                              FreeBSD ************

  FreeBSD ************

   ******: 45d720938e

   Copyright (c) 1995-2019 The FreeBSD Documentation Project

   ******

   Redistribution and use in source (XML DocBook) and 'compiled' forms (XML,
   HTML, PDF, PostScript, RTF and so forth) with or without modification, are
   permitted provided that the following conditions are met:

    1. Redistributions of source code (XML DocBook) must retain the above
       copyright notice, this list of conditions and the following disclaimer
       as the first lines of this file unmodified.

    2. Redistributions in compiled form (transformed to other DTDs, converted
       to PDF, PostScript, RTF and other formats) must reproduce the above
       copyright notice, this list of conditions and the following disclaimer
       in the documentation and/or other materials provided with the
       distribution.

  ******:

   THIS DOCUMENTATION IS PROVIDED BY THE FREEBSD DOCUMENTATION PROJECT "AS
   IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
   THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
   PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD DOCUMENTATION
   PROJECT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
   EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
   PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
   PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
   LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
   DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

   FreeBSD *** FreeBSD ************************._

   3Com *** HomeConnect *** 3Com Corporation ***************._

   3ware *** 3ware Inc ***************._

   ARM *** ARM Limited. ***************._

   Adaptec *** Adaptec, Inc. ***************._

   Adobe, Acrobat, Acrobat Reader, Flash ****** PostScript *** Adobe Systems
   Incorporated ************/***************************************._

   Apple, AirPort, FireWire, iMac, iPhone, iPad, Mac, Macintosh, Mac OS,
   Quicktime ****** TrueType *** Apple Inc.
   ******************************************._

   Android *** Google Inc *********._

   Heidelberg, Helvetica, Palatino ****** Times Roman *** Heidelberger
   Druckmaschinen AG ***************************************************._

   IBM, AIX, OS/2, PowerPC, PS/2, S/390 ****** ThinkPad *** International
   Business Machines Corporation *********************************._

   IEEE, POSIX ****** 802 *** Institute of Electrical and Electronics
   Engineers, Inc. ************************._

   Intel, Celeron, Centrino, Core, EtherExpress, i386, i486, Itanium, Pentium
   ****** Xeon *** Intel Corporation
   ******************************************************************._

   Intuit *** Quicken *** Intuit Inc.,
   ***************************************************************._

   Linux *** Linus Torvalds ***************._

   LSI Logic, AcceleRAID, eXtremeRAID, MegaRAID ****** Mylex *** LSI Logic
   Corp ************************._

   Microsoft, IntelliMouse, MS-DOS, Outlook, Windows, Windows Media ******
   Windows NT *** Microsoft Corporation
   ************/***************************************._

   Motif, OSF/1 ****** UNIX *** The Open Group
   ***************************************** IT DialTone *** The Open Group
   ************._

   Oracle *** Oracle Corporation ***************._

   RealNetworks, RealPlayer, *** RealAudio *** RealNetworks, Inc.
   ***************._

   Red Hat, RPM, *** Red Hat, Inc. ***************************************._

   Sun, Sun Microsystems, Java, Java Virtual Machine, JDK, JRE, JSP, JVM,
   Netra, OpenJDK, Solaris, StarOffice, SunOS ****** VirtualBox *** Sun
   Microsystems, Inc. ************************************************._

   MATLAB *** The MathWorks, Inc. ***************._

   SpeedTouch *** Thomson *********._

   VMware *** VMware, Inc. *********._

   Mathematica *** Wolfram Research, Inc ***************._

   XFree86 *** The XFree86 Project, Inc *********._

   Ogg Vorbis ****** Xiph.Org *** Xiph.Org *********._

   ***************************************************************************************************._
   ***************************************** FreeBSD Project
   ***************************************** "(TM)" *** "(R)"
   ***************._

   2019-12-03 17:05:41 +0000 *** Ruey-Cherng Yu.
   ******

   ************ FreeBSD** ************************************ FreeBSD
   12.0-RELEASE *** FreeBSD 11.3-RELEASE *********************************._
   ***********************************************************<"************>"************************************************************************************************************************
   FreeBSD ************************._

   *** FreeBSD ******
   ********************************************************
   https://docs.FreeBSD.org/doc/
   ******._******************************************************************
   FreeBSD FTP ********* ****************** ************ ******._
   *************************************** FreeBSD ****** ******._
   ***************** ************
   ******************************************._

   [ ************ / ************ ]

     ----------------------------------------------------------------------

   ************

   ***

   I. ******

                1. ******

                             1.1. ******

                             1.2. ************ FreeBSD**

                             1.3. ****** FreeBSD ******

                2. ****** FreeBSD

                             2.1. ******

                             2.2. ******************

                             2.3. *********************

                             2.4. ************

                             2.5. ****** bsdinstall

                             2.6. ******************

                             2.7. ************

                             2.8. *********************

                             2.9. ************

                             2.10. ****** Live CD

                3. FreeBSD ******

                             3.1. ******

                             3.2. ****** Console ************

                             3.3. ******************************

                             3.4. ******

                             3.5. ************

                             3.6. ************

                             3.7. ***************************

                             3.8. ********* Daemon

                             3.9. Shell

                             3.10. ***************

                             3.11. *********************

                             3.12. ************

                4. ***************************** Port

                             4.1. ******

                             4.2. *********************

                             4.3. ************

                             4.4. ****** pkg ****** Binary ******

                             4.5. ****** Port *********

                             4.6. ****** Poudriere ************

                             4.7. ************************

                             4.8. *************** Port

                5. X Window ******

                             5.1. ******

                             5.2. ******

                             5.3. ****** Xorg

                             5.4. Xorg ******

                             5.5. *** Xorg ************

                             5.6. X ******************

                             5.7. ************

                             5.8. ****** Compiz Fusion

                             5.9. ************

   II. ************

                6. ******************

                             6.1. ******

                             6.2. *********

                             6.3. ************

                             6.4. ******************

                             6.5. ******

                7. *********

                             7.1. ******

                             7.2. ***************

                             7.3. MP3 ******

                             7.4. ************

                             7.5. *********

                             7.6. MythTV

                             7.7. ***************

                8. ****** FreeBSD ******

                             8.1. ******

                             8.2. ******************************?

                             8.3. ******************

                             8.4. *********

                             8.5. ***************************

                             8.6. ******************

                9. ******

                             9.1. ************

                             9.2. ***************

                             9.3. ***************************

                             9.4. ************

                             9.5. LPD (****************** Daemon)

                             9.6. ******************

                10. Linux(R) Binary *********

                             10.1. ******

                             10.2. ****** Linux(R) Binary *********

                             10.3. ************

   III. ************

                11. ***************

                             11.1. ******

                             11.2. ************

                             11.3. ****** cron(8)

                             11.4. ****** FreeBSD ************

                             11.5. *********************

                             11.6. ************

                             11.7. ******************

                             11.8. *********

                             11.9. ****** sysctl(8) ******

                             11.10. ************

                             11.11. ******************

                             11.12. ******************

                             11.13. *********************

                12. FreeBSD ************

                             12.1. ******

                             12.2. FreeBSD ************

                             12.3. ************************

                             12.4. ************

                             12.5. ************

                13. *********

                             13.1. ******

                             13.2. ******

                             13.3. ***************

                             13.4. TCP Wrapper

                             13.5. Kerberos

                             13.6. OpenSSL

                             13.7. VPN over IPsec

                             13.8. OpenSSH

                             13.9. ******************

                             13.10. ******************************

                             13.11. FreeBSD ************

                             13.12. ************

                             13.13. ************

                             13.14. ****** Sudo ******************

                14. Jail

                             14.1. ******

                             14.2. Jail ************

                             14.3. *************** Jail

                             14.4. ***************

                             14.5. ************ Jail

                             14.6. ****** ezjail ****** Jail

                15. ****************** (MAC)

                             15.1. ******

                             15.2. *********

                             15.3. ****** MAC ******

                             15.4. ******************

                             15.5. ********* MAC ************

                             15.6. User Lock Down

                             15.7. *** MAC Jail ********* Nagios

                             15.8. MAC ******************

                16. ******************

                             16.1. ******

                             16.2. *********

                             16.3. ************

                             16.4. ******************

                17. ************

                             17.1. ******

                             17.2. ************

                             17.3. ***************************

                             17.4. USB ************

                             17.5. *************** CD ******

                             17.6. *************** DVD ******

                             17.7. *********************

                             17.8. ******************

                             17.9. ***************

                             17.10. ******************

                             17.11. ************

                             17.12. *********************

                             17.13. ******************

                             17.14. ********************* (HAST)

                18. GEOM: ***************************

                             18.1. ******

                             18.2. RAID0 - ****** (Striping)

                             18.3. RAID1 - ****** (Mirroring)

                             18.4. RAID3 -
                             ************************************

                             18.5. ****** RAID ******

                             18.6. GEOM Gate Network

                             18.7. ******************

                             18.8. UFS Journaling ****** GEOM

                19. Z ************ (ZFS)

                             19.1. ********* ZFS ************

                             19.2. ******************

                             19.3. zpool ******

                             19.4. zfs ******

                             19.5. ************

                             19.6. ************

                             19.7. ************

                             19.8. ZFS ***************

                20. ******************

                             20.1. ******

                             20.2. Linux(R) ************

                21. *********

                             21.1. ******

                             21.2. *** Mac OS(R) X *** Parallels ******
                             FreeBSD *********

                             21.3. *** Windows(R) *** Virtual PC ******
                             FreeBSD *********

                             21.4. *** Mac OS(R) *** VMware Fusion ******
                             FreeBSD *********

                             21.5. *** VirtualBox(TM) ****** FreeBSD
                             ************

                             21.6. *** FreeBSD ******************
                             VirtualBox(TM)

                             21.7. *** FreeBSD ****************** bhyve

                             21.8. *** FreeBSD ****************** Xen(TM)

                22. ********* - i18n/L10n ***************

                             22.1. ******

                             22.2. ************

                             22.3. ****** i18n ************

                             22.4. ***************************

                23. *************** FreeBSD

                             23.1. ******

                             23.2. FreeBSD ******

                             23.3. ***************

                             23.4. ******************

                             23.5. ****************** FreeBSD

                             23.6. ******************

                24. DTrace

                             24.1. ******

                             24.2. ************

                             24.3. ****** DTrace ******

                             24.4. ****** DTrace

                25. USB Device Mode / USB OTG

                             25.1. ******

                             25.2. USB ***************

                             25.3. USB ************************

                             25.4. USB ******************

   IV. ************

                26. ************

                             26.1. ******

                             26.2. *********************

                             26.3. *********

                             26.4. ************

                             26.5. ************

                             26.6. ************ Console

                27. PPP

                             27.1. ******

                             27.2. ****** PPP

                             27.3. PPP ******************

                             27.4. ********************* PPP (PPPoE)

                             27.5. *** ATM ****** PPP (PPPoA)

                28. ************

                             28.1. ******

                             28.2. ************

                             28.3. Sendmail *********

                             28.4. ******************************

                             28.5. ************

                             28.6. ************

                             28.7. ************

                             28.8. ***************************

                             28.9. SMTP ******

                             28.10. ***************************

                             28.11. ****** fetchmail

                             28.12. ****** procmail

                29. ***************

                             29.1. ******

                             29.2. inetd ***************

                             29.3. ****************** (NFS)

                             29.4. ****************** (NIS)

                             29.5. *************************** (LDAP)

                             29.6. ************************ (DHCP)

                             29.7. ****************** (DNS)

                             29.8. Apache HTTP *********

                             29.9. ****************** (FTP)

                             29.10. Microsoft(R) Windows(R)
                             ****************************** (Samba)

                             29.11. NTP ************

                             29.12. iSCSI Initiator *** Target ******

                30. *********

                             30.1. ******

                             30.2. ***************

                             30.3. PF

                             30.4. IPFW

                             30.5. IPFILTER (IPF)

                             30.6. Blacklistd

                31. ******************

                             31.1. ******

                             31.2. ******************

                             31.3. ************

                             31.4. USB ************

                             31.5. ******

                             31.6. ******

                             31.7. Link Aggregation ***************

                             31.8. PXE ***************

                             31.9. IPv6

                             31.10. ************************ (CARP)

                             31.11. VLANs

   V. ******

                A. ****** FreeBSD

                             A.1. CD *** DVD ******

                             A.2. FTP ***

                             A.3. ****** Subversion

                             A.4. ****** rsync

                B. ************

                             B.1. FreeBSD ************

                             B.2. ************

                             B.3. ************

                             B.4. ************

                             B.5. ******************

                             B.6. *********************

                             B.7. ******************

                             B.8. UNIX(R) ******

                             B.9. ***************

                C. ************

                             C.1. ******

                             C.2. ************ (Mailing List)

                             C.3. Usenet ************

                             C.4. ***************

                D. OpenPGP ******

                             D.1. ******

   FreeBSD *********

   ******

   ************

   2.1. FreeBSD ************************

   2.2. FreeBSD ******************

   2.3. ************

   2.4. *********************

   2.5. ******************

   2.6. *********************************

   2.7. ******************

   2.8. ************************

   2.9. ***************

   2.10. ***************

   2.11. FreeBSD 10.x ************************************

   2.12. *********************

   2.13. ******************************

   2.14. ***************************

   2.15. *********************

   2.16. *********************

   2.17. *********************

   2.18. ZFS ******************

   2.19. ZFS ***************

   2.20. ************

   2.21. ***************

   2.22. ************

   2.23. ******************

   2.24. ************

   2.25. ************

   2.26. *********************

   2.27. *********************

   2.28. *********************

   2.29. ****** root ******

   2.30. *********************

   2.31. ***************************

   2.32. ******************

   2.33. WPA2 ******

   2.34. ****** IPv4 ******

   2.35. ****** IPv4 DHCP ******

   2.36. IPv4 ******************

   2.37. ****** IPv6 ******

   2.38. ****** IPv6 SLAAC ******

   2.39. IPv6 ******************

   2.40. DNS ******

   2.41. *************** UTC ******

   2.42. ************

   2.43. ************

   2.44. ************

   2.45. ************

   2.46. ******************************

   2.47. ****************** (Crash Dump)

   2.48. *********************

   2.49. *********************

   2.50. ******************************

   2.51. ************

   2.52. ************

   2.53. ************

   31.1. ****** NFS Root Mount ****** PXE ************

   ************

   2.1. *********************

   3.1. ******************************

   3.2. UNIX(R) ******

   3.3. ******************

   3.4. ******************

   5.1. XDM *********

   7.1. ******************

   9.1. ****** PDL ******

   12.1. ************************

   12.2. ***************************

   13.1. ******************************

   16.1. ************************

   16.2. ************************

   22.1. ***************************

   22.2. ***************************************************

   22.3. Port ********************* Console

   22.4. ******************

   23.1. FreeBSD ************************

   26.1. RS-232C ************

   26.2. DB-25 *** DB-25 Null-Modem ***

   26.3. DB-9 *** DB-9 Null-Modem ***

   26.4. DB-9 *** DB-25 Null-Modem ***

   29.1. NIS ******

   29.2. ***************

   29.3. ************

   29.4. DNS ******

   30.1. ********* pfctl ******

   31.1. *********************

   31.2. ******************

   31.3. ************ IPv6 ******

   ************

   2.1. ******************************************

   3.1. ***************************************

   3.2. *** FreeBSD ***************

   3.3. rmuser *********************

   3.4. ********************************* chpass

   3.5. ********************************* chpass

   3.6. ******************

   3.7. *********************************************************

   3.8. ****** pw(8) ************

   3.9. ****** pw(8) ************************************

   3.10. ****** pw(8) ************************

   3.11. ****** id(1) *********************

   3.12. ******,_******************************

   3.13. *********************

   5.1. ****************** Intel(R) ******************

   5.2. ****************** Radeon ******************

   5.3. ****************** VESA ******************

   5.4. ****************** scfb ******************

   5.5. *********************************

   5.6. ***************************

   5.7. ******************

   5.8. ************************

   5.9. ****************** X ******

   5.10. *********************

   11.1. ***************************

   11.2. ****************** FreeBSD 10.X ***************

   11.3. ****************** FreeBSD 9.X ***************

   12.1. boot0 ************

   12.2. boot2 ************

   12.3. *** /etc/ttys ****************** Console

   13.1. ********* SMTP *********************

   13.2. ************ POP3 *********

   13.3. ***************

   14.1. *************** Jail *** mergemaster(8)

   14.2. ************ Jail *** mergemaster(8)

   14.3. *** Jail ********* BIND

   17.1. *** ssh ****** dump

   17.2. *** ssh ****** dump ****** RSH ******

   17.3. ****** tar ******************

   17.4. ****** tar ******************

   17.5. ****** ls *** cpio ************************************

   17.6. ****** pax ******************

   18.1. ************************************

   23.1. *********************

   26.1. *********************

   29.1. ************ inetd *********

   29.2. ****** amd ****** Export

   29.3. ****** autofs(5) ****** Export

   29.4. /etc/ntp.conf ******

   31.1. Cisco(R) ****************** LACP Aggregation

   31.2. ******************

   31.3. ***************************************************

                                      ***

***************

   ************************ FreeBSD
   ******************************************** FreeBSD
   ************************************** UNIX(R)
   ******************************,_***************._*****************************************************************************._

   ****************************************************************************************************************************._
   *********************************************************************************************************************************************._

   ***************************** ****** B, ************._

******************************

   *************************************************************** 10
   ***************************._************ 2014
   *****************************************************

     * *** 24, DTrace *************************** DTrace
       ***************************._

     * *** 20, ****************** ************ FreeBSD
       ******************************************* Sun(TM) *** ZSF._

     * *** 16, ****************** ********************* FreeBSD
       ************************************._

     * *** 21, ********* ************************************ FreeBSD
       *********._

     * *** 2, ****** FreeBSD ******************************************
       bsdinstall ********* FreeBSD._

****************************** (2004)

   ****************************************** FreeBSD
   ******************************************************._***********************************************************************._***********************************

     * *** 11, *************** **********************************ACPI
       ************,_cron
       ***************************************************._

     * *** 13, ********* ***************************
       (VPN),_*************************** (ACL)********************._

     * *** 15, ****************** (MAC)
       ***************************._*********************** MAC
       ***************************************** FreeBSD ***************._

     * *** 17, ************ *****************USB
       *********,_****************** (Snapshot),_****************** (Quota)
       ,_***************************************,_************************************************._

     * *** 27, PPP ******************************._

     * *** 28, ************
       ***************************************************,_SMTP
       ******,_UUCP,_fetchmail,_procmail *********************************._

     * *** 29, ***************
       ***************************._****************************** Apache
       HTTP *********,_ftpd ****************** Microsoft(R) Windows(R)
       ************ Samba._********************************* *** 31,
       ****************** ._

     * *** 31, ****************** *************** FreeBSD
       ***************(R)******,_***************************************************
       (Asynchronous Transfer Mode, ATM) ***************._

     * *****************************************************._

     * *********************************._

****************************** (2001)

   ************************ FreeBSD
   ******************************************************._***********************************

     * ***************************._

     * ********* ASCII ************************************._

     * ***********************************************************************,_***************************._

     * *****************************************"******",_"************"
       ****** "******"._

     * *** 3, FreeBSD ****** ***************,_Daemon ************ (Signal)
       *********._

     * *** 4, ***************************** Port ***************************
       Binary ***************._

     * *** 5, X Window ****** ******************************** XFree86(TM)
       4.X ******************************* KDE *** GNOME._

     * *** 12, FreeBSD ************ ******************._

     * *** 17, ************ ********************* "******" *** "******"
       *********._*********************************************************._************
       RAID (************,_****** RAID) ***************************._

     * *** 26, ************ ******************************** FreeBSD 4.X/5.X
       *********._

     * *** 27, PPP ************************._

     * *** 31, ****************** *********************._

     * *** 28, ************ ********************* sendmail *********._

     * *** 10, Linux(R) Binary ********* ************************ Oracle(R)
       ****** SAP(R) R/3(R) *********._

     * ************************************************************

          * *** 11, ***************._

          * *** 7, *********._

************

   ********************************************************** FreeBSD
   *********,_************._
   **********************************************************************************
   ******************************** FreeBSD
   ***********************************************._
   **********************************************************************************************
   *****************************************************
   ******************************** FreeBSD
   *****************************************
   ****************************************************************************************************************
   FreeBSD *********._

   *** 1, ******

           *************** FreeBSD._*************** FreeBSD
           ***************,_*********************._

   *** 2, ****** FreeBSD

           ****************************** bsdinstall *** FreeBSD 9.x
           ************************************._

   *** 3, FreeBSD ******

           ****** FreeBSD ************************************._************
           Linux(R) ************ UNIX(R) *****************************._

   *** 4, ***************************** Port

           ****************** FreeBSD ********* "Port *********" *********
           Binary ***************************._

   *** 5, X Window ******

           ****** X Windows ****************** FreeBSD *********
           X11******************************************** KDE *** GNOME._

   *** 6, ******************

           ****************************************************************,_******************************************************
           FreeBSD._

   *** 7, *********

           **************************************************************************************************************************._

   *** 8, ****** FreeBSD ******

           ******************************************************,_************************************._

   *** 9, ******

           *************** FreeBSD
           ***********************************,_***************************************._

   *** 10, Linux(R) Binary *********

           ****** FreeBSD *** Linux(R)
           ******************************************** Linux(R)
           *********************************************** Oracle(R) ***
           Mathematica(R)._

   *** 11, ***************

           *************************************** FreeBSD
           ******************************************************** FreeBSD
           ************************************************************._

   *** 12, FreeBSD ************

           ****** FreeBSD
           ***************************************************************._

   *** 13, *********

           ************************ FreeBSD
           ************************************** Kerberos, IPsec ***
           OpenSSH._

   *** 14, Jail

           ****** Jail Framework******** Jail ************ FreeBSD ******
           chroot ***************._

   *** 15, ****************** (MAC)

           ********************************* (Mandatory Access Control, MAC)
           ********************************* FreeBSD ***************._

   *** 16, ******************

           *************** FreeBSD
           ****************************************************************************._

   *** 17, ************

           *************** FreeBSD
           ***********************************************************,_RAID
           ******,_*********************,_***************************************************._

   *** 18, GEOM: ***************************

           ********* FreeBSD ****** GEOM Framework
           ******************************************** RAID ******._

   *** 20, ******************

           ****** FreeBSD ***************************************** Sun(TM)
           *** Z ************._

   *** 21, *********

           ***********************************************************
           FreeBSD *********._

   *** 22, ********* - i18n/L10n ***************

           *************** FreeBSD
           ********************************************************************._

   *** 23, *************** FreeBSD

           ****** FreeBSD-STABLE,_FreeBSD-CURRENT ****** FreeBSD
           *************************************************************************************************************************************************************************._

   *** 24, DTrace

           *************** FreeBSD *************** Sun(TM) *** DTrace
           *****************************************************************************************._

   *** 26, ************

           ************************************************ FreeBSD
           ******************************._

   *** 27, PPP

           *************** FreeBSD ****** PPP ************************._

   *** 28, ************

           ****************************************************************************************************************sendmail._

   *** 29, ***************

           ********************************************************************
           FreeBSD
           ******************************,_*********************,_***************************************************._

   *** 30, *********

           ********************************************************************
           FreeBSD ******************************************._

   *** 31, ******************

           ***************************************************** (LAN)
           ***************************************,_******************,_************,_Bluetooth(R),_ATM,_IPv6
           ************************._

   ****** A, ****** FreeBSD

           ************ FreeBSD CDROM *** DVD
           *******************************************************************************************
           FreeBSD._

   ****** B, ************

           *******************************************************************************************************************************._

   ****** C, ************

           *************** FreeBSD ***************************************
           FreeBSD ***************************._

   ****** D, OpenPGP ******

           *************** FreeBSD *************** PGP ******._

*********************

   ***********************************************************************************************._

  ******************

   *********

           ***********************,_******,_****** (URL),_
           ************,_************************************._

   *********

           ***************** ************,_******,_************,_Port
           ******,_************,_******,_******,_************,_******,_************._

   *********

           ********************************,_******,_******._

  ***************

   **************************************************************._
   ************************************************** `+'
   *************************

   Ctrl+Alt+Del

   ***************** Ctrl,_ Alt ****** Del ***._

   ************************************** (,) *******************

   Ctrl+X, Ctrl+S

   *********************** Ctrl *** X ***** *************************** Ctrl
   *** S ***._

  ******

   ********* C:\> *************** MS-DOS(R) *********._
   *****************************************************
   Microsoft(R) Windows(R) ********* "****************** (Command Prompt)"
   ***************._

 E:\> tools\fdimage floppies\kern.flp A:

   ********* # ****************** FreeBSD
   *********************************************._ *************** root
   ******************************************************************** su(1)
   ******************************._

 # dd if=kern.flp of=/dev/fd0

   ********* % ****************** FreeBSD
   ******************************************._
   ************************************************** C-shell
   **************************************************************._

 % top

******

   *********************************************************************************************._
   **************************************************************************************************************._

   ************************************************************,_***************************************************._
   ********BSDi (************ Wind River Systems) ****** FreeBSD
   ************************************************ 2000 *** 3
   *********************._(ISBN 1-57176-241-8) Wind River Systems
   **************************************************************************************************._*********************
   2001 *** 11 ************._(ISBN 1-57176-303-1) *** 2003-2004
   ***********FreeBSD Mall, Inc
   ************************************************************************************._

                                 *** I. ******

   ********************************* FreeBSD ******************************._
   ********************

     * ****** FreeBSD ******._

     * ***************************._

     * ****** UNIX(R) ******************._

     * ************************************ FreeBSD ***************._

     * ************ X**UNIX(R)
       ***********************************************************************._

   *****************************************************************************************************************************************************._

   ************

   1. ******

                1.1. ******

                1.2. ************ FreeBSD**

                1.3. ****** FreeBSD ******

   2. ****** FreeBSD

                2.1. ******

                2.2. ******************

                2.3. *********************

                2.4. ************

                2.5. ****** bsdinstall

                2.6. ******************

                2.7. ************

                2.8. *********************

                2.9. ************

                2.10. ****** Live CD

   3. FreeBSD ******

                3.1. ******

                3.2. ****** Console ************

                3.3. ******************************

                3.4. ******

                3.5. ************

                3.6. ************

                3.7. ***************************

                3.8. ********* Daemon

                3.9. Shell

                3.10. ***************

                3.11. *********************

                3.12. ************

   4. ***************************** Port

                4.1. ******

                4.2. *********************

                4.3. ************

                4.4. ****** pkg ****** Binary ******

                4.5. ****** Port *********

                4.6. ****** Poudriere ************

                4.7. ************************

                4.8. *************** Port

   5. X Window ******

                5.1. ******

                5.2. ******

                5.3. ****** Xorg

                5.4. Xorg ******

                5.5. *** Xorg ************

                5.6. X ******************

                5.7. ************

                5.8. ****** Compiz Fusion

                5.9. ************

*** 1. ******

   Restructured, reorganized, and parts rewritten by Jim Mock.
   ************

   1.1. ******

   1.2. ************ FreeBSD**

   1.3. ****** FreeBSD ******

1.1. ******

   ****************** FreeBSD ***************************** FreeBSD
   **************************************,_******,_******************._

   ****************************

     * FreeBSD ************************************._

     * FreeBSD ***************._

     * FreeBSD ***************._

     * FreeBSD *********************************._

     * ***************** "FreeBSD" ******************._

1.2. ************ FreeBSD**

   FreeBSD ***************,_****************** Unix
   ************************** x86 (32 *** 64 ******), ARM(R), AArch64,
   RISC-V(R), MIPS(R), POWER(R), PowerPC(R) ****** Sun UltraSPARC(R)
   *********._**********************************************************************************,_***************,_***************,_******************,_******************
   (SMP),_*************************************************************** X
   Window ******,_KDE *** GNOME
   **********************************************

     * **********************************************************************************************************************************************************
       Copyleft
       ***********************************************************************._

     * ********* TCP/IP ****** - FreeBSD
       *****************************************************************************
       FreeBSD ******************************,_*********/****************** -
       ***************************************************._

     * ************ OpenZFS******** root-on-ZFS,_ZFS
       ************,_************,_************,_*** Jail *********,_FreeBSD
       ************************************************._

     * ***************************************************** (Mandatory
       Access Control, MAC) ********* Capsicum ************************._

     * ****** 3
       *********************************************************************************************
       Port *********._

     * ************ -
       *****************************************************************************************************************
       Userspace
       Daemon,_******************************************************** APIs
       (*** 9 ***) ********************* (*** 4 ***) ****************** (
       man(1) page)._

     * ****************************************************** - FreeBSD
       ******************,_********* Userspace
       **************************************,_***********************************************************
       FreeBSD ***************************************************._

     * ****** Unix ***************************************** "*********"
       ****** Daemon._

     * Linux ********* (Binary) ********************************************
       Linux *********._

   FreeBSD
   ************************************************************************
   (Computer Systems Research Group ********* CSRG) ************
   4.4BSD-Lite*********** BSD ***************************._ ********* CSRG
   ***********************************FreeBSD
   ********************************************************************************************************************._
   FreeBSD
   ********************************************************************************************************._

  1.2.1. FreeBSD **************

   FreeBSD ***************************************************._
   *************************************************************************************************************************
   UNIX(R) ***************************************** FreeBSD **************
   FreeBSD
   ******************************************************************************************
   ********************************************************************._

   ****************************** FreeBSD ********************
   ***********************************************************************************************
   ******************************************************************************._
   ****************************** FreeBSD ***********

     * ******************** FreeBSD
       *************************************************** (*********)
       *****************

          * ***************

          * IPv4 *** IPv6 ******

          * *************** NAT ("IP ******") *********

          * ***************************

          * *********************

          * ************...

     * *************************************************************************
       FreeBSD
       ***************************,_***************,_*********************._***************************
       CAD**************************************************************
       ****** *****************************

     * ****************************************FreeBSD
       ***************************************************._
       ************************************ FreeBSD
       *******************************************************************************************
       *********************._

     * ******** *************** *********,_*************** (DNS)
       *********************** FreeBSD ************************************
       386 *** 486 PC
       *****************************************************************._

     * *********** FreeBSD
       ******************************************************._ ******
       ARM(R), MIPS(R) ****** PowerPC(R)
       **************************************,_******************************
       BSD **************FreeBSD
       ************************************,_***************************************._

     * ******: FreeBSD
       *****************************************************************************
       X11 *********._FreeBSD
       ******************************************************** GNOME *** KDE
       ************************._FreeBSD ************************************
       "*********"
       *****************************************,_***************._

     * ************** *************** FreeBSD
       ******************************************** C/C++
       *********************._ ****** Port
       ***************************************************._

   ********************* CD-ROM,_DVD ********* FTP ************ FreeBSD._
   *************** ****** A, ****** FreeBSD ****** FreeBSD._

  1.2.2. ********* FreeBSD**

   FreeBSD ************ (Web) ********************* - *** FreeBSD
   ************************ Hacker News, Netcraft, NetEase, Netflix, Sina,
   Sony Japan, Rambler, Yahoo! *** Yandex._

   FreeBSD
   ***************,_******************,_********************************************************
   FreeBSD
   ***************************************,_************,_**************************************************************************
   FreeBSD**

     * Apache - Apache
       *****************************************************************************************
       SVN ********* (************ 140 ************) ********* FreeBSD
       *********._

     * Apple - OS X ************ FreeBSD *********
       Stack,_******************************************************._Apple
       iOS ************ FreeBSD ******************._

     * Cisco - IronPort
       ****************************************************** FreeBSD
       ***************._

     * Citrix - *************** NetScaler ********************* 4-7
       ******************,_************,_******************,_********* VPN
       ******************************************** FreeBSD Shell
       ***************._

     * Dell EMC Isilon - Isilon *************************** FreeBSD
       *********._*************** FreeBSD *************** Isilon
       **********************************************************************************************************._

     * Quest KACE - KACE ****************************** FreeBSD***********
       FreeBSD
       ************,_************************************************._

     * iXsystems - ************ (Unified Storage) ********* TrueNAS
       *************** FreeBSD
       *********._*****************************************iXsystems
       ************ TrueOS *** FreeNAS ***************************._

     * Juniper - JunOS ****************************** Juniper ************
       (*************************************************) ********* FreeBSD
       *********._Juniper
       ***********************************************************************************._***
       Juniper ************************************ FreeBSD
       *************************** FreeBSD ********* JunOS ************._

     * McAfee - SecurOS *** McAfee
       *********************************************** Sidewinder ***********
       FreeBSD *********._

     * NetApp - ****************** Data ONTAP GX *************** FreeBSD
       *********._**************NetApp *************** FreeBSD
       *********************** BSD *************** hypervisor, bhyve._

     * Netflix - Netflix *************************************** OpenConnect
       ************ FreeBSD *********._ Netflix
       *****************************************************************
       FreeBSD ******************._Netflix *** OpenConnect
       ****************************************** 32** ******._

     * Sandvine - Sandvine ****** FreeBSD
       ******************************************************************************************************._

     * Sony - PlayStation 4 ********************************* FreeBSD
       ***************._

     * Sophos - Sophos ****************************************** (Hardened)
       *** FreeBSD
       ****************************************************************************************************************************._

     * Spectra Logic - ************************ nTier ************ FreeBSD
       *** OpenZFS *********._

     * Stormshield - Stormshield
       ********************************************* FreeBSD
       **************BSD
       ******************************************************************************************************._

     * The Weather Channel -
       ***********************************************************************************************************
       IntelliStar ****************** FreeBSD._

     * Verisign - VeriSign ************ .com *** .net
       ****************************************** DNS
       ******************._************************************************************************
       FreeBSD ***************************************._

     * Voxer - Voxer ********* FreeBSD *** ZFS
       ************************************** Voxer *** Solaris *********
       FreeBSD ************ FreeBSD
       *********************,_***************************,_******************************._*********************
       ZFS *** DTrace ************ FreeBSD *** ZFS ************ TRIM._

     * WhatsApp - *** WhatsApp
       ********************************************************* 100 ******
       TCP ***********************************
       FreeBSD._****************************************************** 250
       ************._

     * Wheel Systems - FUDO
       ************************************,_******,_***************************************************************._*********************
       FreeBSD ***************************************** ZFS, GELI, Capsicum,
       HAST *** auditdistd._

   FreeBSD *****************************************

     * BSD Router - *** FreeBSD
       **************************************************************************
       PC ***************._

     * FreeNAS - ***************************************************
       FreeBSD._************ Python ********************************* UFS ***
       ZFS ******************************** NFS,_SMB/ CIFS,_AFP,_FTP ***
       iSCSI*********** FreeBSD Jail ************************._

     * GhostBSD - ****** Gnome *************** FreeBSD *********._

     * mfsBSD - *************************************** FreeBSD
       *********************._

     * NAS4Free - *** FreeBSD *** PHP
       *********************************************._

     * OPNSense - OPNsense ************ FreeBSD
       ******************,_******************************************************._OPNsense
       *********************************************************._********************************************************************************._

     * TrueOS - ***************
       FreeBSD**************************************************************
       FreeBSD
       ********************************************************************
       Windows *** OS X ************._

     * pfSense - *** FreeBSD
       ************************************************************** IPv6._

     * ZRouter - *********************************************** FreeBSD
       *****************************************************************._

   *** FreeBSD ********************************* FreeBSD
   ********************************************* ******._ Wikipedia
   ********************* FreeBSD ************************._

1.3. ****** FreeBSD ******

   ****************** FreeBSD
   *****************************,_******************************._

  1.3.1. FreeBSD ************

   FreeBSD *************** 1993 ********
   ***************************<"********* 386BSD
   ************>"****************************** Nate Williams**Rod Grimes ***
   Jordan Hubbard._

   ****************************** 386BSD ************************ (Snapshot)
   *************************** (Patchkit)
   ***********************************************************************
   386BSD 0.5 *** 386BSD Interim ******************._

   386BSD *** Bill Jolitz
   *********************************************************************************************************************************************************
   "******" *************** Bill._ ************** Bill Jolitz
   **********************************************************************************************************************._

   *************************************** Bill
   ************************************************** David Greenman
   ***********************************
   "FreeBSD"._**************************************************************************************************************************._Jordan
   ****** Walnut Creek CD-ROM ***************************** FreeBSD
   **************************************************************._ Walnut
   Creek CD-ROM *************** CD ********* FreeBSD
   ***********************************************************._ *********
   Walnut Creek CD-ROM
   **************************************************************************************************
   FreeBSD ***************************************._

   ************ CD-ROM (*********) ****************** FreeBSD 1.0********
   1993 ******************._ ****************** U.C. Berkeley
   ************************ 4.3BSD-Lite ("Net/2") ****************** 386BSD
   ******************************************._***********************************************************
   1994 *** 5 *************************** FreeBSD 1.1._

   *********************************************** Novell *** U.C. Berkeley
   ****** Berkeley Net/2 ************************************************._
   U.C. Berkeley ****************** Net/2
   ******************"************"************ Novell ********* --
   ****************************** AT&T *********._ Berkeley ************
   Novell ****** 4.4BSD-Lite ***"******"*********** 4.4BSD-Lite
   ********************************************._ *************** Net/2
   ******************************************************** FreeBSD._
   ************************** 1994 *** 6 ************************ Net/2
   ******************._*************************************************************************************
   FreeBSD 1.1.5.1._

   FreeBSD *********************<"******************>"*************** --
   *************************** 4.4BSD-Lite ************._ ****** "Lite"
   ***************************** Berkeley *** CSRG
   ************************************************************************************
   (******************************)***************** Intel
   ************************************._ ****** 1994 *** 11
   ************************************** *************** 12 ********* CD-ROM
   ****************************** FreeBSD 2.0._
   *****************************************************************************._
   ********* 1995 *** 6 ***************************************** FreeBSD
   2.0.5._

   *****************FreeBSD
   ******************************************,_******************************************************._

   ************************************** 10.X-CURRENT (trunk)
   ******************** 10.X ********* (Snapshot) ***************
   *************** ******._

  1.3.2. FreeBSD ************

   Contributed by Jordan Hubbard.

   FreeBSD
   ************************************************************************************._
   ********************************* (******************)
   **************************
   ****************************************************************************************************************._
   ***************************"******"********************************
   ***********************************************
   **************************************************************************._
   ***********************************************************************************._

   ************************************** GNU ************************ (GPL)
   ****** GNU ********************************* (LGPL)
   *****************************************************************************************************************._
   ************ GPL
   ***************************************************************************************
   *************************************************** BSD
   *********************._

  1.3.3. FreeBSD ************

   Contributed by Satoshi Asami.

   FreeBSD **************************************************************
   ***************
   ********************************************************************._
   FreeBSD
   *********************************************************************************._
   *****************************************************************************************
   ********************************************************* FreeBSD
   ************************ ************._ FreeBSD ******************
   ************************************************************._

   ***************************************************************** FreeBSD
   ********************************************

   SVN *********

           *************** FreeBSD ********************* (Source tree)
           ************ CVS (Concurrent Versions System) **************
           ******************************************._ *** 2008 *** 6
           ******** FreeBSD ****************** SVN (Subversion)._
           *************************************************************************************************************CVS
           ************************************._ *************** Port
           ****************************** 2012 *** 5 ****** 2012 *** 7 ******
           CVS ****** SVN._********* ************************
           ********************************* FreeBSD src/
           ******************************** ****** Port *********
           ****************** FreeBSD Port *********._

   ***************

           ********* ********* (Committer) ************ Subversion
           *************** ****** ************** *********************
           FreeBSD ******************._ ("committer"
           ************************************ commit
           ***********************************************************)._
           ********************************* Bug
           Database************************************* FreeBSD
           ************,_IRC
           *************************************************** (Bug)._

   FreeBSD ************

           ********* FreeBSD ***************************** FreeBSD
           ************ (FreeBSD core team) ******************************._
           ***********************************************************************************************************._
           *******************************************************************************************************************************************************************._
           *************************** 2018 *** 7
           ********************************************************************************._

  ******:

           ***********************************************************
           FreeBSD ********************************
           **************************************************************
           "******" ********************* "************" ******._ *********
           "*********"
           *******************************************************
           ************************************************,_**************************
           *************** FreeBSD ********************************

   ******************

           **********************************************
           *********************************************************************************************._
           *** FreeBSD
           ***********************************************************
           FreeBSD ************************
           ********************************************** ****** C,
           ************ ************************ FreeBSD ************._

           FreeBSD *************** *****************************
           ************************************** ***************************
           FreeBSD *****************

           **************************************************************
           ************************************************ FreeBSD
           ************._

   ***********************************************************************._***************************************
   FreeBSD
   **************************************************************************************************************************************************************************************************
   ******************************************************** -
   ***************************************************************************._

   ****************************** FreeBSD ***********************
   *************************************************************

  1.3.4. ***************

   *****************************FreeBSD
   **********************************************************************************************************
   24,000 *** Port**Port ************ HTTP
   ******************,_******,_*****************************************._*********
   Port ********************* 500 MB._*************** Port
   ******************************************************************** make
   install*****************************************._****************** Port
   **************************************************************************************************************
   Port._************ Port
   *********************************"******"*****************************************
   (pkg
   install)***********************************************************._*********************
   Port *************** *** 4, ***************************** Port ******._

  1.3.5. ************

   *************** FreeBSD
   *****************************************************************************************************************************
   /usr/local/share/doc/freebsd._********************************************************************
   *** 23.3.2, "*** Port ******************"._******************************
   HTML ************************ URL ***********************************

   FreeBSD ************

           /usr/local/share/doc/freebsd/handbook/index.html

   FreeBSD ***************

           /usr/local/share/doc/freebsd/faq/index.html

   *****************************************
   (******************************)**https://www.FreeBSD.org/._

*** 2. ****** FreeBSD

   Restructured, reorganized, and parts rewritten by Jim Mock.
   Updated for bsdinstall by Gavin Atkinson and Warren Block.
   Updated for root-on-ZFS by Allan Jude.
   ************

   2.1. ******

   2.2. ******************

   2.3. *********************

   2.4. ************

   2.5. ****** bsdinstall

   2.6. ******************

   2.7. ************

   2.8. *********************

   2.9. ************

   2.10. ****** Live CD

2.1. ******

   ************************************ FreeBSD******************************

     * **************************************************************************._***************
       Download FreeBSD **************KVM ("qcow2"), VMWare ("vmdk"), Hyper-V
       ("vhd")
       ************************************._*****************************************************************
       ("************")
       *****************************************************._

     * ************************************** Amazon *** AWS Marketplace,
       Microsoft Azure Marketplace *** Google Cloud Platform
       *********************************************._*************** Azure
       ********* FreeBSD ****************** Azure
       ******************************._

     * SD ************************************* Raspberry Pi *** BeagleBone
       Black ************************** Download FreeBSD
       ********************************************************************************
       SD ******************************************._

     * *********************************** FreeBSD
       *****************************,_******************************._

   ********************************************************************************************************
   bsdinstall ****** FreeBSD._

   ************************************************** i386(TM) *** AMD64
   ******._**************************************************._
   *************************************************************************************************************************************._

  ******:

   ************************************ FreeBSD ************** ************
   pc-sysinstall ***************** TrueOS ******************._
   ************************************ (TrueOS) ************************
   FreeBSD._ *************** TrueOS ********* Handbook
   (https://www.trueos.org/handbook/trueos.html)._

   ****************************

     * ************************ FreeBSD ***************._

     * ************ FreeBSD ***************._

     * ****************** bsdinstall._

     * bsdinstall
       *************************************************************._

     * ************************************._

     * ****************************** live ********* FreeBSD._

   ****************************************

     * ********************* FreeBSD
       *****************************************************************************._

2.2. ******************

   ****** FreeBSD ****************** FreeBSD
   *********************************._ FreeBSD
   ************************************************ FreeBSD ************
   ******._FreeBSD ************
   ******************************************************************._

   FreeBSD ************************ 96 MB *** RAM ****** 1.5 GB
   ***************._**********************************************************************************************._*****************************************************2-4
   GB RAM ********* 8 GB *********************************._

   ***********************************************

   amd64

           ***********************************************************************************._Intel(R)
           *************** Intel64***********************************
           x86-64._

           *** amd64 ********************************AMD Athlon(TM)64,
           AMD Opteron(TM), ********* Intel(R) Xeon(TM) ******
           Intel(R) Core(TM) 2 *********************._

   i386

           *************************************************** 32-bit, x86
           ******._

           ************************************ i386
           ***************************._****** Intel(R) 486
           ***************************************._

           FreeBSD ********************************* (Physical Address
           Extensions, PAE) ********* CPU
           ************************************._********* PAE
           ****************************** 4 GB
           *****************************************************************._
           ********* PAE ****************************** FreeBSD
           ***************************** pae(4)._

   ia64

           *************************** Itanium(R) *** Itanium(R)
           2._************************ HP zx1** Intel(R) 460GX *** Intel(R)
           E8870._ ************ (Uniprocessor, UP) *********************
           (Symmetric Multi-processor, SMP) *********************._

   powerpc

           ************ USB *** New World ROM Apple(R) Mac(R)
           ******************._ SMP ****** CPU *********************._

           32 ****************************** 2 GB *** RAM._

   sparc64

           FreeBSD/sparc64 ********************* FreeBSD/sparc64 ******._

           ************************************************
           SMP._********************************************************************************._

2.3. *********************

   ****************************** FreeBSD
   **************************************************************************._
   *************************************************************************

    1. ******************

       ***************************** ****** ******************************._
       **********************************************************************************************
       USB
       *********,_******************************************************._
       *********************************************************************************************************************************************************************._

    2. ****** FreeBSD ***************

       ****** FreeBSD
       **************************************************************************._
       ************ FreeBSD
       ************************************************************** FreeBSD
       ********************************************* (Partition)._

       *** i386 *** amd64
       *************************************************************************************
       (Partitioning scheme) *********************._ ************************
       (Master Boot Record, MBR)
       ********************************************************* (Primary
       partition)*************************FreeBSD ************************
       slice************************************************** (Extended
       partition)*****************************************************
       (Logical partition)._ GUID ************ (GUID Partition Table, GPT)
       ***************************************************** GPT
       ****************************** 128
       ***********************************************._

  ******:

       ************************************** Windows(R) XP ************ GPT
       ***************._ ****** FreeBSD
       ******************************************************** MBR
       ***************._

       FreeBSD ****************************************** GPT
       *********._****************************** GPT
       *********************************************************** FreeBSD
       ******._*******************************************************************************************************************************************************************************._

       ******************************************************
       http://en.wikipedia.org/wiki/List_of_disk_partitioning_software._GParted
       Live (http://gparted.sourceforge.net/livecd.php)
       ****************************** GParted ********* Live CD._ GParted
       ****************** Linux Live CD ******************._

  ******:

       **************************************************************************************************************._
       ****************************************************************************************
       ********************************************************._

       **************************************************************************************************************************************
       (*** 21, *********)
       ********************************************************************************._

    3. ******************

       ****** FreeBSD
       ****************************************************************************************************************************._

       ****************** DHCP
       **********************************************************************
       DHCP********************************************************************
       (Internet Service Provider, ISP)
       *****************************************

       *********************
         1. IP ******

         2. ***************

         3. *************** IP ******

         4. *********************

         5. ****** DNS ********* IP ******

    4. ****** FreeBSD *********

       ****** FreeBSD ************************ FreeBSD
       *****************************************************************************************************************************************************************************************
       FreeBSD ********* FreeBSD *********
       (https://www.freebsd.org/releases/12.0R/errata.html)._
       ***********************************************************************._

       ********************************************* FreeBSD
       ***************************
       (https://www.freebsd.org/releases/index.html)._

  2.3.1. *********************

   FreeBSD
   *****************************************************************************************************
   FreeBSD
   ******************************************************************** (CD,
   DVD *** USB)*****************************************._

   FreeBSD ****************** www.freebsd.org/where.html#download
   ******._********************* FreeBSD
   ************,_******,_******************************************* DVD
   ****** FreeBSD 10.2 *** amd64 ********************
   FreeBSD-10.2-RELEASE-amd64-dvd1.iso**************************
   DVD******************** DVD *********._

   ***********************************************************************************************._

   ************************************ UEFI (Unified Extensible Firmware
   Interface) ******************************************************** uefi._

   **************

     * -bootonly.iso**********************************************************._
       ******************************************************************
       FreeBSD ******._********************* CD ***************************
       CD ******._

     * -disc1.iso******************************** FreeBSD
       *********************************** Port
       *********._********************* CD *************************** CD
       ******._

     * -dvd1.iso******************************** FreeBSD
       *********************************** Port *****************************
       Binary
       **********************************************************************************************************************************._*********************
       DVD *************************** DVD ******._

     * -memstick.img******************************** FreeBSD
       *********************************** Port
       *********._************************************************ USB
       ***************._

     * -mini-memstick.img******** -bootonly.iso********************
       (******************)*******************************************
       *** 2.3.1.1, "****************** USB" ******************************
       USB *********._

   ***********************************************************
   CHECKSUM.SHA256._FreeBSD ****** sha256(1) ***************************
   ********* (Checksum)***************** sha256
   imagefilename********************************************._

   ****************************** CHECKSUM.SHA256
   ********************************************************************************************************************************._

    2.3.1.1. ****************** USB

   *.img *********************************************
   (image)**************************************************************._************************************
   *.img *** USB **************************************._

  ******:

   ***************************** USB
   ***********************************************************************._

   ****** 2.1. ****** dd ******************

  ******:

   *************** /dev/da0
   *****************************************************._
   *****************************************************************************************************************************._

     * dd(1) ****************** BSD, Linux(R) ******Mac OS(R)
       ******************._********* dd *************************** USB
       ***********************************************._*********************************************
       USB ************************._************************ FreeBSD
       ************ amd64 *************************** USB ******._

 # dd if=FreeBSD-10.2-RELEASE-amd64-memstick.img of=/dev/da0 bs=1M conv=sync

       ************************************** USB
       *******************************************************************************************************._************************************
       sudo(8) *********************._*** dd(1)
       *****************************************************************
       Mac OS(R) ********************* bs=1m******** Linux(R)
       ****************************************************************************************
       sync(8)._

   ****** 2.2. ****** Windows(R) ******************

  ******:

   ***********************************************************************************************************._

    1. ****** Image Writer Windows(R) ***

       Image Writer Windows(R) ***
       **************************************************************************._******
       https://sourceforge.net/projects/win32diskimager/
       **************************************._

    2. *** Image Writer ***************

       ****** Win32DiskImager ******************._ ****** Device
       ******************************************************._
       *********************************************************._ ******
       [ Save ] ************************._
       ********************************************************************************._
       ******************************** [ Write ]
       ***************************._

   *************************** FreeBSD ._

2.4. ************

  ******:

   *****************************************************************************

 Your changes will now be written to disk.  If you
 have chosen to overwrite existing data, it will
 be PERMANENTLY ERASED. Are you sure you want to
 commit your changes?

   ************************************************************************************************************************************************************._

   ********************************* *** 2.3.1, "*********************"
   ***************************************._*********************
   USB***************************** USB *********._********* CD ***
   DVD**************************************************._************************************************************************************._

  2.4.1. *** i386(TM) *** amd64 ******

   ************************ BIOS
   ****************************************************************************
   CD/DVD *** USB
   *********************************._********************************************************************************************BIOS*****************************
   F10, F11, F12 *** Escape ************._

   ***************************************************** FreeBSD
   *******************************

    1. ***********************************************************************************************************************._

    2. *************** BIOS
       **************************************************************************._

    3. *******************************************************************************************
       Plop Boot Manager (http://www.plop.at/en/bootmanagers.html)
       *********************************._

  2.4.2. *** PowerPC(R) ******

   ***************************************************** C*********** CD
   ******._********* Apple(R) ********************* Command+Option+O+F ***
   Windows+Alt+O+F******** 0 > *****************

 boot cd:,\ppc\loader cd:0

  2.4.3. *** SPARC64(R) ******

   ********* SPARC64(R) ************************************** CD ******
   FreeBSD ************ PROM._

   *********
   PROM*****************************************************._**********************************************************

 Sun Blade 100 (UltraSPARC-IIe), Keyboard Present
 Copyright 1998-2001 Sun Microsystems, Inc.  All rights reserved.
 OpenBoot 4.2, 128 MB memory installed, Serial #51090132.
 Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.

   ******************************************************** L1+A *** Stop+A
   *************** Console ****** BREAK._********* tip *** cu, ~#
   ************ BREAK *****PROM ****************** CPU ***************
   ok**SMP *************** ok {0} ******************************** CPU ***._

   ************** CD ********************* PROM ****************** boot
   cdrom._

  2.4.4. FreeBSD ************

   *******************************************************

   ****** 2.1. FreeBSD ************************
   FreeBSD ************************

   ********************* FreeBSD
   ********************************************* 10 ***********************
   FreeBSD*********************** FreeBSD
   *********._***************************************************** Space
   ***._********************************************,_***************._***************************._

     * ************************ (Boot Multi User)***********************
       FreeBSD ****************************************************
       1,_*************** B *** Enter ***._

     * ************************ (Boot Single
       User)************************************** FreeBSD***** *** 12.2.4.1,
       "******************" ******._****** 2,_*************** S
       ******************._

     * *************************** (Escape to loader
       prompt)*********************************************************************************************************************
       *** 12.2.3, "*********"._****** 3 *** Esc ******************._

     * ************ (Reboot)********************._

     * ****************** (Configure Boot
       Options)************************************* ****** 2.2, "FreeBSD
       ******************"._

   ****** 2.2. FreeBSD ******************
   FreeBSD ******************

   ************************************._***************************************************************************************._

   ************************************************ (On) ******
   (Off)**************************************************._*****************************************************************._***********************************************

     * ACPI ****** (ACPI
       Support)****************************************************************
       (Off)._

     * ************ (Safe Mode)************** ACPI ****** (ACPI Support)
       ********* (Off)
       *********************************************************** (On)._

     * ************ (Single User)************************** (On)
       ********************* FreeBSD *** *** 12.2.4.1, "******************"
       **************************************** (Off)._

     * ************ (Verbose)************************** (On)
       ***********************************************************************************._

   *********************************** 1 *** Backspace
   *********************************** Enter ******************
   FreeBSD._FreeBSD
   *************************************************************************************************************************
   ****** 2.3, "************"._

   ****** 2.3. ************
   ************

   ****** Enter *************** [ Install ]
   **************************************************************************._
   ********************************************************************************************************._[ Shell ]
   *************** FreeBSD *** Shell
   ************************************************._[ Live CD ]
   ************************************ FreeBSD**Live
   ************************ *** 2.10, "****** Live CD"._

  ******:

   ****************************************************************************
   S ************ Enter ****** Shell._*** Shell ****************** more
   /var/run/dmesg.boot
   ************************************._************************ exit
   ******************._

2.5. ****** bsdinstall

   *************************************** bsdinstall
   *******************************************************************************************************
   Space *********************************._*********************** Enter
   ***************************************._

  2.5.1. ***************************

   ********************* Console**bsdinstall
   ************************************ ****** 2.4, "*********************"._

   ****** 2.4. *********************
   *********************

   ******************************** [ YES ] ******
   Enter************************** ****** 2.5,
   "******************"._********************************************************
   [ NO ] ************ Enter ************************._

   ****** 2.5. ******************
   ******************

   *****************************************************************************************************************
   (Keymap)************** Enter ************._

  ******:

   *** Esc
   *******************************************************************************************************United
   States of America ISO-8859-1 ************************._

   *** FreeBSD 10.0-RELEASE
   *********************************************************************************************************************._**********************************************************************************************************************._

   ****** 2.6. *********************************
   *********************************

  2.5.2. ******************

   ********* bsdinstall ***************************************************._

   ****** 2.7. ******************
   ******************

   *******************************************************************************************
   machine3.example.com._

  2.5.3. ************************

   ********* bsdinstall ***************************************._

   ****** 2.8. ************************
   ************************

   ***************************************************************************************._FreeBSD
   ****** (Kernel) *** Userland ********* ************ (Base
   system)**************************._*******************************************************

     * doc -
       **********************************************************************
       /usr/share/doc._*** FreeBSD
       **************************************************************
       *** 23.3, "***************" ******************._

     * games - ************ BSD ************** fortune, rot13 ************._

     * lib32 - *** 64-bit ********* FreeBSD ********* 32-bit
       ***************************************._

     * ports - FreeBSD Port
       *********************************,_*********************************************** 4,
       ***************************** Port *************************** Port
       *********._

  ******:

       ***********************************************************FreeBSD
       Port ********************* 500 MB
       **************************************************************************._

     * src - ********* FreeBSD *********************** (Kernel) ***
       Userland._********************************************************************************,_***************************
       Port ******************************************************** FreeBSD
       ***************._*************************** 1 GB
       *********************************** FreeBSD ********************* 5 GB
       *********._

  2.5.4. ***************

   *** ****** 2.9, "***************" ******************************
   -bootonly.iso CD
   ********************************************************************._***********************************************************************************._

   ****** 2.9. ***************
   ***************

   ***************************** Enter ************ *** 2.8.2,
   "*********************"
   *************************************************************************
   FreeBSD
   ******************************************************************************************************************************************._

   ****** 2.10. ***************
   ***************

   **************************************************************************._

2.6. ******************

   *********************************************************._

   ****** 2.11. FreeBSD 10.x ************************************
   FreeBSD 10.x ************************************

   ********* (Guided) *********************************************
   (Partition)******** (Manual)
   ***********************************************************************************
   Shell ********* Shell
   ********************************************************* gpart(8),
   fdisk(8) ****** bsdlabel(8) ***************************._ZFS
   ****************** FreeBSD 10
   *********************************************************** root-on-ZFS
   *************** ************ (Boot environment)._

   ***********************************************************************************************************._

  2.6.1. *********************

   **********************************************************************************************************************************************************************************
   /usr *******************************************************************/,
   swap, /var ****** /usr._

   ********************************* /var
   ***************************************************** (Mailbox),_*********
   (Log file) ******************
   (Spool)._*************************************************************************************************************************************
   /var ************ 1 GB *********************._

  ******:

   ********* /var/tmp
   ****************************************************************************************************
   /var/tmp._****** /var/tmp
   ********************************************************** Firefox, Apache
   OpenOffice *** LibreOffice ************._

   /usr *********************************************************** FreeBSD
   Port ***************************************************************** 2
   GB *********._

   **********************************************************************************************************************************._

   ***************************************************** (RAM)
   *********._********************* RAM
   ************************************************************************._***************************************
   VM
   ***********************************************************************************._

   ************ SCSI *************** IDE
   ********************************************************************************************************************._*********************************************._********************************************************************************
   4
   **************************************************************************************************************************************************._************************************************************************************************************************************************************************._

   *******************************************************************************************************************************************************************
   I/O ******._********************************************* I/O
   ***********************************************************************************
   /var ************************************************._

  2.6.2. *********************

   ***************************************************************************************************************************
   FreeBSD._

   ****** 2.12. *********************
   *********************

   **************************************************************************************************************************._*********
   [ Entire Disk ]**************************************************************._******
   [ Partition ]
   ***************************************************************._

   ****** 2.13. ******************************
   ******************************

   ***********************************************************************************._******
   [ Revert ] ***************************************************** [ Auto ]
   ****************************** FreeBSD
   *********._******************************,_***************._*****************************************
   [ Finish ] ************._

   ****** 2.14. ***************************
   ***************************

  2.6.3. ******************

   **************************************************

   ****** 2.15. *********************
   *********************

   *************************** (****************** ada0) ************
   [ Create ] ****************************************** (Partition scheme)**

   ****** 2.16. *********************
   *********************

   amd64 ********************************* GPT************** GPT
   ************************
   MBR._***************************************************************************._

   ****** 2.1. *********************

   ****** ******                                                              
   APM    Apple Partition Map******** PowerPC(R)._                            
          *** MBR *** BSD ************** BSD                                  
   BSD    ***********************************************************         
          ****************** (Dangerously dedicated mode)._                   
   GPT    GUID ************                                                   
          (http://en.wikipedia.org/wiki/GUID_Partition_Table)._               
   MBR    *************** (http://en.wikipedia.org/wiki/Master_boot_record)._ 
   PC98   ****** MBR ************** NEC PC-98 ******                          
          (http://en.wikipedia.org/wiki/Pc9801)._                             
   VTOC8  Volume Table Of Contents******** Sun SPARC64 *** UltraSPARC         
          ******._                                                            

   ***************************************************** [ Create ]
   ************************._Tab ************************************._

   ****** 2.17. *********************
   *********************

   ********* FreeBSD GPT **************************************

     * freebsd-boot - ****** FreeBSD ************ (Boot code)._

     * freebsd-ufs - FreeBSD *** UFS ************._

     * freebsd-swap - FreeBSD ************._

   ******************************************
   freebsd-zfs***************************** FreeBSD ZFS ************ (*** 19,
   Z ************ (ZFS))._********* gpart(8) *************** GPT
   *********************._

   ********************************************************************************************
   /, /var, /tmp ****** /usr *********************************._*********
   ****** 2.1, "******************************************" *********._

   ****** (Size) ********************************************K ****** KB, M
   ****** MB, G ****** GB._

  ******:

   *************************** (Sector)
   ***************************************************** 4 KB
   ****************************************************** 512-byte ***
   4K-byte ******._************************************** 1M *** 1G
   ************************************************************ 4K
   ***************************._***********************freebsd-boot
   ****************************** (Boot code) *********************** 512K._

   *********************************************************
   (Mountpoint)*********************** UFS
   *********************************** /._

   ****** (Label)
   *************************************************************************************************************************************************************._******************
   /etc/fstab
   ***********************************************************************************************************************._GPT
   ***************************************
   /dev/gpt/._*****************************************************************
   /dev/ *********************._

  ******:

   **************************************************************************************************************,_******,_*********************._**************
   labroot *** rootfslab ************************ lab *** UFS
   ******************._

   ****** 2.1. ******************************************

   ****************************** /, /var, /tmp ****** /usr
   *********************************************._********* GPT
   ********************************************************._***************
   20G
   ****************************************************************************************************
   (Swap) *** /var ***************._*************************** ex
   *****************
   "example"**************************************************************._

   ****** FreeBSD *** gptboot ****************** UFS ************ /
   *********._

   ***************              ******               *********  ******  
   freebsd-boot    512K                                                 
   freebsd-ufs     2G                                /         exrootfs 
   freebsd-swap    4G                                          exswap   
   freebsd-ufs     2G                                /var      exvarfs  
   freebsd-ufs     1G                                /tmp      extmpfs  
   freebsd-ufs     *************** (***************) /usr      exusrfs  

   ************************************** [ Finish ] ************._

  2.6.4. Root-on-ZFS ******************

   *** FreeBSD 10.0-RELEASE *************************** root-on-ZFS
   ***************._**************************************************************************************._*********************************
   4k ****************************** ZFS ****** 4k ****** (Sector)._*********
   512 ************************************************************** 512
   ********************************* (Pool) ********************* 4k
   ********************************************************************************************._*********************************
   GELI ***************** *** 17.12.2, "****** geli ***************"
   ******************************************************* /boot *********
   2 GB
   ********************************************************************************************._***************************
   ZFS ***************._

   ****** ZFS
   ******************************************************************._

   ****** 2.18. ZFS ******************
   ZFS ******************

   ****** T ************************ (Pool Type)
   *********************************._****** ZFS
   ********************************************* vdev*****************
   (Stripe) ******._***************************************** *** 2.6.5,
   "Shell ******************"
   ***************************._***********************************************************
   Stripe (*****************************),_****** Mirror
   (***********************************) ****** RAID-Z 1, 2, *** 3
   (*************************** 1, 2 *** 3
   ******************)._********************************************************************************************
   RAID-Z ***********************************._

   ****** 2.19. ZFS ***************
   ZFS ***************

   *************** (Pool Type)
   *************************************************************************************************************._**********************************************************************************
   (<Change Selection>) ****************************** (<Cancel>)
   ************************._

   ****** 2.20. ************
   ************
   ****** 2.21. ***************
   ***************

   *************************************************************************************************************************
   (- Rescan Devices)
   ******************************._**************************************************
   (- Disk Info)
   **************************************************************************************************
   (************)._

   ****** 2.22. ************
   ************

   *** ZFS ***************************************************,_************
   4k ************,_*********************,_****** GPT (******) *** MBR
   *********************************************._***********************************************************************
   (>>> Install) ******._

   ************ GELI
   **************************************************************************._

   ****** 2.23. ******************
   ******************

   ************************************************************************************************
   ZFS *********************._

   ****** 2.24. ************
   ************

   *********************************._

  2.6.5. Shell ******************

   *****************************bsdinstall
   ******************************************************._***************************************************
   Shell ******************************,_******************,_******
   /tmp/bsdinstall_etc/fstab *************************** /mnt
   ***._******************************** exit ********* bsdinstall
   ******************._

2.7. ************

   *********************************************************************************************************************************************
   [ Back ] ******************************._[ Revert & Exit ]
   ********************************************************._

   ****** 2.25. ************
   ************

   *********************************** [ Commit ] ************ Enter._

   ***************************************,_************,_**************************************************************************************._

   *************************************************************************._*****************************
   (Boot only) ********************************************

   ****** 2.26. *********************
   *********************

   *******************************************************************************************************************************************

   ****** 2.27. *********************
   *********************

   ****************************************************************

   ****** 2.28. *********************
   *********************

   *****************************************bsdinstall
   ********************************************************************************************._

2.8. *********************

   FreeBSD *****************bsdinstall
   *****************************************************************************************************._

  ******:

   ********************bsdconfig
   ******************************************************************************************._

  2.8.1. ****** root ******

   ******************** root
   ****************************************************************************._***********************************************************************._

   ****** 2.29. ****** root ******
   ****** root ******

  2.8.2. *********************

   ***********************************************************._******************************._

  ******:

   ********* bootonly
   *****************************************************************************._

   ****** 2.30. *********************
   *********************

   *****************************************************************************
   ****** 2.34, "****** IPv4
   ******"*******************************************************************************
   (Wireless Access Point)**

   ****** 2.31. ***************************
   ***************************

   ********************* Service Set Identifier (SSID) ***********SSID
   ***************,_***********************************************._
   ****************** SSID
   ***********************************************************._
   ****************** SSID *********************************** [ Rescan ]
   ***********************************************************************************************************************************************************************************._

   ****** 2.32. ******************
   ******************

   ***********************************************************._******************
   WPA2 ************************************* WEP
   ***************************._*************** WPA2
   ***************************** Pre-Shared Key
   (PSK)._**************************************************************._

   ****** 2.33. WPA2 ******
   WPA2 ******

   ***********************************************************************
   IPv4 ********

   ****** 2.34. ****** IPv4 ******
   ****** IPv4 ******

   *************************** IPv4._ DHCP
   *************************************************** DHCP
   *********************._***********************************************************._

  ******:

   *****************************************************._*********************
   DHCP ******************************************************** (Internet
   Service Provider, ISP) ************ ********************* *********._

   *************** DHCP ******************************************** [ Yes ]
   *********************************._********* DHCP
   ********************************************************************************************._

   ****** 2.35. ****** IPv4 DHCP ******
   ****** IPv4 DHCP ******

   ****************** DHCP ******************** [ No ]
   **************************************************

   ****** 2.36. IPv4 ******************
   IPv4 ******************
     * IP ****** (IP Address) - *************************** IPv4
       ******._******************************************************************************._

     * *************** (Subnet Mask) - ************************._

     * *************** (Default Router) - IP
       ************************************._

   ****************************************************** IPv6
   ******************************** IPv6*********** [ Yes ]._

   ****** 2.37. ****** IPv6 ******
   ****** IPv6 ******

   ********************************* IPv6._StateLess Address
   AutoConfiguration (SLAAC)
   ***********************************************************************
   http://tools.ietf.org/html/rfc4862
   *********************._*********************************************._

   *************** IPv6 ***************************************** [ Yes ]
   ******************************._*****************************************************************************************************._

   ****** 2.38. ****** IPv6 SLAAC ******
   ****** IPv6 SLAAC ******

   ****************** IPv6 ******************** [ No ]
   **************************************************

   ****** 2.39. IPv6 ******************
   IPv6 ******************
     * IPv6 ****** (IPv6 Address) - *************************** IPv6
       ******._******************************************************************************._

     * *************** (Default Router) - IPv6
       ************************************._

   ************************************************************ (Domain Name
   System, DNS)
   ***********************************************************._************
   DHCP *** SLAAC *********************************************** (Resolver
   Configuration)
   ***********************************************************************************
   (Search) ******._ DNS #1 *** DNS #2 ********* DNS ************ IPv4
   ***/*** IPv6 ***************************** DNS *********._

   ****** 2.40. DNS ******
   DNS ******

  2.8.3. ************

   ************************************************ UTC ******************._
   ************************ [ No ]******************************._

   ****** 2.41. *************** UTC ******
   *************** UTC ******

   ******************************************************,_*********************************************._*****************************************************************************************************************************._

   *****************************************************************************************._

   ****** 2.42. ************
   ************

   ************************************************ Enter._

   ****** 2.43. ************
   ************

   ************************************************ Enter._

   ****** 2.44. ************
   ************

   ************************************************ Enter._

   ****** 2.45. ************
   ************

   **************************************************** Enter
   *********************._

  2.8.4. ************

   ******************************************************************************._***********************************************************************._

   ****** 2.46. ******************************
   ******************************

   **************************************************

     * sshd - Secure Shell (SSH) Daemon
       *****************************************************************************************************._

     * moused - ********************* Console
       *****************************************._

     * ntpd - ************************ (Network Time Protoco, NTP) Daemon
       ************************._************************ Windows(R),
       Kerberos *** LDAP ********************************._

     * powerd - ******************************************************._

  2.8.5. ****************** (Crash Dump)

   ****************************************************** (Crash
   dump)****************************************************************************************._

   ****** 2.47. ****************** (Crash Dump)
   ****************** (Crash Dump)

  2.8.6. ***************

   ******************************************************._************ root
   *********************************************** root
   **************************************************._
   *********************************************._

   ****** [ Yes ] *********************._

   ****** 2.48. *********************
   *********************

   *********************************************************** 2.49,
   "*********************" ********************* asample ***************._

   ****** 2.49. *********************
   *********************

   ***********************************

     * *************** (Username) -
       *************************************************************************************************************************************************._***************************************************************._

     * ****** (Full name) -
       **************************************************************************************._

     * Uid - *********
       ID*************************************************************._

     * ************ (Login group) -
       *****************************************************************._

     * *********************************? (Invite user into other groups?) -
       ****************************************************************************************************
       wheel._

     * ************ (Login class) - *********************************._

     * Shell - ************************************************************
       Shell*********** *** 3.9, "Shell" ****************** Shell *********._

     * ********* (Home directory) -
       ********************************************************._

     * *************** (Home directory permissions) -
       **************************************************************._

     * ************************************? (Use password-based
       authentication?) - ************
       (yes)*****************************************._

     * ******************? (Use an empty password?) - ************
       (no)**************************************._

     * ******************? (Use a random password?) - ************
       (no)*****************************************************._

     * ************ (Enter password) -
       *****************************************************************._

     * ********************* (Enter password again) -
       ************************************._

     * ******************************? (Lock out the account after creation?)
       - ************ (no)********************************._

   ***************************************************************************************
   (no) *******************************************************************
   (yes) ******************************._

   ****** 2.50. ******************************
   ******************************

   ***********************************************************************?
   (Add another user?) ************ (yes)._********* (no)
   ******************************************._

   ********************************************************************
   *** 3.3, "******************************"._

  2.8.7. ************

   ***********************************************************************************._

   ****** 2.51. ************
   ************

   ******************************************************************************._

     * *************** (Add User) - ********* *** 2.8.6, "***************"._

     * Root ****** (Root Password) - ********* *** 2.8.1, "****** root
       ******"._

     * ************ (Hostname) - ********* *** 2.5.2, "******************"._

     * ****** (Network) - ********* *** 2.8.2, "*********************"._

     * ****** (Services) - ********* *** 2.8.4, "************"._

     * ****** (Time Zone) - ********* *** 2.8.3, "************"._

     * ************ (Handbook) - *************** FreeBSD ************._

   *********************************** Exit._

   ****** 2.52. ************
   ************

   bsdinstall
   ***************************************************************************************._******
   [ Yes ] ****************************** Shell *** [ No ]
   ***************************._

   ****** 2.53. ************
   ************

   ************************************************** [ Live CD ]
   ****************************** Live CD ******._

   ************************** [ Reboot ] ************************************
   FreeBSD ******._****************** FreeBSD
   ***********************************************************._

   FreeBSD
   ******************************************************************************************************
   login:
   ***********************************************._***************************
   root*********** *** 3.3.1.3, "*********************"
   *********************************************************************._

   ****************************************** Scroll-Lock
   ***************************************** PgUp, PgDn
   ******************************._************************ Scroll-Lock
   ***************************************
   Console._******************************************************************************
   less /var/run/dmesg.boot***************** q ************************._

   ****** ****** 2.46, "******************************" *********
   sshd******************** RSA *** DSA
   ********************************************************************************._******************************
   (Fingerprint)*******************

 Generating public/private rsa1 key pair.
 Your identification has been saved in /etc/ssh/ssh_host_key.
 Your public key has been saved in /etc/ssh/ssh_host_key.pub.
 The key fingerprint is:
 10:a0:f5:af:93:ae:a3:1a:b2:bb:3c:35:d9:5a:b3:f3 root@machine3.example.com
 The key's randomart image is:
 +--[RSA1 1024]----+
 |    o..          |
 |   o . .         |
 |  .   o          |
 |       o         |
 |    o   S        |
 |   + + o         |
 |o . + *          |
 |o+ ..+ .         |
 |==o..o+E         |
 +-----------------+
 Generating public/private dsa key pair.
 Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
 Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
 The key fingerprint is:
 7e:1c:ce:dc:8a:3a:18:13:5b:34:b5:cf:d9:d1:47:b2 root@machine3.example.com
 The key's randomart image is:
 +--[ DSA 1024]----+
 |       ..     . .|
 |      o  .   . + |
 |     . ..   . E .|
 |    . .  o o . . |
 |     +  S = .    |
 |    +  . = o     |
 |     +  . * .    |
 |    . .  o .     |
 |      .o. .      |
 +-----------------+
 Starting sshd.

   ********* *** 13.8, "OpenSSH" ****************************** SSH
   *********._

   FreeBSD *********************************************** *** 5, X Window
   ****** ***************************************************************._

   ************ FreeBSD
   *********************************************************._********************************************************
   *************** wheel ******************************************** su
   ************ root ******************************._************ shutdown -p
   now
   **********************************************************************._

2.9. ************

   ***********************************************************************************._

   ********* FreeBSD ********* Hardware Notes
   (https://www.freebsd.org/releases/index.html)
   ************************************._**************************************************************************
   *** 8, ****** FreeBSD ****** ******************************************
   GENERIC
   ***************._************************************************************************
   IRQs, I/O *********** DMA
   *******************************************************************************
   FreeBSD ************************._

  ******:

   **************************************************************************************************._******************************
   BIOS*****************************************************************************************._

   ************************************************************************
   BIOS********************************************************************************
   BIOS ************************._

   ********************************************************************************
   ACPI**FreeBSD *** i386, amd64 *** ia64 ****************************** ACPI
   ***********************************************************************._**************ACPI
   ********************************* BIOS
   *********************************._*********************************************
   hint.acpi.0.disabled Hint ********* ACPI**

 set hint.acpi.0.disabled="1"

   ******************************************************** /boot/loader.conf
   ************
   hint.acpi.0.disabled="1"._*********************************************
   *** 12.1, "******" ******._

2.10. ****** Live CD

   *** ****** 2.3, "************" ****** bsdinstall ************************
   [ Live CD ] *********************** FreeBSD
   ********************************************************************************************************************._

   ********* [ Live CD ] **************************************

     * ********************************************._****************** root
       *********************._

     * *******************************************************************************************._

     * ***********************************************************._

*** 3. FreeBSD ******

   ************

   3.1. ******

   3.2. ****** Console ************

   3.3. ******************************

   3.4. ******

   3.5. ************

   3.6. ************

   3.7. ***************************

   3.8. ********* Daemon

   3.9. Shell

   3.10. ***************

   3.11. *********************

   3.12. ************

3.1. ******

   ****************************** FreeBSD
   ************************************._ ********************* UNIX(R)-like
   ******************************._
   ***********************************************************._
   ****************** FreeBSD**************************************._

   ****************************

     * ************ FreeBSD ********* Console._

     * ********* FreeBSD *********************************._

     * UNIX(R) ****************** FreeBSD ***************************._

     * ********* FreeBSD ******************._

     * FreeBSD ***************._

     * ************ (Mount),_****** (Umount) ************._

     * ***************,_Daemon ************ (Signal)._

     * ********* Shell********************************************._

     * ************************************._

     * *************** (Device) *************** (Device node)._

     * ************************************************._

3.2. ****** Console ************

   ****************** FreeBSD
   *******************************************************************************************************

 FreeBSD/amd64 (pc3.example.org) (ttyv0)

 login:

   ***********************************************amd64
   ****************************************** 64-***************
   FreeBSD************************** pc3.example.org**ttyv0 ***************
   "****** Console"._************************************._

   FreeBSD
   ********************************************************************************._******************************************************"******"*********************************************._*********************************************************
   ("username") *************** ("password")._

   *************** Console
   ************************************************************** *** 2.8.6,
   "***************"*********** Enter._
   ********************************************* Enter._
   *********************************************************._

   ***************************************************************** (Message
   of the day,
   MOTD)*************************************************************************
   Shell ************************************ #, $ ****** %._
   *************************************************** FreeBSD ****** Console
   *********************************._

  3.2.1. ****** Console

   ************ Console
   ********************************************************************
   FreeBSD *************************************** Console ******._
   ******************************************
   Console*******************************************************************************************._

   FreeBSD ************************ Console *****************************
   Console ****************************** Shell
   ****************************** Console *********._
   ***************************************************************************************************._

   ********* Alt+F1 *** Alt+F8 *** FreeBSD ************************
   Console******** Alt+F1 ****************** Console (ttyv0)**Alt+F2
   ************************ Console (ttyv1)**Alt+F3 ************************
   Console (ttyv2)**************._********* Xorg *************** Console
   ************************** Ctrl+Alt+F1 *********************************
   Console._

   *************** Console *****************************FreeBSD
   ********************************
   ************************************************************************
   FreeBSD ******._ ****************** Console
   ****************************************************** Console
   ***************._

   ********* kbdcontrol(1), vidcontrol(1), atkbd(4), syscons(4) ****** vt(4)
   ********************* FreeBSD Console
   ************************************._

   FreeBSD ********* Console ****************** /etc/ttys
   **************************

 # name    getty                         type  status comments
 #
 ttyv0   "/usr/libexec/getty Pc"         xterm   on  secure
 # Virtual terminals
 ttyv1   "/usr/libexec/getty Pc"         xterm   on  secure
 ttyv2   "/usr/libexec/getty Pc"         xterm   on  secure
 ttyv3   "/usr/libexec/getty Pc"         xterm   on  secure
 ttyv4   "/usr/libexec/getty Pc"         xterm   on  secure
 ttyv5   "/usr/libexec/getty Pc"         xterm   on  secure
 ttyv6   "/usr/libexec/getty Pc"         xterm   on  secure
 ttyv7   "/usr/libexec/getty Pc"         xterm   on  secure
 ttyv8   "/usr/X11R6/bin/xdm -nodaemon"  xterm   off secure

   *************** Console ************************ Console
   ****************************************** (#)._ ******************
   Console ************ 8 ********* 4 ************** # ******************
   Console *** ttyv5 *** ttyv8 ************************._ ***************
   Console ttyv0 ******************._ ******************** *** 5, X Window
   ****** *************** Xorg ******************************** Console
   (ttyv8)._

   ***************************************************** ttys(5) ******._

  3.2.2. ******************

   FreeBSD ************************************ "Boot Single
   User"********************************************** "******************"
   ***************._
   ****************************************************************** root
   ******._ *********************************************************
   Console************** root
   ******************************************************** root ******._
   *************************************************************************
   FreeBSD *********************************************************._

   *************************************** /etc/ttys
   *****************************

 # name  getty                           type  status  comments
 #
 # If console is marked "insecure", then init will ask for the root password
 # when going to single-user mode.
 console none                            unknown  off  secure

   *********************
   (secure)********************************************************************************************._
   *************************** (insecure)
   **************************************************************************._
   ********************************* (insecure)
   **********************************************FreeBSD ******************
   root *********._

  ******:

   ****************************** insecure** ****************** root
   ****************************************************************************************
   FreeBSD *********************************._

  3.2.3. ****** Console ************

   FreeBSD Console ********************************* 1024x768,_1280x1024
   ******************************************************._
   *************************************** VESA ********

 # kldload vesa

   *********************************************** vidcontrol(1)._
   ***********************************************************

 # vidcontrol -i mode

   *****************************************************************************************
   root *************** vidcontrol(1) ********

 # vidcontrol MODE_279

   ***************************************** /etc/rc.conf
   ****************************************************

 allscreens_flags="MODE_279"

3.3. ******************************

   FreeBSD
   **********************************************************************************************************************************************************************************._************************************************************._

   **************

     * FreeBSD ***************************************._

     * ************,_******************************._

     * ************************************************************************._

     * ******************************************************._

  3.3.1. ************

   *************** FreeBSD
   *******************************************************************************************************************************************._

   ********************************************,_******************************************._

    3.3.1.1. ************

   **************************************
   DNS,_******************************************************************************************************************************************************************._

   ************************ daemon, operator, bind, news, and www._

   nobody
   *********************************._********************************************
   nobody****************************************************************************************************._

    3.3.1.2. ***************

   ********************************************************************._********************************************************************************************************************************************************************._

   *****************************************************************************************************
   Shell,_*********,_********* (Key Binding) ***************._

   ********* FreeBSD ********************************************************

   *************** (User name)

           *** login:
           *****************************************************************************************************._***********************************************************
           passwd(5) ************._************************ 8
           ********************************************************************************._

   ****** (Password)

           ***************************._

   ********* ID (UID)

           ********* ID (User ID, UID)
           ****************************************** FreeBSD
           ***********************************************************************************
           UID._****************** 65535 ***
           UID**************************************************************._

   ****** ID (GID)

           ****** ID (Group ID, GID)
           ************************************************************************._***************************
           UID ************************ GID
           *********************************._***************************************************************************************************._************
           65535 ************ GID******************** GID
           ************************************._

   ************ (Login class)

           ************ (Login class)
           *****************************************************************************************._***
           *** 13.13.1, "******************"
           ***************************************._

   ****************** (Password change time)

           ***************************************************************************************************************************************************************************._

   ****************** (Account expiration time)

           *************** FreeBSD
           ************************._*********************************************************************************
           pw(8)
           ***************************._*******************************************************************************************************._

   ****************** (User's full name)

           ****************************************** FreeBSD
           ***********************************************************._********************************************,_************************
           8 ******************._

   ********* (Home directory)

           **************************************************************************************************._*********************************************
           /home/username ***
           /usr/home/username._***************************************************************************************._

   ********* Shell (User shell)

           Shell
           ***************************************************._************************
           Shell*************************************************************************************._

    3.3.1.3. *********************

   ***********************************
   root***************************************************************************************************************************************,_************************************._

   *************************************************************************************************************************************************._**********************************************************************************************************************************************************************._

   ***********************************************************************************************************************************************._

   ********************************************************************************
   root*****************************._

   ********* su(1) ************************._*************************** -
   ***************************** root
   ******************._************************************ wheel
   ********************************._*************************** root
   ************************._

   ******************************************** make install
   **************************************************************************._**************************************
   exit ***************************************************************._

   ****** 3.1. ***************************************

 % configure
 % make
 % su -
 Password:
 # make install
 # exit
 %

   ********* su(1)
   ***************************************************************************************._************************
   security/sudo *********
   Port._***************************************************************************************************************._

  3.3.2. ************

   FreeBSD
   ***********************************************************************************
   ****** 3.1,
   "******************************"********************************._*********************************************************************************._

   ****** 3.1. ******************************

   ******                                  ******                                
 adduser(8) ******************************************************._             
 rmuser(8)  ***************************************************._                
 chpass(1)  *********************************************._                      
 passwd(1)  *********************************************._                      
 pw(8)      ******************************************************************._ 

    3.3.2.1. adduser

   ******************************************
   adduser(8)._*****************************************************
   /etc/passwd ******
   /etc/group*********************************************** (******
   /usr/share/skel
   *********************)*****************************************************************._*********************************************._

   adduser(8)
   *****************************************************************************._***
   ****** 3.2, "*** FreeBSD ***************"
   ************************************** Return
   ******************************._*****************************************
   wheel ******************************** su(1)
   *********************._**************************************************************************._

   ****** 3.2. *** FreeBSD ***************

 # adduser
 Username: jru
 Full name: J. Random User
 Uid (Leave empty for default):
 Login group [jru]:
 Login group is jru. Invite jru into other groups? []: wheel
 Login class [default]:
 Shell (sh csh tcsh zsh nologin) [sh]: zsh
 Home directory [/home/jru]:
 Home directory permissions (Leave empty for default):
 Use password-based authentication? [yes]:
 Use an empty password? (yes/no) [no]:
 Use a random password? (yes/no) [no]:
 Enter password:
 Enter password again:
 Lock out the account after creation? [no]:
 Username   : jru
 Password   : ****
 Full Name  : J. Random User
 Uid        : 1001
 Class      :
 Groups     : jru wheel
 Home       : /home/jru
 Shell      : /usr/local/bin/zsh
 Locked     : no
 OK? (yes/no): yes
 adduser: INFO: Successfully added (jru) to the user database.
 Add another user? (yes/no): no
 Goodbye!
 #

  ******:

   *****************************************************************************************************._

    3.3.2.2. rmuser

   *********************************************************************
   rmuser(8)._***********************************

    1. ****************** crontab(1) ***********************._

    2. ********************************* at(1) ******._

    3. ***************************************._

    4. ******************************************._

    5. ********************************************************************._

    6. *** /var/mail ******************************************._

    7. ************************ (*** /tmp)
       ************************************._

    8. *********** /etc/group
       ******************************************************._**************************************************************************************************._******************
       adduser(8) *********************************************._

   rmuser(8)
   ********************************************************************************._

   **************************************************._

   ****** 3.3. rmuser *********************

 # rmuser jru
 Matching password entry:
 jru:*:1001:1001::0:0:J. Random User:/home/jru:/usr/local/bin/zsh
 Is this the entry you wish to remove? y
 Remove user's home directory (/home/jru)? y
 Removing user (jru): mailspool home passwd.
 #

    3.3.2.3. chpass

   ****************************** chpass(1) ************************ Shell
   ******************************************************._*********************************************************************************._

   *************************************************************chpass(1)
   ******************************************._*****************************************************************************._

  ******:

   *******************************************************************************************************._

   *** ****** 3.4, "********************************* chpass"
   ***************************** chpass jru
   ***************************************************._********* jru
   ****************************************************************
   ****** 3.5, "********************************* chpass" ******._

   ****** 3.4. ********************************* chpass

 #Changing user database information for jru.
 Login: jru
 Password: *
 Uid [#]: 1001
 Gid [# or name]: 1001
 Change [month day year]:
 Expire [month day year]:
 Class:
 Home directory: /home/jru
 Shell: /usr/local/bin/zsh
 Full Name: J. Random User
 Office Location:
 Office Phone:
 Home Phone:
 Other information:

   ****** 3.5. ********************************* chpass

 #Changing user database information for jru.
 Shell: /usr/local/bin/zsh
 Full Name: J. Random User
 Office Location:
 Office Phone:
 Home Phone:
 Other information:

  ******:

   ****** chfn(1) ****** chsh(1) ************ chpass(1)***********
   ypchpass(1), ypchfn(1) ****** ypchsh(1) *********._****** NIS
   ************************************************** yp************** NIS
   ****** 29, *************** ************._

    3.3.2.4. passwd

   ************************************ passwd(1)
   *********************._*******************************************************************************************************************

   ****** 3.6. ******************

 % passwd
 Changing local password for jru.
 Old password:
 New password:
 Retype new password:
 passwd: updating the database...
 passwd: done

   ******************************************************************
   passwd(1)
   ************************._**********************************************************************************************************************************************._

   ****** 3.7. *********************************************************

 # passwd jru
 Changing local password for jru.
 New password:
 Retype new password:
 passwd: updating the database...
 passwd: done

  ******:

   ****** chpass(1)**yppasswd(1) ********* passwd(1)******** NIS
   ******************************._

    3.3.2.5. pw

   pw(8)
   ******************,_******,_***********************************************************************************************._pw(8)
   **************************************************************************
   Shell
   scripts********************************************************************************._

  3.3.3. ************

   ************************************************************** GID
   *********._*** FreeBSD************************** UID
   ***************************************************************._************************************
   GID ******************************************._

   *************** GID ******************
   /etc/group._******************************************************************************************************************************************************
   GID
   ******************************************************._********************************************
   group(5)._

   ************************************************
   /etc/group***************** pw(8)
   *********************._***************************** teamtwo
   *****************************************

   ****** 3.8. ****** pw(8) ************

 # pw groupadd teamtwo
 # pw groupshow teamtwo
 teamtwo:*:1100:

   **************1100 *** teamtwo *** GID._****** teamtwo
   ***************************************** jru ****** teamtwo *********._

   ****** 3.9. ****** pw(8) ************************************

 # pw groupmod teamtwo -M jru
 # pw groupshow teamtwo
 teamtwo:*:1100:jru

   *** -M
   **************************************************************************
   (******)
   ***************************************._***************************************************************************************
   (*********)************** pw(8) ****** groupshow
   **************************************************************************
   id(1) ***************************************._********* pw(8)
   ******************************************************** /etc/group
   ****************** /etc/passwd *********************._

   ****** 3.10. ****** pw(8) ************************

 # pw groupmod teamtwo -m db
 # pw groupshow teamtwo
 teamtwo:*:1100:jru,db

   ******************** -m
   *****************************************************************************._*************************************************************************************************._

   ****** 3.11. ****** id(1) *********************

 % id jru
 uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)

   **************jru ********* jru ****** teamtwo *********._

   ****************************************** /etc/group ********************
   pw(8) ****** group(5)._

3.4. ******

   *** FreeBSD
   **********************************************************************************************************._*****************************************************************************************************************************************************************************._

   ****************** FreeBSD ********************* UNIX(R)
   ******._************************************************** *** 13.9,
   "******************"._

   ***
   UNIX(R)**********************************************************,_***************._*********************************************,_*********************
   (***************)
   ******************._******,_****************************** r, w, and x
   ***************._***************************************************************************
   (0)._***************************************************** rwx******** r
   *************** 4**w *************** 2 ****** x *************** 1._

   ****** 4.1 ******************************************._*********
   "******************" ***********- *********************************._

   ****** 3.2. UNIX(R) ******

    ******                     ******                     ******************  
   0         ************, ************, ************    ---                  
   1         ************, ************, *********       --x                  
   2         ************, *********, ************       -w-                  
   3         ************, *********, *********          -wx                  
   4         *********, ************, ************       r--                  
   5         *********, ************, *********          r-x                  
   6         *********, *********, ************          rw-                  
   7         *********, *********, *********             rwx                  

   ****** ls(1) *********************** -l ********
   ******************************._
   ************************************************,_***************************._
   ****************************** ls -l****************************

 % ls -l
 total 530
 -rw-r--r--  1 root  wheel     512 Sep  5 12:31 myfile
 -rw-r--r--  1 root  wheel     512 Sep  5 12:31 otherfile
 -rw-r--r--  1 root  wheel    7680 Sep  5 12:31 email.txt

   ********* (*********)
   *************************************************************************************,_******************,_Socket
   *********************************** *****************-
   ***************************************._
   **************************************rw-
   ***************************************._ *****************************
   r-- ***************************************** ********************r--
   ******************************************._ ********* (-)
   *******************************************************
   ************************,_*****************************************************._
   ******************************************************** 644 ***********
   *********************************************._

   ************************************** ********* FreeBSD
   ***********************************************************,_***************************************._
   ************************************ /dev/ *********._

   ***********************************,_**************************
   ************************************************._
   ***************************************************** cd(1)
   ***************************._
   *****************************************************************************************************************._

   **************************************************************._
   ***********************************************************************
   ****** ***************._

   *************************************************************************
   setuid ************ sticky ******._
   ********************************************************************************
   chmod(1)._

  3.4.1. ************

   Contributed by Tom Rhodes.

   **************************************************************************************************************._
   ******************************
   (******)(******)(******)****************************

           ******               ******                 ************           
   (******)               u                   *********                       
   (******)               g                   ***************                 
   (******)               o                   ******                          
   (******)               a                   ****** ("world")                
   (******)               +                   ************                    
   (******)               -                   ************                    
   (******)               =                   ************                    
   (******)               r                   ******                          
   (******)               w                   ******                          
   (******)               x                   ******                          
   (******)               t                   Sticky ******                   
   (******)               s                   ****** UID *** GID              

   ********************* chmod(1)
   **************************************************._
   ********************************************************************
   FILE**

 % chmod go= FILE

   *************************************************** (,) ******._
   ************************************************** ("world") *********
   FILE ***************** *****************************************

 % chmod go-w,a+x FILE

  3.4.2. FreeBSD ************

   Contributed by Tom Rhodes.

   **************************************FreeBSD ************
   "************"._
   ***********************************************************************._******************************************
   root ************************************._

   *************** flag *************************************** chflags(1)
   ******._ **************************************************
   file1**********************

 # chflags sunlink file1

   *********************************************************** sunlink
   ********* "no"**********

 # chflags nosunlink file1

   ****** ls(1) ********* -lo ********************************

 # ls -lo file1

 -rw-r--r--  1 trhodes  trhodes  sunlnk 0 Mar  1 05:54 file1

   ************************ root
   ***********************************************************************._
   ************************************ chflags(1) *** chflags(2)
   ***************************._

  3.4.3. setuid ,_setgid *** sticky ******

   Contributed by Tom Rhodes.

   *************************************************************************************************************************
   setuid, setgid ****** sticky ******._

   ************************************************************ UNIX(R)
   ***********************************************._*****************************************************
   ID (Real user ID) ****************** ID (Effective user ID) *********._

   *************** ID ************************************ UID*********** UID
   ************************************ ID._********passwd(1)
   ********************************************************* ID
   ****************************************************************** root
   ********************* ID
   ********************************************************************************
   (Permission Denied) *********._

   setuid ********************************************* (4)
   *******************************

 # chmod 4755 suidexample.sh

   ****** suidexample.sh **************************

 -rwsr-xr-x   1 trhodes  trhodes    63 Aug 29 06:36 suidexample.sh

   ********s
   **********************************************************************************************************************************
   passwd(1) ***************._

  ******:

   mount(8) *** nosuid ********************* Binary
   **************************************._****** nosuid Wrapper
   ***********************************************************._

   ****************************************************************************************
   passwd._***********************************************************
   passwd(1) **************************

   ************ A**

 Changing local password for trhodes
 Old Password:

   ************ B**

 # ps aux | grep passwd

 trhodes  5232  0.0  0.2  3420  1608   0  R+    2:10AM   0:00.00 grep passwd
 root     5211  0.0  0.2  3620  1724   2  I+    2:09AM   0:00.01 passwd

   ************************************ passwd(1)*********************** root
   ********* UID._

   setgid ****************** setuid
   ******************************************************************************************************************************************._

   ****************** setgid ************** chmod(1) ****************** (2)**

 # chmod 2755 sgidexample.sh

   ***********************s ***********************************************

 -rwxr-sr-x   1 trhodes  trhodes    44 Aug 31 01:49 sgidexample.sh

  ******:

   *********************************************** Shell script
   *********************************************** EUID ****************** ID
   ******************** Shell script *************** setuid(2) ************
   (System call)._

   setuid *** setgid
   *************************************************************************************************************sticky
   bit********************************._

   ********************* sticky
   bit********************************************._*****************************
   /tmp
   *********************************************************._***********************************************
   (1)**

 # chmod 1777 /tmp

   sticky bit ************ t *****************************

 # ls -al / | grep tmp

 drwxrwxrwt  10 root  wheel         512 Aug 31 01:49 tmp

3.5. ************

   ****** FreeBSD ********************************************************._
   ***************************************************** "/" ********
   ************************************
   (mount)********************************************._
   ***********************************************************************._

   <'*********>'**************************************************************
   (************<'*********>'************) *********._ *** *** 3.6,
   "************" ******************************._
   *************************** /usr/, /var/, /tmp/, /mnt/ ****** /cdrom/._
   ****************************** /etc/fstab ************._ /etc/fstab
   ***************************************************._ ************
   /etc/fstab ******************************************** rc(8) Script
   ************************************** noauto ******._
   *************************** *** 3.7.1, "fstab ***"._

   ************************************************ hier(7)._
   **************************************************************._

    ******                                    ******                                
/               ************************._                                          
/bin/           ************ (Single-user),_************ (Multi-user)               
                *************************************** ._                          
/boot/          ******************************************,_*********._             
/boot/defaults/ *********************************************** loader.conf(5)._    
/dev/           ************ (Device node)***************** intro(4)._              
/etc/           ************************ Script ***._                               
/etc/defaults/  ***************************************** rc(8)._                   
/etc/mail/      ******************************** sendmail(8) ******************._   
/etc/periodic/  ******,_******,_************ cron(8)***********************         
                Script***************** periodic(8)._                               
/etc/ppp/       ppp(8) *********._                                                  
/mnt/           ******************************************************._            
/proc/          ****** (Process) ***************************** procfs(5) ***        
                mount_procfs(8)._                                                   
/rescue/        *************************************** (Statically linked)         
                ************************** rescue(8)._                              
/root/          root ******************._                                           
/sbin/          *************** (Single-user) *************** (Multi-user)          
                ****************************************** ._                       
/tmp/           ************._ ***************************** /tmp                   
                ***************************._ ************************************  
                (Memory-based) ************************ /tmp ***._                  
                ********************* tmpmfs ********* rc.conf(5)                   
                *************************** ._(********* /etc/fstab **************  
                *************** mdmfs(8))._                                         
/usr/           ******************************************,_*********************._ 
/usr/bin/       ************,_************,_************._                          
/usr/include/   ****** C include ******._                                           
/usr/lib/       ******************._                                                
/usr/libdata/   ******************************._                                    
/usr/libexec/   ****** Daemon ********************* (***************************)._ 
/usr/local/     ************************************,_***************._             
                ************** FreeBSD Port ***************************._           
                /usr/local *************************** /usr *********************** 
                hier(7) ******._ *** man ***********************************        
                /usr/local ************** /usr/local/share***** Port                
                ****************************** share/doc/port._                     
/usr/obj/       ********* /usr/src ******************************************._     
/usr/ports/     FreeBSD Port ********* (******)._                                   
/usr/sbin/      *************************** Daemon ***************._                
/usr/share/     ***************************._                                       
/usr/src/       BSD ********* (******************)._                                
/var/           *************************** (Log)                                   
                ***,_*********************,_************************ (Spool)        
                ******._******************************** (Memory-based)             
                ****************************** /var._ ********************* varmfs  
                ********* rc.conf(5) ***************************._(*********        
                /etc/fstab *********************************** mdmfs(8))._          
/var/log/       *************************** (Log) ***._                             
/var/mail/      ********************* (Mailbox) ******._                            
/var/spool/     ***************,_********************* (Spool) ******._             
/var/tmp/       ************._                                                      
                ***************************************************** /var          
                ****************************** (Memory-based) ***************._     
/var/yp/        NIS *********._                                                     

3.6. ************

   FreeBSD *********************************************************._
   ******************************************** readme.txt *** README.TXT
   ************************._ FreeBSD ********************* (.txt)
   ******************************,_************************************._

   ************************._
   ***********************************************************************._
   ********************************************
   ******************************************************._

   ********************************************************************************************
   (/)***********************************************._
   ************************ foo *****************************
   bar************************************** readme.txt
   ****************************************************************
   (Path)****** foo/bar/readme.txt._************ Windows(R)
   ********************************************* \ *********** FreeBSD
   *******************************************************************************
   FreeBSD ********************* c:\foo\bar\readme.txt ************._

   ************************************ (File system) ******._
   ***********************************************************************
   (Root directory)._
   ******************************************************._*********************************************************
   (Root file system) *** /*********************************** (Mount)
   ************************************** FreeBSD
   *****************************************************************._

   ******************************************** A, B *** C._
   *********************************************** A1, A2 (***************
   B1, B2 *** C1, C2)._

   *** A ************************************** ls(1)
   ************************************************************* A1 ***
   A2****************

   ************************************************************************._
   ******************** B ********* A1 *********** B ************************
   A1******** B ***********************************************

   *** B1 *** B2 ****************************************** /A1/B1 *** /A1/B2
   ************._ *************** /A1
   ******************************************** B ********* (Unmount)
   ************************._

   ****** B ********* A2 **********************

   ************************ /A2/B1 *** /A2/B2._

   *********************************************************._
   ***********************C ************************************ B *** B1
   ****************************

   ****** C *************** A *** A1 **************

   ************************************************************************************._
   ******************************._

   *********************************
     * ********************************************************* ************
       (Mount option)._
       *******************************************************************
       ***************************************************._
       ************************************ (****** /home)
       ********************************* nosuid
       ***********************************************************************
       suid/guid ***********************************._

     * FreeBSD
       ******************************************************************************._
       ********************************,_
       *********************************************************************************************._
       *****************************************************************._

     * FreeBSD ******************************************._
       ********************************************************************************._
       ***********************************************************************************
       ******************************************************._

   *********************************
     * *********************************._ ********************* FreeBSD
       ***********************************************************************************************************************************************************************************************._

  ******:

       FreeBSD *** growfs(8)
       ************************************************************._

   ************************ (Partition) ***._ ****** FreeBSD ****** UNIX(R)
   ***************************************************** (****** MS-DOS(R)
   *********) ******._****************************** (******) *********** a
   *** h._
   ******************************************************************************************************************************************************************************************._

   FreeBSD ****************************************** (Swap space)
   ************************ (Virtual memory)._
   *********************************************************._ *** FreeBSD
   *************************************************************************************************************************
   (******************************)._

   ***************************************._

******                                                  ******                                                  
a      ***************************._                                                                            
b      ************************._                                                                               
c      *********************************                                                                        
       (Slice)***********************************************._************************************************ 
       (******************************) ****** c                                                                
       ***************._******************************************************._                                
d      ****** d *****************************************************._************ d                           
       ************************._                                                                               

   *** FreeBSD ************************************ (Slice)********
   Windows(R) ************ 1 *** 4
   ******************._****************************************************************************************************._

   ************************************************** s ********************
   1 ************._ ****** "da0s1" *************** SCSI
   ***************************._
   **************************************************************************************************************._************************************
   5 ************** "ada0s5" ************ SATA
   ************************************._******************************************************
   (Device) ************************************._

   *********,_"************ (Dangerously dedicated)"
   ********************************************* (Partition)
   ************************ a *** h *********._
   ******************************************** "da0a" ************
   "dangerously dedicated" ********* da ****** a *********._ *** "ada1s3e"
   *************** SATA *********************************************._

   *********************************************************************************************************************************************************************************._***********************************
   0 ******._*************************** ****** 3.3, "******************"._

   ***********************************************************,_s,_*********************************._******************
   ****** 3.12, "******,_******************************"._

   ****** 3.13, "*********************"
   **************************************************************._

   *********
   FreeBSD*************************************************************************
   FreeBSD ************._ ******************************************
   (***************) ************************************************._

   ****** 3.3. ******************

      ***************                     ******************                  
   SATA *** IDE ******    ada *** ad                                          
   SCSI ********* USB     da                                                  
   ************           
   SATA *** IDE CD-ROM    cd *** acd                                          
   *********              
   SCSI CD-ROM *********  cd                                                  
   *********              fd                                                  
   *************** CD-ROM mcd ****** Mitsumi CD-ROM ****** scd ****** Sony    
   *********              CD-ROM *********                                    
   SCSI *********         sa                                                  
   IDE *********          ast                                                 
                          ************ aacd ****** Adaptec(R)                 
   RAID *********         AdvancedRAID**mlxd *** mlyd ****** Mylex(R)**amrd   
                          ****** AMI MegaRAID(R)**idad ****** Compaq Smart    
                          RAID**twed ****** 3ware(R) RAID.                    

   ****** 3.12. ******,_******************************

   ******                                ******                               
   ada0s1a ********* SATA ****** (ada0) *********************                 
           (s1)******************(a) ._                                       
   da1s2e  ********* SCSI ****** (da1) ********************* (s2)             
           ****************** (e) ._                                          

   ****** 3.13. *********************

   ************ FreeBSD ****************************** SATA
   ************************._ ******************************
   250 GB*********************** 80 GB ********************* 170 GB
   ************ (MS-DOS(R) ************)._ ********************* Windows(R)
   NTFS *************** C: ******************************** FreeBSD._
   ********************* FreeBSD ******************************************._

   ******************************************._ ****** a
   ******************,_****** d *** /var/,_****** e *** /tmp/*********** f
   *** /usr/._************ c
   *****************************************************************._

3.7. ***************************

   ***************************._/ ******************** /dev**/usr
   *************************************************************************************************
   /usr/local ***._

   ********************************************************************************._
   *** /var ****************************** log/**spool/
   ***************************************._
   ***********************************************************************************************
   /var *** / ************._

   **************************************************************************
   ***************************************************._
   ************************ (Network File System) *************** *** 29.3,
   "****************** (NFS)" ***************._

  3.7.1. fstab ***

   *** /etc/fstab ****************************************** (*** 12, FreeBSD
   ************) ******************************
   (********************************* noauto
   ******)._*****************************

 device       /mount-point fstype     options      dumpfreq     passno

   device

           ***************************************** ****** 3.3,
           "******************"._

   mount-point

           ********************************* (*********************)._

   fstype

           *********************************** mount(8) *********._ FreeBSD
           ************************ ufs._

   options

           ************ (Read-Write) ****************** rw***********
           (Read-Only) ************************
           ro*****************************************._ ******************
           noauto
           ***************************************************************._
           ********************* mount(8) ******._

   dumpfreq

           dump(8) ************************************************._
           ***************************************._

   passno

           *********************************************._
           *********************************************** passno
           ***************._ ****************** passno ***************
           (*********************************************)*****************************
           passno ***************************._
           *************************************** passno ******** fsck(8)
           ****************** (******************) ************************._

   ************ /etc/fstab *************************************** fstab(5)
   ************._

  3.7.2. ****** mount(8)

   mount(8)
   ***************************************._***********************************

 # mount device mountpoint

   *** mount(8)
   *******************************************************************

   ************

   -a

           *** /etc/fstab ******************************,_******************
           /etc/fstab *************** -t *********************************._

   -d

           ********************************************************************
           (System call)._ *************** -v ****************** mount(8)
           *********************************._

   -f

           ************************************
           (******)**************************************
           (******************************************************)._

   -r

           ************************************._ ****************** -o
           *************** ro ******************._

   -t fstype

           **************************************************************************
           -a
           *********************************************._******************************
           "ufs"._

   -u

           *********************************._

   -v

           ******************._

   -w

           ***************************************._

   -o ***********************************************

   nosuid

           *************************** setuid *** setgid ********
           ***************************************._

  3.7.3. ****** umount(8)

   ****************************** umount(8)
   ******._*********************************************
   (mountpoint)********************** -a ****** -A *********._

   ****** -f ************************** -v ***************************._
   ****************************** -f
   *******************************************************************************
   ************************************._

   -a *** -A
   ***************************************************************** -t
   ***************************************************._ *************** -A
   ************************************._

3.8. ********* Daemon

   FreeBSD
   *****************************************************************************************._
   *************************************************** (Process)._
   ***********************************************************
   ******************************************************************._

   ****************************************************** ************
   (Process ID,
   PID)*******************************************************************._
   *********************************************************************************************
   (******************************)._ *********************************._
   ******************************************************* Shell
   **************Shell
   ***********************************************************._
   ********************************************************* Shell._
   ****************************** init(8) ***************** FreeBSD
   *************** init ***********************init
   ************************************** PID *************** 1._

   ********************************************************************
   ***************************************************************._
   ***********
   ***********************************************************************************************._
   *************************************************************************************************._***************************
   Daemon._ Daemon
   *************************************************************************************************************************************._******************
   BSD
   ********************************************************************************._

   ****************** Deamon ************************************************
   "d"._ BIND *** Berkeley Internet Name Domain
   *********************************************** named,_Apache
   ********************************* httpd,_******************************
   (Line Printer Spooling) Daemon *** lpd**************._
   **************************************************** Sendmail
   *************** Daemon ********* sendmail ********* maild._

  3.8.1. ************

   **********************************************************************
   ps(1) ****** top(1)._ps(1)
   ***********************************************************************
   PID,_*********************,_******************************************************._
   top(1) ***********************************************
   ***************************._************************************************************._

   ***********************ps(1)
   ************************************************._ ********

 % ps
  PID TT  STAT    TIME COMMAND
 8203  0  Ss   0:00.59 /bin/csh
 8895  0  R+   0:00.00 ps

   ****************************** ps(1) ******************************._ PID
   ************************************._ PID *************** 1
   *************** 99999*****************************************************
   (****** PID ******************** PID ******************)._ TT
   ********************************* Console (tty)
   *****************************************._STAT
   *****************************************._TIME ****************** CPU
   ******************-*****************************************
   ******************************************************** CPU
   ****************************************** ._ ********COMMAND
   ******************************._

   ********************************************************************************************************
   auxww._ a
   ********************************************************************._ u
   ***************************************************************._ x
   ********* daemon ******************** *** ww ****** ps(1)
   **************************************
   ***************************************._

   top(1) *********************._ ********************************

 % top
 last pid:  9609;  load averages:  0.56,  0.45,  0.36              up 0+00:20:03  10:21:46
 107 processes: 2 running, 104 sleeping, 1 zombie
 CPU:  6.2% user,  0.1% nice,  8.2% system,  0.4% interrupt, 85.1% idle
 Mem: 541M Active, 450M Inact, 1333M Wired, 4064K Cache, 1498M Free
 ARC: 992M Total, 377M MFU, 589M MRU, 250K Anon, 5280K Header, 21M Other
 Swap: 2048M Total, 2048M Free

   PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
   557 root          1 -21  r31   136M 42296K select  0   2:20  9.96% Xorg
  8198 dru           2  52    0   449M 82736K select  3   0:08  5.96% kdeinit4
  8311 dru          27  30    0  1150M   187M uwait   1   1:37  0.98% firefox
   431 root          1  20    0 14268K  1728K select  0   0:06  0.98% moused
  9551 dru           1  21    0 16600K  2660K CPU3    3   0:01  0.98% top
  2357 dru           4  37    0   718M   141M select  0   0:21  0.00% kdeinit4
  8705 dru           4  35    0   480M    98M select  2   0:20  0.00% kdeinit4
  8076 dru           6  20    0   552M   113M uwait   0   0:12  0.00% soffice.bin
  2623 root          1  30   10 12088K  1636K select  3   0:09  0.00% powerd
  2338 dru           1  20    0   440M 84532K select  1   0:06  0.00% kwin
  1427 dru           5  22    0   605M 86412K select  1   0:05  0.00% kdeinit4

   *********************************._****** (******************)
   ****************************** PID,_******************
   (******************************),_*********************
   (*********************) ************************._
   ************************************************************************,_*****************************************************************************************************
   CPU *********._************ ZFS ******************************** ARC
   ************************************************************._

   ***************************************************** ps(1)
   *********************._ ********************************
   PID,_***************,_CPU ******************************************._
   top(1)
   ***************************************************************************._
   ******************************************** (Total
   size)************************** (Resident
   size)--********************************************************************************************************************************._

   top(1) ****** 2 ***************************************** -s
   ******************************._

  3.8.2. ************

   *************************** Daemon ****************************** kill(1)
   ****************** (Signal)._
   ************************************************************************************************************************************************************._
   *****************************************************************************************************************._
   ******************
   root**************************************************._

   *********************************************************._
   ****************************************************************************************FreeBSD
   ************ "Segmentation Violation" ****** (SIGSEGV) ***************._
   ********************************* alarm(3) *************** (System call)
   *****************************************************************************************"******"******
   (SIGALRM) ************._

   SIGTERM *** SIGKILL ***************************************._ *** SIGTERM
   *******************************************************************************************************************************************************
   ***************************************************._
   ******************************************
   SIGTERM**************************************************._

   SIGKILL ******************************._ ****** SIGKILL
   *********************************************[1]._

   **************************SIGHUP, SIGUSR1 *** SIGUSR2._
   ***********************************************************************._

   **********************************************************************************************************._
   ************ httpd
   ********************************************************************
   SIGHUP ***************************._ ********* Daemon
   ************************************************** Deamon
   ******************************************************._

   ****** 3.1. ******************

   ************************************************ inetd(8)._inetd(8)
   *************** /etc/inetd.conf***** inetd(8) ************ SIGHUP
   ************************************._

    1. ****** pgrep(1) ***************************************._
       ****************** inetd(8) *** PID *** 198**

 % pgrep -l inetd
 198  inetd -wW

    2. ****** kill(1) ***************._****** inetd(8) *** root
       ************************** su(1) ********* root ***._

 % su
 Password:
 # /bin/kill -s HUP 198

       ************ UNIX(R) **************kill(1)
       ******************************************._
       ********************************************************************
       ************************************** kill: PID: Operation not
       permitted._ ********* PID
       *********************************************************************************************************************
       PID****************************kill: PID: No such process._

  *************** /bin/kill**:

       ****** Shell ********************* kill ******._ ******************
       shell ************************************** /bin/kill._
       ********************* shell
       ************************************************._
       *****************************************************************
       /bin/kill._

   **************************************************************************
   TERM *** KILL ************************************._

  ******:

   ************************************************************************._
   ********* init(8)** PID 1 ******************************._ ******
   /bin/kill -s KILL 1 *********************************._ ******************
   Return ********* kill(1) ********
   *********************************************._

3.9. Shell

   Shell ********************************************************Shell
   ***************************************************._ ****** Shell
   *****************************************************************,_************,_***************,_*********************************._
   FreeBSD ****************** Shell******** Bourne Shell
   (sh(1))***************** C-shell (tcsh(1))._ ********************* Shell
   ********* FreeBSD Port ************************** zsh ****** bash ***._

   ************ Shell ***************************._ ****************** C
   ************************************** tcsh(1) ****** C-like *** shell
   ******************************._ ********* Linux(R)
   ************************************** bash._ ********* Shell
   **********************************************************************************************
   shell ************._

   ********* Shell ************************************._
   *********************************************************** Tab *****Shell
   ************************************************************._
   ************************************ foobar *** football._ *********
   foobar******************** rm foo ************ Tab ***************._

   *** Shell ************ rm
   foo*******************************************************************************************._
   foobar *** football ****** foo ***************._ ********* Shell
   *********************************************************._
   ************************************************************._ ****** t
   ************ Tab *********** Shell
   ******************************************._

   Shell ******************************************._
   ********************************* (Variable/Key) ************************
   Shell *********************** Shell
   **************************************************
   ************************************************._ ****** 3.4,
   "******************" ***************************************************._
   ***************************************************._

   ****** 3.4. ******************

 ******                                   ******                                   
USER     ******************************._                                          
PATH     ********* (:) *****************************************************._     
DISPLAY  ************************************** Xorg ************************._    
SHELL    *************** Shell._                                                   
TERM     ***********************************************************************._ 
TERMCAP  ****************************************************** (Terminal escape   
         code) ******************._                                                
OSTYPE   *********************._                                                   
MACHTYPE ********* CPU ******._                                                    
EDITOR   *********************************._                                       
PAGER    ******************************************._                              
MANPATH  ********* (:) ********************************************************._  

   ************ Shell ************************************************._ ***
   tcsh(1) *** csh(1)******** setenv *********************._ *** sh(1) ***
   bash ********* export ******************************._ ***************
   tcsh(1) Shell ****** EDITOR *********************************
   /usr/local/bin/emacs**

 % setenv EDITOR /usr/local/bin/emacs

   ************************ bash ***********

 % export EDITOR="/usr/local/bin/emacs"

   ***********************************************************************************************
   $ ******._ **************echo $TERM ****************** $TERM
   ************._

   Shell **************************************************************
   Meta-character._ ****************** Meta-character *** *
   ********************************************._ Meta-character
   ********************************************** echo * ************ ls
   ***************************************** shell ****************** *
   ****************** echo ************._

   ************ Shell
   ********************************************************************************
   (\) ********************* (Escape) Shell *********._**************echo
   $TERM ************************************** echo \$TERM
   ****************** $TERM ************._

  3.9.1. ****** Shell

   ************ Shell ****************************** chsh ******._ ******
   chsh *************************** EDITOR
   ********************************************************** vi(1)._
   ********* Shell: ********* Shell ***************._

   ************** chsh -s** *************** Shell
   ***************************._ ******** ************ Shell ********* bash**

 % chsh -s /usr/local/bin/bash

  ******:

   ****** Shell *************** /etc/shells ******._ ********* *** 4,
   ***************************** Port ********* Port ******************
   Shell** ************************************._
   ***********************************************
   (*************************** Shell *********)**

 # echo /usr/local/bin/bash >> /etc/shells

   ****************** chsh(1)._

  3.9.2. ****** Shell ******

   Written by Tom Rhodes.

   UNIX(R) Shell
   ***********************************************************************************,_***************************,_******************************************************************************************._***********************************************************************************************************._

   Shell
   *********************************************************************************._*****************
   ls(1) **********************************************************

 % ls > directory_listing.txt

   ****************************** directory_listing.txt
   *******************************************
   sort(1)._**********************************************

 % sort < directory_listing.txt

   ****************************************************************************************************************
   sort(1) ***********

 % sort < directory_listing.txt > sorted.txt

   *********************************************************** (File
   descriptor) *********************._****** UNIX(R)
   ********************************************************
   (stdin),_************ (stdout) ******************
   (stderr)._********************************************************************************,_****************************************************************************************************************************************************._***************************
   I/O ********************************************************._

   ***********************************Shell
   ******************************************************************************._******************************************************
   (Pipe operator)._

   UNIX(R) ***********************
   "|"********************************************************************._******************************************************************************************************

 % cat directory_listing.txt | sort | less

   ********************directory_listing.txt
   ******************************************
   less(1)****************************************************************************************************._

3.10. ***************

   *** FreeBSD ***************************************************._
   *****************************************************._ FreeBSD
   ************************************** ****************** Port
   ******************************************._

   *************************************** ee(1)**************************
   (Easy Editor)._ ******************************** ************ ee
   filename******** filename ************************************._
   *****************
   ************************************************************._
   ********************* (^) ****************** Ctrl *********** ^e
   ************ Ctrl+e._ ************ ee(1)*********** Esc *****************
   "leave editor" ******._
   ***********************************************************************._

   FreeBSD *****************************************************vi(1)._
   ****************** editors/emacs *** editors/vim ****** FreeBSD Port
   ***************._
   **************************************************************._
   ****************** vim *** Emacs ***************************************._

   **************************************************************************************************************************
   EDITOR *************** *** 3.9, "Shell" *********._

3.11. *********************

   ****** (Device)
   ***********************************************************,_*********,_******************._
   FreeBSD ******************************** (Boot Message)
   ***********************************************************************************
   /var/run/dmesg.boot._

   ************************************************************** ada0
   ************ SATA *********** kbd0 ***************._

   *** FreeBSD ********************************************* (Device Node)
   ************************************************** /dev._

3.12. ************

   *** FreeBSD ********************************************._
   ******************************************************************************************************************._
   ****************************** man *****************

 % man command

   ****** command ***************************._ ***************** ls(1)
   *******************************

 % man ls

   ********************************************************************._ ***
   FreeBSD ********************************

    1. ***************._

    2. ************ (System call) ***************._

    3. C ***************._

    4. ******************._

    5. ************._

    6. *********************._

    7. ************._

    8. ***************************._

    9. ******************._

   ************************************************************._
   ***************************** chmod ********************************
   chmod() ************._ ************************** man(1)
   **************************

 % man 1 chmod

   *************************************** chmod(1)._
   ***************************************************************************._
   ****** chmod(1) ***************************** chmod(2)
   *********************._

   *********************************************** man -k
   **************************************************

 % man -k mail

   ********************************************************* "mail"
   *********._ *************** apropos(1)._

   ********************* /usr/bin ***********************************

 % cd /usr/bin
 % man -f * | more

   ***

 % cd /usr/bin
 % whatis * |more

  3.12.1. GNU Info ***

   FreeBSD ********************************************************* (Free
   Software Foundation, FSF)._
   **************************************************************************************************
   info ***._ ************************ info(1)
   ******************************** editors/emacs ************ emacs *** info
   ************._

   ********* info(1) **********************

 % info

   *************************** h ***************************************** ?
   ***._

     ----------------------------------------------------------------------

   [1] ************************************._
   ********************************************************************
   ***********************************************************************
   "***************" ******._ *************** 2
   ***************************************._
   *********************************************************._

*** 4. ***************************** Port

   ************

   4.1. ******

   4.2. *********************

   4.3. ************

   4.4. ****** pkg ****** Binary ******

   4.5. ****** Port *********

   4.6. ****** Poudriere ************

   4.7. ************************

   4.8. *************** Port

4.1. ******

   FreeBSD ************************************** FreeBSD
   ********************************************************************************
   FreeBSD Port ************************************** Binary *********
   Binary
   *********._***************************************************************._

   ****************************

     * Binary ************ Port *********._

     * ************************ FreeBSD ******************._

     * ************ pkg ****** Binary ******._

     * ****************** Port ************************************._

     * *********************************************************************._

     * ************************************._

4.2. *********************

   ************ UNIX(R)
   **********************************************************

    1. *********************************************************** Binary
       ************._

    2. *********************************._ ************************ tarball
       *********************** compress(1), gzip(1), bzip2(1) *** xz(1)._

    3. ************ INSTALL, README ****** doc/
       ***************************************************._

    4. ***************************************************************._
       ************************ Makefile ********* configure Script._

    5. ************************._

   FreeBSD Port
   ***********************************************************************************************
   Port
   ******************************,_*********,_******,_******************************************._

   ****************** FreeBSD
   *****************************************************************************._

   ******************************** 24,000
   ******************************************
   FreeBSD._**************************************************************
   ****** (Package) *********._

   ****** Binary *************** FreeBSD ***************************._

   ********* Binary ************ Port *********************** Binary
   ********* Port
   *******************************************************************************************************************._

   FreeBSD Binary
   ******************************************************************,_***********************Binary
   ****************** pkg(8) ******************** pkg install._

   *********************************** Binary ********* Port
   ******************._ ************************************************._

   Binary ************
     * ****************** Binary ********* tarball ************************
       tarball *********._

     * ****** Binary
       **************************************************************************************
       Mozilla, KDE *** GNOME ************************._

     * Binary ************************ FreeBSD ************************._

   Port ************
     * ****** Binary
       *******************************************************************************************************
       Port ******************************._

     * *****************************************************************************
       Apache *********************************************._

       ************************************************************** Binary
       *********** Ghostscript *** ghostscript *** ghostscript-nox11 ******
       Binary *********************************** Xorg._
       *********************************************************************************
       Binary ******._

     * *************************************** Binary ************._
       ***************************************************************._

     * ********************* Binary
       *****************************************************************._

     * *********************************._

   *************** Port ********************* FreeBSD Port ************ ***
   FreeBSD Port ******************._

  ******:

   *********************************************** https://vuxml.freebsd.org/
   ************************************************************ pkg audit -F
   ***************************************************************._

   ****************************************** FreeBSD ****** Binary *********
   Port ************************************._

4.3. ************

   FreeBSD ********************************************
   **************************************************

     * FreeBSD **************************************************************
       https://www.FreeBSD.org/ports/._
       *************************************************** Port._

     * *** Dan Langille *********
       FreshPorts.org*********************************************** Port
       *********************************._************************************************************************************
       Port ***************._

     * ***************************************************** SourceForge.net
       *** GitHub.com *********************** FreeBSD ******
       ***************************************._

     * ********* Binary **************************************

 # pkg search subversion
 git-subversion-1.9.2
 java-subversion-1.8.8_2
 p5-subversion-1.8.8_2
 py27-hgsubversion-1.6
 py27-subversion-1.8.8_2
 ruby-subversion-1.8.8_2
 subversion-1.8.8_2
 subversion-book-4515
 subversion-static-1.8.8_2
 subversion16-1.6.23_4
 subversion17-1.7.16_2

       ************************************** Port ****** Python
       *********************************************** Python ******._******
       Port ******************************** Subversion
       ******************************************************************************************
       Subversion._******************************************** Port
       ********************************Port *************************** Port
       ***************._*************** pkg search ********* -o
       *****************************

 # pkg search -o subversion
 devel/git-subversion
 java/java-subversion
 devel/p5-subversion
 devel/py-hgsubversion
 devel/py-subversion
 devel/ruby-subversion
 devel/subversion16
 devel/subversion17
 devel/subversion
 devel/subversion-book
 devel/subversion-static

       pkg search ************ Shell ************
       (globs),_***************,_******************************************._*********
       ports-mgmt/pkg *** ports-mgmt/pkg-devel *****************
       pkg-search(8) ***************************._

     * *** Port *********************************************** Port
       *********************._********* Port **************************
       whereis file******** file ***********************

 # whereis lsof
 lsof: /usr/ports/sysutils/lsof

       ******************** echo(1)**

 # echo /usr/ports/*/*lsof*
 /usr/ports/sysutils/lsof

       ************************************** /usr/ports/distfiles
       ***************************************._

     * ************************ Port
       ******************************************._******************************
       cd *** /usr/ports ************ make search name=program-name********
       program-name *********************._************ lsof**

 # cd /usr/ports
 # make search name=lsof
 Port:   lsof-4.88.d,8
 Path:   /usr/ports/sysutils/lsof
 Info:   Lists information about open files (similar to fstat(1))
 Maint:  ler@lerctr.org
 Index:  sysutils
 B-deps:
 R-deps:

  ******:

       ***************************************************._***************************
       INDEX ************** make fetchindex ***************************._***
       INDEX **************make search *********************************._

       "Path:" ************ Port ***************._

       ***************************************** quicksearch ********

 # cd /usr/ports
 # make quicksearch name=lsof
 Port:   lsof-4.88.d,8
 Path:   /usr/ports/sysutils/lsof
 Info:   Lists information about open files (similar to fstat(1))

       ***************************************** make search key=string ***
       make quicksearch key=string ****** string
       *********************._************************************,_*****************************************************************************************
       Port._

       ********* search *** quicksearch ***********************************._
       ****** "LSOF" ************ "lsof" *********************._

4.4. ****** pkg ****** Binary ******

   pkg
   ***********************************************************************************
   Binary *********************._

   ************************ FreeBSD ************************ Binary
   *********************** pkg ************************._

   **********************************************************************************************
   Port ************._

   ****** pkg ************ Binary *********************************** Port
   *********************************************** Binary *** Port
   *********************** pkg ************ Binary ******._

  4.4.1. ************ pkg

   FreeBSD ************ (Bootstrap) ****************************** pkg
   ******************._************************ FreeBSD ****** 10.X
   ************._

  ******:

   ************ FreeBSD
   *****************************************************************
   https://pkg.freebsd.org/**************************************** Port
   *************** Binary *************** pkg._

   ********* (Bootstrap) *****************

 # /usr/sbin/pkg

   ************************************************************************._

   ***************** Port **********************

 # cd /usr/ports/ports-mgmt/pkg
 # make
 # make install clean

   ************************ pkg_*
   *******************************************************************************************************************************._pkg
   **********************************************************************************************

 # pkg2ng

  ******:

   *********************************************************************************._

  ******:

   ************************._****************************** pkg
   ***************** pkg_* ******************************._

  ******:

   ******************************************************************************._************************************************************************
   pkg2ng
   ***********************************************************************************._

   ************ FreeBSD Port ****************************************** pkg
   *****************************FreeBSD ****** 10.X ***************
   /etc/make.conf **************

 WITH_PKGNG=     yes

   ****** pkg ********* FreeBSD *************** (Repository) *** Binary
   ******._*****************************************************************
   *** 4.6, "****** Poudriere ************"._

   ****** pkg *************************** pkg.conf(5)._

   pkg ********************* pkg(8) ***************************************
   pkg *********._

   ****** pkg ******************************************._********* pkg
   install ****************************************

 # pkg help install

 # man pkg-install

   ****************************************** pkg *************** Binary
   ******************._***********************************************************************************************************************************._

  4.4.2. ************************************

   ****************************************************** pkg info
   *************************************************************************************************._

   ***************************** pkg *****************

 # pkg info pkg
 pkg-1.1.4_1

  4.4.3. *********************

   ********* Binary *********************************** packagename
   *****************************

 # pkg install packagename

   ***************************************************************************************************************._*****************
   curl**

 # pkg install curl
 Updating repository catalogue
 /usr/local/tmp/All/curl-7.31.0_1.txz          100% of 1181 kB 1380 kBps 00m01s

 /usr/local/tmp/All/ca_root_nss-3.15.1_1.txz   100% of  288 kB 1700 kBps 00m00s

 Updating repository catalogue
 The following 2 packages will be installed:

         Installing ca_root_nss: 3.15.1_1
         Installing curl: 7.31.0_1

 The installation will require 3 MB more space

 0 B to be downloaded

 Proceed with installing packages [y/N]: y
 Checking integrity... done
 [1/2] Installing ca_root_nss-3.15.1_1... done
 [2/2] Installing curl-7.31.0_1... done
 Cleaning up cache files...Done

   **************************************************************************************************

 # pkg info
 ca_root_nss-3.15.1_1    The root certificate bundle from the Mozilla Project
 curl-7.31.0_1   Non-interactive tool to get files from FTP, GOPHER, HTTP(S) servers
 pkg-1.1.4_6     New generation package manager

   ********************************* pkg delete *******************

 # pkg delete curl
 The following packages will be deleted:

         curl-7.31.0_1

 The deletion will free 3 MB

 Proceed with deleting packages [y/N]: y
 [1/1] Deleting curl-7.31.0_1... done

  4.4.4. *********************

   *******************************************************************

 # pkg upgrade

   **************************************************************************************************************._

  4.4.5. *********************

   *************************************************************************************************
   pkg
   *********************._********************************************************************************

 # pkg audit -F

  4.4.6. ******************************

   ******************************************************************._*********************************************************************
   (************)*************************************************

 # pkg autoremove
 Packages to be autoremoved:
         ca_root_nss-3.15.1_1

 The autoremoval will free 723 kB

 Proceed with autoremoval of packages [y/N]: y
 Deinstalling ca_root_nss-3.15.1_1... done

   ************************************ ****** (Automatic)
   ************************************************************************************************************************

 # pkg prime-list
 nginx
 openvpn
 sudo

   pkg prime-list ********************************
   /usr/local/etc/pkg.conf*********************************************************************************************
   pkg prime-origins ************************************ Port ********

 # pkg prime-origins
 www/nginx
 security/openvpn
 security/sudo

   *****************************************************************************
   ports-mgmt/poudriere *** ports-mgmt/synth *********************._

   ****************************************** "******" ***********

 # pkg set -A 1 devel/cmake

   ************************ (Leaf Package) ***************
   "******"*********** pkg autoremove ************._

   ************************************ "*********" ***********

 # pkg set -A 0 devel/cmake

  4.4.7. *********************

   ***********************************pkg
   ********************************************************************._

  ******:

   ****************** Script *************************** periodic.conf(5)
   ****** daily_backup_pkgdb_enable="NO"._

   ********************************************************************
   /path/to/pkg.sql **************************

 # pkg backup -r /path/to/pkg.sql

  ******:

   ********************* Script
   ************************************************._

   *************** pkg *******************************************
   /path/to/pkg.sql ***********************************

 # pkg backup -d /path/to/pkg.sql

  4.4.8. *********************

   ****** pkg ********* Binary ****************************** pkg.conf(5)
   ****** PKG_CACHEDIR*****************************************._************
   pkg *********************************************************** Binary
   *******************

 # pkg clean

   ********************************************

 # pkg clean -a

  4.4.9. ************ Metadata

   *** FreeBSD Port
   *****************************************************************************************
   pkg ************************************._***********************
   lang/php5 *************** lang/php53 ****** lang/php5
   ************************ 5.4._

   ****************************************************

 # pkg set -o lang/php5:lang/php53

   ************************** lang/ruby18 *** lang/ruby19*************

 # pkg set -o lang/ruby18:lang/ruby19

   ***************************** libglut ***************************
   graphics/libglut ****** graphics/freeglut ***********

 # pkg set -o graphics/libglut:graphics/freeglut

  ******:

   **********************************************************************************************************************************._**********************************************

 # pkg install -Rf graphics/freeglut

4.5. ****** Port *********

   Port ************************
   Makefiles,_***********************************************************************
   FreeBSD ***************************************** Port._

   ********Port ****************** /usr/ports ***************._

   *************************** Port ***************************** Port
   *********._************ FreeBSD
   *************************************************************

   ****** 4.1. Portsnap ******

   FreeBSD ********************* Portsnap***************************** Port
   *****************************************************************************._*********************
   FreeBSD ************************************* Port
   *********************._************************************************************._

    1. ********************* Port *************** (Snapshot) ***
       /var/db/portsnap**

 # portsnap fetch

    2. ****************** Portsnap ***************************** /usr/ports**

 # portsnap extract

    3. ****************************** Portsnap
       **************************************************************
       /usr/ports **

 # portsnap fetch
 # portsnap update

       ********* fetch ********************* extract *** update *****

 # portsnap fetch update

   ****** 4.2. Subversion ******

   ********************* Port
   ****************************************************************
   Subversion ********* Port *********._********* Subversion Primer *********
   Subversion ***************._

    1. ************ Subversion ****************** (Check out) Port
       ***._************ Port **************************************
       Subversion**

 # cd /usr/ports/devel/subversion
 # make install clean

       ****************** Port ******************** pkg
       ***************************************** Subversion**

 # pkg install subversion

    2. ****** Port **************

 # svn checkout https://svn.FreeBSD.org/ports/head /usr/ports

    3. *********************** Subversion
       ************************************ /usr/ports**

 # svn update /usr/ports

   Port
   *******************************************************************************************************************************************
   FreeBSD
   ********************************************************************* Port
   Skeleton******** Port Skeleton ********************************

     * Makefile***********************************************,_************************************._

     * distinfo************** Port ******************************************
       (Checksum)._

     * files/***************************************** FreeBSD
       *********************._****************************************** Port
       *********._

     * pkg-descr********************************._

     * pkg-plist**Port *********************************************** Port
       *********************************************._

   ****** Port ****** pkg-message
   ***************************************._**************************************************
   Port ****************** FreeBSD Porter's Handbook._

   Port ************************************** distfile*********** Port
   ****************************************** /usr/ports/distfiles._

  4.5.1. ****** Port

   ********************************* Port
   ******************,_***************************._ make
   *************************************************** ports(7)._

  ******:

   *************** Port
   ***************************************************************** Port
   *********._*****************************************************************************************
   https://vuxml.freebsd.org/ ****** Port
   ************************._************************ Port ********* pkg
   audit
   -F._************************************************************************************************************._********************************
   pkg-audit(8) *** periodic(8)._

   ****** Port
   ***********************************************************************************************._

   ****************** Port******************************** Port
   ******************** make install*************************************

 # cd /usr/ports/sysutils/lsof
 # make install
 >> lsof_4.88D.freebsd.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
 >> Attempting to fetch from ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/.
 ===>  Extracting for lsof-4.88
 ...
 [extraction output snipped]
 ...
 >> Checksum OK for lsof_4.88D.freebsd.tar.gz.
 ===>  Patching for lsof-4.88.d,8
 ===>  Applying FreeBSD patches for lsof-4.88.d,8
 ===>  Configuring for lsof-4.88.d,8
 ...
 [configure output snipped]
 ...
 ===>  Building for lsof-4.88.d,8
 ...
 [compilation output snipped]
 ...

 ===>  Installing for lsof-4.88.d,8
 ...
 [installation output snipped]
 ...
 ===>   Generating temporary packing list
 ===>   Compressing manual pages for lsof-4.88.d,8
 ===>   Registering installation for lsof-4.88.d,8
 ===>  SECURITY NOTE:
       This port has installed the following binaries which execute with
       increased privileges.
 /usr/local/sbin/lsof
 #

   lsof
   ***********************************************************************************************************._******************************************._

   ****** Shell ****** PATH
   ***********************************************************************************************************._tcsh
   Shell ********************* rehash
   ************************************************************._****** sh
   Shell ********* hash -r._********* Shell
   ************************************._

   *********************************************************************************._******************************************************************
   Port *****************

 # make clean
 ===>  Cleaning for lsof-88.d,8
 #

  ******:

   ************************************************** Port ********* make
   install clean._

    4.5.1.1. ****** Port ******

   ****** Port
   ********************************************************************,_************,_******************************._*********************************
   www/firefox, security/gpgme ****** mail/sylpheed-claws._*** Port
   *************** Port
   *************************************************************************************************************************************************._*************************************************************
   Port skeleton ********* make config-recursive***************** make
   install [clean] ****************** Port._

  ******:

   ****** config-recursive ************** all-depends-list Target
   ************************ Port ******._************ make config-recursive
   ********************* Port ************************** Port
   *****************************************************************************._

   ********************************* Port
   ************************************** Port
   ************,_***************************._*************** cd ************
   Port ****************** make config._****************************** make
   showconfig._*************************** make rmconfig
   **************************************************************._***************
   ports(7) ************************._

   Port ************ fetch(1)
   ********************************************************._*** FreeBSD
   ********************* FTP/HTTP ***********************************
   FTP_PASSIVE_MODE, FTP_PROXY ****** FTP_PASSWORD ******._********* fetch(3)
   *********************************._

   *****************************************************************
   /usr/ports ********* make fetch ******************
   distfiles**********************************************
   /usr/ports/net************** Port Skeleton *********._********************
   Port ******************************** Port Skeleton *********************
   ****** ****************************** Port distfiles._********* make
   fetch-recursive ********************* Port *** distfiles._

   *****************************************************************
   distfiles ******************** MASTER_SITES ****************** Makefile
   ************************._***********************************

 # cd /usr/ports/directory
 # make MASTER_SITE_OVERRIDE= \
 ftp://ftp.organization.org/pub/FreeBSD/ports/distfiles/ fetch

   ************ WRKDIRPREFIX *** PREFIX
   *********************************************._********

 # make WRKDIRPREFIX=/usr/home/example/ports install

   ************ /usr/home/example/ports *** Port ************************
   /usr/local ***._

 # make PREFIX=/usr/home/example/local install

   ************ /usr/ports Port ************
   /usr/home/example/local._********

 # make WRKDIRPREFIX=../ports PREFIX=../local install

   ************************************._

   ***************************************************************** Shell
   ******************************************************._

  4.5.2. ****************** Port

   ********* Port ************ pkg delete ************._
   ************************************ pkg-delete(8) ******************._

   ************** Port ****************** make deinstall**

 # cd /usr/ports/sysutils/lsof
 make deinstall
 ===>  Deinstalling for sysutils/lsof
 ===>   Deinstalling
 Deinstallation has been requested for the following 1 packages:

         lsof-4.88.d,8

 The deinstallation will free 229 kB
 [1/1] Deleting lsof-4.88.d,8... done

   ************ Port *********************************************** Port
   *************************************************************************************._************************************************************************._

  4.5.3. ****** Port

   ********************Port
   ***************************************._************************************************************************._

   ****************** Port
   *********************************************************** Port
   *********** ****** 4.1, "Portsnap ******" *** ****** 4.2, "Subversion
   ******" ***************************._*** FreeBSD 10
   **************************************************
   pkg*********************************************** Port
   ***********************

 # pkg version -l "<"

   *** FreeBSD 9.X
   ***************************************************************** Port
   ***********************

 # pkg_version -l "<"

  ******:

   ******************************************** /usr/ports/UPDATING
   ************************ Port
   ***************************._************************************************
   Port
   **************************************************************************,_*********************,_******************************************._***************************
   Port **************************************************._

    4.5.3.1. *************** Port *********

   Port
   **************************************************************************************._

   ************ Port *************** Portmaster ***
   Portupgrade******************** Synth *********._

  ******:

   ************************************************************************._******************************************************._

    4.5.3.2. ****** Portmaster ****** Port

   ports-mgmt/portmaster *************************** Port
   *********************************** FreeBSD
   ************************************************** Port
   ********************* FreeBSD ***************** Port ********************

 # cd /usr/ports/ports-mgmt/portmaster
 # make install clean

   Portmaster *** Port ***********************

     * *** Port************************************** Port ******._

     * ****** Port**************************** Port ******._

     * ****** Port**************************** Port ******._

     * *** Port******************************* Port ******._

   **************************************************

 # portmaster -L
 ===>>> Root ports (No dependencies, not depended on)
 ===>>> ispell-3.2.06_18
 ===>>> screen-4.0.3
         ===>>> New version available: screen-4.0.3_1
 ===>>> tcpflow-0.21_1
 ===>>> 7 root ports
 ...
 ===>>> Branch ports (Have dependencies, are depended on)
 ===>>> apache22-2.2.3
         ===>>> New version available: apache22-2.2.8
 ...
 ===>>> Leaf ports (Have dependencies, not depended on)
 ===>>> automake-1.9.6_2
 ===>>> bash-3.1.17
         ===>>> New version available: bash-3.2.33
 ...
 ===>>> 32 leaf ports

 ===>>> 137 total installed ports
         ===>>> 83 have new versions available

   ************************************ Port**

 # portmaster -a

  ******:

   ****** Portmaster ************************ Port
   ************************************** Portmaster
   ******************._****** -b ****** Portmaster
   ************************._****** -i ********* Portmaster
   *********************************** Port
   ***************._********************************************
   portmaster(8) ***************************************._

   ***************************************** -f
   ****************************** Port**

 # portmaster -af

   Portmaster ************************ Port ********************************
   Port ***************************._******************************** Port
   ****** Port ***********************

 # portmaster shells/bash

   ************ ports-mgmt/portmaster ****************** pkg-descr ******._

    4.5.3.3. ****** Portupgrade ****** Port

   ports-mgmt/portupgrade ****************************** Port
   ***************************************************** Port
   ******************************** Ruby._************ Port**

 # cd /usr/ports/ports-mgmt/portupgrade
 # make install clean

   ************************************************** pkgdb -F
   ****************** Port
   *********************************************************._

   ****************************************** Port*********** portupgrade
   -a************** -i *****************************************

 # portupgrade -ai

   ************************************************ Port *********
   portupgrade pkgname******************************* -R
   ********************************************* Port**

 # portupgrade -R firefox

   ********* -P**Portupgrade ********* PKG_PATH
   ************************************************._*****************************************************._*****************************************Portupgrade
   ************ Port *********._********************* Port *****************
   -PP*********************** Portupgrade
   **************************************

 # portupgrade -PP gnome3

   ****************** Port distfiles ***************** -P
   ******._******************************************** -F._*********
   portupgrade *********************************************************._

   ************ ports-mgmt/portupgrade ****************** pkg-descr ******._

  4.5.4. Port ***************

   ****** Port ******************************************._******************
   Port ************** Port Skeleton ********* make clean ******************
   work ******._********* Portmaster *********
   Port******************************************* -K._************
   Portupgrade******************************** Port
   ************************************ work ********

 # portsclean -C

   **************************************************************
   /usr/ports/distfiles._****** Portupgrade *************************** Port
   ************ distfiles**

 # portsclean -D

   Portupgrade *************************************************** Port
   ************ distfiles**

 # portsclean -DD

   ************ Portmaster****************

 # portmaster --clean-distfiles

   *********** distfile
   ********************************************************************._

   ***********************ports-mgmt/pkg_cutleaves
   ************************************ Port._

4.6. ****** Poudriere ************

   Poudriere *************** BSD ********************************* FreeBSD
   ***************._********* FreeBSD Jail
   ************************************** Jail
   ********************************************* FreeBSD
   ******************************************** amd64 *********************
   i386
   ***************._*********************************************************************._******************
   pkg(8) *********************************._

   Poudriere ********* ports-mgmt/poudriere ********* Port
   ******._*********************************************
   /usr/local/etc/poudriere.conf.sample._******************
   /usr/local/etc/poudriere.conf***********************************************._

   ************************ poudriere *********************
   ZFS*****************************._************ ZFS**************
   /usr/local/etc/poudriere.conf ****** ZPOOL ****** FREEBSD_HOST
   ************************************._****** CCACHE_DIR ***************
   devel/ccache
   *********************************************************************************************._***
   poudriere ************************************************ /poudriere
   *****************************************************************._

   ************************************************************************._********************************************
   RAM ************************************************* Jail
   *****************************************************************._

  4.6.1. ********* Jail *** Port ***

   ************************** poudriere ********* Jail ***************
   FreeBSD ****** Port ***._****** -j ********* Jail *************** -v
   ********* FreeBSD *********._********* FreeBSD/amd64 *********************
   -a ****************************** i386 *** amd64***********************
   uname ******************._

 # poudriere jail -c -j 10amd64 -v 10.0-RELEASE
 ====>> Creating 10amd64 fs... done
 ====>> Fetching base.txz for FreeBSD 10.0-RELEASE amd64
 /poudriere/jails/10amd64/fromftp/base.txz      100% of   59 MB 1470 kBps 00m42s
 ====>> Extracting base.txz... done
 ====>> Fetching src.txz for FreeBSD 10.0-RELEASE amd64
 /poudriere/jails/10amd64/fromftp/src.txz       100% of  107 MB 1476 kBps 01m14s
 ====>> Extracting src.txz... done
 ====>> Fetching games.txz for FreeBSD 10.0-RELEASE amd64
 /poudriere/jails/10amd64/fromftp/games.txz     100% of  865 kB  734 kBps 00m01s
 ====>> Extracting games.txz... done
 ====>> Fetching lib32.txz for FreeBSD 10.0-RELEASE amd64
 /poudriere/jails/10amd64/fromftp/lib32.txz     100% of   14 MB 1316 kBps 00m12s
 ====>> Extracting lib32.txz... done
 ====>> Cleaning up... done
 ====>> Jail 10amd64 10.0-RELEASE amd64 is ready to be used

 # poudriere ports -c -p local
 ====>> Creating local fs... done
 ====>> Extracting portstree "local"...
 Looking up portsnap.FreeBSD.org mirrors... 7 mirrors found.
 Fetching public key from ec2-eu-west-1.portsnap.freebsd.org... done.
 Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
 Fetching snapshot metadata... done.
 Fetching snapshot generated at Tue Feb 11 01:07:15 CET 2014:
 94a3431f0ce567f6452ffde4fd3d7d3c6e1da143efec76100% of   69 MB 1246 kBps 00m57s
 Extracting snapshot... done.
 Verifying snapshot integrity... done.
 Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
 Fetching snapshot metadata... done.
 Updating from Tue Feb 11 01:07:15 CET 2014 to Tue Feb 11 16:05:20 CET 2014.
 Fetching 4 metadata patches... done.
 Applying metadata patches... done.
 Fetching 0 metadata files... done.
 Fetching 48 patches.
 (48/48) 100.00%  done.
 done.
 Applying patches...
 done.
 Fetching 1 new ports or files... done.
 /poudriere/ports/tester/CHANGES
 /poudriere/ports/tester/COPYRIGHT

 [...]

 Building new INDEX files... done.

   *****************poudriere ****************************** Jail
   ****************** Port ******
   Port._********************************************* sets**************
   ports-mgmt/poudriere *** ports-mgmt/poudriere-devel ********* poudriere(8)
   ****** CUSTOMIZATION ******************************._

   ********************************************* jail-, port- ****** set-
   ********* make.conf ***
   /usr/local/etc/poudriere.d._************************************ Jail
   ******,_Port ************ set
   *****************10amd64-local-workstation-make.conf._****** make.conf
   ********************************************************* Jail
   ************ make.conf._

   ****************************** 10amd64-local-workstation-pkglist**

 editors/emacs
 devel/git
 ports-mgmt/pkg
 ...

   ********************************************

 # poudriere options -j 10amd64 -p local -z workstation -f 10amd64-local-workstation-pkglist

   **********************************************

 # poudriere bulk -j 10amd64 -p local -z workstation -f 10amd64-local-workstation-pkglist

   ******************** Ctrl+t ***********************************Poudriere
   *************** /poudriere/logs/bulk/jailname
   ***********************************************************._

   ************************************** poudriere ******************._

   ********************* poudriere ******************** poudriere(8)
   ************ https://github.com/freebsd/poudriere/wiki._

  4.6.2. ****** pkg *************** Poudriere *********

   ********************************************************************************************************._******************************************************************************._******
   /usr/local/etc/pkg/repos/FreeBSD.conf ********************

 FreeBSD: {
         enabled: no
 }

   ************************ poudriere ***************************************
   HTTP._****************************************************************/usr/local/poudriere/data/packages/10amd64********
   10amd64 ******************._

   ****************************** URL
   *****http://pkg.example.com/10amd64********
   /usr/local/etc/pkg/repos/custom.conf **************************

 custom: {
         url: "http://pkg.example.com/10amd64",
         enabled: yes,
 }

4.7. ************************

   *************************** Port
   *************************************************************************************************************************************************************._

     * ********************************* /usr/local/etc
       ********************************************************************************************************************************._***************************************
       .sample
       **********************************************************************************************************************************************************
       .sample *********._

     * ***************************************
       /usr/local/share/doc*************************************************************************************************************._

     * ***********************************************************************************************
       /etc/rc.conf._*************************************** Script ***
       /usr/local/etc/rc.d*********** ************ *********************._

  ******:

       ********************************************************
       Script*****************************************************
       Script********************************************._

     * csh(1) ************************ rehash *************** Binary
       ********* Shell *** PATH._

     * ****** pkg info
       ******************************************,_******************
       Binary._

4.8. *************** Port

   *************** Port
   *******************************************************************

    1. ****** ********************* ****** Port
       *****************************************************************************._

    2. ******************************** Port Skeleton *************** make
       maintainer ********* Port *** Makefile
       ******************************************._***************************************************
       Port *** Makefile ****** $FreeBSD: *********************************._

  ******:

       ********* Port ******************************** ************
       ***************************************************************
       <freebsd-listname@FreeBSD.org>
       **************************************************._

       ************ <ports@FreeBSD.org> ************ Port
       ************************************** Port
       ***********************************************************************************************************!

       ************************************************** ****** FreeBSD
       ************ *************** Bugzilla ******************._

    3. ********************Porter's Handbook ********* Port
       **************************************************************************
       Port ************************************ Port**

    4. ****** *** 4.4, "****** pkg ****** Binary ******" ******************
       Binary ******************** Port ******._

*** 5. X Window ******

   ************

   5.1. ******

   5.2. ******

   5.3. ****** Xorg

   5.4. Xorg ******

   5.5. *** Xorg ************

   5.6. X ******************

   5.7. ************

   5.8. ****** Compiz Fusion

   5.9. ************

5.1. ******

   ****** bsdinstall ****** FreeBSD
   *********************************************._************************************
   Xorg************************************** X Window
   ******************************._*********************************************************************._

  ******:

   ****************************** Xorg
   ************************************************************************
   http://www.trueos.org/ ******._

   ************ Xorg *********************************** x.org ******._

   ****************************

     * ****** X Window
       ******************************************************._

     * ********************* Xorg._

     * ************************************************************._

     * ********* Xorg ********* TrueType(R) ******._

     * ****************************************** (XDM)._

   ****************************************

     * ****************** *** 4, ***************************** Port
       *********************************._

5.2. ******

   ****** X
   ********************************************************************._
   ************************************************._

   X ********* (X Server)

           X ***************************************** "client-server"
           ******._*************** "X *********"
           ************,_******,_************************._*********************************************,_******************,_************************************
           (******************************)
           ******************._***************************************** X
           *********************************************._
           ********************* "X *********"
           ***************************************** "X *********"
           **************************************************._

   X ********* (X Client)

           ****** X ***************** XTerm,_Firefox ****** "*********"._
           *******************************************"*********************************"***************************************"*********************************"._

           ***************************************** X ************ X
           ******************************************._***************************************
           X *********** ***************,_*************************** X
           ************._ *****************X
           ***************************************************************._

   ****************** (Window Manager)

           X
           *********************************************,_***************************,_
           *********************************,_*******************************************************************._***********X
           ******************************************************._*****************************************************************************************************************************************************************************************
           "******"
           ****************************************************************************************._
           ************************ Port ************ x11-wm ************._

           **********************************************************************************************
           *********************************************************************._

   ************ (Desktop Environment)

           KDE *** GNOME
           *****************************************************************************************************************************,_************************._

   ************ (Focus Policy)

           ***************************************************._
           ************************************************************************._

           ******************************************
           "click-to-focus"****************************************************************
           (Active) *********._*** "focus-follows-mouse"
           *******************************************************************************************************************************************************
           (Root Window)**************************._*** "sloppy-focus"
           ***********************************************************************************************************************************************************************************._"click-to-focus"
           ***************************************************************************************************************************************************************************************._

           ***********************************************************************
           click-to-focus
           **************************************************************************************************************._

   ************ (Widget)

           **************************************************************************************************,_************,_************,_***************._
           ********************* (Widget toolkit)
           ******************************************************************._*****************************************************
           KDE ************ Qt,_GNOME ************ GTK+._
           ******************************************************************************************._

5.3. ****** Xorg

   *** FreeBSD**Xorg ****************** Port *********._

   ****** Binary
   *************************************************************

 # pkg install xorg

   ****** Port **************************

 # cd /usr/ports/x11/xorg
 # make install clean

   ************************************ Xorg
   ******************************************** Binary ************._

   ****************** X **************************************************
   x11/xorg-minimal
   ******._*********************************************,_********************************************************************************************._

5.4. Xorg ******

   Warren Block

  5.4.1. ************

   Xorg *********************************,_************************._

  ******:

   *********,_********************************************************************._********************************************
   xorg.conf ********* -configure ******._

    1. *** Xorg
       ****************************************************************************

 # mv /etc/X11/xorg.conf ~/xorg.conf.etc
 # mv /usr/local/etc/X11/xorg.conf ~/xorg.conf.localetc

    2. *************** Xorg *************** video *** wheel
       *********************************** 3D ******._****************** jru
       *****************************

 # pw groupmod video -m jru || pw groupmod wheel -m jru

    3. ************ TWM ************************** Xorg
       **************************************

 % startx

    4. ********************* FreeBSD******************** Console *********
       Console ************ vt(4) ***************************** *** 5.4.3,
       "****************** (Kernel Mode Setting, KMS)"._

  5.4.2. ***************************************

   ********* /dev/dri ************************ 3D
   ******************************************** X ****************** video
   *** wheel ******._************ pw(8) *************** slurms ****** video
   ***************** video ************ wheel ********

 # pw groupmod video -m slurms || pw groupmod wheel -m slurms

  5.4.3. ****************** (Kernel Mode Setting, KMS)

   ****************** Console ****************************** X
   *****************************************._*************** Xorg
   ************************************************************._************
   FreeBSD ********* sc(4) ************ KMS
   *********************************** X *********************************
   Console ***************._************ vt(4) Console
   *********************._

   *************** /boot/loader.conf ********* vt(4)**

 kern.vty=vt

  5.4.4. *********

   ****************************************************************************************************._

    5.4.4.1. ******

   Xorg ******************************************** FreeBSD ***************
   /usr/local/etc/X11/
   ********************************************************************************************************._

   *************************** /etc/X11/
   *********************************************************** FreeBSD
   ***************************._

    5.4.4.2. ***************

   ********************************************************************************
   xorg.conf
   ******************._************************************************
   xorg.conf.d/ ********************************
   /usr/local/etc/X11/xorg.conf.d/._

   ******************************************._

   ************ xorg.conf *********************************** xorg.conf.d/
   ************************************************************._

  5.4.5. *********

   ************ FreeBSD ******************************************** Port
   ********************************************************************************
   graphics/drm-kmod ***************._

   Intel KMS ************, Radeon KMS ************, AMD KMS ************

           *************** Intel KMS *************** Intel *************** 2D
           *** 3D ******._

           ********************i915kms

           *************** Radeon KMS ****************** AMD ***************
           2D *** 3D ******._

           ********************radeonkms

           *************** AMD KMS ****************** AMD *************** 2D
           *** 3D ******._

           ********************amdgpu

           ******************
           https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units
           ******
           https://en.wikipedia.org/wiki/List_of_AMD_graphics_processing_units
           *************** GPU ******._

   Intel(R)

           3D ****************** Intel(R) ***********************************
           Ivy Bridge (HD Graphics 2500, 4000, *** P4000) ****** Iron Lake
           (HD Graphics) *** Sandy Bridge (HD Graphics 2000)._

           ********************intel

           ******************
           https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units._

   AMD(R) Radeon

           Radeon *************** 2D *** 3D ***************** HD6000 ******._

           ********************radeon

           ******************
           https://en.wikipedia.org/wiki/List_of_AMD_graphics_processing_units._

   NVIDIA

           ********* NVIDIA ****************** Port *************** x11
           **************************************************************._

           ******************
           https://en.wikipedia.org/wiki/List_of_Nvidia_graphics_processing_units._

   ************************

           ***************************************************************************************._Optimus
           ********* Intel(R) *** NVIDIA ***********Switchable Graphics ***
           Hybrid Graphics *************** Intel(R) *** AMD(R) ************
           AMD(R) Radeon GPU._

           **************************************************FreeBSD *** Xorg
           ************************************************._

           ********************* BIOS
           ********************************************************* discrete
           ********************************************************************._********************
           Optimus ************ NVIDIA GPU ************ Intel(R)
           ****************** Intel(R) ******************._

           BIOS
           *************************************************************************************
           GPU******************************** Device *********************
           GPU *********************._

   ***************

           ****************************************** Port ************
           x11-drivers ************._

           ********************************************************************
           x11-drivers/xf86-video-vesa
           *********************._************************ x11/xorg
           ******************** x11-drivers/xf86-video-vesa
           ************._****************************** Xorg
           ***************************************************._

           x11-drivers/xf86-video-scfb
           ***************************************************** UEFI ***
           ARM(R) ******************._

   ************************************

           *************************** Intel(R) **************

           ****** 5.1. ****************** Intel(R) ******************

           /usr/local/etc/X11/xorg.conf.d/driver-intel.conf

 Section "Device"
         Identifier "Card0"
         Driver     "intel"
         # BusID    "PCI:1:0:0"
 EndSection

           ************************************** BusID identifier
           *********************************************** Bus ID
           ****************** pciconf -lv | grep -B3 display ******._

           *************************** Radeon **************

           ****** 5.2. ****************** Radeon ******************

           /usr/local/etc/X11/xorg.conf.d/driver-radeon.conf

 Section "Device"
         Identifier "Card0"
         Driver     "radeon"
 EndSection

           *************************** VESA **************

           ****** 5.3. ****************** VESA ******************

           /usr/local/etc/X11/xorg.conf.d/driver-vesa.conf

 Section "Device"
         Identifier "Card0"
         Driver     "vesa"
 EndSection

           ********* UEFI *** ARM(R) ************ scfb **************

           ****** 5.4. ****************** scfb ******************

           /usr/local/etc/X11/xorg.conf.d/driver-scfb.conf

 Section "Device"
         Identifier "Card0"
         Driver     "scfb"
 EndSection

  5.4.6. *********

   ************************************************************ (Extended
   Display Identification Data, EDID)**Xorg ********* EDID
   ********************************************************************************************************************._

   *****************************************************************************************************
   X *************************** xrandr(1)._

   ****** xrandr(1)

           ****** xrandr(1)
           ********************************************************************************

 % xrandr
 Screen 0: minimum 320 x 200, current 3000 x 1920, maximum 8192 x 8192
 DVI-0 connected primary 1920x1200+1080+0 (normal left inverted right x axis y axis) 495mm x 310mm
    1920x1200     59.95*+
    1600x1200     60.00
    1280x1024     85.02    75.02    60.02
    1280x960      60.00
    1152x864      75.00
    1024x768      85.00    75.08    70.07    60.00
    832x624       74.55
    800x600       75.00    60.32
    640x480       75.00    60.00
    720x400       70.08
 DisplayPort-0 disconnected (normal left inverted right x axis y axis)
 HDMI-0 disconnected (normal left inverted right x axis y axis)

           ****************** DVI-0 *********************************
           1920x1200 ************************ 60 Hz
           *********************************** DisplayPort-0 *** HDMI-0
           ******._

           ********* xrandr(1)
           ************************************._****************** 1280x1024
           *** 60 Hz**

 % xrandr --mode 1280x1024 --rate 60

           ************************************************************************._

           *****************************************************************************************************************._***************************
           HDMI-1 *********************************************
           HDMI1._****************************** xrandr(1)
           *****************************

 % xrandr
 Screen 0: minimum 320 x 200, current 1366 x 768, maximum 8192 x 8192
 LVDS1 connected 1366x768+0+0 (normal left inverted right x axis y axis) 344mm x 193mm
    1366x768      60.04*+
    1024x768      60.00
    800x600       60.32    56.25
    640x480       59.94
 VGA1 connected (normal left inverted right x axis y axis)
    1280x1024     60.02 +  75.02
    1280x960      60.00
    1152x864      75.00
    1024x768      75.08    70.07    60.00
    832x624       74.55
    800x600       72.19    75.00    60.32    56.25
    640x480       75.00    72.81    66.67    60.00
    720x400       70.08
 HDMI1 disconnected (normal left inverted right x axis y axis)
 DP1 disconnected (normal left inverted right x axis y axis)

           ************************************** LVDS1*********** VGA1,
           HDMI1 ****** DP1 ******._

           ********************* VGA1 ******************** xrandr(1)
           ****************************** (***************)
           ********************************************

 % xrandr --output VGA1 --auto --right-of LVDS1

           --auto *************** EDID
           ************************************._**************************************
           --auto *** --mode
           *********************._************************************
           1024x768 ************************** --mode 1024x768._

           xrandr(1) ************ .xinitrc ************ X
           ******************************._

   *********************************

           ************************************ 1024x768**

           ****** 5.5. *********************************

           /usr/local/etc/X11/xorg.conf.d/screen-resolution.conf

 Section "Screen"
         Identifier "Screen0"
         Device     "Card0"
         SubSection "Display"
         Modes      "1024x768"
         EndSubSection
 EndSection

           ********************* EDID*********** HorizSync *** VertRefresh
           *********************************._

           ****** 5.6. ***************************

           /usr/local/etc/X11/xorg.conf.d/monitor0-freq.conf

 Section "Monitor"
         Identifier   "Monitor0"
         HorizSync    30-83   # kHz
         VertRefresh  50-76   # Hz
 EndSection

  5.4.7. ************

    5.4.7.1. ******

   ************

           ************************************ ******
           (Layout)._***************************************
           xkeyboard-config(7)._

           ********* United States **************************************
           InputClass ****** XkbLayout *** XkbVariant
           ******._************************************************._

           ****************** French ****************** oss ******._

           ****** 5.7. ******************

           /usr/local/etc/X11/xorg.conf.d/keyboard-fr-oss.conf

 Section "InputClass"
         Identifier      "KeyboardDefaults"
         Driver          "keyboard"
         MatchIsKeyboard "on"
         Option          "XkbLayout" "fr"
         Option          "XkbVariant" "oss"
 EndSection

           ****** 5.8. ************************

           ****** United States, Spanish *** Ukrainian
           *********************** Alt+Shift *********************._*********
           x11/xxkb *** x11/sbxkb
           ***************************************************._

           /usr/local/etc/X11/xorg.conf.d/kbd-layout-multi.conf

 Section "InputClass"
         Identifier      "All Keyboards"
         MatchIsKeyboard "yes"
         Option          "XkbLayout" "us, es, ua"
 EndSection

   *************** Xorg

           X
           *************************************************************************************************************************._***************************************
           InputDevice *****

           ****** 5.9. ****************** X ******

           /usr/local/etc/X11/xorg.conf.d/keyboard-zap.conf

 Section "InputClass"
         Identifier      "KeyboardDefaults"
         Driver          "keyboard"
         MatchIsKeyboard "on"
         Option          "XkbOptions" "terminate:ctrl_alt_bksp"
 EndSection

    5.4.7.2. *********************

   ************************************************************** mousedrv(4)
   *********************._

   ************

           ************************ xorg.conf ********* InputDevice
           ************************************** 7**

           ****** 5.10. *********************

           /usr/local/etc/X11/xorg.conf.d/mouse0-buttons.conf

 Section "InputDevice"
         Identifier  "Mouse0"
         Option      "Buttons" "7"
 EndSection

  5.4.8. ************

   *************** Xorg
   *****************************************************************************._*********************************************._

  ******:

   **************************************************************************************._

   *************** Xorg
   ********************************************************************************._

   ****** xorg.conf**

 # Xorg -configure

   *********************
   /root/xorg.conf.new*********************************************************************

 # Xorg -config /root/xorg.conf.new

   ********************************************************************************************
   /usr/local/etc/X11/xorg.conf.d/._

5.5. *** Xorg ************

  5.5.1. Type1 ******

   ****** Xorg
   ***************************************************************************************************************************************************************************._*****************************************
   Type1 (PostScript(R)) ******************************** Xorg
   ******._********URW ********* (Times Roman(R), Helvetica(R), Palatino(R)
   *********)._ Freefont ********* (x11-fonts/freefonts)
   ***************************************************************** GIMP
   ***********************************************************._********Xorg
   *************************** TrueType(R)
   ******._*********************************************** X(7)
   *************** *** 5.5.2, "TrueType(R) ******"._

   ****** Binary ********************* Type1 ********************************

 # pkg install urwfonts

   ****** Port ****************************************

 # cd /usr/ports/x11-fonts/urwfonts
 # make install clean

   ****************************** Freefont ******************._****** X
   *********************************************************************** X
   ****************** (/etc/X11/xorg.conf)*************

 FontPath "/usr/local/share/fonts/urwfonts/"

   ********* X session ********************

 % xset fp+ /usr/local/share/fonts/urwfonts
 % xset fp rehash

   ******************** X session
   ******************************************************** (********* startx
   session ****** ~/.xinitrc ***********************************************
   XDM *************** ~/.xsession ******)._***************************
   /usr/local/etc/fonts/local.conf***** *** 5.5.3, "***************"
   *********._

  5.5.2. TrueType(R) ******

   Xorg ****************** TrueType(R)
   *****************************************************._******************
   freetype
   **************************************************************._*********
   freetype ********************************* /etc/X11/xorg.conf ******
   "Module" section._

 Load  "freetype"

   *************************** TrueType(R) ***************
   (********/usr/local/share/fonts/TrueType) ****************** TrueType(R)
   *********************._********* TrueType(R) ***************************
   Apple(R) Mac(R)**Xorg ************************
   UNIX(R)/MS-DOS(R)/Windows(R)
   *********._************************************** mkfontscale *********
   fonts.dir ****** X
   *********************************************._mkfontscale
   *****************************

 # pkg install mkfontscale

   ************************ X ********************

 # cd /usr/local/share/fonts/TrueType
 # mkfontscale

   ************ TrueType(R) *********************._*************** *** 5.5.1,
   "Type1 ******" *****************************

 % xset fp+ /usr/local/share/fonts/TrueType
 % xset fp rehash

   *************** FontPath ********* xorg.conf._

   ****** Gimp, Apache OpenOffice ************ X
   ****************************************** TrueType(R)
   ******._*************** (******************************************)
   ****************** (*** StarOffice(TM) ***)
   *********************************._

  5.5.3. ***************

   ************ /usr/local/share/fonts/ *** ~/.fonts/ ********* Xorg
   *************** Xft-aware
   ***************************************._*********************************
   Xft-aware *********** KDE, GNOME ****** Firefox._

   *****************************************************************************
   /usr/local/etc/fonts/local.conf ******
   (************************)._****************************** Xft
   ***************************************************************************************************************
   fonts-conf(5)._

   ************************ XML
   *************************************************************************._******************************
   XML ***************** DOCTYPE ***************** <fontconfig> ********

 <?xml version="1.0"?>
       <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
       <fontconfig>

   *********************************** /usr/local/share/fonts/ *** ~/.fonts/
   ****************** Xft-aware
   ****************************************************************************************************************
   /usr/local/etc/fonts/local.conf**

 <dir>/path/to/my/fonts</dir>

   *******************************************************************************

 # fc-cache -f

   **************************************************************************************************************
   "******"***********************************************************._***************
   14 *************************************************************

         <match target="font">
             <test name="size" compare="less">
                 <double>14</double>
             </test>
             <edit name="antialias" mode="assign">
                 <bool>false</bool>
             </edit>
         </match>
         <match target="font">
             <test name="pixelsize" compare="less" qual="any">
                 <double>14</double>
             </test>
             <edit mode="assign" name="antialias">
                 <bool>false</bool>
             </edit>
         </match>

   ***********************************************************************************
   KDE
   ************************._******************************************************
   100**********************

         <match target="pattern" name="family">
            <test qual="any" name="family">
                <string>fixed</string>
            </test>
            <edit name="family" mode="assign">
                <string>mono</string>
            </edit>
         </match>
         <match target="pattern" name="family">
             <test qual="any" name="family">
                 <string>console</string>
             </test>
             <edit name="family" mode="assign">
                 <string>mono</string>
             </edit>
         </match>

   (************************************************ "mono")****************

          <match target="pattern" name="family">
              <test qual="any" name="family">
                  <string>mono</string>
              </test>
              <edit name="spacing" mode="assign">
                  <int>100</int>
              </edit>
          </match>     

   *****************
   Helvetica***************************************************************************************************************************************._*****************************************************
   local.conf**

          <match target="pattern" name="family">
              <test qual="any" name="family">
                  <string>Helvetica</string>
              </test>
              <edit name="family" mode="assign">
                  <string>sans-serif</string>
              </edit>
          </match>       

   ****** local.conf ***************************** </fontconfig>
   ***********************************************************._

   ********************************* ~/.config/fontconfig/fonts.conf
   ******************************************************************** XML
   ******._

   ************************** LCD
   ******************************************** (Sub-pixel
   sampling)***************************** (************)
   ***,_***,_***********************************************************************._**************************************
   local.conf **************

          <match target="font">
              <test qual="all" name="rgba">
                  <const>unknown</const>
              </test>
              <edit name="rgba" mode="assign">
                  <const>rgb</const>
              </edit>
          </match>

  ******:

   ************************************************ rgb ********* bgr, vrgb
   *** vbgr***********************************************._

5.6. X ******************

   Originally contributed by Seth Kingsley.

   Xorg ********* X ****************** (X Display Manager,
   XDM)***********************************._XDM
   *********************************************************************************************
   (***************)._

   *************************** FreeBSD *** X
   ******************._**************************************************************************
   *** 5.7.1, "GNOME" ****************** GNOME ****************** (GNOME
   Display Manager) ********************* *** 5.7.2, "KDE" ******************
   KDE ****************** (KDE Display Manager) ***************._

  5.6.1. ****** XDM

   ********* XDM ********* x11/xdm *********
   Port._***************************** XDM ********************************
   /etc/ttys *****************

 ttyv8   "/usr/local/bin/xdm -nodaemon"  xterm   off secure

   ********* (off) ****** (on) ******************._****************** ttyv8
   ****** XDM ********* 9 ************************._

   XDM *********************
   /usr/local/etc/X11/xdm._*************************************** XDM
   ********************************* XDM ************************************
   Script ***************** 5.1, "XDM *********"
   ******************************._***************************************
   xdm(1) *********._

   ****** 5.1. XDM *********

  ******                                                                              ******                                                                            
Xaccess    ********* XDM *************************** X ************************************ (X Display Manager Connection Protocol,                                     
           XDMCP)********************************************************************** XDMCP ******._*********************************************************._       
           *************** XDM                                                                                                                                          
Xresources ***************************************._******************************************************************************************************************* 
           "Login:" *** "Password:" ******._********************* Xorg ************************ app-defaults *********._                                                
Xservers   *********************************************************************._                                                                                      
Xsession   ********************* Script************************** XDM ******._****************************************** Script *** ~/.xsession._                       
Xsetup_*   ************************************************************************ Script._*************************** Script*********** Xsetup_********* *            
           *********************._****************** Script ***************************************** xconsole._                                                        
xdm-config ******************************************************************._                                                                                         
           ************************************************** XDM                                                                                                       
xdm-errors **************************************************************************._***********************************************************************          
           ~/.xsession-errors._                                                                                                                                         
xdm-pid    XDM *************** ID._                                                                                                                                     

  5.6.2. ******************

   ********************************************* XDM
   ******._***********************************************************************************************************************._

   ********* XDM ********************************
   /usr/local/etc/X11/xdm/xdm-config ****** DisplayManager.requestPort
   ************ ! *****************

 ! SECURITY: do not listen for XDMCP or Chooser requests
 ! Comment out this line if you want to manage X terminals with xdm
 DisplayManager.requestPort:     0

   *************************** XDM*******************************
   /usr/local/etc/X11/xdm/Xaccess ***************************** xdm(1)
   *********************._

5.7. ************

   Contributed by Valentino Vaschetto.

   ************************ FreeBSD
   ***************************************._*********************************************************************************************._*********************************
   Port ************ x11-wm ************._

  5.7.1. GNOME

   GNOME
   *****************************************************************************************************************,_******************************************************************************,_*********************._************
   FreeBSD GNOME *************** https://www.FreeBSD.org/gnome
   *********************************** FreeBSD ******,_*************** GNOME
   ***************._

   *****************************************

 # pkg install gnome3

   *************************** Port ****** GNOME**GNOME
   *******************************************************************************************************._

 # cd /usr/ports/x11/gnome3
 # make install clean

   GNOME ************ /proc._*************** /etc/fstab
   *****************************************************

 proc           /proc       procfs  rw  0   0

   GNOME ********* D-Bus ****** HAL *** Message bus *** Hardware
   abstraction._****************************** GNOME
   ***************************************** /etc/rc.conf
   **********************************************

 dbus_enable="YES"
 hald_enable="YES"

   ***************************** Xorg ******
   GNOME._*************************** GNOME Display Manager,
   GDM******************** GNOME ********* Port
   ***************************************** /etc/rc.conf ***********

 gdm_enable="YES"

   ********************************* GNOME **************************
   /etc/rc.conf**

 gnome_enable="YES"

   GDM ************************************._

   *************** GNOME ************************ ~/.xinitrc
   *********************
   startx._*******************************************************************************************
   /usr/local/bin/gnome-session._*******************************************************

 % echo "exec /usr/local/bin/gnome-session" > ~/.xinitrc

   ************************ XDM
   ***********************************************************************
   ~/.xsession**

 % echo "exec /usr/local/bin/gnome-session" > ~/.xsession

  5.7.2. KDE

   KDE
   ***************************************._******************************************************,_******************************,_*********,_************,_******************,_******************************._************
   KDE ****** http://www.kde.org/ ******._********* FreeBSD
   ***************************** http://freebsd.kde.org._

   ********* KDE *******************

 # pkg install x11/kde5

   *************** KDE Port ************************************* Port
   ******************************************************._KDE
   ***********************************************************************************************._

 # cd /usr/ports/x11/kde5
 # make install clean

   KDE ************ /proc._*************** /etc/fstab
   *****************************************************

 proc           /proc       procfs  rw  0   0

   KDE ********* D-Bus ****** HAL *** Message bus *** Hardware
   abstraction._****************************** KDE
   ***************************************** /etc/rc.conf
   **********************************************

 dbus_enable="YES"
 hald_enable="YES"

   *** KDE Plasma 5 ********KDE Display Manager, KDM
   *****************************************
   SDDM*******************************

 # pkg install x11/sddm

   *************** /etc/rc.conf**

 sddm_enable="YES"

   *************** KDE *********************************
   startx._******************************************** ~/.xinitrc**

 exec ck-launch-session startkde

   *************** KDE ******************
   XDM***************************************************** ~/.xsession
   ********

 % echo "exec ck-launch-session startkde" > ~/.xsession

   ****** KDE
   ***********************************************************************************************************._

  5.7.3. Xfce

   Xfce ****** GNOME ********* GTK
   +*****************************************************************************************,_******,_*********************._************************,_************,_Applet
   ************************************,_******************************************************************._******************,_******,_**************************************************************************************._************
   Xfce *************** http://www.xfce.org ******._

   ********* Xfce ********

 # pkg install xfce

   ************ Port ********

 # cd /usr/ports/x11-wm/xfce4
 # make install clean

   Xfce ********* D-Bus ****** Message bus*********** Xfce
   ********************************************** /etc/rc.conf
   **************************************************

 dbus_enable="YES"

   ****** GNOME *** KDE**Xfce ***********************************************
   startx *************** Xfce ****************************** ~/.xinitrc**

 % echo ". /usr/local/etc/xdg/xfce4/xinitrc" > ~/.xinitrc

   ************************
   XDM************************************************** ~/.xsession**

 % echo ". /usr/local/etc/xdg/xfce4/xinitrc" > ~/.xsession

5.8. ****** Compiz Fusion

   *************************************************************** 3D
   ******._

   ****** Compiz Fusion
   ******************************************************** Port
   ******************************._

  5.8.1. ****** FreeBSD nVidia ************

   *********************************************************** nVidia
   ********************************************************************************._********************************************************
   xorg.conf ******._

   ************************ nVidia ************************ FAQ
   ******************************._

   ********************************************************************************************************************************._

   ****************************************

 # pkg install x11/nvidia-driver

   *****************************************************************************************
   /boot/loader.conf**

 nvidia_load="YES"

  ******:

   ********************************************************* kldload nvidia
   *************************************************************** Xorg
   ***************************._*************** /boot/loader.conf
   ***************************._

   ******************************************** xorg.conf
   ***********************************************

   ****** /etc/X11/xorg.conf **************

 Driver      "nv"

   ***********************

 Driver      "nvidia"

   ****************** GUI******************** nVidia
   **************************************************._

  5.8.2. ****** xorg.conf *********************

   ********* Compiz Fusion ************ /etc/X11/xorg.conf**

   ************ Section ***********************

 Section "Extensions"
     Option         "Composite" "Enable"
 EndSection

   ****** "Screen" section****************************

 Section "Screen"
     Identifier     "Screen0"
     Device         "Card0"
     Monitor        "Monitor0"
     ...

