freebsd-skq/etc/defaults/rc.conf

748 lines
38 KiB
Plaintext
Raw Normal View History

#!/bin/sh
# This is rc.conf - a file full of useful variables that you can set
# to change the default startup behavior of your system. You should
# not edit this file! Put any overrides into one of the ${rc_conf_files}
# instead and you will be able to update these defaults later without
# spamming your local configuration information.
#
# The ${rc_conf_files} files should only contain values which override
# values set in this file. This eases the upgrade path when defaults
# are changed and new features are added.
#
1997-04-28 10:14:45 +00:00
# All arguments must be in double or single quotes.
#
# For a more detailed explanation of all the rc.conf variables, please
# refer to the rc.conf(5) manual page.
#
1999-08-27 23:37:10 +00:00
# $FreeBSD$
##############################################################
### Important initial Boot-time options ####################
##############################################################
# rc_debug can't be set here without interferring with rc.subr's setting it
# when the kenv variable rc.debug is set.
#rc_debug="NO" # Set to YES to enable debugging output from rc.d
rc_info="NO" # Enables display of informational messages at boot.
rc_startmsgs="YES" # Show "Starting foo:" messages at boot
rcshutdown_timeout="90" # Seconds to wait before terminating rc.shutdown
early_late_divider="FILESYSTEMS" # Script that separates early/late
# stages of the boot process. Make sure you know
# the ramifications if you change this.
# See rc.conf(5) for more details.
always_force_depends="NO" # Set to check that indicated dependencies are
# running during boot (can increase boot time).
apm_enable="NO" # Set to YES to enable APM BIOS functions (or NO).
apmd_enable="NO" # Run apmd to handle APM event from userland.
apmd_flags="" # Flags to apmd (if enabled).
ddb_enable="NO" # Set to YES to load ddb scripts at boot.
ddb_config="/etc/ddb.conf" # ddb(8) config file.
devd_enable="YES" # Run devd, to trigger programs on device tree changes.
devd_flags="" # Additional flags for devd(8).
#kld_list="" # Kernel modules to load after local disks are mounted
kldxref_enable="NO" # Build linker.hints files with kldxref(8).
kldxref_clobber="NO" # Overwrite old linker.hints at boot.
kldxref_module_path="" # Override kern.module_path. A ';'-delimited list.
powerd_enable="NO" # Run powerd to lower our power usage.
powerd_flags="" # Flags to powerd (if enabled).
tmpmfs="AUTO" # Set to YES to always create an mfs /tmp, NO to never
tmpsize="20m" # Size of mfs /tmp if created
tmpmfs_flags="-S" # Extra mdmfs options for the mfs /tmp
varmfs="AUTO" # Set to YES to always create an mfs /var, NO to never
varsize="32m" # Size of mfs /var if created
varmfs_flags="-S" # Extra mount options for the mfs /var
populate_var="AUTO" # Set to YES to always (re)populate /var, NO to never
cleanvar_enable="YES" # Clean the /var directory
local_startup="/usr/local/etc/rc.d" # startup script dirs.
script_name_sep=" " # Change if your startup scripts' names contain spaces
rc_conf_files="/etc/rc.conf /etc/rc.conf.local"
# ZFS support
zfs_enable="NO" # Set to YES to automatically mount ZFS file systems
zfsd(8), the ZFS fault management daemon Add zfsd, which deals with hard drive faults in ZFS pools. It manages hotspares and replements in drive slots that publish physical paths. cddl/usr.sbin/zfsd Add zfsd(8) and its unit tests cddl/usr.sbin/Makefile Add zfsd to the build lib/libdevdctl A C++ library that helps devd clients process events lib/Makefile share/mk/bsd.libnames.mk share/mk/src.libnames.mk Add libdevdctl to the build. It's a private library, unusable by out-of-tree software. etc/defaults/rc.conf By default, set zfsd_enable to NO etc/mtree/BSD.include.dist Add a directory for libdevdctl's include files etc/mtree/BSD.tests.dist Add a directory for zfsd's unit tests etc/mtree/BSD.var.dist Add /var/db/zfsd/cases, where zfsd stores case files while it's shut down. etc/rc.d/Makefile etc/rc.d/zfsd Add zfsd's rc script sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev.c Fix the resource.fs.zfs.statechange message. It had a number of problems: It was only being emitted on a transition to the HEALTHY state. That made it impossible for zfsd to take actions based on drives getting sicker. It compared the new state to vdev_prevstate, which is the state that the vdev had the last time it was opened. That doesn't make sense, because a vdev can change state multiple times without being reopened. vdev_set_state contains logic that will change the device's new state based on various conditions. However, the statechange event was being posted _before_ that logic took effect. Now it's being posted after. Submitted by: gibbs, asomers, mav, allanjude Reviewed by: mav, delphij Relnotes: yes Sponsored by: Spectra Logic Corp, iX Systems Differential Revision: https://reviews.freebsd.org/D6564
2016-05-28 17:43:40 +00:00
# ZFSD support
zfsd_enable="NO" # Set to YES to automatically start the ZFS fault
# management daemon.
gptboot_enable="YES" # GPT boot success/failure reporting.
# Experimental - test before enabling
gbde_autoattach_all="NO" # YES automatically mounts gbde devices from fstab
gbde_devices="NO" # Devices to automatically attach (list, or AUTO)
gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices
gbde_lockdir="/etc" # Where to look for gbde lockfiles
# GELI disk encryption configuration.
geli_devices="" # List of devices to automatically attach in addition to
# GELI devices listed in /etc/fstab.
geli_tries="" # Number of times to attempt attaching geli device.
# If empty, kern.geom.eli.tries will be used.
geli_default_flags="" # Default flags for geli(8).
geli_autodetach="YES" # Automatically detach on last close.
# Providers are marked as such when all file systems are
# mounted.
# Example use.
#geli_devices="da1 mirror/home"
#geli_da1_flags="-p -k /etc/geli/da1.keys"
#geli_da1_autodetach="NO"
#geli_mirror_home_flags="-k /etc/geli/home.keys"
root_rw_mount="YES" # Set to NO to inhibit remounting root read-write.
root_hold_delay="30" # Time to wait for root mount hold release.
fsck_y_enable="NO" # Set to YES to do fsck -y if the initial preen fails.
fsck_y_flags="" # Additional flags for fsck -y
background_fsck="YES" # Attempt to run fsck in the background where possible.
background_fsck_delay="60" # Time to wait (seconds) before starting the fsck.
netfs_types="nfs:NFS smbfs:SMB" # Net filesystems.
extra_netfs_types="NO" # List of network extra filesystem types for delayed
# mount at startup (or NO).
##############################################################
### Network configuration sub-section ######################
##############################################################
### Basic network and firewall/security options: ###
1999-07-18 09:58:01 +00:00
hostname="" # Set this!
hostid_enable="YES" # Set host UUID.
hostid_file="/etc/hostid" # File with hostuuid.
1997-04-28 10:14:45 +00:00
nisdomainname="NO" # Set to NIS domain if using NIS (or NO).
dhclient_program="/sbin/dhclient" # Path to dhcp client program.
dhclient_flags="" # Extra flags to pass to dhcp client.
