it at boot time closer to the way we want it to be in the final version.
* Move the default directory to /var/db/entropy
* Run the entropy saving cron job every 11 minutes. This seems
to be a better default, although still bikeshed material.
* Feed /dev/random some cheesy "entropy" from various commands
and files before the disks are mounted. This gives /dev/random
a better chance of running without blocking early.
* Move the reseeding with previously stored entropy to the point
immediately after the disks are mounted.
* Make the harvesting script a little safer in regards to the
possibility of accidentally overwriting something other
than a regular file.
it can be used to reseed at boot time. This will greatly increase
the chances that there will be sufficient entropy available at
boot time to prevent long delays.
For /etc/rc, remove the vmstat and iostat runs from the attempt
to provide some cheesy randomness if the files fail, since
those programs are dynamically linked, and ldd seems to want
some randomness to do its magic.
Guidance and parameters for this project were provided by
Mark Murray, based on the requirements of the Yarrow
algorithm. Some helpful suggestions for implementation
(including the tip about iostat and vmstat) were provided
by Sheldon Hearn. All blame for problems or mistakes is
mine of course.
- rtsol should be work for only one interface
- new variable ipv6_defaultrouter is added
- option name of rtadvd in comment are corrected
- ipv6_firewall_enable, ipv6_firewall_type, ipv6_firewall_script,
ipv6_firewall_logging are added to introduce rc.firewall6.
IPv6 firewall rule is just starting point and should be brushed up.
This commit includes PR18621, PR21694, PR22051.
PR: conf/18621, conf/21694, conf/22051
Reviewed by: asmodai
the appropriate documentation added to rc.conf(5). If all goes well
with this over the next few weeks, the PR will be closed with the
pullup of patches back to 4-STABLE.
PR: 20202
Submitted by: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Reviewed by: Darren Reed <darrenr@freebsd.org>
Approved by: Darren Reed <darrenr@freebsd.org>
Obtained from: Gerhard Sittig <Gerhard.Sittig@gmx.net>
cached when not in use. This changes the FreeBSD default from 30 minutes
to 5 minutes. JKH was the one that added the override to amd_flags, but
there was no reason given other to serve as an example of what could be
done.
IPX folks a fighting chance of figuring this out themselves. I can't
work out how to document this carefully in rc.conf(5), but this ought
to close the PR.
PR: 17904
Reported by: John Gelnaw <jeg@hawk.circa.ufl.edu>
Make sysinstall override this on install, so the effective behavioural
change for a newly installed system is null. Overall, this makes a system
with an empty /etc/rc.conf not run any network services, and makes the
FreeBSD-provided network services that are running visible in /etc/rc.conf
(instead of making people look through /etc/defaults/rc.conf to find the
things they need to disable to secure the system.)
Reviewed by: jhb
Discussed with: The usual cabal
time, and this is used to reseed the random number generator at
boot time.
NOTE - this has no hope of working if you halt(); you need to
execute rc.shutdown to get the entropy stash.
The only change in the default functionality should be that
the output reports are slightly more verbose WRT files deleted.
Not objected to by: freebsd-arch
options. This allows you to set the standard dynamic port
assignment range prior to any network daemons (like named) starting
up, necessary if you are also using a firewall to restrict lower ports.
will be MFC'd in a few days
scripts may use to source safely overrides in ${rc_conf_files}
files.
This protects users who insist on the bad practice of copying
/etc/defaults/rc.conf to /etc/rc.conf from a recursive loop
that exhausts available file descriptors.
Several people have expressed interest in breaking this function
out into its own shell script. Anyone who wants to embark on
such an undertaking would do well to study the attributed PR.
PR: 17595
Reported by: adrian
Submitted by: Doug Barton <Doug@gorean.org>
for pccardd.
Please install /etc/defaults/pccard.conf and update /etc/defaults/rc.conf
as well.
Note that old pccard.conf.sample still remains for while but
no longer to be maintained.