   ************************ (***"Monitor" ******)**

 DefaultDepth    24
 Option         "AddARGBGLXVisuals" "True"

   *********************************************
   "Subsection"************************* 1280x1024**************************
   Section._*************************************** Subsection
   **********************************************

 SubSection     "Display"
     Viewport    0 0
     Modes      "1280x1024"
 EndSubSection

   ****************** 24 bit ***************************** Subsection *****

 SubSection     "Display"
     Viewport    0 0
     Depth       24
     Modes      "1280x1024"
 EndSubSection

   *************** "Module" section *************** "glx" *** "extmod"
   ********

 Section "Module"
     Load           "extmod"
     Load           "glx"
     ...

   ********************************* x11/nvidia-xconfig ***************
   (****** root)**

 # nvidia-xconfig --add-argb-glx-visuals
 # nvidia-xconfig --composite
 # nvidia-xconfig --depth=24

  5.8.3. *************** Compiz Fusion

   ****** Compiz Fusion **************************************

 # pkg install x11-wm/compiz-fusion

   **********************************************************************************************
   (*********************)**

 % compiz --replace --sm-disable --ignore-desktop-hints ccp &
 % emerald --replace &

   ****************************** (********Metacity************** GNOME)
   *************** Compiz Fusion*****************************._*** Emerald
   ************************
   (**************,_*********,_***************,_************************)._

   ************************************************ Script
   ****************************** (****** GNOME ********* "Sessions" ***)**

 #! /bin/sh
 compiz --replace --sm-disable --ignore-desktop-hints ccp &
 emerald --replace &

   ************ Script **************************************
   start-compiz**********************************

 % chmod +x ~/start-compiz

   ************ GUI ****************************** Startup Programs (******
   GNOME *************** System, ************ Preferences, ************
   Sessions)._

   ********************************************************
   (***************************) Compiz Config ******************
   Compiz Config Settings Manager**

 % ccsm

  ******:

   *** GNOME ******************** System, ************ Preferences
   ***************._

   *************************** "gconf support"***************** gconf-editor
   *** apps/compiz ***************._

5.9. ************

   *****************************************************************._************
   Xorg ******************************************** xorg.conf ******
   InputDevice section._*****************************************************
   ServerLayout *** ServerFlags section**

 Option "AutoAddDevices" "false"

   **************************************************************************
   (***********************)._

  ******:

   **************************hald Daemon
   ****************************************************************************************************
   GNOME, KDE *** Xfce
   ******************************._***********************************
   setxkbmap(1) ********* hald
   ***************************************************._

   *********************************** PC 102 **************************
   (French) ************************************** hald
   ***************************** x11-input.fdi*****************
   /usr/local/etc/hal/fdi/policy
   ******._**************************************

 <?xml version="1.0" encoding="iso-8859-1"?>
 <deviceinfo version="0.2">
   <device>
     <match key="info.capabilities" contains="input.keyboard">
           <merge key="input.x11_options.XkbModel" type="string">pc102</merge>
           <merge key="input.x11_options.XkbLayout" type="string">fr</merge>
     </match>
   </device>
 </deviceinfo>

   **************************************************************************************************._

   ****************************************** hald ******************._

   *************** X ************ Script ********************************

 % setxkbmap -model pc102 -layout fr

   /usr/local/share/X11/xkb/rules/base.lst
   *********************************,_***************._

   ************************ xorg.conf.new ********************************
   emacs(1) *** ee(1)
   ******************._************************************************ (Sync
   frequency)
   *****************************************************************
   xorg.conf.new *** "Monitor" section**

 Section "Monitor"
         Identifier   "Monitor0"
         VendorName   "Monitor Vendor"
         ModelName    "Monitor Model"
         HorizSync    30-107
         VertRefresh  48-120
 EndSection

   **************************************************************************************._***********************************************************************************************************._

   X ********************************* DPMS (Energy Star) ********xset(1)
   ****************************************** (Standby),_****** (Suspend)
   ********* (Off) ******._************************************ DPMS
   ***************************************** (Monitor) *** Section**

 Option       "DPMS"

   ************************ xorg.conf.new
   *****************************************************************._******************
   "Screen" section ********

 Section "Screen"
         Identifier "Screen0"
         Device     "Card0"
         Monitor    "Monitor0"
         DefaultDepth 24
         SubSection "Display"
                 Viewport  0 0
                 Depth     24
                 Modes     "1024x768"
         EndSubSection
 EndSection

   DefaultDepth
   **************************************************************************
   Xorg(1) ****************** -depth ******._Modes
   ********************************************************** VESA
   ******************************************************************._**************************************************************
   24 bit***************************************** 1024 x 768 ******._

   ********************************************************************._

  ******:

   ***************************************************** Xorg
   *********._************************ Xorg
   ******************************._Xorg ***************************
   /var/log/Xorg.0.log*********************************** Xorg.0.log ***
   Xorg.8.log ************._

   *********************************************** Xorg(1)
   ******************************************** /etc/X11/xorg.conf ***
   /usr/local/etc/X11/xorg.conf._

 # cp xorg.conf.new /etc/X11/xorg.conf

   ********************* Xorg ***************._Xorg ******************
   startx(1) ************._Xorg ************************ xdm(1) *********._

  5.9.1. ****** Intel(R) i810 ***************

   ********* Intel(R) i810 *************************** agpgart AGP
   ********************* Xorg ******************._********* agp(4)
   ***************************************************._

   *********************************************************._********************
   agp(4) *********************************** kldload(8)
   *************************************************************************************************************
   /boot/loader.conf *********._

  5.9.2. ******************************************

   *************************************************************************************************************************************************************************************************._************************************._

   ********************* (WSXGA, WSXGA+, WUXGA, WXGA, WXGA+, et.al.)
   *************** 16:10 *** 10:9
   ******************************************._************ 16:10
   ***********************************

     * 2560x1600

     * 1920x1200

     * 1680x1050

     * 1440x900

     * 1280x800

   ***************************************************************** Mode
   ********* Section "Screen"**

 Section "Screen"
 Identifier "Screen0"
 Device     "Card0"
 Monitor    "Monitor0"
 DefaultDepth 24
 SubSection "Display"
         Viewport  0 0
         Depth     24
         Modes     "1680x1050"
 EndSubSection
 EndSection

   Xorg ********************************************* (******
   I2C/DDC)********************************************************._

   ***************************************************
   ModeLines************** Xorg ************._****** /var/log/Xorg.0.log
   ******************************************************
   ModeLine._*****************************************************

 (II) MGA(0): Supported additional Video Mode:
 (II) MGA(0): clock: 146.2 MHz   Image Size:  433 x 271 mm
 (II) MGA(0): h_active: 1680  h_sync: 1784  h_sync_end 1960 h_blank_end 2240 h_border: 0
 (II) MGA(0): v_active: 1050  v_sync: 1053  v_sync_end 1059 v_blanking: 1089 v_border: 0
 (II) MGA(0): Ranges: V min: 48  V max: 85 Hz, H min: 30  H max: 94 kHz, PixClock max 170 MHz

   ****************** EDID ************** EDIT ************ ModeLine
   ***********************************************

 ModeLine <name> <clock> <4 horiz. timings> <4 vert. timings>

   ******************************** Section "Monitor" ****** ModeLine
   ***********************

 Section "Monitor"
 Identifier      "Monitor1"
 VendorName      "Bigname"
 ModelName       "BestModel"
 ModeLine        "1680x1050" 146.2 1680 1784 1960 2240 1050 1053 1059 1089
 Option          "DPMS"
 EndSection

   ***********************************************************************
   X._

  5.9.3. Compiz Fusion ************

   5.9.3.1. ******************
   Compiz Fusion****************************************************************************************._******************?

   5.9.3.2. *************************** Compiz Fusion**X
   ***************************************** Console._******************?

5.9.3.1. ******************                                                                                                         
         Compiz Fusion****************************************************************************************._******************? 
         ****************** /etc/X11/xorg.conf ************._************************************** DefaultDepth ***                
         AddARGBGLXVisuals *********._                                                                                              
5.9.3.2. *************************** Compiz Fusion**X ***************************************** Console._******************?        
         ************ /var/log/Xorg.0.log************************** X                                                               
         *********************************._*****************************                                                           
                                                                                                                                    
         (EE) NVIDIA(0):     Failed to initialize the GLX module; please check in your X                                            
         (EE) NVIDIA(0):     log file that the GLX module has been loaded in your X                                                 
         (EE) NVIDIA(0):     server, and that the module is the NVIDIA GLX module.  If                                              
         (EE) NVIDIA(0):     you continue to encounter problems, Please try                                                         
         (EE) NVIDIA(0):     reinstalling the NVIDIA driver.                                                                        
                                                                                                                                    
         ************************************************ Xorg*********************** x11/nvidia-driver ********************* glx._ 

                              *** II. ************

   ***********************************************************************************************
   FreeBSD *******************************

     * ***********************************************************,_************,_*********************._

     * ****************** FreeBSD ***************************._

     * ********************************* FreeBSD
       ******************************************._

     * *****************************************************************************._

     * ****************************** FreeBSD *************** Linux
       ************._

   **************************************************************************************************._

   ************

   6. ******************

                6.1. ******

                6.2. *********

                6.3. ************

                6.4. ******************

                6.5. ******

   7. *********

                7.1. ******

                7.2. ***************

                7.3. MP3 ******

                7.4. ************

                7.5. *********

                7.6. MythTV

                7.7. ***************

   8. ****** FreeBSD ******

                8.1. ******

                8.2. ******************************?

                8.3. ******************

                8.4. *********

                8.5. ***************************

                8.6. ******************

   9. ******

                9.1. ************

                9.2. ***************

                9.3. ***************************

                9.4. ************

                9.5. LPD (****************** Daemon)

                9.6. ******************

   10. Linux(R) Binary *********

                10.1. ******

                10.2. ****** Linux(R) Binary *********

                10.3. ************

*** 6. ******************

   ************

   6.1. ******

   6.2. *********

   6.3. ************

   6.4. ******************

   6.5. ******

6.1. ******

   ****** FreeBSD
   ********************************************************************************************._FreeBSD
   ********* Port ********* 24,000
   ********************************************************************************************************************._**************************************************************************,_************,_************************************._

  ******:

   ******************************************** FreeBSD
   ********************************************************* trueos.org
   ******._

   **********************************************

     * *************** Port ********************* *** 4,
       ***************************** Port *********._

     * ****** X ************************ *** 5, X Window ****** *********._

   ************************************************************** *** 7,
   *********._

6.2. *********

   *** FreeBSD ***************************************._ ****** Port
   *************** www ************************************ Binary
   ****************** Port ******************************._

   KDE *** GNOME ********************************* HTML *********._*********
   *** 5.7, "************"
   ************************************************************._

   *********************************************** www/dillo2, www/links
   ****** www/w3m._

   ******************************************************************************************************************,_*********************
   Port *********************************._

   ****************** ************   *** Port              ******             
                                   ************ 
   Firefox            ***          ***          *** FreeBSD ,_ Linux(R)       
                                                ******************            
   Opera              ***          ***          *** FreeBSD ,_ Linux(R)       
                                                ******                        
   Konqueror          ***          ***          ****** KDE *********          
   Chromium           ***          ***          ****** Gtk+ *********         

  6.2.1. Firefox

   Firefox ***************************************************** HTML
   *********************,_************,_******************,_************,_************************************._Firefox
   ****************** Mozilla ************._

   ****************************** Firefox *****************

 # pkg install firefox

   *************************** (Extended Support Release, ESR) *********
   Firefox*************

 # pkg install firefox-esr

   ************************ www/firefox-i18n *** www/firefox-esr-i18n
   ******._

   ****** Port ************************************************ Firefox
   ******._*************** www/firefox******** firefox ************ ESR
   ***************************._

 # cd /usr/ports/www/firefox
 # make install clean

  6.2.2. Opera

   Opera
   ************************,_*********************,_***************************._
   ************************************,_***************,_IRC
   *********,_RSS/Atom ******************._ *********************************
   FreeBSD ********* Linux(R) ******************************._

   ********************* FreeBSD Binary *************** Opera******** opera
   *** linux-opera *************** Linux(R) ******._

 # pkg install opera

   ***************** Port
   *************************************************************

 # cd /usr/ports/www/opera
 # make install clean

   ********* Linux(R) ********* opera *** linux-opera._

   ********* Adobe(R) Flash(R) **************************
   www/linux-flashplayer
   Port************************************************** Binary
   ******._***************
   www/opera-linuxplugins._****************************** Port
   *****************************

 # cd /usr/ports/www/linux-flashplayer
 # make install clean
 # cd /usr/ports/www/opera-linuxplugins
 # make install clean

   **********************************************************************************
   opera:plugins ********* Enter
   *****************************************************._

   ************ Java(TM) *************************** java/icedtea-web._

  6.2.3. Konqueror

   Konqueror *****************************
   ***************************************************._************
   x11/kde4-baseapps ********* Port ***._

   Konqueror ************ WebKit ****************** KTHML._WebKit
   *****************************************************************
   Chromium._****** FreeBSD *** Konqueror ****** WebKit *********
   www/kwebkitpart ********* Port._********************* Binary
   **************

 # pkg install kwebkitpart

   *** Port *****************

 # cd /usr/ports/www/kwebkitpart
 # make install clean

   ********* Konqueror ****** WebKit ****** "Settings",_"Configure
   Konqueror"._*** "General" ********************* "Default web browser
   engine" ****************************** "KHTML" *** "WebKit"._

   Konqueror ********* Flash(R)**"******"*** Konqueror ********* Flash(R)
   ****************** http://freebsd.kde.org/howtos/konqueror-flash.php._

  6.2.4. Chromium

   Chromium
   **************************************************************************************,_***************************************._Chromium
   ***************************,_******************,_******************._

   Chromium *******************************************

 # pkg install chromium

   ************ Port *************************** Chromium**

 # cd /usr/ports/www/chromium
 # make install clean

  ******:

   Chromium *************** /usr/local/bin/chrome********
   /usr/local/bin/chromium._

6.3. ************

   *****************************************************************************************************._
   ************ ************ ****** KDE
   ****************************************************************FreeBSD
   **************************************************************************************************************._

   ************************************************************************************************,_***
   Port ******************************************************._

   ****************** ************   *** Port        ******************       
                                   ************ 
   Calligra           ***          ***          KDE                           
   AbiWord            ***          ***          Gtk+ *** GNOME                
   The Gimp           ***          ***          Gtk+                          
   Apache OpenOffice  ***          *********    JDK(TM) *** Mozilla           
   LibreOffice        *********    *********    Gtk+ *** KDE/ GNOME ***       
                                                JDK(TM)                       

  6.3.1. Calligra

   KDE ****************************************** KDE ************._Calligra
   ************************************************************** Words
   *********************,_Sheets ******************,_Stage
   ************************ Karbon ************************._

   *** FreeBSD *** editors/calligra ********************* Port
   ****************************************

 # pkg install calligra

   ************************************** Port *****************

 # cd /usr/ports/editors/calligra
 # make install clean

  6.3.2. AbiWord

   AbiWord *****************************************************************
   Microsoft(R) Word._
   **************************************************************._

   AbiWord *****************************************
   ************************************** Microsoft(R) .rtf ******._

   ********* AbiWord Binary *******************************

 # pkg install abiword

   ********* Binary ************************** Port
   **************************

 # cd /usr/ports/editors/abiword
 # make install clean

  6.3.3. The GIMP

   **************************************The GIMP
   ************************************._
   ************************************************************************._
   ************************************************ (script-fu) ******._ The
   GIMP ******************************._ *********************************._

   ********************

 # pkg install gimp

   ********* Port *****************

 # cd /usr/ports/graphics/gimp
 # make install clean

   *** Port ************ graphics ****** (freebsd.org/ports/graphics.html)
   ********************* GIMP
   ***********************************************._

  6.3.4. Apache OpenOffice

   Apache OpenOffice ***************************************** Apache
   Software Foundation's Incubator ************************._
   ***********************************************
   ***************,_*********,_******************************._
   **************************************************************
   ******************************************************._
   *********************************************,_*********************._

   Apache OpenOffice ********************************* XML
   ***************************************._ ***************************
   (Macro) ************************************************._ Apache
   OpenOffice ******************** *************** Windows(R), Solaris(TM),
   Linux(R), FreeBSD *** Mac OS(R) X ***************************._
   ********************* Apache OpenOffice ****************** openoffice.org
   ***************._*** FreeBSD ************************
   porting.openoffice.org/freebsd/._

   ********* Apache OpenOffice ********

 # pkg install apache-openoffice

   ********************************************************************
   Apache OpenOffice**

 % openoffice-X.Y.Z

   ****** X.Y.Z *************** Apache OpenOffice
   ***************._*************** Apache OpenOffice
   ***************************************************************
   .openoffice.org *********._

   ********************************* Apache OpenOffice***************** Port
   ******._
   ****************************************************************************

 # cd /usr/ports/editors/openoffice-4
 # make install clean

  ******:

   **********************************************************************

 # make LOCALIZED_LANG=your_language install clean

   ****** your_language ****************** ISO
   ******._****************************** files/Makefile.localized***********
   Port *********._

  6.3.5. LibreOffice

   LibreOffice ********************************* documentfoundation.org
   *********._************************************************************************._******
   Apache OpenOffice
   *************************************************************************************************************,_*********,_******************,_************,_***************************************************************._*********************************************************,_***************************._

   LibreOffice *************************************** XML
   ********************************************************************************************************._LibreOffice
   *************************** Windows(R), Linux(R), FreeBSD ******
   Mac OS(R) X *********._************ LibreOffice ***************
   libreoffice.org ******._

   ************************ LibreOffice ********

 # pkg install libreoffice

   Port *************************** (freebsd.org/ports/editors.html)
   *************** LibreOffice *********._***********************************
   libreoffice ***************************._

   *********************************************** LibreOffice**

 % libreoffice

   *********************************************************************************
   .libreoffice *********._

   ************************ LibreOffice ***************** Port
   *****************************************************************._**************************************

 # cd /usr/ports/editors/libreoffice
 # make install clean

  ******:

   ******************************** cd ********************* Port
   ******._********************* Port ***************************
   (freebsd.org/ports/editors.html) *********._

6.4. ******************

   UNIX(R)
   ****************************************************************************************************************************._*****************************************************

   ******************  ************  *** Port ************ ****************** 
   Xpdf                ***           ***                   FreeType           
   gv                  ***           ***                   Xaw3d              
   Geeqie              ***           ***                   Gtk+ *** GNOME     
   ePDFView            ***           ***                   Gtk+               
   Okular              ***           ***                   KDE                

  6.4.1. Xpdf

   ****************************** FreeBSD PDF ************** Xpdf
   ******************************************._
   ************************************************._ ********************* X
   ************************************(Toolkit)._

   ****** Xpdf ********

 # pkg install xpdf

   ***************************************** Port *****************

 # cd /usr/ports/graphics/xpdf
 # make install clean

   *********************** xpdf *********************************._

  6.4.2. gv

   gv *** PostScript(R) *** PDF ************._ ************ ghostview
   ******************************** Xaw3d
   ********************************************************._ gv
   **************************************************,_************,_************,_************(Anti-aliasing)***._
   ***************************************************************._

   ****** gv ********

 # pkg install gv

   ***************************************** Port *****************

 # cd /usr/ports/print/gv
 # make install clean

  6.4.3. Geeqie

   Geeqie *************************** GQView
   ********************************************************************************._Geeqie
   *****************************************************,_*********************,_*********************._
   ***********************************************************************************************************************._
   Geeqie *********************************************._

   ****** Geeqie ********

 # pkg install geeqie

   ***************************************** Port *****************

 # cd /usr/ports/graphics/geeqie
 # make install clean

  6.4.4. ePDFView

   ePDFView ****************** PDF ******************************** Gtk+ ***
   Poppler
   *********._*********************************************************** PDF
   ****** (*********************),_************************************ CUPS
   *********._

   ****************** ePDFView**

 # pkg install epdfview

   ***************************************** Port *****************

 # cd /usr/ports/graphics/epdfview
 # make install clean

  6.4.5. Okular

   Okular ***************************************** KDE *** KPDF
   *********._*********************************************** PDF,
   PostScript(R), DjVu, CHM, XPS ****** ePub._

   ****************** Okular**

 # pkg install okular

   ***************************************** Port *****************

 # cd /usr/ports/graphics/okular
 # make install clean

6.5. ******

   *************************************** FreeBSD
   *****************************************
   ***************************,_***************************************._
   ********************************************************* Quicken ***
   Excel ******._

   ***********************************

   ******************  ************  *** Port ************ ****************** 
   GnuCash             ***           ***                   GNOME              
   Gnumeric            ***           ***                   GNOME              
   KMyMoney            ***           ***                   KDE                

  6.5.1. GnuCash

   GnuCash *** GNOME *********************************** GNOME
   ************************************************************************._******
   GnuCash
   *********************************,_*********************************._
   ***************************************************._

   GnuCash
   ***************************,_*********************************************************._
   ******************************************************._ GnuCash
   ************************ Quicken QIF ******._
   ***************************************************************._

   ****** GnuCash ********

 # pkg install gnucash

   ***************************************** Port *****************

 # cd /usr/ports/finance/gnucash
 # make install clean

  6.5.2. Gnumeric

   Gnumeric *** GNOME *********************************._
   ************************************************
   <'******>'******************************************._
   ***************************************************** Excel, Lotus 1-2-3
   ****** Quattro Pro._
   *************************************************************************************,_******,_******,_************************._

   ****** Gnumeric ********

 # pkg install gnumeric

   ***************************************** Port *****************

 # cd /usr/ports/math/gnumeric
 # make install clean

  6.5.3. KMyMoney

   KMyMoney ************************************** KDE
   ***************._KMyMoney
   ********************************************************************************************************************************************************._KMyMoney
   ************ Quicken QIF
   ******************,_************,_***************************************._

   ****************** KMyMoney**

 # pkg install kmymoney-kde4

   ***************************************** Port *****************

 # cd /usr/ports/finance/kmymoney-kde4
 # make install clean

*** 7. *********

   Edited by Ross Lippert.
   ************

   7.1. ******

   7.2. ***************

   7.3. MP3 ******

   7.4. ************

   7.5. *********

   7.6. MythTV

   7.7. ***************

7.1. ******

   FreeBSD ********************************
   *********************************************************(Hi-Fi)**
   ********************************* MPEG Audio Layer 3 (MP3),_ Waveform
   Audio File (WAV),_Ogg Vorbis
   ******************************************._****** FreeBSD Port
   ************************************************,_************************
   MIDI *********************._

   FreeBSD ********************************* DVD._ FreeBSD Port
   ***************************,_***************************************************._

   *************************** FreeBSD
   ***************,_***************,_*********************._************************************************************._

   ****************************

     * ****** FreeBSD ***************._

     * ************************._

     * ******,_****** MP3 ***************************._

     * FreeBSD *********************************._

     * ****** DVD *** .mpg *** .avi ***._

     * ******(Rip) CD *** DVD******************._

     * ***************._

     * *** FreeBSD ****** MythTV

     * *********************._

     * ******************._

   ****************************************

     * ********************************* *** 4, *****************************
       Port *********._

7.2. ***************

   Contributed by Moses Moore.
   Enhanced by Marc Fonvieille.

   ********************************************************,_************._
   FreeBSD ***********************************************************
   Hardware Notes*****************************************************
   FreeBSD *********._

   *****************************************************************._************************
   kldload(8) *********************._************************ Intel
   *****************************************

 # kldload snd_hda

   **************************************************************
   /boot/loader.conf *******************************

 snd_hda_load="YES"

   ******************************************
   /boot/defaults/loader.conf._*****************************************************
   snd_driver ********

 # kldload snd_driver

   ****** metadriver
   ******************************************************************************************._************
   metadriver ****** /boot/loader.conf ************************************._

   *************** snd_driver metadriver
   ************************************************** cat /dev/sndstat._

  7.2.1. ******************************

   This section is for users who prefer to statically compile in support for
   the sound card in a custom kernel. For more information about recompiling
   a kernel, refer to *** 8, ****** FreeBSD ******.

   When using a custom kernel to provide sound support, make sure that the
   audio framework driver exists in the custom kernel configuration file:

 device sound

   Next, add support for the sound card. To continue the example of the
   built-in audio chipset based on the Intel specification from the previous
   section, use the following line in the custom kernel configuration file:

 device snd_hda

   Be sure to read the manual page of the driver for the device name to use
   for the driver.

   Non-PnP ISA sound cards may require the IRQ and I/O port settings of the
   card to be added to /boot/device.hints. During the boot process, loader(8)
   reads this file and passes the settings to the kernel. For example, an old
   Creative SoundBlaster(R) 16 ISA non-PnP card will use the snd_sbc(4)
   driver in conjunction with snd_sb16. For this card, the following lines
   must be added to the kernel configuration file:

 device snd_sbc
 device snd_sb16

   If the card uses the 0x220 I/O port and IRQ 5, these lines must also be
   added to /boot/device.hints:

 hint.sbc.0.at="isa"
 hint.sbc.0.port="0x220"
 hint.sbc.0.irq="5"
 hint.sbc.0.drq="1"
 hint.sbc.0.flags="0x15"

   The syntax used in /boot/device.hints is described in sound(4) and the
   manual page for the driver of the sound card.

   The settings shown above are the defaults. In some cases, the IRQ or other
   settings may need to be changed to match the card. Refer to snd_sbc(4) for
   more information about this card.

  7.2.2. ************

   After loading the required module or rebooting into the custom kernel, the
   sound card should be detected. To confirm, run dmesg | grep pcm. This
   example is from a system with a built-in Conexant CX20590 chipset:

 pcm0: <NVIDIA (0x001c) (HDMI/DP 8ch)> at nid 5 on hdaa0
 pcm1: <NVIDIA (0x001c) (HDMI/DP 8ch)> at nid 6 on hdaa0
 pcm2: <Conexant CX20590 (Analog 2.0+HP/2.0)> at nid 31,25 and 35,27 on hdaa1

   The status of the sound card may also be checked using this command:

 # cat /dev/sndstat
 FreeBSD Audio Driver (newpcm: 64bit 2009061500/amd64)
 Installed devices:
 pcm0: <NVIDIA (0x001c) (HDMI/DP 8ch)> (play)
 pcm1: <NVIDIA (0x001c) (HDMI/DP 8ch)> (play)
 pcm2: <Conexant CX20590 (Analog 2.0+HP/2.0)> (play/rec) default

   The output will vary depending upon the sound card. If no pcm devices are
   listed, double-check that the correct device driver was loaded or compiled
   into the kernel. The next section lists some common problems and their
   solutions.

   If all goes well, the sound card should now work in FreeBSD. If the CD or
   DVD drive is properly connected to the sound card, one can insert an audio
   CD in the drive and play it with cdcontrol(1):

 % cdcontrol -f /dev/acd0 play 1

  ******:

   Audio CDs have specialized encodings which means that they should not be
   mounted using mount(8).

   Various applications, such as audio/workman, provide a friendlier
   interface. The audio/mpg123 port can be installed to listen to MP3 audio
   files.

   Another quick way to test the card is to send data to /dev/dsp:

 % cat filename > /dev/dsp

   where filename can be any type of file. This command should produce some
   noise, confirming that the sound card is working.

  ******:

   The /dev/dsp* device nodes will be created automatically as needed. When
   not in use, they do not exist and will not appear in the output of ls(1).

  7.2.3. ************************

   Connecting to a Bluetooth device is out of scope for this chapter. Refer
   to *** 31.5, "******" for more information.

   To get Bluetooth sound sink working with FreeBSD's sound system, users
   have to install audio/virtual_oss first:

 # pkg install virtual_oss

   audio/virtual_oss requires cuse to be loaded into the kernel:

 # kldload cuse

   To load cuse during system startup, run this command:

 # sysrc -f /boot/loader.conf cuse_load=yes

   To use headphones as a sound sink with audio/virtual_oss, users need to
   create a virtual device after connecting to a Bluetooth audio device:

 # virtual_oss -C 2 -c 2 -r 48000 -b 16 -s 768 -R /dev/null -P /dev/bluetooth/headphones -d dsp

  ******:

   headphones in this example is a hostname from /etc/bluetooth/hosts.
   BT_ADDR could be used instead.

   ********* virtual_oss(8) ******************._

  7.2.4. ******************

   ****** 7.1, "******************" lists some common error messages and
   their solutions:

   ****** 7.1. ******************

             ******                            ************                   
   sb_dspwr(XX) timed out     The I/O port is not set correctly.              
   bad irq XX                 The IRQ is set incorrectly. Make sure that the  
                              set IRQ and the sound IRQ are the same.         
   xxx: gus pcm not attached, There is not enough available memory to use the 
   out of memory              device.                                         
                              Type fstat | grep dsp to check if another       
   xxx: can't open /dev/dsp!  application is holding the device open.         
                              Noteworthy troublemakers are esound and KDE's   
                              sound support.                                  

   Modern graphics cards often come with their own sound driver for use with
   HDMI. This sound device is sometimes enumerated before the sound card
   meaning that the sound card will not be used as the default playback
   device. To check if this is the case, run dmesg and look for pcm. The
   output looks something like this:

 ...
 hdac0: HDA Driver Revision: 20100226_0142
 hdac1: HDA Driver Revision: 20100226_0142
 hdac0: HDA Codec #0: NVidia (Unknown)
 hdac0: HDA Codec #1: NVidia (Unknown)
 hdac0: HDA Codec #2: NVidia (Unknown)
 hdac0: HDA Codec #3: NVidia (Unknown)
 pcm0: <HDA NVidia (Unknown) PCM #0 DisplayPort> at cad 0 nid 1 on hdac0
 pcm1: <HDA NVidia (Unknown) PCM #0 DisplayPort> at cad 1 nid 1 on hdac0
 pcm2: <HDA NVidia (Unknown) PCM #0 DisplayPort> at cad 2 nid 1 on hdac0
 pcm3: <HDA NVidia (Unknown) PCM #0 DisplayPort> at cad 3 nid 1 on hdac0
 hdac1: HDA Codec #2: Realtek ALC889
 pcm4: <HDA Realtek ALC889 PCM #0 Analog> at cad 2 nid 1 on hdac1
 pcm5: <HDA Realtek ALC889 PCM #1 Analog> at cad 2 nid 1 on hdac1
 pcm6: <HDA Realtek ALC889 PCM #2 Digital> at cad 2 nid 1 on hdac1
 pcm7: <HDA Realtek ALC889 PCM #3 Digital> at cad 2 nid 1 on hdac1
 ...

   In this example, the graphics card (NVidia) has been enumerated before the
   sound card (Realtek ALC889). To use the sound card as the default playback
   device, change hw.snd.default_unit to the unit that should be used for
   playback:

 # sysctl hw.snd.default_unit=n

   where n is the number of the sound device to use. In this example, it
   should be 4. Make this change permanent by adding the following line to
   /etc/sysctl.conf:

 hw.snd.default_unit=4

  7.2.5. ************************

   Contributed by Munish Chopra.

   It is often desirable to have multiple sources of sound that are able to
   play simultaneously. FreeBSD uses "Virtual Sound Channels" to multiplex
   the sound card's playback by mixing sound in the kernel.

   Three sysctl(8) knobs are available for configuring virtual channels:

 # sysctl dev.pcm.0.play.vchans=4
 # sysctl dev.pcm.0.rec.vchans=4
 # sysctl hw.snd.maxautovchans=4

   This example allocates four virtual channels, which is a practical number
   for everyday use. Both dev.pcm.0.play.vchans=4 and dev.pcm.0.rec.vchans=4
   are configurable after a device has been attached and represent the number
   of virtual channels pcm0 has for playback and recording. Since the pcm
   module can be loaded independently of the hardware drivers,
   hw.snd.maxautovchans indicates how many virtual channels will be given to
   an audio device when it is attached. Refer to pcm(4) for more information.

  ******:

   The number of virtual channels for a device cannot be changed while it is
   in use. First, close any programs using the device, such as music players
   or sound daemons.

   The correct pcm device will automatically be allocated transparently to a
   program that requests /dev/dsp0.

  7.2.6. *********************************

   Contributed by Josef El-Rayes.

   The default values for the different mixer channels are hardcoded in the
   source code of the pcm(4) driver. While sound card mixer levels can be
   changed using mixer(8) or third-party applications and daemons, this is
   not a permanent solution. To instead set default mixer values at the
   driver level, define the appropriate values in /boot/device.hints, as seen
   in this example:

 hint.pcm.0.vol="50"

   This will set the volume channel to a default value of 50 when the pcm(4)
   module is loaded.

7.3. MP3 ******

   Contributed by Chern Lee.

   This section describes some MP3 players available for FreeBSD, how to rip
   audio CD tracks, and how to encode and decode MP3s.

  7.3.1. MP3 *********

   A popular graphical MP3 player is Audacious. It supports Winamp skins and
   additional plugins. The interface is intuitive, with a playlist, graphic
   equalizer, and more. Those familiar with Winamp will find Audacious simple
   to use. On FreeBSD, Audacious can be installed from the
   multimedia/audacious port or package. Audacious is a descendant of XMMS.

   The audio/mpg123 package or port provides an alternative, command-line MP3
   player. Once installed, specify the MP3 file to play on the command line.
   If the system has multiple audio devices, the sound device can also be
   specified:

 # mpg123 -a /dev/dsp1.0 Foobar-GreatestHits.mp3
 High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
         version 1.18.1; written and copyright by Michael Hipp and others
         free software (LGPL) without any warranty but with best wishes

 Playing MPEG stream from Foobar-GreatestHits.mp3 ...
 MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo

   Additional MP3 players are available in the FreeBSD Ports Collection.

  7.3.2. ****** CD ******

   Before encoding a CD or CD track to MP3, the audio data on the CD must be
   ripped to the hard drive. This is done by copying the raw CD Digital Audio
   (CDDA) data to WAV files.

   The cdda2wav tool, which is installed with the sysutils/cdrtools suite,
   can be used to rip audio information from CDs.

   With the audio CD in the drive, the following command can be issued as
   root to rip an entire CD into individual, per track, WAV files:

 # cdda2wav -D 0,1,0 -B

   In this example, the -D 0,1,0 indicates the SCSI device 0,1,0 containing
   the CD to rip. Use cdrecord -scanbus to determine the correct device
   parameters for the system.

   To rip individual tracks, use -t to specify the track:

 # cdda2wav -D 0,1,0 -t 7

   To rip a range of tracks, such as track one to seven, specify a range:

 # cdda2wav -D 0,1,0 -t 1+7

   To rip from an ATAPI (IDE) CDROM drive, specify the device name in place
   of the SCSI unit numbers. For example, to rip track 7 from an IDE drive:

 # cdda2wav -D /dev/acd0 -t 7

   Alternately, dd can be used to extract audio tracks on ATAPI drives, as
   described in *** 17.5.5, "************ CD".

  7.3.3. MP3 ***************

   Lame is a popular MP3 encoder which can be installed from the audio/lame
   port. Due to patent issues, a package is not available.

   The following command will convert the ripped WAV file audio01.wav to
   audio01.mp3:

 # lame -h -b 128 --tt "Foo Song Title" --ta "FooBar Artist" --tl "FooBar Album" \
 --ty "2014" --tc "Ripped and encoded by Foo" --tg "Genre" audio01.wav audio01.mp3

   The specified 128 kbits is a standard MP3 bitrate while the 160 and 192
   bitrates provide higher quality. The higher the bitrate, the larger the
   size of the resulting MP3. The -h turns on the "higher quality but a
   little slower" mode. The options beginning with --t indicate ID3 tags,
   which usually contain song information, to be embedded within the MP3
   file. Additional encoding options can be found in the lame manual page.

   In order to burn an audio CD from MP3s, they must first be converted to a
   non-compressed file format. XMMS can be used to convert to the WAV format,
   while mpg123 can be used to convert to the raw Pulse-Code Modulation (PCM)
   audio data format.

   To convert audio01.mp3 using mpg123, specify the name of the PCM file:

 # mpg123 -s audio01.mp3 > audio01.pcm

   To use XMMS to convert a MP3 to WAV format, use these steps:

   ****** 7.1. Converting to WAV Format in XMMS
    1. Launch XMMS.

    2. Right-click the window to bring up the XMMS menu.

    3. Select Preferences under Options.

    4. Change the Output Plugin to "Disk Writer Plugin".

    5. Press Configure.

    6. Enter or browse to a directory to write the uncompressed files to.

    7. Load the MP3 file into XMMS as usual, with volume at 100% and EQ
       settings turned off.

    8. Press Play. The XMMS will appear as if it is playing the MP3, but no
       music will be heard. It is actually playing the MP3 to a file.

    9. When finished, be sure to set the default Output Plugin back to what
       it was before in order to listen to MP3s again.

   Both the WAV and PCM formats can be used with cdrecord. When using WAV
   files, there will be a small tick sound at the beginning of each track.
   This sound is the header of the WAV file. The audio/sox port or package
   can be used to remove the header:

 % sox -t wav -r 44100 -s -w -c 2 track.wav track.raw

   Refer to *** 17.5, "*************** CD ******" for more information on
   using a CD burner in FreeBSD.

7.4. ************

   Contributed by Ross Lippert.

   Before configuring video playback, determine the model and chipset of the
   video card. While Xorg supports a wide variety of video cards, not all
   provide good playback performance. To obtain a list of extensions
   supported by the Xorg server using the card, run xdpyinfo while Xorg is
   running.

   It is a good idea to have a short MPEG test file for evaluating various
   players and options. Since some DVD applications look for DVD media in
   /dev/dvd by default, or have this device name hardcoded in them, it might
   be useful to make a symbolic link to the proper device:

 # ln -sf /dev/cd0 /dev/dvd

   Due to the nature of devfs(5), manually created links will not persist
   after a system reboot. In order to recreate the symbolic link
   automatically when the system boots, add the following line to
   /etc/devfs.conf:

 link cd0 dvd

   DVD decryption invokes certain functions that require write permission to
   the DVD device.

   To enhance the shared memory Xorg interface, it is recommended to increase
   the values of these sysctl(8) variables:

 kern.ipc.shmmax=67108864
 kern.ipc.shmall=32768

  7.4.1. ************************

   There are several possible ways to display video under Xorg and what works
   is largely hardware dependent. Each method described below will have
   varying quality across different hardware.

   Common video interfaces include:

    1. Xorg: normal output using shared memory.

    2. XVideo: an extension to the Xorg interface which allows video to be
       directly displayed in drawable objects through a special acceleration.
       This extension provides good quality playback even on low-end
       machines. The next section describes how to determine if this
       extension is running.

    3. SDL: the Simple Directmedia Layer is a porting layer for many
       operating systems, allowing cross-platform applications to be
       developed which make efficient use of sound and graphics. SDL provides
       a low-level abstraction to the hardware which can sometimes be more
       efficient than the Xorg interface. On FreeBSD, SDL can be installed
       using the devel/sdl20 package or port.

    4. DGA: the Direct Graphics Access is an Xorg extension which allows a
       program to bypass the Xorg server and directly alter the framebuffer.
       Because it relies on a low level memory mapping, programs using it
       must be run as root. The DGA extension can be tested and benchmarked
       using dga(1). When dga is running, it changes the colors of the
       display whenever a key is pressed. To quit, press q.

    5. SVGAlib: a low level console graphics layer.

    7.4.1.1. XVideo

   To check whether this extension is running, use xvinfo:

 % xvinfo

   XVideo is supported for the card if the result is similar to:

 X-Video Extension version 2.2
   screen #0
   Adaptor #0: "Savage Streams Engine"
     number of ports: 1
     port base: 43
     operations supported: PutImage
     supported visuals:
       depth 16, visualID 0x22
       depth 16, visualID 0x23
     number of attributes: 5
       "XV_COLORKEY" (range 0 to 16777215)
               client settable attribute
               client gettable attribute (current value is 2110)
       "XV_BRIGHTNESS" (range -128 to 127)
               client settable attribute
               client gettable attribute (current value is 0)
       "XV_CONTRAST" (range 0 to 255)
               client settable attribute
               client gettable attribute (current value is 128)
       "XV_SATURATION" (range 0 to 255)
               client settable attribute
               client gettable attribute (current value is 128)
       "XV_HUE" (range -180 to 180)
               client settable attribute
               client gettable attribute (current value is 0)
     maximum XvImage size: 1024 x 1024
     Number of image formats: 7
       id: 0x32595559 (YUY2)
         guid: 59555932-0000-0010-8000-00aa00389b71
         bits per pixel: 16
         number of planes: 1
         type: YUV (packed)
       id: 0x32315659 (YV12)
         guid: 59563132-0000-0010-8000-00aa00389b71
         bits per pixel: 12
         number of planes: 3
         type: YUV (planar)
       id: 0x30323449 (I420)
         guid: 49343230-0000-0010-8000-00aa00389b71
         bits per pixel: 12
         number of planes: 3
         type: YUV (planar)
       id: 0x36315652 (RV16)
         guid: 52563135-0000-0000-0000-000000000000
         bits per pixel: 16
         number of planes: 1
         type: RGB (packed)
         depth: 0
         red, green, blue masks: 0x1f, 0x3e0, 0x7c00
       id: 0x35315652 (RV15)
         guid: 52563136-0000-0000-0000-000000000000
         bits per pixel: 16
         number of planes: 1
         type: RGB (packed)
         depth: 0
         red, green, blue masks: 0x1f, 0x7e0, 0xf800
       id: 0x31313259 (Y211)
         guid: 59323131-0000-0010-8000-00aa00389b71
         bits per pixel: 6
         number of planes: 3
         type: YUV (packed)
       id: 0x0
         guid: 00000000-0000-0000-0000-000000000000
         bits per pixel: 0
         number of planes: 0
         type: RGB (packed)
         depth: 1
         red, green, blue masks: 0x0, 0x0, 0x0

   The formats listed, such as YUV2 and YUV12, are not present with every
   implementation of XVideo and their absence may hinder some players.

   If the result instead looks like:

 X-Video Extension version 2.2
 screen #0
 no adaptors present

   XVideo is probably not supported for the card. This means that it will be
   more difficult for the display to meet the computational demands of
   rendering video, depending on the video card and processor.

  7.4.2. ****************** Port *********

   This section introduces some of the software available from the FreeBSD
   Ports Collection which can be used for video playback.

    7.4.2.1. MPlayer *** MEncoder

   MPlayer is a command-line video player with an optional graphical
   interface which aims to provide speed and flexibility. Other graphical
   front-ends to MPlayer are available from the FreeBSD Ports Collection.

   MPlayer can be installed using the multimedia/mplayer package or port.
   Several compile options are available and a variety of hardware checks
   occur during the build process. For these reasons, some users prefer to
   build the port rather than install the package.

   When compiling the port, the menu options should be reviewed to determine
   the type of support to compile into the port. If an option is not
   selected, MPlayer will not be able to display that type of video format.
   Use the arrow keys and spacebar to select the required formats. When
   finished, press Enter to continue the port compile and installation.

   By default, the package or port will build the mplayer command line
   utility and the gmplayer graphical utility. To encode videos, compile the
   multimedia/mencoder port. Due to licensing restrictions, a package is not
   available for MEncoder.

   The first time MPlayer is run, it will create ~/.mplayer in the user's
   home directory. This subdirectory contains default versions of the
   user-specific configuration files.

   This section describes only a few common uses. Refer to mplayer(1) for a
   complete description of its numerous options.

   To play the file testfile.avi, specify the video interfaces with -vo, as
   seen in the following examples:

 % mplayer -vo xv testfile.avi

 % mplayer -vo sdl testfile.avi

 % mplayer -vo x11 testfile.avi

 # mplayer -vo dga testfile.avi

 # mplayer -vo 'sdl:dga' testfile.avi

   It is worth trying all of these options, as their relative performance
   depends on many factors and will vary significantly with hardware.

   To play a DVD, replace testfile.avi with dvd://N -dvd-device DEVICE, where
   N is the title number to play and DEVICE is the device node for the DVD.
   For example, to play title 3 from /dev/dvd:

 # mplayer -vo xv dvd://3 -dvd-device /dev/dvd

  ******:

   The default DVD device can be defined during the build of the MPlayer port
   by including the WITH_DVD_DEVICE=/path/to/desired/device option. By
   default, the device is /dev/cd0. More details can be found in the port's
   Makefile.options.

   To stop, pause, advance, and so on, use a keybinding. To see the list of
   keybindings, run mplayer -h or read mplayer(1).

   Additional playback options include -fs -zoom, which engages fullscreen
   mode, and -framedrop, which helps performance.

   Each user can add commonly used options to their ~/.mplayer/config like
   so:

 vo=xv
 fs=yes
 zoom=yes

   mplayer can be used to rip a DVD title to a .vob. To dump the second title
   from a DVD:

 # mplayer -dumpstream -dumpfile out.vob dvd://2 -dvd-device /dev/dvd

   The output file, out.vob, will be in MPEG format.

   Anyone wishing to obtain a high level of expertise with UNIX(R) video
   should consult mplayerhq.hu/DOCS as it is technically informative. This
   documentation should be considered as required reading before submitting
   any bug reports.

   Before using mencoder, it is a good idea to become familiar with the
   options described at mplayerhq.hu/DOCS/HTML/en/mencoder.html. There are
   innumerable ways to improve quality, lower bitrate, and change formats,
   and some of these options may make the difference between good or bad
   performance. Improper combinations of command line options can yield
   output files that are unplayable even by mplayer.

   Here is an example of a simple copy:

 % mencoder input.avi -oac copy -ovc copy -o output.avi

   To rip to a file, use -dumpfile with mplayer.

   To convert input.avi to the MPEG4 codec with MPEG3 audio encoding, first
   install the audio/lame port. Due to licensing restrictions, a package is
   not available. Once installed, type:

 % mencoder input.avi -oac mp3lame -lameopts br=192 \
          -ovc lavc -lavcopts vcodec=mpeg4:vhq -o output.avi

   This will produce output playable by applications such as mplayer and
   xine.

   input.avi can be replaced with dvd://1 -dvd-device /dev/dvd and run as
   root to re-encode a DVD title directly. Since it may take a few tries to
   get the desired result, it is recommended to instead dump the title to a
   file and to work on the file.

    7.4.2.2. xine ***************

   xine is a video player with a reusable base library and a modular
   executable which can be extended with plugins. It can be installed using
   the multimedia/xine package or port.

   In practice, xine requires either a fast CPU with a fast video card, or
   support for the XVideo extension. The xine video player performs best on
   XVideo interfaces.

   By default, the xine player starts a graphical user interface. The menus
   can then be used to open a specific file.

   Alternatively, xine may be invoked from the command line by specifying the
   name of the file to play:

 % xine -g -p mymovie.avi

   Refer to xine-project.org/faq for more information and troubleshooting
   tips.

    7.4.2.3. Transcode ******

   Transcode provides a suite of tools for re-encoding video and audio files.
   Transcode can be used to merge video files or repair broken files using
   command line tools with stdin/stdout stream interfaces.

   In FreeBSD, Transcode can be installed using the multimedia/transcode
   package or port. Many users prefer to compile the port as it provides a
   menu of compile options for specifying the support and codecs to compile
   in. If an option is not selected, Transcode will not be able to encode
   that format. Use the arrow keys and spacebar to select the required
   formats. When finished, press Enter to continue the port compile and
   installation.

   This example demonstrates how to convert a DivX file into a PAL MPEG-1
   file (PAL VCD):

 % transcode -i input.avi -V --export_prof vcd-pal -o output_vcd
 % mplex -f 1 -o output_vcd.mpg output_vcd.m1v output_vcd.mpa

   The resulting MPEG file, output_vcd.mpg, is ready to be played with
   MPlayer. The file can be burned on a CD media to create a video CD using a
   utility such as multimedia/vcdimager or sysutils/cdrdao.

   In addition to the manual page for transcode, refer to
   transcoding.org/cgi-bin/transcode for further information and examples.

7.5. *********

   Original contribution by Josef El-Rayes.
   Enhanced and adapted by Marc Fonvieille.

   ********* (TV card)
   *********************************,_******************._*********************
   RCA *** S-video ********************************************************
   FM ***************._

   FreeBSD ********* bktr(4) *********************** PCI
   *********************************************** Brooktree
   Bt848/849/878/879 *** Conexant CN-878/Fusion 878a
   ******************._**********************************************************************************
   bktr(4) *****************************************._

  7.5.1. ******************

   *********************************** bktr(4)
   *********************************** /boot/loader.conf
   **************************************

 bktr_load="YES"

   **********************************************************************************************************************************

 device   bktr
 device  iicbus
 device  iicbb
 device  smbus

   *****************************************************************************************
   I2C ***************************._********************,_******************
   ._

   ****************** (Tuner)
   **************************************************._****************************************************************

 bktr0: <BrookTree 848A> mem 0xd7000000-0xd7000fff irq 10 at device 10.0 on pci0
 iicbb0: <I2C bit-banging driver> on bti2c0
 iicbus0: <Philips I2C bus> on iicbb0 master-only
 iicbus1: <Philips I2C bus> on iicbb0 master-only
 smbus0: <System Management Bus> on bti2c0
 bktr0: Pinnacle/Miro TV, Philips SECAM tuner.

   ******************************************._***********************
   sysctl(8)
   ***************************************************._*********************
   Philips SECAM ********************************************************

 options OVERRIDE_TUNER=6

   ********* sysctl(8)**

 # sysctl hw.bt848.tuner=6

   ********* bktr(4) ****** sysctl(8) ************************************._

  7.5.2. *********************

   To use the TV card, install one of the following applications:

     * multimedia/fxtv provides TV-in-a-window and image/audio/video capture
       capabilities.

     * multimedia/xawtv is another TV application with similar features.

     * audio/xmradio provides an application for using the FM radio tuner of
       a TV card.

   More applications are available in the FreeBSD Ports Collection.

  7.5.3. ************

   If any problems are encountered with the TV card, check that the video
   capture chip and the tuner are supported by bktr(4) and that the right
   configuration options were used. For more support or to ask questions
   about supported TV cards, refer to the freebsd-multimedia mailing list.

7.6. MythTV

   MythTV is a popular, open source Personal Video Recorder (PVR)
   application. This section demonstrates how to install and setup MythTV on
   FreeBSD. Refer to mythtv.org/wiki for more information on how to use
   MythTV.

   MythTV requires a frontend and a backend. These components can either be
   installed on the same system or on different machines.

   The frontend can be installed on FreeBSD using the
   multimedia/mythtv-frontend package or port. Xorg must also be installed
   and configured as described in *** 5, X Window ******. Ideally, this
   system has a video card that supports X-Video Motion Compensation (XvMC)
   and, optionally, a Linux Infrared Remote Control (LIRC)-compatible remote.

   To install both the backend and the frontend on FreeBSD, use the
   multimedia/mythtv package or port. A MySQL(TM) database server is also
   required and should automatically be installed as a dependency.
   Optionally, this system should have a tuner card and sufficient storage to
   hold recorded data.

  7.6.1. ******

   MythTV uses Video for Linux (V4L) to access video input devices such as
   encoders and tuners. In FreeBSD, MythTV works best with USB DVB-S/C/T
   cards as they are well supported by the multimedia/webcamd package or port
   which provides a V4L userland application. Any Digital Video Broadcasting
   (DVB) card supported by webcamd should work with MythTV. A list of known
   working cards can be found at wiki.freebsd.org/WebcamCompat. Drivers are
   also available for Hauppauge cards in the multimedia/pvr250 and
   multimedia/pvrxxx ports, but they provide a non-standard driver interface
   that does not work with versions of MythTV greater than 0.23. Due to
   licensing restrictions, no packages are available and these two ports must
   be compiled.

   The wiki.freebsd.org/HTPC page contains a list of all available DVB
   drivers.

  7.6.2. ****** MythTV ******

   ********* Binary ************ MythTV *****

 # pkg install mythtv

   ****** Port *****************

 # cd /usr/ports/multimedia/mythtv
 # make install

   Once installed, set up the MythTV database:

 # mysql -uroot -p < /usr/local/share/mythtv/database/mc.sql

   Then, configure the backend:

 # mythtv-setup

   Finally, start the backend:

 # sysrc mythbackend_enable=yes
 # service mythbackend start

7.7. ***************

   Written by Marc Fonvieille.

   In FreeBSD, access to image scanners is provided by SANE (Scanner Access
   Now Easy), which is available in the FreeBSD Ports Collection. SANE will
   also use some FreeBSD device drivers to provide access to the scanner
   hardware.

   FreeBSD supports both SCSI and USB scanners. Depending upon the scanner
   interface, different device drivers are required. Be sure the scanner is
   supported by SANE prior to performing any configuration. Refer to
   http://www.sane-project.org/sane-supported-devices.html for more
   information about supported scanners.

   This chapter describes how to determine if the scanner has been detected
   by FreeBSD. It then provides an overview of how to configure and use SANE
   on a FreeBSD system.

  7.7.1. ***************

   The GENERIC kernel includes the device drivers needed to support USB
   scanners. Users with a custom kernel should ensure that the following
   lines are present in the custom kernel configuration file:

 device usb
 device uhci
 device ohci
 device ehci

   To determine if the USB scanner is detected, plug it in and use dmesg to
   determine whether the scanner appears in the system message buffer. If it
   does, it should display a message similar to this:

 ugen0.2: <EPSON> at usbus0

   In this example, an EPSON Perfection(R) 1650 USB scanner was detected on
   /dev/ugen0.2.

   If the scanner uses a SCSI interface, it is important to know which SCSI
   controller board it will use. Depending upon the SCSI chipset, a custom
   kernel configuration file may be needed. The GENERIC kernel supports the
   most common SCSI controllers. Refer to /usr/src/sys/conf/NOTES to
   determine the correct line to add to a custom kernel configuration file.
   In addition to the SCSI adapter driver, the following lines are needed in
   a custom kernel configuration file:

 device scbus
 device pass

   Verify that the device is displayed in the system message buffer:

 pass2 at aic0 bus 0 target 2 lun 0
 pass2: <AGFA SNAPSCAN 600 1.10> Fixed Scanner SCSI-2 device
 pass2: 3.300MB/s transfers

   If the scanner was not powered-on at system boot, it is still possible to
   manually force detection by performing a SCSI bus scan with camcontrol:

 # camcontrol rescan all
 Re-scan of bus 0 was successful
 Re-scan of bus 1 was successful
 Re-scan of bus 2 was successful
 Re-scan of bus 3 was successful

   The scanner should now appear in the SCSI devices list:

 # camcontrol devlist
 <IBM DDRS-34560 S97B>              at scbus0 target 5 lun 0 (pass0,da0)
 <IBM DDRS-34560 S97B>              at scbus0 target 6 lun 0 (pass1,da1)
 <AGFA SNAPSCAN 600 1.10>           at scbus1 target 2 lun 0 (pass3)
 <PHILIPS CDD3610 CD-R/RW 1.00>     at scbus2 target 0 lun 0 (pass2,cd0)

   Refer to scsi(4) and camcontrol(8) for more details about SCSI devices on
   FreeBSD.

  7.7.2. SANE ******

   The SANE system is split in two parts: the backends
   (graphics/sane-backends) and the frontends (graphics/sane-frontends or
   graphics/xsane). The backends provide access to the scanner. Refer to
   http://www.sane-project.org/sane-supported-devices.html to determine which
   backend supports the scanner. The frontends provide the graphical scanning
   interface. graphics/sane-frontends installs xscanimage while
   graphics/xsane installs xsane.

   ****** Binary ********************************

 # pkg install xsane sane-frontends

   ****** Port ***************

 # cd /usr/ports/graphics/sane-frontends
 # make install clean
 # cd /usr/ports/graphics/xsane
 # make install clean

   After installing the graphics/sane-backends port or package, use
   sane-find-scanner to check the scanner detection by the SANE system:

 # sane-find-scanner -q
 found SCSI scanner "AGFA SNAPSCAN 600 1.10" at /dev/pass3

   The output should show the interface type of the scanner and the device
   node used to attach the scanner to the system. The vendor and the product
   model may or may not appear.

  ******:

   Some USB scanners require firmware to be loaded. Refer to
   sane-find-scanner(1) and sane(7) for details.

   Next, check if the scanner will be identified by a scanning frontend. The
   SANE backends include scanimage which can be used to list the devices and
   perform an image acquisition. Use -L to list the scanner devices. The
   first example is for a SCSI scanner and the second is for a USB scanner:

 # scanimage -L
 device `snapscan:/dev/pass3' is a AGFA SNAPSCAN 600 flatbed scanner
 # scanimage -L
 device 'epson2:libusb:/dev/usb:/dev/ugen0.2' is a Epson GT-8200 flatbed scanner

   In this second example, 'epson2:libusb:/dev/usb:/dev/ugen0.2' is the
   backend name (epson2) and /dev/ugen0.2 is the device node used by the
   scanner.

   If scanimage is unable to identify the scanner, this message will appear:

 # scanimage -L

 No scanners were identified. If you were expecting something different,
 check that the scanner is plugged in, turned on and detected by the
 sane-find-scanner tool (if appropriate). Please read the documentation
 which came with this software (README, FAQ, manpages).

   If this happens, edit the backend configuration file in
   /usr/local/etc/sane.d/ and define the scanner device used. For example, if
   the undetected scanner model is an EPSON Perfection(R) 1650 and it uses
   the epson2 backend, edit /usr/local/etc/sane.d/epson2.conf. When editing,
   add a line specifying the interface and the device node used. In this
   case, add the following line:

 usb /dev/ugen0.2

   Save the edits and verify that the scanner is identified with the right
   backend name and the device node:

 # scanimage -L
 device 'epson2:libusb:/dev/usb:/dev/ugen0.2' is a Epson GT-8200 flatbed scanner

   Once scanimage -L sees the scanner, the configuration is complete and the
   scanner is now ready to use.

   While scanimage can be used to perform an image acquisition from the
   command line, it is often preferable to use a graphical interface to
   perform image scanning. The graphics/sane-frontends package or port
   installs a simple but efficient graphical interface, xscanimage.

   Alternately, xsane, which is installed with the graphics/xsane package or
   port, is another popular graphical scanning frontend. It offers advanced
   features such as various scanning modes, color correction, and batch
   scans. Both of these applications are usable as a GIMP plugin.

  7.7.3. ***************

   In order to have access to the scanner, a user needs read and write
   permissions to the device node used by the scanner. In the previous
   example, the USB scanner uses the device node /dev/ugen0.2 which is really
   a symlink to the real device node /dev/usb/0.2.0. The symlink and the
   device node are owned, respectively, by the wheel and operator groups.
   While adding the user to these groups will allow access to the scanner, it
   is considered insecure to add a user to wheel. A better solution is to
   create a group and make the scanner device accessible to members of this
   group.

   This example creates a group called usb:

 # pw groupadd usb

   Then, make the /dev/ugen0.2 symlink and the /dev/usb/0.2.0 device node
   accessible to the usb group with write permissions of 0660 or 0664 by
   adding the following lines to /etc/devfs.rules:

 [system=5]
 add path ugen0.2 mode 0660 group usb
 add path usb/0.2.0 mode 0666 group usb

   Finally, add the users to usb in order to allow access to the scanner:

 # pw groupmod usb -m joe

   For more details refer to pw(8).

*** 8. ****** FreeBSD ******

   ************

   8.1. ******

   8.2. ******************************?

   8.3. ******************

   8.4. *********

   8.5. ***************************

   8.6. ******************

8.1. ******

   ****** (Kernel) *** FreeBSD
   ************************************._************************,_************,_******,_******************._
   ************ FreeBSD *****************************
   ************************************************._

   ****************************

     * ******************************._

     * ************************._

     * *********************************._

     * *********************************************************._

     * ************************._

     * *********************************._

   ****************************************** root *********._

8.2. ******************************?

   ********* FreeBSD ********* (Kernel) ************
   "******"._***********************************************************************************************************************************************************************************._

   ******************** FreeBSD ****************************** (Module)
   **************************************************************._
   **************************************************************************************************************************
   (Modular Kernel)._

   ******************************************************************************************************************************************************************._**************************************************************************************************************************************._

   ********************************************* BSD
   *********************************._********************************************
   FreeBSD ******************************._
   *************************************** GENERIC ********************
   ************************<"******>"***********<"************>"***************._
   *************************************

     * ****************************************************************************************************************************._

     * ************************************************** GENERIC
       ***************************************************************************************************************************************._*******************************************************************************._

     * ******************************************************** GENERIC
       *********************************._

   ************************************************************************************************************************************************._

   ********************* /boot/kernel *************** kldload(8)
   *********************************._*********************************************************************._******
   ath(4) *****************************************************************

 Alternatively, to load the driver as a module at boot time, place the
 following line in loader.conf(5):

     if_ath_load="YES"

   ****** if_ath_load="YES" *** /boot/loader.conf
   ******************************************._

   *************** /boot/kernel
   *****************************************************************._

8.3. ******************

   *****************************************************************************._**************************************************************************************************._
   **************Microsoft(R) *** *************** (Device Manager)
   ***************************************._

  ******:

   *************** Microsoft(R) Windows(R) ************ (System)
   ********************* ***************._

   *** FreeBSD ******************************************** dmesg(8)
   ************************************************ ._FreeBSD
   *********************************************************************._**************************
   psm(4) **************************************

 psm0: <PS/2 Mouse> irq 12 on atkbdc0
 psm0: [GIANT-LOCKED]
 psm0: [ITHREAD]
 psm0: model Generic PS/2 mouse, device ID 0

   ***********************************************************************************._

   *** dmesg
   ********************************************************************
   /var/run/dmesg.boot ***************._

   *********************** pciconf(8)
   **********************************************************************************

 % pciconf -lv
 ath0@pci0:3:0:0:        class=0x020000 card=0x058a1014 chip=0x1014168c rev=0x01 hdr=0x00
     vendor     = 'Atheros Communications Inc.'
     device     = 'AR5212 Atheros AR5212 802.11abg wireless'
     class      = network
     subclass   = ethernet

   ************************ ath
   ******************************************************._

   *** man(1) ************ -k
   ***************************************************************************************************************

 # man -k Atheros
 ath(4)                   - Atheros IEEE 802.11 wireless network driver
 ath_hal(4)               - Atheros Hardware Access Layer (HAL)

   ********************************************************************************************************************************._

8.4. *********

   ***********************************************************************************
   FreeBSD ************._

   *** /usr/src/
   **************************************************._*********************
   Subversion ********* *** A.3, "****** Subversion"
   ***************************._

   ***************************************** /usr/src/sys
   ************._********************************************************************************
   (Architecture) ********amd64, i386, ia64, powerpc ******
   sparc64._****************************************************************************************************************************._************************************
   conf ******************************************** GENERIC
   ***************._

   ****************** GENERIC
   ***************._*******************************************************************************************************************._***************************************
   FreeBSD ***************************************************** (Host name)
   *********************._****************** amd64 ********* GENERIC
   *************************************** MYKERNEL**

 # cd /usr/src/sys/amd64/conf
 # cp GENERIC MYKERNEL

   ************************ ASCII ************************
   MYKERNEL._********************* vi***** FreeBSD
   ****************************************************** ee._

   ***************************************************************** (Device)
   ************ (Subsystem)
   ************,_***************************._********* #
   ***************************************************._***********************************************************************************************************
   # ******._********************************************************* #
   ******._

  ******:

   ***************************************************************._*****************************
   ata(4) ************************** ATA
   *********************************************._**************************************************************._

   **************************************************************************
   NOTES ***************************** GENERIC
   ***************************._***********************************************
   /usr/src/sys/conf/NOTES._

  ******:

   *********************************************** /usr/src ************._

   ****************************************************************************
   (Symbolic link) **************

 # cd /usr/src/sys/amd64/conf
 # mkdir /root/kernels
 # cp GENERIC /root/kernels/MYKERNEL
 # ln -s /root/kernels/MYKERNEL

   ************************ include ******
   (Directive)._**************************************************************************************************************************._*****************************************************************************
   GENERIC *************************************************

 include GENERIC
 ident MYKERNEL

 options         IPFIREWALL
 options         DUMMYNET
 options         IPFIREWALL_DEFAULT_TO_ACCEPT
 options         IPDIVERT

   ************************************** GENERIC
   *********************._*************************** GENERIC
   ******************************************* nooptions *** nodevice
   *********************._*********************************************
   config(5) ******._

  ******:

   ***************************************************** root
   ********************

 # cd /usr/src/sys/arch/conf && make LINT

8.5. ***************************

   *************************************************************************************************

   ****** 8.1. ************
    1. ********************

 # cd /usr/src

    2. ***********************************************************

 # make buildkernel KERNCONF=MYKERNEL

    3. ******************************************************._*********************************
       /boot/kernel/kernel ************************ /boot/kernel.old/kernel**

 # make installkernel KERNCONF=MYKERNEL

    4. *****************************************************************
       ************************._

   *****************************************************************************._***********************************************************************************
   /etc/make.conf._

   *******************************************************************************************************

 MODULES_OVERRIDE = linux acpi

   ****************************************************************************

 WITHOUT_MODULES = linux acpi sound

   ************************************** make.conf(5) ******************._

8.6. ******************

   *****************************************************************

   config ******

           *** config
           ***********************************._**************************************
           GENERIC *** NOTES ****************** 17 **************************

 config: line 17: syntax error

   make ******

           *** make
           *****************************************************************
           config
           ************._*************************************************************************
           FreeBSD general questions mailing list ************************._

   ************************

           **********************************************************************FreeBSD
           ***************************************************._************
           FreeBSD ****************** (Boot loader)
           **************************************************************************
           "Escape to a loader prompt" ***********************************
           boot kernel.old
           *********************************************************************._

           ***********************************************************************._/var/log/messages
           ********************************************************************._***********dmesg(8)
           *********************************************._

  ******:

           ***************************************** GENERIC
           ****************************************************************************************************************************************************************************kernel.old
           **************************************************************._*******************************************************************************************

 # mv /boot/kernel /boot/kernel.bad
 # mv /boot/kernel.good /boot/kernel

   ******************** ps(1) ************

           *************************************************************************************
           -CURRENT ****************************** -RELEASE
           ***************************************** ps(1) *** vmstat(8)
           ******************._*****************************************************************
           (Source tree) *********************
           World._*********************************************************************************._

*** 9. ******

   Originally contributed by Warren Block.
   ************

   9.1. ************

   9.2. ***************

   9.3. ***************************

   9.4. ************

   9.5. LPD (****************** Daemon)

   9.6. ******************

   ********************************************************************************************._***********************************************************************************************************************._

9.1. ************

   *****************************************************************************
   ASCII ******._******************************************** *** 9.5.3,
   "*********"._

    1. **************************************************

 # mkdir -p /var/spool/lpd/lp
 # chown daemon:daemon /var/spool/lpd/lp
 # chmod 770 /var/spool/lpd/lp

    2. *** root ****** /etc/printcap **************

 lp:\
         :lp=/dev/unlpt0:\  1
         :sh:\
         :mx#0:\
         :sd=/var/spool/lpd/lp:\
         :lf=/var/log/lpd-errs:

       1 ************************ USB ***************._                       
                                                                              
         ****************** "********* (Printer)" **************************  
                                                                              
         :lp=/dev/lpt0:\                                                      
                                                                              
         ********************************************                         
                                                                              
         :lp=:rm=network-printer-name:rp=raw:\                                
                                                                              
         ****** network-printer-name ********************* DNS ************._ 

    3. ****** /etc/rc.conf ********************* lpd**

 lpd_enable="YES"

       **************

 # service lpd start
 Starting lpd.

    4. **************

 # printf "1. This printer can print.\n2. This is the second line.\n" | lpr

  ******:

       ***************************************************** "*********
       (Stairstep)"*********** *** 9.5.3.1,
       "******************************************"._

       ****************** lpr
       *******************************************************************************************
       (Pipe) ********* lpr._

 % lpr textfile.txt
 % ls -lh | lpr

9.2. ***************

   **************************************************************************************************
   USB ***************************************** (Parallel) *** "*********
   (Printer)"
   ***************************************************************************************************************************************************************
   (Serial) ***._

   FreeBSD ***************************************._

   USB

           USB ************************************************ USB ***._

           *** FreeBSD ********* USB
           ****************************************/dev/ulpt0 ******
           /dev/unlpt0*****************************************************************._******************************
           ulpt0 ************ USB *********** USB
           ***********************************************************************
           unlpt0 ******._unlpt0 ************ USB ***._

   ****** (IEEE-1284)

           *********************
           /dev/lpt0*******************************************************************************._

           ****************************** "******"
           ***********************************************************._*********************************************
           USB **************************************************** USB
           ***************._****************** *************** (Print server)
           ***************************************************._

   ****** (RS-232)

           ************************************************************************************************************,_******************************************************._

           ****************************************************** /dev/cuau0
           *** /dev/cuau1._************ USB
           ************************************************** /dev/cuaU0._

           ********************************************************************************
           ************ (Baud rate) *** BPS (Bits Per Second) ******
           ************
           (Parity)._**************************************************
           ****************** 9600 ******************._

   ******

           *********************************************._

           ****************** DHCP ************************************** DNS
           **************DNS
           ********************************************************* IP
           ******._************************************ IP
           ***************************._

           ****************************************** LPD
           ************************************************** (Print queue)
           ******************************._*****************************************************************************
           raw ******************************** text
           ********************************************* (Carriage return)._

           ********************************************************* 9100
           *********._

  9.2.1. ******

   ***********************************************************************************._********************************************
   USB*****************,_******._***********************************************************************._***************************************************************************************************************************************************************************._

9.3. ***************************

   ***********************************************************************************************************
   (Page Description Languages) *** PDL._

   ASCII

           *** ASCII
           *************************************************************************************************************
           A *************** A
           *********._**************************************************************************._************************
           ASCII
           *****************************************************************************************************************************************._

           ************************************ ASCII
           *****************************************._

   PostScript(R)

           PostScript(R) *** ASCII
           ****************************************PostScript(R)
           ************************************************************************************************************************************************************************************************************************************************************************._

           ********************************* PostScript(R)
           ***************************._

   PCL (Printer Command Language)

           PCL *** ASCII *********************************** (Escape
           sequence)
           ***************,_******************************._***************************
           PCL5*********************** PCL6 ***
           PCLXL************************** PCL5 ************
           (Superset)**************************************._

   ****************** (Host-Based)

           ************************************************************************************************************************************************************************************************************************._******************************
           (Host-based) ************._

           ********************************************************************************************************************************************************************._

  9.3.1. ****** PostScript(R) ********* PDL

   Port ************ FreeBSD ****************************** PostScript(R)
   ************************************************** PostScript(R)
   *************** PDL ***********

   ****** 9.1. ****** PDL ******

   ****** PDL *********               ******                                  
   PCL ***                            ************                            
   PCL5       print/ghostscript9-base -sDEVICE=ljet4,_************            
                                      -sDEVICE=cljet5                         
   PCLXL ***                          ************                            
   PCL6       print/ghostscript9-base -sDEVICE=pxlmono,_************          
                                      -sDEVICE=pxlcolor                       
   ESC/P2     print/ghostscript9-base -sDEVICE=uniprint                       
   XQX        print/foo2zjs                                                   

  9.3.2. ******

   *************************************************** PostScript(R)
   ***************************** PCL ********************
   print/ghostscript9-base ************************************ PostScript(R)
   ************************._*************** PostScript(R) *** PCL
   *************************************** ASCII ************._

   ******************************************************************
   PostScript(R) *** PCL************************************** ASCII
   ************._print/ghostscript9-base ************************************
   PDL****************************************************************************************************************************************._

   ********************************************************************************
   PDL ********************************************************._

   ************ PDL ***************
   http://www.undocprint.org/formats/page_description_languages._***************************************
   PDL ****** http://www.openprinting.org/printers ******._

9.4. ************

   *************************************************************************************._********************************
   sample.txt ************ USB ***********

 # cp sample.txt /dev/unlpt0

   **************************************************************************************************
   9100 ************************** nc(1) *********._********* DNS
   *************** netlaser ***********************************************

 # nc netlaser 9100 < sample.txt

9.5. LPD (****************** Daemon)

   ********************************* Spooling************** (Spooler)
   *********************************************************************************************************._

   FreeBSD ********************* (Spooler) ******
   lpd(8)************************** lpr(1) *********._

  9.5.1. ************

   ******************************************,_*****************************************************************************************

 # mkdir -p /var/spool/lpd/lp
 # chown daemon:daemon /var/spool/lpd/lp
 # chmod 770 /var/spool/lpd/lp

   *********************
   /etc/printcap********************************************************,_***************************************._******
   /etc/printcap ********************

 lp:\                            1
         :lp=/dev/unlpt0:\       2
         :sh:\                   3
         :mx#0:\                 4
         :sd=/var/spool/lpd/lp:\ 5
         :lf=/var/log/lpd-errs:  6

1 ******************._ lpr(1) ************************ lp ************************** -P                        
  ************************************************************** lp._                                          
2 ***************************._*****************************************************._                         
                                                                                                               
  +----------------------------------------------------------------------------------------------------------+ 
  | ************ |                             *** /etc/printcap ***************                             | 
  |--------------+-------------------------------------------------------------------------------------------| 
  |              |:lp=/dev/unlpt0:\                                                                          | 
  | USB          |                                                                                           | 
  |              | ****************** USB **********************************************************         | 
  |              | ulpt0***************************************** USB ***._                                  | 
  |--------------+-------------------------------------------------------------------------------------------| 
  | ******       |:lp=/dev/lpt0:\                                                                            | 
  |--------------+-------------------------------------------------------------------------------------------| 
  |              | ************ LPD **************************                                               | 
  |              |                                                                                           | 
  |              |:lp=:rm=network-printer-name:rp=raw:\                                                      | 
  |              |                                                                                           | 
  | ******       | ************************ 9100 ********************                                        | 
  |              |                                                                                           | 
  |              |:lp=9100@network-printer-name:\                                                            | 
  |              |                                                                                           | 
  |              | ******************************************** network-printer-name *********************   | 
  |              | DNS ************._                                                                        | 
  |--------------+-------------------------------------------------------------------------------------------| 
  |              |:lp=/dev/cuau0:br=9600:pa=none:\                                                           | 
  | ******       |                                                                                           | 
  |              | ***************************************************************************************** | 
  |              | (Baud rate) *** 9600 ****************** (No Parity)._                                     | 
  +----------------------------------------------------------------------------------------------------------+ 
3 ***************************************._                                                                    
4 ************************************._                                                                       
5 ********************* (Spooling) *****************************************************************           
  (Spooling) ******._                                                                                          
6 ***************************************._                                                                    

   ********* /etc/printcap ************** chkprintcap(8)
   ********************************

 # chkprintcap

   ******************************************._

   ****** /etc/rc.conf ****** lpd(8)**

 lpd_enable="YES"

   **************

 # service lpd start

  9.5.2. ****** lpr(1) ******

   Documents are sent to the printer with lpr. A file to be printed can be
   named on the command line or piped into lpr. These two commands are
   equivalent, sending the contents of doc.txt to the default printer:

 % lpr doc.txt
 % cat doc.txt | lpr

   Printers can be selected with -P. To print to a printer called laser:

 % lpr -Plaser doc.txt

  9.5.3. *********

   The examples shown so far have sent the contents of a text file directly
   to the printer. As long as the printer understands the content of those
   files, output will be printed correctly.

   Some printers are not capable of printing plain text, and the input file
   might not even be plain text.

   Filters allow files to be translated or processed. The typical use is to
   translate one type of input, like plain text, into a form that the printer
   can understand, like PostScript(R) or PCL. Filters can also be used to
   provide additional features, like adding page numbers or highlighting
   source code to make it easier to read.

   The filters discussed here are input filters or text filters. These
   filters convert the incoming file into different forms. Use su(1) to
   become root before creating the files.

   Filters are specified in /etc/printcap with the if= identifier. To use
   /usr/local/libexec/lf2crlf as a filter, modify /etc/printcap like this:

 lp:\
         :lp=/dev/unlpt0:\
         :sh:\
         :mx#0:\
         :sd=/var/spool/lpd/lp:\
         :if=/usr/local/libexec/lf2crlf:\   1
         :lf=/var/log/lpd-errs:

   1   if= identifies the input filter that will be used on incoming text.  

  ******:

   The backslash line continuation characters at the end of the lines in
   printcap entries reveal that an entry for a printer is really just one
   long line with entries delimited by colon characters. An earlier example
   can be rewritten as a single less-readable line:

 lp:lp=/dev/unlpt0:sh:mx#0:sd=/var/spool/lpd/lp:if=/usr/local/libexec/lf2crlf:lf=/var/log/lpd-errs:

    9.5.3.1. ******************************************

   Typical FreeBSD text files contain only a single line feed character at
   the end of each line. These lines will "stairstep" on a standard printer:

 A printed file looks
                     like the steps of a staircase
                                                  scattered by the wind

   A filter can convert the newline characters into carriage returns and
   newlines. The carriage returns make the printer return to the left after
   each line. Create /usr/local/libexec/lf2crlf with these contents:

 #!/bin/sh
 CR=$'\r'
 /usr/bin/sed -e "s/$/${CR}/g"

   Set the permissions and make it executable:

 # chmod 555 /usr/local/libexec/lf2crlf

   Modify /etc/printcap to use the new filter:

 :if=/usr/local/libexec/lf2crlf:\

   Test the filter by printing the same plain text file. The carriage returns
   will cause each line to start at the left side of the page.

    9.5.3.2. ****** print/enscript *** PostScript(R)
    ******************************

   GNU Enscript converts plain text files into nicely-formatted PostScript(R)
   for printing on PostScript(R) printers. It adds page numbers, wraps long
   lines, and provides numerous other features to make printed text files
   easier to read. Depending on the local paper size, install either
   print/enscript-letter or print/enscript-a4 from the Ports Collection.

   Create /usr/local/libexec/enscript with these contents:

 #!/bin/sh
 /usr/local/bin/enscript -o -

   Set the permissions and make it executable:

 # chmod 555 /usr/local/libexec/enscript

   Modify /etc/printcap to use the new filter:

 :if=/usr/local/libexec/enscript:\

   Test the filter by printing a plain text file.

    9.5.3.3. ****** PostScript(R) *** PCL *********

   Many programs produce PostScript(R) documents. However, inexpensive
   printers often only understand plain text or PCL. This filter converts
   PostScript(R) files to PCL before sending them to the printer.

   *** Port *************** Ghostscript PostScript(R)
   ***********print/ghostscript9-base._

   Create /usr/local/libexec/ps2pcl with these contents:

 #!/bin/sh
 /usr/local/bin/gs -dSAFER -dNOPAUSE -dBATCH -q -sDEVICE=ljet4 -sOutputFile=- -

   Set the permissions and make it executable:

 # chmod 555 /usr/local/libexec/ps2pcl

   PostScript(R) input sent to this script will be rendered and converted to
   PCL before being sent on to the printer.

   Modify /etc/printcap to use this new input filter:

 :if=/usr/local/libexec/ps2pcl:\

   Test the filter by sending a small PostScript(R) program to it:

 % printf "%%\!PS \n /Helvetica findfont 18 scalefont setfont \
 72 432 moveto (PostScript printing successful.) show showpage \004" | lpr

    9.5.3.4. ***************

   A filter that detects the type of input and automatically converts it to
   the correct format for the printer can be very convenient. The first two
   characters of a PostScript(R) file are usually %!. A filter can detect
   those two characters. PostScript(R) files can be sent on to a
   PostScript(R) printer unchanged. Text files can be converted to
   PostScript(R) with Enscript as shown earlier. Create
   /usr/local/libexec/psif with these contents:

 #!/bin/sh
 #
 #  psif - Print PostScript or plain text on a PostScript printer
 #
 IFS="" read -r first_line
 first_two_chars=`expr "$first_line" : '\(..\)'`

 case "$first_two_chars" in
 %!)
     # %! : PostScript job, print it.
     echo "$first_line" && cat && exit 0
     exit 2
     ;;
 *)
     # otherwise, format with enscript
     ( echo "$first_line"; cat ) | /usr/local/bin/enscript -o - && exit 0
     exit 2
     ;;
 esac

   Set the permissions and make it executable:

 # chmod 555 /usr/local/libexec/psif

   Modify /etc/printcap to use this new input filter:

 :if=/usr/local/libexec/psif:\

   Test the filter by printing PostScript(R) and plain text files.

    9.5.3.5. *********************

   Writing a filter that detects many different types of input and formats
   them correctly is challenging. print/apsfilter from the Ports Collection
   is a smart "magic" filter that detects dozens of file types and
   automatically converts them to the PDL understood by the printer. See
   http://www.apsfilter.org for more details.

  9.5.4. *********

   The entries in /etc/printcap are really definitions of queues. There can
   be more than one queue for a single printer. When combined with filters,
   multiple queues provide users more control over how their jobs are
   printed.

   As an example, consider a networked PostScript(R) laser printer in an
   office. Most users want to print plain text, but a few advanced users want
   to be able to print PostScript(R) files directly. Two entries can be
   created for the same printer in /etc/printcap:

 textprinter:\
         :lp=9100@officelaser:\
         :sh:\
         :mx#0:\
         :sd=/var/spool/lpd/textprinter:\
         :if=/usr/local/libexec/enscript:\
         :lf=/var/log/lpd-errs:

 psprinter:\
         :lp=9100@officelaser:\
         :sh:\
         :mx#0:\
         :sd=/var/spool/lpd/psprinter:\
         :lf=/var/log/lpd-errs:

   Documents sent to textprinter will be formatted by the
   /usr/local/libexec/enscript filter shown in an earlier example. Advanced
   users can print PostScript(R) files on psprinter, where no filtering is
   done.

   This multiple queue technique can be used to provide direct access to all
   kinds of printer features. A printer with a duplexer could use two queues,
   one for ordinary single-sided printing, and one with a filter that sends
   the command sequence to enable double-sided printing and then sends the
   incoming file.

  9.5.5. *********************

   Several utilities are available to monitor print jobs and check and
   control printer operation.

    9.5.5.1. lpq(1)

   lpq(1) shows the status of a user's print jobs. Print jobs from other
   users are not shown.

   Show the current user's pending jobs on a single printer:

 % lpq -Plp
 Rank   Owner      Job  Files                                 Total Size
 1st    jsmith     0    (standard input)                      12792 bytes

   Show the current user's pending jobs on all printers:

 % lpq -a
 lp:
 Rank   Owner      Job  Files                                 Total Size
 1st    jsmith     1    (standard input)                      27320 bytes

 laser:
 Rank   Owner      Job  Files                                 Total Size
 1st    jsmith     287  (standard input)                      22443 bytes

    9.5.5.2. lprm(1)

   lprm(1) is used to remove print jobs. Normal users are only allowed to
   remove their own jobs. root can remove any or all jobs.

   Remove all pending jobs from a printer:

 # lprm -Plp -
 dfA002smithy dequeued
 cfA002smithy dequeued
 dfA003smithy dequeued
 cfA003smithy dequeued
 dfA004smithy dequeued
 cfA004smithy dequeued

   Remove a single job from a printer. lpq(1) is used to find the job number.

 % lpq
 Rank   Owner      Job  Files                                 Total Size
 1st    jsmith     5    (standard input)                      12188 bytes
 % lprm -Plp 5
 dfA005smithy dequeued
 cfA005smithy dequeued

    9.5.5.3. lpc(8)

   lpc(8) is used to check and modify printer status. lpc is followed by a
   command and an optional printer name. all can be used instead of a
   specific printer name, and the command will be applied to all printers.
   Normal users can view status with lpc(8). Only root can use commands which
   modify printer status.

   Show the status of all printers:

 % lpc status all
 lp:
         queuing is enabled
         printing is enabled
         1 entry in spool area
         printer idle
 laser:
         queuing is enabled
         printing is enabled
         1 entry in spool area
         waiting for laser to come up

   Prevent a printer from accepting new jobs, then begin accepting new jobs
   again:

 # lpc disable lp
 lp:
         queuing disabled
 # lpc enable lp
 lp:
         queuing enabled

   Stop printing, but continue to accept new jobs. Then begin printing again:

 # lpc stop lp
 lp:
         printing disabled
 # lpc start lp
 lp:
         printing enabled
         daemon started

   Restart a printer after some error condition:

 # lpc restart lp
 lp:
         no daemon to abort
         printing enabled
         daemon restarted

   Turn the print queue off and disable printing, with a message to explain
   the problem to users:

 # lpc down lp Repair parts will arrive on Monday
 lp:
         printer and queuing disabled
         status message is now: Repair parts will arrive on Monday

   Re-enable a printer that is down:

 # lpc up lp
 lp:
         printing enabled
         daemon started

   See lpc(8) for more commands and options.

  9.5.6. ***************

   Printers are often shared by multiple users in businesses and schools.
   Additional features are provided to make sharing printers more convenient.

    9.5.6.1. ******

   The printer name is set in the first line of the entry in /etc/printcap.
   Additional names, or aliases, can be added after that name. Aliases are
   separated from the name and each other by vertical bars:

 lp|repairsprinter|salesprinter:\

   Aliases can be used in place of the printer name. For example, users in
   the Sales department print to their printer with

 % lpr -Psalesprinter sales-report.txt

   Users in the Repairs department print to their printer with

 % lpr -Prepairsprinter repairs-report.txt

   All of the documents print on that single printer. When the Sales
   department grows enough to need their own printer, the alias can be
   removed from the shared printer entry and used as the name of a new
   printer. Users in both departments continue to use the same commands, but
   the Sales documents are sent to the new printer.

    9.5.6.2. ******

   It can be difficult for users to locate their documents in the stack of
   pages produced by a busy shared printer. Header pages were created to
   solve this problem. A header page with the user name and document name is
   printed before each print job. These pages are also sometimes called
   banner or separator pages.

   Enabling header pages differs depending on whether the printer is
   connected directly to the computer with a USB, parallel, or serial cable,
   or is connected remotely over a network.

   Header pages on directly-connected printers are enabled by removing the
   :sh:\ (Suppress Header) line from the entry in /etc/printcap. These header
   pages only use line feed characters for new lines. Some printers will need
   the /usr/share/examples/printing/hpif filter to prevent stairstepped text.
   The filter configures PCL printers to print both carriage returns and line
   feeds when a line feed is received.

   Header pages for network printers must be configured on the printer
   itself. Header page entries in /etc/printcap are ignored. Settings are
   usually available from the printer front panel or a configuration web page
   accessible with a web browser.

  9.5.7. ************

   Example files: /usr/share/examples/printing/.

   The 4.3BSD Line Printer Spooler Manual,
   /usr/share/doc/smm/07.lpd/paper.ascii.gz.

   Manual pages: printcap(5), lpd(8), lpr(1), lpc(8), lprm(1), lpq(1).

9.6. ******************

   Several other printing systems are available in addition to the built-in
   lpd(8). These systems offer support for other protocols or additional
   features.

  9.6.1. CUPS (Common UNIX(R) Printing System)

   CUPS is a popular printing system available on many operating systems.
   Using CUPS on FreeBSD is documented in a separate
   article:../../../../doc/en_US.ISO8859-1/articles/cups

  9.6.2. HPLIP

   Hewlett Packard provides a printing system that supports many of their
   inkjet and laser printers. The port is print/hplip. The main web page is
   at http://hplipopensource.com/hplip-web/index.html. The port handles all
   the installation details on FreeBSD. Configuration information is shown at
   http://hplipopensource.com/hplip-web/install/manual/hp_setup.html.

  9.6.3. LPRng

   LPRng was developed as an enhanced alternative to lpd(8). The port is
   sysutils/LPRng. For details and documentation, see http://www.lprng.com/.

*** 10. Linux(R) Binary *********

   Restructured and parts updated by Jim Mock.
   Originally contributed by Brian N. Handy and Rich Murphey.
   ************

   10.1. ******

   10.2. ****** Linux(R) Binary *********

   10.3. ************

10.1. ******

   FreeBSD ****** Linux(R) Binary ******************************** FreeBSD
   ************************************************************ Linux(R)
   Binary._ *******************************************Linux(R) Binary ***
   FreeBSD *************** Linux(R) ***._

   *********************** Linux(R) *************************** FreeBSD
   ***************._*********** Linux(R) Binary *************** i386(TM)
   ******************************** 8086 ******************** FreeBSD
   ******._

  ******:

   FreeBSD 10.3 ********* 64 ********* Linux(R) Binary *********._

   ****************************

     * ********* FreeBSD ************ Linux(R) Binary ************._

     * ********************* Linux(R) ***************._

     * ********* FreeBSD ************ Linux(R) ************._

     * *** FreeBSD *** Linux(R) ************************._

   ****************************************

     * ****************** ************************._

10.2. ****** Linux(R) Binary *********

   Linux(R) ************************************************** Linux(R)
   Binary *********._ Linux(R) ************************************ FreeBSD
   Port ***************._

   *************** Port ************** Linux(R)
   *************************************

 # kldload linux

   *** 64-********************

 # kldload linux64

   ***********************

 % kldstat
       Id Refs Address    Size     Name
       1    2 0xc0100000 16bdb8   kernel
       7    1 0xc24db000 d000     linux.ko

   *** FreeBSD *************** Linux(R) ************ Binary
   *************************** emulators/linux_base-c6 ************ Port
   ._********* Port**

 # pkg install emulators/linux_base-c6

   ********************* Linux(R) ********************************
   /etc/rc.conf**

 linux_enable="YES"

   *** 64-********************/etc/rc.d/abi ************************
   64-*********************._

   Since the Linux(R) binary compatibility layer has gained support for
   running both 32- and 64-bit Linux(R) binaries (on 64-bit x86 hosts), it is
   no longer possible to link the emulation functionality statically into a
   custom kernel.

  10.2.1. ***************************

   ****** Linux(R) ********************* Linux(R) Binary
   ************************************************************** Linux(R)
   Binary ******************************************._

   *** Linux(R) ***************** ldd
   ************************************************._ **************
   linuxdoom ***************************************** Doom *** Linux(R)
   **************************

 % ldd linuxdoom
 libXt.so.3 (DLL Jump 3.1) => /usr/X11/lib/libXt.so.3.1.0
 libX11.so.3 (DLL Jump 3.1) => /usr/X11/lib/libX11.so.3.1.0
 libc.so.4 (DLL Jump 4.5pl26) => /lib/libc.so.4.6.29

   ******************** Linux(R)
   ********************************************* FreeBSD *********
   /compat/linux._ ******************************** (Symbolic link)
   *********************************._********************* FreeBSD
   **************************

 /compat/linux/usr/X11/lib/libXt.so.3.1.0
 /compat/linux/usr/X11/lib/libXt.so.3 -> libXt.so.3.1.0
 /compat/linux/usr/X11/lib/libX11.so.3.1.0
 /compat/linux/usr/X11/lib/libX11.so.3 -> libX11.so.3.1.0
 /compat/linux/lib/libc.so.4.6.29
 /compat/linux/lib/libc.so.4 -> libc.so.4.6.29

   *** Linux(R) ************************************** ldd
   *******************************************************************************************************************************._**********************************************************************************************************************._

   ******************************** FreeBSD ********

 /compat/linux/lib/libc.so.4.6.27
 /compat/linux/lib/libc.so.4 -> libc.so.4.6.27

   *** ldd ****** Binary *****************************

 libc.so.4 (DLL Jump 4.5pl26) -> libc.so.4.6.29

   *********************************************************************************************************************************************************************
   libc.so ********************

 /compat/linux/lib/libc.so.4.6.29
 /compat/linux/lib/libc.so.4 -> libc.so.4.6.29

   ***************************** Linux(R) ********* FreeBSD
   ****************************** Linux(R) Binary
   ************************._*************************** Linux(R)
   *************************************** Linux(R)
   Binary********************************._

  10.2.2. ****** Linux(R) ELF Binary

   ELF Binary ******************************._****************** (Unbranded)
   *** ELF Binary*************************

 % ./my-linux-elf-binary
 ELF binary type not known
 Abort

   ********* FreeBSD *************** FreeBSD ELF Binary ****** Linux(R)
   Binary*********** brandelf(1)**

 % brandelf -t Linux my-linux-elf-binary

   ****** GNU ************************************************ ELF
   Binary*****************************._

  10.2.3. ********* Linux(R) RPM ************************

   ********* Linux(R) RPM **************************************
   archivers/rpm4 ********* Port._********************root
   ****************************** .rpm**

 # cd /compat/linux
 # rpm2cpio < /path/to/linux.archive.rpm | cpio -id

   ************** brandelf ************ ELF
   Binary._********************************************._

  10.2.4. ***************************

   ****** DNS ***********************************

 resolv+: "bind" is an invalid keyword resolv+:
 "hosts" is an invalid keyword

   *** /compat/linux/etc/host.conf **************

 order hosts, bind
 multi on

   ****************** /etc/hosts*********** DNS._ ***
   /compat/linux/etc/host.conf *********** Linux(R) *********************
   /etc/host.conf ************************ FreeBSD
   ******._************************************ /etc/resolv.conf
   ******************** bind._

10.3. ************

   This section describes how Linux(R) binary compatibility works and is
   based on an email written to FreeBSD chat mailing list by Terry Lambert
   <tlambert@primenet.com> (Message ID:
   <199906020108.SAA07001@usr09.primenet.com>).

   FreeBSD has an abstraction called an "execution class loader". This is a
   wedge into the execve(2) system call.

   Historically, the UNIX(R) loader examined the magic number (generally the
   first 4 or 8 bytes of the file) to see if it was a binary known to the
   system, and if so, invoked the binary loader.

   If it was not the binary type for the system, the execve(2) call returned
   a failure, and the shell attempted to start executing it as shell
   commands. The assumption was a default of "whatever the current shell is".

   Later, a hack was made for sh(1) to examine the first two characters, and
   if they were :\n, it invoked the csh(1) shell instead.

   FreeBSD has a list of loaders, instead of a single loader, with a fallback
   to the #! loader for running shell interpreters or shell scripts.

   For the Linux(R) ABI support, FreeBSD sees the magic number as an ELF
   binary. The ELF loader looks for a specialized brand, which is a comment
   section in the ELF image, and which is not present on SVR4/Solaris(TM) ELF
   binaries.

   For Linux(R) binaries to function, they must be branded as type Linux
   using brandelf(1):

 # brandelf -t Linux file

   When the ELF loader sees the Linux brand, the loader replaces a pointer in
   the proc structure. All system calls are indexed through this pointer. In
   addition, the process is flagged for special handling of the trap vector
   for the signal trampoline code, and several other (minor) fix-ups that are
   handled by the Linux(R) kernel module.

   The Linux(R) system call vector contains, among other things, a list of
   sysent[] entries whose addresses reside in the kernel module.

   When a system call is called by the Linux(R) binary, the trap code
   dereferences the system call function pointer off the proc structure, and
   gets the Linux(R), not the FreeBSD, system call entry points.

   Linux(R) mode dynamically reroots lookups. This is, in effect, equivalent
   to union to file system mounts. First, an attempt is made to lookup the
   file in /compat/linux/original-path. If that fails, the lookup is done in
   /original-path. This makes sure that binaries that require other binaries
   can run. For example, the Linux(R) toolchain can all run under Linux(R)
   ABI support. It also means that the Linux(R) binaries can load and execute
   FreeBSD binaries, if there are no corresponding Linux(R) binaries present,
   and that a uname(1) command can be placed in the /compat/linux directory
   tree to ensure that the Linux(R) binaries cannot tell they are not running
   on Linux(R).

   In effect, there is a Linux(R) kernel in the FreeBSD kernel. The various
   underlying functions that implement all of the services provided by the
   kernel are identical to both the FreeBSD system call table entries, and
   the Linux(R) system call table entries: file system operations, virtual
   memory operations, signal delivery, and System V IPC. The only difference
   is that FreeBSD binaries get the FreeBSD glue functions, and Linux(R)
   binaries get the Linux(R) glue functions. The FreeBSD glue functions are
   statically linked into the kernel, and the Linux(R) glue functions can be
   statically linked, or they can be accessed via a kernel module.

   Technically, this is not really emulation, it is an ABI implementation. It
   is sometimes called "Linux(R) emulation" because the implementation was
   done at a time when there was no other word to describe what was going on.
   Saying that FreeBSD ran Linux(R) binaries was not true, since the code was
   not compiled in.

                             *** III. ************

   FreeBSD ****************************************************** FreeBSD
   ************._
   ********************************************************************************************************************************************************._

   ************************************************************._
   **************************************************************************************************
   FreeBSD._

   ************

   11. ***************

                11.1. ******

                11.2. ************

                11.3. ****** cron(8)

                11.4. ****** FreeBSD ************

                11.5. *********************

                11.6. ************

                11.7. ******************

                11.8. *********

                11.9. ****** sysctl(8) ******

                11.10. ************

                11.11. ******************

                11.12. ******************

                11.13. *********************

   12. FreeBSD ************

                12.1. ******

                12.2. FreeBSD ************

                12.3. ************************

                12.4. ************

                12.5. ************

   13. *********

                13.1. ******

                13.2. ******

                13.3. ***************

                13.4. TCP Wrapper

                13.5. Kerberos

                13.6. OpenSSL

                13.7. VPN over IPsec

                13.8. OpenSSH

                13.9. ******************

                13.10. ******************************

                13.11. FreeBSD ************

                13.12. ************

                13.13. ************

                13.14. ****** Sudo ******************

   14. Jail

                14.1. ******

                14.2. Jail ************

                14.3. *************** Jail

                14.4. ***************

                14.5. ************ Jail

                14.6. ****** ezjail ****** Jail

   15. ****************** (MAC)

                15.1. ******

                15.2. *********

                15.3. ****** MAC ******

                15.4. ******************

                15.5. ********* MAC ************

                15.6. User Lock Down

                15.7. *** MAC Jail ********* Nagios

                15.8. MAC ******************

   16. ******************

                16.1. ******

                16.2. *********

                16.3. ************

                16.4. ******************

   17. ************

                17.1. ******

                17.2. ************

                17.3. ***************************

                17.4. USB ************

                17.5. *************** CD ******

                17.6. *************** DVD ******

                17.7. *********************

                17.8. ******************

                17.9. ***************

                17.10. ******************

                17.11. ************

                17.12. *********************

                17.13. ******************

                17.14. ********************* (HAST)

   18. GEOM: ***************************

                18.1. ******

                18.2. RAID0 - ****** (Striping)

                18.3. RAID1 - ****** (Mirroring)

                18.4. RAID3 - ************************************

                18.5. ****** RAID ******

                18.6. GEOM Gate Network

                18.7. ******************

                18.8. UFS Journaling ****** GEOM

   19. Z ************ (ZFS)

                19.1. ********* ZFS ************

                19.2. ******************

                19.3. zpool ******

                19.4. zfs ******

                19.5. ************

                19.6. ************

                19.7. ************

                19.8. ZFS ***************

   20. ******************

                20.1. ******

                20.2. Linux(R) ************

   21. *********

                21.1. ******

                21.2. *** Mac OS(R) X *** Parallels ****** FreeBSD *********

                21.3. *** Windows(R) *** Virtual PC ****** FreeBSD *********

                21.4. *** Mac OS(R) *** VMware Fusion ****** FreeBSD
                *********

                21.5. *** VirtualBox(TM) ****** FreeBSD ************

                21.6. *** FreeBSD ****************** VirtualBox(TM)

                21.7. *** FreeBSD ****************** bhyve

                21.8. *** FreeBSD ****************** Xen(TM)

   22. ********* - i18n/L10n ***************

                22.1. ******

                22.2. ************

                22.3. ****** i18n ************

                22.4. ***************************

   23. *************** FreeBSD

                23.1. ******

                23.2. FreeBSD ******

                23.3. ***************

                23.4. ******************

                23.5. ****************** FreeBSD

                23.6. ******************

   24. DTrace

                24.1. ******

                24.2. ************

                24.3. ****** DTrace ******

                24.4. ****** DTrace

   25. USB Device Mode / USB OTG

                25.1. ******

                25.2. USB ***************

                25.3. USB ************************

                25.4. USB ******************

*** 11. ***************

   Written by Chern Lee.
   Based on a tutorial written by Mike Smith.
   Also based on tuning(7) written by Matt Dillon.
   ************

   11.1. ******

   11.2. ************

   11.3. ****** cron(8)

   11.4. ****** FreeBSD ************

   11.5. *********************

   11.6. ************

   11.7. ******************

   11.8. *********

   11.9. ****** sysctl(8) ******

   11.10. ************

   11.11. ******************

   11.12. ******************

   11.13. *********************

11.1. ******

   *** FreeBSD
   **************************************************************************._
   ********************* FreeBSD *****************************************
   FreeBSD *********************._

   ****************************

     * rc.conf ************************ /usr/local/etc/rc.d ****** Script._

     * ******************************._

     * ******************************************._

     * *************** /etc *********************._

     * ************ sysctl(8) ************ FreeBSD._

     * *********************************************._

   ****************************************

     * ****** UNIX(R) *** FreeBSD ****** (*** 3, FreeBSD ******)._

     * ************************************ (*** 8, ****** FreeBSD ******)._

11.2. ************

   Contributed by Tom Rhodes.

   ************************ Port ********************************* FreeBSD
   ************************************************************._**************
   mail/postfix *** www/apache22
   ***************************************************************************._*********************************************************._

   *** FreeBSD ******************************** cron(8)
   ************************ Script *********._

  11.2.1. ************************

   ****** FreeBSD *********
   rc.d*****************************************************************._*********
   *** 11.4, "****** FreeBSD ************"
   ***********************************************************************************************
   /etc/rc.conf ************************************************ Script
   ************._*************** Script **************************

 #!/bin/sh
 #
 # PROVIDE: utility
 # REQUIRE: DAEMON
 # KEYWORD: shutdown

 . /etc/rc.subr

 name=utility
 rcvar=utility_enable

 command="/usr/local/sbin/utility"

 load_rc_config $name

 #
 # DO NOT CHANGE THESE DEFAULT VALUES HERE
 # SET THEM IN THE /etc/rc.conf FILE
 #
 utility_enable=${utility_enable-"NO"}
 pidfile=${utility_pidfile-"/var/run/utility.pid"}

 run_rc_command "$1"

   ****** Script ********************* utility ********************* DAEMON
   ************************************************** ID (Process ID, PID)
   *********._

   ****************************************** /etc/rc.conf *****

 utility_enable="YES"

   ******************************************************,_******
   /etc/rc.subr ************************,_*** rcorder(8) ***************
   rc.conf ***************._

  11.2.2. *********************************

   *************************** inetd(8) ************** *** 29.2, "inetd
   ***************" *************** inetd(8) ******************************._

   ****************************** cron(8) *****************************
   cron(8) ********* crontab(5)
   *******************************************************************************************************************************************._

   cron(8) *** @reboot
   ****************************************************************************************
   cron(8) *********._

11.3. ****** cron(8)

   Contributed by Tom Rhodes.

   *** FreeBSD ******************************************
   cron************************************************** /etc/crontab
   *************************************** /var/cron/tabs ******************
   crontab ************************************** cron
   ***********************************crontab
   ***************************************************************** cron
   job._

   ******************************************************** crontab********
   crontab ************************************** crontab*********** crontab
   ******************************._*************************** crontab(5)
   *********._****** crontab /etc/crontab *************************** crontab
   ************ who ***************** crontab**cron
   ***********************************************************************
   crontab************** crontab ***************************._

   ********* crontab ***********************************************root
   ************************************ crontab ********************* crontab
   ************._

   *************** crontab /etc/crontab *****************

 # /etc/crontab - root's crontab for FreeBSD
 #
 # $FreeBSD$
 # 1
 SHELL=/bin/sh
 PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin 2
 #
 #minute hour    mday    month   wday    who     command 3
 #
 */5     *       *       *       *       root    /usr/libexec/atrun 4

1 *** #                                                                                                                                                                                                                                   
  ******************************._************************************************************************._***************************************************************************************************************************._ 
2 ****** (=) ************************************._*********************************************** SHELL *** PATH._*** SHELL ***********cron ********************* Bourne shell._*** PATH *********************************** Script      
  ***************************._                                                                                                                                                                                                           
3 ************************ crontab *****************************minute, hour, mday, month, wday, who ****** command._minute **************************************************hour *****************************mday                      
  ********************month ************** wday ******************._****************************** 24 ********************* * ***************************._who ************************ crontab                                           
  ***********************************************************._******************************************._                                                                                                                               
4 ***************************************************/5 *************** * ********************************************************************* 5 *************** root ****** /usr/libexec/atrun._                                        
                                                                                                                                                                                                                                          
  ******************************************************************************** "\" ******************._                                                                                                                               

  11.3.1. ****************** Crontab

   ************************ crontab *************************** crontab**

 % crontab -e

   ************************************************************
   crontab**********************************************************************************
   crontab ****************************************** crontab *********._

   ****************** crontab
   *************************************************** crontab
   ********************************

 SHELL=/bin/sh
 PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
 # Order of crontab fields
 # minute        hour    mday    month   wday    command

   ************************************ Script
   ********************************************._******************************
   2 ************************ Bourne shell script***************** PATH
   ****** Script ************************************** Script ********

 0       14      *       *       *       /usr/home/dru/bin/mycustomscript.sh

  ******:

   ****************** Script *********************** Script
   ************************ cron
   *********************************._********************************* cron
   *****************************

 env -i SHELL=/bin/sh PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin HOME=/home/dru LOGNAME=dru /usr/home/dru/bin/mycustomscript.sh

   *** crontab(5) ********* cron ************************** Script
   ***********************************************************************
   Script ************ cron ***************************._

   ************ crontab ******************************** crontab
   ********************* cron ************ crontab
   ********************************* cron job._********* crontab
   *************** cron job ***********************

 % crontab -l
 0       14      *       *       *       /usr/home/dru/bin/mycustomscript.sh

   *************************** crontab ****** cron job *****

 % crontab -r
 remove crontab for dru? y

11.4. ****** FreeBSD ************

   Contributed by Tom Rhodes.

   FreeBSD *************************** rc(8) *************** Script._******
   /etc/rc.d *** Script ********************************* service(8) ******
   start, stop ****** restart
   ***************._******************************************** sshd(8)**

 # service sshd restart

   ********************************************************************
   rc.conf(5)
   ***************************************************._***********************************
   natd(8)***************** /etc/rc.conf**

 natd_enable="YES"

   *** natd_enable="NO" ******************** NO *********
   YES******************** rc(8) script
   ***********************************************************._

   ****** rc(8)
   ********************************************************************************************************
   /etc/rc.conf *** start, stop ****** restart ***************._****** sshd
   restart ********* /etc/rc.conf ****** sshd_enable ****** YES
   ******************************** /etc/rc.conf ************ start, stop ***
   restart ***************************************
   "one"***************************** /etc/rc.conf *********************
   sshd(8) ***********************

 # service sshd onerestart

   ********************************* /etc/rc.conf **************************
   rc(8) Script ****** rcvar._********************* sshd(8) *********
   /etc/rc.conf **************

 # service sshd rcvar
 # sshd
 #
 sshd_enable="YES"
 #   (default: "")

  ******:

   *** # sshd *********************************** root console._

   *****************************************************
   status***************** sshd(8) ***********************

 # service sshd status
 sshd is running as pid 433.

   ************************** reload
   ************._******************************************************************************************************************************************************
   SIGHUP._******************************************._

   rc(8) ******************************************************************
   ._************ /etc/rc.d/bgfsck Script **************************

 Starting background file system checks in 60 seconds.

   ****** Script
   **************************************************************************._

   ******************************************************** yp(8)
   ************ RPC ********************* rpcbind(8)
   ************************************._*****************************************
   Script ***************************************
   meta-data._*************************** rcorder(8)
   ***************************************************************************************._

   *** rc.subr(8) ***********************************************************
   Script ****** "enable" ****** Script**

     * PROVIDE: *********************************._

   *************************************** Script
   ********************************************** rcorder(8)
   **************************

     * REQUIRE:
       ************************************._************************ Script
       ************************ ****** *********._

     * BEFORE: ******************************._************************
       Script *************************** ****** ******._

   ********************************* Script
   ************************************** Script
   ***************************************************** UNIX(R)
   ************************ "runlevels"._

   ********************* rc(8) ****** rc.subr(8) *********._*********
   ********* *************************** rc(8) Script ***************._

  11.4.1. ***************************

   *********************************
   /etc/rc.conf**********************************************************************************************************************
   rc* ************._

   *** /etc/rc.conf ****************************** /etc/defaults/rc.conf
   *************************************************************************************************
   /etc/rc.conf *********._

   ****************************************************************************************************************************************************************************
   /etc/rc.conf.local**************************************************************
   /etc/rc.conf**

 sshd_enable="YES"
 keyrate="fast"
 defaultrouter="10.1.1.254"

   *************************************** /etc/rc.conf.local**

 hostname="node1.example.org"
 ifconfig_fxp0="inet 10.1.1.1/8"

   ********************* rsync *** puppet *** /etc/rc.conf
   ***************************************************** /etc/rc.conf.local._

   ***************************
   /etc/rc.conf********************************************._

  ******:

   /etc/rc.conf ****** /etc/rc.conf.local ************************ sh(1)
   *****************************************************************._*********
   rc.conf(5) ***************************************._

11.5. *********************

   Contributed by Marc Fonvieille.

   *** FreeBSD ********************************************* (Network
   Interface Card, NIC) ***************************._

  11.5.1. ***************************

   ******************** NIC ******************************._FreeBSD
   ************ NIC************** FreeBSD
   *************************************************************** NIC._

   *************** NIC******************** NIC *************** FreeBSD
   ******************._********* /usr/src/sys/conf/NOTES ***
   /usr/src/sys/arch/conf/NOTES ********* NIC
   ******************************************************._*************************************************************************************************************************************._

   GENERIC ************************ NIC ***************
   ***************************************** NIC._************ more
   /var/run/dmesg.boot
   ************************************************************._********************************
   NIC ********************* dc(4) **************

 dc0: <82c169 PNIC 10/100BaseTX> port 0xa000-0xa0ff mem 0xd3800000-0xd38
 000ff irq 15 at device 11.0 on pci0
 miibus0: <MII bus> on dc0
 bmtphy0: <BCM5201 10/100baseTX PHY> PHY 1 on miibus0
 bmtphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
 dc0: Ethernet address: 00:a0:cc:da:da:da
 dc0: [ITHREAD]
 dc1: <82c169 PNIC 10/100BaseTX> port 0x9800-0x98ff mem 0xd3000000-0xd30
 000ff irq 11 at device 12.0 on pci0
 miibus1: <MII bus> on dc1
 bmtphy1: <BCM5201 10/100baseTX PHY> PHY 1 on miibus1
 bmtphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
 dc1: Ethernet address: 00:a0:cc:da:da:db
 dc1: [ITHREAD]

   ****** GENERIC ************ NIC
   ********************************************************************** NIC
   **********************************************************************

     * *************************** kldload(8) ****** NIC
       ************************._********************************************************
       /boot/loader.conf._************ NIC
       ************************************._

     * *********************** NIC ***********************************
       /usr/src/sys/conf/NOTES, /usr/src/sys/arch/conf/NOTES
       ******************************************************************************************._*********************************************************
       *** 8, ****** FreeBSD ******._***************************
       NIC***********************************._

    11.5.1.1. ****** Windows(R) NDIS ************

   *******************************************************************************************************************************************._********FreeBSD
   **************************************************************************************************************************************************************
   Microsoft(R) Windows(R) ************************ Binary._

   FreeBSD *** Network Driver Interface Specification (NDIS) *********
   "******" *********************** ndisgen(8) *************** Windows(R) XP
   ********************* FreeBSD ******************._****** ndis(4)
   ************************ Windows(R) XP binary***************** i386(TM)
   *** amd64 ***************._PCI, CardBus, PCMCIA ****** USB
   *********************._

   ********* ndisgen(8) ********************

    1. FreeBSD ***************._

    2. ****** .SYS ************ Windows(R) XP ************ Binary._

    3. ****** .INF ************ Windows(R) XP *********************._

   *************** NIC ********* .SYS *** .INF
   ***._*************************************** CD
   *********************************._********************* W32DRIVER.SYS ***
   W32DRIVER.INF._

   ************************************ FreeBSD ***************._******
   FreeBSD/i386 ************ Windows(R) 32-bit *****************
   FreeBSD/amd64 *************** Windows(R) 64-bit ************._

   ********************************* Binary ***************************._***
   root ************ ndisgen(8)**

 # ndisgen /path/to/W32DRIVER.INF /path/to/W32DRIVER.SYS

   *********************************************************************************************************************************
   kldload(8) ***********************

 # kldload ./W32DRIVER_SYS.ko

   ***********************************ndis.ko ****** if_ndis.ko
   ************************************** ndis(4)
   ***************************************._*************************************************************

 # kldload ndis
 # kldload if_ndis

   ************************ ndis(4) miniport
   ************************************************************** NIC
   ************._

   ****** dmesg(8)
   ************************************************************************************

 ndis0: <Wireless-G PCI Adapter> mem 0xf4100000-0xf4101fff irq 3 at device 8.0 on pci1
 ndis0: NDIS API version: 5.0
 ndis0: Ethernet address: 0a:b1:2c:d3:4e:f5
 ndis0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
 ndis0: 11g rates: 6Mbps 9Mbps 12Mbps 18Mbps 36Mbps 48Mbps 54Mbps

   ************ ndis0 ********************* NIC ************._

   ********************************* ndis(4) ********************************
   W32DRIVER_SYS.ko *** /boot/modules._*********************
   /boot/loader.conf**

 W32DRIVER_SYS_load="YES"

  11.5.2. ***************

   *************** NIC
   *******************************************************************************************
   bsdinstall(8) ************._

   ********* NIC *****************************

 % ifconfig
 dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=80008<VLAN_MTU,LINKSTATE>
         ether 00:a0:cc:da:da:da
         inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
 dc1: flags=8802<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=80008<VLAN_MTU,LINKSTATE>
         ether 00:a0:cc:da:da:db
         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
         media: Ethernet 10baseT/UTP
         status: no carrier
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
         options=3<RXCSUM,TXCSUM>
         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
         inet6 ::1 prefixlen 128
         inet 127.0.0.1 netmask 0xff000000
         nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

   *****************************************

     * dc0: ***************************._

     * dc1: ***************************._

     * lo0: Loopback ******._

   FreeBSD
   *********************************************************************************
   NIC._****** sis2 ************************ sis(4) ************************
   NIC._

   **************dc0 ***************************._********************

    1. UP *********************************************._

    2. ************************ (inet) ********192.168.1.3._

    3. ****************************************** (netmask)********
       0xffffff00 ********* 255.255.255.0._

    4. *****************************************192.168.1.255._

    5. ********* (ether) *** MAC ********* 00:a0:cc:da:da:da._

    6. *************************************** (media: Ethernet autoselect
       (100baseTX <full-duplex>))._************ dc1 ***************
       10baseT/UTP
       ******._***************************************************************************._

    7. *************** (status) ************
       (active)******************************** (Carrier Signal)._*** dc1
       ********************************************************* status: no
       carrier ************._

   *** ifconfig(8) ***********************

 dc0: flags=8843<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=80008<VLAN_MTU,LINKSTATE>
         ether 00:a0:cc:da:da:da
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active

   ******************************._

   ****************** root *********._NIC ******************************
   ifconfig(8)
   **********************************************************************
   /etc/rc.conf._****** LAN ****** DHCP **********************************

 ifconfig_dc0="DHCP"

   ****** dc0 ************************._

   ******************************** *** 11.5.3, "*********************"
   ************._

  ******:

   ************************************************** NIC
   ***************._*************************************** /etc/rc.conf._

   *********************** DHCP *****************************
   NIC._*************************** NIC *******************************

 ifconfig_dc0="inet 192.168.1.3 netmask 255.255.255.0"
 ifconfig_dc1="inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP"

   ****** dc0 *** dc1 ****** IP
   *********************************._************************************,_ifconfig(8)
   ****** rc.conf(5) ************************************ /etc/rc.conf
   *********._

   ********************* DNS*********** /etc/hosts ****** LAN
   ********************* IP ******._****************************** hosts(5)
   *** /usr/share/examples/etc/hosts._

  ******:

   ********* DHCP
   **********************************************************************************************

 # echo 'defaultrouter="your_default_router"' >> /etc/rc.conf
 # echo 'nameserver your_DNS_server' >> /etc/resolv.conf

  11.5.3. *********************

   ************************ /etc/rc.conf
   **************************************************************************************************************._********************************************************

 # service netif restart

  ******:

   ********************************* /etc/rc.conf
   *****************************

 # service routing restart

   *********************************************** NIC._

    11.5.3.1. *********************

   ************************************************ ping(8)
   *********************** ping(8) ********* LAN **************

 % ping -c5 192.168.1.3
 PING 192.168.1.3 (192.168.1.3): 56 data bytes
 64 bytes from 192.168.1.3: icmp_seq=0 ttl=64 time=0.082 ms
 64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.074 ms
 64 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=0.076 ms
 64 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=0.108 ms
 64 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=0.076 ms

 --- 192.168.1.3 ping statistics ---
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 0.074/0.083/0.108/0.013 ms

 % ping -c5 192.168.1.2
 PING 192.168.1.2 (192.168.1.2): 56 data bytes
 64 bytes from 192.168.1.2: icmp_seq=0 ttl=64 time=0.726 ms
 64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.766 ms
 64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.700 ms
 64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=0.747 ms
 64 bytes from 192.168.1.2: icmp_seq=4 ttl=64 time=0.704 ms

 --- 192.168.1.2 ping statistics ---
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 0.700/0.729/0.766/0.025 ms

   ***************************************************** IP
   ******._********************* DNS ***************************
   /etc/hosts************************** /etc/hosts *****************
   /etc/hosts ****** LAN ********************* IP
   ************************************** hosts(5) ***
   /usr/share/examples/etc/hosts._

    11.5.3.2. ************

   ***********************************************************************._******************************************************************************************FreeBSD
   *************** NIC******************************************* Hardware
   Notes,_****** FreeBSD ************ STABLE
   ******,_************************************************._

   *******************************************************
   tuning(7)*******************************************************************************************._

   *************************************** device timeout
   ********************************************._************************************************************************************************************************************._

   ********* watchdog timeout
   **************************._********************************* Bus
   Mastering *** PCI **************************************************** PCI
   ***************************** 0._****** NIC
   ******************************************************._

   ************************************************************ No route to
   host
   **************************************************************************._*********
   netstat -rn
   **********************************************************************************
   *** 31.2, "******************"._

   ****** ping: sendto: Permission denied
   ***************************************************._****** FreeBSD
   *********************************************************************************************************
   ping(8)._********* *** 30, ********* ******************._

   *****************************************************************************************************
   autoselect
   ***********************************************************************************************************************************************
   tuning(7)._

11.6. ************

   FreeBSD
   *******************************************************************************************************************************************************************************._

   ****************************** "****** (Real)" ***************************
   "****** (Alias)" ******._************ /etc/rc.conf
   *************************************************

 ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"

   ********************* alias0 ******************************** alias0,
   alias1
   ********************************************************************._

   *************************** (Netmask)
   *************************************************************************************************************************************************
   1 *********************** 255.255.255.255 *** 0xffffffff *********._

   *********************** fxp0 *****************************10.1.1.0
   ****************** 255.255.255.0 ****** 202.0.75.16 ******************
   255.255.255.240._********************************* 10.1.1.1 *** 10.1.1.5
   ****** 202.0.75.17 ***
   202.0.75.20._**************************************************************************************
   (10.1.1.2 *** 10.1.1.5 *** 202.0.75.18 *** 202.0.75.20)
   ********************* 255.255.255.255 *********._

   ****************************************************** /etc/rc.conf
   **************

 ifconfig_fxp0="inet 10.1.1.1 netmask 255.255.255.0"
 ifconfig_fxp0_alias0="inet 10.1.1.2 netmask 255.255.255.255"
 ifconfig_fxp0_alias1="inet 10.1.1.3 netmask 255.255.255.255"
 ifconfig_fxp0_alias2="inet 10.1.1.4 netmask 255.255.255.255"
 ifconfig_fxp0_alias3="inet 10.1.1.5 netmask 255.255.255.255"
 ifconfig_fxp0_alias4="inet 202.0.75.17 netmask 255.255.255.240"
 ifconfig_fxp0_alias5="inet 202.0.75.18 netmask 255.255.255.255"
 ifconfig_fxp0_alias6="inet 202.0.75.19 netmask 255.255.255.255"
 ifconfig_fxp0_alias7="inet 202.0.75.20 netmask 255.255.255.255"

   ***********************************************************************************
   IP
   ************._***********************************************************************************
   255.255.255.255 ******************._

 ifconfig_fxp0_aliases="inet 10.1.1.1-5/24 inet 202.0.75.17-20/28"

11.7. ******************

   Contributed by Niclas Zeising.

   *************************************************************************************************************************************************************************************************************._***********************************************************************************************
   Daemon ***************************************._

   FreeBSD ********************************* syslogd
   ******************._****** syslogd
   ***************************._*************** /etc/rc.conf ************
   syslogd_enable *********._***************************************
   /etc/rc.conf ****** syslogd_flags *********._********* syslogd(8)
   ************************************._

   ****************************** FreeBSD
   *********************************************************************************
   (Log rotation) ***************._

  11.7.1. ******************

   ********* /etc/syslog.conf ****** syslogd
   ********************************************************************************************************._******
   (facility) ******************************************
   (subsystem)***************** Daemon***** ****** (level)
   ***************************************._*********************************************************************************************************************._

   **************************************************************************************
   (Selector field) ************************ (Action
   field)._*************************** facility.level
   ************************ facility ********* level
   ********************************************************************************************************************._******************************************************************
   (;) *********._*** *
   ************************._********************************************************************************************._******************
   FreeBSD ********* syslog.conf**

 # $FreeBSD$
 #
 #       Spaces ARE valid field separators in this file. However,
 #       other *nix-like systems still insist on using tabs as field
 #       separators. If you are sharing this file between systems, you
 #       may want to use only tabs as field separators here.
 #       Consult the syslog.conf(5) manpage.
 *.err;kern.warning;auth.notice;mail.crit                /dev/console
 *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
 security.*                                      /var/log/security
 auth.info;authpriv.info                         /var/log/auth.log
 mail.info                                       /var/log/maillog
 lpr.info                                        /var/log/lpd-errs
 ftp.info                                        /var/log/xferlog
 cron.*                                          /var/log/cron
 !-devd
 *.=debug                                        /var/log/debug.log
 *.emerg                                         *
 # uncomment this to log all writes to /dev/console to /var/log/console.log
 #console.info                                   /var/log/console.log
 # uncomment this to enable logging of all log messages to /var/log/all.log
 # touch /var/log/all.log and chmod it to mode 600 before it will work
 #*.*                                            /var/log/all.log
 # uncomment this to enable logging to a remote loghost named loghost
 #*.*                                            @loghost
 # uncomment these if you're running inn
 # news.crit                                     /var/log/news/news.crit
 # news.err                                      /var/log/news/news.err
 # news.notice                                   /var/log/news/news.notice
 # Uncomment this if you wish to see messages produced by devd
 # !devd
 # *.>=info
 !ppp
 *.*                                             /var/log/ppp.log
 !*

   ********************

     * *** 8 ************************ err ********************************
       kern.warning, auth.notice *** mail.crit
       *********************************************** Console
       (/dev/console)._

     * *** 12 ************************ mail ************ info
       ******************************************** /var/log/maillog._

     * *** 17 ************************ (=) ****************** debug
       ************************************** /var/log/debug.log._

     * *** 33
       *********************************._***************************************************************._***********************
       ppp ****************************** /var/log/ppp.log._

   ********************************************************* emerg, alert,
   crit, err, warning, notice, info ****** debug._

   ****** (facility) ******************************** auth, authpriv,
   console, cron, daemon, ftp, kern, lpr, mail, mark, news, security, syslog,
   user, uucp *** local0 ***
   local7._******************************************************._

   ********************* notice ***************************
   /var/log/daemon.log ***********************

 daemon.notice                                        /var/log/daemon.log

   *************************************************************** syslog(3)
   *** syslogd(8)._*********************
   /etc/syslog.conf,_******************************************************
   syslog.conf(5)._

  11.7.2. *********************

   ****************************************************************************************************************************************************************._***
   FreeBSD ************ newsyslog
   *********************************************************** (Rotate)
   ***********************************************************************************************************************._************************
   syslogd ******************************************************._newsyslog
   ************ cron(8) ********************************
   Daemon***********************************._

   newsyslog ********************* /etc/newsyslog.conf
   ******************************************** newsyslog
   ***********************************************************************************************,_******,_************************,_*********************************************************************************._*********
   FreeBSD *****************

 # configuration file for newsyslog
 # $FreeBSD$
 #
 # Entries which do not specify the '/pid_file' field will cause the
 # syslogd process to be signalled when that log file is rotated.  This
 # action is only appropriate for log files which are written to by the
 # syslogd process (ie, files listed in /etc/syslog.conf).  If there
 # is no process which needs to be signalled when a given log file is
 # rotated, then the entry for that file should include the 'N' flag.
 #
 # The 'flags' field is one or more of the letters: BCDGJNUXZ or a '-'.
 #
 # Note: some sites will want to select more restrictive protections than the
 # defaults.  In particular, it may be desirable to switch many of the 644
 # entries to 640 or 600.  For example, some sites will consider the
 # contents of maillog, messages, and lpd-errs to be confidential.  In the
 # future, these defaults may change to more conservative ones.
 #
 # logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
 /var/log/all.log                        600  7     *    @T00  J
 /var/log/amd.log                        644  7     100  *     J
 /var/log/auth.log                       600  7     100  @0101T JC
 /var/log/console.log                    600  5     100  *     J
 /var/log/cron                           600  3     100  *     JC
 /var/log/daily.log                      640  7     *    @T00  JN
 /var/log/debug.log                      600  7     100  *     JC
 /var/log/kerberos.log                   600  7     100  *     J
 /var/log/lpd-errs                       644  7     100  *     JC
 /var/log/maillog                        640  7     *    @T00  JC
 /var/log/messages                       644  5     100  @0101T JC
 /var/log/monthly.log                    640  12    *    $M1D0 JN
 /var/log/pflog                          600  3     100  *     JB    /var/run/pflogd.pid
 /var/log/ppp.log        root:network    640  3     100  *     JC
 /var/log/devd.log                       644  3     100  *     JC
 /var/log/security                       600  10    100  *     JC
 /var/log/sendmail.st                    640  10    *    168   B
 /var/log/utx.log                        644  3     *    @01T05 B
 /var/log/weekly.log                     640  5     1    $W6D0 JN
 /var/log/xferlog                        600  7     100  *     JC

   *********************************************,_************************************************************
   (******)._mode **************************************count
   ***************************************************** size *** when
   *************** newsyslog
   ************************._************************************ size
   *************************** when
   *********************************************** (*) ***************._flags
   ****************************************************************************************************._********************************************************
   ID (PID) ************************************************************
   (Signal) ******._

   *********************************,_*****************************************************
   newsyslog.conf(5)._****** newsyslog ****** cron(8)
   ***************************** cron(8)
   ************************************************************._

  11.7.3. ******************

   Contributed by Tom Rhodes.

   Monitoring the log files of multiple hosts can become unwieldy as the
   number of systems increases. Configuring centralized logging can reduce
   some of the administrative burden of log file administration.

   In FreeBSD, centralized log file aggregation, merging, and rotation can be
   configured using syslogd and newsyslog. This section demonstrates an
   example configuration, where host A, named logserv.example.com, will
   collect logging information for the local network. Host B, named
   logclient.example.com, will be configured to pass logging information to
   the logging server.

    11.7.3.1. *********************

   A log server is a system that has been configured to accept logging
   information from other hosts. Before configuring a log server, check the
   following:

     * If there is a firewall between the logging server and any logging
       clients, ensure that the firewall ruleset allows UDP port 514 for both
       the clients and the server.

     * The logging server and all client machines must have forward and
       reverse entries in the local DNS. If the network does not have a DNS
       server, create entries in each system's /etc/hosts. Proper name
       resolution is required so that log entries are not rejected by the
       logging server.

   On the log server, edit /etc/syslog.conf to specify the name of the client
   to receive log entries from, the logging facility to be used, and the name
   of the log to store the host's log entries. This example adds the hostname
   of B, logs all facilities, and stores the log entries in
   /var/log/logclient.log.

   ****** 11.1. ***************************

 +logclient.example.com
 *.*     /var/log/logclient.log

   When adding multiple log clients, add a similar two-line entry for each
   client. More information about the available facilities may be found in
   syslog.conf(5).

   Next, configure /etc/rc.conf:

 syslogd_enable="YES"
 syslogd_flags="-a logclient.example.com -v -v"

   The first entry starts syslogd at system boot. The second entry allows log
   entries from the specified client. The -v -v increases the verbosity of
   logged messages. This is useful for tweaking facilities as administrators
   are able to see what type of messages are being logged under each
   facility.

   Multiple -a options may be specified to allow logging from multiple
   clients. IP addresses and whole netblocks may also be specified. Refer to
   syslogd(8) for a full list of possible options.

   Finally, create the log file:

 # touch /var/log/logclient.log

   At this point, syslogd should be restarted and verified:

 # service syslogd restart
 # pgrep syslog

   If a PID is returned, the server restarted successfully, and client
   configuration can begin. If the server did not restart, consult
   /var/log/messages for the error.

    11.7.3.2. *********************

   A logging client sends log entries to a logging server on the network. The
   client also keeps a local copy of its own logs.

   Once a logging server has been configured, edit /etc/rc.conf on the
   logging client:

 syslogd_enable="YES"
 syslogd_flags="-s -v -v"

   The first entry enables syslogd on boot up. The second entry prevents logs
   from being accepted by this client from other hosts (-s) and increases the
   verbosity of logged messages.

   Next, define the logging server in the client's /etc/syslog.conf. In this
   example, all logged facilities are sent to a remote system, denoted by the
   @ symbol, with the specified hostname:

 *.*             @logserv.example.com

   After saving the edit, restart syslogd for the changes to take effect:

 # service syslogd restart

   To test that log messages are being sent across the network, use logger(1)
   on the client to send a message to syslogd:

 # logger "Test message from logclient"

   This message should now exist both in /var/log/messages on the client and
   /var/log/logclient.log on the log server.

    11.7.3.3. *********************

   If no messages are being received on the log server, the cause is most
   likely a network connectivity issue, a hostname resolution issue, or a
   typo in a configuration file. To isolate the cause, ensure that both the
   logging server and the logging client are able to ping each other using
   the hostname specified in their /etc/rc.conf. If this fails, check the
   network cabling, the firewall ruleset, and the hostname entries in the DNS
   server or /etc/hosts on both the logging server and clients. Repeat until
   the ping is successful from both hosts.

   If the ping succeeds on both hosts but log messages are still not being
   received, temporarily increase logging verbosity to narrow down the
   configuration issue. In the following example, /var/log/logclient.log on
   the logging server is empty and /var/log/messages on the logging client
   does not indicate a reason for the failure. To increase debugging output,
   edit the syslogd_flags entry on the logging server and issue a restart:

 syslogd_flags="-d -a logclient.example.com -v -v"

 # service syslogd restart

   Debugging data similar to the following will flash on the console
   immediately after the restart:

 logmsg: pri 56, flags 4, from logserv.example.com, msg syslogd: restart
 syslogd: restarted
 logmsg: pri 6, flags 4, from logserv.example.com, msg syslogd: kernel boot file is /boot/kernel/kernel
 Logging to FILE /var/log/messages
 syslogd: kernel boot file is /boot/kernel/kernel
 cvthname(192.168.1.10)
 validate: dgram from IP 192.168.1.10, port 514, name logclient.example.com;
 rejected in rule 0 due to name mismatch.

   In this example, the log messages are being rejected due to a typo which
   results in a hostname mismatch. The client's hostname should be logclient,
   not logclien. Fix the typo, issue a restart, and verify the results:

 # service syslogd restart
 logmsg: pri 56, flags 4, from logserv.example.com, msg syslogd: restart
 syslogd: restarted
 logmsg: pri 6, flags 4, from logserv.example.com, msg syslogd: kernel boot file is /boot/kernel/kernel
 syslogd: kernel boot file is /boot/kernel/kernel
 logmsg: pri 166, flags 17, from logserv.example.com,
 msg Dec 10 20:55:02 <syslog.err> logserv.example.com syslogd: exiting on signal 2
 cvthname(192.168.1.10)
 validate: dgram from IP 192.168.1.10, port 514, name logclient.example.com;
 accepted in rule 0.
 logmsg: pri 15, flags 0, from logclient.example.com, msg Dec 11 02:01:28 trhodes: Test message 2
 Logging to FILE /var/log/logclient.log
 Logging to FILE /var/log/messages

   At this point, the messages are being properly received and placed in the
   correct file.

    11.7.3.4. ******************

   As with any network service, security requirements should be considered
   before implementing a logging server. Log files may contain sensitive data
   about services enabled on the local host, user accounts, and configuration
   data. Network data sent from the client to the server will not be
   encrypted or password protected. If a need for encryption exists, consider
   using security/stunnel, which will transmit the logging data over an
   encrypted tunnel.

   Local security is also an issue. Log files are not encrypted during use or
   after log rotation. Local users may access log files to gain additional
   insight into system configuration. Setting proper permissions on log files
   is critical. The built-in log rotator, newsyslog, supports setting
   permissions on newly created and rotated log files. Setting log files to
   mode 600 should prevent unwanted access by local users. Refer to
   newsyslog.conf(5) for additional information.

11.8. *********

  11.8.1. /etc ******

   **********************************************************

/etc                *********************************._                                                
/etc/defaults       ******************************._                                                   
/etc/mail           sendmail(8) *************************** MTA *********._                            
/etc/ppp            user- *** kernel-ppp ***************._                                             
/usr/local/etc      ********************************************************************************._ 
/usr/local/etc/rc.d ************************ rc(8) Script._                                            
/var/db             *********************************************************************** locate(1)  
                    *********._                                                                        

  11.8.2. ************

    11.8.2.1. /etc/resolv.conf

   FreeBSD ********************************************* (Internet Domain
   Name System, DNS) ****** resolv.conf(5) *********._

   /etc/resolv.conf **************************

nameserver ************ (Resolver) *************************** IP                                         
           ****************************************************************************._                 
search     ***************************************._***************************************************._ 
domain     ******************._                                                                           

   ********* /etc/resolv.conf ***********

 search example.com
 nameserver 147.11.1.11
 nameserver 147.11.100.30

  ******:

   search *** domain *********************._

   ********* DHCP *****dhclient(8) ****************** DHCP
   ************************************ /etc/resolv.conf._

    11.8.2.2. /etc/hosts

   /etc/hosts *********************************** DNS *** NIS
   ************************************ IP ***************._************ LAN
   ***********************************************************************************************
   named(8) *********._************ /etc/hosts
   ***********************************************************************************
   DNS ************************._

 # $FreeBSD$
 #
 #
 # Host Database
 #
 # This file should contain the addresses and aliases for local hosts that
 # share this file.  Replace 'my.domain' below with the domainname of your
 # machine.
 #
 # In the presence of the domain name service or NIS, this file may
 # not be consulted at all; see /etc/nsswitch.conf for the resolution order.
 #
 #
 ::1                     localhost localhost.my.domain
 127.0.0.1               localhost localhost.my.domain
 #
 # Imaginary network.
 #10.0.0.2               myname.my.domain myname
 #10.0.0.3               myfriend.my.domain myfriend
 #
 # According to RFC 1918, you can use the following IP networks for
 # private nets which will never be connected to the Internet:
 #
 #       10.0.0.0        -   10.255.255.255
 #       172.16.0.0      -   172.31.255.255
 #       192.168.0.0     -   192.168.255.255
 #
 # In case you want to be able to connect to the Internet, you need
 # real official assigned numbers.  Do not try to invent your own network
 # numbers but instead get one from your network provider (if any) or
 # from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
 #

   /etc/hosts *****************

 [Internet address] [official hostname] [alias1] [alias2] ...

   ********

 10.0.0.1 myRealHostname.example.com myRealHostname foobar1 foobar2

   ********* hosts(5) ******************._

11.9. ****** sysctl(8) ******

   sysctl(8) *************************** FreeBSD ***********************
   TCP/IP
   ********************************************************************************************************._******************************************
   sysctl(8) ******************._

   sysctl(8) *****************************************************._

   ********************************

 % sysctl -a

   ********************************************

 % sysctl kern.maxproc
 kern.maxproc: 1044

   ****************************** variable=value ********

 # sysctl kern.maxfiles=5000
 kern.maxfiles: 2088 -> 5000

   sysctl ***************************,_**************************************
   1 ***********0 *********._

   *********************************************************************
   /etc/sysctl.conf._********************************* sysctl.conf(5) ***
   *** 11.9.1, "sysctl.conf"._

  11.9.1. sysctl.conf

   sysctl(8) *************** /etc/sysctl.conf**************
   /etc/rc.conf******************** variable=value
   ******._***********************************************************************************************************._

   ***************************** (Fatal signal)
   **************************************************************************************************
   /etc/sysctl.conf**

 # Do not log fatal signal exits (e.g., sig 11)
 kern.logsigexit=0

 # Prevent users from seeing information about processes that
 # are being run under another UID.
 security.bsd.see_other_uids=0

  11.9.2. ****** sysctl(8)

   Contributed by Tom Rhodes.

   ********************************************* sysctl(8)
   *****************************************._

   ***************************** cardbus(4)
   ********************************************************************************

 cbb0: Could not map register memory
 device_probe_and_attach: cbb0 attach returned 12

   ********************************* sysctl(8) ******._******
   hw.pci.allow_unsupported_io_range=1 *** /boot/loader.conf
   ******************._****** cardbus(4) ******************._

11.10. ************

   ******************************************************************************._**********************************************************
   SCSI
   ***********************************************************._******************************************************************************************************************************************._**************************************
   iostat(8)
   *****************************************************************************************
   IO *********************._

  11.10.1. Sysctl ******

    11.10.1.1. vfs.vmiodirenable

   The vfs.vmiodirenable sysctl(8) variable may be set to either 0 (off) or 1
   (on). It is set to 1 by default. This variable controls how directories
   are cached by the system. Most directories are small, using just a single
   fragment (typically 1 K) in the file system and typically 512 bytes in the
   buffer cache. With this variable turned off, the buffer cache will only
   cache a fixed number of directories, even if the system has a huge amount
   of memory. When turned on, this sysctl(8) allows the buffer cache to use
   the VM page cache to cache the directories, making all the memory
   available for caching directories. However, the minimum in-core memory
   used to cache a directory is the physical page size (typically 4 K) rather
   than 512  bytes. Keeping this option enabled is recommended if the system
   is running any services which manipulate large numbers of files. Such
   services can include web caches, large mail systems, and news systems.
   Keeping this option on will generally not reduce performance, even with
   the wasted memory, but one should experiment to find out.

    11.10.1.2. vfs.write_behind

   The vfs.write_behind sysctl(8) variable defaults to 1 (on). This tells the
   file system to issue media writes as full clusters are collected, which
   typically occurs when writing large sequential files. This avoids
   saturating the buffer cache with dirty buffers when it would not benefit
   I/O performance. However, this may stall processes and under certain
   circumstances should be turned off.

    11.10.1.3. vfs.hirunningspace

   The vfs.hirunningspace sysctl(8) variable determines how much outstanding
   write I/O may be queued to disk controllers system-wide at any given
   instance. The default is usually sufficient, but on machines with many
   disks, try bumping it up to four or five megabytes. Setting too high a
   value which exceeds the buffer cache's write threshold can lead to bad
   clustering performance. Do not set this value arbitrarily high as higher
   write values may add latency to reads occurring at the same time.

   There are various other buffer cache and VM page cache related sysctl(8)
   values. Modifying these values is not recommended as the VM system does a
   good job of automatically tuning itself.

    11.10.1.4. vm.swap_idle_enabled

   The vm.swap_idle_enabled sysctl(8) variable is useful in large multi-user
   systems with many active login users and lots of idle processes. Such
   systems tend to generate continuous pressure on free memory reserves.
   Turning this feature on and tweaking the swapout hysteresis (in idle
   seconds) via vm.swap_idle_threshold1 and vm.swap_idle_threshold2 depresses
   the priority of memory pages associated with idle processes more quickly
   then the normal pageout algorithm. This gives a helping hand to the
   pageout daemon. Only turn this option on if needed, because the tradeoff
   is essentially pre-page memory sooner rather than later which eats more
   swap and disk bandwidth. In a small system this option will have a
   determinable effect, but in a large system that is already doing moderate
   paging, this option allows the VM system to stage whole processes into and
   out of memory easily.

    11.10.1.5. hw.ata.wc

   Turning off IDE write caching reduces write bandwidth to IDE disks, but
   may sometimes be necessary due to data consistency issues introduced by
   hard drive vendors. The problem is that some IDE drives lie about when a
   write completes. With IDE write caching turned on, IDE hard drives write
   data to disk out of order and will sometimes delay writing some blocks
   indefinitely when under heavy disk load. A crash or power failure may
   cause serious file system corruption. Check the default on the system by
   observing the hw.ata.wc sysctl(8) variable. If IDE write caching is turned
   off, one can set this read-only variable to 1 in /boot/loader.conf in
   order to enable it at boot time.

   For more information, refer to ata(4).

    11.10.1.6. SCSI_DELAY (kern.cam.scsi_delay)

   The SCSI_DELAY kernel configuration option may be used to reduce system
   boot times. The defaults are fairly high and can be responsible for 15
   seconds of delay in the boot process. Reducing it to 5 seconds usually
   works with modern drives. The kern.cam.scsi_delay boot time tunable should
   be used. The tunable and kernel configuration option accept values in
   terms of milliseconds and not seconds.

  11.10.2. *********

   To fine-tune a file system, use tunefs(8). This program has many different
   options. To toggle Soft Updates on and off, use:

 # tunefs -n enable /filesystem
 # tunefs -n disable /filesystem

   A file system cannot be modified with tunefs(8) while it is mounted. A
   good time to enable Soft Updates is before any partitions have been
   mounted, in single-user mode.

   Soft Updates is recommended for UFS file systems as it drastically
   improves meta-data performance, mainly file creation and deletion, through
   the use of a memory cache. There are two downsides to Soft Updates to be
   aware of. First, Soft Updates guarantee file system consistency in the
   case of a crash, but could easily be several seconds or even a minute
   behind updating the physical disk. If the system crashes, unwritten data
   may be lost. Secondly, Soft Updates delay the freeing of file system
   blocks. If the root file system is almost full, performing a major update,
   such as make installworld, can cause the file system to run out of space
   and the update to fail.

    11.10.2.1. ************************************

   Meta-data updates are updates to non-content data like inodes or
   directories. There are two traditional approaches to writing a file
   system's meta-data back to disk.

   Historically, the default behavior was to write out meta-data updates
   synchronously. If a directory changed, the system waited until the change
   was actually written to disk. The file data buffers (file contents) were
   passed through the buffer cache and backed up to disk later on
   asynchronously. The advantage of this implementation is that it operates
   safely. If there is a failure during an update, meta-data is always in a
   consistent state. A file is either created completely or not at all. If
   the data blocks of a file did not find their way out of the buffer cache
   onto the disk by the time of the crash, fsck(8) recognizes this and
   repairs the file system by setting the file length to 0. Additionally, the
   implementation is clear and simple. The disadvantage is that meta-data
   changes are slow. For example, rm -r touches all the files in a directory
   sequentially, but each directory change will be written synchronously to
   the disk. This includes updates to the directory itself, to the inode
   table, and possibly to indirect blocks allocated by the file. Similar
   considerations apply for unrolling large hierarchies using tar -x.

   The second approach is to use asynchronous meta-data updates. This is the
   default for a UFS file system mounted with mount -o async. Since all
   meta-data updates are also passed through the buffer cache, they will be
   intermixed with the updates of the file content data. The advantage of
   this implementation is there is no need to wait until each meta-data
   update has been written to disk, so all operations which cause huge
   amounts of meta-data updates work much faster than in the synchronous
   case. This implementation is still clear and simple, so there is a low
   risk for bugs creeping into the code. The disadvantage is that there is no
   guarantee for a consistent state of the file system. If there is a failure
   during an operation that updated large amounts of meta-data, like a power
   failure or someone pressing the reset button, the file system will be left
   in an unpredictable state. There is no opportunity to examine the state of
   the file system when the system comes up again as the data blocks of a
   file could already have been written to the disk while the updates of the
   inode table or the associated directory were not. It is impossible to
   implement a fsck(8) which is able to clean up the resulting chaos because
   the necessary information is not available on the disk. If the file system
   has been damaged beyond repair, the only choice is to reformat it and
   restore from backup.

   The usual solution for this problem is to implement dirty region logging,
   which is also referred to as journaling. Meta-data updates are still
   written synchronously, but only into a small region of the disk. Later on,
   they are moved to their proper location. Because the logging area is a
   small, contiguous region on the disk, there are no long distances for the
   disk heads to move, even during heavy operations, so these operations are
   quicker than synchronous updates. Additionally, the complexity of the
   implementation is limited, so the risk of bugs being present is low. A
   disadvantage is that all meta-data is written twice, once into the logging
   region and once to the proper location, so performance "pessimization"
   might result. On the other hand, in case of a crash, all pending meta-data
   operations can be either quickly rolled back or completed from the logging
   area after the system comes up again, resulting in a fast file system
   startup.

   Kirk McKusick, the developer of Berkeley FFS, solved this problem with
   Soft Updates. All pending meta-data updates are kept in memory and written
   out to disk in a sorted sequence ("ordered meta-data updates"). This has
   the effect that, in case of heavy meta-data operations, later updates to
   an item "catch" the earlier ones which are still in memory and have not
   already been written to disk. All operations are generally performed in
   memory before the update is written to disk and the data blocks are sorted
   according to their position so that they will not be on the disk ahead of
   their meta-data. If the system crashes, an implicit "log rewind" causes
   all operations which were not written to the disk appear as if they never
   happened. A consistent file system state is maintained that appears to be
   the one of 30 to 60 seconds earlier. The algorithm used guarantees that
   all resources in use are marked as such in their blocks and inodes. After
   a crash, the only resource allocation error that occurs is that resources
   are marked as "used" which are actually "free". fsck(8) recognizes this
   situation, and frees the resources that are no longer used. It is safe to
   ignore the dirty state of the file system after a crash by forcibly
   mounting it with mount -f. In order to free resources that may be unused,
   fsck(8) needs to be run at a later time. This is the idea behind the
   background fsck(8): at system startup time, only a snapshot of the file
   system is recorded and fsck(8) is run afterwards. All file systems can
   then be mounted "dirty", so the system startup proceeds in multi-user
   mode. Then, background fsck(8) is scheduled for all file systems where
   this is required, to free resources that may be unused. File systems that
   do not use Soft Updates still need the usual foreground fsck(8).

   The advantage is that meta-data operations are nearly as fast as
   asynchronous updates and are faster than logging, which has to write the
   meta-data twice. The disadvantages are the complexity of the code, a
   higher memory consumption, and some idiosyncrasies. After a crash, the
   state of the file system appears to be somewhat "older". In situations
   where the standard synchronous approach would have caused some zero-length
   files to remain after the fsck(8), these files do not exist at all with
   Soft Updates because neither the meta-data nor the file contents have been
   written to disk. Disk space is not released until the updates have been
   written to disk, which may take place some time after running rm(1). This
   may cause problems when installing large amounts of data on a file system
   that does not have enough free space to hold all the files twice.

11.11. ******************

  11.11.1. ******/************

    11.11.1.1. kern.maxfiles

   The kern.maxfiles sysctl(8) variable can be raised or lowered based upon
   system requirements. This variable indicates the maximum number of file
   descriptors on the system. When the file descriptor table is full, file:
   table is full will show up repeatedly in the system message buffer, which
   can be viewed using dmesg(8).

   Each open file, socket, or fifo uses one file descriptor. A large-scale
   production server may easily require many thousands of file descriptors,
   depending on the kind and number of services running concurrently.

   In older FreeBSD releases, the default value of kern.maxfiles is derived
   from maxusers in the kernel configuration file. kern.maxfiles grows
   proportionally to the value of maxusers. When compiling a custom kernel,
   consider setting this kernel configuration option according to the use of
   the system. From this number, the kernel is given most of its pre-defined
   limits. Even though a production machine may not have 256 concurrent
   users, the resources needed may be similar to a high-scale web server.

   The read-only sysctl(8) variable kern.maxusers is automatically sized at
   boot based on the amount of memory available in the system, and may be
   determined at run-time by inspecting the value of kern.maxusers. Some
   systems require larger or smaller values of kern.maxusers and values of
   64, 128, and 256 are not uncommon. Going above 256 is not recommended
   unless a huge number of file descriptors is needed. Many of the tunable
   values set to their defaults by kern.maxusers may be individually
   overridden at boot-time or run-time in /boot/loader.conf. Refer to
   loader.conf(5) and /boot/defaults/loader.conf for more details and some
   hints.

   In older releases, the system will auto-tune maxusers if it is set to 0.
   [2]. When setting this option, set maxusers to at least 4, especially if
   the system runs Xorg or is used to compile software. The most important
   table set by maxusers is the maximum number of processes, which is set to
   20 + 16 * maxusers. If maxusers is set to 1, there can only be 36
   simultaneous processes, including the 18 or so that the system starts up
   at boot time and the 15 or so used by Xorg. Even a simple task like
   reading a manual page will start up nine processes to filter, decompress,
   and view it. Setting maxusers to 64 allows up to 1044 simultaneous
   processes, which should be enough for nearly all uses. If, however, the
   proc table full error is displayed when trying to start another program,
   or a server is running with a large number of simultaneous users, increase
   the number and rebuild.

  ******:

   maxusers does not limit the number of users which can log into the
   machine. It instead sets various table sizes to reasonable values
   considering the maximum number of users on the system and how many
   processes each user will be running.

    11.11.1.2. kern.ipc.soacceptqueue

   The kern.ipc.soacceptqueue sysctl(8) variable limits the size of the
   listen queue for accepting new TCP connections. The default value of 128
   is typically too low for robust handling of new connections on a heavily
   loaded web server. For such environments, it is recommended to increase
   this value to 1024 or higher. A service such as sendmail(8), or Apache may
   itself limit the listen queue size, but will often have a directive in its
   configuration file to adjust the queue size. Large listen queues do a
   better job of avoiding Denial of Service (DoS) attacks.

  11.11.2. ************

   The NMBCLUSTERS kernel configuration option dictates the amount of network
   Mbufs available to the system. A heavily-trafficked server with a low
   number of Mbufs will hinder performance. Each cluster represents
   approximately 2 K of memory, so a value of 1024 represents 2 megabytes of
   kernel memory reserved for network buffers. A simple calculation can be
   done to figure out how many are needed. A web server which maxes out at
   1000 simultaneous connections where each connection uses a 6 K receive and
   16 K send buffer, requires approximately 32 MB worth of network buffers to
   cover the web server. A good rule of thumb is to multiply by 2, so
   2x32 MB / 2 KB = 64 MB / 2 kB = 32768. Values between 4096 and 32768 are
   recommended for machines with greater amounts of memory. Never specify an
   arbitrarily high value for this parameter as it could lead to a boot time
   crash. To observe network cluster usage, use -m with netstat(1).

   The kern.ipc.nmbclusters loader tunable should be used to tune this at
   boot time. Only older versions of FreeBSD will require the use of the
   NMBCLUSTERS kernel config(8) option.

   For busy servers that make extensive use of the sendfile(2) system call,
   it may be necessary to increase the number of sendfile(2) buffers via the
   NSFBUFS kernel configuration option or by setting its value in
   /boot/loader.conf (see loader(8) for details). A common indicator that
   this parameter needs to be adjusted is when processes are seen in the
   sfbufa state. The sysctl(8) variable kern.ipc.nsfbufs is read-only. This
   parameter nominally scales with kern.maxusers, however it may be necessary
   to tune accordingly.

  ******:

   Even though a socket has been marked as non-blocking, calling sendfile(2)
   on the non-blocking socket may result in the sendfile(2) call blocking
   until enough struct sf_buf's are made available.

    11.11.2.1. net.inet.ip.portrange.*

   The net.inet.ip.portrange.* sysctl(8) variables control the port number
   ranges automatically bound to TCP and UDP sockets. There are three ranges:
   a low range, a default range, and a high range. Most network programs use
   the default range which is controlled by net.inet.ip.portrange.first and
   net.inet.ip.portrange.last, which default to 1024 and 5000, respectively.
   Bound port ranges are used for outgoing connections and it is possible to
   run the system out of ports under certain circumstances. This most
   commonly occurs when running a heavily loaded web proxy. The port range is
   not an issue when running a server which handles mainly incoming
   connections, such as a web server, or has a limited number of outgoing
   connections, such as a mail relay. For situations where there is a
   shortage of ports, it is recommended to increase
   net.inet.ip.portrange.last modestly. A value of 10000, 20000 or 30000 may
   be reasonable. Consider firewall effects when changing the port range.
   Some firewalls may block large ranges of ports, usually low-numbered
   ports, and expect systems to use higher ranges of ports for outgoing
   connections. For this reason, it is not recommended that the value of
   net.inet.ip.portrange.first be lowered.

    11.11.2.2. TCP ******************

   TCP bandwidth delay product limiting can be enabled by setting the
   net.inet.tcp.inflight.enable sysctl(8) variable to 1. This instructs the
   system to attempt to calculate the bandwidth delay product for each
   connection and limit the amount of data queued to the network to just the
   amount required to maintain optimum throughput.

   This feature is useful when serving data over modems, Gigabit Ethernet,
   high speed WAN links, or any other link with a high bandwidth delay
   product, especially when also using window scaling or when a large send
   window has been configured. When enabling this option, also set
   net.inet.tcp.inflight.debug to 0 to disable debugging. For production use,
   setting net.inet.tcp.inflight.min to at least 6144 may be beneficial.
   Setting high minimums may effectively disable bandwidth limiting,
   depending on the link. The limiting feature reduces the amount of data
   built up in intermediate route and switch packet queues and reduces the
   amount of data built up in the local host's interface queue. With fewer
   queued packets, interactive connections, especially over slow modems, will
   operate with lower Round Trip Times. This feature only effects server side
   data transmission such as uploading. It has no effect on data reception or
   downloading.

   Adjusting net.inet.tcp.inflight.stab is not recommended. This parameter
   defaults to 20, representing 2 maximal packets added to the bandwidth
   delay product window calculation. The additional window is required to
   stabilize the algorithm and improve responsiveness to changing conditions,
   but it can also result in higher ping(8) times over slow links, though
   still much lower than without the inflight algorithm. In such cases, try
   reducing this parameter to 15, 10, or 5 and reducing
   net.inet.tcp.inflight.min to a value such as 3500 to get the desired
   effect. Reducing these parameters should be done as a last resort only.

  11.11.3. ***************

    11.11.3.1. kern.maxvnodes

   A vnode is the internal representation of a file or directory. Increasing
   the number of vnodes available to the operating system reduces disk I/O.
   Normally, this is handled by the operating system and does not need to be
   changed. In some cases where disk I/O is a bottleneck and the system is
   running out of vnodes, this setting needs to be increased. The amount of
   inactive and free RAM will need to be taken into account.

   To see the current number of vnodes in use:

 # sysctl vfs.numvnodes
 vfs.numvnodes: 91349

   To see the maximum vnodes:

 # sysctl kern.maxvnodes
 kern.maxvnodes: 100000

   If the current vnode usage is near the maximum, try increasing
   kern.maxvnodes by a value of 1000. Keep an eye on the number of
   vfs.numvnodes. If it climbs up to the maximum again, kern.maxvnodes will
   need to be increased further. Otherwise, a shift in memory usage as
   reported by top(1) should be visible and more memory should be active.

11.12. ******************

   ************************************ (Swap)
   ******************************************************************************************************************************************************************************************._

   ******************************************************,_***********************************************************
   *** 17.13, "******************"._

  11.12.1. ***************************************************

   ************************************************************************************************._***************************
   *** 17.2, "************" ******************** *** 2.6.1,
   "*********************"
   ************************************************************************._

   ****** swapon ****************************************

 # swapon /dev/ada1s1b

  ******:

   *********************************,_**************************************************************************************************
   swapon **************************************************************
   swapon *********************************************************._

   ***********************************************************************
   /etc/fstab**

 /dev/ada1s1b    none    swap    sw      0       0

   ********* fstab(5) ************ /etc/fstab
   ******************._************ swapon ********* ********* swapon(8)
   ******._

  11.12.2. ***************

   *************************** 64M *************** /usr/swap0
   ******************************************._

   ****************************************************************** md(4)
   ************************** *** 8, ****** FreeBSD ******
   ***************************************._

   ****** 11.2. ****************** FreeBSD 10.X ***************
    1. *****************

 # dd if=/dev/zero of=/usr/swap0 bs=1m count=64

    2. ***********************************

 # chmod 0600 /usr/swap0

    3. ************ /etc/fstab **************************************

 md99    none    swap    sw,file=/usr/swap0,late 0       0

       ********* md(4) *********
       md99*****************************************************._

    4. ***************************************._*****************************************
       swapon(8)**

 # swapon -aL

   ****** 11.3. ****************** FreeBSD 9.X ***************
    1. *************** /usr/swap0**

 # dd if=/dev/zero of=/usr/swap0 bs=1m count=64

    2. ************************ /usr/swap0**

 # chmod 0600 /usr/swap0

    3. *** /etc/rc.conf *****************

 swapfile="/usr/swap0"   # Set to name of swap file

    4. ***************************************._**************************************************************************._*********
       *** 17.9, "***************"
       ******************************************._

 # mdconfig -a -t vnode -f /usr/swap0 -u 0 && swapon /dev/md0

11.13. *********************

   Written by Hiten Pandya and Tom Rhodes.

   *******************************************************************************************************************************************************************************._******************************************************
   (Advanced Power Management, APM)**APM
   ******************************************************._************** APM
   ***********************************************************************************************************
   BIOS
   **********************************************************************************
   APM BIOS
   ********************************************************************************
   APM ****************************** APM
   ***************************************._

   *** APM
   ************************._********************************************
   BIOS **************************************._*********************** APM
   BIOS ************************************************** BIOS
   ************************************************************._********APM
   ********************* BIOS
   **********************************************************************************************************
   ROM ********* APM BIOS
   ******************************************************************************************************._********APM
   *************************************************************************************
   BIOS
   ***************************************************._**************APM
   BIOS
   ***************************************************************************************************._

   Plug and Play BIOS (PNPBIOS) ********************************PNPBIOS ***
   16 *********************************************** 16 ******************
   PNPBIOS._FreeBSD *************** APM ****************** APM**************
   2000 ******************************************************** apm(4)._

   APM ****************************************** (Advanced Configuration and
   Power Interface, ACPI)._ACPI
   *******************************************************************************************************
   *************************************** (Operating System-directed
   configuration and Power Management)
   ********************************************************************._

   *************************** FreeBSD ******
   ACPI***************************** ACPI
   ********************************************************************************************************
   ACPI *********._

  11.13.1. ****** ACPI

   *** FreeBSD acpi(4)
   ********************************************************************************._********************************************************************************************************._*************************************ACPI
   ************************** /boot/loader.conf *********
   hint.acpi.0.disabled="1"
   ********************************************************************
   *** 12.2.3, "*********" ************._

  ******:

   ACPI *** APM
   *************************************************************************************************************._

   ACPI *********************************************** acpiconf *** -s
   ****************** 1 *** 5 *********._****************************** 1
   (*************** RAM) *** 3 (********* RAM)******** 5 ******************
   (Soft-off)************** halt -p ******._

   ************************ sysctl ******************** acpi(4) ******
   acpiconf(8) *********************._

  11.13.2. ************

   ACPI is present in all modern computers that conform to the ia32 (x86),
   ia64 (Itanium), and amd64 (AMD) architectures. The full standard has many
   features including CPU performance management, power planes control,
   thermal zones, various battery systems, embedded controllers, and bus
   enumeration. Most systems implement less than the full standard. For
   instance, a desktop system usually only implements bus enumeration while a
   laptop might have cooling and battery management support as well. Laptops
   also have suspend and resume, with their own associated complexity.

   An ACPI-compliant system has various components. The BIOS and chipset
   vendors provide various fixed tables, such as FADT, in memory that specify
   things like the APIC map (used for SMP), config registers, and simple
   configuration values. Additionally, a bytecode table, the Differentiated
   System Description Table DSDT, specifies a tree-like name space of devices
   and methods.

   The ACPI driver must parse the fixed tables, implement an interpreter for
   the bytecode, and modify device drivers and the kernel to accept
   information from the ACPI subsystem. For FreeBSD, Intel(R) has provided an
   interpreter (ACPI-CA) that is shared with Linux(R) and NetBSD. The path to
   the ACPI-CA source code is src/sys/contrib/dev/acpica. The glue code that
   allows ACPI-CA to work on FreeBSD is in src/sys/dev/acpica/Osd. Finally,
   drivers that implement various ACPI devices are found in
   src/sys/dev/acpica.

   For ACPI to work correctly, all the parts have to work correctly. Here are
   some common problems, in order of frequency of appearance, and some
   possible workarounds or fixes. If a fix does not resolve the issue, refer
   to *** 11.13.4, "***************************" for instructions on how to
   submit a bug report.

    11.13.2.1. ************

   In some cases, resuming from a suspend operation will cause the mouse to
   fail. A known work around is to add hint.psm.0.flags="0x3000" to
   /boot/loader.conf.

    11.13.2.2. ******/******

   ACPI has three suspend to RAM (STR) states, S1-S3, and one suspend to disk
   state (STD), called S4. STD can be implemented in two separate ways. The
   S4BIOS is a BIOS-assisted suspend to disk and S4OS is implemented entirely
   by the operating system. The normal state the system is in when plugged in
   but not powered up is "soft off" (S5).

   Use sysctl hw.acpi to check for the suspend-related items. These example
   results are from a Thinkpad:

 hw.acpi.supported_sleep_state: S3 S4 S5
 hw.acpi.s4bios: 0

   Use acpiconf -s to test S3, S4, and S5. An s4bios of one (1) indicates
   S4BIOS support instead of S4 operating system support.

   When testing suspend/resume, start with S1, if supported. This state is
   most likely to work since it does not require much driver support. No one
   has implemented S2, which is similar to S1. Next, try S3. This is the
   deepest STR state and requires a lot of driver support to properly
   reinitialize the hardware.

   A common problem with suspend/resume is that many device drivers do not
   save, restore, or reinitialize their firmware, registers, or device memory
   properly. As a first attempt at debugging the problem, try:

 # sysctl debug.bootverbose=1
 # sysctl debug.acpi.suspend_bounce=1
 # acpiconf -s 3

   This test emulates the suspend/resume cycle of all device drivers without
   actually going into S3 state. In some cases, problems such as losing
   firmware state, device watchdog time out, and retrying forever, can be
   captured with this method. Note that the system will not really enter S3
   state, which means devices may not lose power, and many will work fine
   even if suspend/resume methods are totally missing, unlike real S3 state.

   Harder cases require additional hardware, such as a serial port and cable
   for debugging through a serial console, a Firewire port and cable for
   using dcons(4), and kernel debugging skills.

   To help isolate the problem, unload as many drivers as possible. If it
   works, narrow down which driver is the problem by loading drivers until it
   fails again. Typically, binary drivers like nvidia.ko, display drivers,
   and USB will have the most problems while Ethernet interfaces usually work
   fine. If drivers can be properly loaded and unloaded, automate this by
   putting the appropriate commands in /etc/rc.suspend and /etc/rc.resume.
   Try setting hw.acpi.reset_video to 1 if the display is messed up after
   resume. Try setting longer or shorter values for hw.acpi.sleep_delay to
   see if that helps.

   Try loading a recent Linux(R) distribution to see if suspend/resume works
   on the same hardware. If it works on Linux(R), it is likely a FreeBSD
   driver problem. Narrowing down which driver causes the problem will assist
   developers in fixing the problem. Since the ACPI maintainers rarely
   maintain other drivers, such as sound or ATA, any driver problems should
   also be posted to the freebsd-current list and mailed to the driver
   maintainer. Advanced users can include debugging printf(3)s in a
   problematic driver to track down where in its resume function it hangs.

   Finally, try disabling ACPI and enabling APM instead. If suspend/resume
   works with APM, stick with APM, especially on older hardware (pre-2000).
   It took vendors a while to get ACPI support correct and older hardware is
   more likely to have BIOS problems with ACPI.

    11.13.2.3. ***************

   Most system hangs are a result of lost interrupts or an interrupt storm.
   Chipsets may have problems based on boot, how the BIOS configures
   interrupts before correctness of the APIC (MADT) table, and routing of the
   System Control Interrupt (SCI).

   Interrupt storms can be distinguished from lost interrupts by checking the
   output of vmstat -i and looking at the line that has acpi0. If the counter
   is increasing at more than a couple per second, there is an interrupt
   storm. If the system appears hung, try breaking to DDB (CTRL+ALT+ESC on
   console) and type show interrupts.

   When dealing with interrupt problems, try disabling APIC support with
   hint.apic.0.disabled="1" in /boot/loader.conf.

    11.13.2.4. ******

   Panics are relatively rare for ACPI and are the top priority to be fixed.
   The first step is to isolate the steps to reproduce the panic, if
   possible, and get a backtrace. Follow the advice for enabling options DDB
   and setting up a serial console in *** 26.6.4, "*************** (Serial
   Line) ****** DDB ************" or setting up a dump partition. To get a
   backtrace in DDB, use tr. When handwriting the backtrace, get at least the
   last five and the top five lines in the trace.

   Then, try to isolate the problem by booting with ACPI disabled. If that
   works, isolate the ACPI subsystem by using various values of
   debug.acpi.disable. See acpi(4) for some examples.

    11.13.2.5. ************************************

   First, try setting hw.acpi.disable_on_poweroff="0" in /boot/loader.conf.
   This keeps ACPI from disabling various events during the shutdown process.
   Some systems need this value set to 1 (the default) for the same reason.
   This usually fixes the problem of a system powering up spontaneously after
   a suspend or poweroff.

    11.13.2.6. BIOS ****************** Bytecode

   Some BIOS vendors provide incorrect or buggy bytecode. This is usually
   manifested by kernel console messages like this:

 ACPI-1287: *** Error: Method execution failed [\\_SB_.PCI0.LPC0.FIGD._STA] \\
 (Node 0xc3f6d160), AE_NOT_FOUND

   Often, these problems may be resolved by updating the BIOS to the latest
   revision. Most console messages are harmless, but if there are other
   problems, like the battery status is not working, these messages are a
   good place to start looking for problems.

  11.13.3. *************** AML

   The BIOS bytecode, known as ACPI Machine Language (AML), is compiled from
   a source language called ACPI Source Language (ASL). The AML is found in
   the table known as the Differentiated System Description Table (DSDT).

   The goal of FreeBSD is for everyone to have working ACPI without any user
   intervention. Workarounds are still being developed for common mistakes
   made by BIOS vendors. The Microsoft(R) interpreter (acpi.sys and
   acpiec.sys) does not strictly check for adherence to the standard, and
   thus many BIOS vendors who only test ACPI under Windows(R) never fix their
   ASL. FreeBSD developers continue to identify and document which
   non-standard behavior is allowed by Microsoft(R)'s interpreter and
   replicate it so that FreeBSD can work without forcing users to fix the
   ASL.

   To help identify buggy behavior and possibly fix it manually, a copy can
   be made of the system's ASL. To copy the system's ASL to a specified file
   name, use acpidump with -t, to show the contents of the fixed tables, and
   -d, to disassemble the AML:

 # acpidump -td > my.asl

   Some AML versions assume the user is running Windows(R). To override this,
   set hw.acpi.osname="Windows 2009" in /boot/loader.conf, using the most
   recent Windows(R) version listed in the ASL.

   Other workarounds may require my.asl to be customized. If this file is
   edited, compile the new ASL using the following command. Warnings can
   usually be ignored, but errors are bugs that will usually prevent ACPI
   from working correctly.

 # iasl -f my.asl

   Including -f forces creation of the AML, even if there are errors during
   compilation. Some errors, such as missing return statements, are
   automatically worked around by the FreeBSD interpreter.

   The default output filename for iasl is DSDT.aml. Load this file instead
   of the BIOS's buggy copy, which is still present in flash memory, by
   editing /boot/loader.conf as follows:

 acpi_dsdt_load="YES"
 acpi_dsdt_name="/boot/DSDT.aml"

   Be sure to copy DSDT.aml to /boot, then reboot the system. If this fixes
   the problem, send a diff(1) of the old and new ASL to freebsd-acpi so that
   developers can work around the buggy behavior in acpica.

  11.13.4. ***************************

   Written by Nate Lawson.
   With contributions from Peter Schultz and Tom Rhodes.

   The ACPI driver has a flexible debugging facility. A set of subsystems and
   the level of verbosity can be specified. The subsystems to debug are
   specified as layers and are broken down into components
   (ACPI_ALL_COMPONENTS) and ACPI hardware support (ACPI_ALL_DRIVERS). The
   verbosity of debugging output is specified as the level and ranges from
   just report errors (ACPI_LV_ERROR) to everything (ACPI_LV_VERBOSE). The
   level is a bitmask so multiple options can be set at once, separated by
   spaces. In practice, a serial console should be used to log the output so
   it is not lost as the console message buffer flushes. A full list of the
   individual layers and levels is found in acpi(4).

   Debugging output is not enabled by default. To enable it, add options
   ACPI_DEBUG to the custom kernel configuration file if ACPI is compiled
   into the kernel. Add ACPI_DEBUG=1 to /etc/make.conf to enable it globally.
   If a module is used instead of a custom kernel, recompile just the acpi.ko
   module as follows:

 # cd /sys/modules/acpi/acpi && make clean && make ACPI_DEBUG=1

   Copy the compiled acpi.ko to /boot/kernel and add the desired level and
   layer to /boot/loader.conf. The entries in this example enable debug
   messages for all ACPI components and hardware drivers and output error
   messages at the least verbose level:

 debug.acpi.layer="ACPI_ALL_COMPONENTS ACPI_ALL_DRIVERS"
 debug.acpi.level="ACPI_LV_ERROR"

   If the required information is triggered by a specific event, such as a
   suspend and then resume, do not modify /boot/loader.conf. Instead, use
   sysctl to specify the layer and level after booting and preparing the
   system for the specific event. The variables which can be set using sysctl
   are named the same as the tunables in /boot/loader.conf.

   Once the debugging information is gathered, it can be sent to freebsd-acpi
   so that it can be used by the FreeBSD ACPI maintainers to identify the
   root cause of the problem and to develop a solution.

  ******:

   Before submitting debugging information to this mailing list, ensure the
   latest BIOS version is installed and, if available, the embedded
   controller firmware version.

   When submitting a problem report, include the following information:

     * Description of the buggy behavior, including system type, model, and
       anything that causes the bug to appear. Note as accurately as possible
       when the bug began occurring if it is new.

     * The output of dmesg after running boot -v, including any error
       messages generated by the bug.

     * The dmesg output from boot -v with ACPI disabled, if disabling ACPI
       helps to fix the problem.

     * Output from sysctl hw.acpi. This lists which features the system
       offers.

     * The URL to a pasted version of the system's ASL. Do not send the ASL
       directly to the list as it can be very large. Generate a copy of the
       ASL by running this command:

 # acpidump -dt > name-system.asl

       Substitute the login name for name and manufacturer/model for system.
       For example, use njl-FooCo6000.asl.

   Most FreeBSD developers watch the FreeBSD-CURRENT mailing list, but one
   should submit problems to freebsd-acpi to be sure it is seen. Be patient
   when waiting for a response. If the bug is not immediately apparent,
   submit a bug report. When entering a PR, include the same information as
   requested above. This helps developers to track the problem and resolve
   it. Do not send a PR without emailing freebsd-acpi first as it is likely
   that the problem has been reported before.

  11.13.5. ************

   More information about ACPI may be found in the following locations:

     * The FreeBSD ACPI Mailing List Archives
       (https://lists.freebsd.org/pipermail/freebsd-acpi/)

     * The ACPI 2.0 Specification (http://acpi.info/spec.htm)

     * acpi(4), acpi_thermal(4), acpidump(8), iasl(8), and acpidb(8)

     ----------------------------------------------------------------------

   [2] The auto-tuning algorithm sets maxusers equal to the amount of memory
   in the system, with a minimum of 32, and a maximum of 384.

*** 12. FreeBSD ************

   ************

   12.1. ******

   12.2. FreeBSD ************

   12.3. ************************

   12.4. ************

   12.5. ************

12.1. ******

   ********************************************************* "************"
   (Bootstrap process) *** "******" (Booting)._FreeBSD
   ********************************************************************************************************,_******************************************************************._

   ******************************************._****************** FreeBSD
   ************************************************************* FreeBSD
   ******,_*********************
   init(8)._******************************************************************************._

   *************************************

     * FreeBSD *********************************************._

     * FreeBSD
       ********************************************************************._

     * *************************************** (Splash screen)._

     * ****** Device Hints *********._

     * ***************************************************************
       FreeBSD ******._

  ******:

   *************** FreeBSD *** x86 *** amd64 ******************************._

12.2. FreeBSD ************

   ******************************************************************************._*******************************************************************************************************************************._****************************************************************************************************************************************************?