#dhclient_flags_fxp0="" # Extra dhclient flags for fxp0 only
background_dhclient="NO" # Start dhcp client in the background.
#background_dhclient_fxp0="YES" # Start dhcp client on fxp0 in the background.
synchronous_dhclient="NO" # Start dhclient directly on configured
# interfaces during startup.
defaultroute_delay="30" # Time to wait for a default route on a DHCP interface.
defaultroute_carrier_delay="5" # Time to wait for carrier while waiting for a default route.
netif_enable="YES" # Set to YES to initialize network interfaces
netif_ipexpand_max="2048" # Maximum number of IP addrs in a range spec.
wpa_supplicant_program="/usr/sbin/wpa_supplicant"
wpa_supplicant_flags="-s" # Extra flags to pass to wpa_supplicant
wpa_supplicant_conf_file="/etc/wpa_supplicant.conf"
#
firewall_enable="NO" # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="NO" # Set to YES to enable events logging
firewall_logif="NO" # Set to YES to create logging-pseudo interface
firewall_flags="" # Flags passed to ipfw when type is a file
firewall_coscripts="" # List of executables/scripts to run after
# firewall starts/stops
firewall_client_net="192.0.2.0/24" # IPv4 Network address for "client"
# firewall.
#firewall_client_net_ipv6="2001:db8:2:1::/64" # IPv6 network prefix for
# "client" firewall.
firewall_simple_iif="ed1" # Inside network interface for "simple"
# firewall.
firewall_simple_inet="192.0.2.16/28" # Inside network address for "simple"
# firewall.
firewall_simple_oif="ed0" # Outside network interface for "simple"
# firewall.
firewall_simple_onet="192.0.2.0/28" # Outside network address for "simple"
# firewall.
#firewall_simple_iif_ipv6="ed1" # Inside IPv6 network interface for "simple"
# firewall.
#firewall_simple_inet_ipv6="2001:db8:2:800::/56" # Inside IPv6 network prefix
# for "simple" firewall.
#firewall_simple_oif_ipv6="ed0" # Outside IPv6 network interface for "simple"
# firewall.
#firewall_simple_onet_ipv6="2001:db8:2:0::/56" # Outside IPv6 network prefix
# for "simple" firewall.
firewall_myservices="" # List of TCP ports on which this host
# offers services for "workstation" firewall.
firewall_allowservices="" # List of IPs which have access to
# $firewall_myservices for "workstation"
# firewall.
firewall_trusted="" # List of IPs which have full access to this
# host for "workstation" firewall.
firewall_logdeny="NO" # Set to YES to log default denied incoming
# packets for "workstation" firewall.
firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
# for which denied incoming packets are not
# logged for "workstation" firewall.
firewall_nat_enable="NO" # Enable kernel NAT (if firewall_enable == YES)
firewall_nat_interface="" # Public interface or IPaddress to use
firewall_nat_flags="" # Additional configuration parameters
dummynet_enable="NO" # Load the dummynet(4) module
ip_portrange_first="NO" # Set first dynamically allocated port
ip_portrange_last="NO" # Set last dynamically allocated port
ike_enable="NO" # Enable IKE daemon (usually racoon or isakmpd)
ike_program="/usr/local/sbin/isakmpd" # Path to IKE daemon
ike_flags="" # Additional flags for IKE daemon
ipsec_enable="NO" # Set to YES to run setkey on ipsec_file
ipsec_file="/etc/ipsec.conf" # Name of config file for setkey
1999-03-24 10:27:46 +00:00
natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="NO" # Enable natd (if firewall_enable == YES).
natd_interface="" # Public interface or IPaddress to use.
natd_flags="" # Additional flags for natd.
ipfilter_enable="NO" # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf" # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
# /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags="" # additional flags for ipfilter
ipnat_enable="NO" # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat" # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
ipnat_flags="" # additional flags for ipnat
ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
ipfs_enable="NO" # Set to YES to enable saving and restoring
# of state tables at shutdown and boot
ipfs_program="/sbin/ipfs" # where the ipfs program lives
ipfs_flags="" # additional flags for ipfs
pf_enable="NO" # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_program="/sbin/pfctl" # where the pfctl program lives
pf_flags="" # additional flags for pfctl
pflog_enable="NO" # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_program="/sbin/pflogd" # where the pflogd program lives
pflog_flags="" # additional flags for pflogd
ftpproxy_enable="NO" # Set to YES to enable ftp-proxy(8) for pf
ftpproxy_flags="" # additional flags for ftp-proxy(8)
pfsync_enable="NO" # Expose pf state to other hosts for syncing
pfsync_syncdev="" # Interface for pfsync to work through
pfsync_syncpeer="" # IP address of pfsync peer host
pfsync_ifconfig="" # Additional options to ifconfig(8) for pfsync
2001-05-25 01:46:39 +00:00
tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
log_in_vain="0" # >=1 to log connects to ports w/o listeners.
1999-08-14 03:42:27 +00:00
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
2000-05-18 19:02:47 +00:00
# NOTE: this violates the TCP specification
icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets
icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
network_interfaces="auto" # List of network interfaces (or "auto").
cloned_interfaces="" # List of cloned network interfaces to create.
#cloned_interfaces="gif0 gif1 gif2 gif3" # Pre-cloning GENERIC config.
#ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
#ifconfig_ed0_ipv6="inet6 2001:db8:1::1 prefixlen 64" # Sample IPv6 addr entry
#ifconfig_ed0_alias0="inet6 2001:db8:2::1 prefixlen 64" # Sample IPv6 alias
#ifconfig_fxp0_name="net0" # Change interface name from fxp0 to net0.
#vlans_fxp0="101 vlan0" # vlan(4) interfaces for fxp0 device
#create_args_vlan0="vlan 102" # vlan tag for vlan0 device
#wlans_ath0="wlan0" # wlan(4) interfaces for ath0 device
#wlandebug_wlan0="scan+auth+assoc" # Set debug flags with wlandebug(8)
#ipv4_addrs_fxp0="192.168.0.1/24 192.168.1.1-5/28" # example IPv4 address entry.
#
#autobridge_interfaces="bridge0" # List of bridges to check
#autobridge_bridge0="tap* vlan0" # Interface glob to automatically add to the bridge
#
# If you have any sppp(4) interfaces above, you might also want to set
# the following parameters. Refer to spppcontrol(8) for their meaning.
sppp_interfaces="" # List of sppp interfaces.
#sppp_interfaces="...0" # example: sppp over ...
#spppconfig_...0="authproto=chap myauthname=foo myauthsecret='top secret' hisauthname=some-gw hisauthsecret='another secret'"
# User ppp configuration.
ppp_enable="NO" # Start user-ppp (or NO).
ppp_program="/usr/sbin/ppp" # Path to user-ppp program.
ppp_mode="auto" # Choice of "auto", "ddial", "direct" or "dedicated".