Reviewed by: imp, -mobile ML and nomads ML in Japan.
reserve, in maximal NFS packets. Originally only 2 packets worth of
space was reserved. The default is now 4, which appears to greatly
improve performance for slow to mid-speed machines on gigabit networks.
Add documentation and correct some prior documentation.
Problem Researched by: Andrew Gallatin <gallatin@cs.duke.edu>
Approved by: jkh
- 6to4(stf) interface configuration.
- Static route configuration.
- Comment additions.
- Replaced a still existed '@' to '%' in IPv6 scoped addr format.
(This became necessary as previous IPv6 scoped addr format change.)
Much thanks to ume, who helped me reviewing, testing, and finding problems
with these changes.
Approved by: jkh
Reviewed by: ume
Initial version created by, and kindly much tested by:
bmah@CA.Sandia.GOV (Bruce A. Mah)
Approved by: jkh
Reviewed by: bmah@CA.Sandia.GOV (Bruce A. Mah),
Ollivier Robert <roberto@keltia.freenix.fr>
Obtained from: KAME project
this is no longer the right way to start Vinum unless you are doing some
kind of maintenance, and that's not the sort of thing that would go into
rc.conf.
respectively logging and dropping ICMP REDIRECT packets.
Note that there is no rate limiting on the log messages, so log_redirect
should be used with caution (preferrably only for debugging purposes).
Originally submitted by: Wayne Self <wself@cdrom.com>
Allow a ppp startup option in rc.conf.
Adjust sysinstall so that it appends to the end of ppp.conf
and uses the generated profile to start ppp in auto mode on
boot.
Submitted by: Josef L. Karthauser <joe@uk.FreeBSD.org>
get a list of interfaces, and then automatically configure them if
${ifconfig_${ifn}} or /etc/start_if.${ifn} exists.
This makes it a lot easier to deal with machines that constantly change
their network configuration as you can leave ifconfig settings for all
the possible cards - just the ones that are present will be configured.
and set it to "/etc/pccard.conf.sample" in /etc/defaults/rc.conf.
Perhaps this default value can be inappropriate,
but I set to this value for the convenience of PC-card boot.flp users.
Please correct it if there are better solutions.
twice to enable wrapping for internal wrapping as well. If the option is
not specified wrapping is turned off so that inetd will behave exactly
as it used to before TCP Wrappers was imported.
Change etc/defaults/rc.conf so as to encourage wrapping on new systems.
Clarify the use of TCP Wrappers in the IMPLEMENTATION NOTES of the
manual page.
Approved by: jkh
default.
Despite their name it doesn't keep TCP sessions alive, it kills
them if the other end has gone AWOL. This happens a lot with
clients which use NAT, dynamic IP assignment or which has a 2^32
* 10^-3 seconds upper bound on their uptime.
There is no detectable increase in network trafic because of this:
two minimal TCP packets every two hours for a live TCP connection.
Many servers already enable keepalives themselves.
The host requirements RFC is 10 years old, and doesn't know about
the loosing clients of todays InterNet.
automagically find all the partitions. This is to be preferred to the
somewhat emetic usage of vinum_slices and the equally obnoxious 'vinum
read' command.
log_in_vain:
log_in_vain turns on logging for packets to ports for which
there is no listener.
rc.sysctl:
A generic way to set sysctl values. It reads /etc/syslog.conf
and sets values based on that. No /etc/syslog.conf has been
checked in yet, and I've not added this to the makefile yet
until I get more feedback.
Reviewed by: -current, -hackers and bde especially
enable_quotas - use quotas on your system
check_quotas - check for violations on startup
By assuming that a system was neat and without violation before it booted
we can skip a long (and at that point needless) process.
Submitted by: Alex Perel <veers@disturbed.net>
suitable defaults pointing to the FreeBSD-shipped versions. This will allow
for easier integration of third-party replacements for these daemons.
Reviewed by: Several members of -committers