   ****************** The Adventures of Baron Munchausen
   **************************************************************************
   (Bootstrap) ********************************************************
   bootstrap ***********************************************************
   "booting"._

   *** x86 ***********************/************ (Basic Input/Output System,
   BIOS) ************************._ BIOS
   *************************************** (Master Boot Record,
   MBR)**************************************************._BIOS
   ********************************************* MBR******************** MBR
   *** BIOS ************************************************************._

  ******:

   FreeBSD ************ MBR ****************** GUID ************ (GUID
   Partition Table, GPT) ****************** (Booting)._GPT
   ************************************************************ (Unified
   Extensible Firmware Interface, UEFI)
   ******************._**************FreeBSD ********************* BIOS
   ***************************** gptboot(8) *** GPT
   ***************._************ UEFI ************************************._

   *** MBR ********************************************* (Boot
   manager)***********************************************._***************************************************************************************************._************************************
   FreeBSD ****************** boot0 ****** Boot Easy ****** Grub
   *************** Linux(R) *********._

   ***********************************MBR
   *************************************** (*********) *********
   (Slice)***********************************************************************._****************************************************************************************************************************************************._

   ********* FreeBSD
   ******************************************************************************************************************************************************************************************************************************************._***************************************
   MBR
   ************************************************************._*********************************
   FreeBSD ***************************************._

   ******************************************************************._*****************************************************************************
   init(8)**********************************************************************************************************************,_************************************,_***************************************************._

   ********************************************************* FreeBSD
   ******************._

  12.2.1. ******************

   *************** MBR ******************************************
   ************ (Stage zero)**FreeBSD *************** boot0
   ******************._

   *** FreeBSD ************************ MBR ********* /boot/boot0
   *********._boot0 ****************************** 446
   ********************************* 0x55AA *************** MBR
   ************._********************************* boot0
   *************************************************

   ****** 12.1. boot0 ************

 F1 Win
 F2 FreeBSD

 Default: F2

   ************************ FreeBSD ************************************
   MBR**************************************** FreeBSD MBR ***************
   MBR ***********************

 # fdisk -B -b /boot/boot0 device

   ****** device ***************************** IDE ********* ad0***********
   IDE ********************* IDE********* ad2*********** SCSI *********
   da0._****************** MBR *************** boot0cfg(8)._

  12.2.2. *********************

   **************************************************************************************************************************************************************************._************
   FreeBSD *************** bsdlabel *** /boot/boot ************._

   **********************************************************************************************************
   (Sector) ************************** boot0
   ********************************************************************************************************._

   ****************** boot1 *********************************** 512
   ******************._*************************************** FreeBSD
   bsdlabel ********************* boot2._

   ********* boot2 ******************************** FreeBSD
   ***************************._******************************************************************************._***************************
   (loader)
   ************************************._**********************************************************************

   ****** 12.2. boot2 ************

 >> FreeBSD/i386 BOOT
 Default: 0:ad(0,a)/boot/loader
 boot:

   ********************* boot1 *** boot2 ********* bsdlabel******** diskslice
   ***************************************** ad0s1 *************** IDE
   *****************************

 # bsdlabel -B diskslice

  ******:

   ***************************** ad0**bsdlabel *********
   "*********************"
   ***********************************************._*****************************************************
   Return ************************ diskslice._

  12.2.3. *********

   loader
   **********************************************************************************************
   /boot/loader._

   loader
   ************************************************************************************************************************************._

   **************************loader ********* Console
   ***********************************************._****** Script
   *********************************************************************************._

   loader *************** /boot/loader.rc********************************
   /boot/defaults/loader.conf *********************************************
   /boot/loader.conf ************************************._loader.rc
   **************************************************************._

   *********************** loader ********************* 10
   *****************************************************._*************************************************************************************************************,_******************,_***********************************************._****** 12.1,
   "************************" *************************** loader
   ******._*********************************************** loader(8)._

   ****** 12.1. ************************

    ******                                                         ******                                                     
autoboot       ****************** (***) **************************************._********************************************  
seconds        10 ******._                                                                                                    
boot           ************************************************************************************************************** 
[-options]     unload*****************************************._*** kernelname ********************************* /boot/kernel 
[kernelname]   *** /boot/modules ******._                                                                                     
boot-conf      ************************************ kernel ***************************************._****************** unload 
               ********************************************._                                                                 
help [topic]   ********* /boot/loader.help *********************._********************* index                                 
               *********************************._                                                                            
include        ***************************************._****************************** include._                              
filename ...   
load [-t type] ************************************,_************************************._********* filename                 
filename       ******************************************._*** filename ****************************** /boot/kernel ***       
               /boot/modules ******._                                                                                         
ls [-l] [path] ***********************************************************************************._************              
               -l***********************************._                                                                        
lsdev [-v]     *****************************************************************._************ -v                             
               ******************************._                                                                               
lsmod [-v]     ************************._************ -v ******************************._                                     
more filename  ******************************** LINES *********************._                                                 
reboot         ************************._                                                                                     
set variable,                                                                                                                 
set            ***************************._
variable=value 
unload         ******************************._                                                                               

   *************** loader
   *********************._******************************************************
   (Single-user mode) *****

 boot -s

   *************************************************************************************

 unload
 load kernel.old

   ****** kernel.GENERIC ***********************************************
   kernel.old
   *********************************************************************._

   *****************************************************************

 unload
 set kernel="kernel.old"
 boot-conf

   ****************************************** Script *****

 load -t userconfig_script /boot/kernel.conf

  12.2.4. ************

   *** loader *************** loader *** boot2
   *******************************************************************************************************************._****** 12.2,
   "***************************" *****************************************
   boot(8) ***************************************._

   ****** 12.2. ***************************

   ******                               ******                                
   -a     *****************************************************************._ 
   -C     *** CDROM ***************************._                             
   -s     ******************************._                                    
   -v     ***************************************._                           

   **************************************************************************
   init(8)***************** /sbin/init ****** loader ****** init_path
   ***************************._***************************************._

   *********************************************************
   (Consistency)***** UFS ************************ fsck **************init
   **********************************************************************************************************************************._

    12.2.4.1. ******************

   ********************************* -s ****** loader ****** boot_single
   ************************._******************************************
   shutdown now
   ***************._***********************************************

 Enter full pathname of shell or RETURN for /bin/sh:

   ****************** Enter***************************** Bourne
   shell._************************ Shell ************ Shell ***************._

   ***********************************************************************************************************************************************
   root
   ********************************************************************************************._************************************._

   ********************************************************************************************************************._**********************************************************************************************************************._

   ****** /etc/ttys ****** console *********
   insecure******************************************************** root
   *********._***********************************************************
   root *********************._

   ****** 12.3. *** /etc/ttys ****************** Console

 # name  getty                           type    status          comments
 #
 # If console is marked "insecure", then init will ask for the root password
 # when going to single-user mode.
 console none                            unknown off insecure

   ********* (insecure) console ********* Console
   ************************************ (insecure)******************** root
   ******************************************._

    12.2.4.2. ******************

   *** init
   ************************************************************************************
   exit
   ****************************************************************************************************************._

   ****************** (Resource configuration system) ******
   /etc/defaults/rc.conf ****************************** /etc/rc.conf
   ************************************************************** /etc/fstab
   *****************************************,_***************
   Daemon******************************************** Script._

   ************************************************** rc(8)
   ****************** /etc/rc.d *** Script._

12.3. ************************

   Contributed by Joseph J. Barbish.

   ****** FreeBSD ****************** Console
   *********************************************._****************** (Boot
   splash screen)
   **********************************************************************************************************************************************************************************************************************************************._*********************************************************************************._

   FreeBSD
   ********************************************************************
   Console ********************************************************** Console
   ************._***********************************************************
   *** 5, X Window ******
   ************************************************************************************************************._

   ****************************************************************************************************************************************************************************************************._***************************************
   /etc/rc.conf ************ saver=
   *********._*********************************************** splash(4)
   ************._saver= ******************************
   Console********************************************************._

   ************ sysutils/bsd-splash-changer *********
   Port**************************************************._************************
   256 *************** (.bmp),_ZSoft PCX (.pcx) *** TheDraw (.bin)
   ******._.bmp, .pcx *** .bin *****************************************
   /boot._*************************** 320x200
   ********************************************* VGA
   ******************************** 256 ***,_320x200
   ***********************************************************************
   /boot/loader.conf*********** splash.bmp
   ***********************************

 splash_bmp_load="YES"
 bitmap_load="YES"
 bitmap_name="/boot/splash.bmp"

   ********* PCX *****************************

 splash_pcx_load="YES"
 bitmap_load="YES"
 bitmap_name="/boot/splash.pcx"

   *************** https://en.wikipedia.org/wiki/TheDraw ********* ASCII
   ********

 splash_txt="YES"
 bitmap_load="YES"
 bitmap_name="/boot/splash.bin"

   *********************************************************************************
   1024x768 ********VESA
   ***************************************._********************************************************************
   VESA ******************._********* VESA *********************************
   /boot/loader.conf **************************************************

 vesa_load="YES"

   *************** loader.conf **************

   beastie_disable="YES"

           **************************************************************************._********************************************************************************************************************._

   loader_logo="beastie"

           ************************************************************************************************
           "FreeBSD" ******._

   ******************************** splash(4), loader.conf(5) ****** vga(4)._

12.4. ************

   Contributed by Tom Rhodes.

   *********************************** loader(8) *********
   device.hints(5)*********************************************************************************
   "************ (Device hints)"._****** "************ (Device hints)"
   ******************************************************._

   *************************** 3 **************************************
   *** 12.2.3, "*********" ************************************** set
   ******,_****** unset ******,_****** show *****************************
   /boot/device.hints
   ****************************************************************************************************************************._

   *********************************** kenv(1) ************************._

   /boot/device.hints *********************************************** "#"
   **********************************************

 hint.driver.unit.keyword="value"

   ********* 3 ***********************************

 set hint.driver.unit.keyword=value

   ****** driver ***************************,_unit
   ************************************ keyword
   *******************************************************

     * at: ********************************* (Bus)._

     * port: ****************** I/O ************._

     * irq: ************************************._

     * drq: ****** DMA ************._

     * maddr: *********************************************._

     * flags: ******************************************._

     * disabled: ********* 1 *********************._

   **************************************************************************************************************************._******************************
   device.hints(5), kenv(1), loader.conf(5) ****** loader(8)._

12.5. ************

   ********* shutdown(8) *****************init(8) ***************
   /etc/rc.shutdown Script ************ TERM
   ************************************** KILL
   ***************************************._

   ************************************************ FreeBSD
   *********************** shutdown -p now
   ************************************** FreeBSD *************** shutdown -r
   now._****************** root ****** operator *********************
   shutdown(8)************************************** halt(8) ***
   reboot(8)*********************** shutdown(8)
   ************************************._

   ****************************** *** 3.3, "******************************"._

  ******:

   *************************** acpi(4)
   *********************************************._

*** 13. *********

   Rewritten by Tom Rhodes.
   ************

   13.1. ******

   13.2. ******

   13.3. ***************

   13.4. TCP Wrapper

   13.5. Kerberos

   13.6. OpenSSL

   13.7. VPN over IPsec

   13.8. OpenSSH

   13.9. ******************

   13.10. ******************************

   13.11. FreeBSD ************

   13.12. ************

   13.13. ************

   13.14. ****** Sudo ******************

13.1. ******

   ****************************************************************************************************************************************************************._******
   FreeBSD ***************************************._

   *********************************************._FreeBSD
   *****************************************************************************************._

   ****************************

     * ****** FreeBSD ******************._

     * FreeBSD ****************** (Crypt) ******._

     * *********************************._

     * ************ inetd(8) ****** TCP Wrapper._

     * ********* FreeBSD ****** Kerberos._

     * ************ IPsec ************ VPN._

     * ********* FreeBSD *************** OpenSSH._

     * ************************ ACL._

     * ************ pkg ************ Port
       ***************************************._

     * ************ FreeBSD ************._

     * ********************* (Process Accounting) *************** FreeBSD
       ******._

     * *********************************************************************._

   ****************************************

     * ****** FreeBSD *********************._

   ***************************************************************._******
   ****************** (Mandatory Access Control, MAC) ****** *** 15,
   ****************** (MAC) ****************************** *** 30, *********
   ******._

13.2. ******

   **************************************************************************************************************************************._*********************************************
   CIA ********************************************
   (Confidentiality),_********* (Integrity) *************** (Availability)._

   CIA
   ***********************************************************************************************************._***********************************************************************
   (*********),_****************************************** (*********)
   *************************************************** (*********)._

   *********
   CIA********************************************._************************************************************************************************************._****************************************************************************************************************,_******
   Binary
   *********************************************._**************************************************************************._

   ************************************?
   *****************************************************************************************************,_************,_***************************,_************,_******************************************._

   *****************************************************************************************************************************************************._**************************************************************************************************************************************._********************************************************************************._

   ******************************************************************************************************************************************************************._********************************************************************************************,_***************,_************,_******,_***************,_******************************._********************************************************
   (SOP)*******************************************._

   ****************************************** FreeBSD
   ******************************************._************************************
   FreeBSD ******************************************************._

  13.2.1. ************

   ********************************************************************************
   root
   **********************************************************************************************************************************._

   *******************************************************************************************
   toor ********

 # pw lock toor

   ****************************************** Shell *********
   /usr/sbin/nologin*****************************************************
   Shell**

 # chsh -s /usr/sbin/nologin toor

   /usr/sbin/nologin shell ************************ Shell
   ***************************._

  13.2.2. ******************

   **********************************************************************FreeBSD
   ***************************************._**********************************************
   wheel ********************* root
   ***********************************************************************************
   su ************ wheel
   *************************************************************************
   exit ******._******************************************** /etc/group
   *************************** wheel
   ***********************************************************************._

   ************************************************* security/sudo *********
   Port
   ***************._************************************,_**************************************************************************************************._

   *********************** visudo *********
   /usr/local/etc/sudoers._************************ webadmin
   ***************** trhodes
   ******************************************************** apache24
   **************

 # pw groupadd webadmin -M trhodes -g 6000
 # visudo
 %webadmin ALL=(ALL) /usr/sbin/service apache24 *

  13.2.3. ******************

   ****************************************************************************************************************************************************._FreeBSD
   ****** DES, MD5, SHA256, SHA512 ****** Blowfish *********************
   crypt() *********._************
   SHA512*************************************************************************
   Blowfish *********._

  ******:

   Blowfish ****** AES ******************************************************
   (Federal Information Processing Standards,
   FIPS)***********************************************************._

   *****************************************************************************************************
   FreeBSD
   ***********************************************************************************************************************************._*********
   DES *********************************** MD5 *************** $**SHA256 ***
   SHA512 ************ $6$**Blowfish ************ $2a$._******************
   dru ************************ SHA512
   ********************************************
   $6$._**************************************************************************************

 # grep dru /etc/master.passwd
 dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBPuGME0:1001:1001::0:0:dru:/usr/home/dru:/bin/csh

   *************************************************** (Login
   class)********************************** default
   ***************************************************** /etc/login.conf**

         :passwd_format=sha512:\

   ********************* Blowfish*************************

         :passwd_format=blf:\

   ********* *** 13.13.1, "******************" ***************************
   cap_mkdb
   /etc/login.conf._*************************************************************************************************************
   passwd ******************************************************._

   ***************************************** (Two-factor
   authentication)**************************
   "***************"*********************
   "******************"*************._****** OpenSSH *** FreeBSD
   ***********************************************************************************************************************************._******************************
   *** 13.8, "OpenSSH"._Kerberos
   *********************************************************************************
   OpenSSH***************** *** 13.5, "Kerberos" ***************._

  13.2.4. ******************

   *********************************************************************************._***
   FreeBSD
   ************,_************************************************************************
   (Pluggable Authentication Modules, PAM) *********._

   ******************************************************************
   pam_passwdqc.so
   ********************************************************************************************._

   *************************************************************************
   /etc/pam.d/passwd ********* pam_passwdqc.so
   ******._*****************************************

 password        requisite       pam_passwdqc.so         min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users

   ***************************************************._min
   ********************************************************************************************************************._**********************************************************************************,_******,_********************************************
   pam_passwdqc(8)
   ******************._******************************************************************************************************************************._12
   ********************************************************************* 12
   ********************10
   ****************************************************************** 10
   ******************._

   similar ******************************************************._retry
   ******************************************************._

   **********************************************************************************

 % passwd
 Changing local password for trhodes
 Old Password:

 You can now choose the new password.
 A valid password should be a mix of upper and lower case letters,
 digits and other characters.  You can use a 12 character long
 password with characters from at least 3 of these 4 classes, or
 a 10 character long password containing characters from all the
 classes.  Characters that form a common pattern are discarded by
 the check.
 Alternatively, if no one else can see your terminal now, you can
 pick this as your password: "trait-useful&knob".
 Enter new password:

   ***************************************************************************************************************************************************************._

   ******************************************************._****** FreeBSD
   ******************************** /etc/login.conf
   ************************************ passwordtime._*** default
   ********************************

 #       :passwordtime=90d:\

   ******************************************** 90
   ******************************************
   (#)*********************************** cap_mkdb /etc/login.conf._

   ***********************************************************************************************
   pw**

 # pw usermod -p 30-apr-2015 -n trhodes

   ********************************************,_************._******************************
   pw(8)._

  13.2.5. ****** Root ****** (Rootkit)

   rootkit *************************************** root
   ******************._***********************************************************************************************************._*****************************
   rootkit
   *************************************************************************************************************************************************************************._

   rootkit
   ***********************************************************************************************************************************************************************************
   rootkit ***********security/rkhunter._

   ****************** Port
   ********************************************._***************************************************
   ENTER ********

 # rkhunter -c

   ********************************************************************._*********************************************,_***************,_*********
   rootkit
   ************************._**************************************************************,_OpenSSH
   *********************************************************************************,_*********************************************************************._

   ************************************************************************************._******************
   rkhunter *** sysutils/lsof ********************* netstat *** ps
   *********************************************************************************************************************************._********************************************************************._

  13.2.6. Binary ******

   ********************* Binary
   **********************************************************************************************************************************************************************
   (Intrusion Detection System, IDS)._

   FreeBSD ************************ IDS
   ******************************************************************************************************************************************************************************************************************._*****************************************
   Binary ***************************************,_root
   ********************************* USB *************** rsync
   ***************._

   ****** mtree
   *****************************************************************************************************
   (Seed)
   **************************************************************************************************._***************************
   Binary
   ***************************************._**************************************************************************
   (Checksum) ***************************._*************************** SHA256
   ******************** /bin ********* Binary
   *********************************************************** root
   **************/root/.bin_chksum_mtree**

 # mtree -s 3483151339707503 -c -K cksum,sha256digest -p /bin > /root/.bin_chksum_mtree
 # mtree: /bin checksum: 3427012225

   3483151339707503
   ********************************************************************._

   ****** /root/.bin_cksum_mtree *****************************************

 #          user: root
 #       machine: dreadnaught
 #          tree: /bin
 #          date: Mon Feb  3 10:19:53 2014

 # .
 /set type=file uid=0 gid=0 mode=0555 nlink=1 flags=none
 .               type=dir mode=0755 nlink=2 size=1024 \
                 time=1380277977.000000000
     \133        nlink=2 size=11704 time=1380277977.000000000 \
                 cksum=484492447 \
                 sha256digest=6207490fbdb5ed1904441fbfa941279055c3e24d3a4049aeb45094596400662a
     cat         size=12096 time=1380277975.000000000 cksum=3909216944 \
                 sha256digest=65ea347b9418760b247ab10244f47a7ca2a569c9836d77f074e7a306900c1e69
     chflags     size=8168 time=1380277975.000000000 cksum=3949425175 \
                 sha256digest=c99eb6fc1c92cac335c08be004a0a5b4c24a0c0ef3712017b12c89a978b2dac3
     chio        size=18520 time=1380277975.000000000 cksum=2208263309 \
                 sha256digest=ddf7c8cb92a58750a675328345560d8cc7fe14fb3ccd3690c34954cbe69fc964
     chmod       size=8640 time=1380277975.000000000 cksum=2214429708 \
                 sha256digest=a435972263bf814ad8df082c0752aa2a7bdd8b74ff01431ccbd52ed1e490bbe7

   *********************,_*********************************,_*****************************************************************************************************************
   Binary ************,_******,_************ SHA256 ******._

   ********* Binary
   **********************************************************************************************************************._*****************************************************************

 # mtree -s 3483151339707503 -p /bin < /root/.bin_chksum_mtree >> /root/.bin_chksum_output
 # mtree: /bin checksum: 3427012225

   *************************************** /bin
   ******************************************************** Binary
   ************************** /root/.bin_chksum_output
   ******************************._***************************** touch ******
   /root/.bin_chksum_output ********************************************

 # touch /bin/cat
 # mtree -s 3483151339707503 -p /bin < /root/.bin_chksum_mtree >> /root/.bin_chksum_output
 # more /root/.bin_chksum_output
 cat changed
         modification time expected Fri Sep 27 06:32:55 2013 found Mon Feb  3 10:28:43 2014

   *************** Binary
   *****************************************************************************._************
   /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /etc *** /usr/local/etc
   ***************._

   ****************** IDS ************** security/aide._*************** mtree
   ************************************._******************************************************************************************************._************
   mtree *************** mtree(8) ******._

  13.2.7. *********************

   *** FreeBSD*********************************** sysctl
   ************************************************************** (Denial of
   Service, DoS) ************************._****************** sysctl
   **************************************************************************************
   *** 11.9, "****** sysctl(8) ******" ******._

  ******:

   ****************** *** 11.9, "****** sysctl(8) ******"
   **************************************************************************************************._*********************************************************************************************************************._

   ****** FreeBSD ****************************** -1
   ***********************"***************"***************** (Immutable)
   ******************************************************************._***************
   sysctl ************ Script
   **************************************************
   -1._************************************************ /etc/rc.conf ******
   kern_securelevel_enable *** YES ****** ****** kern_securelevel
   ***************************************._********* security(7) ******
   init(8)
   ************************************************************************._

  ******:

   ****** securelevel ********* Xorg
   **************************************************************._

   net.inet.tcp.blackhole ****** net.inet.udp.blackhole
   ********************************************* (Port) ********* SYN
   ********************* RST *********************************** RST
   *****************************************************************************
   (*********************************************)
   ************************************************** net.inet.tcp.blackhole
   *** 2 *** net.inet.udp.blackhole *** 1._********* blackhole(4)
   ******************************************._

   net.inet.icmp.drop_redirect ****** net.inet.ip.redirect
   ************************ ****************** (Redirect
   attacks)*********************** DoS ************************** ICMP ******
   5 *******************************************************
   net.inet.icmp.drop_redirect *** 1 ************ net.inet.ip.redirect *** 0
   *********************._

   ************ (Source routing)
   *******************************************************************************************************************************************************************._******************************
   net.inet.ip.sourceroute ****** net.inet.ip.accept_sourceroute *** 0._

   ***********************************************************************************************
   ICMP
   *********************************._*****************************************************************._***************************************************
   net.inet.icmp.bmcastecho *** 0._

   ****************************** security(7) *********._

13.3. ***************

   ****** FreeBSD ************************ (One-time Passwords In Everything,
   OPIE)._OPIE ****************************** (Replay
   attack)*******************************************************************************************************._*********
   OPIE
   **********************************************************************************************************._OPIE
   ***************************************/************ (Challenge/response
   system) ***************._FreeBSD ************************ MD5 ******._

   OPIE *********************************************************** UNIX(R)
   *** Kerberos *********************** opiekey
   ********************************************************************
   "************ (Secret password)"***************** UNIX(R)
   ***************************._

   *** OPIE
   ************************************************._***************"*********
   (Seed)" ******"******
   (Key)"**************************************._***************"************
   (Iteration count)"***************** 1 *** 100 ************._OPIE
   *********************************************** MD5 ***************
   (******************)**************************************************************************._********************************************************************************************************************************************._***********************************************************************************************************************._**************************************************************************************************._************************
   1 *****OPIE *********************._

   ******************************************._******************,_*********************************************************************************
   opiekey(1)._*************** OPIE
   **************************,_***************************
   opiepasswd(1)._*************** /etc/opiekeys
   ************************************************************************
   opieinfo(1)._

   *******************************************************************************************************************************************************************
   opiepasswd*************************************************************************************************************************************************._

  13.3.1. ********* OPIE

   ********************* OPIE*******************************************

 % opiepasswd -c
 Adding unfurl:
 Only use this method from the console; NEVER from remote. If you are using
 telnet, xterm, or a dial-in, type ^C now or exit with no password.
 Then run opiepasswd without the -c parameter.
 Using MD5 to compute responses.
 Enter new secret pass phrase:
 Again new secret pass phrase:

 ID unfurl OTP key is 499 to4268
 MOS MALL GOAT ARM AVID COED

   -c *************************************************** Console
   ******************************************************** SSH
   ************************************************._

   **************************************************************************************************************************************************************************************************
   10 *** 127 **************************************************._

   ID ************************ (unfurl),_********************* (499)
   ************************
   (to4268)._****************************************************************************************************************._***********************************************************************************************************************************************._

  13.3.2. *********************************

   ***************************************************************************************************************
   opiekey***********************************************
   Shell._***********************************100
   *************************************************************************************************************************
   opiepasswd(1)**

 % opiepasswd

 Updating unfurl:
 You need the response from an OTP generator.
 Old secret pass phrase:
         otp-md5 498 to4268 ext
         Response: GAME GAG WELT OUT DOWN CHAT
 New secret pass phrase:
         otp-md5 499 to4269
         Response: LINE PAP MILK NELL BUOY TROY

 ID mark OTP key is 499 gr4269
 LINE PAP MILK NELL BUOY TROY

   ******************************************** Return
   ************._***********************************************************************************************

 % opiekey 498 to4268
 Using the MD5 algorithm to compute response.
 Reminder: Do not use opiekey from telnet or dial-in sessions.
 Enter secret pass phrase:
 GAME GAG WELT OUT DOWN CHAT

   ***********************************************************************._

  13.3.3. ***************************

   ************ OPIE **************************************************

 % telnet example.com
 Trying 10.0.0.1...
 Connected to example.com
 Escape character is '^]'.

 FreeBSD/i386 (example.com) (ttypa)

 login: <username>
 otp-md5 498 gr4269 ext
 Password:

   OPIE
   ***********************************************************************
   Return**********************************************************************************************************************._

   ****************************************************************************************************
   opiekey(1) ******************._********************* Windows(R), Mac OS(R)
   *** FreeBSD
   **********************************************************************************************************************************._

   *****************************

 % opiekey 498 to4268
 Using the MD5 algorithm to compute response.
 Reminder: Do not use opiekey from telnet or dial-in sessions.
 Enter secret pass phrase:
 GAME GAG WELT OUT DOWN CHAT

   ***********************************************************._

  13.3.4. ***************************

   **********************************************************************************************
   opiekey(1) **********************************************

 % opiekey -n 5 30 zz99999
 Using the MD5 algorithm to compute response.
 Reminder: Do not use opiekey from telnet or dial-in sessions.
 Enter secret pass phrase: <secret password>
 26: JOAN BORE FOSS DES NAY QUIT
 27: LATE BIAS SLAY FOLK MUCH TRIG
 28: SALT TIN ANTI LOON NEAL USE
 29: RIO ODIN GO BYE FURY TIC
 30: GREW JIVE SAN GIRD BOIL PHI

   -n 5 ************************************** 30
   ***************************************._***************************************************************._*****************************************************************************._*****************************************************************************************._

  13.3.5. ************ UNIX(R) ******

   OPIE *************************** IP ****************** UNIX(R)
   **************************
   /etc/opieaccess*****************************._********* opieaccess(5)
   ************************************************************************************._

   ********************* opieaccess**

 permit 192.168.0.0 255.255.0.0

   ********************* IP ****** (***************************)
   ************************************************************ UNIX(R)
   ************._

   ****** opieaccess ******************************************** OPIE
   *********._

13.4. TCP Wrapper

   Written by Tom Rhodes.

   TCP Wrapper is a host-based access control system which extends the
   abilities of *** 29.2, "inetd ***************". It can be configured to
   provide logging support, return messages, and connection restrictions for
   the server daemons under the control of inetd. Refer to tcpd(8) for more
   information about TCP Wrapper and its features.

   TCP Wrapper should not be considered a replacement for a properly
   configured firewall. Instead, TCP Wrapper should be used in conjunction
   with a firewall and other security enhancements in order to provide
   another layer of protection in the implementation of a security policy.

  13.4.1. ************

   To enable TCP Wrapper in FreeBSD, add the following lines to /etc/rc.conf:

 inetd_enable="YES"
 inetd_flags="-Ww"

   Then, properly configure /etc/hosts.allow.

  ******:

   Unlike other implementations of TCP Wrapper, the use of hosts.deny is
   deprecated in FreeBSD. All configuration options should be placed in
   /etc/hosts.allow.

   In the simplest configuration, daemon connection policies are set to
   either permit or block, depending on the options in /etc/hosts.allow. The
   default configuration in FreeBSD is to allow all connections to the
   daemons started with inetd.

   Basic configuration usually takes the form of daemon : address : action,
   where daemon is the daemon which inetd started, address is a valid
   hostname, IP address, or an IPv6 address enclosed in brackets ([ ]), and
   action is either allow or deny. TCP Wrapper uses a first rule match
   semantic, meaning that the configuration file is scanned from the
   beginning for a matching rule. When a match is found, the rule is applied
   and the search process stops.

   For example, to allow POP3 connections via the mail/qpopper daemon, the
   following lines should be appended to hosts.allow:

 # This line is required for POP3 connections:
 qpopper : ALL : allow

   Whenever this file is edited, restart inetd:

 # service inetd restart

  13.4.2. ************

   TCP Wrapper provides advanced options to allow more control over the way
   connections are handled. In some cases, it may be appropriate to return a
   comment to certain hosts or daemon connections. In other cases, a log
   entry should be recorded or an email sent to the administrator. Other
   situations may require the use of a service for local connections only.
   This is all possible through the use of configuration options known as
   wildcards, expansion characters, and external command execution.

   Suppose that a situation occurs where a connection should be denied yet a
   reason should be sent to the host who attempted to establish that
   connection. That action is possible with twist. When a connection attempt
   is made, twist executes a shell command or script. An example exists in
   hosts.allow:

 # The rest of the daemons are protected.
 ALL : ALL \
         : severity auth.info \
         : twist /bin/echo "You are not welcome to use %d from %h."

   In this example, the message "You are not allowed to use daemon name from
   hostname." will be returned for any daemon not configured in hosts.allow.
   This is useful for sending a reply back to the connection initiator right
   after the established connection is dropped. Any message returned must be
   wrapped in quote (") characters.

  ******:

   It may be possible to launch a denial of service attack on the server if
   an attacker floods these daemons with connection requests.

   Another possibility is to use spawn. Like twist, spawn implicitly denies
   the connection and may be used to run external shell commands or scripts.
   Unlike twist, spawn will not send a reply back to the host who established
   the connection. For example, consider the following configuration:

 # We do not allow connections from example.com:
 ALL : .example.com \
         : spawn (/bin/echo %a from %h attempted to access %d >> \
           /var/log/connections.log) \
         : deny

   This will deny all connection attempts from *.example.com and log the
   hostname, IP address, and the daemon to which access was attempted to
   /var/log/connections.log. This example uses the substitution characters %a
   and %h. Refer to hosts_access(5) for the complete list.

   To match every instance of a daemon, domain, or IP address, use ALL.
   Another wildcard is PARANOID which may be used to match any host which
   provides an IP address that may be forged because the IP address differs
   from its resolved hostname. In this example, all connection requests to
   Sendmail which have an IP address that varies from its hostname will be
   denied:

 # Block possibly spoofed requests to sendmail:
 sendmail : PARANOID : deny

  ******:

   Using the PARANOID wildcard will result in denied connections if the
   client or server has a broken DNS setup.

   To learn more about wildcards and their associated functionality, refer to
   hosts_access(5).

  ******:

   When adding new configuration lines, make sure that any unneeded entries
   for that daemon are commented out in hosts.allow.

13.5. Kerberos

   Contributed by Tillman Hodgson.
   Based on a contribution by Mark Murray.

   Kerberos is a network authentication protocol which was originally created
   by the Massachusetts Institute of Technology (MIT) as a way to securely
   provide authentication across a potentially hostile network. The Kerberos
   protocol uses strong cryptography so that both a client and server can
   prove their identity without sending any unencrypted secrets over the
   network. Kerberos can be described as an identity-verifying proxy system
   and as a trusted third-party authentication system. After a user
   authenticates with Kerberos, their communications can be encrypted to
   assure privacy and data integrity.

   The only function of Kerberos is to provide the secure authentication of
   users and servers on the network. It does not provide authorization or
   auditing functions. It is recommended that Kerberos be used with other
   security methods which provide authorization and audit services.

   The current version of the protocol is version 5, described in RFC 4120.
   Several free implementations of this protocol are available, covering a
   wide range of operating systems. MIT continues to develop their Kerberos
   package. It is commonly used in the US as a cryptography product, and has
   historically been subject to US export regulations. In FreeBSD, MIT
   Kerberos is available as the security/krb5 package or port. The Heimdal
   Kerberos implementation was explicitly developed outside of the US to
   avoid export regulations. The Heimdal Kerberos distribution is included in
   the base FreeBSD installation, and another distribution with more
   configurable options is available as security/heimdal in the Ports
   Collection.

   In Kerberos users and services are identified as "principals" which are
   contained within an administrative grouping, called a "realm". A typical
   user principal would be of the form user@REALM (realms are traditionally
   uppercase).

   This section provides a guide on how to set up Kerberos using the Heimdal
   distribution included in FreeBSD.

   For purposes of demonstrating a Kerberos installation, the name spaces
   will be as follows:

     * The DNS domain (zone) will be example.org.

     * The Kerberos realm will be EXAMPLE.ORG.

  ******:

   Use real domain names when setting up Kerberos, even if it will run
   internally. This avoids DNS problems and assures inter-operation with
   other Kerberos realms.

  13.5.1. ****** Heimdal KDC

   The Key Distribution Center (KDC) is the centralized authentication
   service that Kerberos provides, the "trusted third party" of the system.
   It is the computer that issues Kerberos tickets, which are used for
   clients to authenticate to servers. Because the KDC is considered trusted
   by all other computers in the Kerberos realm, it has heightened security
   concerns. Direct access to the KDC should be limited.

   While running a KDC requires few computing resources, a dedicated machine
   acting only as a KDC is recommended for security reasons.

   To begin setting up a KDC, add these lines to /etc/rc.conf:

 kdc_enable="YES"
 kadmind_enable="YES"

   Next, edit /etc/krb5.conf as follows:

 [libdefaults]
     default_realm = EXAMPLE.ORG
 [realms]
     EXAMPLE.ORG = {
         kdc = kerberos.example.org
         admin_server = kerberos.example.org
     }
 [domain_realm]
     .example.org = EXAMPLE.ORG

   In this example, the KDC will use the fully-qualified hostname
   kerberos.example.org. The hostname of the KDC must be resolvable in the
   DNS.

   Kerberos can also use the DNS to locate KDCs, instead of a [realms]
   section in /etc/krb5.conf. For large organizations that have their own DNS
   servers, the above example could be trimmed to:

 [libdefaults]
       default_realm = EXAMPLE.ORG
 [domain_realm]
     .example.org = EXAMPLE.ORG

   With the following lines being included in the example.org zone file:

 _kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
 _kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.
 _kpasswd._udp       IN  SRV     01 00 464 kerberos.example.org.
 _kerberos-adm._tcp  IN  SRV     01 00 749 kerberos.example.org.
 _kerberos           IN  TXT     EXAMPLE.ORG

  ******:

   In order for clients to be able to find the Kerberos services, they must
   have either a fully configured /etc/krb5.conf or a minimally configured
   /etc/krb5.conf and a properly configured DNS server.

   Next, create the Kerberos database which contains the keys of all
   principals (users and hosts) encrypted with a master password. It is not
   required to remember this password as it will be stored in
   /var/heimdal/m-key; it would be reasonable to use a 45-character random
   password for this purpose. To create the master key, run kstash and enter
   a password:

 # kstash
 Master key: xxxxxxxxxxxxxxxxxxxxxxx
 Verifying password - Master key: xxxxxxxxxxxxxxxxxxxxxxx

   Once the master key has been created, the database should be initialized.
   The Kerberos administrative tool kadmin(8) can be used on the KDC in a
   mode that operates directly on the database, without using the kadmind(8)
   network service, as kadmin -l. This resolves the chicken-and-egg problem
   of trying to connect to the database before it is created. At the kadmin
   prompt, use init to create the realm's initial database:

 # kadmin -l
 kadmin> init EXAMPLE.ORG
 Realm max ticket life [unlimited]:

   Lastly, while still in kadmin, create the first principal using add. Stick
   to the default options for the principal for now, as these can be changed
   later with modify. Type ? at the prompt to see the available options.

 kadmin> add tillman
 Max ticket life [unlimited]:
 Max renewable life [unlimited]:
 Attributes []:
 Password: xxxxxxxx
 Verifying password - Password: xxxxxxxx

   Next, start the KDC services by running service kdc start and service
   kadmind start. While there will not be any kerberized daemons running at
   this point, it is possible to confirm that the KDC is functioning by
   obtaining a ticket for the principal that was just created:

 % kinit tillman
 tillman@EXAMPLE.ORG's Password:

   Confirm that a ticket was successfully obtained using klist:

 % klist
 Credentials cache: FILE:/tmp/krb5cc_1001
         Principal: tillman@EXAMPLE.ORG

   Issued                Expires               Principal
 Aug 27 15:37:58 2013  Aug 28 01:37:58 2013  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG

   The temporary ticket can be destroyed when the test is finished:

 % kdestroy

  13.5.2. ********************* Kerberos

   The first step in configuring a server to use Kerberos authentication is
   to ensure that it has the correct configuration in /etc/krb5.conf. The
   version from the KDC can be used as-is, or it can be regenerated on the
   new system.

   Next, create /etc/krb5.keytab on the server. This is the main part of
   "Kerberizing" a service - it corresponds to generating a secret shared
   between the service and the KDC. The secret is a cryptographic key, stored
   in a "keytab". The keytab contains the server's host key, which allows it
   and the KDC to verify each others' identity. It must be transmitted to the
   server in a secure fashion, as the security of the server can be broken if
   the key is made public. Typically, the keytab is generated on an
   administrator's trusted machine using kadmin, then securely transferred to
   the server, e.g., with scp(1); it can also be created directly on the
   server if that is consistent with the desired security policy. It is very
   important that the keytab is transmitted to the server in a secure
   fashion: if the key is known by some other party, that party can
   impersonate any user to the server! Using kadmin on the server directly is
   convenient, because the entry for the host principal in the KDC database
   is also created using kadmin.

   Of course, kadmin is a kerberized service; a Kerberos ticket is needed to
   authenticate to the network service, but to ensure that the user running
   kadmin is actually present (and their session has not been hijacked),
   kadmin will prompt for the password to get a fresh ticket. The principal
   authenticating to the kadmin service must be permitted to use the kadmin
   interface, as specified in kadmind.acl. See the section titled "Remote
   administration" in info heimdal for details on designing access control
   lists. Instead of enabling remote kadmin access, the administrator could
   securely connect to the KDC via the local console or ssh(1), and perform
   administration locally using kadmin -l.

   After installing /etc/krb5.conf, use add --random-key in kadmin. This adds
   the server's host principal to the database, but does not extract a copy
   of the host principal key to a keytab. To generate the keytab, use ext to
   extract the server's host principal key to its own keytab:

 # kadmin
 kadmin> add --random-key host/myserver.example.org
 Max ticket life [unlimited]:
 Max renewable life [unlimited]:
 Principal expiration time [never]:
 Password expiration time [never]:
 Attributes []:
 kadmin> ext_keytab host/myserver.example.org
 kadmin> exit

   Note that ext_keytab stores the extracted key in /etc/krb5.keytab by
   default. This is good when being run on the server being kerberized, but
   the --keytab path/to/file argument should be used when the keytab is being
   extracted elsewhere:

 # kadmin
 kadmin> ext_keytab --keytab=/tmp/example.keytab host/myserver.example.org
 kadmin> exit

   The keytab can then be securely copied to the server using scp(1) or a
   removable media. Be sure to specify a non-default keytab name to avoid
   inserting unneeded keys into the system's keytab.

   At this point, the server can read encrypted messages from the KDC using
   its shared key, stored in krb5.keytab. It is now ready for the
   Kerberos-using services to be enabled. One of the most common such
   services is sshd(8), which supports Kerberos via the GSS-API. In
   /etc/ssh/sshd_config, add the line:

 GSSAPIAuthentication yes

   *********************************************** sshd(8)
   *****************************service sshd restart._

  13.5.3. ********************* Kerberos

   As it was for the server, the client requires configuration in
   /etc/krb5.conf. Copy the file in place (securely) or re-enter it as
   needed.

   Test the client by using kinit, klist, and kdestroy from the client to
   obtain, show, and then delete a ticket for an existing principal. Kerberos
   applications should also be able to connect to Kerberos enabled servers.
   If that does not work but obtaining a ticket does, the problem is likely
   with the server and not with the client or the KDC. In the case of
   kerberized ssh(1), GSS-API is disabled by default, so test using ssh -o
   GSSAPIAuthentication=yes hostname.

   When testing a Kerberized application, try using a packet sniffer such as
   tcpdump to confirm that no sensitive information is sent in the clear.

   Various Kerberos client applications are available. With the advent of a
   bridge so that applications using SASL for authentication can use GSS-API
   mechanisms as well, large classes of client applications can use Kerberos
   for authentication, from Jabber clients to IMAP clients.

   Users within a realm typically have their Kerberos principal mapped to a
   local user account. Occasionally, one needs to grant access to a local
   user account to someone who does not have a matching Kerberos principal.
   For example, tillman@EXAMPLE.ORG may need access to the local user account
   webdevelopers. Other principals may also need access to that local
   account.

   The .k5login and .k5users files, placed in a user's home directory, can be
   used to solve this problem. For example, if the following .k5login is
   placed in the home directory of webdevelopers, both principals listed will
   have access to that account without requiring a shared password:

 tillman@example.org
 jdoe@example.org

   Refer to ksu(1) for more information about .k5users.

  13.5.4. *** MIT *********

   The major difference between the MIT and Heimdal implementations is that
   kadmin has a different, but equivalent, set of commands and uses a
   different protocol. If the KDC is MIT, the Heimdal version of kadmin
   cannot be used to administer the KDC remotely, and vice versa.

   Client applications may also use slightly different command line options
   to accomplish the same tasks. Following the instructions at
   http://web.mit.edu/Kerberos/www/ is recommended. Be careful of path
   issues: the MIT port installs into /usr/local/ by default, and the FreeBSD
   system applications run instead of the MIT versions if PATH lists the
   system directories first.

   When using MIT Kerberos as a KDC on FreeBSD, the following edits should
   also be made to rc.conf:

 kerberos5_server="/usr/local/sbin/krb5kdc"
 kadmind5_server="/usr/local/sbin/kadmind"
 kerberos5_server_flags=""
 kerberos5_server_enable="YES"
 kadmind5_server_enable="YES"

  13.5.5. Kerberos ******,_*********************

   When configuring and troubleshooting Kerberos, keep the following points
   in mind:

     * When using either Heimdal or MIT Kerberos from ports, ensure that the
       PATH lists the port's versions of the client applications before the
       system versions.

     * If all the computers in the realm do not have synchronized time
       settings, authentication may fail. *** 29.11, "NTP ************"
       describes how to synchronize clocks using NTP.

     * If the hostname is changed, the host/ principal must be changed and
       the keytab updated. This also applies to special keytab entries like
       the HTTP/ principal used for Apache's www/mod_auth_kerb.

     * All hosts in the realm must be both forward and reverse resolvable in
       DNS or, at a minimum, exist in /etc/hosts. CNAMEs will work, but the A
       and PTR records must be correct and in place. The error message for
       unresolvable hosts is not intuitive: Kerberos5 refuses authentication
       because Read req failed: Key table entry not found.

     * Some operating systems that act as clients to the KDC do not set the
       permissions for ksu to be setuid root. This means that ksu does not
       work. This is a permissions problem, not a KDC error.

     * With MIT Kerberos, to allow a principal to have a ticket life longer
       than the default lifetime of ten hours, use modify_principal at the
       kadmin(8) prompt to change the maxlife of both the principal in
       question and the krbtgt principal. The principal can then use kinit -l
       to request a ticket with a longer lifetime.

     * When running a packet sniffer on the KDC to aid in troubleshooting
       while running kinit from a workstation, the Ticket Granting Ticket
       (TGT) is sent immediately, even before the password is typed. This is
       because the Kerberos server freely transmits a TGT to any unauthorized
       request. However, every TGT is encrypted in a key derived from the
       user's password. When a user types their password, it is not sent to
       the KDC, it is instead used to decrypt the TGT that kinit already
       obtained. If the decryption process results in a valid ticket with a
       valid time stamp, the user has valid Kerberos credentials. These
       credentials include a session key for establishing secure
       communications with the Kerberos server in the future, as well as the
       actual TGT, which is encrypted with the Kerberos server's own key.
       This second layer of encryption allows the Kerberos server to verify
       the authenticity of each TGT.

     * Host principals can have a longer ticket lifetime. If the user
       principal has a lifetime of a week but the host being connected to has
       a lifetime of nine hours, the user cache will have an expired host
       principal and the ticket cache will not work as expected.

     * When setting up krb5.dict to prevent specific bad passwords from being
       used as described in kadmind(8), remember that it only applies to
       principals that have a password policy assigned to them. The format
       used in krb5.dict is one string per line. Creating a symbolic link to
       /usr/share/dict/words might be useful.

  13.5.6. ****** Kerberos *********

   Since Kerberos is an all or nothing approach, every service enabled on the
   network must either be modified to work with Kerberos or be otherwise
   secured against network attacks. This is to prevent user credentials from
   being stolen and re-used. An example is when Kerberos is enabled on all
   remote shells but the non-Kerberized POP3 mail server sends passwords in
   plain text.

   The KDC is a single point of failure. By design, the KDC must be as secure
   as its master password database. The KDC should have absolutely no other
   services running on it and should be physically secure. The danger is high
   because Kerberos stores all passwords encrypted with the same master key
   which is stored as a file on the KDC.

   A compromised master key is not quite as bad as one might fear. The master
   key is only used to encrypt the Kerberos database and as a seed for the
   random number generator. As long as access to the KDC is secure, an
   attacker cannot do much with the master key.

   If the KDC is unavailable, network services are unusable as authentication
   cannot be performed. This can be alleviated with a single master KDC and
   one or more slaves, and with careful implementation of secondary or
   fall-back authentication using PAM.

   Kerberos allows users, hosts and services to authenticate between
   themselves. It does not have a mechanism to authenticate the KDC to the
   users, hosts, or services. This means that a trojanned kinit could record
   all user names and passwords. File system integrity checking tools like
   security/tripwire can alleviate this.

  13.5.7. ***************************

     * The Kerberos FAQ

     * Designing an Authentication System: a Dialog in Four Scenes

     * RFC 4120, The Kerberos Network Authentication Service (V5)

     * MIT Kerberos home page

     * Heimdal Kerberos home page

13.6. OpenSSL

   Written by Tom Rhodes.

   OpenSSL is an open source implementation of the SSL and TLS protocols. It
   provides an encryption transport layer on top of the normal communications
   layer, allowing it to be intertwined with many network applications and
   services.

   The version of OpenSSL included in FreeBSD supports the Secure Sockets
   Layer 3.0 (SSLv3) and Transport Layer Security 1.0/1.1/1.2
   (TLSv1/TLSv1.1/TLSv1.2) network security protocols and can be used as a
   general cryptographic library. In FreeBSD 12.0-RELEASE and above, OpenSSL
   also supports Transport Layer Security 1.3 (TLSv1.3).

   OpenSSL is often used to encrypt authentication of mail clients and to
   secure web based transactions such as credit card payments. Some ports,
   such as www/apache24 and databases/postgresql11-server, include a compile
   option for building with OpenSSL. If selected, the port will add support
   using OpenSSL from the base system. To instead have the port compile
   against OpenSSL from the security/openssl port, add the following to
   /etc/make.conf:

 DEFAULT_VERSIONS+= ssl=openssl

   Another common use of OpenSSL is to provide certificates for use with
   software applications. Certificates can be used to verify the credentials
   of a company or individual. If a certificate has not been signed by an
   external Certificate Authority (CA), such as http://www.verisign.com, the
   application that uses the certificate will produce a warning. There is a
   cost associated with obtaining a signed certificate and using a signed
   certificate is not mandatory as certificates can be self-signed. However,
   using an external authority will prevent warnings and can put users at
   ease.

   This section demonstrates how to create and use certificates on a FreeBSD
   system. Refer to *** 29.5.2, "****** LDAP *********" for an example of how
   to create a CA for signing one's own certificates.

   For more information about SSL, read the free OpenSSL Cookbook.

  13.6.1. ************

   To generate a certificate that will be signed by an external CA, issue the
   following command and input the information requested at the prompts. This
   input information will be written to the certificate. At the Common Name
   prompt, input the fully qualified name for the system that will use the
   certificate. If this name does not match the server, the application
   verifying the certificate will issue a warning to the user, rendering the
   verification provided by the certificate as useless.

 # openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048
 Generating a 2048 bit RSA private key
 ..................+++
 .............................................................+++
 writing new private key to 'cert.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:US
 State or Province Name (full name) [Some-State]:PA
 Locality Name (eg, city) []:Pittsburgh
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
 Organizational Unit Name (eg, section) []:Systems Administrator
 Common Name (eg, YOUR name) []:localhost.example.org
 Email Address []:trhodes@FreeBSD.org

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:Another Name

   Other options, such as the expire time and alternate encryption
   algorithms, are available when creating a certificate. A complete list of
   options is described in openssl(1).

   This command will create two files in the current directory. The
   certificate request, req.pem, can be sent to a CA who will validate the
   entered credentials, sign the request, and return the signed certificate.
   The second file, cert.key, is the private key for the certificate and
   should be stored in a secure location. If this falls in the hands of
   others, it can be used to impersonate the user or the server.

   Alternately, if a signature from a CA is not required, a self-signed
   certificate can be created. First, generate the RSA key:

 # openssl genrsa -rand -genkey -out cert.key 2048
 0 semi-random bytes loaded
 Generating RSA private key, 2048 bit long modulus
 .............................................+++
 .................................................................................................................+++
 e is 65537 (0x10001)

   Use this key to create a self-signed certificate. Follow the usual prompts
   for creating a certificate:

 # openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:US
 State or Province Name (full name) [Some-State]:PA
 Locality Name (eg, city) []:Pittsburgh
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
 Organizational Unit Name (eg, section) []:Systems Administrator
 Common Name (e.g. server FQDN or YOUR name) []:localhost.example.org
 Email Address []:trhodes@FreeBSD.org

   This will create two new files in the current directory: a private key
   file cert.key, and the certificate itself, cert.crt. These should be
   placed in a directory, preferably under /etc/ssl/, which is readable only
   by root. Permissions of 0700 are appropriate for these files and can be
   set using chmod.

  13.6.2. ************

   One use for a certificate is to encrypt connections to the Sendmail mail
   server in order to prevent the use of clear text authentication.

  ******:

   Some mail clients will display an error if the user has not installed a
   local copy of the certificate. Refer to the documentation included with
   the software for more information on certificate installation.

   In FreeBSD 10.0-RELEASE and above, it is possible to create a self-signed
   certificate for Sendmail automatically. To enable this, add the following
   lines to /etc/rc.conf:

 sendmail_enable="YES"
 sendmail_cert_create="YES"
 sendmail_cert_cn="localhost.example.org"

   This will automatically create a self-signed certificate,
   /etc/mail/certs/host.cert, a signing key, /etc/mail/certs/host.key, and a
   CA certificate, /etc/mail/certs/cacert.pem. The certificate will use the
   Common Name specified in sendmail_cert_cn. After saving the edits, restart
   Sendmail:

 # service sendmail restart

   If all went well, there will be no error messages in /var/log/maillog. For
   a simple test, connect to the mail server's listening port using telnet:

 # telnet example.com 25
 Trying 192.0.34.166...
 Connected to example.com.
 Escape character is '^]'.
 220 example.com ESMTP Sendmail 8.14.7/8.14.7; Fri, 18 Apr 2014 11:50:32 -0400 (EDT)
 ehlo example.com
 250-example.com Hello example.com [192.0.34.166], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH LOGIN PLAIN
 250-STARTTLS
 250-DELIVERBY
 250 HELP
 quit
 221 2.0.0 example.com closing connection
 Connection closed by foreign host.

   If the STARTTLS line appears in the output, everything is working
   correctly.

13.7. VPN over IPsec

   Written by Nik Clayton.
   Written by Hiten M. Pandya.

   Internet Protocol Security (IPsec) is a set of protocols which sit on top
   of the Internet Protocol (IP) layer. It allows two or more hosts to
   communicate in a secure manner by authenticating and encrypting each IP
   packet of a communication session. The FreeBSD IPsec network stack is
   based on the http://www.kame.net/ implementation and supports both IPv4
   and IPv6 sessions.

   IPsec is comprised of the following sub-protocols:

     * Encapsulated Security Payload (ESP): this protocol protects the IP
       packet data from third party interference by encrypting the contents
       using symmetric cryptography algorithms such as Blowfish and 3DES.

     * Authentication Header (AH): this protocol protects the IP packet
       header from third party interference and spoofing by computing a
       cryptographic checksum and hashing the IP packet header fields with a
       secure hashing function. This is then followed by an additional header
       that contains the hash, to allow the information in the packet to be
       authenticated.

     * IP Payload Compression Protocol (IPComp): this protocol tries to
       increase communication performance by compressing the IP payload in
       order to reduce the amount of data sent.

   These protocols can either be used together or separately, depending on
   the environment.

   IPsec supports two modes of operation. The first mode, Transport Mode,
   protects communications between two hosts. The second mode, Tunnel Mode,
   is used to build virtual tunnels, commonly known as Virtual Private
   Networks (VPNs). Consult ipsec(4) for detailed information on the IPsec
   subsystem in FreeBSD.

   *** FreeBSD 11 ********************************* IPsec
   *********************** FreeBSD
   ********************************************************* *** 8, ******
   FreeBSD ****** ********************************

 options   IPSEC        #IP security
 device    crypto

   If IPsec debugging support is desired, the following kernel option should
   also be added:

 options   IPSEC_DEBUG  #debug for IP security

   This rest of this chapter demonstrates the process of setting up an IPsec
   VPN between a home network and a corporate network. In the example
   scenario:

     * Both sites are connected to the Internet through a gateway that is
       running FreeBSD.

     * The gateway on each network has at least one external IP address. In
       this example, the corporate LAN's external IP address is 172.16.5.4
       and the home LAN's external IP address is 192.168.1.12.

     * The internal addresses of the two networks can be either public or
       private IP addresses. However, the address space must not collide. For
       example, both networks cannot use 192.168.1.x. In this example, the
       corporate LAN's internal IP address is 10.246.38.1 and the home LAN's
       internal IP address is 10.0.0.5.

  13.7.1. *** FreeBSD ********* VPN

   Written by Tom Rhodes.

   To begin, security/ipsec-tools must be installed from the Ports
   Collection. This software provides a number of applications which support
   the configuration.

   The next requirement is to create two gif(4) pseudo-devices which will be
   used to tunnel packets and allow both networks to communicate properly. As
   root, run the following commands, replacing internal and external with the
   real IP addresses of the internal and external interfaces of the two
   gateways:

 # ifconfig gif0 create
 # ifconfig gif0 internal1 internal2
 # ifconfig gif0 tunnel external1 external2

   Verify the setup on each gateway, using ifconfig. Here is the output from
   Gateway 1:

 gif0: flags=8051 mtu 1280
 tunnel inet 172.16.5.4 --> 192.168.1.12
 inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6
 inet 10.246.38.1 --> 10.0.0.5 netmask 0xffffff00

   Here is the output from Gateway 2:

 gif0: flags=8051 mtu 1280
 tunnel inet 192.168.1.12 --> 172.16.5.4
 inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00
 inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4

   Once complete, both internal IP addresses should be reachable using
   ping(8):

 priv-net# ping 10.0.0.5
 PING 10.0.0.5 (10.0.0.5): 56 data bytes
 64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms
 64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms
 64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=20.440 ms
 64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=21.036 ms
 --- 10.0.0.5 ping statistics ---
 4 packets transmitted, 4 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 19.255/25.879/42.786/9.782 ms

 corp-net# ping 10.246.38.1
 PING 10.246.38.1 (10.246.38.1): 56 data bytes
 64 bytes from 10.246.38.1: icmp_seq=0 ttl=64 time=28.106 ms
 64 bytes from 10.246.38.1: icmp_seq=1 ttl=64 time=42.917 ms
 64 bytes from 10.246.38.1: icmp_seq=2 ttl=64 time=127.525 ms
 64 bytes from 10.246.38.1: icmp_seq=3 ttl=64 time=119.896 ms
 64 bytes from 10.246.38.1: icmp_seq=4 ttl=64 time=154.524 ms
 --- 10.246.38.1 ping statistics ---
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms

   As expected, both sides have the ability to send and receive ICMP packets
   from the privately configured addresses. Next, both gateways must be told
   how to route packets in order to correctly send traffic from either
   network. The following commands will achieve this goal:

 corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0
 corp-net# route add net 10.0.0.0: gateway 10.0.0.5
 priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0
 priv-net# route add host 10.246.38.0: gateway 10.246.38.1

   At this point, internal machines should be reachable from each gateway as
   well as from machines behind the gateways. Again, use ping(8) to confirm:

 corp-net# ping 10.0.0.8
 PING 10.0.0.8 (10.0.0.8): 56 data bytes
 64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms
 64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms
 64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=198.022 ms
 64 bytes from 10.0.0.8: icmp_seq=3 ttl=63 time=22.241 ms
 64 bytes from 10.0.0.8: icmp_seq=4 ttl=63 time=174.705 ms
 --- 10.0.0.8 ping statistics ---
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 21.870/101.846/198.022/74.001 ms

 priv-net# ping 10.246.38.107
 PING 10.246.38.1 (10.246.38.107): 56 data bytes
 64 bytes from 10.246.38.107: icmp_seq=0 ttl=64 time=53.491 ms
 64 bytes from 10.246.38.107: icmp_seq=1 ttl=64 time=23.395 ms
 64 bytes from 10.246.38.107: icmp_seq=2 ttl=64 time=23.865 ms
 64 bytes from 10.246.38.107: icmp_seq=3 ttl=64 time=21.145 ms
 64 bytes from 10.246.38.107: icmp_seq=4 ttl=64 time=36.708 ms
 --- 10.246.38.107 ping statistics ---
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms

   Setting up the tunnels is the easy part. Configuring a secure link is a
   more in depth process. The following configuration uses pre-shared (PSK)
   RSA keys. Other than the IP addresses, the
   /usr/local/etc/racoon/racoon.conf on both gateways will be identical and
   look similar to:

 path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
 log     debug;  #log verbosity setting: set to 'notify' when testing and debugging is complete

 padding # options are not to be changed
 {
         maximum_length  20;
         randomize       off;
         strict_check    off;
         exclusive_tail  off;
 }

 timer   # timing options. change as needed
 {
         counter         5;
         interval        20 sec;
         persend         1;
 #       natt_keepalive  15 sec;
         phase1          30 sec;
         phase2          15 sec;
 }

 listen  # address [port] that racoon will listen on
 {
         isakmp          172.16.5.4 [500];
         isakmp_natt     172.16.5.4 [4500];
 }

 remote  192.168.1.12 [500]
 {
         exchange_mode   main,aggressive;
         doi             ipsec_doi;
         situation       identity_only;
         my_identifier   address 172.16.5.4;
         peers_identifier        address 192.168.1.12;
         lifetime        time 8 hour;
         passive         off;
         proposal_check  obey;
 #       nat_traversal   off;
         generate_policy off;

                         proposal {
                                 encryption_algorithm    blowfish;
                                 hash_algorithm          md5;
                                 authentication_method   pre_shared_key;
                                 lifetime time           30 sec;
                                 dh_group                1;
                         }
 }

 sainfo  (address 10.246.38.0/24 any address 10.0.0.0/24 any)    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
 {                                                               # $network must be the two internal networks you are joining.
         pfs_group       1;
         lifetime        time    36000 sec;
         encryption_algorithm    blowfish,3des;
         authentication_algorithm        hmac_md5,hmac_sha1;
         compression_algorithm   deflate;
 }

   For descriptions of each available option, refer to the manual page for
   racoon.conf.

   The Security Policy Database (SPD) needs to be configured so that FreeBSD
   and racoon are able to encrypt and decrypt network traffic between the
   hosts.

   This can be achieved with a shell script, similar to the following, on the
   corporate gateway. This file will be used during system initialization and
   should be saved as /usr/local/etc/racoon/setkey.conf.

 flush;
 spdflush;
 # To the home network
 spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use;
 spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use;

   Once in place, racoon may be started on both gateways using the following
   command:

 # /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log

   The output should be similar to the following:

 corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf
 Foreground mode.
 2006-01-30 01:35:47: INFO: begin Identity Protection mode.
 2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon
 2006-01-30 01:35:55: INFO: received Vendor ID: KAME/racoon
 2006-01-30 01:36:04: INFO: ISAKMP-SA established 172.16.5.4[500]-192.168.1.12[500] spi:623b9b3bd2492452:7deab82d54ff704a
 2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]
 2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=28496098(0x1b2d0e2)
 2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=47784998(0x2d92426)
 2006-01-30 01:36:13: INFO: respond new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]
 2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=124397467(0x76a279b)
 2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66)

   To ensure the tunnel is working properly, switch to another console and
   use tcpdump(1) to view network traffic using the following command.
   Replace em0 with the network interface card as required:

 # tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12

   Data similar to the following should appear on the console. If not, there
   is an issue and debugging the returned data will be required.

 01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa)
 01:47:33.022442 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xb)
 01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xc)

   At this point, both networks should be available and seem to be part of
   the same network. Most likely both networks are protected by a firewall.
   To allow traffic to flow between them, rules need to be added to pass
   packets. For the ipfw(8) firewall, add the following lines to the firewall
   configuration file:

 ipfw add 00201 allow log esp from any to any
 ipfw add 00202 allow log ah from any to any
 ipfw add 00203 allow log ipencap from any to any
 ipfw add 00204 allow log udp from any 500 to any

  ******:

   The rule numbers may need to be altered depending on the current host
   configuration.

   For users of pf(4) or ipf(8), the following rules should do the trick:

 pass in quick proto esp from any to any
 pass in quick proto ah from any to any
 pass in quick proto ipencap from any to any
 pass in quick proto udp from any port = 500 to any port = 500
 pass in quick on gif0 from any to any
 pass out quick proto esp from any to any
 pass out quick proto ah from any to any
 pass out quick proto ipencap from any to any
 pass out quick proto udp from any port = 500 to any port = 500
 pass out quick on gif0 from any to any

   Finally, to allow the machine to start support for the VPN during system
   initialization, add the following lines to /etc/rc.conf:

 ipsec_enable="YES"
 ipsec_program="/usr/local/sbin/setkey"
 ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
 racoon_enable="yes"

13.8. OpenSSH

   Contributed by Chern Lee.

   OpenSSH
   ******************************************************************************
   SSH ****************** TCP/IP ****************************** TCP/IP
   *********._OpenSSH
   **************************************************************
   (Eavesdropping),_*************** (Connection hijacking)
   ***************************._

   OpenSSH *** OpenBSD ********************* FreeBSD
   *********************************** SSH ****** 1 *** 2 ************._

   **************************************************************************************************************
   (Network sniffer)
   *********************/**************************************************OpenSSH
   ***************************************************************._************
   OpenSSH *************** http://www.openssh.com/ ******._

   ***************************************************************************************************************
   FreeBSD ************************************** FreeBSD ************ SSH
   *********._****************************************************** (Man
   page) ******._

  13.8.1. ****** SSH ***************

   *************** SSH ******************** ssh
   ****************************************************** IP
   *********************************._**********************************************************************************************************

 # ssh user@example.com
 The authenticity of host 'example.com (10.0.0.1)' can't be established.
 ECDSA key fingerprint is 25:cc:73:b5:b3:96:75:3d:56:19:49:d2:5c:1f:91:3b.
 Are you sure you want to continue connecting (yes/no)? yes
 Permanently added 'example.com' (ECDSA) to the list of known hosts.
 Password for user@example.com: user_password

   SSH ****************************************** (Key fingerprint)
   **************************************************************************
   yes
   **************************************************************************************
   .ssh/known_hosts*************************************************************************************************************************************._**************************************************************************************._

   *************** OpenSSH ****************** SSHv2
   *********._*************************************** 2
   ******************************************** 2
   *************************************** 1 *********._********* ssh
   ******************************************** -1 *** -2********************
   ssh(1) ************._

   ****** scp(1)
   **************************************************************************************
   COPYRIGHT ********************************

 # scp user@example.com:/COPYRIGHT COPYRIGHT
 Password for user@example.com: *******
 COPYRIGHT            100% |*****************************|  4735
 00:00
 #

   ***********************************************************************************************************._

   ****** scp ****************** cp
   ***************._***************************************************************************************************************************
   user@host:<path_to_remote_file> ******._*********** scp
   ****************************** -r******** cp ****** -R._

   *************************************************** sftp***********
   sftp(1) ************ sftp ******************************._

    13.8.1.1. ***************************

   *****************************************************************************************._*********
   RSA *********************
   ssh-keygen._*****************************************************************************._*********************************************************************._

 % ssh-keygen -t rsa
 Generating public/private rsa key pair.
 Enter file in which to save the key (/home/user/.ssh/id_rsa):
 Enter passphrase (empty for no passphrase):  1
 Enter same passphrase again:                 2
 Your identification has been saved in /home/user/.ssh/id_rsa.
 Your public key has been saved in /home/user/.ssh/id_rsa.pub.
 The key fingerprint is:
 SHA256:54Xm9Uvtv6H4NOo6yjP/YCfODryvUU7yWHzMqeXwhq8 user@host.example.com
 The key's randomart image is:
 +---[RSA 2048]----+
 |                 |
 |                 |
 |                 |
 |        . o..    |
 |       .S*+*o    |
 |      . O=Oo . . |
 |       = Oo= oo..|
 |      .oB.* +.oo.|
 |       =OE**.o..=|
 +----[SHA256]-----+

   1   *****************************************************._  
   2   ***************************._                            

   ****************** ~/.ssh/id_rsa *********************
   ~/.ssh/id_rsa.pub._************************************~/.ssh/authorized_keys
   *********************************************._

  ******:

   ********************************************************************************************************************._*****************************************************************************************************
   ENCRYPTED
   **************************************************._**********************************************************************************
   from************* ssh-rsa ********* from="192.168.10.5"
   ************************************ IP ************._

   ************ OpenSSH
   ***********************************************************
   ssh-keygen(1)._

   ***********************************************************************************._******
   SSH
   *****************************************************************************
   ssh-agent(1) *** ssh-add(1)._

   ************ ssh-agent **********************************ssh-agent
   ************************************** Shell *********************._

   ****** Shell ****** ssh-agent******** Shell *********************
   ssh-agent._****** ssh-add
   ***********************************************._********************* ssh
   *******************************************************

 % ssh-agent csh
 % ssh-add
 Enter passphrase for key '/usr/home/user/.ssh/id_rsa':  1
 Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/user/.ssh/id_rsa)
 %

   1   *********************._  

   ****** Xorg ****** ssh-agent ****** ~/.xinitrc
   *********************************** ssh-agent ************ Xorg
   ******************************._~/.xinitrc **************

 exec ssh-agent startxfce4

   ********************* Xorg *********************** ssh-agent ************
   XFCE******** Xorg **************************************************
   ssh-add ****************** SSH ******._

    13.8.1.2. SSH ******

   OpenSSH ************************ (Tunnel)
   ***************************************************._

   ********************* ssh *************** telnet *****************

 % ssh -2 -N -f -L 5023:localhost:23 user@foo.example.com
 %

   ***********************************

   -2

           ****** ssh ************ 2 *********************************._

   -N

           *********************,_***************._********************* ssh
           *********************************._

   -f

           ****** ssh ***************._

   -L

           **************************************
           localport:remotehost:remoteport ******._

   user@foo.example.com

           ****************** SSH *********************************._

   SSH *************************** localhost ****** localport *** Socket
   ***************** SSH ********************* localport
   ***************._************************************ Port 5023
   ****************************** Port 23******** Port 23 ****** telnet
   ************************** SSH *************************** telnet ******._

   ********************************************* TCP ********************
   SMTP, POP3 ****** FTP*****************._

   ****** 13.1. ********* SMTP *********************

 % ssh -2 -N -f -L 5025:localhost:25 user@mailserver.example.com
 user@mailserver.example.com's password: *****
 % telnet localhost 5025
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 mailserver.example.com ESMTP

   ************ ssh-keygen
   ********************************************************* SSH
   **********************************************************************************************************._

   ****** 13.2. ************ POP3 *********

   *************************** SSH
   *****************************************************************************************
   POP3
   *********._******************************************************************
   SSH ********* SSH *****************************************************

 % ssh -2 -N -f -L 2110:mail.example.com:110 user@ssh-server.example.com
 user@ssh-server.example.com's password: ******

   ******************************************************** POP3
   *************** localhost *** Port
   2110*****************************************************
   mail.example.com._

   ****** 13.3. ***************

   ******************************************************._*****************************************************************
   Port 22 *** 80 ********* SSH ************************************** Port
   ****** 22 *** 80 ***************************._

   *************************************** SSH
   **************************************************************************************************

 % ssh -2 -N -f -L 8888:music.example.com:8000 user@unfirewalled-system.example.org
 user@unfirewalled-system.example.org's password: *******

   ************************** Ogg Vorbis ***************************
   localhost Port 8888************************** music.example.com *** Port
   8000**************************._

  13.8.2. ****** SSH *********

   ********************* SSH *********************************** FreeBSD
   *************** SSH ******************************** SSH
   ******************._

   ********* sshd ***************************** service(8) ********

 # service sshd status

   ************************************** /etc/rc.conf._

 sshd_enable="YES"

   ************************************ OpenSSH *** Daemon ******
   sshd._********************

 # service sshd start

   *** FreeBSD ********************* sshd
   *************************************************************** Console
   **************************************************************************._

   ********* sshd(8) ****************** sshd
   ******************************************************,_***************************************._

   ********sshd
   ************************************************************************._

  13.8.3. SSH ******************

   *** FreeBSD ************ sshd
   **************************************************************************************************************
   (Brute force attack) *************** (Drive by
   attack)._************************************************************._

   ********* OpenSSH ********************* AllowUsers
   ****************************** SSH
   ******************************************************._************************
   192.168.1.32 *** root ************************** /etc/ssh/sshd_config**

 AllowUsers root@192.168.1.32

   ****************************** admin
   ********************************************** IP ********

 AllowUsers admin

   *************************************************

 AllowUsers root@192.168.1.32 admin

   ****** /etc/ssh/sshd_config ***************************************** sshd
   ***********************

 # service sshd reload

  ******:

   *************************************************************************************************************************************************._***********
   OpenSSH
   *****************************************************************************************
   (***************)**********************************************************************************************************************._*********
   sshd_config(5) ***************************************._

   **************************************************************************
   (Two factor authentication)._*****************************************
   ssh-keygen(1)
   ********************************************************************************************************************
   authorized_keys._****************************************************************************

 AuthenticationMethods publickey

  ******:

   ************ /etc/ssh/sshd_config ****** /etc/ssh/ssh_config ******
   (************************************
   d)*******************************************************************************._*********
   ssh_config(5) ***************************************._

13.9. ******************

   Contributed by Tom Rhodes.

   Access Control Lists (ACLs) extend the standard UNIX(R) permission model
   in a POSIX(R).1e compatible way. This permits an administrator to take
   advantage of a more fine-grained permissions model.

   The FreeBSD GENERIC kernel provides ACL support for UFS file systems.
   Users who prefer to compile a custom kernel must include the following
   option in their custom kernel configuration file:

 options UFS_ACL

   If this option is not compiled in, a warning message will be displayed
   when attempting to mount a file system with ACL support. ACLs rely on
   extended attributes which are natively supported in UFS2.

   This chapter describes how to enable ACL support and provides some usage
   examples.

  13.9.1. ****** ACL ******

   ACLs are enabled by the mount-time administrative flag, acls, which may be
   added to /etc/fstab. The mount-time flag can also be automatically set in
   a persistent manner using tunefs(8) to modify a superblock ACLs flag in
   the file system header. In general, it is preferred to use the superblock
   flag for several reasons:

     * The superblock flag cannot be changed by a remount using mount -u as
       it requires a complete umount and fresh mount. This means that ACLs
       cannot be enabled on the root file system after boot. It also means
       that ACL support on a file system cannot be changed while the system
       is in use.

     * Setting the superblock flag causes the file system to always be
       mounted with ACLs enabled, even if there is not an fstab entry or if
       the devices re-order. This prevents accidental mounting of the file
       system without ACL support.

  ******:

   It is desirable to discourage accidental mounting without ACLs enabled
   because nasty things can happen if ACLs are enabled, then disabled, then
   re-enabled without flushing the extended attributes. In general, once ACLs
   are enabled on a file system, they should not be disabled, as the
   resulting file protections may not be compatible with those intended by
   the users of the system, and re-enabling ACLs may re-attach the previous
   ACLs to files that have since had their permissions changed, resulting in
   unpredictable behavior.

   File systems with ACLs enabled will show a plus (+) sign in their
   permission settings:

 drwx------  2 robert  robert  512 Dec 27 11:54 private
 drwxrwx---+ 2 robert  robert  512 Dec 23 10:57 directory1
 drwxrwx---+ 2 robert  robert  512 Dec 22 10:20 directory2
 drwxrwx---+ 2 robert  robert  512 Dec 27 11:57 directory3
 drwxr-xr-x  2 robert  robert  512 Nov 10 11:54 public_html

   In this example, directory1, directory2, and directory3 are all taking
   advantage of ACLs, whereas public_html is not.

  13.9.2. ****** ACL

   File system ACLs can be viewed using getfacl. For instance, to view the
   ACL settings on test:

 % getfacl test
         #file:test
         #owner:1001
         #group:1001
         user::rw-
         group::r--
         other::r--

   To change the ACL settings on this file, use setfacl. To remove all of the
   currently defined ACLs from a file or file system, include -k. However,
   the preferred method is to use -b as it leaves the basic fields required
   for ACLs to work.

 % setfacl -k test

   To modify the default ACL entries, use -m:

 % setfacl -m u:trhodes:rwx,group:web:r--,o::--- test

   In this example, there were no pre-defined entries, as they were removed
   by the previous command. This command restores the default options and
   assigns the options listed. If a user or group is added which does not
   exist on the system, an Invalid argument error will be displayed.

   Refer to getfacl(1) and setfacl(1) for more information about the options
   available for these commands.

13.10. ******************************

   Contributed by Tom Rhodes.

   In recent years, the security world has made many improvements to how
   vulnerability assessment is handled. The threat of system intrusion
   increases as third party utilities are installed and configured for
   virtually any operating system available today.

   Vulnerability assessment is a key factor in security. While FreeBSD
   releases advisories for the base system, doing so for every third party
   utility is beyond the FreeBSD Project's capability. There is a way to
   mitigate third party vulnerabilities and warn administrators of known
   security issues. A FreeBSD add on utility known as pkg includes options
   explicitly for this purpose.

   pkg polls a database for security issues. The database is updated and
   maintained by the FreeBSD Security Team and ports developers.

   Please refer to instructions for installing pkg.

   Installation provides periodic(8) configuration files for maintaining the
   pkg audit database, and provides a programmatic method of keeping it
   updated. This functionality is enabled if
   daily_status_security_pkgaudit_enable is set to YES in periodic.conf(5).
   Ensure that daily security run emails, which are sent to root's email
   account, are being read.

   After installation, and to audit third party utilities as part of the
   Ports Collection at any time, an administrator may choose to update the
   database and view known vulnerabilities of installed packages by invoking:

 # pkg audit -F

   pkg displays messages any published vulnerabilities in installed packages:

 Affected package: cups-base-1.1.22.0_1
 Type of problem: cups-base -- HPGL buffer overflow vulnerability.
 Reference: <https://www.FreeBSD.org/ports/portaudit/40a3bca2-6809-11d9-a9e7-0001020eed82.html>

 1 problem(s) in your installed packages found.

 You are advised to update or deinstall the affected package(s) immediately.

   By pointing a web browser to the displayed URL, an administrator may
   obtain more information about the vulnerability. This will include the
   versions affected, by FreeBSD port version, along with other web sites
   which may contain security advisories.

   pkg is a powerful utility and is extremely useful when coupled with
   ports-mgmt/portmaster.

13.11. FreeBSD ************

   Contributed by Tom Rhodes.

   Like many producers of quality operating systems, the FreeBSD Project has
   a security team which is responsible for determining the End-of-Life (EoL)
   date for each FreeBSD release and to provide security updates for
   supported releases which have not yet reached their EoL. More information
   about the FreeBSD security team and the supported releases is available on
   the FreeBSD security page.

   One task of the security team is to respond to reported security
   vulnerabilities in the FreeBSD operating system. Once a vulnerability is
   confirmed, the security team verifies the steps necessary to fix the
   vulnerability and updates the source code with the fix. It then publishes
   the details as a "Security Advisory". Security advisories are published on
   the FreeBSD website and mailed to the freebsd-security-notifications,
   freebsd-security, and freebsd-announce mailing lists.

   This section describes the format of a FreeBSD security advisory.

  13.11.1. *********************

   Here is an example of a FreeBSD security advisory:

 =============================================================================
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512

 =============================================================================
 FreeBSD-SA-14:04.bind                                       Security Advisory
                                                           The FreeBSD Project

 Topic:          BIND remote denial of service vulnerability

 Category:       contrib
 Module:         bind
 Announced:      2014-01-14
 Credits:        ISC
 Affects:        FreeBSD 8.x and FreeBSD 9.x
 Corrected:      2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
                 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
                 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
                 2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
                 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
                 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
 CVE Name:       CVE-2014-0591

 For general information regarding FreeBSD Security Advisories,
 including descriptions of the fields above, security branches, and the
 following sections, please visit <URL:http://security.FreeBSD.org/>.

 I.   Background

 BIND 9 is an implementation of the Domain Name System (DNS) protocols.
 The named(8) daemon is an Internet Domain Name Server.

 II.  Problem Description

 Because of a defect in handling queries for NSEC3-signed zones, BIND can
 crash with an "INSIST" failure in name.c when processing queries possessing
 certain properties.  This issue only affects authoritative nameservers with
 at least one NSEC3-signed zone.  Recursive-only servers are not at risk.

 III. Impact

 An attacker who can send a specially crafted query could cause named(8)
 to crash, resulting in a denial of service.

 IV.  Workaround

 No workaround is available, but systems not running authoritative DNS service
 with at least one NSEC3-signed zone using named(8) are not vulnerable.

 V.   Solution

 Perform one of the following:

 1) Upgrade your vulnerable system to a supported FreeBSD stable or
 release / security branch (releng) dated after the correction date.

 2) To update your vulnerable system via a source code patch:

 The following patches have been verified to apply to the applicable
 FreeBSD release branches.

 a) Download the relevant patch from the location below, and verify the
 detached PGP signature using your PGP utility.

 [FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
 # fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch
 # fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc
 # gpg --verify bind-release.patch.asc

 [FreeBSD 9.2-STABLE]
 # fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch
 # fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc
 # gpg --verify bind-stable-9.patch.asc

 b) Execute the following commands as root:

 # cd /usr/src
 # patch < /path/to/patch

 Recompile the operating system using buildworld and installworld as
 described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

 Restart the applicable daemons, or reboot the system.

 3) To update your vulnerable system via a binary patch:

 Systems running a RELEASE version of FreeBSD on the i386 or amd64
 platforms can be updated via the freebsd-update(8) utility:

 # freebsd-update fetch
 # freebsd-update install

 VI.  Correction details

 The following list contains the correction revision numbers for each
 affected branch.

 Branch/path                                                      Revision
 - -------------------------------------------------------------------------
 stable/8/                                                         r260646
 releng/8.3/                                                       r260647
 releng/8.4/                                                       r260647
 stable/9/                                                         r260646
 releng/9.1/                                                       r260647
 releng/9.2/                                                       r260647
 - -------------------------------------------------------------------------

 To see which files were modified by a particular revision, run the
 following command, replacing NNNNNN with the revision number, on a
 machine with Subversion installed:

 # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

 Or visit the following URL, replacing NNNNNN with the revision number:

 <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

 VII. References

 <URL:https://kb.isc.org/article/AA-01078>

 <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591>

 The latest revision of this advisory is available at
 <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc>
 -----BEGIN PGP SIGNATURE-----

 iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG
 ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO
 XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg
 ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG
 9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5
 fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua
 OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb
 zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag
 Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm
 067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq
 7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO
 UWWemqWuz3lAZuORQ9KX
 =OQzQ
 -----END PGP SIGNATURE-----

   Every security advisory uses the following format:

     * Each security advisory is signed by the PGP key of the Security
       Officer. The public key for the Security Officer can be verified at
       ****** D, OpenPGP ******.

     * The name of the security advisory always begins with FreeBSD-SA- (for
       FreeBSD Security Advisory), followed by the year in two digit format
       (14:), followed by the advisory number for that year (04.), followed
       by the name of the affected application or subsystem (bind). The
       advisory shown here is the fourth advisory for 2014 and it affects
       BIND.

     * The Topic field summarizes the vulnerability.

     * The Category refers to the affected part of the system which may be
       one of core, contrib, or ports. The core category means that the
       vulnerability affects a core component of the FreeBSD operating
       system. The contrib category means that the vulnerability affects
       software included with FreeBSD, such as BIND. The ports category
       indicates that the vulnerability affects software available through
       the Ports Collection.

     * The Module field refers to the component location. In this example,
       the bind module is affected; therefore, this vulnerability affects an
       application installed with the operating system.

     * The Announced field reflects the date the security advisory was
       published. This means that the security team has verified that the
       problem exists and that a patch has been committed to the FreeBSD
       source code repository.

     * The Credits field gives credit to the individual or organization who
       noticed the vulnerability and reported it.

     * The Affects field explains which releases of FreeBSD are affected by
       this vulnerability.

     * The Corrected field indicates the date, time, time offset, and
       releases that were corrected. The section in parentheses shows each
       branch for which the fix has been merged, and the version number of
       the corresponding release from that branch. The release identifier
       itself includes the version number and, if appropriate, the patch
       level. The patch level is the letter p followed by a number,
       indicating the sequence number of the patch, allowing users to track
       which patches have already been applied to the system.

     * The CVE Name field lists the advisory number, if one exists, in the
       public cve.mitre.org security vulnerabilities database.

     * The Background field provides a description of the affected module.

     * The Problem Description field explains the vulnerability. This can
       include information about the flawed code and how the utility could be
       maliciously used.

     * The Impact field describes what type of impact the problem could have
       on a system.

     * The Workaround field indicates if a workaround is available to system
       administrators who cannot immediately patch the system .

     * The Solution field provides the instructions for patching the affected
       system. This is a step by step tested and verified method for getting
       a system patched and working securely.

     * The Correction Details field displays each affected Subversion branch
       with the revision number that contains the corrected code.

     * The References field offers sources of additional information
       regarding the vulnerability.

13.12. ************

   Contributed by Tom Rhodes.

   Process accounting is a security method in which an administrator may keep
   track of system resources used and their allocation among users, provide
   for system monitoring, and minimally track a user's commands.

   Process accounting has both positive and negative points. One of the
   positives is that an intrusion may be narrowed down to the point of entry.
   A negative is the amount of logs generated by process accounting, and the
   disk space they may require. This section walks an administrator through
   the basics of process accounting.

  ******:

   If more fine-grained accounting is needed, refer to *** 16,
   ******************.

  13.12.1. ***************************

   Before using process accounting, it must be enabled using the following
   commands:

 # sysrc accounting_enable=yes
 # service accounting start

   The accounting information is stored in files located in /var/account,
   which is automatically created, if necessary, the first time the
   accounting service starts. These files contain sensitive information,
   including all the commands issued by all users. Write access to the files
   is limited to root, and read access is limited to root and members of the
   wheel group. To also prevent members of wheel from reading the files,
   change the mode of the /var/account directory to allow access only by
   root.

   Once enabled, accounting will begin to track information such as CPU
   statistics and executed commands. All accounting logs are in a non-human
   readable format which can be viewed using sa. If issued without any
   options, sa prints information relating to the number of per-user calls,
   the total elapsed time in minutes, total CPU and user time in minutes, and
   the average number of I/O operations. Refer to sa(8) for the list of
   available options which control the output.

   To display the commands issued by users, use lastcomm. For example, this
   command prints out all usage of ls by trhodes on the ttyp1 terminal:

 # lastcomm ls trhodes ttyp1

   Many other useful options exist and are explained in lastcomm(1), acct(5),
   and sa(8).

13.13. ************

   Contributed by Tom Rhodes.

   FreeBSD provides several methods for an administrator to limit the amount
   of system resources an individual may use. Disk quotas limit the amount of
   disk space available to users. Quotas are discussed in *** 17.11,
   "************".

   Limits to other resources, such as CPU and memory, can be set using either
   a flat file or a command to configure a resource limits database. The
   traditional method defines login classes by editing /etc/login.conf. While
   this method is still supported, any changes require a multi-step process
   of editing this file, rebuilding the resource database, making necessary
   changes to /etc/master.passwd, and rebuilding the password database. This
   can become time consuming, depending upon the number of users to
   configure.

   rctl can be used to provide a more fine-grained method for controlling
   resource limits. This command supports more than user limits as it can
   also be used to set resource constraints on processes and jails.

   This section demonstrates both methods for controlling resources,
   beginning with the traditional method.

  13.13.1. ******************

   In the traditional method, login classes and the resource limits to apply
   to a login class are defined in /etc/login.conf. Each user account can be
   assigned to a login class, where default is the default login class. Each
   login class has a set of login capabilities associated with it. A login
   capability is a name=value pair, where name is a well-known identifier and
   value is an arbitrary string which is processed accordingly depending on
   the name.

  ******:

   Whenever /etc/login.conf is edited, the /etc/login.conf.db must be updated
   by executing the following command:

 # cap_mkdb /etc/login.conf

   Resource limits differ from the default login capabilities in two ways.
   First, for every limit, there is a soft and hard limit. A soft limit may
   be adjusted by the user or application, but may not be set higher than the
   hard limit. The hard limit may be lowered by the user, but can only be
   raised by the superuser. Second, most resource limits apply per process to
   a specific user.

   ****** 13.1, "******************************" lists the most commonly used
   resource limits. All of the available resource limits and capabilities are
   described in detail in login.conf(5).

   ****** 13.1. ******************************

   ************                            ******                             
                The limit on the size of a core file generated by a program   
                is subordinate to other limits on disk usage, such as         
                filesize or disk quotas. This limit is often used as a less   
   coredumpsize severe method of controlling disk space consumption. Since    
                users do not generate core files and often do not delete      
                them, this setting may save them from running out of disk     
                space should a large program crash.                           
                The maximum amount of CPU time a user's process may consume.  
   cputime      Offending processes will be killed by the kernel. This is a   
                limit on CPU time consumed, not the percentage of the CPU as  
                displayed in some of the fields generated by top and ps.      
                The maximum size of a file the user may own. Unlike disk      
   filesize     quotas (*** 17.11, "************"), this limit is enforced on 
                individual files, not the set of all files a user owns.       
                The maximum number of foreground and background processes a   
                user can run. This limit may not be larger than the system    
   maxproc      limit specified by kern.maxproc. Setting this limit too small 
                may hinder a user's productivity as some tasks, such as       
                compiling a large program, start lots of processes.           
                The maximum amount of memory a process may request to be      
                locked into main memory using mlock(2). Some system-critical  
   memorylocked programs, such as amd(8), lock into main memory so that if    
                the system begins to swap, they do not contribute to disk     
                thrashing.                                                    
                The maximum amount of memory a process may consume at any     
   memoryuse    given time. It includes both core memory and swap usage. This 
                is not a catch-all limit for restricting memory consumption,  
                but is a good start.                                          
                The maximum number of files a process may have open. In       
   openfiles    FreeBSD, files are used to represent sockets and IPC          
                channels, so be careful not to set this too low. The          
                system-wide limit for this is defined by kern.maxfiles.       
   sbsize       The limit on the amount of network memory a user may consume. 
                This can be generally used to limit network communications.   
                The maximum size of a process stack. This alone is not        
   stacksize    sufficient to limit the amount of memory a program may use,   
                so it should be used in conjunction with other limits.        

   There are a few other things to remember when setting resource limits:

     * Processes started at system startup by /etc/rc are assigned to the
       daemon login class.

     * Although the default /etc/login.conf is a good source of reasonable
       values for most limits, they may not be appropriate for every system.
       Setting a limit too high may open the system up to abuse, while
       setting it too low may put a strain on productivity.

     * Xorg takes a lot of resources and encourages users to run more
       programs simultaneously.

     * Many limits apply to individual processes, not the user as a whole.
       For example, setting openfiles to 50 means that each process the user
       runs may open up to 50 files. The total amount of files a user may
       open is the value of openfiles multiplied by the value of maxproc.
       This also applies to memory consumption.

   For further information on resource limits and login classes and
   capabilities in general, refer to cap_mkdb(1), getrlimit(2), and
   login.conf(5).

  13.13.2. ***************************

   The kern.racct.enable tunable must be set to a non-zero value. Custom
   kernels require specific configuration:

 options         RACCT
 options         RCTL

   Once the system has rebooted into the new kernel, rctl may be used to set
   rules for the system.

   Rule syntax is controlled through the use of a subject, subject-id,
   resource, and action, as seen in this example rule:

 user:trhodes:maxproc:deny=10/user

   In this rule, the subject is user, the subject-id is trhodes, the
   resource, maxproc, is the maximum number of processes, and the action is
   deny, which blocks any new processes from being created. This means that
   the user, trhodes, will be constrained to no greater than 10 processes.
   Other possible actions include logging to the console, passing a
   notification to devd(8), or sending a sigterm to the process.

   Some care must be taken when adding rules. Since this user is constrained
   to 10 processes, this example will prevent the user from performing other
   tasks after logging in and executing a screen session. Once a resource
   limit has been hit, an error will be printed, as in this example:

 % man test
     /usr/bin/man: Cannot fork: Resource temporarily unavailable
 eval: Cannot fork: Resource temporarily unavailable

   As another example, a jail can be prevented from exceeding a memory limit.
   This rule could be written as:

 # rctl -a jail:httpd:memoryuse:deny=2G/jail

   Rules will persist across reboots if they have been added to
   /etc/rctl.conf. The format is a rule, without the preceding command. For
   example, the previous rule could be added as:

 # Block jail from using more than 2G memory:
 jail:httpd:memoryuse:deny=2G/jail

   To remove a rule, use rctl to remove it from the list:

 # rctl -r user:trhodes:maxproc:deny=10/user

   A method for removing all rules is documented in rctl(8). However, if
   removing all rules for a single user is required, this command may be
   issued:

 # rctl -r user:trhodes

   Many other resources exist which can be used to exert additional control
   over various subjects. See rctl(8) to learn about them.

13.14. ****** Sudo ******************

   Contributed by Tom Rhodes.

   *****************************************************************************************************************************._******************************
   FreeBSD
   *************************************************************************************************************************************************************************************************************************************************************._*******************************************************************************************************._

   ***************************************************************************************************************************************************************************************************************************._**************************************************************
   Script
   ********************************************************************************************,_************,_*********
   su(1)
   *****************************************************************************************************************************************************************************************************
   Sudo._

   Sudo
   ************************************************************************************************._*****************************
   Port ***************************** security/sudo*********** pkg(8)
   ************************** pkg(8) ***********

 # pkg install sudo

   *********************************** visudo
   ***************************************************** visudo
   *****************************************************************************************************._

   *********************************************************************************************************************************
   user1 ************,_****************************** webservice
   *********************
   ._********************************************************************
   /usr/local/etc/sudoers ***********

 user1   ALL=(ALL)       /usr/sbin/service webservice *

   ****************************************** webservice**

 % sudo /usr/sbin/service webservice start

   ************************************************ webservice
   ******************************************************************************************************************************************************************************,_****************************************************************************************

 # pw groupadd -g 6001 -n webteam

   ************ pw(8) *************************** webteam ********

 # pw groupmod -m user1 -n webteam

   *********** /usr/local/etc/sudoers *************************** webteam
   ********************************* webservice**

 %webteam   ALL=(ALL)       /usr/sbin/service webservice *

   *** su(1) ************ Sudo
   **********************************************************************************************************************************************************************************._

   ****** Sudo
   **************************************************************************************************
   su(1) ************************** su(1) ************ root
   ********************************************* root ******._

  ******:

   ****************************************************** (Two factor
   authentication)*******************************************************Sudo
   ********* NOPASSWD
   *****************************************************************************************
   webteam ***********************************************************

 %webteam   ALL=(ALL)       NOPASSWD: /usr/sbin/service webservice *

  13.14.1. ************

   ****** Sudo
   ******************************************************._***************************************
   sudoreplay ******************** Sudo
   ******************************************************._******************************************************************************************************************************************************************************
   sudoreplay ***************************************._

 Defaults iolog_dir=/var/log/sudo-io/%{user}

  ******:

   ************************************************************************************************************************************************************************
   sudoreplay ********************************************************
   sudoers ************************._

   *************************** sudoers
   ****************************************************************************************
   webteam ***********************************************

 %webteam ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: /usr/sbin/service webservice *

   ******************** webteam ****** webservice
   ************************************************._**************************************************

 # sudoreplay -l

   *************************************************************** TSID=
   *********************** sudoreplay
   **********************************************************************

 # sudoreplay user1/00/00/02

  ******:

   ************************************************************************************************************************************************************************
   (IDS)
   *****************************************************************************************._

   sudoreplay
   ********************************************************************._

*** 14. Jail

   Contributed by Matteo Riondato.
   ************

   14.1. ******

   14.2. Jail ************

   14.3. *************** Jail

   14.4. ***************

   14.5. ************ Jail

   14.6. ****** ezjail ****** Jail

14.1. ******

   **************************************************************************************************._******************************************,_***************************._*********************************
   FreeBSD ********************************* Jail._Jail ****** FreeBSD 4.X
   ***************************************,_******,_************************._

   Jail ********* chroot(2)
   **************************************************._*****************************************************************************._***
   chroot
   ************************************************************************._**************************
   chroot
   ******************************************************************._***
   chroot
   **********************************************************************************,_*********************._**************************************
   chroot
   ********************************************************************************************._

   Jail ****************************** chroot ***************._*********
   chroot
   *****************************************************************._*********************,_***************,_***************************************
   chroot ******************************************._Jail
   *********************************,_***********************************************************************************************
   Jail ***********************Jail
   *********************************************._

   Jail *****************

     * ***************************** Jail ************************** Jail
       ***********************************************._

     * ***************************** Jail *********._

     * ****** IP *********************** Jail._Jail *** IP
       ************************************************._

     * ******************** Jail
       ************************************._************ Jail
       ******************************._

   Jail ****************************** root ***************** Jail
   ***************._Jail ****** root ************************ Jail
   *********************************._

   *************** FreeBSD Jail ********************************Jail
   ***************************************************************************._

   ****************************

     * Jail ****************** FreeBSD ******************._

     * ************,_*************** Jail._

     * Jail **************************************._

  ******:

   Jail ***********************************************************._******
   Jail
   **************************************************************************
   Jail ********************************* Jail
   *********************************************************************._

   ********************************************* Jail
   ***************************************************._**************************************
   Jail ***************************************************._

14.2. Jail ************

   ************************ FreeBSD ************ Jail ********
   *************** FreeBSD ***********************************
   **************************************

   chroot(8) (******)

           ******************** chroot(2) FreeBSD ************ (System call)
           *********************************************._

   chroot(2) (******)

           ************ "chroot"
           ******************._**************************************************,_***************************
           ID,_********************* IPC *********._

   jail(8) (******)

           ********* Jail ******************************************._

   ****** (******,_******,_************)

           Jail *********************._
           *****************************************************************
           Jail *********************._*************** Jail
           *****************************************************************************
           Jail ************************._

   ****** (******,_******,_************)

           ****************** FreeBSD Jail
           *********************,_************************._

14.3. *************** Jail

   ****************** Jail ********************"*********"
   Jail*********************** FreeBSD ************ "*********"
   Jail*************************************************************************._*****************************************
   Jail ***************************************._******************
   "*********" Jail**Userland ********************************************
   Binary (*************************** Binary) *********************._

   ************************ Userland***************************** Jail
   ******._****************************** DESTDIR
   ******************************._

   ****** Shell ********* DESTDIR**

 # sh
 # export DESTDIR=/here/is/the/jail

   *************** ISO *********** mdconfig(8)
   ********************************

 # mount -t cd9660 /dev/`mdconfig -f cdimage.iso` /mnt
 # cd /mnt/usr/freebsd-dist/

   ************************ Tarball ***********

 # sh
 # export DESTRELEASE=12.0-RELEASE
 # export DESTARCH=`uname -m`
 # export SOURCEURL=http://ftp.freebsd.org/pub/FreeBSD/releases/$DESTARCH/$DESTRELEASE/
 # for set in base ports; do fetch $SOURCEURL/$set.txz ; done

   ********************* Tarball ********* Binary
   ******************************************** Base set
   **************************************._

   ********************* (Base system)**

 # tar -xf base.txz -C $DESTDIR

   **************************

 # for set in base ports; do tar -xf $set.txz -C $DESTDIR ; done

   *** jail(8) ********************************* Jail**

 # setenv D /here/is/the/jail
 # mkdir -p $D      1
 # cd /usr/src
 # make buildworld  2
 # make installworld DESTDIR=$D  3
 # make distribution DESTDIR=$D  4
 # mount -t devfs devfs $D/dev   5

1 ****** Jail ****************** Jail ************************** Jail *************** Jail ***************._****************** /usr/jail/jailname********      
  jailname *************** Jail ***************._********* /usr/ ************************ Jail *********************** "*********" Jail ********************   
  FreeBSD ******************************************._                                                                                                         
2 ****************** make world *** make buildworld ****************** Userland***************************************************** Userland ********* Jail._ 
3 ************************************ Jail *************************************************** Binary,_*********,_***************************._               
4 make *** distribution ***************************************._******************************** /usr/src/etc/ ************************ Jail *********        
  /etc********$D/etc/._                                                                                                                                        
5 *** Jail ********* devfs(8)                                                                                                                                  
  *********************************._************************************************************************************************************************* 
  Jail ************************************************************************************** Jail ******************._*** devfs(8) ******************         
  Ruleset***** devfs(8) *** devfs.conf(5) ******************************._                                                                                     

   Jail ******************************** jail(8) ***************._jail(8)
   *********************************** *** 14.1, "******"
   *********._**************************************************************************************
   Jail *********._command ********* Jail ********************************
   ************ ********/etc/rc
   ***************************************************** FreeBSD
   ***************._****** ********* *** Jail ***************** Jail
   *********************************************._

   Jail ***************************************** FreeBSD rc
   ***************************************._

     * *** jail.conf ********* jail ********

 www {
     host.hostname = www.example.org;           # Hostname
     ip4.addr = 192.168.0.10;                   # IP address of the jail
     path ="/usr/jail/www";                     # Path to the jail
     devfs_ruleset = "www_ruleset";             # devfs ruleset
     mount.devfs;                               # Mount devfs inside the jail
     exec.start = "/bin/sh /etc/rc";            # Start command
     exec.stop = "/bin/sh /etc/rc.shutdown";    # Stop command
 }

       *** rc.conf ************************ Jail**

 jail_enable="YES"   # Set to NO to disable starting of any jails

       ****************** Jail ****** jail.conf(5) ************** Jail
       ************************************************** Jail ****** /etc/rc
       Script._****************** Jail ****************** exec.start
       ********************* Jail *********************._

  ******:

       ***********************************************
       jail.conf(5)************._

   *** Jail *************** jail.conf *****************************
   service(8) ************************ Jail ********

 # service jail start www
 # service jail stop www

   Jail ************ jexec(8) *********._********* jls(8) ********* Jail ***
   JID************** jexec(8) ****** Jail *************** Script._

 # jls
    JID  IP Address      Hostname                      Path
      3  192.168.0.10    www                           /usr/jail/www
 # jexec 3 /etc/rc.shutdown

   ************ Jail *************** jail(8) ******************._

14.4. ***************

   ********************************* Jail ***************************** Jail
   ********* FreeBSD
   ***************************************************************._
   *****************

     * Some of the options available for tuning the behavior and security
       restrictions implemented by a jail installation.

     * Some of the high-level applications for jail management, which are
       available through the FreeBSD Ports Collection, and can be used to
       implement overall jail-based solutions.

  14.4.1. *** FreeBSD ********* Jail ***************

   Fine tuning of a jail's configuration is mostly done by setting sysctl(8)
   variables. A special subtree of sysctl exists as a basis for organizing
   all the relevant options: the security.jail.* hierarchy of FreeBSD kernel
   options. Here is a list of the main jail-related sysctls, complete with
   their default value. Names should be self-explanatory, but for more
   information about them, please refer to the jail(8) and sysctl(8) manual
   pages.

     * security.jail.set_hostname_allowed: 1

     * security.jail.socket_unixiproute_only: 1

     * security.jail.sysvipc_allowed: 0

     * security.jail.enforce_statfs: 2

     * security.jail.allow_raw_sockets: 0

     * security.jail.chflags_allowed: 0

     * security.jail.jailed: 0

   These variables can be used by the system administrator of the host system
   to add or remove some of the limitations imposed by default on the root
   user. Note that there are some limitations which cannot be removed. The
   root user is not allowed to mount or unmount file systems from within a
   jail(8). The root inside a jail may not load or unload devfs(8) rulesets,
   set firewall rules, or do many other administrative tasks which require
   modifications of in-kernel data, such as setting the securelevel of the
   kernel.

   The base system of FreeBSD contains a basic set of tools for viewing
   information about the active jails, and attaching to a jail to run
   administrative commands. The jls(8) and jexec(8) commands are part of the
   base FreeBSD system, and can be used to perform the following simple
   tasks:

     * Print a list of active jails and their corresponding jail identifier
       (JID), IP address, hostname and path.

     * Attach to a running jail, from its host system, and run a command
       inside the jail or perform administrative tasks inside the jail
       itself. This is especially useful when the root user wants to cleanly
       shut down a jail. The jexec(8) utility can also be used to start a
       shell in a jail to do administration in it; for example:

 # jexec 1 tcsh

  14.4.2. *** FreeBSD Port ************************************

   Among the many third-party utilities for jail administration, one of the
   most complete and useful is sysutils/ezjail. It is a set of scripts that
   contribute to jail(8) management. Please refer to the handbook section on
   ezjail for more information.

  14.4.3. ****** Jail ******************

   Jails should be kept up to date from the host operating system as
   attempting to patch userland from within the jail may likely fail as the
   default behavior in FreeBSD is to disallow the use of chflags(1) in a jail
   which prevents the replacement of some files. It is possible to change
   this behavior but it is recommended to use freebsd-update(8) to maintain
   jails instead. Use -b to specify the path of the jail to be updated.

 # freebsd-update -b /here/is/the/jail fetch
 # freebsd-update -b /here/is/the/jail install

14.5. ************ Jail

   Contributed by Daniel Gerzo.
   Based upon an idea presented by Simon L. B. Nielsen.
   And an article written by Ken Tom.

   The management of multiple jails can become problematic because every jail
   has to be rebuilt from scratch whenever it is upgraded. This can be time
   consuming and tedious if a lot of jails are created and manually updated.

   This section demonstrates one method to resolve this issue by safely
   sharing as much as is possible between jails using read-only
   mount_nullfs(8) mounts, so that updating is simpler. This makes it more
   attractive to put single services, such as HTTP, DNS, and SMTP, into
   individual jails. Additionally, it provides a simple way to add, remove,
   and upgrade jails.

  ******:

   Simpler solutions exist, such as ezjail, which provides an easier method
   of administering FreeBSD jails but is less versatile than this setup.
   ezjail is covered in more detail in *** 14.6, "****** ezjail ****** Jail".

   The goals of the setup described in this section are:

     * Create a simple and easy to understand jail structure that does not
       require running a full installworld on each and every jail.

     * Make it easy to add new jails or remove existing ones.

     * Make it easy to update or upgrade existing jails.

     * Make it possible to run a customized FreeBSD branch.

     * Be paranoid about security, reducing as much as possible the
       possibility of compromise.

     * Save space and inodes, as much as possible.

   This design relies on a single, read-only master template which is mounted
   into each jail and one read-write device per jail. A device can be a
   separate physical disc, a partition, or a vnode backed memory device. This
   example uses read-write nullfs mounts.

   The file system layout is as follows:

     * The jails are based under the /home partition.

     * Each jail will be mounted under the /home/j directory.

     * The template for each jail and the read-only partition for all of the
       jails is /home/j/mroot.

     * A blank directory will be created for each jail under the /home/j
       directory.

     * Each jail will have a /s directory that will be linked to the
       read-write portion of the system.

     * Each jail will have its own read-write system that is based upon
       /home/j/skel.

     * The read-write portion of each jail will be created in /home/js.

  14.5.1. ************

   This section describes the steps needed to create the master template.

   It is recommended to first update the host FreeBSD system to the latest
   -RELEASE branch using the instructions in *** 23.5, "******************
   FreeBSD". Additionally, this template uses the sysutils/cpdup package or
   port and portsnap will be used to download the FreeBSD Ports Collection.

    1. First, create a directory structure for the read-only file system
       which will contain the FreeBSD binaries for the jails. Then, change
       directory to the FreeBSD source tree and install the read-only file
       system to the jail template:

 # mkdir /home/j /home/j/mroot
 # cd /usr/src
 # make installworld DESTDIR=/home/j/mroot

    2. Next, prepare a FreeBSD Ports Collection for the jails as well as a
       FreeBSD source tree, which is required for mergemaster:

 # cd /home/j/mroot
 # mkdir usr/ports
 # portsnap -p /home/j/mroot/usr/ports fetch extract
 # cpdup /usr/src /home/j/mroot/usr/src

    3. Create a skeleton for the read-write portion of the system:

 # mkdir /home/j/skel /home/j/skel/home /home/j/skel/usr-X11R6 /home/j/skel/distfiles
 # mv etc /home/j/skel
 # mv usr/local /home/j/skel/usr-local
 # mv tmp /home/j/skel
 # mv var /home/j/skel
 # mv root /home/j/skel

    4. Use mergemaster to install missing configuration files. Then, remove
       the extra directories that mergemaster creates:

 # mergemaster -t /home/j/skel/var/tmp/temproot -D /home/j/skel -i
 # cd /home/j/skel
 # rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev

    5. Now, symlink the read-write file system to the read-only file system.
       Ensure that the symlinks are created in the correct s/ locations as
       the creation of directories in the wrong locations will cause the
       installation to fail.

 # cd /home/j/mroot
 # mkdir s
 # ln -s s/etc etc
 # ln -s s/home home
 # ln -s s/root root
 # ln -s ../s/usr-local usr/local
 # ln -s ../s/usr-X11R6 usr/X11R6
 # ln -s ../../s/distfiles usr/ports/distfiles
 # ln -s s/tmp tmp
 # ln -s s/var var

    6. As a last step, create a generic /home/j/skel/etc/make.conf containing
       this line:

 WRKDIRPREFIX?=  /s/portbuild

       This makes it possible to compile FreeBSD ports inside each jail.
       Remember that the ports directory is part of the read-only system. The
       custom path for WRKDIRPREFIX allows builds to be done in the
       read-write portion of every jail.

  14.5.2. ****** Jail

   The jail template can now be used to setup and configure the jails in
   /etc/rc.conf. This example demonstrates the creation of 3 jails: NS, MAIL
   and WWW.

    1. Add the following lines to /etc/fstab, so that the read-only template
       for the jails and the read-write space will be available in the
       respective jails:

 /home/j/mroot   /home/j/ns     nullfs  ro  0   0
 /home/j/mroot   /home/j/mail   nullfs  ro  0   0
 /home/j/mroot   /home/j/www    nullfs  ro  0   0
 /home/js/ns     /home/j/ns/s   nullfs  rw  0   0
 /home/js/mail   /home/j/mail/s nullfs  rw  0   0
 /home/js/www    /home/j/www/s  nullfs  rw  0   0

       To prevent fsck from checking nullfs mounts during boot and dump from
       backing up the read-only nullfs mounts of the jails, the last two
       columns are both set to 0.

    2. Configure the jails in /etc/rc.conf:

 jail_enable="YES"
 jail_set_hostname_allow="NO"
 jail_list="ns mail www"
 jail_ns_hostname="ns.example.org"
 jail_ns_ip="192.168.3.17"
 jail_ns_rootdir="/usr/home/j/ns"
 jail_ns_devfs_enable="YES"
 jail_mail_hostname="mail.example.org"
 jail_mail_ip="192.168.3.18"
 jail_mail_rootdir="/usr/home/j/mail"
 jail_mail_devfs_enable="YES"
 jail_www_hostname="www.example.org"
 jail_www_ip="62.123.43.14"
 jail_www_rootdir="/usr/home/j/www"
 jail_www_devfs_enable="YES"

       The jail_name_rootdir variable is set to /usr/home instead of /home
       because the physical path of /home on a default FreeBSD installation
       is /usr/home. The jail_name_rootdir variable must not be set to a path
       which includes a symbolic link, otherwise the jails will refuse to
       start.

    3. Create the required mount points for the read-only file system of each
       jail:

 # mkdir /home/j/ns /home/j/mail /home/j/www

    4. Install the read-write template into each jail using sysutils/cpdup:

 # mkdir /home/js
 # cpdup /home/j/skel /home/js/ns
 # cpdup /home/j/skel /home/js/mail
 # cpdup /home/j/skel /home/js/www

    5. In this phase, the jails are built and prepared to run. First, mount
       the required file systems for each jail, and then start them:

 # mount -a
 # service jail start

   The jails should be running now. To check if they have started correctly,
   use jls. Its output should be similar to the following:

 # jls
    JID  IP Address      Hostname                      Path
      3  192.168.3.17    ns.example.org                /home/j/ns
      2  192.168.3.18    mail.example.org              /home/j/mail
      1  62.123.43.14    www.example.org               /home/j/www

   At this point, it should be possible to log onto each jail, add new users,
   or configure daemons. The JID column indicates the jail identification
   number of each running jail. Use the following command to perform
   administrative tasks in the jail whose JID is 3:

 # jexec 3 tcsh

  14.5.3. ******

   The design of this setup provides an easy way to upgrade existing jails
   while minimizing their downtime. Also, it provides a way to roll back to
   the older version should a problem occur.

    1. The first step is to upgrade the host system. Then, create a new
       temporary read-only template in /home/j/mroot2.

 # mkdir /home/j/mroot2
 # cd /usr/src
 # make installworld DESTDIR=/home/j/mroot2
 # cd /home/j/mroot2
 # cpdup /usr/src usr/src
 # mkdir s

       The installworld creates a few unnecessary directories, which should
       be removed:

 # chflags -R 0 var
 # rm -R etc var root usr/local tmp

    2. Recreate the read-write symlinks for the master file system:

 # ln -s s/etc etc
 # ln -s s/root root
 # ln -s s/home home
 # ln -s ../s/usr-local usr/local
 # ln -s ../s/usr-X11R6 usr/X11R6
 # ln -s s/tmp tmp
 # ln -s s/var var

    3. Next, stop the jails:

 # service jail stop

    4. Unmount the original file systems as the read-write systems are
       attached to the read-only system (/s):

 # umount /home/j/ns/s
 # umount /home/j/ns
 # umount /home/j/mail/s
 # umount /home/j/mail
 # umount /home/j/www/s
 # umount /home/j/www

    5. Move the old read-only file system and replace it with the new one.
       This will serve as a backup and archive of the old read-only file
       system should something go wrong. The naming convention used here
       corresponds to when a new read-only file system has been created. Move
       the original FreeBSD Ports Collection over to the new file system to
       save some space and inodes:

 # cd /home/j
 # mv mroot mroot.20060601
 # mv mroot2 mroot
 # mv mroot.20060601/usr/ports mroot/usr

    6. At this point the new read-only template is ready, so the only
       remaining task is to remount the file systems and start the jails:

 # mount -a
 # service jail start

   Use jls to check if the jails started correctly. Run mergemaster in each
   jail to update the configuration files.

14.6. ****** ezjail ****** Jail

   Originally contributed by Warren Block.

   Creating and managing multiple jails can quickly become tedious and
   error-prone. Dirk Engling's ezjail automates and greatly simplifies many
   jail tasks. A basejail is created as a template. Additional jails use
   mount_nullfs(8) to share many of the basejail directories without using
   additional disk space. Each additional jail takes only a few megabytes of
   disk space before applications are installed. Upgrading the copy of the
   userland in the basejail automatically upgrades all of the other jails.

   Additional benefits and features are described in detail on the ezjail web
   site, https://erdgeist.org/arts/software/ezjail/.

  14.6.1. ****** ezjail

   Installing ezjail consists of adding a loopback interface for use in
   jails, installing the port or package, and enabling the service.

    1. To keep jail loopback traffic off the host's loopback network
       interface lo0, a second loopback interface is created by adding an
       entry to /etc/rc.conf:

 cloned_interfaces="lo1"

       The second loopback interface lo1 will be created when the system
       starts. It can also be created manually without a restart:

 # service netif cloneup
 Created clone interfaces: lo1.

       Jails can be allowed to use aliases of this secondary loopback
       interface without interfering with the host.

       Inside a jail, access to the loopback address 127.0.0.1 is redirected
       to the first IP address assigned to the jail. To make the jail
       loopback correspond with the new lo1 interface, that interface must be
       specified first in the list of interfaces and IP addresses given when
       creating a new jail.

       Give each jail a unique loopback address in the 127.0.0.0/8 netblock.

    2. Install sysutils/ezjail:

 # cd /usr/ports/sysutils/ezjail
 # make install clean

    3. Enable ezjail by adding this line to /etc/rc.conf:

 ezjail_enable="YES"

    4. The service will automatically start on system boot. It can be started
       immediately for the current session:

 # service ezjail start

  14.6.2. ************

   With ezjail installed, the basejail directory structure can be created and
   populated. This step is only needed once on the jail host computer.

   In both of these examples, -p causes the ports tree to be retrieved with
   portsnap(8) into the basejail. That single copy of the ports directory
   will be shared by all the jails. Using a separate copy of the ports
   directory for jails isolates them from the host. The ezjail FAQ explains
   in more detail: http://erdgeist.org/arts/software/ezjail/#FAQ.

     *    * To Populate the Jail with FreeBSD-RELEASE

            For a basejail based on the FreeBSD RELEASE matching that of the
            host computer, use install. For example, on a host computer
            running FreeBSD 10-STABLE, the latest RELEASE version of
            FreeBSD -10 will be installed in the jail):

 # ezjail-admin install -p

          * To Populate the Jail with installworld

            The basejail can be installed from binaries created by buildworld
            on the host with ezjail-admin update.

            In this example, FreeBSD 10-STABLE has been built from source.
            The jail directories are created. Then installworld is executed,
            installing the host's /usr/obj into the basejail.

 # ezjail-admin update -i -p

            The host's /usr/src is used by default. A different source
            directory on the host can be specified with -s and a path, or set
            with ezjail_sourcetree in /usr/local/etc/ezjail.conf.

  ******:

   The basejail's ports tree is shared by other jails. However, downloaded
   distfiles are stored in the jail that downloaded them. By default, these
   files are stored in /var/ports/distfiles within each jail. /var/ports
   inside each jail is also used as a work directory when building ports.

  ******:

   The FTP protocol is used by default to download packages for the
   installation of the basejail. Firewall or proxy configurations can prevent
   or interfere with FTP transfers. The HTTP protocol works differently and
   avoids these problems. It can be chosen by specifying a full URL for a
   particular download mirror in /usr/local/etc/ezjail.conf:

 ezjail_ftphost=http://ftp.FreeBSD.org

   See *** A.2, "FTP ***" for a list of sites.

  14.6.3. ********************* Jail

   New jails are created with ezjail-admin create. In these examples, the lo1
   loopback interface is used as described above.

   ****** 14.1. Create and Start a New Jail
    1. Create the jail, specifying a name and the loopback and network
       interfaces to use, along with their IP addresses. In this example, the
       jail is named dnsjail.

 # ezjail-admin create dnsjail 'lo1|127.0.1.1,em0|192.168.1.50'

  ******:

       Most network services run in jails without problems. A few network
       services, most notably ping(8), use raw network sockets. In jails, raw
       network sockets are disabled by default for security. Services that
       require them will not work.

       Occasionally, a jail genuinely needs raw sockets. For example, network
       monitoring applications often use ping(8) to check the availability of
       other computers. When raw network sockets are actually needed in a
       jail, they can be enabled by editing the ezjail configuration file for
       the individual jail, /usr/local/etc/ezjail/jailname. Modify the
       parameters entry:

 export jail_jailname_parameters="allow.raw_sockets=1"

       Do not enable raw network sockets unless services in the jail actually
       require them.

    2. Start the jail:

 # ezjail-admin start dnsjail

    3. Use a console on the jail:

 # ezjail-admin console dnsjail

   The jail is operating and additional configuration can be completed.
   Typical settings added at this point include:

    1. Set the root Password

       Connect to the jail and set the root user's password:

 # ezjail-admin console dnsjail
 # passwd
 Changing local password for root
 New Password:
 Retype New Password:

    2. Time Zone Configuration

       The jail's time zone can be set with tzsetup(8). To avoid spurious
       error messages, the adjkerntz(8) entry in /etc/crontab can be
       commented or removed. This job attempts to update the computer's
       hardware clock with time zone changes, but jails are not allowed to
       access that hardware.

    3. DNS Servers

       Enter domain name server lines in /etc/resolv.conf so DNS works in the
       jail.

    4. Edit /etc/hosts

       Change the address and add the jail name to the localhost entries in
       /etc/hosts.

    5. Configure /etc/rc.conf

       Enter configuration settings in /etc/rc.conf. This is much like
       configuring a full computer. The host name and IP address are not set
       here. Those values are already provided by the jail configuration.

   With the jail configured, the applications for which the jail was created
   can be installed.

  ******:

   Some ports must be built with special options to be used in a jail. For
   example, both of the network monitoring plugin packages
   net-mgmt/nagios-plugins and net-mgmt/monitoring-plugins have a JAIL option
   which must be enabled for them to work correctly inside a jail.

  14.6.4. ****** Jail

    14.6.4.1. ******************

   Because the basejail's copy of the userland is shared by the other jails,
   updating the basejail automatically updates all of the other jails. Either
   source or binary updates can be used.

   To build the world from source on the host, then install it in the
   basejail, use:

 # ezjail-admin update -b

   If the world has already been compiled on the host, install it in the
   basejail with:

 # ezjail-admin update -i

   Binary updates use freebsd-update(8). These updates have the same
   limitations as if freebsd-update(8) were being run directly. The most
   important one is that only -RELEASE versions of FreeBSD are available with
   this method.

   Update the basejail to the latest patched release of the version of
   FreeBSD on the host. For example, updating from RELEASE-p1 to RELEASE-p2.

 # ezjail-admin update -u

   To upgrade the basejail to a new version, first upgrade the host system as
   described in *** 23.2.3, "*********************************". Once the
   host has been upgraded and rebooted, the basejail can then be upgraded.
   freebsd-update(8) has no way of determining which version is currently
   installed in the basejail, so the original version must be specified. Use
   file(1) to determine the original version in the basejail:

 # file /usr/jails/basejail/bin/sh
 /usr/jails/basejail/bin/sh: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 9.3, stripped

   Now use this information to perform the upgrade from 9.3-RELEASE to the
   current version of the host system:

 # ezjail-admin update -U -s 9.3-RELEASE

   After updating the basejail, mergemaster(8) must be run to update each
   jail's configuration files.

   How to use mergemaster(8) depends on the purpose and trustworthiness of a
   jail. If a jail's services or users are not trusted, then mergemaster(8)
   should only be run from within that jail:

   ****** 14.1. *************** Jail *** mergemaster(8)

   Delete the link from the jail's /usr/src into the basejail and create a
   new /usr/src in the jail as a mountpoint. Mount the host computer's
   /usr/src read-only on the jail's new /usr/src mountpoint:

 # rm /usr/jails/jailname/usr/src
 # mkdir /usr/jails/jailname/usr/src
 # mount -t nullfs -o ro /usr/src /usr/jails/jailname/usr/src

   Get a console in the jail:

 # ezjail-admin console jailname

   Inside the jail, run mergemaster. Then exit the jail console:

 # cd /usr/src
 # mergemaster -U
 # exit

   Finally, unmount the jail's /usr/src:

 # umount /usr/jails/jailname/usr/src

   ****** 14.2. ************ Jail *** mergemaster(8)

   If the users and services in a jail are trusted, mergemaster(8) can be run
   from the host:

 # mergemaster -U -D /usr/jails/jailname

    14.6.4.2. ****** Port

   The ports tree in the basejail is shared by the other jails. Updating that
   copy of the ports tree gives the other jails the updated version also.

   The basejail ports tree is updated with portsnap(8):

 # ezjail-admin update -P

  14.6.5. ****** Jail

    14.6.5.1. *************** Jail

   ezjail automatically starts jails when the computer is started. Jails can
   be manually stopped and restarted with stop and start:

 # ezjail-admin stop sambajail
 Stopping jails: sambajail.

   By default, jails are started automatically when the host computer starts.
   Autostarting can be disabled with config:

 # ezjail-admin config -r norun seldomjail

   This takes effect the next time the host computer is started. A jail that
   is already running will not be stopped.

   Enabling autostart is very similar:

 # ezjail-admin config -r run oftenjail

    14.6.5.2. *************** Jail

   Use archive to create a .tar.gz archive of a jail. The file name is
   composed from the name of the jail and the current date. Archive files are
   written to the archive directory, /usr/jails/ezjail_archives. A different
   archive directory can be chosen by setting ezjail_archivedir in the
   configuration file.

   The archive file can be copied elsewhere as a backup, or an existing jail
   can be restored from it with restore. A new jail can be created from the
   archive, providing a convenient way to clone existing jails.

   Stop and archive a jail named wwwserver:

 # ezjail-admin stop wwwserver
 Stopping jails: wwwserver.
 # ezjail-admin archive wwwserver
 # ls /usr/jails/ezjail-archives/
 wwwserver-201407271153.13.tar.gz

   Create a new jail named wwwserver-clone from the archive created in the
   previous step. Use the em1 interface and assign a new IP address to avoid
   conflict with the original:

 # ezjail-admin create -a /usr/jails/ezjail_archives/wwwserver-201407271153.13.tar.gz wwwserver-clone 'lo1|127.0.3.1,em1|192.168.1.51'

  14.6.6. ***************** Jail ********* BIND

   Putting the BIND DNS server in a jail improves security by isolating it.
   This example creates a simple caching-only name server.

     * The jail will be called dns1.

     * The jail will use IP address 192.168.1.240 on the host's re0
       interface.

     * The upstream ISP's DNS servers are at 10.0.0.62 and 10.0.0.61.

     * The basejail has already been created and a ports tree installed as
       shown in *** 14.6.2, "************".

   ****** 14.3. *** Jail ********* BIND

   Create a cloned loopback interface by adding a line to /etc/rc.conf:

 cloned_interfaces="lo1"

   Immediately create the new loopback interface:

 # service netif cloneup
 Created clone interfaces: lo1.

   Create the jail:

 # ezjail-admin create dns1 'lo1|127.0.2.1,re0|192.168.1.240'

   Start the jail, connect to a console running on it, and perform some basic
   configuration:

 # ezjail-admin start dns1
 # ezjail-admin console dns1
 # passwd
 Changing local password for root
 New Password:
 Retype New Password:
 # tzsetup
 # sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab
 # sed -i .bak -e 's/127.0.0.1/127.0.2.1/g; s/localhost.my.domain/dns1.my.domain dns1/' /etc/hosts

   Temporarily set the upstream DNS servers in /etc/resolv.conf so ports can
   be downloaded:

 nameserver 10.0.0.62
 nameserver 10.0.0.61

   Still using the jail console, install dns/bind99.

 # make -C /usr/ports/dns/bind99 install clean

   Configure the name server by editing /usr/local/etc/namedb/named.conf.

   Create an Access Control List (ACL) of addresses and networks that are
   permitted to send DNS queries to this name server. This section is added
   just before the options section already in the file:

 ...
 // or cause huge amounts of useless Internet traffic.

 acl "trusted" {
         192.168.1.0/24;
         localhost;
         localnets;
 };

 options {
 ...

   Use the jail IP address in the listen-on setting to accept DNS queries
   from other computers on the network:

         listen-on       { 192.168.1.240; };

   A simple caching-only DNS name server is created by changing the
   forwarders section. The original file contains:

 /*
         forwarders {
                 127.0.0.1;
         };
 */

   Uncomment the section by removing the /* and */ lines. Enter the IP
   addresses of the upstream DNS servers. Immediately after the forwarders
   section, add references to the trusted ACL defined earlier:

         forwarders {
                 10.0.0.62;
                 10.0.0.61;
         };

         allow-query       { any; };
         allow-recursion   { trusted; };
         allow-query-cache { trusted; };

   Enable the service in /etc/rc.conf:

 named_enable="YES"

   Start and test the name server:

 # service named start
 wrote key file "/usr/local/etc/namedb/rndc.key"
 Starting named.
 # /usr/local/bin/dig @192.168.1.240 freebsd.org

   A response that includes

 ;; Got answer;

   shows that the new DNS server is working. A long delay followed by a
   response including

 ;; connection timed out; no servers could be reached

   shows a problem. Check the configuration settings and make sure any local
   firewalls allow the new DNS access to the upstream DNS servers.

   The new DNS server can use itself for local name resolution, just like
   other local computers. Set the address of the DNS server in the client
   computer's /etc/resolv.conf:

 nameserver 192.168.1.240

   A local DHCP server can be configured to provide this address for a local
   DNS server, providing automatic configuration on DHCP clients.

*** 15. ****************** (MAC)

   Written by Tom Rhodes.
   ************

   15.1. ******

   15.2. *********

   15.3. ****** MAC ******

   15.4. ******************

   15.5. ********* MAC ************

   15.6. User Lock Down

   15.7. *** MAC Jail ********* Nagios

   15.8. MAC ******************

15.1. ******

   FreeBSD supports security extensions based on the POSIX(R).1e draft. These
   security mechanisms include file system Access Control Lists (*** 13.9,
   "******************") and Mandatory Access Control (MAC). MAC allows
   access control modules to be loaded in order to implement security
   policies. Some modules provide protections for a narrow subset of the
   system, hardening a particular service. Others provide comprehensive
   labeled security across all subjects and objects. The mandatory part of
   the definition indicates that enforcement of controls is performed by
   administrators and the operating system. This is in contrast to the
   default security mechanism of Discretionary Access Control (DAC) where
   enforcement is left to the discretion of users.

   This chapter focuses on the MAC framework and the set of pluggable
   security policy modules FreeBSD provides for enabling various security
   mechanisms.

   ****************************

     * The terminology associated with the MAC framework.

     * The capabilities of MAC security policy modules as well as the
       difference between a labeled and non-labeled policy.

     * The considerations to take into account before configuring a system to
       use the MAC framework.

     * Which MAC security policy modules are included in FreeBSD and how to
       configure them.

     * How to implement a more secure environment using the MAC framework.

     * How to test the MAC configuration to ensure the framework has been
       properly implemented.

   ****************************************

     * ****** UNIX(R) *** FreeBSD ****** (*** 3, FreeBSD ******)._

     * Have some familiarity with security and how it pertains to FreeBSD
       (*** 13, *********).

  ******:

   Improper MAC configuration may cause loss of system access, aggravation of
   users, or inability to access the features provided by Xorg. More
   importantly, MAC should not be relied upon to completely secure a system.
   The MAC framework only augments an existing security policy. Without sound
   security practices and regular security checks, the system will never be
   completely secure.

   The examples contained within this chapter are for demonstration purposes
   and the example settings should not be implemented on a production system.
   Implementing any security policy takes a good deal of understanding,
   proper design, and thorough testing.

   While this chapter covers a broad range of security issues relating to the
   MAC framework, the development of new MAC security policy modules will not
   be covered. A number of security policy modules included with the MAC
   framework have specific characteristics which are provided for both
   testing and new module development. Refer to mac_test(4), mac_stub(4) and
   mac_none(4) for more information on these security policy modules and the
   various mechanisms they provide.

15.2. *********

   The following key terms are used when referring to the MAC framework:

     * compartment: a set of programs and data to be partitioned or
       separated, where users are given explicit access to specific component
       of a system. A compartment represents a grouping, such as a work
       group, department, project, or topic. Compartments make it possible to
       implement a need-to-know-basis security policy.

     * integrity: the level of trust which can be placed on data. As the
       integrity of the data is elevated, so does the ability to trust that
       data.

     * level: the increased or decreased setting of a security attribute. As
       the level increases, its security is considered to elevate as well.

     * label: a security attribute which can be applied to files,
       directories, or other items in the system. It could be considered a
       confidentiality stamp. When a label is placed on a file, it describes
       the security properties of that file and will only permit access by
       files, users, and resources with a similar security setting. The
       meaning and interpretation of label values depends on the policy
       configuration. Some policies treat a label as representing the
       integrity or secrecy of an object while other policies might use
       labels to hold rules for access.

     * multilabel: this property is a file system option which can be set in
       single-user mode using tunefs(8), during boot using fstab(5), or
       during the creation of a new file system. This option permits an
       administrator to apply different MAC labels on different objects. This
       option only applies to security policy modules which support labeling.

     * single label: a policy where the entire file system uses one label to
       enforce access control over the flow of data. Whenever multilabel is
       not set, all files will conform to the same label setting.

     * object: an entity through which information flows under the direction
       of a subject. This includes directories, files, fields, screens,
       keyboards, memory, magnetic storage, printers or any other data
       storage or moving device. An object is a data container or a system
       resource. Access to an object effectively means access to its data.

     * subject: any active entity that causes information to flow between
       objects such as a user, user process, or system process. On FreeBSD,
       this is almost always a thread acting in a process on behalf of a
       user.

     * policy: a collection of rules which defines how objectives are to be
       achieved. A policy usually documents how certain items are to be
       handled. This chapter considers a policy to be a collection of rules
       which controls the flow of data and information and defines who has
       access to that data and information.

     * high-watermark: this type of policy permits the raising of security
       levels for the purpose of accessing higher level information. In most
       cases, the original level is restored after the process is complete.
       Currently, the FreeBSD MAC framework does not include this type of
       policy.

     * low-watermark: this type of policy permits lowering security levels
       for the purpose of accessing information which is less secure. In most
       cases, the original security level of the user is restored after the
       process is complete. The only security policy module in FreeBSD to use
       this is mac_lomac(4).

     * sensitivity: usually used when discussing Multilevel Security (MLS). A
       sensitivity level describes how important or secret the data should
       be. As the sensitivity level increases, so does the importance of the
       secrecy, or confidentiality, of the data.

15.3. ****** MAC ******

   A MAC label is a security attribute which may be applied to subjects and
   objects throughout the system. When setting a label, the administrator
   must understand its implications in order to prevent unexpected or
   undesired behavior of the system. The attributes available on an object
   depend on the loaded policy module, as policy modules interpret their
   attributes in different ways.

   The security label on an object is used as a part of a security access
   control decision by a policy. With some policies, the label contains all
   of the information necessary to make a decision. In other policies, the
   labels may be processed as part of a larger rule set.

   There are two types of label policies: single label and multi label. By
   default, the system will use single label. The administrator should be
   aware of the pros and cons of each in order to implement policies which
   meet the requirements of the system's security model.

   A single label security policy only permits one label to be used for every
   subject or object. Since a single label policy enforces one set of access
   permissions across the entire system, it provides lower administration
   overhead, but decreases the flexibility of policies which support
   labeling. However, in many environments, a single label policy may be all
   that is required.

   A single label policy is somewhat similar to DAC as root configures the
   policies so that users are placed in the appropriate categories and access
   levels. A notable difference is that many policy modules can also restrict
   root. Basic control over objects will then be released to the group, but
   root may revoke or modify the settings at any time.

   When appropriate, a multi label policy can be set on a UFS file system by
   passing multilabel to tunefs(8). A multi label policy permits each subject
   or object to have its own independent MAC label. The decision to use a
   multi label or single label policy is only required for policies which
   implement the labeling feature, such as biba, lomac, and mls. Some
   policies, such as seeotheruids, portacl and partition, do not use labels
   at all.

   Using a multi label policy on a partition and establishing a multi label
   security model can increase administrative overhead as everything in that
   file system has a label. This includes directories, files, and even device
   nodes.

   The following command will set multilabel on the specified UFS file
   system. This may only be done in single-user mode and is not a requirement
   for the swap file system:

 # tunefs -l enable /

  ******:

   Some users have experienced problems with setting the multilabel flag on
   the root partition. If this is the case, please review *** 15.8, "MAC
   ******************".

   Since the multi label policy is set on a per-file system basis, a multi
   label policy may not be needed if the file system layout is well designed.
   Consider an example security MAC model for a FreeBSD web server. This
   machine uses the single label, biba/high, for everything in the default
   file systems. If the web server needs to run at biba/low to prevent write
   up capabilities, it could be installed to a separate UFS /usr/local file
   system set at biba/low.

  15.3.1. ************

   Virtually all aspects of label policy module configuration will be
   performed using the base system utilities. These commands provide a simple
   interface for object or subject configuration or the manipulation and
   verification of the configuration.

   All configuration may be done using setfmac, which is used to set MAC
   labels on system objects, and setpmac, which is used to set the labels on
   system subjects. For example, to set the biba MAC label to high on test:

 # setfmac biba/high test

   If the configuration is successful, the prompt will be returned without
   error. A common error is Permission denied which usually occurs when the
   label is being set or modified on a restricted object. Other conditions
   may produce different failures. For instance, the file may not be owned by
   the user attempting to relabel the object, the object may not exist, or
   the object may be read-only. A mandatory policy will not allow the process
   to relabel the file, maybe because of a property of the file, a property
   of the process, or a property of the proposed new label value. For
   example, if a user running at low integrity tries to change the label of a
   high integrity file, or a user running at low integrity tries to change
   the label of a low integrity file to a high integrity label, these
   operations will fail.

   The system administrator may use setpmac to override the policy module's
   settings by assigning a different label to the invoked process:

 # setfmac biba/high test
 Permission denied
 # setpmac biba/low setfmac biba/high test
 # getfmac test
 test: biba/high

   For currently running processes, such as sendmail, getpmac is usually used
   instead. This command takes a process ID (PID) in place of a command name.
   If users attempt to manipulate a file not in their access, subject to the
   rules of the loaded policy modules, the Operation not permitted error will
   be displayed.

  15.3.2. *********************

   A few FreeBSD policy modules which support the labeling feature offer
   three predefined labels: low, equal, and high, where:

     * low is considered the lowest label setting an object or subject may
       have. Setting this on objects or subjects blocks their access to
       objects or subjects marked high.

     * equal sets the subject or object to be disabled or unaffected and
       should only be placed on objects considered to be exempt from the
       policy.

     * high grants an object or subject the highest setting available in the
       Biba and MLS policy modules.

   Such policy modules include mac_biba(4), mac_mls(4) and mac_lomac(4). Each
   of the predefined labels establishes a different information flow
   directive. Refer to the manual page of the module to determine the traits
   of the generic label configurations.

  15.3.3. ************

   The Biba and MLS policy modules support a numeric label which may be set
   to indicate the precise level of hierarchical control. This numeric level
   is used to partition or sort information into different groups of
   classification, only permitting access to that group or a higher group
   level. For example:

 biba/10:2+3+6(5:2+3-20:2+3+4+5+6)

   may be interpreted as "Biba Policy Label/Grade 10:Compartments 2, 3 and 6:
   (grade 5 ...")

   In this example, the first grade would be considered the effective grade
   with effective compartments, the second grade is the low grade, and the
   last one is the high grade. In most configurations, such fine-grained
   settings are not needed as they are considered to be advanced
   configurations.

   System objects only have a current grade and compartment. System subjects
   reflect the range of available rights in the system, and network
   interfaces, where they are used for access control.

   The grade and compartments in a subject and object pair are used to
   construct a relationship known as dominance, in which a subject dominates
   an object, the object dominates the subject, neither dominates the other,
   or both dominate each other. The "both dominate" case occurs when the two
   labels are equal. Due to the information flow nature of Biba, a user has
   rights to a set of compartments that might correspond to projects, but
   objects also have a set of compartments. Users may have to subset their
   rights using su or setpmac in order to access objects in a compartment
   from which they are not restricted.

  15.3.4. ***************

   Users are required to have labels so that their files and processes
   properly interact with the security policy defined on the system. This is
   configured in /etc/login.conf using login classes. Every policy module
   that uses labels will implement the user class setting.

   To set the user class default label which will be enforced by MAC, add a
   label entry. An example label entry containing every policy module is
   displayed below. Note that in a real configuration, the administrator
   would never enable every policy module. It is recommended that the rest of
   this chapter be reviewed before any configuration is implemented.

 default:\
         :copyright=/etc/COPYRIGHT:\
         :welcome=/etc/motd:\
         :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
         :path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
         :manpath=/usr/share/man /usr/local/man:\
         :nologin=/usr/sbin/nologin:\
         :cputime=1h30m:\
         :datasize=8M:\
         :vmemoryuse=100M:\
         :stacksize=2M:\
         :memorylocked=4M:\
         :memoryuse=8M:\
         :filesize=8M:\
         :coredumpsize=8M:\
         :openfiles=24:\
         :maxproc=32:\
         :priority=0:\
         :requirehome:\
         :passwordtime=91d:\
         :umask=022:\
         :ignoretime@:\
         :label=partition/13,mls/5,biba/10(5-15),lomac/10[2]:

   While users can not modify the default value, they may change their label
   after they login, subject to the constraints of the policy. The example
   above tells the Biba policy that a process's minimum integrity is 5, its
   maximum is 15, and the default effective label is 10. The process will run
   at 10 until it chooses to change label, perhaps due to the user using
   setpmac, which will be constrained by Biba to the configured range.

   After any change to login.conf, the login class capability database must
   be rebuilt using cap_mkdb.

   Many sites have a large number of users requiring several different user
   classes. In depth planning is required as this can become difficult to
   manage.

  15.3.5. ******************

   Labels may be set on network interfaces to help control the flow of data
   across the network. Policies using network interface labels function in
   the same way that policies function with respect to objects. Users at high
   settings in Biba, for example, will not be permitted to access network
   interfaces with a label of low.

   When setting the MAC label on network interfaces, maclabel may be passed
   to ifconfig:

 # ifconfig bge0 maclabel biba/equal

   This example will set the MAC label of biba/equal on the bge0 interface.
   When using a setting similar to biba/high(low-high), the entire label
   should be quoted to prevent an error from being returned.

   Each policy module which supports labeling has a tunable which may be used
   to disable the MAC label on network interfaces. Setting the label to equal
   will have a similar effect. Review the output of sysctl, the policy manual
   pages, and the information in the rest of this chapter for more
   information on those tunables.

15.4. ******************

   Before implementing any MAC policies, a planning phase is recommended.
   During the planning stages, an administrator should consider the
   implementation requirements and goals, such as:

     * How to classify information and resources available on the target
       systems.

     * Which information or resources to restrict access to along with the
       type of restrictions that should be applied.

     * Which MAC modules will be required to achieve this goal.

   A trial run of the trusted system and its configuration should occur
   before a MAC implementation is used on production systems. Since different
   environments have different needs and requirements, establishing a
   complete security profile will decrease the need of changes once the
   system goes live.

   Consider how the MAC framework augments the security of the system as a
   whole. The various security policy modules provided by the MAC framework
   could be used to protect the network and file systems or to block users
   from accessing certain ports and sockets. Perhaps the best use of the
   policy modules is to load several security policy modules at a time in
   order to provide a MLS environment. This approach differs from a hardening
   policy, which typically hardens elements of a system which are used only
   for specific purposes. The downside to MLS is increased administrative
   overhead.

   The overhead is minimal when compared to the lasting effect of a framework
   which provides the ability to pick and choose which policies are required
   for a specific configuration and which keeps performance overhead down.
   The reduction of support for unneeded policies can increase the overall
   performance of the system as well as offer flexibility of choice. A good
   implementation would consider the overall security requirements and
   effectively implement the various security policy modules offered by the
   framework.

   A system utilizing MAC guarantees that a user will not be permitted to
   change security attributes at will. All user utilities, programs, and
   scripts must work within the constraints of the access rules provided by
   the selected security policy modules and control of the MAC access rules
   is in the hands of the system administrator.

   It is the duty of the system administrator to carefully select the correct
   security policy modules. For an environment that needs to limit access
   control over the network, the mac_portacl(4), mac_ifoff(4), and
   mac_biba(4) policy modules make good starting points. For an environment
   where strict confidentiality of file system objects is required, consider
   the mac_bsdextended(4) and mac_mls(4) policy modules.

   Policy decisions could be made based on network configuration. If only
   certain users should be permitted access to ssh(1), the mac_portacl(4)
   policy module is a good choice. In the case of file systems, access to
   objects might be considered confidential to some users, but not to others.
   As an example, a large development team might be broken off into smaller
   projects where developers in project A might not be permitted to access
   objects written by developers in project B. Yet both projects might need
   to access objects created by developers in project C. Using the different
   security policy modules provided by the MAC framework, users could be
   divided into these groups and then given access to the appropriate
   objects.

   Each security policy module has a unique way of dealing with the overall
   security of a system. Module selection should be based on a well thought
   out security policy which may require revision and reimplementation.
   Understanding the different security policy modules offered by the MAC
   framework will help administrators choose the best policies for their
   situations.

   The rest of this chapter covers the available modules, describes their use
   and configuration, and in some cases, provides insight on applicable
   situations.

  ******:

   Implementing MAC is much like implementing a firewall since care must be
   taken to prevent being completely locked out of the system. The ability to
   revert back to a previous configuration should be considered and the
   implementation of MAC over a remote connection should be done with extreme
   caution.

15.5. ********* MAC ************

   The default FreeBSD kernel includes options MAC. This means that every
   module included with the MAC framework can be loaded with kldload as a
   run-time kernel module. After testing the module, add the module name to
   /boot/loader.conf so that it will load during boot. Each module also
   provides a kernel option for those administrators who choose to compile
   their own custom kernel.

   FreeBSD includes a group of policies that will cover most security
   requirements. Each policy is summarized below. The last three policies
   support integer settings in place of the three default labels.

  15.5.1. MAC See Other UIDs ******

   Module name: mac_seeotheruids.ko

   Kernel configuration line: options MAC_SEEOTHERUIDS

   Boot option: mac_seeotheruids_load="YES"

   The mac_seeotheruids(4) module extends the security.bsd.see_other_uids and
   security.bsd.see_other_gids sysctl tunables. This option does not require
   any labels to be set before configuration and can operate transparently
   with other modules.

   After loading the module, the following sysctl tunables may be used to
   control its features:

     * security.mac.seeotheruids.enabled enables the module and implements
       the default settings which deny users the ability to view processes
       and sockets owned by other users.

     * security.mac.seeotheruids.specificgid_enabled allows specified groups
       to be exempt from this policy. To exempt specific groups, use the
       security.mac.seeotheruids.specificgid=XXX sysctl tunable, replacing
       XXX with the numeric group ID to be exempted.

     * security.mac.seeotheruids.primarygroup_enabled is used to exempt
       specific primary groups from this policy. When using this tunable,
       security.mac.seeotheruids.specificgid_enabled may not be set.

  15.5.2. MAC BSD Extended ******

   Module name: mac_bsdextended.ko

   Kernel configuration line: options MAC_BSDEXTENDED

   Boot option: mac_bsdextended_load="YES"

   The mac_bsdextended(4) module enforces a file system firewall. It provides
   an extension to the standard file system permissions model, permitting an
   administrator to create a firewall-like ruleset to protect files,
   utilities, and directories in the file system hierarchy. When access to a
   file system object is attempted, the list of rules is iterated until
   either a matching rule is located or the end is reached. This behavior may
   be changed using security.mac.bsdextended.firstmatch_enabled. Similar to
   other firewall modules in FreeBSD, a file containing the access control
   rules can be created and read by the system at boot time using an
   rc.conf(5) variable.

   The rule list may be entered using ugidfw(8) which has a syntax similar to
   ipfw(8). More tools can be written by using the functions in the
   libugidfw(3) library.

   After the mac_bsdextended(4) module has been loaded, the following command
   may be used to list the current rule configuration:

 # ugidfw list
 0 slots, 0 rules

   By default, no rules are defined and everything is completely accessible.
   To create a rule which blocks all access by users but leaves root
   unaffected:

 # ugidfw add subject not uid root new object not uid root mode n

   While this rule is simple to implement, it is a very bad idea as it blocks
   all users from issuing any commands. A more realistic example blocks user1
   all access, including directory listings, to user2's home directory:

 # ugidfw set 2 subject uid user1 object uid user2 mode n
 # ugidfw set 3 subject uid user1 object gid user2 mode n

   Instead of user1, not uid user2 could be used in order to enforce the same
   access restrictions for all users. However, the root user is unaffected by
   these rules.

  ******:

   Extreme caution should be taken when working with this module as incorrect
   use could block access to certain parts of the file system.

  15.5.3. MAC Interface Silencing ******

   Module name: mac_ifoff.ko

   Kernel configuration line: options MAC_IFOFF

   Boot option: mac_ifoff_load="YES"

   The mac_ifoff(4) module is used to disable network interfaces on the fly
   and to keep network interfaces from being brought up during system boot.
   It does not use labels and does not depend on any other MAC modules.

   Most of this module's control is performed through these sysctl tunables:

     * security.mac.ifoff.lo_enabled enables or disables all traffic on the
       loopback, lo(4), interface.

     * security.mac.ifoff.bpfrecv_enabled enables or disables all traffic on
       the Berkeley Packet Filter interface, bpf(4).

     * security.mac.ifoff.other_enabled enables or disables traffic on all
       other interfaces.

   One of the most common uses of mac_ifoff(4) is network monitoring in an
   environment where network traffic should not be permitted during the boot
   sequence. Another use would be to write a script which uses an application
   such as security/aide to automatically block network traffic if it finds
   new or altered files in protected directories.

  15.5.4. MAC Port Access Control ******

   Module name: mac_portacl.ko

   Kernel configuration line: MAC_PORTACL

   Boot option: mac_portacl_load="YES"

   The mac_portacl(4) module is used to limit binding to local TCP and UDP
   ports, making it possible to allow non-root users to bind to specified
   privileged ports below 1024.

   Once loaded, this module enables the MAC policy on all sockets. The
   following tunables are available:

     * security.mac.portacl.enabled enables or disables the policy
       completely.

     * security.mac.portacl.port_high sets the highest port number that
       mac_portacl(4) protects.

     * security.mac.portacl.suser_exempt, when set to a non-zero value,
       exempts the root user from this policy.

     * security.mac.portacl.rules specifies the policy as a text string of
       the form rule[,rule,...], with as many rules as needed, and where each
       rule is of the form idtype:id:protocol:port. The idtype is either uid
       or gid. The protocol parameter can be tcp or udp. The port parameter
       is the port number to allow the specified user or group to bind to.
       Only numeric values can be used for the user ID, group ID, and port
       parameters.

   By default, ports below 1024 can only be used by privileged processes
   which run as root. For mac_portacl(4) to allow non-privileged processes to
   bind to ports below 1024, set the following tunables as follows:

 # sysctl security.mac.portacl.port_high=1023
 # sysctl net.inet.ip.portrange.reservedlow=0
 # sysctl net.inet.ip.portrange.reservedhigh=0

   To prevent the root user from being affected by this policy, set
   security.mac.portacl.suser_exempt to a non-zero value.

 # sysctl security.mac.portacl.suser_exempt=1

   To allow the www user with UID 80 to bind to port 80 without ever needing
   root privilege:

 # sysctl security.mac.portacl.rules=uid:80:tcp:80

   This next example permits the user with the UID of 1001 to bind to TCP
   ports 110 (POP3) and 995 (POP3s):

 # sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995

  15.5.5. MAC Partition ******

   Module name: mac_partition.ko

   Kernel configuration line: options MAC_PARTITION

   Boot option: mac_partition_load="YES"

   The mac_partition(4) policy drops processes into specific "partitions"
   based on their MAC label. Most configuration for this policy is done using
   setpmac(8). One sysctl tunable is available for this policy:

     * security.mac.partition.enabled enables the enforcement of MAC process
       partitions.

   When this policy is enabled, users will only be permitted to see their
   processes, and any others within their partition, but will not be
   permitted to work with utilities outside the scope of this partition. For
   instance, a user in the insecure class will not be permitted to access top
   as well as many other commands that must spawn a process.

   This example adds top to the label set on users in the insecure class. All
   processes spawned by users in the insecure class will stay in the
   partition/13 label.

 # setpmac partition/13 top

   This command displays the partition label and the process list:

 # ps Zax

   This command displays another user's process partition label and that
   user's currently running processes:

 # ps -ZU trhodes

  ******:

   Users can see processes in root's label unless the mac_seeotheruids(4)
   policy is loaded.

  15.5.6. MAC Multi-Level Security ******

   Module name: mac_mls.ko

   Kernel configuration line: options MAC_MLS

   Boot option: mac_mls_load="YES"

   The mac_mls(4) policy controls access between subjects and objects in the
   system by enforcing a strict information flow policy.

   In MLS environments, a "clearance" level is set in the label of each
   subject or object, along with compartments. Since these clearance levels
   can reach numbers greater than several thousand, it would be a daunting
   task to thoroughly configure every subject or object. To ease this
   administrative overhead, three labels are included in this policy:
   mls/low, mls/equal, and mls/high, where:

     * Anything labeled with mls/low will have a low clearance level and not
       be permitted to access information of a higher level. This label also
       prevents objects of a higher clearance level from writing or passing
       information to a lower level.

     * mls/equal should be placed on objects which should be exempt from the
       policy.

     * mls/high is the highest level of clearance possible. Objects assigned
       this label will hold dominance over all other objects in the system;
       however, they will not permit the leaking of information to objects of
       a lower class.

   MLS provides:

     * A hierarchical security level with a set of non-hierarchical
       categories.

     * Fixed rules of no read up, no write down. This means that a subject
       can have read access to objects on its own level or below, but not
       above. Similarly, a subject can have write access to objects on its
       own level or above, but not beneath.

     * Secrecy, or the prevention of inappropriate disclosure of data.

     * A basis for the design of systems that concurrently handle data at
       multiple sensitivity levels without leaking information between secret
       and confidential.

   The following sysctl tunables are available:

     * security.mac.mls.enabled is used to enable or disable the MLS policy.

     * security.mac.mls.ptys_equal labels all pty(4) devices as mls/equal
       during creation.

     * security.mac.mls.revocation_enabled revokes access to objects after
       their label changes to a label of a lower grade.

     * security.mac.mls.max_compartments sets the maximum number of
       compartment levels allowed on a system.

   To manipulate MLS labels, use setfmac(8). To assign a label to an object:

 # setfmac mls/5 test

   To get the MLS label for the file test:

 # getfmac test

   Another approach is to create a master policy file in /etc/ which
   specifies the MLS policy information and to feed that file to setfmac.

   When using the MLS policy module, an administrator plans to control the
   flow of sensitive information. The default block read up block write down
   sets everything to a low state. Everything is accessible and an
   administrator slowly augments the confidentiality of the information.

   Beyond the three basic label options, an administrator may group users and
   groups as required to block the information flow between them. It might be
   easier to look at the information in clearance levels using descriptive
   words, such as classifications of Confidential, Secret, and Top Secret.
   Some administrators instead create different groups based on project
   levels. Regardless of the classification method, a well thought out plan
   must exist before implementing a restrictive policy.

   Some example situations for the MLS policy module include an e-commerce
   web server, a file server holding critical company information, and
   financial institution environments.

  15.5.7. MAC Biba ******

   Module name: mac_biba.ko

   Kernel configuration line: options MAC_BIBA

   Boot option: mac_biba_load="YES"

   The mac_biba(4) module loads the MAC Biba policy. This policy is similar
   to the MLS policy with the exception that the rules for information flow
   are slightly reversed. This is to prevent the downward flow of sensitive
   information whereas the MLS policy prevents the upward flow of sensitive
   information.

   In Biba environments, an "integrity" label is set on each subject or
   object. These labels are made up of hierarchical grades and
   non-hierarchical components. As a grade ascends, so does its integrity.

   Supported labels are biba/low, biba/equal, and biba/high, where:

     * biba/low is considered the lowest integrity an object or subject may
       have. Setting this on objects or subjects blocks their write access to
       objects or subjects marked as biba/high, but will not prevent read
       access.

     * biba/equal should only be placed on objects considered to be exempt
       from the policy.

     * biba/high permits writing to objects set at a lower label, but does
       not permit reading that object. It is recommended that this label be
       placed on objects that affect the integrity of the entire system.

   Biba provides:

     * Hierarchical integrity levels with a set of non-hierarchical integrity
       categories.

     * Fixed rules are no write up, no read down, the opposite of MLS. A
       subject can have write access to objects on its own level or below,
       but not above. Similarly, a subject can have read access to objects on
       its own level or above, but not below.

     * Integrity by preventing inappropriate modification of data.

     * Integrity levels instead of MLS sensitivity levels.

   The following tunables can be used to manipulate the Biba policy:

     * security.mac.biba.enabled is used to enable or disable enforcement of
       the Biba policy on the target machine.

     * security.mac.biba.ptys_equal is used to disable the Biba policy on
       pty(4) devices.

     * security.mac.biba.revocation_enabled forces the revocation of access
       to objects if the label is changed to dominate the subject.

   To access the Biba policy setting on system objects, use setfmac and
   getfmac:

 # setfmac biba/low test
 # getfmac test
 test: biba/low

   Integrity, which is different from sensitivity, is used to guarantee that
   information is not manipulated by untrusted parties. This includes
   information passed between subjects and objects. It ensures that users
   will only be able to modify or access information they have been given
   explicit access to. The mac_biba(4) security policy module permits an
   administrator to configure which files and programs a user may see and
   invoke while assuring that the programs and files are trusted by the
   system for that user.

   During the initial planning phase, an administrator must be prepared to
   partition users into grades, levels, and areas. The system will default to
   a high label once this policy module is enabled, and it is up to the
   administrator to configure the different grades and levels for users.
   Instead of using clearance levels, a good planning method could include
   topics. For instance, only allow developers modification access to the
   source code repository, source code compiler, and other development
   utilities. Other users would be grouped into other categories such as
   testers, designers, or end users and would only be permitted read access.

   A lower integrity subject is unable to write to a higher integrity subject
   and a higher integrity subject cannot list or read a lower integrity
   object. Setting a label at the lowest possible grade could make it
   inaccessible to subjects. Some prospective environments for this security
   policy module would include a constrained web server, a development and
   test machine, and a source code repository. A less useful implementation
   would be a personal workstation, a machine used as a router, or a network
   firewall.

  15.5.8. MAC Low-watermark ******

   Module name: mac_lomac.ko

   Kernel configuration line: options MAC_LOMAC

   Boot option: mac_lomac_load="YES"

   Unlike the MAC Biba policy, the mac_lomac(4) policy permits access to
   lower integrity objects only after decreasing the integrity level to not
   disrupt any integrity rules.

   The Low-watermark integrity policy works almost identically to Biba, with
   the exception of using floating labels to support subject demotion via an
   auxiliary grade compartment. This secondary compartment takes the form
   [auxgrade]. When assigning a policy with an auxiliary grade, use the
   syntax lomac/10[2], where 2 is the auxiliary grade.

   This policy relies on the ubiquitous labeling of all system objects with
   integrity labels, permitting subjects to read from low integrity objects
   and then downgrading the label on the subject to prevent future writes to
   high integrity objects using [auxgrade]. The policy may provide greater
   compatibility and require less initial configuration than Biba.

   Like the Biba and MLS policies, setfmac and setpmac are used to place
   labels on system objects:

 # setfmac /usr/home/trhodes lomac/high[low]
 # getfmac /usr/home/trhodes lomac/high[low]

   The auxiliary grade low is a feature provided only by the MAC LOMAC
   policy.

15.6. User Lock Down

   This example considers a relatively small storage system with fewer than
   fifty users. Users will have login capabilities and are permitted to store
   data and access resources.

   For this scenario, the mac_bsdextended(4) and mac_seeotheruids(4) policy
   modules could co-exist and block access to system objects while hiding
   user processes.

   Begin by adding the following line to /boot/loader.conf:

 mac_seeotheruids_load="YES"

   The mac_bsdextended(4) security policy module may be activated by adding
   this line to /etc/rc.conf:

 ugidfw_enable="YES"

   Default rules stored in /etc/rc.bsdextended will be loaded at system
   initialization. However, the default entries may need modification. Since
   this machine is expected only to service users, everything may be left
   commented out except the last two lines in order to force the loading of
   user owned system objects by default.

   Add the required users to this machine and reboot. For testing purposes,
   try logging in as a different user across two consoles. Run ps aux to see
   if processes of other users are visible. Verify that running ls(1) on
   another user's home directory fails.

   Do not try to test with the root user unless the specific sysctls have
   been modified to block super user access.

  ******:

   When a new user is added, their mac_bsdextended(4) rule will not be in the
   ruleset list. To update the ruleset quickly, unload the security policy
   module and reload it again using kldunload(8) and kldload(8).

15.7. *** MAC Jail ********* Nagios

   This section demonstrates the steps that are needed to implement the
   Nagios network monitoring system in a MAC environment. This is meant as an
   example which still requires the administrator to test that the
   implemented policy meets the security requirements of the network before
   using in a production environment.

   This example requires multilabel to be set on each file system. It also
   assumes that net-mgmt/nagios-plugins, net-mgmt/nagios, and www/apache22
   are all installed, configured, and working correctly before attempting the
   integration into the MAC framework.

  15.7.1. *********************************

   Begin the procedure by adding the following user class to /etc/login.conf:

 insecure:\
 :copyright=/etc/COPYRIGHT:\
 :welcome=/etc/motd:\
 :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
 :path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
 :manpath=/usr/share/man /usr/local/man:\
 :nologin=/usr/sbin/nologin:\
 :cputime=1h30m:\
 :datasize=8M:\
 :vmemoryuse=100M:\
 :stacksize=2M:\
 :memorylocked=4M:\
 :memoryuse=8M:\
 :filesize=8M:\
 :coredumpsize=8M:\
 :openfiles=24:\
 :maxproc=32:\
 :priority=0:\
 :requirehome:\
 :passwordtime=91d:\
 :umask=022:\
 :ignoretime@:\
 :label=biba/10(10-10):

   Then, add the following line to the default user class section:

 :label=biba/high:

   Save the edits and issue the following command to rebuild the database:

 # cap_mkdb /etc/login.conf

  15.7.2. ***************

   Set the root user to the default class using:

 # pw usermod root -L default

   All user accounts that are not root will now require a login class. The
   login class is required, otherwise users will be refused access to common
   commands. The following sh script should do the trick:

 # for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \
         /etc/passwd`; do pw usermod $x -L default; done;

   Next, drop the nagios and www accounts into the insecure class:

 # pw usermod nagios -L insecure
 # pw usermod www -L insecure

  15.7.3. *************** (Context File)

   A contexts file should now be created as /etc/policy.contexts:

 # This is the default BIBA policy for this system.

 # System:
 /var/run(/.*)?                  biba/equal

 /dev/(/.*)?                     biba/equal

 /var                            biba/equal
 /var/spool(/.*)?                biba/equal

 /var/log(/.*)?                  biba/equal

 /tmp(/.*)?                      biba/equal
 /var/tmp(/.*)?                  biba/equal

 /var/spool/mqueue               biba/equal
 /var/spool/clientmqueue         biba/equal

 # For Nagios:
 /usr/local/etc/nagios(/.*)?     biba/10

 /var/spool/nagios(/.*)?         biba/10

 # For apache
 /usr/local/etc/apache(/.*)?     biba/10

   This policy enforces security by setting restrictions on the flow of
   information. In this specific configuration, users, including root, should
   never be allowed to access Nagios. Configuration files and processes that
   are a part of Nagios will be completely self contained or jailed.

   This file will be read after running setfsmac on every file system. This
   example sets the policy on the root file system:

 # setfsmac -ef /etc/policy.contexts /

   Next, add these edits to the main section of /etc/mac.conf:

 default_labels file ?biba
 default_labels ifnet ?biba
 default_labels process ?biba
 default_labels socket ?biba

  15.7.4. ******************

   To finish the configuration, add the following lines to /boot/loader.conf:

 mac_biba_load="YES"
 mac_seeotheruids_load="YES"
 security.mac.biba.trust_all_interfaces=1

   And the following line to the network card configuration stored in
   /etc/rc.conf. If the primary network configuration is done via DHCP, this
   may need to be configured manually after every system boot:

 maclabel biba/equal

  15.7.5. ************

   First, ensure that the web server and Nagios will not be started on system
   initialization and reboot. Ensure that root cannot access any of the files
   in the Nagios configuration directory. If root can list the contents of
   /var/spool/nagios, something is wrong. Instead, a "permission denied"
   error should be returned.

   If all seems well, Nagios, Apache, and Sendmail can now be started:

 # cd /etc/mail && make stop && \
 setpmac biba/equal make start && setpmac biba/10\(10-10\) apachectl start && \
 setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart

   Double check to ensure that everything is working properly. If not, check
   the log files for error messages. If needed, use sysctl(8) to disable the
   mac_biba(4) security policy module and try starting everything again as
   usual.

  ******:

   The root user can still change the security enforcement and edit its
   configuration files. The following command will permit the degradation of
   the security policy to a lower grade for a newly spawned shell:

 # setpmac biba/10 csh

   To block this from happening, force the user into a range using
   login.conf(5). If setpmac(8) attempts to run a command outside of the
   compartment's range, an error will be returned and the command will not be
   executed. In this case, set root to biba/high(high-high).

15.8. MAC ******************

   This section discusses common configuration errors and how to resolve
   them.

   The multilabel flag does not stay enabled on the root (/) partition:

           The following steps may resolve this transient error:

             1. Edit /etc/fstab and set the root partition to ro for
                read-only.

             2. Reboot into single user mode.

             3. Run tunefs -l enable on /.

             4. Reboot the system.

             5. Run mount -urw / and change the ro back to rw in /etc/fstab
                and reboot the system again.

             6. Double-check the output from mount to ensure that multilabel
                has been properly set on the root file system.

   After establishing a secure environment with MAC, Xorg no longer starts:

           This could be caused by the MAC partition policy or by a
           mislabeling in one of the MAC labeling policies. To debug, try the
           following:

             1. Check the error message. If the user is in the insecure
                class, the partition policy may be the culprit. Try setting
                the user's class back to the default class and rebuild the
                database with cap_mkdb. If this does not alleviate the
                problem, go to step two.

             2. Double-check that the label policies are set correctly for
                the user, Xorg, and the /dev entries.

             3. If neither of these resolve the problem, send the error
                message and a description of the environment to the FreeBSD
                general questions mailing list.

   The _secure_path: unable to stat .login_conf error appears:

           This error can appear when a user attempts to switch from the root
           user to another user in the system. This message usually occurs
           when the user has a higher label setting than that of the user
           they are attempting to become. For instance, if joe has a default
           label of biba/low and root has a label of biba/high, root cannot
           view joe's home directory. This will happen whether or not root
           has used su to become joe as the Biba integrity model will not
           permit root to view objects set at a lower integrity level.

   The system no longer recognizes root:

           When this occurs, whoami returns 0 and su returns who are you?.

           This can happen if a labeling policy has been disabled by
           sysctl(8) or the policy module was unloaded. If the policy is
           disabled, the login capabilities database needs to be
           reconfigured. Double check /etc/login.conf to ensure that all
           label options have been removed and rebuild the database with
           cap_mkdb.

           This may also happen if a policy restricts access to
           master.passwd. This is usually caused by an administrator altering
           the file under a label which conflicts with the general policy
           being used by the system. In these cases, the user information
           would be read by the system and access would be blocked as the
           file has inherited the new label. Disable the policy using
           sysctl(8) and everything should return to normal.

*** 16. ******************

   Written by Tom Rhodes and Robert Watson.
   ************

   16.1. ******

   16.2. *********

   16.3. ************

   16.4. ******************

16.1. ******

   The FreeBSD operating system includes support for security event auditing.
   Event auditing supports reliable, fine-grained, and configurable logging
   of a variety of security-relevant system events, including logins,
   configuration changes, and file and network access. These log records can
   be invaluable for live system monitoring, intrusion detection, and
   postmortem analysis. FreeBSD implements Sun(TM)'s published Basic Security
   Module (BSM) Application Programming Interface (API) and file format, and
   is interoperable with the Solaris(TM) and Mac OS(R) X audit
   implementations.

   This chapter focuses on the installation and configuration of event
   auditing. It explains audit policies and provides an example audit
   configuration.

   ****************************

     * What event auditing is and how it works.

     * How to configure event auditing on FreeBSD for users and processes.

     * How to review the audit trail using the audit reduction and review
       tools.

   ****************************************

     * ****** UNIX(R) *** FreeBSD ****** (*** 3, FreeBSD ******)._

     * Be familiar with the basics of kernel configuration/compilation
       (*** 8, ****** FreeBSD ******).

     * Have some familiarity with security and how it pertains to FreeBSD
       (*** 13, *********).

  ******:

   The audit facility has some known limitations. Not all security-relevant
   system events are auditable and some login mechanisms, such as Xorg-based
   display managers and third-party daemons, do not properly configure
   auditing for user login sessions.

   The security event auditing facility is able to generate very detailed
   logs of system activity. On a busy system, trail file data can be very
   large when configured for high detail, exceeding gigabytes a week in some
   configurations. Administrators should take into account the disk space
   requirements associated with high volume audit configurations. For
   example, it may be desirable to dedicate a file system to /var/audit so
   that other file systems are not affected if the audit file system becomes
   full.

16.2. *********

   The following terms are related to security event auditing:

     * event: an auditable event is any event that can be logged using the
       audit subsystem. Examples of security-relevant events include the
       creation of a file, the building of a network connection, or a user
       logging in. Events are either "attributable", meaning that they can be
       traced to an authenticated user, or "non-attributable". Examples of
       non-attributable events are any events that occur before
       authentication in the login process, such as bad password attempts.

     * class: a named set of related events which are used in selection
       expressions. Commonly used classes of events include "file creation"
       (fc), "exec" (ex), and "login_logout" (lo).

     * record: an audit log entry describing a security event. Records
       contain a record event type, information on the subject (user)
       performing the action, date and time information, information on any
       objects or arguments, and a success or failure condition.

     * trail: a log file consisting of a series of audit records describing
       security events. Trails are in roughly chronological order with
       respect to the time events completed. Only authorized processes are
       allowed to commit records to the audit trail.

     * selection expression: a string containing a list of prefixes and audit
       event class names used to match events.

     * preselection: the process by which the system identifies which events
       are of interest to the administrator. The preselection configuration
       uses a series of selection expressions to identify which classes of
       events to audit for which users, as well as global settings that apply
       to both authenticated and unauthenticated processes.

     * reduction: the process by which records from existing audit trails are
       selected for preservation, printing, or analysis. Likewise, the
       process by which undesired audit records are removed from the audit
       trail. Using reduction, administrators can implement policies for the
       preservation of audit data. For example, detailed audit trails might
       be kept for one month, but after that, trails might be reduced in
       order to preserve only login information for archival purposes.

16.3. ************

   User space support for event auditing is installed as part of the base
   FreeBSD operating system. Kernel support is available in the GENERIC
   kernel by default, and auditd(8) can be enabled by adding the following
   line to /etc/rc.conf:

 auditd_enable="YES"

   Then, start the audit daemon:

 # service auditd start

   Users who prefer to compile a custom kernel must include the following
   line in their custom kernel configuration file:

 options AUDIT

  16.3.1. *********************

   Selection expressions are used in a number of places in the audit
   configuration to determine which events should be audited. Expressions
   contain a list of event classes to match. Selection expressions are
   evaluated from left to right, and two expressions are combined by
   appending one onto the other.

   ****** 16.1, "************************" summarizes the default audit event
   classes:

   ****** 16.1. ************************

   ************        ******                         ******                  
   all          all                   Match all event classes.                
   aa           authentication and                                            
                authorization         
   ad           administrative        Administrative actions performed on the 
                                      system as a whole.                      
   ap           application           Application defined action.             
   cl           file close            Audit calls to the close system call.   
                                      Audit program execution. Auditing of    
                                      command line arguments and              
   ex           exec                  environmental variables is controlled   
                                      via audit_control(5) using the argv and 
                                      envv parameters to the policy setting.  
   fa           file attribute access Audit the access of object attributes   
                                      such as stat(1) and pathconf(2).        
   fc           file create           Audit events where a file is created as 
                                      a result.                               
   fd           file delete           Audit events where file deletion        
                                      occurs.                                 
                                      Audit events where file attribute       
   fm           file attribute modify modification occurs, such as by         
                                      chown(8), chflags(1), and flock(2).     
   fr           file read             Audit events in which data is read or   
                                      files are opened for reading.           
   fw           file write            Audit events in which data is written   
                                      or files are written or modified.       
   io           ioctl                 Audit use of the ioctl system call.     
                                      Audit various forms of Inter-Process    
   ip           ipc                   Communication, including POSIX pipes    
                                      and System V IPC operations.            
   lo           login_logout          Audit login(1) and logout(1) events.    
   na           non attributable      Audit non-attributable events.          
   no           invalid class         Match no audit events.                  
   nt           network               Audit events related to network actions 
                                      such as connect(2) and accept(2).       
   ot           other                 Audit miscellaneous events.             
   pc           process               Audit process operations such as        
                                      exec(3) and exit(3).                    

   These audit event classes may be customized by modifying the audit_class
   and audit_event configuration files.

   Each audit event class may be combined with a prefix indicating whether
   successful/failed operations are matched, and whether the entry is adding
   or removing matching for the class and type. ****** 16.2,
   "************************" summarizes the available prefixes:

   ****** 16.2. ************************

     ******                                ******                             
   +           Audit successful events in this class.                         
   -           Audit failed events in this class.                             
   ^           Audit neither successful nor failed events in this class.      
   ^+          Do not audit successful events in this class.                  
   ^-          Do not audit failed events in this class.                      

   If no prefix is present, both successful and failed instances of the event
   will be audited.

   The following example selection string selects both successful and failed
   login/logout events, but only successful execution events:

 lo,+ex

  16.3.2. *********

   The following configuration files for security event auditing are found in
   /etc/security:

     * audit_class: contains the definitions of the audit classes.

     * audit_control: controls aspects of the audit subsystem, such as
       default audit classes, minimum disk space to leave on the audit log
       volume, and maximum audit trail size.

     * audit_event: textual names and descriptions of system audit events and
       a list of which classes each event is in.

     * audit_user: user-specific audit requirements to be combined with the
       global defaults at login.

     * audit_warn: a customizable shell script used by auditd(8) to generate
       warning messages in exceptional situations, such as when space for
       audit records is running low or when the audit trail file has been
       rotated.

  ******:

   Audit configuration files should be edited and maintained carefully, as
   errors in configuration may result in improper logging of events.

   In most cases, administrators will only need to modify audit_control and
   audit_user. The first file controls system-wide audit properties and
   policies and the second file may be used to fine-tune auditing by user.

    16.3.2.1. The audit_control File

   A number of defaults for the audit subsystem are specified in
   audit_control:

 dir:/var/audit
 dist:off
 flags:lo,aa
 minfree:5
 naflags:lo,aa
 policy:cnt,argv
 filesz:2M
 expire-after:10M

   The dir entry is used to set one or more directories where audit logs will
   be stored. If more than one directory entry appears, they will be used in
   order as they fill. It is common to configure audit so that audit logs are
   stored on a dedicated file system, in order to prevent interference
   between the audit subsystem and other subsystems if the file system fills.

   If the dist field is set to on or yes, hard links will be created to all
   trail files in /var/audit/dist.

   The flags field sets the system-wide default preselection mask for
   attributable events. In the example above, successful and failed
   login/logout events as well as authentication and authorization are
   audited for all users.

   The minfree entry defines the minimum percentage of free space for the
   file system where the audit trail is stored.

   The naflags entry specifies audit classes to be audited for non-attributed
   events, such as the login/logout process and authentication and
   authorization.

   The policy entry specifies a comma-separated list of policy flags
   controlling various aspects of audit behavior. The cnt indicates that the
   system should continue running despite an auditing failure (this flag is
   highly recommended). The other flag, argv, causes command line arguments
   to the execve(2) system call to be audited as part of command execution.

   The filesz entry specifies the maximum size for an audit trail before
   automatically terminating and rotating the trail file. A value of 0
   disables automatic log rotation. If the requested file size is below the
   minimum of 512k, it will be ignored and a log message will be generated.

   The expire-after field specifies when audit log files will expire and be
   removed.

    16.3.2.2. The audit_user File

   The administrator can specify further audit requirements for specific
   users in audit_user. Each line configures auditing for a user via two
   fields: the alwaysaudit field specifies a set of events that should always
   be audited for the user, and the neveraudit field specifies a set of
   events that should never be audited for the user.

   The following example entries audit login/logout events and successful
   command execution for root and file creation and successful command
   execution for www. If used with the default audit_control, the lo entry
   for root is redundant, and login/logout events will also be audited for
   www.

 root:lo,+ex:no
 www:fc,+ex:no

16.4. ******************

   Since audit trails are stored in the BSM binary format, several built-in
   tools are available to modify or convert these trails to text. To convert
   trail files to a simple text format, use praudit. To reduce the audit
   trail file for analysis, archiving, or printing purposes, use auditreduce.
   This utility supports a variety of selection parameters, including event
   type, event class, user, date or time of the event, and the file path or
   object acted on.

   For example, to dump the entire contents of a specified audit log in plain
   text:

 # praudit /var/audit/AUDITFILE

   Where AUDITFILE is the audit log to dump.

   Audit trails consist of a series of audit records made up of tokens, which
   praudit prints sequentially, one per line. Each token is of a specific
   type, such as header (an audit record header) or path (a file path from a
   name lookup). The following is an example of an execve event:

 header,133,10,execve(2),0,Mon Sep 25 15:58:03 2006, + 384 msec
 exec arg,finger,doug
 path,/usr/bin/finger
 attribute,555,root,wheel,90,24918,104944
 subject,robert,root,wheel,root,wheel,38439,38032,42086,128.232.9.100
 return,success,0
 trailer,133

   This audit represents a successful execve call, in which the command
   finger doug has been run. The exec arg token contains the processed
   command line presented by the shell to the kernel. The path token holds
   the path to the executable as looked up by the kernel. The attribute token
   describes the binary and includes the file mode. The subject token stores
   the audit user ID, effective user ID and group ID, real user ID and group
   ID, process ID, session ID, port ID, and login address. Notice that the
   audit user ID and real user ID differ as the user robert switched to the
   root account before running this command, but it is audited using the
   original authenticated user. The return token indicates the successful
   execution and the trailer concludes the record.

   XML output format is also supported and can be selected by including -x.

   Since audit logs may be very large, a subset of records can be selected
   using auditreduce. This example selects all audit records produced for the
   user trhodes stored in AUDITFILE:

 # auditreduce -u trhodes /var/audit/AUDITFILE | praudit

   Members of the audit group have permission to read audit trails in
   /var/audit. By default, this group is empty, so only the root user can
   read audit trails. Users may be added to the audit group in order to
   delegate audit review rights. As the ability to track audit log contents
   provides significant insight into the behavior of users and processes, it
   is recommended that the delegation of audit review rights be performed
   with caution.

  16.4.1. ****** Audit Pipes ************

   Audit pipes are cloning pseudo-devices which allow applications to tap the
   live audit record stream. This is primarily of interest to authors of
   intrusion detection and system monitoring applications. However, the audit
   pipe device is a convenient way for the administrator to allow live
   monitoring without running into problems with audit trail file ownership
   or log rotation interrupting the event stream. To track the live audit
   event stream:

 # praudit /dev/auditpipe

   By default, audit pipe device nodes are accessible only to the root user.
   To make them accessible to the members of the audit group, add a devfs
   rule to /etc/devfs.rules:

 add path 'auditpipe*' mode 0440 group audit

   See devfs.rules(5) for more information on configuring the devfs file
   system.