# For details see man page for ppp(8). Default is auto.
ppp_nat="YES" # Use PPP's internal network address translation or NO.
ppp_profile="papchap" # Which profile to use from /etc/ppp/ppp.conf.
ppp_user="root" # Which user to run ppp as
# Start multiple instances of ppp at boot time
#ppp_profile="profile1 profile2 profile3" # Which profiles to use
#ppp_profile1_mode="ddial" # Override ppp mode for profile1
#ppp_profile2_nat="NO" # Override nat mode for profile2
# profile3 uses default ppp_mode and ppp_nat
Bring in a hybrid of SunSoft's transport-independent RPC (TI-RPC) and associated changes that had to happen to make this possible as well as bugs fixed along the way. Bring in required TLI library routines to support this. Since we don't support TLI we've essentially copied what NetBSD has done, adding a thin layer to emulate direct the TLI calls into BSD socket calls. This is mostly from Sun's tirpc release that was made in 1994, however some fixes were backported from the 1999 release (supposedly only made available after this porting effort was underway). The submitter has agreed to continue on and bring us up to the 1999 release. Several key features are introduced with this update: Client calls are thread safe. (1999 code has server side thread safe) Updated, a more modern interface. Many userland updates were done to bring the code up to par with the recent RPC API. There is an update to the pthreads library, a function pthread_main_np() was added to emulate a function of Sun's threads library. While we're at it, bring in NetBSD's lockd, it's been far too long of a wait. New rpcbind(8) replaces portmap(8) (supporting communication over an authenticated Unix-domain socket, and by default only allowing set and unset requests over that channel). It's much more secure than the old portmapper. Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded to support TI-RPC and to support IPV6. Umount(8) is also fixed to unmount pathnames longer than 80 chars, which are currently truncated by the Kernel statfs structure. Submitted by: Martin Blapp <mb@imp.ch> Manpage review: ru Secure RPC implemented by: wpaul
2001-03-19 12:50:13 +00:00
### Network daemon (miscellaneous) ###
hostapd_enable="NO" # Run hostap daemon.
1997-04-28 10:14:45 +00:00
syslogd_enable="YES" # Run syslog daemon (or NO).
syslogd_program="/usr/sbin/syslogd" # path to syslogd, if you want a different one.
syslogd_flags="-s" # Flags to syslogd (if enabled).
syslogd_oomprotect="YES" # Don't kill syslogd when swap space is exhausted.
altlog_proglist="" # List of chrooted applicatioins in /var
inetd_enable="NO" # Run the network daemon dispatcher (YES/NO).
inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different one.
inetd_flags="-wW -C 60" # Optional flags to inetd
iscsid_enable="NO" # iSCSI initiator daemon.
iscsictl_enable="NO" # iSCSI initiator autostart.
iscsictl_flags="-Aa" # Optional flags to iscsictl.
hastd_enable="NO" # Run the HAST daemon (YES/NO).
hastd_program="/sbin/hastd" # path to hastd, if you want a different one.
hastd_flags="" # Optional flags to hastd.
ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
local_unbound_enable="NO" # local caching resolver
blacklistd_enable="NO" # Run blacklistd daemon (YES/NO).
blacklistd_flags="" # Optional flags for blacklistd(8).
#
# kerberos. Do not run the admin daemons on slave servers
#
kdc_enable="NO" # Run a kerberos 5 KDC (or NO).
kdc_program="/usr/libexec/kdc" # path to kerberos 5 KDC
kdc_flags="" # Additional flags to the kerberos 5 KDC
kadmind_enable="NO" # Run kadmind (or NO)
kadmind_program="/usr/libexec/kadmind" # path to kadmind
kpasswdd_enable="NO" # Run kpasswdd (or NO)
kpasswdd_program="/usr/libexec/kpasswdd" # path to kpasswdd
kfd_enable="NO" # Run kfd (or NO)
kfd_program="/usr/libexec/kfd" # path to kerberos 5 kfd daemon
kfd_flags=""
ipropd_master_enable="NO" # Run Heimdal incremental propagation daemon
# (master daemon).
ipropd_master_program="/usr/libexec/ipropd-master"
ipropd_master_flags="" # Flags to ipropd-master.
ipropd_master_keytab="/etc/krb5.keytab" # keytab for ipropd-master.
ipropd_master_slaves="" # slave node names used for /var/heimdal/slaves.
ipropd_slave_enable="NO" # Run Heimdal incremental propagation daemon
# (slave daemon).
ipropd_slave_program="/usr/libexec/ipropd-slave"
ipropd_slave_flags="" # Flags to ipropd-slave.
ipropd_slave_keytab="/etc/krb5.keytab" # keytab for ipropd-slave.
ipropd_slave_master="" # master node name.
gssd_enable="NO" # Run the gssd daemon (or NO).
gssd_program="/usr/sbin/gssd" # Path to gssd.
gssd_flags="" # Flags for gssd.
1997-04-28 10:14:45 +00:00
rwhod_enable="NO" # Run the rwho daemon (or NO).
rwhod_flags="" # Flags for rwhod
Bring in a hybrid of SunSoft's transport-independent RPC (TI-RPC) and associated changes that had to happen to make this possible as well as bugs fixed along the way. Bring in required TLI library routines to support this. Since we don't support TLI we've essentially copied what NetBSD has done, adding a thin layer to emulate direct the TLI calls into BSD socket calls. This is mostly from Sun's tirpc release that was made in 1994, however some fixes were backported from the 1999 release (supposedly only made available after this porting effort was underway). The submitter has agreed to continue on and bring us up to the 1999 release. Several key features are introduced with this update: Client calls are thread safe. (1999 code has server side thread safe) Updated, a more modern interface. Many userland updates were done to bring the code up to par with the recent RPC API. There is an update to the pthreads library, a function pthread_main_np() was added to emulate a function of Sun's threads library. While we're at it, bring in NetBSD's lockd, it's been far too long of a wait. New rpcbind(8) replaces portmap(8) (supporting communication over an authenticated Unix-domain socket, and by default only allowing set and unset requests over that channel). It's much more secure than the old portmapper. Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded to support TI-RPC and to support IPV6. Umount(8) is also fixed to unmount pathnames longer than 80 chars, which are currently truncated by the Kernel statfs structure. Submitted by: Martin Blapp <mb@imp.ch> Manpage review: ru Secure RPC implemented by: wpaul
2001-03-19 12:50:13 +00:00
rarpd_enable="NO" # Run rarpd (or NO).
rarpd_flags="-a" # Flags to rarpd.
bootparamd_enable="NO" # Run bootparamd (or NO).
bootparamd_flags="" # Flags to bootparamd
Bring in a hybrid of SunSoft's transport-independent RPC (TI-RPC) and associated changes that had to happen to make this possible as well as bugs fixed along the way. Bring in required TLI library routines to support this. Since we don't support TLI we've essentially copied what NetBSD has done, adding a thin layer to emulate direct the TLI calls into BSD socket calls. This is mostly from Sun's tirpc release that was made in 1994, however some fixes were backported from the 1999 release (supposedly only made available after this porting effort was underway). The submitter has agreed to continue on and bring us up to the 1999 release. Several key features are introduced with this update: Client calls are thread safe. (1999 code has server side thread safe) Updated, a more modern interface. Many userland updates were done to bring the code up to par with the recent RPC API. There is an update to the pthreads library, a function pthread_main_np() was added to emulate a function of Sun's threads library. While we're at it, bring in NetBSD's lockd, it's been far too long of a wait. New rpcbind(8) replaces portmap(8) (supporting communication over an authenticated Unix-domain socket, and by default only allowing set and unset requests over that channel). It's much more secure than the old portmapper. Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded to support TI-RPC and to support IPV6. Umount(8) is also fixed to unmount pathnames longer than 80 chars, which are currently truncated by the Kernel statfs structure. Submitted by: Martin Blapp <mb@imp.ch> Manpage review: ru Secure RPC implemented by: wpaul
2001-03-19 12:50:13 +00:00
pppoed_enable="NO" # Run the PPP over Ethernet daemon.
