Make the default setting YES for now to get some experience with it.
Note: If people starts seeing disk errors because of this then it
should not be backed.
Note that "right" in this case is not universally recognized, but
NTP-practittioners as opposed to theoretians generally agree that
getting "inside the window" using ntpdate is TRTTD on PC hardware.
PR: 25514
Submitted by: Chris Johnson <cjohnson-pr@palomine.net>
very specific scenarios, and now that we have had net.inet.tcp.blackhole for
quite some time there is really no reason to use it any more.
(second of three commits)
associated changes that had to happen to make this possible as well as
bugs fixed along the way.
Bring in required TLI library routines to support this.
Since we don't support TLI we've essentially copied what NetBSD
has done, adding a thin layer to emulate direct the TLI calls
into BSD socket calls.
This is mostly from Sun's tirpc release that was made in 1994,
however some fixes were backported from the 1999 release (supposedly
only made available after this porting effort was underway).
The submitter has agreed to continue on and bring us up to the
1999 release.
Several key features are introduced with this update:
Client calls are thread safe. (1999 code has server side thread
safe)
Updated, a more modern interface.
Many userland updates were done to bring the code up to par with
the recent RPC API.
There is an update to the pthreads library, a function
pthread_main_np() was added to emulate a function of Sun's threads
library.
While we're at it, bring in NetBSD's lockd, it's been far too
long of a wait.
New rpcbind(8) replaces portmap(8) (supporting communication over
an authenticated Unix-domain socket, and by default only allowing
set and unset requests over that channel). It's much more secure
than the old portmapper.
Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded
to support TI-RPC and to support IPV6.
Umount(8) is also fixed to unmount pathnames longer than 80 chars,
which are currently truncated by the Kernel statfs structure.
Submitted by: Martin Blapp <mb@imp.ch>
Manpage review: ru
Secure RPC implemented by: wpaul
enable all harvesting options by default since having them on for
devices not present doesn't hurt anything. Leave them on by default
since for the most part they are not producing noticable slowdown,
and are about to get a lot more efficient.
Re-order part of the cheesy entropy process in preparation for
its complete removal.
during the boot process. We're turning it on by default, based on the
actual presence of a configured ethernet card, and/or ppp/tun devices.
Of course, it's easy to disable in rc.conf.
it at boot time closer to the way we want it to be in the final version.
* Move the default directory to /var/db/entropy
* Run the entropy saving cron job every 11 minutes. This seems
to be a better default, although still bikeshed material.
* Feed /dev/random some cheesy "entropy" from various commands
and files before the disks are mounted. This gives /dev/random
a better chance of running without blocking early.
* Move the reseeding with previously stored entropy to the point
immediately after the disks are mounted.
* Make the harvesting script a little safer in regards to the
possibility of accidentally overwriting something other
than a regular file.
it can be used to reseed at boot time. This will greatly increase
the chances that there will be sufficient entropy available at
boot time to prevent long delays.
For /etc/rc, remove the vmstat and iostat runs from the attempt
to provide some cheesy randomness if the files fail, since
those programs are dynamically linked, and ldd seems to want
some randomness to do its magic.
Guidance and parameters for this project were provided by
Mark Murray, based on the requirements of the Yarrow
algorithm. Some helpful suggestions for implementation
(including the tip about iostat and vmstat) were provided
by Sheldon Hearn. All blame for problems or mistakes is
mine of course.
- rtsol should be work for only one interface
- new variable ipv6_defaultrouter is added
- option name of rtadvd in comment are corrected
- ipv6_firewall_enable, ipv6_firewall_type, ipv6_firewall_script,
ipv6_firewall_logging are added to introduce rc.firewall6.
IPv6 firewall rule is just starting point and should be brushed up.
This commit includes PR18621, PR21694, PR22051.
PR: conf/18621, conf/21694, conf/22051
Reviewed by: asmodai
the appropriate documentation added to rc.conf(5). If all goes well
with this over the next few weeks, the PR will be closed with the
pullup of patches back to 4-STABLE.
PR: 20202
Submitted by: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Reviewed by: Darren Reed <darrenr@freebsd.org>
Approved by: Darren Reed <darrenr@freebsd.org>
Obtained from: Gerhard Sittig <Gerhard.Sittig@gmx.net>
cached when not in use. This changes the FreeBSD default from 30 minutes
to 5 minutes. JKH was the one that added the override to amd_flags, but
there was no reason given other to serve as an example of what could be
done.
IPX folks a fighting chance of figuring this out themselves. I can't
work out how to document this carefully in rc.conf(5), but this ought
to close the PR.
PR: 17904
Reported by: John Gelnaw <jeg@hawk.circa.ufl.edu>
Make sysinstall override this on install, so the effective behavioural
change for a newly installed system is null. Overall, this makes a system
with an empty /etc/rc.conf not run any network services, and makes the
FreeBSD-provided network services that are running visible in /etc/rc.conf
(instead of making people look through /etc/defaults/rc.conf to find the
things they need to disable to secure the system.)
Reviewed by: jhb
Discussed with: The usual cabal
time, and this is used to reseed the random number generator at
boot time.
NOTE - this has no hope of working if you halt(); you need to
execute rc.shutdown to get the entropy stash.
The only change in the default functionality should be that
the output reports are slightly more verbose WRT files deleted.
Not objected to by: freebsd-arch
options. This allows you to set the standard dynamic port
assignment range prior to any network daemons (like named) starting
up, necessary if you are also using a firewall to restrict lower ports.
will be MFC'd in a few days