  ******:

   It is easy to produce audit event feedback cycles, in which the viewing of
   each audit event results in the generation of more audit events. For
   example, if all network I/O is audited, and praudit is run from an SSH
   session, a continuous stream of audit events will be generated at a high
   rate, as each event being printed will generate another event. For this
   reason, it is advisable to run praudit on an audit pipe device from
   sessions without fine-grained I/O auditing.

  16.4.2. *************** Audit Trail ***

   Audit trails are written to by the kernel and managed by the audit daemon,
   auditd(8). Administrators should not attempt to use newsyslog.conf(5) or
   other tools to directly rotate audit logs. Instead, audit should be used
   to shut down auditing, reconfigure the audit system, and perform log
   rotation. The following command causes the audit daemon to create a new
   audit log and signal the kernel to switch to using the new log. The old
   log will be terminated and renamed, at which point it may then be
   manipulated by the administrator:

 # audit -n

   If auditd(8) is not currently running, this command will fail and an error
   message will be produced.

   Adding the following line to /etc/crontab will schedule this rotation
   every twelve hours:

 0     */12       *       *       *       root    /usr/sbin/audit -n

   The change will take effect once /etc/crontab is saved.

   Automatic rotation of the audit trail file based on file size is possible
   using filesz in audit_control as described in *** 16.3.2.1, "The
   audit_control File".

   As audit trail files can become very large, it is often desirable to
   compress or otherwise archive trails once they have been closed by the
   audit daemon. The audit_warn script can be used to perform customized
   operations for a variety of audit-related events, including the clean
   termination of audit trails when they are rotated. For example, the
   following may be added to /etc/security/audit_warn to compress audit
   trails on close:

 #
 # Compress audit trail files on close.
 #
 if [ "$1" = closefile ]; then
         gzip -9 $2
 fi

   Other archiving activities might include copying trail files to a
   centralized server, deleting old trail files, or reducing the audit trail
   to remove unneeded records. This script will be run only when audit trail
   files are cleanly terminated, so will not be run on trails left
   unterminated following an improper shutdown.

*** 17. ************

   ************

   17.1. ******

   17.2. ************

   17.3. ***************************

   17.4. USB ************

   17.5. *************** CD ******

   17.6. *************** DVD ******

   17.7. *********************

   17.8. ******************

   17.9. ***************

   17.10. ******************

   17.11. ************

   17.12. *********************

   17.13. ******************

   17.14. ********************* (HAST)

17.1. ******

   ********************* FreeBSD *****************************************
   SCSI *** IDE ******,_CD *** DVD ******,_****************** USB
   ************._

   ****************************

     * ********* FreeBSD ***************************._

     * ********* FreeBSD ******************************._

     * ************ FreeBSD ****** USB ************._

     * ********* FreeBSD ************ CD *** DVD ******._

     * *************** FreeBSD ************************._

     * ***************************._

     * *************************** (Snapshot) ************************._

     * ****************** (Quota) ******************************._

     * ***************************************************._

     * ************************ (Highly available) ***************._

   ****************************************

     * ************ ********************* FreeBSD ******._

17.2. ************

   Originally contributed by David O'Brien.

   ********************************* SATA
   *********************************************._
   ************************************,_******************************************************************._***************************
   root._

   ****** /var/run/dmesg.boot
   *********************************._******************** ada1
   ****************** SATA ******._

   ********************************************************************** GPT
   ************************************************ MBR ******._

  ******:

   ************************************************** gpart delete
   ******************************._********* gpart(8) ******************._

   **************************************************************************************************************************
   (Block size)*********************** 1 MB ***********

 # gpart create -s GPT ada1
 # gpart add -t freebsd-ufs -a 1M ada1

   *****************************************************._********* gpart(8)
   ***************************************._

   ********************************* gpart show ********

 % gpart show ada1
 =>        34  1465146988  ada1  GPT  (699G)
           34        2014        - free -  (1.0M)
         2048  1465143296     1  freebsd-ufs  (699G)
   1465145344        1678        - free -  (839K)

   **************************************************

 # newfs -U /dev/ada1p1

   *********************************************
   (mountpoint)****************************************************************************

 # mkdir /newdisk

   ********************************
   /etc/fstab*******************************************

 /dev/ada1p1     /newdisk        ufs     rw      2       2

   **********************************************************

 # mount /newdisk

17.3. ***************************

   Originally contributed by Allan Jude.

   *********************************************************************._***********************************************************************._************************************
   USB
   ********************************************._******************************************
   ****** ************************************._

   ******************************************************
   /var/run/dmesg.boot._************************************** SATA
   *********************** ada0 ******._

   ********************************************************

 # gpart show ada0
 =>      34  83886013  ada0  GPT  (48G) [CORRUPT]
         34       128     1  freebsd-boot  (64k)
        162  79691648     2  freebsd-ufs  (38G)
   79691810   4194236     3  freebsd-swap  (2G)
   83886046         1        - free -  (512B)

  ******:

   ****************** GPT ***********************************************
   "********* (corrupted)" ****** GPT
   ******************************************._ ****** gpart
   **************************

 # gpart recover ada0
 ada0 recovered

   *******************************************************************************************************************

 # gpart show ada0
 =>       34  102399933  ada0  GPT  (48G)
          34        128     1  freebsd-boot  (64k)
         162   79691648     2  freebsd-ufs  (38G)
    79691810    4194236     3  freebsd-swap  (2G)
    83886046   18513921        - free -  (8.8G)

   *********************************************************._********************************************************
   (Swap)
   ********************************************************************._***********************************************************************************,_***********************************************************************************._

   ***********************

 # swapoff /dev/ada0p3

   ****** ada0 ***************************************** -i
   ************************._

 # gpart delete -i 3 ada0
 ada0p3 deleted
 # gpart show ada0
 =>       34  102399933  ada0  GPT  (48G)
          34        128     1  freebsd-boot  (64k)
         162   79691648     2  freebsd-ufs  (38G)
    79691810   22708157        - free -  (10G)

  ******:

   ************************************************************************._******************************************************
   (****** Live CD-ROM *** USB ******)
   ******************._************************************************* GEOM
   **************************************************************************

 # sysctl kern.geom.debugflags=16

   ***********************************************************************************************************
   -i ************************************** -s
   ********************************************
   -a._***********************************************************************************************._

 # gpart resize -i 2 -s 47G -a 4k ada0
 ada0p2 resized
 # gpart show ada0
 =>       34  102399933  ada0  GPT  (48G)
          34        128     1  freebsd-boot  (64k)
         162   98566144     2  freebsd-ufs  (47G)
    98566306    3833661        - free -  (1.8G)

   *********************************************** -s
   ***********************************************

 # gpart add -t freebsd-swap -a 4k ada0
 ada0p3 added
 # gpart show ada0
 =>       34  102399933  ada0  GPT  (48G)
          34        128     1  freebsd-boot  (64k)
         162   98566144     2  freebsd-ufs  (47G)
    98566306    3833661     3  freebsd-swap  (1.8G)
 # swapon /dev/ada0p3

   ****** UFS **************************************************************

 # growfs /dev/ada0p2
 Device is mounted read-write; resizing will result in temporary write suspension for /.
 It's strongly recommended to make a backup before growing the file system.
 OK to grow file system on /dev/ada0p2, mounted on /, from 38GB to 47GB? [Yes/No] Yes
 super-block backups (for fsck -b #) at:
  80781312, 82063552, 83345792, 84628032, 85910272, 87192512, 88474752,
  89756992, 91039232, 92321472, 93603712, 94885952, 96168192, 97450432

   ********************* ZFS*********************** online ******************
   -e *****************

 # zpool online -e zroot /dev/ada0p2

   ************************************************************************************._

17.4. USB ************

   Contributed by Marc Fonvieille.

   *****************************************************,_USB ************ CD
   *** DVD *************************************** (Universal Serial Bus,
   USB)**FreeBSD ************ USB 1.x, 2.0 *** 3.0 ***************._

  ******:

   ************************ USB 3.0******** Haswell (Lynx point)
   ************** FreeBSD ************ failed with error 19
   ******************** BIOS ****** xHCI/USB3._

   *** USB ********************************* GENERIC
   ************************************************************************************

 device scbus    # SCSI bus (required for ATA/SCSI)
 device da       # Direct Access (disks)
 device pass     # Passthrough device (direct ATA/SCSI access)
 device uhci     # provides USB 1.x support
 device ohci     # provides USB 1.x support
 device ehci     # provides USB 2.0 support
 device xhci     # provides USB 3.0 support
 device usb      # USB Bus (required)
 device umass    # Disks/Mass storage - Requires scbus and da
 device cd       # needed for CD and DVD burners

   FreeBSD ****** umass(4) ****************** SCSI ****************** USB
   ************************************** USB *************** SCSI
   ***************** USB ********* CD *** DVD
   ***************************************************** device atapicam._

   ****************************************** FreeBSD ************ USB
   ***************************************._

  17.4.1. ************

   ********* USB ******************** USB ******************** dmesg
   *************************************************************************

 umass0: <STECH Simple Drive, class 0/0, rev 2.00/1.04, addr 3> on usbus0
 umass0:  SCSI over Bulk-Only; quirks = 0x0100
 umass0:4:0:-1: Attached to scbus4
 da0 at umass-sim0 bus 0 scbus4 target 0 lun 0
 da0: <STECH Simple Drive 1.04> Fixed Direct Access SCSI-4 device
 da0: Serial Number WD-WXE508CAN263
 da0: 40.000MB/s transfers
 da0: 152627MB (312581808 512 byte sectors: 255H 63S/T 19457C)
 da0: quirks=0x2<NO_6_BYTE>

   ************************************,_************
   (da0),_***************._

   *** USB ****************** SCSI *********************** camcontrol
   *************************** USB **************

 # camcontrol devlist
 <STECH Simple Drive 1.04>          at scbus4 target 0 lun 0 (pass3,da0)

   ******************** usbconfig ************************** usbconfig(8)
   ***************************************._

 # usbconfig
 ugen0.3: <Simple Drive STECH> at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (2mA)

   ***************************************** *** 17.2, "************"
   ****************** USB
   ******************************************._***********************************
   root ****** *** 3.7, "***************************"
   ************************._

  ******:

   **************************************************************
   vfs.usermount********************._**************************************************************************************************._

   *****************************************************************************
   pw(8) ********************************* operator
   ***************._***************************** /etc/devfs.rules *********
   operator *****************************

 [localrules=5]
 add path 'da*' mode 0660 group operator

  ******:

   ********************************* SCSI **********************************

 add path 'da[3-9]*' mode 0660 group operator

   ********* operator ************************ SCSI ****** (da0 ***
   da2)************** 3 ********* SCSI ***************._*********
   devfs.rules(5) ***************************************._

   *********** /etc/rc.conf **************

 devfs_system_ruleset="localrules"

   ************************** /etc/sysctl.conf
   *****************************************************

 vfs.usermount=1

   ***************************************************** sysctl
   *****************************

 # sysctl vfs.usermount=1
 vfs.usermount: 0 -> 1

   ***********************************************************************************************************************._************************
   root ***************************************
   /mnt/username._*********************** username
   ****************************************** usergroup
   **************************************

 # mkdir /mnt/username
 # chown username:usergroup /mnt/username

   ****************** USB *********************** /dev/da0s1
   ******._*************** FAT
   *******************************************************************************

 % mount -t msdosfs -o -m=644,-M=755 /dev/da0s1 /mnt/username

   **********************************************

 % umount /mnt/username

   *******************************************************************

 umass0: at uhub3, port 2, addr 3 (disconnected)
 da0 at umass-sim0 bus 0 scbus4 target 0 lun 0
 da0: <STECH Simple Drive 1.04> s/n WD-WXE508CAN263          detached
 (da0:umass-sim0:0:0:0): Periph destroyed

  17.4.2. ******************************

   ********************* /etc/auto_master *************************** USB
   ********

 /media          -media          -nosuid

   ************************ /etc/devd.conf**

 notify 100 {
         match "system" "GEOM";
         match "subsystem" "DEV";
         action "/usr/sbin/automount -c";
 };

   *** autofs(5) ****** devd(8)
   **********************************************

 # service automount restart
 # service devd restart

   ************ autofs(5) ***************************************
   /etc/rc.conf**

 autofs_enable="YES"

   autofs(5) ************ devd(8)********************._

   ********************

 # service automount start
 # service automountd start
 # service autounmountd start
 # service devd start

   ****************************************** /media/
   ************************************************************************************************************._

   ********************************************************************************************._*****************************************

 # automount -fu

   *************************************** USB *****************************
   Block ************************** iSCSI LUN._

17.5. *************** CD ******

   Contributed by Mike Meyer.

   Compact Disc (CD) media provide a number of features that differentiate
   them from conventional disks. They are designed so that they can be read
   continuously without delays to move the head between tracks. While CD
   media do have tracks, these refer to a section of data to be read
   continuously, and not a physical property of the disk. The ISO 9660 file
   system was designed to deal with these differences.

   The FreeBSD Ports Collection provides several utilities for burning and
   duplicating audio and data CDs. This chapter demonstrates the use of
   several command line utilities. For CD burning software with a graphical
   utility, consider installing the sysutils/xcdroast or sysutils/k3b
   packages or ports.

  17.5.1. ***************

   Contributed by Marc Fonvieille.

   The GENERIC kernel provides support for SCSI, USB, and ATAPI CD readers
   and burners. If a custom kernel is used, the options that need to be
   present in the kernel configuration file vary by the type of device.

   For a SCSI burner, make sure these options are present:

 device scbus    # SCSI bus (required for ATA/SCSI)
 device da       # Direct Access (disks)
 device pass     # Passthrough device (direct ATA/SCSI access)
 device cd       # needed for CD and DVD burners

   For a USB burner, make sure these options are present:

 device scbus    # SCSI bus (required for ATA/SCSI)
 device da       # Direct Access (disks)
 device pass     # Passthrough device (direct ATA/SCSI access)
 device cd       # needed for CD and DVD burners
 device uhci     # provides USB 1.x support
 device ohci     # provides USB 1.x support
 device ehci     # provides USB 2.0 support
 device xhci     # provides USB 3.0 support
 device usb      # USB Bus (required)
 device umass    # Disks/Mass storage - Requires scbus and da

   For an ATAPI burner, make sure these options are present:

 device ata      # Legacy ATA/SATA controllers
 device scbus    # SCSI bus (required for ATA/SCSI)
 device pass     # Passthrough device (direct ATA/SCSI access)
 device cd       # needed for CD and DVD burners

  ******:

   On FreeBSD versions prior to 10.x, this line is also needed in the kernel
   configuration file if the burner is an ATAPI device:

 device atapicam

   Alternately, this driver can be loaded at boot time by adding the
   following line to /boot/loader.conf:

 atapicam_load="YES"

   This will require a reboot of the system as this driver can only be loaded
   at boot time.

   To verify that FreeBSD recognizes the device, run dmesg and look for an
   entry for the device. On systems prior to 10.x, the device name in the
   first line of the output will be acd0 instead of cd0.

 % dmesg | grep cd
 cd0 at ahcich1 bus 0 scbus1 target 0 lun 0
 cd0: <HL-DT-ST DVDRAM GU70N LT20> Removable CD-ROM SCSI-0 device
 cd0: Serial Number M3OD3S34152
 cd0: 150.000MB/s transfers (SATA 1.x, UDMA6, ATAPI 12bytes, PIO 8192bytes)
 cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closed

  17.5.2. ****** CD

   In FreeBSD, cdrecord can be used to burn CDs. This command is installed
   with the sysutils/cdrtools package or port.

   While cdrecord has many options, basic usage is simple. Specify the name
   of the ISO file to burn and, if the system has multiple burner devices,
   specify the name of the device to use:

 # cdrecord dev=device imagefile.iso

   To determine the device name of the burner, use -scanbus which might
   produce results like this:

 # cdrecord -scanbus
 ProDVD-ProBD-Clone 3.00 (amd64-unknown-freebsd10.0) Copyright (C) 1995-2010 Jo:rg Schilling
 Using libscg version 'schily-0.9'
 scsibus0:
         0,0,0     0) 'SEAGATE ' 'ST39236LW       ' '0004' Disk
         0,1,0     1) 'SEAGATE ' 'ST39173W        ' '5958' Disk
         0,2,0     2) *
         0,3,0     3) 'iomega  ' 'jaz 1GB         ' 'J.86' Removable Disk
         0,4,0     4) 'NEC     ' 'CD-ROM DRIVE:466' '1.26' Removable CD-ROM
         0,5,0     5) *
         0,6,0     6) *
         0,7,0     7) *
 scsibus1:
         1,0,0   100) *
         1,1,0   101) *
         1,2,0   102) *
         1,3,0   103) *
         1,4,0   104) *
         1,5,0   105) 'YAMAHA  ' 'CRW4260         ' '1.0q' Removable CD-ROM
         1,6,0   106) 'ARTEC   ' 'AM12S           ' '1.06' Scanner
         1,7,0   107) *

   Locate the entry for the CD burner and use the three numbers separated by
   commas as the value for dev. In this case, the Yamaha burner device is
   1,5,0, so the appropriate input to specify that device is dev=1,5,0. Refer
   to the manual page for cdrecord for other ways to specify this value and
   for information on writing audio tracks and controlling the write speed.

   Alternately, run the following command to get the device address of the
   burner:

 # camcontrol devlist
 <MATSHITA CDRW/DVD UJDA740 1.00>   at scbus1 target 0 lun 0 (cd0,pass0)

   Use the numeric values for scbus, target, and lun. For this example, 1,0,0
   is the device name to use.

  17.5.3. ********************* ISO ************

   In order to produce a data CD, the data files that are going to make up
   the tracks on the CD must be prepared before they can be burned to the CD.
   In FreeBSD, sysutils/cdrtools installs mkisofs, which can be used to
   produce an ISO 9660 file system that is an image of a directory tree
   within a UNIX(R) file system. The simplest usage is to specify the name of
   the ISO file to create and the path to the files to place into the ISO
   9660 file system:

 # mkisofs -o imagefile.iso /path/to/tree

   This command maps the file names in the specified path to names that fit
   the limitations of the standard ISO 9660 file system, and will exclude
   files that do not meet the standard for ISO file systems.

   A number of options are available to overcome the restrictions imposed by
   the standard. In particular, -R enables the Rock Ridge extensions common
   to UNIX(R) systems and -J enables Joliet extensions used by Microsoft(R)
   systems.

   For CDs that are going to be used only on FreeBSD systems, -U can be used
   to disable all filename restrictions. When used with -R, it produces a
   file system image that is identical to the specified FreeBSD tree, even if
   it violates the ISO 9660 standard.

   The last option of general use is -b. This is used to specify the location
   of a boot image for use in producing an "El Torito" bootable CD. This
   option takes an argument which is the path to a boot image from the top of
   the tree being written to the CD. By default, mkisofs creates an ISO image
   in "floppy disk emulation" mode, and thus expects the boot image to be
   exactly 1200, 1440 or 2880 KB in size. Some boot loaders, like the one
   used by the FreeBSD distribution media, do not use emulation mode. In this
   case, -no-emul-boot should be used. So, if /tmp/myboot holds a bootable
   FreeBSD system with the boot image in /tmp/myboot/boot/cdboot, this
   command would produce /tmp/bootable.iso:

 # mkisofs -R -no-emul-boot -b boot/cdboot -o /tmp/bootable.iso /tmp/myboot

   The resulting ISO image can be mounted as a memory disk with:

 # mdconfig -a -t vnode -f /tmp/bootable.iso -u 0
 # mount -t cd9660 /dev/md0 /mnt

   One can then verify that /mnt and /tmp/myboot are identical.

   There are many other options available for mkisofs to fine-tune its
   behavior. Refer to mkisofs(8) for details.

  ******:

   It is possible to copy a data CD to an image file that is functionally
   equivalent to the image file created with mkisofs. To do so, use dd with
   the device name as the input file and the name of the ISO to create as the
   output file:

 # dd if=/dev/cd0 of=file.iso bs=2048

   The resulting image file can be burned to CD as described in *** 17.5.2,
   "****** CD".

  17.5.4. ************ CD

   Once an ISO has been burned to a CD, it can be mounted by specifying the
   file system type, the name of the device containing the CD, and an
   existing mount point:

 # mount -t cd9660 /dev/cd0 /mnt

   Since mount assumes that a file system is of type ufs, a Incorrect super
   block error will occur if -t cd9660 is not included when mounting a data
   CD.

   While any data CD can be mounted this way, disks with certain ISO 9660
   extensions might behave oddly. For example, Joliet disks store all
   filenames in two-byte Unicode characters. If some non-English characters
   show up as question marks, specify the local charset with -C. For more
   information, refer to mount_cd9660(8).

  ******:

   In order to do this character conversion with the help of -C, the kernel
   requires the cd9660_iconv.ko module to be loaded. This can be done either
   by adding this line to loader.conf:

 cd9660_iconv_load="YES"

   and then rebooting the machine, or by directly loading the module with
   kldload.

   Occasionally, Device not configured will be displayed when trying to mount
   a data CD. This usually means that the CD drive has not detected a disk in
   the tray, or that the drive is not visible on the bus. It can take a
   couple of seconds for a CD drive to detect media, so be patient.

   Sometimes, a SCSI CD drive may be missed because it did not have enough
   time to answer the bus reset. To resolve this, a custom kernel can be
   created which increases the default SCSI delay. Add the following option
   to the custom kernel configuration file and rebuild the kernel using the
   instructions in *** 8.5, "***************************":

 options SCSI_DELAY=15000

   This tells the SCSI bus to pause 15 seconds during boot, to give the CD
   drive every possible chance to answer the bus reset.

  ******:

   It is possible to burn a file directly to CD, without creating an ISO 9660
   file system. This is known as burning a raw data CD and some people do
   this for backup purposes.

   This type of disk can not be mounted as a normal data CD. In order to
   retrieve the data burned to such a CD, the data must be read from the raw
   device node. For example, this command will extract a compressed tar file
   located on the second CD device into the current working directory:

 # tar xzvf /dev/cd1

   In order to mount a data CD, the data must be written using mkisofs.

  17.5.5. ************ CD

   To duplicate an audio CD, extract the audio data from the CD to a series
   of files, then write these files to a blank CD.

   ****** 17.1, "Duplicating an Audio CD" describes how to duplicate and burn
   an audio CD. If the FreeBSD version is less than 10.0 and the device is
   ATAPI, the atapicam module must be first loaded using the instructions in
   *** 17.5.1, "***************".

   ****** 17.1. Duplicating an Audio CD
    1. The sysutils/cdrtools package or port installs cdda2wav. This command
       can be used to extract all of the audio tracks, with each track
       written to a separate WAV file in the current working directory:

 % cdda2wav -vall -B -Owav

       A device name does not need to be specified if there is only one CD
       device on the system. Refer to the cdda2wav manual page for
       instructions on how to specify a device and to learn more about the
       other options available for this command.

    2. Use cdrecord to write the .wav files:

 % cdrecord -v dev=2,0 -dao -useinfo  *.wav

       Make sure that 2,0 is set appropriately, as described in *** 17.5.2,
       "****** CD".

17.6. *************** DVD ******

   Contributed by Marc Fonvieille.
   With inputs from Andy Polyakov.

   Compared to the CD, the DVD is the next generation of optical media
   storage technology. The DVD can hold more data than any CD and is the
   standard for video publishing.

   Five physical recordable formats can be defined for a recordable DVD:

     * DVD-R: This was the first DVD recordable format available. The DVD-R
       standard is defined by the DVD Forum. This format is write once.

     * DVD-RW: This is the rewritable version of the DVD-R standard. A DVD-RW
       can be rewritten about 1000 times.

     * DVD-RAM: This is a rewritable format which can be seen as a removable
       hard drive. However, this media is not compatible with most DVD-ROM
       drives and DVD-Video players as only a few DVD writers support the
       DVD-RAM format. Refer to *** 17.6.8, "****** DVD-RAM" for more
       information on DVD-RAM use.

     * DVD+RW: This is a rewritable format defined by the DVD+RW Alliance. A
       DVD+RW can be rewritten about 1000 times.

     * DVD+R: This format is the write once variation of the DVD+RW format.

   A single layer recordable DVD can hold up to 4,700,000,000 bytes which is
   actually 4.38 GB or 4485 MB as 1 kilobyte is 1024 bytes.

  ******:

   A distinction must be made between the physical media and the application.
   For example, a DVD-Video is a specific file layout that can be written on
   any recordable DVD physical media such as DVD-R, DVD+R, or DVD-RW. Before
   choosing the type of media, ensure that both the burner and the DVD-Video
   player are compatible with the media under consideration.

  17.6.1. ******

   To perform DVD recording, use growisofs(1). This command is part of the
   sysutils/dvd+rw-tools utilities which support all DVD media types.

   These tools use the SCSI subsystem to access the devices, therefore
   ATAPI/CAM support must be loaded or statically compiled into the kernel.
   This support is not needed if the burner uses the USB interface. Refer to
   *** 17.4, "USB ************" for more details on USB device configuration.

   DMA access must also be enabled for ATAPI devices, by adding the following
   line to /boot/loader.conf:

 hw.ata.atapi_dma="1"

   Before attempting to use dvd+rw-tools, consult the Hardware Compatibility
   Notes.

  ******:

   For a graphical user interface, consider using sysutils/k3b which provides
   a user friendly interface to growisofs(1) and many other burning tools.

  17.6.2. ************ DVD

   Since growisofs(1) is a front-end to mkisofs, it will invoke mkisofs(8) to
   create the file system layout and perform the write on the DVD. This means
   that an image of the data does not need to be created before the burning
   process.

   To burn to a DVD+R or a DVD-R the data in /path/to/data, use the following
   command:

 # growisofs -dvd-compat -Z /dev/cd0 -J -R /path/to/data

   In this example, -J -R is passed to mkisofs(8) to create an ISO 9660 file
   system with Joliet and Rock Ridge extensions. Refer to mkisofs(8) for more
   details.

   For the initial session recording, -Z is used for both single and multiple
   sessions. Replace /dev/cd0, with the name of the DVD device. Using
   -dvd-compat indicates that the disk will be closed and that the recording
   will be unappendable. This should also provide better media compatibility
   with DVD-ROM drives.

   To burn a pre-mastered image, such as imagefile.iso, use:

 # growisofs -dvd-compat -Z /dev/cd0=imagefile.iso

   The write speed should be detected and automatically set according to the
   media and the drive being used. To force the write speed, use -speed=.
   Refer to growisofs(1) for example usage.

  ******:

   In order to support working files larger than 4.38GB, an UDF/ISO-9660
   hybrid file system must be created by passing -udf -iso-level 3 to
   mkisofs(8) and all related programs, such as growisofs(1). This is
   required only when creating an ISO image file or when writing files
   directly to a disk. Since a disk created this way must be mounted as an
   UDF file system with mount_udf(8), it will be usable only on an UDF aware
   operating system. Otherwise it will look as if it contains corrupted
   files.

   To create this type of ISO file:

 % mkisofs -R -J -udf -iso-level 3 -o imagefile.iso /path/to/data

   To burn files directly to a disk:

 # growisofs -dvd-compat -udf -iso-level 3 -Z /dev/cd0 -J -R /path/to/data

   When an ISO image already contains large files, no additional options are
   required for growisofs(1) to burn that image on a disk.

   Be sure to use an up-to-date version of sysutils/cdrtools, which contains
   mkisofs(8), as an older version may not contain large files support. If
   the latest version does not work, install sysutils/cdrtools-devel and read
   its mkisofs(8).

  17.6.3. ****** DVD-Video

   A DVD-Video is a specific file layout based on the ISO 9660 and micro-UDF
   (M-UDF) specifications. Since DVD-Video presents a specific data structure
   hierarchy, a particular program such as multimedia/dvdauthor is needed to
   author the DVD.

   If an image of the DVD-Video file system already exists, it can be burned
   in the same way as any other image. If dvdauthor was used to make the DVD
   and the result is in /path/to/video, the following command should be used
   to burn the DVD-Video:

 # growisofs -Z /dev/cd0 -dvd-video /path/to/video

   -dvd-video is passed to mkisofs(8) to instruct it to create a DVD-Video
   file system layout. This option implies the -dvd-compat growisofs(1)
   option.

  17.6.4. ****** DVD+RW

   Unlike CD-RW, a virgin DVD+RW needs to be formatted before first use. It
   is recommended to let growisofs(1) take care of this automatically
   whenever appropriate. However, it is possible to use dvd+rw-format to
   format the DVD+RW:

 # dvd+rw-format /dev/cd0

   Only perform this operation once and keep in mind that only virgin DVD+RW
   medias need to be formatted. Once formatted, the DVD+RW can be burned as
   usual.

   To burn a totally new file system and not just append some data onto a
   DVD+RW, the media does not need to be blanked first. Instead, write over
   the previous recording like this:

 # growisofs -Z /dev/cd0 -J -R /path/to/newdata

   The DVD+RW format supports appending data to a previous recording. This
   operation consists of merging a new session to the existing one as it is
   not considered to be multi-session writing. growisofs(1) will grow the ISO
   9660 file system present on the media.

   For example, to append data to a DVD+RW, use the following:

 # growisofs -M /dev/cd0 -J -R /path/to/nextdata

   The same mkisofs(8) options used to burn the initial session should be
   used during next writes.

  ******:

   Use -dvd-compat for better media compatibility with DVD-ROM drives. When
   using DVD+RW, this option will not prevent the addition of data.

   To blank the media, use:

 # growisofs -Z /dev/cd0=/dev/zero

  17.6.5. ****** DVD-RW

   A DVD-RW accepts two disc formats: incremental sequential and restricted
   overwrite. By default, DVD-RW discs are in sequential format.

   A virgin DVD-RW can be directly written without being formatted. However,
   a non-virgin DVD-RW in sequential format needs to be blanked before
   writing a new initial session.

   To blank a DVD-RW in sequential mode:

 # dvd+rw-format -blank=full /dev/cd0

  ******:

   A full blanking using -blank=full will take about one hour on a 1x media.
   A fast blanking can be performed using -blank, if the DVD-RW will be
   recorded in Disk-At-Once (DAO) mode. To burn the DVD-RW in DAO mode, use
   the command:

 # growisofs -use-the-force-luke=dao -Z /dev/cd0=imagefile.iso

   Since growisofs(1) automatically attempts to detect fast blanked media and
   engage DAO write, -use-the-force-luke=dao should not be required.

   One should instead use restricted overwrite mode with any DVD-RW as this
   format is more flexible than the default of incremental sequential.

   To write data on a sequential DVD-RW, use the same instructions as for the
   other DVD formats:

 # growisofs -Z /dev/cd0 -J -R /path/to/data

   To append some data to a previous recording, use -M with growisofs(1).
   However, if data is appended on a DVD-RW in incremental sequential mode, a
   new session will be created on the disc and the result will be a
   multi-session disc.

   A DVD-RW in restricted overwrite format does not need to be blanked before
   a new initial session. Instead, overwrite the disc with -Z. It is also
   possible to grow an existing ISO 9660 file system written on the disc with
   -M. The result will be a one-session DVD.

   To put a DVD-RW in restricted overwrite format, the following command must
   be used:

 # dvd+rw-format /dev/cd0

   To change back to sequential format, use:

 # dvd+rw-format -blank=full /dev/cd0

  17.6.6. *************** (Multi-Session)

   Few DVD-ROM drives support multi-session DVDs and most of the time only
   read the first session. DVD+R, DVD-R and DVD-RW in sequential format can
   accept multiple sessions. The notion of multiple sessions does not exist
   for the DVD+RW and the DVD-RW restricted overwrite formats.

   Using the following command after an initial non-closed session on a
   DVD+R, DVD-R, or DVD-RW in sequential format, will add a new session to
   the disc:

 # growisofs -M /dev/cd0 -J -R /path/to/nextdata

   Using this command with a DVD+RW or a DVD-RW in restricted overwrite mode
   will append data while merging the new session to the existing one. The
   result will be a single-session disc. Use this method to add data after an
   initial write on these types of media.

  ******:

   Since some space on the media is used between each session to mark the end
   and start of sessions, one should add sessions with a large amount of data
   to optimize media space. The number of sessions is limited to 154 for a
   DVD+R, about 2000 for a DVD-R, and 127 for a DVD+R Double Layer.

  17.6.7. ******************

   To obtain more information about a DVD, use dvd+rw-mediainfo /dev/cd0
   while the disc in the specified drive.

   More information about dvd+rw-tools can be found in growisofs(1), on the
   dvd+rw-tools web site, and in the cdwrite mailing list archives.

  ******:

   When creating a problem report related to the use of dvd+rw-tools, always
   include the output of dvd+rw-mediainfo.

  17.6.8. ****** DVD-RAM

   DVD-RAM writers can use either a SCSI or ATAPI interface. For ATAPI
   devices, DMA access has to be enabled by adding the following line to
   /boot/loader.conf:

 hw.ata.atapi_dma="1"

   A DVD-RAM can be seen as a removable hard drive. Like any other hard
   drive, the DVD-RAM must be formatted before it can be used. In this
   example, the whole disk space will be formatted with a standard UFS2 file
   system:

 # dd if=/dev/zero of=/dev/acd0 bs=2k count=1
 # bsdlabel -Bw acd0
 # newfs /dev/acd0

   The DVD device, acd0, must be changed according to the configuration.

   Once the DVD-RAM has been formatted, it can be mounted as a normal hard
   drive:

 # mount /dev/acd0 /mnt

   Once mounted, the DVD-RAM will be both readable and writeable.

17.7. *********************

   This section explains how to format a 3.5 inch floppy disk in FreeBSD.

   ****** 17.2. Steps to Format a Floppy

   A floppy disk needs to be low-level formatted before it can be used. This
   is usually done by the vendor, but formatting is a good way to check media
   integrity. To low-level format the floppy disk on FreeBSD, use
   fdformat(1). When using this utility, make note of any error messages, as
   these can help determine if the disk is good or bad.

    1. To format the floppy, insert a new 3.5 inch floppy disk into the first
       floppy drive and issue:

 # /usr/sbin/fdformat -f 1440 /dev/fd0

    2. After low-level formatting the disk, create a disk label as it is
       needed by the system to determine the size of the disk and its
       geometry. The supported geometry values are listed in /etc/disktab.

       To write the disk label, use bsdlabel(8):

 # /sbin/bsdlabel -B -w /dev/fd0 fd1440

    3. The floppy is now ready to be high-level formatted with a file system.
       The floppy's file system can be either UFS or FAT, where FAT is
       generally a better choice for floppies.

       To format the floppy with FAT, issue:

 # /sbin/newfs_msdos /dev/fd0

   The disk is now ready for use. To use the floppy, mount it with
   mount_msdosfs(8). One can also install and use emulators/mtools from the
   Ports Collection.

17.8. ******************

   ******************************,_******************,_*************************************************************************************************************._

   *****************************************************************************,_*********************************************************._***********************************

     * *****************************************,_************._*************************************************************************************************************************************._

     * ******************
       (Snapshot)********************************************************************._

     * ***************************************************** net/rsync
       ***************************************._

     * ***************
       RAID********************************************************._

   *********************************************************************************************************************************************
   ZFS
   *********************._**************************************************************************._

   *************************************** FreeBSD
   ***************************************._

  17.8.1. ******************

   ************************************** dump(8) ************ UNIX(R)
   *********************************** restore(8)
   ***************._********************************************************************************************,_****************************************************************************dump
   ****************************************************************************************************************dump
   **************************************************************************************._

  ******:

   ****************** dump***************** /home, /usr
   ********************************************************************************************************************************._

   *****************restore ******************************
   /tmp/***************** /tmp *********************************** TMPDIR
   ************************************************************************._

   ********* dump *********************** AT&T UNIX(R),circa 1975 ********* 6
   ***************************************************************** 9
   ****************************************************************************************************************************._

   ****************** rdump(8) *** rrestore(8)
   ********************************************************************************************************************************************************************._

   ************************ SSH *************** dump ***
   restore._*********************************,_********* /usr ***************
   SSH ******************************************._

   ****** 17.1. *** ssh ****** dump

 # /sbin/dump -0uan -f - /usr | gzip -2 | ssh -c blowfish \
           targetuser@targetmachine.example.com dd of=/mybigfiles/dump-usr-l0.gz

   ********************* RSH************** SSH
   ***********************************************

   ****** 17.2. *** ssh ****** dump ****** RSH ******

 # env RSH=/usr/bin/ssh /sbin/dump -0uan -f targetuser@targetmachine.example.com:/dev/sa0 /usr

  17.8.2. ************

   ******************************************************************************************._

   *********************************************************
   tar(1)*********************************** AT&T UNIX(R) ****** 6
   ****************************************************************************************************************._

   ************************************************************
   /tmp/mybackup.tgz****************************************************************************************************._

   ****** 17.3. ****** tar ******************

 # tar czvf /tmp/mybackup.tgz .

   ************************** cd
   *********************************************************._******************************************************************************************************************************************************************************._

   ****** 17.4. ****** tar ******************

 # tar xzvf /tmp/mybackup.tgz

   ****************************************** tar(1)
   ***************._************************************ (Exclude pattern)
   *********************************************************************************._

   ****************************************************** cpio(1)
   ******************._************ tar**cpio
   ***********************************************************************************._

   *********************************** ls *** find
   *********._******************************************************************
   (Piped) *** cpio ****************** /tmp/mybackup.cpio ************._

   ****** 17.5. ****** ls *** cpio ************************************

 # ls -R | cpio -ovF /tmp/mybackup.cpio

   ********************************* tar *** cpio **************************
   pax(1)._***************************** tar *** cpio
   ***************************._POSIX(R) *********
   pax************************************** cpio and tar
   *********************************._

   *************************** pax ********

   ****** 17.6. ****** pax ******************

 # pax -wf /tmp/mybackup.pax .

  17.8.3. ************************

   ***********************************************************************************************************._FreeBSD
   ****************** SCSI ***************** LTO ***
   DAT*********************** SATA *** USB *********._

   SCSI ************ FreeBSD ********* sa(4) ****************** /dev/sa0,
   /dev/nsa0 *** /dev/esa0 ***************************** /dev/sa0***********
   /dev/nsa0
   ************************************************************************************************************
   /dev/esa0 *****************************************._

   *** FreeBSD ************ mt
   **************************************************************************************************._*********************************************************************************************

 # mt -f /dev/nsa0 fsf 3

   ******************************************** mt(1) ************._

   ********* tar
   *************************************************************************************

 # tar cvf /dev/sa0 file

   ****************** tar ********************************************

 # tar xvf /dev/sa0

   *************** UFS ********************* dump._********************* /usr
   *****************************

 # dump -0aL -b64 -f /dev/nsa0 /usr

   ************************************ dump *****************************

 # restore -i -f /dev/nsa0

  17.8.4. *********************

   FreeBSD Port
   *****************************************************************************************************************._******************************************/***********************************************************************************._

   ************************ Amanda, Bacula, rsync ****** duplicity._

  17.8.5. ************

   ***********************************************************************************._

   ********************************************************

     * gpart show

     * more /etc/fstab

     * dmesg

   **********************************************************************************************************************************************
   Live CD *************** Shell (Rescue
   shell)******************************************************************************************************************************._

  ******:

   FreeBSD/i386 11.2-RELEASE ******************************
   Shell****************************
   ftp://ftp.FreeBSD.org/pub/FreeBSD/releases/i386/ISO-IMAGES/11.2/FreeBSD-11.2-RELEASE-i386-livefs.iso
   ****** Livefs CD ******************._

   ******************** Shell
   ************._***********************************************,_************,_*****************************************************************************************************************._

   ***********************************************************************************************************************._

17.9. ***************

   Reorganized and enhanced by Marc Fonvieille.

   In addition to physical disks, FreeBSD also supports the creation and use
   of memory disks. One possible use for a memory disk is to access the
   contents of an ISO file system without the overhead of first burning it to
   a CD or DVD, then mounting the CD/DVD media.

   In FreeBSD, the md(4) driver is used to provide support for memory disks.
   The GENERIC kernel includes this driver. When using a custom kernel
   configuration file, ensure it includes this line:

 device md

  17.9.1. ***************************************

   To mount an existing file system image, use mdconfig to specify the name
   of the ISO file and a free unit number. Then, refer to that unit number to
   mount it on an existing mount point. Once mounted, the files in the ISO
   will appear in the mount point. This example attaches diskimage.iso to the
   memory device /dev/md0 then mounts that memory device on /mnt:

 # mdconfig -f diskimage.iso -u 0
 # mount -t cd9660 /dev/md0 /mnt

   Notice that -t cd9660 was used to mount an ISO format. If a unit number is
   not specified with -u, mdconfig will automatically allocate an unused
   memory device and output the name of the allocated unit, such as md4.
   Refer to mdconfig(8) for more details about this command and its options.

   When a memory disk is no longer in use, its resources should be released
   back to the system. First, unmount the file system, then use mdconfig to
   detach the disk from the system and release its resources. To continue
   this example:

 # umount /mnt
 # mdconfig -d -u 0

   To determine if any memory disks are still attached to the system, type
   mdconfig -l.

  17.9.2. *********************************************

   FreeBSD also supports memory disks where the storage to use is allocated
   from either a hard disk or an area of memory. The first method is commonly
   referred to as a file-backed file system and the second method as a
   memory-backed file system. Both types can be created using mdconfig.

   To create a new memory-backed file system, specify a type of swap and the
   size of the memory disk to create. Then, format the memory disk with a
   file system and mount as usual. This example creates a 5M memory disk on
   unit 1. That memory disk is then formatted with the UFS file system before
   it is mounted:

 # mdconfig -a -t swap -s 5m -u 1
 # newfs -U md1
 /dev/md1: 5.0MB (10240 sectors) block size 16384, fragment size 2048
         using 4 cylinder groups of 1.27MB, 81 blks, 192 inodes.
         with soft updates
 super-block backups (for fsck -b #) at:
  160, 2752, 5344, 7936
 # mount /dev/md1 /mnt
 # df /mnt
 Filesystem 1K-blocks Used Avail Capacity  Mounted on
 /dev/md1        4718    4  4338     0%    /mnt

   To create a new file-backed memory disk, first allocate an area of disk to
   use. This example creates an empty 5MB file named newimage:

 # dd if=/dev/zero of=newimage bs=1k count=5k
 5120+0 records in
 5120+0 records out

   Next, attach that file to a memory disk, label the memory disk and format
   it with the UFS file system, mount the memory disk, and verify the size of
   the file-backed disk:

 # mdconfig -f newimage -u 0
 # bsdlabel -w md0 auto
 # newfs -U md0a
 /dev/md0a: 5.0MB (10224 sectors) block size 16384, fragment size 2048
         using 4 cylinder groups of 1.25MB, 80 blks, 192 inodes.
 super-block backups (for fsck -b #) at:
  160, 2720, 5280, 7840
 # mount /dev/md0a /mnt
 # df /mnt
 Filesystem 1K-blocks Used Avail Capacity  Mounted on
 /dev/md0a       4710    4  4330     0%    /mnt

   It takes several commands to create a file- or memory-backed file system
   using mdconfig. FreeBSD also comes with mdmfs which automatically
   configures a memory disk, formats it with the UFS file system, and mounts
   it. For example, after creating newimage with dd, this one command is
   equivalent to running the bsdlabel, newfs, and mount commands shown above:

 # mdmfs -F newimage -s 5m md0 /mnt

   To instead create a new memory-based memory disk with mdmfs, use this one
   command:

 # mdmfs -s 5m md1 /mnt

   If the unit number is not specified, mdmfs will automatically select an
   unused memory device. For more details about mdmfs, refer to mdmfs(8).

17.10. ******************

   Contributed by Tom Rhodes.

   FreeBSD offers a feature in conjunction with Soft Updates: file system
   snapshots.

   UFS snapshots allow a user to create images of specified file systems, and
   treat them as a file. Snapshot files must be created in the file system
   that the action is performed on, and a user may create no more than 20
   snapshots per file system. Active snapshots are recorded in the superblock
   so they are persistent across unmount and remount operations along with
   system reboots. When a snapshot is no longer required, it can be removed
   using rm(1). While snapshots may be removed in any order, all the used
   space may not be acquired because another snapshot will possibly claim
   some of the released blocks.

   The un-alterable snapshot file flag is set by mksnap_ffs(8) after initial
   creation of a snapshot file. unlink(1) makes an exception for snapshot
   files since it allows them to be removed.

   Snapshots are created using mount(8). To place a snapshot of /var in the
   file /var/snapshot/snap, use the following command:

 # mount -u -o snapshot /var/snapshot/snap /var

   Alternatively, use mksnap_ffs(8) to create the snapshot:

 # mksnap_ffs /var /var/snapshot/snap

   One can find snapshot files on a file system, such as /var, using find(1):

 # find /var -flags snapshot

   Once a snapshot has been created, it has several uses:

     * Some administrators will use a snapshot file for backup purposes,
       because the snapshot can be transferred to CDs or tape.

     * The file system integrity checker, fsck(8), may be run on the
       snapshot. Assuming that the file system was clean when it was mounted,
       this should always provide a clean and unchanging result.

     * Running dump(8) on the snapshot will produce a dump file that is
       consistent with the file system and the timestamp of the snapshot.
       dump(8) can also take a snapshot, create a dump image, and then remove
       the snapshot in one command by using -L.

     * The snapshot can be mounted as a frozen image of the file system. To
       mount(8) the snapshot /var/snapshot/snap run:

 # mdconfig -a -t vnode -o readonly -f /var/snapshot/snap -u 4
 # mount -r /dev/md4 /mnt

   The frozen /var is now available through /mnt. Everything will initially
   be in the same state it was during the snapshot creation time. The only
   exception is that any earlier snapshots will appear as zero length files.
   To unmount the snapshot, use:

 # umount /mnt
 # mdconfig -d -u 4

   For more information about softupdates and file system snapshots,
   including technical papers, visit Marshall Kirk McKusick's website at
   http://www.mckusick.com/.

17.11. ************

   ***************************************************************************************************************************._******************************************************************************._

   *************************** UFS ***************************._****** ZFS
   ************************************** *** 19.4.8,
   "*********,_***************************"

  17.11.1. ******************

   ****** FreeBSD ********************************

 % sysctl kern.features.ufs_quota
 kern.features.ufs_quota: 1

   ******************** 1 ********************************
   0************************************************************** *** 8,
   ****** FreeBSD ****** *****************************

 options QUOTA

   *********** /etc/rc.conf ********************

 quota_enable="YES"

   ***************************** quotacheck(8)
   *****************************************************************************************************************************************._*************************************************************************************************************************
   /etc/rc.conf**

 check_quotas="NO"

   ************** /etc/fstab
   ************************************************._***************************************************************
   userquota ********* /etc/fstab
   ******************************************._********

 /dev/da1s2g   /home    ufs rw,userquota 1 2

   ********************************
   groupquota._**********************************************************************

 /dev/da1s2g    /home    ufs rw,userquota,groupquota 1 2

   ********************************************************* quota.user ***
   quota.group*********** fstab(5)
   **************************************************************************._

   ****************************************/etc/rc
   ****************************************** /etc/fstab
   ******************************************************._

   *********************************************** quotacheck(8), quotaon(8)
   ******
   quotaoff(8)*************************************************************************************._

  17.11.2. ******************

   ****************************************

 # quota -v

   ************************************************************************************************._

   ************************************ edquota ******************._

   ************************************************************************************************************._*********************
   (block ******)************** (inode ******)
   ************************._********************************************************
   (Hard) ********* (Soft) ******._

   *********************************._**************************************************************************************************._***********************************************************
   500 KB ***************************************** 490
   KB***************************** 10 KB ************************** 11 KB
   *********************._

   ***********************************************************************
   (Grace
   period)*****************._***********************************************************************************************************************._********************************************************************************._

   ******************************** test *********._********* edquota
   ***************** EDITOR
   ***************************************._********************* vi._

 # edquota -u test
 Quotas for user test:
 /usr: kbytes in use: 65, limits (soft = 50, hard = 75)
         inodes in use: 7, limits (soft = 50, hard = 60)
 /usr/var: kbytes in use: 0, limits (soft = 50, hard = 75)
         inodes in use: 0, limits (soft = 50, hard = 60)

   *****************************************************************************************
   (Block limit) ****************************** (inode
   limit)*****************************************._******************** /usr
   ****************************** 500 *********************
   600*******************************

 /usr: kbytes in use: 65, limits (soft = 500, hard = 600)

   ************************************************._

   **********************************************************************************************************************************
   -p ****************************************** ID
   (UID)._************************************ UID 10,000 *** 19,999
   **************

 # edquota -p test 10000-19999

   ******************************** edquota(8)._

  17.11.3. ***************************************

   ******************************************************************
   quota(1)._**************************************************************************************************************************************._********************************************************************************************
   repquota(8)._

   ***********************************************************************************
   quota
   *************************************************************************************
   -v ******************************._********************* quota -v
   ***************************************************************************._

 Disk quotas for user test (uid 1002):
      Filesystem  usage    quota   limit   grace   files   quota   limit   grace
            /usr      65*     50      75   5days       7      50      60
        /usr/var       0      50      75               0      50      60

   *********************************** /usr *************** 50 KB
   *************** 15 KB *************** 5 ************._****** *
   *********************************************._

  17.11.4. NFS ************

   *** NFS
   *******************************************************rpc.rquotad(8)
   Daemon ************************ NFS ************
   quota***********************************************************************._

   *** NFS *************** /etc/inetd.conf *** rpc.rquotad ********* #
   *****************

 rquotad/1      dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotad

   ****************** inetd**

 # service inetd restart

17.12. *********************

   Contributed by Lucky Green.

   FreeBSD offers excellent online protections against unauthorized data
   access. File permissions and Mandatory Access Control (MAC) help prevent
   unauthorized users from accessing data while the operating system is
   active and the computer is powered up. However, the permissions enforced
   by the operating system are irrelevant if an attacker has physical access
   to a computer and can move the computer's hard drive to another system to
   copy and analyze the data.

   Regardless of how an attacker may have come into possession of a hard
   drive or powered-down computer, the GEOM-based cryptographic subsystems
   built into FreeBSD are able to protect the data on the computer's file
   systems against even highly-motivated attackers with significant
   resources. Unlike encryption methods that encrypt individual files, the
   built-in gbde and geli utilities can be used to transparently encrypt
   entire file systems. No cleartext ever touches the hard drive's platter.

   This chapter demonstrates how to create an encrypted file system on
   FreeBSD. It first demonstrates the process using gbde and then
   demonstrates the same example using geli.

  17.12.1. ****** gbde ***************

   The objective of the gbde(4) facility is to provide a formidable challenge
   for an attacker to gain access to the contents of a cold storage device.
   However, if the computer is compromised while up and running and the
   storage device is actively attached, or the attacker has access to a valid
   passphrase, it offers no protection to the contents of the storage device.
   Thus, it is important to provide physical security while the system is
   running and to protect the passphrase used by the encryption mechanism.

   This facility provides several barriers to protect the data stored in each
   disk sector. It encrypts the contents of a disk sector using 128-bit AES
   in CBC mode. Each sector on the disk is encrypted with a different AES
   key. For more information on the cryptographic design, including how the
   sector keys are derived from the user-supplied passphrase, refer to
   gbde(4).

   FreeBSD provides a kernel module for gbde which can be loaded with this
   command:

 # kldload geom_bde

   If using a custom kernel configuration file, ensure it contains this line:

   options GEOM_BDE

   The following example demonstrates adding a new hard drive to a system
   that will hold a single encrypted partition that will be mounted as
   /private.

   ****** 17.3. Encrypting a Partition with gbde
    1. Add the New Hard Drive

       Install the new drive to the system as explained in *** 17.2,
       "************". For the purposes of this example, a new hard drive
       partition has been added as /dev/ad4s1c and /dev/ad0s1* represents the
       existing standard FreeBSD partitions.

 # ls /dev/ad*
 /dev/ad0        /dev/ad0s1b     /dev/ad0s1e     /dev/ad4s1
 /dev/ad0s1      /dev/ad0s1c     /dev/ad0s1f     /dev/ad4s1c
 /dev/ad0s1a     /dev/ad0s1d     /dev/ad4

    2. Create a Directory to Hold gbde Lock Files

 # mkdir /etc/gbde

       The gbde lock file contains information that gbde requires to access
       encrypted partitions. Without access to the lock file, gbde will not
       be able to decrypt the data contained in the encrypted partition
       without significant manual intervention which is not supported by the
       software. Each encrypted partition uses a separate lock file.

    3. Initialize the gbde Partition

       A gbde partition must be initialized before it can be used. This
       initialization needs to be performed only once. This command will open
       the default editor, in order to set various configuration options in a
       template. For use with the UFS file system, set the sector_size to
       2048:

 # gbde init /dev/ad4s1c -i -L /etc/gbde/ad4s1c.lock
 # $FreeBSD$
 #
 # Sector size is the smallest unit of data which can be read or written.
 # Making it too small decreases performance and decreases available space.
 # Making it too large may prevent filesystems from working.  512 is the
 # minimum and always safe.  For UFS, use the fragment size
 #
 sector_size     =       2048
 [...]

       Once the edit is saved, the user will be asked twice to type the
       passphrase used to secure the data. The passphrase must be the same
       both times. The ability of gbde to protect data depends entirely on
       the quality of the passphrase. For tips on how to select a secure
       passphrase that is easy to remember, see
       http://world.std.com/~reinhold/diceware.htm.

       This initialization creates a lock file for the gbde partition. In
       this example, it is stored as /etc/gbde/ad4s1c.lock. Lock files must
       end in ".lock" in order to be correctly detected by the /etc/rc.d/gbde
       start up script.

  ******:

       Lock files must be backed up together with the contents of any
       encrypted partitions. Without the lock file, the legitimate owner will
       be unable to access the data on the encrypted partition.

    4. Attach the Encrypted Partition to the Kernel

 # gbde attach /dev/ad4s1c -l /etc/gbde/ad4s1c.lock

       This command will prompt to input the passphrase that was selected
       during the initialization of the encrypted partition. The new
       encrypted device will appear in /dev as /dev/device_name.bde:

 # ls /dev/ad*
 /dev/ad0        /dev/ad0s1b     /dev/ad0s1e     /dev/ad4s1
 /dev/ad0s1      /dev/ad0s1c     /dev/ad0s1f     /dev/ad4s1c
 /dev/ad0s1a     /dev/ad0s1d     /dev/ad4        /dev/ad4s1c.bde

    5. Create a File System on the Encrypted Device

       Once the encrypted device has been attached to the kernel, a file
       system can be created on the device. This example creates a UFS file
       system with soft updates enabled. Be sure to specify the partition
       which has a *.bde extension:

 # newfs -U /dev/ad4s1c.bde

    6. Mount the Encrypted Partition

       Create a mount point and mount the encrypted file system:

 # mkdir /private
 # mount /dev/ad4s1c.bde /private

    7. Verify That the Encrypted File System is Available

       The encrypted file system should now be visible and available for use:

 % df -H
 Filesystem        Size   Used  Avail Capacity  Mounted on
 /dev/ad0s1a      1037M    72M   883M     8%    /
 /devfs            1.0K   1.0K     0B   100%    /dev
 /dev/ad0s1f       8.1G    55K   7.5G     0%    /home
 /dev/ad0s1e      1037M   1.1M   953M     0%    /tmp
 /dev/ad0s1d       6.1G   1.9G   3.7G    35%    /usr
 /dev/ad4s1c.bde   150G   4.1K   138G     0%    /private

   After each boot, any encrypted file systems must be manually re-attached
   to the kernel, checked for errors, and mounted, before the file systems
   can be used. To configure these steps, add the following lines to
   /etc/rc.conf:

 gbde_autoattach_all="YES"
 gbde_devices="ad4s1c"
 gbde_lockdir="/etc/gbde"

   This requires that the passphrase be entered at the console at boot time.
   After typing the correct passphrase, the encrypted partition will be
   mounted automatically. Additional gbde boot options are available and
   listed in rc.conf(5).

  ******:

   sysinstall is incompatible with gbde-encrypted devices. All *.bde devices
   must be detached from the kernel before starting sysinstall or it will
   crash during its initial probing for devices. To detach the encrypted
   device used in the example, use the following command:

 # gbde detach /dev/ad4s1c

  17.12.2. ****** geli ***************

   Contributed by Daniel Gerzo.

   An alternative cryptographic GEOM class is available using geli. This
   control utility adds some features and uses a different scheme for doing
   cryptographic work. It provides the following features:

     * Utilizes the crypto(9) framework and automatically uses cryptographic
       hardware when it is available.

     * Supports multiple cryptographic algorithms such as AES, Blowfish, and
       3DES.

     * Allows the root partition to be encrypted. The passphrase used to
       access the encrypted root partition will be requested during system
       boot.

     * Allows the use of two independent keys.

     * It is fast as it performs simple sector-to-sector encryption.

     * Allows backup and restore of master keys. If a user destroys their
       keys, it is still possible to get access to the data by restoring keys
       from the backup.

     * Allows a disk to attach with a random, one-time key which is useful
       for swap partitions and temporary file systems.

   More features and usage examples can be found in geli(8).

   The following example describes how to generate a key file which will be
   used as part of the master key for the encrypted provider mounted under
   /private. The key file will provide some random data used to encrypt the
   master key. The master key will also be protected by a passphrase. The
   provider's sector size will be 4kB. The example describes how to attach to
   the geli provider, create a file system on it, mount it, work with it, and
   finally, how to detach it.

   ****** 17.4. Encrypting a Partition with geli
    1. Load geli Support

       Support for geli is available as a loadable kernel module. To
       configure the system to automatically load the module at boot time,
       add the following line to /boot/loader.conf:

 geom_eli_load="YES"

       To load the kernel module now:

 # kldload geom_eli

       For a custom kernel, ensure the kernel configuration file contains
       these lines:

 options GEOM_ELI
 device crypto

    2. Generate the Master Key

       The following commands generate a master key (/root/da2.key) that is
       protected with a passphrase. The data source for the key file is
       /dev/random and the sector size of the provider (/dev/da2.eli) is 4kB
       as a bigger sector size provides better performance:

 # dd if=/dev/random of=/root/da2.key bs=64 count=1
 # geli init -s 4096 -K /root/da2.key /dev/da2
 Enter new passphrase:
 Reenter new passphrase:

       It is not mandatory to use both a passphrase and a key file as either
       method of securing the master key can be used in isolation.

       If the key file is given as "-", standard input will be used. For
       example, this command generates three key files:

 # cat keyfile1 keyfile2 keyfile3 | geli init -K - /dev/da2

    3. Attach the Provider with the Generated Key

       To attach the provider, specify the key file, the name of the disk,
       and the passphrase:

 # geli attach -k /root/da2.key /dev/da2
 Enter passphrase:

       This creates a new device with an .eli extension:

 # ls /dev/da2*
 /dev/da2  /dev/da2.eli

    4. Create the New File System

       Next, format the device with the UFS file system and mount it on an
       existing mount point:

 # dd if=/dev/random of=/dev/da2.eli bs=1m
 # newfs /dev/da2.eli
 # mount /dev/da2.eli /private

       The encrypted file system should now be available for use:

 # df -H
 Filesystem     Size   Used  Avail Capacity  Mounted on
 /dev/ad0s1a    248M    89M   139M    38%    /
 /devfs         1.0K   1.0K     0B   100%    /dev
 /dev/ad0s1f    7.7G   2.3G   4.9G    32%    /usr
 /dev/ad0s1d    989M   1.5M   909M     0%    /tmp
 /dev/ad0s1e    3.9G   1.3G   2.3G    35%    /var
 /dev/da2.eli   150G   4.1K   138G     0%    /private

   Once the work on the encrypted partition is done, and the /private
   partition is no longer needed, it is prudent to put the device into cold
   storage by unmounting and detaching the geli encrypted partition from the
   kernel:

 # umount /private
 # geli detach da2.eli

   A rc.d script is provided to simplify the mounting of geli-encrypted
   devices at boot time. For this example, add these lines to /etc/rc.conf:

 geli_devices="da2"
 geli_da2_flags="-k /root/da2.key"

   This configures /dev/da2 as a geli provider with a master key of
   /root/da2.key. The system will automatically detach the provider from the
   kernel before the system shuts down. During the startup process, the
   script will prompt for the passphrase before attaching the provider. Other
   kernel messages might be shown before and after the password prompt. If
   the boot process seems to stall, look carefully for the password prompt
   among the other messages. Once the correct passphrase is entered, the
   provider is attached. The file system is then mounted, typically by an
   entry in /etc/fstab. Refer to *** 3.7, "***************************" for
   instructions on how to configure a file system to mount at boot time.

17.13. ******************

   Written by Christian Brueffer.

   Like the encryption of disk partitions, encryption of swap space is used
   to protect sensitive information. Consider an application that deals with
   passwords. As long as these passwords stay in physical memory, they are
   not written to disk and will be cleared after a reboot. However, if
   FreeBSD starts swapping out memory pages to free space, the passwords may
   be written to the disk unencrypted. Encrypting swap space can be a
   solution for this scenario.

   This section demonstrates how to configure an encrypted swap partition
   using gbde(8) or geli(8) encryption. It assumes that /dev/ada0s1b is the
   swap partition.

  17.13.1. ******************************

   Swap partitions are not encrypted by default and should be cleared of any
   sensitive data before continuing. To overwrite the current swap partition
   with random garbage, execute the following command:

 # dd if=/dev/random of=/dev/ada0s1b bs=1m

   To encrypt the swap partition using gbde(8), add the .bde suffix to the
   swap line in /etc/fstab:

 # Device                Mountpoint      FStype  Options         Dump    Pass#
 /dev/ada0s1b.bde        none            swap    sw              0       0

   To instead encrypt the swap partition using geli(8), use the .eli suffix:

 # Device                Mountpoint      FStype  Options         Dump    Pass#
 /dev/ada0s1b.eli        none            swap    sw              0       0

   By default, geli(8) uses the AES algorithm with a key length of 128 bits.
   Normally the default settings will suffice. If desired, these defaults can
   be altered in the options field in /etc/fstab. The possible flags are:

   aalgo

           Data integrity verification algorithm used to ensure that the
           encrypted data has not been tampered with. See geli(8) for a list
           of supported algorithms.

   ealgo

           Encryption algorithm used to protect the data. See geli(8) for a
           list of supported algorithms.

   keylen

           The length of the key used for the encryption algorithm. See
           geli(8) for the key lengths that are supported by each encryption
           algorithm.

   sectorsize

           The size of the blocks data is broken into before it is encrypted.
           Larger sector sizes increase performance at the cost of higher
           storage overhead. The recommended size is 4096 bytes.

   This example configures an encrypted swap partition using the Blowfish
   algorithm with a key length of 128 bits and a sectorsize of 4 kilobytes:

 # Device                Mountpoint      FStype  Options                         Dump    Pass#
 /dev/ada0s1b.eli        none            swap    sw,ealgo=blowfish,keylen=128,sectorsize=4096    0       0

  17.13.2. ***************************

   Once the system has rebooted, proper operation of the encrypted swap can
   be verified using swapinfo.

   If gbde(8) is being used:

 % swapinfo
 Device          1K-blocks     Used    Avail Capacity
 /dev/ada0s1b.bde   542720        0   542720     0%

   If geli(8) is being used:

 % swapinfo
 Device          1K-blocks     Used    Avail Capacity
 /dev/ada0s1b.eli   542720        0   542720     0%

17.14. ********************* (HAST)

   Contributed by Daniel Gerzo.
   With inputs from Freddie Cash, Pawel Jakub Dawidek, Michael W. Lucas and
   Viktor Petersson.

   High availability is one of the main requirements in serious business
   applications and highly-available storage is a key component in such
   environments. In FreeBSD, the Highly Available STorage (HAST) framework
   allows transparent storage of the same data across several physically
   separated machines connected by a TCP/IP network. HAST can be understood
   as a network-based RAID1 (mirror), and is similar to the DRBD(R) storage
   system used in the GNU/Linux(R) platform. In combination with other
   high-availability features of FreeBSD like CARP, HAST makes it possible to
   build a highly-available storage cluster that is resistant to hardware
   failures.

   The following are the main features of HAST:

     * Can be used to mask I/O errors on local hard drives.

     * File system agnostic as it works with any file system supported by
       FreeBSD.

     * Efficient and quick resynchronization as only the blocks that were
       modified during the downtime of a node are synchronized.

     * Can be used in an already deployed environment to add additional
       redundancy.

     * Together with CARP, Heartbeat, or other tools, it can be used to build
       a robust and durable storage system.

   After reading this section, you will know:

     * What HAST is, how it works, and which features it provides.

     * How to set up and use HAST on FreeBSD.

     * How to integrate CARP and devd(8) to build a robust storage system.

   Before reading this section, you should:

     * ****** UNIX(R) *** FreeBSD ****** (*** 3, FreeBSD ******)._

     * Know how to configure network interfaces and other core FreeBSD
       subsystems (*** 11, ***************).

     * Have a good understanding of FreeBSD networking (*** IV,
       "************").

   The HAST project was sponsored by The FreeBSD Foundation with support from
   http://www.omc.net/ and http://www.transip.nl/.

  17.14.1. HAST ************

   HAST provides synchronous block-level replication between two physical
   machines: the primary, also known as the master node, and the secondary,
   or slave node. These two machines together are referred to as a cluster.

   Since HAST works in a primary-secondary configuration, it allows only one
   of the cluster nodes to be active at any given time. The primary node,
   also called active, is the one which will handle all the I/O requests to
   HAST-managed devices. The secondary node is automatically synchronized
   from the primary node.

   The physical components of the HAST system are the local disk on primary
   node, and the disk on the remote, secondary node.

   HAST operates synchronously on a block level, making it transparent to
   file systems and applications. HAST provides regular GEOM providers in
   /dev/hast/ for use by other tools or applications. There is no difference
   between using HAST-provided devices and raw disks or partitions.

   Each write, delete, or flush operation is sent to both the local disk and
   to the remote disk over TCP/IP. Each read operation is served from the
   local disk, unless the local disk is not up-to-date or an I/O error
   occurs. In such cases, the read operation is sent to the secondary node.

   HAST tries to provide fast failure recovery. For this reason, it is
   important to reduce synchronization time after a node's outage. To provide
   fast synchronization, HAST manages an on-disk bitmap of dirty extents and
   only synchronizes those during a regular synchronization, with an
   exception of the initial sync.

   There are many ways to handle synchronization. HAST implements several
   replication modes to handle different synchronization methods:

     * memsync: This mode reports a write operation as completed when the
       local write operation is finished and when the remote node
       acknowledges data arrival, but before actually storing the data. The
       data on the remote node will be stored directly after sending the
       acknowledgement. This mode is intended to reduce latency, but still
       provides good reliability. This mode is the default.

     * fullsync: This mode reports a write operation as completed when both
       the local write and the remote write complete. This is the safest and
       the slowest replication mode.

     * async: This mode reports a write operation as completed when the local
       write completes. This is the fastest and the most dangerous
       replication mode. It should only be used when replicating to a distant
       node where latency is too high for other modes.

  17.14.2. HAST ******

   The HAST framework consists of several components:

     * The hastd(8) daemon which provides data synchronization. When this
       daemon is started, it will automatically load geom_gate.ko.

     * The userland management utility, hastctl(8).

     * The hast.conf(5) configuration file. This file must exist before
       starting hastd.

   Users who prefer to statically build GEOM_GATE support into the kernel
   should add this line to the custom kernel configuration file, then rebuild
   the kernel using the instructions in *** 8, ****** FreeBSD ******:

 options GEOM_GATE

   The following example describes how to configure two nodes in
   master-slave/primary-secondary operation using HAST to replicate the data
   between the two. The nodes will be called hasta, with an IP address of
   172.16.0.1, and hastb, with an IP address of 172.16.0.2. Both nodes will
   have a dedicated hard drive /dev/ad6 of the same size for HAST operation.
   The HAST pool, sometimes referred to as a resource or the GEOM provider in
   /dev/hast/, will be called test.

   Configuration of HAST is done using /etc/hast.conf. This file should be
   identical on both nodes. The simplest configuration is:

 resource test {
         on hasta {
                 local /dev/ad6
                 remote 172.16.0.2
         }
         on hastb {
                 local /dev/ad6
                 remote 172.16.0.1
         }
 }

   For more advanced configuration, refer to hast.conf(5).

  ******:

   It is also possible to use host names in the remote statements if the
   hosts are resolvable and defined either in /etc/hosts or in the local DNS.

   Once the configuration exists on both nodes, the HAST pool can be created.
   Run these commands on both nodes to place the initial metadata onto the
   local disk and to start hastd(8):

 # hastctl create test
 # service hastd onestart

  ******:

   It is not possible to use GEOM providers with an existing file system or
   to convert an existing storage to a HAST-managed pool. This procedure
   needs to store some metadata on the provider and there will not be enough
   required space available on an existing provider.

   A HAST node's primary or secondary role is selected by an administrator,
   or software like Heartbeat, using hastctl(8). On the primary node, hasta,
   issue this command:

 # hastctl role primary test

   Run this command on the secondary node, hastb:

 # hastctl role secondary test

   Verify the result by running hastctl on each node:

 # hastctl status test

   Check the status line in the output. If it says degraded, something is
   wrong with the configuration file. It should say complete on each node,
   meaning that the synchronization between the nodes has started. The
   synchronization completes when hastctl status reports 0 bytes of dirty
   extents.

   The next step is to create a file system on the GEOM provider and mount
   it. This must be done on the primary node. Creating the file system can
   take a few minutes, depending on the size of the hard drive. This example
   creates a UFS file system on /dev/hast/test:

 # newfs -U /dev/hast/test
 # mkdir /hast/test
 # mount /dev/hast/test /hast/test

   Once the HAST framework is configured properly, the final step is to make
   sure that HAST is started automatically during system boot. Add this line
   to /etc/rc.conf:

 hastd_enable="YES"

    17.14.2.1. ******************

   The goal of this example is to build a robust storage system which is
   resistant to the failure of any given node. If the primary node fails, the
   secondary node is there to take over seamlessly, check and mount the file
   system, and continue to work without missing a single bit of data.

   To accomplish this task, the Common Address Redundancy Protocol (CARP) is
   used to provide for automatic failover at the IP layer. CARP allows
   multiple hosts on the same network segment to share an IP address. Set up
   CARP on both nodes of the cluster according to the documentation available
   in *** 31.10, "************************ (CARP)". In this example, each
   node will have its own management IP address and a shared IP address of
   172.16.0.254. The primary HAST node of the cluster must be the master CARP
   node.

   The HAST pool created in the previous section is now ready to be exported
   to the other hosts on the network. This can be accomplished by exporting
   it through NFS or Samba, using the shared IP address 172.16.0.254. The
   only problem which remains unresolved is an automatic failover should the
   primary node fail.

   In the event of CARP interfaces going up or down, the FreeBSD operating
   system generates a devd(8) event, making it possible to watch for state
   changes on the CARP interfaces. A state change on the CARP interface is an
   indication that one of the nodes failed or came back online. These state
   change events make it possible to run a script which will automatically
   handle the HAST failover.

   To catch state changes on the CARP interfaces, add this configuration to
   /etc/devd.conf on each node:

 notify 30 {
         match "system" "IFNET";
         match "subsystem" "carp0";
         match "type" "LINK_UP";
         action "/usr/local/sbin/carp-hast-switch master";
 };

 notify 30 {
         match "system" "IFNET";
         match "subsystem" "carp0";
         match "type" "LINK_DOWN";
         action "/usr/local/sbin/carp-hast-switch slave";
 };

  ******:

   If the systems are running FreeBSD 10 or higher, replace carp0 with the
   name of the CARP-configured interface.

   Restart devd(8) on both nodes to put the new configuration into effect:

 # service devd restart

   When the specified interface state changes by going up or down , the
   system generates a notification, allowing the devd(8) subsystem to run the
   specified automatic failover script, /usr/local/sbin/carp-hast-switch. For
   further clarification about this configuration, refer to devd.conf(5).

   Here is an example of an automated failover script:

 #!/bin/sh

 # Original script by Freddie Cash <fjwcash@gmail.com>
 # Modified by Michael W. Lucas <mwlucas@BlackHelicopters.org>
 # and Viktor Petersson <vpetersson@wireload.net>

 # The names of the HAST resources, as listed in /etc/hast.conf
 resources="test"

 # delay in mounting HAST resource after becoming master
 # make your best guess
 delay=3

 # logging
 log="local0.debug"
 name="carp-hast"

 # end of user configurable stuff

 case "$1" in
         master)
                 logger -p $log -t $name "Switching to primary provider for ${resources}."
                 sleep ${delay}

                 # Wait for any "hastd secondary" processes to stop
                 for disk in ${resources}; do
                         while $( pgrep -lf "hastd: ${disk} \(secondary\)" > /dev/null 2>&1 ); do
                                 sleep 1
                         done

                         # Switch role for each disk
                         hastctl role primary ${disk}
                         if [ $? -ne 0 ]; then
                                 logger -p $log -t $name "Unable to change role to primary for resource ${disk}."
                                 exit 1
                         fi
                 done

                 # Wait for the /dev/hast/* devices to appear
                 for disk in ${resources}; do
                         for I in $( jot 60 ); do
                                 [ -c "/dev/hast/${disk}" ] && break
                                 sleep 0.5
                         done

                         if [ ! -c "/dev/hast/${disk}" ]; then
                                 logger -p $log -t $name "GEOM provider /dev/hast/${disk} did not appear."
                                 exit 1
                         fi
                 done

                 logger -p $log -t $name "Role for HAST resources ${resources} switched to primary."


                 logger -p $log -t $name "Mounting disks."
                 for disk in ${resources}; do
                         mkdir -p /hast/${disk}
                         fsck -p -y -t ufs /dev/hast/${disk}
                         mount /dev/hast/${disk} /hast/${disk}
                 done

         ;;

         slave)
                 logger -p $log -t $name "Switching to secondary provider for ${resources}."

                 # Switch roles for the HAST resources
                 for disk in ${resources}; do
                         if ! mount | grep -q "^/dev/hast/${disk} on "
                         then
                         else
                                 umount -f /hast/${disk}
                         fi
                         sleep $delay
                         hastctl role secondary ${disk} 2>&1
                         if [ $? -ne 0 ]; then
                                 logger -p $log -t $name "Unable to switch role to secondary for resource ${disk}."
                                 exit 1
                         fi
                         logger -p $log -t $name "Role switched to secondary for resource ${disk}."
                 done
         ;;
 esac

   In a nutshell, the script takes these actions when a node becomes master:

     * Promotes the HAST pool to primary on the other node.

     * Checks the file system under the HAST pool.

     * Mounts the pool.

   When a node becomes secondary:

     * Unmounts the HAST pool.

     * Degrades the HAST pool to secondary.

  ******:

   This is just an example script which serves as a proof of concept. It does
   not handle all the possible scenarios and can be extended or altered in
   any way, for example, to start or stop required services.

  ******:

   For this example, a standard UFS file system was used. To reduce the time
   needed for recovery, a journal-enabled UFS or ZFS file system can be used
   instead.

   More detailed information with additional examples can be found at
   http://wiki.FreeBSD.org/HAST.

  17.14.3. ************

   HAST should generally work without issues. However, as with any other
   software product, there may be times when it does not work as supposed.
   The sources of the problems may be different, but the rule of thumb is to
   ensure that the time is synchronized between the nodes of the cluster.

   When troubleshooting HAST, the debugging level of hastd(8) should be
   increased by starting hastd with -d. This argument may be specified
   multiple times to further increase the debugging level. Consider also
   using -F, which starts hastd in the foreground.

    17.14.3.1. *** Split-brain ************

   Split-brain occurs when the nodes of the cluster are unable to communicate
   with each other, and both are configured as primary. This is a dangerous
   condition because it allows both nodes to make incompatible changes to the
   data. This problem must be corrected manually by the system administrator.

   The administrator must either decide which node has more important
   changes, or perform the merge manually. Then, let HAST perform full
   synchronization of the node which has the broken data. To do this, issue
   these commands on the node which needs to be resynchronized:

 # hastctl role init test
 # hastctl create test
 # hastctl role secondary test

*** 18. GEOM: ***************************

   Written by Tom Rhodes.
   ************

   18.1. ******

   18.2. RAID0 - ****** (Striping)

   18.3. RAID1 - ****** (Mirroring)

   18.4. RAID3 - ************************************

   18.5. ****** RAID ******

   18.6. GEOM Gate Network

   18.7. ******************

   18.8. UFS Journaling ****** GEOM

18.1. ******

   *** FreeBSD *****GEOM
   ************************************************************* (Master Boot
   Record) *** BSD ************************************* /dev
   ******************._****************** RAID ***********GEOM
   ***************************************************************._

   This chapter covers the use of disks under the GEOM framework in FreeBSD.
   This includes the major RAID control utilities which use the framework for
   configuration. This chapter is not a definitive guide to RAID
   configurations and only GEOM-supported RAID classifications are discussed.

   ****************************

     * What type of RAID support is available through GEOM.

     * How to use the base utilities to configure, maintain, and manipulate
       the various RAID levels.

     * How to mirror, stripe, encrypt, and remotely connect disk devices
       through GEOM.

     * How to troubleshoot disks attached to the GEOM framework.

   ****************************************

     * Understand how FreeBSD treats disk devices (*** 17, ************).

     * *************************************** (*** 8, ****** FreeBSD
       ******)._

18.2. RAID0 - ****** (Striping)

   Written by Tom Rhodes and Murray Stokely.

   ************************************************
   (Volume)************************** RAID ************************._GEOM
   ***********************************************************************
   RAID0************** RAID ***************._

   *** RAID0 ******************************************** (Block)
   *********************************************._***********************************************
   256k ************************** RAID0 ****************** 64k
   ******************************************************************** I/O
   **************************************************************._

                           Disk Striping Illustration

   *** RAID0 ***************************************************** I/O
   *********************************************************._

  ******:

   RAID0 ************************ (Redundancy)
   ******._*****************************************************************************************************._*************************************************************************************._

   The process for creating a software, GEOM-based RAID0 on a FreeBSD system
   using commodity disks is as follows. Once the stripe is created, refer to
   gstripe(8) for more information on how to control an existing stripe.

   ****** 18.1. Creating a Stripe of Unformatted ATA Disks
    1. Load the geom_stripe.ko module:

 # kldload geom_stripe

    2. Ensure that a suitable mount point exists. If this volume will become
       a root partition, then temporarily use another mount point such as
       /mnt.

    3. Determine the device names for the disks which will be striped, and
       create the new stripe device. For example, to stripe two unused and
       unpartitioned ATA disks with device names of /dev/ad2 and /dev/ad3:

 # gstripe label -v st0 /dev/ad2 /dev/ad3
 Metadata value stored on /dev/ad2.
 Metadata value stored on /dev/ad3.
 Done.

    4. Write a standard label, also known as a partition table, on the new
       volume and install the default bootstrap code:

 # bsdlabel -wB /dev/stripe/st0

    5. This process should create two other devices in /dev/stripe in
       addition to st0. Those include st0a and st0c. At this point, a UFS
       file system can be created on st0a using newfs:

 # newfs -U /dev/stripe/st0a

       Many numbers will glide across the screen, and after a few seconds,
       the process will be complete. The volume has been created and is ready
       to be mounted.

    6. To manually mount the created disk stripe:

 # mount /dev/stripe/st0a /mnt

    7. To mount this striped file system automatically during the boot
       process, place the volume information in /etc/fstab. In this example,
       a permanent mount point, named stripe, is created:

 # mkdir /stripe
 # echo "/dev/stripe/st0a /stripe ufs rw 2 2" \
 >> /etc/fstab

    8. The geom_stripe.ko module must also be automatically loaded during
       system initialization, by adding a line to /boot/loader.conf:

 # sysrc -f /boot/loader.conf geom_stripe_load=YES

18.3. RAID1 - ****** (Mirroring)

   RAID1
   *********************************************************************._**************************************************************************************************************************************************************************************************************************._*******************************************************************************************************._

   Two common situations are illustrated in these examples. The first creates
   a mirror out of two new drives and uses it as a replacement for an
   existing single drive. The second example creates a mirror on a single new
   drive, copies the old drive's data to it, then inserts the old drive into
   the mirror. While this procedure is slightly more complicated, it only
   requires one new drive.

   Traditionally, the two drives in a mirror are identical in model and
   capacity, but gmirror(8) does not require that. Mirrors created with
   dissimilar drives will have a capacity equal to that of the smallest drive
   in the mirror. Extra space on larger drives will be unused. Drives
   inserted into the mirror later must have at least as much capacity as the
   smallest drive already in the mirror.

  ******:

   The mirroring procedures shown here are non-destructive, but as with any
   major disk operation, make a full backup first.

  ******:

   While dump(8) is used in these procedures to copy file systems, it does
   not work on file systems with soft updates journaling. See tunefs(8) for
   information on detecting and disabling soft updates journaling.

  18.3.1. Metadata ******

   Many disk systems store metadata at the end of each disk. Old metadata
   should be erased before reusing the disk for a mirror. Most problems are
   caused by two particular types of leftover metadata: GPT partition tables
   and old metadata from a previous mirror.

   GPT metadata can be erased with gpart(8). This example erases both primary
   and backup GPT partition tables from disk ada8:

 # gpart destroy -F ada8

   A disk can be removed from an active mirror and the metadata erased in one
   step using gmirror(8). Here, the example disk ada8 is removed from the
   active mirror gm4:

 # gmirror remove gm4 ada8

   If the mirror is not running, but old mirror metadata is still on the
   disk, use gmirror clear to remove it:

 # gmirror clear ada8

   gmirror(8) stores one block of metadata at the end of the disk. Because
   GPT partition schemes also store metadata at the end of the disk,
   mirroring entire GPT disks with gmirror(8) is not recommended. MBR
   partitioning is used here because it only stores a partition table at the
   start of the disk and does not conflict with the mirror metadata.

  18.3.2. *********************************

   In this example, FreeBSD has already been installed on a single disk,
   ada0. Two new disks, ada1 and ada2, have been connected to the system. A
   new mirror will be created on these two disks and used to replace the old
   single disk.

   The geom_mirror.ko kernel module must either be built into the kernel or
   loaded at boot- or run-time. Manually load the kernel module now:

 # gmirror load

   Create the mirror with the two new drives:

 # gmirror label -v gm0 /dev/ada1 /dev/ada2

   gm0 is a user-chosen device name assigned to the new mirror. After the
   mirror has been started, this device name appears in /dev/mirror/.

   MBR and bsdlabel partition tables can now be created on the mirror with
   gpart(8). This example uses a traditional file system layout, with
   partitions for /, swap, /var, /tmp, and /usr. A single / and a swap
   partition will also work.

   Partitions on the mirror do not have to be the same size as those on the
   existing disk, but they must be large enough to hold all the data already
   present on ada0.

 # gpart create -s MBR mirror/gm0
 # gpart add -t freebsd -a 4k mirror/gm0
 # gpart show mirror/gm0
 =>       63  156301423  mirror/gm0  MBR  (74G)
          63         63                    - free -  (31k)
         126  156301299                 1  freebsd  (74G)
   156301425         61                    - free -  (30k)

 # gpart create -s BSD mirror/gm0s1
 # gpart add -t freebsd-ufs  -a 4k -s 2g mirror/gm0s1
 # gpart add -t freebsd-swap -a 4k -s 4g mirror/gm0s1
 # gpart add -t freebsd-ufs  -a 4k -s 2g mirror/gm0s1
 # gpart add -t freebsd-ufs  -a 4k -s 1g mirror/gm0s1
 # gpart add -t freebsd-ufs  -a 4k       mirror/gm0s1
 # gpart show mirror/gm0s1
 =>        0  156301299  mirror/gm0s1  BSD  (74G)
           0          2                      - free -  (1.0k)
           2    4194304                   1  freebsd-ufs  (2.0G)
     4194306    8388608                   2  freebsd-swap  (4.0G)
    12582914    4194304                   4  freebsd-ufs  (2.0G)
    16777218    2097152                   5  freebsd-ufs  (1.0G)
    18874370  137426928                   6  freebsd-ufs  (65G)
   156301298          1                      - free -  (512B)

   Make the mirror bootable by installing bootcode in the MBR and bsdlabel
   and setting the active slice:

 # gpart bootcode -b /boot/mbr mirror/gm0
 # gpart set -a active -i 1 mirror/gm0
 # gpart bootcode -b /boot/boot mirror/gm0s1

   Format the file systems on the new mirror, enabling soft-updates.

 # newfs -U /dev/mirror/gm0s1a
 # newfs -U /dev/mirror/gm0s1d
 # newfs -U /dev/mirror/gm0s1e
 # newfs -U /dev/mirror/gm0s1f

   File systems from the original ada0 disk can now be copied onto the mirror
   with dump(8) and restore(8).

 # mount /dev/mirror/gm0s1a /mnt
 # dump -C16 -b64 -0aL -f - / | (cd /mnt && restore -rf -)
 # mount /dev/mirror/gm0s1d /mnt/var
 # mount /dev/mirror/gm0s1e /mnt/tmp
 # mount /dev/mirror/gm0s1f /mnt/usr
 # dump -C16 -b64 -0aL -f - /var | (cd /mnt/var && restore -rf -)
 # dump -C16 -b64 -0aL -f - /tmp | (cd /mnt/tmp && restore -rf -)
 # dump -C16 -b64 -0aL -f - /usr | (cd /mnt/usr && restore -rf -)

   Edit /mnt/etc/fstab to point to the new mirror file systems:

 # Device                Mountpoint      FStype  Options Dump    Pass#
 /dev/mirror/gm0s1a      /               ufs     rw      1       1
 /dev/mirror/gm0s1b      none            swap    sw      0       0
 /dev/mirror/gm0s1d      /var            ufs     rw      2       2
 /dev/mirror/gm0s1e      /tmp            ufs     rw      2       2
 /dev/mirror/gm0s1f      /usr            ufs     rw      2       2

   If the geom_mirror.ko kernel module has not been built into the kernel,
   /mnt/boot/loader.conf is edited to load the module at boot:

 geom_mirror_load="YES"

   Reboot the system to test the new mirror and verify that all data has been
   copied. The BIOS will see the mirror as two individual drives rather than
   a mirror. Because the drives are identical, it does not matter which is
   selected to boot.

   See *** 18.3.4, "************" if there are problems booting. Powering
   down and disconnecting the original ada0 disk will allow it to be kept as
   an offline backup.

   In use, the mirror will behave just like the original single drive.

  18.3.3. ******************************

   In this example, FreeBSD has already been installed on a single disk,
   ada0. A new disk, ada1, has been connected to the system. A one-disk
   mirror will be created on the new disk, the existing system copied onto
   it, and then the old disk will be inserted into the mirror. This slightly
   complex procedure is required because gmirror needs to put a 512-byte
   block of metadata at the end of each disk, and the existing ada0 has
   usually had all of its space already allocated.

   Load the geom_mirror.ko kernel module:

 # gmirror load

   Check the media size of the original disk with diskinfo:

 # diskinfo -v ada0 | head -n3
 /dev/ada0
         512             # sectorsize
         1000204821504   # mediasize in bytes (931G)

   Create a mirror on the new disk. To make certain that the mirror capacity
   is not any larger than the original ada0 drive, gnop(8) is used to create
   a fake drive of the exact same size. This drive does not store any data,
   but is used only to limit the size of the mirror. When gmirror(8) creates
   the mirror, it will restrict the capacity to the size of gzero.nop, even
   if the new ada1 drive has more space. Note that the 1000204821504 in the
   second line is equal to ada0's media size as shown by diskinfo above.

 # geom zero load
 # gnop create -s 1000204821504 gzero
 # gmirror label -v gm0 gzero.nop ada1
 # gmirror forget gm0

   Since gzero.nop does not store any data, the mirror does not see it as
   connected. The mirror is told to "forget" unconnected components, removing
   references to gzero.nop. The result is a mirror device containing only a
   single disk, ada1.

   After creating gm0, view the partition table on ada0. This output is from
   a 1 TB drive. If there is some unallocated space at the end of the drive,
   the contents may be copied directly from ada0 to the new mirror.

   However, if the output shows that all of the space on the disk is
   allocated, as in the following listing, there is no space available for
   the 512-byte mirror metadata at the end of the disk.

 # gpart show ada0
 =>        63  1953525105        ada0  MBR  (931G)
           63  1953525105           1  freebsd  [active]  (931G)

   In this case, the partition table must be edited to reduce the capacity by
   one sector on mirror/gm0. The procedure will be explained later.

   In either case, partition tables on the primary disk should be first
   copied using gpart backup and gpart restore.

 # gpart backup ada0 > table.ada0
 # gpart backup ada0s1 > table.ada0s1

   These commands create two files, table.ada0 and table.ada0s1. This example
   is from a 1 TB drive:

 # cat table.ada0
 MBR 4
 1 freebsd         63 1953525105   [active]

 # cat table.ada0s1
 BSD 8
 1  freebsd-ufs          0    4194304
 2 freebsd-swap    4194304   33554432
 4  freebsd-ufs   37748736   50331648
 5  freebsd-ufs   88080384   41943040
 6  freebsd-ufs  130023424  838860800
 7  freebsd-ufs  968884224  984640881

   If no free space is shown at the end of the disk, the size of both the
   slice and the last partition must be reduced by one sector. Edit the two
   files, reducing the size of both the slice and last partition by one.
   These are the last numbers in each listing.

 # cat table.ada0
 MBR 4
 1 freebsd         63 1953525104   [active]

 # cat table.ada0s1
 BSD 8
 1  freebsd-ufs          0    4194304
 2 freebsd-swap    4194304   33554432
 4  freebsd-ufs   37748736   50331648
 5  freebsd-ufs   88080384   41943040
 6  freebsd-ufs  130023424  838860800
 7  freebsd-ufs  968884224  984640880

   If at least one sector was unallocated at the end of the disk, these two
   files can be used without modification.

   Now restore the partition table into mirror/gm0:

 # gpart restore mirror/gm0 < table.ada0
 # gpart restore mirror/gm0s1 < table.ada0s1

   Check the partition table with gpart show. This example has gm0s1a for /,
   gm0s1d for /var, gm0s1e for /usr, gm0s1f for /data1, and gm0s1g for
   /data2.

 # gpart show mirror/gm0
 =>        63  1953525104  mirror/gm0  MBR  (931G)
           63  1953525042           1  freebsd  [active]  (931G)
   1953525105          62              - free -  (31k)

 # gpart show mirror/gm0s1
 =>         0  1953525042  mirror/gm0s1  BSD  (931G)
            0     2097152             1  freebsd-ufs  (1.0G)
      2097152    16777216             2  freebsd-swap  (8.0G)
     18874368    41943040             4  freebsd-ufs  (20G)
     60817408    20971520             5  freebsd-ufs  (10G)
     81788928   629145600             6  freebsd-ufs  (300G)
    710934528  1242590514             7  freebsd-ufs  (592G)
   1953525042          63                - free -  (31k)

   Both the slice and the last partition must have at least one free block at
   the end of the disk.

   Create file systems on these new partitions. The number of partitions will
   vary to match the original disk, ada0.

 # newfs -U /dev/mirror/gm0s1a
 # newfs -U /dev/mirror/gm0s1d
 # newfs -U /dev/mirror/gm0s1e
 # newfs -U /dev/mirror/gm0s1f
 # newfs -U /dev/mirror/gm0s1g

   Make the mirror bootable by installing bootcode in the MBR and bsdlabel
   and setting the active slice:

 # gpart bootcode -b /boot/mbr mirror/gm0
 # gpart set -a active -i 1 mirror/gm0
 # gpart bootcode -b /boot/boot mirror/gm0s1

   Adjust /etc/fstab to use the new partitions on the mirror. Back up this
   file first by copying it to /etc/fstab.orig.

 # cp /etc/fstab /etc/fstab.orig

   Edit /etc/fstab, replacing /dev/ada0 with mirror/gm0.

 # Device                Mountpoint      FStype  Options Dump    Pass#
 /dev/mirror/gm0s1a      /               ufs     rw      1       1
 /dev/mirror/gm0s1b      none            swap    sw      0       0
 /dev/mirror/gm0s1d      /var            ufs     rw      2       2
 /dev/mirror/gm0s1e      /usr            ufs     rw      2       2
 /dev/mirror/gm0s1f      /data1          ufs     rw      2       2
 /dev/mirror/gm0s1g      /data2          ufs     rw      2       2

   If the geom_mirror.ko kernel module has not been built into the kernel,
   edit /boot/loader.conf to load it at boot:

 geom_mirror_load="YES"

   File systems from the original disk can now be copied onto the mirror with
   dump(8) and restore(8). Each file system dumped with dump -L will create a
   snapshot first, which can take some time.

 # mount /dev/mirror/gm0s1a /mnt
 # dump -C16 -b64 -0aL -f - /    | (cd /mnt && restore -rf -)
 # mount /dev/mirror/gm0s1d /mnt/var
 # mount /dev/mirror/gm0s1e /mnt/usr
 # mount /dev/mirror/gm0s1f /mnt/data1
 # mount /dev/mirror/gm0s1g /mnt/data2
 # dump -C16 -b64 -0aL -f - /usr | (cd /mnt/usr && restore -rf -)
 # dump -C16 -b64 -0aL -f - /var | (cd /mnt/var && restore -rf -)
 # dump -C16 -b64 -0aL -f - /data1 | (cd /mnt/data1 && restore -rf -)
 # dump -C16 -b64 -0aL -f - /data2 | (cd /mnt/data2 && restore -rf -)

   Restart the system, booting from ada1. If everything is working, the
   system will boot from mirror/gm0, which now contains the same data as ada0
   had previously. See *** 18.3.4, "************" if there are problems
   booting.

   At this point, the mirror still consists of only the single ada1 disk.

   After booting from mirror/gm0 successfully, the final step is inserting
   ada0 into the mirror.

  ******:

   When ada0 is inserted into the mirror, its former contents will be
   overwritten by data from the mirror. Make certain that mirror/gm0 has the
   same contents as ada0 before adding ada0 to the mirror. If the contents
   previously copied by dump(8) and restore(8) are not identical to what was
   on ada0, revert /etc/fstab to mount the file systems on ada0, reboot, and
   start the whole procedure again.

 # gmirror insert gm0 ada0
 GEOM_MIRROR: Device gm0: rebuilding provider ada0

   Synchronization between the two disks will start immediately. Use gmirror
   status to view the progress.

 # gmirror status
       Name    Status  Components
 mirror/gm0  DEGRADED  ada1 (ACTIVE)
                       ada0 (SYNCHRONIZING, 64%)

   After a while, synchronization will finish.

 GEOM_MIRROR: Device gm0: rebuilding provider ada0 finished.
 # gmirror status
       Name    Status  Components
 mirror/gm0  COMPLETE  ada1 (ACTIVE)
                       ada0 (ACTIVE)

   mirror/gm0 now consists of the two disks ada0 and ada1, and the contents
   are automatically synchronized with each other. In use, mirror/gm0 will
   behave just like the original single drive.

  18.3.4. ************

   If the system no longer boots, BIOS settings may have to be changed to
   boot from one of the new mirrored drives. Either mirror drive can be used
   for booting, as they contain identical data.

   If the boot stops with this message, something is wrong with the mirror
   device:

 Mounting from ufs:/dev/mirror/gm0s1a failed with error 19.

 Loader variables:
   vfs.root.mountfrom=ufs:/dev/mirror/gm0s1a
   vfs.root.mountfrom.options=rw

 Manual root filesystem specification:
   <fstype>:<device> [options]
       Mount <device> using filesystem <fstype>
       and with the specified (optional) option list.

     eg. ufs:/dev/da0s1a
         zfs:tank
         cd9660:/dev/acd0 ro
           (which is equivalent to: mount -t cd9660 -o ro /dev/acd0 /)

   ?               List valid disk boot devices
   .               Yield 1 second (for background tasks)
   <empty line>    Abort manual input

 mountroot>

   Forgetting to load the geom_mirror.ko module in /boot/loader.conf can
   cause this problem. To fix it, boot from a FreeBSD installation media and
   choose Shell at the first prompt. Then load the mirror module and mount
   the mirror device:

 # gmirror load
 # mount /dev/mirror/gm0s1a /mnt

   Edit /mnt/boot/loader.conf, adding a line to load the mirror module:

 geom_mirror_load="YES"

   Save the file and reboot.

   Other problems that cause error 19 require more effort to fix. Although
   the system should boot from ada0, another prompt to select a shell will
   appear if /etc/fstab is incorrect. Enter ufs:/dev/ada0s1a at the boot
   loader prompt and press Enter. Undo the edits in /etc/fstab then mount the
   file systems from the original disk (ada0) instead of the mirror. Reboot
   the system and try the procedure again.

 Enter full pathname of shell or RETURN for /bin/sh:
 # cp /etc/fstab.orig /etc/fstab
 # reboot

  18.3.5. *********************

   The benefit of disk mirroring is that an individual disk can fail without
   causing the mirror to lose any data. In the above example, if ada0 fails,
   the mirror will continue to work, providing data from the remaining
   working drive, ada1.

   To replace the failed drive, shut down the system and physically replace
   the failed drive with a new drive of equal or greater capacity.
   Manufacturers use somewhat arbitrary values when rating drives in
   gigabytes, and the only way to really be sure is to compare the total
   count of sectors shown by diskinfo -v. A drive with larger capacity than
   the mirror will work, although the extra space on the new drive will not
   be used.

   After the computer is powered back up, the mirror will be running in a
   "degraded" mode with only one drive. The mirror is told to forget drives
   that are not currently connected:

 # gmirror forget gm0

   Any old metadata should be cleared from the replacement disk using the
   instructions in *** 18.3.1, "Metadata ******". Then the replacement disk,
   ada4 for this example, is inserted into the mirror:

 # gmirror insert gm0 /dev/ada4

   Resynchronization begins when the new drive is inserted into the mirror.
   This process of copying mirror data to a new drive can take a while.
   Performance of the mirror will be greatly reduced during the copy, so
   inserting new drives is best done when there is low demand on the
   computer.

   Progress can be monitored with gmirror status, which shows drives that are
   being synchronized and the percentage of completion. During
   resynchronization, the status will be DEGRADED, changing to COMPLETE when
   the process is finished.

18.4. RAID3 - ************************************

   Written by Mark Gladman and Daniel Gerzo.
   Based on documentation by Tom Rhodes and Murray Stokely.

   RAID3 is a method used to combine several disk drives into a single volume
   with a dedicated parity disk. In a RAID3 system, data is split up into a
   number of bytes that are written across all the drives in the array except
   for one disk which acts as a dedicated parity disk. This means that disk
   reads from a RAID3 implementation access all disks in the array.
   Performance can be enhanced by using multiple disk controllers. The RAID3
   array provides a fault tolerance of 1 drive, while providing a capacity of
   1 - 1/n times the total capacity of all drives in the array, where n is
   the number of hard drives in the array. Such a configuration is mostly
   suitable for storing data of larger sizes such as multimedia files.

   At least 3 physical hard drives are required to build a RAID3 array. Each
   disk must be of the same size, since I/O requests are interleaved to read
   or write to multiple disks in parallel. Also, due to the nature of RAID3,
   the number of drives must be equal to 3, 5, 9, 17, and so on, or 2^n + 1.

   This section demonstrates how to create a software RAID3 on a FreeBSD
   system.

  ******:

   While it is theoretically possible to boot from a RAID3 array on FreeBSD,
   that configuration is uncommon and is not advised.

  18.4.1. ****** Dedicated RAID3 ******

   In FreeBSD, support for RAID3 is implemented by the graid3(8) GEOM class.
   Creating a dedicated RAID3 array on FreeBSD requires the following steps.

    1. First, load the geom_raid3.ko kernel module by issuing one of the
       following commands:

 # graid3 load

       or:

 # kldload geom_raid3

    2. Ensure that a suitable mount point exists. This command creates a new
       directory to use as the mount point:

 # mkdir /multimedia

    3. Determine the device names for the disks which will be added to the
       array, and create the new RAID3 device. The final device listed will
       act as the dedicated parity disk. This example uses three
       unpartitioned ATA drives: ada1 and ada2 for data, and ada3 for parity.

 # graid3 label -v gr0 /dev/ada1 /dev/ada2 /dev/ada3
 Metadata value stored on /dev/ada1.
 Metadata value stored on /dev/ada2.
 Metadata value stored on /dev/ada3.
 Done.

    4. Partition the newly created gr0 device and put a UFS file system on
       it:

 # gpart create -s GPT /dev/raid3/gr0
 # gpart add -t freebsd-ufs /dev/raid3/gr0
 # newfs -j /dev/raid3/gr0p1

       Many numbers will glide across the screen, and after a bit of time,
       the process will be complete. The volume has been created and is ready
       to be mounted:

 # mount /dev/raid3/gr0p1 /multimedia/

       The RAID3 array is now ready to use.

   Additional configuration is needed to retain this setup across system
   reboots.

    1. The geom_raid3.ko module must be loaded before the array can be
       mounted. To automatically load the kernel module during system
       initialization, add the following line to /boot/loader.conf:

 geom_raid3_load="YES"

    2. The following volume information must be added to /etc/fstab in order
       to automatically mount the array's file system during the system boot
       process:

 /dev/raid3/gr0p1        /multimedia     ufs     rw      2       2

18.5. ****** RAID ******

   Originally contributed by Warren Block.

   Some motherboards and expansion cards add some simple hardware, usually
   just a ROM, that allows the computer to boot from a RAID array. After
   booting, access to the RAID array is handled by software running on the
   computer's main processor. This "hardware-assisted software RAID" gives
   RAID arrays that are not dependent on any particular operating system, and
   which are functional even before an operating system is loaded.

   Several levels of RAID are supported, depending on the hardware in use.
   See graid(8) for a complete list.

   graid(8) requires the geom_raid.ko kernel module, which is included in the
   GENERIC kernel starting with FreeBSD 9.1. If needed, it can be loaded
   manually with graid load.

  18.5.1. ************

   Software RAID devices often have a menu that can be entered by pressing
   special keys when the computer is booting. The menu can be used to create
   and delete RAID arrays. graid(8) can also create arrays directly from the
   command line.

   graid label is used to create a new array. The motherboard used for this
   example has an Intel software RAID chipset, so the Intel metadata format
   is specified. The new array is given a label of gm0, it is a mirror
   (RAID1), and uses drives ada0 and ada1.

  ******:

   Some space on the drives will be overwritten when they are made into a new
   array. Back up existing data first!

 # graid label Intel gm0 RAID1 ada0 ada1
 GEOM_RAID: Intel-a29ea104: Array Intel-a29ea104 created.
 GEOM_RAID: Intel-a29ea104: Disk ada0 state changed from NONE to ACTIVE.
 GEOM_RAID: Intel-a29ea104: Subdisk gm0:0-ada0 state changed from NONE to ACTIVE.
 GEOM_RAID: Intel-a29ea104: Disk ada1 state changed from NONE to ACTIVE.
 GEOM_RAID: Intel-a29ea104: Subdisk gm0:1-ada1 state changed from NONE to ACTIVE.
 GEOM_RAID: Intel-a29ea104: Array started.
 GEOM_RAID: Intel-a29ea104: Volume gm0 state changed from STARTING to OPTIMAL.
 Intel-a29ea104 created
 GEOM_RAID: Intel-a29ea104: Provider raid/r0 for volume gm0 created.

   A status check shows the new mirror is ready for use:

 # graid status
    Name   Status  Components
 raid/r0  OPTIMAL  ada0 (ACTIVE (ACTIVE))
                   ada1 (ACTIVE (ACTIVE))

   The array device appears in /dev/raid/. The first array is called r0.
   Additional arrays, if present, will be r1, r2, and so on.

   The BIOS menu on some of these devices can create arrays with special
   characters in their names. To avoid problems with those special
   characters, arrays are given simple numbered names like r0. To show the
   actual labels, like gm0 in the example above, use sysctl(8):

 # sysctl kern.geom.raid.name_format=1

  18.5.2. ************

   Some software RAID devices support more than one volume on an array.
   Volumes work like partitions, allowing space on the physical drives to be
   split and used in different ways. For example, Intel software RAID devices
   support two volumes. This example creates a 40 G mirror for safely storing
   the operating system, followed by a 20 G RAID0 (stripe) volume for fast
   temporary storage:

 # graid label -S 40G Intel gm0 RAID1 ada0 ada1
 # graid add -S 20G gm0 RAID0

   Volumes appear as additional rX entries in /dev/raid/. An array with two
   volumes will show r0 and r1.

   See graid(8) for the number of volumes supported by different software
   RAID devices.

  18.5.3. ***************************

   Under certain specific conditions, it is possible to convert an existing
   single drive to a graid(8) array without reformatting. To avoid data loss
   during the conversion, the existing drive must meet these minimum
   requirements:

     * The drive must be partitioned with the MBR partitioning scheme. GPT or
       other partitioning schemes with metadata at the end of the drive will
       be overwritten and corrupted by the graid(8) metadata.

     * There must be enough unpartitioned and unused space at the end of the
       drive to hold the graid(8) metadata. This metadata varies in size, but
       the largest occupies 64 M, so at least that much free space is
       recommended.

   If the drive meets these requirements, start by making a full backup. Then
   create a single-drive mirror with that drive:

 # graid label Intel gm0 RAID1 ada0 NONE

   graid(8) metadata was written to the end of the drive in the unused space.
   A second drive can now be inserted into the mirror:

 # graid insert raid/r0 ada1

   Data from the original drive will immediately begin to be copied to the
   second drive. The mirror will operate in degraded status until the copy is
   complete.

  18.5.4. ************************

   Drives can be inserted into an array as replacements for drives that have
   failed or are missing. If there are no failed or missing drives, the new
   drive becomes a spare. For example, inserting a new drive into a working
   two-drive mirror results in a two-drive mirror with one spare drive, not a
   three-drive mirror.

   In the example mirror array, data immediately begins to be copied to the
   newly-inserted drive. Any existing information on the new drive will be
   overwritten.

 # graid insert raid/r0 ada1
 GEOM_RAID: Intel-a29ea104: Disk ada1 state changed from NONE to ACTIVE.
 GEOM_RAID: Intel-a29ea104: Subdisk gm0:1-ada1 state changed from NONE to NEW.
 GEOM_RAID: Intel-a29ea104: Subdisk gm0:1-ada1 state changed from NEW to REBUILD.
 GEOM_RAID: Intel-a29ea104: Subdisk gm0:1-ada1 rebuild start at 0.

  18.5.5. *********************

   Individual drives can be permanently removed from a from an array and
   their metadata erased:

 # graid remove raid/r0 ada1
 GEOM_RAID: Intel-a29ea104: Disk ada1 state changed from ACTIVE to OFFLINE.
 GEOM_RAID: Intel-a29ea104: Subdisk gm0:1-[unknown] state changed from ACTIVE to NONE.
 GEOM_RAID: Intel-a29ea104: Volume gm0 state changed from OPTIMAL to DEGRADED.

  18.5.6. ************

   An array can be stopped without removing metadata from the drives. The
   array will be restarted when the system is booted.

 # graid stop raid/r0

  18.5.7. ******************

   Array status can be checked at any time. After a drive was added to the
   mirror in the example above, data is being copied from the original drive
   to the new drive:

 # graid status
    Name    Status  Components
 raid/r0  DEGRADED  ada0 (ACTIVE (ACTIVE))
                    ada1 (ACTIVE (REBUILD 28%))

   Some types of arrays, like RAID0 or CONCAT, may not be shown in the status
   report if disks have failed. To see these partially-failed arrays, add
   -ga:

 # graid status -ga
           Name  Status  Components
 Intel-e2d07d9a  BROKEN  ada6 (ACTIVE (ACTIVE))

  18.5.8. ************

   Arrays are destroyed by deleting all of the volumes from them. When the
   last volume present is deleted, the array is stopped and metadata is
   removed from the drives:

 # graid delete raid/r0

  18.5.9. ***************************

   Drives may unexpectedly contain graid(8) metadata, either from previous
   use or manufacturer testing. graid(8) will detect these drives and create
   an array, interfering with access to the individual drive. To remove the
   unwanted metadata:

    1. Boot the system. At the boot menu, select 2 for the loader prompt.
       Enter:

 OK set kern.geom.raid.enable=0
 OK boot

       The system will boot with graid(8) disabled.

    2. Back up all data on the affected drive.

    3. As a workaround, graid(8) array detection can be disabled by adding

 kern.geom.raid.enable=0

       to /boot/loader.conf.

       To permanently remove the graid(8) metadata from the affected drive,
       boot a FreeBSD installation CD-ROM or memory stick, and select Shell.
       Use status to find the name of the array, typically raid/r0:

 # graid status
    Name   Status  Components
 raid/r0  OPTIMAL  ada0 (ACTIVE (ACTIVE))
                   ada1 (ACTIVE (ACTIVE))

       Delete the volume by name:

 # graid delete raid/r0

       If there is more than one volume shown, repeat the process for each
       volume. After the last array has been deleted, the volume will be
       destroyed.

       Reboot and verify data, restoring from backup if necessary. After the
       metadata has been removed, the kern.geom.raid.enable=0 entry in
       /boot/loader.conf can also be removed.

18.6. GEOM Gate Network

   GEOM provides a simple mechanism for providing remote access to devices
   such as disks, CDs, and file systems through the use of the GEOM Gate
   network daemon, ggated. The system with the device runs the server daemon
   which handles requests made by clients using ggatec. The devices should
   not contain any sensitive data as the connection between the client and
   the server is not encrypted.

   Similar to NFS, which is discussed in *** 29.3, "******************
   (NFS)", ggated is configured using an exports file. This file specifies
   which systems are permitted to access the exported resources and what
   level of access they are offered. For example, to give the client
   192.168.1.5 read and write access to the fourth slice on the first SCSI
   disk, create /etc/gg.exports with this line:

 192.168.1.5 RW /dev/da0s4d

   Before exporting the device, ensure it is not currently mounted. Then,
   start ggated:

 # ggated

   Several options are available for specifying an alternate listening port
   or changing the default location of the exports file. Refer to ggated(8)
   for details.

   To access the exported device on the client machine, first use ggatec to
   specify the IP address of the server and the device name of the exported
   device. If successful, this command will display a ggate device name to
   mount. Mount that specified device name on a free mount point. This
   example connects to the /dev/da0s4d partition on 192.168.1.1, then mounts
   /dev/ggate0 on /mnt:

 # ggatec create -o rw 192.168.1.1 /dev/da0s4d
 ggate0
 # mount /dev/ggate0 /mnt

   The device on the server may now be accessed through /mnt on the client.
   For more details about ggatec and a few usage examples, refer to
   ggatec(8).

  ******:

   The mount will fail if the device is currently mounted on either the
   server or any other client on the network. If simultaneous access is
   needed to network resources, use NFS instead.

   When the device is no longer needed, unmount it with umount so that the
   resource is available to other clients.

18.7. ******************

   During system initialization, the FreeBSD kernel creates device nodes as
   devices are found. This method of probing for devices raises some issues.
   For instance, what if a new disk device is added via USB? It is likely
   that a flash device may be handed the device name of da0 and the original
   da0 shifted to da1. This will cause issues mounting file systems if they
   are listed in /etc/fstab which may also prevent the system from booting.

   One solution is to chain SCSI devices in order so a new device added to
   the SCSI card will be issued unused device numbers. But what about USB
   devices which may replace the primary SCSI disk? This happens because USB
   devices are usually probed before the SCSI card. One solution is to only
   insert these devices after the system has been booted. Another method is
   to use only a single ATA drive and never list the SCSI devices in
   /etc/fstab.

   A better solution is to use glabel to label the disk devices and use the
   labels in /etc/fstab. Because glabel stores the label in the last sector
   of a given provider, the label will remain persistent across reboots. By
   using this label as a device, the file system may always be mounted
   regardless of what device node it is accessed through.

  ******:

   glabel can create both transient and permanent labels. Only permanent
   labels are consistent across reboots. Refer to glabel(8) for more
   information on the differences between labels.

  18.7.1. *********************

   Permanent labels can be a generic or a file system label. Permanent file
   system labels can be created with tunefs(8) or newfs(8). These types of
   labels are created in a sub-directory of /dev, and will be named according
   to the file system type. For example, UFS2 file system labels will be
   created in /dev/ufs. Generic permanent labels can be created with glabel
   label. These are not file system specific and will be created in
   /dev/label.

   Temporary labels are destroyed at the next reboot. These labels are
   created in /dev/label and are suited to experimentation. A temporary label
   can be created using glabel create.

   To create a permanent label for a UFS2 file system without destroying any
   data, issue the following command:

 # tunefs -L home /dev/da3

   A label should now exist in /dev/ufs which may be added to /etc/fstab:

 /dev/ufs/home           /home            ufs     rw              2      2

  ******:

   The file system must not be mounted while attempting to run tunefs.

   Now the file system may be mounted:

 # mount /home

   From this point on, so long as the geom_label.ko kernel module is loaded
   at boot with /boot/loader.conf or the GEOM_LABEL kernel option is present,
   the device node may change without any ill effect on the system.

   File systems may also be created with a default label by using the -L flag
   with newfs. Refer to newfs(8) for more information.

   The following command can be used to destroy the label:

 # glabel destroy home

   The following example shows how to label the partitions of a boot disk.

   ****** 18.1. ************************************

   By permanently labeling the partitions on the boot disk, the system should
   be able to continue to boot normally, even if the disk is moved to another
   controller or transferred to a different system. For this example, it is
   assumed that a single ATA disk is used, which is currently recognized by
   the system as ad0. It is also assumed that the standard FreeBSD partition
   scheme is used, with /, /var, /usr and /tmp, as well as a swap partition.

   Reboot the system, and at the loader(8) prompt, press 4 to boot into
   single user mode. Then enter the following commands:

 # glabel label rootfs /dev/ad0s1a
 GEOM_LABEL: Label for provider /dev/ad0s1a is label/rootfs
 # glabel label var /dev/ad0s1d
 GEOM_LABEL: Label for provider /dev/ad0s1d is label/var
 # glabel label usr /dev/ad0s1f
 GEOM_LABEL: Label for provider /dev/ad0s1f is label/usr
 # glabel label tmp /dev/ad0s1e
 GEOM_LABEL: Label for provider /dev/ad0s1e is label/tmp
 # glabel label swap /dev/ad0s1b
 GEOM_LABEL: Label for provider /dev/ad0s1b is label/swap
 # exit

   The system will continue with multi-user boot. After the boot completes,
   edit /etc/fstab and replace the conventional device names, with their
   respective labels. The final /etc/fstab will look like this:

 # Device                Mountpoint      FStype  Options         Dump    Pass#
 /dev/label/swap         none            swap    sw              0       0
 /dev/label/rootfs       /               ufs     rw              1       1
 /dev/label/tmp          /tmp            ufs     rw              2       2
 /dev/label/usr          /usr            ufs     rw              2       2
 /dev/label/var          /var            ufs     rw              2       2

   The system can now be rebooted. If everything went well, it will come up
   normally and mount will show:

 # mount
 /dev/label/rootfs on / (ufs, local)
 devfs on /dev (devfs, local)
 /dev/label/tmp on /tmp (ufs, local, soft-updates)
 /dev/label/usr on /usr (ufs, local, soft-updates)
 /dev/label/var on /var (ufs, local, soft-updates)

   The glabel(8) class supports a label type for UFS file systems, based on
   the unique file system id, ufsid. These labels may be found in /dev/ufsid
   and are created automatically during system startup. It is possible to use
   ufsid labels to mount partitions using /etc/fstab. Use glabel status to
   receive a list of file systems and their corresponding ufsid labels:

 % glabel status
                   Name  Status  Components
 ufsid/486b6fc38d330916     N/A  ad4s1d
 ufsid/486b6fc16926168e     N/A  ad4s1f

   In the above example, ad4s1d represents /var, while ad4s1f represents
   /usr. Using the ufsid values shown, these partitions may now be mounted
   with the following entries in /etc/fstab:

 /dev/ufsid/486b6fc38d330916        /var        ufs        rw        2      2
 /dev/ufsid/486b6fc16926168e        /usr        ufs        rw        2      2

   Any partitions with ufsid labels can be mounted in this way, eliminating
   the need to manually create permanent labels, while still enjoying the
   benefits of device name independent mounting.

18.8. UFS Journaling ****** GEOM

   Support for journals on UFS file systems is available on FreeBSD. The
   implementation is provided through the GEOM subsystem and is configured
   using gjournal. Unlike other file system journaling implementations, the
   gjournal method is block based and not implemented as part of the file
   system. It is a GEOM extension.

   Journaling stores a log of file system transactions, such as changes that
   make up a complete disk write operation, before meta-data and file writes
   are committed to the disk. This transaction log can later be replayed to
   redo file system transactions, preventing file system inconsistencies.

   This method provides another mechanism to protect against data loss and
   inconsistencies of the file system. Unlike Soft Updates, which tracks and
   enforces meta-data updates, and snapshots, which create an image of the
   file system, a log is stored in disk space specifically for this task. For
   better performance, the journal may be stored on another disk. In this
   configuration, the journal provider or storage device should be listed
   after the device to enable journaling on.

   The GENERIC kernel provides support for gjournal. To automatically load
   the geom_journal.ko kernel module at boot time, add the following line to
   /boot/loader.conf:

 geom_journal_load="YES"

   If a custom kernel is used, ensure the following line is in the kernel
   configuration file:

 options GEOM_JOURNAL

   Once the module is loaded, a journal can be created on a new file system
   using the following steps. In this example, da4 is a new SCSI disk:

 # gjournal load
 # gjournal label /dev/da4

   This will load the module and create a /dev/da4.journal device node on
   /dev/da4.

   A UFS file system may now be created on the journaled device, then mounted
   on an existing mount point:

 # newfs -O 2 -J /dev/da4.journal
 # mount /dev/da4.journal /mnt

  ******:

   In the case of several slices, a journal will be created for each
   individual slice. For instance, if ad4s1 and ad4s2 are both slices, then
   gjournal will create ad4s1.journal and ad4s2.journal.

   Journaling may also be enabled on current file systems by using tunefs.
   However, always make a backup before attempting to alter an existing file
   system. In most cases, gjournal will fail if it is unable to create the
   journal, but this does not protect against data loss incurred as a result
   of misusing tunefs. Refer to gjournal(8) and tunefs(8) for more
   information about these commands.

   It is possible to journal the boot disk of a FreeBSD system. Refer to the
   article Implementing UFS Journaling on a Desktop PC for detailed
   instructions.

*** 19. Z ************ (ZFS)

   Written by Tom Rhodes, Allan Jude, Benedict Reuschling and Warren Block.
   ************

   19.1. ********* ZFS ************

   19.2. ******************

   19.3. zpool ******

   19.4. zfs ******

   19.5. ************

   19.6. ************

   19.7. ************

   19.8. ZFS ***************

   Z ************ *** ZFS
   *********************************************************************************************._

   ********* Sun(TM) *********************************** ZFS ***************
   OpenZFS ******._

   ZFS ********************************

     * **************************************************************
       (checksum)****************************************************************************************************************************************************************************************************************
       (Data redundancy)**ZFS ***************************._

     * ********************************************************************
       (Pool)**********************************************************************************************************************************************************._

     * ***********************************************._******,_*********************************************
       ARC._***************************************************
       L2ARC***************************************************** ZIL._

   ********************************* *** 19.8, "ZFS ***************"
   ************._

19.1. ********* ZFS ************

   ZFS
   ****************************************************************************************ZFS
   *********************************************************************
   (Volume Manager)
   **************************************************************************************._**********************************************************************************************************************************************************************
   RAID
   *******************************************************************************************************************************************************************************************
   GEOM *************** RAID ***************************** UFS
   ****************** RAID Transform
   ************************************._ZFS ******************************
   (Volume Manager)
   *********************************************************************************************
   (Pool)._ZFS
   *************************************************************************************************************************************************************************************************._ZFS
   ****************************************************************************************************************************************
   (Dataset) *********************._

19.2. ******************

   *********************************** FreeBSD ***************************
   ZFS *********._***************************************** /etc/rc.conf**

 zfs_enable="YES"

   ********************

 # service zfs start

   ********************************* SCSI *********************** da0, da1
   *** da2._SATA ************************************ ada ._

  19.2.1. ******************

   *********************************************,_**************************

 # zpool create example /dev/da0

   ***************************************** df *****************

 # df
 Filesystem  1K-blocks    Used    Avail Capacity  Mounted on
 /dev/ad0s1a   2026030  235230  1628718    13%    /
 devfs               1       1        0   100%    /dev
 /dev/ad0s1d  54098308 1032846 48737598     2%    /usr
 example      17547136       0 17547136     0%    /example

   ************************ example
   *********************************************************************************************************************************

 # cd /example
 # ls
 # touch testfile
 # ls -al
 total 4
 drwxr-xr-x   2 root  wheel    3 Aug 29 23:15 .
 drwxr-xr-x  21 root  wheel  512 Aug 29 23:12 ..
 -rw-r--r--   1 root  wheel    0 Aug 29 23:15 testfile

   ******************************************** ZFS
   **********************************************************************************

 # zfs create example/compressed
 # zfs set compression=gzip example/compressed

   example/compressed ************************ ZFS
   ***********************************************************
   /example/compressed._

   ***********************************************

 # zfs set compression=off example/compressed

   ***************************** zfs umount *************** df ********

 # zfs umount example/compressed
 # df
 Filesystem  1K-blocks    Used    Avail Capacity  Mounted on
 /dev/ad0s1a   2026030  235232  1628716    13%    /
 devfs               1       1        0   100%    /dev
 /dev/ad0s1d  54098308 1032864 48737580     2%    /usr
 example      17547008       0 17547008     0%    /example

   ***************************************************** zfs mount *********
   df ********

 # zfs mount example/compressed
 # df
 Filesystem         1K-blocks    Used    Avail Capacity  Mounted on
 /dev/ad0s1a          2026030  235234  1628714    13%    /
 devfs                      1       1        0   100%    /dev
 /dev/ad0s1d         54098308 1032864 48737580     2%    /usr
 example             17547008       0 17547008     0%    /example
 example/compressed  17547008       0 17547008     0%    /example/compressed

   ************************************ mount ********************

 # mount
 /dev/ad0s1a on / (ufs, local)
 devfs on /dev (devfs, local)
 /dev/ad0s1d on /usr (ufs, local, soft-updates)
 example on /example (zfs, local)
 example/compressed on /example/compressed (zfs, local)

   *****************ZFS
   ***********************************************************************************************************._*****************************************************************
   data***************************** (Data block) ***********************

 # zfs create example/data
 # zfs set copies=2 example/data

   ******************** df ********************************************

 # df
 Filesystem         1K-blocks    Used    Avail Capacity  Mounted on
 /dev/ad0s1a          2026030  235234  1628714    13%    /
 devfs                      1       1        0   100%    /dev
 /dev/ad0s1d         54098308 1032864 48737580     2%    /usr
 example             17547008       0 17547008     0%    /example
 example/compressed  17547008       0 17547008     0%    /example/compressed
 example/data        17547008       0 17547008     0%    /example/data

   ****************************************************************************************************************************************
   df
   ****************************************************************************************************************._ZFS
   ****************** (Volume) ************ (Partition)
   **************************************************************._

   **************************************************************

 # zfs destroy example/compressed
 # zfs destroy example/data
 # zpool destroy example

  19.2.2. RAID-Z

   ***********************************************************************
   RAID._ZFS ************************************************._RAID-Z
   ***********************************************************************
   (Mirror) ******************************._

   *************************** RAID-Z
   *******************************************************

 # zpool create storage raidz da0 da1 da2

  ******:

   Sun(TM) ************ RAID-Z
   ***************************************._************ 10
   **************************************************************************
   RAID-Z ******._************************************************
   (Redundancy)***************** ZFS ****** (Mirror)._********* zpool(8)
   ************************._

   ****************************** storage *********
   (zpool)**********************************************************************************
   home**

 # zfs create storage/home

   ***********************************************************************

 # zfs set copies=2 storage/home
 # zfs set compression=gzip storage/home

   *****************************************************************************************************************************
   (Symbolic link)**

 # cp -rp /home/* /storage/home
 # rm -rf /home /usr/home
 # ln -s /storage/home /home
 # ln -s /storage/home /usr/home

   ************************************************
   /storage/home********************************************************._

   ****************************** (Snapshot)***********************
   (Rollback)**

 # zfs snapshot storage/home@08-30-08

   ********************************************************************************._

   @ ************************************ (File system) ************ (Volume)
   **********************************************************************************************************************
   (Snapshot)**

 # zfs rollback storage/home@08-30-08

   ***************************************************** .zfs/snapshot
   ************ ls************************************************

 # ls /storage/home/.zfs/snapshot

   ****************** Script
   **************************************************************************************************._*****************************************

 # zfs destroy storage/home@08-30-08

   ************************** /storage/home *************** /home
   *****************

 # zfs set mountpoint=/home storage/home

   ****** df *** mount
   ************************************************************ /home**

 # mount
 /dev/ad0s1a on / (ufs, local)
 devfs on /dev (devfs, local)
 /dev/ad0s1d on /usr (ufs, local, soft-updates)
 storage on /storage (zfs, local)
 storage/home on /home (zfs, local)
 # df
 Filesystem   1K-blocks    Used    Avail Capacity  Mounted on
 /dev/ad0s1a    2026030  235240  1628708    13%    /
 devfs                1       1        0   100%    /dev
 /dev/ad0s1d   54098308 1032826 48737618     2%    /usr
 storage       26320512       0 26320512     0%    /storage
 storage/home  26320512       0 26320512     0%    /home

   ****************** RAID-Z
   *****************************************************************************
   periodic(8) *********************************._***************
   /etc/periodic.conf**

 daily_status_zfs_enable="YES"

  19.2.3. ****** RAID-Z

   ************ RAID ********************* (state) ************** RAID-Z
   **************************************************

 # zpool status -x

   ****************************** (Online) *******************************

 all pools are healthy

   ************************************************** (Offline)
   *******************************************

   pool: storage
  state: DEGRADED
 status: One or more devices has been taken offline by the administrator.
         Sufficient replicas exist for the pool to continue functioning in a
         degraded state.
 action: Online the device using 'zpool online' or replace the device with
         'zpool replace'.
  scrub: none requested
 config:

         NAME        STATE     READ WRITE CKSUM
         storage     DEGRADED     0     0     0
           raidz1    DEGRADED     0     0     0
             da0     ONLINE       0     0     0
             da1     OFFLINE      0     0     0
             da2     ONLINE       0     0     0

 errors: No known data errors

   *****************************************************************

 # zpool offline storage da1

   ************************************
   da1************************************************************************

 # zpool replace storage da1

   ********************************************************** -x
   ***********************************

 # zpool status storage
  pool: storage
  state: ONLINE
  scrub: resilver completed with 0 errors on Sat Aug 30 19:44:11 2008
 config:

         NAME        STATE     READ WRITE CKSUM
         storage     ONLINE       0     0     0
           raidz1    ONLINE       0     0     0
             da0     ONLINE       0     0     0
             da1     ONLINE       0     0     0
             da2     ONLINE       0     0     0

 errors: No known data errors

   *****************************************************._

  19.2.4. ************

   ZFS *************** (Checksum) ***************************
   (Integrity)********************************************._

  ******:

   ********* (Checksum)
   *******************************************************************************************************._******************************
   ZFS
   *****************************************************************************._

   *********************************************
   (Scrub)*********************************** storage
   *****************************

 # zpool scrub storage

   ********************************************************************************************************************._************
   I/O
   ***************************************************************._***********************************
   status *****************

 # zpool status storage
  pool: storage
  state: ONLINE
  scrub: scrub completed with 0 errors on Sat Jan 26 19:57:37 2013
 config:

         NAME        STATE     READ WRITE CKSUM
         storage     ONLINE       0     0     0
           raidz1    ONLINE       0     0     0
             da0     ONLINE       0     0     0
             da1     ONLINE       0     0     0
             da2     ONLINE       0     0     0

 errors: No known data errors

   ************************************************************************************._************************************************************************************._

   ********* zfs(8) *** zpool(8) *************** ZFS ******._

19.3. zpool ******

   ZFS *********************************._zpool
   ***************************************************************,_******,_***************._zfs
   ******************,_*************************** (File system) ************
   (Volume) ************._

  19.3.1. ************************

   ****** ZFS ********* (zpool)
   ********************************************************************************************************._************************************************
   vdev ************************************._********* vdev ******
   ***************************************************._************ vdev
   ***********************************************************************
   (Mirror) *************************************** vdev
   ********************************************
   (Stripe)******************************** vdev
   ******************._*************************** vdev
   ********************************************************************************************************************************************************._

   **************************************

 # zpool create mypool mirror /dev/ada1 /dev/ada2
 # zpool status
   pool: mypool
  state: ONLINE
   scan: none requested
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada1    ONLINE       0     0     0
             ada2    ONLINE       0     0     0

 errors: No known data errors

   ************************ vdev*********************** vdev
   *********************************************** mirror**

 # zpool create mypool mirror /dev/ada1 /dev/ada2 mirror /dev/ada3 /dev/ada4
   pool: mypool
  state: ONLINE
   scan: none requested
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada1    ONLINE       0     0     0
             ada2    ONLINE       0     0     0
           mirror-1  ONLINE       0     0     0
             ada3    ONLINE       0     0     0
             ada4    ONLINE       0     0     0

 errors: No known data errors

   ************************************************************ (Partition)
   *********._*** ZFS
   **************************************************************************************************
   Bootcode
   ********************************************************************************************************************._***
   FreeBSD
   ************************************************************._******************************************************
   **********************************************************************************************************************************************************************************************************._

   *************************** RAID-Z2 ***********

 # zpool create mypool raidz2 /dev/ada0p3 /dev/ada1p3 /dev/ada2p3 /dev/ada3p3 /dev/ada4p3 /dev/ada5p3
 # zpool status
   pool: mypool
  state: ONLINE
   scan: none requested
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           raidz2-0  ONLINE       0     0     0
             ada0p3  ONLINE       0     0     0
             ada1p3  ONLINE       0     0     0
             ada2p3  ONLINE       0     0     0
             ada3p3  ONLINE       0     0     0
             ada4p3  ONLINE       0     0     0
             ada5p3  ONLINE       0     0     0

 errors: No known data errors

   ********************************************************************._***************************************************************._*****************************************************************************._******************************
   -f
   *****************************************************************************************************************._

  19.3.2. *********************

   ************************ (zpool) ************************** zpool attach
   ****************************** vdev*********** zpool add ****** vdev
   ************._************ vdev ****** ********* vdev
   ************************._

   ************************************************ (Redundancy)
   *******************************************************************************************._*********
   (Copies) **************************************************************
   (Bad sector)***************************** RAID-Z
   *********************._************************************************
   zpool attach *************************** vdev*****************._zpool
   attach
   ********************************************************************************._**********************************************************************************************
   gpart backup *** gpart restore ******************************._

   ****** ada1p3 *************************** (stripe) vdev ada0p3
   ****************** (mirror)**

 # zpool status
   pool: mypool
  state: ONLINE
   scan: none requested
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           ada0p3    ONLINE       0     0     0

 errors: No known data errors
 # zpool attach mypool ada0p3 ada1p3
 Make sure to wait until resilver is done before rebooting.

 If you boot from pool 'mypool', you may need to update
 boot code on newly attached disk 'ada1p3'.

 Assuming you use GPT partitioning and 'da0' is your new boot disk
 you may use the following command:

         gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 da0
 # gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada1
 bootcode written to ada1
 # zpool status
   pool: mypool
  state: ONLINE
 status: One or more devices is currently being resilvered.  The pool will
         continue to function, possibly in a degraded state.
 action: Wait for the resilver to complete.
   scan: resilver in progress since Fri May 30 08:19:19 2014
         527M scanned out of 781M at 47.9M/s, 0h0m to go
         527M resilvered, 67.53% done
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada0p3  ONLINE       0     0     0
             ada1p3  ONLINE       0     0     0  (resilvering)

 errors: No known data errors
 # zpool status
   pool: mypool
  state: ONLINE
   scan: resilvered 781M in 0h0m with 0 errors on Fri May 30 08:15:58 2014
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada0p3  ONLINE       0     0     0
             ada1p3  ONLINE       0     0     0

 errors: No known data errors

   *************************************** vdev ***** RAID-Z
   ******************************************************* vdev
   ************._********* vdev
   ************************************************** vdev **************
   vdev ************************._****************************** vdev
   ******************************************* mirror ***
   RAID-Z************************** vdev *************** mirror *** RAID-Z
   vdev
   *******************************************************************************************************************************************************************************************._

   ********* vdev ******************************************* mirror
   vdev******** RAID 10 *************** mirror
   ******************************************************* vdev
   ************************ 100% *********._*** vdev
   **************************************************************************************************************
   vdev._

   **************************************************************************
   Bootcode._

   *************** mirror ****** (ada2p3 *** ada3p3) ************ mirror**

 # zpool status
   pool: mypool
  state: ONLINE
   scan: resilvered 781M in 0h0m with 0 errors on Fri May 30 08:19:35 2014
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada0p3  ONLINE       0     0     0
             ada1p3  ONLINE       0     0     0

 errors: No known data errors
 # zpool add mypool mirror ada2p3 ada3p3
 # gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada2
 bootcode written to ada2
 # gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada3
 bootcode written to ada3
 # zpool status
   pool: mypool
  state: ONLINE
   scan: scrub repaired 0 in 0h0m with 0 errors on Fri May 30 08:29:51 2014
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada0p3  ONLINE       0     0     0
             ada1p3  ONLINE       0     0     0
           mirror-1  ONLINE       0     0     0
             ada2p3  ONLINE       0     0     0
             ada3p3  ONLINE       0     0     0

 errors: No known data errors

   ************************************
   vdev*********************************************************** mirror
   ************** mirror ******************************************** mirror
   ***************
   stripe****************************************************************._

   *************** mirror **************************

 # zpool status
   pool: mypool
  state: ONLINE
   scan: scrub repaired 0 in 0h0m with 0 errors on Fri May 30 08:29:51 2014
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada0p3  ONLINE       0     0     0
             ada1p3  ONLINE       0     0     0
             ada2p3  ONLINE       0     0     0

 errors: No known data errors
 # zpool detach mypool ada2p3
 # zpool status
   pool: mypool
  state: ONLINE
   scan: scrub repaired 0 in 0h0m with 0 errors on Fri May 30 08:29:51 2014
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada0p3  ONLINE       0     0     0
             ada1p3  ONLINE       0     0     0

 errors: No known data errors

  19.3.3. *********************

   ********************************************************************,_******************
   (Checksum) *****************************************._status
   ************************************************************************************._******************************************
   (Scrub) *********************************._

 # zpool status
   pool: mypool
  state: ONLINE
   scan: scrub repaired 0 in 2h25m with 0 errors on Sat Sep 14 04:25:50 2013
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           raidz2-0  ONLINE       0     0     0
             ada0p3  ONLINE       0     0     0
             ada1p3  ONLINE       0     0     0
             ada2p3  ONLINE       0     0     0
             ada3p3  ONLINE       0     0     0
             ada4p3  ONLINE       0     0     0
             ada5p3  ONLINE       0     0     0

 errors: No known data errors

  19.3.4. ************

   ********************************,_****************** (Checksum)
   *********************._****** zpool clear mypool
   ***************************************._***************************************************************
   Script
   **************************************************************************************************._

  19.3.5. ************************

   ************************************************************************************************************************************************************************************************
   (Degraded) *****************************************._zpool replace
   ***********************************************************************************
   vdev
   ************._**********************************************************************************************
   ***************._

   *****************************************

 # zpool status
   pool: mypool
  state: ONLINE
   scan: none requested
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada0p3  ONLINE       0     0     0
             ada1p3  ONLINE       0     0     0

 errors: No known data errors
 # zpool replace mypool ada1p3 ada2p3
 Make sure to wait until resilver is done before rebooting.

 If you boot from pool 'zroot', you may need to update
 boot code on newly attached disk 'ada2p3'.

 Assuming you use GPT partitioning and 'da0' is your new boot disk
 you may use the following command:

         gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 da0
 # gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada2
 # zpool status
   pool: mypool
  state: ONLINE
 status: One or more devices is currently being resilvered.  The pool will
         continue to function, possibly in a degraded state.
 action: Wait for the resilver to complete.
   scan: resilver in progress since Mon Jun  2 14:21:35 2014
         604M scanned out of 781M at 46.5M/s, 0h0m to go
         604M resilvered, 77.39% done
 config:

         NAME             STATE     READ WRITE CKSUM
         mypool           ONLINE       0     0     0
           mirror-0       ONLINE       0     0     0
             ada0p3       ONLINE       0     0     0
             replacing-1  ONLINE       0     0     0
               ada1p3     ONLINE       0     0     0
               ada2p3     ONLINE       0     0     0  (resilvering)

 errors: No known data errors
 # zpool status
   pool: mypool
  state: ONLINE
   scan: resilvered 781M in 0h0m with 0 errors on Mon Jun  2 14:21:52 2014
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada0p3  ONLINE       0     0     0
             ada2p3  ONLINE       0     0     0

 errors: No known data errors

  19.3.6. ******************

   ******************************************************** vdev
   ****************** (Degraded)
   ************************************************************************************************************************************._******
   vdev ************************************************************._******
   ZFS ****************** (Resilver************************** Resilver)
   **************************************************************************************************._*********
   vdev ************************ (Online) *********._

   *** vdev
   **********************************************************************************************************************
   (Faulted) *********._

   ********************************************************************
   GUID******************************************************* zpool replace
   *********************************._

   ****** zpool replace ***********************

 # zpool status
   pool: mypool
  state: DEGRADED
 status: One or more devices could not be opened.  Sufficient replicas exist for
         the pool to continue functioning in a degraded state.
 action: Attach the missing device and online it using 'zpool online'.
    see: http://illumos.org/msg/ZFS-8000-2Q
   scan: none requested
 config:

         NAME                    STATE     READ WRITE CKSUM
         mypool                  DEGRADED     0     0     0
           mirror-0              DEGRADED     0     0     0
             ada0p3              ONLINE       0     0     0
             316502962686821739  UNAVAIL      0     0     0  was /dev/ada1p3

 errors: No known data errors
 # zpool replace mypool 316502962686821739 ada2p3
 # zpool status
   pool: mypool
  state: DEGRADED
 status: One or more devices is currently being resilvered.  The pool will
         continue to function, possibly in a degraded state.
 action: Wait for the resilver to complete.
   scan: resilver in progress since Mon Jun  2 14:52:21 2014
         641M scanned out of 781M at 49.3M/s, 0h0m to go
         640M resilvered, 82.04% done
 config:

         NAME                        STATE     READ WRITE CKSUM
         mypool                      DEGRADED     0     0     0
           mirror-0                  DEGRADED     0     0     0
             ada0p3                  ONLINE       0     0     0
             replacing-1             UNAVAIL      0     0     0
               15732067398082357289  UNAVAIL      0     0     0  was /dev/ada1p3/old
               ada2p3                ONLINE       0     0     0  (resilvering)

 errors: No known data errors
 # zpool status
   pool: mypool
  state: ONLINE
   scan: resilvered 781M in 0h0m with 0 errors on Mon Jun  2 14:52:38 2014
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada0p3  ONLINE       0     0     0
             ada2p3  ONLINE       0     0     0

 errors: No known data errors

  19.3.7. ***************

   ******************************
   (Scrub)***********************************._ scrub
   **************************************************************************._*********
   scrub ******************************************** vfs.zfs.scrub_delay
   ********* scrub ************************************************._

 # zpool scrub mypool
 # zpool status
   pool: mypool
  state: ONLINE
   scan: scrub in progress since Wed Feb 19 20:52:54 2014
         116G scanned out of 8.60T at 649M/s, 3h48m to go
         0 repaired, 1.32% done
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           raidz2-0  ONLINE       0     0     0
             ada0p3  ONLINE       0     0     0
             ada1p3  ONLINE       0     0     0
             ada2p3  ONLINE       0     0     0
             ada3p3  ONLINE       0     0     0
             ada4p3  ONLINE       0     0     0
             ada5p3  ONLINE       0     0     0

 errors: No known data errors

   ************************************************** zpool scrub -s mypool._

  19.3.8. ************

   ********* (Checksum)
   *****************************************************************************._******************************************************************************************._**************************************
   (Mirror)************************************************************************************************************************************************._*********************************************************************
   fsck(8)*************************************************************************************************._***
   ZFS
   *************************************************************************************************************************************._*********************************************************************************************._

   ******************************************************._************************
   /dev/ada0 *** /dev/ada1 *********************._

 # zpool create healer mirror /dev/ada0 /dev/ada1
 # zpool status healer
   pool: healer
  state: ONLINE
   scan: none requested
 config:

     NAME        STATE     READ WRITE CKSUM
     healer      ONLINE       0     0     0
       mirror-0  ONLINE       0     0     0
        ada0     ONLINE       0     0     0
        ada1     ONLINE       0     0     0

 errors: No known data errors
 # zpool list
 NAME     SIZE  ALLOC   FREE   CKPOINT  EXPANDSZ   FRAG   CAP  DEDUP  HEALTH  ALTROOT
 healer   960M  92.5K   960M         -         -     0%    0%  1.00x  ONLINE  -

   **************************************************************************************************************************************************._

 # cp /some/important/data /healer
 # zfs list
 NAME     SIZE  ALLOC   FREE    CAP  DEDUP  HEALTH  ALTROOT
 healer   960M  67.7M   892M     7%  1.00x  ONLINE  -
 # sha1 /healer > checksum.txt
 # cat checksum.txt
 SHA1 (/healer) = 2753eff56d77d9a536ece6694bf0a82740344d1f

   ******************************************************************************._*********
   ZFS
   ****************************************************************************************************._

  ******:

   *****************************************************._***********************************************************************************************************************************************************************************************************************************************************************************************************

 # zpool export healer
 # dd if=/dev/random of=/dev/ada1 bs=1m count=200
 200+0 records in
 200+0 records out
 209715200 bytes transferred in 62.992162 secs (3329227 bytes/sec)
 # zpool import healer

   ******************************************************._**********************************************************************************ZFS
   ****** ada0 ***************************************._************ CKSUM
   ******************************************************._

 # zpool status healer
     pool: healer
    state: ONLINE
   status: One or more devices has experienced an unrecoverable error.  An
           attempt was made to correct the error.  Applications are unaffected.
   action: Determine if the device needs to be replaced, and clear the errors
           using 'zpool clear' or replace the device with 'zpool replace'.
      see: http://illumos.org/msg/ZFS-8000-4J
     scan: none requested
   config:

       NAME        STATE     READ WRITE CKSUM
       healer      ONLINE       0     0     0
         mirror-0  ONLINE       0     0     0
          ada0     ONLINE       0     0     0
          ada1     ONLINE       0     0     1

 errors: No known data errors

   ************************************************ ada0
   ************************************._************************************************************************._

 # sha1 /healer >> checksum.txt
 # cat checksum.txt
 SHA1 (/healer) = 2753eff56d77d9a536ece6694bf0a82740344d1f
 SHA1 (/healer) = 2753eff56d77d9a536ece6694bf0a82740344d1f

   ***************************************************************************
   ZFS
   *********************************************************._**********************************************************************************************************************************._*********************
   ZFS *****************************************************._*********
   fsck(8)
   ***********************************************************************************************************************************._***************************************
   ada1 ******************._

 # zpool scrub healer
 # zpool status healer
   pool: healer
  state: ONLINE
 status: One or more devices has experienced an unrecoverable error.  An
             attempt was made to correct the error.  Applications are unaffected.
 action: Determine if the device needs to be replaced, and clear the errors
             using 'zpool clear' or replace the device with 'zpool replace'.
    see: http://illumos.org/msg/ZFS-8000-4J
   scan: scrub in progress since Mon Dec 10 12:23:30 2012
         10.4M scanned out of 67.0M at 267K/s, 0h3m to go
         9.63M repaired, 15.56% done
 config:

     NAME        STATE     READ WRITE CKSUM
     healer      ONLINE       0     0     0
       mirror-0  ONLINE       0     0     0
        ada0     ONLINE       0     0     0
        ada1     ONLINE       0     0   627  (repairing)

 errors: No known data errors

   ****************** ada0 ************************************ ada1
   ******************************._********************* zpool status
   *************************** (repairing)
   ******************._*******************************************************

 # zpool status healer
   pool: healer
  state: ONLINE
 status: One or more devices has experienced an unrecoverable error.  An
         attempt was made to correct the error.  Applications are unaffected.
 action: Determine if the device needs to be replaced, and clear the errors
              using 'zpool clear' or replace the device with 'zpool replace'.
    see: http://illumos.org/msg/ZFS-8000-4J
   scan: scrub repaired 66.5M in 0h2m with 0 errors on Mon Dec 10 12:26:25 2012
 config:

     NAME        STATE     READ WRITE CKSUM
     healer      ONLINE       0     0     0
       mirror-0  ONLINE       0     0     0
        ada0     ONLINE       0     0     0
        ada1     ONLINE       0     0 2.72K

 errors: No known data errors

   ****************************** ada0 *** ada1 ******************._******
   zpool clear ************ (Clear) ******************************._

 # zpool clear healer
 # zpool status healer
   pool: healer
  state: ONLINE
   scan: scrub repaired 66.5M in 0h2m with 0 errors on Mon Dec 10 12:26:25 2012
 config:

     NAME        STATE     READ WRITE CKSUM
     healer      ONLINE       0     0     0
       mirror-0  ONLINE       0     0     0
        ada0     ONLINE       0     0     0
        ada1     ONLINE       0     0     0

 errors: No known data errors

   *********************************************************************._

  19.3.9. ***************

   ********************************************* vdev
   ******************************._********************************************************
   (Replace) ********* (Resilver)
   **************************************************************._********************
   1 TB ****************** 2 TB ***************************************** 1
   TB***** 1 TB ****************************** 2 TB
   *******************************************************************************************************
   2 TB ***************************************************** 2 TB._

   ************************ zpool online -e
   *******************************************************************************************._

  19.3.10. ************************

   ******************************************************
   (Export)***********************************************************************************************************************************************._***************************************
   ZFS ***************,_***************************
   (Import)******************************** (********************************
   zpool(8))._******************************************** zpool export -f
   ************************************************************************************************************************************************************************************._

   *****************************

 # zpool export mypool

   ****************************************************************************
   zpool import -N._zpool import -o
   *********************************************._zpool import altroot=
   ************************************ (Base mount point)
   ******************************._********************************************************************************
   zpool import -f ***************._zpool import -a
   ******************************************************._

   **************************************

 # zpool import
    pool: mypool
      id: 9930174748043525076
   state: ONLINE
  action: The pool can be imported using its name or numeric identifier.
  config:

         mypool      ONLINE
           ada2p3    ONLINE

   *****************************************

 # zpool import -o altroot=/mnt mypool
 # zfs list
 zfs list
 NAME                 USED  AVAIL  REFER  MOUNTPOINT
 mypool               110K  47.0G    31K  /mnt/mypool

  19.3.11. *********************

   ********* FreeBSD ****************************************** ZFS
   ************************************************************** ZFS
   *********************._******************************************************************************************************************************************************************************._

   ************ v28 ****************************** (Feature Flags)**

 # zpool status
   pool: mypool
  state: ONLINE
 status: The pool is formatted using a legacy on-disk format.  The pool can
         still be used, but some features are unavailable.
 action: Upgrade the pool using 'zpool upgrade'.  Once this is done, the
         pool will no longer be accessible on software that does not support feat
         flags.
   scan: none requested
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada0    ONLINE       0     0     0
             ada1    ONLINE       0     0     0

 errors: No known data errors
 # zpool upgrade
 This system supports ZFS pool feature flags.

 The following pools are formatted with legacy version numbers and can
 be upgraded to use feature flags.  After being upgraded, these pools
 will no longer be accessible by software that does not support feature
 flags.

 VER  POOL
 ---  ------------
 28   mypool

 Use 'zpool upgrade -v' for a list of available legacy versions.
 Every feature flags pool has all supported features enabled.
 # zpool upgrade mypool
 This system supports ZFS pool feature flags.

 Successfully upgraded 'mypool' from version 28 to feature flags.
 Enabled the following features on 'mypool':
   async_destroy
   empty_bpobj
   lz4_compress
   multi_vdev_crash_dump

   ZFS *************** zpool upgrade
   ******************************._********* zpool upgrade -v
   ********************************************************************************._

   ****************************************** (Feature flags)**

 # zpool status
   pool: mypool
  state: ONLINE
 status: Some supported features are not enabled on the pool. The pool can
         still be used, but some features are unavailable.
 action: Enable all features using 'zpool upgrade'. Once this is done,
         the pool may no longer be accessible by software that does not support
         the features. See zpool-features(7) for details.
   scan: none requested
 config:

         NAME        STATE     READ WRITE CKSUM
         mypool      ONLINE       0     0     0
           mirror-0  ONLINE       0     0     0
             ada0    ONLINE       0     0     0
             ada1    ONLINE       0     0     0

 errors: No known data errors
 # zpool upgrade
 This system supports ZFS pool feature flags.

 All pools are formatted using feature flags.


 Some supported features are not enabled on the following pools. Once a
 feature is enabled the pool may become incompatible with software
 that does not support the feature. See zpool-features(7) for details.

 POOL  FEATURE
 ---------------
 zstore
       multi_vdev_crash_dump
       spacemap_histogram
       enabled_txg
       hole_birth
       extensible_dataset
       bookmarks
       filesystem_limits
 # zpool upgrade mypool
 This system supports ZFS pool feature flags.

 Enabled the following features on 'mypool':
   spacemap_histogram
   enabled_txg
   hole_birth
   extensible_dataset
   bookmarks
   filesystem_limits

  ******:

   ****************************************** Boot code
   ***************************************************************** Boot
   code ****************** gpart bootcode *********._*************** Boot
   code **********************************************GPT
   (******************) ****** EFI (***************)._

   ****************** GPT *******************************************

 # gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada1

   ************ EFI *****************************************

 # gpart bootcode -p /boot/boot1.efifat -i 1 ada1

   ****** Boot code ***************************************._*********
   gpart(8) *********************._

  19.3.12. ***************************************

   *******************************************************************************************************************._******************************************************,_************,_*********************._************************************
   (Log
   file)**************************._******************************************
   zpool history**

 # zpool history
 History for 'tank':
 2013-02-26.23:02:35 zpool create tank mirror /dev/ada0 /dev/ada1
 2013-02-27.18:50:58 zfs set atime=off tank
 2013-02-27.18:51:09 zfs set checksum=fletcher4 tank
 2013-02-27.18:51:18 zfs create tank/backup

   ************************************************ zpool *** zfs
   ************************._********************************************************************
   zfs list
   ******************************._***********************************************************************._

   *************** -i *** -l *** zpool history
   ***************************._-i
   ***************************************************************** ZFS
   ******._

 # zpool history -i
 History for 'tank':
 2013-02-26.23:02:35 [internal pool create txg:5] pool spa 28; zfs spa 28; zpl 5;uts  9.1-RELEASE 901000 amd64
 2013-02-27.18:50:53 [internal property set txg:50] atime=0 dataset = 21
 2013-02-27.18:50:58 zfs set atime=off tank
 2013-02-27.18:51:04 [internal property set txg:53] checksum=7 dataset = 21
 2013-02-27.18:51:09 zfs set checksum=fletcher4 tank
 2013-02-27.18:51:13 [internal create txg:55] dataset = 39
 2013-02-27.18:51:18 zfs create tank/backup

   ****************************** -l
   ****************************************************************************************************,_*********************************._

 # zpool history -l
 History for 'tank':
 2013-02-26.23:02:35 zpool create tank mirror /dev/ada0 /dev/ada1 [user 0 (root) on :global]
 2013-02-27.18:50:58 zfs set atime=off tank [user 0 (root) on myzfsbox:global]
 2013-02-27.18:51:09 zfs set checksum=fletcher4 tank [user 0 (root) on myzfsbox:global]
 2013-02-27.18:51:18 zfs create tank/backup [user 0 (root) on myzfsbox:global]

   ****************** root *************** /dev/ada0 *** /dev/ada1
   ************************._************ myzfsbox
   ******************************************._*************************************************************************************************************************************************************************************************._

   ****** zpool history
   ******************************************************************._*********************************************************************************************************************._

  19.3.13. ************

   *************************************************** I/O
   ************._****************************************************************************************************************
   I/O
   ***************._***********************************************************************************************************************************._**************************

 # zpool iostat
                capacity     operations    bandwidth
 pool        alloc   free   read  write   read  write
 ----------  -----  -----  -----  -----  -----  -----
 data         288G  1.53T      2     11  11.3K  57.1K

   *************** I/O
   ***********************************************************************************************************._**************************************************************************
   Ctrl+C
   ******************._********************************************************************************************************._

   ****** -v ************************ I/O
   ************._************************************************************._**************************************************************************************************************************************************._********************************************************

 # zpool iostat -v
                             capacity     operations    bandwidth
 pool                     alloc   free   read  write   read  write
 -----------------------  -----  -----  -----  -----  -----  -----
 data                      288G  1.53T      2     12  9.23K  61.5K
   mirror                  288G  1.53T      2     12  9.23K  61.5K
     ada1                     -      -      0      4  5.61K  61.7K
     ada2                     -      -      1      4  5.04K  61.7K
 -----------------------  -----  -----  -----  -----  -----  -----

  19.3.14. *********************

   ************************ vdev
   ******************************************************._***********************************************************************************************************************************._******************************************
   -n*******************************************************************************************************************._

19.4. zfs ******

   zfs ******************,_********************************************* ZFS
   *********._*************** zpool *********._

  19.4.1. ************************

   ************************************************ (Volume manager) *****
   ZFS
   *********************************._***********************************************************************************************************************._***
   ZFS******************************************************* (Dataset)
   *********************************** (Compression),_*********
   (Deduplication),_****** (Caching) ********* (Quota)
   ****************************************** (Readonly),_***************
   (Case sensitivity),_****************** (Network file sharing)
   *************** (Mount
   point)._********************************************************************************************._***************************************************,_******
   (Delegate),_****** (Replicate),_****** (Snapshot),_****** (Jail) *********
   (Destroy)**************************************************************************************._*****************************************************************************
   zfs list
   *****************************************************************************
   FreeBSD *********************._

   ********************************* LZ4 ********

 # zfs list
 NAME                  USED  AVAIL  REFER  MOUNTPOINT
 mypool                781M  93.2G   144K  none
 mypool/ROOT           777M  93.2G   144K  none
 mypool/ROOT/default   777M  93.2G   777M  /
 mypool/tmp            176K  93.2G   176K  /tmp
 mypool/usr            616K  93.2G   144K  /usr
 mypool/usr/home       184K  93.2G   184K  /usr/home
 mypool/usr/ports      144K  93.2G   144K  /usr/ports
 mypool/usr/src        144K  93.2G   144K  /usr/src
 mypool/var           1.20M  93.2G   608K  /var
 mypool/var/crash      148K  93.2G   148K  /var/crash
 mypool/var/log        178K  93.2G   178K  /var/log
 mypool/var/mail       144K  93.2G   144K  /var/mail
 mypool/var/tmp        152K  93.2G   152K  /var/tmp
 # zfs create -o compress=lz4 mypool/usr/mydataset
 # zfs list
 NAME                   USED  AVAIL  REFER  MOUNTPOINT
 mypool                 781M  93.2G   144K  none
 mypool/ROOT            777M  93.2G   144K  none
 mypool/ROOT/default    777M  93.2G   777M  /
 mypool/tmp             176K  93.2G   176K  /tmp
 mypool/usr             704K  93.2G   144K  /usr
 mypool/usr/home        184K  93.2G   184K  /usr/home
 mypool/usr/mydataset  87.5K  93.2G  87.5K  /usr/mydataset
 mypool/usr/ports       144K  93.2G   144K  /usr/ports
 mypool/usr/src         144K  93.2G   144K  /usr/src
 mypool/var            1.20M  93.2G   610K  /var
 mypool/var/crash       148K  93.2G   148K  /var/crash
 mypool/var/log         178K  93.2G   178K  /var/log
 mypool/var/mail        144K  93.2G   144K  /var/mail
 mypool/var/tmp         152K  93.2G   152K  /var/tmp

   *****************************************************************************************************************************************************
   Metadata._

   ********************************

 # zfs list
 NAME                   USED  AVAIL  REFER  MOUNTPOINT
 mypool                 880M  93.1G   144K  none
 mypool/ROOT            777M  93.1G   144K  none
 mypool/ROOT/default    777M  93.1G   777M  /
 mypool/tmp             176K  93.1G   176K  /tmp
 mypool/usr             101M  93.1G   144K  /usr
 mypool/usr/home        184K  93.1G   184K  /usr/home
 mypool/usr/mydataset   100M  93.1G   100M  /usr/mydataset
 mypool/usr/ports       144K  93.1G   144K  /usr/ports
 mypool/usr/src         144K  93.1G   144K  /usr/src
 mypool/var            1.20M  93.1G   610K  /var
 mypool/var/crash       148K  93.1G   148K  /var/crash
 mypool/var/log         178K  93.1G   178K  /var/log
 mypool/var/mail        144K  93.1G   144K  /var/mail
 mypool/var/tmp         152K  93.1G   152K  /var/tmp
 # zfs destroy mypool/usr/mydataset
 # zfs list
 NAME                  USED  AVAIL  REFER  MOUNTPOINT
 mypool                781M  93.2G   144K  none
 mypool/ROOT           777M  93.2G   144K  none
 mypool/ROOT/default   777M  93.2G   777M  /
 mypool/tmp            176K  93.2G   176K  /tmp
 mypool/usr            616K  93.2G   144K  /usr
 mypool/usr/home       184K  93.2G   184K  /usr/home
 mypool/usr/ports      144K  93.2G   144K  /usr/ports
 mypool/usr/src        144K  93.2G   144K  /usr/src
 mypool/var           1.21M  93.2G   612K  /var
 mypool/var/crash      148K  93.2G   148K  /var/crash
 mypool/var/log        178K  93.2G   178K  /var/log
 mypool/var/mail       144K  93.2G   144K  /var/mail
 mypool/var/tmp        152K  93.2G   152K  /var/tmp

   ****************** ZFS**zfs destroy
   ****************************************************************************************************
   zpool get freeing poolname ********* freeing
   ********************************************************************************._*****************************
   (Snapshot)
   **************************************************************._***********************************************************
   -r *********************************************************** -n -v
   ****************************************************************************************************************************************._

  19.4.2. ************************

   ********* (Volume)
   ****************************************************************************************************************
   /dev/zvol/poolname/dataset
   ***._*********************************************,_*********************************************
   iSCSI *** HAST ******************._

   ***********************************************************************************************._*************************************************************************************************
   zvols
   *****************************************************************._***********************************
   250 MB ************************************ FAT ************._

 # zfs create -V 250m -o compression=on tank/fat32
 # zfs list tank
 NAME USED AVAIL REFER MOUNTPOINT
 tank 258M  670M   31K /tank
 # newfs_msdos -F32 /dev/zvol/tank/fat32
 # mount -t msdosfs /dev/zvol/tank/fat32 /mnt
 # df -h /mnt | grep fat32
 Filesystem           Size Used Avail Capacity Mounted on
 /dev/zvol/tank/fat32 249M  24k  249M     0%   /mnt
 # mount | grep fat32
 /dev/zvol/tank/fat32 on /mnt (msdosfs, local)

   ***************************************************************************._***********************************************************************************************._

  19.4.3. *********************

   ****************************** zfs rename
   ******._************************************************************._************************************************************************************************._***********************************************************************
   (*********************************)*********** -u *********************._

   **************************************************************************

 # zfs list
 NAME                   USED  AVAIL  REFER  MOUNTPOINT
 mypool                 780M  93.2G   144K  none
 mypool/ROOT            777M  93.2G   144K  none
 mypool/ROOT/default    777M  93.2G   777M  /
 mypool/tmp             176K  93.2G   176K  /tmp
 mypool/usr             704K  93.2G   144K  /usr
 mypool/usr/home        184K  93.2G   184K  /usr/home
 mypool/usr/mydataset  87.5K  93.2G  87.5K  /usr/mydataset
 mypool/usr/ports       144K  93.2G   144K  /usr/ports
 mypool/usr/src         144K  93.2G   144K  /usr/src
 mypool/var            1.21M  93.2G   614K  /var
 mypool/var/crash       148K  93.2G   148K  /var/crash
 mypool/var/log         178K  93.2G   178K  /var/log
 mypool/var/mail        144K  93.2G   144K  /var/mail
 mypool/var/tmp         152K  93.2G   152K  /var/tmp
 # zfs rename mypool/usr/mydataset mypool/var/newname
 # zfs list
 NAME                  USED  AVAIL  REFER  MOUNTPOINT
 mypool                780M  93.2G   144K  none
 mypool/ROOT           777M  93.2G   144K  none
 mypool/ROOT/default   777M  93.2G   777M  /
 mypool/tmp            176K  93.2G   176K  /tmp
 mypool/usr            616K  93.2G   144K  /usr
 mypool/usr/home       184K  93.2G   184K  /usr/home
 mypool/usr/ports      144K  93.2G   144K  /usr/ports
 mypool/usr/src        144K  93.2G   144K  /usr/src
 mypool/var           1.29M  93.2G   614K  /var
 mypool/var/crash      148K  93.2G   148K  /var/crash
 mypool/var/log        178K  93.2G   178K  /var/log
 mypool/var/mail       144K  93.2G   144K  /var/mail
 mypool/var/newname   87.5K  93.2G  87.5K  /var/newname
 mypool/var/tmp        152K  93.2G   152K  /var/tmp

   **************************************************************************************************************._************************************
   -r**************************************************************************._

 # zfs list -t snapshot
 NAME                                USED  AVAIL  REFER  MOUNTPOINT
 mypool/var/newname@first_snapshot      0      -  87.5K  -
 # zfs rename mypool/var/newname@first_snapshot new_snapshot_name
 # zfs list -t snapshot
 NAME                                   USED  AVAIL  REFER  MOUNTPOINT
 mypool/var/newname@new_snapshot_name      0      -  87.5K  -

  19.4.4. *********************

   ****** ZFS
   ***************************************************._*****************************************************************************._************************************
   zfs set property=value dataset._**************************************zfs
   get
   ******************************************************._*********************
   zfs inherit ************************._

   ************************************._*****************************************************************************************************************._************************
   ZFS ******************************** (:)
   ***************************************************._

 # zfs set custom:costcenter=1234 tank
 # zfs get custom:costcenter tank
 NAME PROPERTY           VALUE SOURCE
 tank custom:costcenter  1234  local

   ***************************** zfs inherit ******
   -r._**************************************************************************
   (***************************************************)._

 # zfs inherit -r custom:costcenter tank
 # zfs get custom:costcenter tank
 NAME    PROPERTY           VALUE              SOURCE
 tank    custom:costcenter  -                  -
 # zfs get all tank | grep custom:costcenter
 #

    19.4.4.1. ***************************

   Two commonly used and useful dataset properties are the NFS and SMB share
   options. Setting these define if and how ZFS datasets may be shared on the
   network. At present, only setting sharing via NFS is supported on FreeBSD.
   To get the current status of a share, enter:

 # zfs get sharenfs mypool/usr/home
 NAME             PROPERTY  VALUE    SOURCE
 mypool/usr/home  sharenfs  on       local
 # zfs get sharesmb mypool/usr/home
 NAME             PROPERTY  VALUE    SOURCE
 mypool/usr/home  sharesmb  off      local

   To enable sharing of a dataset, enter:

 #  zfs set sharenfs=on mypool/usr/home

   It is also possible to set additional options for sharing datasets through
   NFS, such as -alldirs, -maproot and -network. To set additional options to
   a dataset shared through NFS, enter:

 #  zfs set sharenfs="-alldirs,-maproot=root,-network=192.168.1.0/24" mypool/usr/home

  19.4.5. ************ (Snapshot)

   ****** (Snapshot) *** ZFS
   ************************._******************************,_***************
   (Point-in-Time) ***************************************** (Copy-On-Write,
   COW)
   *****************************************************************************._*************************************************************************************._********************************************************************************************._**************************************************************************._**********************************************************************************************************,_******,_******,_************._**************************************************************************************************************._******
   -r
   ***********************************************************************************************************
   (Moment-in-time)
   ***********************************************************************************************************************************._******************************************************************._

   ZFS
   *****************************************************************************************._******************************************************************************************************************************************************************************************************************
   (Roll back)
   **********************************************************************************************._***********************************************************************
   (Restore)
   ***********************************,_************************************************************._****************************************************************************************************************._***************************
   TB
   ******************************************************._*****************************************************************************************************************************._

    19.4.5.1. ************

   ****************** zfs snapshot dataset@snapshotname *********._****** -r
   ******************************************************._

   ********************************************

 # zfs list -t all
 NAME                                   USED  AVAIL  REFER  MOUNTPOINT
 mypool                                 780M  93.2G   144K  none
 mypool/ROOT                            777M  93.2G   144K  none
 mypool/ROOT/default                    777M  93.2G   777M  /
 mypool/tmp                             176K  93.2G   176K  /tmp
 mypool/usr                             616K  93.2G   144K  /usr
 mypool/usr/home                        184K  93.2G   184K  /usr/home
 mypool/usr/ports                       144K  93.2G   144K  /usr/ports
 mypool/usr/src                         144K  93.2G   144K  /usr/src
 mypool/var                            1.29M  93.2G   616K  /var
 mypool/var/crash                       148K  93.2G   148K  /var/crash
 mypool/var/log                         178K  93.2G   178K  /var/log
 mypool/var/mail                        144K  93.2G   144K  /var/mail
 mypool/var/newname                    87.5K  93.2G  87.5K  /var/newname
 mypool/var/newname@new_snapshot_name      0      -  87.5K  -
 mypool/var/tmp                         152K  93.2G   152K  /var/tmp
 # zfs snapshot -r mypool@my_recursive_snapshot
 # zfs list -t snapshot
 NAME                                        USED  AVAIL  REFER  MOUNTPOINT
 mypool@my_recursive_snapshot                   0      -   144K  -
 mypool/ROOT@my_recursive_snapshot              0      -   144K  -
 mypool/ROOT/default@my_recursive_snapshot      0      -   777M  -
 mypool/tmp@my_recursive_snapshot               0      -   176K  -
 mypool/usr@my_recursive_snapshot               0      -   144K  -
 mypool/usr/home@my_recursive_snapshot          0      -   184K  -
 mypool/usr/ports@my_recursive_snapshot         0      -   144K  -
 mypool/usr/src@my_recursive_snapshot           0      -   144K  -
 mypool/var@my_recursive_snapshot               0      -   616K  -
 mypool/var/crash@my_recursive_snapshot         0      -   148K  -
 mypool/var/log@my_recursive_snapshot           0      -   178K  -
 mypool/var/mail@my_recursive_snapshot          0      -   144K  -
 mypool/var/newname@new_snapshot_name           0      -  87.5K  -
 mypool/var/newname@my_recursive_snapshot       0      -  87.5K  -
 mypool/var/tmp@my_recursive_snapshot           0      -   152K  -

   *************************************** zfs list
   *********************************** zfs list ********* -t snapshot********
   -t all ************************************************._

   *********************************** MOUNTPOINT
   ***************************._*** AVAIL
   ********************************************************************************._***********************************************

 # zfs list -rt all mypool/usr/home
 NAME                                    USED  AVAIL  REFER  MOUNTPOINT
 mypool/usr/home                         184K  93.2G   184K  /usr/home
 mypool/usr/home@my_recursive_snapshot      0      -   184K  -

   ************************************************************ COW
   ***************._*************************** (******)
   **************************************************************************************************************************************************************************************************************************************

 # cp /etc/passwd /var/tmp
 # zfs snapshot mypool/var/tmp@after_cp
 # zfs list -rt all mypool/var/tmp
 NAME                                   USED  AVAIL  REFER  MOUNTPOINT
 mypool/var/tmp                         206K  93.2G   118K  /var/tmp
 mypool/var/tmp@my_recursive_snapshot    88K      -   152K  -
 mypool/var/tmp@after_cp                   0      -   118K  -

   **************************************************************************************************************._***************************
   mypool/var/tmp@my_recursive_snapshot *** USED
   **************************************************************************************************._

    19.4.5.2. ************

   ZFS *************************************************** (Snapshot)
   **************************************************************************************************._******
   zfs diff
   *********************************************************************._*****************************************************************************

 # zfs list -rt all mypool/var/tmp
 NAME                                   USED  AVAIL  REFER  MOUNTPOINT
 mypool/var/tmp                         206K  93.2G   118K  /var/tmp
 mypool/var/tmp@my_recursive_snapshot    88K      -   152K  -
 mypool/var/tmp@after_cp                   0      -   118K  -
 # zfs diff mypool/var/tmp@my_recursive_snapshot
 M       /var/tmp/
 +       /var/tmp/passwd

   *************************** (*********************
   mypool/var/tmp@my_recursive_snapshot)
   *********************************._***********************************

   +------------------------------------------------------------------------+
   | +                 | ***************************._                      |
   |-------------------+----------------------------------------------------|
   | -                 | ***************************._                      |
   |-------------------+----------------------------------------------------|
   | M                 | ***************************._                      |
   |-------------------+----------------------------------------------------|
   | R                 | *********************************._                |
   +------------------------------------------------------------------------+

   ************************************************************** passwd
   ************ mypool/var/tmp@my_recursive_snapshot
   *********************************************************** /var/tmp
   ******************************._

   ********* ZFS
   ***************************************************************************************************._

   **************************************************************************************

 # cp /var/tmp/passwd /var/tmp/passwd.copy
 # zfs snapshot mypool/var/tmp@diff_snapshot
 # zfs diff mypool/var/tmp@my_recursive_snapshot mypool/var/tmp@diff_snapshot
 M       /var/tmp/
 +       /var/tmp/passwd
 +       /var/tmp/passwd.copy
 # zfs diff mypool/var/tmp@my_recursive_snapshot mypool/var/tmp@after_cp
 M       /var/tmp/
 +       /var/tmp/passwd

   ******************************************************************************************************************._*********
   ****** ***************************._

    19.4.5.3. ******************

   *********************************************************._***************************************************************************************************************************,_*********************************************************************************************
   ...
   ********************************._********************************************************
   zfs rollback
   snapshotname._*****************************************************************************************************._*******************************************************************************
   ACID
   ******************************._********************************************************************************._**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************._

   ***************************** rm
   **************************************************************._

 # zfs list -rt all mypool/var/tmp
 NAME                                   USED  AVAIL  REFER  MOUNTPOINT
 mypool/var/tmp                         262K  93.2G   120K  /var/tmp
 mypool/var/tmp@my_recursive_snapshot    88K      -   152K  -
 mypool/var/tmp@after_cp               53.5K      -   118K  -
 mypool/var/tmp@diff_snapshot              0      -   120K  -
 # ls /var/tmp
 passwd          passwd.copy     vi.recover
 # rm /var/tmp/passwd*
 # ls /var/tmp
 vi.recover

   ***********************************************************************._ZFS
   ***********************************************************
   (Rollback)**************************************************************._****************************************************************************

 # zfs rollback mypool/var/tmp@diff_snapshot
 # ls /var/tmp
 passwd          passwd.copy     vi.recover

   ***************************************************************._***********************************************************************._*****************ZFS
   ***********************

 # zfs list -rt snapshot mypool/var/tmp
 AME                                   USED  AVAIL  REFER  MOUNTPOINT
 mypool/var/tmp@my_recursive_snapshot    88K      -   152K  -
 mypool/var/tmp@after_cp               53.5K      -   118K  -
 mypool/var/tmp@diff_snapshot              0      -   120K  -
 # zfs rollback mypool/var/tmp@my_recursive_snapshot
 cannot rollback to 'mypool/var/tmp@my_recursive_snapshot': more recent snapshots exist
 use '-r' to force deletion of the following snapshots:
 mypool/var/tmp@after_cp
 mypool/var/tmp@diff_snapshot

   *****************************************************************************************************************************._*************************************************************************
   ZFS *********************************************._*********************
   -r **************************ZFS
   ******************************._***************************************************************************************************************

 # zfs rollback -r mypool/var/tmp@my_recursive_snapshot
 # zfs list -rt snapshot mypool/var/tmp
 NAME                                   USED  AVAIL  REFER  MOUNTPOINT
 mypool/var/tmp@my_recursive_snapshot     8K      -   152K  -
 # ls /var/tmp
 vi.recover

   ****** zfs list -t snapshot ****************** zfs rollback -r
   ******************._

    19.4.5.4. ***************************

   **************************************************.zfs/snapshots/snapshotname._********************************************
   ls -a
   ******._*************************************************************************************************._***************
   snapdir
   ***********************************************************************************************
   (visible) ****************************** ls
   ******************************************._

 # zfs get snapdir mypool/var/tmp
 NAME            PROPERTY  VALUE    SOURCE
 mypool/var/tmp  snapdir   hidden   default
 # ls -a /var/tmp
 .               ..              passwd          vi.recover
 # zfs set snapdir=visible mypool/var/tmp
 # ls -a /var/tmp
 .               ..              .zfs            passwd          vi.recover

   **************************************************************************************************._***
   .zfs/snapshot
   ***********************************************************************************************._***********************************************
   .zfs
   ****************************************************************************

 # rm /var/tmp/passwd
 # ls -a /var/tmp
 .               ..              .zfs            vi.recover
 # ls /var/tmp/.zfs/snapshot
 after_cp                my_recursive_snapshot
 # ls /var/tmp/.zfs/snapshot/after_cp
 passwd          vi.recover
 # cp /var/tmp/.zfs/snapshot/after_cp/passwd /var/tmp

   ****** ls .zfs/snapshot *********** snapdir
   **************************************************************************************************************************************************************************************._******************
   .zfs/snapshot
   ************************************************************************************************

 # cp /etc/rc.conf /var/tmp/.zfs/snapshot/after_cp/
 cp: /var/tmp/.zfs/snapshot/after_cp/rc.conf: Read-only file system

   ********************************************************************************._********************************************************************************************************._

   *****************************************************************************************************
   written *********************************************************._

   ****** zfs destroy dataset@snapshot
   *********************************._****** -r
   ***************************************************************._****** -n
   -v
   *****************************************************************************************************._

  19.4.6. ************ (Clone)

   ****** (Clone)
   ************************************************************************************************
   (******)****************************************._****** zfs clone
   *****************************************************************._*********************/*********************
   zfs promote *********._******************
   *****************************************************************************************************************************************************************._************************
   ZFS
   ***********************************************************************************._

   *****************************************************

 # zfs list -rt all camino/home/joe
 NAME                    USED  AVAIL  REFER  MOUNTPOINT
 camino/home/joe         108K   1.3G    87K  /usr/home/joe
 camino/home/joe@plans    21K      -  85.5K  -
 camino/home/joe@backup    0K      -    87K  -

   ****************************************************************************************************************************************************************************************/******************._****************************************************************************************************************._*******************************************************************************************._

 # zfs clone camino/home/joe@backup camino/home/joenew
 # ls /usr/home/joe*
 /usr/home/joe:
 backup.txz     plans.txt

 /usr/home/joenew:
 backup.txz     plans.txt
 # df -h /usr/home
 Filesystem          Size    Used   Avail Capacity  Mounted on
 usr/home/joe        1.3G     31k    1.3G     0%    /usr/home/joe
 usr/home/joenew     1.3G     31k    1.3G     0%    /usr/home/joenew

   *****************************************************************************************************************************._*****************************************************ZFS
   ************ origin
   *****************************************************************************
   zfs promote ***************************** origin
   *********************************************************._***********************************

 # zfs get origin camino/home/joenew
 NAME                  PROPERTY  VALUE                     SOURCE
 camino/home/joenew    origin    camino/home/joe@backup    -
 # zfs promote camino/home/joenew
 # zfs get origin camino/home/joenew
 NAME                  PROPERTY  VALUE   SOURCE
 camino/home/joenew    origin    -       -

   ************************************** loader.conf
   **************************************************************************************************************************************************************************************
   zfs destroy ******************************
   (*********************************) ****************** zfs rename._

 # cp /boot/defaults/loader.conf /usr/home/joenew
 # zfs destroy -f camino/home/joe
 # zfs rename camino/home/joenew camino/home/joe
 # ls /usr/home/joe
 backup.txz     loader.conf     plans.txt
 # df -h /usr/home
 Filesystem          Size    Used   Avail Capacity  Mounted on
 usr/home/joe        1.3G    128k    1.3G     0%    /usr/home/joe

   *******************************************************************************************************************************************************
   loader.conf._*************************************************** ZFS
   *************************************Jail
   *************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
   Jail ************************._

  19.4.7. ****** (Replication)

   ******************************************************************************,_*************************************************************************ZFS
   *************************** (Serialization)
   ***************************************************._*********************************************************************************************************************************************************************************************
   (*************** ZFS ******(Snapshot))._****************************** zfs
   send *** zfs receive._

   ************************************************ ZFS ********

 # zpool list
 NAME    SIZE  ALLOC   FREE   CKPOINT  EXPANDSZ   FRAG   CAP  DEDUP  HEALTH  ALTROOT
 backup  960M    77K   896M         -         -     0%    0%  1.00x  ONLINE  -
 mypool  984M  43.7M   940M         -         -     0%    4%  1.00x  ONLINE  -

   ****** mypool
   **************************************************************************._******************
   backup ************
   (Standby)***********************************************._********ZFS
   ******************************
   (Fail-over)***********************************************************._********************************************************************mypool
   ***************************************** backup
   *******************************************************************************************************._

 # zfs snapshot mypool@backup1
 # zfs list -t snapshot
 NAME                    USED  AVAIL  REFER  MOUNTPOINT
 mypool@backup1             0      -  43.6M  -

   *********************************** zfs send
   ********************************************************************************************************._*********************************************************************************************************************

 # zfs send mypool@backup1
 Error: Stream can not be written to a terminal.
 You must redirect standard output.

   ********* zfs send
   ***********************************************************************************************._****************************************************************************************************************************************************************._

 # zfs send mypool@backup1 > /backup/backup1
 # zpool list
 NAME    SIZE  ALLOC   FREE   CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
 backup  960M  63.7M   896M         -         -     0%     6%  1.00x  ONLINE  -
 mypool  984M  43.7M   940M         -         -     0%     4%  1.00x  ONLINE  -

   zfs send ****************** backup1 ******************************
   backup._************ cron(8)
   ***************************************************._

   *****************************************ZFS
   ***********************************************************************************._***************************************************
   zfs receive
   *********************************._************************************
   zfs send *** zfs
   receive*************************************************************************************************************._************************************************************._

 # zfs snapshot mypool@replica1
 # zfs send -v mypool@replica1 | zfs receive backup/mypool
 send from @ to mypool@replica1 estimated size is 50.1M
 total estimated size is 50.1M
 TIME        SENT   SNAPSHOT

 # zpool list
 NAME    SIZE  ALLOC   FREE   CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
 backup  960M  63.7M   896M         -         -     0%     6%  1.00x  ONLINE  -
 mypool  984M  43.7M   940M         -         -     0%     4%  1.00x  ONLINE  -

    19.4.7.1. ***************

   zfs send
   **********************************************************************************************************************************._********

 # zfs snapshot mypool@replica2
 # zfs list -t snapshot
 NAME                    USED  AVAIL  REFER  MOUNTPOINT
 mypool@replica1         5.72M      -  43.6M  -
 mypool@replica2             0      -  44.1M  -
 # zpool list
 NAME    SIZE  ALLOC   FREE   CKPOINT  EXPANDSZ   FRAG   CAP  DEDUP  HEALTH  ALTROOT
 backup  960M  61.7M   898M         -         -     0%    6%  1.00x  ONLINE  -
 mypool  960M  50.2M   910M         -         -     0%    5%  1.00x  ONLINE  -

   ********************* replica2
   ***********************************************************************
   replica1 *********************************._****** zfs send -i
   ***********************************************************************************************._************************************************************._

 # zfs send -v -i mypool@replica1 mypool@replica2 | zfs receive /backup/mypool
 send from @replica1 to mypool@replica2 estimated size is 5.02M
 total estimated size is 5.02M
 TIME        SENT   SNAPSHOT

 # zpool list
 NAME    SIZE  ALLOC   FREE   CKPOINT  EXPANDSZ   FRAG  CAP  DEDUP  HEALTH  ALTROOT
 backup  960M  80.8M   879M         -         -     0%   8%  1.00x  ONLINE  -
 mypool  960M  50.2M   910M         -         -     0%   5%  1.00x  ONLINE  -

 # zfs list
 NAME                         USED  AVAIL  REFER  MOUNTPOINT
 backup                      55.4M   240G   152K  /backup
 backup/mypool               55.3M   240G  55.2M  /backup/mypool
 mypool                      55.6M  11.6G  55.0M  /mypool

 # zfs list -t snapshot
 NAME                                         USED  AVAIL  REFER  MOUNTPOINT
 backup/mypool@replica1                       104K      -  50.2M  -
 backup/mypool@replica2                          0      -  55.2M  -
 mypool@replica1                             29.9K      -  50.0M  -
 mypool@replica2                                 0      -  55.0M  -

   ***************************************************************************************************************
   replica1._***************************************************************************************************************************************************************************************************._

   ************ mypool *********************************************
   backup/mypool ***************._*********
   -P**************************************************** (Compression)
   ************** (Quota) ************ (Mount point)._*********
   -R*************************************************************************************._************************************************************************._

    19.4.7.2. ****** SSH *********************

   **********************************************************************************************************************************************************************************************************************************************************************************************************************************************._SSH
   ******************************************************** ZFS
   ***********************************************************************************
   SSH._***************************************************************************************************
   PEFS._

   ******************************************************************** zfs
   send ************************************************************** SSH
   ****************** *** 13.8, "OpenSSH"._

   ***********************

     * ****** SSH ************************************************ SSH ******

     * *************** root
       ************************************************** root
       ************************._********************************************
       root ******._ZFS ****** (ZFS Delegation)
       ********************************* root
       ***************************************************************._

     * ***********************

 # zfs allow -u someuser send,snapshot mypool

     * *****************************************************************************************************************._***********************

 # sysctl vfs.usermount=1
 vfs.usermount: 0 -> 1
 # sysrc -f /etc/sysctl.conf vfs.usermount=1
 # zfs create recvpool/backup
 # zfs allow -u someuser create,mount,receive recvpool/backup
 # chown someuser /recvpool/backup

   ***********************************************************************
   home *****************************************

 % zfs snapshot -r mypool/home@monday
 % zfs send -R mypool/home@monday | ssh someuser@backuphost zfs recv -dvu recvpool/backup

   ********************* mypool *************************** home
   ************************ monday************** zfs send -R
   ***************************************************,_******,_************************._*********************
   SSH ********************* backuphost ****************** zfs
   receive***************************************** IP
   ******._************************************ recvpool ***************
   backup ************** zfs recv ****** -d
   ******************************************************** -u
   ********************************************************
   -v**********************************************************************************************._

  19.4.8. *********,_***************************

   *************** (Dataset quota)
   *********************************************************._************
   (Reference Quota)
   *******************************************************************************************************************._********************
   (User) ********* (Group)
   ************************************************************************************._

   ********* storage/home/bob ********************* 10 GB**

 # zfs set quota=10G storage/home/bob

   ********* storage/home/bob ****************** 10 GB**

 # zfs set refquota=10G storage/home/bob

   ********* storage/home/bob *** 10 GB ********

 # zfs set quota=none storage/home/bob

   *************************************** userquota@user=size
   ********************************************

     * POSIX ******************** joe._

     * POSIX ****** ID***** 789._

     * SID *********** joe.bloggs@example.com._

     * SID ****** ID***** S-1-123-456-789._

   ******************************** joe ********************* 50 GB**

 # zfs set userquota@joe=50G

   ***********************

 # zfs set userquota@joe=none

  ******:

   *************************************** zfs get all._*** root
   ********************************************************************
   userquota
   *****************************************************************************._

   *****************************************groupquota@group=size._

   *************** firstgroup ************ 50 GB ***********

 # zfs set groupquota@firstgroup=50G

   *************** firstgroup
   *******************************************************

 # zfs set groupquota@firstgroup=none

   ******************************** root
   ***************************************************._*** root *********
   groupquota
   ********************************************************************._

   ******************************************************************************************
   zfs userspace************************************** zfs
   groupspace**************************************************************************************
   zfs(1)._

   ****************************** root ******************************
   storage/home/bob ***********

 # zfs get quota storage/home/bob

  19.4.9. ************

   ************ (Reservation)
   *******************************************************************************************************************************************************************************************************._

   reservation ************************ reservation=size**************
   storage/home/bob ************ 10 GB ********************

 # zfs set reservation=10G storage/home/bob

   *****************************

 # zfs set reservation=none storage/home/bob

   ****************************** refreservation
   ********************************* (Reference
   Reservation)************************************** refreservation=size._

   *************************************** storage/home/bob *** reservation
   *** refreservation**

 # zfs get reservation storage/home/bob
 # zfs get refreservation storage/home/bob

  19.4.10. ****** (Compression)

   ZFS
   **********************************************************************************************************************._******************
   25%****************************************************************************************************************************
   125%._************************************ (Deduplication)
   ********************************************************._

   ZFS
   *******************************************************************************
   ZFS v5000 ********* LZ4
   *********************************************************************************************************************************
   LZ4 ****** ************ ************** LZ4
   ********************************************* 12.5%
   ***********************************************************************
   CPU
   *********************************************************************._*********************
   ZFS
   **************************************************************************
   (Compression) ******._

   ***************************************************************._

 # zfs get used,compressratio,compression,logicalused mypool/compressed_dataset
 NAME        PROPERTY          VALUE     SOURCE
 mypool/compressed_dataset  used              449G      -
 mypool/compressed_dataset  compressratio     1.11x     -
 mypool/compressed_dataset  compression       lz4       local
 mypool/compressed_dataset  logicalused       496G      -

   ************************ 449 GB ********* (*** used
   ******)._*********************************************** 496 GB *********
   (*** logicalused ******)***************************************** 1.11:1._

   ********************************* (User Quota)
   ******************************************************._**************************************************************************************************************
   ********* ************************************************* 10 GB
   ******************** 10 GB
   ********************************************************************._****************************************************************************************************************************************************************************************************************************************************************
   (*** logicalused
   ******)*************************************************************************._

   ********************************************************************************************************************************************************************************._***********************************************************************************************************************************._

  19.4.11. ********* (Deduplication)

   ******************** (Deduplication)
   ********************************************* (Checksum)
   *************************************************************************************ZFS
   ***********************************************************************************************************************************************************************************************************************************************************************************************************************************************._

   ***************************************************** dedup ********

 # zfs set dedup=on pool

   **************************************************************************************************************************************************************._*****************************************************

 # zpool list
 NAME  SIZE ALLOC  FREE   CKPOINT  EXPANDSZ   FRAG   CAP   DEDUP   HEALTH   ALTROOT
 pool 2.84G 2.19M 2.83G         -         -     0%    0%   1.00x   ONLINE   -

   DEDUP ******************************************************** 1.00x
   ******************************._***************************************************************************
   Port ************************._

 # for d in dir1 dir2 dir3; do
 > mkdir $d && cp -R /usr/ports $d &
 > done

   ***********************************************

 # zpool list
 NAME SIZE  ALLOC  FREE   CKPOINT  EXPANDSZ   FRAG  CAP   DEDUP   HEALTH   ALTROOT
 pool 2.84G 20.9M 2.82G         -         -     0%   0%   3.00x   ONLINE   -

   DEDUP *************** 3.00x
   ***************************************************** Port
   ***********************************************************************************._********************************************************************************************************************************._

   ********************************************************************************************._ZFS
   ********************************************************************************************

 # zdb -S pool
 Simulated DDT histogram:

 bucket              allocated                       referenced
 ______   ______________________________   ______________________________
 refcnt   blocks   LSIZE   PSIZE   DSIZE   blocks   LSIZE   PSIZE   DSIZE
 ------   ------   -----   -----   -----   ------   -----   -----   -----
      1    2.58M    289G    264G    264G    2.58M    289G    264G    264G
      2     206K   12.6G   10.4G   10.4G     430K   26.4G   21.6G   21.6G
      4    37.6K    692M    276M    276M     170K   3.04G   1.26G   1.26G
      8    2.18K   45.2M   19.4M   19.4M    20.0K    425M    176M    176M
     16      174   2.83M   1.20M   1.20M    3.33K   48.4M   20.4M   20.4M
     32       40   2.17M    222K    222K    1.70K   97.2M   9.91M   9.91M
     64        9     56K   10.5K   10.5K      865   4.96M    948K    948K
    128        2   9.50K      2K      2K      419   2.11M    438K    438K
    256        5   61.5K     12K     12K    1.90K   23.0M   4.47M   4.47M
     1K        2      1K      1K      1K    2.98K   1.49M   1.49M   1.49M
  Total    2.82M    303G    275G    275G    3.20M    319G    287G    287G

 dedup = 1.05, compress = 1.11, copies = 1.00, dedup * compress / copies = 1.16

   *** zdb -S
   *********************************************************************************._**************1.16
   ***********************************************************************************._***********************************************************************************************************************************************._************
   ratio = dedup * compress /
   copies**********************************************************************************************************************************************._************************************************************************************************************************************************._******************************************************************************
   DDT ************._

  19.4.12. ZFS *** Jail

   zfs jail *************** jailed *************************** ZFS
   ************************ Jail ******._zfs jail jailid
   ************************************************ Jail***** zfs unjail
   ******************._********************* Jail ****************** jailed
   ****************************************************************************************************************._

19.5. ************

   ********************************************************************* ZFS
   ***************._*************************************************************************************************************************************._******************************************************._************************
   Script
   ***************************************************************************._********************************************************************************************************._

  19.5.1. *********************

   zfs allow someuser create mydataset
   ************************************************************************************._****************************************************************************
   FreeBSD *** vfs.usermount sysctl(8) *** 1 ************ root
   ************************************._**************************************************
   root
   *********************************************************************************._

  19.5.2. ******************

   zfs allow someuser allow mydataset
   ***************************************************************************************************************************._*********************
   snapshot ********* allow *********************************** snapshot
   ************************._

19.6. ************

  19.6.1. ******

   ***************************************************** ZFS
   ************************************************._

     * vfs.zfs.arc_max - Maximum size of the ARC. The default is all RAM but
       1 GB, or 5/8 of all RAM, whichever is more. However, a lower value
       should be used if the system will be running any other daemons or
       processes that may require memory. This value can be adjusted at
       runtime with sysctl(8) and can be set in /boot/loader.conf or
       /etc/sysctl.conf.