pppoed_provider="*" # Provider and ppp(8) config file entry.
pppoed_flags="-P /var/run/pppoed.pid" # Flags to pppoed (if enabled).
pppoed_interface="fxp0" # The interface that pppoed runs on.
sshd_enable="NO" # Enable sshd
Bring in a hybrid of SunSoft's transport-independent RPC (TI-RPC) and associated changes that had to happen to make this possible as well as bugs fixed along the way. Bring in required TLI library routines to support this. Since we don't support TLI we've essentially copied what NetBSD has done, adding a thin layer to emulate direct the TLI calls into BSD socket calls. This is mostly from Sun's tirpc release that was made in 1994, however some fixes were backported from the 1999 release (supposedly only made available after this porting effort was underway). The submitter has agreed to continue on and bring us up to the 1999 release. Several key features are introduced with this update: Client calls are thread safe. (1999 code has server side thread safe) Updated, a more modern interface. Many userland updates were done to bring the code up to par with the recent RPC API. There is an update to the pthreads library, a function pthread_main_np() was added to emulate a function of Sun's threads library. While we're at it, bring in NetBSD's lockd, it's been far too long of a wait. New rpcbind(8) replaces portmap(8) (supporting communication over an authenticated Unix-domain socket, and by default only allowing set and unset requests over that channel). It's much more secure than the old portmapper. Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded to support TI-RPC and to support IPV6. Umount(8) is also fixed to unmount pathnames longer than 80 chars, which are currently truncated by the Kernel statfs structure. Submitted by: Martin Blapp <mb@imp.ch> Manpage review: ru Secure RPC implemented by: wpaul
2001-03-19 12:50:13 +00:00
sshd_program="/usr/sbin/sshd" # path to sshd, if you want a different one.
sshd_flags="" # Additional flags for sshd.
ftpd_enable="NO" # Enable stand-alone ftpd.
ftpd_program="/usr/libexec/ftpd" # Path to ftpd, if you want a different one.
ftpd_flags="" # Additional flags to stand-alone ftpd.
Bring in a hybrid of SunSoft's transport-independent RPC (TI-RPC) and associated changes that had to happen to make this possible as well as bugs fixed along the way. Bring in required TLI library routines to support this. Since we don't support TLI we've essentially copied what NetBSD has done, adding a thin layer to emulate direct the TLI calls into BSD socket calls. This is mostly from Sun's tirpc release that was made in 1994, however some fixes were backported from the 1999 release (supposedly only made available after this porting effort was underway). The submitter has agreed to continue on and bring us up to the 1999 release. Several key features are introduced with this update: Client calls are thread safe. (1999 code has server side thread safe) Updated, a more modern interface. Many userland updates were done to bring the code up to par with the recent RPC API. There is an update to the pthreads library, a function pthread_main_np() was added to emulate a function of Sun's threads library. While we're at it, bring in NetBSD's lockd, it's been far too long of a wait. New rpcbind(8) replaces portmap(8) (supporting communication over an authenticated Unix-domain socket, and by default only allowing set and unset requests over that channel). It's much more secure than the old portmapper. Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded to support TI-RPC and to support IPV6. Umount(8) is also fixed to unmount pathnames longer than 80 chars, which are currently truncated by the Kernel statfs structure. Submitted by: Martin Blapp <mb@imp.ch> Manpage review: ru Secure RPC implemented by: wpaul
2001-03-19 12:50:13 +00:00
### Network daemon (NFS): All need rpcbind_enable="YES" ###
1997-04-28 10:14:45 +00:00
amd_enable="NO" # Run amd service with $amd_flags (or NO).
amd_program="/usr/sbin/amd" # path to amd, if you want a different one.
amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map"
amd_map_program="NO" # Can be set to "ypcat -k amd.master"
autofs_enable="NO" # Run autofs daemons.
automount_flags="" # Flags to automount(8) (if autofs enabled).
automountd_flags="" # Flags to automountd(8) (if autofs enabled).
autounmountd_flags="" # Flags to autounmountd(8) (if autofs enabled).
1997-04-28 10:14:45 +00:00
nfs_client_enable="NO" # This host is an NFS client (or NO).
nfs_access_cache="60" # Client cache timeout in seconds
1997-04-28 10:14:45 +00:00
nfs_server_enable="NO" # This host is an NFS server (or NO).
nfs_server_flags="-u -t" # Flags to nfsd (if enabled).
nfs_server_managegids="NO" # The NFS server maps gids for AUTH_SYS (or NO).
mountd_enable="NO" # Run mountd (or NO).
mountd_flags="-r -S" # Flags to mountd (if NFS server enabled).
weak_mountd_authentication="NO" # Allow non-root mount requests to be served.
1997-04-28 10:14:45 +00:00
nfs_reserved_port_only="NO" # Provide NFS only on secure port (or NO).
nfs_bufpackets="" # bufspace (in packets) for client
rpc_lockd_enable="NO" # Run NFS rpc.lockd needed for client/server.
rpc_lockd_flags="" # Flags to rpc.lockd (if enabled).
rpc_statd_enable="NO" # Run NFS rpc.statd needed for client/server.
rpc_statd_flags="" # Flags to rpc.statd (if enabled).
rpcbind_enable="NO" # Run the portmapper service (YES/NO).
rpcbind_program="/usr/sbin/rpcbind" # path to rpcbind, if you want a different one.
rpcbind_flags="" # Flags to rpcbind (if enabled).
rpc_ypupdated_enable="NO" # Run if NIS master and SecureRPC (or NO).
keyserv_enable="NO" # Run the SecureRPC keyserver (or NO).
keyserv_flags="" # Flags to keyserv (if enabled).
nfsv4_server_enable="NO" # Enable support for NFSv4
nfscbd_enable="NO" # NFSv4 client side callback daemon
nfscbd_flags="" # Flags for nfscbd
nfsuserd_enable="NO" # NFSv4 user/group name mapping daemon
nfsuserd_flags="" # Flags for nfsuserd
### Network Time Services options: ###
timed_enable="NO" # Run the time daemon (or NO).
timed_flags="" # Flags to timed (if enabled).
ntpdate_enable="NO" # Run ntpdate to sync time on boot (or NO).
ntpdate_program="/usr/sbin/ntpdate" # path to ntpdate, if you want a different one.
ntpdate_flags="-b" # Flags to ntpdate (if enabled).
ntpdate_config="/etc/ntp.conf" # ntpdate(8) configuration file
ntpdate_hosts="" # Whitespace-separated list of ntpdate(8) servers.
ntpd_enable="NO" # Run ntpd Network Time Protocol (or NO).