     * vfs.zfs.arc_meta_limit - Limit the portion of the ARC that can be used
       to store metadata. The default is one fourth of vfs.zfs.arc_max.
       Increasing this value will improve performance if the workload
       involves operations on a large number of files and directories, or
       frequent metadata operations, at the cost of less file data fitting in
       the ARC. This value can be adjusted at runtime with sysctl(8) and can
       be set in /boot/loader.conf or /etc/sysctl.conf.

     * vfs.zfs.arc_min - Minimum size of the ARC. The default is one half of
       vfs.zfs.arc_meta_limit. Adjust this value to prevent other
       applications from pressuring out the entire ARC. This value can be
       adjusted at runtime with sysctl(8) and can be set in /boot/loader.conf
       or /etc/sysctl.conf.

     * vfs.zfs.vdev.cache.size - A preallocated amount of memory reserved as
       a cache for each device in the pool. The total amount of memory used
       will be this value multiplied by the number of devices. This value can
       only be adjusted at boot time, and is set in /boot/loader.conf.

     * vfs.zfs.min_auto_ashift - Minimum ashift (sector size) that will be
       used automatically at pool creation time. The value is a power of two.
       The default value of 9 represents 2^9 = 512, a sector size of 512
       bytes. To avoid write amplification and get the best performance, set
       this value to the largest sector size used by a device in the pool.

       Many drives have 4 KB sectors. Using the default ashift of 9 with
       these drives results in write amplification on these devices. Data
       that could be contained in a single 4 KB write must instead be written
       in eight 512-byte writes. ZFS tries to read the native sector size
       from all devices when creating a pool, but many drives with 4 KB
       sectors report that their sectors are 512 bytes for compatibility.
       Setting vfs.zfs.min_auto_ashift to 12 (2^12 = 4096) before creating a
       pool forces ZFS to use 4 KB blocks for best performance on these
       drives.

       Forcing 4 KB blocks is also useful on pools where disk upgrades are
       planned. Future disks are likely to use 4 KB sectors, and ashift
       values cannot be changed after a pool is created.

       In some specific cases, the smaller 512-byte block size might be
       preferable. When used with 512-byte disks for databases, or as storage
       for virtual machines, less data is transferred during small random
       reads. This can provide better performance, especially when using a
       smaller ZFS record size.

     * vfs.zfs.prefetch_disable - Disable prefetch. A value of 0 is enabled
       and 1 is disabled. The default is 0, unless the system has less than
       4 GB of RAM. Prefetch works by reading larger blocks than were
       requested into the ARC in hopes that the data will be needed soon. If
       the workload has a large number of random reads, disabling prefetch
       may actually improve performance by reducing unnecessary reads. This
       value can be adjusted at any time with sysctl(8).

     * vfs.zfs.vdev.trim_on_init - Control whether new devices added to the
       pool have the TRIM command run on them. This ensures the best
       performance and longevity for SSDs, but takes extra time. If the
       device has already been secure erased, disabling this setting will
       make the addition of the new device faster. This value can be adjusted
       at any time with sysctl(8).

     * vfs.zfs.vdev.max_pending - Limit the number of pending I/O requests
       per device. A higher value will keep the device command queue full and
       may give higher throughput. A lower value will reduce latency. This
       value can be adjusted at any time with sysctl(8).

     * vfs.zfs.top_maxinflight - Maxmimum number of outstanding I/Os per
       top-level vdev. Limits the depth of the command queue to prevent high
       latency. The limit is per top-level vdev, meaning the limit applies to
       each mirror, RAID-Z, or other vdev independently. This value can be
       adjusted at any time with sysctl(8).

     * vfs.zfs.l2arc_write_max - Limit the amount of data written to the
       L2ARC per second. This tunable is designed to extend the longevity of
       SSDs by limiting the amount of data written to the device. This value
       can be adjusted at any time with sysctl(8).

     * vfs.zfs.l2arc_write_boost - The value of this tunable is added to
       vfs.zfs.l2arc_write_max and increases the write speed to the SSD until
       the first block is evicted from the L2ARC. This "Turbo Warmup Phase"
       is designed to reduce the performance loss from an empty L2ARC after a
       reboot. This value can be adjusted at any time with sysctl(8).

     * vfs.zfs.scrub_delay - Number of ticks to delay between each I/O during
       a scrub. To ensure that a scrub does not interfere with the normal
       operation of the pool, if any other I/O is happening the scrub will
       delay between each command. This value controls the limit on the total
       IOPS (I/Os Per Second) generated by the scrub. The granularity of the
       setting is determined by the value of kern.hz which defaults to 1000
       ticks per second. This setting may be changed, resulting in a
       different effective IOPS limit. The default value is 4, resulting in a
       limit of: 1000 ticks/sec / 4 = 250 IOPS. Using a value of 20 would
       give a limit of: 1000 ticks/sec / 20 = 50 IOPS. The speed of scrub is
       only limited when there has been recent activity on the pool, as
       determined by vfs.zfs.scan_idle. This value can be adjusted at any
       time with sysctl(8).

     * vfs.zfs.resilver_delay - Number of milliseconds of delay inserted
       between each I/O during a resilver. To ensure that a resilver does not
       interfere with the normal operation of the pool, if any other I/O is
       happening the resilver will delay between each command. This value
       controls the limit of total IOPS (I/Os Per Second) generated by the
       resilver. The granularity of the setting is determined by the value of
       kern.hz which defaults to 1000 ticks per second. This setting may be
       changed, resulting in a different effective IOPS limit. The default
       value is 2, resulting in a limit of: 1000 ticks/sec / 2 = 500 IOPS.
       Returning the pool to an Online state may be more important if another
       device failing could Fault the pool, causing data loss. A value of 0
       will give the resilver operation the same priority as other
       operations, speeding the healing process. The speed of resilver is
       only limited when there has been other recent activity on the pool, as
       determined by vfs.zfs.scan_idle. This value can be adjusted at any
       time with sysctl(8).

     * vfs.zfs.scan_idle - Number of milliseconds since the last operation
       before the pool is considered idle. When the pool is idle the rate
       limiting for scrub and resilver are disabled. This value can be
       adjusted at any time with sysctl(8).

     * vfs.zfs.txg.timeout - Maximum number of seconds between transaction
       groups. The current transaction group will be written to the pool and
       a fresh transaction group started if this amount of time has elapsed
       since the previous transaction group. A transaction group my be
       triggered earlier if enough data is written. The default value is 5
       seconds. A larger value may improve read performance by delaying
       asynchronous writes, but this may cause uneven performance when the
       transaction group is written. This value can be adjusted at any time
       with sysctl(8).

  19.6.2. i386 ****** ZFS

   ZFS
   *****************************************************************************
   RAM ***************************************._

    19.6.2.1. *********

   ******************************************** 1 GB*********** RAM
   ****************************************** ZFS
   ************._*************************** 1 TB ********************* 1 GB
   *** RAM************************************************************* 1 TB
   *************************************** 5 GB ***
   RAM._********************************************* RAM *********
   ZFS*******************************************************************************************************
   RAM ***************************************************************._

    19.6.2.2. ************

   ********* i386(TM) *********************************** i386(TM)
   ************ ZFS
   **********************************************************************************************

 options        KVA_PAGES=512

   ***************************************************** vm.kvm_size
   *************** 1 GB ************ PAE *** 2 GB
   ******._********************************************************************************
   MB ************ 4******************* 2 GB *************** 512._

    19.6.2.3. ************************

   ************ FreeBSD ********************* kmem
   ******************************** 1 GB
   ********************************************************
   /boot/loader.conf***************************************

 vm.kmem_size="330M"
 vm.kmem_size_max="330M"
 vfs.zfs.arc_max="40M"
 vfs.zfs.vdev.cache.size="5M"

   ************************ ZFS **************************************
   https://wiki.freebsd.org/ZFSTuningGuide._

19.7. ************

     * FreeBSD Wiki - ZFS

     * FreeBSD Wiki - ZFS Tuning

     * Illumos Wiki - ZFS

     * Oracle Solaris ZFS Administration Guide

     * Calomel Blog - ZFS Raidz Performance, Capacity and Integrity

19.8. ZFS ***************

   ZFS
   *******************************************************************************************ZFS
   **************************************************************************************************************************************************************************._***********************************************ZFS
   ****************** RAID
   *********************************._***************************************
   vdev*********************************************** RAID ************
   RAID-Z ******._ZFS *************** (****** ********* (Dataset))
   ************************************************************************************************************************************************************************************************************************************************************************************._

+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|********* (Pool)     |********* (Pool) ********* ZFS ******************._************************************ vdev ***********************************************._****************************************************** (********* Dataset) *************** (********* Volume)********************************************************************._********************************* GUID *********._************************************ ZFS ******************._                                                                                                            |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|vdev ******          |****************************** vdev ***********vdev *************************** RAID Transform ***************._*************** vdev**ZFS *************************** vdev ***************************************._                                                                                                                                                                                                                                                                                                                                        |
|(vdev Types)         |  * ****** (Disk) - ************ vdev ************************************************************************** (****** /dev/ada0 *** /dev/da0) ****************** (/dev/ada0p3)._*** FreeBSD ************************************************************************* Solaris ************************************._                                                                                                                                                                                                                                     |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * ****** (File) - *****************ZFS ********************************************************************************._*** zpool create ************************************************._****** vdev *************** 128 MB *********._                                                                                                                                                                                                                                                                                                                |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * ****** (Mirror) - ************************** mirror **************************************************************._***********************************************************************************************************._****** vdev ************************************************************************._                                                                                                                                                                                                                                 |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  ******:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |    ********************* vdev ************ zpool attach ************************ vdev._                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * RAID-Z - ZFS ********* RAID-Z************** RAID-5 *********************************** (Parity) ****************************** "RAID-5 write hole" ******************************************************************************._ZFS ********************* RAID-Z********************************************************************************************************************************************************************************************* RAID-Z1 *** RAID-Z3 ._                                                                 |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |    *** RAID-Z1 ****** 4 *********************** 1 TB***************************** 3 TB*********************************************** (Degraded) ******************************************************** (Resilver) ********************************************************************._                                                                                                                                                                                                                                                                |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |    *** RAID-Z3 ****** 8 *** 1 TB ************************************** 5 TB ********************* 3 ***************************************._Sun(TM) *************** vdev ****************** 9 *********._***************************************************** vdev************************************************** vdev._                                                                                                                                                                                                                             |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |    ************ RAID-Z2 ****** 8 ****************** vdev ********************************* RAID-60 *********._RAID-Z ***************************************************************************************._4 *** 1 TB ********* RAID-Z1 ************ 3 TB ***************************** 8 *** 1 TB *************** RAID-Z3 ************ 5 TB ***************._                                                                                                                                                                                          |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * ****** (Spare) - ZFS ****************** vdev *************************************************** (Hot spare)._**************************************************************************************** zfs replace ***************************._                                                                                                                                                                                                                                                                                                        |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * ****** (Log) - ZFS ************************** ZFS ************ (ZFS Intent Log, ZIL) ************************************************************************************** SSD._****************************************************************************************************************._******************************************** RAID-Z**********************************************************************************._                                                                                                              |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * ****** (Cache) - ************ vdev *************************************** L2ARC ******._**********************************************************************************************************************._                                                                                                                                                                                                                                                                                                                                       |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|************         |********************************************************************************************************._*************** ZFS ************************************._*************************************************** 64-bit ************._*************************************************************************************************************                                                                                                                                                                                                  |
|(Transaction Group,  |  * ****** (Open) - **************************************************************************************._**************************************************************************************************************._************************************************ vfs.zfs.txg.timeout***********************************************._                                                                                                                                                                                                           |
|TXG)                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * ********* (Quiescing) - **********************************************************************************************************._********************************************************************************._                                                                                                                                                                                                                                                                                                                                  |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * ********* (Syncing) - ************************************************************************************************************************************************************* Metadata ******************._****************************************************************************************************************** Metadata*****************************************._*********************************************************                                                                                                        |
|                     |    Metadata*****************************************************************************************************._*************************** synctask ***********Synctask ********************************************************************* uberblock***********************._********************************************************************************************._                                                                                                                                                                          |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |*************************** (Snapshot) ***************************************._*** synctask *******************************************************************************************************************************************._                                                                                                                                                                                                                                                                                                                  |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|Adaptive Replacement |ZFS ****************************** (Adaptive Replacement Cache, ARC)************************************** (Least Recently Used, LRU) ********LRU ***************************************************************************************************************************************************************************************************************************************._ARC *********************************************** (Most Recently Used, MRU) *************** (Most Frequently Used, MFU)                                        |
|Cache (ARC)          |********************************************* (Ghost list)*************************************************************************************************************************************************************************._************ MRU *** MFU ********************************************************************* MRU *** LRU **************************************************************._****** ZFS ****** MFU ******************************************************************************._                                      |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|L2ARC                |L2ARC *** ZFS *********************************** ARC ************ RAM ***************** RAM ************************************** ZFS *************** ****** vdev (Cache vdev)._************ (Solid State Disk, SSD) *******************************************************************************************************************************._L2ARC ******************************************************** SSD ********************************************************._L2ARC ****************************** (Deduplication)******** DDT       |
|                     |****************** RAM***************** L2ARC****************************************************._************ SSD ********************************************************************************************************** (******************************************) ***************** L2ARC *************************************** (Write limit) *************** (Boost limit) ********************************************************************************** sysctl(8) *************** vfs.zfs.l2arc_write_max                                |
|                     |******************************************************** vfs.zfs.l2arc_write_boost ****** "******************" (***************) *********************._                                                                                                                                                                                                                                                                                                                                                                                                    |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|ZIL                  |ZIL ****************************************************************************** (Synchronous transaction)***** SSD._************************************************ (**************************************************************************)************************************** ZIL *****************************************************._******************************************._ZIL ********************************************************************************************************************** ZIL._                          |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|***************      |******************************** ZFS******************************************************************************************************************************************************************** Metadata ******************._***************************** (******************************************************) ********************************************************************************************************* ZFS ********************************************* fsck(8)._                                                          |
|(Copy-On-Write)      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|********* (Dataset)  |********* (Dataset) *** ZFS ************,_*********,_******************************._************************************************ poolname/path@snapshot ******._********************************************************************************************************************** mypool/home**home ************ mypool ***************************************._*********************************                                                                                                                                                |
|                     |mypool/home/user*****************************************************._************************************************************************._****************************************************** (Delegate) *********._                                                                                                                                                                                                                                                                                                                              |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|************ (File   |ZFS ******************************************._**************************************ZFS ************************************************************************************,_********* Metadata ******************._                                                                                                                                                                                                                                                                                                                                     |
|system)              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|********* (Volume)   |********************************************ZFS ************************ (Volume)********************************._********************************************************************,_******,_************************._****** ZFS ***************************************************************************** UFS ****************** iSCSI ************ (Extent)._                                                                                                                                                                                    |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|****** (Snapshot)    |ZFS ****************** (Copy-On-Write, COW) ***************************************************,_***************._****************************************************** (******************************)                                                                                                                                                                                                                                                                                                                                                   |
|                     |*************************************************************************************************************************************************************************************************************************************************************._**************************************************************************************************._****************** (Apparent size)                                                                                                                                                       |
|                     |**************************************************************************************._***************************************************************************************** (Rollback)                                                                                                                                                                                                                                                                                                                                                                |
|                     |**************************************************************************************._***********************************************************************************************************,_******,_*************************************************************************************************************************************************************************************._****************** hold *********************** hold ******************************************************** EBUSY                                     |
|                     |************************************************************** hold***** release ********************* hold**************************._****************************************************************************************._                                                                                                                                                                                                                                                                                                                           |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|****** (Clone)       |**********************************************************************************************************._********************************************************************************************************************************************* (Apparent size) *******************************************************************************************************************************._*********************************************************************************************************._*********************                 |
|                     |(promoted),_******************************************************************************************************._******************************************************************************** (Quota) *************** (Reservation)._                                                                                                                                                                                                                                                                                                                |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|********* (Checksum) |**************************************************************************************************************************************** set._*********************************************************** ZFS **********************************************************************ZFS ************************************************************** (Mirror) *** RAID-Z._*************************************************** (Scrub)*******************************                                                                                      |
|                     |  * fletcher2                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * fletcher4                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * sha256                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |fletcher ******************** sha256 ***********************************************************************._*****************************************._                                                                                                                                                                                                                                                                                                                                                                                                   |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|****** (Compression) |*************************** (Compression) *******************************************************************************************************************************************._*******************************************************************************************************************************._                                                                                                                                                                                                                                    |
|                     |  * LZ4 - ZFS *************** 5000 (************) **************LZ4 ***************************************************************** LZ4 ********* LZJB ********* 50%****************************************************LZ4 *************** LZJB ****** 80%._************ CPU *****LZ4 ****************** 500 MB/s ************************************** 1.5 GB/s (****** CPU ******)._                                                                                                                                                                  |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * LZJB - ************************._*** Jeff Bonwick ********* (ZFS ******************)._LZJB *** GZIP *********************** CPU ***************************._************************************************ LZ4._                                                                                                                                                                                                                                                                                                                                     |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * GZIP - *** ZFS ************************************._****** GZIP ************************************************._********* compress *********************************************************************** gzip1 ************************ gzip9._****************************************** CPU *********************._                                                                                                                                                                                                                              |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  * ZLE - *****************************************************************************._*********************************************************************************._                                                                                                                                                                                                                                                                                                                                                                                |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|********* (Copies)   |*************** 1 **************copies *************** ZFS *************************** (File System) ************ (Volume) *********************._***************************************************************************************************************._***************************************************************************************************************************************************************************************************************************._                                                            |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|*********            |*******************************************************************************************,_*********************************************************._*************************************************************************** (Deduplication table, DDT)**************************************************,_************************************************._*****************************************************************************************************************._****************** SHA256                                            |
|(Deduplication)      |********************************************************************************************** dedup ****** on ******************************************************** dedup ****** verify **************************************************************************************************************************************************************************._****** DDT ************************************************************************************************************* 1 TB ****************************** 5-6 GB                 |
|                     |************._********************* RAM *************** DDT ***************************************************************************************** DDT *********************************************************** L2ARC ****** DDT ***************************************************************************._*****************************************************************************************************************************************._                                                                                             |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|****** (Scrub)       |ZFS *** scrub ********* fsck(8) ************************._scrub ************************************************************************ Metadata                                                                                                                                                                                                                                                                                                                                                                                                           |
|                     |***********************************************************************************************************************************************************************************************._***********************************************************************************************._***************************************************************************************************************************************************************************************************************************************************._scrub|
|                     |************ vfs.zfs.scrub_delay *********************************************************************************._                                                                                                                                                                                                                                                                                                                                                                                                                                        |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|***************      |********************************ZFS ***************************************,_********************************************************************************************************************************._                                                                                                                                                                                                                                                                                                                                             |
|(Dataset Quota)      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |ZFS supports different types of quotas: the dataset quota, the reference quota (refquota), the user quota, and the group quota.                                                                                                                                                                                                                                                                                                                                                                                                                             |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |*********************************************************,_*********************************************************._                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |  ******:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|                     |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |************************************** volsize ***************************************._                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|************         |****************************************** (Hard limit) ********************************************************************************************************************************************************************._                                                                                                                                                                                                                                                                                                                              |
|(Reference Quota)    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|*************** (User|*********************************************************************************._                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|Quota)               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|************ (Group  |*********************************************************._                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
|Quota)               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|*********************|reservation ******************************************************************************** storage/home/bob ****** 10 GB ************************************************************************************** 10 GB *********************************._************ storage/home/bob ***********************************************************************._ refreservation ******************************************** ********* **********************._                                                                                           |
|(Dataset Reservation)|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|                     |******************************************************************************************************************************************************************************************************************._                                                                                                                                                                                                                                                                                                                                        |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|******************   |refreservation ************************************ ********* *********************************************** storage/home/bob ****** 10 GB ************************************************************************************** 10 GB *********************************._********* reservation ********************************************************************************************._************************** storage/home/bob ************** refreservation                                                                                   |
|(Reference           |*********************************************************************************************************** refreservation **************************************************._                                                                                                                                                                                                                                                                                                                                                                             |
|Reservation)         |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|****** (Resilver)    |******************************************************************************************************************************************************************************************************************* ****** (Resilvering)._                                                                                                                                                                                                                                                                                                                  |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|****** (Online)      |****************** vdev ************ (Online) ******************************************************************._************************ (Online) ***************************._                                                                                                                                                                                                                                                                                                                                                                           |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|****** (Offline)     |****************************************** vdev ************ (Faulted) ************************************************** (Offline) ********************************************************************************************************._                                                                                                                                                                                                                                                                                                              |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|****** (Degraded)    |****************** vdev ************ (Degraded) *********************************************************************************************************************************************************._******************************************************************************** (Resilver) ********************************* (Online) ******._                                                                                                                                                                                                  |
|---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|****** (Faulted)     |****************** vdev ************ (Faulted) *****************************************************************._****** vdev ***************************************************************** vdev *************** (Faulted) ******._******************************************************************** (Online) ******._***************************************************************************************************************._                                                                                                              |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

*** 20. ******************

   Written by Tom Rhodes.
   ************

   20.1. ******

   20.2. Linux(R) ************

20.1. ******

   File systems are an integral part of any operating system. They allow
   users to upload and store files, provide access to data, and make hard
   drives useful. Different operating systems differ in their native file
   system. Traditionally, the native FreeBSD file system has been the Unix
   File System UFS which has been modernized as UFS2. Since FreeBSD 7.0, the
   Z File System (ZFS) is also available as a native file system. See *** 19,
   Z ************ (ZFS) for more information.

   In addition to its native file systems, FreeBSD supports a multitude of
   other file systems so that data from other operating systems can be
   accessed locally, such as data stored on locally attached USB storage
   devices, flash drives, and hard disks. This includes support for the
   Linux(R) Extended File System (EXT).

   There are different levels of FreeBSD support for the various file
   systems. Some require a kernel module to be loaded and others may require
   a toolset to be installed. Some non-native file system support is full
   read-write while others are read-only.

   ****************************

     * The difference between native and supported file systems.

     * Which file systems are supported by FreeBSD.

     * How to enable, configure, access, and make use of non-native file
       systems.

   ****************************************

     * Understand UNIX(R) and FreeBSD basics.

     * Be familiar with the basics of kernel configuration and compilation.

     * Feel comfortable installing software in FreeBSD.

     * Have some familiarity with disks, storage, and device names in
       FreeBSD.

20.2. Linux(R) ************

   FreeBSD provides built-in support for several Linux(R) file systems. This
   section demonstrates how to load support for and how to mount the
   supported Linux(R) file systems.

  20.2.1. ext2

   Kernel support for ext2 file systems has been available since FreeBSD 2.2.
   In FreeBSD 8.x and earlier, the code is licensed under the GPL. Since
   FreeBSD 9.0, the code has been rewritten and is now BSD licensed.

   The ext2fs(5) driver allows the FreeBSD kernel to both read and write to
   ext2 file systems.

  ******:

   This driver can also be used to access ext3 and ext4 file systems. The
   ext2fs(5) filesystem has full read and write support for ext4 as of
   FreeBSD 12.0-RELEASE. Additionally, extended attributes and ACLs are also
   supported, while journalling and encryption are not. Starting with
   FreeBSD 12.1-RELEASE, a DTrace provider will be available as well. Prior
   versions of FreeBSD can access ext4 in read and write mode using
   sysutils/fusefs-ext2.

   To access an ext file system, first load the kernel loadable module:

 # kldload ext2fs

   Then, mount the ext volume by specifying its FreeBSD partition name and an
   existing mount point. This example mounts /dev/ad1s1 on /mnt:

 # mount -t ext2fs /dev/ad1s1 /mnt

*** 21. *********

   Contributed by Murray Stokely.
   bhyve section by Allan Jude.
   Xen section by Benedict Reuschling.
   ************

   21.1. ******

   21.2. *** Mac OS(R) X *** Parallels ****** FreeBSD *********

   21.3. *** Windows(R) *** Virtual PC ****** FreeBSD *********

   21.4. *** Mac OS(R) *** VMware Fusion ****** FreeBSD *********

   21.5. *** VirtualBox(TM) ****** FreeBSD ************

   21.6. *** FreeBSD ****************** VirtualBox(TM)

   21.7. *** FreeBSD ****************** bhyve

   21.8. *** FreeBSD ****************** Xen(TM)

21.1. ******

   ***************************************************************************._***
   PC
   ******************************************************************************
   (Host) ************************************************ (Guest)
   ************._

   ****************************

     * ************************************************._

     * ********* Intel(R)-based Apple(R) Mac(R) ************ FreeBSD ._

     * ********* Microsoft(R) Windows(R) ****** Virtual PC ****** FreeBSD._

     * ********* FreeBSD ********************* bhyve._

     * ************ FreeBSD ***************************************._

   ****************************************

     * ****** UNIX(R) *** FreeBSD *********._

     * ****************** FreeBSD._

     * ******************************._

     * ***************************************._

21.2. *** Mac OS(R) X *** Parallels ****** FreeBSD *********

   Mac(R) *** Parallels Desktop *************************** Intel(R)
   ************ Apple(R) Mac(R) *** Mac OS(R) 10.4.6
   ************************._ *************************** FreeBSD
   ************************._ *** Mac OS(R) X ****** Parallels
   ********************************************************************************************._

  21.2.1. *** Parallels/Mac OS(R) X ****** FreeBSD

   *** Parallels ********* FreeBSD ****************************** FreeBSD
   ************************._************************ Guest OS Type ***
   FreeBSD**

   ********************* FreeBSD
   *****************************************************************************
   Parallels ****** FreeBSD ************ 4GB ****************** 512MB *** RAM
   ***********

   **************************************

   ***********************

   *** FreeBSD ************************************************** FreeBSD._
   ************************************************** FreeBSD CD/DVD
   ****************** FTP ************ ISO *********._ *************** ISO
   ************ Mac(R) ****************************** CD/DVD *** Mac(R) ***
   CD-ROM *********._*** FreeBSD Parallels
   ***********************************************************************************************
   CD-ROM ********************* ISO *************** CD-ROM
   ******************._

   ********* CD-ROM ********************************************************
   FreeBSD ************._Parallels ************************************ BIOS
   ************************ CD-ROM._

   ****************** FreeBSD ****************************** FreeBSD
   ************._******************************************** Xorg._

   ******************************************************** FreeBSD
   ************._

  21.2.2. *** Parallels ****** FreeBSD

   ************ FreeBSD ********* Mac OS(R) X *** Parallels
   ********************************************************************************._

    1. ****** Boot Loader ******

       ********************************* kern.hz *************** FreeBSD ***
       Parallels ************ CPU ************._******************
       /boot/loader.conf ***********************

 kern.hz=100

       *********************************** FreeBSD Parallels
       *************************************** iMac(R) ****** 15% ***
       CPU._****************************************** 5%._

    2. ************************

       ********* SCSI, FireWire *** USB
       ************************************************._Parallels
       ****************************** ed(4) ************************** ed(4)
       ****** miibus(4) ************************************************._

    3. ************

       ********************************* DHCP
       ************************************ Mac(R)
       ******************************************** ifconfig_ed0="DHCP" ***
       /etc/rc.conf *********._*************************** *** 31,
       ****************** *********._

21.3. *** Windows(R) *** Virtual PC ****** FreeBSD *********

   *** Windows(R) ********* Virtual PC ***************************
   Microsoft(R) **************************************************._Virtual
   PC *** Microsoft(R) Windows(R)
   *****************************************************************************************************._

  21.3.1. *** Virtual PC ****** FreeBSD

   ****** FreeBSD *** Virtual PC
   ******************************************************
   FreeBSD._*********************************** Create a virtual machine**

   ******************************** Operating system *** Other**

   ***************************** FreeBSD
   *****************************************************************************
   Virtual PC ****** FreeBSD ************ 4GB ****************** 512MB ***
   RAM ***********

   ***********************

   ****** FreeBSD ************************
   Settings**********************************************

   FreeBSD ******************************************** FreeBSD
   ******************._************************ FreeBSD CD/DVD
   ****************** FTP ************ ISO *********._*************** ISO
   ****************** Windows(R) ********************* CD/DVD *** CD
   ***************************** FreeBSD
   *********************._************** CD ****** Virtual PC ************
   Capture ISO
   Image...*********************************************************** CD-ROM
   *** ISO ********************* CD-ROM ************************._

   ********* CD-ROM ************************** Action *** Reset ************
   FreeBSD ************._Virtual PC ********************************* BIOS
   ****** CD-ROM ******************._

   *************************** FreeBSD *********************************
   FreeBSD ******._************************************************** Xorg._

   *********************************** CD/DVD ********* ISO
   *********._************************************** FreeBSD ************._

  21.3.2. *** Virtual PC ****** FreeBSD

   ************ FreeBSD ********* Microsoft(R) Windows(R) *** Virtual PC
   ********************************************************************************._

    1. ****** Boot Loader ******

       ********************************* kern.hz*********** FreeBSD ***
       Virtual PC ********* CPU
       ************._************************************ /boot/loader.conf
       ***********

 kern.hz=100

       *********************************** FreeBSD Virtual PC ****** OS
       ************************************ 40% ***
       CPU._****************************************** 3%._

    2. ************************

       ********* SCSI, FireWire *** USB
       ************************************************._Virtual PC
       ****************************** de(4) ************************** de(4)
       ****** miibus(4) ************************************************._

    3. ************

       ********************************* DHCP
       ************************************ Microsoft(R) Windows(R)
       ******************************************** ifconfig_de0="DHCP" ***
       /etc/rc.conf *********._*************************** *** 31,
       ****************** *********._

21.4. *** Mac OS(R) *** VMware Fusion ****** FreeBSD *********

   VMware Fusion *************************** Intel(R) ************ Apple(R)
   Mac(R) *** Mac OS(R) 10.4.9 ************************._
   *************************** FreeBSD ************************._ ***
   Mac OS(R) X ****** VMware Fusion
   ********************************************************************************************._

  21.4.1. *** VMware Fusion ****** FreeBSD

   ************************ VMware Fusion ****** Virtual Machine
   Library******** New ********************

   ********************* New Virtual Machine Assistant******** Continue
   ********

   ****** Operating System *** Other ********* Version *********************
   FreeBSD *** FreeBSD 64-bit**

   *****************************************************************

   ********************* Virtual Hard Disk ********

   ***************************************** ISO *************** CD/DVD**

   ****** Finish *****************************

   ********************* FreeBSD**

   ******************************************************************************

  ******:

   *************** System Hardware
   ******************************************._

   ************************ CPU ********

   CD-ROM ***************************** CD/DVD/ISO
   ************************************************._

   **********************************************************************************************************************************
   Connect directly to the physical network (Bridged)._*********************
   Share the host's internet connection (NAT)
   **************************************************************************************._

   *********************************************** FreeBSD ************._

  21.4.2. *** VMware Fusion ****** FreeBSD

   ************ FreeBSD ********* Mac OS(R) X *** VMware Fusion
   ********************************************************************************._

    1. ****** Boot Loader ******

       ********************************* kern.hz*********** FreeBSD ***
       VMware Fusion ********* CPU
       ************._************************************ /boot/loader.conf
       ***********

 kern.hz=100

       *********************************** FreeBSD VMware Fusion
       *************************************** iMac(R) ****** 15% ***
       CPU._****************************************** 5%._

    2. ************************

       ********* SCSI, FireWire *** USB
       ************************************************._VMware Fusion
       ****************************** em(4) ************************** em(4)
       ************************************************._

    3. ************

       ********************************* DHCP
       ************************************ Mac(R)
       ******************************************** ifconfig_em0="DHCP" ***
       /etc/rc.conf *********._*************************** *** 31,
       ****************** *********._

21.5. *** VirtualBox(TM) ****** FreeBSD ************

   *** VirtualBox(TM) ********* FreeBSD
   *******************************************************************************************************************
   FreeBSD._

   VirtualBox(TM) guest additions ********************

     * ***************._

     * ******************._

     * ******************._

     * ************._

     * ************._

  ******:

   ********************* FreeBSD ***************._

   *********** FreeBSD ************ emulators/virtualbox-ose-additions
   ********* Port*********************** Port**

 # cd /usr/ports/emulators/virtualbox-ose-additions && make install clean

   *************** /etc/rc.conf**

 vboxguest_enable="YES"
 vboxservice_enable="YES"

   ************ ntpd(8) ***
   ntpdate(8)****************************************

 vboxservice_flags="--disable-timesync"

   Xorg *************** vboxvideo *****************************
   /etc/X11/xorg.conf ***********

 Section "Device"
         Identifier "Card0"
         Driver "vboxvideo"
         VendorName "InnoTek Systemberatung GmbH"
         BoardName "VirtualBox Graphics Adapter"
 EndSection

   ********* vboxmouse ************************** /etc/X11/xorg.conf
   *****************************

 Section "InputDevice"
         Identifier "Mouse0"
         Driver "vboxmouse"
 EndSection

   HAL ***************************
   /usr/local/etc/hal/fdi/policy/90-vboxguest.fdi ************
   /usr/local/share/hal/fdi/policy/10osvendor/90-vboxguest.fdi**

 <?xml version="1.0" encoding="utf-8"?>
 <!--
 # Sun VirtualBox
 # Hal driver description for the vboxmouse driver
 # $Id: chapter.xml,v 1.33 2012-03-17 04:53:52 eadler Exp $

         Copyright (C) 2008-2009 Sun Microsystems, Inc.

         This file is part of VirtualBox Open Source Edition (OSE, as
         available from http://www.virtualbox.org. This file is free software;
         you can redistribute it and/or modify it under the terms of the GNU
         General Public License (GPL) as published by the Free Software
         Foundation, in version 2 as it comes in the "COPYING" file of the
         VirtualBox OSE distribution. VirtualBox OSE is distributed in the
         hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.

         Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa
         Clara, CA 95054 USA or visit http://www.sun.com if you need
         additional information or have any questions.
 -->
 <deviceinfo version="0.2">
   <device>
     <match key="info.subsystem" string="pci">
       <match key="info.product" string="VirtualBox guest Service">
         <append key="info.capabilities" type="strlist">input</append>
         <append key="info.capabilities" type="strlist">input.mouse</append>
         <merge key="input.x11_driver" type="string">vboxmouse</merge>
         <merge key="input.device" type="string">/dev/vboxguest</merge>
       </match>
     </match>
   </device>
 </deviceinfo>

   Shared folders for file transfers between host and VM are accessible by
   mounting them using mount_vboxvfs. A shared folder can be created on the
   host using the VirtualBox GUI or via vboxmanage. For example, to create a
   shared folder called myshare under /mnt/bsdboxshare for the VM named
   BSDBox, run:

 # vboxmanage sharedfolder add 'BSDBox' --name myshare --hostpath /mnt/bsdboxshare

   Note that the shared folder name must not contain spaces. Mount the shared
   folder from within the guest system like this:

 # mount_vboxvfs -w myshare /mnt

21.6. *** FreeBSD ****************** VirtualBox(TM)

   VirtualBox(TM)
   *********************,_*************************************************************
   Windows(R), Mac OS(R), Linux(R) *** FreeBSD**************************
   Windows(R) *** UNIX(R)
   ***************._**********************************************************************************************************
   USB 2.0 ***************._****************** VirtualBox(TM) wiki ***
   "Downloads" ******._************************************** FreeBSD._

  21.6.1. ****** VirtualBox(TM)

   VirtualBox(TM) ****** emulators/virtualbox-ose *** FreeBSD ********* Port
   ***************._********* Port ***********************

 # cd /usr/ports/emulators/virtualbox-ose
 # make install clean

   *** Port ****************** GuestAdditions
   *******************************************************************************************************************************
   (********************************************************************************)
   ******************************************** Windows(R)
   ***************._Guest additions ************************************
   Devices ************._

   *************************** VirtualBox(TM)
   *****************************Port ******************************
   /boot/modules*************************************

 # kldload vboxdrv

   *****************************************************************
   /boot/loader.conf**

 vboxdrv_load="YES"

   *************************************** (Host-only)
   ***************************** /etc/rc.conf****************************

 vboxnet_enable="YES"

   ********* VirtualBox(TM) ********************* vboxusers
   ************************** VirtualBox(TM)
   *****************************************************pw
   *****************************

 # pw groupmod vboxusers -m yourusername

   /dev/vboxnetctl
   **********************************************************************

 # chown root:vboxusers /dev/vboxnetctl
 # chmod 0660 /dev/vboxnetctl

   *********************************************** /etc/devfs.conf**

 own     vboxnetctl root:vboxusers
 perm    vboxnetctl 0660

   ********* VirtualBox(TM)******** Xorg ********************

 % VirtualBox

   ************************************ VirtualBox(TM) ********************
   ************._*** FreeBSD
   ***************************************************** FreeBSD wiki
   ******************._

  21.6.2. VirtualBox(TM) USB ******

   VirtualBox(TM) can be configured to pass USB devices through to the guest
   operating system. The host controller of the OSE version is limited to
   emulating USB 1.1 devices until the extension pack supporting USB 2.0 and
   3.0 devices becomes available on FreeBSD.

   For VirtualBox(TM) to be aware of USB devices attached to the machine, the
   user needs to be a member of the operator group.

 # pw groupmod operator -m yourusername

   Then, add the following to /etc/devfs.rules, or create this file if it
   does not exist yet:

 [system=10]
 add path 'usb/*' mode 0660 group operator

   ************************************** /etc/rc.conf**

 devfs_system_ruleset="system"

   ****************** devfs**

 # service devfs restart

   *************************** VirtualBox(TM)
   ******************************************** USB ************._

  21.6.3. VirtualBox(TM) Host DVD/CD ******

   ************************************************************************
   DVD/CD *********._*** VirtualBox(TM)
   ***************************************************** (Storage)
   ***************._*********************************** IDE CD/DVD
   ******************************************************** CD/DVD
   *********************************************************** Passthrough
   ************************************************************************************************
   CD ******************************************************._

   VirtualBox(TM) DVD/CD ****************************** HAL**************
   /etc/rc.conf ***************************************************

 hald_enable="YES"

 # service hald start

   ****************************** VirtualBox(TM) DVD/CD
   *********************************** /dev/xpt0, /dev/cdN ******
   /dev/passN************************************** operator
   ******************._*********************************************
   /etc/devfs.conf ***********

 perm cd* 0660
 perm xpt0 0660
 perm pass* 0660

 # service devfs restart

21.7. *** FreeBSD ****************** bhyve

   The bhyve BSD-licensed hypervisor became part of the base system with
   FreeBSD 10.0-RELEASE. This hypervisor supports a number of guests,
   including FreeBSD, OpenBSD, and many Linux(R) distributions. By default,
   bhyve provides access to serial console and does not emulate a graphical
   console. Virtualization offload features of newer CPUs are used to avoid
   the legacy methods of translating instructions and manually managing
   memory mappings.

   The bhyve design requires a processor that supports Intel(R) Extended Page
   Tables (EPT) or AMD(R) Rapid Virtualization Indexing (RVI) or Nested Page
   Tables (NPT). Hosting Linux(R) guests or FreeBSD guests with more than one
   vCPU requires VMX unrestricted mode support (UG). Most newer processors,
   specifically the Intel(R) Core(TM) i3/i5/i7 and Intel(R) Xeon(TM)
   E3/E5/E7, support these features. UG support was introduced with Intel's
   Westmere micro-architecture. For a complete list of Intel(R) processors
   that support EPT, refer to
   https://ark.intel.com/content/www/us/en/ark/search/featurefilter.html?productType=873&0_ExtendedPageTables=True.
   RVI is found on the third generation and later of the AMD Opteron(TM)
   (Barcelona) processors. The easiest way to tell if a processor supports
   bhyve is to run dmesg or look in /var/run/dmesg.boot for the POPCNT
   processor feature flag on the Features2 line for AMD(R) processors or EPT
   and UG on the VT-x line for Intel(R) processors.

  21.7.1. ************

   The first step to creating a virtual machine in bhyve is configuring the
   host system. First, load the bhyve kernel module:

 # kldload vmm

   Then, create a tap interface for the network device in the virtual machine
   to attach to. In order for the network device to participate in the
   network, also create a bridge interface containing the tap interface and
   the physical interface as members. In this example, the physical interface
   is igb0:

 # ifconfig tap0 create
 # sysctl net.link.tap.up_on_open=1
 net.link.tap.up_on_open: 0 -> 1
 # ifconfig bridge0 create
 # ifconfig bridge0 addm igb0 addm tap0
 # ifconfig bridge0 up

  21.7.2. ****** FreeBSD ******

   Create a file to use as the virtual disk for the guest machine. Specify
   the size and name of the virtual disk:

 # truncate -s 16G guest.img

   Download an installation image of FreeBSD to install:

 # fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/10.3/FreeBSD-10.3-RELEASE-amd64-bootonly.iso
 FreeBSD-10.3-RELEASE-amd64-bootonly.iso       100% of  230 MB  570 kBps 06m17s

   FreeBSD comes with an example script for running a virtual machine in
   bhyve. The script will start the virtual machine and run it in a loop, so
   it will automatically restart if it crashes. The script takes a number of
   options to control the configuration of the machine: -c controls the
   number of virtual CPUs, -m limits the amount of memory available to the
   guest, -t defines which tap device to use, -d indicates which disk image
   to use, -i tells bhyve to boot from the CD image instead of the disk, and
   -I defines which CD image to use. The last parameter is the name of the
   virtual machine, used to track the running machines. This example starts
   the virtual machine in installation mode:

 # sh /usr/share/examples/bhyve/vmrun.sh -c 1 -m 1024M -t tap0 -d guest.img -i -I FreeBSD-10.3-RELEASE-amd64-bootonly.iso guestname

   The virtual machine will boot and start the installer. After installing a
   system in the virtual machine, when the system asks about dropping in to a
   shell at the end of the installation, choose Yes.

   Reboot the virtual machine. While rebooting the virtual machine causes
   bhyve to exit, the vmrun.sh script runs bhyve in a loop and will
   automatically restart it. When this happens, choose the reboot option from
   the boot loader menu in order to escape the loop. Now the guest can be
   started from the virtual disk:

 # sh /usr/share/examples/bhyve/vmrun.sh -c 4 -m 1024M -t tap0 -d guest.img guestname

  21.7.3. ****** Linux(R) ******

   In order to boot operating systems other than FreeBSD, the
   sysutils/grub2-bhyve port must be first installed.

   Next, create a file to use as the virtual disk for the guest machine:

 # truncate -s 16G linux.img

   Starting a virtual machine with bhyve is a two step process. First a
   kernel must be loaded, then the guest can be started. The Linux(R) kernel
   is loaded with sysutils/grub2-bhyve. Create a device.map that grub will
   use to map the virtual devices to the files on the host system:

 (hd0) ./linux.img
 (cd0) ./somelinux.iso

   Use sysutils/grub2-bhyve to load the Linux(R) kernel from the ISO image:

 # grub-bhyve -m device.map -r cd0 -M 1024M linuxguest

   This will start grub. If the installation CD contains a grub.cfg, a menu
   will be displayed. If not, the vmlinuz and initrd files must be located
   and loaded manually:

 grub> ls
 (hd0) (cd0) (cd0,msdos1) (host)
 grub> ls (cd0)/isolinux
 boot.cat boot.msg grub.conf initrd.img isolinux.bin isolinux.cfg memtest
 splash.jpg TRANS.TBL vesamenu.c32 vmlinuz
 grub> linux (cd0)/isolinux/vmlinuz
 grub> initrd (cd0)/isolinux/initrd.img
 grub> boot

   Now that the Linux(R) kernel is loaded, the guest can be started:

 # bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 -s 3:0,virtio-blk,./linux.img \
     -s 4:0,ahci-cd,./somelinux.iso -l com1,stdio -c 4 -m 1024M linuxguest

   The system will boot and start the installer. After installing a system in
   the virtual machine, reboot the virtual machine. This will cause bhyve to
   exit. The instance of the virtual machine needs to be destroyed before it
   can be started again:

 # bhyvectl --destroy --vm=linuxguest

   Now the guest can be started directly from the virtual disk. Load the
   kernel:

 # grub-bhyve -m device.map -r hd0,msdos1 -M 1024M linuxguest
 grub> ls
 (hd0) (hd0,msdos2) (hd0,msdos1) (cd0) (cd0,msdos1) (host)
 (lvm/VolGroup-lv_swap) (lvm/VolGroup-lv_root)
 grub> ls (hd0,msdos1)/
 lost+found/ grub/ efi/ System.map-2.6.32-431.el6.x86_64 config-2.6.32-431.el6.x
 86_64 symvers-2.6.32-431.el6.x86_64.gz vmlinuz-2.6.32-431.el6.x86_64
 initramfs-2.6.32-431.el6.x86_64.img
 grub> linux (hd0,msdos1)/vmlinuz-2.6.32-431.el6.x86_64 root=/dev/mapper/VolGroup-lv_root
 grub> initrd (hd0,msdos1)/initramfs-2.6.32-431.el6.x86_64.img
 grub> boot

   Boot the virtual machine:

 # bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 \
     -s 3:0,virtio-blk,./linux.img -l com1,stdio -c 4 -m 1024M linuxguest

   Linux(R) will now boot in the virtual machine and eventually present you
   with the login prompt. Login and use the virtual machine. When you are
   finished, reboot the virtual machine to exit bhyve. Destroy the virtual
   machine instance:

 # bhyvectl --destroy --vm=linuxguest

  21.7.4. ****** UEFI ************ bhyve ************

   In addition to bhyveload and grub-bhyve, the bhyve hypervisor can also
   boot virtual machines using the UEFI userspace firmware. This option may
   support guest operating systems that are not supported by the other
   loaders.

   In order to make use of the UEFI support in bhyve, first obtain the UEFI
   firmware images. This can be done by installing sysutils/bhyve-firmware
   port or package.

   With the firmware in place, add the flags -l bootrom,/path/to/firmware to
   your bhyve command line. The actual bhyve command may look like this:

 # bhyve -AHP -s 0:0,hostbridge -s 1:0,lpc \
 -s 2:0,virtio-net,tap1 -s 3:0,virtio-blk,./disk.img \
 -s 4:0,ahci-cd,./install.iso -c 4 -m 1024M \
 -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
 guest

   sysutils/bhyve-firmware also contains a CSM-enabled firmware, to boot
   guests with no UEFI support in legacy BIOS mode:

 # bhyve -AHP -s 0:0,hostbridge -s 1:0,lpc \
 -s 2:0,virtio-net,tap1 -s 3:0,virtio-blk,./disk.img \
 -s 4:0,ahci-cd,./install.iso -c 4 -m 1024M \
 -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CSM.fd \
 guest

  21.7.5. *** bhyve ********************* UEFI Framebuffer

   The UEFI firmware support is particularly useful with predominantly
   graphical guest operating systems such as Microsoft Windows(R).

   Support for the UEFI-GOP framebuffer may also be enabled with the -s
   29,fbuf,tcp=0.0.0.0:5900 flags. The framebuffer resolution may be
   configured with w=800 and h=600, and bhyve can be instructed to wait for a
   VNC connection before booting the guest by adding wait. The framebuffer
   may be accessed from the host or over the network via the VNC protocol.

   bhyve **************************

 # bhyve -AHP -s 0:0,hostbridge -s 31:0,lpc \
 -s 2:0,virtio-net,tap1 -s 3:0,virtio-blk,./disk.img \
 -s 4:0,ahci-cd,./install.iso -c 4 -m 1024M \
 -s 29,fbuf,tcp=0.0.0.0:5900,w=800,h=600,wait \
 -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
 guest

   Note, in BIOS emulation mode, the framebuffer will cease receiving updates
   once control is passed from firmware to guest operating system.

  21.7.6. *** bhyve ************ ZFS

   If ZFS is available on the host machine, using ZFS volumes instead of disk
   image files can provide significant performance benefits for the guest
   VMs. A ZFS volume can be created by:

 # zfs create -V16G -o volmode=dev zroot/linuxdisk0

   When starting the VM, specify the ZFS volume as the disk drive:

 # bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 -s3:0,virtio-blk,/dev/zvol/zroot/linuxdisk0 \
     -l com1,stdio -c 4 -m 1024M linuxguest

  21.7.7. ************ Console

   It is advantageous to wrap the bhyve console in a session management tool
   such as sysutils/tmux or sysutils/screen in order to detach and reattach
   to the console. It is also possible to have the console of bhyve be a null
   modem device that can be accessed with cu. To do this, load the nmdm
   kernel module and replace -l com1,stdio with -l com1,/dev/nmdm0A. The
   /dev/nmdm devices are created automatically as needed, where each is a
   pair, corresponding to the two ends of the null modem cable (/dev/nmdm0A
   and /dev/nmdm0B). See nmdm(4) for more information.

 # kldload nmdm
 # bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 -s 3:0,virtio-blk,./linux.img \
     -l com1,/dev/nmdm0A -c 4 -m 1024M linuxguest
 # cu -l /dev/nmdm0B
 Connected

 Ubuntu 13.10 handbook ttyS0

 handbook login:

  21.7.8. ******************

   A device node is created in /dev/vmm for each virtual machine. This allows
   the administrator to easily see a list of the running virtual machines:

 # ls -al /dev/vmm
 total 1
 dr-xr-xr-x   2 root  wheel    512 Mar 17 12:19 ./
 dr-xr-xr-x  14 root  wheel    512 Mar 17 06:38 ../
 crw-------   1 root  wheel  0x1a2 Mar 17 12:20 guestname
 crw-------   1 root  wheel  0x19f Mar 17 12:19 linuxguest
 crw-------   1 root  wheel  0x1a1 Mar 17 12:19 otherguest

   A specified virtual machine can be destroyed using bhyvectl:

 # bhyvectl --destroy --vm=guestname

  21.7.9. Persistent ******

   In order to configure the system to start bhyve guests at boot time, the
   following configurations must be made in the specified files:

    1. /etc/sysctl.conf

 net.link.tap.up_on_open=1

    2. /etc/rc.conf

 cloned_interfaces="bridge0 tap0"
 ifconfig_bridge0="addm igb0 addm tap0"
 kld_list="nmdm vmm"

21.8. *** FreeBSD ****************** Xen(TM)

   Xen is a GPLv2-licensed type 1 hypervisor for Intel(R) and ARM(R)
   architectures. FreeBSD has included i386(TM) and AMD(R) 64-Bit DomU and
   Amazon EC2 unprivileged domain (virtual machine) support since FreeBSD 8.0
   and includes Dom0 control domain (host) support in FreeBSD 11.0. Support
   for para-virtualized (PV) domains has been removed from FreeBSD 11 in
   favor of hardware virtualized (HVM) domains, which provides better
   performance.

   Xen(TM) is a bare-metal hypervisor, which means that it is the first
   program loaded after the BIOS. A special privileged guest called the
   Domain-0 (Dom0 for short) is then started. The Dom0 uses its special
   privileges to directly access the underlying physical hardware, making it
   a high-performance solution. It is able to access the disk controllers and
   network adapters directly. The Xen(TM) management tools to manage and
   control the Xen(TM) hypervisor are also used by the Dom0 to create, list,
   and destroy VMs. Dom0 provides virtual disks and networking for
   unprivileged domains, often called DomU. Xen(TM) Dom0 can be compared to
   the service console of other hypervisor solutions, while the DomU is where
   individual guest VMs are run.

   Xen(TM) can migrate VMs between different Xen(TM) servers. When the two
   xen hosts share the same underlying storage, the migration can be done
   without having to shut the VM down first. Instead, the migration is
   performed live while the DomU is running and there is no need to restart
   it or plan a downtime. This is useful in maintenance scenarios or upgrade
   windows to ensure that the services provided by the DomU are still
   provided. Many more features of Xen(TM) are listed on the Xen Wiki
   Overview page. Note that not all features are supported on FreeBSD yet.

  21.8.1. Xen(TM) Dom0 ***************

   To run the Xen(TM) hypervisor on a host, certain hardware functionality is
   required. Hardware virtualized domains require Extended Page Table (EPT)
   and Input/Output Memory Management Unit (IOMMU) support in the host
   processor.

  ******:

   In order to run a FreeBSD Xen(TM) Dom0 the box must be booted using legacy
   boot (BIOS).

  21.8.2. Xen(TM) Dom0 ******************

   Users of FreeBSD 11 should install the emulators/xen-kernel47 and
   sysutils/xen-tools47 packages that are based on Xen version 4.7. Systems
   running on FreeBSD-12.0 or newer can use Xen 4.11 provided by
   emulators/xen-kernel411 and sysutils/xen-tools411, respectively.

   Configuration files must be edited to prepare the host for the Dom0
   integration after the Xen packages are installed. An entry to
   /etc/sysctl.conf disables the limit on how many pages of memory are
   allowed to be wired. Otherwise, DomU VMs with higher memory requirements
   will not run.

 # echo 'vm.max_wired=-1' >> /etc/sysctl.conf

   Another memory-related setting involves changing /etc/login.conf, setting
   the memorylocked option to unlimited. Otherwise, creating DomU domains may
   fail with Cannot allocate memory errors. After making the change to
   /etc/login.conf, run cap_mkdb to update the capability database. See
   *** 13.13, "************" for details.

 # sed -i '' -e 's/memorylocked=64K/memorylocked=unlimited/' /etc/login.conf
 # cap_mkdb /etc/login.conf

   Add an entry for the Xen(TM) console to /etc/ttys:

 # echo 'xc0     "/usr/libexec/getty Pc"         xterm   onifconsole  secure' >> /etc/ttys

   Selecting a Xen(TM) kernel in /boot/loader.conf activates the Dom0.
   Xen(TM) also requires resources like CPU and memory from the host machine
   for itself and other DomU domains. How much CPU and memory depends on the
   individual requirements and hardware capabilities. In this example, 8 GB
   of memory and 4 virtual CPUs are made available for the Dom0. The serial
   console is also activated and logging options are defined.

   The following command is used for Xen 4.7 packages:

 # sysrc -f /boot/loader.conf hw.pci.mcfg=0
 # sysrc -f /boot/loader.conf if_tap_load="YES"
 # sysrc -f /boot/loader.conf xen_kernel="/boot/xen"
 # sysrc -f /boot/loader.conf xen_cmdline="dom0_mem=8192M dom0_max_vcpus=4 dom0pvh=1 console=com1,vga com1=115200,8n1 guest_loglvl=all loglvl=all"

   For Xen versions 4.11 and higher, the following command should be used
   instead:

 # sysrc -f /boot/loader.conf if_tap_load="YES"
 # sysrc -f /boot/loader.conf xen_kernel="/boot/xen"
 # sysrc -f /boot/loader.conf xen_cmdline="dom0_mem=8192M dom0_max_vcpus=4 dom0=pvh console=com1,vga com1=115200,8n1 guest_loglvl=all loglvl=all"

  ******:

   Log files that Xen(TM) creates for the DomU VMs are stored in
   /var/log/xen. Please be sure to check the contents of that directory if
   experiencing issues.

   Activate the xencommons service during system startup:

 # sysrc xencommons_enable=yes

   These settings are enough to start a Dom0-enabled system. However, it
   lacks network functionality for the DomU machines. To fix that, define a
   bridged interface with the main NIC of the system which the DomU VMs can
   use to connect to the network. Replace em0 with the host network interface
   name.

 # sysrc cloned_interfaces="bridge0"
 # sysrc ifconfig_bridge0="addm em0 SYNCDHCP"
 # sysrc ifconfig_em0="up"

   Restart the host to load the Xen(TM) kernel and start the Dom0.

 # reboot

   After successfully booting the Xen(TM) kernel and logging into the system
   again, the Xen(TM) management tool xl is used to show information about
   the domains.

 # xl list
 Name                                        ID   Mem VCPUs      State   Time(s)
 Domain-0                                     0  8192     4     r-----     962.0

   The output confirms that the Dom0 (called Domain-0) has the ID 0 and is
   running. It also has the memory and virtual CPUs that were defined in
   /boot/loader.conf earlier. More information can be found in the Xen(TM)
   Documentation. DomU guest VMs can now be created.

  21.8.3. Xen(TM) DomU ****** VM ******

   Unprivileged domains consist of a configuration file and virtual or
   physical hard disks. Virtual disk storage for the DomU can be files
   created by truncate(1) or ZFS volumes as described in *** 19.4.2,
   "************************". In this example, a 20 GB volume is used. A VM
   is created with the ZFS volume, a FreeBSD ISO image, 1 GB of RAM and two
   virtual CPUs. The ISO installation file is retrieved with fetch(1) and
   saved locally in a file called freebsd.iso.

 # fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/12.0/FreeBSD-12.0-RELEASE-amd64-bootonly.iso -o freebsd.iso

   A ZFS volume of 20 GB called xendisk0 is created to serve as the disk
   space for the VM.

 # zfs create -V20G -o volmode=dev zroot/xendisk0

   The new DomU guest VM is defined in a file. Some specific definitions like
   name, keymap, and VNC connection details are also defined. The following
   freebsd.cfg contains a minimum DomU configuration for this example:

 # cat freebsd.cfg
 builder = "hvm" 1
 name = "freebsd" 2
 memory = 1024 3
 vcpus = 2 4
 vif = [ 'mac=00:16:3E:74:34:32,bridge=bridge0' ] 5
 disk = [
 '/dev/zvol/tank/xendisk0,raw,hda,rw', 6
 '/root/freebsd.iso,raw,hdc:cdrom,r' 7
   ]
 vnc = 1 8
 vnclisten = "0.0.0.0"
 serial = "pty"
 usbdevice = "tablet"

   These lines are explained in more detail:

   1 This defines what kind of virtualization to use. hvm refers to           
     hardware-assisted virtualization or hardware virtual machine. Guest      
     operating systems can run unmodified on CPUs with virtualization         
     extensions, providing nearly the same performance as running on physical 
     hardware. generic is the default value and creates a PV domain.          
   2 Name of this virtual machine to distinguish it from others running on    
     the same Dom0. Required.                                                 
   3 Quantity of RAM in megabytes to make available to the VM. This amount is 
     subtracted from the hypervisor's total available memory, not the memory  
     of the Dom0.                                                             
   4 Number of virtual CPUs available to the guest VM. For best performance,  
     do not create guests with more virtual CPUs than the number of physical  
     CPUs on the host.                                                        
   5 Virtual network adapter. This is the bridge connected to the network     
     interface of the host. The mac parameter is the MAC address set on the   
     virtual network interface. This parameter is optional, if no MAC is      
     provided Xen(TM) will generate a random one.                             
   6 Full path to the disk, file, or ZFS volume of the disk storage for this  
     VM. Options and multiple disk definitions are separated by commas.       
   7 Defines the Boot medium from which the initial operating system is       
     installed. In this example, it is the ISO imaged downloaded earlier.     
     Consult the Xen(TM) documentation for other kinds of devices and options 
     to set.                                                                  
   8 Options controlling VNC connectivity to the serial console of the DomU.  
     In order, these are: active VNC support, define IP address on which to   
     listen, device node for the serial console, and the input method for     
     precise positioning of the mouse and other input methods. keymap defines 
     which keymap to use, and is english by default.                          

   After the file has been created with all the necessary options, the DomU
   is created by passing it to xl create as a parameter.

 # xl create freebsd.cfg

  ******:

   Each time the Dom0 is restarted, the configuration file must be passed to
   xl create again to re-create the DomU. By default, only the Dom0 is
   created after a reboot, not the individual VMs. The VMs can continue where
   they left off as they stored the operating system on the virtual disk. The
   virtual machine configuration can change over time (for example, when
   adding more memory). The virtual machine configuration files must be
   properly backed up and kept available to be able to re-create the guest VM
   when needed.

   The output of xl list confirms that the DomU has been created.

 # xl list
 Name                                        ID   Mem VCPUs      State   Time(s)
 Domain-0                                     0  8192     4     r-----  1653.4
 freebsd                                      1  1024     1     -b----   663.9

   To begin the installation of the base operating system, start the VNC
   client, directing it to the main network address of the host or to the IP
   address defined on the vnclisten line of freebsd.cfg. After the operating
   system has been installed, shut down the DomU and disconnect the VNC
   viewer. Edit freebsd.cfg, removing the line with the cdrom definition or
   commenting it out by inserting a # character at the beginning of the line.
   To load this new configuration, it is necessary to remove the old DomU
   with xl destroy, passing either the name or the id as the parameter.
   Afterwards, recreate it using the modified freebsd.cfg.

 # xl destroy freebsd
 # xl create freebsd.cfg

   The machine can then be accessed again using the VNC viewer. This time, it
   will boot from the virtual disk where the operating system has been
   installed and can be used as a virtual machine.

  21.8.4. ************

   This section contains basic information in order to help troubleshoot
   issues found when using FreeBSD as a Xen(TM) host or guest.

    21.8.4.1. ************************

   Please note that the following troubleshooting tips are intended for
   Xen(TM) 4.11 or newer. If you are still using Xen(TM) 4.7 and having
   issues consider migrating to a newer version of Xen(TM).

   In order to troubleshoot host boot issues you will likely need a serial
   cable, or a debug USB cable. Verbose Xen(TM) boot output can be obtained
   by adding options to the xen_cmdline option found in loader.conf. A couple
   of relevant debug options are:

     * iommu=debug: can be used to print additional diagnostic information
       about the iommu.

     * dom0=verbose: can be used to print additional diagnostic information
       about the dom0 build process.

     * sync_console: flag to force synchronous console output. Useful for
       debugging to avoid losing messages due to rate limiting. Never use
       this option in production environments since it can allow malicious
       guests to perform DoS attacks against Xen(TM) using the console.

   FreeBSD should also be booted in verbose mode in order to identify any
   issues. To activate verbose booting, run this command:

 # sysrc -f /boot/loader.conf boot_verbose="YES"

   If none of these options help solving the problem, please send the serial
   boot log to <freebsd-xen@FreeBSD.org> and <xen-devel@lists.xenproject.org>
   for further analysis.

    21.8.4.2. ************************

   Issues can also arise when creating guests, the following attempts to
   provide some help for those trying to diagnose guest creation issues.

   The most common cause of guest creation failures is the xl command
   spitting some error and exiting with a return code different than 0. If
   the error provided is not enough to help identify the issue, more verbose
   output can also be obtained from xl by using the v option repeatedly.

 # xl -vvv create freebsd.cfg
 Parsing config from freebsd.cfg
 libxl: debug: libxl_create.c:1693:do_domain_create: Domain 0:ao 0x800d750a0: create: how=0x0 callback=0x0 poller=0x800d6f0f0
 libxl: debug: libxl_device.c:397:libxl__device_disk_set_backend: Disk vdev=xvda spec.backend=unknown
 libxl: debug: libxl_device.c:432:libxl__device_disk_set_backend: Disk vdev=xvda, using backend phy
 libxl: debug: libxl_create.c:1018:initiate_domain_create: Domain 1:running bootloader
 libxl: debug: libxl_bootloader.c:328:libxl__bootloader_run: Domain 1:not a PV/PVH domain, skipping bootloader
 libxl: debug: libxl_event.c:689:libxl__ev_xswatch_deregister: watch w=0x800d96b98: deregister unregistered
 domainbuilder: detail: xc_dom_allocate: cmdline="", features=""
 domainbuilder: detail: xc_dom_kernel_file: filename="/usr/local/lib/xen/boot/hvmloader"
 domainbuilder: detail: xc_dom_malloc_filemap    : 326 kB
 libxl: debug: libxl_dom.c:988:libxl__load_hvm_firmware_module: Loading BIOS: /usr/local/share/seabios/bios.bin
 ...

   If the verbose output does not help diagnose the issue there are also QEMU
   and Xen(TM) toolstack logs in /var/log/xen. Note that the name of the
   domain is appended to the log name, so if the domain is named freebsd you
   should find a /var/log/xen/xl-freebsd.log and likely a
   /var/log/xen/qemu-dm-freebsd.log. Both log files can contain useful
   information for debugging. If none of this helps solve the issue, please
   send the description of the issue you are facing and as much information
   as possible to <freebsd-xen@FreeBSD.org> and
   <xen-devel@lists.xenproject.org> in order to get help.

*** 22. ********* - i18n/L10n ***************

   Contributed by Andrey Chernov.
   Rewritten by Michael C. Wu.
   ************

   22.1. ******

   22.2. ************

   22.3. ****** i18n ************

   22.4. ***************************

22.1. ******

   FreeBSD **************************************************************
   FreeBSD
   *****************************************************************,_*********************._**********************************************************************************,_******,_******,_******,_******,_******************._

   ********* (Internationalization) ********************* i18n*****
   ******************************************************._L10n
   ***************************************** ********* (Localization)._
   i18n/L10n
   *********,_******************************************************************._

   *************** FreeBSD
   ******************************._*************************************

     * ************************._

     * ****************** Shell *********._

     * ************ Console ******************************._

     * ************ Xorg ******************._

     * ****************** i18n ***************._

     * ***************************************************._

   ****************************************

     * ************ *********************************._

22.2. ************

   *****************************************************,_*********************._***********************************

 LanguageCode_CountryCode.Encoding

   LanguageCode *** CountryCode
   *********************************._****** 22.1,
   "***************************" *************** LanguageCode_CountryCode
   ***********

   ****** 22.1. ***************************

          ************_************                      ******               
   en_US                                   **************                     
   ru_RU                                   **************                     
   zh_TW                                   ********************               

   *****************************************************

 % locale -a | more

   ***********************************

 % locale

   *************************** ISO8859-1, ISO8859-15, KOI8-R *** CP437 ***
   multibyte(3) ***************._************************ IANA Registry
   ******._

   ********************************************** ASCII
   ******************************** (Wide) ********************* (Multibyte)
   ******************************._EUC *** Big5
   ***************************************************._******************************************************************************************************************************************************************************************************************************************************._

  ******:

   FreeBSD ****** Xorg *********************._

   *************************************** FreeBSD
   ******************************._***************************************************
   i18n *********************._

  22.2.1. ************ Shell *********

   ****************************** ~/.login_conf *************** Shell
   ********************~/.profile, ~/.bashrc *** ~/.cshrc._

   ***********************************

     * LANG ******************

     * MM_CHARSET ************************************ MIME *********

   ****************** Shell
   ***************************************************************** Xorg
   ******._

   ************************************************************** (Login
   class) *** (*********) *** ********* (Startup file)
   ***._************************************************._

    22.2.1.1. ************ (Login Class) ***

   *******************************************************************************
   Shell ************************ MIME
   ***************._*********************************************************************************************._

   ************************************************************ .login_conf
   ****** Latin-1 ***********************************

 me:\
         :charset=ISO-8859-1:\
         :lang=de_DE.ISO8859-1:

   ****************** ~/.login_conf ****************************** BIG-5
   ******************************._************************************************,_**********************************************************************

 #Users who do not wish to use monetary units or time formats
 #of Taiwan can manually change each variable
 me:\
         :lang=zh_TW.Big5:\
         :setenv=LC_ALL=zh_TW.Big5,LC_COLLATE=zh_TW.Big5,LC_CTYPE=zh_TW.Big5,LC_MESSAGES=zh_TW.Big5,LC_MONETARY=zh_TW.Big5,LC_NUMERIC=zh_TW.Big5,LC_TIME=zh_TW.Big5:\
         :charset=big5:\
         :xmodifiers="@im=gcin": #Set gcin as the XIM Input Server

   *****************************************************************._*********
   /etc/login.conf ************************************ MIME ***********

 language_name|Account Type Description:\
         :charset=MIME_charset:\
         :lang=locale_name:\
         :tc=default:

   ****************** Latin-1 ********************

 german|German Users Accounts:\
         :charset=ISO-8859-1:\
         :lang=de_DE.ISO8859-1:\
         :tc=default:

   ********* login.conf(5)
   ************************************************._*****************************************
   russian class._

   ************ /etc/login.conf
   *****************************************************************************(Capability
   database)**

 # cap_mkdb /etc/login.conf

      22.2.1.1.1. ***************************

   ****************** /etc/login.conf
   ***********************************************************************._

   ********* vipw ******************************** language *****************

 user:password:1111:11:language:0:0:User Name:/home/user:/bin/sh

   ********* adduser
   ********************************************************************************************._

   ******************************************************** /etc/adduser.conf
   ****** defaultclass=language._

   **********************************************************************************************

 Enter login class: default []:

   ********* adduser *****************

 # adduser -class language

   ********* pw **********************************************

 # pw useradd user_name -L language

   To change the login class of an existing user, chpass can be used. Invoke
   it as superuser and provide the username to edit as the argument.

 # chpass user_name

    22.2.1.2. Shell ********* (Startup File) ***

   ************************************************************* Shell
   *********************************** Shell
   ************************************._*************************** sh shell
   *****************************************
   ~/.profile************************** Shell
   ********************************************* /etc/profile ***
   /usr/share/skel/dot.profile**

 LANG=de_DE.ISO8859-1; export LANG
 MM_CHARSET=ISO-8859-1; export MM_CHARSET

   *********** csh shell
   ******************************************._************************************
   ~/.csh.login, /etc/csh.login *** /usr/share/skel/dot.login**

 setenv LANG de_DE.ISO8859-1
 setenv MM_CHARSET ISO-8859-1

   **************************Xorg *** ~/.xinitrc ***************************
   Shell ***************._************************ sh shell
   ************************ csh shell**

 LANG=de_DE.ISO8859-1; export LANG

 setenv LANG de_DE.ISO8859-1

  22.2.2. Console ******

   ********************************* Console
   ************************************************* ls
   /usr/share/syscons/fonts._********* Console ***************** /etc/rc.conf
   ************ .fnt ********************* font_name**

 font8x16=font_name
 font8x14=font_name
 font8x8=font_name

   *************** (Keymap) ****************** (Screenmap)
   ********************* /etc/rc.conf ***********

 scrnmap=screenmap_name
 keymap=keymap_name
 keychange="fkey_number sequence"

   ******************************************** ls
   /usr/share/syscons/scrnmaps._************************ screenmap_name
   ************ .scm ******._*** VGA Adapter
   ********************************* 8 ********* 9
   *****************************************************************************************************
   8 ***************************************** (Pseudographics area)._

   ******************************************** ls
   /usr/share/syscons/keymaps._************************ keymap_name
   ************ .kbd ******._************************************************
   kbdmap(1)._

   keychange
   *****************************************************************************************************************._

   ************** /etc/ttys *********************************************
   Console ***************._****** 22.2,
   "***************************************************"
   ***********************************

   ****** 22.2. ***************************************************

                   *********                         ***************          
   ISO8859-1 or ISO8859-15                   cons25l1                         
   ISO8859-2                                 cons25l2                         
   ISO8859-7                                 cons25l7                         
   KOI8-R                                    cons25r                          
   KOI8-U                                    cons25u                          
   CP437 (VGA *********)                     cons25                           
   US-ASCII                                  cons25w                          

   *********************************************************** Port
   ********************************* Console._ ********* Port *********
   ****** 22.3, "Port *********************
   Console"._***************************** Port *** pkg-message
   *********************************************._

   ****** 22.3. Port ********************* Console

                  ******                             Port ******              
   ************ (BIG-5)                  chinese/big5con                      
   ******/******/******                  chinese/cce                          
   ******/******/******                  chinese/zhcon                        
   ******                                chinese/kon2                         
   ******                                japanese/kon2-14dot                  
   ******                                japanese/kon2-16dot                  

   ****** /etc/rc.conf *********
   moused********************************._****** syscons(4)
   ********************************************* 0xd0-0xd3
   ****************************************************************
   /etc/rc.conf **************************

 mousechar_start=3

  22.2.3. Xorg ******

   *** 5, X Window ****** ****************************** Xorg._************
   Xorg ******************** FreeBSD Port
   ***************************************************._*********************
   i18n ************************************** ~/.Xresources
   ***************************************************************************************._

   X ********* (X Input Method, XIM) ********* Xorg
   ************************************._****** 22.4, "******************"
   ************ FreeBSD
   ******************************************._********************* Fcitx
   *** Uim ************._

   ****** 22.4. ******************

            ******                              *********                     
   ******                   chinese/gcin                                      
   ******                   chinese/ibus-chewing                              
   ******                   chinese/ibus-pinyin                               
   ******                   chinese/oxim                                      
   ******                   chinese/scim-fcitx                                
   ******                   chinese/scim-pinyin                               
   ******                   chinese/scim-tables                               
   ******                   japanese/ibus-anthy                               
   ******                   japanese/ibus-mozc                                
   ******                   japanese/ibus-skk                                 
   ******                   japanese/im-ja                                    
   ******                   japanese/kinput2                                  
   ******                   japanese/scim-anthy                               
   ******                   japanese/scim-canna                               
   ******                   japanese/scim-honoka                              
   ******                   japanese/scim-honoka-plugin-romkan                
   ******                   japanese/scim-honoka-plugin-wnn                   
   ******                   japanese/scim-prime                               
   ******                   japanese/scim-skk                                 
   ******                   japanese/scim-tables                              
   ******                   japanese/scim-tomoe                               
   ******                   japanese/scim-uim                                 
   ******                   japanese/skkinput                                 
   ******                   japanese/skkinput3                                
   ******                   japanese/uim-anthy                                
   ******                   korean/ibus-hangul                                
   ******                   korean/imhangul                                   
   ******                   korean/nabi                                       
   ******                   korean/scim-hangul                                
   ******                   korean/scim-tables                                
   *********                vietnamese/xvnkb                                  
   *********                vietnamese/x-unikey                               

22.3. ****** i18n ************

   i18n ********************* i18n
   ******************************._************************************************************************************************._

   FreeBSD Port
   ******************************************************************************************************._*********************************************
   i18n
   ***************._*****************************************************._

   ***************************************************************._************
   Port *** Makefile ******************************** configure._************
   FreeBSD Port *************** i18n
   ************************************************************ Port ***
   Makefile *********************************************************._

22.4. ***************************

   This section provides configuration examples for localizing a FreeBSD
   system for the Russian language. It then provides some additional
   resources for localizing other languages.

  22.4.1. ****** (KOI8-R ******)

   Originally contributed by Andrey Chernov.

   This section shows the specific settings needed to localize a FreeBSD
   system for the Russian language. Refer to Using Localization for a more
   complete description of each type of setting.

   To set this locale for the login shell, add the following lines to each
   user's ~/.login_conf:

 me:My Account:\
         :charset=KOI8-R:\
         :lang=ru_RU.KOI8-R:

   To configure the console, add the following lines to /etc/rc.conf:

 keymap="ru.koi8-r"
 scrnmap="koi8-r2cp866"
 font8x16="cp866b-8x16"
 font8x14="cp866-8x14"
 font8x8="cp866-8x8"
 mousechar_start=3

   For each ttyv entry in /etc/ttys, use cons25r as the terminal type.

   To configure printing, a special output filter is needed to convert from
   KOI8-R to CP866 since most printers with Russian characters come with
   hardware code page CP866. FreeBSD includes a default filter for this
   purpose, /usr/libexec/lpr/ru/koi2alt. To use this filter, add this entry
   to /etc/printcap:

 lp|Russian local line printer:\
         :sh:of=/usr/libexec/lpr/ru/koi2alt:\
         :lp=/dev/lpt0:sd=/var/spool/output/lpd:lf=/var/log/lpd-errs:

   Refer to printcap(5) for a more detailed explanation.

   To configure support for Russian filenames in mounted MS-DOS(R) file
   systems, include -L and the locale name when adding an entry to
   /etc/fstab:

 /dev/ad0s2      /dos/c  msdos   rw,-Lru_RU.KOI8-R 0 0

   Refer to mount_msdosfs(8) for more details.

   To configure Russian fonts for Xorg, install the
   x11-fonts/xorg-fonts-cyrillic package. Then, check the "Files" section in
   /etc/X11/xorg.conf. The following line must be added before any other
   FontPath entries:

 FontPath   "/usr/local/lib/X11/fonts/cyrillic"

   Additional Cyrillic fonts are available in the Ports Collection.

   To activate a Russian keyboard, add the following to the "Keyboard"
   section of /etc/xorg.conf:

 Option "XkbLayout"   "us,ru"
 Option "XkbOptions"  "grp:toggle"

   Make sure that XkbDisable is commented out in that file.

   For grp:toggle use Right Alt, for grp:ctrl_shift_toggle use Ctrl+Shift.
   For grp:caps_toggle use CapsLock. The old CapsLock function is still
   available in LAT mode only using Shift+CapsLock. grp:caps_toggle does not
   work in Xorg for some unknown reason.

   If the keyboard has "Windows(R)" keys, and some non-alphabetical keys are
   mapped incorrectly, add the following line to /etc/xorg.conf:

 Option "XkbVariant" ",winkeys"

  ******:

   The Russian XKB keyboard may not work with non-localized applications.
   Minimally localized applications should call a XtSetLanguageProc (NULL,
   NULL, NULL); function early in the program.

   See http://koi8.pp.ru/xwin.html for more instructions on localizing Xorg
   applications. For more general information about KOI8-R encoding, refer to
   http://koi8.pp.ru/.

  22.4.2. ************************

   This section lists some additional resources for configuring other
   locales.

   Traditional Chinese for Taiwan

           The FreeBSD-Taiwan Project has a Chinese HOWTO for FreeBSD at
           http://netlab.cse.yzu.edu.tw/~statue/freebsd/zh-tut/.

   Greek Language Localization

           A complete article on Greek support in FreeBSD is available here,
           in Greek only, as part of the official FreeBSD Greek
           documentation.

   Japanese and Korean Language Localization

           For Japanese, refer to http://www.jp.FreeBSD.org/, and for Korean,
           refer to http://www.kr.FreeBSD.org/.

   Non-English FreeBSD Documentation

           Some FreeBSD contributors have translated parts of the FreeBSD
           documentation to other languages. They are available through links
           on the FreeBSD web site or in /usr/share/doc.

*** 23. *************** FreeBSD

   Restructured, reorganized, and parts updated by Jim Mock.
   Original work by Jordan Hubbard, Poul-Henning Kamp, John Polstra and Nik
   Clayton.
   ************

   23.1. ******

   23.2. FreeBSD ******

   23.3. ***************

   23.4. ******************

   23.5. ****************** FreeBSD

   23.6. ******************

23.1. ******

   FreeBSD
   ***************************************._*****************************************************************************************._********************************************************************************************************************************FreeBSD
   ***********************************************************************************************************._******************************************************
   FreeBSD ***************************************._

   ****************************

     * ************ freebsd-update, Subversion ********* FreeBSD
       ******************._

     * ************************************************************._

     * ************ Subversion *************** Port
       ************************************._

     * ********************************FreeBSD-STABLE *** FreeBSD-CURRENT._

     * *************************************************** (Base system)._

   ****************************************

     * *************************** (*** 31, ******************)._

     * *************************************** (*** 4,
       ***************************** Port)._

  ******:

   ********************* svnlite ****************** FreeBSD
   *********._****************** devel/subversion Port *********._

23.2. FreeBSD ******

   Written by Tom Rhodes.
   Based on notes provided by Colin Percival.

   **************************************************************************************************************************************FreeBSD
   ******************************************************** freebsd-update._

   ****************************** Binary *** FreeBSD
   ********************************************************************
   (Patch) ************._*************************************** Binary
   ******************************************._******************************************************
   https://www.FreeBSD.org/security/._

   *********************************************************************************************************._*******************************************************************************************************************************************._******************
   https://www.FreeBSD.org/releases/ ******._

  ******:

   *************** crontab *********
   freebsd-update(8)********************************************._

   *************** freebsd-update ********************
   ***********************************************************************************************************************************************._

  23.2.1. *********

   freebsd-update ******************************************._
   ****************************************** /etc/freebsd-update.conf
   ************************************************._**********************************************************************************************************

 # Components of the base system which should be kept updated.
 Components world kernel

   ****************** FreeBSD ******************************._
   ********************************* (Base system) *********._
   *******************************src/base *** src/sys._
   *******************************************************************************************************************._***************************************
   Binary ******************************************._

 # Paths which start with anything matching an entry in an IgnorePaths
 # statement will be ignored.
 IgnorePaths /boot/kernel/linker.hints

   *********************************************************** /bin ***
   /sbin********************************************._
   ************************ freebsd-update *********************._

 # Paths which start with anything matching an entry in an UpdateIfUnmodified
 # statement will only be updated if the contents of the file have not been
 # modified by the user (unless changes are merged; see below).
 UpdateIfUnmodified /etc/ /var/ /root/ /.cshrc /.profile

   ************************************************************._***************************************************._
   ****************** KeepModifiedMetadata ****** freebsd-update
   ***************************************._

 # When upgrading to a new FreeBSD release, files which match MergeChanges
 # will have any local changes merged into the version from the new release.
 MergeChanges /etc/ /var/named/etc/ /boot/device.hints

   ****** freebsd-update *********************************._
   *************************************** mergemaster(8) ****** diff(1)
   ************** *********************._
   ***************************,_*********************** freebsd-update
   ******._ ***************************** /etc***********************._
   ************ mergemaster *********** ****** mergemaster(8)._

 # Directory in which to store downloaded updates and temporary
 # files used by FreeBSD Update.
 # WorkDir /var/db/freebsd-update

   ******************************************************._*****************************************************************
   1GB *********************._

 # When upgrading between releases, should the list of Components be
 # read strictly (StrictComponents yes) or merely as a list of components
 # which *might* be installed of which FreeBSD Update should figure out
 # which actually are installed and upgrade those (StrictComponents no)?
 # StrictComponents no

   ************************ yes *****freebsd-update ************ Components
   ***********************************************************._ *********
   freebsd-update ********************************* Components
   ******************._

  23.2.2. *********************

   ****** FreeBSD
   ********************************************************************
   freebsd-update *********************._************ FreeBSD
   ************************************ *** 13.11, "FreeBSD ************"._

   FreeBSD ******************************************************._
   ****************************************************************************************************************._*********************************._

 # freebsd-update fetch
 # freebsd-update install

   **************************************************************************************************._***************************************
   Binary**************************************************************
   Binary ******._

   ********************* /etc/crontab
   ***********************************************

 @daily                                  root    freebsd-update cron

   *******************************************************************._root
   ******************************************************************
   freebsd-update install ******._

   *****************************freebsd-update
   *****************************************************

 # freebsd-update rollback
 Uninstalling updates... done.

   **********************************************************************************************************
   Binary ***************._

   ****** GENERIC *************** freebsd-update ************._
   *********************************** freebsd-update
   ********************************************************._
   ************************ GENERIC*********** uname(1)
   ******************************._

  ******:

   ********* /boot/GENERIC ************ GENERIC
   ******************************************************************._*********
   *** 23.2.3.1, "*** FreeBSD 9.X ***************************"
   *************************** GENERIC *********************._

   ********* /etc/freebsd-update.conf ***********************************
   freebsd-update
   ***********************************************************************************************************************._

   *** freebsd-update
   ******************************************._******************************
   freebsd-update install
   *********************************************._************ freebsd-update
   *************** /usr/src/sys/conf/newvers.sh**************************
   uname -r ****************** -p
   *****************************._*****************************************************************
   uname
   ******************************************._**************************************************************************************************._

  23.2.3. *********************************

   *** FreeBSD ************************************************** FreeBSD 9.0
   *** FreeBSD 9.1, ****** ************ (Minor version) ******._ ************
   (Major version) ****************** FreeBSD
   **************************************************************************************
   FreeBSD 9.X *** FreeBSD 10.X._ *********************************
   freebsd-update ******************************._

  ******:

   *************************************************************************************
   GENERIC ****************** /boot/GENERIC._ ********* *** 23.2.3.1, "***
   FreeBSD 9.X ***************************" ****************** GENERIC
   *********************._

   *** FreeBSD 9.0 ************************************************** FreeBSD
   9.1**

 # freebsd-update -r 9.1-RELEASE upgrade

   ***********************freebsd-update
   ************************************************************************._
   ******************************************************._********

 Looking up update.FreeBSD.org mirrors... 1 mirrors found.
 Fetching metadata signature for 9.0-RELEASE from update1.FreeBSD.org... done.
 Fetching metadata index... done.
 Inspecting system... done.

 The following components of FreeBSD seem to be installed:
 kernel/smp src/base src/bin src/contrib src/crypto src/etc src/games
 src/gnu src/include src/krb5 src/lib src/libexec src/release src/rescue
 src/sbin src/secure src/share src/sys src/tools src/ubin src/usbin
 world/base world/info world/lib32 world/manpages

 The following components of FreeBSD do not seem to be installed:
 kernel/generic world/catpages world/dict world/doc world/games
 world/proflibs

 Does this look reasonable (y/n)? y

   ********freebsd-update *********************************************._
   ********************************************************************************._

   *******************************************************************

 WARNING: This system is running a "MYKERNEL" kernel, which is not a
 kernel configuration distributed as part of FreeBSD 9.0-RELEASE.
 This kernel will not be updated: you MUST update the kernel manually
 before running "/usr/sbin/freebsd-update install"

   **************************************************************************
   GENERIC ***************._

   ***********************************************
   ************************._***********************************************************************._************************._
   ******************************************************************************************************._
   *****************************************************************************************************************._***************************
   /etc **********************************************master.passwd ***
   group._

  ******:

   ********************************************************************************._******************************************************************************************************************************

 # freebsd-update install

   *******************************************************************************
   nextboot(8) *************************************** /boot/GENERIC**

 # nextboot -k GENERIC

  ******:

   ******************************************** GENERIC
   *****************************************************************************************************************._***********************************************************************************************************************
   /boot/loader.conf ****************** GENERIC
   ******._******************************************************************************._

   *****************************************************

 # shutdown -r now

   ************************************************** freebsd-update._
   ***********************************freebsd-update
   ***********************************************************************************************._

 # freebsd-update install

  ******:

   *****************************************************************************************************._

   ***************************._**************************************************
   *** 23.2.3.2, "************************************"
   ****************************** Port *********._

    23.2.3.1. *** FreeBSD 9.X ***************************

   ********* freebsd-update ******************** GENERIC ******************
   /boot/GENERIC._***************************************** /boot/kernel.old
   ****** GENERIC ******************************************** /boot/kernel._

   ****************************************************************************************************************************************
   GENERIC
   ************._**************************************************************
   GENERIC **************

 # mount /cdrom
 # cd /cdrom/usr/freebsd-dist
 # tar -C/ -xvf kernel.txz boot/kernel/kernel

   ************************************** GENERIC ********

 # cd /usr/src
 # make kernel __MAKE_CONF=/dev/null SRCCONF=/dev/null

   ****************** freebsd-update ****** GENERIC ********GENERIC
   ***********************************************************************************************._

   freebsd-update ********* /boot/GENERIC
   ******************************************** GENERIC._

    23.2.3.2. ************************************

   *****************************************************************************************._***************************************************
   Binary ****** (Application Binary Interfaces,
   ABIs)***********************************************************._
   ***********************************************************************
   Port******************** pkg upgrade ************** Port ************
   ports-mgmt/portmaster ******._

   *****************************************************************************************************************************._***************
   FreeBSD ************************ ABI
   ********************************._***********************************************

 # pkg-static upgrade -f

   *****************************************************************************

 # portmaster -af

   ******************************************************************************************************************************************************************************************************
   -G ******._

   ************************************** freebsd-update
   ********************************

 # freebsd-update install

   ****************** GENERIC ***************************** *** 8, ******
   FreeBSD ****** ******************************************._

   ************************ FreeBSD **************************************._

  23.2.4. ******************

   ************ FreeBSD ************************ freebsd-update IDS
   ***************************************************._
   **********************************************************************************************************************
   (Intrusion Detection System, IDS)._

  ******:

   *************************************** IDS***** security/snort._******
   freebsd-update
   **********************************************************************************************
   kern.securelevel ********* freebsd-update
   **********************************************************************************************
   DVD ********************* USB
   ************************._*************************************** IDS
   *********** *** 13.2.6, "Binary ******" ***************

   **********************************************************

 # freebsd-update IDS >> outfile.ids

   **************************************************************************************************************************
   SHA256 ***************************************._

   ***********************************************************************************._******************************************************************************

 # cat outfile.ids | awk '{ print $1 }' | more
 /etc/master.passwd
 /etc/motd
 /etc/passwd
 /etc/pf.conf

   *****************************************************._***************************************._******
   /etc/passwd
   *****************************************************************************
   freebsd-update
   *********************._*********************************************************************
   /etc/freebsd-update.conf ****** IDSIgnorePaths ******._

23.3. ***************

   *************** FreeBSD
   ************************************._*************** FreeBSD
   ****************** FreeBSD ****** (https://www.freebsd.org/doc/)
   ***************************************** FreeBSD
   ******,_************,_FAQ ***************._

   *************************************** FreeBSD Port
   ****************************** FreeBSD ******************._

   *********************************************************** FreeBSD
   *********************
   (https://www.freebsd.org/doc/en_US.ISO8859-1/books/fdp-primer/)._

  23.3.1. ******************************

   ************************ FreeBSD *************************** FreeBSD
   *********************._*************************** FreeBSD
   ************************ textproc/docproj ********* Port._

   ***************************** svnlite
   *****************************************

 # svnlite checkout https://svn.FreeBSD.org/doc/head /usr/doc

   *****************************************************************************._

   **************************************

 # svnlite update /usr/doc

   ********************************* /usr/doc
   ********************************************************._

   ***********************************************

 # cd /usr/doc
 # make install clean

   ************************************** /usr/doc
   ********************************* make**

 # cd /usr/doc/en_US.ISO8859-1
 # make install clean

   ************************************ /usr/doc
   ***********************************************

 # make update

   *************************************** FORMATS ***********

 # cd /usr/doc
 # make FORMATS='html html-split' install clean

   *********************************************************************************._******************
   /etc/make.conf
   ************************************************************** make._

   ***********

   DOC_LANG

           ************************************************** en_US.ISO8859-1
           ******************._

   FORMATS

           ******************************************** html, html-split,
           txt, ps ****** pdf._

   DOCDIR

           *********************************** /usr/share/doc._

   ************************ FreeBSD ********************* make
   ***************** make.conf(5)._

  23.3.2. *** Port ******************

   Based on the work of Marc Fonvieille.

   ************************************ FreeBSD
   ************************************** Port
   ****************************************************

     * ***********************************************************************************************._

     * ****** Port
       *****************************************************************************._

   ************ FreeBSD
   ***********************************************************
   <doceng@FreeBSD.org> ********************* Port
   *********._****************** FreeBSD Port ************ docs *********
   (http://www.freshports.org/docs/)._

   ****** Port ***********************

     * misc/freebsd-doc-en ********* Port ******************************._

     * misc/freebsd-doc-all ********* Port
       ************************************._

     * ********************************* Port***** misc/freebsd-doc-hu
       *********************._

   ********* Binary ******************************** FreeBSD
   ***************************._**************************************************************

 # pkg install hu-freebsd-doc

  ******:

   ****************************** Port
   *****************lang-freebsd-doc******** lang
   ******************************** hu ********************zh_cn
   ******************._

   ************************************** Port
   *********************._**************************************

 # cd /usr/ports/misc/freebsd-doc-en
 # make install clean

   Port
   ********************************************************************************
   HTML (****** http://www.FreeBSD.org ***************) ****** PDF._

   ******************** Port ********************* make ****************

   WITH_HTML

           ****************************** HTML ****** HTML
           ******._****************************************** article.html
           *** book.html *********._

   WITH_PDF

           *************************************** article.pdf *** book.pdf
           *********._

   DOCBASE

           *****************************************
           /usr/local/share/doc/freebsd._

   ********************************* PDF
   **************************************

 # cd /usr/ports/misc/freebsd-doc-hu
 # make -DWITH_PDF DOCBASE=share/doc/freebsd/hu install clean

   *************** Port ********* *** 4, ***************************** Port
   ***************._*************************** ports-mgmt/portmaster
   **************************************

 # portmaster -PP hu-freebsd-doc

23.4. ******************

   FreeBSD ***********************FreeBSD-CURRENT *** FreeBSD-STABLE._

   **************************************************************************************************************._

  23.4.1. ****** FreeBSD-CURRENT

   FreeBSD-CURRENT *** FreeBSD ********* "*********"**FreeBSD-CURRENT
   ******************************************._******************************************
   FreeBSD-STABLE ************._

   FreeBSD-CURRENT *** FreeBSD
   ***********************************************************,_************************************************************************************._
   ****** FreeBSD ********************* FreeBSD-CURRENT
   *****************************************************************._**************************************************
   FreeBSD-CURRENT
   ***********************************************************************._

   FreeBSD-CURRENT *****************************

    1. ****************************************** FreeBSD ************._

    2. FreeBSD ************************************._
       ************************************** FreeBSD
       ******************************************************._

    3. *************************************************************************************************************._

   ********* FreeBSD-CURRENT
   *******************************************************************************************************************************._*****************************************************************************************************************._
   ****** FreeBSD-CURRENT ****** "************" ************._

   ************ FreeBSD-CURRENT**

    1. ****** freebsd-current *** svn-src-head ************._****** ******
       ***********************************************************************************
       FreeBSD-CURRENT ***************************._

       svn-src-head
       **************************************************************************************************._

       *****************************************
       http://lists.FreeBSD.org/mailman/listinfo
       ********************************************************************._*****************************************
       FreeBSD-CURRENT ******************** svn-src-all ************._

    2. ****** FreeBSD-CURRENT *********._ *************** svnlite *********
       *** A.3.6, "Subversion *********" ****************** Subversion
       ************ head *************** -CURRENT ************._

    3. ***********************************************************************************************************._********
       ******************************************************************
       ****** *** FreeBSD-CURRENT*****************************._

       ****** FreeBSD-CURRENT *********************** /usr/src/Makefile
       ********* *** 23.5, "****************** FreeBSD" ***************._
       ****** FreeBSD-CURRENT ************ ****** /usr/src/UPDATING
       **************************************************************************************._

    4. ***************************** FreeBSD-CURRENT
       ******************************************************************************._
       *****************************************************************._

  23.4.2. ****** FreeBSD-STABLE

   FreeBSD-STABLE
   ***************************************************************************************************************************************
   FreeBSD-CURRENT
   **************************************************************************************************FreeBSD-STABLE
   ******************************************************************************************************************************************************************************************************
   FreeBSD *********._

   ********************************* FreeBSD
   ********************************************************************************
   FreeBSD******************** FreeBSD-STABLE._

   ****** FreeBSD-STABLE
   *****************************************************************************************._************
   FreeBSD-STABLE ********* FreeBSD-CURRENT
   ********************************************** FreeBSD-STABLE
   *************** FreeBSD-CURRENT
   *********************************._*****************************************************
   FreeBSD-STABLE******************** ***
   ************************************************************************************
   FreeBSD-STABLE._

   ************ FreeBSD-STABLE**

    1. ****** freebsd-stable *************************** FreeBSD-STABLE
       *****************************************************************************************************************************************************************************************************************************************************************._

       ************************************ svn
       ******************************* 9-STABLE ***************************
       svn-src-stable-9
       ****************************************************************************************************************************._

       **************************************
       http://lists.FreeBSD.org/mailman/listinfo
       ********************************************************************._***********************************************
       svn-src-all ************._

    2. *************** FreeBSD-STABLE ******************** FreeBSD *********
       ************ FreeBSD-STABLE ******************************
       FreeBSD-STABLE ****************** (Snapshot)***********
       www.freebsd.org/snapshots *********************************._

       *************************** FreeBSD ********* FreeBSD-STABLE *********
       svn
       ****************************************************************stable/9
       ********* www.freebsd.org/releng._

    3. ****** FreeBSD-STABLE *********************** /usr/src/Makefile
       ********* *** 23.5, "****************** FreeBSD" ***************._
       ****** FreeBSD-STABLE ************ ****** /usr/src/UPDATING
       **************************************************************************************._

23.5. ****************** FreeBSD

   *************************** FreeBSD ********* Binary
   *********************************************************************************************************************************************************************************************************._************************************************
   Binary
   **************************************************************************
   FreeBSD._

  23.5.1. ************

   ********************************* FreeBSD
   ********************************************************************************._

     * ***************

 # svnlite update /usr/src  1
 check /usr/src/UPDATING  2
 # cd /usr/src          3
 # make -j4 buildworld  4
 # make -j4 kernel      5
 # shutdown -r now      6
 # cd /usr/src          7
 # make installworld    8
 # mergemaster -Ui      9
 # shutdown -r now      10

1  ***************************************** *** 23.5.3, "***************"          
   ************************************************._                               
2  ****** /usr/src/UPDATING                                                         
   ******************************************************************************._ 
3  *********************._                                                          
4  ************ (World)***************** (Kernel) ******************._              
5  ***************************************** make buildkernel installkernel._       
6  ***************************************._                                        
7  *********************._                                                          
8  ************._                                                                   
9  ****************** /etc/ ******************._                                    
10 *********************************************************._                      

  23.5.2. *********************

   ******
   /usr/src/UPDATING*****************************************************************************************._

  23.5.3. ***************

   FreeBSD ****************** /usr/src/***************** Subversion
   *******************************************************************************************************

 # svnlite info /usr/src
 Path: /usr/src
 Working Copy Root Path: /usr/src
 ...

   *************** /usr/src/
   ****************************************************** svnlite(1)
   ***********

 # svnlite update /usr/src

   ***********************************************************************************._*******************************************************************************************************._

  ***************:

   ********************* '/usr/src' is not a working copy
   **********************************************************************************************
   (checkout) *********._

   ****** 23.1. FreeBSD ************************

+------------------------------------------------------------------------------------------------------------------------------------------------------+
|   uname -r    |***************|                                                        ******                                                        |
|***************|               |                                                                                                                      |
|---------------+---------------+----------------------------------------------------------------------------------------------------------------------|
|X.Y-RELEASE    |base/releng/X.Y|**************************************************************************************************._                  |
|---------------+---------------+----------------------------------------------------------------------------------------------------------------------|
|               |               |*****************************************************************STABLE ****************************** Binary ******  |
|               |               |(Applications Binary Interface,                                                                                       |
|               |               |ABI)****************************************************************************************** FreeBSD 10.1           |
|X.Y-STABLE     |base/stable/X  |****************************** FreeBSD 10-STABLE *********************._                                              |
|               |               |                                                                                                                      |
|               |               |STABLE                                                                                                                |
|               |               |********************************************************************************************************************._|
|---------------+---------------+----------------------------------------------------------------------------------------------------------------------|
|X-CURRENT      |base/head/     |****************** FreeBSD **************CURRENT                                                                      |
|               |               |**************************************************************************************._                              |
+------------------------------------------------------------------------------------------------------------------------------------------------------+

   ****** FreeBSD ****************************** uname(1)**

 # uname -r
 10.3-RELEASE

   ****** ****** 23.1, "FreeBSD ************************"***********
   10.3-RELEASE ***************************************
   base/releng/10.3*********** (checkout)
   **************************************

 # mv /usr/src /usr/src.bak  1
 # svnlite checkout https://svn.freebsd.org/base/releng/10.3 /usr/src  2

1 ****************************************************************************************************************._ 
2 ****** ****** 23.1, "FreeBSD ************************" ****************************** URL                          
  ******._***************************************************************._                                          

  23.5.4. ******************

   ************ (world) ***************************************
   (Kernel)*********************************************************************************************

 # cd /usr/src
 # make buildworld
 # make buildkernel

   ****************************** /usr/obj._

   ********************************************************************************************._

    23.5.4.1. ******************

   ****** FreeBSD
   ************************************************************************
   /usr/obj****************************************************************************************************************************************************
   cleanworld**

 # make cleanworld

    23.5.4.2. ******************

   ********************************************************************************
   sysctl hw.ncpu
   ************************************************************** FreeBSD
   ***********************************************************************************************._***************************************
   1/2 *** 2 ***************************************************** -j
   *********._

   ****** 23.1. *********************

   ********************************************

 # make -j4 buildworld buildkernel

    23.5.4.3. ***************

   ***********************************
   buildworld********************************** buildkernel
   *******************************************

 # cd /usr/src
 # make buildkernel

    23.5.4.4. ******************

   ********* FreeBSD ************************ GENERIC ******************
   (Kernel config file)***********GENERIC
   *******************************************************************************************************************************************************************************************************._

   *********************** RAM
   **************************************************************************************************************._

   ********************* /usr/src/sys/arch/conf/***************** arch ******
   uname -m **************************************
   amd64***************************** /usr/src/sys/amd64/conf/._

  ******:

   /usr/src
   *******************************************************************************************
   /root************************************** conf
   *******************************************************************************************._

   *************************** GENERIC
   ***************************************************************************************************
   STORAGESERVER**

 # cp /usr/src/sys/amd64/conf/GENERIC /root/STORAGESERVER
 # cd /usr/src/sys/amd64/conf
 # ln -s /root/STORAGESERVER .

   ************ /root/STORAGESERVER*****************************************
   config(5)._

   ********************************* KERNCONF *****************************

 # make buildkernel KERNCONF=STORAGESERVER

  23.5.5. ************************

   ********* buildworld *** buildkernel
   *******************************************************

 # cd /usr/src
 # make installkernel
 # shutdown -r now
 # cd /usr/src
 # make installworld
 # shutdown -r now

   ***************************************** KERNCONF
   *****************************

 # cd /usr/src
 # make installkernel KERNCONF=STORAGESERVER
 # shutdown -r now
 # cd /usr/src
 # make installworld
 # shutdown -r now

  23.5.6. ************

   **************************************************************************************************************,_********************************************************._

    23.5.6.1. ****** mergemaster(8) ******************

   mergemaster(8)
   ******************************************************************._

   ****** -Ui**mergemaster(8)
   *****************************************************************************************

 # mergemaster -Ui

   *************************************************************************************************************
   mergemaster(8) ******************._

    23.5.6.2. *********************************

   ****************************************************************************************************

 # make check-old

   **************************

 # make delete-old

   **********************************************************************************************

 # make check-old-libs

   ***************************

 # make delete-old-libs

   ********************************************************************************************************************************************************._

  ******:

   *****************************************************************************************************
   y *** Enter ********************* BATCH_DELETE_OLD_FILES**********

 # make BATCH_DELETE_OLD_FILES=yes delete-old-libs

    23.5.6.3. *********************

   ****************************************************************************************

 # shutdown -r now

23.6. ******************

   Contributed by Mike Meyer.

   ***********************************************************************************************************************************************************,_***************
   CPU
   ****************************************************************************************************************
   NFS
   ******************************._*********************************._***************************
   NFS ****************** *** 29.3, "****************** (NFS)"._

   ************************************** Binary
   ************************************** ********* (Build
   set)*************************************************************************
   Userland binary._********************************************* (Build
   machine)******************************** World *********
   (Kernel)**********************************************,_************ CPU
   ************ make buildworld *** make buildkernel *********._

   *************************************** (Test
   machine)**************,******************************************************************************************************************************************************************************._

   ********************************************* NFS
   *************************** /usr/obj ***
   /usr/src._**************************/usr/src
   ***************************************************************** NFS
   ******._

   *************************************** /etc/make.conf *** /etc/src.conf
   *****************************************************************************
   (Base system)
   ************************************._***********************************
   /etc/make.conf ****** KERNCONF
   ********************************************************************************
   KERNCONF***********************************************._************************************************************
   /usr/src/sys/arch/conf._

   *********************************** World *** *** 23.5,
   "****************** FreeBSD"
   *********************************************************************************************************************************************
   NFS ****** /usr/src *** /usr/obj._************ shutdown now
   ************************************************ World
   *********************
   mergemaster._*****************************************************************._

   ***********************************************************************************************************************************************._

   *************************** Port ***************************** NFS ******
   /usr/ports *********************************._********* /etc/make.conf
   *************** distfiles*********** DISTDIR ****** NFS
   *************************** root
   ******************************._************************ WRKDIRPREFIX
   *********************************** Port
   ******************._**************************************************************************************************
   PACKAGES *************** DISTDIR *********._

*** 24. DTrace

   Written by Tom Rhodes.
   ************

   24.1. ******

   24.2. ************

   24.3. ****** DTrace ******

   24.4. ****** DTrace

24.1. ******

   DTrace, also known as Dynamic Tracing, was developed by Sun(TM) as a tool
   for locating performance bottlenecks in production and pre-production
   systems. In addition to diagnosing performance problems, DTrace can be
   used to help investigate and debug unexpected behavior in both the FreeBSD
   kernel and in userland programs.

   DTrace is a remarkable profiling tool, with an impressive array of
   features for diagnosing system issues. It may also be used to run
   pre-written scripts to take advantage of its capabilities. Users can
   author their own utilities using the DTrace D Language, allowing them to
   customize their profiling based on specific needs.

   The FreeBSD implementation provides full support for kernel DTrace and
   experimental support for userland DTrace. Userland DTrace allows users to
   perform function boundary tracing for userland programs using the pid
   provider, and to insert static probes into userland programs for later
   tracing. Some ports, such as databases/postgres-server and lang/php56 have
   a DTrace option to enable static probes. FreeBSD 10.0-RELEASE has
   reasonably good userland DTrace support, but it is not considered
   production ready. In particular, it is possible to crash traced programs.

   The official guide to DTrace is maintained by the Illumos project at
   DTrace Guide.

   ****************************

     * What DTrace is and what features it provides.

     * Differences between the Solaris(TM) DTrace implementation and the one
       provided by FreeBSD.

     * How to enable and use DTrace on FreeBSD.

   ****************************************

     * ****** UNIX(R) *** FreeBSD ****** (*** 3, FreeBSD ******)._

     * Have some familiarity with security and how it pertains to FreeBSD
       (*** 13, *********).

24.2. ************

   While the DTrace in FreeBSD is similar to that found in Solaris(TM),
   differences do exist. The primary difference is that in FreeBSD, DTrace is
   implemented as a set of kernel modules and DTrace can not be used until
   the modules are loaded. To load all of the necessary modules:

 # kldload dtraceall

   Beginning with FreeBSD 10.0-RELEASE, the modules are automatically loaded
   when dtrace is run.

   FreeBSD uses the DDB_CTF kernel option to enable support for loading CTF
   data from kernel modules and the kernel itself. CTF is the Solaris(TM)
   Compact C Type Format which encapsulates a reduced form of debugging
   information similar to DWARF and the venerable stabs. CTF data is added to
   binaries by the ctfconvert and ctfmerge build tools. The ctfconvert
   utility parses DWARF ELF debug sections created by the compiler and
   ctfmerge merges CTF ELF sections from objects into either executables or
   shared libraries.

   Some different providers exist for FreeBSD than for Solaris(TM). Most
   notable is the dtmalloc provider, which allows tracing malloc() by type in
   the FreeBSD kernel. Some of the providers found in Solaris(TM), such as
   cpc and mib, are not present in FreeBSD. These may appear in future
   versions of FreeBSD. Moreover, some of the providers available in both
   operating systems are not compatible, in the sense that their probes have
   different argument types. Thus, D scripts written on Solaris(TM) may or
   may not work unmodified on FreeBSD, and vice versa.

   Due to security differences, only root may use DTrace on FreeBSD.
   Solaris(TM) has a few low level security checks which do not yet exist in
   FreeBSD. As such, the /dev/dtrace/dtrace is strictly limited to root.

   DTrace falls under the Common Development and Distribution License (CDDL)
   license. To view this license on FreeBSD, see
   /usr/src/cddl/contrib/opensolaris/OPENSOLARIS.LICENSE or view it online at
   http://opensource.org/licenses/CDDL-1.0. While a FreeBSD kernel with
   DTrace support is BSD licensed, the CDDL is used when the modules are
   distributed in binary form or the binaries are loaded.

24.3. ****** DTrace ******

   In FreeBSD 9.2 and 10.0, DTrace support is built into the GENERIC kernel.
   Users of earlier versions of FreeBSD or who prefer to statically compile
   in DTrace support should add the following lines to a custom kernel
   configuration file and recompile the kernel using the instructions in
   *** 8, ****** FreeBSD ******:

 options         KDTRACE_HOOKS
 options         DDB_CTF
 makeoptions     DEBUG=-g
 makeoptions     WITH_CTF=1

   Users of the AMD64 architecture should also add this line:

 options         KDTRACE_FRAME

   This option provides support for FBT. While DTrace will work without this
   option, there will be limited support for function boundary tracing.

   Once the FreeBSD system has rebooted into the new kernel, or the DTrace
   kernel modules have been loaded using kldload dtraceall, the system will
   need support for the Korn shell as the DTrace Toolkit has several
   utilities written in ksh. Make sure that the shells/ksh93 package or port
   is installed. It is also possible to run these tools under shells/pdksh or
   shells/mksh.

   Finally, install the current DTrace Toolkit, a collection of ready-made
   scripts for collecting system information. There are scripts to check open
   files, memory, CPU usage, and a lot more. FreeBSD 10 installs a few of
   these scripts into /usr/share/dtrace. On other FreeBSD versions, or to
   install the full DTrace Toolkit, use the sysutils/DTraceToolkit package or
   port.

  ******:

   The scripts found in /usr/share/dtrace have been specifically ported to
   FreeBSD. Not all of the scripts found in the DTrace Toolkit will work
   as-is on FreeBSD and some scripts may require some effort in order for
   them to work on FreeBSD.

   The DTrace Toolkit includes many scripts in the special language of
   DTrace. This language is called the D language and it is very similar to
   C++. An in depth discussion of the language is beyond the scope of this
   document. It is covered extensively in the Illumos Dynamic Tracing Guide.

24.4. ****** DTrace

   DTrace scripts consist of a list of one or more probes, or instrumentation
   points, where each probe is associated with an action. Whenever the
   condition for a probe is met, the associated action is executed. For
   example, an action may occur when a file is opened, a process is started,
   or a line of code is executed. The action might be to log some information
   or to modify context variables. The reading and writing of context
   variables allows probes to share information and to cooperatively analyze
   the correlation of different events.

   To view all probes, the administrator can execute the following command:

 # dtrace -l | more

   Each probe has an ID, a PROVIDER (dtrace or fbt), a MODULE, and a FUNCTION
   NAME. Refer to dtrace(1) for more information about this command.

   The examples in this section provide an overview of how to use two of the
   fully supported scripts from the DTrace Toolkit: the hotkernel and
   procsystime scripts.

   The hotkernel script is designed to identify which function is using the
   most kernel time. It will produce output similar to the following:

 # cd /usr/share/dtrace/toolkit
 # ./hotkernel
 Sampling... Hit Ctrl-C to end.

   As instructed, use the Ctrl+C key combination to stop the process. Upon
   termination, the script will display a list of kernel functions and timing
   information, sorting the output in increasing order of time:

 kernel`_thread_lock_flags                                   2   0.0%
 0xc1097063                                                  2   0.0%
 kernel`sched_userret                                        2   0.0%
 kernel`kern_select                                          2   0.0%
 kernel`generic_copyin                                       3   0.0%
 kernel`_mtx_assert                                          3   0.0%
 kernel`vm_fault                                             3   0.0%
 kernel`sopoll_generic                                       3   0.0%
 kernel`fixup_filename                                       4   0.0%
 kernel`_isitmyx                                             4   0.0%
 kernel`find_instance                                        4   0.0%
 kernel`_mtx_unlock_flags                                    5   0.0%
 kernel`syscall                                              5   0.0%
 kernel`DELAY                                                5   0.0%
 0xc108a253                                                  6   0.0%
 kernel`witness_lock                                         7   0.0%
 kernel`read_aux_data_no_wait                                7   0.0%
 kernel`Xint0x80_syscall                                     7   0.0%
 kernel`witness_checkorder                                   7   0.0%
 kernel`sse2_pagezero                                        8   0.0%
 kernel`strncmp                                              9   0.0%
 kernel`spinlock_exit                                       10   0.0%
 kernel`_mtx_lock_flags                                     11   0.0%
 kernel`witness_unlock                                      15   0.0%
 kernel`sched_idletd                                       137   0.3%
 0xc10981a5                                              42139  99.3%

   This script will also work with kernel modules. To use this feature, run
   the script with -m:

 # ./hotkernel -m
 Sampling... Hit Ctrl-C to end.
 ^C
 MODULE                                                  COUNT   PCNT
 0xc107882e                                                  1   0.0%
 0xc10e6aa4                                                  1   0.0%
 0xc1076983                                                  1   0.0%
 0xc109708a                                                  1   0.0%
 0xc1075a5d                                                  1   0.0%
 0xc1077325                                                  1   0.0%
 0xc108a245                                                  1   0.0%
 0xc107730d                                                  1   0.0%
 0xc1097063                                                  2   0.0%
 0xc108a253                                                 73   0.0%
 kernel                                                    874   0.4%
 0xc10981a5                                             213781  99.6%

   The procsystime script captures and prints the system call time usage for
   a given process ID (PID) or process name. In the following example, a new
   instance of /bin/csh was spawned. Then, procsystime was executed and
   remained waiting while a few commands were typed on the other incarnation
   of csh. These are the results of this test:

 # ./procsystime -n csh
 Tracing... Hit Ctrl-C to end...
 ^C

 Elapsed Times for processes csh,

          SYSCALL          TIME (ns)
           getpid               6131
        sigreturn               8121
            close              19127
            fcntl              19959
              dup              26955
          setpgid              28070
             stat              31899
        setitimer              40938
            wait4              62717
        sigaction              67372
      sigprocmask             119091
     gettimeofday             183710
            write             263242
           execve             492547
            ioctl             770073
            vfork            3258923
       sigsuspend            6985124
             read         3988049784

   As shown, the read() system call used the most time in nanoseconds while
   the getpid() system call used the least amount of time.

*** 25. USB Device Mode / USB OTG

   ************

   25.1. ******

   25.2. USB ***************

   25.3. USB ************************

   25.4. USB ******************

25.1. ******

   Written by Edward Tomasz Napierala.

   This chapter covers the use of USB Device Mode and USB On The Go (USB OTG)
   in FreeBSD. This includes virtual serial consoles, virtual network
   interfaces, and virtual USB drives.

   When running on hardware that supports USB device mode or USB OTG, like
   that built into many embedded boards, the FreeBSD USB stack can run in
   device mode. Device mode makes it possible for the computer to present
   itself as different kinds of USB device classes, including serial ports,
   network adapters, and mass storage, or a combination thereof. A USB host
   like a laptop or desktop computer is able to access them just like
   physical USB devices. Device mode is sometimes called the "USB gadget
   mode".

   There are two basic ways the hardware can provide the device mode
   functionality: with a separate "client port", which only supports the
   device mode, and with a USB OTG port, which can provide both device and
   host mode. For USB OTG ports, the USB stack switches between host-side and
   device-side automatically, depending on what is connected to the port.
   Connecting a USB device like a memory stick to the port causes FreeBSD to
   switch to host mode. Connecting a USB host like a computer causes FreeBSD
   to switch to device mode. Single purpose "client ports" always work in
   device mode.

   What FreeBSD presents to the USB host depends on the hw.usb.template
   sysctl. Some templates provide a single device, such as a serial terminal;
   others provide multiple ones, which can all be used at the same time. An
   example is the template 10, which provides a mass storage device, a serial
   console, and a network interface. See usb_template(4) for the list of
   available values.

   Note that in some cases, depending on the hardware and the hosts operating
   system, for the host to notice the configuration change, it must be either
   physically disconnected and reconnected, or forced to rescan the USB bus
   in a system-specific way. When FreeBSD is running on the host,
   usbconfig(8) reset can be used. This also must be done after loading
   usb_template.ko if the USB host was already connected to the USB OTG
   socket.

   ****************************

     * How to set up USB Device Mode functionality on FreeBSD.

     * How to configure the virtual serial port on FreeBSD.

     * How to connect to the virtual serial port from various operating
       systems.

     * How to configure FreeBSD to provide a virtual USB network interface.

     * How to configure FreeBSD to provide a virtual USB storage device.

25.2. USB ***************

  25.2.1. ****** USB *********************

   Virtual serial port support is provided by templates number 3, 8, and 10.
   Note that template 3 works with Microsoft Windows 10 without the need for
   special drivers and INF files. Other host operating systems work with all
   three templates. Both usb_template(4) and umodem(4) kernel modules must be
   loaded.

   To enable USB device mode serial ports, add those lines to /etc/ttys:

 ttyU0   "/usr/libexec/getty 3wire"      vt100   onifconsole secure
 ttyU1   "/usr/libexec/getty 3wire"      vt100   onifconsole secure

   ************************ /etc/devd.conf**

 notify 100 {
         match "system"          "DEVFS";
         match "subsystem"       "CDEV";
         match "type"            "CREATE";
         match "cdev"            "ttyU[0-9]+";
         action "/sbin/init q";
 };

   Reload the configuration if devd(8) is already running:

 # service devd restart

   Make sure the necessary modules are loaded and the correct template is set
   at boot by adding those lines to /boot/loader.conf, creating it if it does
   not already exist:

 umodem_load="YES"
 hw.usb.template=3

   To load the module and set the template without rebooting use:

 # kldload umodem
 # sysctl hw.usb.template=3

  25.2.2. *** FreeBSD ********* USB *********************

   To connect to a board configured to provide USB device mode serial ports,
   connect the USB host, such as a laptop, to the boards USB OTG or USB
   client port. Use pstat -t on the host to list the terminal lines. Near the
   end of the list you should see a USB serial port, eg "ttyU0". To open the
   connection, use:

 # cu -l /dev/ttyU0

   After pressing the Enter key a few times you will see a login prompt.

  25.2.3. *** macOS ********* USB *********************

   To connect to a board configured to provide USB device mode serial ports,
   connect the USB host, such as a laptop, to the boards USB OTG or USB
   client port. To open the connection, use:

 # cu -l /dev/cu.usbmodemFreeBSD1

  25.2.4. *** Linux ********* USB *********************

   To connect to a board configured to provide USB device mode serial ports,
   connect the USB host, such as a laptop, to the boards USB OTG or USB
   client port. To open the connection, use:

 # minicom -D /dev/ttyACM0

  25.2.5. *** Microsoft Windows 10 ********* USB *********************

   To connect to a board configured to provide USB device mode serial ports,
   connect the USB host, such as a laptop, to the boards USB OTG or USB
   client port. To open a connection you will need a serial terminal program,
   such as PuTTY. To check the COM port name used by Windows, run Device
   Manager, expand "Ports (COM & LPT)". You will see a name similar to "USB
   Serial Device (COM4)". Run serial terminal program of your choice, for
   example PuTTY. In the PuTTY dialog set "Connection type" to "Serial", type
   the COMx obtained from Device Manager in the "Serial line" dialog box and
   click Open.

25.3. USB ************************

   Virtual network interfaces support is provided by templates number 1, 8,
   and 10. Note that none of them works with Microsoft Windows. Other host
   operating systems work with all three templates. Both usb_template(4) and
   if_cdce(4) kernel modules must be loaded.

   Make sure the necessary modules are loaded and the correct template is set
   at boot by adding those lines to /boot/loader.conf, creating it if it does
   not already exist:

 if_cdce_load="YES"
 hw.usb.template=1

   To load the module and set the template without rebooting use:

 # kldload if_cdce
 # sysctl hw.usb.template=1

25.4. USB ******************

  ******:

   cfumass(4) ************************ FreeBSD 12.0 ****************** USB
   ************************._

   Mass Storage target is provided by templates 0 and 10. Both
   usb_template(4) and cfumass(4) kernel modules must be loaded. cfumass(4)
   interfaces to the CTL subsystem, the same one that is used for iSCSI or
   Fibre Channel targets. On the host side, USB Mass Storage initiators can
   only access a single LUN, LUN 0.

  25.4.1. ****** cfumass ****** Script ****** USB *********************

   The simplest way to set up a read-only USB storage target is to use the
   cfumass rc script. To configure it this way, copy the files to be
   presented to the USB host machine into the /var/cfumass directory, and add
   this line to /etc/rc.conf:

 cfumass_enable="YES"

   To configure the target without restarting, run this command:

 # service cfumass start

   Differently from serial and network functionality, the template should not
   be set to 0 or 10 in /boot/loader.conf. This is because the LUN must be
   set up before setting the template. The cfumass startup script sets the
   correct template number automatically when started.

  25.4.2. ************************ USB *********************

   The rest of this chapter provides detailed description of setting the
   target without using the cfumass rc file. This is necessary if eg one
   wants to provide a writeable LUN.

   USB Mass Storage does not require the ctld(8) daemon to be running,
   although it can be used if desired. This is different from iSCSI. Thus,
   there are two ways to configure the target: ctladm(8), or ctld(8). Both
   require the cfumass.ko kernel module to be loaded. The module can be
   loaded manually:

 # kldload cfumass

   If cfumass.ko has not been built into the kernel, /boot/loader.conf can be
   set to load the module at boot:

 cfumass_load="YES"

   A LUN can be created without the ctld(8) daemon:

 # ctladm create -b block -o file=/data/target0

   This presents the contents of the image file /data/target0 as a LUN to the
   USB host. The file must exist before executing the command. To configure
   the LUN at system startup, add the command to /etc/rc.local.

   ctld(8) can also be used to manage LUNs. Create /etc/ctl.conf, add a line
   to /etc/rc.conf to make sure ctld(8) is automatically started at boot, and
   then start the daemon.

   This is an example of a simple /etc/ctl.conf configuration file. Refer to
   ctl.conf(5) for a more complete description of the options.

 target naa.50015178f369f092 {
         lun 0 {
                 path /data/target0
                 size 4G
         }
 }

   The example creates a single target with a single LUN. The
   naa.50015178f369f092 is a device identifier composed of 32 random
   hexadecimal digits. The path line defines the full path to a file or zvol
   backing the LUN. That file must exist before starting ctld(8). The second
   line is optional and specifies the size of the LUN.

   To make sure the ctld(8) daemon is started at boot, add this line to
   /etc/rc.conf:

 ctld_enable="YES"

   To start ctld(8) now, run this command:

 # service ctld start

   *** ctld(8) Daemon ***********************
   /etc/ctl.conf******************** Daemon
   ****************************************************************************

 # service ctld reload

                              *** IV. ************

   FreeBSD
   ****************************************************************************************************

     * ************

     * PPP ************************ PPP

     * ************

     * *********************

     * *********

     * ***************************

   ************************************************************._
   ********************************************************************************************
   FreeBSD *********************._

   ************

   26. ************

                26.1. ******

                26.2. *********************

                26.3. *********

                26.4. ************

                26.5. ************

                26.6. ************ Console

   27. PPP

                27.1. ******

                27.2. ****** PPP

                27.3. PPP ******************

                27.4. ********************* PPP (PPPoE)

                27.5. *** ATM ****** PPP (PPPoA)

   28. ************

                28.1. ******

                28.2. ************

                28.3. Sendmail *********

                28.4. ******************************

                28.5. ************

                28.6. ************

                28.7. ************

                28.8. ***************************

                28.9. SMTP ******

                28.10. ***************************

                28.11. ****** fetchmail

                28.12. ****** procmail

   29. ***************

                29.1. ******

                29.2. inetd ***************

                29.3. ****************** (NFS)

                29.4. ****************** (NIS)

                29.5. *************************** (LDAP)

                29.6. ************************ (DHCP)

                29.7. ****************** (DNS)

                29.8. Apache HTTP *********

                29.9. ****************** (FTP)

                29.10. Microsoft(R) Windows(R) ******************************
                (Samba)

                29.11. NTP ************

                29.12. iSCSI Initiator *** Target ******

   30. *********

                30.1. ******

                30.2. ***************

                30.3. PF

                30.4. IPFW

                30.5. IPFILTER (IPF)

                30.6. Blacklistd

   31. ******************

                31.1. ******

                31.2. ******************

                31.3. ************

                31.4. USB ************

                31.5. ******

                31.6. ******

                31.7. Link Aggregation ***************

                31.8. PXE ***************

                31.9. IPv6

                31.10. ************************ (CARP)

                31.11. VLANs

*** 26. ************

   ************

   26.1. ******

   26.2. *********************

   26.3. *********

   26.4. ************

   26.5. ************

   26.6. ************ Console

26.1. ******

   UNIX(R) ********************* UNIX(R)
   ***********************************************************************************************
   10
   *********************************************************************************._***************************
   FreeBSD ***************************._

   ****************************

     * ************************ FreeBSD ******._

     * ******************************************._

     * *************************************************** FreeBSD ******._

     * *************** Console ****** FreeBSD ******._

   ****************************************

     * ************ ***************************._

     * ****** FreeBSD ******************._

     * ****************** FreeBSD ************************************._

26.2. *********************

   The following terms are often used in serial communications:

   bps

           Bits per Second (bps) is the rate at which data is transmitted.

   DTE

           Data Terminal Equipment (DTE) is one of two endpoints in a serial
           communication. An example would be a computer.

   DCE

           Data Communications Equipment (DTE) is the other endpoint in a
           serial communication. Typically, it is a modem or serial terminal.

   RS-232

           The original standard which defined hardware serial
           communications. It has since been renamed to TIA-232.

   When referring to communication data rates, this section does not use the
   term baud. Baud refers to the number of electrical state transitions made
   in a period of time, while bps is the correct term to use.

   To connect a serial terminal to a FreeBSD system, a serial port on the
   computer and the proper cable to connect to the serial device are needed.
   Users who are already familiar with serial hardware and cabling can safely
   skip this section.

  26.2.1. ***************

   There are several different kinds of serial cables. The two most common
   types are null-modem cables and standard RS-232 cables. The documentation
   for the hardware should describe the type of cable required.

   These two types of cables differ in how the wires are connected to the
   connector. Each wire represents a signal, with the defined signals
   summarized in ****** 26.1, "RS-232C ************". A standard serial cable
   passes all of the RS-232C signals straight through. For example, the
   "Transmitted Data" pin on one end of the cable goes to the "Transmitted
   Data" pin on the other end. This is the type of cable used to connect a
   modem to the FreeBSD system, and is also appropriate for some terminals.

   A null-modem cable switches the "Transmitted Data" pin of the connector on
   one end with the "Received Data" pin on the other end. The connector can
   be either a DB-25 or a DB-9.

   A null-modem cable can be constructed using the pin connections summarized
   in ****** 26.2, "DB-25 *** DB-25 Null-Modem ***", ****** 26.3, "DB-9 ***
   DB-9 Null-Modem ***", and ****** 26.4, "DB-9 *** DB-25 Null-Modem ***".
   While the standard calls for a straight-through pin 1 to pin 1 "Protective
   Ground" line, it is often omitted. Some terminals work using only pins 2,
   3, and 7, while others require different configurations. When in doubt,
   refer to the documentation for the hardware.

   ****** 26.1. RS-232C ************

   ******                         Names                                       
   RD                             Received Data                               
   TD                             Transmitted Data                            
   DTR                            Data Terminal Ready                         
   DSR                            Data Set Ready                              
   DCD                            Data Carrier Detect                         
   SG                             Signal Ground                               
   RTS                            Request to Send                             
   CTS                            Clear to Send                               

   ****** 26.2. DB-25 *** DB-25 Null-Modem ***

   ******        ****** #                         ****** #       ******       
   SG            7              connects to       7              SG           
   TD            2              connects to       3              RD           
   RD            3              connects to       2              TD           
   RTS           4              connects to       5              CTS          
   CTS           5              connects to       4              RTS          
   DTR           20             connects to       6              DSR          
   DTR           20             connects to       8              DCD          
   DSR           6              connects to       20             DTR          
   DCD           8              connects to       20             DTR          

   ****** 26.3. DB-9 *** DB-9 Null-Modem ***

   ******        ****** #                         ****** #       ******       
   RD            2              connects to       3              TD           
   TD            3              connects to       2              RD           
   DTR           4              connects to       6              DSR          
   DTR           4              connects to       1              DCD          
   SG            5              connects to       5              SG           
   DSR           6              connects to       4              DTR          
   DCD           1              connects to       4              DTR          
   RTS           7              connects to       8              CTS          
   CTS           8              connects to       7              RTS          

   ****** 26.4. DB-9 *** DB-25 Null-Modem ***

   ******        ****** #                         ****** #       ******       
   RD            2              connects to       2              TD           
   TD            3              connects to       3              RD           
   DTR           4              connects to       6              DSR          
   DTR           4              connects to       8              DCD          
   SG            5              connects to       7              SG           
   DSR           6              connects to       20             DTR          
   DCD           1              connects to       20             DTR          
   RTS           7              connects to       5              CTS          
   CTS           8              connects to       4              RTS          

  ******:

   When one pin at one end connects to a pair of pins at the other end, it is
   usually implemented with one short wire between the pair of pins in their
   connector and a long wire to the other single pin.

   Serial ports are the devices through which data is transferred between the
   FreeBSD host computer and the terminal. Several kinds of serial ports
   exist. Before purchasing or constructing a cable, make sure it will fit
   the ports on the terminal and on the FreeBSD system.

   Most terminals have DB-25 ports. Personal computers may have DB-25 or DB-9
   ports. A multiport serial card may have RJ-12 or RJ-45/ ports. See the
   documentation that accompanied the hardware for specifications on the kind
   of port or visually verify the type of port.

   In FreeBSD, each serial port is accessed through an entry in /dev. There
   are two different kinds of entries:

     * Call-in ports are named /dev/ttyuN where N is the port number,
       starting from zero. If a terminal is connected to the first serial
       port (COM1), use /dev/ttyu0 to refer to the terminal. If the terminal
       is on the second serial port (COM2), use /dev/ttyu1, and so forth.
       Generally, the call-in port is used for terminals. Call-in ports
       require that the serial line assert the "Data Carrier Detect" signal
       to work correctly.

     * Call-out ports are named /dev/cuauN on FreeBSD versions 8.X and higher
       and /dev/cuadN on FreeBSD versions 7.X and lower. Call-out ports are
       usually not used for terminals, but are used for modems. The call-out
       port can be used if the serial cable or the terminal does not support
       the "Data Carrier Detect" signal.

   FreeBSD also provides initialization devices (/dev/ttyuN.init and
   /dev/cuauN.init or /dev/cuadN.init) and locking devices (/dev/ttyuN.lock
   and /dev/cuauN.lock or /dev/cuadN.lock). The initialization devices are
   used to initialize communications port parameters each time a port is
   opened, such as crtscts for modems which use RTS/CTS signaling for flow
   control. The locking devices are used to lock flags on ports to prevent
   users or programs changing certain parameters. Refer to termios(4),
   sio(4), and stty(1) for information on terminal settings, locking and
   initializing devices, and setting terminal options, respectively.

  26.2.2. ***************

   By default, FreeBSD supports four serial ports which are commonly known as
   COM1, COM2, COM3, and COM4. FreeBSD also supports dumb multi-port serial
   interface cards, such as the BocaBoard 1008 and 2016, as well as more
   intelligent multi-port cards such as those made by Digiboard. However, the
   default kernel only looks for the standard COM ports.

   To see if the system recognizes the serial ports, look for system boot
   messages that start with uart:

 # grep uart /var/run/dmesg.boot

   If the system does not recognize all of the needed serial ports,
   additional entries can be added to /boot/device.hints. This file already
   contains hint.uart.0.* entries for COM1 and hint.uart.1.* entries for
   COM2. When adding a port entry for COM3 use 0x3E8, and for COM4 use 0x2E8.
   Common IRQ addresses are 5 for COM3 and 9 for COM4.

   To determine the default set of terminal I/O settings used by the port,
   specify its device name. This example determines the settings for the
   call-in port on COM2:

 # stty -a -f /dev/ttyu1

   System-wide initialization of serial devices is controlled by
   /etc/rc.d/serial. This file affects the default settings of serial
   devices. To change the settings for a device, use stty. By default, the
   changed settings are in effect until the device is closed and when the
   device is reopened, it goes back to the default set. To permanently change
   the default set, open and adjust the settings of the initialization
   device. For example, to turn on CLOCAL mode, 8 bit communication, and
   XON/XOFF flow control for ttyu5, type:

 # stty -f /dev/ttyu5.init clocal cs8 ixon ixoff

   To prevent certain settings from being changed by an application, make
   adjustments to the locking device. For example, to lock the speed of ttyu5
   to 57600 bps, type:

 # stty -f /dev/ttyu5.lock 57600

   Now, any application that opens ttyu5 and tries to change the speed of the
   port will be stuck with 57600 bps.

26.3. *********

   Contributed by Sean Kelly.

   Terminals provide a convenient and low-cost way to access a FreeBSD system
   when not at the computer's console or on a connected network. This section
   describes how to use terminals with FreeBSD.

   The original UNIX(R) systems did not have consoles. Instead, users logged
   in and ran programs through terminals that were connected to the
   computer's serial ports.

   The ability to establish a login session on a serial port still exists in
   nearly every UNIX(R)-like operating system today, including FreeBSD. By
   using a terminal attached to an unused serial port, a user can log in and
   run any text program that can normally be run on the console or in an
   xterm window.

   Many terminals can be attached to a FreeBSD system. An older spare
   computer can be used as a terminal wired into a more powerful computer
   running FreeBSD. This can turn what might otherwise be a single-user
   computer into a powerful multiple-user system.

   FreeBSD supports three types of terminals:

   Dumb terminals

           Dumb terminals are specialized hardware that connect to computers
           over serial lines. They are called "dumb" because they have only
           enough computational power to display, send, and receive text. No
           programs can be run on these devices. Instead, dumb terminals
           connect to a computer that runs the needed programs.

           There are hundreds of kinds of dumb terminals made by many
           manufacturers, and just about any kind will work with FreeBSD.
           Some high-end terminals can even display graphics, but only
           certain software packages can take advantage of these advanced
           features.

           Dumb terminals are popular in work environments where workers do
           not need access to graphical applications.

   Computers Acting as Terminals

           Since a dumb terminal has just enough ability to display, send,
           and receive text, any spare computer can be a dumb terminal. All
           that is needed is the proper cable and some terminal emulation
           software to run on the computer.

           This configuration can be useful. For example, if one user is busy
           working at the FreeBSD system's console, another user can do some
           text-only work at the same time from a less powerful personal
           computer hooked up as a terminal to the FreeBSD system.

           There are at least two utilities in the base-system of FreeBSD
           that can be used to work through a serial connection: cu(1) and
           tip(1).

           For example, to connect from a client system that runs FreeBSD to
           the serial connection of another system:

 # cu -l /dev/cuauN

           Ports are numbered starting from zero. This means that COM1 is
           /dev/cuau0.

           Additional programs are available through the Ports Collection,
           such as comms/minicom.

   X Terminals

           X terminals are the most sophisticated kind of terminal available.
           Instead of connecting to a serial port, they usually connect to a
           network like Ethernet. Instead of being relegated to text-only
           applications, they can display any Xorg application.

           This chapter does not cover the setup, configuration, or use of X
           terminals.

  26.3.1. ***************

   This section describes how to configure a FreeBSD system to enable a login
   session on a serial terminal. It assumes that the system recognizes the
   serial port to which the terminal is connected and that the terminal is
   connected with the correct cable.

   In FreeBSD, init reads /etc/ttys and starts a getty process on the
   available terminals. The getty process is responsible for reading a login
   name and starting the login program. The ports on the FreeBSD system which
   allow logins are listed in /etc/ttys. For example, the first virtual
   console, ttyv0, has an entry in this file, allowing logins on the console.
   This file also contains entries for the other virtual consoles, serial
   ports, and pseudo-ttys. For a hardwired terminal, the serial port's /dev
   entry is listed without the /dev part. For example, /dev/ttyv0 is listed
   as ttyv0.

   The default /etc/ttys configures support for the first four serial ports,
   ttyu0 through ttyu3:

 ttyu0   "/usr/libexec/getty std.9600"   dialup  off secure
 ttyu1   "/usr/libexec/getty std.9600"   dialup  off secure
 ttyu2   "/usr/libexec/getty std.9600"   dialup  off secure
 ttyu3   "/usr/libexec/getty std.9600"   dialup  off secure

   When attaching a terminal to one of those ports, modify the default entry
   to set the required speed and terminal type, to turn the device on and, if
   needed, to change the port's secure setting. If the terminal is connected
   to another port, add an entry for the port.

   ****** 26.1, "*********************" configures two terminals in
   /etc/ttys. The first entry configures a Wyse-50 connected to COM2. The
   second entry configures an old computer running Procomm terminal software
   emulating a VT-100 terminal. The computer is connected to the sixth serial
   port on a multi-port serial card.

   ****** 26.1. *********************

 ttyu11  "/usr/libexec/getty std.38400"2  wy503  on4  insecure5
 ttyu5   "/usr/libexec/getty std.19200"  vt100  on insecure

   1 The first field specifies the device name of the serial terminal.        
   2 The second field tells getty to initialize and open the line, set the    
     line speed, prompt for a user name, and then execute the login program.  
     The optional getty type configures characteristics on the terminal line, 
     like bps rate and parity. The available getty types are listed in        
     /etc/gettytab. In almost all cases, the getty types that start with std  
     will work for hardwired terminals as these entries ignore parity. There  
     is a std entry for each bps rate from 110 to 115200. Refer to            
     gettytab(5) for more information.                                        
                                                                              
     When setting the getty type, make sure to match the communications       
     settings used by the terminal. For this example, the Wyse-50 uses no     
     parity and connects at 38400 bps. The computer uses no parity and        
     connects at 19200 bps.                                                   
   3 The third field is the type of terminal. For dial-up ports, unknown or   
     dialup is typically used since users may dial up with practically any    
     type of terminal or software. Since the terminal type does not change    
     for hardwired terminals, a real terminal type from /etc/termcap can be   
     specified. For this example, the Wyse-50 uses the real terminal type     
     while the computer running Procomm is set to emulate a VT-100.           
   4 The fourth field specifies if the port should be enabled. To enable      
     logins on this port, this field must be set to on.                       
   5 The final field is used to specify whether the port is secure. Marking a 
     port as secure means that it is trusted enough to allow root to login    
     from that port. Insecure ports do not allow root logins. On an insecure  
     port, users must login from unprivileged accounts and then use su or a   
     similar mechanism to gain superuser privileges, as described in          
     *** 3.3.1.3, "*********************". For security reasons, it is        
     recommended to change this setting to insecure.                          

   After making any changes to /etc/ttys, send a SIGHUP (hangup) signal to
   the init process to force it to re-read its configuration file:

 # kill -HUP 1

   Since init is always the first process run on a system, it always has a
   process ID of 1.

   If everything is set up correctly, all cables are in place, and the
   terminals are powered up, a getty process should now be running on each
   terminal and login prompts should be available on each terminal.

  26.3.2. ******************

   Even with the most meticulous attention to detail, something could still
   go wrong while setting up a terminal. Here is a list of common symptoms
   and some suggested fixes.

   If no login prompt appears, make sure the terminal is plugged in and
   powered up. If it is a personal computer acting as a terminal, make sure
   it is running terminal emulation software on the correct serial port.

   Make sure the cable is connected firmly to both the terminal and the
   FreeBSD computer. Make sure it is the right kind of cable.

   Make sure the terminal and FreeBSD agree on the bps rate and parity
   settings. For a video display terminal, make sure the contrast and
   brightness controls are turned up. If it is a printing terminal, make sure
   paper and ink are in good supply.

   Use ps to make sure that a getty process is running and serving the
   terminal. For example, the following listing shows that a getty is running
   on the second serial port, ttyu1, and is using the std.38400 entry in
   /etc/gettytab:

 # ps -axww|grep ttyu
 22189  d1  Is+    0:00.03 /usr/libexec/getty std.38400 ttyu1

   If no getty process is running, make sure the port is enabled in
   /etc/ttys. Remember to run kill -HUP 1 after modifying /etc/ttys.

   If the getty process is running but the terminal still does not display a
   login prompt, or if it displays a prompt but will not accept typed input,
   the terminal or cable may not support hardware handshaking. Try changing
   the entry in /etc/ttys from std.38400 to 3wire.38400, then run kill -HUP 1
   after modifying /etc/ttys. The 3wire entry is similar to std, but ignores
   hardware handshaking. The baud rate may need to be reduced or software
   flow control enabled when using 3wire to prevent buffer overflows.

   If garbage appears instead of a login prompt, make sure the terminal and
   FreeBSD agree on the bps rate and parity settings. Check the getty
   processes to make sure the correct getty type is in use. If not, edit
   /etc/ttys and run kill -HUP 1.

   If characters appear doubled and the password appears when typed, switch
   the terminal, or the terminal emulation software, from "half duplex" or
   "local echo" to "full duplex."

26.4. ************

   Contributed by Guy Helmer.
   Additions by Sean Kelly.

   Configuring a FreeBSD system for dial-in service is similar to configuring
   terminals, except that modems are used instead of terminal devices.
   FreeBSD supports both external and internal modems.

   External modems are more convenient because they often can be configured
   via parameters stored in non-volatile RAM and they usually provide lighted
   indicators that display the state of important RS-232 signals, indicating
   whether the modem is operating properly.

   Internal modems usually lack non-volatile RAM, so their configuration may
   be limited to setting DIP switches. If the internal modem has any signal
   indicator lights, they are difficult to view when the system's cover is in
   place.

   When using an external modem, a proper cable is needed. A standard RS-232C
   serial cable should suffice.

   FreeBSD needs the RTS and CTS signals for flow control at speeds above
   2400 bps, the CD signal to detect when a call has been answered or the
   line has been hung up, and the DTR signal to reset the modem after a
   session is complete. Some cables are wired without all of the needed
   signals, so if a login session does not go away when the line hangs up,
   there may be a problem with the cable. Refer to *** 26.2.1,
   "***************" for more information about these signals.

   Like other UNIX(R)-like operating systems, FreeBSD uses the hardware
   signals to find out when a call has been answered or a line has been hung
   up and to hangup and reset the modem after a call. FreeBSD avoids sending
   commands to the modem or watching for status reports from the modem.

   FreeBSD supports the NS8250, NS16450, NS16550, and NS16550A-based RS-232C
   (CCITT V.24) communications interfaces. The 8250 and 16450 devices have
   single-character buffers. The 16550 device provides a 16-character buffer,
   which allows for better system performance. Bugs in plain 16550 devices
   prevent the use of the 16-character buffer, so use 16550A devices if
   possible. Because single-character-buffer devices require more work by the
   operating system than the 16-character-buffer devices, 16550A-based serial
   interface cards are preferred. If the system has many active serial ports
   or will have a heavy load, 16550A-based cards are better for
   low-error-rate communications.

   The rest of this section demonstrates how to configure a modem to receive
   incoming connections, how to communicate with the modem, and offers some
   troubleshooting tips.

  26.4.1. ***************

   As with terminals, init spawns a getty process for each configured serial
   port used for dial-in connections. When a user dials the modem's line and
   the modems connect, the "Carrier Detect" signal is reported by the modem.
   The kernel notices that the carrier has been detected and instructs getty
   to open the port and display a login: prompt at the specified initial line
   speed. In a typical configuration, if garbage characters are received,
   usually due to the modem's connection speed being different than the
   configured speed, getty tries adjusting the line speeds until it receives
   reasonable characters. After the user enters their login name, getty
   executes login, which completes the login process by asking for the user's
   password and then starting the user's shell.

   There are two schools of thought regarding dial-up modems. One
   configuration method is to set the modems and systems so that no matter at
   what speed a remote user dials in, the dial-in RS-232 interface runs at a
   locked speed. The benefit of this configuration is that the remote user
   always sees a system login prompt immediately. The downside is that the
   system does not know what a user's true data rate is, so full-screen
   programs like Emacs will not adjust their screen-painting methods to make
   their response better for slower connections.

   The second method is to configure the RS-232 interface to vary its speed
   based on the remote user's connection speed. Because getty does not
   understand any particular modem's connection speed reporting, it gives a
   login: message at an initial speed and watches the characters that come
   back in response. If the user sees junk, they should press Enter until
   they see a recognizable prompt. If the data rates do not match, getty sees
   anything the user types as junk, tries the next speed, and gives the
   login: prompt again. This procedure normally only takes a keystroke or two
   before the user sees a good prompt. This login sequence does not look as
   clean as the locked-speed method, but a user on a low-speed connection
   should receive better interactive response from full-screen programs.

   When locking a modem's data communications rate at a particular speed, no
   changes to /etc/gettytab should be needed. However, for a matching-speed
   configuration, additional entries may be required in order to define the
   speeds to use for the modem. This example configures a 14.4 Kbps modem
   with a top interface speed of 19.2 Kbps using 8-bit, no parity
   connections. It configures getty to start the communications rate for a
   V.32bis connection at 19.2 Kbps, then cycles through 9600 bps, 2400 bps,
   1200 bps, 300 bps, and back to 19.2 Kbps. Communications rate cycling is
   implemented with the nx= (next table) capability. Each line uses a tc=
   (table continuation) entry to pick up the rest of the settings for a
   particular data rate.

 #
 # Additions for a V.32bis Modem
 #
 um|V300|High Speed Modem at 300,8-bit:\
         :nx=V19200:tc=std.300:
 un|V1200|High Speed Modem at 1200,8-bit:\
         :nx=V300:tc=std.1200:
 uo|V2400|High Speed Modem at 2400,8-bit:\
         :nx=V1200:tc=std.2400:
 up|V9600|High Speed Modem at 9600,8-bit:\
         :nx=V2400:tc=std.9600:
 uq|V19200|High Speed Modem at 19200,8-bit:\
         :nx=V9600:tc=std.19200:

   For a 28.8 Kbps modem, or to take advantage of compression on a 14.4 Kbps
   modem, use a higher communications rate, as seen in this example:

 #
 # Additions for a V.32bis or V.34 Modem
 # Starting at 57.6 Kbps
 #
 vm|VH300|Very High Speed Modem at 300,8-bit:\
         :nx=VH57600:tc=std.300:
 vn|VH1200|Very High Speed Modem at 1200,8-bit:\
         :nx=VH300:tc=std.1200:
 vo|VH2400|Very High Speed Modem at 2400,8-bit:\
         :nx=VH1200:tc=std.2400:
 vp|VH9600|Very High Speed Modem at 9600,8-bit:\
         :nx=VH2400:tc=std.9600:
 vq|VH57600|Very High Speed Modem at 57600,8-bit:\
         :nx=VH9600:tc=std.57600:

   For a slow CPU or a heavily loaded system without 16550A-based serial
   ports, this configuration may produce sio "silo" errors at 57.6 Kbps.

   The configuration of /etc/ttys is similar to ****** 26.1,
   "*********************", but a different argument is passed to getty and
   dialup is used for the terminal type. Replace xxx with the process init
   will run on the device:

 ttyu0   "/usr/libexec/getty xxx"   dialup on

   The dialup terminal type can be changed. For example, setting vt102 as the
   default terminal type allows users to use VT102 emulation on their remote
   systems.

   For a locked-speed configuration, specify the speed with a valid type
   listed in /etc/gettytab. This example is for a modem whose port speed is
   locked at 19.2 Kbps:

 ttyu0   "/usr/libexec/getty std.19200"   dialup on

   In a matching-speed configuration, the entry needs to reference the
   appropriate beginning "auto-baud" entry in /etc/gettytab. To continue the
   example for a matching-speed modem that starts at 19.2 Kbps, use this
   entry:

 ttyu0   "/usr/libexec/getty V19200"   dialup on

   After editing /etc/ttys, wait until the modem is properly configured and
   connected before signaling init:

 # kill -HUP 1

   High-speed modems, like V.32, V.32bis, and V.34 modems, use hardware
   (RTS/CTS) flow control. Use stty to set the hardware flow control flag for
   the modem port. This example sets the crtscts flag on COM2's dial-in and
   dial-out initialization devices:

 # stty -f /dev/ttyu1.init crtscts
 # stty -f /dev/cuau1.init crtscts

  26.4.2. ************

   This section provides a few tips for troubleshooting a dial-up modem that
   will not connect to a FreeBSD system.

   Hook up the modem to the FreeBSD system and boot the system. If the modem
   has status indication lights, watch to see whether the modem's DTR
   indicator lights when the login: prompt appears on the system's console.
   If it lights up, that should mean that FreeBSD has started a getty process
   on the appropriate communications port and is waiting for the modem to
   accept a call.

   If the DTR indicator does not light, login to the FreeBSD system through
   the console and type ps ax to see if FreeBSD is running a getty process on
   the correct port:

   114 ??  I      0:00.10 /usr/libexec/getty V19200 ttyu0

   If the second column contains a d0 instead of a ?? and the modem has not
   accepted a call yet, this means that getty has completed its open on the
   communications port. This could indicate a problem with the cabling or a
   misconfigured modem because getty should not be able to open the
   communications port until the carrier detect signal has been asserted by
   the modem.

   If no getty processes are waiting to open the port, double-check that the
   entry for the port is correct in /etc/ttys. Also, check /var/log/messages
   to see if there are any log messages from init or getty.

   Next, try dialing into the system. Be sure to use 8 bits, no parity, and 1
   stop bit on the remote system. If a prompt does not appear right away, or
   the prompt shows garbage, try pressing Enter about once per second. If
   there is still no login: prompt, try sending a BREAK. When using a
   high-speed modem, try dialing again after locking the dialing modem's
   interface speed.

   If there is still no login: prompt, check /etc/gettytab again and
   double-check that:

     * The initial capability name specified in the entry in /etc/ttys
       matches the name of a capability in /etc/gettytab.

     * Each nx= entry matches another gettytab capability name.

     * Each tc= entry matches another gettytab capability name.

   If the modem on the FreeBSD system will not answer, make sure that the
   modem is configured to answer the phone when DTR is asserted. If the modem
   seems to be configured correctly, verify that the DTR line is asserted by
   checking the modem's indicator lights.

   If it still does not work, try sending an email to the FreeBSD general
   questions mailing list describing the modem and the problem.

26.5. ************

   The following are tips for getting the host to connect over the modem to
   another computer. This is appropriate for establishing a terminal session
   with a remote host.

   This kind of connection can be helpful to get a file on the Internet if
   there are problems using PPP. If PPP is not working, use the terminal
   session to FTP the needed file. Then use zmodem to transfer it to the
   machine.

  26.5.1. ****** Stock Hayes *********

   A generic Hayes dialer is built into tip. Use at=hayes in /etc/remote.

   The Hayes driver is not smart enough to recognize some of the advanced
   features of newer modems messages like BUSY, NO DIALTONE, or CONNECT
   115200. Turn those messages off when using tip with ATX0&W.

   The dial timeout for tip is 60 seconds. The modem should use something
   less, or else tip will think there is a communication problem. Try
   ATS7=45&W.

  26.5.2. ****** AT ******

   Create a "direct" entry in /etc/remote. For example, if the modem is
   hooked up to the first serial port, /dev/cuau0, use the following line:

 cuau0:dv=/dev/cuau0:br#19200:pa=none

   Use the highest bps rate the modem supports in the br capability. Then,
   type tip cuau0 to connect to the modem.

   Or, use cu as root with the following command:

 # cu -lline -sspeed

   line is the serial port, such as /dev/cuau0, and speed is the speed, such
   as 57600. When finished entering the AT commands, type ~. to exit.

  26.5.3. @ ******************

   The @ sign in the phone number capability tells tip to look in /etc/phones
   for a phone number. But, the @ sign is also a special character in
   capability files like /etc/remote, so it needs to be escaped with a
   backslash:

 pn=\@

  26.5.4. ******************

   Put a "generic" entry in /etc/remote. For example:

 tip115200|Dial any phone number at 115200 bps:\
         :dv=/dev/cuau0:br#115200:at=hayes:pa=none:du:
 tip57600|Dial any phone number at 57600 bps:\
         :dv=/dev/cuau0:br#57600:at=hayes:pa=none:du:

   This should now work:

 # tip -115200 5551234

   Users who prefer cu over tip, can use a generic cu entry:

 cu115200|Use cu to dial any number at 115200bps:\
         :dv=/dev/cuau1:br#57600:at=hayes:pa=none:du:

   and type:

 # cu 5551234 -s 115200

  26.5.5. ****** bps ***

   Put in an entry for tip1200 or cu1200, but go ahead and use whatever bps
   rate is appropriate with the br capability. tip thinks a good default is
   1200 bps which is why it looks for a tip1200 entry. 1200 bps does not have
   to be used, though.

  26.5.6. ***************************************

   Rather than waiting until connected and typing CONNECT host each time, use
   tip's cm capability. For example, these entries in /etc/remote will let
   you type tip pain or tip muffin to connect to the hosts pain or muffin,
   and tip deep13 to connect to the terminal server.

 pain|pain.deep13.com|Forrester's machine:\
         :cm=CONNECT pain\n:tc=deep13:
 muffin|muffin.deep13.com|Frank's machine:\
         :cm=CONNECT muffin\n:tc=deep13:
 deep13:Gizmonics Institute terminal server:\
         :dv=/dev/cuau2:br#38400:at=hayes:du:pa=none:pn=5551234:

  26.5.7. *** tip ******************

   This is often a problem where a university has several modem lines and
   several thousand students trying to use them.

   Make an entry in /etc/remote and use @ for the pn capability:

 big-university:\
         :pn=\@:tc=dialout
 dialout:\
         :dv=/dev/cuau3:br#9600:at=courier:du:pa=none:

   Then, list the phone numbers in /etc/phones:

 big-university 5551111
 big-university 5551112
 big-university 5551113
 big-university 5551114

   tip will try each number in the listed order, then give up. To keep
   retrying, run tip in a while loop.

  26.5.8. ******************

   Ctrl+P is the default "force" character, used to tell tip that the next
   character is literal data. The force character can be set to any other
   character with the ~s escape, which means "set a variable."

   Type ~sforce=single-char followed by a newline. single-char is any single
   character. If single-char is left out, then the force character is the
   null character, which is accessed by typing Ctrl+2 or Ctrl+Space. A pretty
   good value for single-char is Shift+Ctrl+6, which is only used on some
   terminal servers.

   To change the force character, specify the following in ~/.tiprc:

 force=single-char

  26.5.9. ************

   This happens when Ctrl+A is pressed, which is tip's "raise character",
   specially designed for people with broken caps-lock keys. Use ~s to set
   raisechar to something reasonable. It can be set to be the same as the
   force character, if neither feature is used.

   Here is a sample ~/.tiprc for Emacs users who need to type Ctrl+2 and
   Ctrl+A:

 force=^^
 raisechar=^^

   The ^^ is Shift+Ctrl+6.

  26.5.10. ****** tip ************

   When talking to another UNIX(R)-like operating system, files can be sent
   and received using ~p (put) and ~t (take). These commands run cat and echo
   on the remote system to accept and send files. The syntax is:

   ~p local-file [remote-file]

   ~t remote-file [local-file]

   There is no error checking, so another protocol, like zmodem, should
   probably be used.

  26.5.11. *** zmodem ****** tip?

   To receive files, start the sending program on the remote end. Then, type
   ~C rz to begin receiving them locally.

   To send files, start the receiving program on the remote end. Then, type
   ~C sz files to send them to the remote system.

26.6. ************ Console

   Contributed by Kazutaka YOKOTA.
   Based on a document by Bill Paul.

   FreeBSD has the ability to boot a system with a dumb terminal on a serial
   port as a console. This configuration is useful for system administrators
   who wish to install FreeBSD on machines that have no keyboard or monitor
   attached, and developers who want to debug the kernel or device drivers.

   As described in *** 12, FreeBSD ************, FreeBSD employs a three
   stage bootstrap. The first two stages are in the boot block code which is
   stored at the beginning of the FreeBSD slice on the boot disk. The boot
   block then loads and runs the boot loader as the third stage code.

   In order to set up booting from a serial console, the boot block code, the
   boot loader code, and the kernel need to be configured.

  26.6.1. ************ Console ******

   This section provides a fast overview of setting up the serial console.
   This procedure can be used when the dumb terminal is connected to COM1.

   ****** 26.1. Configuring a Serial Console on COM1
    1. Connect the serial cable to COM1 and the controlling terminal.

    2. To configure boot messages to display on the serial console, issue the
       following command as the superuser:

 # sysrc -f /boot/loader.conf console=comconsole

    3. Edit /etc/ttys and change off to on and dialup to vt100 for the ttyu0
       entry. Otherwise, a password will not be required to connect via the
       serial console, resulting in a potential security hole.

    4. Reboot the system to see if the changes took effect.

   If a different configuration is required, see the next section for a more
   in-depth configuration explanation.

  26.6.2. ************ Console ******

   This section provides a more detailed explanation of the steps needed to
   setup a serial console in FreeBSD.

   ****** 26.2. Configuring a Serial Console
    1. Prepare a serial cable.

       Use either a null-modem cable or a standard serial cable and a
       null-modem adapter. See *** 26.2.1, "***************" for a discussion
       on serial cables.

    2. Unplug the keyboard.

       Many systems probe for the keyboard during the Power-On Self-Test
       (POST) and will generate an error if the keyboard is not detected.
       Some machines will refuse to boot until the keyboard is plugged in.

       If the computer complains about the error, but boots anyway, no
       further configuration is needed.

       If the computer refuses to boot without a keyboard attached, configure
       the BIOS so that it ignores this error. Consult the motherboard's
       manual for details on how to do this.

  ******:

       Try setting the keyboard to "Not installed" in the BIOS. This setting
       tells the BIOS not to probe for a keyboard at power-on so it should
       not complain if the keyboard is absent. If that option is not present
       in the BIOS, look for an "Halt on Error" option instead. Setting this
       to "All but Keyboard" or to "No Errors" will have the same effect.

       If the system has a PS/2(R) mouse, unplug it as well. PS/2(R) mice
       share some hardware with the keyboard and leaving the mouse plugged in
       can fool the keyboard probe into thinking the keyboard is still there.

  ******:

       While most systems will boot without a keyboard, quite a few will not
       boot without a graphics adapter. Some systems can be configured to
       boot with no graphics adapter by changing the "graphics adapter"
       setting in the BIOS configuration to "Not installed". Other systems do
       not support this option and will refuse to boot if there is no display
       hardware in the system. With these machines, leave some kind of
       graphics card plugged in, even if it is just a junky mono board. A
       monitor does not need to be attached.

    3. Plug a dumb terminal, an old computer with a modem program, or the
       serial port on another UNIX(R) box into the serial port.

    4. Add the appropriate hint.sio.* entries to /boot/device.hints for the
       serial port. Some multi-port cards also require kernel configuration
       options. Refer to sio(4) for the required options and device hints for
       each supported serial port.

    5. Create boot.config in the root directory of the a partition on the
       boot drive.

       This file instructs the boot block code how to boot the system. In
       order to activate the serial console, one or more of the following
       options are needed. When using multiple options, include them all on
       the same line:

            -h

                    Toggles between the internal and serial consoles. Use
                    this to switch console devices. For instance, to boot
                    from the internal (video) console, use -h to direct the
                    boot loader and the kernel to use the serial port as its
                    console device. Alternatively, to boot from the serial
                    port, use -h to tell the boot loader and the kernel to
                    use the video display as the console instead.

            -D

                    Toggles between the single and dual console
                    configurations. In the single configuration, the console
                    will be either the internal console (video display) or
                    the serial port, depending on the state of -h. In the
                    dual console configuration, both the video display and
                    the serial port will become the console at the same time,
                    regardless of the state of -h. However, the dual console
                    configuration takes effect only while the boot block is
                    running. Once the boot loader gets control, the console
                    specified by -h becomes the only console.

            -P

                    Makes the boot block probe the keyboard. If no keyboard
                    is found, the -D and -h options are automatically set.

  ******:

                    Due to space constraints in the current version of the
                    boot blocks, -P is capable of detecting extended
                    keyboards only. Keyboards with less than 101 keys and
                    without F11 and F12 keys may not be detected. Keyboards
                    on some laptops may not be properly found because of this
                    limitation. If this is the case, do not use -P.

       Use either -P to select the console automatically or -h to activate
       the serial console. Refer to boot(8) and boot.config(5) for more
       details.

       The options, except for -P, are passed to the boot loader. The boot
       loader will determine whether the internal video or the serial port
       should become the console by examining the state of -h. This means
       that if -D is specified but -h is not specified in /boot.config, the
       serial port can be used as the console only during the boot block as
       the boot loader will use the internal video display as the console.

    6. Boot the machine.

       When FreeBSD starts, the boot blocks echo the contents of /boot.config
       to the console. For example:

 /boot.config: -P
 Keyboard: no

       The second line appears only if -P is in /boot.config and indicates
       the presence or absence of the keyboard. These messages go to either
       the serial or internal console, or both, depending on the option in
       /boot.config:

       Options                         Message goes to                        
       none                            internal console                       
       -h                              serial console                         
       -D                              serial and internal consoles           
       -Dh                             serial and internal consoles           
       -P, keyboard present            internal console                       
       -P, keyboard absent             serial console                         

       After the message, there will be a small pause before the boot blocks
       continue loading the boot loader and before any further messages are
       printed to the console. Under normal circumstances, there is no need
       to interrupt the boot blocks, but one can do so in order to make sure
       things are set up correctly.

       Press any key, other than Enter, at the console to interrupt the boot
       process. The boot blocks will then prompt for further action:

 >> FreeBSD/i386 BOOT
 Default: 0:ad(0,a)/boot/loader
 boot:

       Verify that the above message appears on either the serial or internal
       console, or both, according to the options in /boot.config. If the
       message appears in the correct console, press Enter to continue the
       boot process.

       If there is no prompt on the serial terminal, something is wrong with
       the settings. Enter -h then Enter or Return to tell the boot block
       (and then the boot loader and the kernel) to choose the serial port
       for the console. Once the system is up, go back and check what went
       wrong.

   During the third stage of the boot process, one can still switch between
   the internal console and the serial console by setting appropriate
   environment variables in the boot loader. See loader(8) for more
   information.

  ******:

   This line in /boot/loader.conf or /boot/loader.conf.local configures the
   boot loader and the kernel to send their boot messages to the serial
   console, regardless of the options in /boot.config:

 console="comconsole"

   That line should be the first line of /boot/loader.conf so that boot
   messages are displayed on the serial console as early as possible.

   If that line does not exist, or if it is set to console="vidconsole", the
   boot loader and the kernel will use whichever console is indicated by -h
   in the boot block. See loader.conf(5) for more information.

   At the moment, the boot loader has no option equivalent to -P in the boot
   block, and there is no provision to automatically select the internal
   console and the serial console based on the presence of the keyboard.

  ******:

   While it is not required, it is possible to provide a login prompt over
   the serial line. To configure this, edit the entry for the serial port in
   /etc/ttys using the instructions in *** 26.3.1, "***************". If the
   speed of the serial port has been changed, change std.9600 to match the
   new setting.

  26.6.3. ************************************

   By default, the serial port settings are 9600 baud, 8 bits, no parity, and
   1 stop bit. To change the default console speed, use one of the following
   options:

     * Edit /etc/make.conf and set BOOT_COMCONSOLE_SPEED to the new console
       speed. Then, recompile and install the boot blocks and the boot
       loader:

 # cd /sys/boot
 # make clean
 # make
 # make install

       If the serial console is configured in some other way than by booting
       with -h, or if the serial console used by the kernel is different from
       the one used by the boot blocks, add the following option, with the
       desired speed, to a custom kernel configuration file and compile a new
       kernel:

 options CONSPEED=19200

     * Add the -S19200 boot option to /boot.config, replacing 19200 with the
       speed to use.

     * Add the following options to /boot/loader.conf. Replace 115200 with
       the speed to use.

 boot_multicons="YES"
 boot_serial="YES"
 comconsole_speed="115200"
 console="comconsole,vidconsole"

  26.6.4. *************** (Serial Line) ****** DDB ************

   To configure the ability to drop into the kernel debugger from the serial
   console, add the following options to a custom kernel configuration file
   and compile the kernel using the instructions in *** 8, ****** FreeBSD
   ******. Note that while this is useful for remote diagnostics, it is also
   dangerous if a spurious BREAK is generated on the serial port. Refer to
   ddb(4) and ddb(8) for more information about the kernel debugger.

 options BREAK_TO_DEBUGGER
 options DDB

*** 27. PPP

   ************

   27.1. ******

   27.2. ****** PPP

   27.3. PPP ******************

   27.4. ********************* PPP (PPPoE)

   27.5. *** ATM ****** PPP (PPPoA)

27.1. ******

   FreeBSD *************** (Point-to-Point, PPP)
   *****************************************************************************._******************************
   FreeBSD ***************************************._

   ****************************

     * ************,_****** PPP *********************._

     * *************************** (Ethernet) ****** PPP (PPPoE)._

     * *************** ATM ****** PPP (PPPoA)._

   ****************************************

     * ************************._

     * ********************* PPP ******************._

27.2. ****** PPP

   FreeBSD provides built-in support for managing dial-up PPP connections
   using ppp(8). The default FreeBSD kernel provides support for tun which is
   used to interact with a modem hardware. Configuration is performed by
   editing at least one configuration file, and configuration files
   containing examples are provided. Finally, ppp is used to start and manage
   connections.

   In order to use a PPP connection, the following items are needed:

     * A dial-up account with an Internet Service Provider (ISP).

     * A dial-up modem.

     * The dial-up number for the ISP.

     * The login name and password assigned by the ISP.

     * The IP address of one or more DNS servers. Normally, the ISP provides
       these addresses. If it did not, FreeBSD can be configured to use DNS
       negotiation.

   If any of the required information is missing, contact the ISP.

   The following information may be supplied by the ISP, but is not
   necessary:

     * The IP address of the default gateway. If this information is unknown,
       the ISP will automatically provide the correct value during connection
       setup. When configuring PPP on FreeBSD, this address is referred to as
       HISADDR.

     * The subnet mask. If the ISP has not provided one, 255.255.255.255 will
       be used in the ppp(8) configuration file.

     * If the ISP has assigned a static IP address and hostname, it should be
       input into the configuration file. Otherwise, this information will be
       automatically provided during connection setup.

   The rest of this section demonstrates how to configure FreeBSD for common
   PPP connection scenarios. The required configuration file is
   /etc/ppp/ppp.conf and additional files and examples are available in
   /usr/share/examples/ppp/.

  ******:

   Throughout this section, many of the file examples display line numbers.
   These line numbers have been added to make it easier to follow the
   discussion and are not meant to be placed in the actual file.

   When editing a configuration file, proper indentation is important. Lines
   that end in a : start in the first column (beginning of the line) while
   all other lines should be indented as shown using spaces or tabs.

  27.2.1. ************

   In order to configure a PPP connection, first edit /etc/ppp/ppp.conf with
   the dial-in information for the ISP. This file is described as follows:

 1     default:
 2       set log Phase Chat LCP IPCP CCP tun command
 3       ident user-ppp VERSION
 4       set device /dev/cuau0
 5       set speed 115200
 6       set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
 7                 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 8       set timeout 180
 9       enable dns
 10
 11    provider:
 12      set phone "(123) 456 7890"
 13      set authname foo
 14      set authkey bar
 15      set timeout 300
 16      set ifaddr x.x.x.x/0 y.y.y.y/0 255.255.255.255 0.0.0.0
 17      add default HISADDR

   Line 1:

           Identifies the default entry. Commands in this entry (lines 2
           through 9) are executed automatically when ppp is run.

   Line 2:

           Enables verbose logging parameters for testing the connection.
           Once the configuration is working satisfactorily, this line should
           be reduced to:

 set log phase tun

   Line 3:

           Displays the version of ppp(8) to the PPP software running on the
           other side of the connection.

   Line 4:

           Identifies the device to which the modem is connected, where COM1
           is /dev/cuau0 and COM2 is /dev/cuau1.

   Line 5:

           Sets the connection speed. If 115200 does not work on an older
           modem, try 38400 instead.

   Lines 6 & 7:

           The dial string written as an expect-send syntax. Refer to chat(8)
           for more information.

           Note that this command continues onto the next line for
           readability. Any command in ppp.conf may do this if the last
           character on the line is \.

   Line 8:

           Sets the idle timeout for the link in seconds.

   Line 9:

           Instructs the peer to confirm the DNS settings. If the local
           network is running its own DNS server, this line should be
           commented out, by adding a # at the beginning of the line, or
           removed.

   Line 10:

           A blank line for readability. Blank lines are ignored by ppp(8).

   Line 11:

           Identifies an entry called provider. This could be changed to the
           name of the ISP so that load ISP can be used to start the
           connection.

   Line 12:

           Use the phone number for the ISP. Multiple phone numbers may be
           specified using the colon (:) or pipe character (|) as a
           separator. To rotate through the numbers, use a colon. To always
           attempt to dial the first number first and only use the other
           numbers if the first number fails, use the pipe character. Always
           enclose the entire set of phone numbers between quotation marks
           (") to prevent dialing failures.

   Lines 13 & 14:

           Use the user name and password for the ISP.

   Line 15:

           Sets the default idle timeout in seconds for the connection. In
           this example, the connection will be closed automatically after
           300 seconds of inactivity. To prevent a timeout, set this value to
           zero.

   Line 16:

           Sets the interface addresses. The values used depend upon whether
           a static IP address has been obtained from the ISP or if it
           instead negotiates a dynamic IP address during connection.

           If the ISP has allocated a static IP address and default gateway,
           replace x.x.x.x with the static IP address and replace y.y.y.y
           with the IP address of the default gateway. If the ISP has only
           provided a static IP address without a gateway address, replace
           y.y.y.y with 10.0.0.2/0.

           If the IP address changes whenever a connection is made, change
           this line to the following value. This tells ppp(8) to use the IP
           Configuration Protocol (IPCP) to negotiate a dynamic IP address:

 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255 0.0.0.0

   Line 17:

           Keep this line as-is as it adds a default route to the gateway.
           The HISADDR will automatically be replaced with the gateway
           address specified on line 16. It is important that this line
           appears after line 16.

   Depending upon whether ppp(8) is started manually or automatically, a
   /etc/ppp/ppp.linkup may also need to be created which contains the
   following lines. This file is required when running ppp in -auto mode.
   This file is used after the connection has been established. At this
   point, the IP address will have been assigned and it is now be possible to
   add the routing table entries. When creating this file, make sure that
   provider matches the value demonstrated in line 11 of ppp.conf.

 provider:
       add default HISADDR

   This file is also needed when the default gateway address is "guessed" in
   a static IP address configuration. In this case, remove line 17 from
   ppp.conf and create /etc/ppp/ppp.linkup with the above two lines. More
   examples for this file can be found in /usr/share/examples/ppp/.

   By default, ppp must be run as root. To change this default, add the
   account of the user who should run ppp to the network group in /etc/group.

   Then, give the user access to one or more entries in /etc/ppp/ppp.conf
   with allow. For example, to give fred and mary permission to only the
   provider: entry, add this line to the provider: section:

 allow users fred mary

   To give the specified users access to all entries, put that line in the
   default section instead.

  27.2.2. ************

   It is possible to configure PPP to supply DNS and NetBIOS nameserver
   addresses on demand.

   To enable these extensions with PPP version 1.x, the following lines might
   be added to the relevant section of /etc/ppp/ppp.conf.

 enable msext
 set ns 203.14.100.1 203.14.100.2
 set nbns 203.14.100.5

   And for PPP version 2 and above:

 accept dns
 set dns 203.14.100.1 203.14.100.2
 set nbns 203.14.100.5

   This will tell the clients the primary and secondary name server
   addresses, and a NetBIOS nameserver host.

   In version 2 and above, if the set dns line is omitted, PPP will use the
   values found in /etc/resolv.conf.

    27.2.2.1. PAP *** CHAP ******

   Some ISPs set their system up so that the authentication part of the
   connection is done using either of the PAP or CHAP authentication
   mechanisms. If this is the case, the ISP will not give a login: prompt at
   connection, but will start talking PPP immediately.

   PAP is less secure than CHAP, but security is not normally an issue here
   as passwords, although being sent as plain text with PAP, are being
   transmitted down a serial line only. There is not much room for crackers
   to "eavesdrop".

   The following alterations must be made:

 13      set authname MyUserName
 14      set authkey MyPassword
 15      set login

   Line 13:

           This line specifies the PAP/CHAP user name. Insert the correct
           value for MyUserName.

   Line 14:

           This line specifies the PAP/CHAP password. Insert the correct
           value for MyPassword. You may want to add an additional line, such
           as:

 16      accept PAP

           ***

 16      accept CHAP

           to make it obvious that this is the intention, but PAP and CHAP
           are both accepted by default.

   Line 15:

           The ISP will not normally require a login to the server when using
           PAP or CHAP. Therefore, disable the "set login" string.

    27.2.2.2. ****** PPP ************************

   PPP has ability to use internal NAT without kernel diverting capabilities.
   This functionality may be enabled by the following line in
   /etc/ppp/ppp.conf:

 nat enable yes

   Alternatively, NAT may be enabled by command-line option -nat. There is
   also /etc/rc.conf knob named ppp_nat, which is enabled by default.

   When using this feature, it may be useful to include the following
   /etc/ppp/ppp.conf options to enable incoming connections forwarding:

 nat port tcp 10.0.0.2:ftp ftp
 nat port tcp 10.0.0.2:http http

   or do not trust the outside at all

 nat deny_incoming yes

  27.2.3. ******************

   While ppp is now configured, some edits still need to be made to
   /etc/rc.conf.

   Working from the top down in this file, make sure the hostname= line is
   set:

 hostname="foo.example.com"

   If the ISP has supplied a static IP address and name, use this name as the
   host name.

   Look for the network_interfaces variable. To configure the system to dial
   the ISP on demand, make sure the tun0 device is added to the list,
   otherwise remove it.

 network_interfaces="lo0 tun0"
 ifconfig_tun0=

  ******:

   The ifconfig_tun0 variable should be empty, and a file called
   /etc/start_if.tun0 should be created. This file should contain the line:

 ppp -auto mysystem

   This script is executed at network configuration time, starting the ppp
   daemon in automatic mode. If this machine acts as a gateway, consider
   including -alias. Refer to the manual page for further details.

   Make sure that the router program is set to NO with the following line in
   /etc/rc.conf:

 router_enable="NO"

   It is important that the routed daemon is not started, as routed tends to
   delete the default routing table entries created by ppp.

   It is probably a good idea to ensure that the sendmail_flags line does not
   include the -q option, otherwise sendmail will attempt to do a network
   lookup every now and then, possibly causing your machine to dial out. You
   may try:

 sendmail_flags="-bd"

   The downside is that sendmail is forced to re-examine the mail queue
   whenever the ppp link. To automate this, include !bg in ppp.linkup:

 1     provider:
 2       delete ALL
 3       add 0 0 HISADDR
 4       !bg sendmail -bd -q30m

   An alternative is to set up a "dfilter" to block SMTP traffic. Refer to
   the sample files for further details.

  27.2.4. ****** ppp

   All that is left is to reboot the machine. After rebooting, either type:

 # ppp

   and then dial provider to start the PPP session, or, to configure ppp to
   establish sessions automatically when there is outbound traffic and
   start_if.tun0 does not exist, type:

 # ppp -auto provider

   It is possible to talk to the ppp program while it is running in the
   background, but only if a suitable diagnostic port has been set up. To do
   this, add the following line to the configuration:

 set server /var/run/ppp-tun%d DiagnosticPassword 0177

   This will tell PPP to listen to the specified UNIX(R) domain socket,
   asking clients for the specified password before allowing access. The %d
   in the name is replaced with the tun device number that is in use.

   Once a socket has been set up, the pppctl(8) program may be used in
   scripts that wish to manipulate the running program.

  27.2.5. ******************

   *** 26.4, "************" provides a good description on enabling dial-up
   services using getty(8).

   An alternative to getty is comms/mgetty+sendfax port), a smarter version
   of getty designed with dial-up lines in mind.

   The advantages of using mgetty is that it actively talks to modems,
   meaning if port is turned off in /etc/ttys then the modem will not answer
   the phone.

   Later versions of mgetty (from 0.99beta onwards) also support the
   automatic detection of PPP streams, allowing clients scriptless access to
   the server.

   Refer to http://mgetty.greenie.net/doc/mgetty_toc.html for more
   information on mgetty.

   By default the comms/mgetty+sendfax port comes with the AUTO_PPP option
   enabled allowing mgetty to detect the LCP phase of PPP connections and
   automatically spawn off a ppp shell. However, since the default
   login/password sequence does not occur it is necessary to authenticate
   users using either PAP or CHAP.

   This section assumes the user has successfully compiled, and installed the
   comms/mgetty+sendfax port on his system.

   Ensure that /usr/local/etc/mgetty+sendfax/login.config has the following:

 /AutoPPP/ -     - /etc/ppp/ppp-pap-dialup

   This tells mgetty to run ppp-pap-dialup for detected PPP connections.

   Create an executable file called /etc/ppp/ppp-pap-dialup containing the
   following:

 #!/bin/sh
 exec /usr/sbin/ppp -direct pap$IDENT

   For each dial-up line enabled in /etc/ttys, create a corresponding entry
   in /etc/ppp/ppp.conf. This will happily co-exist with the definitions we
   created above.

 pap:
   enable pap
   set ifaddr 203.14.100.1 203.14.100.20-203.14.100.40
   enable proxy

   Each user logging in with this method will need to have a
   username/password in /etc/ppp/ppp.secret, or alternatively add the
   following option to authenticate users via PAP from /etc/passwd.

 enable passwdauth

   To assign some users a static IP number, specify the number as the third
   argument in /etc/ppp/ppp.secret. See
   /usr/share/examples/ppp/ppp.secret.sample for examples.

27.3. PPP ******************

   This section covers a few issues which may arise when using PPP over a
   modem connection. Some ISPs present the ssword prompt while others present
   password. If the ppp script is not written accordingly, the login attempt
   will fail. The most common way to debug ppp connections is by connecting
   manually as described in this section.

  27.3.1. ******************

   When using a custom kernel, make sure to include the following line in the
   kernel configuration file:

 device   uart

   The uart device is already included in the GENERIC kernel, so no
   additional steps are necessary in this case. Just check the dmesg output
   for the modem device with:

 # dmesg | grep uart

   This should display some pertinent output about the uart devices. These
   are the COM ports we need. If the modem acts like a standard serial port,
   it should be listed on uart1, or COM2. If so, a kernel rebuild is not
   required. When matching up, if the modem is on uart1, the modem device
   would be /dev/cuau1.

  27.3.2. ************

   Connecting to the Internet by manually controlling ppp is quick, easy, and
   a great way to debug a connection or just get information on how the ISP
   treats ppp client connections. Lets start PPP from the command line. Note
   that in all of our examples we will use example as the hostname of the
   machine running PPP. To start ppp:

 # ppp

 ppp ON example> set device /dev/cuau1

   This second command sets the modem device to cuau1.

 ppp ON example> set speed 115200

   This sets the connection speed to 115,200 kbps.

 ppp ON example> enable dns

   This tells ppp to configure the resolver and add the nameserver lines to
   /etc/resolv.conf. If ppp cannot determine the hostname, it can manually be
   set later.

 ppp ON example> term

   This switches to "terminal" mode in order to manually control the modem.

 deflink: Entering terminal mode on /dev/cuau1
 type '~h' for help

 at
 OK
 atdt123456789

   Use at to initialize the modem, then use atdt and the number for the ISP
   to begin the dial in process.

 CONNECT

   Confirmation of the connection, if we are going to have any connection
   problems, unrelated to hardware, here is where we will attempt to resolve
   them.

 ISP Login:myusername

   At this prompt, return the prompt with the username that was provided by
   the ISP.

 ISP Pass:mypassword

   At this prompt, reply with the password that was provided by the ISP. Just
   like logging into FreeBSD, the password will not echo.

 Shell or PPP:ppp

   Depending on the ISP, this prompt might not appear. If it does, it is
   asking whether to use a shell on the provider or to start ppp. In this
   example, ppp was selected in order to establish an Internet connection.

 Ppp ON example>

   Notice that in this example the first p has been capitalized. This shows
   that we have successfully connected to the ISP.

 PPp ON example>

   We have successfully authenticated with our ISP and are waiting for the
   assigned IP address.

 PPP ON example>

   We have made an agreement on an IP address and successfully completed our
   connection.

 PPP ON example>add default HISADDR

   Here we add our default route, we need to do this before we can talk to
   the outside world as currently the only established connection is with the
   peer. If this fails due to existing routes, put a bang character ! in
   front of the add. Alternatively, set this before making the actual
   connection and it will negotiate a new route accordingly.

   If everything went good we should now have an active connection to the
   Internet, which could be thrown into the background using CTRL+z If PPP
   returns to ppp then the connection has bee lost. This is good to know
   because it shows the connection status. Capital P's represent a connection
   to the ISP and lowercase p's show that the connection has been lost.

  27.3.3. ******

   If a connection cannot be established, turn hardware flow CTS/RTS to off
   using set ctsrts off. This is mainly the case when connected to some
   PPP-capable terminal servers, where PPP hangs when it tries to write data
   to the communication link, and waits for a Clear To Send (CTS) signal
   which may never come. When using this option, include set accmap as it may
   be required to defeat hardware dependent on passing certain characters
   from end to end, most of the time XON/XOFF. Refer to ppp(8) for more
   information on this option and how it is used.

   An older modem may need set parity even. Parity is set at none be default,
   but is used for error checking with a large increase in traffic, on older
   modems.

   PPP may not return to the command mode, which is usually a negotiation
   error where the ISP is waiting for negotiating to begin. At this point,
   using ~p will force ppp to start sending the configuration information.

   If a login prompt never appears, PAP or CHAP authentication is most likely
   required. To use PAP or CHAP, add the following options to PPP before
   going into terminal mode:

 ppp ON example> set authname myusername

   Where myusername should be replaced with the username that was assigned by
   the ISP.

 ppp ON example> set authkey mypassword

   Where mypassword should be replaced with the password that was assigned by
   the ISP.

   If a connection is established, but cannot seem to find any domain name,
   try to ping(8) an IP address. If there is 100 percent (100%) packet loss,
   it is likely that a default route was not assigned. Double check that add
   default HISADDR was set during the connection. If a connection can be made
   to a remote IP address, it is possible that a resolver address has not
   been added to /etc/resolv.conf. This file should look like:

 domain example.com
 nameserver x.x.x.x
 nameserver y.y.y.y

   Where x.x.x.x and y.y.y.y should be replaced with the IP address of the
   ISP's DNS servers.

   To configure syslog(3) to provide logging for the PPP connection, make
   sure this line exists in /etc/syslog.conf:

 !ppp
 *.*     /var/log/ppp.log

27.4. ********************* PPP (PPPoE)

   *************************** ****************** PPP (PPPoE)._

   *************************** ppp.conf ********

 default:
   set log Phase tun command # you can add more detailed logging if you wish
   set ifaddr 10.0.0.1/0 10.0.0.2/0

 name_of_service_provider:
   set device PPPoE:xl1 # replace xl1 with your Ethernet device
   set authname YOURLOGINNAME
   set authkey YOURPASSWORD
   set dial
   set login
   add default HISADDR

   *** root **************

 # ppp -ddial name_of_service_provider

   ********************* /etc/rc.conf**

 ppp_enable="YES"
 ppp_mode="ddial"
 ppp_nat="YES"   # if you want to enable nat for your local network, otherwise NO
 ppp_profile="name_of_service_provider"

  27.4.1. ****** PPPoE ************

   ****************************** (Service Tag)
   **************************************************************************
   PPPoE *********._

   *************************************** ISP ***************************._

   ****************************** net/rr-pppoe *********
   Port._**********************************************************************************************************._********************************************************************
   System ******************** (Profile name)
   ************************************** ISP *********._

   ****************** (Profile Name) ***************************** ppp.conf
   ****** PPPoE **************set device ************ (Provider)
   ******._********* ppp(8) ****************************************

 set device PPPoE:xl1:ISP

   *************** xl1 *********************************._

   *************** ISP *********************._

   ************************************** Renaud Waldura ********* Cheaper
   Broadband with FreeBSD on DSL._

  27.4.2. *** 3Com(R) HomeConnect(R) ADSL Modem Dual Link ****** PPPoE

   *************************** RFC 2516 ******************._

   ************ FreeBSD *****************************************
   sysctl*********************** /etc/sysctl.conf
   ***************************._

 net.graph.nonstandard_pppoe=1

   *****************************************

 # sysctl net.graph.nonstandard_pppoe=1

   *************************************************************************
   PPPoE ****************************** 3Com(R) HomeConnect(R) ADSL
   *********************._

27.5. *** ATM ****** PPP (PPPoA)

   The following describes how to set up PPP over ATM (PPPoA). PPPoA is a
   popular choice among European DSL providers.

  27.5.1. ****** mpd

   The mpd application can be used to connect to a variety of services, in
   particular PPTP services. It can be installed using the net/mpd5 package
   or port. Many ADSL modems require that a PPTP tunnel is created between
   the modem and computer.

   Once installed, configure mpd to suit the provider's settings. The port
   places a set of sample configuration files which are well documented in
   /usr/local/etc/mpd/. A complete guide to configure mpd is available in
   HTML format in /usr/ports/share/doc/mpd/. Here is a sample configuration
   for connecting to an ADSL service with mpd. The configuration is spread
   over two files, first the mpd.conf:

  ******:

   This example mpd.conf only works with mpd 4.x.

 default:
     load adsl

 adsl:
     new -i ng0 adsl adsl
     set bundle authname username 1
     set bundle password password 2
     set bundle disable multilink

     set link no pap acfcomp protocomp
     set link disable chap
     set link accept chap
     set link keep-alive 30 10

     set ipcp no vjcomp
     set ipcp ranges 0.0.0.0/0 0.0.0.0/0

     set iface route default
     set iface disable on-demand
     set iface enable proxy-arp
     set iface idle 0

     open

   1   The username used to authenticate with your ISP.  
   2   The password used to authenticate with your ISP.  

   Information about the link, or links, to establish is found in mpd.links.
   An example mpd.links to accompany the above example is given beneath:

 adsl:
     set link type pptp
     set pptp mode active
     set pptp enable originate outcall
     set pptp self 10.0.0.1 1
     set pptp peer 10.0.0.138 2

   1 The IP address of FreeBSD computer running mpd.                          
   2 The IP address of the ADSL modem. The Alcatel SpeedTouch(TM) Home        
     defaults to 10.0.0.138.                                                  

   It is possible to initialize the connection easily by issuing the
   following command as root:

 # mpd -b adsl

   To view the status of the connection:

 % ifconfig ng0
 ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1500
      inet 216.136.204.117 --> 204.152.186.171 netmask 0xffffffff

   Using mpd is the recommended way to connect to an ADSL service with
   FreeBSD.

  27.5.2. ****** pptpclient

   It is also possible to use FreeBSD to connect to other PPPoA services
   using net/pptpclient.

   To use net/pptpclient to connect to a DSL service, install the port or
   package, then edit /etc/ppp/ppp.conf. An example section of ppp.conf is
   given below. For further information on ppp.conf options consult ppp(8).

 adsl:
  set log phase chat lcp ipcp ccp tun command
  set timeout 0
  enable dns
  set authname username 1
  set authkey password 2
  set ifaddr 0 0
  add default HISADDR

   1   The username for the DSL provider.  
   2   The password for your account.      

  ******:

   Since the account's password is added to ppp.confin plain text form, make
   sure nobody can read the contents of this file:

 # chown root:wheel /etc/ppp/ppp.conf
 # chmod 600 /etc/ppp/ppp.conf

   This will open a tunnel for a PPP session to the DSL router. Ethernet DSL
   modems have a preconfigured LAN IP address to connect to. In the case of
   the Alcatel SpeedTouch(TM) Home, this address is 10.0.0.138. The router's
   documentation should list the address the device uses. To open the tunnel
   and start a PPP session:

 # pptp address adsl

  ******:

   If an ampersand ("&") is added to the end of this command, pptp will
   return the prompt.

   A tun virtual tunnel device will be created for interaction between the
   pptp and ppp processes. Once the prompt is returned, or the pptp process
   has confirmed a connection, examine the tunnel:

 % ifconfig tun0
 tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
         inet 216.136.204.21 --> 204.152.186.171 netmask 0xffffff00
         Opened by PID 918

   If the connection fails, check the configuration of the router, which is
   usually accessible using a web browser. Also, examine the output of pptp
   and the contents of the log file, /var/log/ppp.log for clues.

*** 28. ************

   Original work by Bill Lloyd.
   Rewritten by Jim Mock.
   ************

   28.1. ******

   28.2. ************

   28.3. Sendmail *********

   28.4. ******************************

   28.5. ************

   28.6. ************

   28.7. ************

   28.8. ***************************

   28.9. SMTP ******

   28.10. ***************************

   28.11. ****** fetchmail

   28.12. ****** procmail

28.1. ******

   "************" ******
   email***********************************************._***************************
   FreeBSD ******************************************** FreeBSD
   ***************************************** ****** B, ************
   ******************._

   ****************************

     * *********************************************._

     * FreeBSD ****** Sendmail ***************._

     * ************ (Mailbox) ************************._

     * ********************************* (Spammer)
       ******************************************._

     * ****************************************************** (Mail Transfer
       Agent) ********* Sendmail._

     * ******************************************._

     * ************************************._

     * ************************************._

     * ************ SMTP ************************._

     * ************************************************ (Mail User Agent) ***
       mutt ******************************._

     * ****************** POP *** IMAP *********************._

     * ***************************************************************._

   ****************************************

     * *************************** (*** 31, ******************)._

     * ****************************** DNS ****** (*** 29, ***************)._

     * *************************************** (*** 4,
       ***************************** Port)._

28.2. ************

   There are five major parts involved in an email exchange: the Mail User
   Agent (MUA), the Mail Transfer Agent (MTA), a mail host, a remote or local
   mailbox, and DNS. This section provides an overview of these components.

   *************************** (Mail User Agent, MUA)

           The Mail User Agent (MUA) is an application which is used to
           compose, send, and receive emails. This application can be a
           command line program, such as the built-in mail utility or a
           third-party application from the Ports Collection, such as mutt,
           alpine, or elm. Dozens of graphical programs are also available in
           the Ports Collection, including Claws Mail, Evolution, and
           Thunderbird. Some organizations provide a web mail program which
           can be accessed through a web browser. More information about
           installing and using a MUA on FreeBSD can be found in *** 28.10,
           "***************************".

   ************************ (Mail Transfer Agent, MTA)

           The Mail Transfer Agent (MTA) is responsible for receiving
           incoming mail and delivering outgoing mail. FreeBSD ships with
           Sendmail as the default MTA, but it also supports numerous other
           mail server daemons, including Exim, Postfix, and qmail. Sendmail
           configuration is described in *** 28.3, "Sendmail *********". If
           another MTA is installed using the Ports Collection, refer to its
           post-installation message for FreeBSD-specific configuration
           details and the application's website for more general
           configuration instructions.

   ************ (Mail Host) *************** (Mailbox)

           The mail host is a server that is responsible for delivering and
           receiving mail for a host or a network. The mail host collects all
           mail sent to the domain and stores it either in the default mbox
           or the alternative Maildir format, depending on the configuration.
           Once mail has been stored, it may either be read locally using a
           MUA or remotely accessed and collected using protocols such as POP
           or IMAP. If mail is read locally, a POP or IMAP server does not
           need to be installed.

           To access mailboxes remotely, a POP or IMAP server is required as
           these protocols allow users to connect to their mailboxes from
           remote locations. IMAP offers several advantages over POP. These
           include the ability to store a copy of messages on a remote server
           after they are downloaded and concurrent updates. IMAP can be
           useful over low-speed links as it allows users to fetch the
           structure of messages without downloading them. It can also
           perform tasks such as searching on the server in order to minimize
           data transfer between clients and servers.

           Several POP and IMAP servers are available in the Ports
           Collection. These include mail/qpopper, mail/imap-uw,
           mail/courier-imap, and mail/dovecot2.

  ******:

           It should be noted that both POP and IMAP transmit information,
           including username and password credentials, in clear-text. To
           secure the transmission of information across these protocols,
           consider tunneling sessions over ssh(1) (*** 13.8.1.2, "SSH
           ******") or using SSL (*** 13.6, "OpenSSL").

   ****************** (DNS)

           The Domain Name System (DNS) and its daemon named play a large
           role in the delivery of email. In order to deliver mail from one
           site to another, the MTA will look up the remote site in DNS to
           determine which host will receive mail for the destination. This
           process also occurs when mail is sent from a remote host to the
           MTA.

           In addition to mapping hostnames to IP addresses, DNS is
           responsible for storing information specific to mail delivery,
           known as Mail eXchanger MX records. The MX record specifies which
           hosts will receive mail for a particular domain.

           To view the MX records for a domain, specify the type of record.
           Refer to host(1), for more details about this command:

 % host -t mx FreeBSD.org
 FreeBSD.org mail is handled by 10 mx1.FreeBSD.org

           Refer to *** 29.7, "****************** (DNS)" for more information
           about DNS and its configuration.

28.3. Sendmail *********

   Contributed by Christopher Shumway.

   Sendmail is the default MTA installed with FreeBSD. It accepts mail from
   MUAs and delivers it to the appropriate mail host, as defined by its
   configuration. Sendmail can also accept network connections and deliver
   mail to local mailboxes or to another program.

   The configuration files for Sendmail are located in /etc/mail. This
   section describes these files in more detail.

   /etc/mail/access

           This access database file defines which hosts or IP addresses have
           access to the local mail server and what kind of access they have.
           Hosts listed as OK, which is the default option, are allowed to
           send mail to this host as long as the mail's final destination is
           the local machine. Hosts listed as REJECT are rejected for all
           mail connections. Hosts listed as RELAY are allowed to send mail
           for any destination using this mail server. Hosts listed as ERROR
           will have their mail returned with the specified mail error. If a
           host is listed as SKIP, Sendmail will abort the current search for
           this entry without accepting or rejecting the mail. Hosts listed
           as QUARANTINE will have their messages held and will receive the
           specified text as the reason for the hold.

           Examples of using these options for both IPv4 and IPv6 addresses
           can be found in the FreeBSD sample configuration,
           /etc/mail/access.sample:

 # $FreeBSD$
 #
 # Mail relay access control list.  Default is to reject mail unless the
 # destination is local, or listed in /etc/mail/local-host-names
 #
 ## Examples (commented out for safety)
 #From:cyberspammer.com          ERROR:"550 We don't accept mail from spammers"
 #From:okay.cyberspammer.com     OK
 #Connect:sendmail.org           RELAY
 #To:sendmail.org                RELAY
 #Connect:128.32                 RELAY
 #Connect:128.32.2               SKIP
 #Connect:IPv6:1:2:3:4:5:6:7     RELAY
 #Connect:suspicious.example.com QUARANTINE:Mail from suspicious host
 #Connect:[127.0.0.3]            OK
 #Connect:[IPv6:1:2:3:4:5:6:7:8] OK

           To configure the access database, use the format shown in the
           sample to make entries in /etc/mail/access, but do not put a
           comment symbol (#) in front of the entries. Create an entry for
           each host or network whose access should be configured. Mail
           senders that match the left side of the table are affected by the
           action on the right side of the table.

           Whenever this file is updated, update its database and restart
           Sendmail:

 # makemap hash /etc/mail/access < /etc/mail/access
 # service sendmail restart

   /etc/mail/aliases

           This database file contains a list of virtual mailboxes that are
           expanded to users, files, programs, or other aliases. Here are a
           few entries to illustrate the file format:

 root: localuser
 ftp-bugs: joe,eric,paul
 bit.bucket:  /dev/null
 procmail: "|/usr/local/bin/procmail"

           The mailbox name on the left side of the colon is expanded to the
           target(s) on the right. The first entry expands the root mailbox
           to the localuser mailbox, which is then looked up in the
           /etc/mail/aliases database. If no match is found, the message is
           delivered to localuser. The second entry shows a mail list. Mail
           to ftp-bugs is expanded to the three local mailboxes joe, eric,
           and paul. A remote mailbox could be specified as user@example.com.
           The third entry shows how to write mail to a file, in this case
           /dev/null. The last entry demonstrates how to send mail to a
           program, /usr/local/bin/procmail, through a UNIX(R) pipe. Refer to
           aliases(5) for more information about the format of this file.

           Whenever this file is updated, run newaliases to update and
           initialize the aliases database.

   /etc/mail/sendmail.cf

           This is the master configuration file for Sendmail. It controls
           the overall behavior of Sendmail, including everything from
           rewriting email addresses to printing rejection messages to remote
           mail servers. Accordingly, this configuration file is quite
           complex. Fortunately, this file rarely needs to be changed for
           standard mail servers.

           The master Sendmail configuration file can be built from m4(1)
           macros that define the features and behavior of Sendmail. Refer to
           /usr/src/contrib/sendmail/cf/README for some of the details.

           Whenever changes to this file are made, Sendmail needs to be
           restarted for the changes to take effect.

   /etc/mail/virtusertable

           This database file maps mail addresses for virtual domains and
           users to real mailboxes. These mailboxes can be local, remote,
           aliases defined in /etc/mail/aliases, or files. This allows
           multiple virtual domains to be hosted on one machine.

           FreeBSD provides a sample configuration file in
           /etc/mail/virtusertable.sample to further demonstrate its format.
           The following example demonstrates how to create custom entries
           using that format:

 root@example.com                root
 postmaster@example.com          postmaster@noc.example.net
 @example.com                    joe

           This file is processed in a first match order. When an email
           address matches the address on the left, it is mapped to the local
           mailbox listed on the right. The format of the first entry in this
           example maps a specific email address to a local mailbox, whereas
           the format of the second entry maps a specific email address to a
           remote mailbox. Finally, any email address from example.com which
           has not matched any of the previous entries will match the last
           mapping and be sent to the local mailbox joe. When creating custom
           entries, use this format and add them to /etc/mail/virtusertable.
           Whenever this file is edited, update its database and restart
           Sendmail:

 # makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable
 # service sendmail restart

   /etc/mail/relay-domains

           In a default FreeBSD installation, Sendmail is configured to only
           send mail from the host it is running on. For example, if a POP
           server is available, users will be able to check mail from remote
           locations but they will not be able to send outgoing emails from
           outside locations. Typically, a few moments after the attempt, an
           email will be sent from MAILER-DAEMON with a 5.7 Relaying Denied
           message.

           The most straightforward solution is to add the ISP's FQDN to
           /etc/mail/relay-domains. If multiple addresses are needed, add
           them one per line:

 your.isp.example.com
 other.isp.example.net
 users-isp.example.org
 www.example.org

           After creating or editing this file, restart Sendmail with service
           sendmail restart.

           Now any mail sent through the system by any host in this list,
           provided the user has an account on the system, will succeed. This
           allows users to send mail from the system remotely without opening
           the system up to relaying SPAM from the Internet.

28.4. ******************************

   Written by Andrew Boothman.
   Information taken from emails written by Gregory Neil Shapiro.

   FreeBSD comes with Sendmail already installed as the MTA which is in
   charge of outgoing and incoming mail. However, the system administrator
   can change the system's MTA. A wide choice of alternative MTAs is
   available from the mail category of the FreeBSD Ports Collection.

   Once a new MTA is installed, configure and test the new software before
   replacing Sendmail. Refer to the documentation of the new MTA for
   information on how to configure the software.

   Once the new MTA is working, use the instructions in this section to
   disable Sendmail and configure FreeBSD to use the replacement MTA.

  28.4.1. ****** Sendmail

  ******:

   If Sendmail's outgoing mail service is disabled, it is important that it
   is replaced with an alternative mail delivery system. Otherwise, system
   functions such as periodic(8) will be unable to deliver their results by
   email. Many parts of the system expect a functional MTA. If applications
   continue to use Sendmail's binaries to try to send email after they are
   disabled, mail could go into an inactive Sendmail queue and never be
   delivered.

   In order to completely disable Sendmail, add or edit the following lines
   in /etc/rc.conf:

 sendmail_enable="NO"
 sendmail_submit_enable="NO"
 sendmail_outbound_enable="NO"
 sendmail_msp_queue_enable="NO"

   To only disable Sendmail's incoming mail service, use only this entry in
   /etc/rc.conf:

 sendmail_enable="NO"

   More information on Sendmail's startup options is available in
   rc.sendmail(8).

  28.4.2. *************** MTA

   When a new MTA is installed using the Ports Collection, its startup script
   is also installed and startup instructions are mentioned in its package
   message. Before starting the new MTA, stop the running Sendmail processes.
   This example stops all of these services, then starts the Postfix service:

 # service sendmail stop
 # service postfix start

   To start the replacement MTA at system boot, add its configuration line to
   /etc/rc.conf. This entry enables the Postfix MTA:

 postfix_enable="YES"

   Some extra configuration is needed as Sendmail is so ubiquitous that some
   software assumes it is already installed and configured. Check
   /etc/periodic.conf and make sure that these values are set to NO. If this
   file does not exist, create it with these entries:

 daily_clean_hoststat_enable="NO"
 daily_status_mail_rejects_enable="NO"
 daily_status_include_submit_mailq="NO"
 daily_submit_queuerun="NO"

   Some alternative MTAs provide their own compatible implementations of the
   Sendmail command-line interface in order to facilitate using them as
   drop-in replacements for Sendmail. However, some MUAs may try to execute
   standard Sendmail binaries instead of the new MTA's binaries. FreeBSD uses
   /etc/mail/mailer.conf to map the expected Sendmail binaries to the
   location of the new binaries. More information about this mapping can be
   found in mailwrapper(8).

   The default /etc/mail/mailer.conf looks like this:

 # $FreeBSD$
 #
 # Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
 #
 sendmail        /usr/libexec/sendmail/sendmail
 send-mail       /usr/libexec/sendmail/sendmail
 mailq           /usr/libexec/sendmail/sendmail
 newaliases      /usr/libexec/sendmail/sendmail
 hoststat        /usr/libexec/sendmail/sendmail
 purgestat       /usr/libexec/sendmail/sendmail

   When any of the commands listed on the left are run, the system actually
   executes the associated command shown on the right. This system makes it
   easy to change what binaries are executed when these default binaries are
   invoked.

   Some MTAs, when installed using the Ports Collection, will prompt to
   update this file for the new binaries. For example, Postfix will update
   the file like this:

 #
 # Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
 #
 sendmail        /usr/local/sbin/sendmail
 send-mail       /usr/local/sbin/sendmail
 mailq           /usr/local/sbin/sendmail
 newaliases      /usr/local/sbin/sendmail

   If the installation of the MTA does not automatically update
   /etc/mail/mailer.conf, edit this file in a text editor so that it points
   to the new binaries. This example points to the binaries installed by
   mail/ssmtp:

 sendmail        /usr/local/sbin/ssmtp
 send-mail       /usr/local/sbin/ssmtp
 mailq           /usr/local/sbin/ssmtp
 newaliases      /usr/local/sbin/ssmtp
 hoststat        /usr/bin/true
 purgestat       /usr/bin/true

   Once everything is configured, it is recommended to reboot the system.
   Rebooting provides the opportunity to ensure that the system is correctly
   configured to start the new MTA automatically on boot.

28.5. ************

   28.5.1. Why do I have to use the FQDN for hosts on my site?

   28.5.2. How can I run a mail server on a dial-up PPP host?

28.5.1. Why do I have to use the FQDN for hosts on my site?                        
        The host may actually be in a different domain. For example, in order for  
        a host in foo.bar.edu to reach a host called mumble in the bar.edu domain, 
        refer to it by the Fully-Qualified Domain Name FQDN, mumble.bar.edu,       
        instead of just mumble.                                                    
                                                                                   
        This is because the version of BIND which ships with FreeBSD no longer     
        provides default abbreviations for non-FQDNs other than the local domain.  
        An unqualified host such as mumble must either be found as                 
        mumble.foo.bar.edu, or it will be searched for in the root domain.         
                                                                                   
        In older versions of BIND, the search continued across mumble.bar.edu, and 
        mumble.edu. RFC 1535 details why this is considered bad practice or even a 
        security hole.                                                             
                                                                                   
        As a good workaround, place the line:                                      
                                                                                   
        search foo.bar.edu bar.edu                                                 
                                                                                   
        instead of the previous:                                                   
                                                                                   
        domain foo.bar.edu                                                         
                                                                                   
        into /etc/resolv.conf. However, make sure that the search order does not   
        go beyond the "boundary between local and public administration", as RFC   
        1535 calls it.                                                             
28.5.2. How can I run a mail server on a dial-up PPP host?                         
        Connect to a FreeBSD mail gateway on the LAN. The PPP connection is        
        non-dedicated.                                                             
                                                                                   
        One way to do this is to get a full-time Internet server to provide        
        secondary MX services for the domain. In this example, the domain is       
        example.com and the ISP has configured example.net to provide secondary MX 
        services to the domain:                                                    
                                                                                   
        example.com.          MX        10      example.com.                       
                              MX        20      example.net.                       
                                                                                   
        Only one host should be specified as the final recipient. For Sendmail,    
        add Cw example.com in /etc/mail/sendmail.cf on example.com.                
                                                                                   
        When the sending MTA attempts to deliver mail, it will try to connect to   
        the system, example.com, over the PPP link. This will time out if the      
        destination is offline. The MTA will automatically deliver it to the       
        secondary MX site at the Internet Service Provider (ISP), example.net. The 
        secondary MX site will periodically try to connect to the primary MX host, 
        example.com.                                                               
                                                                                   
        Use something like this as a login script:                                 
                                                                                   
        #!/bin/sh                                                                  
        # Put me in /usr/local/bin/pppmyisp                                        
        ( sleep 60 ; /usr/sbin/sendmail -q ) &                                     
        /usr/sbin/ppp -direct pppmyisp                                             
                                                                                   
        When creating a separate login script for users, instead use sendmail      
        -qRexample.com in the script above. This will force all mail in the queue  
        for example.com to be processed immediately.                               
                                                                                   
        A further refinement of the situation can be seen from this example from   
        the FreeBSD Internet service provider's mailing list:                      
                                                                                   
        > we provide the secondary MX for a customer. The customer connects to     
        > our services several times a day automatically to get the mails to       
        > his primary MX (We do not call his site when a mail for his domains      
        > arrived). Our sendmail sends the mailqueue every 30 minutes. At the      
        > moment he has to stay 30 minutes online to be sure that all mail is      
        > gone to the primary MX.                                                  
        >                                                                          
        > Is there a command that would initiate sendmail to send all the mails    
        > now? The user has not root-privileges on our machine of course.          
                                                                                   
        In the "privacy flags" section of sendmail.cf, there is a                  
        definition Opgoaway,restrictqrun                                           
                                                                                   
        Remove restrictqrun to allow non-root users to start the queue processing. 
        You might also like to rearrange the MXs. We are the 1st MX for our        
        customers like this, and we have defined:                                  
                                                                                   
        # If we are the best MX for a host, try directly instead of generating     
        # local config error.                                                      
        OwTrue                                                                     
                                                                                   
        That way a remote site will deliver straight to you, without trying        
        the customer connection.  You then send to your customer.  Only works for  
        "hosts", so you need to get your customer to name their mail               
        machine "customer.com" as well as                                          
        "hostname.customer.com" in the DNS.  Just put an A record in               
        the DNS for "customer.com".                                                

28.6. ************

   This section covers more involved topics such as mail configuration and
   setting up mail for an entire domain.

  28.6.1. ************

   Out of the box, one can send email to external hosts as long as
   /etc/resolv.conf is configured or the network has access to a configured
   DNS server. To have email delivered to the MTA on the FreeBSD host, do one
   of the following:

     * Run a DNS server for the domain.

     * Get mail delivered directly to the FQDN for the machine.

   In order to have mail delivered directly to a host, it must have a
   permanent static IP address, not a dynamic IP address. If the system is
   behind a firewall, it must be configured to allow SMTP traffic. To receive
   mail directly at a host, one of these two must be configured:

     * Make sure that the lowest-numbered MX record in DNS points to the
       host's static IP address.

     * Make sure there is no MX entry in the DNS for the host.

   Either of the above will allow mail to be received directly at the host.

   Try this:

 # hostname
 example.FreeBSD.org
 # host example.FreeBSD.org
 example.FreeBSD.org has address 204.216.27.XX

   In this example, mail sent directly to <yourlogin@example.FreeBSD.org>
   should work without problems, assuming Sendmail is running correctly on
   example.FreeBSD.org.

   For this example:

 # host example.FreeBSD.org
 example.FreeBSD.org has address 204.216.27.XX
 example.FreeBSD.org mail is handled (pri=10) by nevdull.FreeBSD.org

   All mail sent to example.FreeBSD.org will be collected on hub under the
   same username instead of being sent directly to your host.

   The above information is handled by the DNS server. The DNS record that
   carries mail routing information is the MX entry. If no MX record exists,
   mail will be delivered directly to the host by way of its IP address.

   The MX entry for freefall.FreeBSD.org at one time looked like this:

 freefall                MX      30      mail.crl.net
 freefall                MX      40      agora.rdrop.com
 freefall                MX      10      freefall.FreeBSD.org
 freefall                MX      20      who.cdrom.com

   freefall had many MX entries. The lowest MX number is the host that
   receives mail directly, if available. If it is not accessible for some
   reason, the next lower-numbered host will accept messages temporarily, and
   pass it along when a lower-numbered host becomes available.

   Alternate MX sites should have separate Internet connections in order to
   be most useful. Your ISP can provide this service.

  28.6.2. ******************

   When configuring a MTA for a network, any mail sent to hosts in its domain
   should be diverted to the MTA so that users can receive their mail on the
   master mail server.

   To make life easiest, a user account with the same username should exist
   on both the MTA and the system with the MUA. Use adduser(8) to create the
   user accounts.

   The MTA must be the designated mail exchanger for each workstation on the
   network. This is done in theDNS configuration with an MX record:

 example.FreeBSD.org     A       204.216.27.XX           ; Workstation
                         MX      10 nevdull.FreeBSD.org  ; Mailhost

   This will redirect mail for the workstation to the MTA no matter where the
   A record points. The mail is sent to the MX host.

   This must be configured on a DNS server. If the network does not run its
   own DNS server, talk to the ISP or DNS provider.

   The following is an example of virtual email hosting. Consider a customer
   with the domain customer1.org, where all the mail for customer1.org should
   be sent to mail.myhost.com. The DNS entry should look like this:

 customer1.org           MX      10      mail.myhost.com

   An A> record is not needed for customer1.org in order to only handle email
   for that domain. However, running ping against customer1.org will not work
   unless an A record exists for it.

   Tell the MTA which domains and/or hostnames it should accept mail for.
   Either of the following will work for Sendmail:

     * Add the hosts to /etc/mail/local-host-names when using the
       FEATURE(use_cw_file).

     * Add a Cwyour.host.com line to /etc/sendmail.cf.

28.7. ************

   Contributed by Bill Moran.

   There are many instances where one may only want to send mail through a
   relay. Some examples are:

     * The computer is a desktop machine that needs to use programs such as
       mail(1), using the ISP's mail relay.

     * The computer is a server that does not handle mail locally, but needs
       to pass off all mail to a relay for processing.

   While any MTA is capable of filling this particular niche, it can be
   difficult to properly configure a full-featured MTA just to handle
   offloading mail. Programs such as Sendmail and Postfix are overkill for
   this use.

   Additionally, a typical Internet access service agreement may forbid one
   from running a "mail server".

   The easiest way to fulfill those needs is to install the mail/ssmtp port:

 # cd /usr/ports/mail/ssmtp
 # make install replace clean

   Once installed, mail/ssmtp can be configured with
   /usr/local/etc/ssmtp/ssmtp.conf:

 root=yourrealemail@example.com
 mailhub=mail.example.com
 rewriteDomain=example.com
 hostname=_HOSTNAME_

   Use the real email address for root. Enter the ISP's outgoing mail relay
   in place of mail.example.com. Some ISPs call this the "outgoing mail
   server" or "SMTP server".

   Make sure to disable Sendmail, including the outgoing mail service. See
   *** 28.4.1, "****** Sendmail" for details.

   mail/ssmtp has some other options available. Refer to the examples in
   /usr/local/etc/ssmtp or the manual page of ssmtp for more information.

   Setting up ssmtp in this manner allows any software on the computer that
   needs to send mail to function properly, while not violating the ISP's
   usage policy or allowing the computer to be hijacked for spamming.

28.8. ***************************

   When using a static IP address, one should not need to adjust the default
   configuration. Set the hostname to the assigned Internet name and Sendmail
   will do the rest.

   When using a dynamically assigned IP address and a dialup PPP connection
   to the Internet, one usually has a mailbox on the ISP's mail server. In
   this example, the ISP's domain is example.net, the user name is user, the
   hostname is bsd.home, and the ISP has allowed relay.example.net as a mail
   relay.

   In order to retrieve mail from the ISP's mailbox, install a retrieval
   agent from the Ports Collection. mail/fetchmail is a good choice as it
   supports many different protocols. Usually, the ISP will provide POP. When
   using user PPP, email can be automatically fetched when an Internet
   connection is established with the following entry in /etc/ppp/ppp.linkup:

 MYADDR:
 !bg su user -c fetchmail

   When using Sendmail to deliver mail to non-local accounts, configure
   Sendmail to process the mail queue as soon as the Internet connection is
   established. To do this, add this line after the above fetchmail entry in
   /etc/ppp/ppp.linkup:

   !bg su user -c "sendmail -q"

   In this example, there is an account for user on bsd.home. In the home
   directory of user on bsd.home, create a .fetchmailrc which contains this
   line:

 poll example.net protocol pop3 fetchall pass MySecret

   This file should not be readable by anyone except user as it contains the
   password MySecret.

   In order to send mail with the correct from: header, configure Sendmail to
   use <user@example.net> rather than <user@bsd.home> and to send all mail
   via relay.example.net, allowing quicker mail transmission.

   The following .mc should suffice:

 VERSIONID(`bsd.home.mc version 1.0')
 OSTYPE(bsd4.4)dnl
 FEATURE(nouucp)dnl
 MAILER(local)dnl
 MAILER(smtp)dnl
 Cwlocalhost
 Cwbsd.home
 MASQUERADE_AS(`example.net')dnl
 FEATURE(allmasquerade)dnl
 FEATURE(masquerade_envelope)dnl
 FEATURE(nocanonify)dnl
 FEATURE(nodns)dnl
 define(`SMART_HOST', `relay.example.net')
 Dmbsd.home
 define(`confDOMAIN_NAME',`bsd.home')dnl
 define(`confDELIVERY_MODE',`deferred')dnl

   Refer to the previous section for details of how to convert this file into
   the sendmail.cf format. Do not forget to restart Sendmail after updating
   sendmail.cf.

28.9. SMTP ******

   Written by James Gorham.

   Configuring SMTP authentication on the MTA provides a number of benefits.
   SMTP authentication adds a layer of security to Sendmail, and provides
   mobile users who switch hosts the ability to use the same MTA without the
   need to reconfigure their mail client's settings each time.

    1. Install security/cyrus-sasl2 from the Ports Collection. This port
       supports a number of compile-time options. For the SMTP authentication
       method demonstrated in this example, make sure that LOGIN is not
       disabled.

    2. After installing security/cyrus-sasl2, edit
       /usr/local/lib/sasl2/Sendmail.conf, or create it if it does not exist,
       and add the following line:

 pwcheck_method: saslauthd

    3. Next, install security/cyrus-sasl2-saslauthd and add the following
       line to /etc/rc.conf:

 saslauthd_enable="YES"

       Finally, start the saslauthd daemon:

 # service saslauthd start

       This daemon serves as a broker for Sendmail to authenticate against
       the FreeBSD passwd(5) database. This saves the trouble of creating a
       new set of usernames and passwords for each user that needs to use
       SMTP authentication, and keeps the login and mail password the same.

    4. Next, edit /etc/make.conf and add the following lines:

 SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
 SENDMAIL_LDFLAGS=-L/usr/local/lib
 SENDMAIL_LDADD=-lsasl2

       These lines provide Sendmail the proper configuration options for
       linking to cyrus-sasl2 at compile time. Make sure that cyrus-sasl2 has
       been installed before recompiling Sendmail.

    5. Recompile Sendmail by executing the following commands:

 # cd /usr/src/lib/libsmutil
 # make cleandir && make obj && make
 # cd /usr/src/lib/libsm
 # make cleandir && make obj && make
 # cd /usr/src/usr.sbin/sendmail
 # make cleandir && make obj && make && make install

       This compile should not have any problems if /usr/src has not changed
       extensively and the shared libraries it needs are available.

    6. After Sendmail has been compiled and reinstalled, edit
       /etc/mail/freebsd.mc or the local .mc. Many administrators choose to
       use the output from hostname(1) as the name of .mc for uniqueness. Add
       these lines:

 dnl set SASL options
 TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
 define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

       These options configure the different methods available to Sendmail
       for authenticating users. To use a method other than pwcheck, refer to
       the Sendmail documentation.

    7. Finally, run make(1) while in /etc/mail. That will run the new .mc and
       create a .cf named either freebsd.cf or the name used for the local
       .mc. Then, run make install restart, which will copy the file to
       sendmail.cf, and properly restart Sendmail. For more information about
       this process, refer to /etc/mail/Makefile.

   To test the configuration, use a MUA to send a test message. For further
   investigation, set the LogLevel of Sendmail to 13 and watch
   /var/log/maillog for any errors.

   For more information, refer to SMTP authentication.

28.10. ***************************

   Contributed by Marc Silver.

   A MUA is an application that is used to send and receive email. As email
   "evolves" and becomes more complex, MUAs are becoming increasingly
   powerful and provide users increased functionality and flexibility. The
   mail category of the FreeBSD Ports Collection contains numerous MUAs.
   These include graphical email clients such as Evolution or Balsa and
   console based clients such as mutt or alpine.

  28.10.1. mail

   mail(1) is the default MUA installed with FreeBSD. It is a console based
   MUA that offers the basic functionality required to send and receive
   text-based email. It provides limited attachment support and can only
   access local mailboxes.

   Although mail does not natively support interaction with POP or IMAP
   servers, these mailboxes may be downloaded to a local mbox using an
   application such as fetchmail.

   In order to send and receive email, run mail:

 % mail

   The contents of the user's mailbox in /var/mail are automatically read by
   mail. Should the mailbox be empty, the utility exits with a message
   indicating that no mail could be found. If mail exists, the application
   interface starts, and a list of messages will be displayed. Messages are
   automatically numbered, as can be seen in the following example:

 Mail version 8.1 6/6/93.  Type ? for help.
 "/var/mail/marcs": 3 messages 3 new
 >N  1 root@localhost        Mon Mar  8 14:05  14/510   "test"
  N  2 root@localhost        Mon Mar  8 14:05  14/509   "user account"
  N  3 root@localhost        Mon Mar  8 14:05  14/509   "sample"

   Messages can now be read by typing t followed by the message number. This
   example reads the first email:

 & t 1
 Message 1:
 From root@localhost  Mon Mar  8 14:05:52 2004
 X-Original-To: marcs@localhost
 Delivered-To: marcs@localhost
 To: marcs@localhost
 Subject: test
 Date: Mon,  8 Mar 2004 14:05:52 +0200 (SAST)
 From: root@localhost (Charlie Root)

 This is a test message, please reply if you receive it.

   As seen in this example, the message will be displayed with full headers.
   To display the list of messages again, press h.

   If the email requires a reply, press either R or r mail keys. R instructs
   mail to reply only to the sender of the email, while r replies to all
   other recipients of the message. These commands can be suffixed with the
   mail number of the message to reply to. After typing the response, the end
   of the message should be marked by a single . on its own line. An example
   can be seen below:

 & R 1
 To: root@localhost
 Subject: Re: test

 Thank you, I did get your email.
 .
 EOT

   In order to send a new email, press m, followed by the recipient email
   address. Multiple recipients may be specified by separating each address
   with the , delimiter. The subject of the message may then be entered,
   followed by the message contents. The end of the message should be
   specified by putting a single . on its own line.

 & mail root@localhost
 Subject: I mastered mail

 Now I can send and receive email using mail ... :)
 .
 EOT

   While using mail, press ? to display help at any time. Refer to mail(1)
   for more help on how to use mail.

  ******:

   mail(1) was not designed to handle attachments and thus deals with them
   poorly. Newer MUAs handle attachments in a more intelligent way. Users who
   prefer to use mail may find the converters/mpack port to be of
   considerable use.

  28.10.2. mutt

   mutt is a powerful MUA, with many features, including:

     * The ability to thread messages.

     * PGP support for digital signing and encryption of email.

     * MIME support.

     * Maildir support.

     * Highly customizable.

   Refer to http://www.mutt.org for more information on mutt.

   mutt may be installed using the mail/mutt port. After the port has been
   installed, mutt can be started by issuing the following command:

 % mutt

   mutt will automatically read and display the contents of the user mailbox
   in /var/mail. If no mails are found, mutt will wait for commands from the
   user. The example below shows mutt displaying a list of messages:

   To read an email, select it using the cursor keys and press Enter. An
   example of mutt displaying email can be seen below:

   Similar to mail(1), mutt can be used to reply only to the sender of the
   message as well as to all recipients. To reply only to the sender of the
   email, press r. To send a group reply to the original sender as well as
   all the message recipients, press g.

  ******:

   By default, mutt uses the vi(1) editor for creating and replying to
   emails. Each user can customize this by creating or editing the .muttrc in
   their home directory and setting the editor variable or by setting the
   EDITOR environment variable. Refer to http://www.mutt.org/ for more
   information about configuring mutt.

   To compose a new mail message, press m. After a valid subject has been
   given, mutt will start vi(1) so the email can be written. Once the
   contents of the email are complete, save and quit from vi. mutt will
   resume, displaying a summary screen of the mail that is to be delivered.
   In order to send the mail, press y. An example of the summary screen can
   be seen below:

   mutt contains extensive help which can be accessed from most of the menus
   by pressing ?. The top line also displays the keyboard shortcuts where
   appropriate.

  28.10.3. alpine

   alpine is aimed at a beginner user, but also includes some advanced
   features.

  ******:

   alpine has had several remote vulnerabilities discovered in the past,
   which allowed remote attackers to execute arbitrary code as users on the
   local system, by the action of sending a specially-prepared email. While
   known problems have been fixed, alpine code is written in an insecure
   style and the FreeBSD Security Officer believes there are likely to be
   other undiscovered vulnerabilities. Users install alpine at their own
   risk.

   The current version of alpine may be installed using the mail/alpine port.
   Once the port has installed, alpine can be started by issuing the
   following command:

 % alpine

   The first time alpine runs, it displays a greeting page with a brief
   introduction, as well as a request from the alpine development team to
   send an anonymous email message allowing them to judge how many users are
   using their client. To send this anonymous message, press Enter.
   Alternatively, press E to exit the greeting without sending an anonymous
   message. An example of the greeting page is shown below:

   The main menu is then presented, which can be navigated using the cursor
   keys. This main menu provides shortcuts for the composing new mails,
   browsing mail directories, and administering address book entries. Below
   the main menu, relevant keyboard shortcuts to perform functions specific
   to the task at hand are shown.

   The default directory opened by alpine is inbox. To view the message
   index, press I, or select the MESSAGE INDEX option shown below:

   The message index shows messages in the current directory and can be
   navigated by using the cursor keys. Highlighted messages can be read by
   pressing Enter.

   In the screenshot below, a sample message is displayed by alpine.
   Contextual keyboard shortcuts are displayed at the bottom of the screen.
   An example of one of a shortcut is r, which tells the MUA to reply to the
   current message being displayed.

   Replying to an email in alpine is done using the pico editor, which is
   installed by default with alpine. pico makes it easy to navigate the
   message and is easier for novice users to use than vi(1) or mail(1). Once
   the reply is complete, the message can be sent by pressing Ctrl+X. alpine
   will ask for confirmation before sending the message.

   alpine can be customized using the SETUP option from the main menu.
   Consult http://www.washington.edu/alpine/ for more information.

28.11. ****** fetchmail

   Contributed by Marc Silver.

   fetchmail is a full-featured IMAP and POP client. It allows users to
   automatically download mail from remote IMAP and POP servers and save it
   into local mailboxes where it can be accessed more easily. fetchmail can
   be installed using the mail/fetchmail port, and offers various features,
   including:

     * Support for the POP3, APOP, KPOP, IMAP, ETRN and ODMR protocols.

     * Ability to forward mail using SMTP, which allows filtering,
       forwarding, and aliasing to function normally.

     * May be run in daemon mode to check periodically for new messages.

     * Can retrieve multiple mailboxes and forward them, based on
       configuration, to different local users.

   This section explains some of the basic features of fetchmail. This
   utility requires a .fetchmailrc configuration in the user's home directory
   in order to run correctly. This file includes server information as well
   as login credentials. Due to the sensitive nature of the contents of this
   file, it is advisable to make it readable only by the user, with the
   following command:

 % chmod 600 .fetchmailrc

   The following .fetchmailrc serves as an example for downloading a single
   user mailbox using POP. It tells fetchmail to connect to example.com using
   a username of joesoap and a password of XXX. This example assumes that the
   user joesoap exists on the local system.

 poll example.com protocol pop3 username "joesoap" password "XXX"

   The next example connects to multiple POP and IMAP servers and redirects
   to different local usernames where applicable:

 poll example.com proto pop3:
 user "joesoap", with password "XXX", is "jsoap" here;
 user "andrea", with password "XXXX";
 poll example2.net proto imap:
 user "john", with password "XXXXX", is "myth" here;

   fetchmail can be run in daemon mode by running it with -d, followed by the
   interval (in seconds) that fetchmail should poll servers listed in
   .fetchmailrc. The following example configures fetchmail to poll every 600
   seconds:

 % fetchmail -d 600

   More information on fetchmail can be found at http://www.fetchmail.info/.

28.12. ****** procmail

   Contributed by Marc Silver.

   procmail is a powerful application used to filter incoming mail. It allows
   users to define "rules" which can be matched to incoming mails to perform
   specific functions or to reroute mail to alternative mailboxes or email
   addresses. procmail can be installed using the mail/procmail port. Once
   installed, it can be directly integrated into most MTAs. Consult the MTA
   documentation for more information. Alternatively, procmail can be
   integrated by adding the following line to a .forward in the home
   directory of the user:

 "|exec /usr/local/bin/procmail || exit 75"

   The following section displays some basic procmail rules, as well as brief
   descriptions of what they do. Rules must be inserted into a .procmailrc,
   which must reside in the user's home directory.

   The majority of these rules can be found in procmailex(5).

   To forward all mail from <user@example.com> to an external address of
   <goodmail@example2.com>:

 :0
 * ^From.*user@example.com
 ! goodmail@example2.com

   To forward all mails shorter than 1000 bytes to an external address of
   <goodmail@example2.com>:

 :0
 * < 1000
 ! goodmail@example2.com

   To send all mail sent to <alternate@example.com> to a mailbox called
   alternate:

 :0
 * ^TOalternate@example.com
 alternate

   To send all mail with a subject of "Spam" to /dev/null:

 :0
 ^Subject:.*Spam
 /dev/null

   A useful recipe that parses incoming FreeBSD.org mailing lists and places
   each list in its own mailbox:

 :0
 * ^Sender:.owner-freebsd-\/[^@]+@FreeBSD.ORG
 {
         LISTNAME=${MATCH}
         :0
         * LISTNAME??^\/[^@]+
         FreeBSD-${MATCH}
 }

*** 29. ***************

   ************

   29.1. ******

   29.2. inetd ***************

   29.3. ****************** (NFS)

   29.4. ****************** (NIS)

   29.5. *************************** (LDAP)

   29.6. ************************ (DHCP)

   29.7. ****************** (DNS)

   29.8. Apache HTTP *********

   29.9. ****************** (FTP)

   29.10. Microsoft(R) Windows(R) ****************************** (Samba)

   29.11. NTP ************

   29.12. iSCSI Initiator *** Target ******

29.1. ******

   ************************ UNIX(R)
   *****************************************,_******,_************************************************._******************************************._

   ****************************

     * ************ inetd Daemon._

     * ****************************** (Network File System, NFS)._

     * ********************************* (Network Information Server, NIS)
       ***************************************._

     * ************ FreeBSD ****** LDAP *********************

     * ****************** DHCP ******************._

     * ********************************* (Domain Name Server, DNS)._

     * ************ Apache HTTP *********._

     * ****************************** (File Transfer Protocol, FTP)
       *********._

     * ************ Samba *************************** Windows(R)
       ***************._

     * ******************************************************** (Network Time
       Protocol, NTP) *********************._

     * ************ iSCSI._

   **************************************

     * /etc/rc Script._

     * ************._

     * *************************** (*** 4, *****************************
       Port)._

29.2. inetd ***************

   The inetd(8) daemon is sometimes referred to as a Super-Server because it
   manages connections for many services. Instead of starting multiple
   applications, only the inetd service needs to be started. When a
   connection is received for a service that is managed by inetd, it
   determines which program the connection is destined for, spawns a process
   for that program, and delegates the program a socket. Using inetd for
   services that are not heavily used can reduce system load, when compared
   to running each daemon individually in stand-alone mode.

   Primarily, inetd is used to spawn other daemons, but several trivial
   protocols are handled internally, such as chargen, auth, time, echo,
   discard, and daytime.

   This section covers the basics of configuring inetd.

  29.2.1. *********

   Configuration of inetd is done by editing /etc/inetd.conf. Each line of
   this configuration file represents an application which can be started by
   inetd. By default, every line starts with a comment (#), meaning that
   inetd is not listening for any applications. To configure inetd to listen
   for an application's connections, remove the # at the beginning of the
   line for that application.

   After saving your edits, configure inetd to start at system boot by
   editing /etc/rc.conf:

 inetd_enable="YES"

   To start inetd now, so that it listens for the service you configured,
   type:

 # service inetd start

   Once inetd is started, it needs to be notified whenever a modification is
   made to /etc/inetd.conf:

   ****** 29.1. ************ inetd *********

 # service inetd reload

   Typically, the default entry for an application does not need to be edited
   beyond removing the #. In some situations, it may be appropriate to edit
   the default entry.

   As an example, this is the default entry for ftpd(8) over IPv4:

 ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l

   The seven columns in an entry are as follows:

 service-name
 socket-type
 protocol
 {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]
 user[:group][/login-class]
 server-program
 server-program-arguments

   where:

   service-name

           The service name of the daemon to start. It must correspond to a
           service listed in /etc/services. This determines which port inetd
           listens on for incoming connections to that service. When using a
           custom service, it must first be added to /etc/services.

   socket-type

           Either stream, dgram, raw, or seqpacket. Use stream for TCP
           connections and dgram for UDP services.

   protocol

           Use one of the following protocol names:

                  Protocol Name                      Explanation              
           tcp or tcp4                  TCP IPv4                              
           udp or udp4                  UDP IPv4                              
           tcp6                         TCP IPv6                              
           udp6                         UDP IPv6                              
           tcp46                        Both TCP IPv4 and IPv6                
           udp46                        Both UDP IPv4 and IPv6                

   {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]

           In this field, wait or nowait must be specified. max-child,
           max-connections-per-ip-per-minute and max-child-per-ip are
           optional.

           wait|nowait indicates whether or not the service is able to handle
           its own socket. dgram socket types must use wait while stream
           daemons, which are usually multi-threaded, should use nowait. wait
           usually hands off multiple sockets to a single daemon, while
           nowait spawns a child daemon for each new socket.

           The maximum number of child daemons inetd may spawn is set by
           max-child. For example, to limit ten instances of the daemon,
           place a /10 after nowait. Specifying /0 allows an unlimited number
           of children.

           max-connections-per-ip-per-minute limits the number of connections
           from any particular IP address per minute. Once the limit is
           reached, further connections from this IP address will be dropped
           until the end of the minute. For example, a value of /10 would
           limit any particular IP address to ten connection attempts per
           minute. max-child-per-ip limits the number of child processes that
           can be started on behalf on any single IP address at any moment.
           These options can limit excessive resource consumption and help to
           prevent Denial of Service attacks.

           An example can be seen in the default settings for fingerd(8):

 finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s

   user

           The username the daemon will run as. Daemons typically run as
           root, daemon, or nobody.

   server-program

           The full path to the daemon. If the daemon is a service provided
           by inetd internally, use internal.

   server-program-arguments

           Used to specify any command arguments to be passed to the daemon
           on invocation. If the daemon is an internal service, use internal.

  29.2.2. ***************

   Like most server daemons, inetd has a number of options that can be used
   to modify its behavior. By default, inetd is started with -wW -C 60. These
   options enable TCP wrappers for all services, including internal services,
   and prevent any IP address from requesting any service more than 60 times
   per minute.

   To change the default options which are passed to inetd, add an entry for
   inetd_flags in /etc/rc.conf. If inetd is already running, restart it with
   service inetd restart.

   The available rate limiting options are:

   -c maximum

           Specify the default maximum number of simultaneous invocations of
           each service, where the default is unlimited. May be overridden on
           a per-service basis by using max-child in /etc/inetd.conf.

   -C rate

           Specify the default maximum number of times a service can be
           invoked from a single IP address per minute. May be overridden on
           a per-service basis by using max-connections-per-ip-per-minute in
           /etc/inetd.conf.

   -R rate

           Specify the maximum number of times a service can be invoked in
           one minute, where the default is 256. A rate of 0 allows an
           unlimited number.

   -s maximum

           Specify the maximum number of times a service can be invoked from
           a single IP address at any one time, where the default is
           unlimited. May be overridden on a per-service basis by using
           max-child-per-ip in /etc/inetd.conf.

   Additional options are available. Refer to inetd(8) for the full list of
   options.

  29.2.3. ******************

   Many of the daemons which can be managed by inetd are not
   security-conscious. Some daemons, such as fingerd, can provide information
   that may be useful to an attacker. Only enable the services which are
   needed and monitor the system for excessive connection attempts.
   max-connections-per-ip-per-minute, max-child and max-child-per-ip can be
   used to limit such attacks.

   By default, TCP wrappers is enabled. Consult hosts_access(5) for more
   information on placing TCP restrictions on various inetd invoked daemons.

29.3. ****************** (NFS)

   Reorganized and enhanced by Tom Rhodes.
   Written by Bill Swingle.

   FreeBSD supports the Network File System (NFS), which allows a server to
   share directories and files with clients over a network. With NFS, users
   and programs can access files on remote systems as if they were stored
   locally.

   NFS has many practical uses. Some of the more common uses include:

     * Data that would otherwise be duplicated on each client can be kept in
       a single location and accessed by clients on the network.

     * Several clients may need access to the /usr/ports/distfiles directory.
       Sharing that directory allows for quick access to the source files
       without having to download them to each client.

     * On large networks, it is often more convenient to configure a central
       NFS server on which all user home directories are stored. Users can
       log into a client anywhere on the network and have access to their
       home directories.

     * Administration of NFS exports is simplified. For example, there is
       only one file system where security or backup policies must be set.

     * Removable media storage devices can be used by other machines on the
       network. This reduces the number of devices throughout the network and
       provides a centralized location to manage their security. It is often
       more convenient to install software on multiple machines from a
       centralized installation media.

   NFS consists of a server and one or more clients. The client remotely
   accesses the data that is stored on the server machine. In order for this
   to function properly, a few processes have to be configured and running.

   These daemons must be running on the server:

   Daemon                                ******                               
   nfsd    The NFS daemon which services requests from NFS clients.           
   mountd  The NFS mount daemon which carries out requests received from      
           nfsd.                                                              
   rpcbind This daemon allows NFS clients to discover which port the NFS      
           server is using.                                                   

   Running nfsiod(8) on the client can improve performance, but is not
   required.

  29.3.1. ***************

   The file systems which the NFS server will share are specified in
   /etc/exports. Each line in this file specifies a file system to be
   exported, which clients have access to that file system, and any access
   options. When adding entries to this file, each exported file system, its
   properties, and allowed hosts must occur on a single line. If no clients
   are listed in the entry, then any client on the network can mount that
   file system.

   The following /etc/exports entries demonstrate how to export file systems.
   The examples can be modified to match the file systems and client names on
   the reader's network. There are many options that can be used in this
   file, but only a few will be mentioned here. See exports(5) for the full
   list of options.

   This example shows how to export /cdrom to three hosts named alpha, bravo,
   and charlie:

 /cdrom -ro alpha bravo charlie

   The -ro flag makes the file system read-only, preventing clients from
   making any changes to the exported file system. This example assumes that
   the host names are either in DNS or in /etc/hosts. Refer to hosts(5) if
   the network does not have a DNS server.

   The next example exports /home to three clients by IP address. This can be
   useful for networks without DNS or /etc/hosts entries. The -alldirs flag
   allows subdirectories to be mount points. In other words, it will not
   automatically mount the subdirectories, but will permit the client to
   mount the directories that are required as needed.

 /usr/home  -alldirs  10.0.0.2 10.0.0.3 10.0.0.4

   This next example exports /a so that two clients from different domains
   may access that file system. The -maproot=root allows root on the remote
   system to write data on the exported file system as root. If -maproot=root
   is not specified, the client's root user will be mapped to the server's
   nobody account and will be subject to the access limitations defined for
   nobody.

 /a  -maproot=root  host.example.com box.example.org

   A client can only be specified once per file system. For example, if /usr
   is a single file system, these entries would be invalid as both entries
   specify the same host:

 # Invalid when /usr is one file system
 /usr/src   client
 /usr/ports client

   The correct format for this situation is to use one entry:

 /usr/src /usr/ports  client

   The following is an example of a valid export list, where /usr and
   /exports are local file systems:

 # Export src and ports to client01 and client02, but only
 # client01 has root privileges on it
 /usr/src /usr/ports -maproot=root    client01
 /usr/src /usr/ports               client02
 # The client machines have root and can mount anywhere
 # on /exports. Anyone in the world can mount /exports/obj read-only
 /exports -alldirs -maproot=root      client01 client02
 /exports/obj -ro

   To enable the processes required by the NFS server at boot time, add these
   options to /etc/rc.conf:

 rpcbind_enable="YES"
 nfs_server_enable="YES"
 mountd_flags="-r"

   The server can be started now by running this command:

 # service nfsd start

   Whenever the NFS server is started, mountd also starts automatically.
   However, mountd only reads /etc/exports when it is started. To make
   subsequent /etc/exports edits take effect immediately, force mountd to
   reread it:

 # service mountd reload

  29.3.2. ***************

   To enable NFS clients, set this option in each client's /etc/rc.conf:

 nfs_client_enable="YES"

   Then, run this command on each NFS client:

 # service nfsclient start

   The client now has everything it needs to mount a remote file system. In
   these examples, the server's name is server and the client's name is
   client. To mount /home on server to the /mnt mount point on client:

 # mount server:/home /mnt

   The files and directories in /home will now be available on client, in the
   /mnt directory.

   To mount a remote file system each time the client boots, add it to
   /etc/fstab:

 server:/home    /mnt    nfs     rw      0       0

   Refer to fstab(5) for a description of all available options.

  29.3.3. ******

   Some applications require file locking to operate correctly. To enable
   locking, add these lines to /etc/rc.conf on both the client and server:

 rpc_lockd_enable="YES"
 rpc_statd_enable="YES"

   Then start the applications:

 # service lockd start
 # service statd start

   If locking is not required on the server, the NFS client can be configured
   to lock locally by including -L when running mount. Refer to mount_nfs(8)
   for further details.

  29.3.4. ****** amd(8) ************

   Contributed by Wylie Stilwell.
   Rewritten by Chern Lee.

   The automatic mounter daemon, amd, automatically mounts a remote file
   system whenever a file or directory within that file system is accessed.
   File systems that are inactive for a period of time will be automatically
   unmounted by amd.

   This daemon provides an alternative to modifying /etc/fstab to list every
   client. It operates by attaching itself as an NFS server to the /host and
   /net directories. When a file is accessed within one of these directories,
   amd looks up the corresponding remote mount and automatically mounts it.
   /net is used to mount an exported file system from an IP address while
   /host is used to mount an export from a remote hostname. For instance, an
   attempt to access a file within /host/foobar/usr would tell amd to mount
   the /usr export on the host foobar.

   ****** 29.2. ****** amd ****** Export

   In this example, showmount -e shows the exported file systems that can be
   mounted from the NFS server, foobar:

 % showmount -e foobar
 Exports list on foobar:
 /usr                               10.10.10.0
 /a                                 10.10.10.0
 % cd /host/foobar/usr

   The output from showmount shows /usr as an export. When changing
   directories to /host/foobar/usr, amd intercepts the request and attempts
   to resolve the hostname foobar. If successful, amd automatically mounts
   the desired export.

   To enable amd at boot time, add this line to /etc/rc.conf:

 amd_enable="YES"

   To start amd now:

 # service amd start

   Custom flags can be passed to amd from the amd_flags environment variable.
   By default, amd_flags is set to:

 amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map"

   The default options with which exports are mounted are defined in
   /etc/amd.map. Some of the more advanced features of amd are defined in
   /etc/amd.conf.

   Consult amd(8) and amd.conf(5) for more information.

  29.3.5. ****** autofs(5) ************

  ******:

   The autofs(5) automount facility is supported starting with
   FreeBSD 10.1-RELEASE. To use the automounter functionality in older
   versions of FreeBSD, use amd(8) instead. This chapter only describes the
   autofs(5) automounter.

   The autofs(5) facility is a common name for several components that,
   together, allow for automatic mounting of remote and local filesystems
   whenever a file or directory within that file system is accessed. It
   consists of the kernel component, autofs(5), and several userspace
   applications: automount(8), automountd(8) and autounmountd(8). It serves
   as an alternative for amd(8) from previous FreeBSD releases. Amd is still
   provided for backward compatibility purposes, as the two use different map
   format; the one used by autofs is the same as with other SVR4
   automounters, such as the ones in Solaris, MacOS X, and Linux.

   The autofs(5) virtual filesystem is mounted on specified mountpoints by
   automount(8), usually invoked during boot.

   Whenever a process attempts to access file within the autofs(5)
   mountpoint, the kernel will notify automountd(8) daemon and pause the
   triggering process. The automountd(8) daemon will handle kernel requests
   by finding the proper map and mounting the filesystem according to it,
   then signal the kernel to release blocked process. The autounmountd(8)
   daemon automatically unmounts automounted filesystems after some time,
   unless they are still being used.

   The primary autofs configuration file is /etc/auto_master. It assigns
   individual maps to top-level mounts. For an explanation of auto_master and
   the map syntax, refer to auto_master(5).

   There is a special automounter map mounted on /net. When a file is
   accessed within this directory, autofs(5) looks up the corresponding
   remote mount and automatically mounts it. For instance, an attempt to
   access a file within /net/foobar/usr would tell automountd(8) to mount the
   /usr export from the host foobar.

   ****** 29.3. ****** autofs(5) ****** Export

   In this example, showmount -e shows the exported file systems that can be
   mounted from the NFS server, foobar:

 % showmount -e foobar
 Exports list on foobar:
 /usr                               10.10.10.0
 /a                                 10.10.10.0
 % cd /net/foobar/usr

   The output from showmount shows /usr as an export. When changing
   directories to /host/foobar/usr, automountd(8) intercepts the request and
   attempts to resolve the hostname foobar. If successful, automountd(8)
   automatically mounts the source export.

   To enable autofs(5) at boot time, add this line to /etc/rc.conf:

 autofs_enable="YES"

   Then autofs(5) can be started by running:

 # service automount start
 # service automountd start
 # service autounmountd start

   The autofs(5) map format is the same as in other operating systems.
   Information about this format from other sources can be useful, like the
   Mac OS X document.

   Consult the automount(8), automountd(8), autounmountd(8), and
   auto_master(5) manual pages for more information.

29.4. ****************** (NIS)

   Network Information System (NIS) is designed to centralize administration
   of UNIX(R)-like systems such as Solaris(TM), HP-UX, AIX(R), Linux, NetBSD,
   OpenBSD, and FreeBSD. NIS was originally known as Yellow Pages but the
   name was changed due to trademark issues. This is the reason why NIS
   commands begin with yp.

   NIS is a Remote Procedure Call (RPC)-based client/server system that
   allows a group of machines within an NIS domain to share a common set of
   configuration files. This permits a system administrator to set up NIS
   client systems with only minimal configuration data and to add, remove, or
   modify configuration data from a single location.

   FreeBSD uses version 2 of the NIS protocol.

  29.4.1. NIS ***************

   Table 28.1 summarizes the terms and important processes used by NIS:

   ****** 29.1. NIS ******

        ******                               ******                           
                    NIS servers and clients share an NIS domain name.         
   NIS domain name  Typically, this name does not have anything to do with    
                    DNS.                                                      
   rpcbind(8)       This service enables RPC and must be running in order to  
                    run an NIS server or act as an NIS client.                
                    This service binds an NIS client to its NIS server. It    
                    will take the NIS domain name and use RPC to connect to   
   ypbind(8)        the server. It is the core of client/server communication 
                    in an NIS environment. If this service is not running on  
                    a client machine, it will not be able to access the NIS   
                    server.                                                   
                    This is the process for the NIS server. If this service   
                    stops running, the server will no longer be able to       
   ypserv(8)        respond to NIS requests so hopefully, there is a slave    
                    server to take over. Some non-FreeBSD clients will not    
                    try to reconnect using a slave server and the ypbind      
                    process may need to be restarted on these clients.        
                    This process only runs on NIS master servers. This daemon 
   rpc.yppasswdd(8) allows NIS clients to change their NIS passwords. If this 
                    daemon is not running, users will have to login to the    
                    NIS master server and change their passwords there.       

  29.4.2. ************

   There are three types of hosts in an NIS environment:

     * NIS master server

       This server acts as a central repository for host configuration
       information and maintains the authoritative copy of the files used by
       all of the NIS clients. The passwd, group, and other various files
       used by NIS clients are stored on the master server. While it is
       possible for one machine to be an NIS master server for more than one
       NIS domain, this type of configuration will not be covered in this
       chapter as it assumes a relatively small-scale NIS environment.

     * NIS slave servers

       NIS slave servers maintain copies of the NIS master's data files in
       order to provide redundancy. Slave servers also help to balance the
       load of the master server as NIS clients always attach to the NIS
       server which responds first.

     * NIS clients

       NIS clients authenticate against the NIS server during log on.

   Information in many files can be shared using NIS. The master.passwd,
   group, and hosts files are commonly shared via NIS. Whenever a process on
   a client needs information that would normally be found in these files
   locally, it makes a query to the NIS server that it is bound to instead.

  29.4.3. ******************

   This section describes a sample NIS environment which consists of 15
   FreeBSD machines with no centralized point of administration. Each machine
   has its own /etc/passwd and /etc/master.passwd. These files are kept in
   sync with each other only through manual intervention. Currently, when a
   user is added to the lab, the process must be repeated on all 15 machines.

   The configuration of the lab will be as follows:

       Machine name            IP ******                Machine role          
   ellington             10.0.0.2               NIS master                    
   coltrane              10.0.0.3               NIS slave                     
   basie                 10.0.0.4               Faculty workstation           
   bird                  10.0.0.5               Client machine                
   cli[1-11]             10.0.0.[6-17]          Other client machines         

   If this is the first time an NIS scheme is being developed, it should be
   thoroughly planned ahead of time. Regardless of network size, several
   decisions need to be made as part of the planning process.

    29.4.3.1. ****** NIS ************

   When a client broadcasts its requests for info, it includes the name of
   the NIS domain that it is part of. This is how multiple servers on one
   network can tell which server should answer which request. Think of the
   NIS domain name as the name for a group of hosts.

   Some organizations choose to use their Internet domain name for their NIS
   domain name. This is not recommended as it can cause confusion when trying
   to debug network problems. The NIS domain name should be unique within the
   network and it is helpful if it describes the group of machines it
   represents. For example, the Art department at Acme Inc. might be in the
   "acme-art" NIS domain. This example will use the domain name test-domain.

   However, some non-FreeBSD operating systems require the NIS domain name to
   be the same as the Internet domain name. If one or more machines on the
   network have this restriction, the Internet domain name must be used as
   the NIS domain name.

    29.4.3.2. *********************

   There are several things to keep in mind when choosing a machine to use as
   a NIS server. Since NIS clients depend upon the availability of the
   server, choose a machine that is not rebooted frequently. The NIS server
   should ideally be a stand alone machine whose sole purpose is to be an NIS
   server. If the network is not heavily used, it is acceptable to put the
   NIS server on a machine running other services. However, if the NIS server
   becomes unavailable, it will adversely affect all NIS clients.

  29.4.4. ****** NIS Master *********

   The canonical copies of all NIS files are stored on the master server. The
   databases used to store the information are called NIS maps. In FreeBSD,
   these maps are stored in /var/yp/[domainname] where [domainname] is the
   name of the NIS domain. Since multiple domains are supported, it is
   possible to have several directories, one for each domain. Each domain
   will have its own independent set of maps.

   NIS master and slave servers handle all NIS requests through ypserv(8).
   This daemon is responsible for receiving incoming requests from NIS
   clients, translating the requested domain and map name to a path to the
   corresponding database file, and transmitting data from the database back
   to the client.

   Setting up a master NIS server can be relatively straight forward,
   depending on environmental needs. Since FreeBSD provides built-in NIS
   support, it only needs to be enabled by adding the following lines to
   /etc/rc.conf:

 nisdomainname="test-domain"     1
 nis_server_enable="YES"         2
 nis_yppasswdd_enable="YES"      3

   1 This line sets the NIS domain name to test-domain.                       
   2 This automates the start up of the NIS server processes when the system  
     boots.                                                                   
   3 This enables the rpc.yppasswdd(8) daemon so that users can change their  
     NIS password from a client machine.                                      

   Care must be taken in a multi-server domain where the server machines are
   also NIS clients. It is generally a good idea to force the servers to bind
   to themselves rather than allowing them to broadcast bind requests and
   possibly become bound to each other. Strange failure modes can result if
   one server goes down and others are dependent upon it. Eventually, all the
   clients will time out and attempt to bind to other servers, but the delay
   involved can be considerable and the failure mode is still present since
   the servers might bind to each other all over again.

   A server that is also a client can be forced to bind to a particular
   server by adding these additional lines to /etc/rc.conf:

 nis_client_enable="YES" # run client stuff as well
 nis_client_flags="-S NIS domain,server"

   After saving the edits, type /etc/netstart to restart the network and
   apply the values defined in /etc/rc.conf. Before initializing the NIS
   maps, start ypserv(8):

 # service ypserv start

    29.4.4.1. ********* NIS *********

   NIS maps are generated from the configuration files in /etc on the NIS
   master, with one exception: /etc/master.passwd. This is to prevent the
   propagation of passwords to all the servers in the NIS domain. Therefore,
   before the NIS maps are initialized, configure the primary password files:

 # cp /etc/master.passwd /var/yp/master.passwd
 # cd /var/yp
 # vi master.passwd

   It is advisable to remove all entries for system accounts as well as any
   user accounts that do not need to be propagated to the NIS clients, such
   as the root and any other administrative accounts.

  ******:

   Ensure that the /var/yp/master.passwd is neither group or world readable
   by setting its permissions to 600.

   After completing this task, initialize the NIS maps. FreeBSD includes the
   ypinit(8) script to do this. When generating maps for the master server,
   include -m and specify the NIS domain name:

 ellington# ypinit -m test-domain
 Server Type: MASTER Domain: test-domain
 Creating an YP server will require that you answer a few questions.
 Questions will all be asked at the beginning of the procedure.
 Do you want this procedure to quit on non-fatal errors? [y/n: n] n
 Ok, please remember to go back and redo manually whatever fails.
 If not, something might not work.
 At this point, we have to construct a list of this domains YP servers.
 rod.darktech.org is already known as master server.
 Please continue to add any slave servers, one per line. When you are
 done with the list, type a <control D>.
 master server   :  ellington
 next host to add:  coltrane
 next host to add:  ^D
 The current list of NIS servers looks like this:
 ellington
 coltrane
 Is this correct?  [y/n: y] y

 [..output from map generation..]

 NIS Map update completed.
 ellington has been setup as an YP master server without any errors.

   This will create /var/yp/Makefile from /var/yp/Makefile.dist. By default,
   this file assumes that the environment has a single NIS server with only
   FreeBSD clients. Since test-domain has a slave server, edit this line in
   /var/yp/Makefile so that it begins with a comment (#):

 NOPUSH = "True"

    29.4.4.2. ***************

   Every time a new user is created, the user account must be added to the
   master NIS server and the NIS maps rebuilt. Until this occurs, the new
   user will not be able to login anywhere except on the NIS master. For
   example, to add the new user jsmith to the test-domain domain, run these
   commands on the master server:

 # pw useradd jsmith
 # cd /var/yp
 # make test-domain

   The user could also be added using adduser jsmith instead of pw useradd
   smith.

  29.4.5. ****** NIS Slave *********

   To set up an NIS slave server, log on to the slave server and edit
   /etc/rc.conf as for the master server. Do not generate any NIS maps, as
   these already exist on the master server. When running ypinit on the slave
   server, use -s (for slave) instead of -m (for master). This option
   requires the name of the NIS master in addition to the domain name, as
   seen in this example:

 coltrane# ypinit -s ellington test-domain

 Server Type: SLAVE Domain: test-domain Master: ellington

 Creating an YP server will require that you answer a few questions.
 Questions will all be asked at the beginning of the procedure.

 Do you want this procedure to quit on non-fatal errors? [y/n: n]  n

 Ok, please remember to go back and redo manually whatever fails.
 If not, something might not work.
 There will be no further questions. The remainder of the procedure
 should take a few minutes, to copy the databases from ellington.
 Transferring netgroup...
 ypxfr: Exiting: Map successfully transferred
 Transferring netgroup.byuser...
 ypxfr: Exiting: Map successfully transferred
 Transferring netgroup.byhost...
 ypxfr: Exiting: Map successfully transferred
 Transferring master.passwd.byuid...
 ypxfr: Exiting: Map successfully transferred
 Transferring passwd.byuid...
 ypxfr: Exiting: Map successfully transferred
 Transferring passwd.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring group.bygid...
 ypxfr: Exiting: Map successfully transferred
 Transferring group.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring services.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring rpc.bynumber...
 ypxfr: Exiting: Map successfully transferred
 Transferring rpc.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring protocols.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring master.passwd.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring networks.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring networks.byaddr...
 ypxfr: Exiting: Map successfully transferred
 Transferring netid.byname...
 ypxfr: Exiting: Map successfully transferred
 Transferring hosts.byaddr...
 ypxfr: Exiting: Map successfully transferred
 Transferring protocols.bynumber...
 ypxfr: Exiting: Map successfully transferred
 Transferring ypservers...
 ypxfr: Exiting: Map successfully transferred
 Transferring hosts.byname...
 ypxfr: Exiting: Map successfully transferred

 coltrane has been setup as an YP slave server without any errors.
 Remember to update map ypservers on ellington.

   This will generate a directory on the slave server called
   /var/yp/test-domain which contains copies of the NIS master server's maps.
   Adding these /etc/crontab entries on each slave server will force the
   slaves to sync their maps with the maps on the master server:

 20      *       *       *       *       root   /usr/libexec/ypxfr passwd.byname
 21      *       *       *       *       root   /usr/libexec/ypxfr passwd.byuid

   These entries are not mandatory because the master server automatically
   attempts to push any map changes to its slaves. However, since clients may
   depend upon the slave server to provide correct password information, it
   is recommended to force frequent password map updates. This is especially
   important on busy networks where map updates might not always complete.

   To finish the configuration, run /etc/netstart on the slave server in
   order to start the NIS services.

  29.4.6. ****** NIS *********

   An NIS client binds to an NIS server using ypbind(8). This daemon
   broadcasts RPC requests on the local network. These requests specify the
   domain name configured on the client. If an NIS server in the same domain
   receives one of the broadcasts, it will respond to ypbind, which will
   record the server's address. If there are several servers available, the
   client will use the address of the first server to respond and will direct
   all of its NIS requests to that server. The client will automatically ping
   the server on a regular basis to make sure it is still available. If it
   fails to receive a reply within a reasonable amount of time, ypbind will
   mark the domain as unbound and begin broadcasting again in the hopes of
   locating another server.

   To configure a FreeBSD machine to be an NIS client:

    1. Edit /etc/rc.conf and add the following lines in order to set the NIS
       domain name and start ypbind(8) during network startup:

 nisdomainname="test-domain"
 nis_client_enable="YES"

    2. To import all possible password entries from the NIS server, use vipw
       to remove all user accounts except one from /etc/master.passwd. When
       removing the accounts, keep in mind that at least one local account
       should remain and this account should be a member of wheel. If there
       is a problem with NIS, this local account can be used to log in
       remotely, become the superuser, and fix the problem. Before saving the
       edits, add the following line to the end of the file:

 +:::::::::

       This line configures the client to provide anyone with a valid account
       in the NIS server's password maps an account on the client. There are
       many ways to configure the NIS client by modifying this line. One
       method is described in *** 29.4.8, "****** Netgroups". For more
       detailed reading, refer to the book Managing NFS and NIS, published by
       O'Reilly Media.

    3. To import all possible group entries from the NIS server, add this
       line to /etc/group:

 +:*::

   To start the NIS client immediately, execute the following commands as the
   superuser:

 # /etc/netstart
 # service ypbind start

   After completing these steps, running ypcat passwd on the client should
   show the server's passwd map.

  29.4.7. NIS *********

   Since RPC is a broadcast-based service, any system running ypbind within
   the same domain can retrieve the contents of the NIS maps. To prevent
   unauthorized transactions, ypserv(8) supports a feature called
   "securenets" which can be used to restrict access to a given set of hosts.
   By default, this information is stored in /var/yp/securenets, unless
   ypserv(8) is started with -p and an alternate path. This file contains
   entries that consist of a network specification and a network mask
   separated by white space. Lines starting with # are considered to be
   comments. A sample securenets might look like this:

 # allow connections from local host -- mandatory
 127.0.0.1     255.255.255.255
 # allow connections from any host
 # on the 192.168.128.0 network
 192.168.128.0 255.255.255.0
 # allow connections from any host
 # between 10.0.0.0 to 10.0.15.255
 # this includes the machines in the testlab
 10.0.0.0      255.255.240.0

   If ypserv(8) receives a request from an address that matches one of these
   rules, it will process the request normally. If the address fails to match
   a rule, the request will be ignored and a warning message will be logged.
   If the securenets does not exist, ypserv will allow connections from any
   host.

   *** 13.4, "TCP Wrapper" is an alternate mechanism for providing access
   control instead of securenets. While either access control mechanism adds
   some security, they are both vulnerable to "IP spoofing" attacks. All
   NIS-related traffic should be blocked at the firewall.

   Servers using securenets may fail to serve legitimate NIS clients with
   archaic TCP/IP implementations. Some of these implementations set all host
   bits to zero when doing broadcasts or fail to observe the subnet mask when
   calculating the broadcast address. While some of these problems can be
   fixed by changing the client configuration, other problems may force the
   retirement of these client systems or the abandonment of securenets.

   The use of TCP Wrapper increases the latency of the NIS server. The
   additional delay may be long enough to cause timeouts in client programs,
   especially in busy networks with slow NIS servers. If one or more clients
   suffer from latency, convert those clients into NIS slave servers and
   force them to bind to themselves.

    29.4.7.1. *********************

   In this example, the basie system is a faculty workstation within the NIS
   domain. The passwd map on the master NIS server contains accounts for both
   faculty and students. This section demonstrates how to allow faculty
   logins on this system while refusing student logins.

   To prevent specified users from logging on to a system, even if they are
   present in the NIS database, use vipw to add -username with the correct
   number of colons towards the end of /etc/master.passwd on the client,
   where username is the username of a user to bar from logging in. The line
   with the blocked user must be before the + line that allows NIS users. In
   this example, bill is barred from logging on to basie:

 basie# cat /etc/master.passwd
 root:[password]:0:0::0:0:The super-user:/root:/bin/csh
 toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh
 daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
 operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
 bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/usr/sbin/nologin
 tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
 kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
 games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
 news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
 man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
 bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
 uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
 xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/usr/sbin/nologin
 pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
 -bill:::::::::
 +:::::::::

 basie#

  29.4.8. ****** Netgroups

   Barring specified users from logging on to individual systems becomes
   unscaleable on larger networks and quickly loses the main benefit of NIS:
   centralized administration.

   Netgroups were developed to handle large, complex networks with hundreds
   of users and machines. Their use is comparable to UNIX(R) groups, where
   the main difference is the lack of a numeric ID and the ability to define
   a netgroup by including both user accounts and other netgroups.

   To expand on the example used in this chapter, the NIS domain will be
   extended to add the users and systems shown in Tables 28.2 and 28.3:

   ****** 29.2. ***************

              ***************                           ******                
   alpha, beta                           IT department employees              
   charlie, delta                        IT department apprentices            
   echo, foxtrott, golf, ...             employees                            
   able, baker, ...                      interns                              

   ****** 29.3. ************

           ************                             ******                    
   war, death, famine, pollution Only IT employees are allowed to log onto    
                                 these servers.                               
   pride, greed, envy, wrath,    All members of the IT department are allowed 
   lust, sloth                   to login onto these servers.                 
   one, two, three, four, ...    Ordinary workstations used by employees.     
                                 A very old machine without any critical      
   trashcan                      data. Even interns are allowed to use this   
                                 system.                                      

   When using netgroups to configure this scenario, each user is assigned to
   one or more netgroups and logins are then allowed or forbidden for all
   members of the netgroup. When adding a new machine, login restrictions
   must be defined for all netgroups. When a new user is added, the account
   must be added to one or more netgroups. If the NIS setup is planned
   carefully, only one central configuration file needs modification to grant
   or deny access to machines.

   The first step is the initialization of the NIS netgroup map. In FreeBSD,
   this map is not created by default. On the NIS master server, use an
   editor to create a map named /var/yp/netgroup.

   This example creates four netgroups to represent IT employees, IT
   apprentices, employees, and interns:

 IT_EMP  (,alpha,test-domain)    (,beta,test-domain)
 IT_APP  (,charlie,test-domain)  (,delta,test-domain)
 USERS   (,echo,test-domain)     (,foxtrott,test-domain) \
         (,golf,test-domain)
 INTERNS (,able,test-domain)     (,baker,test-domain)

   Each entry configures a netgroup. The first column in an entry is the name
   of the netgroup. Each set of brackets represents either a group of one or
   more users or the name of another netgroup. When specifying a user, the
   three comma-delimited fields inside each group represent:

    1. The name of the host(s) where the other fields representing the user
       are valid. If a hostname is not specified, the entry is valid on all
       hosts.

    2. The name of the account that belongs to this netgroup.

    3. The NIS domain for the account. Accounts may be imported from other
       NIS domains into a netgroup.

   If a group contains multiple users, separate each user with whitespace.
   Additionally, each field may contain wildcards. See netgroup(5) for
   details.

   Netgroup names longer than 8 characters should not be used. The names are
   case sensitive and using capital letters for netgroup names is an easy way
   to distinguish between user, machine and netgroup names.

   Some non-FreeBSD NIS clients cannot handle netgroups containing more than
   15 entries. This limit may be circumvented by creating several
   sub-netgroups with 15 users or fewer and a real netgroup consisting of the
   sub-netgroups, as seen in this example:

 BIGGRP1  (,joe1,domain)  (,joe2,domain)  (,joe3,domain) [...]
 BIGGRP2  (,joe16,domain)  (,joe17,domain) [...]
 BIGGRP3  (,joe31,domain)  (,joe32,domain)
 BIGGROUP  BIGGRP1 BIGGRP2 BIGGRP3

   Repeat this process if more than 225 (15 times 15) users exist within a
   single netgroup.

   To activate and distribute the new NIS map:

 ellington# cd /var/yp
 ellington# make

   This will generate the three NIS maps netgroup, netgroup.byhost and
   netgroup.byuser. Use the map key option of ypcat(1) to check if the new
   NIS maps are available:

 ellington% ypcat -k netgroup
 ellington% ypcat -k netgroup.byhost
 ellington% ypcat -k netgroup.byuser

   The output of the first command should resemble the contents of
   /var/yp/netgroup. The second command only produces output if host-specific
   netgroups were created. The third command is used to get the list of
   netgroups for a user.

   To configure a client, use vipw(8) to specify the name of the netgroup.
   For example, on the server named war, replace this line:

 +:::::::::

   with

 +@IT_EMP:::::::::

   This specifies that only the users defined in the netgroup IT_EMP will be
   imported into this system's password database and only those users are
   allowed to login to this system.

   This configuration also applies to the ~ function of the shell and all
   routines which convert between user names and numerical user IDs. In other
   words, cd ~user will not work, ls -l will show the numerical ID instead of
   the username, and find . -user joe -print will fail with the message No
   such user. To fix this, import all user entries without allowing them to
   login into the servers. This can be achieved by adding an extra line:

 +:::::::::/usr/sbin/nologin

   This line configures the client to import all entries but to replace the
   shell in those entries with /usr/sbin/nologin.

   Make sure that extra line is placed after +@IT_EMP:::::::::. Otherwise,
   all user accounts imported from NIS will have /usr/sbin/nologin as their
   login shell and no one will be able to login to the system.

   To configure the less important servers, replace the old +::::::::: on the
   servers with these lines:

 +@IT_EMP:::::::::
 +@IT_APP:::::::::
 +:::::::::/usr/sbin/nologin

   The corresponding lines for the workstations would be:

 +@IT_EMP:::::::::
 +@USERS:::::::::
 +:::::::::/usr/sbin/nologin

   NIS supports the creation of netgroups from other netgroups which can be
   useful if the policy regarding user access changes. One possibility is the
   creation of role-based netgroups. For example, one might create a netgroup
   called BIGSRV to define the login restrictions for the important servers,
   another netgroup called SMALLSRV for the less important servers, and a
   third netgroup called USERBOX for the workstations. Each of these
   netgroups contains the netgroups that are allowed to login onto these
   machines. The new entries for the NIS netgroup map would look like this:

 BIGSRV    IT_EMP  IT_APP
 SMALLSRV  IT_EMP  IT_APP  ITINTERN
 USERBOX   IT_EMP  ITINTERN USERS

   This method of defining login restrictions works reasonably well when it
   is possible to define groups of machines with identical restrictions.
   Unfortunately, this is the exception and not the rule. Most of the time,
   the ability to define login restrictions on a per-machine basis is
   required.

   Machine-specific netgroup definitions are another possibility to deal with
   the policy changes. In this scenario, the /etc/master.passwd of each
   system contains two lines starting with "+". The first line adds a
   netgroup with the accounts allowed to login onto this machine and the
   second line adds all other accounts with /usr/sbin/nologin as shell. It is
   recommended to use the "ALL-CAPS" version of the hostname as the name of
   the netgroup:

 +@BOXNAME:::::::::
 +:::::::::/usr/sbin/nologin

   Once this task is completed on all the machines, there is no longer a need
   to modify the local versions of /etc/master.passwd ever again. All further
   changes can be handled by modifying the NIS map. Here is an example of a
   possible netgroup map for this scenario:

 # Define groups of users first
 IT_EMP    (,alpha,test-domain)    (,beta,test-domain)
 IT_APP    (,charlie,test-domain)  (,delta,test-domain)
 DEPT1     (,echo,test-domain)     (,foxtrott,test-domain)
 DEPT2     (,golf,test-domain)     (,hotel,test-domain)
 DEPT3     (,india,test-domain)    (,juliet,test-domain)
 ITINTERN  (,kilo,test-domain)     (,lima,test-domain)
 D_INTERNS (,able,test-domain)     (,baker,test-domain)
 #
 # Now, define some groups based on roles
 USERS     DEPT1   DEPT2     DEPT3
 BIGSRV    IT_EMP  IT_APP
 SMALLSRV  IT_EMP  IT_APP    ITINTERN
 USERBOX   IT_EMP  ITINTERN  USERS
 #
 # And a groups for a special tasks
 # Allow echo and golf to access our anti-virus-machine
 SECURITY  IT_EMP  (,echo,test-domain)  (,golf,test-domain)
 #
 # machine-based netgroups
 # Our main servers
 WAR       BIGSRV
 FAMINE    BIGSRV
 # User india needs access to this server
 POLLUTION  BIGSRV  (,india,test-domain)
 #
 # This one is really important and needs more access restrictions
 DEATH     IT_EMP
 #
 # The anti-virus-machine mentioned above
 ONE       SECURITY
 #
 # Restrict a machine to a single user
 TWO       (,hotel,test-domain)
 # [...more groups to follow]

   It may not always be advisable to use machine-based netgroups. When
   deploying a couple of dozen or hundreds of systems, role-based netgroups
   instead of machine-based netgroups may be used to keep the size of the NIS
   map within reasonable limits.

  29.4.9. ************

   NIS requires that all hosts within an NIS domain use the same format for
   encrypting passwords. If users have trouble authenticating on an NIS
   client, it may be due to a differing password format. In a heterogeneous
   network, the format must be supported by all operating systems, where DES
   is the lowest common standard.

   To check which format a server or client is using, look at this section of
   /etc/login.conf:

 default:\
         :passwd_format=des:\
         :copyright=/etc/COPYRIGHT:\
         [Further entries elided]

   In this example, the system is using the DES format. Other possible values
   are blf for Blowfish and md5 for MD5 encrypted passwords.

   If the format on a host needs to be edited to match the one being used in
   the NIS domain, the login capability database must be rebuilt after saving
   the change:

 # cap_mkdb /etc/login.conf

  ******:

   The format of passwords for existing user accounts will not be updated
   until each user changes their password after the login capability database
   is rebuilt.

29.5. *************************** (LDAP)

   Originally contributed by Tom Rhodes.
   Updates by Rocky Hotas.

   *************************** (Lightweight Directory Access Protocol, LDAP)
   *********************************************************,_***********************************************************************************************,_************************************._*********
   Active Directory *** OpenLDAP
   *********************************************************************************************************,_************************************************************
   LDAP ******************************************************._

   ********************* FreeBSD ************************************ LDAP
   *********._**********************************************************************************,_***************************,_*********************************************************************************************************._

  29.5.1. LDAP ***************

   LDAP
   *********************************************************._************************************
   (attributes)
   **************************************************************************
   (Distinguished Name,
   DN)******************************************************************************
   (Relative Distinguished Name, RDN)
   ******************************************************************* DN
   ********************RDN ******************._

   LDAP *********************._******************************************
   (uid),_************ (ou) ****************** (o)**

 % ldapsearch -xb "uid=trhodes,ou=users,o=example.com"
 # extended LDIF
 #
 # LDAPv3
 # base <uid=trhodes,ou=users,o=example.com> with scope subtree
 # filter: (objectclass=*)
 # requesting: ALL
 #

 # trhodes, users, example.com
 dn: uid=trhodes,ou=users,o=example.com
 mail: trhodes@example.com
 cn: Tom Rhodes
 uid: trhodes
 telephoneNumber: (123) 456-7890

 # search result
 search: 2
 result: 0 Success

 # numResponses: 2
 # numEntries: 1

   *************************** dn, mail, cn, uid ****** telephoneNumber
   ***************._*** cn ************ RDN._

   ************ LDAP ******************************
   http://www.openldap.org/doc/admin24/intro.html ******._

  29.5.2. ****** LDAP *********

   FreeBSD ********************* LDAP
   ***************************************** net/openldap-server *********
   Port**

 # pkg install openldap-server

   ***************************************************************** pkg info
   openldap-server **************************************************
   (****************** SQL
   *********)*********************************************** Port._

   *************************** /var/db/openldap-data
   **********************************************************

 # mkdir /usr/local/etc/openldap/private

   ****************************** (Certificate
   authority)._********************* /usr/local/etc/openldap/private
   *******************************************************************************************************************************************************************************
   *** 13.6, "OpenSSL"
   *********._*******************************************************************

 # openssl req -days 365 -nodes -new -x509 -keyout ca.key -out ../ca.crt

   *************************************** (Common Name)
   **************************************************************************
   ****** *********._************************************ (Self signed
   certificate)******************** CA ***************************._

   ******************************************************************************._********************************************

 # openssl req -days 365 -nodes -new -keyout server.key -out server.csr

   ****************************************** Common Name
   ******************._****************** (Certificate Signing Request)
   **************************************************************

 # openssl x509 -req -days 365 -in server.csr -out ../server.crt -CA ../ca.crt -CAkey ca.key -CAcreateserial

   ***********************************************************************

 # openssl req -days 365 -nodes -new -keyout client.key -out client.csr
 # openssl x509 -req -days 3650 -in client.csr -out ../client.crt -CA ../ca.crt -CAkey ca.key

   ************************************ Common Name
   ******._*********************************************** 8 ************._

   OpenLDAP ********************* Daemon *** slapd**OpenLDAP *********
   slapd.ldif ************** OpenLDAP *************************** slapd.conf
   ******._

   ************ slapd.ldif *** ***************
   ***********************************
   /usr/local/etc/openldap/slapd.ldif.sample
   ******************._************************ slapd-config(5)
   ******************._slapd.ldif ***************************** LDAP
   *************************************** DN *********************** dn:
   ******************************************._***************************************
   TLS *******************************************

 #
 # See slapd-config(5) for details on configuration options.
 # This file should NOT be world readable.
 #
 dn: cn=config
 objectClass: olcGlobal
 cn: config
 #
 #
 # Define global ACLs to disable default read access.
 #
 olcArgsFile: /var/run/openldap/slapd.args
 olcPidFile: /var/run/openldap/slapd.pid
 olcTLSCertificateFile: /usr/local/etc/openldap/server.crt
 olcTLSCertificateKeyFile: /usr/local/etc/openldap/private/server.key
 olcTLSCACertificateFile: /usr/local/etc/openldap/ca.crt
 #olcTLSCipherSuite: HIGH
 olcTLSProtocolMin: 3.1
 olcTLSVerifyClient: never

   *************************************** (Certificate
   Authority),_*************** (Server Certificate) ******************
   (Server Private Key)**************************************************
   (Security Cipher)******** olcTLSCipherSuite ****** (******************
   openssl ********* TLS *********)._****** olcTLSProtocolMin
   ********************************************************************._****************************************************************************
   olcTLSVerifyClient: never._

   ****************************************************************************************

 #
 # Load dynamic backend modules:
 #
 dn: cn=module,cn=config
 objectClass: olcModuleList
 cn: module
 olcModulepath:  /usr/local/libexec/openldap
 olcModuleload:  back_mdb.la
 #olcModuleload: back_bdb.la
 #olcModuleload: back_hdb.la
 #olcModuleload: back_ldap.la
 #olcModuleload: back_passwd.la
 #olcModuleload: back_shell.la

   ****************************************** ldif ******
   (Schema)**************************._

 dn: cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: schema

 include: file:///usr/local/etc/openldap/schema/core.ldif
 include: file:///usr/local/etc/openldap/schema/cosine.ldif
 include: file:///usr/local/etc/openldap/schema/inetorgperson.ldif
 include: file:///usr/local/etc/openldap/schema/nis.ldif

   ***********************************

 # Frontend settings
 #
 dn: olcDatabase={-1}frontend,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcFrontendConfig
 olcDatabase: {-1}frontend
 olcAccess: to * by * read
 #
 # Sample global access control policy:
 #       Root DSE: allow anyone to read it
 #       Subschema (sub)entry DSE: allow anyone to read it
 #       Other DSEs:
 #               Allow self write access
 #               Allow authenticated users read access
 #               Allow anonymous users to authenticate
 #
 #olcAccess: to dn.base="" by * read
 #olcAccess: to dn.base="cn=Subschema" by * read
 #olcAccess: to *
 #       by self write
 #       by users read
 #       by anonymous auth
 #
 # if no access controls are present, the default policy
 # allows anyone and everyone to read anything but restricts
 # updates to rootdn.  (e.g., "access to * by * read")
 #
 # rootdn can always read and write EVERYTHING!
 #
 olcPasswordHash: {SSHA}
 # {SSHA} is already the default for olcPasswordHash

   ******************************************************** OpenLDAP
   ******************************************************._

 dn: olcDatabase={0}config,cn=config
 objectClass: olcDatabaseConfig
 olcDatabase: {0}config
 olcAccess: to * by * none
 olcRootPW: {SSHA}iae+lrQZILpiUdf16Z9KmDmSwT77Dj4U

   ************************************ cn=config******** Shell *********
   slappasswd********************************************************
   olcRootPW *********._**************************************************
   slapd.ldif ******************************************************._

   *****************************************************

 #######################################################################
 # LMDB database definitions
 #######################################################################
 #
 dn: olcDatabase=mdb,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcMdbConfig
 olcDatabase: mdb
 olcDbMaxSize: 1073741824
 olcSuffix: dc=domain,dc=example
 olcRootDN: cn=mdbadmin,dc=domain,dc=example
 # Cleartext passwords, especially for the rootdn, should
 # be avoided.  See slappasswd(8) and slapd-config(5) for details.
 # Use of strong authentication encouraged.
 olcRootPW: {SSHA}X2wHvIWDk6G76CQyCMS1vDCvtICWgn0+
 # The database directory MUST exist prior to running slapd AND
 # should only be accessible by the slapd and slap tools.
 # Mode 700 recommended.
 olcDbDirectory: /var/db/openldap-data
 # Indices to maintain
 olcDbIndex: objectClass eq

   ********************************************* LDAP
   ******************************** mdb
   **************************************************************
   (*********************************************)**olcRootDN
   ************************ (*********)**olcRootPW
   *****************************************************************
   slappasswd ******************._

   ********************************* slapd.ldif **************************
   slapd.conf ********* slapd.ldif ***********************
   (**************************************************************)._

   ***************************** slapd.ldif
   *************************************************************

 # mkdir /usr/local/etc/openldap/slapd.d/

   ***********************

 # /usr/local/sbin/slapadd -n0 -F /usr/local/etc/openldap/slapd.d/ -l /usr/local/etc/openldap/slapd.ldif

   ****** slapd Daemon**

 # /usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d/

   ****** -d ******************************** slapd(8)
   *************************************************************************

 # ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
 # extended LDIF
 #
 # LDAPv3
 # base <> with scope baseObject
 # filter: (objectclass=*)
 # requesting: namingContexts
 #

 #
 dn:
 namingContexts: dc=domain,dc=example

 # search result
 search: 2
 result: 0 Success

 # numResponses: 2
 # numEntries: 1

   ****************************************************************************************************._******
   OpenSSL ********* Port**

 # pkg install openssl

   ****** ca.crt *************** (************************************
   /usr/local/etc/openldap)**********

 # c_rehash .

   ****** CA ********************************************************
   server.crt ********************************************

 # openssl verify -verbose -CApath . server.crt

   *** slapd ***********************************._******
   /usr/local/etc/rc.d/slapd ************** slapd
   ************************************************** /etc/rc.conf**

 lapd_enable="YES"
 slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/
 ldap://0.0.0.0/"'
 slapd_sockets="/var/run/openldap/ldapi"
 slapd_cn_config="YES"

   ************ slapd ***********************************************
   /var/log/debug.log, dmesg -a *** /var/log/messages
   ******************************._

   *************************** team ************ john *** domain.example LDAP
   *****************************************._****************** domain.ldif
   *****

 # cat domain.ldif
 dn: dc=domain,dc=example
 objectClass: dcObject
 objectClass: organization
 o: domain.example
 dc: domain

 dn: ou=groups,dc=domain,dc=example
 objectClass: top
 objectClass: organizationalunit
 ou: groups

 dn: ou=users,dc=domain,dc=example
 objectClass: top
 objectClass: organizationalunit
 ou: users

 dn: cn=team,ou=groups,dc=domain,dc=example
 objectClass: top
 objectClass: posixGroup
 cn: team
 gidNumber: 10001

 dn: uid=john,ou=users,dc=domain,dc=example
 objectClass: top
 objectClass: account
 objectClass: posixAccount
 objectClass: shadowAccount
 cn: John McUser
 uid: john
 uidNumber: 10001
 gidNumber: 10001
 homeDirectory: /home/john/
 loginShell: /usr/bin/bash
 userPassword: secret

   ********* OpenLDAP ******************************************** slappasswd
   ************************ secret ************************************
   userPassword ******._*** loginShell
   ***************************************** john
   ************************._*************** mdb **************************

 # ldapadd -W -D "cn=mdbadmin,dc=domain,dc=example" -f domain.ldif

   *********************************************************._********************************
   olcTLSCipherSuite: HIGH:MEDIUM:SSLv3
   *********************************************************************************

 # cat global_mod
 dn: cn=config
 changetype: modify
 delete: olcTLSCipherSuite

   **************************

 # ldapmodify -f global_mod -x -D "cn=config" -W

   *********************************************************************************************************************cn=config
   ***************************************._*************** ldapmodify
   ******************************** ldapdelete ******************._

   ************************************************************************************************************************************

 # rm -rf /usr/local/etc/openldap/slapd.d/

   ************ slapd.ldif
   ************************._*****************************************************************._

   *****************************************************************************************************
   LDAP *********************************._

29.6. ************************ (DHCP)

   ************************ (Dynamic Host Configuration Protocol, DHCP)
   ************************************************************************************._FreeBSD
   ****** OpenBSD *********
   dhclient***********************************************._FreeBSD
   ********************* DHCP ***************** FreeBSD Port
   ***************************************._****** DHCP
   ********************************* RFC 2131***********************
   isc.org/downloads/dhcp/ ******._

   ************************************ DHCP
   ***************************************************** DHCP *********._

  ******:

   *** FreeBSD *****bpf(4) ****************** DHCP ************ DHCP
   ******************._****************** GENERIC ***************************
   FreeBSD ******._************************************************ DHCP
   ************************._

   *************** bpf
   ******************************************************************************._

  29.6.1. ****** DHCP *********

   DHCP ****************** FreeBSD
   ***************************************************************** DHCP
   ************************************************._********* *** 2.8,
   "*********************" ***************************._

   *** dhclient
   *****************************************************************************._***************************
   UDP ****** 68._********************* UDP ****** 67 ************** IP
   **********************************************************,_***************
   DNS ***************************************************** dhcp-options(5)
   ******._

   ********* FreeBSD ******************** DHCP
   ****************************************** (Asynchronously)
   ***************** DHCP *************************** Script
   **************************************._

   ****** DHCP *** DHCP
   ******************************************************************._******
   DHCP
   ********************************************************************************
   DHCP ***************************************************._************
   (Synchronous) ************ DHCP
   ************************************************************** DHCP
   ***************._

   *** /etc/rc.conf ************************************ (***************)**

 ifconfig_fxp0="DHCP"

   ***************************************
   DHCP**************************._********************* fxp0
   ************************************************** *** 11.5,
   "*********************" ************._

   ************************************************************** DHCP
   ************** "SYNCDHCP"**

 ifconfig_fxp0="SYNCDHCP"

   ******************************************** rc.conf(5) ****** dhclient
   *********************._

   DHCP ***********************************

     * /etc/dhclient.conf

       dhclient
       ******************._**************************************************************************._******************
       dhclient.conf(5) ************._

     * /sbin/dhclient

       *************************************** dhclient(8) ******._

     * /sbin/dhclient-script

       FreeBSD ********* DHCP *************** Script._*** dhclient-script(8)
       ***********************************************************._

     * /var/db/dhclient.leases.interface

       DHCP
       *******************************************************************************************
       dhclient.leases(5) *********._

  29.6.2. *************** DHCP *********

   *************************** FreeBSD ************ DHCP *****************
   Internet Systems Consortium (ISC) ************ DHCP
   *********************************************** net/isc-dhcp43-server
   ********* Port ******._

   net/isc-dhcp43-server
   *****************************************************
   /usr/local/etc/dhcpd.conf.example *** /usr/local/etc/dhcpd.conf
   ******************************._

   ***********************************************************************************
   DHCP ******************._********************

 option domain-name "example.org";1
 option domain-name-servers ns1.example.org;2
 option subnet-mask 255.255.255.0;3

 default-lease-time 600;4
 max-lease-time 72400;5
 ddns-update-style none;6

 subnet 10.254.239.0 netmask 255.255.255.224 {
   range 10.254.239.10 10.254.239.20;7
   option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;8
 }

 host fantasia {
   hardware ethernet 08:00:07:26:c0:a5;9
   fixed-address fantasia.fugue.com;10
 }

1  ***************************************************************._********* resolv.conf(5)   
   ******************._                                                                        
2  ****************************************** DNS ***************                              
   (***************)._*********************************************************** (Fully       
   Qualified Domain Names, FQDN) *************** IP ******._                                   
3  ***************************************._                                                   
4  ************************ (***)._*********************************************._             
5  ***************************************                                                     
   (***)._*************************************************************************            
   max-lease-time *********._                                                                  
6  ********* none *************** DNS ******._*************** interim ****** DHCP              
   ****************************************** DNS ***************************** DNS            
   *************************************** IP ******._******************************** DNS     
   ********************************* DNS._                                                     
7  *************************** IP ********************************************* DHCP           
   ******************._*********************************************************************._ 
8  ****************** {                                                                        
   *********************************************************************._                     
9  ************************ MAC ************** DHCP                                            
   *********************************************************._                                 
10 ************************************ IP                                                     
   ******._******************************************** DHCP                                   
   *********************************************************._                                 

   ***********************************************************************
   dhcpd.conf(5) ******************************._

   ****** dhcpd.conf ******************** /etc/rc.conf ****** DHCP
   ***********

 dhcpd_enable="YES"
 dhcpd_ifaces="dc0"

   ****** dc0 *** DHCP ****************** DHCP ******************************
   (******************************)._

   **************************************

 # service isc-dhcpd start

   ****************************************************** service(8) ******
   dhcpd ******************._

   DHCP
   *********************************._*****************************************************._

     * /usr/local/sbin/dhcpd

       ************ dhcpd ************************ dhcpd(8) ******._

     * /usr/local/etc/dhcpd.conf

       ******************************************************************************************************._***
       dhcpd.conf(5) ************************._

     * /var/db/dhcpd.leases

       DHCP
       ********************************************************************************************._******
       dhcpd.leases(5) ************************._

     * /usr/local/sbin/dhcrelay

       ****** Daemon ***************************************** DHCP
       ************************************************************************
       DHCP ******************._***********************************
       net/isc-dhcp43-relay ********* Port*****************
       dhcrelay(8)***********************************._

29.7. ****************** (DNS)

   ****************** (Domain Name System, DNS)
   ****************************************** IP ********************._DNS
   ****************************************** (Authoritative
   root),_*************** (Top Level Domain, TLD)
   ***********************************************************************************************************._******************
   DNS *********************************************._

   ****************************** DNS *****************

   ****** 29.4. DNS ******

  ******                                                                     ******                                                                   
****** DNS                                                                                                                                            
(Forward   ********************* IP ***************._
DNS)       
******     *********************************************._                                                                                            
(Origin)   
*********  *********************************************************._                                                                                
(Resolver) 
****** DNS                                                                                                                                            
(Reverse   *** IP ***************************._
DNS)       
*********                                                                                                                                             
(Root      ****************************************************************************************************************************************._
zone)      
******     ***************,_****************************** (Authority) *************** DNS._                                                          
(Zone)     

   **************

     * . *********************************************._

     * org. ********************************************* (Top Level Domain ,
       TLD)._

     * example.org. ************ org. TLD ***************._

     * 1.168.192.in-addr.arpa ************************************
       192.168.1.* IP ********************* IP ******._

   ************************************************************* example.org.
   *** org. ***************** org.
   ****************************************************************************/dev
   **************************************._

  29.7.1. *********************************

   *********************************************** (Authoritative)
   ************************ (************) ***************._

   *****************************************************

     * ************ DNS ********************************************._

     * *********************************** example.org*********** IP
       ******************************._

     * ****** IP ************************ DNS ****** (IP ***************)._

     * ************************************************************._

   **************************************************

     * ****************************************** DNS
       ***************************************._

   ********* www.FreeBSD.org ************************************** ISP
   *****************************************************,_****** DNS
   ***************************** DNS
   *******************************************************************************************************************************************._

  29.7.2. DNS ***************

   Unbound *** FreeBSD *********************************************** DNS
   ****************************************************************************************************************************
   FreeBSD Port *************** Unbound._

   ********* Unbound ****************** /etc/rc.conf**

 local_unbound_enable="YES"

   ****************** /etc/resolv.conf *********************************
   Unbound *************************** (Forwarder)._

  ******:

   ******************************************************
   DNSSEC************** DNS
   **************************************************************************************************._***************************************
   192.168.1.1 ***********************************

 % drill -S FreeBSD.org @192.168.1.1

   ****************************************** DNSSEC ********* Unbound**

 # service local_unbound onestart

   *************** /etc/resolv.conf ****************** DNSSEC
   ****************************************************************************
   FreeBSD.org DNSSEC ***********

 % drill -S FreeBSD.org
 ;; Number of trusted keys: 1
 ;; Chasing: freebsd.org. A

 DNSSEC Trust tree:
 freebsd.org. (A)
 |---freebsd.org. (DNSKEY keytag: 36786 alg: 8 flags: 256)
     |---freebsd.org. (DNSKEY keytag: 32659 alg: 8 flags: 257)
     |---freebsd.org. (DS keytag: 32659 digest type: 2)
         |---org. (DNSKEY keytag: 49587 alg: 7 flags: 256)
             |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257)
             |---org. (DNSKEY keytag: 21366 alg: 7 flags: 257)
             |---org. (DS keytag: 21366 digest type: 1)
             |   |---. (DNSKEY keytag: 40926 alg: 8 flags: 256)
             |       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
             |---org. (DS keytag: 21366 digest type: 2)
                 |---. (DNSKEY keytag: 40926 alg: 8 flags: 256)
                     |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
 ;; Chase successful

29.8. Apache HTTP *********

   Contributed by Murray Stokely.

   *************** Apache HTTP Server
   ***********************************************FreeBSD
   ***************************************************** www/apache24
   ********* Port ******._

   ****************************************** FreeBSD *** 2.x ****** Apache
   HTTP Server***************** Apache
   ********************************************* httpd.apache.org._

  29.8.1. *************** Apache

   *** FreeBSD ******** Apache HTTP Server *********************
   /usr/local/etc/apache2x/httpd.conf******** x ******************** ASCII
   *************** #
   **********************************************************

   ServerRoot "/usr/local"

           ********* Apache ***********************Binary
           ********************************* (Server root) ****** bin ***
           sbin *********************************** etc/apache2x *********._

   ServerAdmin you@example.com

           ************************************************************************************************************************************************._

   ServerName www.example.com:80

           *********************************************************************
           (Hostname)**********www
           *****************************************************************
           DNS ************************** IP
           ******************************************************* 80
           ***************._

   DocumentRoot "/usr/local/www/apache2x/data"

           *************************************************************************************************************************._

   ****** Apache ************************************************* Apache
   ******************************************** apachectl
   ******************** apachectl configtest ****************** Syntax OK._

   *************************** Apache******************** /etc/rc.conf**

 apache24_enable="YES"

   *** Apache *****************************************************
   /etc/rc.conf ********************************

 apache24_flags=""

   *** apachectl ******************************** httpd**

 # service apache24 start

   httpd ********************************************* http://localhost
   ************** localhost *************** httpd
   ********************************* (Fully-qualified domain
   name)._***************************
   /usr/local/www/apache24/data/index.html._

   *************** httpd ****************** Apache
   *****************************************************

 # service apache24 configtest

  ******:

   ********configtest ************ rc(8)
   ******************************************** Script ***************._

  29.8.2. ************

   *************************** Apache
   ***************************************************** IP ****** (IP-based)
   ****************** (name-based)._*** IP
   ************************************************************ IP
   ******._*************************************************** HTTP/1.1
   ******************************************************************** IP
   ******._

   ********* Apache
   ***************************************************************
   VirtualHost ********************************** www.domain.tld
   ********************* www.someotherdomain.tld
   ***************************************** httpd.conf**

 <VirtualHost *>
     ServerName www.domain.tld
     DocumentRoot /www/domain.tld
 </VirtualHost>

 <VirtualHost *>
     ServerName www.someotherdomain.tld
     DocumentRoot /www/someotherdomain.tld
 </VirtualHost>

   ************************************ ServerName *** DocumentRoot
   ******************************._

   ************************************************** Apache
   ***********************http://httpd.apache.org/docs/vhosts/._

  29.8.3. Apache ******

   Apache ************ (Module)
   ************************************._*********
   http://httpd.apache.org/docs/current/mod/
   *********************************************************._

   *** FreeBSD *************************** www/apache24 Port
   ***************** /usr/ports/www/apache24 ****** make config
   ***************************************************************** Port
   **************FreeBSD Port
   ***********************************************************************************************************._

    29.8.3.1. mod_ssl

   mod_ssl *************** OpenSSL ****** Secure Sockets Layer (SSLv3) ***
   Transport Layer Security (TLSv1)
   ****************************************************************************************************************************************
   FreeBSD ***************************************._

   *** FreeBSD *** mod_ssl ************************ Port
   *****************************************
   http://httpd.apache.org/docs/current/mod/mod_ssl.html *********._

    29.8.3.2. mod_perl

   mod_perl ************************ Perl ****** Apache
   ****************************************************************************************************
   Perl *********************._

   mod_perl ************ www/mod_perl2 ********* Port
   **************************************************
   http://perl.apache.org/docs/2.0/index.html *********._

    29.8.3.3. mod_php

   Written by Tom Rhodes.

   PHP: Hypertext Preprocessor (PHP) ************************ (Script)
   **************************************************** HTML
   ***************************** C, Java(TM) ***
   Perl**************************************************************._

   ****** Apache *************************** PHP5 ********************
   www/mod_php56 ********* Port*********************************** PHP
   ***************************._************************************
   /usr/local/etc/apache24/httpd.conf**

 LoadModule php5_module        libexec/apache24/libphp5.so

   ************** graceful ********************* PHP ********

 # apachectl graceful

   *** www/mod_php56 ************ PHP
   ********************************************************
   lang/php56-extensions Port ************** Port
   *************************************** PHP ************._

   ***************************** Port
   ************************************************* PHP *** MySQL
   ************************************ databases/php56-mysql._

   ************************************************** Apache
   ***********************************

 # apachectl graceful

  29.8.4. ************

   ****** mod_perl *** mod_php
   **********************************************************************
   Django *** Ruby on Rails._

    29.8.4.1. Django

   Django ****** BSD ***************
   (Framework)***********************************************,_***************************._*********************************
   (Object-relational mapper)*********************************** Python
   ************************************************************** API
   ***********************************************
   SQL._*****************************************************************************
   HTML *********************._

   Django ****** mod_python************** SQL
   ***************************._*** FreeBSD ****** www/py-django Port
   *************** mod_python ********* PostgreSQL, MySQL *** SQLite
   ***************************** SQLite********************************
   /usr/ports/www/py-django ****** make config ****************** Port._

   Django
   ********************************************************************
   Apache *************************** Python
   ***************************************************** URL
   ***************._

   ********* Apache ************ URL
   *********************************************** httpd.conf
   **************************************

 <Location "/">
     SetHandler python-program
     PythonPath "['/dir/to/the/django/packages/'] + sys.path"
     PythonHandler django.core.handlers.modpython
     SetEnv DJANGO_SETTINGS_MODULE mysite.settings
     PythonAutoReload On
     PythonDebug On
 </Location>

   ********* https://docs.djangoproject.com ********************* Django
   ***************._

    29.8.4.2. Ruby on Rails

   Ruby on Rails ******************************************
   (Framework)************************************************************************************************************************************
   FreeBSD *************** www/rubygem-rails ********* Port ******._

   ********* http://guides.rubyonrails.org *********************************
   Ruby on Rails *********._

29.9. ****************** (FTP)

   ****************** (File Transfer Protocol, FTP)
   ************************************************************************
   FTP ***********FreeBSD ********* FTP *************** ftpd ***************
   (Base system) ***._

   FreeBSD ************************************ FTP
   *************************************************************************
   ftpd(8) *************************** FTP ************************._

  29.9.1. ******

   ****************************************************************** FTP
   ***********FreeBSD
   ************************************************************** FTP
   ************************** FTP ************************ /etc/ftpusers
   *******************************************************************************
   FTP ******************************._

   ********************************************************************************************************
   FTP*********************** /etc/ftpchroot ***************** ftpchroot(5)
   *********************************** FTP
   *********************************._

   ****************************** FTP ***************** FreeBSD
   ****************************** ftp *********************************** ftp
   *** anonymous ************************ FTP
   ******************************************************************************************************************************._***************************
   FTP ****************** chroot(2) ****************************** ftp
   *********************._

   ****************** FTP
   ********************************************************/etc/ftpwelcome
   *******************************************************************************************
   /etc/ftpmotd
   *********._****************************************************************
   ~ftp/etc/ftpmotd ***************************************._

   ********* FTP ******************** /etc/rc.conf
   *****************************************************

 ftpd_enable="YES"

   **************************

 # service ftpd start

   ************ FTP *****************************

 % ftp localhost

   ftpd daemon ********* syslog(3) *************************************
   Daemon *************** FTP ************ /var/log/xferlog**FTP
   ********************************* /etc/syslog.conf ***********************

 ftp.info      /var/log/xferlog

  ******:

   ********************* FTP
   *******************************************************************************************************************
   FTP
   ******************************************************************************._*********************
   FTP
   *************************************************************************************************************************._

29.10. Microsoft(R) Windows(R) ****************************** (Samba)

   Samba ******************************************** SMB/CIFS
   *****************************************************************
   Microsoft(R) Windows(R) ************** Microsoft(R) Windows(R)
   ************************ Samba
   ************************************._*******************************************************************************************************************************************************************************************._

   *** FreeBSD ***************** net/samba48 Port ****************** Samba
   *********************************************** FreeBSD ***************
   SMB/CIFS *** Microsoft(R) Windows(R) ************************._

   FreeBSD *************************** net/samba48 Port *********************
   Samba *********************************** FreeBSD *************** SMB/CIFS
   ************************** Microsoft(R) Windows(R) *** Samba
   ******************************************._

  29.10.1. ***************

   Samba ***************
   /usr/local/etc/smb4.conf***************************************** Samba._

   *************************************************** Windows(R)
   ****************** smb4.conf ************._************ LDAP *** Active
   Directory ************************** samba-tool(8) ******************
   smb4.conf._

 [global]
 workgroup = WORKGROUP
 server string = Samba Server Version %v
 netbios name = ExampleMachine
 wins support = Yes
 security = user
 passdb backend = tdbsam

 # Example: share /usr/src accessible only to 'developer' user
 [src]
 path = /usr/src
 valid users = developer
 writable  = yes
 browsable = yes
 read only = no
 guest ok = no
 public = no
 create mask = 0666
 directory mask = 0755

    29.10.1.1. ************

   *** /usr/local/etc/smb4.conf
   ***********************************************

   workgroup

           ******************************._

   netbios name

           Samba ****************** NetBIOS ************************** DNS
           ***************._

   server string

           ************ net view
           ***************************************************************************************._

   wins support

           ****** Samba *************** WINS
           **************************************************************
           WINS ******._

    29.10.1.2. ***************

   *** /usr/local/etc/smb4.conf
   ****************************************************************************************************

   security

           ********************* security = share ****** security =
           user******************************************** FreeBSD
           *****************************************************************
           (user)
           ***********************************************************************************************************._

           ****************** (share)
           *************************************************************************************************************************
           Samba *********************************._

   passdb backend

           Samba
           **************************************************************
           LDAP, NIS+, SQL
           ********************************************************************
           tdbsam*******************************************************************************************************
           ldapsam***** smbpasswd
           ***********************************************._

    29.10.1.3. Samba *********

   FreeBSD *************************** SambaSAMAccount *********** *********
   Windows(R) *********************************************** FreeBSD
   ************************ pdbedit(8)**

 # pdbedit -a username

   ***************************************************** ****** Samba HOWTO
   ************************************************._

  29.10.2. ****** Samba

   ********************* Samba******************** /etc/rc.conf**

 samba_server_enable="YES"

   *************** Samba**

 # service samba_server start
 Performing sanity check on Samba configuration: OK
 Starting nmbd.
 Starting smbd.

   Samba ****************** Daemon ***********nmbd *** smbd daemon *********
   samba_enable ***************************** winbind
   **************************************

 winbindd_enable="YES"

   Samba ****************************************

 # service samba_server stop

   Samba ************************ Microsoft(R) Windows(R)
   ******************************************************************************************************************
   http://www.samba.org._

29.11. NTP ************

   ****************************************************************************************************************************************************._************************************************************._******************
   (Network Time Protocol, NTP)
   ******************************************************._

   FreeBSD ****** ntpd(8) ************************ NTP
   ************************************************************************************._

   ****************************** FreeBSD ******
   ntpd*********************************** /usr/share/doc/ntp/ ****** HTML
   ***************._

  29.11.1. NTP ******

   *** FreeBSD*********** ntpd ********************************Ntpd *********
   rc.conf(5) ********************************************* /etc/ntp.conf
   *********._

   Ntpd ************************************ UDP *********************** NTP
   ***************************************************/****** 123 *** UDP
   ******._

    29.11.1.1. /etc/ntp.conf ***

   Ntpd ********* /etc/ntp.conf ********************* NTP
   ******************************************** NTP
   **********************************************************************************************
   ntpd
   ***********************************************************._************************************************
   ISP ********************************************NTP
   **************************************************************************************************************._******
   ****************** NTP
   *******************************************************************
   FreeBSD **************************************0.freebsd.pool.ntp.org._

   ****** 29.4. /etc/ntp.conf ******

   *************** ntp.conf
   ******************************************************** restrict
   ***************************************._

 # Disallow ntpq control/query access.  Allow peers to be added only
 # based on pool and server statements in this file.
 restrict default limited kod nomodify notrap noquery nopeer
 restrict source  limited kod nomodify notrap noquery

 # Allow unrestricted access from localhost for queries and control.
 restrict 127.0.0.1
 restrict ::1

 # Add a specific server.
 server ntplocal.example.com iburst

 # Add FreeBSD pool servers until 3-6 good servers are available.
 tos minclock 3 maxclock 6
 pool 0.freebsd.pool.ntp.org iburst

 # Use a local leap-seconds file.
 leapfile "/var/db/ntpd.leap-seconds.list"

   ************************ ntp.conf(5)
   ********************************************************************************************._

   ****** NTP **************************************************restrict
   *********************************************************._restrict
   **************************************************************************._*****************************************************************************************************************._************************************
   ntp.conf(5) ****** Access Control Support ******._

   server
   ***********************************************************************
   server ***********************************._pool
   ********************************Ntpd
   ***********************************************************************
   tos minclock *********._iburst ****************** ntpd
   ************************ 8
   ***********************************************************._

   leapfile ********************************* (Leap second)
   ************************************** periodic(8)
   ************._********************************************* /etc/rc.conf
   ************ ntp_db_leapfile ******._

    29.11.1.2. *** /etc/rc.conf ****** NTP ************

   ****** ntpd_enable="YES" ************************ ntpd._***
   ntpd_enable=YES ****** /etc/rc.conf ******************************** ntpd
   ********************************

 # service ntpd start

   ********* ntpd ************ ntpd_enable***************** rc.conf
   ******************************._

   ****** ntpd_sync_on_start=YES ****** ntpd
   ***********************************************************************************************
   1000
   *********************************._***************************************************************._

   ****** ntpd_oomprotect=YES ********* ntpd daemon
   ****************************************** (Out Of Memory, OOM)
   *********************._

   ****** ntpd_config= ********* ntp.conf ***************._

   ****** ntpd_flags= ********************************* ntpd
   ***************************** /etc/rc.d/ntpd *****************************

     * -p (pid ************)

     * -c (******ntpd_config= ******)

    29.11.1.3. ****************** ntpd *************** Ntpd

   *** FreeBSD ****** Ntpd
   ***********************************************************************************
   mac_ntpd(4) ************._/etc/rc.d/ntpd ****** Script ************ NTP
   ************************************** mac_ntpd
   ************************************** ntpd (user id 123) *********
   ntpd._*******************************************************************************************************
   Script *************** ntpd ************ ntpd._

   *** ntpd_flags
   ******************************************************************************
   ntpd **************************

     * -f *** --driftfile

     * -i *** --jaildir

     * -k *** --keyfile

     * -l *** --logfile

     * -s *** --statsdir

   *** ntp.conf
   *********************************************************************************
   ntpd **************************

     * crypto

     * driftfile

     * key

     * logdir

     * statsdir

   *************************** ntpd ************ ntpd ***********

     * ****** ntpd
       *********************************************************************._

     * *** mac_ntpd ***************************************** mac_ntpd(4)
       ******************._

     * *** /etc/rc.conf ********* ntpd_user="ntpd"

  29.11.2. *** PPP ************ NTP

   ntpd
   ***********************************************************************
   PPP ******************************************************** NTP
   ***********************************************************
   /etc/ppp/ppp.conf ****** filter **********************

 set filter dial 0 deny udp src eq 123
 # Prevent NTP traffic from initiating dial out
 set filter dial 1 permit 0 0
 set filter alive 0 deny udp src eq 123
 # Prevent incoming NTP traffic from keeping the connection open
 set filter alive 1 deny udp dst eq 123
 # Prevent outgoing NTP traffic from keeping the connection open
 set filter alive 2 permit 0/0 0/0

   ***************************************** ppp(8) *** PACKET FILTERING
   *************** /usr/share/examples/ppp/ ************._

  ******:

   ***********************************************************************
   NTP ********************************************************._

29.12. iSCSI Initiator *** Target ******

   iSCSI is a way to share storage over a network. Unlike NFS, which works at
   the file system level, iSCSI works at the block device level.

   In iSCSI terminology, the system that shares the storage is known as the
   target. The storage can be a physical disk, or an area representing
   multiple disks or a portion of a physical disk. For example, if the
   disk(s) are formatted with ZFS, a zvol can be created to use as the iSCSI
   storage.

   The clients which access the iSCSI storage are called initiators. To
   initiators, the storage available through iSCSI appears as a raw,
   unformatted disk known as a LUN. Device nodes for the disk appear in /dev/
   and the device must be separately formatted and mounted.

   FreeBSD provides a native, kernel-based iSCSI target and initiator. This
   section describes how to configure a FreeBSD system as a target or an
   initiator.

  29.12.1. ****** iSCSI Target

   To configure an iSCSI target, create the /etc/ctl.conf configuration file,
   add a line to /etc/rc.conf to make sure the ctld(8) daemon is
   automatically started at boot, and then start the daemon.

   The following is an example of a simple /etc/ctl.conf configuration file.
   Refer to ctl.conf(5) for a more complete description of this file's
   available options.

 portal-group pg0 {
         discovery-auth-group no-authentication
         listen 0.0.0.0
         listen [::]
 }

 target iqn.2012-06.com.example:target0 {
         auth-group no-authentication
         portal-group pg0

         lun 0 {
                 path /data/target0-0
                 size 4G
         }
 }

   The first entry defines the pg0 portal group. Portal groups define which
   network addresses the ctld(8) daemon will listen on. The
   discovery-auth-group no-authentication entry indicates that any initiator
   is allowed to perform iSCSI target discovery without authentication. Lines
   three and four configure ctld(8) to listen on all IPv4 (listen 0.0.0.0)
   and IPv6 (listen [::]) addresses on the default port of 3260.

   It is not necessary to define a portal group as there is a built-in portal
   group called default. In this case, the difference between default and pg0
   is that with default, target discovery is always denied, while with pg0,
   it is always allowed.

   The second entry defines a single target. Target has two possible
   meanings: a machine serving iSCSI or a named group of LUNs. This example
   uses the latter meaning, where iqn.2012-06.com.example:target0 is the
   target name. This target name is suitable for testing purposes. For actual
   use, change com.example to the real domain name, reversed. The 2012-06
   represents the year and month of acquiring control of that domain name,
   and target0 can be any value. Any number of targets can be defined in this
   configuration file.

   The auth-group no-authentication line allows all initiators to connect to
   the specified target and portal-group pg0 makes the target reachable
   through the pg0 portal group.

   The next section defines the LUN. To the initiator, each LUN will be
   visible as a separate disk device. Multiple LUNs can be defined for each
   target. Each LUN is identified by a number, where LUN 0 is mandatory. The
   path /data/target0-0 line defines the full path to a file or zvol backing
   the LUN. That path must exist before starting ctld(8). The second line is
   optional and specifies the size of the LUN.

   Next, to make sure the ctld(8) daemon is started at boot, add this line to
   /etc/rc.conf:

 ctld_enable="YES"

   To start ctld(8) now, run this command:

 # service ctld start

   As the ctld(8) daemon is started, it reads /etc/ctl.conf. If this file is
   edited after the daemon starts, use this command so that the changes take
   effect immediately:

 # service ctld reload

    29.12.1.1. ******

   The previous example is inherently insecure as it uses no authentication,
   granting anyone full access to all targets. To require a username and
   password to access targets, modify the configuration as follows:

 auth-group ag0 {
         chap username1 secretsecret
         chap username2 anothersecret
 }

 portal-group pg0 {
         discovery-auth-group no-authentication
         listen 0.0.0.0
         listen [::]
 }

 target iqn.2012-06.com.example:target0 {
         auth-group ag0
         portal-group pg0
         lun 0 {
                 path /data/target0-0
                 size 4G
         }
 }

   The auth-group section defines username and password pairs. An initiator
   trying to connect to iqn.2012-06.com.example:target0 must first specify a
   defined username and secret. However, target discovery is still permitted
   without authentication. To require target discovery authentication, set
   discovery-auth-group to a defined auth-group name instead of
   no-authentication.

   It is common to define a single exported target for every initiator. As a
   shorthand for the syntax above, the username and password can be specified
   directly in the target entry:

 target iqn.2012-06.com.example:target0 {
         portal-group pg0
         chap username1 secretsecret

         lun 0 {
                 path /data/target0-0
                 size 4G
         }
 }

  29.12.2. ****** iSCSI Initiator

  ******:

   The iSCSI initiator described in this section is supported starting with
   FreeBSD 10.0-RELEASE. To use the iSCSI initiator available in older
   versions, refer to iscontrol(8).

   The iSCSI initiator requires that the iscsid(8) daemon is running. This
   daemon does not use a configuration file. To start it automatically at
   boot, add this line to /etc/rc.conf:

 iscsid_enable="YES"

   To start iscsid(8) now, run this command:

 # service iscsid start

   Connecting to a target can be done with or without an /etc/iscsi.conf
   configuration file. This section demonstrates both types of connections.

    29.12.2.1. *************************** Target

   To connect an initiator to a single target, specify the IP address of the
   portal and the name of the target:

 # iscsictl -A -p 10.10.10.10 -t iqn.2012-06.com.example:target0

   To verify if the connection succeeded, run iscsictl without any arguments.
   The output should look similar to this:

 Target name                                     Target portal   State
 iqn.2012-06.com.example:target0                 10.10.10.10     Connected: da0

   In this example, the iSCSI session was successfully established, with
   /dev/da0 representing the attached LUN. If the
   iqn.2012-06.com.example:target0 target exports more than one LUN, multiple
   device nodes will be shown in that section of the output:

 Connected: da0 da1 da2.

   Any errors will be reported in the output, as well as the system logs. For
   example, this message usually means that the iscsid(8) daemon is not
   running:

 Target name                                     Target portal   State
 iqn.2012-06.com.example:target0                 10.10.10.10     Waiting for iscsid(8)

   The following message suggests a networking problem, such as a wrong IP
   address or port:

 Target name                                     Target portal   State
 iqn.2012-06.com.example:target0                 10.10.10.11     Connection refused

   This message means that the specified target name is wrong:

 Target name                                     Target portal   State
 iqn.2012-06.com.example:target0                 10.10.10.10     Not found

   This message means that the target requires authentication:

 Target name                                     Target portal   State
 iqn.2012-06.com.example:target0                 10.10.10.10     Authentication failed

   To specify a CHAP username and secret, use this syntax:

 # iscsictl -A -p 10.10.10.10 -t iqn.2012-06.com.example:target0 -u user -s secretsecret

    29.12.2.2. ************************ Target

   To connect using a configuration file, create /etc/iscsi.conf with
   contents like this:

 t0 {
         TargetAddress   = 10.10.10.10
         TargetName      = iqn.2012-06.com.example:target0
         AuthMethod      = CHAP
         chapIName       = user
         chapSecret      = secretsecret
 }

   The t0 specifies a nickname for the configuration file section. It will be
   used by the initiator to specify which configuration to use. The other
   lines specify the parameters to use during connection. The TargetAddress
   and TargetName are mandatory, whereas the other options are optional. In
   this example, the CHAP username and secret are shown.

   To connect to the defined target, specify the nickname:

 # iscsictl -An t0

   Alternately, to connect to all targets defined in the configuration file,
   use:

 # iscsictl -Aa

   To make the initiator automatically connect to all targets in
   /etc/iscsi.conf, add the following to /etc/rc.conf:

 iscsictl_enable="YES"
 iscsictl_flags="-Aa"

*** 30. *********

   Contributed by Joseph J. Barbish.
   Converted to SGML and updated by Brad Davis.
   ************

   30.1. ******

   30.2. ***************

   30.3. PF

   30.4. IPFW

   30.5. IPFILTER (IPF)

   30.6. Blacklistd

30.1. ******

   *************************************** (Incoming) ********* (Outgoing)
   ******************************************** "****** (Rules)"
   *********************************************(Network
   packets)***********************************._
   **************************************************************************************,_**************************************************************
   (Port)._

   *************************************************************************************

     * ******************************************,_***********************************************************._

     * ***************************************************************._

     * ************************ (Network address translation,
       NAT)*********************************** IP
       *************************************** IP
       ******************************************************************************._

   FreeBSD ********************************************PF, IPFW *** IPFILTER
   *** IPF._FreeBSD ************************************ (Traffic shaper)
   **************************altq(4) *** dummynet(4)**ALTQ ************ PF
   *********** dummynet *********
   IPFW._************************************************************ FreeBSD
   **************************************************************************._

   FreeBSD
   ***********************************************************************************************************************************************._

   ****************************

     * ******************************._

     * FreeBSD ******************************._

     * ********************* PF *********._

     * ********************* IPFW *********._

     * ********************* IPFILTER *********._

   ****************************************

     * ****** FreeBSD *********************._

  ******:

   **************************************************************************************************************************************
   TCP/IP
   **************************************************************************************************************************************************************
   Daryl's TCP/IP Primer._

30.2. ***************

   *************** (Ruleset)
   ************************************************************************************************************************************************************************************************************************************************************
   TCP/IP
   **************************************************************************************************************************************************************************************************************************************************************************************************************._

   ******************************************** /etc/services***********
   http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
   ******************************************._

   ****************************** ************************************._

   FTP *********************** (Active) *************** (Passive)
   ***************************************************************************************************************
   FTP ***************._************ FTP
   ********************************************
   http://www.slacksite.com/other/ftp.html._

   ************************************ ("exclusive") ***************
   ("inclusive")**********************************************************************************************************************************************************************************************._

   ***************************************************************************************************************************************************************************************************************************************************._****************************************************************************************************************************************************._

  ******:

   ***********************************************************************************************._

   ************************ ("Stateful firewall")
   ****************************************************************************************************************************************************************._

   ****************** (Stateful filtering)
   ********************************************************************************************************************
   (State)
   ***************************************************************************************************************************************************************************************************************************************************************._

   ******************************************************** (Dynamic state
   table) *********._

   Stateful filtering
   *********************************/***************************************************************************************************************************************************************._********************************************************************._Stateful
   filtering
   *****************************************************************************
   flood ******._

   NAT ****** Network Address Translation ***********************NAT
   ************************************ LAN ****************** ISP *********
   IP ****** (************************)**NAT *************** LAN
   ******************************************************** ISP
   ********************* IP *********************._

   NAT
   **************************************************************************************************
   LAN *** IP ************************ IP
   ********************************************************._

   ****** RFC1918************************** IP
   **********************************************************************************
   NAT ********

     * 10.0.0.0/8.

     * 172.16.0.0/12.

     * 192.168.0.0/16.

  ******:

   *************************************************************************************************************************************
   Console ******************************************************** ssh
   ******************._

30.3. PF

   Revised and updated by John Ferrell.

   *** FreeBSD 5.3 ******************************** OpenBSD's PF
   **************************PF
   ***************,_***************************************** ALTQ (Alternate
   Queuing) ****************** Quality of Service (QoS) ******._

   OpenBSD ****************************************** PF FAQ **Peter Hansteen
   ********************* PF ********* http://home.nuug.no/~peter/pf/._

  ******:

   When reading the PF FAQ, keep in mind that FreeBSD's version of PF has
   diverged substantially from the upstream OpenBSD version over the years.
   Not all features work the same way on FreeBSD as they do in OpenBSD and
   vice versa.

   ****************************** PF ************************ FreeBSD packet
   filter
   ****************************************************************************************************************._

   This section of the Handbook focuses on PF as it pertains to FreeBSD. It
   demonstrates how to enable PF and ALTQ. It also provides several examples
   for creating rulesets on a FreeBSD system.

  30.3.1. ****** PF

   To use PF, its kernel module must be first loaded. This section describes
   the entries that can be added to /etc/rc.conf to enable PF.

   Start by adding pf_enable=yes to /etc/rc.conf:

 # sysrc pf_enable=yes

   Additional options, described in pfctl(8), can be passed to PF when it is
   started. Add or change this entry in /etc/rc.conf and specify any required
   flags between the two quotes (""):

 pf_flags=""                     # additional flags for pfctl startup

   PF will not start if it cannot find its ruleset configuration file. By
   default, FreeBSD does not ship with a ruleset and there is no
   /etc/pf.conf. Example rulesets can be found in /usr/share/examples/pf/. If
   a custom ruleset has been saved somewhere else, add a line to /etc/rc.conf
   which specifies the full path to the file:

 pf_rules="/path/to/pf.conf"

   Logging support for PF is provided by pflog(4). To enable logging support,
   add pflog_enable=yes to /etc/rc.conf:

 # sysrc pflog_enable=yes

   The following lines can also be added to change the default location of
   the log file or to specify any additional flags to pass to pflog(4) when
   it is started:

 pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
 pflog_flags=""                  # additional flags for pflogd startup

   Finally, if there is a LAN behind the firewall and packets need to be
   forwarded for the computers on the LAN, or NAT is required, enable the
   following option:

 gateway_enable="YES"            # Enable as LAN gateway

   After saving the needed edits, PF can be started with logging support by
   typing:

 # service pf start
 # service pflog start

   By default, PF reads its configuration rules from /etc/pf.conf and
   modifies, drops, or passes packets according to the rules or definitions
   specified in this file. The FreeBSD installation includes several sample
   files located in /usr/share/examples/pf/. Refer to the PF FAQ for complete
   coverage of PF rulesets.

   To control PF, use pfctl. ****** 30.1, "********* pfctl ******" summarizes
   some useful options to this command. Refer to pfctl(8) for a description
   of all available options:

   ****** 30.1. ********* pfctl ******

              ******                               ******                     
   pfctl -e                     Enable PF.                                    
   pfctl -d                     Disable PF.                                   
   pfctl -F all -f /etc/pf.conf Flush all NAT, filter, state, and table rules 
                                and reload /etc/pf.conf.                      
   pfctl -s [ rules | nat |     Report on the filter rules, NAT rules, or     
   states ]                     state table.                                  
   pfctl -vnf /etc/pf.conf      Check /etc/pf.conf for errors, but do not     
                                load ruleset.                                 

  ******:

   security/sudo is useful for running commands like pfctl that require
   elevated privileges. It can be installed from the Ports Collection.

   To keep an eye on the traffic that passes through the PF firewall,
   consider installing the sysutils/pftop package or port. Once installed,
   pftop can be run to view a running snapshot of traffic in a format which
   is similar to top(1).

  30.3.2. PF *********

   Contributed by Peter N. M. Hansteen.

   This section demonstrates how to create a customized ruleset. It starts
   with the simplest of rulesets and builds upon its concepts using several
   examples to demonstrate real-world usage of PF's many features.

   The simplest possible ruleset is for a single machine that does not run
   any services and which needs access to one network, which may be the
   Internet. To create this minimal ruleset, edit /etc/pf.conf so it looks
   like this:

 block in all
 pass out all keep state

   The first rule denies all incoming traffic by default. The second rule
   allows connections created by this system to pass out, while retaining
   state information on those connections. This state information allows
   return traffic for those connections to pass back and should only be used
   on machines that can be trusted. The ruleset can be loaded with:

 # pfctl -e ; pfctl -f /etc/pf.conf

   In addition to keeping state, PF provides lists and macros which can be
   defined for use when creating rules. Macros can include lists and need to
   be defined before use. As an example, insert these lines at the very top
   of the ruleset:

 tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
 udp_services = "{ domain }"

   PF understands port names as well as port numbers, as long as the names
   are listed in /etc/services. This example creates two macros. The first is
   a list of seven TCP port names and the second is one UDP port name. Once
   defined, macros can be used in rules. In this example, all traffic is
   blocked except for the connections initiated by this system for the seven
   specified TCP services and the one specified UDP service:

 tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
 udp_services = "{ domain }"
 block all
 pass out proto tcp to any port $tcp_services keep state
 pass proto udp to any port $udp_services keep state

   Even though UDP is considered to be a stateless protocol, PF is able to
   track some state information. For example, when a UDP request is passed
   which asks a name server about a domain name, PF will watch for the
   response to pass it back.

   Whenever an edit is made to a ruleset, the new rules must be loaded so
   they can be used:

 # pfctl -f /etc/pf.conf

   If there are no syntax errors, pfctl will not output any messages during
   the rule load. Rules can also be tested before attempting to load them:

 # pfctl -nf /etc/pf.conf

   Including -n causes the rules to be interpreted only, but not loaded. This
   provides an opportunity to correct any errors. At all times, the last
   valid ruleset loaded will be enforced until either PF is disabled or a new
   ruleset is loaded.

  ******:

   Adding -v to a pfctl ruleset verify or load will display the fully parsed
   rules exactly the way they will be loaded. This is extremely useful when
   debugging rules.

    30.3.2.1. ****** NAT ******************

   This section demonstrates how to configure a FreeBSD system running PF to
   act as a gateway for at least one other machine. The gateway needs at
   least two network interfaces, each connected to a separate network. In
   this example, xl1 is connected to the Internet and xl0 is connected to the
   internal network.

   First, enable the gateway to let the machine forward the network traffic
   it receives on one interface to another interface. This sysctl setting
   will forward IPv4 packets:

 # sysctl net.inet.ip.forwarding=1

   To forward IPv6 traffic, use:

 # sysctl net.inet6.ip6.forwarding=1

   To enable these settings at system boot, use sysrc(8) to add them to
   /etc/rc.conf:

 # sysrc gateway_enable=yes
 # sysrc ipv6_gateway_enable=yes

   Verify with ifconfig that both of the interfaces are up and running.

   Next, create the PF rules to allow the gateway to pass traffic. While the
   following rule allows stateful traffic to pass from the Internet to hosts
   on the network, the to keyword does not guarantee passage all the way from
   source to destination:

 pass in on xl1 from xl1:network to xl0:network port $ports keep state

   That rule only lets the traffic pass in to the gateway on the internal
   interface. To let the packets go further, a matching rule is needed:

 pass out on xl0 from xl1:network to xl0:network port $ports keep state

   While these two rules will work, rules this specific are rarely needed.
   For a busy network admin, a readable ruleset is a safer ruleset. The
   remainder of this section demonstrates how to keep the rules as simple as
   possible for readability. For example, those two rules could be replaced
   with one rule:

 pass from xl1:network to any port $ports keep state

   The interface:network notation can be replaced with a macro to make the
   ruleset even more readable. For example, a $localnet macro could be
   defined as the network directly attached to the internal interface
   ($xl1:network). Alternatively, the definition of $localnet could be
   changed to an IP address/netmask notation to denote a network, such as
   192.168.100.1/24 for a subnet of private addresses.

   If required, $localnet could even be defined as a list of networks.
   Whatever the specific needs, a sensible $localnet definition could be used
   in a typical pass rule as follows:

 pass from $localnet to any port $ports keep state

   The following sample ruleset allows all traffic initiated by machines on
   the internal network. It first defines two macros to represent the
   external and internal 3COM interfaces of the gateway.

  ******:

   For dialup users, the external interface will use tun0. For an ADSL
   connection, specifically those using PPP over Ethernet (PPPoE), the
   correct external interface is tun0, not the physical Ethernet interface.

 ext_if = "xl0"  # macro for external interface - use tun0 for PPPoE
 int_if = "xl1"  # macro for internal interface
 localnet = $int_if:network
 # ext_if IP address could be dynamic, hence ($ext_if)
 nat on $ext_if from $localnet to any -> ($ext_if)
 block all
 pass from { lo0, $localnet } to any keep state

   This ruleset introduces the nat rule which is used to handle the network
   address translation from the non-routable addresses inside the internal
   network to the IP address assigned to the external interface. The
   parentheses surrounding the last part of the nat rule ($ext_if) is
   included when the IP address of the external interface is dynamically
   assigned. It ensures that network traffic runs without serious
   interruptions even if the external IP address changes.

   Note that this ruleset probably allows more traffic to pass out of the
   network than is needed. One reasonable setup could create this macro:

 client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, \
     https, cvspserver, 2628, 5999, 8000, 8080 }"

   to use in the main pass rule:

 pass inet proto tcp from $localnet to any port $client_out \
     flags S/SA keep state

   A few other pass rules may be needed. This one enables SSH on the external
   interface:

 pass in inet proto tcp to $ext_if port ssh

   This macro definition and rule allows DNS and NTP for internal clients:

 udp_services = "{ domain, ntp }"
 pass quick inet proto { tcp, udp } to any port $udp_services keep state

   Note the quick keyword in this rule. Since the ruleset consists of several
   rules, it is important to understand the relationships between the rules
   in a ruleset. Rules are evaluated from top to bottom, in the sequence they
   are written. For each packet or connection evaluated by PF, the last
   matching rule in the ruleset is the one which is applied. However, when a
   packet matches a rule which contains the quick keyword, the rule
   processing stops and the packet is treated according to that rule. This is
   very useful when an exception to the general rules is needed.

    30.3.2.2. ****** FTP Proxy

   Configuring working FTP rules can be problematic due to the nature of the
   FTP protocol. FTP pre-dates firewalls by several decades and is insecure
   in its design. The most common points against using FTP include:

     * Passwords are transferred in the clear.

     * The protocol demands the use of at least two TCP connections (control
       and data) on separate ports.

     * When a session is established, data is communicated using randomly
       selected ports.

   All of these points present security challenges, even before considering
   any potential security weaknesses in client or server software. More
   secure alternatives for file transfer exist, such as sftp(1) or scp(1),
   which both feature authentication and data transfer over encrypted
   connections..

   For those situations when FTP is required, PF provides redirection of FTP
   traffic to a small proxy program called ftp-proxy(8), which is included in
   the base system of FreeBSD. The role of the proxy is to dynamically insert
   and delete rules in the ruleset, using a set of anchors, to correctly
   handle FTP traffic.

   To enable the FTP proxy, add this line to /etc/rc.conf:

 ftpproxy_enable="YES"

   Then start the proxy by running service ftp-proxy start.

   For a basic configuration, three elements need to be added to
   /etc/pf.conf. First, the anchors which the proxy will use to insert the
   rules it generates for the FTP sessions:

 nat-anchor "ftp-proxy/*"
 rdr-anchor "ftp-proxy/*"

   Second, a pass rule is needed to allow FTP traffic in to the proxy.

   Third, redirection and NAT rules need to be defined before the filtering
   rules. Insert this rdr rule immediately after the nat rule:

 rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

   Finally, allow the redirected traffic to pass:

 pass out proto tcp from $proxy to any port ftp

   where $proxy expands to the address the proxy daemon is bound to.

   Save /etc/pf.conf, load the new rules, and verify from a client that FTP
   connections are working:

 # pfctl -f /etc/pf.conf

   This example covers a basic setup where the clients in the local network
   need to contact FTP servers elsewhere. This basic configuration should
   work well with most combinations of FTP clients and servers. As shown in
   ftp-proxy(8), the proxy's behavior can be changed in various ways by
   adding options to the ftpproxy_flags= line. Some clients or servers may
   have specific quirks that must be compensated for in the configuration, or
   there may be a need to integrate the proxy in specific ways such as
   assigning FTP traffic to a specific queue.

   For ways to run an FTP server protected by PF and ftp-proxy(8), configure
   a separate ftp-proxy in reverse mode, using -R, on a separate port with
   its own redirecting pass rule.

    30.3.2.3. ****** ICMP

   Many of the tools used for debugging or troubleshooting a TCP/IP network
   rely on the Internet Control Message Protocol (ICMP), which was designed
   specifically with debugging in mind.

   The ICMP protocol sends and receives control messages between hosts and
   gateways, mainly to provide feedback to a sender about any unusual or
   difficult conditions enroute to the target host. Routers use ICMP to
   negotiate packet sizes and other transmission parameters in a process
   often referred to as path MTU discovery.

   From a firewall perspective, some ICMP control messages are vulnerable to
   known attack vectors. Also, letting all diagnostic traffic pass
   unconditionally makes debugging easier, but it also makes it easier for
   others to extract information about the network. For these reasons, the
   following rule may not be optimal:

 pass inet proto icmp from any to any

   One solution is to let all ICMP traffic from the local network through
   while stopping all probes from outside the network:

 pass inet proto icmp from $localnet to any keep state
 pass inet proto icmp from any to $ext_if keep state

   Additional options are available which demonstrate some of PF's
   flexibility. For example, rather than allowing all ICMP messages, one can
   specify the messages used by ping(8) and traceroute(8). Start by defining
   a macro for that type of message:

 icmp_types = "echoreq"

   and a rule which uses the macro:

 pass inet proto icmp all icmp-type $icmp_types keep state

   If other types of ICMP packets are needed, expand icmp_types to a list of
   those packet types. Type more /usr/src/sbin/pfctl/pfctl_parser.c to see
   the list of ICMP message types supported by PF. Refer to
   http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml for
   an explanation of each message type.

   Since Unix traceroute uses UDP by default, another rule is needed to allow
   Unix traceroute:

 # allow out the default range for traceroute(8):
 pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

   Since TRACERT.EXE on Microsoft Windows systems uses ICMP echo request
   messages, only the first rule is needed to allow network traces from those
   systems. Unix traceroute can be instructed to use other protocols as well,
   and will use ICMP echo request messages if -I is used. Check the
   traceroute(8) man page for details.

      30.3.2.3.1. Path MTU Discovery

   Internet protocols are designed to be device independent, and one
   consequence of device independence is that the optimal packet size for a
   given connection cannot always be predicted reliably. The main constraint
   on packet size is the Maximum Transmission Unit (MTU) which sets the upper
   limit on the packet size for an interface. Type ifconfig to view the MTUs
   for a system's network interfaces.

   TCP/IP uses a process known as path MTU discovery to determine the right
   packet size for a connection. This process sends packets of varying sizes
   with the "Do not fragment" flag set, expecting an ICMP return packet of
   "type 3, code 4" when the upper limit has been reached. Type 3 means
   "destination unreachable", and code 4 is short for "fragmentation needed,
   but the do-not-fragment flag is set". To allow path MTU discovery in order
   to support connections to other MTUs, add the destination unreachable type
   to the icmp_types macro:

 icmp_types = "{ echoreq, unreach }"

   Since the pass rule already uses that macro, it does not need to be
   modified to support the new ICMP type:

 pass inet proto icmp all icmp-type $icmp_types keep state

   PF allows filtering on all variations of ICMP types and codes. The list of
   possible types and codes are documented in icmp(4) and icmp6(4).

    30.3.2.4. ****** Tables

   Some types of data are relevant to filtering and redirection at a given
   time, but their definition is too long to be included in the ruleset file.
   PF supports the use of tables, which are defined lists that can be
   manipulated without needing to reload the entire ruleset, and which can
   provide fast lookups. Table names are always enclosed within < >, like
   this:

 table <clients> { 192.168.2.0/24, !192.168.2.5 }

   In this example, the 192.168.2.0/24 network is part of the table, except
   for the address 192.168.2.5, which is excluded using the ! operator. It is
   also possible to load tables from files where each item is on a separate
   line, as seen in this example /etc/clients:

 192.168.2.0/24
 !192.168.2.5

   To refer to the file, define the table like this:

 table <clients> persist file "/etc/clients"

   Once the table is defined, it can be referenced by a rule:

 pass inet proto tcp from <clients> to any port $client_out flags S/SA keep state

   A table's contents can be manipulated live, using pfctl. This example adds
   another network to the table:

 # pfctl -t clients -T add 192.168.1.0/16

   Note that any changes made this way will take affect now, making them
   ideal for testing, but will not survive a power failure or reboot. To make
   the changes permanent, modify the definition of the table in the ruleset
   or edit the file that the table refers to. One can maintain the on-disk
   copy of the table using a cron(8) job which dumps the table's contents to
   disk at regular intervals, using a command such as pfctl -t clients -T
   show >/etc/clients. Alternatively, /etc/clients can be updated with the
   in-memory table contents:

 # pfctl -t clients -T replace -f /etc/clients

    30.3.2.5. ****** Overload Tables ****** SSH

   Those who run SSH on an external interface have probably seen something
   like this in the authentication logs:

 Sep 26 03:12:34 skapet sshd[25771]: Failed password for root from 200.72.41.31 port 40992 ssh2
 Sep 26 03:12:34 skapet sshd[5279]: Failed password for root from 200.72.41.31 port 40992 ssh2
 Sep 26 03:12:35 skapet sshd[5279]: Received disconnect from 200.72.41.31: 11: Bye Bye
 Sep 26 03:12:44 skapet sshd[29635]: Invalid user admin from 200.72.41.31
 Sep 26 03:12:44 skapet sshd[24703]: input_userauth_request: invalid user admin
 Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from 200.72.41.31 port 41484 ssh2

   This is indicative of a brute force attack where somebody or some program
   is trying to discover the user name and password which will let them into
   the system.

   If external SSH access is needed for legitimate users, changing the
   default port used by SSH can offer some protection. However, PF provides a
   more elegant solution. Pass rules can contain limits on what connecting
   hosts can do and violators can be banished to a table of addresses which
   are denied some or all access. It is even possible to drop all existing
   connections from machines which overreach the limits.

   To configure this, create this table in the tables section of the ruleset:

 table <bruteforce> persist

   Then, somewhere early in the ruleset, add rules to block brute access
   while allowing legitimate access:

 block quick from <bruteforce>
 pass inet proto tcp from any to $localnet port $tcp_services \
     flags S/SA keep state \
     (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

   The part in parentheses defines the limits and the numbers should be
   changed to meet local requirements. It can be read as follows:

   max-src-conn is the number of simultaneous connections allowed from one
   host.

   max-src-conn-rate is the rate of new connections allowed from any single
   host (15) per number of seconds (5).

   overload <bruteforce> means that any host which exceeds these limits gets
   its address added to the bruteforce table. The ruleset blocks all traffic
   from addresses in the bruteforce table.

   Finally, flush global says that when a host reaches the limit, that all
   (global) of that host's connections will be terminated (flush).

  ******:

   These rules will not block slow bruteforcers, as described in
   http://home.nuug.no/~peter/hailmary2013/.

   This example ruleset is intended mainly as an illustration. For example,
   if a generous number of connections in general are wanted, but the desire
   is to be more restrictive when it comes to ssh, supplement the rule above
   with something like the one below, early on in the rule set:

 pass quick proto { tcp, udp } from any to any port ssh \
     flags S/SA keep state \
     (max-src-conn 15, max-src-conn-rate 5/3, \
     overload <bruteforce> flush global)

  It May Not be Necessary to Block All Overloaders:

   It is worth noting that the overload mechanism is a general technique
   which does not apply exclusively to SSH, and it is not always optimal to
   entirely block all traffic from offenders.

   For example, an overload rule could be used to protect a mail service or a
   web service, and the overload table could be used in a rule to assign
   offenders to a queue with a minimal bandwidth allocation or to redirect to
   a specific web page.

   Over time, tables will be filled by overload rules and their size will
   grow incrementally, taking up more memory. Sometimes an IP address that is
   blocked is a dynamically assigned one, which has since been assigned to a
   host who has a legitimate reason to communicate with hosts in the local
   network.

   For situations like these, pfctl provides the ability to expire table
   entries. For example, this command will remove <bruteforce> table entries
   which have not been referenced for 86400 seconds:

 # pfctl -t bruteforce -T expire 86400

   Similar functionality is provided by security/expiretable, which removes
   table entries which have not been accessed for a specified period of time.

   Once installed, expiretable can be run to remove <bruteforce> table
   entries older than a specified age. This example removes all entries older
   than 24 hours:

 /usr/local/sbin/expiretable -v -d -t 24h bruteforce

    30.3.2.6. SPAM ******

   Not to be confused with the spamd daemon which comes bundled with
   spamassassin, mail/spamd can be configured with PF to provide an outer
   defense against SPAM. This spamd hooks into the PF configuration using a
   set of redirections.

   Spammers tend to send a large number of messages, and SPAM is mainly sent
   from a few spammer friendly networks and a large number of hijacked
   machines, both of which are reported to blacklists fairly quickly.

   When an SMTP connection from an address in a blacklist is received, spamd
   presents its banner and immediately switches to a mode where it answers
   SMTP traffic one byte at a time. This technique, which is intended to
   waste as much time as possible on the spammer's end, is called tarpitting.
   The specific implementation which uses one byte SMTP replies is often
   referred to as stuttering.

   This example demonstrates the basic procedure for setting up spamd with
   automatically updated blacklists. Refer to the man pages which are
   installed with mail/spamd for more information.

   ****** 30.1. Configuring spamd
    1. Install the mail/spamd package or port. To use spamd's greylisting
       features, fdescfs(5) must be mounted at /dev/fd. Add the following
       line to /etc/fstab:

  fdescfs /dev/fd fdescfs rw 0 0

       Then, mount the filesystem:

 # mount fdescfs

    2. Next, edit the PF ruleset to include:

 table <spamd> persist
 table <spamd-white> persist
 rdr pass on $ext_if inet proto tcp from <spamd> to \
     { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025
 rdr pass on $ext_if inet proto tcp from !<spamd-white> to \
     { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025

       The two tables <spamd> and <spamd-white> are essential. SMTP traffic
       from an address listed in <spamd> but not in <spamd-white> is
       redirected to the spamd daemon listening at port 8025.

    3. The next step is to configure spamd in /usr/local/etc/spamd.conf and
       to add some rc.conf parameters.

       The installation of mail/spamd includes a sample configuration file
       (/usr/local/etc/spamd.conf.sample) and a man page for spamd.conf.
       Refer to these for additional configuration options beyond those shown
       in this example.