ntpd_program="/usr/sbin/ntpd" # path to ntpd, if you want a different one.
ntpd_config="/etc/ntp.conf" # ntpd(8) configuration file
ntpd_sync_on_start="NO" # Sync time on ntpd startup, even if offset is high
ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntpd.drift"
# Flags to ntpd (if enabled).
ntp_src_leapfile="/etc/ntp/leap-seconds"
# Initial source for ntpd leapfile
ntp_db_leapfile="/var/db/ntpd.leap-seconds.list"
# Working copy (updated weekly) leapfile
ntp_leapfile_sources="https://www.ietf.org/timezones/data/leap-seconds.list"
# Source from which to fetch leapfile
ntp_leapfile_fetch_opts="-mq" # Options to use for ntp leapfile fetch,
# e.g. --no-verify-peer
ntp_leapfile_expiry_days=30 # Check for new leapfile 30 days prior to
# expiry.
ntp_leapfile_fetch_verbose="NO" # Be verbose during NTP leapfile fetch
# Network Information Services (NIS) options: All need rpcbind_enable="YES" ###
1997-06-24 22:36:42 +00:00
nis_client_enable="NO" # We're an NIS client (or NO).
nis_client_flags="" # Flags to ypbind (if enabled).
1997-04-28 10:14:45 +00:00
nis_ypset_enable="NO" # Run ypset at boot time (or NO).
nis_ypset_flags="" # Flags to ypset (if enabled).
1997-06-24 22:36:42 +00:00
nis_server_enable="NO" # We're an NIS server (or NO).
nis_server_flags="" # Flags to ypserv (if enabled).
1997-04-28 10:14:45 +00:00
nis_ypxfrd_enable="NO" # Run rpc.ypxfrd at boot time (or NO).
nis_ypxfrd_flags="" # Flags to rpc.ypxfrd (if enabled).
nis_yppasswdd_enable="NO" # Run rpc.yppasswdd at boot time (or NO).
nis_yppasswdd_flags="" # Flags to rpc.yppasswdd (if enabled).
2016-06-06 03:55:00 +00:00
nis_ypldap_enable="NO" # Run ypldap at boot time (or NO).
nis_ypldap_flags="" # Flags to ypldap (if enabled).
### SNMP daemon ###
# Be sure to understand the security implications of running SNMP v1/v2
# in your network.
bsnmpd_enable="NO" # Run the SNMP daemon (or NO).
bsnmpd_flags="" # Flags for bsnmpd.
### Network routing options: ###
1997-04-28 10:14:45 +00:00
defaultrouter="NO" # Set to default gateway (or NO).
static_arp_pairs="" # Set to static ARP list (or leave empty).
static_ndp_pairs="" # Set to static NDP list (or leave empty).
static_routes="" # Set to static route list (or leave empty).
natm_static_routes="" # Set to static route list for NATM (or leave empty).
1997-04-28 10:14:45 +00:00
gateway_enable="NO" # Set to YES if this host will be a gateway.
routed_enable="NO" # Set to YES to enable a routing daemon.
routed_program="/sbin/routed" # Name of routing daemon to use if enabled.
routed_flags="-q" # Flags for routing daemon.
arpproxy_all="NO" # replaces obsolete kernel option ARP_PROXYALL.
forward_sourceroute="NO" # do source routing (only if gateway_enable is set to "YES")
accept_sourceroute="NO" # accept source routed packets to us
### ATM interface options: ###
atm_enable="NO" # Configure ATM interfaces (or NO).
#atm_netif_hea0="atm 1" # Network interfaces for physical interface.
#atm_sigmgr_hea0="uni31" # Signalling manager for physical interface.
#atm_prefix_hea0="ILMI" # NSAP prefix (UNI interfaces only) (or ILMI).
#atm_macaddr_hea0="NO" # Override physical MAC address (or NO).
#atm_arpserver_atm0="0x47.0005.80.999999.9999.9999.9999.999999999999.00" # ATMARP server address (or local).
#atm_scsparp_atm0="NO" # Run SCSP/ATMARP on network interface (or NO).
atm_pvcs="" # Set to PVC list (or leave empty).
atm_arps="" # Set to permanent ARP list (or leave empty).
### Bluetooth ###
hcsecd_enable="NO" # Enable hcsecd(8) (or NO)
hcsecd_config="/etc/bluetooth/hcsecd.conf" # hcsecd(8) configuration file
sdpd_enable="NO" # Enable sdpd(8) (or NO)
sdpd_control="/var/run/sdp" # sdpd(8) control socket
sdpd_groupname="nobody" # set spdp(8) user/group to run as after
sdpd_username="nobody" # it initializes
bthidd_enable="NO" # Enable bthidd(8) (or NO)
bthidd_config="/etc/bluetooth/bthidd.conf" # bthidd(8) configuration file
bthidd_hids="/var/db/bthidd.hids" # bthidd(8) known HID devices file
rfcomm_pppd_server_enable="NO" # Enable rfcomm_pppd(8) in server mode (or NO)
rfcomm_pppd_server_profile="one two" # Profile to use from /etc/ppp/ppp.conf
#
#rfcomm_pppd_server_one_bdaddr="" # Override local bdaddr for 'one'
rfcomm_pppd_server_one_channel="1" # Override local channel for 'one'
#rfcomm_pppd_server_one_register_sp="NO" # Override SP and DUN register
#rfcomm_pppd_server_one_register_dun="NO" # for 'one'
#
#rfcomm_pppd_server_two_bdaddr="" # Override local bdaddr for 'two'
rfcomm_pppd_server_two_channel="3" # Override local channel for 'two'
#rfcomm_pppd_server_two_register_sp="NO" # Override SP and DUN register
#rfcomm_pppd_server_two_register_dun="NO" # for 'two'
ubthidhci_enable="NO" # Switch an USB BT controller present on
#ubthidhci_busnum="3" # bus 3 and addr 2 from HID mode to HCI mode.
#ubthidhci_addr="2" # Check usbconfig list to find the correct
# numbers for your system.
### Network link/usability verification options
netwait_enable="NO" # Enable rc.d/netwait (or NO)
Enhance rc.d/netwait script to wait for late-attaching interfaces such as USB NICs. USB network hardware may not be enumerated and available when the rc.d networking scripts run. Eventually the USB attachment completes and devd events cause the network initialization to happen, but by then other rc.d scripts have already failed, because services which depend on NETWORKING (such as mountcritremote) may end up running before the network is actually ready. There is an existing netwait script, but because it is dependent on NETWORKING it runs too late to prevent failure of some other rc scripts. This change flips the order so that NETWORKING depends on netwait, and netwait now depends on devd and routing (the former is needed to make interfaces appear, and the latter is needed to run the ping tests in netwait). The netwait script used to be oriented primarily towards "as soon as any host is reachable the network is fully functional", so you gave it a list of IPs to try and you could optionally name an interface and it would wait for carrier on that interface. That functionality still works the same, but now you can provide a list of interfaces to wait for and it waits until each one of them is available. The ping logic still completes as soon as the first IP on the list responds. These changes were submitted by Brenden Molloy <brendan+freebsd@bbqsrc.net> in PR 205186, and lightly modified by me to allow a list of interfaces instead of just one. PR: 205186 Differential Revision: https://reviews.freebsd.org/D4608 (timeout w/o review)
2015-12-26 18:21:32 +00:00
#netwait_ip="" # Wait for ping response from any IP in this list.
netwait_timeout="60" # Total number of seconds to perform pings.