       One of the first lines in the configuration file that does not begin
       with a # comment sign contains the block which defines the all list,
       which specifies the lists to use:

 all:\
     :traplist:whitelist:

       This entry adds the desired blacklists, separated by colons (:). To
       use a whitelist to subtract addresses from a blacklist, add the name
       of the whitelist immediately after the name of that blacklist. For
       example: :blacklist:whitelist:.

       This is followed by the specified blacklist's definition:

 traplist:\
     :black:\
     :msg="SPAM. Your address %A has sent spam within the last 24 hours":\
     :method=http:\
     :file=www.openbsd.org/spamd/traplist.gz

       where the first line is the name of the blacklist and the second line
       specifies the list type. The msg field contains the message to display
       to blacklisted senders during the SMTP dialogue. The method field
       specifies how spamd-setup fetches the list data; supported methods are
       http, ftp, from a file in a mounted file system, and via exec of an
       external program. Finally, the file field specifies the name of the
       file spamd expects to receive.

       The definition of the specified whitelist is similar, but omits the
       msg field since a message is not needed:

 whitelist:\
     :white:\
     :method=file:\
     :file=/var/mail/whitelist.txt

  Choose Data Sources with Care:

       Using all the blacklists in the sample spamd.conf will blacklist large
       blocks of the Internet. Administrators need to edit the file to create
       an optimal configuration which uses applicable data sources and, when
       necessary, uses custom lists.

       Next, add this entry to /etc/rc.conf. Additional flags are described
       in the man page specified by the comment:

 spamd_flags="-v" # use "" and see spamd-setup(8) for flags

       When finished, reload the ruleset, start spamd by typing service
       obspamd start, and complete the configuration using spamd-setup.
       Finally, create a cron(8) job which calls spamd-setup to update the
       tables at reasonable intervals.

   On a typical gateway in front of a mail server, hosts will soon start
   getting trapped within a few seconds to several minutes.

   PF also supports greylisting, which temporarily rejects messages from
   unknown hosts with 45n codes. Messages from greylisted hosts which try
   again within a reasonable time are let through. Traffic from senders which
   are set up to behave within the limits set by RFC 1123 and RFC 2821 are
   immediately let through.

   More information about greylisting as a technique can be found at the
   greylisting.org web site. The most amazing thing about greylisting, apart
   from its simplicity, is that it still works. Spammers and malware writers
   have been very slow to adapt to bypass this technique.

   The basic procedure for configuring greylisting is as follows:

   ****** 30.2. Configuring Greylisting
    1. Make sure that fdescfs(5) is mounted as described in Step 1 of the
       previous Procedure.

    2. To run spamd in greylisting mode, add this line to /etc/rc.conf:

 spamd_grey="YES"  # use spamd greylisting if YES

       Refer to the spamd man page for descriptions of additional related
       parameters.

    3. To complete the greylisting setup:

 # service obspamd restart
 # service obspamlogd start

   Behind the scenes, the spamdb database tool and the spamlogd whitelist
   updater perform essential functions for the greylisting feature. spamdb is
   the administrator's main interface to managing the black, grey, and white
   lists via the contents of the /var/db/spamdb database.

    30.3.2.7. ************

   This section describes how block-policy, scrub, and antispoof can be used
   to make the ruleset behave sanely.

   The block-policy is an option which can be set in the options part of the
   ruleset, which precedes the redirection and filtering rules. This option
   determines which feedback, if any, PF sends to hosts that are blocked by a
   rule. The option has two possible values: drop drops blocked packets with
   no feedback, and return returns a status code such as Connection refused.

   If not set, the default policy is drop. To change the block-policy,
   specify the desired value:

 set block-policy return

   In PF, scrub is a keyword which enables network packet normalization. This
   process reassembles fragmented packets and drops TCP packets that have
   invalid flag combinations. Enabling scrub provides a measure of protection
   against certain kinds of attacks based on incorrect handling of packet
   fragments. A number of options are available, but the simplest form is
   suitable for most configurations:

 scrub in all

   Some services, such as NFS, require specific fragment handling options.
   Refer to https://home.nuug.no/~peter/pf/en/scrub.html for more
   information.

   This example reassembles fragments, clears the "do not fragment" bit, and
   sets the maximum segment size to 1440 bytes:

 scrub in all fragment reassemble no-df max-mss 1440

   The antispoof mechanism protects against activity from spoofed or forged
   IP addresses, mainly by blocking packets appearing on interfaces and in
   directions which are logically not possible.

   These rules weed out spoofed traffic coming in from the rest of the world
   as well as any spoofed packets which originate in the local network:

 antispoof for $ext_if
 antispoof for $int_if

    30.3.2.8. ****************** (Non-Routable) *********

   Even with a properly configured gateway to handle network address
   translation, one may have to compensate for other people's
   misconfigurations. A common misconfiguration is to let traffic with
   non-routable addresses out to the Internet. Since traffic from
   non-routeable addresses can play a part in several DoS attack techniques,
   consider explicitly blocking traffic from non-routeable addresses from
   entering the network through the external interface.

   In this example, a macro containing non-routable addresses is defined,
   then used in blocking rules. Traffic to and from these addresses is
   quietly dropped on the gateway's external interface.

 martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
               10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
               0.0.0.0/8, 240.0.0.0/4 }"

 block drop in quick on $ext_if from $martians to any
 block drop out quick on $ext_if from any to $martians

  30.3.3. ****** ALTQ

   On FreeBSD, ALTQ can be used with PF to provide Quality of Service (QOS).
   Once ALTQ is enabled, queues can be defined in the ruleset which determine
   the processing priority of outbound packets.

   Before enabling ALTQ, refer to altq(4) to determine if the drivers for the
   network cards installed on the system support it.

   ALTQ is not available as a loadable kernel module. If the system's
   interfaces support ALTQ, create a custom kernel using the instructions in
   *** 8, ****** FreeBSD ******. The following kernel options are available.
   The first is needed to enable ALTQ. At least one of the other options is
   necessary to specify the queueing scheduler algorithm:

 options         ALTQ
 options         ALTQ_CBQ        # Class Based Queuing (CBQ)
 options         ALTQ_RED        # Random Early Detection (RED)
 options         ALTQ_RIO        # RED In/Out
 options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
 options         ALTQ_PRIQ       # Priority Queuing (PRIQ)

   The following scheduler algorithms are available:

   CBQ

           Class Based Queuing (CBQ) is used to divide a connection's
           bandwidth into different classes or queues to prioritize traffic
           based on filter rules.

   RED

           Random Early Detection (RED) is used to avoid network congestion
           by measuring the length of the queue and comparing it to the
           minimum and maximum thresholds for the queue. When the queue is
           over the maximum, all new packets are randomly dropped.

   RIO

           In Random Early Detection In and Out (RIO) mode, RED maintains
           multiple average queue lengths and multiple threshold values, one
           for each QOS level.

   HFSC

           Hierarchical Fair Service Curve Packet Scheduler (HFSC) is
           described in http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html.

   PRIQ

           Priority Queuing (PRIQ) always passes traffic that is in a higher
           queue first.

   More information about the scheduling algorithms and example rulesets are
   available at the OpenBSD's web archive.

30.4. IPFW

   IPFW *************** FreeBSD *************************** (Stateful
   firewall)***************** IPv4 ***
   IPv6*************************************************************************************************,_************,_NAT,_dummynet(4)
   ******************,_************,_****************** ipstealth ******._

   FreeBSD ******************************
   /etc/rc.firewall**************************************************************************************************************._IPFW
   ******************************************************************************************************._

   ***************************
   IPFW,_************************************************************************._

  30.4.1. ****** IPFW

   IPFW is included in the basic FreeBSD install as a kernel loadable module,
   meaning that a custom kernel is not needed in order to enable IPFW.

   For those users who wish to statically compile IPFW support into a custom
   kernel, see *** 30.4.6, "IPFW ************".

   To configure the system to enable IPFW at boot time, add
   firewall_enable="YES" to /etc/rc.conf:

 # sysrc firewall_enable="YES"

   To use one of the default firewall types provided by FreeBSD, add another
   line which specifies the type:

 # sysrc firewall_type="open"

   The available types are:

     * open: passes all traffic.

     * client: protects only this machine.

     * simple: protects the whole network.

     * closed: entirely disables IP traffic except for the loopback
       interface.

     * workstation: protects only this machine using stateful rules.

     * UNKNOWN: disables the loading of firewall rules.

     * filename: full path of the file containing the firewall ruleset.

   If firewall_type is set to either client or simple, modify the default
   rules found in /etc/rc.firewall to fit the configuration of the system.

   Note that the filename type is used to load a custom ruleset.

   An alternate way to load a custom ruleset is to set the firewall_script
   variable to the absolute path of an executable script that includes IPFW
   commands. The examples used in this section assume that the
   firewall_script is set to /etc/ipfw.rules:

 # sysrc firewall_script="/etc/ipfw.rules"

   To enable logging through syslogd(8), include this line:

 # sysrc firewall_logging="YES"

  ******:

   Only firewall rules with the log option will be logged. The default rules
   do not include this option and it must be manually added. Therefore it is
   advisable that the default ruleset is edited for logging. In addition, log
   rotation may be desired if the logs are stored in a separate file.

   There is no /etc/rc.conf variable to set logging limits. To limit the
   number of times a rule is logged per connection attempt, specify the
   number using this line in /etc/sysctl.conf:

 # echo "net.inet.ip.fw.verbose_limit=5" >> /etc/sysctl.conf

   To enable logging through a dedicated interface named ipfw0, add this line
   to /etc/rc.conf instead:

 # sysrc firewall_logif="YES"

   Then use tcpdump to see what is being logged:

 # tcpdump -t -n -i ipfw0

  ******:

   There is no overhead due to logging unless tcpdump is attached.

   After saving the needed edits, start the firewall. To enable logging
   limits now, also set the sysctl value specified above:

 # service ipfw start
 # sysctl net.inet.ip.fw.verbose_limit=5

  30.4.2. IPFW ************

   When a packet enters the IPFW firewall, it is compared against the first
   rule in the ruleset and progresses one rule at a time, moving from top to
   bottom in sequence. When the packet matches the selection parameters of a
   rule, the rule's action is executed and the search of the ruleset
   terminates for that packet. This is referred to as "first match wins". If
   the packet does not match any of the rules, it gets caught by the
   mandatory IPFW default rule number 65535, which denies all packets and
   silently discards them. However, if the packet matches a rule that
   contains the count, skipto, or tee keywords, the search continues. Refer
   to ipfw(8) for details on how these keywords affect rule processing.

   When creating an IPFW rule, keywords must be written in the following
   order. Some keywords are mandatory while other keywords are optional. The
   words shown in uppercase represent a variable and the words shown in
   lowercase must precede the variable that follows it. The # symbol is used
   to mark the start of a comment and may appear at the end of a rule or on
   its own line. Blank lines are ignored.

   CMD RULE_NUMBER set SET_NUMBER ACTION log LOG_AMOUNT PROTO from SRC
   SRC_PORT to DST DST_PORT OPTIONS

   This section provides an overview of these keywords and their options. It
   is not an exhaustive list of every possible option. Refer to ipfw(8) for a
   complete description of the rule syntax that can be used when creating
   IPFW rules.

   CMD

           Every rule must start with ipfw add.

   RULE_NUMBER

           Each rule is associated with a number from 1 to 65534. The number
           is used to indicate the order of rule processing. Multiple rules
           can have the same number, in which case they are applied according
           to the order in which they have been added.

   SET_NUMBER

           Each rule is associated with a set number from 0 to 31. Sets can
           be individually disabled or enabled, making it possible to quickly
           add or delete a set of rules. If a SET_NUMBER is not specified,
           the rule will be added to set 0.

   ACTION

           A rule can be associated with one of the following actions. The
           specified action will be executed when the packet matches the
           selection criterion of the rule.

           allow | accept | pass | permit: these keywords are equivalent and
           allow packets that match the rule.

           check-state: checks the packet against the dynamic state table. If
           a match is found, execute the action associated with the rule
           which generated this dynamic rule, otherwise move to the next
           rule. A check-state rule does not have selection criterion. If no
           check-state rule is present in the ruleset, the dynamic rules
           table is checked at the first keep-state or limit rule.

           count: updates counters for all packets that match the rule. The
           search continues with the next rule.

           deny | drop: either word silently discards packets that match this
           rule.

           Additional actions are available. Refer to ipfw(8) for details.

   LOG_AMOUNT

           When a packet matches a rule with the log keyword, a message will
           be logged to syslogd(8) with a facility name of SECURITY. Logging
           only occurs if the number of packets logged for that particular
           rule does not exceed a specified LOG_AMOUNT. If no LOG_AMOUNT is
           specified, the limit is taken from the value of
           net.inet.ip.fw.verbose_limit. A value of zero removes the logging
           limit. Once the limit is reached, logging can be re-enabled by
           clearing the logging counter or the packet counter for that rule,
           using ipfw resetlog.

  ******:

           Logging is done after all other packet matching conditions have
           been met, and before performing the final action on the packet.
           The administrator decides which rules to enable logging on.

   PROTO

           This optional value can be used to specify any protocol name or
           number found in /etc/protocols.

   SRC

           The from keyword must be followed by the source address or a
           keyword that represents the source address. An address can be
           represented by any, me (any address configured on an interface on
           this system), me6, (any IPv6 address configured on an interface on
           this system), or table followed by the number of a lookup table
           which contains a list of addresses. When specifying an IP address,
           it can be optionally followed by its CIDR mask or subnet mask. For
           example, 1.2.3.4/25 or 1.2.3.4:255.255.255.128.

   SRC_PORT

           An optional source port can be specified using the port number or
           name from /etc/services.

   DST

           The to keyword must be followed by the destination address or a
           keyword that represents the destination address. The same keywords
           and addresses described in the SRC section can be used to describe
           the destination.

   DST_PORT

           An optional destination port can be specified using the port
           number or name from /etc/services.

   OPTIONS

           Several keywords can follow the source and destination. As the
           name suggests, OPTIONS are optional. Commonly used options include
           in or out, which specify the direction of packet flow, icmptypes
           followed by the type of ICMP message, and keep-state.

           When a keep-state rule is matched, the firewall will create a
           dynamic rule which matches bidirectional traffic between the
           source and destination addresses and ports using the same
           protocol.

           The dynamic rules facility is vulnerable to resource depletion
           from a SYN-flood attack which would open a huge number of dynamic
           rules. To counter this type of attack with IPFW, use limit. This
           option limits the number of simultaneous sessions by checking the
           open dynamic rules, counting the number of times this rule and IP
           address combination occurred. If this count is greater than the
           value specified by limit, the packet is discarded.

           Dozens of OPTIONS are available. Refer to ipfw(8) for a
           description of each available option.

  30.4.3. ***************

   This section demonstrates how to create an example stateful firewall
   ruleset script named /etc/ipfw.rules. In this example, all connection
   rules use in or out to clarify the direction. They also use via
   interface-name to specify the interface the packet is traveling over.

  ******:

   When first creating or testing a firewall ruleset, consider temporarily
   setting this tunable:

 net.inet.ip.fw.default_to_accept="1"

   This sets the default policy of ipfw(8) to be more permissive than the
   default deny ip from any to any, making it slightly more difficult to get
   locked out of the system right after a reboot.

   The firewall script begins by indicating that it is a Bourne shell script
   and flushes any existing rules. It then creates the cmd variable so that
   ipfw add does not have to be typed at the beginning of every rule. It also
   defines the pif variable which represents the name of the interface that
   is attached to the Internet.

 #!/bin/sh
 # Flush out the list before we begin.
 ipfw -q -f flush

 # Set rules command prefix
 cmd="ipfw -q add"
 pif="dc0"     # interface name of NIC attached to Internet

   The first two rules allow all traffic on the trusted internal interface
   and on the loopback interface:

 # Change xl0 to LAN NIC interface name
 $cmd 00005 allow all from any to any via xl0

 # No restrictions on Loopback Interface
 $cmd 00010 allow all from any to any via lo0

   The next rule allows the packet through if it matches an existing entry in
   the dynamic rules table:

 $cmd 00101 check-state

   The next set of rules defines which stateful connections internal systems
   can create to hosts on the Internet:

 # Allow access to public DNS
 # Replace x.x.x.x with the IP address of a public DNS server
 # and repeat for each DNS server in /etc/resolv.conf
 $cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
 $cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

 # Allow access to ISP's DHCP server for cable/DSL configurations.
 # Use the first rule and check log for IP address.
 # Then, uncomment the second rule, input the IP address, and delete the first rule
 $cmd 00120 allow log udp from any to any 67 out via $pif keep-state
 #$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

 # Allow outbound HTTP and HTTPS connections
 $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
 $cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

 # Allow outbound email connections
 $cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
 $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

 # Allow outbound ping
 $cmd 00250 allow icmp from any to any out via $pif keep-state

 # Allow outbound NTP
 $cmd 00260 allow udp from any to any 123 out via $pif keep-state

 # Allow outbound SSH
 $cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

 # deny and log all other outbound connections
 $cmd 00299 deny log all from any to any out via $pif

   The next set of rules controls connections from Internet hosts to the
   internal network. It starts by denying packets typically associated with
   attacks and then explicitly allows specific types of connections. All the
   authorized services that originate from the Internet use limit to prevent
   flooding.

 # Deny all inbound traffic from non-routable reserved address spaces
 $cmd 00300 deny all from 192.168.0.0/16 to any in via $pif     #RFC 1918 private IP
 $cmd 00301 deny all from 172.16.0.0/12 to any in via $pif      #RFC 1918 private IP
 $cmd 00302 deny all from 10.0.0.0/8 to any in via $pif         #RFC 1918 private IP
 $cmd 00303 deny all from 127.0.0.0/8 to any in via $pif        #loopback
 $cmd 00304 deny all from 0.0.0.0/8 to any in via $pif          #loopback
 $cmd 00305 deny all from 169.254.0.0/16 to any in via $pif     #DHCP auto-config
 $cmd 00306 deny all from 192.0.2.0/24 to any in via $pif       #reserved for docs
 $cmd 00307 deny all from 204.152.64.0/23 to any in via $pif    #Sun cluster interconnect
 $cmd 00308 deny all from 224.0.0.0/3 to any in via $pif        #Class D & E multicast

 # Deny public pings
 $cmd 00310 deny icmp from any to any in via $pif

 # Deny ident
 $cmd 00315 deny tcp from any to any 113 in via $pif

 # Deny all Netbios services.
 $cmd 00320 deny tcp from any to any 137 in via $pif
 $cmd 00321 deny tcp from any to any 138 in via $pif
 $cmd 00322 deny tcp from any to any 139 in via $pif
 $cmd 00323 deny tcp from any to any 81 in via $pif

 # Deny fragments
 $cmd 00330 deny all from any to any frag in via $pif

 # Deny ACK packets that did not match the dynamic rule table
 $cmd 00332 deny tcp from any to any established in via $pif

 # Allow traffic from ISP's DHCP server.
 # Replace x.x.x.x with the same IP address used in rule 00120.
 #$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

 # Allow HTTP connections to internal web server
 $cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

 # Allow inbound SSH connections
 $cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

 # Reject and log all other incoming connections
 $cmd 00499 deny log all from any to any in via $pif

   The last rule logs all packets that do not match any of the rules in the
   ruleset:

 # Everything else is denied and logged
 $cmd 00999 deny log all from any to any

  30.4.4. ********* NAT

   Contributed by Chern Lee.
   Rewritten and updated by Dries Michiels.

   FreeBSD's IPFW firewall has two implementations of NAT: one being the
   userland natd(8) daemon, and the more recent IPFW's built-in NAT facility
   also known as in-kernel NAT. Both work in conjunction with IPFW to provide
   network address translation. This can be used to provide an Internet
   Connection Sharing solution so that several internal computers can connect
   to the Internet using a single public IP address.

   To do this, the FreeBSD machine connected to the Internet must act as a
   gateway. This system must have two NICs, where one is connected to the
   Internet and the other is connected to the internal LAN. Each machine
   connected to the LAN should be assigned an IP address in the private
   network space, as defined by RFC 1918.

   Some additional configuration is needed in order to enable the in-kernel
   NAT function of IPFW. To enable in-kernel NAT support at boot time, the
   following must be set in /etc/rc.conf:

 gateway_enable="YES"
 firewall_enable="YES"
 firewall_nat_enable="YES"

  ******:

   When firewall_enable is not set, but firewall_nat_enable is, it will have
   no effect and do nothing, because the in-kernel NAT implementation is only
   compatible with IPFW.

   When the ruleset contains stateful rules, the positioning of the NAT rule
   is critical and the skipto action is used. The skipto action requires a
   rule number so that it knows which rule to jump to. Furthermore, because
   of the architecture of libalias(3), a library implemented as a kernel
   module used for the in-kernel NAT facility of IPFW, it is necessary to
   disable TCP segmentation offloading, or in short TSO. TSO can be disabled
   on a per network interface basis by using ifconfig(8) or on a system wide
   basis using sysctl(8). To disable TSO system wide, the following must be
   set in /etc/sysctl.conf:

 net.inet.tcp.tso="0"

   The example below builds upon the firewall ruleset shown in the previous
   section. It adds some additional entries and modifies some existing rules
   in order to configure the firewall for in-kernel NAT. It starts by adding
   some additional variables which represent the rule number to skip to, the
   keep-state option, and a list of TCP ports which will be used to reduce
   the number of rules.

 #!/bin/sh
 ipfw -q -f flush
 cmd="ipfw -q add"
 skip="skipto 1000"
 pif=dc0
 ks="keep-state"
 good_tcpo="22,25,37,53,80,443,110"

   A NAT instance will also be configured. With in-kernel NAT it is possible
   to have multiple NAT instances each with their own configuration.
   Although, for this example only one NAT instance is needed; NAT instance
   number 1. The configuration takes a few arguments and flags such as: if
   which indicates the public interface, same_ports which takes care that
   alliased ports and local port numbers are mapped the same, unreg_only will
   result in only unregistered (private) address spaces to be processed by
   the NAT instance, and reset which will help to keep a functioning NAT
   instance even when the public IP address of the IPFW machine changes. For
   all possible options that can be passed to a single NAT instance
   configuration consult ipfw(8). Furthermore, because of the nature of a
   stateful NATing firewall, it is neseccary to allow translated packets to
   be reinjected in the firewall for further processing, this can be achieved
   by disabling one_pass behavior at the start of the firewall script.

 ipfw disable one_pass
 ipfw -q nat 1 config if $pif same_ports unreg_only reset

   The inbound NAT rule is inserted after the two rules which allow all
   traffic on the trusted and loopback interfaces and after the reassamble
   rule but before the check-state rule. It is important that the rule number
   selected for this NAT rule, in this example 100, is higher than the first
   three rules and lower than the check-state rule. Furthermore, because of
   the behavior of in-kernel NAT it is advised to place a reassamble rule
   just before the first NAT rule and after the rules that allow traffic on
   trusted interface. Normally, IP fragmentation should not happen, but when
   dealing with IPSEC/ESP/GRE tunneling traffic it might and the reassmabling
   of fragments is necessary before handing the complete packet over to the
   in-kernel NAT engine.

  ******:

   The reassemble rule was not needed with userland natd(8) because the
   internal workings of the IPFW divert action already takes care of this
   automatically as also stated in ipfw(8).

   The current NAT instance number and NAT rule number does not match with
   the default NAT instance number and rule number created by rc.firewall
   which is a script to set up the baked-in default firewall rulesets present
   in FreeBSD.

 $cmd 005 allow all from any to any via xl0  # exclude LAN traffic
 $cmd 010 allow all from any to any via lo0  # exclude loopback traffic
 $cmd 099 reass all from any to any in       # reassamble inbound packets
 $cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets
 # Allow the packet through if it has an existing entry in the dynamic rules table
 $cmd 101 check-state

   The outbound rules are modified to replace the allow action with the $skip
   variable, indicating that rule processing will continue at rule 1000. The
   seven tcp rules have been replaced by rule 125 as the $good_tcpo variable
   contains the seven allowed outbound ports.

  ******:

   Remember that IPFW's firewall performance is largely determined by the
   number of rules present in the ruleset.

 # Authorized outbound packets
 $cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks
 $cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks
 $cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
 $cmd 130 $skip icmp from any to any out via $pif $ks

   The inbound rules remain the same, except for the very last rule which
   removes the via $pif in order to catch both inbound and outbound rules.
   The NAT rule must follow this last outbound rule, must have a higher
   number than that last rule, and the rule number must be referenced by the
   skipto action. In this ruleset, rule number 1000 handles passing all
   packets to our configured instance for NAT processing. The next rule
   allows any packet which has undergone NAT processing to pass.

 $cmd 999 deny log all from any to any
 $cmd 1000 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules
 $cmd 1001 allow ip from any to any

   In this example, rules 100, 101, 125, 1000, and 1001 control the address
   translation of the outbound and inbound packets so that the entries in the
   dynamic state table always register the private LAN IP address.

   Consider an internal web browser which initializes a new outbound HTTP
   session over port 80. When the first outbound packet enters the firewall,
   it does not match rule 100 because it is headed out rather than in. It
   passes rule 101 because this is the first packet and it has not been
   posted to the dynamic state table yet. The packet finally matches rule 125
   as it is outbound on an allowed port and has a source IP address from the
   internal LAN. On matching this rule, two actions take place. First, the
   keep-state action adds an entry to the dynamic state table and the
   specified action, skipto rule 1000, is executed. Next, the packet
   undergoes NAT and is sent out to the Internet. This packet makes its way
   to the destination web server, where a response packet is generated and
   sent back. This new packet enters the top of the ruleset. It matches rule
   100 and has its destination IP address mapped back to the original
   internal address. It then is processed by the check-state rule, is found
   in the table as an existing session, and is released to the LAN.

   On the inbound side, the ruleset has to deny bad packets and allow only
   authorized services. A packet which matches an inbound rule is posted to
   the dynamic state table and the packet is released to the LAN. The packet
   generated as a response is recognized by the check-state rule as belonging
   to an existing session. It is then sent to rule 1000 to undergo NAT before
   being released to the outbound interface.

  ******:

   Transition from userland natd(8) to in-kernel NAT might seem seamless at
   first but there is small catch. When using the GENERIC kernel, IPFW will
   load the libalias.ko kernel module, when firewall_nat_enable is enabled in
   rc.conf. Although, the loaded module only provides basic NAT
   functionality, whereas the userland implementation natd(8) has all
   functionality available without any extra configuration from its userland
   library. All functionality refers to the following kernel modules that can
   additionally be loaded when needed besides the standard libalias.ko kernel
   module: alias_cuseeme.ko, alias_ftp.ko, alias_bbt.ko, skinny.ko, irc.ko,
   alias_pptp.ko and alias_smedia.ko using the kld_list directive in rc.conf
   to mimic the full functionality of the userland implementation. If a
   custom kernel is used, the full functionality of the userland library can
   be compiled in, in the kernel, using the option LIBALIAS.

    30.4.4.1. Port ************

   The drawback with NAT in general is that the LAN clients are not
   accessible from the Internet. Clients on the LAN can make outgoing
   connections to the world but cannot receive incoming ones. This presents a
   problem if trying to run Internet services on one of the LAN client
   machines. A simple way around this is to redirect selected Internet ports
   on the NAT providing machine to a LAN client.

   For example, an IRC server runs on client A and a web server runs on
   client B. For this to work properly, connections received on ports 6667
   (IRC) and 80 (HTTP) must be redirected to the respective machines.

   With in-kernel NAT all configuration is done in the NAT instance
   configuration. For a full list of options that an in-kernel NAT instance
   can use, consult ipfw(8). The IPFW syntax follows the syntax of natd. The
   syntax for redirect_port is as follows:

 redirect_port proto targetIP:targetPORT[-targetPORT]
   [aliasIP:]aliasPORT[-aliasPORT]
   [remoteIP[:remotePORT[-remotePORT]]]

   To configure the above example setup, the arguments should be:

 redirect_port tcp 192.168.0.2:6667 6667
 redirect_port tcp 192.168.0.3:80 80

   After adding these arguments to the configuration of NAT instance 1 in the
   above ruleset, the TCP ports will be port forwarded to the LAN client
   machines running the IRC and HTTP services.

 ipfw -q nat 1 config if $pif same_ports unreg_only reset \
   redirect_port tcp 192.168.0.2:6667 6667 \
   redirect_port tcp 192.1683.0.3:80 80

   Port ranges over individual ports can be indicated with redirect_port. For
   example, tcp 192.168.0.2:2000-3000 2000-3000 would redirect all
   connections received on ports 2000 to 3000 to ports 2000 to 3000 on client
   A.

    30.4.4.2. ******************

   Address redirection is useful if more than one IP address is available.
   Each LAN client can be assigned its own external IP address by ipfw(8),
   which will then rewrite outgoing packets from the LAN clients with the
   proper external IP address and redirects all traffic incoming on that
   particular IP address back to the specific LAN client. This is also known
   as static NAT. For example, if IP addresses 128.1.1.1, 128.1.1.2, and
   128.1.1.3 are available, 128.1.1.1 can be used as the ipfw(8) machine's
   external IP address, while 128.1.1.2 and 128.1.1.3 are forwarded back to
   LAN clients A and B.

   The redirect_address syntax is as below, where localIP is the internal IP
   address of the LAN client, and publicIP the external IP address
   corresponding to the LAN client.

 redirect_address localIP publicIP

   In the example, the arguments would read:

 redirect_address 192.168.0.2 128.1.1.2
 redirect_address 192.168.0.3 128.1.1.3

   Like redirect_port, these arguments are placed in a NAT instance
   configuration. With address redirection, there is no need for port
   redirection, as all data received on a particular IP address is
   redirected.

   The external IP addresses on the ipfw(8) machine must be active and
   aliased to the external interface. Refer to rc.conf(5) for details.

    30.4.4.3. Userspace NAT

   Let us start with a statement: the userspace NAT implementation: natd(8),
   has more overhead than in-kernel NAT. For natd(8) to translate packets,
   the packets have to be copied from the kernel to userspace and back which
   brings in extra overhead that is not present with in-kernel NAT.

   ********************* Userspace *** NAT daemon natd(8) ****** /etc/rc.conf
   ******************************** natd_interface
   ********************************* NIC ********rc(8) script of natd(8)
   ************************************ IP
   ***********************************._

 gateway_enable="YES"
 natd_enable="YES"
 natd_interface="rl0"

   In general, the above ruleset as explained for in-kernel NAT can also be
   used together with natd(8). The only exceptions are the configuration of
   the in-kernel NAT instance (ipfw -q nat 1 config ...) not being applicable
   any more, rule number 100 and 1000 will have to change sligthly as below,
   and reassemble rule 99 is not needed anymore as the divert action is used
   which covers fragmentation.

 $cmd 100 divert natd ip from any to any in via $pif
 $cmd 1000 divert natd ip from any to any out via $pif

   To configure port or address redirection, a similar syntax as with
   in-kernel NAT is used. Although, now, instead of specifying the
   configuration in our ruleset script like with in-kernel NAT, configuration
   of natd(8) is best done in a configuration file. To do this, an extra flag
   must be passed via /etc/rc.conf which specifies the path of the
   configuration file.

 natd_flags="-f /etc/natd.conf"

  ******:

   The specified file must contain a list of configuration options, one per
   line. For more information about the configuration file and possible
   variables, consult natd(8). Below are two example entries, one per line:

 redirect_port tcp 192.168.0.2:6667 6667
 redirect_address 192.168.0.3 128.1.1.3

  30.4.5. IPFW ******

   ipfw can be used to make manual, single rule additions or deletions to the
   active firewall while it is running. The problem with using this method is
   that all the changes are lost when the system reboots. It is recommended
   to instead write all the rules in a file and to use that file to load the
   rules at boot time and to replace the currently running firewall rules
   whenever that file changes.

   ipfw is a useful way to display the running firewall rules to the console
   screen. The IPFW accounting facility dynamically creates a counter for
   each rule that counts each packet that matches the rule. During the
   process of testing a rule, listing the rule with its counter is one way to
   determine if the rule is functioning as expected.

   To list all the running rules in sequence:

 # ipfw list

   To list all the running rules with a time stamp of when the last time the
   rule was matched:

 # ipfw -t list

   The next example lists accounting information and the packet count for
   matched rules along with the rules themselves. The first column is the
   rule number, followed by the number of matched packets and bytes, followed
   by the rule itself.

 # ipfw -a list

   To list dynamic rules in addition to static rules:

 # ipfw -d list

   To also show the expired dynamic rules:

 # ipfw -d -e list

   To zero the counters:

 # ipfw zero

   To zero the counters for just the rule with number NUM:

 # ipfw zero NUM

    30.4.5.1. *********************

   Even with the logging facility enabled, IPFW will not generate any rule
   logging on its own. The firewall administrator decides which rules in the
   ruleset will be logged, and adds the log keyword to those rules. Normally
   only deny rules are logged. It is customary to duplicate the "ipfw default
   deny everything" rule with the log keyword included as the last rule in
   the ruleset. This way, it is possible to see all the packets that did not
   match any of the rules in the ruleset.

   Logging is a two edged sword. If one is not careful, an over abundance of
   log data or a DoS attack can fill the disk with log files. Log messages
   are not only written to syslogd, but also are displayed on the root
   console screen and soon become annoying.

   The IPFIREWALL_VERBOSE_LIMIT=5 kernel option limits the number of
   consecutive messages sent to syslogd(8), concerning the packet matching of
   a given rule. When this option is enabled in the kernel, the number of
   consecutive messages concerning a particular rule is capped at the number
   specified. There is nothing to be gained from 200 identical log messages.
   With this option set to five, five consecutive messages concerning a
   particular rule would be logged to syslogd and the remainder identical
   consecutive messages would be counted and posted to syslogd with a phrase
   like the following:

 last message repeated 45 times

   All logged packets messages are written by default to /var/log/security,
   which is defined in /etc/syslog.conf.

    30.4.5.2. ************ Script

   Most experienced IPFW users create a file containing the rules and code
   them in a manner compatible with running them as a script. The major
   benefit of doing this is the firewall rules can be refreshed in mass
   without the need of rebooting the system to activate them. This method is
   convenient in testing new rules as the procedure can be executed as many
   times as needed. Being a script, symbolic substitution can be used for
   frequently used values to be substituted into multiple rules.

   This example script is compatible with the syntax used by the sh(1),
   csh(1), and tcsh(1) shells. Symbolic substitution fields are prefixed with
   a dollar sign ($). Symbolic fields do not have the $ prefix. The value to
   populate the symbolic field must be enclosed in double quotes ("").

   Start the rules file like this:

 ############### start of example ipfw rules script #############
 #
 ipfw -q -f flush       # Delete all rules
 # Set defaults
 oif="tun0"             # out interface
 odns="192.0.2.11"      # ISP's DNS server IP address
 cmd="ipfw -q add "     # build rule prefix
 ks="keep-state"        # just too lazy to key this each time
 $cmd 00500 check-state
 $cmd 00502 deny all from any to any frag
 $cmd 00501 deny tcp from any to any established
 $cmd 00600 allow tcp from any to any 80 out via $oif setup $ks
 $cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks
 $cmd 00611 allow udp from any to $odns 53 out via $oif $ks
 ################### End of example ipfw rules script ############

   The rules are not important as the focus of this example is how the
   symbolic substitution fields are populated.

   If the above example was in /etc/ipfw.rules, the rules could be reloaded
   by the following command:

 # sh /etc/ipfw.rules

   /etc/ipfw.rules can be located anywhere and the file can have any name.

   The same thing could be accomplished by running these commands by hand:

 # ipfw -q -f flush
 # ipfw -q add check-state
 # ipfw -q add deny all from any to any frag
 # ipfw -q add deny tcp from any to any established
 # ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state
 # ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state
 # ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state

  30.4.6. IPFW ************

   In order to statically compile IPFW support into a custom kernel, refer to
   the instructions in *** 8, ****** FreeBSD ******. The following options
   are available for the custom kernel configuration file:

 options    IPFIREWALL                   # enables IPFW
 options    IPFIREWALL_VERBOSE           # enables logging for rules with log keyword to syslogd(8)
 options    IPFIREWALL_VERBOSE_LIMIT=5   # limits number of logged packets per-entry
 options    IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
 options    IPFIREWALL_NAT               # enables in-kernel NAT support
 options    IPFIREWALL_NAT64             # enables in-kernel NAT64 support
 options    IPFIREWALL_NPTV6             # enables in-kernel IPv6 NPT support
 options    IPFIREWALL_PMOD              # enables protocols modification module support
 options    IPDIVERT                     # enables NAT through natd(8)

  ******:

   IPFW can be loaded as a kernel module: options above are built by default
   as modules or can be set at runtime using tunables.

30.5. IPFILTER (IPF)

   IPFILTER ******
   IPF********************,_*******************************************************************
   FreeBSD, NetBSD, OpenBSD *** Solaris(TM)._

   IPFILTER ************ (Kernel-side) *************** NAT ************
   Userland ***************************************************** ipf
   *****************NAT ****************** ipnat **************************
   ipfstat ********* IPFILTER
   ************************************************** ipmon *********
   IPFILTER ************************._

   IPF ************ "*********************************"
   ****************************************************** (Stateless)
   ***************** IPF ************************ (quick) ***************
   (keep state) *********._

   IPF FAQ ****** http://www.phildev.net/ipf/index.html**************
   IPFilter ****************************** http://marc.info/?l=ipfilter
   ******._

   ****** FreeBSD ********* IPF
   ***********************************************************************************
   (quick) *************** (keep state) *********************._

  30.5.1. ****** IPF

   IPF is included in the basic FreeBSD install as a kernel loadable module,
   meaning that a custom kernel is not needed in order to enable IPF.

   For users who prefer to statically compile IPF support into a custom
   kernel, refer to the instructions in *** 8, ****** FreeBSD ******. The
   following kernel options are available:

 options IPFILTER
 options IPFILTER_LOG
 options IPFILTER_LOOKUP
 options IPFILTER_DEFAULT_BLOCK

   where options IPFILTER enables support for IPFILTER, options IPFILTER_LOG
   enables IPF logging using the ipl packet logging pseudo-device for every
   rule that has the log keyword, IPFILTER_LOOKUP enables IP pools in order
   to speed up IP lookups, and options IPFILTER_DEFAULT_BLOCK changes the
   default behavior so that any packet not matching a firewall pass rule gets
   blocked.

   To configure the system to enable IPF at boot time, add the following
   entries to /etc/rc.conf. These entries will also enable logging and
   default pass all. To change the default policy to block all without
   compiling a custom kernel, remember to add a block all rule at the end of
   the ruleset.

 ipfilter_enable="YES"             # Start ipf firewall
 ipfilter_rules="/etc/ipf.rules"   # loads rules definition text file
 ipmon_enable="YES"                # Start IP monitor log
 ipmon_flags="-Ds"                 # D = start as daemon
                                   # s = log to syslog
                                   # v = log tcp window, ack, seq
                                   # n = map IP & port to names

   If NAT functionality is needed, also add these lines:

 gateway_enable="YES"              # Enable as LAN gateway
 ipnat_enable="YES"                # Start ipnat function
 ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat

   Then, to start IPF now:

 # service ipfilter start

   To load the firewall rules, specify the name of the ruleset file using
   ipf. The following command can be used to replace the currently running
   firewall rules:

 # ipf -Fa -f /etc/ipf.rules

   where -Fa flushes all the internal rules tables and -f specifies the file
   containing the rules to load.

   This provides the ability to make changes to a custom ruleset and update
   the running firewall with a fresh copy of the rules without having to
   reboot the system. This method is convenient for testing new rules as the
   procedure can be executed as many times as needed.

   Refer to ipf(8) for details on the other flags available with this
   command.

  30.5.2. IPF ************

   This section describes the IPF rule syntax used to create stateful rules.
   When creating rules, keep in mind that unless the quick keyword appears in
   a rule, every rule is read in order, with the last matching rule being the
   one that is applied. This means that even if the first rule to match a
   packet is a pass, if there is a later matching rule that is a block, the
   packet will be dropped. Sample rulesets can be found in
   /usr/share/examples/ipfilter.

   When creating rules, a # character is used to mark the start of a comment
   and may appear at the end of a rule, to explain that rule's function, or
   on its own line. Any blank lines are ignored.

   The keywords which are used in rules must be written in a specific order,
   from left to right. Some keywords are mandatory while others are optional.
   Some keywords have sub-options which may be keywords themselves and also
   include more sub-options. The keyword order is as follows, where the words
   shown in uppercase represent a variable and the words shown in lowercase
   must precede the variable that follows it:

   ACTION DIRECTION OPTIONS proto PROTO_TYPE from SRC_ADDR SRC_PORT to
   DST_ADDR DST_PORT TCP_FLAG|ICMP_TYPE keep state STATE

   This section describes each of these keywords and their options. It is not
   an exhaustive list of every possible option. Refer to ipf(5) for a
   complete description of the rule syntax that can be used when creating IPF
   rules and examples for using each keyword.

   ACTION

           The action keyword indicates what to do with the packet if it
           matches that rule. Every rule must have an action. The following
           actions are recognized:

           block: drops the packet.

           pass: allows the packet.

           log: generates a log record.

           count: counts the number of packets and bytes which can provide an
           indication of how often a rule is used.

           auth: queues the packet for further processing by another program.

           call: provides access to functions built into IPF that allow more
           complex actions.

           decapsulate: removes any headers in order to process the contents
           of the packet.

   DIRECTION

           Next, each rule must explicitly state the direction of traffic
           using one of these keywords:

           in: the rule is applied against an inbound packet.

           out: the rule is applied against an outbound packet.

           all: the rule applies to either direction.

           If the system has multiple interfaces, the interface can be
           specified along with the direction. An example would be in on
           fxp0.

   OPTIONS

           Options are optional. However, if multiple options are specified,
           they must be used in the order shown here.

           log: when performing the specified ACTION, the contents of the
           packet's headers will be written to the ipl(4) packet log
           pseudo-device.

           quick: if a packet matches this rule, the ACTION specified by the
           rule occurs and no further processing of any following rules will
           occur for this packet.

           on: must be followed by the interface name as displayed by
           ifconfig(8). The rule will only match if the packet is going
           through the specified interface in the specified direction.

           When using the log keyword, the following qualifiers may be used
           in this order:

           body: indicates that the first 128 bytes of the packet contents
           will be logged after the headers.

           first: if the log keyword is being used in conjunction with a keep
           state option, this option is recommended so that only the
           triggering packet is logged and not every packet which matches the
           stateful connection.

           Additional options are available to specify error return messages.
           Refer to ipf(5) for more details.

   PROTO_TYPE

           The protocol type is optional. However, it is mandatory if the
           rule needs to specify a SRC_PORT or a DST_PORT as it defines the
           type of protocol. When specifying the type of protocol, use the
           proto keyword followed by either a protocol number or name from
           /etc/protocols. Example protocol names include tcp, udp, or icmp.
           If PROTO_TYPE is specified but no SRC_PORT or DST_PORT is
           specified, all port numbers for that protocol will match that
           rule.

   SRC_ADDR

           The from keyword is mandatory and is followed by a keyword which
           represents the source of the packet. The source can be a hostname,
           an IP address followed by the CIDR mask, an address pool, or the
           keyword all. Refer to ipf(5) for examples.

           There is no way to match ranges of IP addresses which do not
           express themselves easily using the dotted numeric form /
           mask-length notation. The net-mgmt/ipcalc package or port may be
           used to ease the calculation of the CIDR mask. Additional
           information is available at the utility's web page:
           http://jodies.de/ipcalc.

   SRC_PORT

           The port number of the source is optional. However, if it is used,
           it requires PROTO_TYPE to be first defined in the rule. The port
           number must also be preceded by the proto keyword.

           A number of different comparison operators are supported: = (equal
           to), != (not equal to), < (less than), > (greater than), <= (less
           than or equal to), and >= (greater than or equal to).

           To specify port ranges, place the two port numbers between <>
           (less than and greater than ), >< (greater than and less than ),
           or : (greater than or equal to and less than or equal to).

   DST_ADDR

           The to keyword is mandatory and is followed by a keyword which
           represents the destination of the packet. Similar to SRC_ADDR, it
           can be a hostname, an IP address followed by the CIDR mask, an
           address pool, or the keyword all.

   DST_PORT

           Similar to SRC_PORT, the port number of the destination is
           optional. However, if it is used, it requires PROTO_TYPE to be
           first defined in the rule. The port number must also be preceded
           by the proto keyword.

   TCP_FLAG|ICMP_TYPE

           If tcp is specified as the PROTO_TYPE, flags can be specified as
           letters, where each letter represents one of the possible TCP
           flags used to determine the state of a connection. Possible values
           are: S (SYN), A (ACK), P (PSH), F (FIN), U (URG), R (RST), C
           (CWN), and E (ECN).

           If icmp is specified as the PROTO_TYPE, the ICMP type to match can
           be specified. Refer to ipf(5) for the allowable types.

   STATE

           If a pass rule contains keep state, IPF will add an entry to its
           dynamic state table and allow subsequent packets that match the
           connection. IPF can track state for TCP, UDP, and ICMP sessions.
           Any packet that IPF can be certain is part of an active session,
           even if it is a different protocol, will be allowed.

           In IPF, packets destined to go out through the interface connected
           to the public Internet are first checked against the dynamic state
           table. If the packet matches the next expected packet comprising
           an active session conversation, it exits the firewall and the
           state of the session conversation flow is updated in the dynamic
           state table. Packets that do not belong to an already active
           session are checked against the outbound ruleset. Packets coming
           in from the interface connected to the public Internet are first
           checked against the dynamic state table. If the packet matches the
           next expected packet comprising an active session, it exits the
           firewall and the state of the session conversation flow is updated
           in the dynamic state table. Packets that do not belong to an
           already active session are checked against the inbound ruleset.

           Several keywords can be added after keep state. If used, these
           keywords set various options that control stateful filtering, such
           as setting connection limits or connection age. Refer to ipf(5)
           for the list of available options and their descriptions.

  30.5.3. ***************

   This section demonstrates how to create an example ruleset which only
   allows services matching pass rules and blocks all others.

   FreeBSD uses the loopback interface (lo0) and the IP address 127.0.0.1 for
   internal communication. The firewall ruleset must contain rules to allow
   free movement of these internally used packets:

 # no restrictions on loopback interface
 pass in quick on lo0 all
 pass out quick on lo0 all

   The public interface connected to the Internet is used to authorize and
   control access of all outbound and inbound connections. If one or more
   interfaces are cabled to private networks, those internal interfaces may
   require rules to allow packets originating from the LAN to flow between
   the internal networks or to the interface attached to the Internet. The
   ruleset should be organized into three major sections: any trusted
   internal interfaces, outbound connections through the public interface,
   and inbound connections through the public interface.

   These two rules allow all traffic to pass through a trusted LAN interface
   named xl0:

 # no restrictions on inside LAN interface for private network
 pass out quick on xl0 all
 pass in quick on xl0 all

   The rules for the public interface's outbound and inbound sections should
   have the most frequently matched rules placed before less commonly matched
   rules, with the last rule in the section blocking and logging all packets
   for that interface and direction.

   This set of rules defines the outbound section of the public interface
   named dc0. These rules keep state and identify the specific services that
   internal systems are authorized for public Internet access. All the rules
   use quick and specify the appropriate port numbers and, where applicable,
   destination addresses.

 # interface facing Internet (outbound)
 # Matches session start requests originating from or behind the
 # firewall, destined for the Internet.

 # Allow outbound access to public DNS servers.
 # Replace x.x.x. with address listed in /etc/resolv.conf.
 # Repeat for each DNS server.
 pass out quick on dc0 proto tcp from any to x.x.x. port = 53 flags S keep state
 pass out quick on dc0 proto udp from any to xxx port = 53 keep state

 # Allow access to ISP's specified DHCP server for cable or DSL networks.
 # Use the first rule, then check log for the IP address of DHCP server.
 # Then, uncomment the second rule, replace z.z.z.z with the IP address,
 # and comment out the first rule
 pass out log quick on dc0 proto udp from any to any port = 67 keep state
 #pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state

 # Allow HTTP and HTTPS
 pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
 pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state

 # Allow email
 pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
 pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state

 # Allow NTP
 pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state

 # Allow FTP
 pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state

 # Allow SSH
 pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state

 # Allow ping
 pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state

 # Block and log everything else
 block out log first quick on dc0 all

   This example of the rules in the inbound section of the public interface
   blocks all undesirable packets first. This reduces the number of packets
   that are logged by the last rule.

 # interface facing Internet (inbound)
 # Block all inbound traffic from non-routable or reserved address spaces
 block in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918 private IP
 block in quick on dc0 from 172.16.0.0/12 to any     #RFC 1918 private IP
 block in quick on dc0 from 10.0.0.0/8 to any        #RFC 1918 private IP
 block in quick on dc0 from 127.0.0.0/8 to any       #loopback
 block in quick on dc0 from 0.0.0.0/8 to any         #loopback
 block in quick on dc0 from 169.254.0.0/16 to any    #DHCP auto-config
 block in quick on dc0 from 192.0.2.0/24 to any      #reserved for docs
 block in quick on dc0 from 204.152.64.0/23 to any   #Sun cluster interconnect
 block in quick on dc0 from 224.0.0.0/3 to any       #Class D & E multicast

 # Block fragments and too short tcp packets
 block in quick on dc0 all with frags
 block in quick on dc0 proto tcp all with short

 # block source routed packets
 block in quick on dc0 all with opt lsrr
 block in quick on dc0 all with opt ssrr

 # Block OS fingerprint attempts and log first occurrence
 block in log first quick on dc0 proto tcp from any to any flags FUP

 # Block anything with special options
 block in quick on dc0 all with ipopts

 # Block public pings and ident
 block in quick on dc0 proto icmp all icmp-type 8
 block in quick on dc0 proto tcp from any to any port = 113

 # Block incoming Netbios services
 block in log first quick on dc0 proto tcp/udp from any to any port = 137
 block in log first quick on dc0 proto tcp/udp from any to any port = 138
 block in log first quick on dc0 proto tcp/udp from any to any port = 139
 block in log first quick on dc0 proto tcp/udp from any to any port = 81

   Any time there are logged messages on a rule with the log first option,
   run ipfstat -hio to evaluate how many times the rule has been matched. A
   large number of matches may indicate that the system is under attack.

   The rest of the rules in the inbound section define which connections are
   allowed to be initiated from the Internet. The last rule denies all
   connections which were not explicitly allowed by previous rules in this
   section.

 # Allow traffic in from ISP's DHCP server. Replace z.z.z.z with
 # the same IP address used in the outbound section.
 pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state

 # Allow public connections to specified internal web server
 pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state

 # Block and log only first occurrence of all remaining traffic.
 block in log first quick on dc0 all

  30.5.4. ****** NAT

   To enable NAT, add these statements to /etc/rc.conf and specify the name
   of the file containing the NAT rules:

 gateway_enable="YES"
 ipnat_enable="YES"
 ipnat_rules="/etc/ipnat.rules"

   NAT rules are flexible and can accomplish many different things to fit the
   needs of both commercial and home users. The rule syntax presented here
   has been simplified to demonstrate common usage. For a complete rule
   syntax description, refer to ipnat(5).

   The basic syntax for a NAT rule is as follows, where map starts the rule
   and IF should be replaced with the name of the external interface:

 map IF LAN_IP_RANGE -> PUBLIC_ADDRESS

   The LAN_IP_RANGE is the range of IP addresses used by internal clients.
   Usually, it is a private address range such as 192.168.1.0/24. The
   PUBLIC_ADDRESS can either be the static external IP address or the keyword
   0/32 which represents the IP address assigned to IF.

   In IPF, when a packet arrives at the firewall from the LAN with a public
   destination, it first passes through the outbound rules of the firewall
   ruleset. Then, the packet is passed to the NAT ruleset which is read from
   the top down, where the first matching rule wins. IPF tests each NAT rule
   against the packet's interface name and source IP address. When a packet's
   interface name matches a NAT rule, the packet's source IP address in the
   private LAN is checked to see if it falls within the IP address range
   specified in LAN_IP_RANGE. On a match, the packet has its source IP
   address rewritten with the public IP address specified by PUBLIC_ADDRESS.
   IPF posts an entry in its internal NAT table so that when the packet
   returns from the Internet, it can be mapped back to its original private
   IP address before being passed to the firewall rules for further
   processing.

   For networks that have large numbers of internal systems or multiple
   subnets, the process of funneling every private IP address into a single
   public IP address becomes a resource problem. Two methods are available to
   relieve this issue.

   The first method is to assign a range of ports to use as source ports. By
   adding the portmap keyword, NAT can be directed to only use source ports
   in the specified range:

 map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000

   Alternately, use the auto keyword which tells NAT to determine the ports
   that are available for use:

 map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto

   The second method is to use a pool of public addresses. This is useful
   when there are too many LAN addresses to fit into a single public address
   and a block of public IP addresses is available. These public addresses
   can be used as a pool from which NAT selects an IP address as a packet's
   address is mapped on its way out.

   The range of public IP addresses can be specified using a netmask or CIDR
   notation. These two rules are equivalent:

 map dc0 192.168.1.0/24 -> 204.134.75.0/255.255.255.0
 map dc0 192.168.1.0/24 -> 204.134.75.0/24

   A common practice is to have a publically accessible web server or mail
   server segregated to an internal network segment. The traffic from these
   servers still has to undergo NAT, but port redirection is needed to direct
   inbound traffic to the correct server. For example, to map a web server
   using the internal address 10.0.10.25 to its public IP address of
   20.20.20.5, use this rule:

 rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80

   If it is the only web server, this rule would also work as it redirects
   all external HTTP requests to 10.0.10.25:

 rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80

   IPF has a built in FTP proxy which can be used with NAT. It monitors all
   outbound traffic for active or passive FTP connection requests and
   dynamically creates temporary filter rules containing the port number used
   by the FTP data channel. This eliminates the need to open large ranges of
   high order ports for FTP connections.

   In this example, the first rule calls the proxy for outbound FTP traffic
   from the internal LAN. The second rule passes the FTP traffic from the
   firewall to the Internet, and the third rule handles all non-FTP traffic
   from the internal LAN:

 map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp
 map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
 map dc0 10.0.10.0/29 -> 0/32

   The FTP map rules go before the NAT rule so that when a packet matches an
   FTP rule, the FTP proxy creates temporary filter rules to let the FTP
   session packets pass and undergo NAT. All LAN packets that are not FTP
   will not match the FTP rules but will undergo NAT if they match the third
   rule.

   Without the FTP proxy, the following firewall rules would instead be
   needed. Note that without the proxy, all ports above 1024 need to be
   allowed:

 # Allow out LAN PC client FTP to public Internet
 # Active and passive modes
 pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state

 # Allow out passive mode data channel high order port numbers
 pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state

 # Active mode let data channel in from FTP server
 pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state

   Whenever the file containing the NAT rules is edited, run ipnat with -CF
   to delete the current NAT rules and flush the contents of the dynamic
   translation table. Include -f and specify the name of the NAT ruleset to
   load:

 # ipnat -CF -f /etc/ipnat.rules

   To display the NAT statistics:

 # ipnat -s

   To list the NAT table's current mappings:

 # ipnat -l

   To turn verbose mode on and display information relating to rule
   processing and active rules and table entries:

 # ipnat -v

  30.5.5. ****** IPF ************

   IPF includes ipfstat(8) which can be used to retrieve and display
   statistics which are gathered as packets match rules as they go through
   the firewall. Statistics are accumulated since the firewall was last
   started or since the last time they were reset to zero using ipf -Z.

   The default ipfstat output looks like this:

 input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0
  output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0
  input packets logged: blocked 99286 passed 0
  output packets logged: blocked 0 passed 0
  packets logged: input 0 output 0
  log failures: input 3898 output 0
  fragment state(in): kept 0 lost 0
  fragment state(out): kept 0 lost 0
  packet state(in): kept 169364 lost 0
  packet state(out): kept 431395 lost 0
  ICMP replies: 0 TCP RSTs sent: 0
  Result cache hits(in): 1215208 (out): 1098963
  IN Pullups succeeded: 2 failed: 0
  OUT Pullups succeeded: 0 failed: 0
  Fastroute successes: 0 failures: 0
  TCP cksum fails(in): 0 (out): 0
  Packet log flags set: (0)

   Several options are available. When supplied with either -i for inbound or
   -o for outbound, the command will retrieve and display the appropriate
   list of filter rules currently installed and in use by the kernel. To also
   see the rule numbers, include -n. For example, ipfstat -on displays the
   outbound rules table with rule numbers:

 @1 pass out on xl0 from any to any
 @2 block out on dc0 from any to any
 @3 pass out quick on dc0 proto tcp/udp from any to any keep state

   Include -h to prefix each rule with a count of how many times the rule was
   matched. For example, ipfstat -oh displays the outbound internal rules
   table, prefixing each rule with its usage count:

 2451423 pass out on xl0 from any to any
 354727 block out on dc0 from any to any
 430918 pass out quick on dc0 proto tcp/udp from any to any keep state

   To display the state table in a format similar to top(1), use ipfstat -t.
   When the firewall is under attack, this option provides the ability to
   identify and see the attacking packets. The optional sub-flags give the
   ability to select the destination or source IP, port, or protocol to be
   monitored in real time. Refer to ipfstat(8) for details.

  30.5.6. IPF ******

   IPF provides ipmon, which can be used to write the firewall's logging
   information in a human readable format. It requires that options
   IPFILTER_LOG be first added to a custom kernel using the instructions in
   *** 8, ****** FreeBSD ******.

   This command is typically run in daemon mode in order to provide a
   continuous system log file so that logging of past events may be reviewed.
   Since FreeBSD has a built in syslogd(8) facility to automatically rotate
   system logs, the default rc.conf ipmon_flags statement uses -Ds:

 ipmon_flags="-Ds" # D = start as daemon
                   # s = log to syslog
                   # v = log tcp window, ack, seq
                   # n = map IP & port to names

   Logging provides the ability to review, after the fact, information such
   as which packets were dropped, what addresses they came from, and where
   they were going. This information is useful in tracking down attackers.

   Once the logging facility is enabled in rc.conf and started with service
   ipmon start, IPF will only log the rules which contain the log keyword.
   The firewall administrator decides which rules in the ruleset should be
   logged and normally only deny rules are logged. It is customary to include
   the log keyword in the last rule in the ruleset. This makes it possible to
   see all the packets that did not match any of the rules in the ruleset.

   By default, ipmon -Ds mode uses local0 as the logging facility. The
   following logging levels can be used to further segregate the logged data:

 LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
 LOG_NOTICE - packets logged which are also passed
 LOG_WARNING - packets logged which are also blocked
 LOG_ERR - packets which have been logged and which can be considered short due to an incomplete header

   In order to setup IPF to log all data to /var/log/ipfilter.log, first
   create the empty file:

 # touch /var/log/ipfilter.log

   Then, to write all logged messages to the specified file, add the
   following statement to /etc/syslog.conf:

 local0.* /var/log/ipfilter.log

   To activate the changes and instruct syslogd(8) to read the modified
   /etc/syslog.conf, run service syslogd reload.

   Do not forget to edit /etc/newsyslog.conf to rotate the new log file.

   Messages generated by ipmon consist of data fields separated by white
   space. Fields common to all messages are:

    1. The date of packet receipt.

    2. The time of packet receipt. This is in the form HH:MM:SS.F, for hours,
       minutes, seconds, and fractions of a second.

    3. The name of the interface that processed the packet.

    4. The group and rule number of the rule in the format @0:17.

    5. The action: p for passed, b for blocked, S for a short packet, n did
       not match any rules, and L for a log rule.

    6. The addresses written as three fields: the source address and port
       separated by a comma, the -> symbol, and the destination address and
       port. For example: 209.53.17.22,80 -> 198.73.220.17,1722.

    7. PR followed by the protocol name or number: for example, PR tcp.

    8. len followed by the header length and total length of the packet: for
       example, len 20 40.

   If the packet is a TCP packet, there will be an additional field starting
   with a hyphen followed by letters corresponding to any flags that were
   set. Refer to ipf(5) for a list of letters and their flags.

   If the packet is an ICMP packet, there will be two fields at the end: the
   first always being "icmp" and the next being the ICMP message and
   sub-message type, separated by a slash. For example: icmp 3/3 for a port
   unreachable message.

30.6. Blacklistd

   Blacklistd is a daemon listening to sockets to receive notifications from
   other daemons about connection attempts that failed or were successful. It
   is most widely used in blocking too many connection attempts on open
   ports. A prime example is SSH running on the internet getting a lot of
   requests from bots or scripts trying to guess passwords and gain access.
   Using blacklistd, the daemon can notify the firewall to create a filter
   rule to block excessive connection attempts from a single source after a
   number of tries. Blacklistd was first developed on NetBSD and appeared
   there in version 7. FreeBSD 11 imported blacklistd from NetBSD.

   This chapter describes how to set up blacklistd, configure it, and
   provides examples on how to use it. Readers should be familiar with basic
   firewall concepts like rules. For details, refer to the firewall chapter.
   PF is used in the examples, but other firewalls available on FreeBSD
   should be able to work with blacklistd, too.

  30.6.1. ****** Blacklistd

   The main configuration for blacklistd is stored in blacklistd.conf(5).
   Various command line options are also available to change blacklistd's
   run-time behavior. Persistent configuration across reboots should be
   stored in /etc/blacklistd.conf. To enable the daemon during system boot,
   add a blacklistd_enable line to /etc/rc.conf like this:

 # sysrc blacklistd_enable=yes

   To start the service manually, run this command:

 # service blacklistd start

  30.6.2. ****** Blacklistd *********

   Rules for blacklistd are configured in blacklistd.conf(5) with one entry
   per line. Each rule contains a tuple separated by spaces or tabs. Rules
   either belong to a local or a remote, which applies to the machine where
   blacklistd is running or an outside source, respectively.

    30.6.2.1. ************

   An example blacklistd.conf entry for a local rule looks like this:

 [local]
 ssh             stream  *       *               *       3       24h

   All rules that follow the [local] section are treated as local rules
   (which is the default), applying to the local machine. When a [remote]
   section is encountered, all rules that follow it are handled as remote
   machine rules.

   Seven fields define a rule separated by either tabs or spaces. The first
   four fields identify the traffic that should be blacklisted. The three
   fields that follow define backlistd's behavior. Wildcards are denoted as
   asterisks (*), matching anything in this field. The first field defines
   the location. In local rules, these are the network ports. The syntax for
   the location field is as follows:

 [address|interface][/mask][:port]

   Adressses can be specified as IPv4 in numeric format or IPv6 in square
   brackets. An interface name like em0 can also be used.

   The socket type is defined by the second field. TCP sockets are of type
   stream, whereas UDP is denoted as dgram. The example above uses TCP, since
   SSH is using that protocol.

   A protocol can be used in the third field of a blacklistd rule. The
   following protocols can be used: tcp, udp, tcp6, udp6, or numeric. A
   wildcard, like in the example, is typically used to match all protocols
   unless there is a reason to distinguish traffic by a certain protocol.

   In the fourth field, the effective user or owner of the daemon process
   that is reporting the event is defined. The username or UID can be used
   here, as well as a wildcard (see example rule above).

   The packet filter rule name is declared by the fifth field, which starts
   the behavior part of the rule. By default, blacklistd puts all blocks
   under a pf anchor called blacklistd in pf.conf like this:

 anchor "blacklistd/*" in on $ext_if
 block in
 pass out

   For separate blacklists, an anchor name can be used in this field. In
   other cases, the wildcard will suffice. When a name starts with a hyphen
   (-) it means that an anchor with the default rule name prepended should be
   used. A modified example from the above using the hyphen would look like
   this:

 ssh             stream  *       *               -ssh       3       24h

   With such a rule, any new blacklist rules are added to an anchor called
   blacklistd-ssh.

   To block whole subnets for a single rule violation, a / in the rule name
   can be used. This causes the remaining portion of the name to be
   interpreted as the mask to be applied to the address specified in the
   rule. For example, this rule would block every address adjoining /24.

 22              stream  tcp       *               */24    3       24h

  ******:

   It is important to specify the proper protocol here. IPv4 and IPv6 treat
   /24 differently, that is the reason why * cannot be used in the third
   field for this rule.

   This rule defines that if any one host in that network is misbehaving,
   everything else on that network will be blocked, too.

   The sixth field, called nfail, sets the number of login failures required
   to blacklist the remote IP in question. When a wildcard is used at this
   position, it means that blocks will never happen. In the example rule
   above, a limit of three is defined meaning that after three attempts to
   log into SSH on one connection, the IP is blocked.

   The last field in a blacklistd rule definition specifies how long a host
   is blacklisted. The default unit is seconds, but suffixes like m, h, and d
   can also be specified for minutes, hours, and days, respectively.

   The example rule in its entirety means that after three times
   authenticating to SSH will result in a new PF block rule for that host.
   Rule matches are performed by first checking local rules one after
   another, from most specific to least specific. When a match occurs, the
   remote rules are applied and the name, nfail, and disable fields are
   changed by the remote rule that matched.

    30.6.2.2. ************

   Remote rules are used to specify how blacklistd changes its behavior
   depending on the remote host currently being evaluated. Each field in a
   remote rule is the same as in a local rule. The only difference is in the
   way blacklistd is using them. To explain it, this example rule is used:

 [remote]
 203.0.113.128/25 *      *       *               =/25    =       48h

   The address field can be an IP address (either v4 or v6), a port or both.
   This allows setting special rules for a specific remote address range like
   in this example. The fields for type, protocol and owner are identically
   interpreted as in the local rule.

   The name fields is different though: the equal sign (=) in a remote rule
   tells blacklistd to use the value from the matching local rule. It means
   that the firewall rule entry is taken and the /25 prefix (a netmask of
   255.255.255.128) is added. When a connection from that address range is
   blacklisted, the entire subnet is affected. A PF anchor name can also be
   used here, in which case blacklistd will add rules for this address block
   to the anchor of that name. The default table is used when a wildcard is
   specified.

   A custom number of failures in the nfail column can be defined for an
   address. This is useful for exceptions to a specific rule, to maybe allow
   someone a less strict application of rules or a bit more leniency in login
   tries. Blocking is disabled when an asterisk is used in this sixth field.

   Remote rules allow a stricter enforcement of limits on attempts to log in
   compared to attempts coming from a local network like an office.

  30.6.3. Blacklistd ***************

   There are a few software packages in FreeBSD that can utilize blacklistd's
   functionality. The two most prominent ones are ftpd(8) and sshd(8) to
   block excessive connection attempts. To activate blacklistd in the SSH
   daemon, add the following line to /etc/ssh/sshd_config:

 UseBlacklist yes

   ****************** sshd ******************._

   Blacklisting for ftpd(8) is enabled using -B, either in /etc/inetd.conf or
   as a flag in /etc/rc.conf like this:

 ftpd_flags="-B"

   That is all that is needed to make these programs talk to blacklistd.

  30.6.4. Blacklistd ******

   Blacklistd provides the user with a management utility called
   blacklistctl(8). It displays blocked addresses and networks that are
   blacklisted by the rules defined in blacklistd.conf(5). To see the list of
   currently blocked hosts, use dump combined with -b like this.

 # blacklistctl dump -b
       address/ma:port id      nfail   last access
 213.0.123.128/25:22   OK      6/3     2019/06/08 14:30:19

   This example shows that there were 6 out of three permitted attempts on
   port 22 coming from the address range 213.0.123.128/25. There are more
   attempts listed than are allowed because SSH allows a client to try
   multiple logins on a single TCP connection. A connection that is currently
   going on is not stopped by blacklistd. The last connection attempt is
   listed in the last access column of the output.

   To see the remaining time that this host will be on the blacklist, add -r
   to the previous command.

 # blacklistctl dump -br
       address/ma:port id      nfail   remaining time
 213.0.123.128/25:22   OK      6/3     36s

   In this example, there are 36s seconds left until this host will not be
   blocked any more.

  30.6.5. ***************************

   Sometimes it is necessary to remove a host from the block list before the
   remaining time expires. Unfortunately, there is no functionality in
   blacklistd to do that. However, it is possible to remove the address from
   the PF table using pfctl. For each blocked port, there is a child anchor
   inside the blacklistd anchor defined in /etc/pf.conf. For example, if
   there is a child anchor for blocking port 22 it is called blacklistd/22.
   There is a table inside that child anchor that contains the blocked
   addresses. This table is called port followed by the port number. In this
   example, it would be called port22. With that information at hand, it is
   now possible to use pfctl(8) to display all addresses listed like this:

 # pfctl -a blacklistd/22 -t port22 -T show
 ...
 213.0.123.128/25
 ...

   After identifying the address to be unblocked from the list, the following
   command removes it from the list:

 # pfctl -a blacklistd/22 -T delete 213.0.123.128/25

   The address is now removed from PF, but will still show up in the
   blacklistctl list, since it does not know about any changes made in PF.
   The entry in blacklistd's database will eventually expire and be removed
   from its output eventually. The entry will be added again if the host is
   matching one of the block rules in blacklistd again.

*** 31. ******************

   ************

   31.1. ******

   31.2. ******************

   31.3. ************

   31.4. USB ************

   31.5. ******

   31.6. ******

   31.7. Link Aggregation ***************

   31.8. PXE ***************

   31.9. IPv6

   31.10. ************************ (CARP)

   31.11. VLANs

31.1. ******

   This chapter covers a number of advanced networking topics.

   ****************************

     * The basics of gateways and routes.

     * How to set up USB tethering.

     * How to set up IEEE(R) 802.11 and Bluetooth(R) devices.

     * How to make FreeBSD act as a bridge.

     * How to set up network PXE booting.

     * How to set up IPv6 on a FreeBSD machine.

     * How to enable and utilize the features of the Common Address
       Redundancy Protocol (CARP) in FreeBSD.

     * ********* FreeBSD *************** VLAN._

     * Configure bluetooth headset.

   ****************************************

     * Understand the basics of the /etc/rc scripts.

     * ************************._

     * Know how to configure and install a new FreeBSD kernel (*** 8, ******
       FreeBSD ******).

     * *************************************** (*** 4,
       ***************************** Port)._

31.2. ******************

   Contributed by Coranth Gryphon.

   Routing is the mechanism that allows a system to find the network path to
   another system. A route is a defined pair of addresses which represent the
   "destination" and a "gateway". The route indicates that when trying to get
   to the specified destination, send the packets through the specified
   gateway. There are three types of destinations: individual hosts, subnets,
   and "default". The "default route" is used if no other routes apply. There
   are also three types of gateways: individual hosts, interfaces, also
   called links, and Ethernet hardware (MAC) addresses. Known routes are
   stored in a routing table.

   This section provides an overview of routing basics. It then demonstrates
   how to configure a FreeBSD system as a router and offers some
   troubleshooting tips.

  31.2.1. ******************

   To view the routing table of a FreeBSD system, use netstat(1):

 % netstat -r
 Routing tables

 Internet:
 Destination      Gateway            Flags     Refs     Use     Netif Expire
 default          outside-gw         UGS        37      418       em0
 localhost        localhost          UH          0      181       lo0
 test0            0:e0:b5:36:cf:4f   UHLW        5    63288       re0     77
 10.20.30.255     link#1             UHLW        1     2421
 example.com      link#1             UC          0        0
 host1            0:e0:a8:37:8:1e    UHLW        3     4601       lo0
 host2            0:e0:a8:37:8:1e    UHLW        0        5       lo0 =>
 host2.example.com link#1            UC          0        0
 224              link#1             UC          0        0

   The entries in this example are as follows:

   default

           The first route in this table specifies the default route. When
           the local system needs to make a connection to a remote host, it
           checks the routing table to determine if a known path exists. If
           the remote host matches an entry in the table, the system checks
           to see if it can connect using the interface specified in that
           entry.

           If the destination does not match an entry, or if all known paths
           fail, the system uses the entry for the default route. For hosts
           on a local area network, the Gateway field in the default route is
           set to the system which has a direct connection to the Internet.
           When reading this entry, verify that the Flags column indicates
           that the gateway is usable (UG).

           The default route for a machine which itself is functioning as the
           gateway to the outside world will be the gateway machine at the
           Internet Service Provider (ISP).

   localhost

           The second route is the localhost route. The interface specified
           in the Netif column for localhost is lo0, also known as the
           loopback device. This indicates that all traffic for this
           destination should be internal, rather than sending it out over
           the network.

   MAC address

           The addresses beginning with 0:e0: are MAC addresses. FreeBSD will
           automatically identify any hosts, test0 in the example, on the
           local Ethernet and add a route for that host over the Ethernet
           interface, re0. This type of route has a timeout, seen in the
           Expire column, which is used if the host does not respond in a
           specific amount of time. When this happens, the route to this host
           will be automatically deleted. These hosts are identified using
           the Routing Information Protocol (RIP), which calculates routes to
           local hosts based upon a shortest path determination.

   subnet

           FreeBSD will automatically add subnet routes for the local subnet.
           In this example, 10.20.30.255 is the broadcast address for the
           subnet 10.20.30 and example.com is the domain name associated with
           that subnet. The designation link#1 refers to the first Ethernet
           card in the machine.

           Local network hosts and local subnets have their routes
           automatically configured by a daemon called routed(8). If it is
           not running, only routes which are statically defined by the
           administrator will exist.

   host

           The host1 line refers to the host by its Ethernet address. Since
           it is the sending host, FreeBSD knows to use the loopback
           interface (lo0) rather than the Ethernet interface.

           The two host2 lines represent aliases which were created using
           ifconfig(8). The => symbol after the lo0 interface says that an
           alias has been set in addition to the loopback address. Such
           routes only show up on the host that supports the alias and all
           other hosts on the local network will have a link#1 line for such
           routes.

   224

           The final line (destination subnet 224) deals with multicasting.

   Various attributes of each route can be seen in the Flags column.
   ****** 31.1, "*********************" summarizes some of these flags and
   their meanings:

   ****** 31.1. *********************

   ******                               ******                                
   U      The route is active (up).                                           
   H      The route destination is a single host.                             
   G      Send anything for this destination on to this gateway, which will   
          figure out from there where to send it.                             
   S      This route was statically configured.                               
   C      Clones a new route based upon this route for machines to connect    
          to. This type of route is normally used for local networks.         
   W      The route was auto-configured based upon a local area network       
          (clone) route.                                                      
   L      Route involves references to Ethernet (link) hardware.              

   On a FreeBSD system, the default route can defined in /etc/rc.conf by
   specifying the IP address of the default gateway:

 defaultrouter="10.20.30.1"

   It is also possible to manually add the route using route:

 # route add default 10.20.30.1

   Note that manually added routes will not survive a reboot. For more
   information on manual manipulation of network routing tables, refer to
   route(8).

  31.2.2. *********************************

   Contributed by Al Hoang.

   A FreeBSD system can be configured as the default gateway, or router, for
   a network if it is a dual-homed system. A dual-homed system is a host
   which resides on at least two different networks. Typically, each network
   is connected to a separate network interface, though IP aliasing can be
   used to bind multiple addresses, each on a different subnet, to one
   physical interface.

   In order for the system to forward packets between interfaces, FreeBSD
   must be configured as a router. Internet standards and good engineering
   practice prevent the FreeBSD Project from enabling this feature by
   default, but it can be configured to start at boot by adding this line to
   /etc/rc.conf:

 gateway_enable="YES"          # Set to YES if this host will be a gateway

   To enable routing now, set the sysctl(8) variable net.inet.ip.forwarding
   to 1. To stop routing, reset this variable to 0.

   The routing table of a router needs additional routes so it knows how to
   reach other networks. Routes can be either added manually using static
   routes or routes can be automatically learned using a routing protocol.
   Static routes are appropriate for small networks and this section
   describes how to add a static routing entry for a small network.

  ******:

   For large networks, static routes quickly become unscalable. FreeBSD comes
   with the standard BSD routing daemon routed(8), which provides the routing
   protocols RIP, versions 1 and 2, and IRDP. Support for the BGP and OSPF
   routing protocols can be installed using the net/zebra package or port.

   Consider the following network:

   In this scenario, RouterA is a FreeBSD machine that is acting as a router
   to the rest of the Internet. It has a default route set to 10.0.0.1 which
   allows it to connect with the outside world. RouterB is already configured
   to use 192.168.1.1 as its default gateway.

   Before adding any static routes, the routing table on RouterA looks like
   this:

 % netstat -nr
 Routing tables

 Internet:
 Destination        Gateway            Flags    Refs      Use  Netif  Expire
 default            10.0.0.1           UGS         0    49378    xl0
 127.0.0.1          127.0.0.1          UH          0        6    lo0
 10.0.0.0/24        link#1             UC          0        0    xl0
 192.168.1.0/24     link#2             UC          0        0    xl1

   With the current routing table, RouterA does not have a route to the
   192.168.2.0/24 network. The following command adds the Internal Net 2
   network to RouterA's routing table using 192.168.1.2 as the next hop:

 # route add -net 192.168.2.0/24 192.168.1.2

   Now, RouterA can reach any host on the 192.168.2.0/24 network. However,
   the routing information will not persist if the FreeBSD system reboots. If
   a static route needs to be persistent, add it to /etc/rc.conf:

 # Add Internal Net 2 as a persistent static route
 static_routes="internalnet2"
 route_internalnet2="-net 192.168.2.0/24 192.168.1.2"

   The static_routes configuration variable is a list of strings separated by
   a space, where each string references a route name. The variable
   route_internalnet2 contains the static route for that route name.

   Using more than one string in static_routes creates multiple static
   routes. The following shows an example of adding static routes for the
   192.168.0.0/24 and 192.168.1.0/24 networks:

 static_routes="net1 net2"
 route_net1="-net 192.168.0.0/24 192.168.0.1"
 route_net2="-net 192.168.1.0/24 192.168.1.1"

  31.2.3. ************

   When an address space is assigned to a network, the service provider
   configures their routing tables so that all traffic for the network will
   be sent to the link for the site. But how do external sites know to send
   their packets to the network's ISP?

   There is a system that keeps track of all assigned address spaces and
   defines their point of connection to the Internet backbone, or the main
   trunk lines that carry Internet traffic across the country and around the
   world. Each backbone machine has a copy of a master set of tables, which
   direct traffic for a particular network to a specific backbone carrier,
   and from there down the chain of service providers until it reaches a
   particular network.

   It is the task of the service provider to advertise to the backbone sites
   that they are the point of connection, and thus the path inward, for a
   site. This is known as route propagation.

   Sometimes, there is a problem with route propagation and some sites are
   unable to connect. Perhaps the most useful command for trying to figure
   out where routing is breaking down is traceroute. It is useful when ping
   fails.

   When using traceroute, include the address of the remote host to connect
   to. The output will show the gateway hosts along the path of the attempt,
   eventually either reaching the target host, or terminating because of a
   lack of connection. For more information, refer to traceroute(8).

  31.2.4. ****** (Multicast) ************

   FreeBSD natively supports both multicast applications and multicast
   routing. Multicast applications do not require any special configuration
   in order to run on FreeBSD. Support for multicast routing requires that
   the following option be compiled into a custom kernel:

 options MROUTING

   The multicast routing daemon, mrouted can be installed using the
   net/mrouted package or port. This daemon implements the DVMRP multicast
   routing protocol and is configured by editing /usr/local/etc/mrouted.conf
   in order to set up the tunnels and DVMRP. The installation of mrouted also
   installs map-mbone and mrinfo, as well as their associated man pages.
   Refer to these for configuration examples.

  ******:

   DVMRP has largely been replaced by the PIM protocol in many multicast
   installations. Refer to pim(4) for more information.

31.3. ************

   Loader, Marc Fonvieille and Murray Stokely.

  31.3.1. ******************

   Most wireless networks are based on the IEEE(R) 802.11 standards. A basic
   wireless network consists of multiple stations communicating with radios
   that broadcast in either the 2.4GHz or 5GHz band, though this varies
   according to the locale and is also changing to enable communication in
   the 2.3GHz and 4.9GHz ranges.

   802.11 networks are organized in two ways. In infrastructure mode, one
   station acts as a master with all the other stations associating to it,
   the network is known as a BSS, and the master station is termed an access
   point (AP). In a BSS, all communication passes through the AP; even when
   one station wants to communicate with another wireless station, messages
   must go through the AP. In the second form of network, there is no master
   and stations communicate directly. This form of network is termed an IBSS
   and is commonly known as an ad-hoc network.

   802.11 networks were first deployed in the 2.4GHz band using protocols
   defined by the IEEE(R) 802.11 and 802.11b standard. These specifications
   include the operating frequencies and the MAC layer characteristics,
   including framing and transmission rates, as communication can occur at
   various rates. Later, the 802.11a standard defined operation in the 5GHz
   band, including different signaling mechanisms and higher transmission
   rates. Still later, the 802.11g standard defined the use of 802.11a
   signaling and transmission mechanisms in the 2.4GHz band in such a way as
   to be backwards compatible with 802.11b networks.

   Separate from the underlying transmission techniques, 802.11 networks have
   a variety of security mechanisms. The original 802.11 specifications
   defined a simple security protocol called WEP. This protocol uses a fixed
   pre-shared key and the RC4 cryptographic cipher to encode data transmitted
   on a network. Stations must all agree on the fixed key in order to
   communicate. This scheme was shown to be easily broken and is now rarely
   used except to discourage transient users from joining networks. Current
   security practice is given by the IEEE(R) 802.11i specification that
   defines new cryptographic ciphers and an additional protocol to
   authenticate stations to an access point and exchange keys for data
   communication. Cryptographic keys are periodically refreshed and there are
   mechanisms for detecting and countering intrusion attempts. Another
   security protocol specification commonly used in wireless networks is
   termed WPA, which was a precursor to 802.11i. WPA specifies a subset of
   the requirements found in 802.11i and is designed for implementation on
   legacy hardware. Specifically, WPA requires only the TKIP cipher that is
   derived from the original WEP cipher. 802.11i permits use of TKIP but also
   requires support for a stronger cipher, AES-CCM, for encrypting data. The
   AES cipher was not required in WPA because it was deemed too
   computationally costly to be implemented on legacy hardware.

   The other standard to be aware of is 802.11e. It defines protocols for
   deploying multimedia applications, such as streaming video and voice over
   IP (VoIP), in an 802.11 network. Like 802.11i, 802.11e also has a
   precursor specification termed WME (later renamed WMM) that has been
   defined by an industry group as a subset of 802.11e that can be deployed
   now to enable multimedia applications while waiting for the final
   ratification of 802.11e. The most important thing to know about 802.11e
   and WME/WMM is that it enables prioritized traffic over a wireless network
   through Quality of Service (QoS) protocols and enhanced media access
   protocols. Proper implementation of these protocols enables high speed
   bursting of data and prioritized traffic flow.

   FreeBSD supports networks that operate using 802.11a, 802.11b, and
   802.11g. The WPA and 802.11i security protocols are likewise supported (in
   conjunction with any of 11a, 11b, and 11g) and QoS and traffic
   prioritization required by the WME/WMM protocols are supported for a
   limited set of wireless devices.

  31.3.2. ************

   Connecting a computer to an existing wireless network is a very common
   situation. This procedure shows the steps required.

    1. Obtain the SSID (Service Set Identifier) and PSK (Pre-Shared Key) for
       the wireless network from the network administrator.

    2. Identify the wireless adapter. The FreeBSD GENERIC kernel includes
       drivers for many common wireless adapters. If the wireless adapter is
       one of those models, it will be shown in the output from ifconfig(8):

 % ifconfig | grep -B3 -i wireless

       On FreeBSD 11 or higher, use this command instead:

 % sysctl net.wlan.devices

       If a wireless adapter is not listed, an additional kernel module might
       be required, or it might be a model not supported by FreeBSD.

       This example shows the Atheros ath0 wireless adapter.

    3. Add an entry for this network to /etc/wpa_supplicant.conf. If the file
       does not exist, create it. Replace myssid and mypsk with the SSID and
       PSK provided by the network administrator.

 network={
         ssid="myssid"
         psk="mypsk"
 }

    4. Add entries to /etc/rc.conf to configure the network on startup:

 wlans_ath0="wlan0"
 ifconfig_wlan0="WPA SYNCDHCP"

    5. Restart the computer, or restart the network service to connect to the
       network:

 # service netif restart

  31.3.3. ************

    31.3.3.1. ************

   To use wireless networking, a wireless networking card is needed and the
   kernel needs to be configured with the appropriate wireless networking
   support. The kernel is separated into multiple modules so that only the
   required support needs to be configured.

   The most commonly used wireless devices are those that use parts made by
   Atheros. These devices are supported by ath(4) and require the following
   line to be added to /boot/loader.conf:

 if_ath_load="YES"

   The Atheros driver is split up into three separate pieces: the driver
   (ath(4)), the hardware support layer that handles chip-specific functions
   (ath_hal(4)), and an algorithm for selecting the rate for transmitting
   frames. When this support is loaded as kernel modules, any dependencies
   are automatically handled. To load support for a different type of
   wireless device, specify the module for that device. This example is for
   devices based on the Intersil Prism parts (wi(4)) driver:

 if_wi_load="YES"

  ******:

   The examples in this section use an ath(4) device and the device name in
   the examples must be changed according to the configuration. A list of
   available wireless drivers and supported adapters can be found in the
   FreeBSD Hardware Notes, available on the Release Information page of the
   FreeBSD website. If a native FreeBSD driver for the wireless device does
   not exist, it may be possible to use the Windows(R) driver with the help
   of the NDIS driver wrapper.

   In addition, the modules that implement cryptographic support for the
   security protocols to use must be loaded. These are intended to be
   dynamically loaded on demand by the wlan(4) module, but for now they must
   be manually configured. The following modules are available: wlan_wep(4),
   wlan_ccmp(4), and wlan_tkip(4). The wlan_ccmp(4) and wlan_tkip(4) drivers
   are only needed when using the WPA or 802.11i security protocols. If the
   network does not use encryption, wlan_wep(4) support is not needed. To
   load these modules at boot time, add the following lines to
   /boot/loader.conf:

 wlan_wep_load="YES"
 wlan_ccmp_load="YES"
 wlan_tkip_load="YES"

   Once this information has been added to /boot/loader.conf, reboot the
   FreeBSD box. Alternately, load the modules by hand using kldload(8).

  ******:

   For users who do not want to use modules, it is possible to compile these
   drivers into the kernel by adding the following lines to a custom kernel
   configuration file:

 device wlan              # 802.11 support
 device wlan_wep          # 802.11 WEP support
 device wlan_ccmp         # 802.11 CCMP support
 device wlan_tkip         # 802.11 TKIP support
 device wlan_amrr         # AMRR transmit rate control algorithm
 device ath               # Atheros pci/cardbus NIC's
 device ath_hal           # pci/cardbus chip support
 options AH_SUPPORT_AR5416 # enable AR5416 tx/rx descriptors
 device ath_rate_sample   # SampleRate tx rate control for ath

   With this information in the kernel configuration file, recompile the
   kernel and reboot the FreeBSD machine.

   Information about the wireless device should appear in the boot messages,
   like this:

 ath0: <Atheros 5212> mem 0x88000000-0x8800ffff irq 11 at device 0.0 on cardbus1
 ath0: [ITHREAD]
 ath0: AR2413 mac 7.9 RF2413 phy 4.5

    31.3.3.2. *********************

   Since the regulatory situation is different in various parts of the world,
   it is necessary to correctly set the domains that apply to your location
   to have the correct information about what channels can be used.

   The available region definitions can be found in /etc/regdomain.xml. To
   set the data at runtime, use ifconfig:

 # ifconfig wlan0 regdomain ETSI country AT

   To persist the settings, add it to /etc/rc.conf:

 # sysrc create_args_wlan0="country AT regdomain ETSI"

  31.3.4. ********* (Infrastructure)

   Infrastructure (BSS) mode is the mode that is typically used. In this
   mode, a number of wireless access points are connected to a wired network.
   Each wireless network has its own name, called the SSID. Wireless clients
   connect to the wireless access points.

    31.3.4.1. FreeBSD *********

      31.3.4.1.1. *********************

   To scan for available networks, use ifconfig(8). This request may take a
   few moments to complete as it requires the system to switch to each
   available wireless frequency and probe for available access points. Only
   the superuser can initiate a scan:

 # ifconfig wlan0 create wlandev ath0
 # ifconfig wlan0 up scan
 SSID/MESH ID    BSSID              CHAN RATE   S:N     INT CAPS
 dlinkap         00:13:46:49:41:76   11   54M -90:96   100 EPS  WPA WME
 freebsdap       00:11:95:c3:0d:ac    1   54M -83:96   100 EPS  WPA

  ******:

   The interface must be up before it can scan. Subsequent scan requests do
   not require the interface to be marked as up again.

   The output of a scan request lists each BSS/IBSS network found. Besides
   listing the name of the network, the SSID, the output also shows the
   BSSID, which is the MAC address of the access point. The CAPS field
   identifies the type of each network and the capabilities of the stations
   operating there:

   ****** 31.2. ******************

   ************                            ******                             
                Extended Service Set (ESS). Indicates that the station is     
   E            part of an infrastructure network rather than an IBSS/ad-hoc  
                network.                                                      
   I            IBSS/ad-hoc network. Indicates that the station is part of an 
                ad-hoc network rather than an ESS network.                    
                Privacy. Encryption is required for all data frames exchanged 
   P            within the BSS using cryptographic means such as WEP, TKIP or 
                AES-CCMP.                                                     
                Short Preamble. Indicates that the network is using short     
   S            preambles, defined in 802.11b High Rate/DSSS PHY, and         
                utilizes a 56 bit sync field rather than the 128 bit field    
                used in long preamble mode.                                   
                Short slot time. Indicates that the 802.11g network is using  
   s            a short slot time because there are no legacy (802.11b)       
                stations present.                                             

   One can also display the current list of known networks with:

 # ifconfig wlan0 list scan

   This information may be updated automatically by the adapter or manually
   with a scan request. Old data is automatically removed from the cache, so
   over time this list may shrink unless more scans are done.

      31.3.4.1.2. ************

   This section provides a simple example of how to make the wireless network
   adapter work in FreeBSD without encryption. Once familiar with these
   concepts, it is strongly recommend to use WPA to set up the wireless
   network.

   There are three basic steps to configure a wireless network: select an
   access point, authenticate the station, and configure an IP address. The
   following sections discuss each step.

        31.3.4.1.2.1. ***************

   Most of the time, it is sufficient to let the system choose an access
   point using the builtin heuristics. This is the default behavior when an
   interface is marked as up or it is listed in /etc/rc.conf:

 wlans_ath0="wlan0"
 ifconfig_wlan0="DHCP"

   If there are multiple access points, a specific one can be selected by its
   SSID:

 wlans_ath0="wlan0"
 ifconfig_wlan0="ssid your_ssid_here DHCP"

   In an environment where there are multiple access points with the same
   SSID, which is often done to simplify roaming, it may be necessary to
   associate to one specific device. In this case, the BSSID of the access
   point can be specified, with or without the SSID:

 wlans_ath0="wlan0"
 ifconfig_wlan0="ssid your_ssid_here bssid xx:xx:xx:xx:xx:xx DHCP"

   There are other ways to constrain the choice of an access point, such as
   limiting the set of frequencies the system will scan on. This may be
   useful for a multi-band wireless card as scanning all the possible
   channels can be time-consuming. To limit operation to a specific band, use
   the mode parameter:

 wlans_ath0="wlan0"
 ifconfig_wlan0="mode 11g ssid your_ssid_here DHCP"

   This example will force the card to operate in 802.11g, which is defined
   only for 2.4GHz frequencies so any 5GHz channels will not be considered.
   This can also be achieved with the channel parameter, which locks
   operation to one specific frequency, and the chanlist parameter, to
   specify a list of channels for scanning. More information about these
   parameters can be found in ifconfig(8).

        31.3.4.1.2.2. ******

   Once an access point is selected, the station needs to authenticate before
   it can pass data. Authentication can happen in several ways. The most
   common scheme, open authentication, allows any station to join the network
   and communicate. This is the authentication to use for test purposes the
   first time a wireless network is setup. Other schemes require
   cryptographic handshakes to be completed before data traffic can flow,
   either using pre-shared keys or secrets, or more complex schemes that
   involve backend services such as RADIUS. Open authentication is the
   default setting. The next most common setup is WPA-PSK, also known as WPA
   Personal, which is described in *** 31.3.4.1.3.1, "WPA-PSK".

  ******:

   If using an Apple(R) AirPort(R) Extreme base station for an access point,
   shared-key authentication together with a WEP key needs to be configured.
   This can be configured in /etc/rc.conf or by using wpa_supplicant(8). For
   a single AirPort(R) base station, access can be configured with:

 wlans_ath0="wlan0"
 ifconfig_wlan0="authmode shared wepmode on weptxkey 1 wepkey 01234567 DHCP"

   In general, shared key authentication should be avoided because it uses
   the WEP key material in a highly-constrained manner, making it even easier
   to crack the key. If WEP must be used for compatibility with legacy
   devices, it is better to use WEP with open authentication. More
   information regarding WEP can be found in *** 31.3.4.1.4, "WEP".

        31.3.4.1.2.3. ****** DHCP ****** IP ******

   Once an access point is selected and the authentication parameters are
   set, an IP address must be obtained in order to communicate. Most of the
   time, the IP address is obtained via DHCP. To achieve that, edit
   /etc/rc.conf and add DHCP to the configuration for the device:

 wlans_ath0="wlan0"
 ifconfig_wlan0="DHCP"

   The wireless interface is now ready to bring up:

 # service netif start

   Once the interface is running, use ifconfig(8) to see the status of the
   interface ath0:

 # ifconfig wlan0
 wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         ether 00:11:95:d5:43:62
         inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
         media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
         status: associated
         ssid dlinkap channel 11 (2462 Mhz 11g) bssid 00:13:46:49:41:76
         country US ecm authmode OPEN privacy OFF txpower 21.5 bmiss 7
         scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7
         roam:rate 5 protmode CTS wme burst

   The status: associated line means that it is connected to the wireless
   network. The bssid 00:13:46:49:41:76 is the MAC address of the access
   point and authmode OPEN indicates that the communication is not encrypted.

        31.3.4.1.2.4. ****** IP ******

   If an IP address cannot be obtained from a DHCP server, set a fixed IP
   address. Replace the DHCP keyword shown above with the address
   information. Be sure to retain any other parameters for selecting the
   access point:

 wlans_ath0="wlan0"
 ifconfig_wlan0="inet 192.168.1.100 netmask 255.255.255.0 ssid your_ssid_here"

      31.3.4.1.3. WPA

   Wi-Fi Protected Access (WPA) is a security protocol used together with
   802.11 networks to address the lack of proper authentication and the
   weakness of WEP. WPA leverages the 802.1X authentication protocol and uses
   one of several ciphers instead of WEP for data integrity. The only cipher
   required by WPA is the Temporary Key Integrity Protocol (TKIP). TKIP is a
   cipher that extends the basic RC4 cipher used by WEP by adding integrity
   checking, tamper detection, and measures for responding to detected
   intrusions. TKIP is designed to work on legacy hardware with only software
   modification. It represents a compromise that improves security but is
   still not entirely immune to attack. WPA also specifies the AES-CCMP
   cipher as an alternative to TKIP, and that is preferred when possible. For
   this specification, the term WPA2 or RSN is commonly used.

   WPA defines authentication and encryption protocols. Authentication is
   most commonly done using one of two techniques: by 802.1X and a backend
   authentication service such as RADIUS, or by a minimal handshake between
   the station and the access point using a pre-shared secret. The former is
   commonly termed WPA Enterprise and the latter is known as WPA Personal.
   Since most people will not set up a RADIUS backend server for their
   wireless network, WPA-PSK is by far the most commonly encountered
   configuration for WPA.

   The control of the wireless connection and the key negotiation or
   authentication with a server is done using wpa_supplicant(8). This program
   requires a configuration file, /etc/wpa_supplicant.conf, to run. More
   information regarding this file can be found in wpa_supplicant.conf(5).

        31.3.4.1.3.1. WPA-PSK

   WPA-PSK, also known as WPA Personal, is based on a pre-shared key (PSK)
   which is generated from a given password and used as the master key in the
   wireless network. This means every wireless user will share the same key.
   WPA-PSK is intended for small networks where the use of an authentication
   server is not possible or desired.

  ******:

   Always use strong passwords that are sufficiently long and made from a
   rich alphabet so that they will not be easily guessed or attacked.

   The first step is the configuration of /etc/wpa_supplicant.conf with the
   SSID and the pre-shared key of the network:

 network={
   ssid="freebsdap"
   psk="freebsdmall"
 }

   Then, in /etc/rc.conf, indicate that the wireless device configuration
   will be done with WPA and the IP address will be obtained with DHCP:

 wlans_ath0="wlan0"
 ifconfig_wlan0="WPA DHCP"

   Then, bring up the interface:

 # service netif start
 Starting wpa_supplicant.
 DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 5
 DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 6
 DHCPOFFER from 192.168.0.1
 DHCPREQUEST on wlan0 to 255.255.255.255 port 67
 DHCPACK from 192.168.0.1
 bound to 192.168.0.254 -- renewal in 300 seconds.
 wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       ether 00:11:95:d5:43:62
       inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
       media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
       status: associated
       ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
       country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
       AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
       bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
       wme burst roaming MANUAL

   Or, try to configure the interface manually using the information in
   /etc/wpa_supplicant.conf:

 # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf
 Trying to associate with 00:11:95:c3:0d:ac (SSID='freebsdap' freq=2412 MHz)
 Associated with 00:11:95:c3:0d:ac
 WPA: Key negotiation completed with 00:11:95:c3:0d:ac [PTK=CCMP GTK=CCMP]
 CTRL-EVENT-CONNECTED - Connection to 00:11:95:c3:0d:ac completed (auth) [id=0 id_str=]

   The next operation is to launch dhclient(8) to get the IP address from the
   DHCP server:

 # dhclient wlan0
 DHCPREQUEST on wlan0 to 255.255.255.255 port 67
 DHCPACK from 192.168.0.1
 bound to 192.168.0.254 -- renewal in 300 seconds.
 # ifconfig wlan0
 wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       ether 00:11:95:d5:43:62
       inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
       media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
       status: associated
       ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
       country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
       AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
       bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
       wme burst roaming MANUAL

  ******:

   If /etc/rc.conf has an ifconfig_wlan0="DHCP" entry, dhclient(8) will be
   launched automatically after wpa_supplicant(8) associates with the access
   point.

   If DHCP is not possible or desired, set a static IP address after
   wpa_supplicant(8) has authenticated the station:

 # ifconfig wlan0 inet 192.168.0.100 netmask 255.255.255.0
 # ifconfig wlan0
 wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       ether 00:11:95:d5:43:62
       inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
       media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
       status: associated
       ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
       country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
       AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
       bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
       wme burst roaming MANUAL

   When DHCP is not used, the default gateway and the nameserver also have to
   be manually set:

 # route add default your_default_router
 # echo "nameserver your_DNS_server" >> /etc/resolv.conf

        31.3.4.1.3.2. WPA ****** EAP-TLS

   The second way to use WPA is with an 802.1X backend authentication server.
   In this case, WPA is called WPA Enterprise to differentiate it from the
   less secure WPA Personal. Authentication in WPA Enterprise is based on the
   Extensible Authentication Protocol (EAP).

   EAP does not come with an encryption method. Instead, EAP is embedded
   inside an encrypted tunnel. There are many EAP authentication methods, but
   EAP-TLS, EAP-TTLS, and EAP-PEAP are the most common.

   EAP with Transport Layer Security (EAP-TLS) is a well-supported wireless
   authentication protocol since it was the first EAP method to be certified
   by the Wi-Fi Alliance. EAP-TLS requires three certificates to run: the
   certificate of the Certificate Authority (CA) installed on all machines,
   the server certificate for the authentication server, and one client
   certificate for each wireless client. In this EAP method, both the
   authentication server and wireless client authenticate each other by
   presenting their respective certificates, and then verify that these
   certificates were signed by the organization's CA.

   As previously, the configuration is done via /etc/wpa_supplicant.conf:

 network={
   ssid="freebsdap" 1
   proto=RSN  2
   key_mgmt=WPA-EAP 3
   eap=TLS 4
   identity="loader" 5
   ca_cert="/etc/certs/cacert.pem" 6
   client_cert="/etc/certs/clientcert.pem" 7
   private_key="/etc/certs/clientkey.pem" 8
   private_key_passwd="freebsdmallclient" 9
 }

   1 This field indicates the network name (SSID).                            
   2 This example uses the RSN IEEE(R) 802.11i protocol, also known as WPA2.  
   3 The key_mgmt line refers to the key management protocol to use. In this  
     example, it is WPA using EAP authentication.                             
   4 This field indicates the EAP method for the connection.                  
   5 The identity field contains the identity string for EAP.                 
   6 The ca_cert field indicates the pathname of the CA certificate file.     
     This file is needed to verify the server certificate.                    
   7 The client_cert line gives the pathname to the client certificate file.  
     This certificate is unique to each wireless client of the network.       
   8 The private_key field is the pathname to the client certificate private  
     key file.                                                                
   9 The private_key_passwd field contains the passphrase for the private     
     key.                                                                     

   Then, add the following lines to /etc/rc.conf:

 wlans_ath0="wlan0"
 ifconfig_wlan0="WPA DHCP"

   The next step is to bring up the interface:

 # service netif start
 Starting wpa_supplicant.
 DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 7
 DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 15
 DHCPACK from 192.168.0.20
 bound to 192.168.0.254 -- renewal in 300 seconds.
 wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       ether 00:11:95:d5:43:62
       inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
       media: IEEE 802.11 Wireless Ethernet DS/11Mbps mode 11g
       status: associated
       ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
       country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
       AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
       bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
       wme burst roaming MANUAL

   It is also possible to bring up the interface manually using
   wpa_supplicant(8) and ifconfig(8).

        31.3.4.1.3.3. WPA ****** EAP-TTLS

   With EAP-TLS, both the authentication server and the client need a
   certificate. With EAP-TTLS, a client certificate is optional. This method
   is similar to a web server which creates a secure SSL tunnel even if
   visitors do not have client-side certificates. EAP-TTLS uses an encrypted
   TLS tunnel for safe transport of the authentication data.

   The required configuration can be added to /etc/wpa_supplicant.conf:

 network={
   ssid="freebsdap"
   proto=RSN
   key_mgmt=WPA-EAP
   eap=TTLS 1
   identity="test" 2
   password="test" 3
   ca_cert="/etc/certs/cacert.pem" 4
   phase2="auth=MD5" 5
 }

   1 This field specifies the EAP method for the connection.                  
   2 The identity field contains the identity string for EAP authentication   
     inside the encrypted TLS tunnel.                                         
   3 The password field contains the passphrase for the EAP authentication.   
   4 The ca_cert field indicates the pathname of the CA certificate file.     
     This file is needed to verify the server certificate.                    
   5 This field specifies the authentication method used in the encrypted TLS 
     tunnel. In this example, EAP with MD5-Challenge is used. The "inner      
     authentication" phase is often called "phase2".                          

   Next, add the following lines to /etc/rc.conf:

 wlans_ath0="wlan0"
 ifconfig_wlan0="WPA DHCP"

   The next step is to bring up the interface:

 # service netif start
 Starting wpa_supplicant.
 DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 7
 DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 15
 DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 21
 DHCPACK from 192.168.0.20
 bound to 192.168.0.254 -- renewal in 300 seconds.
 wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       ether 00:11:95:d5:43:62
       inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
       media: IEEE 802.11 Wireless Ethernet DS/11Mbps mode 11g
       status: associated
       ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
       country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
       AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
       bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
       wme burst roaming MANUAL

        31.3.4.1.3.4. WPA ****** EAP-PEAP

  ******:

   PEAPv0/EAP-MSCHAPv2 is the most common PEAP method. In this chapter, the
   term PEAP is used to refer to that method.

   Protected EAP (PEAP) is designed as an alternative to EAP-TTLS and is the
   most used EAP standard after EAP-TLS. In a network with mixed operating
   systems, PEAP should be the most supported standard after EAP-TLS.

   PEAP is similar to EAP-TTLS as it uses a server-side certificate to
   authenticate clients by creating an encrypted TLS tunnel between the
   client and the authentication server, which protects the ensuing exchange
   of authentication information. PEAP authentication differs from EAP-TTLS
   as it broadcasts the username in the clear and only the password is sent
   in the encrypted TLS tunnel. EAP-TTLS will use the TLS tunnel for both the
   username and password.

   Add the following lines to /etc/wpa_supplicant.conf to configure the
   EAP-PEAP related settings:

 network={
   ssid="freebsdap"
   proto=RSN
   key_mgmt=WPA-EAP
   eap=PEAP 1
   identity="test" 2
   password="test" 3
   ca_cert="/etc/certs/cacert.pem" 4
   phase1="peaplabel=0" 5
   phase2="auth=MSCHAPV2" 6
 }

   1 This field specifies the EAP method for the connection.                  
   2 The identity field contains the identity string for EAP authentication   
     inside the encrypted TLS tunnel.                                         
   3 The password field contains the passphrase for the EAP authentication.   
   4 The ca_cert field indicates the pathname of the CA certificate file.     
     This file is needed to verify the server certificate.                    
   5 This field contains the parameters for the first phase of                
     authentication, the TLS tunnel. According to the authentication server   
     used, specify a specific label for authentication. Most of the time, the 
     label will be "client EAP encryption" which is set by using peaplabel=0. 
     More information can be found in wpa_supplicant.conf(5).                 
   6 This field specifies the authentication protocol used in the encrypted   
     TLS tunnel. In the case of PEAP, it is auth=MSCHAPV2.                    

   ********************* /etc/rc.conf**

 wlans_ath0="wlan0"
 ifconfig_wlan0="WPA DHCP"

   Then, bring up the interface:

 # service netif start
 Starting wpa_supplicant.
 DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 7
 DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 15
 DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 21
 DHCPACK from 192.168.0.20
 bound to 192.168.0.254 -- renewal in 300 seconds.
 wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       ether 00:11:95:d5:43:62
       inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
       media: IEEE 802.11 Wireless Ethernet DS/11Mbps mode 11g
       status: associated
       ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
       country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
       AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
       bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
       wme burst roaming MANUAL

      31.3.4.1.4. WEP

   Wired Equivalent Privacy (WEP) is part of the original 802.11 standard.
   There is no authentication mechanism, only a weak form of access control
   which is easily cracked.

   WEP can be set up using ifconfig(8):

 # ifconfig wlan0 create wlandev ath0
 # ifconfig wlan0 inet 192.168.1.100 netmask 255.255.255.0 \
             ssid my_net wepmode on weptxkey 3 wepkey 3:0x3456789012

     * The weptxkey specifies which WEP key will be used in the transmission.
       This example uses the third key. This must match the setting on the
       access point. When unsure which key is used by the access point, try 1
       (the first key) for this value.

     * The wepkey selects one of the WEP keys. It should be in the format
       index:key. Key 1 is used by default; the index only needs to be set
       when using a key other than the first key.

  ******:

       Replace the 0x3456789012 with the key configured for use on the access
       point.

   Refer to ifconfig(8) for further information.

   The wpa_supplicant(8) facility can be used to configure a wireless
   interface with WEP. The example above can be set up by adding the
   following lines to /etc/wpa_supplicant.conf:

 network={
   ssid="my_net"
   key_mgmt=NONE
   wep_key3=3456789012
   wep_tx_keyidx=3
 }

   Then:

 # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf
 Trying to associate with 00:13:46:49:41:76 (SSID='dlinkap' freq=2437 MHz)
 Associated with 00:13:46:49:41:76

  31.3.5. ********* (Ad-hoc)

   IBSS mode, also called ad-hoc mode, is designed for point to point
   connections. For example, to establish an ad-hoc network between the
   machines A and B, choose two IP addresses and a SSID.

   On A:

 # ifconfig wlan0 create wlandev ath0 wlanmode adhoc
 # ifconfig wlan0 inet 192.168.0.1 netmask 255.255.255.0 ssid freebsdap
 # ifconfig wlan0
   wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
           ether 00:11:95:c3:0d:ac
           inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
           media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <adhoc>
           status: running
           ssid freebsdap channel 2 (2417 Mhz 11g) bssid 02:11:95:c3:0d:ac
           country US ecm authmode OPEN privacy OFF txpower 21.5 scanvalid 60
           protmode CTS wme burst

   The adhoc parameter indicates that the interface is running in IBSS mode.

   B should now be able to detect A:

 # ifconfig wlan0 create wlandev ath0 wlanmode adhoc
 # ifconfig wlan0 up scan
   SSID/MESH ID    BSSID              CHAN RATE   S:N     INT CAPS
   freebsdap       02:11:95:c3:0d:ac    2   54M -64:-96  100 IS   WME

   The I in the output confirms that A is in ad-hoc mode. Now, configure B
   with a different IP address:

 # ifconfig wlan0 inet 192.168.0.2 netmask 255.255.255.0 ssid freebsdap
 # ifconfig wlan0
   wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
           ether 00:11:95:d5:43:62
           inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
           media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <adhoc>
           status: running
           ssid freebsdap channel 2 (2417 Mhz 11g) bssid 02:11:95:c3:0d:ac
           country US ecm authmode OPEN privacy OFF txpower 21.5 scanvalid 60
           protmode CTS wme burst

   Both A and B are now ready to exchange information.

  31.3.6. FreeBSD ***************

   FreeBSD can act as an Access Point (AP) which eliminates the need to buy a
   hardware AP or run an ad-hoc network. This can be particularly useful when
   a FreeBSD machine is acting as a gateway to another network such as the
   Internet.

    31.3.6.1. ************

   Before configuring a FreeBSD machine as an AP, the kernel must be
   configured with the appropriate networking support for the wireless card
   as well as the security protocols being used. For more details, see
   *** 31.3.3, "************".

  ******:

   The NDIS driver wrapper for Windows(R) drivers does not currently support
   AP operation. Only native FreeBSD wireless drivers support AP mode.

   Once wireless networking support is loaded, check if the wireless device
   supports the host-based access point mode, also known as hostap mode:

 # ifconfig wlan0 create wlandev ath0
 # ifconfig wlan0 list caps
 drivercaps=6f85edc1<STA,FF,TURBOP,IBSS,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,MBSS,WPA1,WPA2,BURST,WME,WDS,BGSCAN,TXFRAG>
 cryptocaps=1f<WEP,TKIP,AES,AES_CCM,TKIPMIC>

   This output displays the card's capabilities. The HOSTAP word confirms
   that this wireless card can act as an AP. Various supported ciphers are
   also listed: WEP, TKIP, and AES. This information indicates which security
   protocols can be used on the AP.

   The wireless device can only be put into hostap mode during the creation
   of the network pseudo-device, so a previously created device must be
   destroyed first:

 # ifconfig wlan0 destroy

   then regenerated with the correct option before setting the other
   parameters:

 # ifconfig wlan0 create wlandev ath0 wlanmode hostap
 # ifconfig wlan0 inet 192.168.0.1 netmask 255.255.255.0 ssid freebsdap mode 11g channel 1

   Use ifconfig(8) again to see the status of the wlan0 interface:

 # ifconfig wlan0
   wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
           ether 00:11:95:c3:0d:ac
           inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
           media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
           status: running
           ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
           country US ecm authmode OPEN privacy OFF txpower 21.5 scanvalid 60
           protmode CTS wme burst dtimperiod 1 -dfs

   The hostap parameter indicates the interface is running in the host-based
   access point mode.

   The interface configuration can be done automatically at boot time by
   adding the following lines to /etc/rc.conf:

 wlans_ath0="wlan0"
 create_args_wlan0="wlanmode hostap"
 ifconfig_wlan0="inet 192.168.0.1 netmask 255.255.255.0 ssid freebsdap mode 11g channel 1"

    31.3.6.2. ********************* Host-based *********

   Although it is not recommended to run an AP without any authentication or
   encryption, this is a simple way to check if the AP is working. This
   configuration is also important for debugging client issues.

   Once the AP is configured, initiate a scan from another wireless machine
   to find the AP:

 # ifconfig wlan0 create wlandev ath0
 # ifconfig wlan0 up scan
 SSID/MESH ID    BSSID              CHAN RATE   S:N     INT CAPS
 freebsdap       00:11:95:c3:0d:ac    1   54M -66:-96  100 ES   WME

   The client machine found the AP and can be associated with it:

 # ifconfig wlan0 inet 192.168.0.2 netmask 255.255.255.0 ssid freebsdap
 # ifconfig wlan0
   wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
           ether 00:11:95:d5:43:62
           inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
           media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
           status: associated
           ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
           country US ecm authmode OPEN privacy OFF txpower 21.5 bmiss 7
           scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7
           roam:rate 5 protmode CTS wme burst

    31.3.6.3. WPA2 Host-based *********

   This section focuses on setting up a FreeBSD access point using the WPA2
   security protocol. More details regarding WPA and the configuration of
   WPA-based wireless clients can be found in *** 31.3.4.1.3, "WPA".

   The hostapd(8) daemon is used to deal with client authentication and key
   management on the WPA2-enabled AP.

   The following configuration operations are performed on the FreeBSD
   machine acting as the AP. Once the AP is correctly working, hostapd(8) can
   be automatically started at boot with this line in /etc/rc.conf:

 hostapd_enable="YES"

   Before trying to configure hostapd(8), first configure the basic settings
   introduced in *** 31.3.6.1, "************".

      31.3.6.3.1. WPA2-PSK

   WPA2-PSK is intended for small networks where the use of a backend
   authentication server is not possible or desired.

   The configuration is done in /etc/hostapd.conf:

 interface=wlan0                  1
 debug=1                          2
 ctrl_interface=/var/run/hostapd  3
 ctrl_interface_group=wheel       4
 ssid=freebsdap                   5
 wpa=2                            6
 wpa_passphrase=freebsdmall       7
 wpa_key_mgmt=WPA-PSK             8
 wpa_pairwise=CCMP                9

   1 Wireless interface used for the access point.                            
   2 Level of verbosity used during the execution of hostapd(8). A value of 1 
     represents the minimal level.                                            
   3 Pathname of the directory used by hostapd(8) to store domain socket      
     files for communication with external programs such as hostapd_cli(8).   
     The default value is used in this example.                               
   4 The group allowed to access the control interface files.                 
   5 The wireless network name, or SSID, that will appear in wireless scans.  
   6 Enable WPA and specify which WPA authentication protocol will be         
     required. A value of 2 configures the AP for WPA2 and is recommended.    
     Set to 1 only if the obsolete WPA is required.                           
   7 ASCII passphrase for WPA authentication.                                 
                                                                              
       ******:                                                                
                                                                              
     Always use strong passwords that are at least 8 characters long and made 
     from a rich alphabet so that they will not be easily guessed or          
     attacked.                                                                
   8 The key management protocol to use. This example sets WPA-PSK.           
   9 Encryption algorithms accepted by the access point. In this example,     
     only the CCMP (AES) cipher is accepted. CCMP is an alternative to TKIP   
     and is strongly preferred when possible. TKIP should be allowed only     
     when there are stations incapable of using CCMP.                         

   The next step is to start hostapd(8):

 # service hostapd forcestart

 # ifconfig wlan0
 wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
         ether 04:f0:21:16:8e:10
         inet6 fe80::6f0:21ff:fe16:8e10%wlan0 prefixlen 64 scopeid 0x9
         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
         media: IEEE 802.11 Wireless Ethernet autoselect mode 11na <hostap>
         status: running
         ssid No5ignal channel 36 (5180 MHz 11a ht/40+) bssid 04:f0:21:16:8e:10
         country US ecm authmode WPA2/802.11i privacy MIXED deftxkey 2
         AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 17 mcastrate 6 mgmtrate 6
         scanvalid 60 ampdulimit 64k ampdudensity 8 shortgi wme burst
         dtimperiod 1 -dfs
         groups: wlan

   Once the AP is running, the clients can associate with it. See
   *** 31.3.4.1.3, "WPA" for more details. It is possible to see the stations
   associated with the AP using ifconfig wlan0 list sta.

    31.3.6.4. WEP Host-based *********

   It is not recommended to use WEP for setting up an AP since there is no
   authentication mechanism and the encryption is easily cracked. Some legacy
   wireless cards only support WEP and these cards will only support an AP
   without authentication or encryption.

   The wireless device can now be put into hostap mode and configured with
   the correct SSID and IP address:

 # ifconfig wlan0 create wlandev ath0 wlanmode hostap
 # ifconfig wlan0 inet 192.168.0.1 netmask 255.255.255.0 \
         ssid freebsdap wepmode on weptxkey 3 wepkey 3:0x3456789012 mode 11g

     * The weptxkey indicates which WEP key will be used in the transmission.
       This example uses the third key as key numbering starts with 1. This
       parameter must be specified in order to encrypt the data.

     * The wepkey sets the selected WEP key. It should be in the format
       index:key. If the index is not given, key 1 is set. The index needs to
       be set when using keys other than the first key.

   Use ifconfig(8) to see the status of the wlan0 interface:

 # ifconfig wlan0
   wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
           ether 00:11:95:c3:0d:ac
           inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
           media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
           status: running
           ssid freebsdap channel 4 (2427 Mhz 11g) bssid 00:11:95:c3:0d:ac
           country US ecm authmode OPEN privacy ON deftxkey 3 wepkey 3:40-bit
           txpower 21.5 scanvalid 60 protmode CTS wme burst dtimperiod 1 -dfs

   From another wireless machine, it is now possible to initiate a scan to
   find the AP:

 # ifconfig wlan0 create wlandev ath0
 # ifconfig wlan0 up scan
 SSID            BSSID              CHAN RATE  S:N   INT CAPS
 freebsdap       00:11:95:c3:0d:ac    1   54M 22:1   100 EPS

   In this example, the client machine found the AP and can associate with it
   using the correct parameters. See *** 31.3.4.1.4, "WEP" for more details.

  31.3.7. *********************************

   A wired connection provides better performance and reliability, while a
   wireless connection provides flexibility and mobility. Laptop users
   typically want to roam seamlessly between the two types of connections.

   On FreeBSD, it is possible to combine two or even more network interfaces
   together in a "failover" fashion. This type of configuration uses the most
   preferred and available connection from a group of network interfaces, and
   the operating system switches automatically when the link state changes.

   Link aggregation and failover is covered in *** 31.7, "Link Aggregation
   ***************" and an example for using both wired and wireless
   connections is provided at ****** 31.3,
   "***************************************************".

  31.3.8. ************

   This section describes a number of steps to help troubleshoot common
   wireless networking problems.

     * If the access point is not listed when scanning, check that the
       configuration has not limited the wireless device to a limited set of
       channels.

     * If the device cannot associate with an access point, verify that the
       configuration matches the settings on the access point. This includes
       the authentication scheme and any security protocols. Simplify the
       configuration as much as possible. If using a security protocol such
       as WPA or WEP, configure the access point for open authentication and
       no security to see if traffic will pass.

       Debugging support is provided by wpa_supplicant(8). Try running this
       utility manually with -dd and look at the system logs.

     * Once the system can associate with the access point, diagnose the
       network configuration using tools like ping(8).

     * There are many lower-level debugging tools. Debugging messages can be
       enabled in the 802.11 protocol support layer using wlandebug(8). For
       example, to enable console messages related to scanning for access
       points and the 802.11 protocol handshakes required to arrange
       communication:

 # wlandebug -i wlan0 +scan+auth+debug+assoc
   net.wlan.0.debug: 0 => 0xc80000<assoc,auth,scan>

       Many useful statistics are maintained by the 802.11 layer and
       wlanstats, found in /usr/src/tools/tools/net80211, will dump this
       information. These statistics should display all errors identified by
       the 802.11 layer. However, some errors are identified in the device
       drivers that lie below the 802.11 layer so they may not show up. To
       diagnose device-specific problems, refer to the drivers'
       documentation.

   If the above information does not help to clarify the problem, submit a
   problem report and include output from the above tools.

31.4. USB ************

   Many cellphones provide the option to share their data connection over USB
   (often called "tethering"). This feature uses either the RNDIS, CDC or a
   custom Apple(R) iPhone(R)/iPad(R) protocol.

     * Android(TM) devices generally use the urndis(4) driver.

     * Apple(R) devices use the ipheth(4) driver.

     * Older devices will often use the cdce(4) driver.

   Before attaching a device, load the appropriate driver into the kernel:

 # kldload if_urndis
 # kldload if_cdce
 # kldload if_ipheth

   Once the device is attached ue0 will be available for use like a normal
   network device. Be sure that the "USB tethering" option is enabled on the
   device.

31.5. ******

   Written by Pav Lucistnik.

   Bluetooth is a wireless technology for creating personal networks
   operating in the 2.4 GHz unlicensed band, with a range of 10 meters.
   Networks are usually formed ad-hoc from portable devices such as cellular
   phones, handhelds, and laptops. Unlike Wi-Fi wireless technology,
   Bluetooth offers higher level service profiles, such as FTP-like file
   servers, file pushing, voice transport, serial line emulation, and more.

   This section describes the use of a USB Bluetooth dongle on a FreeBSD
   system. It then describes the various Bluetooth protocols and utilities.

  31.5.1. ******************

   The Bluetooth stack in FreeBSD is implemented using the netgraph(4)
   framework. A broad variety of Bluetooth USB dongles is supported by
   ng_ubt(4). Broadcom BCM2033 based Bluetooth devices are supported by the
   ubtbcmfw(4) and ng_ubt(4) drivers. The 3Com Bluetooth PC Card 3CRWB60-A is
   supported by the ng_bt3c(4) driver. Serial and UART based Bluetooth
   devices are supported by sio(4), ng_h4(4), and hcseriald(8).

   Before attaching a device, determine which of the above drivers it uses,
   then load the driver. For example, if the device uses the ng_ubt(4)
   driver:

 # kldload ng_ubt

   If the Bluetooth device will be attached to the system during system
   startup, the system can be configured to load the module at boot time by
   adding the driver to /boot/loader.conf:

 ng_ubt_load="YES"

   Once the driver is loaded, plug in the USB dongle. If the driver load was
   successful, output similar to the following should appear on the console
   and in /var/log/messages:

 ubt0: vendor 0x0a12 product 0x0001, rev 1.10/5.25, addr 2
 ubt0: Interface 0 endpoints: interrupt=0x81, bulk-in=0x82, bulk-out=0x2
 ubt0: Interface 1 (alt.config 5) endpoints: isoc-in=0x83, isoc-out=0x3,
       wMaxPacketSize=49, nframes=6, buffer size=294

   To start and stop the Bluetooth stack, use its startup script. It is a
   good idea to stop the stack before unplugging the device. Starting the
   bluetooth stack might require hcsecd(8) to be started. When starting the
   stack, the output should be similar to the following:

 # service bluetooth start ubt0
 BD_ADDR: 00:02:72:00:d4:1a
 Features: 0xff 0xff 0xf 00 00 00 00 00
 <3-Slot> <5-Slot> <Encryption> <Slot offset>
 <Timing accuracy> <Switch> <Hold mode> <Sniff mode>
 <Park mode> <RSSI> <Channel quality> <SCO link>
 <HV2 packets> <HV3 packets> <u-law log> <A-law log> <CVSD>
 <Paging scheme> <Power control> <Transparent SCO data>
 Max. ACL packet size: 192 bytes
 Number of ACL packets: 8
 Max. SCO packet size: 64 bytes
 Number of SCO packets: 8

  31.5.2. ************************

   The Host Controller Interface (HCI) provides a uniform method for
   accessing Bluetooth baseband capabilities. In FreeBSD, a netgraph HCI node
   is created for each Bluetooth device. For more details, refer to
   ng_hci(4).

   One of the most common tasks is discovery of Bluetooth devices within RF
   proximity. This operation is called inquiry. Inquiry and other HCI related
   operations are done using hccontrol(8). The example below shows how to
   find out which Bluetooth devices are in range. The list of devices should
   be displayed in a few seconds. Note that a remote device will only answer
   the inquiry if it is set to discoverable mode.

 % hccontrol -n ubt0hci inquiry
 Inquiry result, num_responses=1
 Inquiry result #0
        BD_ADDR: 00:80:37:29:19:a4
        Page Scan Rep. Mode: 0x1
        Page Scan Period Mode: 00
        Page Scan Mode: 00
        Class: 52:02:04
        Clock offset: 0x78ef
 Inquiry complete. Status: No error [00]

   The BD_ADDR is the unique address of a Bluetooth device, similar to the
   MAC address of a network card. This address is needed for further
   communication with a device and it is possible to assign a human readable
   name to a BD_ADDR. Information regarding the known Bluetooth hosts is
   contained in /etc/bluetooth/hosts. The following example shows how to
   obtain the human readable name that was assigned to the remote device:

 % hccontrol -n ubt0hci remote_name_request 00:80:37:29:19:a4
 BD_ADDR: 00:80:37:29:19:a4
 Name: Pav's T39

   If an inquiry is performed on a remote Bluetooth device, it will find the
   computer as "your.host.name (ubt0)". The name assigned to the local device
   can be changed at any time.

   Remote devices can be assigned aliases in /etc/bluetooth/hosts. More
   information about /etc/bluetooth/hosts file might be found in
   bluetooth.hosts(5).

   The Bluetooth system provides a point-to-point connection between two
   Bluetooth units, or a point-to-multipoint connection which is shared among
   several Bluetooth devices. The following example shows how to create a
   connection to a remote device:

 % hccontrol -n ubt0hci create_connection BT_ADDR

   create_connection accepts BT_ADDR as well as host aliases in
   /etc/bluetooth/hosts.

   The following example shows how to obtain the list of active baseband
   connections for the local device:

 % hccontrol -n ubt0hci read_connection_list
 Remote BD_ADDR    Handle Type Mode Role Encrypt Pending Queue State
 00:80:37:29:19:a4     41  ACL    0 MAST    NONE       0     0 OPEN

   A connection handle is useful when termination of the baseband connection
   is required, though it is normally not required to do this by hand. The
   stack will automatically terminate inactive baseband connections.

 # hccontrol -n ubt0hci disconnect 41
 Connection handle: 41
 Reason: Connection terminated by local host [0x16]

   Type hccontrol help for a complete listing of available HCI commands. Most
   of the HCI commands do not require superuser privileges.

  31.5.3. ************

   By default, Bluetooth communication is not authenticated, and any device
   can talk to any other device. A Bluetooth device, such as a cellular
   phone, may choose to require authentication to provide a particular
   service. Bluetooth authentication is normally done with a PIN code, an
   ASCII string up to 16 characters in length. The user is required to enter
   the same PIN code on both devices. Once the user has entered the PIN code,
   both devices will generate a link key. After that, the link key can be
   stored either in the devices or in a persistent storage. Next time, both
   devices will use the previously generated link key. This procedure is
   called pairing. Note that if the link key is lost by either device, the
   pairing must be repeated.

   The hcsecd(8) daemon is responsible for handling Bluetooth authentication
   requests. The default configuration file is /etc/bluetooth/hcsecd.conf. An
   example section for a cellular phone with the PIN code set to 1234 is
   shown below:

 device {
         bdaddr  00:80:37:29:19:a4;
         name    "Pav's T39";
         key     nokey;
         pin     "1234";
       }

   The only limitation on PIN codes is length. Some devices, such as
   Bluetooth headsets, may have a fixed PIN code built in. The -d switch
   forces hcsecd(8) to stay in the foreground, so it is easy to see what is
   happening. Set the remote device to receive pairing and initiate the
   Bluetooth connection to the remote device. The remote device should
   indicate that pairing was accepted and request the PIN code. Enter the
   same PIN code listed in hcsecd.conf. Now the computer and the remote
   device are paired. Alternatively, pairing can be initiated on the remote
   device.

   The following line can be added to /etc/rc.conf to configure hcsecd(8) to
   start automatically on system start:

 hcsecd_enable="YES"

   The following is a sample of the hcsecd(8) daemon output:

 hcsecd[16484]: Got Link_Key_Request event from 'ubt0hci', remote bdaddr 0:80:37:29:19:a4
 hcsecd[16484]: Found matching entry, remote bdaddr 0:80:37:29:19:a4, name 'Pav's T39', link key doesn't exist
 hcsecd[16484]: Sending Link_Key_Negative_Reply to 'ubt0hci' for remote bdaddr 0:80:37:29:19:a4
 hcsecd[16484]: Got PIN_Code_Request event from 'ubt0hci', remote bdaddr 0:80:37:29:19:a4
 hcsecd[16484]: Found matching entry, remote bdaddr 0:80:37:29:19:a4, name 'Pav's T39', PIN code exists
 hcsecd[16484]: Sending PIN_Code_Reply to 'ubt0hci' for remote bdaddr 0:80:37:29:19:a4

  31.5.4. ****** PPP Profile ************

   A Dial-Up Networking (DUN) profile can be used to configure a cellular
   phone as a wireless modem for connecting to a dial-up Internet access
   server. It can also be used to configure a computer to receive data calls
   from a cellular phone.

   Network access with a PPP profile can be used to provide LAN access for a
   single Bluetooth device or multiple Bluetooth devices. It can also provide
   PC to PC connection using PPP networking over serial cable emulation.

   In FreeBSD, these profiles are implemented with ppp(8) and the
   rfcomm_pppd(8) wrapper which converts a Bluetooth connection into
   something PPP can use. Before a profile can be used, a new PPP label must
   be created in /etc/ppp/ppp.conf. Consult rfcomm_pppd(8) for examples.

   In this example, rfcomm_pppd(8) is used to open a connection to a remote
   device with a BD_ADDR of 00:80:37:29:19:a4 on a DUN RFCOMM channel:

 # rfcomm_pppd -a 00:80:37:29:19:a4 -c -C dun -l rfcomm-dialup

   The actual channel number will be obtained from the remote device using
   the SDP protocol. It is possible to specify the RFCOMM channel by hand,
   and in this case rfcomm_pppd(8) will not perform the SDP query. Use
   sdpcontrol(8) to find out the RFCOMM channel on the remote device.

   In order to provide network access with the PPP LAN service, sdpd(8) must
   be running and a new entry for LAN clients must be created in
   /etc/ppp/ppp.conf. Consult rfcomm_pppd(8) for examples. Finally, start the
   RFCOMM PPP server on a valid RFCOMM channel number. The RFCOMM PPP server
   will automatically register the Bluetooth LAN service with the local SDP
   daemon. The example below shows how to start the RFCOMM PPP server.

 # rfcomm_pppd -s -C 7 -l rfcomm-server

  31.5.5. ******************

   This section provides an overview of the various Bluetooth protocols,
   their function, and associated utilities.

    31.5.5.1. Logical Link Control and Adaptation Protocol (L2CAP)

   The Logical Link Control and Adaptation Protocol (L2CAP) provides
   connection-oriented and connectionless data services to upper layer
   protocols. L2CAP permits higher level protocols and applications to
   transmit and receive L2CAP data packets up to 64 kilobytes in length.

   L2CAP is based around the concept of channels. A channel is a logical
   connection on top of a baseband connection, where each channel is bound to
   a single protocol in a many-to-one fashion. Multiple channels can be bound
   to the same protocol, but a channel cannot be bound to multiple protocols.
   Each L2CAP packet received on a channel is directed to the appropriate
   higher level protocol. Multiple channels can share the same baseband
   connection.

   In FreeBSD, a netgraph L2CAP node is created for each Bluetooth device.
   This node is normally connected to the downstream Bluetooth HCI node and
   upstream Bluetooth socket nodes. The default name for the L2CAP node is
   "devicel2cap". For more details refer to ng_l2cap(4).

   A useful command is l2ping(8), which can be used to ping other devices.
   Some Bluetooth implementations might not return all of the data sent to
   them, so 0 bytes in the following example is normal.

 # l2ping -a 00:80:37:29:19:a4
 0 bytes from 0:80:37:29:19:a4 seq_no=0 time=48.633 ms result=0
 0 bytes from 0:80:37:29:19:a4 seq_no=1 time=37.551 ms result=0
 0 bytes from 0:80:37:29:19:a4 seq_no=2 time=28.324 ms result=0
 0 bytes from 0:80:37:29:19:a4 seq_no=3 time=46.150 ms result=0

   The l2control(8) utility is used to perform various operations on L2CAP
   nodes. This example shows how to obtain the list of logical connections
   (channels) and the list of baseband connections for the local device:

 % l2control -a 00:02:72:00:d4:1a read_channel_list
 L2CAP channels:
 Remote BD_ADDR     SCID/ DCID   PSM  IMTU/ OMTU State
 00:07:e0:00:0b:ca    66/   64     3   132/  672 OPEN
 % l2control -a 00:02:72:00:d4:1a read_connection_list
 L2CAP connections:
 Remote BD_ADDR    Handle Flags Pending State
 00:07:e0:00:0b:ca     41 O           0 OPEN

   Another diagnostic tool is btsockstat(1). It is similar to netstat(1), but
   for Bluetooth network-related data structures. The example below shows the
   same logical connection as l2control(8) above.

 % btsockstat
 Active L2CAP sockets
 PCB      Recv-Q Send-Q Local address/PSM       Foreign address   CID   State
 c2afe900      0      0 00:02:72:00:d4:1a/3     00:07:e0:00:0b:ca 66    OPEN
 Active RFCOMM sessions
 L2PCB    PCB      Flag MTU   Out-Q DLCs State
 c2afe900 c2b53380 1    127   0     Yes  OPEN
 Active RFCOMM sockets
 PCB      Recv-Q Send-Q Local address     Foreign address   Chan DLCI State
 c2e8bc80      0    250 00:02:72:00:d4:1a 00:07:e0:00:0b:ca 3    6    OPEN

    31.5.5.2. Radio Frequency Communication (RFCOMM)

   The RFCOMM protocol provides emulation of serial ports over the L2CAP
   protocol. RFCOMM is a simple transport protocol, with additional
   provisions for emulating the 9 circuits of RS-232 (EIATIA-232-E) serial
   ports. It supports up to 60 simultaneous connections (RFCOMM channels)
   between two Bluetooth devices.

   For the purposes of RFCOMM, a complete communication path involves two
   applications running on the communication endpoints with a communication
   segment between them. RFCOMM is intended to cover applications that make
   use of the serial ports of the devices in which they reside. The
   communication segment is a direct connect Bluetooth link from one device
   to another.

   RFCOMM is only concerned with the connection between the devices in the
   direct connect case, or between the device and a modem in the network
   case. RFCOMM can support other configurations, such as modules that
   communicate via Bluetooth wireless technology on one side and provide a
   wired interface on the other side.

   In FreeBSD, RFCOMM is implemented at the Bluetooth sockets layer.

    31.5.5.3. Service Discovery Protocol (SDP)

   The Service Discovery Protocol (SDP) provides the means for client
   applications to discover the existence of services provided by server
   applications as well as the attributes of those services. The attributes
   of a service include the type or class of service offered and the
   mechanism or protocol information needed to utilize the service.

   SDP involves communication between a SDP server and a SDP client. The
   server maintains a list of service records that describe the
   characteristics of services associated with the server. Each service
   record contains information about a single service. A client may retrieve
   information from a service record maintained by the SDP server by issuing
   a SDP request. If the client, or an application associated with the
   client, decides to use a service, it must open a separate connection to
   the service provider in order to utilize the service. SDP provides a
   mechanism for discovering services and their attributes, but it does not
   provide a mechanism for utilizing those services.

   Normally, a SDP client searches for services based on some desired
   characteristics of the services. However, there are times when it is
   desirable to discover which types of services are described by an SDP
   server's service records without any prior information about the services.
   This process of looking for any offered services is called browsing.

   The Bluetooth SDP server, sdpd(8), and command line client, sdpcontrol(8),
   are included in the standard FreeBSD installation. The following example
   shows how to perform a SDP browse query.

 % sdpcontrol -a 00:01:03:fc:6e:ec browse
 Record Handle: 00000000
 Service Class ID List:
         Service Discovery Server (0x1000)
 Protocol Descriptor List:
         L2CAP (0x0100)
                 Protocol specific parameter #1: u/int/uuid16 1
                 Protocol specific parameter #2: u/int/uuid16 1

 Record Handle: 0x00000001
 Service Class ID List:
         Browse Group Descriptor (0x1001)

 Record Handle: 0x00000002
 Service Class ID List:
         LAN Access Using PPP (0x1102)
 Protocol Descriptor List:
         L2CAP (0x0100)
         RFCOMM (0x0003)
                 Protocol specific parameter #1: u/int8/bool 1
 Bluetooth Profile Descriptor List:
         LAN Access Using PPP (0x1102) ver. 1.0

   Note that each service has a list of attributes, such as the RFCOMM
   channel. Depending on the service, the user might need to make note of
   some of the attributes. Some Bluetooth implementations do not support
   service browsing and may return an empty list. In this case, it is
   possible to search for the specific service. The example below shows how
   to search for the OBEX Object Push (OPUSH) service:

 % sdpcontrol -a 00:01:03:fc:6e:ec search OPUSH

   Offering services on FreeBSD to Bluetooth clients is done with the sdpd(8)
   server. The following line can be added to /etc/rc.conf:

 sdpd_enable="YES"

   Then the sdpd(8) daemon can be started with:

 # service sdpd start

   The local server application that wants to provide a Bluetooth service to
   remote clients will register the service with the local SDP daemon. An
   example of such an application is rfcomm_pppd(8). Once started, it will
   register the Bluetooth LAN service with the local SDP daemon.

   The list of services registered with the local SDP server can be obtained
   by issuing a SDP browse query via the local control channel:

 # sdpcontrol -l browse

    31.5.5.4. OBEX Object Push (OPUSH)

   Object Exchange (OBEX) is a widely used protocol for simple file transfers
   between mobile devices. Its main use is in infrared communication, where
   it is used for generic file transfers between notebooks or PDAs, and for
   sending business cards or calendar entries between cellular phones and
   other devices with Personal Information Manager (PIM) applications.

   The OBEX server and client are implemented by obexapp, which can be
   installed using the comms/obexapp package or port.

   The OBEX client is used to push and/or pull objects from the OBEX server.
   An example object is a business card or an appointment. The OBEX client
   can obtain the RFCOMM channel number from the remote device via SDP. This
   can be done by specifying the service name instead of the RFCOMM channel
   number. Supported service names are: IrMC, FTRN, and OPUSH. It is also
   possible to specify the RFCOMM channel as a number. Below is an example of
   an OBEX session where the device information object is pulled from the
   cellular phone, and a new object, the business card, is pushed into the
   phone's directory.

 % obexapp -a 00:80:37:29:19:a4 -C IrMC
 obex> get telecom/devinfo.txt devinfo-t39.txt
 Success, response: OK, Success (0x20)
 obex> put new.vcf
 Success, response: OK, Success (0x20)
 obex> di
 Success, response: OK, Success (0x20)

   In order to provide the OPUSH service, sdpd(8) must be running and a root
   folder, where all incoming objects will be stored, must be created. The
   default path to the root folder is /var/spool/obex. Finally, start the
   OBEX server on a valid RFCOMM channel number. The OBEX server will
   automatically register the OPUSH service with the local SDP daemon. The
   example below shows how to start the OBEX server.

 # obexapp -s -C 10

    31.5.5.5. Serial Port Profile (SPP)

   The Serial Port Profile (SPP) allows Bluetooth devices to perform serial
   cable emulation. This profile allows legacy applications to use Bluetooth
   as a cable replacement, through a virtual serial port abstraction.

   In FreeBSD, rfcomm_sppd(1) implements SPP and a pseudo tty is used as a
   virtual serial port abstraction. The example below shows how to connect to
   a remote device's serial port service. A RFCOMM channel does not have to
   be specified as rfcomm_sppd(1) can obtain it from the remote device via
   SDP. To override this, specify a RFCOMM channel on the command line.

 # rfcomm_sppd -a 00:07:E0:00:0B:CA -t
 rfcomm_sppd[94692]: Starting on /dev/pts/6...
 /dev/pts/6

   Once connected, the pseudo tty can be used as serial port:

 # cu -l /dev/pts/6

   The pseudo tty is printed on stdout and can be read by wrapper scripts:

 PTS=`rfcomm_sppd -a 00:07:E0:00:0B:CA -t`
 cu -l $PTS

  31.5.6. ************

   By default, when FreeBSD is accepting a new connection, it tries to
   perform a role switch and become master. Some older Bluetooth devices
   which do not support role switching will not be able to connect. Since
   role switching is performed when a new connection is being established, it
   is not possible to ask the remote device if it supports role switching.
   However, there is a HCI option to disable role switching on the local
   side:

 # hccontrol -n ubt0hci write_node_role_switch 0

   To display Bluetooth packets, use the third-party package hcidump, which
   can be installed using the comms/hcidump package or port. This utility is
   similar to tcpdump(1) and can be used to display the contents of Bluetooth
   packets on the terminal and to dump the Bluetooth packets to a file.

31.6. ******

   Written by Andrew Thompson.

   It is sometimes useful to divide a network, such as an Ethernet segment,
   into network segments without having to create IP subnets and use a router
   to connect the segments together. A device that connects two networks
   together in this fashion is called a "bridge".

   A bridge works by learning the MAC addresses of the devices on each of its
   network interfaces. It forwards traffic between networks only when the
   source and destination MAC addresses are on different networks. In many
   respects, a bridge is like an Ethernet switch with very few ports. A
   FreeBSD system with multiple network interfaces can be configured to act
   as a bridge.

   Bridging can be useful in the following situations:

   Connecting Networks

           The basic operation of a bridge is to join two or more network
           segments. There are many reasons to use a host-based bridge
           instead of networking equipment, such as cabling constraints or
           firewalling. A bridge can also connect a wireless interface
           running in hostap mode to a wired network and act as an access
           point.

   Filtering/Traffic Shaping Firewall

           A bridge can be used when firewall functionality is needed without
           routing or Network Address Translation (NAT).

           An example is a small company that is connected via DSL or ISDN to
           an ISP. There are thirteen public IP addresses from the ISP and
           ten computers on the network. In this situation, using a
           router-based firewall is difficult because of subnetting issues. A
           bridge-based firewall can be configured without any IP addressing
           issues.

   Network Tap

           A bridge can join two network segments in order to inspect all
           Ethernet frames that pass between them using bpf(4) and tcpdump(1)
           on the bridge interface or by sending a copy of all frames out an
           additional interface known as a span port.

   Layer 2 VPN

           Two Ethernet networks can be joined across an IP link by bridging
           the networks to an EtherIP tunnel or a tap(4) based solution such
           as OpenVPN.

   Layer 2 Redundancy

           A network can be connected together with multiple links and use
           the Spanning Tree Protocol (STP) to block redundant paths.

   This section describes how to configure a FreeBSD system as a bridge using
   if_bridge(4). A netgraph bridging driver is also available, and is
   described in ng_bridge(4).

  ******:

   Packet filtering can be used with any firewall package that hooks into the
   pfil(9) framework. The bridge can be used as a traffic shaper with altq(4)
   or dummynet(4).

  31.6.1. ************

   In FreeBSD, if_bridge(4) is a kernel module which is automatically loaded
   by ifconfig(8) when creating a bridge interface. It is also possible to
   compile bridge support into a custom kernel by adding device if_bridge to
   the custom kernel configuration file.

   The bridge is created using interface cloning. To create the bridge
   interface:

 # ifconfig bridge create
 bridge0
 # ifconfig bridge0
 bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
         ether 96:3d:4b:f1:79:7a
         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
         root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0

   When a bridge interface is created, it is automatically assigned a
   randomly generated Ethernet address. The maxaddr and timeout parameters
   control how many MAC addresses the bridge will keep in its forwarding
   table and how many seconds before each entry is removed after it is last
   seen. The other parameters control how STP operates.

   Next, specify which network interfaces to add as members of the bridge.
   For the bridge to forward packets, all member interfaces and the bridge
   need to be up:

 # ifconfig bridge0 addm fxp0 addm fxp1 up
 # ifconfig fxp0 up
 # ifconfig fxp1 up

   The bridge can now forward Ethernet frames between fxp0 and fxp1. Add the
   following lines to /etc/rc.conf so the bridge is created at startup:

 cloned_interfaces="bridge0"
 ifconfig_bridge0="addm fxp0 addm fxp1 up"
 ifconfig_fxp0="up"
 ifconfig_fxp1="up"

   If the bridge host needs an IP address, set it on the bridge interface,
   not on the member interfaces. The address can be set statically or via
   DHCP. This example sets a static IP address:

 # ifconfig bridge0 inet 192.168.0.1/24

   It is also possible to assign an IPv6 address to a bridge interface. To
   make the changes permanent, add the addressing information to
   /etc/rc.conf.

  ******:

   When packet filtering is enabled, bridged packets will pass through the
   filter inbound on the originating interface on the bridge interface, and
   outbound on the appropriate interfaces. Either stage can be disabled. When
   direction of the packet flow is important, it is best to firewall on the
   member interfaces rather than the bridge itself.

   The bridge has several configurable settings for passing non-IP and IP
   packets, and layer2 firewalling with ipfw(8). See if_bridge(4) for more
   information.

  31.6.2. ****** Spanning Tree

   For an Ethernet network to function properly, only one active path can
   exist between two devices. The STP protocol detects loops and puts
   redundant links into a blocked state. Should one of the active links fail,
   STP calculates a different tree and enables one of the blocked paths to
   restore connectivity to all points in the network.

   The Rapid Spanning Tree Protocol (RSTP or 802.1w) provides backwards
   compatibility with legacy STP. RSTP provides faster convergence and
   exchanges information with neighboring switches to quickly transition to
   forwarding mode without creating loops. FreeBSD supports RSTP and STP as
   operating modes, with RSTP being the default mode.

   STP can be enabled on member interfaces using ifconfig(8). For a bridge
   with fxp0 and fxp1 as the current interfaces, enable STP with:

 # ifconfig bridge0 stp fxp0 stp fxp1
 bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         ether d6:cf:d5:a0:94:6d
         id 00:01:02:4b:d4:50 priority 32768 hellotime 2 fwddelay 15
         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
         root id 00:01:02:4b:d4:50 priority 32768 ifcost 0 port 0
         member: fxp0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                 port 3 priority 128 path cost 200000 proto rstp
                 role designated state forwarding
         member: fxp1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                 port 4 priority 128 path cost 200000 proto rstp
                 role designated state forwarding

   This bridge has a spanning tree ID of 00:01:02:4b:d4:50 and a priority of
   32768. As the root id is the same, it indicates that this is the root
   bridge for the tree.

   Another bridge on the network also has STP enabled:

 bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         ether 96:3d:4b:f1:79:7a
         id 00:13:d4:9a:06:7a priority 32768 hellotime 2 fwddelay 15
         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
         root id 00:01:02:4b:d4:50 priority 32768 ifcost 400000 port 4
         member: fxp0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                 port 4 priority 128 path cost 200000 proto rstp
                 role root state forwarding
         member: fxp1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                 port 5 priority 128 path cost 200000 proto rstp
                 role designated state forwarding

   The line root id 00:01:02:4b:d4:50 priority 32768 ifcost 400000 port 4
   shows that the root bridge is 00:01:02:4b:d4:50 and has a path cost of
   400000 from this bridge. The path to the root bridge is via port 4 which
   is fxp0.

  31.6.3. ******************

   Several ifconfig parameters are unique to bridge interfaces. This section
   summarizes some common uses for these parameters. The complete list of
   available parameters is described in ifconfig(8).

   private

           A private interface does not forward any traffic to any other port
           that is also designated as a private interface. The traffic is
           blocked unconditionally so no Ethernet frames will be forwarded,
           including ARP packets. If traffic needs to be selectively blocked,
           a firewall should be used instead.

   span

           A span port transmits a copy of every Ethernet frame received by
           the bridge. The number of span ports configured on a bridge is
           unlimited, but if an interface is designated as a span port, it
           cannot also be used as a regular bridge port. This is most useful
           for snooping a bridged network passively on another host connected
           to one of the span ports of the bridge. For example, to send a
           copy of all frames out the interface named fxp4:

 # ifconfig bridge0 span fxp4

   sticky

           If a bridge member interface is marked as sticky, dynamically
           learned address entries are treated as static entries in the
           forwarding cache. Sticky entries are never aged out of the cache
           or replaced, even if the address is seen on a different interface.
           This gives the benefit of static address entries without the need
           to pre-populate the forwarding table. Clients learned on a
           particular segment of the bridge cannot roam to another segment.

           An example of using sticky addresses is to combine the bridge with
           VLANs in order to isolate customer networks without wasting IP
           address space. Consider that CustomerA is on vlan100, CustomerB is
           on vlan101, and the bridge has the address 192.168.0.1:

 # ifconfig bridge0 addm vlan100 sticky vlan100 addm vlan101 sticky vlan101
 # ifconfig bridge0 inet 192.168.0.1/24

           In this example, both clients see 192.168.0.1 as their default
           gateway. Since the bridge cache is sticky, one host cannot spoof
           the MAC address of the other customer in order to intercept their
           traffic.

           Any communication between the VLANs can be blocked using a
           firewall or, as seen in this example, private interfaces:

 # ifconfig bridge0 private vlan100 private vlan101

           The customers are completely isolated from each other and the full
           /24 address range can be allocated without subnetting.

           The number of unique source MAC addresses behind an interface can
           be limited. Once the limit is reached, packets with unknown source
           addresses are dropped until an existing host cache entry expires
           or is removed.

           The following example sets the maximum number of Ethernet devices
           for CustomerA on vlan100 to 10:

 # ifconfig bridge0 ifmaxaddr vlan100 10

   Bridge interfaces also support monitor mode, where the packets are
   discarded after bpf(4) processing and are not processed or forwarded
   further. This can be used to multiplex the input of two or more interfaces
   into a single bpf(4) stream. This is useful for reconstructing the traffic
   for network taps that transmit the RX/TX signals out through two separate
   interfaces. For example, to read the input from four network interfaces as
   one stream:

 # ifconfig bridge0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 monitor up
 # tcpdump -i bridge0

  31.6.4. SNMP ******

   The bridge interface and STP parameters can be monitored via bsnmpd(1)
   which is included in the FreeBSD base system. The exported bridge MIBs
   conform to IETF standards so any SNMP client or monitoring package can be
   used to retrieve the data.

   To enable monitoring on the bridge, uncomment this line in
   /etc/snmpd.config by removing the beginning # symbol:

 begemotSnmpdModulePath."bridge" = "/usr/lib/snmp_bridge.so"

   Other configuration settings, such as community names and access lists,
   may need to be modified in this file. See bsnmpd(1) and snmp_bridge(3) for
   more information. Once these edits are saved, add this line to
   /etc/rc.conf:

 bsnmpd_enable="YES"

   Then, start bsnmpd(1):

 # service bsnmpd start

   The following examples use the Net-SNMP software (net-mgmt/net-snmp) to
   query a bridge from a client system. The net-mgmt/bsnmptools port can also
   be used. From the SNMP client which is running Net-SNMP, add the following
   lines to $HOME/.snmp/snmp.conf in order to import the bridge MIB
   definitions:

 mibdirs +/usr/share/snmp/mibs
 mibs +BRIDGE-MIB:RSTP-MIB:BEGEMOT-MIB:BEGEMOT-BRIDGE-MIB

   To monitor a single bridge using the IETF BRIDGE-MIB (RFC4188):

 % snmpwalk -v 2c -c public bridge1.example.com mib-2.dot1dBridge
 BRIDGE-MIB::dot1dBaseBridgeAddress.0 = STRING: 66:fb:9b:6e:5c:44
 BRIDGE-MIB::dot1dBaseNumPorts.0 = INTEGER: 1 ports
 BRIDGE-MIB::dot1dStpTimeSinceTopologyChange.0 = Timeticks: (189959) 0:31:39.59 centi-seconds
 BRIDGE-MIB::dot1dStpTopChanges.0 = Counter32: 2
 BRIDGE-MIB::dot1dStpDesignatedRoot.0 = Hex-STRING: 80 00 00 01 02 4B D4 50
 ...
 BRIDGE-MIB::dot1dStpPortState.3 = INTEGER: forwarding(5)
 BRIDGE-MIB::dot1dStpPortEnable.3 = INTEGER: enabled(1)
 BRIDGE-MIB::dot1dStpPortPathCost.3 = INTEGER: 200000
 BRIDGE-MIB::dot1dStpPortDesignatedRoot.3 = Hex-STRING: 80 00 00 01 02 4B D4 50
 BRIDGE-MIB::dot1dStpPortDesignatedCost.3 = INTEGER: 0
 BRIDGE-MIB::dot1dStpPortDesignatedBridge.3 = Hex-STRING: 80 00 00 01 02 4B D4 50
 BRIDGE-MIB::dot1dStpPortDesignatedPort.3 = Hex-STRING: 03 80
 BRIDGE-MIB::dot1dStpPortForwardTransitions.3 = Counter32: 1
 RSTP-MIB::dot1dStpVersion.0 = INTEGER: rstp(2)

   The dot1dStpTopChanges.0 value is two, indicating that the STP bridge
   topology has changed twice. A topology change means that one or more links
   in the network have changed or failed and a new tree has been calculated.
   The dot1dStpTimeSinceTopologyChange.0 value will show when this happened.

   To monitor multiple bridge interfaces, the private BEGEMOT-BRIDGE-MIB can
   be used:

 % snmpwalk -v 2c -c public bridge1.example.com
 enterprises.fokus.begemot.begemotBridge
 BEGEMOT-BRIDGE-MIB::begemotBridgeBaseName."bridge0" = STRING: bridge0
 BEGEMOT-BRIDGE-MIB::begemotBridgeBaseName."bridge2" = STRING: bridge2
 BEGEMOT-BRIDGE-MIB::begemotBridgeBaseAddress."bridge0" = STRING: e:ce:3b:5a:9e:13
 BEGEMOT-BRIDGE-MIB::begemotBridgeBaseAddress."bridge2" = STRING: 12:5e:4d:74:d:fc
 BEGEMOT-BRIDGE-MIB::begemotBridgeBaseNumPorts."bridge0" = INTEGER: 1
 BEGEMOT-BRIDGE-MIB::begemotBridgeBaseNumPorts."bridge2" = INTEGER: 1
 ...
 BEGEMOT-BRIDGE-MIB::begemotBridgeStpTimeSinceTopologyChange."bridge0" = Timeticks: (116927) 0:19:29.27 centi-seconds
 BEGEMOT-BRIDGE-MIB::begemotBridgeStpTimeSinceTopologyChange."bridge2" = Timeticks: (82773) 0:13:47.73 centi-seconds
 BEGEMOT-BRIDGE-MIB::begemotBridgeStpTopChanges."bridge0" = Counter32: 1
 BEGEMOT-BRIDGE-MIB::begemotBridgeStpTopChanges."bridge2" = Counter32: 1
 BEGEMOT-BRIDGE-MIB::begemotBridgeStpDesignatedRoot."bridge0" = Hex-STRING: 80 00 00 40 95 30 5E 31
 BEGEMOT-BRIDGE-MIB::begemotBridgeStpDesignatedRoot."bridge2" = Hex-STRING: 80 00 00 50 8B B8 C6 A9

   To change the bridge interface being monitored via the mib-2.dot1dBridge
   subtree:

 % snmpset -v 2c -c private bridge1.example.com
 BEGEMOT-BRIDGE-MIB::begemotBridgeDefaultBridgeIf.0 s bridge2

31.7. Link Aggregation ***************

   Written by Andrew Thompson.

   FreeBSD provides the lagg(4) interface which can be used to aggregate
   multiple network interfaces into one virtual interface in order to provide
   failover and link aggregation. Failover allows traffic to continue to flow
   as long as at least one aggregated network interface has an established
   link. Link aggregation works best on switches which support LACP, as this
   protocol distributes traffic bi-directionally while responding to the
   failure of individual links.

   The aggregation protocols supported by the lagg interface determine which
   ports are used for outgoing traffic and whether or not a specific port
   accepts incoming traffic. The following protocols are supported by
   lagg(4):

   failover

           This mode sends and receives traffic only through the master port.
           If the master port becomes unavailable, the next active port is
           used. The first interface added to the virtual interface is the
           master port and all subsequently added interfaces are used as
           failover devices. If failover to a non-master port occurs, the
           original port becomes master once it becomes available again.

   fec / loadbalance

           Cisco(R) Fast EtherChannel(R) (FEC) is found on older Cisco(R)
           switches. It provides a static setup and does not negotiate
           aggregation with the peer or exchange frames to monitor the link.
           If the switch supports LACP, that should be used instead.

   lacp

           The IEEE(R) 802.3ad Link Aggregation Control Protocol (LACP)
           negotiates a set of aggregable links with the peer into one or
           more Link Aggregated Groups (LAGs). Each LAG is composed of ports
           of the same speed, set to full-duplex operation, and traffic is
           balanced across the ports in the LAG with the greatest total
           speed. Typically, there is only one LAG which contains all the
           ports. In the event of changes in physical connectivity, LACP will
           quickly converge to a new configuration.

           LACP balances outgoing traffic across the active ports based on
           hashed protocol header information and accepts incoming traffic
           from any active port. The hash includes the Ethernet source and
           destination address and, if available, the VLAN tag, and the IPv4
           or IPv6 source and destination address.

   roundrobin

           This mode distributes outgoing traffic using a round-robin
           scheduler through all active ports and accepts incoming traffic
           from any active port. Since this mode violates Ethernet frame
           ordering, it should be used with caution.

  31.7.1. ************

   This section demonstrates how to configure a Cisco(R) switch and a FreeBSD
   system for LACP load balancing. It then shows how to configure two
   Ethernet interfaces in failover mode as well as how to configure failover
   mode between an Ethernet and a wireless interface.

   ****** 31.1. Cisco(R) ****************** LACP Aggregation

   This example connects two fxp(4) Ethernet interfaces on a FreeBSD machine
   to the first two Ethernet ports on a Cisco(R) switch as a single load
   balanced and fault tolerant link. More interfaces can be added to increase
   throughput and fault tolerance. Replace the names of the Cisco(R) ports,
   Ethernet devices, channel group number, and IP address shown in the
   example to match the local configuration.

   Frame ordering is mandatory on Ethernet links and any traffic between two
   stations always flows over the same physical link, limiting the maximum
   speed to that of one interface. The transmit algorithm attempts to use as
   much information as it can to distinguish different traffic flows and
   balance the flows across the available interfaces.

   On the Cisco(R) switch, add the FastEthernet0/1 and FastEthernet0/2
   interfaces to channel group 1:

 interface FastEthernet0/1
  channel-group 1 mode active
  channel-protocol lacp
 !
 interface FastEthernet0/2
  channel-group 1 mode active
  channel-protocol lacp

   On the FreeBSD system, create the lagg(4) interface using the physical
   interfaces fxp0 and fxp1 and bring the interfaces up with an IP address of
   10.0.0.3/24:

 # ifconfig fxp0 up
 # ifconfig fxp1 up
 # ifconfig lagg0 create
 # ifconfig lagg0 up laggproto lacp laggport fxp0 laggport fxp1 10.0.0.3/24

   Next, verify the status of the virtual interface:

 # ifconfig lagg0
 lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=8<VLAN_MTU>
         ether 00:05:5d:71:8d:b8
         inet 10.0.0.3 netmask 0xffffff00 broadcast 10.0.0.255
         media: Ethernet autoselect
         status: active
         laggproto lacp
         laggport: fxp1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
         laggport: fxp0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>

   Ports marked as ACTIVE are part of the LAG that has been negotiated with
   the remote switch. Traffic will be transmitted and received through these
   active ports. Add -v to the above command to view the LAG identifiers.

   To see the port status on the Cisco(R) switch:

 switch# show lacp neighbor
 Flags:  S - Device is requesting Slow LACPDUs
         F - Device is requesting Fast LACPDUs
         A - Device is in Active mode       P - Device is in Passive mode

 Channel group 1 neighbors

 Partner's information:

                   LACP port                        Oper    Port     Port
 Port      Flags   Priority  Dev ID         Age     Key     Number   State
 Fa0/1     SA      32768     0005.5d71.8db8  29s    0x146   0x3      0x3D
 Fa0/2     SA      32768     0005.5d71.8db8  29s    0x146   0x4      0x3D

   For more detail, type show lacp neighbor detail.

   To retain this configuration across reboots, add the following entries to
   /etc/rc.conf on the FreeBSD system:

 ifconfig_fxp0="up"
 ifconfig_fxp1="up"
 cloned_interfaces="lagg0"
 ifconfig_lagg0="laggproto lacp laggport fxp0 laggport fxp1 10.0.0.3/24"

   ****** 31.2. ******************

   Failover mode can be used to switch over to a secondary interface if the
   link is lost on the master interface. To configure failover, make sure
   that the underlying physical interfaces are up, then create the lagg(4)
   interface. In this example, fxp0 is the master interface, fxp1 is the
   secondary interface, and the virtual interface is assigned an IP address
   of 10.0.0.15/24:

 # ifconfig fxp0 up
 # ifconfig fxp1 up
 # ifconfig lagg0 create
 # ifconfig lagg0 up laggproto failover laggport fxp0 laggport fxp1 10.0.0.15/24

   The virtual interface should look something like this:

 # ifconfig lagg0
 lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=8<VLAN_MTU>
         ether 00:05:5d:71:8d:b8
         inet 10.0.0.15 netmask 0xffffff00 broadcast 10.0.0.255
         media: Ethernet autoselect
         status: active
         laggproto failover
         laggport: fxp1 flags=0<>
         laggport: fxp0 flags=5<MASTER,ACTIVE>

   Traffic will be transmitted and received on fxp0. If the link is lost on
   fxp0, fxp1 will become the active link. If the link is restored on the
   master interface, it will once again become the active link.

   To retain this configuration across reboots, add the following entries to
   /etc/rc.conf:

 ifconfig_fxp0="up"
 ifconfig_fxp1="up"
 cloned_interfaces="lagg0"
 ifconfig_lagg0="laggproto failover laggport fxp0 laggport fxp1 10.0.0.15/24"

   ****** 31.3. ***************************************************

   For laptop users, it is usually desirable to configure the wireless device
   as a secondary which is only used when the Ethernet connection is not
   available. With lagg(4), it is possible to configure a failover which
   prefers the Ethernet connection for both performance and security reasons,
   while maintaining the ability to transfer data over the wireless
   connection.

   This is achieved by overriding the physical wireless interface's MAC
   address with that of the Ethernet interface.

   In this example, the Ethernet interface, bge0, is the master and the
   wireless interface, wlan0, is the failover. The wlan0 device was created
   from iwn0 wireless interface, which will be configured with the MAC
   address of the Ethernet interface. First, determine the MAC address of the
   Ethernet interface:

 # ifconfig bge0
 bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
         ether 00:21:70:da:ae:37
         inet6 fe80::221:70ff:feda:ae37%bge0 prefixlen 64 scopeid 0x2
         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active

   Replace bge0 to match the system's Ethernet interface name. The ether line
   will contain the MAC address of the specified interface. Now, change the
   MAC address of the underlying wireless interface:

 # ifconfig iwn0 ether 00:21:70:da:ae:37

   Bring the wireless interface up, but do not set an IP address:

 # ifconfig wlan0 create wlandev iwn0 ssid my_router up

   Make sure the bge0 interface is up, then create the lagg(4) interface with
   bge0 as master with failover to wlan0:

 # ifconfig bge0 up
 # ifconfig lagg0 create
 # ifconfig lagg0 up laggproto failover laggport bge0 laggport wlan0

   The virtual interface should look something like this:

 # ifconfig lagg0
 lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=8<VLAN_MTU>
         ether 00:21:70:da:ae:37
         media: Ethernet autoselect
         status: active
         laggproto failover
         laggport: wlan0 flags=0<>
         laggport: bge0 flags=5<MASTER,ACTIVE>

   Then, start the DHCP client to obtain an IP address:

 # dhclient lagg0

   To retain this configuration across reboots, add the following entries to
   /etc/rc.conf:

 ifconfig_bge0="up"
 wlans_iwn0="wlan0"
 ifconfig_wlan0="WPA"
 create_args_wlan0="wlanaddr 00:21:70:da:ae:37"
 cloned_interfaces="lagg0"
 ifconfig_lagg0="up laggproto failover laggport bge0 laggport wlan0 DHCP"

31.8. PXE ***************

   Updated by Jean-Franc,ois Dockes.
   Reorganized and enhanced by Alex Dupre.

   The Intel(R) Preboot eXecution Environment (PXE) allows an operating
   system to boot over the network. For example, a FreeBSD system can boot
   over the network and operate without a local disk, using file systems
   mounted from an NFS server. PXE support is usually available in the BIOS.
   To use PXE when the machine starts, select the Boot from network option in
   the BIOS setup or type a function key during system initialization.

   In order to provide the files needed for an operating system to boot over
   the network, a PXE setup also requires properly configured DHCP, TFTP, and
   NFS servers, where:

     * Initial parameters, such as an IP address, executable boot filename
       and location, server name, and root path are obtained from the DHCP
       server.

     * The operating system loader file is booted using TFTP.

     * The file systems are loaded using NFS.

   When a computer PXE boots, it receives information over DHCP about where
   to obtain the initial boot loader file. After the host computer receives
   this information, it downloads the boot loader via TFTP and then executes
   the boot loader. In FreeBSD, the boot loader file is /boot/pxeboot. After
   /boot/pxeboot executes, the FreeBSD kernel is loaded and the rest of the
   FreeBSD bootup sequence proceeds, as described in *** 12, FreeBSD
   ************.

   This section describes how to configure these services on a FreeBSD system
   so that other systems can PXE boot into FreeBSD. Refer to diskless(8) for
   more information.

  ******:

   As described, the system providing these services is insecure. It should
   live in a protected area of a network and be untrusted by other hosts.

  31.8.1. ****** PXE ******

   Written by Craig Rodrigues.

   The steps shown in this section configure the built-in NFS and TFTP
   servers. The next section demonstrates how to install and configure the
   DHCP server. In this example, the directory which will contain the files
   used by PXE users is /b/tftpboot/FreeBSD/install. It is important that
   this directory exists and that the same directory name is set in both
   /etc/inetd.conf and /usr/local/etc/dhcpd.conf.

    1. Create the root directory which will contain a FreeBSD installation to
       be NFS mounted:

 # export NFSROOTDIR=/b/tftpboot/FreeBSD/install
 # mkdir -p ${NFSROOTDIR}

    2. Enable the NFS server by adding this line to /etc/rc.conf:

 nfs_server_enable="YES"

    3. Export the diskless root directory via NFS by adding the following to
       /etc/exports:

 /b -ro -alldirs -maproot=root

    4. Start the NFS server:

 # service nfsd start

    5. Enable inetd(8) by adding the following line to /etc/rc.conf:

 inetd_enable="YES"

    6. Uncomment the following line in /etc/inetd.conf by making sure it does
       not start with a # symbol:

 tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /b/tftpboot

  ******:

       Some PXE versions require the TCP version of TFTP. In this case,
       uncomment the second tftp line which contains stream tcp.

    7. Start inetd(8):

 # service inetd start

    8. Install the base system into ${NFSROOTDIR}, either by decompressing
       the official archives or by rebuilding the FreeBSD kernel and userland
       (refer to *** 23.5, "****************** FreeBSD" for more detailed
       instructions, but do not forget to add DESTDIR=${NFSROOTDIR} when
       running the make installkernel and make installworld commands.

    9. Test that the TFTP server works and can download the boot loader which
       will be obtained via PXE:

 # tftp localhost
 tftp> get FreeBSD/install/boot/pxeboot
 Received 264951 bytes in 0.1 seconds

   10. Edit ${NFSROOTDIR}/etc/fstab and create an entry to mount the root
       file system over NFS:

 # Device                                         Mountpoint    FSType   Options  Dump Pass
 myhost.example.com:/b/tftpboot/FreeBSD/install       /         nfs      ro        0    0

       Replace myhost.example.com with the hostname or IP address of the NFS
       server. In this example, the root file system is mounted read-only in
       order to prevent NFS clients from potentially deleting the contents of
       the root file system.

   11. Set the root password in the PXE environment for client machines which
       are PXE booting :

 # chroot ${NFSROOTDIR}
 # passwd

   12. If needed, enable ssh(1) root logins for client machines which are PXE
       booting by editing ${NFSROOTDIR}/etc/ssh/sshd_config and enabling
       PermitRootLogin. This option is documented in sshd_config(5).

   13. Perform any other needed customizations of the PXE environment in
       ${NFSROOTDIR}. These customizations could include things like
       installing packages or editing the password file with vipw(8).

   When booting from an NFS root volume, /etc/rc detects the NFS boot and
   runs /etc/rc.initdiskless. In this case, /etc and /var need to be memory
   backed file systems so that these directories are writable but the NFS
   root directory is read-only:

 # chroot ${NFSROOTDIR}
 # mkdir -p conf/base
 # tar -c -v -f conf/base/etc.cpio.gz --format cpio --gzip etc
 # tar -c -v -f conf/base/var.cpio.gz --format cpio --gzip var

   When the system boots, memory file systems for /etc and /var will be
   created and mounted and the contents of the cpio.gz files will be copied
   into them. By default, these file systems have a maximum capacity of 5
   megabytes. If your archives do not fit, which is usually the case for /var
   when binary packages have been installed, request a larger size by putting
   the number of 512 byte sectors needed (e.g., 5 megabytes is 10240 sectors)
   in ${NFSROOTDIR}/conf/base/etc/md_size and
   ${NFSROOTDIR}/conf/base/var/md_size files for /etc and /var file systems
   respectively.

  31.8.2. ****** DHCP *********

   The DHCP server does not need to be the same machine as the TFTP and NFS
   server, but it needs to be accessible in the network.

   DHCP is not part of the FreeBSD base system but can be installed using the
   net/isc-dhcp43-server port or package.

   Once installed, edit the configuration file, /usr/local/etc/dhcpd.conf.
   Configure the next-server, filename, and root-path settings as seen in
   this example:

 subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.2 192.168.0.3 ;
    option subnet-mask 255.255.255.0 ;
    option routers 192.168.0.1 ;
    option broadcast-address 192.168.0.255 ;
    option domain-name-servers 192.168.35.35, 192.168.35.36 ;
    option domain-name "example.com";

    # IP address of TFTP server
    next-server 192.168.0.1 ;

    # path of boot loader obtained via tftp
    filename "FreeBSD/install/boot/pxeboot" ;

    # pxeboot boot loader will try to NFS mount this directory for root FS
    option root-path "192.168.0.1:/b/tftpboot/FreeBSD/install/" ;

 }

   The next-server directive is used to specify the IP address of the TFTP
   server.

   The filename directive defines the path to /boot/pxeboot. A relative
   filename is used, meaning that /b/tftpboot is not included in the path.

   The root-path option defines the path to the NFS root file system.

   Once the edits are saved, enable DHCP at boot time by adding the following
   line to /etc/rc.conf:

 dhcpd_enable="YES"

   Then start the DHCP service:

 # service isc-dhcpd start

  31.8.3. PXE ************

   Once all of the services are configured and started, PXE clients should be
   able to automatically load FreeBSD over the network. If a particular
   client is unable to connect, when that client machine boots up, enter the
   BIOS configuration menu and confirm that it is set to boot from the
   network.

   This section describes some troubleshooting tips for isolating the source
   of the configuration problem should no clients be able to PXE boot.

    1. Use the net/wireshark package or port to debug the network traffic
       involved during the PXE booting process, which is illustrated in the
       diagram below.

       ****** 31.1. ****** NFS Root Mount ****** PXE ************
       ****** NFS Root Mount ****** PXE ************

       1 Client broadcasts a DHCPDISCOVER message.                            
       2 The DHCP server responds with the IP address, next-server, filename, 
         and root-path values.                                                
       3 The client sends a TFTP request to next-server, asking to retrieve   
         filename.                                                            
       4 The TFTP server responds and sends filename to client.               
       5 The client executes filename, which is pxeboot(8), which then loads  
         the kernel. When the kernel executes, the root file system specified 
         by root-path is mounted over NFS.                                    

    2. On the TFTP server, read /var/log/xferlog to ensure that pxeboot is
       being retrieved from the correct location. To test this example
       configuration:

 # tftp 192.168.0.1
 tftp> get FreeBSD/install/boot/pxeboot
 Received 264951 bytes in 0.1 seconds

       The BUGS sections in tftpd(8) and tftp(1) document some limitations
       with TFTP.

    3. Make sure that the root file system can be mounted via NFS. To test
       this example configuration:

 # mount -t nfs 192.168.0.1:/b/tftpboot/FreeBSD/install /mnt

31.9. IPv6

   Originally Written by Aaron Kaplan.
   Restructured and Added by Tom Rhodes.
   Extended by Brad Davis.

   IPv6 is the new version of the well known IP protocol, also known as IPv4.
   IPv6 provides several advantages over IPv4 as well as many new features:

     * Its 128-bit address space allows for
       340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. This
       addresses the IPv4 address shortage and eventual IPv4 address
       exhaustion.

     * Routers only store network aggregation addresses in their routing
       tables, thus reducing the average space of a routing table to 8192
       entries. This addresses the scalability issues associated with IPv4,
       which required every allocated block of IPv4 addresses to be exchanged
       between Internet routers, causing their routing tables to become too
       large to allow efficient routing.

     * Address autoconfiguration (RFC2462).

     * Mandatory multicast addresses.

     * Built-in IPsec (IP security).

     * Simplified header structure.

     * Support for mobile IP.

     * IPv6-to-IPv4 transition mechanisms.

   FreeBSD includes the http://www.kame.net/ IPv6 reference implementation
   and comes with everything needed to use IPv6. This section focuses on
   getting IPv6 configured and running.

  31.9.1. IPv6 *********************

   There are three different types of IPv6 addresses:

   Unicast

           A packet sent to a unicast address arrives at the interface
           belonging to the address.

   Anycast

           These addresses are syntactically indistinguishable from unicast
           addresses but they address a group of interfaces. The packet
           destined for an anycast address will arrive at the nearest router
           interface. Anycast addresses are only used by routers.

   Multicast

           These addresses identify a group of interfaces. A packet destined
           for a multicast address will arrive at all interfaces belonging to
           the multicast group. The IPv4 broadcast address, usually
           xxx.xxx.xxx.255, is expressed by multicast addresses in IPv6.

   When reading an IPv6 address, the canonical form is represented as
   x:x:x:x:x:x:x:x, where each x represents a 16 bit hex value. An example is
   FEBC:A574:382B:23C1:AA49:4592:4EFE:9982.

   Often, an address will have long substrings of all zeros. A :: (double
   colon) can be used to replace one substring per address. Also, up to three
   leading 0s per hex value can be omitted. For example, fe80::1 corresponds
   to the canonical form fe80:0000:0000:0000:0000:0000:0000:0001.

   A third form is to write the last 32 bits using the well known IPv4
   notation. For example, 2002::10.0.0.1 corresponds to the hexadecimal
   canonical representation 2002:0000:0000:0000:0000:0000:0a00:0001, which in
   turn is equivalent to 2002::a00:1.

   To view a FreeBSD system's IPv6 address, use ifconfig(8):

 # ifconfig

 rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
          inet 10.0.0.10 netmask 0xffffff00 broadcast 10.0.0.255
          inet6 fe80::200:21ff:fe03:8e1%rl0 prefixlen 64 scopeid 0x1
          ether 00:00:21:03:08:e1
          media: Ethernet autoselect (100baseTX )
          status: active

   In this example, the rl0 interface is using fe80::200:21ff:fe03:8e1%rl0,
   an auto-configured link-local address which was automatically generated
   from the MAC address.

   Some IPv6 addresses are reserved. A summary of these reserved addresses is
   seen in ****** 31.3, "************ IPv6 ******":

   ****** 31.3. ************ IPv6 ******

     IPv6 address   Prefixlength      ******                ******            
                       (Bits)    
   ::               128 bits     unspecified      Equivalent to 0.0.0.0 in    
                                                  IPv4.                       
   ::1              128 bits     loopback address Equivalent to 127.0.0.1 in  
                                                  IPv4.                       
   ::00:xx:xx:xx:xx 96 bits      embedded IPv4    The lower 32 bits are the   
                                                  compatible IPv4 address.    
                                 IPv4 mapped IPv6 The lower 32 bits are the   
   ::ff:xx:xx:xx:xx 96 bits      address          IPv4 address for hosts      
                                                  which do not support IPv6.  
   fe80::/10        10 bits      link-local       Equivalent to               
                                                  169.254.0.0/16 in IPv4.     
                                                  Unique local addresses are  
                                                  intended for local          
   fc00::/7         7 bits       unique-local     communication and are only  
                                                  routable within a set of    
                                                  cooperating sites.          
   ff00::           8 bits       multicast                                    
                                                  All global unicast          
   2000::-3fff::    3 bits       global unicast   addresses are assigned from 
                                                  this pool. The first 3 bits 
                                                  are 001.                    

   For further information on the structure of IPv6 addresses, refer to
   RFC3513.

  31.9.2. ****** IPv6

   To configure a FreeBSD system as an IPv6 client, add these two lines to
   rc.conf:

 ifconfig_rl0_ipv6="inet6 accept_rtadv"
 rtsold_enable="YES"

   The first line enables the specified interface to receive router
   advertisement messages. The second line enables the router solicitation
   daemon, rtsol(8).

   If the interface needs a statically assigned IPv6 address, add an entry to
   specify the static address and associated prefix length:

 ifconfig_rl0_ipv6="inet6 2001:db8:4672:6565:2026:5043:2d42:5344 prefixlen 64"

   To assign a default router, specify its address:

 ipv6_defaultrouter="2001:db8:4672:6565::1"

  31.9.3. ********* Provider

   In order to connect to other IPv6 networks, one must have a provider or a
   tunnel that supports IPv6:

     * Contact an Internet Service Provider to see if they offer IPv6.

     * Hurricane Electric offers tunnels with end-points all around the
       globe.

  ******:

   Install the net/freenet6 package or port for a dial-up connection.

   This section demonstrates how to take the directions from a tunnel
   provider and convert them into /etc/rc.conf settings that will persist
   through reboots.

   The first /etc/rc.conf entry creates the generic tunneling interface gif0:

 cloned_interfaces="gif0"

   Next, configure that interface with the IPv4 addresses of the local and
   remote endpoints. Replace MY_IPv4_ADDR and REMOTE_IPv4_ADDR with the
   actual IPv4 addresses:

 create_args_gif0="tunnel MY_IPv4_ADDR REMOTE_IPv4_ADDR"

   To apply the IPv6 address that has been assigned for use as the IPv6
   tunnel endpoint, add this line, replacing
   MY_ASSIGNED_IPv6_TUNNEL_ENDPOINT_ADDR with the assigned address:

 ifconfig_gif0_ipv6="inet6 MY_ASSIGNED_IPv6_TUNNEL_ENDPOINT_ADDR"

   Then, set the default route for the other side of the IPv6 tunnel. Replace
   MY_IPv6_REMOTE_TUNNEL_ENDPOINT_ADDR with the default gateway address
   assigned by the provider:

 ipv6_defaultrouter="MY_IPv6_REMOTE_TUNNEL_ENDPOINT_ADDR"

   If the FreeBSD system will route IPv6 packets between the rest of the
   network and the world, enable the gateway using this line:

 ipv6_gateway_enable="YES"

  31.9.4. Router Advertisement *** Host Auto Configuration

   This section demonstrates how to setup rtadvd(8) to advertise the IPv6
   default route.

   To enable rtadvd(8), add the following to /etc/rc.conf:

 rtadvd_enable="YES"

   It is important to specify the interface on which to do IPv6 router
   advertisement. For example, to tell rtadvd(8) to use rl0:

 rtadvd_interfaces="rl0"

   Next, create the configuration file, /etc/rtadvd.conf as seen in this
   example:

 rl0:\
         :addrs#1:addr="2001:db8:1f11:246::":prefixlen#64:tc=ether:

   Replace rl0 with the interface to be used and 2001:db8:1f11:246:: with the
   prefix of the allocation.

   For a dedicated /64 subnet, nothing else needs to be changed. Otherwise,
   change the prefixlen# to the correct value.

  31.9.5. IPv6 *** IPv6 ***************

   When IPv6 is enabled on a server, there may be a need to enable IPv4
   mapped IPv6 address communication. This compatibility option allows for
   IPv4 addresses to be represented as IPv6 addresses. Permitting IPv6
   applications to communicate with IPv4 and vice versa may be a security
   issue.

   This option may not be required in most cases and is available only for
   compatibility. This option will allow IPv6-only applications to work with
   IPv4 in a dual stack environment. This is most useful for third party
   applications which may not support an IPv6-only environment. To enable
   this feature, add the following to /etc/rc.conf:

 ipv6_ipv4mapping="YES"

   Reviewing the information in RFC 3493, section 3.6 and 3.7 as well as RFC
   4038 section 4.2 may be useful to some administrators.

31.10. ************************ (CARP)

   Contributed by Tom Rhodes.
   Updated by Allan Jude.

   The Common Address Redundancy Protocol (CARP) allows multiple hosts to
   share the same IP address and Virtual Host ID (VHID) in order to provide
   high availability for one or more services. This means that one or more
   hosts can fail, and the other hosts will transparently take over so that
   users do not see a service failure.

   In addition to the shared IP address, each host has its own IP address for
   management and configuration. All of the machines that share an IP address
   have the same VHID. The VHID for each virtual IP address must be unique
   across the broadcast domain of the network interface.

   High availability using CARP is built into FreeBSD, though the steps to
   configure it vary slightly depending upon the FreeBSD version. This
   section provides the same example configuration for versions before and
   equal to or after FreeBSD 10.

   This example configures failover support with three hosts, all with unique
   IP addresses, but providing the same web content. It has two different
   masters named hosta.example.org and hostb.example.org, with a shared
   backup named hostc.example.org.

   These machines are load balanced with a Round Robin DNS configuration. The
   master and backup machines are configured identically except for their
   hostnames and management IP addresses. These servers must have the same
   configuration and run the same services. When the failover occurs,
   requests to the service on the shared IP address can only be answered
   correctly if the backup server has access to the same content. The backup
   machine has two additional CARP interfaces, one for each of the master
   content server's IP addresses. When a failure occurs, the backup server
   will pick up the failed master machine's IP address.

  31.10.1. ****** CARP *** FreeBSD 10 ***************

   Enable boot-time support for CARP by adding an entry for the carp.ko
   kernel module in /boot/loader.conf:

 carp_load="YES"

   To load the module now without rebooting:

 # kldload carp

   For users who prefer to use a custom kernel, include the following line in
   the custom kernel configuration file and compile the kernel as described
   in *** 8, ****** FreeBSD ******:

 device  carp

   The hostname, management IP address and subnet mask, shared IP address,
   and VHID are all set by adding entries to /etc/rc.conf. This example is
   for hosta.example.org:

 hostname="hosta.example.org"
 ifconfig_em0="inet 192.168.1.3 netmask 255.255.255.0"
 ifconfig_em0_alias0="inet vhid 1 pass testpass alias 192.168.1.50/32"

   The next set of entries are for hostb.example.org. Since it represents a
   second master, it uses a different shared IP address and VHID. However,
   the passwords specified with pass must be identical as CARP will only
   listen to and accept advertisements from machines with the correct
   password.

 hostname="hostb.example.org"
 ifconfig_em0="inet 192.168.1.4 netmask 255.255.255.0"
 ifconfig_em0_alias0="inet vhid 2 pass testpass alias 192.168.1.51/32"

   The third machine, hostc.example.org, is configured to handle failover
   from either master. This machine is configured with two CARP VHIDs, one to
   handle the virtual IP address for each of the master hosts. The CARP
   advertising skew, advskew, is set to ensure that the backup host
   advertises later than the master, since advskew controls the order of
   precedence when there are multiple backup servers.

 hostname="hostc.example.org"
 ifconfig_em0="inet 192.168.1.5 netmask 255.255.255.0"
 ifconfig_em0_alias0="inet vhid 1 advskew 100 pass testpass alias 192.168.1.50/32"
 ifconfig_em0_alias1="inet vhid 2 advskew 100 pass testpass alias 192.168.1.51/32"

   Having two CARP VHIDs configured means that hostc.example.org will notice
   if either of the master servers becomes unavailable. If a master fails to
   advertise before the backup server, the backup server will pick up the
   shared IP address until the master becomes available again.

  ******:

   If the original master server becomes available again, hostc.example.org
   will not release the virtual IP address back to it automatically. For this
   to happen, preemption has to be enabled. The feature is disabled by
   default, it is controlled via the sysctl(8) variable
   net.inet.carp.preempt. The administrator can force the backup server to
   return the IP address to the master:

 # ifconfig em0 vhid 1 state backup

   Once the configuration is complete, either restart networking or reboot
   each system. High availability is now enabled.

   CARP functionality can be controlled via several sysctl(8) variables
   documented in the carp(4) manual pages. Other actions can be triggered
   from CARP events by using devd(8).

  31.10.2. ****** CARP *** FreeBSD 9 ***************

   The configuration for these versions of FreeBSD is similar to the one
   described in the previous section, except that a CARP device must first be
   created and referred to in the configuration.

   Enable boot-time support for CARP by loading the if_carp.ko kernel module
   in /boot/loader.conf:

 if_carp_load="YES"

   To load the module now without rebooting:

 # kldload carp

   For users who prefer to use a custom kernel, include the following line in
   the custom kernel configuration file and compile the kernel as described
   in *** 8, ****** FreeBSD ******:

 device  carp

   Next, on each host, create a CARP device:

 # ifconfig carp0 create

   Set the hostname, management IP address, the shared IP address, and VHID
   by adding the required lines to /etc/rc.conf. Since a virtual CARP device
   is used instead of an alias, the actual subnet mask of /24 is used instead
   of /32. Here are the entries for hosta.example.org:

 hostname="hosta.example.org"
 ifconfig_fxp0="inet 192.168.1.3 netmask 255.255.255.0"
 cloned_interfaces="carp0"
 ifconfig_carp0="vhid 1 pass testpass 192.168.1.50/24"

   On hostb.example.org:

 hostname="hostb.example.org"
 ifconfig_fxp0="inet 192.168.1.4 netmask 255.255.255.0"
 cloned_interfaces="carp0"
 ifconfig_carp0="vhid 2 pass testpass 192.168.1.51/24"

   The third machine, hostc.example.org, is configured to handle failover
   from either of the master hosts:

 hostname="hostc.example.org"
 ifconfig_fxp0="inet 192.168.1.5 netmask 255.255.255.0"
 cloned_interfaces="carp0 carp1"
 ifconfig_carp0="vhid 1 advskew 100 pass testpass 192.168.1.50/24"
 ifconfig_carp1="vhid 2 advskew 100 pass testpass 192.168.1.51/24"

  ******:

   Preemption is disabled in the GENERIC FreeBSD kernel. If preemption has
   been enabled with a custom kernel, hostc.example.org may not release the
   IP address back to the original content server. The administrator can
   force the backup server to return the IP address to the master with the
   command:

 # ifconfig carp0 down && ifconfig carp0 up

   This should be done on the carp interface which corresponds to the correct
   host.

   Once the configuration is complete, either restart networking or reboot
   each system. High availability is now enabled.

31.11. VLANs

   VLANs are a way of virtually dividing up a network into many different
   subnetworks, also referred to as segmenting. Each segment will have its
   own broadcast domain and be isolated from other VLANs.

   *** FreeBSD ************** VLANs
   **************************************************************************
   vlan*********** vlan(4) ************._

   When configuring a VLAN, a couple pieces of information must be known.
   First, which network interface? Second, what is the VLAN tag?

   To configure VLANs at run time, with a NIC of em0 and a VLAN tag of 5 the
   command would look like this:

 # ifconfig em0.5 create vlan 5 vlandev em0 inet 192.168.20.20/24

  ******:

   See how the interface name includes the NIC driver name and the VLAN tag,
   separated by a period? This is a best practice to make maintaining the
   VLAN configuration easy when many VLANs are present on a machine.

   To configure VLANs at boot time, /etc/rc.conf must be updated. To
   duplicate the configuration above, the following will need to be added:

 vlans_em0="5"
 ifconfig_em0_5="inet 192.168.20.20/24"

   Additional VLANs may be added, by simply adding the tag to the vlans_em0
   field and adding an additional line configuring the network on that VLAN
   tag's interface.

   It is useful to assign a symbolic name to an interface so that when the
   associated hardware is changed, only a few configuration variables need to
   be updated. For example, security cameras need to be run over VLAN 1 on
   em0. Later, if the em0 card is replaced with a card that uses the ixgb(4)
   driver, all references to em0.1 will not have to change to ixgb0.1.

   To configure VLAN 5, on the NIC em0, assign the interface name cameras,
   and assign the interface an IP address of 192.168.20.20 with a 24-bit
   prefix, use this command:

 # ifconfig em0.5 create vlan 5 vlandev em0 name cameras inet 192.168.20.20/24

   For an interface named video, use the following:

 # ifconfig video.5 create vlan 5 vlandev video name cameras inet 192.168.20.20/24

   To apply the changes at boot time, add the following lines to
   /etc/rc.conf:

 vlans_video="camera"
 create_args_camera="vlan 5"
 ifconfig_camera="inet 192.168.20.20/24"

                                 *** V. ******

   ************

   A. ****** FreeBSD

                A.1. CD *** DVD ******

                A.2. FTP ***

                A.3. ****** Subversion

                A.4. ****** rsync

   B. ************

                B.1. FreeBSD ************

                B.2. ************

                B.3. ************

                B.4. ************

                B.5. ******************

                B.6. *********************

                B.7. ******************

                B.8. UNIX(R) ******

                B.9. ***************

   C. ************

                C.1. ******

                C.2. ************ (Mailing List)

                C.3. Usenet ************

                C.4. ***************

   D. OpenPGP ******

                D.1. ******

****** A. ****** FreeBSD

   ************

   A.1. CD *** DVD ******

   A.2. FTP ***

   A.3. ****** Subversion

   A.4. ****** rsync

A.1. CD *** DVD ******

   FreeBSD CD ****** DVD ********************************************

     * FreeBSD Mall, Inc.
         2420 Sand Creek Rd C-1 #347
         Brentwood, CA
         94513
         USA
         Phone: +1 925 240-6652
         Fax: +1 925 674-0821
         Email: <info@freebsdmall.com>
         WWW: https://www.freebsdmall.com

     * Getlinux
         78 Rue de la Croix Rochopt
         Epinay-sous-Senart
         91860
         France
         Email: <contact@getlinux.fr>
         WWW: http://www.getlinux.fr/

     * Dr. Hinner EDV
         Kochelseestr. 11
         D-81371 Mu:nchen
         Germany
         Phone: (0177) 428 419 0
         Email: <infow@hinner.de>
         WWW: http://www.hinner.de/linux/freebsd.html

     * Linux Center
         Galernaya Street, 55
         Saint-Petersburg
         190000
         Russia
         Phone: +7-812-309-06-86
         Email: <info@linuxcenter.ru>
         WWW: http://linuxcenter.ru/shop/freebsd

A.2. FTP ***

   FreeBSD ********************************************************* FTP
   ******._****** ftp://ftp.FreeBSD.org/pub/FreeBSD/ ************ HTTP ***
   FTP*******************************************************************************
   GeoDNS *****************************************************._

   **************FreeBSD ****************** FTP
   ************************._*************** FTP ****** FreeBSD
   **************************************._****** "***************"
   ************************************ FreeBSD *********
   (******************************************)*******************************************************************************._**************************************************************************
   FreeBSD *********._*************************** FTP
   ******************************************************._************************************************************************._

   ***************,_***************,_************ (Armenia),_******
   (Australia),_********* (Austria),_****** (Brazil),_****** (Czech
   Republic),_****** (Denmark),_************ (Estonia),_******
   (Finland),_****** (France),_****** (Germany),_****** (Greece),_******
   (Hong Kong),_********* (Ireland),_****** (Japan),_******
   (Korea),_************ (Latvia),_********* (Lithuania),_******
   (Netherlands),_********* (New Zealand),_****** (Norway),_******
   (Poland),_********* (Russia),_****************** (Saudi
   Arabia),_*************** (Slovenia),_****** (South Africa),_*********
   (Spain),_****** (Sweden),_****** (Switzerland),_****** (Taiwan),_*********
   (Ukraine),_****** (United Kingdom),_****** (USA)._

   (as of UTC)

   ***************
              * ftp://ftp.FreeBSD.org/pub/FreeBSD/ (ftp / ftpv6 /
                http://ftp.FreeBSD.org/pub/FreeBSD/ /
                http://ftp.FreeBSD.org/pub/FreeBSD/)

   ***************

           ********************************************************
           <mirror-admin@FreeBSD.org>._

              * ftp://ftp1.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp2.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp3.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp4.FreeBSD.org/pub/FreeBSD/ (ftp / ftpv6 /
                http://ftp4.FreeBSD.org/pub/FreeBSD/ /
                http://ftp4.FreeBSD.org/pub/FreeBSD/)

              * ftp://ftp5.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp6.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp7.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp10.FreeBSD.org/pub/FreeBSD/ (ftp / ftpv6 /
                http://ftp10.FreeBSD.org/pub/FreeBSD/ /
                http://ftp10.FreeBSD.org/pub/FreeBSD/)

              * ftp://ftp11.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp13.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp14.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp14.FreeBSD.org/pub/FreeBSD/)

   ************ (Armenia)

           ********************************************************
           <hostmaster@am.FreeBSD.org>._

              * ftp://ftp1.am.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp1.am.FreeBSD.org/pub/FreeBSD/ / rsync)

   ****** (Australia)

           ********************************************************
           <hostmaster@au.FreeBSD.org>._

              * ftp://ftp.au.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp2.au.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp3.au.FreeBSD.org/pub/FreeBSD/ (ftp)

   ********* (Austria)

           ********************************************************
           <hostmaster@at.FreeBSD.org>._

              * ftp://ftp.at.FreeBSD.org/pub/FreeBSD/ (ftp / ftpv6 /
                http://ftp.at.FreeBSD.org/pub/FreeBSD/ /
                http://ftp.at.FreeBSD.org/pub/FreeBSD/)

   ****** (Brazil)

           ********************************************************
           <hostmaster@br.FreeBSD.org>._

              * ftp://ftp2.br.FreeBSD.org/FreeBSD/ (ftp /
                http://ftp2.br.FreeBSD.org/)

              * ftp://ftp3.br.FreeBSD.org/pub/FreeBSD/ (ftp / rsync)

              * ftp://ftp4.br.FreeBSD.org/pub/FreeBSD/ (ftp)

   ****** (Czech Republic)

           ********************************************************
           <hostmaster@cz.FreeBSD.org>._

              * ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/ (ftp /
                ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/ /
                http://ftp.cz.FreeBSD.org/pub/FreeBSD/ /
                http://ftp.cz.FreeBSD.org/pub/FreeBSD/ / rsync / rsyncv6)

              * ftp://ftp2.cz.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp2.cz.FreeBSD.org/pub/FreeBSD/)

   ****** (Denmark)

           ********************************************************
           <hostmaster@dk.FreeBSD.org>._

              * ftp://ftp.dk.FreeBSD.org/pub/FreeBSD/ (ftp / ftpv6 /
                http://ftp.dk.FreeBSD.org/pub/FreeBSD/ /
                http://ftp.dk.FreeBSD.org/pub/FreeBSD/)

   ************ (Estonia)

           ********************************************************
           <hostmaster@ee.FreeBSD.org>._

              * ftp://ftp.ee.FreeBSD.org/pub/FreeBSD/ (ftp)

   ****** (Finland)

           ********************************************************
           <hostmaster@fi.FreeBSD.org>._

              * ftp://ftp.fi.FreeBSD.org/pub/FreeBSD/ (ftp)

   ****** (France)

           ********************************************************
           <hostmaster@fr.FreeBSD.org>._

              * ftp://ftp.fr.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp1.fr.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp1.fr.FreeBSD.org/pub/FreeBSD/ / rsync)

              * ftp://ftp3.fr.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp5.fr.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp6.fr.FreeBSD.org/pub/FreeBSD/ (ftp / rsync)

              * ftp://ftp7.fr.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp8.fr.FreeBSD.org/pub/FreeBSD/ (ftp)

   ****** (Germany)

           ********************************************************
           <hostmaster@de.FreeBSD.org>._

              * ftp://ftp.de.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp1.de.FreeBSD.org/freebsd/ (ftp /
                http://www1.de.FreeBSD.org/freebsd/ /
                rsync://rsync3.de.FreeBSD.org/freebsd/)

              * ftp://ftp2.de.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp2.de.FreeBSD.org/pub/FreeBSD/ / rsync)

              * ftp://ftp4.de.FreeBSD.org/FreeBSD/ (ftp /
                http://ftp4.de.FreeBSD.org/pub/FreeBSD/)

              * ftp://ftp5.de.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp7.de.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp7.de.FreeBSD.org/pub/FreeBSD/)

              * ftp://ftp8.de.FreeBSD.org/pub/FreeBSD/ (ftp)

   ****** (Greece)

           ********************************************************
           <hostmaster@gr.FreeBSD.org>._

              * ftp://ftp.gr.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp2.gr.FreeBSD.org/pub/FreeBSD/ (ftp)

   ****** (Hong Kong)
              * ftp://ftp.hk.FreeBSD.org/pub/FreeBSD/ (ftp)

   ********* (Ireland)

           In case of problems, please contact the hostmaster
           <hostmaster@ie.FreeBSD.org> for this domain.

              * ftp://ftp3.ie.FreeBSD.org/pub/FreeBSD/ (ftp / rsync)

   ****** (Japan)

           ********************************************************
           <hostmaster@jp.FreeBSD.org>._

              * ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp2.jp.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp3.jp.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp4.jp.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp5.jp.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp6.jp.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp7.jp.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp8.jp.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp9.jp.FreeBSD.org/pub/FreeBSD/ (ftp)

   ****** (Korea)

           ********************************************************
           <hostmaster@kr.FreeBSD.org>._

              * ftp://ftp.kr.FreeBSD.org/pub/FreeBSD/ (ftp / rsync)

              * ftp://ftp2.kr.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp2.kr.FreeBSD.org/pub/FreeBSD/)

   ************ (Latvia)

           ********************************************************
           <hostmaster@lv.FreeBSD.org>._

              * ftp://ftp.lv.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp.lv.FreeBSD.org/pub/FreeBSD/)

   ********* (Lithuania)

           ********************************************************
           <hostmaster@lt.FreeBSD.org>._

              * ftp://ftp.lt.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp.lt.FreeBSD.org/pub/FreeBSD/)

   ****** (Netherlands)

           ********************************************************
           <hostmaster@nl.FreeBSD.org>._

              * ftp://ftp.nl.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp.nl.FreeBSD.org/os/FreeBSD/ / rsync)

              * ftp://ftp2.nl.FreeBSD.org/pub/FreeBSD/ (ftp)

   ********* (New Zealand)
              * ftp://ftp.nz.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp.nz.FreeBSD.org/pub/FreeBSD/)

   ****** (Norway)

           ********************************************************
           <hostmaster@no.FreeBSD.org>._

              * ftp://ftp.no.FreeBSD.org/pub/FreeBSD/ (ftp / rsync)

   ****** (Poland)

           ********************************************************
           <hostmaster@pl.FreeBSD.org>._

              * ftp://ftp.pl.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp2.pl.FreeBSD.org

   ********* (Russia)

           ********************************************************
           <hostmaster@ru.FreeBSD.org>._

              * ftp://ftp.ru.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp.ru.FreeBSD.org/FreeBSD/ / rsync)

              * ftp://ftp2.ru.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp2.ru.FreeBSD.org/pub/FreeBSD/ / rsync)

              * ftp://ftp4.ru.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp5.ru.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp5.ru.FreeBSD.org/pub/FreeBSD/ / rsync)

              * ftp://ftp6.ru.FreeBSD.org/pub/FreeBSD/ (ftp)

   ****************** (Saudi Arabia)

           ********************************************************
           <ftpadmin@isu.net.sa>._

              * ftp://ftp.isu.net.sa/pub/ftp.freebsd.org/ (ftp)

   *************** (Slovenia)

           ********************************************************
           <hostmaster@si.FreeBSD.org>._

              * ftp://ftp.si.FreeBSD.org/pub/FreeBSD/ (ftp)

   ****** (South Africa)

           ********************************************************
           <hostmaster@za.FreeBSD.org>._

              * ftp://ftp.za.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp2.za.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp4.za.FreeBSD.org/pub/FreeBSD/ (ftp)

   ********* (Spain)

           ********************************************************
           <hostmaster@es.FreeBSD.org>._

              * ftp://ftp.es.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp.es.FreeBSD.org/pub/FreeBSD/)

              * ftp://ftp3.es.FreeBSD.org/pub/FreeBSD/ (ftp)

   ****** (Sweden)

           ********************************************************
           <hostmaster@se.FreeBSD.org>._

              * ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp2.se.FreeBSD.org/pub/FreeBSD/ (ftp /
                rsync://ftp2.se.FreeBSD.org/)

              * ftp://ftp3.se.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp4.se.FreeBSD.org/pub/FreeBSD/ (ftp /
                ftp://ftp4.se.FreeBSD.org/pub/FreeBSD/ /
                http://ftp4.se.FreeBSD.org/pub/FreeBSD/ /
                http://ftp4.se.FreeBSD.org/pub/FreeBSD/ /
                rsync://ftp4.se.FreeBSD.org/pub/FreeBSD/ /
                rsync://ftp4.se.FreeBSD.org/pub/FreeBSD/)

              * ftp://ftp6.se.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp6.se.FreeBSD.org/pub/FreeBSD/)

   ****** (Switzerland)

           ********************************************************
           <hostmaster@ch.FreeBSD.org>._

              * ftp://ftp.ch.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp.ch.FreeBSD.org/pub/FreeBSD/)

   ****** (Taiwan)

           ********************************************************
           <hostmaster@tw.FreeBSD.org>._

              * ftp://ftp.tw.FreeBSD.org/pub/FreeBSD/ (ftp /
                ftp://ftp.tw.FreeBSD.org/pub/FreeBSD/ / rsync / rsyncv6)

              * ftp://ftp2.tw.FreeBSD.org/pub/FreeBSD/ (ftp /
                ftp://ftp2.tw.FreeBSD.org/pub/FreeBSD/ /
                http://ftp2.tw.FreeBSD.org/pub/FreeBSD/ /
                http://ftp2.tw.FreeBSD.org/pub/FreeBSD/ / rsync / rsyncv6)

              * ftp://ftp4.tw.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp5.tw.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp6.tw.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp6.tw.FreeBSD.org/ / rsync)

              * ftp://ftp7.tw.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp8.tw.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp11.tw.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp11.tw.FreeBSD.org/FreeBSD/)

              * ftp://ftp12.tw.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp13.tw.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp14.tw.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp15.tw.FreeBSD.org/pub/FreeBSD/ (ftp)

   ********* (Ukraine)
              * ftp://ftp.ua.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp.ua.FreeBSD.org/pub/FreeBSD/)

              * ftp://ftp6.ua.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp6.ua.FreeBSD.org/pub/FreeBSD /
                rsync://ftp6.ua.FreeBSD.org/FreeBSD/)

              * ftp://ftp7.ua.FreeBSD.org/pub/FreeBSD/ (ftp)

   ****** (United Kingdom)

           ********************************************************
           <hostmaster@uk.FreeBSD.org>._

              * ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp2.uk.FreeBSD.org/pub/FreeBSD/ (ftp /
                rsync://ftp2.uk.FreeBSD.org/ftp.freebsd.org/pub/FreeBSD/)

              * ftp://ftp3.uk.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp4.uk.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp5.uk.FreeBSD.org/pub/FreeBSD/ (ftp)

   ****** (USA)

           ********************************************************
           <hostmaster@us.FreeBSD.org>._

              * ftp://ftp1.us.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp2.us.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp3.us.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp4.us.FreeBSD.org/pub/FreeBSD/ (ftp / ftpv6 /
                http://ftp4.us.FreeBSD.org/pub/FreeBSD/ /
                http://ftp4.us.FreeBSD.org/pub/FreeBSD/)

              * ftp://ftp5.us.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp6.us.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp8.us.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp10.us.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp11.us.FreeBSD.org/pub/FreeBSD/ (ftp)

              * ftp://ftp13.us.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp13.us.FreeBSD.org/pub/FreeBSD/ / rsync)

              * ftp://ftp14.us.FreeBSD.org/pub/FreeBSD/ (ftp /
                http://ftp14.us.FreeBSD.org/pub/FreeBSD/)

              * ftp://ftp15.us.FreeBSD.org/pub/FreeBSD/ (ftp)

A.3. ****** Subversion

  A.3.1. ******

   *** 2012 *** 7 ********FreeBSD ************ FreeBSD
   ************,_********* Port ****************** Subversion
   ************************************._

  ******:

   Subversion
   ******************************._***************************************
   freebsd-update (*** 23.2, "FreeBSD ******") ********* FreeBSD
   *************** portsnap (*** 4.5, "****** Port *********") *********
   FreeBSD Port *********._

   ************************ FreeBSD ************ Subversion
   ************************************ FreeBSD
   ******************************** Subversion ***************._

  A.3.2. *** SSL ******

   ****** security/ca_root_nss ****** Subversion ************ HTTPS
   ***************************._root SSL ************ Port ********

 # cd /usr/ports/security/ca_root_nss
 # make install clean

   **************

 # pkg install ca_root_nss

  A.3.3. Svnlite

   *************** Subversion svnlite ********* FreeBSD ******._Port
   *************** Subversion ****************** Python *** Perl API
   ******************************************** Subversion ************._

   ********* Subversion *************************************** svnlite._

  A.3.4. ******

   *************** svnlite ************************ Subversion
   ***************._

   Subversion ****** Port *****************

 # cd /usr/ports/devel/subversion
 # make install clean

   Subversion **************************

 # pkg install subversion

  A.3.5. ****** Subversion

   *********************************************************
   svn._****************************** ****************** (Local working
   copy)._

  ******:

   ****************** checkout
   *********************************************._

   ************ svn ********************************* (Checkout)
   ******************************************************************._

   Subversion ****** URL **************************************
   protocol://hostname/path._*************************************** FreeBSD
   *************************************base *** FreeBSD
   *********************,_ports *** Port *************** doc
   ***************._**************URL https://svn.FreeBSD.org/ports/head/
   ****** Port ******************************** https ************._

   *************************************** (Checkout) *****************

 # svn checkout https://svn.FreeBSD.org/repository/branch lwcdir

   where:

     * repository *****************************************base, ports ***
       doc._

     * branch ************************************._ports *** doc
       ************************ head *********** base ********* -CURRENT
       ************************ head *****-STABLE
       *************************************** stable/9 (9.x) *** stable/10
       (10.x) ***._

     * lwcdir ******************************************************** ports
       ********* /usr/ports**base ********* /usr/src ****** doc *********
       /usr/doc._

   ********************* HTTPS ********* FreeBSD ****************** Port
   ******************************************** /usr/ports._*** /usr/ports
   *********************** svn
   ***********************************************************._

 # svn checkout https://svn.FreeBSD.org/ports/head /usr/ports

   **********************************************************************************************************************._

   *******************************************************************

 # svn update lwcdir

   ********************************* /usr/ports ***********

 # svn update /usr/ports

   ********************************************************************************._

   ******************************************************************
   /usr/ports, /usr/src ****** /usr/doc ****************** Makefile._******
   SVN_UPDATE ********* update ******._*************** /usr/src**

 # cd /usr/src
 # make update SVN_UPDATE=yes

  A.3.6. Subversion *********

   FreeBSD Subversion *****************

 svn.FreeBSD.org

   ******************************************** GeoDNS
   ***************************************._************************
   Subversion ********************* https://svnweb.FreeBSD.org/._

   HTTPS is the preferred protocol, but the security/ca_root_nss package will
   need to be installed in order to automatically validate certificates.

  A.3.7. ******************

   *************************** Subversion ****************** "Subversion
   Book"************** Version Control with Subversion ****** Subversion
   Documentation._

A.4. ****** rsync

   *************** FreeBSD ********* rsync ******************._rsync
   *************************************************************************************************************************
   FreeBSD FTP *********************************._rsync
   ******************************************** FreeBSD ************
   net/rsync Port ***************._

   ****** (Czech Republic)

           rsync://ftp.cz.FreeBSD.org/

           ********************

              * ftp: FreeBSD FTP ************************._

              * FreeBSD: FreeBSD FTP ************************._

   ****** (Netherlands)

           rsync://ftp.nl.FreeBSD.org/

           ********************

              * FreeBSD: FreeBSD FTP ************************._

   ********* (Russia)

           rsync://ftp.mtu.ru/

           ********************

              * FreeBSD: FreeBSD FTP ************************._

              * FreeBSD-Archive: FreeBSD ****** FTP ******************._

   ****** (Sweden)

           rsync://ftp4.se.freebsd.org/

           ********************

              * FreeBSD: FreeBSD FTP ************************._

   ****** (Taiwan)

           rsync://ftp.tw.FreeBSD.org/

           rsync://ftp2.tw.FreeBSD.org/

           rsync://ftp6.tw.FreeBSD.org/

           ********************

              * FreeBSD: FreeBSD FTP ************************._

   ****** (United Kingdom)

           rsync://rsync.mirrorservice.org/

           ********************

              * ftp.freebsd.org: FreeBSD FTP ************************._

   ****** (USA)

           rsync://ftp-master.FreeBSD.org/

           ****************** FreeBSD *********************._

           ********************

              * FreeBSD: FreeBSD FTP ************************._

              * acl: FreeBSD ****** ACL ******._

           rsync://ftp13.FreeBSD.org/

           ********************

              * FreeBSD: FreeBSD FTP ************************._

****** B. ************

   ************

   B.1. FreeBSD ************

   B.2. ************

   B.3. ************

   B.4. ************

   B.5. ******************

   B.6. *********************

   B.7. ******************

   B.8. UNIX(R) ******

   B.9. ***************

   ************************ FreeBSD
   *****************************************************<'***************>'*****************************************************._*****************
   UNIX(R) ***************************************************************._

B.1. FreeBSD ************

   **************

     * FreeBSD *************** (***************) (************),
       ******************, 1997. ISBN 9-578-39435-7._

     * FreeBSD ************ (FreeBSD Unleashed ***************),
       ***************************. ISBN 7-111-10201-0._

     * FreeBSD ********************* (************),
       ***************************. ISBN 7-111-10286-X._

     * FreeBSD Handbook ********* (***************),
       ***************************. ISBN 7-115-10541-3._

     * FreeBSD & Windows ****************** (************),
       ***************************. ISBN 7-113-03845-X._

     * FreeBSD ****************** (************),
       ***************************. ISBN 7-113-03423-3._

     * FreeBSD (******), CUTT ******. ISBN 4-906391-22-2 C3055 P2400E._

     * Complete Introduction to FreeBSD (******), Shoeisha Co., Ltd ******.
       ISBN 4-88135-473-6 P3600E._

     * Personal UNIX Starter Kit FreeBSD (******), ASCII ******. ISBN
       4-7561-1733-3 P3000E._

     * FreeBSD Handbook (*********), ASCII ******. ISBN 4-7561-1580-2
       P3800E._

     * FreeBSD mit Methode (******), Computer und Literatur Verlag/Vertrieb
       Hanser ******, 1998. ISBN 3-932311-31-0._

     * FreeBSD de Luxe (******), Verlag Modere Industrie ******, 2003. ISBN
       3-8266-1343-0._

     * FreeBSD Install and Utilization Manual (******), Mainichi
       Communications Inc. ******, 1998. ISBN 4-8399-0112-0._

     * Onno W Purbo, Dodi Maryanto, Syahrial Hubbany, Widjil Widodo Building
       Internet Server with FreeBSD (*********), Elex Media Komputindo
       ******._

     * FreeBSD ************ (Absolute BSD: The Ultimate Guide to FreeBSD
       ***************), GrandTech Press ******, 2003. ISBN 986-7944-92-5._

     * FreeBSD 6.0 ********************* (************), ************, 2006.
       ISBN 9-575-27878-X._

   **************

     * Absolute FreeBSD, 2nd Edition: The Complete Guide to FreeBSD,
       published by No Starch Press, 2007. ISBN: 978-1-59327-151-0

     * The Complete FreeBSD, published by O'Reilly, 2003. ISBN: 0596005164

     * The FreeBSD Corporate Networker's Guide, published by Addison-Wesley,
       2000. ISBN: 0201704811

     * FreeBSD: An Open-Source Operating System for Your Personal Computer,
       published by The Bit Tree Press, 2001. ISBN: 0971204500

     * Teach Yourself FreeBSD in 24 Hours, published by Sams, 2002. ISBN:
       0672324245

     * FreeBSD 6 Unleashed, published by Sams, 2006. ISBN: 0672328755

     * FreeBSD: The Complete Reference, published by McGrawHill, 2003. ISBN:
       0072224096

B.2. ************

     * Ohio State University has written a UNIX Introductory Course which is
       available online in HTML and PostScript format.

       An Italian translation of this document is available as part of the
       FreeBSD Italian Documentation Project.

     * Edinburgh University has written an Online Guide for newcomers to the
       UNIX environment.

B.3. ************

     * Jpman Project, Japan FreeBSD Users Group. FreeBSD System
       Administrator's Manual (Japanese translation). Mainichi Communications
       Inc., 1998. ISBN4-8399-0109-0 P3300E.

     * Dreyfus, Emmanuel. Cahiers de l'Admin: BSD 2nd Ed. (in French),
       Eyrolles, 2004. ISBN 2-212-11463-X

B.4. ************

     * Computer Systems Research Group, UC Berkeley. 4.4BSD Programmer's
       Reference Manual. O'Reilly & Associates, Inc., 1994. ISBN
       1-56592-078-3

     * Computer Systems Research Group, UC Berkeley. 4.4BSD Programmer's
       Supplementary Documents. O'Reilly & Associates, Inc., 1994. ISBN
       1-56592-079-1

     * Harbison, Samuel P. and Steele, Guy L. Jr. C: A Reference Manual. 4th
       Ed. Prentice Hall, 1995. ISBN 0-13-326224-3

     * Kernighan, Brian and Dennis M. Ritchie. The C Programming Language.
       2nd Ed. PTR Prentice Hall, 1988. ISBN 0-13-110362-8

     * Lehey, Greg. Porting UNIX Software. O'Reilly & Associates, Inc., 1995.
       ISBN 1-56592-126-7

     * Plauger, P. J. The Standard C Library. Prentice Hall, 1992. ISBN
       0-13-131509-9

     * Spinellis, Diomidis. Code Reading: The Open Source Perspective.
       Addison-Wesley, 2003. ISBN 0-201-79940-5

     * Spinellis, Diomidis. Code Quality: The Open Source Perspective.
       Addison-Wesley, 2006. ISBN 0-321-16607-8

     * Stevens, W. Richard and Stephen A. Rago. Advanced Programming in the
       UNIX Environment. 2nd Ed. Reading, Mass. : Addison-Wesley, 2005. ISBN
       0-201-43307-9

     * Stevens, W. Richard. UNIX Network Programming. 2nd Ed, PTR Prentice
       Hall, 1998. ISBN 0-13-490012-X

B.5. ******************

     * Andleigh, Prabhat K. UNIX System Architecture. Prentice-Hall, Inc.,
       1990. ISBN 0-13-949843-5

     * Jolitz, William. "Porting UNIX to the 386". Dr. Dobb's Journal.
       January 1991-July 1992.

     * Leffler, Samuel J., Marshall Kirk McKusick, Michael J Karels and John
       Quarterman The Design and Implementation of the 4.3BSD UNIX Operating
       System. Reading, Mass. : Addison-Wesley, 1989. ISBN 0-201-06196-1

     * Leffler, Samuel J., Marshall Kirk McKusick, The Design and
       Implementation of the 4.3BSD UNIX Operating System: Answer Book.
       Reading, Mass. : Addison-Wesley, 1991. ISBN 0-201-54629-9

     * McKusick, Marshall Kirk, Keith Bostic, Michael J Karels, and John
       Quarterman. The Design and Implementation of the 4.4BSD Operating
       System. Reading, Mass. : Addison-Wesley, 1996. ISBN 0-201-54979-4

       (Chapter 2 of this book is available online as part of the FreeBSD
       Documentation Project.)

     * Marshall Kirk McKusick, George V. Neville-Neil The Design and
       Implementation of the FreeBSD Operating System. Boston, Mass. :
       Addison-Wesley, 2004. ISBN 0-201-70245-2

     * Marshall Kirk McKusick, George V. Neville-Neil, Robert N. M. Watson
       The Design and Implementation of the FreeBSD Operating System, 2nd
       Ed.. Westford, Mass. : Pearson Education, Inc., 2014. ISBN
       0-321-96897-2

     * Stevens, W. Richard. TCP/IP Illustrated, Volume 1: The Protocols.
       Reading, Mass. : Addison-Wesley, 1996. ISBN 0-201-63346-9

     * Schimmel, Curt. Unix Systems for Modern Architectures. Reading, Mass.
       : Addison-Wesley, 1994. ISBN 0-201-63338-8

     * Stevens, W. Richard. TCP/IP Illustrated, Volume 3: TCP for
       Transactions, HTTP, NNTP and the UNIX Domain Protocols. Reading, Mass.
       : Addison-Wesley, 1996. ISBN 0-201-63495-3

     * Vahalia, Uresh. UNIX Internals -- The New Frontiers. Prentice Hall,
       1996. ISBN 0-13-101908-2

     * Wright, Gary R. and W. Richard Stevens. TCP/IP Illustrated, Volume 2:
       The Implementation. Reading, Mass. : Addison-Wesley, 1995. ISBN
       0-201-63354-X

B.6. *********************

     * Cheswick, William R. and Steven M. Bellovin. Firewalls and Internet
       Security: Repelling the Wily Hacker. Reading, Mass. : Addison-Wesley,
       1995. ISBN 0-201-63357-4

     * Garfinkel, Simson. PGP Pretty Good Privacy O'Reilly & Associates,
       Inc., 1995. ISBN 1-56592-098-8

B.7. ******************

     * Anderson, Don and Tom Shanley. Pentium Processor System Architecture.
       2nd Ed. Reading, Mass. : Addison-Wesley, 1995. ISBN 0-201-40992-5

     * Ferraro, Richard F. Programmer's Guide to the EGA, VGA, and Super VGA
       Cards. 3rd ed. Reading, Mass. : Addison-Wesley, 1995. ISBN
       0-201-62490-7

     * Intel Corporation publishes documentation on their CPUs, chipsets and
       standards on their developer web site, usually as PDF files.

     * Shanley, Tom. 80486 System Architecture. 3rd Ed. Reading, Mass. :
       Addison-Wesley, 1995. ISBN 0-201-40994-1

     * Shanley, Tom. ISA System Architecture. 3rd Ed. Reading, Mass. :
       Addison-Wesley, 1995. ISBN 0-201-40996-8

     * Shanley, Tom. PCI System Architecture. 4th Ed. Reading, Mass. :
       Addison-Wesley, 1999. ISBN 0-201-30974-2

     * Van Gilluwe, Frank. The Undocumented PC, 2nd Ed. Reading, Mass:
       Addison-Wesley Pub. Co., 1996. ISBN 0-201-47950-8

     * Messmer, Hans-Peter. The Indispensable PC Hardware Book, 4th Ed.
       Reading, Mass : Addison-Wesley Pub. Co., 2002. ISBN 0-201-59616-4

B.8. UNIX(R) ******

     * Lion, John Lion's Commentary on UNIX, 6th Ed. With Source Code. ITP
       Media Group, 1996. ISBN 1573980137

     * Raymond, Eric S. The New Hacker's Dictionary, 3rd edition. MIT Press,
       1996. ISBN 0-262-68092-0. Also known as the Jargon File

     * Salus, Peter H. A quarter century of UNIX. Addison-Wesley Publishing
       Company, Inc., 1994. ISBN 0-201-54777-5

     * Simon Garfinkel, Daniel Weise, Steven Strassmann. The UNIX-HATERS
       Handbook. IDG Books Worldwide, Inc., 1994. ISBN 1-56884-203-1. Out of
       print, but available online.

     * Don Libes, Sandy Ressler Life with UNIX - special edition.
       Prentice-Hall, Inc., 1989. ISBN 0-13-536657-7

     * The BSD family tree.
       https://svnweb.freebsd.org/base/head/share/misc/bsd-family-tree?view=co
       or /usr/share/misc/bsd-family-tree on a FreeBSD machine.

     * Networked Computer Science Technical Reports Library.
       http://www.ncstrl.org/

     * Old BSD releases from the Computer Systems Research group (CSRG).
       http://www.mckusick.com/csrg/: The 4CD set covers all BSD versions
       from 1BSD to 4.4BSD and 4.4BSD-Lite2 (but not 2.11BSD, unfortunately).
       The last disk also holds the final sources plus the SCCS files.

B.9. ***************

     * Admin Magazin (in German), published by Medialinx AG. ISSN: 2190-1066

     * BSD Magazine, published by Software Press Sp. z o.o. SK. ISSN:
       1898-9144

     * BSD Now - Video Podcast, published by Jupiter Broadcasting LLC

     * BSD Talk Podcast, by Will Backman

     * FreeBSD Journal, published by S&W Publishing, sponsored by The FreeBSD
       Foundation. ISBN: 978-0-615-88479-0

****** C. ************

   ************

   C.1. ******

   C.2. ************ (Mailing List)

   C.3. Usenet ************

   C.4. ***************

   The rapid pace of FreeBSD progress makes print media impractical as a
   means of following the latest developments. Electronic resources are the
   best, if not often the only, way to stay informed of the latest advances.
   Since FreeBSD is a volunteer effort, the user community itself also
   generally serves as a "technical support department" of sorts, with
   electronic mail, web forums, and USENET news being the most effective way
   of reaching that community.

   The most important points of contact with the FreeBSD user community are
   outlined below. Please send other resources not mentioned here to the
   FreeBSD documentation project mailing list so that they may also be
   included.

C.1. ******

     * The FreeBSD Forums provide a web based discussion forum for FreeBSD
       questions and technical discussion.

     * The BSDConferences YouTube Channel provides a collection of high
       quality videos from BSD conferences around the world. This is a great
       way to watch key developers give presentations about new work in
       FreeBSD.

C.2. ************ (Mailing List)

   The mailing lists are the most direct way of addressing questions or
   opening a technical discussion to a concentrated FreeBSD audience. There
   are a wide variety of lists on a number of different FreeBSD topics.
   Sending questions to the most appropriate mailing list will invariably
   assure a faster and more accurate response.

   The charters for the various lists are given at the bottom of this
   document. Please read the charter before joining or sending mail to any
   list. Most list subscribers receive many hundreds of FreeBSD related
   messages every day, and the charters and rules for use are meant to keep
   the signal-to-noise ratio of the lists high. To do less would see the
   mailing lists ultimately fail as an effective communications medium for
   the Project.

  ******:

   To test the ability to send email to FreeBSD lists, send a test message to
   freebsd-test. Please do not send test messages to any other list.

   When in doubt about what list to post a question to, see How to get best
   results from the FreeBSD-questions mailing list.

   Before posting to any list, please learn about how to best use the mailing
   lists, such as how to help avoid frequently-repeated discussions, by
   reading the Mailing List Frequently Asked Questions (FAQ) document.

   Archives are kept for all of the mailing lists and can be searched using
   the FreeBSD World Wide Web server. The keyword searchable archive offers
   an excellent way of finding answers to frequently asked questions and
   should be consulted before posting a question. Note that this also means
   that messages sent to FreeBSD mailing lists are archived in perpetuity.
   When protecting privacy is a concern, consider using a disposable
   secondary email address and posting only public information.

  C.2.1. ************

   General lists: The following are general lists which anyone is free (and
   encouraged) to join:

                List                                ******                    
   freebsd-advocacy               FreeBSD Evangelism                          
   freebsd-announce               Important events and Project milestones     
                                  (moderated)                                 
   freebsd-arch                   Architecture and design discussions         
                                  Discussions pertaining to the maintenance   
   freebsd-bugbusters             of the FreeBSD problem report database and  
                                  related tools                               
   freebsd-bugs                   Bug reports                                 
   freebsd-chat                   Non-technical items related to the FreeBSD  
                                  community                                   
   freebsd-chromium               FreeBSD-specific Chromium issues            
   freebsd-current                Discussion concerning the use of            
                                  FreeBSD-CURRENT                             
   freebsd-isp                    Issues for Internet Service Providers using 
                                  FreeBSD                                     
   freebsd-jobs                   FreeBSD employment and consulting           
                                  opportunities                               
   freebsd-questions              User questions and technical support        
   freebsd-security-notifications Security notifications (moderated)          
   freebsd-stable                 Discussion concerning the use of            
                                  FreeBSD-STABLE                              
   freebsd-test                   Where to send test messages instead of to   
                                  one of the actual lists                     
   freebsd-women                  FreeBSD advocacy for women                  

   Technical lists: The following lists are for technical discussion. Read
   the charter for each list carefully before joining or sending mail to one
   as there are firm guidelines for their use and content.

            List                                ******                        
   freebsd-acpi           ACPI and power management development               
   freebsd-afs            Porting AFS to FreeBSD                              
   freebsd-amd64          Porting FreeBSD to AMD64 systems (moderated)        
   freebsd-apache         Discussion about Apache related ports               
   freebsd-arm            Porting FreeBSD to ARM(R) processors                
   freebsd-atm            Using ATM networking with FreeBSD                   
   freebsd-bluetooth      Using Bluetooth(R) technology in FreeBSD            
   freebsd-cloud          FreeBSD on cloud platforms (EC2, GCE, Azure, etc.)  
   freebsd-cluster        Using FreeBSD in a clustered environment            
   freebsd-database       Discussing database use and development under       
                          FreeBSD                                             
   freebsd-desktop        Using and improving FreeBSD on the desktop          
   dev-ci                 Build and test reports from the Continuous          
                          Integration servers                                 
   dev-reviews            Notifications of the FreeBSD review system          
   freebsd-doc            Creating FreeBSD related documents                  
   freebsd-drivers        Writing device drivers for FreeBSD                  
   freebsd-dtrace         Using and working on DTrace in FreeBSD              
   freebsd-eclipse        FreeBSD users of Eclipse IDE, tools, rich client    
                          applications and ports.                             
   freebsd-elastic        FreeBSD-specific ElasticSearch discussions          
   freebsd-embedded       Using FreeBSD in embedded applications              
   freebsd-eol            Peer support of FreeBSD-related software that is no 
                          longer supported by the FreeBSD Project.            
   freebsd-emulation      Emulation of other systems such as                  
                          Linux/MS-DOS(R)/Windows(R)                          
   freebsd-enlightenment  Porting Enlightenment and Enlightenment             
                          applications                                        
   freebsd-erlang         FreeBSD-specific Erlang discussions                 
   freebsd-firewire       FreeBSD FireWire(R) (iLink, IEEE 1394) technical    
                          discussion                                          
   freebsd-fortran        Fortran on FreeBSD                                  
   freebsd-fs             File systems                                        
   freebsd-games          Support for Games on FreeBSD                        
   freebsd-gecko          Gecko Rendering Engine issues                       
   freebsd-geom           GEOM-specific discussions and implementations       
   freebsd-git            Discussion of git use in the FreeBSD project        
   freebsd-gnome          Porting GNOME and GNOME applications                
   freebsd-hackers        General technical discussion                        
   freebsd-haskell        FreeBSD-specific Haskell issues and discussions     
   freebsd-hardware       General discussion of hardware for running FreeBSD  
   freebsd-i18n           FreeBSD Internationalization                        
   freebsd-ia32           FreeBSD on the IA-32 (Intel(R) x86) platform        
   freebsd-ia64           Porting FreeBSD to Intel(R)'s upcoming IA64 systems 
   freebsd-infiniband     Infiniband on FreeBSD                               
   freebsd-ipfw           Technical discussion concerning the redesign of the 
                          IP firewall code                                    
   freebsd-isdn           ISDN developers                                     
   freebsd-jail           Discussion about the jail(8) facility               
   freebsd-java           Java(TM) developers and people porting JDK(TM)s to  
                          FreeBSD                                             
   freebsd-kde            Porting KDE and KDE applications                    
   freebsd-lfs            Porting LFS to FreeBSD                              
   freebsd-mips           Porting FreeBSD to MIPS(R)                          
   freebsd-mobile         Discussions about mobile computing                  
   freebsd-mono           Mono and C# applications on FreeBSD                 
   freebsd-multimedia     Multimedia applications                             
   freebsd-new-bus        Technical discussions about bus architecture        
   freebsd-net            Networking discussion and TCP/IP source code        
   freebsd-numerics       Discussions of high quality implementation of libm  
                          functions                                           
   freebsd-ocaml          FreeBSD-specific OCaml discussions                  
   freebsd-office         Office applications on FreeBSD                      
   freebsd-performance    Performance tuning questions for high               
                          performance/load installations                      
   freebsd-perl           Maintenance of a number of Perl-related ports       
   freebsd-pf             Discussion and questions about the packet filter    
                          firewall system                                     
   freebsd-pkg            Binary package management and package tools         
                          discussion                                          
   freebsd-pkg-fallout    Fallout logs from package building                  
   freebsd-pkgbase        Packaging the FreeBSD base system                   
   freebsd-platforms      Concerning ports to non Intel(R) architecture       
                          platforms                                           
   freebsd-ports          Discussion of the Ports Collection                  
   freebsd-ports-announce Important news and instructions about the Ports     
                          Collection (moderated)                              
   freebsd-ports-bugs     Discussion of the ports bugs/PRs                    
   freebsd-ppc            Porting FreeBSD to the PowerPC(R)                   
   freebsd-proliant       Technical discussion of FreeBSD on HP ProLiant      
                          server platforms                                    
   freebsd-python         FreeBSD-specific Python issues                      
   freebsd-rc             Discussion related to the rc.d system and its       
                          development                                         
   freebsd-realtime       Development of realtime extensions to FreeBSD       
   freebsd-ruby           FreeBSD-specific Ruby discussions                   
   freebsd-scsi           The SCSI subsystem                                  
   freebsd-security       Security issues affecting FreeBSD                   
   freebsd-small          Using FreeBSD in embedded applications (obsolete;   
                          use freebsd-embedded instead)                       
   freebsd-snapshots      FreeBSD Development Snapshot Announcements          
   freebsd-sparc64        Porting FreeBSD to SPARC(R) based systems           
   freebsd-standards      FreeBSD's conformance to the C99 and the POSIX(R)   
                          standards                                           
   freebsd-sysinstall     sysinstall(8) development                           
   freebsd-tcltk          FreeBSD-specific Tcl/Tk discussions                 
   freebsd-testing        Testing on FreeBSD                                  
   freebsd-tex            Porting TeX and its applications to FreeBSD         
   freebsd-threads        Threading in FreeBSD                                
   freebsd-tilera         Porting FreeBSD to the Tilera family of CPUs        
   freebsd-tokenring      Support Token Ring in FreeBSD                       
   freebsd-toolchain      Maintenance of FreeBSD's integrated toolchain       
   freebsd-translators    Translating FreeBSD documents and programs          
   freebsd-transport      Discussions of transport level network protocols in 
                          FreeBSD                                             
   freebsd-usb            Discussing FreeBSD support for USB                  
   freebsd-virtualization Discussion of various virtualization techniques     
                          supported by FreeBSD                                
   freebsd-vuxml          Discussion on VuXML infrastructure                  
   freebsd-x11            Maintenance and support of X11 on FreeBSD           
   freebsd-xen            Discussion of the FreeBSD port to Xen(TM) -         
                          implementation and usage                            
   freebsd-xfce           XFCE for FreeBSD - porting and maintaining          
   freebsd-zope           Zope for FreeBSD - porting and maintaining          

   Limited lists: The following lists are for more specialized (and
   demanding) audiences and are probably not of interest to the general
   public. It is also a good idea to establish a presence in the technical
   lists before joining one of these limited lists in order to understand the
   communications etiquette involved.

          List                                 ******                         
   freebsd-hubs        People running mirror sites (infrastructural support)  
   freebsd-user-groups User group coordination                                
   freebsd-wip-status  FreeBSD Work-In-Progress Status                        
   freebsd-wireless    Discussions of 802.11 stack, tools, device driver      
                       development                                            

   Digest lists: All of the above lists are available in a digest format.
   Once subscribed to a list, the digest options can be changed in the
   account options section.

   SVN lists: The following lists are for people interested in seeing the log
   messages for changes to various areas of the source tree. They are
   Read-Only lists and should not have mail sent to them.

           List            Source area       Area Description (source for)    
                                          All changes to the doc Subversion   
   svn-doc-all          /usr/doc          repository (except for user,        
                                          projects and translations)          
   svn-doc-head         /usr/doc          All changes to the "head" branch of 
                                          the doc Subversion repository       
   svn-doc-projects     /usr/doc/projects All changes to the projects area of 
                                          the doc Subversion repository       
                                          All changes to the administrative   
   svn-doc-svnadmin     /usr/doc          scripts, hooks, and other           
                                          configuration data of the doc       
                                          Subversion repository               
   svn-ports-all        /usr/ports        All changes to the ports Subversion 
                                          repository                          
   svn-ports-head       /usr/ports        All changes to the "head" branch of 
                                          the ports Subversion repository     
                                          All changes to the administrative   
   svn-ports-svnadmin   /usr/ports        scripts, hooks, and other           
                                          configuration data of the ports     
                                          Subversion repository               
                                          All changes to the src Subversion   
   svn-src-all          /usr/src          repository (except for user and     
                                          projects)                           
                                          All changes to the "head" branch of 
   svn-src-head         /usr/src          the src Subversion repository (the  
                                          FreeBSD-CURRENT branch)             
   svn-src-projects     /usr/projects     All changes to the projects area of 
                                          the src Subversion repository       
   svn-src-release      /usr/src          All changes to the releases area of 
                                          the src Subversion repository       
                                          All changes to the releng branches  
   svn-src-releng       /usr/src          of the src Subversion repository    
                                          (the security / release engineering 
                                          branches)                           
                                          All changes to the all stable       
   svn-src-stable       /usr/src          branches of the src Subversion      
                                          repository                          
   svn-src-stable-6     /usr/src          All changes to the stable/6 branch  
                                          of the src Subversion repository    
   svn-src-stable-7     /usr/src          All changes to the stable/7 branch  
                                          of the src Subversion repository    
   svn-src-stable-8     /usr/src          All changes to the stable/8 branch  
                                          of the src Subversion repository    
   svn-src-stable-9     /usr/src          All changes to the stable/9 branch  
                                          of the src Subversion repository    
   svn-src-stable-10    /usr/src          All changes to the stable/10 branch 
                                          of the src Subversion repository    
   svn-src-stable-11    /usr/src          All changes to the stable/11 branch 
                                          of the src Subversion repository    
   svn-src-stable-12    /usr/src          All changes to the stable/12 branch 
                                          of the src Subversion repository    
                                          All changes to the older stable     
   svn-src-stable-other /usr/src          branches of the src Subversion      
                                          repository                          
                                          All changes to the administrative   
   svn-src-svnadmin     /usr/src          scripts, hooks, and other           
                                          configuration data of the src       
                                          Subversion repository               
                                          All changes to the experimental     
   svn-src-user         /usr/src          user area of the src Subversion     
                                          repository                          
   svn-src-vendor       /usr/src          All changes to the vendor work area 
                                          of the src Subversion repository    

  C.2.2. ************

   To subscribe to a list, click the list name at
   http://lists.FreeBSD.org/mailman/listinfo. The page that is displayed
   should contain all of the necessary subscription instructions for that
   list.

   To actually post to a given list, send mail to <listname@FreeBSD.org>. It
   will then be redistributed to mailing list members world-wide.

   To unsubscribe from a list, click on the URL found at the bottom of every
   email received from the list. It is also possible to send an email to
   <listname-unsubscribe@FreeBSD.org> to unsubscribe.

   It is important to keep discussion in the technical mailing lists on a
   technical track. To only receive important announcements, instead join the
   FreeBSD announcements mailing list, which is intended for infrequent
   traffic.

  C.2.3. ************

   All FreeBSD mailing lists have certain basic rules which must be adhered
   to by anyone using them. Failure to comply with these guidelines will
   result in two (2) written warnings from the FreeBSD Postmaster
   <postmaster@FreeBSD.org>, after which, on a third offense, the poster will
   removed from all FreeBSD mailing lists and filtered from further posting
   to them. We regret that such rules and measures are necessary at all, but
   today's Internet is a pretty harsh environment, it would seem, and many
   fail to appreciate just how fragile some of its mechanisms are.

   Rules of the road:

     * The topic of any posting should adhere to the basic charter of the
       list it is posted to. If the list is about technical issues, the
       posting should contain technical discussion. Ongoing irrelevant
       chatter or flaming only detracts from the value of the mailing list
       for everyone on it and will not be tolerated. For free-form discussion
       on no particular topic, the FreeBSD chat mailing list is freely
       available and should be used instead.

     * No posting should be made to more than 2 mailing lists, and only to 2
       when a clear and obvious need to post to both lists exists. For most
       lists, there is already a great deal of subscriber overlap and except
       for the most esoteric mixes (say "-stable & -scsi"), there really is
       no reason to post to more than one list at a time. If a message is
       received with multiple mailing lists on the Cc line, trim the Cc line
       before replying. The person who replies is still responsible for
       cross-posting, no matter who the originator might have been.

     * Personal attacks and profanity (in the context of an argument) are not
       allowed, and that includes users and developers alike. Gross breaches
       of netiquette, like excerpting or reposting private mail when
       permission to do so was not and would not be forthcoming, are frowned
       upon but not specifically enforced. However, there are also very few
       cases where such content would fit within the charter of a list and it
       would therefore probably rate a warning (or ban) on that basis alone.

     * Advertising of non-FreeBSD related products or services is strictly
       prohibited and will result in an immediate ban if it is clear that the
       offender is advertising by spam.

   Individual list charters:

   freebsd-acpi

           ACPI and power management development

   freebsd-afs

           Andrew File System

           This list is for discussion on porting and using AFS from
           CMU/Transarc

   freebsd-announce

           Important events / milestones

           This is the mailing list for people interested only in occasional
           announcements of significant FreeBSD events. This includes
           announcements about snapshots and other releases. It contains
           announcements of new FreeBSD capabilities. It may contain calls
           for volunteers etc. This is a low volume, strictly moderated
           mailing list.

   freebsd-arch

           Architecture and design discussions

           This list is for discussion of the FreeBSD architecture. Messages
           will mostly be kept strictly technical in nature. Examples of
           suitable topics are:

              * How to re-vamp the build system to have several customized
                builds running at the same time.

              * What needs to be fixed with VFS to make Heidemann layers
                work.

              * How do we change the device driver interface to be able to
                use the same drivers cleanly on many buses and architectures.

              * How to write a network driver.

   freebsd-bluetooth

           Bluetooth(R) in FreeBSD

           This is the forum where FreeBSD's Bluetooth(R) users congregate.
           Design issues, implementation details, patches, bug reports,
           status reports, feature requests, and all matters related to
           Bluetooth(R) are fair game.

   freebsd-bugbusters

           Coordination of the Problem Report handling effort

           The purpose of this list is to serve as a coordination and
           discussion forum for the Bugmeister, his Bugbusters, and any other
           parties who have a genuine interest in the PR database. This list
           is not for discussions about specific bugs, patches or PRs.

   freebsd-bugs

           Bug reports

           This is the mailing list for reporting bugs in FreeBSD. Whenever
           possible, bugs should be submitted using the web interface to it.

   freebsd-chat

           Non technical items related to the FreeBSD community

           This list contains the overflow from the other lists about
           non-technical, social information. It includes discussion about
           whether Jordan looks like a toon ferret or not, whether or not to
           type in capitals, who is drinking too much coffee, where the best
           beer is brewed, who is brewing beer in their basement, and so on.
           Occasional announcements of important events (such as upcoming
           parties, weddings, births, new jobs, etc) can be made to the
           technical lists, but the follow ups should be directed to this
           -chat list.

   freebsd-chromium

           FreeBSD-specific Chromium issues

           This is a list for the discussion of Chromium support for FreeBSD.
           This is a technical list to discuss development and installation
           of Chromium.

   freebsd-cloud

           Running FreeBSD on various cloud platforms

           This list discusses running FreeBSD on Amazon EC2, Google Compute
           Engine, Microsoft Azure, and other cloud computing platforms.

   freebsd-core

           FreeBSD core team

           This is an internal mailing list for use by the core members.
           Messages can be sent to it when a serious FreeBSD-related matter
           requires arbitration or high-level scrutiny.

   freebsd-current

           Discussions about the use of FreeBSD-CURRENT

           This is the mailing list for users of FreeBSD-CURRENT. It includes
           warnings about new features coming out in -CURRENT that will
           affect the users, and instructions on steps that must be taken to
           remain -CURRENT. Anyone running "CURRENT" must subscribe to this
           list. This is a technical mailing list for which strictly
           technical content is expected.

   freebsd-desktop

           Using and improving FreeBSD on the desktop

           This is a forum for discussion of FreeBSD on the desktop. It is
           primarily a place for desktop porters and users to discuss issues
           and improve FreeBSD's desktop support.

   dev-ci

           Continuous Integration reports of build and test results

           All Continuous Integration reports of build and test results

   dev-reviews

           Notifications of work in progress in FreeBSD's review tool

           Automated notifications of work in progress for review in
           FreeBSD's review tools, including patches.

   freebsd-doc

           Documentation Project

           This mailing list is for the discussion of issues and projects
           related to the creation of documentation for FreeBSD. The members
           of this mailing list are collectively referred to as "The FreeBSD
           Documentation Project". It is an open list; feel free to join and
           contribute!

   freebsd-drivers

           Writing device drivers for FreeBSD

           This is a forum for technical discussions related to device
           drivers on FreeBSD. It is primarily a place for device driver
           writers to ask questions about how to write device drivers using
           the APIs in the FreeBSD kernel.

   freebsd-dtrace

           Using and working on DTrace in FreeBSD

           DTrace is an integrated component of FreeBSD that provides a
           framework for understanding the kernel as well as user space
           programs at run time. The mailing list is an archived discussion
           for developers of the code as well as those using it.

   freebsd-eclipse

           FreeBSD users of Eclipse IDE, tools, rich client applications and
           ports.

           The intention of this list is to provide mutual support for
           everything to do with choosing, installing, using, developing and
           maintaining the Eclipse IDE, tools, rich client applications on
           the FreeBSD platform and assisting with the porting of Eclipse IDE
           and plugins to the FreeBSD environment.

           The intention is also to facilitate exchange of information
           between the Eclipse community and the FreeBSD community to the
           mutual benefit of both.

           Although this list is focused primarily on the needs of Eclipse
           users it will also provide a forum for those who would like to
           develop FreeBSD specific applications using the Eclipse framework.

   freebsd-embedded

           Using FreeBSD in embedded applications

           This list discusses topics related to using FreeBSD in embedded
           systems. This is a technical mailing list for which strictly
           technical content is expected. For the purpose of this list,
           embedded systems are those computing devices which are not
           desktops and which usually serve a single purpose as opposed to
           being general computing environments. Examples include, but are
           not limited to, all kinds of phone handsets, network equipment
           such as routers, switches and PBXs, remote measuring equipment,
           PDAs, Point Of Sale systems, and so on.

   freebsd-emulation

           Emulation of other systems such as Linux/MS-DOS(R)/Windows(R)

           This is a forum for technical discussions related to running
           programs written for other operating systems on FreeBSD.

   freebsd-enlightenment

           Enlightenment

           Discussions concerning the Enlightenment Desktop Environment for
           FreeBSD systems. This is a technical mailing list for which
           strictly technical content is expected.

   freebsd-eol

           Peer support of FreeBSD-related software that is no longer
           supported by the FreeBSD Project.

           This list is for those interested in providing or making use of
           peer support of FreeBSD-related software for which the FreeBSD
           Project no longer provides official support in the form of
           security advisories and patches.

   freebsd-firewire

           FireWire(R) (iLink, IEEE 1394)

           This is a mailing list for discussion of the design and
           implementation of a FireWire(R) (aka IEEE 1394 aka iLink)
           subsystem for FreeBSD. Relevant topics specifically include the
           standards, bus devices and their protocols, adapter
           boards/cards/chips sets, and the architecture and implementation
           of code for their proper support.

   freebsd-fortran

           Fortran on FreeBSD

           This is the mailing list for discussion of Fortran related ports
           on FreeBSD: compilers, libraries, scientific and engineering
           applications from laptops to HPC clusters.

   freebsd-fs

           File systems

           Discussions concerning FreeBSD filesystems. This is a technical
           mailing list for which strictly technical content is expected.

   freebsd-games

           Games on FreeBSD

           This is a technical list for discussions related to bringing games
           to FreeBSD. It is for individuals actively working on porting
           games to FreeBSD, to bring up problems or discuss alternative
           solutions. Individuals interested in following the technical
           discussion are also welcome.

   freebsd-gecko

           Gecko Rendering Engine

           This is a forum about Gecko applications using FreeBSD.

           Discussion centers around Gecko Ports applications, their
           installation, their development and their support within FreeBSD.

   freebsd-geom

           GEOM

           Discussions specific to GEOM and related implementations. This is
           a technical mailing list for which strictly technical content is
           expected.

   freebsd-git

           Use of git in the FreeBSD project

           Discussions of how to use git in FreeBSD infrastructure including
           the github mirror and other uses of git for project collaboration.
           Discussion area for people using git against the FreeBSD github
           mirror. People wanting to get started with the mirror or git in
           general on FreeBSD can ask here.

   freebsd-gnome

           GNOME

           Discussions concerning The GNOME Desktop Environment for FreeBSD
           systems. This is a technical mailing list for which strictly
           technical content is expected.

   freebsd-infiniband

           Infiniband on FreeBSD

           Technical mailing list discussing Infiniband, OFED, and OpenSM on
           FreeBSD.

   freebsd-ipfw

           IP Firewall

           This is the forum for technical discussions concerning the
           redesign of the IP firewall code in FreeBSD. This is a technical
           mailing list for which strictly technical content is expected.

   freebsd-ia64

           Porting FreeBSD to IA64

           This is a technical mailing list for individuals actively working
           on porting FreeBSD to the IA-64 platform from Intel(R), to bring
           up problems or discuss alternative solutions. Individuals
           interested in following the technical discussion are also welcome.

   freebsd-isdn

           ISDN Communications

           This is the mailing list for people discussing the development of
           ISDN support for FreeBSD.

   freebsd-java

           Java(TM) Development

           This is the mailing list for people discussing the development of
           significant Java(TM) applications for FreeBSD and the porting and
           maintenance of JDK(TM)s.

   freebsd-jobs

           Jobs offered and sought

           This is a forum for posting employment notices specifically
           related to FreeBSD and resumes from those seeking FreeBSD-related
           employment. This is not a mailing list for general employment
           issues since adequate forums for that already exist elsewhere.

           Note that this list, like other FreeBSD.org mailing lists, is
           distributed worldwide. Be clear about the geographic location and
           the extent to which telecommuting or assistance with relocation is
           available.

           Email should use open formats only - preferably plain text, but
           basic Portable Document Format (PDF), HTML, and a few others are
           acceptable to many readers. Closed formats such as Microsoft(R)
           Word (.doc) will be rejected by the mailing list server.

   freebsd-kde

           KDE

           Discussions concerning KDE on FreeBSD systems. This is a technical
           mailing list for which strictly technical content is expected.

   freebsd-hackers

           Technical discussions

           This is a forum for technical discussions related to FreeBSD. This
           is the primary technical mailing list. It is for individuals
           actively working on FreeBSD, to bring up problems or discuss
           alternative solutions. Individuals interested in following the
           technical discussion are also welcome. This is a technical mailing
           list for which strictly technical content is expected.

   freebsd-hardware

           General discussion of FreeBSD hardware

           General discussion about the types of hardware that FreeBSD runs
           on, various problems and suggestions concerning what to buy or
           avoid.

   freebsd-hubs

           Mirror sites

           Announcements and discussion for people who run FreeBSD mirror
           sites.

   freebsd-isp

           Issues for Internet Service Providers

           This mailing list is for discussing topics relevant to Internet
           Service Providers (ISPs) using FreeBSD. This is a technical
           mailing list for which strictly technical content is expected.

   freebsd-mono

           Mono and C# applications on FreeBSD

           This is a list for discussions related to the Mono development
           framework on FreeBSD. This is a technical mailing list. It is for
           individuals actively working on porting Mono or C# applications to
           FreeBSD, to bring up problems or discuss alternative solutions.
           Individuals interested in following the technical discussion are
           also welcome.

   freebsd-ocaml

           FreeBSD-specific OCaml discussions

           This is a list for discussions related to the OCaml support on
           FreeBSD. This is a technical mailing list. It is for individuals
           working on OCaml ports, 3rd party libraries and frameworks.
           Individuals interested in the technical discussion are also
           welcome.

   freebsd-office

           Office applications on FreeBSD

           Discussion centers around office applications, their installation,
           their development and their support within FreeBSD.

   freebsd-ops-announce

           Project Infrastructure Announcements

           This is the mailing list for people interested in changes and
           issues related to the FreeBSD.org Project infrastructure.

           This moderated list is strictly for announcements: no replies,
           requests, discussions, or opinions.

   freebsd-performance

           Discussions about tuning or speeding up FreeBSD

           This mailing list exists to provide a place for hackers,
           administrators, and/or concerned parties to discuss performance
           related topics pertaining to FreeBSD. Acceptable topics includes
           talking about FreeBSD installations that are either under high
           load, are experiencing performance problems, or are pushing the
           limits of FreeBSD. Concerned parties that are willing to work
           toward improving the performance of FreeBSD are highly encouraged
           to subscribe to this list. This is a highly technical list ideally
           suited for experienced FreeBSD users, hackers, or administrators
           interested in keeping FreeBSD fast, robust, and scalable. This
           list is not a question-and-answer list that replaces reading
           through documentation, but it is a place to make contributions or
           inquire about unanswered performance related topics.

   freebsd-pf

           Discussion and questions about the packet filter firewall system

           Discussion concerning the packet filter (pf) firewall system in
           terms of FreeBSD. Technical discussion and user questions are both
           welcome. This list is also a place to discuss the ALTQ QoS
           framework.

   freebsd-pkg

           Binary package management and package tools discussion

           Discussion of all aspects of managing FreeBSD systems by using
           binary packages to install software, including binary package
           toolkits and formats, their development and support within
           FreeBSD, package repository management, and third party packages.

           Note that discussion of ports which fail to generate packages
           correctly should generally be considered as ports problems, and so
           inappropriate for this list.

   freebsd-pkg-fallout

           Fallout logs from package building

           All packages building failures logs from the package building
           clusters

   freebsd-pkgbase

           Packaging the FreeBSD base system.

           Discussions surrounding implementation and issues regarding
           packaging the FreeBSD base system.

   freebsd-platforms

           Porting to Non Intel(R) platforms

           Cross-platform FreeBSD issues, general discussion and proposals
           for non Intel(R) FreeBSD ports. This is a technical mailing list
           for which strictly technical content is expected.

   freebsd-ports

           Discussion of "ports"

           Discussions concerning FreeBSD's "ports collection" (/usr/ports),
           ports infrastructure, and general ports coordination efforts. This
           is a technical mailing list for which strictly technical content
           is expected.

   freebsd-ports-announce

           Important news and instructions about the FreeBSD "Ports
           Collection"

           Important news for developers, porters, and users of the "Ports
           Collection" (/usr/ports), including architecture/infrastructure
           changes, new capabilities, critical upgrade instructions, and
           release engineering information. This is a low-volume mailing
           list, intended for announcements.

   freebsd-ports-bugs

           Discussion of "ports" bugs

           Discussions concerning problem reports for FreeBSD's "ports
           collection" (/usr/ports), proposed ports, or modifications to
           ports. This is a technical mailing list for which strictly
           technical content is expected.

   freebsd-proliant

           Technical discussion of FreeBSD on HP ProLiant server platforms

           This mailing list is to be used for the technical discussion of
           the usage of FreeBSD on HP ProLiant servers, including the
           discussion of ProLiant-specific drivers, management software,
           configuration tools, and BIOS updates. As such, this is the
           primary place to discuss the hpasmd, hpasmcli, and hpacucli
           modules.

   freebsd-python

           Python on FreeBSD

           This is a list for discussions related to improving Python-support
           on FreeBSD. This is a technical mailing list. It is for
           individuals working on porting Python, its third party modules and
           Zope stuff to FreeBSD. Individuals interested in following the
           technical discussion are also welcome.

   freebsd-questions

           User questions

           This is the mailing list for questions about FreeBSD. Do not send
           "how to" questions to the technical lists unless the question is
           quite technical.

   freebsd-ruby

           FreeBSD-specific Ruby discussions

           This is a list for discussions related to the Ruby support on
           FreeBSD. This is a technical mailing list. It is for individuals
           working on Ruby ports, third party libraries and frameworks.

           Individuals interested in the technical discussion are also
           welcome.

   freebsd-scsi

           SCSI subsystem

           This is the mailing list for people working on the SCSI subsystem
           for FreeBSD. This is a technical mailing list for which strictly
           technical content is expected.

   freebsd-security

           Security issues

           FreeBSD computer security issues (DES, Kerberos, known security
           holes and fixes, etc). This is a technical mailing list for which
           strictly technical discussion is expected. Note that this is not a
           question-and-answer list, but that contributions (BOTH question
           AND answer) to the FAQ are welcome.

   freebsd-security-notifications

           Security Notifications

           Notifications of FreeBSD security problems and fixes. This is not
           a discussion list. The discussion list is FreeBSD-security.

   freebsd-small

           Using FreeBSD in embedded applications

           This list discusses topics related to unusually small and embedded
           FreeBSD installations. This is a technical mailing list for which
           strictly technical content is expected.

  ******:

           This list has been obsoleted by freebsd-embedded.

   freebsd-snapshots

           FreeBSD Development Snapshot Announcements

           This list provides notifications about the availability of new
           FreeBSD development snapshots for the head/ and stable/ branches.

   freebsd-stable

           Discussions about the use of FreeBSD-STABLE

           This is the mailing list for users of FreeBSD-STABLE. "STABLE" is
           the branch where development continues after a RELEASE, including
           bug fixes and new features. The ABI is kept stable for binary
           compatibility. It includes warnings about new features coming out
           in -STABLE that will affect the users, and instructions on steps
           that must be taken to remain -STABLE. Anyone running "STABLE"
           should subscribe to this list. This is a technical mailing list
           for which strictly technical content is expected.

   freebsd-standards

           C99 & POSIX Conformance

           This is a forum for technical discussions related to FreeBSD
           Conformance to the C99 and the POSIX standards.

   freebsd-teaching

           Teaching with FreeBSD

           Non technical mailing list discussing teaching with FreeBSD.

   freebsd-testing

           Testing on FreeBSD

           Technical mailing list discussing testing on FreeBSD, including
           ATF/Kyua, test build infrastructure, port tests to FreeBSD from
           other operating systems (NetBSD, ...), etc.

   freebsd-tex

           Porting TeX and its applications to FreeBSD

           This is a technical mailing list for discussions related to TeX
           and its applications on FreeBSD. It is for individuals actively
           working on porting TeX to FreeBSD, to bring up problems or discuss
           alternative solutions. Individuals interested in following the
           technical discussion are also welcome.

   freebsd-toolchain

           Maintenance of FreeBSD's integrated toolchain

           This is the mailing list for discussions related to the
           maintenance of the toolchain shipped with FreeBSD. This could
           include the state of Clang and GCC, but also pieces of software
           such as assemblers, linkers and debuggers.

   freebsd-transport

           Discussions of transport level network protocols in FreeBSD

           The transport mailing list exists for the discussion of issues and
           designs around the transport level protocols in the FreeBSD
           network stack, including TCP, SCTP and UDP. Other networking
           topics, including driver specific and network protocol issues
           should be discussed on the FreeBSD networking mailing list.

   freebsd-translators

           Translating FreeBSD documents and programs

           A discussion list where translators of FreeBSD documents from
           English into other languages can talk about translation methods
           and tools. New members are asked to introduce themselves and
           mention the languages they are interested in translating.

   freebsd-usb

           Discussing FreeBSD support for USB

           This is a mailing list for technical discussions related to
           FreeBSD support for USB.

   freebsd-user-groups

           User Group Coordination List

           This is the mailing list for the coordinators from each of the
           local area Users Groups to discuss matters with each other and a
           designated individual from the Core Team. This mail list should be
           limited to meeting synopsis and coordination of projects that span
           User Groups.

   freebsd-virtualization

           Discussion of various virtualization techniques supported by
           FreeBSD

           A list to discuss the various virtualization techniques supported
           by FreeBSD. On one hand the focus will be on the implementation of
           the basic functionality as well as adding new features. On the
           other hand users will have a forum to ask for help in case of
           problems or to discuss their use cases.

   freebsd-wip-status

           FreeBSD Work-In-Progress Status

           This mailing list can be used by developers to announce the
           creation and progress of FreeBSD related work. Messages will be
           moderated. It is suggested to send the message "To:" a more
           topical FreeBSD list and only "BCC:" this list. This way the WIP
           can also be discussed on the topical list, as no discussion is
           allowed on this list.

           Look inside the archives for examples of suitable messages.

           An editorial digest of the messages to this list might be posted
           to the FreeBSD website every few months as part of the Status
           Reports [3]. Past reports are archived.

   freebsd-wireless

           Discussions of 802.11 stack, tools device driver development

           The FreeBSD-wireless list focuses on 802.11 stack (sys/net80211),
           device driver and tools development. This includes bugs, new
           features and maintenance.

   freebsd-xen

           Discussion of the FreeBSD port to Xen(TM) - implementation and
           usage

           A list that focuses on the FreeBSD Xen(TM) port. The anticipated
           traffic level is small enough that it is intended as a forum for
           both technical discussions of the implementation and design
           details as well as administrative deployment issues.

   freebsd-xfce

           XFCE

           This is a forum for discussions related to bring the XFCE
           environment to FreeBSD. This is a technical mailing list. It is
           for individuals actively working on porting XFCE to FreeBSD, to
           bring up problems or discuss alternative solutions. Individuals
           interested in following the technical discussion are also welcome.

   freebsd-zope

           Zope

           This is a forum for discussions related to bring the Zope
           environment to FreeBSD. This is a technical mailing list. It is
           for individuals actively working on porting Zope to FreeBSD, to
           bring up problems or discuss alternative solutions. Individuals
           interested in following the technical discussion are also welcome.

  C.2.4. ************************

   The FreeBSD mailing lists are filtered in multiple ways to avoid the
   distribution of spam, viruses, and other unwanted emails. The filtering
   actions described in this section do not include all those used to protect
   the mailing lists.

   Only certain types of attachments are allowed on the mailing lists. All
   attachments with a MIME content type not found in the list below will be
   stripped before an email is distributed on the mailing lists.

     * application/octet-stream

     * application/pdf

     * application/pgp-signature

     * application/x-pkcs7-signature

     * message/rfc822

     * multipart/alternative

     * multipart/related

     * multipart/signed

     * text/html

     * text/plain

     * text/x-diff

     * text/x-patch

  ******:

   Some of the mailing lists might allow attachments of other MIME content
   types, but the above list should be applicable for most of the mailing
   lists.

   If an email contains both an HTML and a plain text version, the HTML
   version will be removed. If an email contains only an HTML version, it
   will be converted to plain text.

C.3. Usenet ************

   In addition to two FreeBSD specific newsgroups, there are many others in
   which FreeBSD is discussed or are otherwise relevant to FreeBSD users.

  C.3.1. BSD ******************

     * comp.unix.bsd.freebsd.announce

     * comp.unix.bsd.freebsd.misc

     * de.comp.os.unix.bsd (German)

     * fr.comp.os.bsd (French)

  C.3.2. *************** UNIX(R) ************

     * comp.unix

     * comp.unix.questions

     * comp.unix.admin

     * comp.unix.programmer

     * comp.unix.shell

     * comp.unix.misc

     * comp.unix.bsd

  C.3.3. X ************

     * comp.windows.x

C.4. ***************

   ***************,_************ (Armenia),_****** (Australia),_*********
   (Austria),_****** (Czech Republic),_****** (Denmark),_******
   (Finland),_****** (France),_****** (Germany),_****** (Hong
   Kong),_********* (Ireland),_****** (Japan),_************
   (Latvia),_********* (Lithuania),_****** (Netherlands),_******
   (Norway),_********* (Russia),_*************** (Slovenia),_****** (South
   Africa),_********* (Spain),_****** (Sweden),_****** (Switzerland),_******
   (Taiwan),_****** (United Kingdom),_****** (USA)._

   (as of UTC)

     * ***************

          * https://www.FreeBSD.org/

     * ************ (Armenia)

          * http://www1.am.FreeBSD.org/ (IPv6)

     * ****** (Australia)

          * http://www.au.FreeBSD.org/

          * http://www2.au.FreeBSD.org/

     * ********* (Austria)

          * http://www.at.FreeBSD.org/ (IPv6)

     * ****** (Czech Republic)

          * http://www.cz.FreeBSD.org/ (IPv6)

     * ****** (Denmark)

          * http://www.dk.FreeBSD.org/ (IPv6)

     * ****** (Finland)

          * http://www.fi.FreeBSD.org/

     * ****** (France)

          * http://www1.fr.FreeBSD.org/

     * ****** (Germany)

          * http://www.de.FreeBSD.org/

     * ****** (Hong Kong)

          * http://www.hk.FreeBSD.org/

     * ********* (Ireland)

          * http://www.ie.FreeBSD.org/

     * ****** (Japan)

          * http://www.jp.FreeBSD.org/www.FreeBSD.org/ (IPv6)

     * ************ (Latvia)

          * http://www.lv.FreeBSD.org/

     * ********* (Lithuania)

          * http://www.lt.FreeBSD.org/

     * ****** (Netherlands)

          * http://www.nl.FreeBSD.org/

     * ****** (Norway)

          * http://www.no.FreeBSD.org/

     * ********* (Russia)

          * http://www.ru.FreeBSD.org/ (IPv6)

     * *************** (Slovenia)

          * http://www.si.FreeBSD.org/

     * ****** (South Africa)

          * http://www.za.FreeBSD.org/

     * ********* (Spain)

          * http://www.es.FreeBSD.org/

          * http://www2.es.FreeBSD.org/

     * ****** (Sweden)

          * http://www.se.FreeBSD.org/

     * ****** (Switzerland)

          * http://www.ch.FreeBSD.org/ (IPv6)

          * http://www2.ch.FreeBSD.org/ (IPv6)

     * ****** (Taiwan)

          * http://www.tw.FreeBSD.org/

          * http://www2.tw.FreeBSD.org/

          * http://www4.tw.FreeBSD.org/

          * http://www5.tw.FreeBSD.org/ (IPv6)

     * ****** (United Kingdom)

          * http://www1.uk.FreeBSD.org/

          * http://www3.uk.FreeBSD.org/

     * ****** (USA)

          * http://www5.us.FreeBSD.org/ (IPv6)

     ----------------------------------------------------------------------

   [3] https://www.freebsd.org/news/status/

****** D. OpenPGP ******

   ************

   D.1. ******

   The OpenPGP keys of the FreeBSD.org officers are shown here. These keys
   can be used to verify a signature or send encrypted email to one of the
   officers. A full list of FreeBSD OpenPGP keys is available in the PGP Keys
   article. The complete keyring can be downloaded at
   https://www.FreeBSD.org/doc/pgpkeyring.txt.

D.1. ******

  D.1.1. Security Officer Team <security-officer@FreeBSD.org>

 pub   rsa4096/D39792F49EA7E5C2 2017-08-16 [SC] [expires: 2023-01-02]
       Key fingerprint = FC0E 878A E5AF E788 028D  6355 D397 92F4 9EA7 E5C2
 uid                            FreeBSD Security Officer <security-officer@FreeBSD.org>
 sub   rsa4096/6DD0A349F26ADEFD 2017-08-16 [E] [expires: 2023-01-02]


 -----BEGIN PGP PUBLIC KEY BLOCK-----

 mQINBFmT2+ABEACrTVJ7Z/MuDeyKFqoTFnm5FrGG55k66RLeKivzQzq/tT/6RKO9
 K8DaEvSIqD9b0/xgK02KgLSdp0Bucq8HLDFYUk3McFa6Z3YwjobNCWkxc72ipvVl
 uAOGN4H6fuoYOpeg4cLK1H9pktUIrzONTCixaZzc/Bu6X+aX4ywGeCfsuu8g5v03
 fLCPBLLgf3Bm5wsyZ6ZaGmsmILrWzd+d/rbr35Mcc5BekdgywUI4R191qo1bdrw9
 mEJP1V7Ik3jpExOsNnuhMTvm5OQMeCTfUvVEOtBU15QtbT+1LXF5FIOgML0LwS5v
 RHZN+5w/xvzSnEULpj24UuMKLDs/u9rj8U/zET8QaE+oG7m/mr4jJWZEmdX8HKdO
 WrpnVj6UAppk72qdBIEfLsOW2xB/NOjJpppbCQH3+sw7DRYA2UnKE9Mptj/KKiE4
 cs4c8Cupo2WSu93lEZDC5rCrULpT2lFeEXnRYlC/5oIgY5w9sFide9VI4CzHkkWX
 Z2NPW/i1w3mFhoXjvnNLGOYMfAMKPxsRC2/Bn3bY0IhKvuIZ4rAeu7FTmKDDqFKQ
 YEcrUOW74ZVng17AB29xzjWr4zNJVvp/CybFiUb8JoKkwtVWRqAVZIEgenAjU40d
 G5+W4e+ccL0mfTQfEBbXRjnL2BL2tnaoBR42cTfbZGRucPHz7MrlKBEeZQARAQAB
 tDdGcmVlQlNEIFNlY3VyaXR5IE9mZmljZXIgPHNlY3VyaXR5LW9mZmljZXJARnJl
 ZUJTRC5vcmc+iQJUBBMBCgA+FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlmT2+AC
 GwMFCQoek4AFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQ05eS9J6n5cKd9A/9
 Fz3uGjNy28D0ALT1d/JJGzdQ2R3YwspHk9KHBr1LePkog9wf1WRalwCeNtPmA+g5
 cn24psuzOeh1tRElImTZ2eE2ENPZ9XzK/J0ok0nK42MvmIwmMCyz+CaWv9GXW+FK
 0oXnFmHi4YaQUVN3p+45TGkD9T+O5biVww7P47n/NnWsTfhLx0bzC7LyjPKXINai
 /LgPgtlcOgY65/YhW/qhADCkoU7qMp9is41jMjTu1WB3OBPJkUkNpHfu6r15y8FN
 Wqsk7K4W6Obr/WQ6VKGGXgh/a5mTcaEoFGMO16uHijAY4nXeb2HGZlBKxgmPH9Ur
 aT4A9Pz/n+rIRMrK+rs+msFPemQHHNBYxy+x99uBpRBNyT2Su6GouZIxu5J16aIM
 V0ZyOy/dy7m/uJ4sMhJPqKkd8a+MoQs/2L1M1y1EAzsO/QZqIrKrCluaftNN9k/B
 qU0XClSDqB6sRMF7HFzYqb+f+M6cwSL/3Cp1Yx4rZ/onEE/MdWp64+3R87dETTXd
 5tWXQw04qOhfPri5cBTI7r3t/qMO1iNXCGSG5RJbGkas6N6t6Mj83L4ItjI8doLf
 aSIWZjj1XP3/me2hFJ6h2G5y5A+khO4ZwhC0ATFSq1fYbVGHw5AtfthIgNn8FoWu
 +Sb8h7/RqTr7F6LgWagAoAh0GtVj02SVABZjcNZz/AKJAjcEEAEKACEWIQQc9/9v
 rfXKn74bjLLtZ+zWXc9q5wUCWZPcTAMFAngACgkQ7Wfs1l3PauflkRAAgYcaBX0Y
 ic4btxKoP/eOVpgUciOPPKEhDCiloQDyf4XQnZFDoMfjgcHpbLTBZ6kiAz2UzDGr
 fJ4yUqrD+xfixUfCd5YpwzsaSpCGzDzSxOBcP/SpuAFhe40awSOIf5MruQar9Mlf
 33JyslDLULXXeewAq2pcGk0/WrrOragI6Cs2vPGy9XP96VvLxyhjrWjlKmnO+//w
 UF8oIO5hhKoqbtoxxlcqJgsWVyHch0mnPzvr6GWwoPhFXocnh1oPdbLjX1AwmGm9
 ltEYMge4QxONIXlXJR0TvuDuJOaLNvTOC3OI8L97fdBcZS7eNJrG5FAYR5Ft3ISf
 KJowIsSLGDt/cYApqpyP2pv7FpCvnwHgXHYar7/q4zhngCFRxQ2DPUx1cIJQ3Bgh
 HZolKyK1X7XE5ZVDfZ3s3gcHSVKS89pipgHHZNr4sSmOanA8rXHcyHS4o2zSi1ie
 r4iBwnOk6cCd6UNzEIiq0y/XhP/sc7xeL0mn3wDuV7jDBP9sp65sexL1qtIAfnzL
 pLQevm0z41ifrUH5nNeL6RdbXpaoXc8M4PJJeQKJDu04KzLcQpZdUdCJsbS6QO9w
 srWR8enQXPEhz2CO4L77bM9TgYO29222jTqEPcbXcmxF/klxO1rpssTTHUnHHi1Z
 LUGYCbZPjt+laTJ2YPHTjUtN1Jw85vSKCEuJATMEEAEKAB0WIQS7KNQLNg7uk2rt
 FW/l97zLo73d+AUCWjSYRwAKCRDl97zLo73d+JKyB/9N5Ytao12nD5QzMLvceGh5
 otCLN99TUryYiDVDLoNkBivq3jHQA/hOX2rwEueFq0+LF8/2DnglJuUICNtCxIzL
 WXXf/Hr5iWBUQ0JxYNPQzzjdMSXGE0WMwYVpAbCGxHpIsetKLdHUCwneYhaywe3I
 KzmRJSDJGV1IJB0sAfoFtgybZXHgIR61jQjtnNmmyYXliYCd0wmIhXQDFN91tzzG
 +EZdJ3Fao9JsMC+x55jO6EOLVySZgRF5E8vCeKUWemQciKFC7EhKcljILPYAA21u
 NmHCAgRHKWU9JMdFK0w9lQuN2HQaNfkahjarTNM/Q6LwxY0dLG0vVYifE085WFAf
 uQINBFmT2+ABEACxi39m5nQZexzY3c9sg/w5mUYCD89ZNSkj427gduQMYYGn7YW6
 jSPfVJ/V3+PDK824c0a0XasyDapQFY1CPTZYrReRPoyjb8tJjsSVGXXCTFpJZlFU
 br6kS9mgcx58Sypke2PMVk73+W1N1Yco+nahfTECRuM2/T2zHHr0AdKuBPF28U+H
 TxyLatKoIgQwHDs4E/f4ZTbAoHvu3PixAl7XHVXCgz0cHaLhRljXizbZDXngOdGm
 lqdFlAIpL6/l8E3m1Er0m3IfFo6qSzWRHg/KaBGIL4YKetJ6ACjlkCe5qbatDpmk
 gWlg3Ux4RBVjyCK834Xh7eZpEcNf2iwpm28glWh7XMHGUplTHkU3PWQ4vGfNxXB8
 HBOd9r02/cHL6MiHwhCAfIzZGVtqR0i9Ira57TMdXTpJWNXUcgsCMsi/Bg2a+hsn
 aiYLrZc18uNL5nqOqsqKG3c1TcmeN7nbxVgnrNST4AjteulkhmB9p8tNOXA3u979
 OO0T5LPwdqIpobdZ0lfw4URnAGw4Wd4Sm9PtRw0RvuAk2M2e5KXNyxPWAuMVkoRR
 a7wG6h/R8pki54Gexyc+JkfB4ZcOrzHNLurw6DhxroyfRs8WEgX0wNIGmJvCXSBG
 54jb5w9qudYwzIg4YPfvuX8sfeY8MTNhal3rF0tvVloGj3l709wlaWlBYwARAQAB
 iQI8BBgBCgAmFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlmT2+ACGwwFCQoek4AA
 CgkQ05eS9J6n5cKhWw/+PT0R4r2gPAxI8ESEe380BYOmneNAH24MFOgWXqWCj4zX
 Uz992BVnW2aL5nH4O5d822LGeCrYUC7SCpQvlifdHZHjobgtizLTwuu40bc3gSOz
 cxWlx2jKfx3Ezn6QQz2mhhK6fZ1AO0ObiQxQq25ldURep95L78E/C8XkCe11YlUR
 ng3wQKeHM7awZWRw/QBC92haHuVtU3cx7At+zQL7jTBKSZqd34zzs0uoXIhk2h94
 O07MMDZ8z8MeU337vdL+RKYtD2bljLwpf7/kqg1D/q44RJ4ZpZcha9G0GvtLaQg2
 +MAPlLg1vOWZ8wOTLaQHm+uzYRpkqxkIV8OuVd4UikCd8t3VNjNG5rG/YRNIAX0A
 UEzs6oMF5YOFE8LmykesbUHAbC07Vcb0AsT5u3XKixDiIpPdnYSwGlkvoOVVLdeh
 q/aXLK9V8BpViG5+a8xP2fdF1eMqdnrKAsiO4GEiq193PN/FA049VeIs3fd0izAa
 x7+ag1MGtoF5Pij5iTVJm6phH5SUd1P3FY3OmclxWj/MbL4ba/G/6FWcy5NXxdw9
 L1bRqaM2KEHJ67aF6NZz7UMldwExAWzFbUon1LUpKysAukxVf0EnntydBeVOQ+JO
 HdqEpirrVLMpxPttUB2xxbo947nMj7/Bnme2gvb0vxaC9xSGVxrpW9cg5iCwSdc=
 =8rds
 -----END PGP PUBLIC KEY BLOCK-----

  D.1.2. Security Team Secretary <secteam-secretary@FreeBSD.org>

 pub   4096R/3CB2EAFCC3D6C666 2013-09-24 [expires: 2018-01-01]
       Key fingerprint = FA97 AA04 4DF9 0969 D5EF  4ADA 3CB2 EAFC C3D6 C666
 uid                          FreeBSD Security Team Secretary <secteam-secretary@FreeBSD.org>
 sub   4096R/509B26612335EB65 2013-09-24 [expires: 2018-01-01]

 -----BEGIN PGP PUBLIC KEY BLOCK-----

 mQINBFJBjIIBEADadvvpXSkdnBOGV2xcsFwBBcSwAdryWuLk6v2VxjwsPcY6Lwqz
 NAZr2Ox1BaSgX7106Psa6v9si8nxoOtMc5BCM/ps/fmedFU48YtqOTGF+utxvACg
 Ou6SKintEMUa1eoPcww1jzDZ3mxx49bQaNAJLjVxeiAZoYHe9loTe1fxsprCONnx
 Era1hrI+YA2KjMWDORcwa0sSXRCI3V+b4PUnbMUOQa3fFVUriM4QjjUBU6hW0Ub0
 GDPcZq45nd7PoPPtb3/EauaYfk/zdx8Xt0OmuKTi9/vMkvB09AEUyShbyzoebaKH
 dKtXlzyAPCZoH9dihFM67rhUg4umckFLc8vc5P2tNblwYrnhgL8ymUaOIjZB/fOi
 Z2OZLVCiDeHNjjK3VZ6jLAiPyiYTG1Hrk9E8NaZDeUgIb9X/K06JXVBQIKNSGfX5
 LLp/j2wr+Kbg3QtEBkcStlUGBOzfcbhKpE2nySnuIyspfDb/6JbhD/qYqMJerX0T
 d5ekkJ1tXtM6aX2iTXgZ8cqv+5gyouEF5akrkLi1ySgZetQfjm+zhy/1x/NjGd0u
 35QbUye7sTbfSimwzCXKIIpy06zIO4iNA0P/vgG4v7ydjMvXsW8FRULSecDT19Gq
 xOZGfSPVrSRSAhgNxHzwUivxJbr05NNdwhJSbx9m57naXouLfvVPAMeJYwARAQAB
 tD9GcmVlQlNEIFNlY3VyaXR5IFRlYW0gU2VjcmV0YXJ5IDxzZWN0ZWFtLXNlY3Jl
 dGFyeUBGcmVlQlNELm9yZz6JAj0EEwEKACcFAlJBjIICGwMFCQgH7b8FCwkIBwMF
 FQoJCAsFFgIDAQACHgECF4AACgkQPLLq/MPWxmYt8Q/+IfFhPIbqglh4rwFzgR58
 8YonMZcq+5Op3qiUBh6tE6yRz6VEqBqTahyCQGIk4xGzrHSIOIj2e6gEk5a4zYtf
 0jNJprk3pxu2Og05USJmd8lPSbyBF20FVm5W0dhWMKHagL5dGS8zInlwRYxr6mMi
 UuJjj+2Hm3PoUNGAwL1SH2BVOeAeudtzu80vAlbRlujYVmjIDn/dWVjqnWgEBNHT
 SD+WpA3yW4mBJyxWil0sAJQbTlt5EM/XPORVZ2tvETxJIrXea/Sda9mFwvJ02pJn
 gHi6TGyOYydmbu0ob9Ma9AvUrRlxv8V9eN7eZUtvNa6n+IT8WEJj2+snJlO4SpHL
 D3Z+l7zwfYeM8FOdzGZdVFgxeyBU7t3AnPjYfHmoneqgLcCO0nJDKq/98ohz5T9i
 FbNR/vtLaEiYFBeX3C9Ee96pP6BU26BXhw+dRSnFeyIhD+4g+/AZ0XJ1CPF19D+5
 z0ojanJkh7lZn4JL+V6+mF1eOExiGrydIiiSXDA/p5FhavMMu8Om4S0sn5iaQ2aX
 wRUv2SUKhbHDqhIILLeQKlB3X26obx1Vg0nRhy47qNQn/xc9oSWLAQSVOgsShQeC
 6DSzrKIBdKB3V8uWOmuM7lWAoCP53bDRW+XIOu9wfpSaXN2VTyqzU7zpTq5BHX1a
 +XRw8KNHZGnCSAOCofZWnKyJAhwEEAEKAAYFAlJBjYgACgkQ7Wfs1l3PaudFcQ//
 UiM7EXsIHLwHxez32TzA/0uNMPWFHQN4Ezzg4PKB6Cc4amva5qbgbhoeCPuP+XPI
 2ELfRviAHbmyZ/zIgqplDC4nmyisMoKlpK0Yo1w4qbix9EVVZr2ztL8F43qN3Xe/
 NUSMTBgt/Jio7l5lYyhuVS3JQCfDlYGbq6NPk0xfYoYOMOZASoPhEquCxM5D4D0Z
 3J3CBeAjyVzdF37HUw9rVQe2IRlxGn1YAyMb5EpR2Ij612GFad8c/5ikzDh5q6JD
 tB9ApdvLkr0czTBucDljChSpFJ7ENPjAgZuH9N5Dmx2rRUj2mdBmi7HKqxAN9Kdm
 +pg/6vZ3vM18rBlXmw1poQdc3srAL+6MHmIfHHrq49oksLyHwyeL8T6BO4d4nTZU
 xObP7PLAeWrdrd1Sb3EWlZJ9HB/m2UL9w9Om1c6cb6X2DoCzQAStVypAE6SQCMBK
 pxkWRj90L41BS62snja+BlZTELuuLTHULRkWqS3fFkUxlDSMUn96QksWlwZLcxCv
 hKxJXOX+pHAiUuMIImaPQ0TBDBWWf5d8zOQlNPsyhSGFR5Skwzlg+m9ErQ+jy7Uz
 UmNCNztlYgRKeckXuvr73seoKoNXHrn7vWQ6qB1IRURj2bfphsqlmYuITmcBhfFS
 Dw0fdYXSDXrmG9wad98g49g4HwCJhPAl0j55f93gHLGIRgQQEQoABgUCUkGO5gAK
 CRAV1ogEymzfsol4AKCI7rOnptuoXgwYx2Z9HkUKuugSRwCgkyW9pxa5EovDijEF
 j1jG/cdxTOaJAhwEEAEKAAYFAlJBkdUACgkQkshDRW2mpm6aLxAAzpWNHMZVFt7e
 wQnCJnf/FMLTjduGTEhVFnVCkEtI+YKarveE6pclqKJfSRFDxruZ6PHGG2CDfMig
 J6mdDdmXCkN//TbIlRGowVgsxpIRg4jQVh4S3D0Nz50h+Zb7CHbjp6WAPVoWZz7b
 Myp+pN7qx/miJJwEiw22Eet4Hjj1QymKwjWyY146V928BV/wDBS/xiwfg3xIVPZr
 RqtiOGN/AGpMGeGQKKplkeITY7AXiAd+mL4H/eNf8b+o0Ce2Z9oSxSsGPF3DzMTL
 kIX7sWD3rjy3Xe2BM20stIDrJS2a1fbnIwFvqszS3Z3sF5bLc6W0iyPJdtbQ0pt6
 nekRl9nboAdUs0R+n/6QNYBkj4AcSh3jpZKe82NwnD/6WyzHWtC0SDRTVkcQWXPW
 EaWLmv8VqfzdBiw6aLcxlmXQSAr0cUA6zo6/bMQZosKwiCfGl3tR4Pbwgvbyjoii
 pF+ZXfz7rWWUqZ2C79hy3YTytwIlVMOnp3MyOV+9ubOsFhLuRDxAksIMaRTsO7ii
 5J4z1d+jzWMW4g1B50CoQ8W+FyAfVp/8qGwzvGN7wxN8P1iR+DZjtpCt7J+Xb9Pt
 L+lRKSO/aOgOfDksyt2fEKY4yEWdzq9A3VkRo1HCdUQY6SJ/qt7IyQHumxvL90F6
 vbB3edrR/fVGeJsz4vE10hzy7kI1QT65Ag0EUkGMggEQAMTsvyKEdUsgEehymKz9
 MRn9wiwfHEX5CLmpJAvnX9MITgcsTX8MKiPyrTBnyY/QzA0rh+yyhzkY/y55yxMP
 INdpL5xgJCS1SHyJK85HOdN77uKDCkwHfphlWYGlBPuaXyxkiWYXJTVUggSjuO4b
 jeKwDqFl/4Xc0XeZNgWVjqHtKF91wwgdXXgAzUL1/nwN3IglxiIR31y10GQdOQEG
 4T3ufx6gv73+qbFc0RzgZUQiJykQ3tZK1+Gw6aDirgjQYOc90o2Je0RJHjdObyZQ
 aQc4PTZ2DC7CElFEt2EHJCXLyP/taeLq+IdpKe6sLPckwakqtbqwunWVoPTbgkxo
 Q1eCMzgrkRu23B2TJaY9zbZAFP3cpL65vQAVJVQISqJvDL8K5hvAWJ3vi92qfBcz
 jqydAcbhjkzJUI9t44v63cIXTI0+QyqTQhqkvEJhHZkbb8MYoimebDVxFVtQ3I1p
 EynOYPfn4IMvaItLFbkgZpR/zjHYau5snErR9NC4AOIfNFpxM+fFFJQ7W88JP3cG
 JLl9dcRGERq28PDU/CTDH9rlk1kZ0xzpRDkJijKDnFIxT2ajijVOZx7l2jPL1njx
 s4xa1jK0/39kh6XnrCgK49WQsJM5IflVR2JAi8BLi2q/e0NQG2pgn0QL695Sqbbp
 NbrrJGRcRJD9sUkQTpMsLlQTABEBAAGJAiUEGAEKAA8FAlJBjIICGwwFCQgH7b8A
 CgkQPLLq/MPWxmZAew//et/LToMVR3q6/qP/pf9ob/QwQ3MgejkC0DY3Md7JBRl/
 6GWfySYnO0Vm5IoJofcv1hbhc/y3OeZTvK4s+BOQsNokYe34mCxZG4dypNaepkQi
 x0mLujeU/n4Y0p0LTLjhGLVdKina2dM9HmllgYr4KumT58g6eGjxs2oZD6z5ty0L
 viU5tx3lz3o0c3I9soH2RN2zNHVjXNW0EvWJwFLxFeLJbk/Y3UY1/kXCtcyMzLua
 S5L5012eUOEvaZr5iYDKjy+wOxY4SUCNYf0GPmSej8CBbwHOF2XCwXytSzm6hNb3
 5TRgCGbOSFTIy9MxfV5lpddQcdzijmuFSl8LySkL2yuJxjlI7uKNDN+NlfODIPMg
 rdH0hBSyKci6Uz7Nz/Up3qdE+aISq68k+Hk1fiKJG1UcBRJidheds29FCzj3hoyZ
 VDmf6OL60hL0YI1/4GjIkJyetlPzjMp8J7K3GweOUkfHcFihYZlbiMe7z+oIWEc7
 0fNScrAGF/+JN3L6mjXKB6Pv+ER5ztzpfuhBJ/j7AV5BaNMmDXAVO4aTphWl7Dje
 iecENuGTpkK8Ugv5cMJc4QJaWDkj/9sACc0EFgigPo68KjegvKg5R8jUPwb8E7T6
 lIjBtlclVhaUrE2uLx/yTz2Apbm+GAmD8M0dQ7IYsOFlZNBW9zjgLLCtWDW+p1A=
 =5gJ7
 -----END PGP PUBLIC KEY BLOCK-----

  D.1.3. Core Team Secretary <core-secretary@FreeBSD.org>

 pub   rsa2048/0CB403E4E95B96EC 2018-06-30 [SC] [expires: 2020-06-29]
       Key fingerprint = 9F02 836F 50D3 AD5A B75A  C588 0CB4 03E4 E95B 96EC
 uid                            FreeBSD Core Team Secretary <core-secretary@freebsd.org>
 sub   rsa2048/133C3338A5B95A60 2018-06-30 [E] [expires: 2020-06-29]
       Key fingerprint = FA37 B8AA C667 C3AA D310  751D 133C 3338 A5B9 5A60


 -----BEGIN PGP PUBLIC KEY BLOCK-----

 mQENBFs3wcYBCAC7nlaUTMqyT7PBSFLtW/LleSz7BNUwqSTo8LfUVJOY5G/pzWt5
 Mqjqh4oJcW/MvKFTDeRaJ2mHp+vELxIP7wO3gcP36dXgImw6sXwBTkPlKpmmFRm1
 M+QqnCCrrLHtCznWaDg+1fTHmyQpFHpg37XzA1Z5ev6PryEUYJkcBP77oNCTY933
 86sXOqRAJRywvN/LEkAoaawqBz0CpkNTOBACoJZRV8i9CIklEOy8J+hNzGtJpHkg
 FxUOXWj7z+2y6UOR4GzSpYAWJGbtwEcpGPfhqJk5M5eZ6PJcwzZ6LeLKgGFzNi6r
 tlShQh5LT7wAKkTrBsZ9vckyyuTEtqgdGCmhABEBAAG0OEZyZWVCU0QgQ29yZSBU
 ZWFtIFNlY3JldGFyeSA8Y29yZS1zZWNyZXRhcnlAZnJlZWJzZC5vcmc+iQFUBBMB
 CgA+FiEEnwKDb1DTrVq3WsWIDLQD5OlbluwFAls3wcYCGwMFCQPCZwAFCwkIBwMF
 FQoJCAsFFgMCAQACHgECF4AACgkQDLQD5OlbluyRZAf/VG9VWpIsofcoHwDxhYAL
 mm+xbuP/eq1/Q8HeO3XVhA/HZF5nvSKZbD8F+ujaHDH/waNStWb3wUK87l9AfB6G
 QFMVYjVQWrPwgpwFtGjL9zLMCBS3T+ysuub+xSuPhr1KQHgKB4+t6NLoBlSwP+76
 sLLx0SILGwTpsb0r84etaECgp5ymAXijbzIB0Pu44Y+DjZimBEVuw2YRZ4/Ug/3z
 pcNQqpjbrHNYjU6AOZEHXftbXwuWfgdjINnrWpvTwkKVnU0FhGXV9UYWP2UAxE5u
 OyAvIyYFbX10iSFQGUXle3eg6IuHncT5u6P1IxQM++d/TJIbKrQW+xdr+1I+vUrS
 rokCMwQQAQoAHRYhBHLPrCF5vLAktbVFkANvbJ7n856/BQJbOJDdAAoJEANvbJ7n
 856/1swQAN2QKGe1riRm9jKVxC8AMy57+Tzu1ITGDDUf6dH2+gxx0K5GoVmtdhLL
 2qrmDJEqP7K232T25cU5zStQnaTHpEIUklY8Rn1Fati8+IZBdpemG4BXTzGnNDQ0
 FS6PxuxOFvcELOFvuUil3PP7ArMKI9jfjxisEkOWFuwQVyIPeApcQuf8vyqrfTnV
 /Qes/XhySrvsEL+ehq2OEorl6YjMB2/lVK2lVWYrWJ91Oq8Vwp0G09whZEMhMabQ
 D1OxlmM6kofkTioM8DOmbGTbOXhiiiiCUI41pOAOzF9SrCqCpLV2OyrPFz7J+GU9
 6u+DPPZyy7O8NmjdDsyrDg2hhbTwWC4dvW+QMJSWZ8Bo8eMx8b5ti9RX0XPEIwao
 KrCKh3aemGgkP8zcVbFWOzOji8aXrpWrRr/oxQmJxE49d2j1oF4LydIfhDxOnfOF
 428pVhDXDLjf0xdUIVQqCsOBQvzwVPWTQVOFSakVFNRYP6/SXyF5eUf5E6iSExKn
 fn+G4FtrJd6QNwNUquI2LF8CEhJBpLNBqjJW3WEv1tDzU+rqS9QpHzSmLzLqtiE+
 5HqynvOPXGRRsAcUOLmV4fMUGRH8tpNoH4iBEc7LmoFTQXIf6oJClaiwRkFKuT9c
 2XlkJ4ca6fxU4KyoHtR6pmMNkLIcehfpoL11+TPyyBjNd2TwLpLbiQIzBBABCgAd
 FiEEwHv14xCuZL9hILD2NqfAX+Hs+bsFAls4kV0ACgkQNqfAX+Hs+bvRrw//QVea
 9diHHbzxq84yp4eOGQoj86usPSV+IOZN27+e6QDYR8ZsxqFE5wQycSAdyqo0n42Q
 EDE6tnn+/HhyFogr7kF8CRJMtsSlwKgDrMMYjVPnP2fP5VFxAF36epSRgcGC0Lqh
 Ris+xjfSzXM2oNiiebPu2MOe8qOe8LVGJMyuxJZbb/OuEfgLGLKtjcJ1SujKhzLl
 TVS8JSSVRbxk62huh/Mo80eCKHMV+/NmbHP4QKZBOVSWn0U/lrm+SyDR78l3EhtN
 x/KIfhiPZENYTjSBSxa8F/Vg19bcmUedLapcN9J8q2KVNx7VuiPz+X2ww/dOKFR0
 FxwOvCweGFRNRyoytF4ziw0Gwt78RHw4OdhQg8YH38kbrRFvf2YqiddGUA2UWwKi
 HRdj9ZGemzL++OE/MZvgODVhZA6V5QU/B9bR3xfnVcBsPyGTrlQ8XZ9aY1wBMTrS
 TTbS3sD7HuyS4PO8rt3iZy50UDMc5v55Pr5SIPiaUdyV8Y401oOWnKvKgKtHzBtC
 2ADT+iZk/I4a3iDj4hw07Y+O1Voqp72LaACGhqWqkN0zqoKq3TvD/ukEZwgsvDdP
 ErzPUanN31gn055PlpWYQBVoLjupH8SXahrdTmo15Xjdr97VHCuABNT4Kh3QDELU
 vQtF0IB+S+VQfTVR5wkC1OLj8J1edvoXlsVzREW5AQ0EWzfBxgEIAMZxwaI3hZ2G
 je7L8N1TFfPJA62kMGzzFDvFqeH8mDPOXkd4JC4y2EIBySPS36y0c1MJM79oOkKI
 6DQLyUb3p4hGZbEVKidAwXvp4t5x1QJ0bpodHc/7xh95EP11Lf8C/DFP5Js3YVPl
 MsdeVhx7J8itQuivoLJrZVTgKSgFepatLuXXKUttYAJNcU11ziPwTlzjEuTx4X6V
 RimPrp8+/dbkRmPhsDqMXrqJmjeNarYK9F0xKlaWnIhtyZnNXtHrdtQE/VOBjoXN
 0NXiuJg02JZGqZuBM80Ig7yBdmUlZdPrxkYw92+kxHIdySM3+WYbGu/e6T/VY6wx
 7KW2IV3u3b8AEQEAAYkBPAQYAQoAJhYhBJ8Cg29Q061at1rFiAy0A+TpW5bsBQJb
 N8HGAhsMBQkDwmcAAAoJEAy0A+TpW5bsp0AH/Rht32xeJQk59UgDf7BPHiiphgg8
 P1qmRVd6OZJ6GoVYWjJ87+gU9sChbZUTCFioiIYLWPbhm9AJKy1KDrcnP0zYjWL2
 SKjezMbru9cgFYk6R3LO+mK5DwtGMgyzipKAN8Kh92pX2WERUeMFulkYa4+rdVkP
 kBtB49hmDj25GPw/72Vuksg5m7sbpEZzt6JjXQN0ynDjBuizE/HYm2E8VW5tH1aH
 wdzVGruNVIOMMF3gHKbJbrxKiq/SPJfph0YGeL6v5bF9mgizGamEUn9YHVkCqZ7z
 wDuSIDVTSiQQOJesD58WOADCDINEP3uXFhlI1A0Au7X+XYyjIjHCdyTNhBI=
 =5VKx
 -----END PGP PUBLIC KEY BLOCK-----

  D.1.4. Ports Management Team Secretary <portmgr-secretary@FreeBSD.org>

 pub   rsa2048/D8294EC3BBC4D7D5 2012-07-24 [SC]
       Key fingerprint = FB37 45C8 6F15 E8ED AC81  32FC D829 4EC3 BBC4 D7D5
 uid                            FreeBSD Ports Management Team Secretary <portmgr-secretary@FreeBSD.org>
 sub   rsa2048/5CC117965F65CFE7 2012-07-24 [E]


 -----BEGIN PGP PUBLIC KEY BLOCK-----

 mQENBFAOzqYBCACYd+KGv0/DduIRpSEKWZG2yfDILStzWfdaQMD+8zdWihB0x7dd
 JDBUpV0o0Ixzt9mvu5CHybx+9lOHeFRhZshFXc+bIJOPyi+JrSs100o7Lo6jg6+c
 Si2vME0ixG4x9YjCi8DisXIGJ1kZiDXhmVWwCvL+vLInpeXrtJnK8yFkmszCOr4Y
 Q3GXuvdU0BF2tL/Wo/eCbSf+3U9syopVS2L2wKcP76bbYU0ioO35Y503rJEK6R5G
 TchwYvYjSXuhv4ec7N1/j3thrMC9GNpoqjVninTynOk2kn+YZuMpO3c6b/pfoNcq
 MxoizGlTu8VT4OO/SF1y52OkKjpAsENbFaNTABEBAAG0R0ZyZWVCU0QgUG9ydHMg
 TWFuYWdlbWVudCBUZWFtIFNlY3JldGFyeSA8cG9ydG1nci1zZWNyZXRhcnlARnJl
 ZUJTRC5vcmc+iQE4BBMBAgAiBQJQDs6mAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIe
 AQIXgAAKCRDYKU7Du8TX1QW2B/0coHe8utbTfGKpeM4BY9IyC+PFgkE58Hq50o8d
 shoB9gfommcUaK9PNwJPxTEJNlwiKPZy+VoKs/+dO8gahovchbRdSyP1ejn3CFy+
 H8pol0hDDU4n7Ldc50q54GLuZijdcJZqlgOloZqWOYtXFklKPZjdUvYN8KHAntgf
 u361rwM4DZ40HngYY9fdGc4SbXurGA5m+vLAURLzPv+QRQqHfaI1DZF6gzMgY49x
 qS1JBF4kPoicpgvs3o6CuX8MD9ewGFSAMM3EdzV6ZdC8pnpXC8+8Q+p6FjNqmtjk
 GpW39Zq/p8SJVg1RortCH6qWLe7dW7TaFYov7gF1V/DYwDN5iEYEEBECAAYFAlN2
 WksACgkQtzkaJjSHbFtuMwCg0MXdQTcGMMOma7LC3L5b4MEoZ+wAn0WyUHpHwHnn
 pn2oYDlfAbwTloWIiQEcBBABAgAGBQJQDuVrAAoJENk3EJekc8mQ3KwIAImNDMXA
 F8ajPwCZFpM6KDi3F/jpwyBPISGY1oWuYPEi1zN94k5jS90aZb3W8Y8x4JTh35Ew
 b6XODi3uGLSLCmnlqu2a80yPfXf5IuWmIQdFNQxvosj9UHrg+icZGFmm+f0hPJxM
 TsZREv3AvivQfnb/N3xIICxW4SjKSYXQcq4hr4ObhUx7GKnjayq+ofU2cRlujr87
 uOH0fO3xhOJG4+cX5mI1HGK38k0Csc1zqYa/66Qe5dnIZz+sNXpEPMLAHIt1a45U
 B967igJdZSDFN33bPl1QWmf3aUXU3d1VttiSyHkpm4kb9KgsDkUk1IJ5nUe9OXyd
 WtoqNW5afDa5N0aIRgQQEQIABgUCUA7lwwAKCRB59uBxdBRinNh2AJ41+zfsaQSR
 HWvSkqOXGcP/fgOduwCfUJDT+M1eXe2udmKof/9yzGYMirKJASIEEAECAAwFAlAa
 IT8FAwASdQAACgkQlxC4m8pXrXwCHAf+J7l+L7AvRpqlQcezjnjFS/zG1098qkDf
 lThHZlpVnrBMJZaXdvL6LzVgiIYVWZC5CSSazW9EWFjp9VjM7FBHdWFZNMV7GAuU
 t0jzx6gGXOWwi+/v/hs1P11RyDZN5hICHdPNmyZVupciDxe+sIEP9aEbVxcaiccq
 zM/pFzIVIMMP5tCiA42q6Mz3h0hy6hntUKptS8Uon6sje5cDVcVlKAUj1wO2cphC
 qkYlwMQfZV5J9f/hcW5ODriD3cBwK8SocA2Cq5JYF8kYDL1+pXnUutGnvAHUYt87
 RWvQdKmfXjzBcMFJ2LlPUB1+IFvwQ13V9R8j9B/EdLmSWQYT9qRA2okCHAQTAQoA
 BgUCV1XMpwAKCRCtu/hhCjeJt2CyD/9JLe+Ck23CJkeRSF8oC+4SFOUdSAmejSzn
 klPwmEClffABYd/kckO1T6um+2FUcXuJZQE1nKKUNvZ8pBWwsm1RDHsyroKi/XB1
 0a1Tdx/rvlU88ytbeLfUCLzoCrf6pkMQWoU6/3qS6elV0WwOlDufk+XjD1sja2wu
 sshG8y+1WCA5JjP3rZdD9NVdzo5DgkotTRUfuYN1LJIN4zlDgHj7FVP7wW7+R0cZ
 FoOiNsLJCA0FN8SiyU98UysjawLiIY9dTJz6XVA0DgB0TZWO3mWiDjITeKrdGcqf
 PNiJhmvUKBkn07YpTPNfkoTT/p/q5ChYmu0ubGeyS1ELKjmklJ+DzynfZLzvnXYX
 Ngo5ckeuqEqUNxM0J63v8lmfhDRROFveqHWdp0XMxXVmR5bMunSldg5EZsoLyQbN
 +ScIPnDTAEPGrCtf0t84RQxNQeET6/WBbZfzeSeAFmpBFCdicsZ6Mjwtwjr4+o15
 n1QMTZco1NaTqf8vXwzl9wM4aYtg1OkF4z8HdHuy50CHCet4mT5eJgwZUfFvXdbM
 pHXprEI0Y9OOL4aMinC1egF3dXt/0n57i6CE+E2k3UJPNvMrtp0HaDEnKZ8cfkBU
 EBzkUYi5wwqntHV2JRisqoRnHdvJT7ImlHMe7WaJsifBK874PnToaKg8P6K1Tph+
 FyLxULaYjYkCHAQSAQgABgUCVBg2zwAKCRDqsDxYv9xHj1klEADXYJdHC3zsdx7w
 DsJsttWdykcZoOd/VUKUdN0BAU72nLV0tLn4uFjETA6MhHZVxzwIDTeLB8kqyEpc
 fZnoVbqJIUJz1sJXMdOty7CwZzlZlAwmUaIfFiazJY1p398JbyYfSrVKNOpw9wCm
 Db7WP9dBritwvjaLzu8HQsiztO0S/5ha/EDfTU3qocBUTjbCtGR9LqAmPE4X8+li
 F2EfZMEoJd3rJWsYv2y/k6pSgC/MpQewnyr6f+JQ/781UoZB6PpxCxfu4D6xlOyd
 ERBUg+FfDAWYR+KX+DGOalRlUyaSz8Nvxl8/b0Im/AQhx9afqyEZxIDpg52zt8jJ
 t3wx23YP8EQGUgwF8pIrj3wFSBSG3a/cskiBNUIhChIR9hQrVPUahN/jx7DGAGxk
 /Ka9qsRGYTHfSr9jjTUQ+htfeFBRDR0nkZKMo5+Wk/cAcBKVbPlBpwvnzT3fh+wL
 cF3ErBbx5jp+BoFee8D6ATeUvQxMcgVbDPUkgMsy3EtKMVO10jhIoXoVV+Sg9GZ8
 zMEy1tORKn0zsd2ZgXC2sRJOm5ttCSdYQ4ddbM1A9jg6tiRx4hES16GDywvkL8P2
 M9+qyIfjQxjGU33f/r8zp9DyNT1VlrtwhFxtOoMdmrsbYOCTja4Xg14hK1hRac0k
 GB7bj6w97p8uMrQT3PlSMtoyrRyo7bkBDQRQDs6mAQgAzNxJYpf5PrqV8pdRXkn3
 6Fe45q671YtbZ2WrT7D0CVZ8Z+AZsxnP/tiY1SrM2MepCeA2xBAhKGsWBWo1aRk5
 mfZOksKsiXsi2XeBVhdZlCkrOMKBTVian7I1lH59ZnNIMX0Nl0tlj3L1IjeWWNvf
 ej43URV81S9EmSwpjaWboatr2A+1oJku5m7nPD9JIOckE1TzBsyhx7zIUN9w6MKr
 7gFw8DCzypwUKyYgKYToVm8QlkT/L3B0fuQHWhT6ROGk4o8SC71ia5tc1TzUzGEZ
 1AQO8bbnbmJLBDKveWHCoaeAkRzINzoD9wAn9z4pnilze59QtKC1cOqUksTvBSDh
 6wARAQABiQEfBBgBAgAJBQJQDs6mAhsMAAoJENgpTsO7xNfVOHoH/i5VyggVdwpq
 PX8YBmN5mXQziYZNQoiON8IhOsxpX4W2nXCj5m6MACV6nJDVV6wyUH8/VvDQC9nH
 arCe1oaNsHXJz0HamYt5gHJ0G1bYuBcuJp/FEjLa48XFI7nXQjJHn8rlwZMjK/PW
 j1lw2WZiekviuzTEDH8c3YStGJSa+gYe8Eyq3XJVAe2VQOhImoWgGDR3tWfgrya/
 IdEFb/jmjHSG5XUfbI0vNwqlf832BqSQKPG/Zix4MmBJgvAz4R71PH8WBmbmNFjD
 elxVyfz80+iMgEb9aL91MfeBNC2KB1pFmg91mQTsiq7ajwVLVJK8NplHAkdLmkBC
 O8MgMjzGhlE=
 =iw7d
 -----END PGP PUBLIC KEY BLOCK-----

  D.1.5. <doceng-secretary@FreeBSD.org>

 pub   rsa2048/E1C03580AEB45E58 2019-10-31 [SC] [expires: 2022-10-30]
       Key fingerprint = F24D 7B32 B864 625E 5541  A0E4 E1C0 3580 AEB4 5E58
 uid                            FreeBSD Doceng Team Secretary <doceng-secretary@freebsd.org>
 sub   rsa2048/9EA8D713509472FC 2019-10-31 [E] [expires: 2022-10-30]


 -----BEGIN PGP PUBLIC KEY BLOCK-----

 mQENBF27FFcBCADeoSsIgyQUY8vREwkTikwFFlNg31MVy5s/Nq1cNK1PRfRMnprS
 yfB62KqbYuz16bmQKaA9zHN4FGfiTvR6tl66LVHm1s/5HPiLv8sP14GsruLro9zN
 v72dO7a9i68bMw+jarPOnu9dGiDFEI0dACOkdCGEYKEUapQeNpmWRrQ46BeXyFwF
 JcNx76bJJUkwk6fWC0W63D762e6lCEX6ndoaPjjLBnFvtx13heNGUc8RukBwe2mA
 U5pSGHj47J05bdWiRSwZaXa8PcW+20zTWaP755w7zWe4h60GANY7OsT9nuOqsioJ
 QonxTrJuZweKRV8fNQ1EfDws3HZr7/7iXvO3ABEBAAG0PEZyZWVCU0QgRG9jZW5n
 IFRlYW0gU2VjcmV0YXJ5IDxkb2Nlbmctc2VjcmV0YXJ5QGZyZWVic2Qub3JnPokB
 VAQTAQoAPhYhBPJNezK4ZGJeVUGg5OHANYCutF5YBQJduxRXAhsDBQkFo5qABQsJ
 CAcDBRUKCQgLBRYDAgEAAh4BAheAAAoJEOHANYCutF5YB2IIALw+EPYmOz9qlqIn
 oTFmk/5MrcdzC5iLEfxubbF6TopDWsWPiOh5mAuvfEmROSGf6ctvdYe9UtQV3VNY
 KeeyskeFrIBOFo2KG/dFqKPAWef6IfhbW3HWDWo5uOBg01jHzQ/pB1n6SMKiXfsM
 idL9wN+UQKxF3Y7S/bVrZTV0isRUolO9+8kQeSYT/NMojVM0H2fWrTP/TaNEW4fY
 JBDAl5hsktzdl8sdbNqdC0GiX3xb4GvgVzGGQELagsxjfuXk6PfOyn6Wx2d+yRcI
 FrKojmhihBp5VGFQkntBIXQkaW0xhW+WBGxwXdaAl0drQlZ3W+edgdOl705x73kf
 Uw3Fh2a5AQ0EXbsUVwEIANEPAsltM4vFj2pi5xEuHEcZIrIX/ZJhoaBtZkqvkB+H
 4pu3/eQHK5hg0Dw12ugffPMz8mi57iGNI9TXd8ZYMJxAdvEZSDHCKZTX9G+FcxWa
 /AzKNiG25uSISzz7rMB/lV1gofCdGtpHFRFTiNxFcoacugTdlYDiscgJZMJSg/hC
 GXBdEKXR5WRAgAGandcL8llCToOt1lZEOkd5vJM861w6evgDhAZ2HGhRuG8/NDxG
 r4UtlnYGUCFof/Q4oPNbDJzmZXF+8OQyTNcEpVD3leEOWG1Uv5XWS2XKVHcHZZ++
 ISo/B5Q6Oi3SJFCVV9f+g09YF+PgfP/mVMBgif2fT20AEQEAAYkBPAQYAQoAJhYh
 BPJNezK4ZGJeVUGg5OHANYCutF5YBQJduxRXAhsMBQkFo5qAAAoJEOHANYCutF5Y
 kecIAMTh2VHQqjXHTszQMsy3NjiTVVITI3z+pzY0u2EYmLytXQ2pZMzLHMcklmub
 5po0X4EvL6bZiJcLMI2mSrOs0Gp8P3hyMI40IkqoLMp7VA2LFlPgIJ7K5W4oVwf8
 khY6lw7qg2l69APm/MM3xAyiL4p6MU8tpvWg5AncZ6lxyy27rxVflzEtCrKQuG/a
 oVaOlMjH3uxvOK6IIxlhvWD0nKs/e2h2HIAZ+ILE6ytS5ZEg2GXuigoQZdEnv71L
 xyvE9JANwGZLkDxnS5pgN2ikfkQYlFpJEkrNTQleCOHIIIp8vgJngEaP51xOIbQM
 CiG/y3cmKQ/ZfH7BBvlZVtZKQsI=
 =MQKT
 -----END PGP PUBLIC KEY BLOCK-----

                               FreeBSD *********

   This glossary contains terms and acronyms used within the FreeBSD
   community and documentation.

  A

   ACL

           ****** Access Control List.

   ACPI

           ****** Advanced Configuration and Power Interface.

   AMD

           ****** Automatic Mount Daemon.

   AML

           ****** ACPI Machine Language.

   API

           ****** Application Programming Interface.

   APIC

           ****** Advanced Programmable Interrupt Controller.

   APM

           ****** Advanced Power Management.

   APOP

           ****** Authenticated Post Office Protocol.

   ASL

           ****** ACPI Source Language.

   ATA

           ****** Advanced Technology Attachment.

   ATM

           ****** Asynchronous Transfer Mode.

   ACPI Machine Language

           Pseudocode, interpreted by a virtual machine within an
           ACPI-compliant operating system, providing a layer between the
           underlying hardware and the documented interface presented to the
           OS.

   ACPI Source Language

           The programming language AML is written in.

   Access Control List

           A list of permissions attached to an object, usually either a file
           or a network device.

   Advanced Configuration and Power Interface

           A specification which provides an abstraction of the interface the
           hardware presents to the operating system, so that the operating
           system should need to know nothing about the underlying hardware
           to make the most of it. ACPI evolves and supersedes the
           functionality provided previously by APM, PNPBIOS and other
           technologies, and provides facilities for controlling power
           consumption, machine suspension, device enabling and disabling,
           etc.

   Application Programming Interface

           A set of procedures, protocols and tools that specify the
           canonical interaction of one or more program parts; how, when and
           why they do work together, and what data they share or operate on.

   Advanced Power Management

           An API enabling the operating system to work in conjunction with
           the BIOS in order to achieve power management. APM has been
           superseded by the much more generic and powerful ACPI
           specification for most applications.

   Advanced Programmable Interrupt Controller

   Advanced Technology Attachment

   Asynchronous Transfer Mode

   Authenticated Post Office Protocol

   Automatic Mount Daemon

           A daemon that automatically mounts a filesystem when a file or
           directory within that filesystem is accessed.

  B

   BAR

           ****** Base Address Register.

   BIND

           ****** Berkeley Internet Name Domain.

   BIOS

           ****** Basic Input/Output System.

   BSD

           ****** Berkeley Software Distribution.

   Base Address Register

           The registers that determine which address range a PCI device will
           respond to.

   Basic Input/Output System

           The definition of BIOS depends a bit on the context. Some people
           refer to it as the ROM chip with a basic set of routines to
           provide an interface between software and hardware. Others refer
           to it as the set of routines contained in the chip that help in
           bootstrapping the system. Some might also refer to it as the
           screen used to configure the bootstrapping process. The BIOS is
           PC-specific but other systems have something similar.

   Berkeley Internet Name Domain

           An implementation of the DNS protocols.

   Berkeley Software Distribution

           This is the name that the Computer Systems Research Group (CSRG)
           at The University of California at Berkeley gave to their
           improvements and modifications to AT&T's 32V UNIX(R). FreeBSD is a
           descendant of the CSRG work.

   Bikeshed Building

           A phenomenon whereby many people will give an opinion on an
           uncomplicated topic, whilst a complex topic receives little or no
           discussion. See the FAQ for the origin of the term.

  C

   CD

           ****** Carrier Detect.

   CHAP

           ****** Challenge Handshake Authentication Protocol.

   CLIP

           ****** Classical IP over ATM.

   COFF

           ****** Common Object File Format.

   CPU

           ****** Central Processing Unit.

   CTS

           ****** Clear To Send.

   Carrier Detect

           An RS232C signal indicating that a carrier has been detected.

   Central Processing Unit

           Also known as the processor. This is the brain of the computer
           where all calculations take place. There are a number of different
           architectures with different instruction sets. Among the more
           well-known are the Intel-x86 and derivatives, Sun SPARC, PowerPC,
           and Alpha.

   Challenge Handshake Authentication Protocol

           A method of authenticating a user, based on a secret shared
           between client and server.

   Classical IP over ATM

   Clear To Send

           An RS232C signal giving the remote system permission to send data.

           ********* Request To Send.

   Common Object File Format

  D

   DAC

           ****** Discretionary Access Control.

   DDB

           ****** Debugger.

   DES

           ****** Data Encryption Standard.

   DHCP

           ****** Dynamic Host Configuration Protocol.

   DNS

           ****** Domain Name System.

   DSDT

           ****** Differentiated System Description Table.

   DSR

           ****** Data Set Ready.

   DTR

           ****** Data Terminal Ready.

   DVMRP

           ****** Distance-Vector Multicast Routing Protocol.

   Discretionary Access Control

   Data Encryption Standard

           A method of encrypting information, traditionally used as the
           method of encryption for UNIX(R) passwords and the crypt(3)
           function.

   Data Set Ready

           An RS232C signal sent from the modem to the computer or terminal
           indicating a readiness to send and receive data.

           ********* Data Terminal Ready.

   Data Terminal Ready

           An RS232C signal sent from the computer or terminal to the modem
           indicating a readiness to send and receive data.

   Debugger

           An interactive in-kernel facility for examining the status of a
           system, often used after a system has crashed to establish the
           events surrounding the failure.

   Differentiated System Description Table

           An ACPI table, supplying basic configuration information about the
           base system.

   Distance-Vector Multicast Routing Protocol

   Domain Name System

           The system that converts humanly readable hostnames (i.e.,
           mail.example.net) to Internet addresses and vice versa.

   Dynamic Host Configuration Protocol

           A protocol that dynamically assigns IP addresses to a computer
           (host) when it requests one from the server. The address
           assignment is called a "lease".

  E

   ECOFF

           ****** Extended COFF.

   ELF

           ****** Executable and Linking Format.

   ESP

           ****** Encapsulated Security Payload.

   Encapsulated Security Payload

   Executable and Linking Format

   Extended COFF

  F

   FADT

           ****** Fixed ACPI Description Table.

   FAT

           ****** File Allocation Table.

   FAT16

           ****** File Allocation Table (16-bit).

   FTP

           ****** File Transfer Protocol.

   File Allocation Table

   File Allocation Table (16-bit)

   File Transfer Protocol

           A member of the family of high-level protocols implemented on top
           of TCP which can be used to transfer files over a TCP/IP network.

   Fixed ACPI Description Table

  G

   GUI

           ****** Graphical User Interface.

   Giant

           The name of a mutual exclusion mechanism (a sleep mutex) that
           protects a large set of kernel resources. Although a simple
           locking mechanism was adequate in the days where a machine might
           have only a few dozen processes, one networking card, and
           certainly only one processor, in current times it is an
           unacceptable performance bottleneck. FreeBSD developers are
           actively working to replace it with locks that protect individual
           resources, which will allow a much greater degree of parallelism
           for both single-processor and multi-processor machines.

   Graphical User Interface

           A system where the user and computer interact with graphics.

  H

   HTML

           ****** HyperText Markup Language.

   HUP

           ****** HangUp.

   HangUp

   HyperText Markup Language

           The markup language used to create web pages.

  I

   I/O

           ****** Input/Output.

   IASL

           ****** Intel's ASL compiler.

   IMAP

           ****** Internet Message Access Protocol.

   IP

           ****** Internet Protocol.

   IPFW

           ****** IP Firewall.

   IPP

           ****** Internet Printing Protocol.

   IPv4

           ****** IP Version 4.

   IPv6

           ****** IP Version 6.

   ISP

           ****** Internet Service Provider.

   IP Firewall

   IP Version 4

           The IP protocol version 4, which uses 32 bits for addressing. This
           version is still the most widely used, but it is slowly being
           replaced with IPv6.

           ********* IP Version 6.

   IP Version 6

           The new IP protocol. Invented because the address space in IPv4 is
           running out. Uses 128 bits for addressing.

   Input/Output

   Intel's ASL compiler

           Intel's compiler for converting ASL into AML.

   Internet Message Access Protocol

           A protocol for accessing email messages on a mail server,
           characterised by the messages usually being kept on the server as
           opposed to being downloaded to the mail reader client.

           ********* Post Office Protocol Version 3.

   Internet Printing Protocol

   Internet Protocol

           The packet transmitting protocol that is the basic protocol on the
           Internet. Originally developed at the U.S. Department of Defense
           and an extremely important part of the TCP/IP stack. Without the
           Internet Protocol, the Internet would not have become what it is
           today. For more information, see RFC 791.

   Internet Service Provider

           A company that provides access to the Internet.

  K

   KAME

           Japanese for "turtle", the term KAME is used in computing circles
           to refer to the KAME Project, who work on an implementation of
           IPv6.

   KDC

           ****** Key Distribution Center.

   KLD

           ****** Kernel ld(1).

   KSE

           ****** Kernel Scheduler Entities.

   KVA

           ****** Kernel Virtual Address.

   Kbps

           ****** Kilo Bits Per Second.

   Kernel ld(1)

           A method of dynamically loading functionality into a FreeBSD
           kernel without rebooting the system.

   Kernel Scheduler Entities

           A kernel-supported threading system. See the project home page for
           further details.

   Kernel Virtual Address

   Key Distribution Center

   Kilo Bits Per Second

           Used to measure bandwidth (how much data can pass a given point at
           a specified amount of time). Alternates to the Kilo prefix include
           Mega, Giga, Tera, and so forth.

  L

   LAN

           ****** Local Area Network.

   LOR

           ****** Lock Order Reversal.

   LPD

           ****** Line Printer Daemon.

   Line Printer Daemon

   Local Area Network

           A network used on a local area, e.g. office, home, or so forth.

   Lock Order Reversal

           The FreeBSD kernel uses a number of resource locks to arbitrate
           contention for those resources. A run-time lock diagnostic system
           found in FreeBSD-CURRENT kernels (but removed for releases),
           called witness(4), detects the potential for deadlocks due to
           locking errors. (witness(4) is actually slightly conservative, so
           it is possible to get false positives.) A true positive report
           indicates that "if you were unlucky, a deadlock would have
           happened here".

           True positive LORs tend to get fixed quickly, so check
           http://lists.FreeBSD.org/mailman/listinfo/freebsd-current and the
           LORs Seen page before posting to the mailing lists.

  M

   MAC

           ****** ****************** (MAC).

   MADT

           ****** Multiple APIC Description Table.

   MFC

           ****** Merge From Current.

   MFH

           ****** Merge From Head.

   MFS

           ****** Merge From Stable.

   MIT

           ****** Massachusetts Institute of Technology.

   MLS

           ****** Multi-Level Security.

   MOTD

           ****** Message Of The Day.

   MTA

           ****** Mail Transfer Agent.

   MUA

           ****** Mail User Agent.

   Mail Transfer Agent

           An application used to transfer email. An MTA has traditionally
           been part of the BSD base system. Today Sendmail is included in
           the base system, but there are many other MTAs, such as postfix,
           qmail and Exim.

   Mail User Agent

           An application used by users to display and write email.

   ****************** (MAC)

   Massachusetts Institute of Technology

   Merge From Current

           To merge functionality or a patch from the -CURRENT branch to
           another, most often -STABLE.

   Merge From Head

           To merge functionality or a patch from a repository HEAD to an
           earlier branch.

   Merge From Stable

           In the normal course of FreeBSD development, a change will be
           committed to the -CURRENT branch for testing before being merged
           to -STABLE. On rare occasions, a change will go into -STABLE first
           and then be merged to -CURRENT.

           This term is also used when a patch is merged from -STABLE to a
           security branch.

           ********* Merge From Current.

   Message Of The Day

           A message, usually shown on login, often used to distribute
           information to users of the system.

   Multi-Level Security

   Multiple APIC Description Table

  N

   NAT

           ****** Network Address Translation.

   NDISulator

           ****** Project Evil.

   NFS

           ****** Network File System.

   NTFS

           ****** New Technology File System.

   NTP

           ****** Network Time Protocol.

   Network Address Translation

           A technique where IP packets are rewritten on the way through a
           gateway, enabling many machines behind the gateway to effectively
           share a single IP address.

   Network File System

   New Technology File System

           A filesystem developed by Microsoft and available in its "New
           Technology" operating systems, such as Windows(R) 2000,
           Windows NT(R) and Windows(R) XP.

   Network Time Protocol

           A means of synchronizing clocks over a network.

  O

   OBE

           ****** Overtaken By Events.

   ODMR

           ****** On-Demand Mail Relay.

   OS

           ****** Operating System.

   On-Demand Mail Relay

   Operating System

           A set of programs, libraries and tools that provide access to the
           hardware resources of a computer. Operating systems range today
           from simplistic designs that support only one program running at a
           time, accessing only one device to fully multi-user, multi-tasking
           and multi-process systems that can serve thousands of users
           simultaneously, each of them running dozens of different
           applications.

   Overtaken By Events

           Indicates a suggested change (such as a Problem Report or a
           feature request) which is no longer relevant or applicable due to
           such things as later changes to FreeBSD, changes in networking
           standards, the affected hardware having since become obsolete, and
           so forth.

  P

   PAE

           ****** Physical Address Extensions.

   PAM

           ****** Pluggable Authentication Modules.

   PAP

           ****** Password Authentication Protocol.

   PC

           ****** Personal Computer.

   PCNSFD

           ****** Personal Computer Network File System Daemon.

   PDF

           ****** Portable Document Format.

   PID

           ****** Process ID.

   POLA

           ****** Principle Of Least Astonishment.

   POP

           ****** Post Office Protocol.

   POP3

           ****** Post Office Protocol Version 3.

   PPD

           ****** PostScript Printer Description.

   PPP

           ****** Point-to-Point Protocol.

   PPPoA

           ****** PPP over ATM.

   PPPoE

           ****** PPP over Ethernet.

   PPP over ATM

   PPP over Ethernet

   PR

           ****** Problem Report.

   PXE

           ****** Preboot eXecution Environment.

   Password Authentication Protocol

   Personal Computer

   Personal Computer Network File System Daemon

   Physical Address Extensions

           A method of enabling access to up to 64 GB of RAM on systems which
           only physically have a 32-bit wide address space (and would
           therefore be limited to 4 GB without PAE).

   Pluggable Authentication Modules

   Point-to-Point Protocol

   Pointy Hat

           A mythical piece of headgear, much like a dunce cap, awarded to
           any FreeBSD committer who breaks the build, makes revision numbers
           go backwards, or creates any other kind of havoc in the source
           base. Any committer worth his or her salt will soon accumulate a
           large collection. The usage is (almost always?) humorous.

   Portable Document Format

   Post Office Protocol

           ********* Post Office Protocol Version 3.

   Post Office Protocol Version 3

           A protocol for accessing email messages on a mail server,
           characterised by the messages usually being downloaded from the
           server to the client, as opposed to remaining on the server.

           ********* Internet Message Access Protocol.

   PostScript Printer Description

   Preboot eXecution Environment

   Principle Of Least Astonishment

           As FreeBSD evolves, changes visible to the user should be kept as
           unsurprising as possible. For example, arbitrarily rearranging
           system startup variables in /etc/defaults/rc.conf violates POLA.
           Developers consider POLA when contemplating user-visible system
           changes.

   Problem Report

           A description of some kind of problem that has been found in
           either the FreeBSD source or documentation. See Writing FreeBSD
           Problem Reports.

   Process ID

           A number, unique to a particular process on a system, which
           identifies it and allows actions to be taken against it.

   Project Evil

           The working title for the NDISulator, written by Bill Paul, who
           named it referring to how awful it is (from a philosophical
           standpoint) to need to have something like this in the first
           place. The NDISulator is a special compatibility module to allow
           Microsoft Windows(TM) NDIS miniport network drivers to be used
           with FreeBSD/i386. This is usually the only way to use cards where
           the driver is closed-source. See src/sys/compat/ndis/subr_ndis.c.

  R

   RA

           ****** Router Advertisement.

   RAID

           ****** Redundant Array of Inexpensive Disks.

   RAM

           ****** Random Access Memory.

   RD

           ****** Received Data.

   RFC

           ****** Request For Comments.

   RISC

           ****** Reduced Instruction Set Computer.

   RPC

           ****** Remote Procedure Call.

   RS232C

           ****** Recommended Standard 232C.

   RTS

           ****** Request To Send.

   Random Access Memory

   Revision Control System

           The Revision Control System (RCS) is one of the oldest software
           suites that implement "revision control" for plain files. It
           allows the storage, retrieval, archival, logging, identification
           and merging of multiple revisions for each file. RCS consists of
           many small tools that work together. It lacks some of the features
           found in more modern revision control systems, like Git, but it is
           very simple to install, configure, and start using for a small set
           of files.

           ********* Subversion.

   Received Data

           An RS232C pin or wire that data is received on.

           ********* Transmitted Data.

   Recommended Standard 232C

           A standard for communications between serial devices.

   Reduced Instruction Set Computer

           An approach to processor design where the operations the hardware
           can perform are simplified but made as general purpose as
           possible. This can lead to lower power consumption, fewer
           transistors and in some cases, better performance and increased
           code density. Examples of RISC processors include the Alpha,
           SPARC(R), ARM(R) and PowerPC(R).

   Redundant Array of Inexpensive Disks

   Remote Procedure Call

   Request For Comments

           A set of documents defining Internet standards, protocols, and so
           forth. See www.rfc-editor.org.

           Also used as a general term when someone has a suggested change
           and wants feedback.

   Request To Send

           An RS232C signal requesting that the remote system commences
           transmission of data.

           ********* Clear To Send.

   Router Advertisement

  S

   SCI

           ****** System Control Interrupt.

   SCSI

           ****** Small Computer System Interface.

   SG

           ****** Signal Ground.

   SMB

           ****** Server Message Block.

   SMP

           ****** Symmetric MultiProcessor.

   SMTP

           ****** Simple Mail Transfer Protocol.

   SMTP AUTH

           ****** SMTP Authentication.

   SSH

           ****** Secure Shell.

   STR

           ****** Suspend To RAM.

   SVN

           ****** Subversion.

   SMTP Authentication

   Server Message Block

   Signal Ground

           An RS232 pin or wire that is the ground reference for the signal.

   Simple Mail Transfer Protocol

   Secure Shell

   Small Computer System Interface

   Subversion

           Subversion is a version control system currently used by the
           FreeBSD project.

   Suspend To RAM

   Symmetric MultiProcessor

   System Control Interrupt

  T

   TCP

           ****** Transmission Control Protocol.

   TCP/IP

           ****** Transmission Control Protocol/Internet Protocol.

   TD

           ****** Transmitted Data.

   TFTP

           ****** Trivial FTP.

   TGT

           ****** Ticket-Granting Ticket.

   TSC

           ****** Time Stamp Counter.

   Ticket-Granting Ticket

   Time Stamp Counter

           A profiling counter internal to modern Pentium(R) processors that
           counts core frequency clock ticks.

   Transmission Control Protocol

           A protocol that sits on top of (e.g.) the IP protocol and
           guarantees that packets are delivered in a reliable, ordered,
           fashion.

   Transmission Control Protocol/Internet Protocol

           The term for the combination of the TCP protocol running over the
           IP protocol. Much of the Internet runs over TCP/IP.

   Transmitted Data

           An RS232C pin or wire that data is transmitted on.

           ********* Received Data.

   Trivial FTP

  U

   UDP

           ****** User Datagram Protocol.

   UFS1

           ****** Unix File System Version 1.

   UFS2

           ****** Unix File System Version 2.

   UID

           ****** User ID.

   URL

           ****** Uniform Resource Locator.

   USB

           ****** Universal Serial Bus.

   Uniform Resource Locator

           A method of locating a resource, such as a document on the
           Internet and a means to identify that resource.

   Unix File System Version 1

           The original UNIX(R) file system, sometimes called the Berkeley
           Fast File System.

   Unix File System Version 2

           An extension to UFS1, introduced in FreeBSD 5-CURRENT. UFS2 adds
           64 bit block pointers (breaking the 1T barrier), support for
           extended file storage and other features.

   Universal Serial Bus

           A hardware standard used to connect a wide variety of computer
           peripherals to a universal interface.

   User ID

           A unique number assigned to each user of a computer, by which the
           resources and permissions assigned to that user can be identified.

   User Datagram Protocol

           A simple, unreliable datagram protocol which is used for
           exchanging data on a TCP/IP network. UDP does not provide error
           checking and correction like TCP.

  V

   VPN

           ****** Virtual Private Network.

   Virtual Private Network

           A method of using a public telecommunication such as the Internet,
           to provide remote access to a localized network, such as a
           corporate LAN.

                                     ******

  ******

   -CURRENT, ******************

                compiling, ****** FreeBSD-CURRENT

                ******, ****** FreeBSD-CURRENT

   -STABLE, ******************

                compiling, ****** FreeBSD-STABLE

                ******, ****** FreeBSD-STABLE

   .k5login, ********************* Kerberos

   .k5users, ********************* Kerberos

   .rhosts, ******************

   /boot/kernel.old, ***************************

   /etc, *********************

   /etc/groups, ************

   /etc/login.conf, ******************

   /etc/mail/access, Sendmail *********

   /etc/mail/aliases, Sendmail *********

   /etc/mail/local-host-names, Sendmail *********

   /etc/mail/mailer.conf, Sendmail *********

   /etc/mail/mailertable, Sendmail *********

   /etc/mail/sendmail.cf, Sendmail *********

   /etc/mail/virtusertable, Sendmail *********

   /etc/remote, ****** AT ******

   /etc/ttys, ***************

   /usr, *********************

   /usr/bin/login, ***************

   /usr/share/skel, adduser

   /var, *********************

   386BSD, FreeBSD ************

   386BSD Patchkit, FreeBSD ************

   4.3BSD-Lite, FreeBSD ************

   4.4BSD-Lite, ************ FreeBSD**

   802.11 (****** ************)

   *********

                ****** FreeBSD ***************, ********* FreeBSD**

   ***************, *********************

   *********, ******

   ******, ******

   ******, ******

   ************, Link Aggregation ***************

   ************

                COMPAT_LINUX, ****** Linux(R) Binary *********

                IPFILTER, ****** IPF

                IPFILTER_DEFAULT_BLOCK, ****** IPF

                IPFILTER_LOG, ****** IPF

                IPFIREWALL, IPFW ************

                IPFIREWALL_VERBOSE, IPFW ************

                IPFIREWALL_VERBOSE_LIMIT, IPFW ************

                IPSEC, VPN over IPsec

                IPSEC_DEBUG, VPN over IPsec

                MROUTING, ****** (Multicast) ************

                SCSI DELAY, SCSI_DELAY (kern.cam.scsi_delay)

   ******, ******

   ***************, PXE ***************

   ******************, PXE ***************

   ************, ************

   ******, ******

   ************, ************************

   ****** LAN, VLANs

   *********

                Gnumeric, Gnumeric

                KMyMoney, KMyMoney

   *********, *********************************

   *********, *********

  A

   AbiWord, AbiWord

   accounting

                disk space, ************

   accounts

                adding, adduser

                changing password, passwd

                daemon, ************

                groups, ************

                limiting, ******************

                modifying, ************

                nobody, ************

                operator, ************

                removing, rmuser

                superuser (root), *********************

                system, ************

                user, ***************

   ACL, ******************

   ACPI, *********************, ************

                ASL, BIOS ****************** Bytecode, *************** AML

                debugging, ***************************

                problems, ************, ***************************

   adduser, adduser, ***************************

   AIX, ****************** (NIS)

   amd, ****** amd(8) ************

   anti-aliased fonts, ***************

   Apache, ********* FreeBSD**, Apache HTTP *********

                configuration file, *************** Apache

                modules, Apache ******

                starting or stopping, *************** Apache

   Apache OpenOffice , Apache OpenOffice

   APIC

                disabling, ***************

   APM, *********************

   Apple, ********* FreeBSD**

   ASCII, ************

   AT&T, FreeBSD ************

   AUDIT, ******

   autofs, ****** autofs(5) ************

   automatic mounter daemon, ****** amd(8) ************

   automounter subsystem, ****** autofs(5) ************

   AutoPPP, ******************

  B

   backup software, *********************

                cpio, ************

                dump / restore, ******************

                pax, ************

                tar, ************

   Basic Input/Output System (see BIOS)

   BGP, *********************************

   binary compatibility

                Linux, ************ FreeBSD**

   Binary *********

                Linux, ******

   BIND, ************

   BIOS, FreeBSD ************

   bits-per-second, *********************

   Boot Loader, FreeBSD ************

   Boot Manager, FreeBSD ************, ******************

   boot-loader, *********

   booting, ******

   bootstrap, ******

   Bourne shells, Shell

   browsers

                web, *********

   BSD Router, ********* FreeBSD**

   BSD ******, FreeBSD ************

   bsdlabel, ************

  C

   Calligra, Calligra

   CARP, ************************ (CARP)

   CD burner

                ATAPI, *************** CD ******

                ATAPI/CAM driver, ***************

   CD-ROMs

                burning, ****** CD

                creating, *************** CD ******

                creating bootable, ********************* ISO ************

   CHAP, PAP *** CHAP ******

   chpass, chpass

   Chromium, Chromium

   Cisco, ********* FreeBSD**

   Citrix, ********* FreeBSD**

   command line, Shell

   Common Address Redundancy Protocol, ************************ (CARP)

   Compiler, FreeBSD **************

   Concurrent Versions System (****** CVS)

   console, ****** Console ************, ******************

   contributors, FreeBSD ************

   core team, FreeBSD ************

   country codes, ************

   cron

                configuration, ****** cron(8)

   cryptography, mod_ssl

   cuau, ***************

   CVS, FreeBSD ************

   CVS Repository, FreeBSD ************

  D

   dangerously dedicated, ************

   DCE, *********************

   device nodes, ******************

   device.hints, ************

   DGA, ************************

   DHCP

                configuration files, ****** DHCP *********, ***************
                DHCP *********

                dhcpd.conf, *************** DHCP *********

                diskless operation, ****** DHCP *********

                installation, *************** DHCP *********

                server, *************** DHCP *********

   dial-in service, ************

   dial-out service, ************

   directories, ******

   directory hierarchy, ************

   Disk Labels, ******************

   Disk Mirroring, RAID1 - ****** (Mirroring)

   disk quotas, ************, ************

                checking, ******************,
                ***************************************

                limits, ******************

   disks

                adding, ************

                detaching a memory disk,
                ***************************************

                encrypting, *********************

                memory, ***************************************

                memory file system,
                *********************************************

                resizing, ***************************

   Django, Django

   DNS, ************, ************, ************, ******************,
   ****************** (DNS)

   DNS Server, FreeBSD **************

   Documentation (see Updating and Upgrading)

   documentation package (see Updating and Upgrading)

   DSP, ******************

   DTE, *********************

   DTrace, ******

   DTrace support (see DTrace)

   dual homed hosts, *********************************

   dump, ******************

   DVD

                burning, *************** DVD ******

                DVD+RW, ****** DVD+RW

                DVD-RAM, ****** DVD-RAM

                DVD-RW, ****** DVD-RW

                DVD-Video, ****** DVD-Video

   Dynamic Host Configuration Protocol (see DHCP)

  E

   editors, ***************

                ee1, ***************

   ee, ***************

   electronic mail (****** email)

   ELF, ************

                branding, ************

   emacs, ***************

   email, FreeBSD **************, ******

                change mta, ******************************

                configuration, ************

                receiving, ************

                troubleshooting, ************

   embedded, FreeBSD **************

   encodings, ************

   environment variables, Shell

   ePDFView, ePDFView

   execution class loader, ************

  F

   FEC, Link Aggregation ***************

   fetchmail, ****** fetchmail

   file permissions, ******

   file server

                UNIX clients, ****************** (NFS)

                Windows clients, Microsoft(R) Windows(R)
                ****************************** (Samba)

   file systems

                ISO 9660, *************** CD ******, *********************
                ISO ************

                Joliet, ********************* ISO ************

                mounted with fstab, fstab ***

                mounting, ****** mount(8)

                snapshots, ******************

                unmounting, ****** umount(8)

   File Systems, ******

   File Systems Support (see File Systems)

   Firefox, Firefox

   firewall, FreeBSD **************

                IPFILTER, IPFILTER (IPF)

                IPFW, IPFW

                PF, PF

                rulesets, ***************

   fonts

                anti-aliased, ***************

                spacing, ***************

                TrueType, TrueType(R) ******

   Fonts

                LCD screen, ***************

   Free Software Foundation, FreeBSD ************, GNU Info ***

   FreeBSD Project

                history, FreeBSD ************

   FreeBSD Security Advisories, FreeBSD ************

   FreeBSD ******

                ************, FreeBSD ************

   FreeBSD ******

                ******, FreeBSD ************

   freebsd-update (see updating-upgrading)

   FreeNAS, ********* FreeBSD**

   FreshPorts, ************

   FTP

                anonymous, ******

   FTP servers, FreeBSD **************, ****************** (FTP)

  G

   gateway, ******************

   Geeqie, Geeqie

   GEOM, ******, RAID0 - ****** (Striping), RAID1 - ****** (Mirroring), RAID3
   - ************************************, ****** RAID ******,
   ******************, UFS Journaling ****** GEOM

   GEOM Disk Framework (see GEOM)

   getty, ***************

   GhostBSD, ********* FreeBSD**

   GNOME, FreeBSD **************, GNOME

   GNU toolchain, ****** Linux(R) ELF Binary

   GNU ********************************* (LGPL), FreeBSD ************

   GNU ************************ (GPL), FreeBSD ************

   GnuCash, GnuCash

   Gnumeric, Gnumeric

   gpart, ************, ***************************

   grace period, ***************************************

   Greenman, David, FreeBSD ************

   Grimes, Rod, FreeBSD ************

   groups, ************

   gv, gv

  H

   hard limit, ******************

   HAST

                high availability, ********************* (HAST)

   HCI, ************************

   hostname, ************

   hosts, /etc/hosts

   HP-UX, ****************** (NIS)

   Hubbard, Jordan, FreeBSD ************

   hw.ata.wc, hw.ata.wc

  I

   I/O port, ******************

   IEEE, ************

   image scanners, ***************

   IMAP, ************

   init8, FreeBSD ************, ************

   installation

                troubleshooting, ************

   Intel i810 graphic chipset, ****** Intel(R) i810 ***************

   internationalization (see localization)

   Internet Systems Consortium (ISC), ************************ (DHCP)

   interrupt storms, ***************

   IP aliases, ************

   IP masquerading (see NAT)

   IP *********, ******

   IPFILTER

                enabling, ****** IPF

                kernel options, ****** IPF

                logging, IPF ******

                rule syntax, IPF ************

                statistics, ****** IPF ************

   ipfstat, ****** IPF ************

   IPFW

                enabling, ****** IPFW

                kernel options, IPFW ************

                logging, *********************

                rule processing order, IPFW ************

                rule syntax, IPFW ************

   ipfw, IPFW ******

   ipmon, IPF ******

   ipnat, ****** NAT

   IPsec, VPN over IPsec

                AH, VPN over IPsec

                ESP, VPN over IPsec

   IRQ, ******************

   Isilon, ********* FreeBSD**

   ISO 9660, *************** CD ******

   iXsystems, ********* FreeBSD**

  J

   jails, Jail

   Jolitz, Bill, FreeBSD ************

   Journaling, UFS Journaling ****** GEOM

   Juniper, ********* FreeBSD**

  K

   KDE, FreeBSD **************, KDE

                display manager, KDE

   Kerberos5

                configure clients, ********************* Kerberos

                enabling services, ********************* Kerberos

                external resources, ***************************

                Key Distribution Center, ****** Heimdal KDC

                limitations and shortcomings, ****** Kerberos *********

   kern.cam.scsi_delay, SCSI_DELAY (kern.cam.scsi_delay)

   kern.ipc.soacceptqueue, kern.ipc.soacceptqueue

   kern.maxfiles, kern.maxfiles

   kernel, FreeBSD ************

                boot interaction, *********

                bootflags, ************

                building / installing, ***************************

                building a custom kernel, ******

                configuration, ***************

                configuration file, *********

                NOTES, *********

   keymap, Console ******

   KLD (kernel loadable object), ****** Windows(R) NDIS ************

   KMyMoney, KMyMoney

   Konqueror, Konqueror

  L

   L2CAP, Logical Link Control and Adaptation Protocol (L2CAP)

   LACP, Link Aggregation ***************

   lagg, Link Aggregation ***************

   language codes, ************

   LCD screen, ***************

   LCP, ******************

   LDAP, *************************** (LDAP), ***************

   LDAP Server, ****** LDAP *********

   LibreOffice, LibreOffice

   limiting users, ******************

                coredumpsize, ******************

                cputime, ******************

                filesize, ******************

                maxproc, ******************

                memorylocked, ******************

                memoryuse, ******************

                openfiles, ******************

                quotas, ************

                sbsize, ******************

                stacksize, ******************

   Linux, ****************** (NIS)

                ELF binaries, ****** Linux(R) ELF Binary

   Linux binary compatibility, ******

   livefs CD, ************

   loadbalance, Link Aggregation ***************

   loader, *********

   loader configuration, *********

   locale, ************, ************ Shell *********

   localization

                German, ************************

                Greek, ************************

                Japanese, ************************

                Korean, ************************

                Russian, ****** (KOI8-R ******)

                Traditional Chinese, ************************

   log files

                FTP, ******

   log management, *********************

   log rotation, *********************

   login class, ************ Shell *********, ***************************

   ls1, ******

  M

   MAC, ******

                File System Firewall Policy, MAC BSD Extended ******

   MAC Biba Integrity Policy, MAC Biba ******

   MAC Configuration Testing, ************

   MAC Interface Silencing Policy, MAC Interface Silencing ******

   MAC LOMAC, MAC Low-watermark ******

   MAC Multi-Level Security Policy, MAC Multi-Level Security ******

   MAC Port Access Control List Policy, MAC Port Access Control ******

   MAC Process Partition Policy, MAC Partition ******

   MAC See Other UIDs Policy, MAC See Other UIDs ******

   MAC Troubleshooting, MAC ******************

   MacOS, ***************************

   mail host, ************

   mail server daemons

                Exim, ************

                Postfix, ************

                qmail, ************

                Sendmail, ************

   Mail User Agents, ***************************

   Mandatory Access Control (see MAC)

   manual pages, ************

   Master Boot Record (MBR), FreeBSD ************, ******************

   McAfee, ********* FreeBSD**

   mencoder, MPlayer *** MEncoder

   mfsBSD, ********* FreeBSD**

   mgetty, ******************

   Microsoft Windows, Microsoft(R) Windows(R) ******************************
   (Samba)

   Microsoft Windows

                device drivers, ****** Windows(R) NDIS ************

   MIME, ************ Shell *********

   modem, ************

   mod_perl

                Perl, mod_perl

   mod_php

                PHP, mod_php

   mountd, ****************** (NFS)

   moused, Console ******

   MPlayer, MPlayer *** MEncoder

   MS-DOS, ***************************

   multi-user mode, ******************

   multicast routing, ****** (Multicast) ************

   MX record, ************, ************, ************

  N

   Nagios in a MAC Jail, *** MAC Jail ********* Nagios

   NAS4Free, ********* FreeBSD**

   NAT, FreeBSD **************, ****** NAT

                and IPFW, ********* NAT

   NDIS, ****** Windows(R) NDIS ************

   NDISulator, ****** Windows(R) NDIS ************

   net.inet.ip.portrange.*, net.inet.ip.portrange.*

   Net/2, FreeBSD ************

   NetApp, ********* FreeBSD**

   NetBIOS, ************

   NetBSD, ****************** (NIS)

   Netflix, ********* FreeBSD**

   netgroups, ****** Netgroups

   network address translation (see NAT)

   network cards

                configuration, *********************, ***************

                driver, ***************************

                testing, *********************

                troubleshooting, ************

   newsyslog, *********************

   newsyslog.conf, *********************

   NFS, NFS ************, ****************** (NFS)

                configuration, ***************

                export examples, ***************

                installing multiple machines, ******************

                mounting, ***************

                server, ****************** (NFS)

   nfsd, ****************** (NFS)

   NIS, ****************** (NIS)

                client, ************

                client configuration, ****** NIS *********

                domain name, ****** NIS ************

                domains, ****************** (NIS)

                maps, ********* NIS *********

                master server, ************

                password formats, ************

                server configuration, ****** NIS Master *********

                slave server, ************, ****** NIS Slave *********

   NIS+, ***************

   NOTES, *********

   Novell, FreeBSD ************

   NTP, NTP ******

                ntp.conf, /etc/ntp.conf ***

                ntpd, NTP ************

                rc.conf, *** /etc/rc.conf ****** NTP ************

   null-modem cable, ***************, ************ Console ******

  O

   OBEX, OBEX Object Push (OPUSH)

   office suite

                Apache OpenOffice , Apache OpenOffice

                Calligra, Calligra

                LibreOffice, LibreOffice

   Okular, Okular

   one-time passwords, ***************

   OpenBSD, ****************** (NIS)

   OpenSSH, OpenSSH

                client, ****** SSH ***************

                enabling, ****** SSH *********

                secure copy, ****** SSH ***************

                tunneling, SSH ******

   OpenSSL

                certificate generation, ************

   Opera, Opera

   OPNsense, ********* FreeBSD**

   OSPF, *********************************

  P

   PAP, PAP *** CHAP ******

   partitions, ************, ************, ***************************

   passwd, passwd

   password, PAP *** CHAP ******

   pax, ************

   PCI, ***************

   PDF

                viewing, Xpdf, gv, ePDFView, Okular

   permissions, ******

                symbolic, ************

   pfSense, ********* FreeBSD**

   pgp keys, OpenPGP ******

   pkg, ******************************

                search, ************

   POP, ************

   portmap, NIS ***************

   portmaster, ****** Portmaster ****** Port

   ports, ******

                disk-space, Port ***************

                installing, ****** Port

                removing, ****************** Port

                upgrading, ****** Port

                upgrading-tools, *************** Port *********

   Ports Collection, ****** Linux(R) Binary *********

   portupgrade, ****** Portupgrade ****** Port

   POSIX, ************, ************ Shell *********

   PostScript

                viewing, gv

   PPP, ******

                configuration, ******************

                Microsoft extensions, ************

                NAT, ****** PPP ************************

                over ATM, *** ATM ****** PPP (PPPoA)

                over Ethernet, ******, ********************* PPP (PPPoE)

                troubleshooting, PPP ******************

                with static IP addresses, ************

   PPPoA, *** ATM ****** PPP (PPPoA)

   print server

                Windows clients, Microsoft(R) Windows(R)
                ****************************** (Samba)

   printers, ****** (KOI8-R ******)

   Process Accounting, ************

   procmail, ****** procmail

   pw, pw, ***************************

   Python, Django

  Q

   Quest KACE, ********* FreeBSD**

   quotas, ************

  R

   RAID1, RAID1 - ****** (Mirroring)

   RAID3, RAID3 - ************************************

   rc files, ******************

                rc.conf, ***************************

                rc.serial, ***************, ***************

   resolv.conf, /etc/resolv.conf

   resolver, ****************** (DNS)

   Resource limits, ************

   restore, ******************

   reverse DNS, ****************** (DNS)

   RIP, *********************************

   rmuser, rmuser

   root file system, ***************************

   root zone, ****************** (DNS)

   roundrobin, Link Aggregation ***************

   routed, ******************

   router, FreeBSD **************

   routing, ******************

   rpcbind, ****************** (NFS), NIS ***************

   Ruby on Rails, Ruby on Rails

  S

   Samba server, Microsoft(R) Windows(R) ******************************
   (Samba)

   Sandvine, ********* FreeBSD**

   scp1, ****** SSH ***************

   screenmap, Console ******

   SDL, ************************

   SDP, Service Discovery Protocol (SDP)

   security, *********

                firewalls, *********

                one-time passwords, ***************

                OpenSSH, OpenSSH

                OpenSSL, OpenSSL

   Security

                Sudo, ****** Sudo ******************

   Security Event Auditing (see MAC)

   sendmail, ******************

   Sendmail, Sendmail *********

   serial communications, ******

   serial console, ************ Console

   services, ************

   shared libraries, ***************************

   shells, Shell

   shutdown8, ************

   single-user mode, *********, ******************

   skeleton directory, adduser

   slices, ************

   SMTP, ******************, ************

   soft limit, ******************

   Soft Updates, *********

                details, ************************************

   Software RAID Devices

                Hardware-assisted RAID, ****** RAID ******

   Solaris, ************, ****************** (NIS)

   Sony, ********* FreeBSD**

   Sophos, ********* FreeBSD**

   sound cards, ***************

   SourceForge, ************

   Spectra Logic, ********* FreeBSD**

   SQL database, ***************

   SSL, mod_ssl

   static IP address, ****** PPP

   Stormshield, ********* FreeBSD**

   Striping, RAID0 - ****** (Striping)

   subnet, ******************

   Subversion, FreeBSD ************, ****** FreeBSD-STABLE, ****** Subversion

   Subversion Repository, FreeBSD ************

                Mirror Sites, Subversion *********

   SVN (****** Subversion)

   swap

                encrypting, ******************

   swap partition, *********************

   swap sizing, *********************

   symbolic links, ***************************

   sysctl, ****** sysctl(8) ******, sysctl.conf

   sysctl.conf, sysctl.conf

   syslog, ******************, ******

   syslog.conf, ******************

   syslogd8, ******************

   system configuration, ******

   system logging, ******************

   system optimization, ******

  T

   tape media, ************************

   tar, ************

   TCP Bandwidth Delay Product Limiting

                net.inet.tcp.inflight.enable, TCP ******************

   TCP Wrapper, TCP Wrapper, NIS *********

   TCP/IP networking, ************ FreeBSD**

   terminals, ****** Console ************, *********

   tether, USB ************

   text editors, ***************

   The GIMP, The GIMP

   The Weather Channel, ********* FreeBSD**

   traceroute8, ************

   Traditional Chinese

                BIG-5 encoding, ************ (Login Class) ***

   TrueOS, ********* FreeBSD**

   TrueType Fonts, TrueType(R) ******

   ttyu, ***************

   tunefs8, *********

   tuning

                kernel limits, ******************

                with sysctl, ****** sysctl(8) ******

   TV cards, *********

  U

   U.C. Berkeley, FreeBSD ************

   UDP, ****** DHCP *********

   UNIX, ******

   Updating and Upgrading, FreeBSD ******, ***************, *** Port
   ******************

   USB

                disks, USB ************

  V

   Verisign, ********* FreeBSD**

   vfs.hirunningspace, vfs.hirunningspace

   vfs.vmiodirenable, vfs.vmiodirenable

   vfs.write_behind, vfs.write_behind

   vi, ***************

   video packages, ****************** Port *********

   video ports, ****************** Port *********

   vipw, ***************************

   virtual consoles, ****** Console ************

   virtual hosts, ************

   virtual private network (see VPN)

   VLANs, VLANs

   vm.swap_idle_enabled, vm.swap_idle_enabled

   Voxer, ********* FreeBSD**

   VPN, VPN over IPsec

  W

   Walnut Creek CDROM, FreeBSD ************

   web servers

                dynamic, ************

                secure, mod_ssl

                setting up, Apache HTTP *********

   WhatsApp, ********* FreeBSD**

   Wheel Systems, ********* FreeBSD**

   widescreen flatpanel configuration,
   ******************************************

   Williams, Nate, FreeBSD ************

   Windows, ***************************

   Windows drivers, ****** Windows(R) NDIS ************

  X

   X Display Manager, X ******************

   X Input Method (XIM), Xorg ******

   X Window System, FreeBSD **************

   XML, ***************

   Xorg, Xorg ******

   Xorg tuning, ************

   xorg.conf, ************

   Xpdf, Xpdf

   XVideo, ************************

  Y

   yellow pages (see NIS)

  Z

   zones

                examples, ****************** (DNS)

   ZRouter, ********* FreeBSD**

                                  ************

   *************************** "FreeBSD ************"
   *********************************._ ************************ DocBook DTD
   ********* XML ******** ****** XSLT *** XML ***************************._
   ************ Donald Knuth *** TeX ************** Leslie Lamport *** LaTeX
   *** Sebastian Rahtz *** JadeTeX
   ********************************************************************._