Enhance rc.d/netwait script to wait for late-attaching interfaces such as USB NICs. USB network hardware may not be enumerated and available when the rc.d networking scripts run. Eventually the USB attachment completes and devd events cause the network initialization to happen, but by then other rc.d scripts have already failed, because services which depend on NETWORKING (such as mountcritremote) may end up running before the network is actually ready. There is an existing netwait script, but because it is dependent on NETWORKING it runs too late to prevent failure of some other rc scripts. This change flips the order so that NETWORKING depends on netwait, and netwait now depends on devd and routing (the former is needed to make interfaces appear, and the latter is needed to run the ping tests in netwait). The netwait script used to be oriented primarily towards "as soon as any host is reachable the network is fully functional", so you gave it a list of IPs to try and you could optionally name an interface and it would wait for carrier on that interface. That functionality still works the same, but now you can provide a list of interfaces to wait for and it waits until each one of them is available. The ping logic still completes as soon as the first IP on the list responds. These changes were submitted by Brenden Molloy <brendan+freebsd@bbqsrc.net> in PR 205186, and lightly modified by me to allow a list of interfaces instead of just one. PR: 205186 Differential Revision: https://reviews.freebsd.org/D4608 (timeout w/o review)
2015-12-26 18:21:32 +00:00
#netwait_if="" # Wait for active link on each intf in this list.
netwait_if_timeout="30" # Total number of seconds to monitor link state.
### Miscellaneous network options: ###
icmp_bmcastecho="NO" # respond to broadcast ping packets
### IPv6 options: ###
ipv6_network_interfaces="auto" # List of IPv6 network interfaces
# (or "auto" or "none").
ipv6_activate_all_interfaces="NO" # If NO, interfaces which have no
# corresponding $ifconfig_IF_ipv6 is
# marked as IFDISABLED for security
# reason.
ipv6_defaultrouter="NO" # Set to IPv6 default gateway (or NO).
#ipv6_defaultrouter="2002:c058:6301::" # Use this for 6to4 (RFC 3068)
ipv6_static_routes="" # Set to static route list (or leave empty).
#ipv6_static_routes="xxx" # An example to set fec0:0000:0000:0006::/64
# route toward loopback interface.
#ipv6_route_xxx="fec0:0000:0000:0006:: -prefixlen 64 ::1"
ipv6_gateway_enable="NO" # Set to YES if this host will be a gateway.
ipv6_cpe_wanif="NO" # Set to the upstream interface name if this
# node will work as a router to forward IPv6
# packets not explicitly addressed to itself.
ipv6_privacy="NO" # Use privacy address on RA-receiving IFs
# (RFC 4941)
route6d_enable="NO" # Set to YES to enable an IPv6 routing daemon.
route6d_program="/usr/sbin/route6d" # Name of IPv6 routing daemon.
route6d_flags="" # Flags to IPv6 routing daemon.
#route6d_flags="-l" # Example for route6d with only IPv6 site local
# addrs.
#route6d_flags="-q" # If you want to run a routing daemon on an end
# node, you should stop advertisement.
#ipv6_network_interfaces="ed0 ep0" # Examples for router
# or static configuration for end node.
# Choose correct prefix value.
#ipv6_prefix_ed0="fec0:0000:0000:0001 fec0:0000:0000:0002" # Examples for rtr.
#ipv6_prefix_ep0="fec0:0000:0000:0003 fec0:0000:0000:0004" # Examples for rtr.
ipv6_default_interface="NO" # Default output interface for scoped addrs.
# This works only with
# ipv6_gateway_enable="NO".
2003-08-08 17:43:58 +00:00
rtsol_flags="" # Flags to IPv6 router solicitation.
rtsold_enable="NO" # Set to YES to enable an IPv6 router
# solicitation daemon.
rtsold_flags="-a" # Flags to an IPv6 router solicitation
# daemon.
rtadvd_enable="NO" # Set to YES to enable an IPv6 router
# advertisement daemon. If set to YES,
# this router becomes a possible candidate
# IPv6 default router for local subnets.
rtadvd_interfaces="" # Interfaces rtadvd sends RA packets.
stf_interface_ipv4addr="" # Local IPv4 addr for 6to4 IPv6 over IPv4
# tunneling interface. Specify this entry
# to enable 6to4 interface.
stf_interface_ipv4plen="0" # Prefix length for 6to4 IPv4 addr,
# to limit peer addr range. Effective value
# is 0-31.
stf_interface_ipv6_ifid="0:0:0:1" # IPv6 interface id for stf0.
# If you like, you can set "AUTO" for this.
stf_interface_ipv6_slaid="0000" # IPv6 Site Level Aggregator for stf0
ipv6_ipv4mapping="NO" # Set to "YES" to enable IPv4 mapped IPv6 addr
# communication. (like ::ffff:a.b.c.d)
ipv6_ipfilter_rules="/etc/ipf6.rules" # rules definition file for ipfilter,
# see /usr/src/contrib/ipfilter/rules
# for examples
ip6addrctl_enable="YES" # Set to YES to enable default address selection
ip6addrctl_verbose="NO" # Set to YES to enable verbose configuration messages
ip6addrctl_policy="AUTO" # A pre-defined address selection policy
# (ipv4_prefer, ipv6_prefer, or AUTO)
##############################################################
### System console options #################################
##############################################################
keyboard="" # keyboard device to use (default /dev/kbd0).
keymap="NO" # keymap in /usr/share/{syscons,vt}/keymaps/* (or NO).
1997-04-28 10:14:45 +00:00
keyrate="NO" # keyboard rate to: slow, normal, fast (or NO).
keybell="NO" # See kbdcontrol(1) for options. Use "off" to disable.
1997-04-28 10:14:45 +00:00
keychange="NO" # function keys default values (or NO).
cursor="NO" # cursor type {normal|blink|destructive} (or NO).
scrnmap="NO" # screen map in /usr/share/syscons/scrnmaps/* (or NO).
font8x16="NO" # font 8x16 from /usr/share/{syscons,vt}/fonts/* (or NO).
font8x14="NO" # font 8x14 from /usr/share/{syscons,vt}/fonts/* (or NO).
font8x8="NO" # font 8x8 from /usr/share/{syscons,vt}/fonts/* (or NO).
blanktime="300" # blank time (in seconds) or "NO" to turn it off.
saver="NO" # screen saver: Uses /boot/kernel/${saver}_saver.ko
moused_nondefault_enable="YES" # Treat non-default mice as enabled unless
# specifically overriden in rc.conf(5).
moused_enable="NO" # Run the mouse daemon.
moused_type="auto" # See man page for rc.conf(5) for available settings.
moused_port="/dev/psm0" # Set to your mouse port.
moused_flags="" # Any additional flags to moused.
2002-11-15 08:26:36 +00:00
mousechar_start="NO" # if 0xd0-0xd3 default range is occupied in your
# language code table, specify alternative range
# start like mousechar_start=3, see vidcontrol(1)
allscreens_flags="" # Set this vidcontrol mode for all virtual screens
allscreens_kbdflags="" # Set this kbdcontrol mode for all virtual screens
##############################################################
### Mail Transfer Agent (MTA) options ######################
##############################################################
mta_start_script="/etc/rc.sendmail"
# Script to start your chosen MTA, called by /etc/rc.
# Settings for /etc/rc.sendmail and /etc/rc.d/sendmail:
sendmail_enable="NO" # Run the sendmail inbound daemon (YES/NO).
sendmail_pidfile="/var/run/sendmail.pid" # sendmail pid file
sendmail_procname="/usr/sbin/sendmail" # sendmail process name
sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
sendmail_cert_create="YES" # Create a server certificate if none (YES/NO)
#sendmail_cert_cn="CN" # CN of the generate certificate
sendmail_submit_enable="YES" # Start a localhost-only MTA for mail submission
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
# Flags for localhost-only MTA
sendmail_outbound_enable="YES" # Dequeue stuck mail (YES/NO).
sendmail_outbound_flags="-L sm-queue -q30m" # Flags to sendmail (outbound only)
sendmail_msp_queue_enable="YES" # Dequeue stuck clientmqueue mail (YES/NO).
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q30m"
# Flags for sendmail_msp_queue daemon.
sendmail_rebuild_aliases="NO" # Run newaliases if necessary (YES/NO).
##############################################################
### Miscellaneous administrative options ###################
##############################################################
auditd_enable="NO" # Run the audit daemon.
auditd_program="/usr/sbin/auditd" # Path to the audit daemon.
auditd_flags="" # Which options to pass to the audit daemon.
auditdistd_enable="NO" # Run the audit daemon.
auditdistd_program="/usr/sbin/auditdistd" # Path to the auditdistd daemon.
auditdistd_flags="" # Which options to pass to the auditdistd daemon.
cron_enable="YES" # Run the periodic job daemon.
cron_program="/usr/sbin/cron" # Which cron executable to run (if enabled).
cron_dst="YES" # Handle DST transitions intelligently (YES/NO)
cron_flags="" # Which options to pass to the cron daemon.
lpd_enable="NO" # Run the line printer daemon.
lpd_program="/usr/sbin/lpd" # path to lpd, if you want a different one.
lpd_flags="" # Flags to lpd (if enabled).
nscd_enable="NO" # Run the nsswitch caching daemon.
chkprintcap_enable="NO" # Run chkprintcap(8) before running lpd.
chkprintcap_flags="-d" # Create missing directories by default.
dumpdev="AUTO" # Device to crashdump to (device name, AUTO, or NO).
dumpdir="/var/crash" # Directory where crash dumps are to be stored
Add support for encrypted kernel crash dumps. Changes include modifications in kernel crash dump routines, dumpon(8) and savecore(8). A new tool called decryptcore(8) was added. A new DIOCSKERNELDUMP I/O control was added to send a kernel crash dump configuration in the diocskerneldump_arg structure to the kernel. The old DIOCSKERNELDUMP I/O control was renamed to DIOCSKERNELDUMP_FREEBSD11 for backward ABI compatibility. dumpon(8) generates an one-time random symmetric key and encrypts it using an RSA public key in capability mode. Currently only AES-256-CBC is supported but EKCD was designed to implement support for other algorithms in the future. The public key is chosen using the -k flag. The dumpon rc(8) script can do this automatically during startup using the dumppubkey rc.conf(5) variable. Once the keys are calculated dumpon sends them to the kernel via DIOCSKERNELDUMP I/O control. When the kernel receives the DIOCSKERNELDUMP I/O control it generates a random IV and sets up the key schedule for the specified algorithm. Each time the kernel tries to write a crash dump to the dump device, the IV is replaced by a SHA-256 hash of the previous value. This is intended to make a possible differential cryptanalysis harder since it is possible to write multiple crash dumps without reboot by repeating the following commands: # sysctl debug.kdb.enter=1 db> call doadump(0) db> continue # savecore A kernel dump key consists of an algorithm identifier, an IV and an encrypted symmetric key. The kernel dump key size is included in a kernel dump header. The size is an unsigned 32-bit integer and it is aligned to a block size. The header structure has 512 bytes to match the block size so it was required to make a panic string 4 bytes shorter to add a new field to the header structure. If the kernel dump key size in the header is nonzero it is assumed that the kernel dump key is placed after the first header on the dump device and the core dump is encrypted. Separate functions were implemented to write the kernel dump header and the kernel dump key as they need to be unencrypted. The dump_write function encrypts data if the kernel was compiled with the EKCD option. Encrypted kernel textdumps are not supported due to the way they are constructed which makes it impossible to use the CBC mode for encryption. It should be also noted that textdumps don't contain sensitive data by design as a user decides what information should be dumped. savecore(8) writes the kernel dump key to a key.# file if its size in the header is nonzero. # is the number of the current core dump. decryptcore(8) decrypts the core dump using a private RSA key and the kernel dump key. This is performed by a child process in capability mode. If the decryption was not successful the parent process removes a partially decrypted core dump. Description on how to encrypt crash dumps was added to the decryptcore(8), dumpon(8), rc.conf(5) and savecore(8) manual pages. EKCD was tested on amd64 using bhyve and i386, mipsel and sparc64 using QEMU. The feature still has to be tested on arm and arm64 as it wasn't possible to run FreeBSD due to the problems with QEMU emulation and lack of hardware. Designed by: def, pjd Reviewed by: cem, oshogbo, pjd Partial review: delphij, emaste, jhb, kib Approved by: pjd (mentor) Differential Revision: https://reviews.freebsd.org/D4712
2016-12-10 16:20:39 +00:00
dumppubkey="" # Public key for encrypted kernel crash dumps.
# See dumpon(8) for more details.
savecore_enable="YES" # Extract core from dump devices if any
savecore_flags="-m 10" # Used if dumpdev is enabled above, and present.
# By default, only the 10 most recent kernel dumps
# are saved.
crashinfo_enable="YES" # Automatically generate crash dump summary.
crashinfo_program="/usr/sbin/crashinfo" # Script to generate crash dump summary.
quota_enable="NO" # turn on quotas on startup (or NO).
check_quotas="YES" # Check quotas on startup (or NO).
quotaon_flags="-a" # Turn quotas on for all file systems (if enabled)
quotaoff_flags="-a" # Turn quotas off for all file systems at shutdown
quotacheck_flags="-a" # Check all file system quotas (if enabled)
accounting_enable="NO" # Turn on process accounting (or NO).
1997-04-28 10:14:45 +00:00
ibcs2_enable="NO" # Ibcs2 (SCO) emulation loaded at startup (or NO).
ibcs2_loaders="coff" # List of additional Ibcs2 loaders (or NO).
firstboot_sentinel="/firstboot" # Scripts with "firstboot" keyword are run if
# this file exists. Should be on a R/W filesystem so
# the file can be deleted after the boot completes.
# Emulation/compatibility services provided by /etc/rc.d/abi
sysvipc_enable="NO" # Load System V IPC primitives at startup (or NO).
1999-09-15 02:25:13 +00:00
linux_enable="NO" # Linux binary compatibility loaded at startup (or NO).
clear_tmp_enable="NO" # Clear /tmp at startup.
clear_tmp_X="YES" # Clear and recreate X11-related directories in /tmp
ldconfig_insecure="NO" # Set to YES to disable ldconfig security checks
ldconfig_paths="/usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg"
1999-01-10 22:06:22 +00:00
# shared library search paths
ldconfig32_paths="/usr/lib32 /usr/lib32/compat"
# 32-bit compatibility shared library search paths
ldconfigsoft_paths="/usr/libsoft /usr/libsoft/compat /usr/local/libsoft"
# soft float compatibility shared library search paths
# Note: temporarily with extra stuff for transition
ldconfig_paths_aout="/usr/lib/compat/aout /usr/local/lib/aout"
1999-01-10 22:06:22 +00:00
# a.out shared library search paths
ldconfig_local_dirs="/usr/local/libdata/ldconfig"
# Local directories with ldconfig configuration files.
ldconfig_local32_dirs="/usr/local/libdata/ldconfig32"
# Local directories with 32-bit compatibility ldconfig
# configuration files.
ldconfig_localsoft_dirs="/usr/local/libdata/ldconfigsoft"
# Local directories with soft float compatibility ldconfig
# configuration files.
kern_securelevel_enable="NO" # kernel security level (see security(7))
1998-12-16 17:14:16 +00:00
kern_securelevel="-1" # range: -1..3 ; `-1' is the most insecure
# Note that setting securelevel to 0 will result
# in the system booting with securelevel set to 1, as
# init(8) will raise the level when rc(8) completes.
update_motd="YES" # update version info in /etc/motd (or NO)
entropy_boot_file="/boot/entropy" # Set to NO to disable very early
# (used at early boot time) entropy caching through reboots.
entropy_file="/entropy" # Set to NO to disable late (used when going multi-user)
# entropy through reboots.
# /var/db/entropy-file is preferred if / is not avail.
entropy_dir="/var/db/entropy" # Set to NO to disable caching entropy via cron.
This is the much-discussed major upgrade to the random(4) device, known to you all as /dev/random. This code has had an extensive rewrite and a good series of reviews, both by the author and other parties. This means a lot of code has been simplified. Pluggable structures for high-rate entropy generators are available, and it is most definitely not the case that /dev/random can be driven by only a hardware souce any more. This has been designed out of the device. Hardware sources are stirred into the CSPRNG (Yarrow, Fortuna) like any other entropy source. Pluggable modules may be written by third parties for additional sources. The harvesting structures and consequently the locking have been simplified. Entropy harvesting is done in a more general way (the documentation for this will follow). There is some GREAT entropy to be had in the UMA allocator, but it is disabled for now as messing with that is likely to annoy many people. The venerable (but effective) Yarrow algorithm, which is no longer supported by its authors now has an alternative, Fortuna. For now, Yarrow is retained as the default algorithm, but this may be changed using a kernel option. It is intended to make Fortuna the default algorithm for 11.0. Interested parties are encouraged to read ISBN 978-0-470-47424-2 "Cryptography Engineering" By Ferguson, Schneier and Kohno for Fortuna's gory details. Heck, read it anyway. Many thanks to Arthur Mesh who did early grunt work, and who got caught in the crossfire rather more than he deserved to. My thanks also to folks who helped me thresh this out on whiteboards and in the odd "Hallway track", or otherwise. My Nomex pants are on. Let the feedback commence! Reviewed by: trasz,des(partial),imp(partial?),rwatson(partial?) Approved by: so(des)
2014-10-30 21:21:53 +00:00
entropy_save_sz="4096" # Size of the entropy cache files.
entropy_save_num="8" # Number of entropy cache files to save.
harvest_mask="511" # Entropy device harvests all but the very invasive sources.
# (See 'sysctl kern.random.harvest' and random(4))
dmesg_enable="YES" # Save dmesg(8) to /var/run/dmesg.boot
watchdogd_enable="NO" # Start the software watchdog daemon
watchdogd_flags="" # Flags to watchdogd (if enabled)
devfs_rulesets="/etc/defaults/devfs.rules /etc/devfs.rules" # Files containing
# devfs(8) rules.
devfs_system_ruleset="" # The name (NOT number) of a ruleset to apply to /dev
2004-04-10 22:13:27 +00:00
devfs_set_rulesets="" # A list of /mount/dev=ruleset_name settings to
# apply (must be mounted already, i.e. fstab(5))
devfs_load_rulesets="YES" # Enable to always load the default rulesets
performance_cx_lowest="NONE" # Online CPU idle state
2005-07-22 00:38:55 +00:00
performance_cpu_freq="NONE" # Online CPU frequency
economy_cx_lowest="Cmax" # Offline CPU idle state
2005-07-22 00:38:55 +00:00
economy_cpu_freq="NONE" # Offline CPU frequency
virecover_enable="YES" # Perform housekeeping for the vi(1) editor
2004-09-29 07:07:43 +00:00
ugidfw_enable="NO" # Load mac_bsdextended(4) rules on boot
bsdextended_script="/etc/rc.bsdextended" # Default mac_bsdextended(4)
# ruleset file.
newsyslog_enable="YES" # Run newsyslog at startup.
newsyslog_flags="-CN" # Newsyslog flags to create marked files
mixer_enable="YES" # Run the sound mixer.
opensm_enable="NO" # Opensm(8) for infiniband devices defaults to off
# rctl(8) requires kernel options RACCT and RCTL
rctl_enable="YES" # Load rctl(8) rules on boot
rctl_rules="/etc/rctl.conf" # rctl(8) ruleset. See rctl.conf(5).
iovctl_files="" # Config files for iovctl(8)
##############################################################
### Jail Configuration (see rc.conf(5) manual page) ##########
##############################################################
jail_enable="NO" # Set to NO to disable starting of any jails
jail_confwarn="YES" # Prevent warning about obsolete per-jail configuration
jail_parallel_start="NO" # Start jails in the background
jail_list="" # Space separated list of names of jails
jail_reverse_stop="NO" # Stop jails in reverse order
##############################################################
### Define source_rc_confs, the mechanism used by /etc/rc.* ##
### scripts to source rc_conf_files overrides safely. ##
##############################################################
if [ -z "${source_rc_confs_defined}" ]; then
source_rc_confs_defined=yes
2012-07-13 06:46:09 +00:00
source_rc_confs() {
local i sourced_files
for i in ${rc_conf_files}; do
case ${sourced_files} in
*:$i:*)
;;
*)
sourced_files="${sourced_files}:$i:"
if [ -r $i ]; then
. $i
fi
;;
esac
done
# Re-do process to pick up [possibly] redefined $rc_conf_files
for i in ${rc_conf_files}; do
case ${sourced_files} in
*:$i:*)
;;
*)
sourced_files="${sourced_files}:$i:"
if [ -r $i ]; then
. $i
fi
;;
esac
done
}
fi
# Allow vendors to override FreeBSD defaults in /etc/default/rc.conf
# without the need to carefully manage /etc/rc.conf.
if [ -r /etc/defaults/vendor.conf ]; then
. /etc/defaults/vendor.conf
fi