#!/bin/sh
# This is rc.conf - a file full of useful variables that you can set
# to change the default startup behavior of your system. You should
# not edit this file! Put any overrides into one of the ${rc_conf_files}
# instead and you will be able to update these defaults later without
# spamming your local configuration information.
#
# The ${rc_conf_files} files should only contain values which override
# values set in this file. This eases the upgrade path when defaults
# are changed and new features are added.
#
# All arguments must be in double or single quotes.
#
# For a more detailed explanation of all the rc.conf variables, please
# refer to the rc.conf(5) manual page.
#
# $FreeBSD$
##############################################################
### Important initial Boot-time options ####################
##############################################################
# rc_debug can't be set here without interfering with rc.subr's setting it
# when the kenv variable rc.debug is set.
#rc_debug="NO" # Set to YES to enable debugging output from rc.d
rc_info="NO" # Enables display of informational messages at boot.
rc_startmsgs="YES" # Show "Starting foo:" messages at boot
rcshutdown_timeout="90" # Seconds to wait before terminating rc.shutdown
early_late_divider="FILESYSTEMS" # Script that separates early/late
# stages of the boot process. Make sure you know
# the ramifications if you change this.
# See rc.conf(5) for more details.
always_force_depends="NO" # Set to check that indicated dependencies are
# running during boot (can increase boot time).
apm_enable="NO" # Set to YES to enable APM BIOS functions (or NO).
apmd_enable="NO" # Run apmd to handle APM event from userland.
apmd_flags="" # Flags to apmd (if enabled).
ddb_enable="NO" # Set to YES to load ddb scripts at boot.
ddb_config="/etc/ddb.conf" # ddb(8) config file.
devd_enable="YES" # Run devd, to trigger programs on device tree changes.
devd_flags="" # Additional flags for devd(8).
#kld_list="" # Kernel modules to load after local disks are mounted
kldxref_enable="NO" # Build linker.hints files with kldxref(8).
kldxref_clobber="NO" # Overwrite old linker.hints at boot.
kldxref_module_path="" # Override kern.module_path. A ';'-delimited list.
powerd_enable="NO" # Run powerd to lower our power usage.
powerd_flags="" # Flags to powerd (if enabled).
tmpmfs="AUTO" # Set to YES to always create an mfs /tmp, NO to never
tmpsize="20m" # Size of mfs /tmp if created
tmpmfs_flags="-S" # Extra mdmfs options for the mfs /tmp
varmfs="AUTO" # Set to YES to always create an mfs /var, NO to never
varsize="32m" # Size of mfs /var if created
varmfs_flags="-S" # Extra mount options for the mfs /var
populate_var="AUTO" # Set to YES to always (re)populate /var, NO to never
cleanvar_enable="YES" # Clean the /var directory
local_startup="/usr/local/etc/rc.d" # startup script dirs.
# Every script found in these directories is run by the rc system during
# boot. NOTE(review): keep the directories and the scripts root-owned and not
# group/world-writable — anything dropped here executes with the boot-time
# (root) privileges of rc(8); confirm details in rc(8)/rc.conf(5).
script_name_sep=" " # Change if your startup scripts' names contain spaces
rc_conf_files="/etc/rc.conf /etc/rc.conf.local"
# Files holding local overrides of the defaults in this file (see the
# header above). They are read as shell script, so anyone who can write
# them can run arbitrary commands at boot: they must be writable by root
# only. NOTE(review): presumably read in the order listed, so a later
# file's value wins — confirm in rc.subr(8).
# ZFS support
zfs_enable="NO" # Set to YES to automatically mount ZFS file systems
# ZFSD support
zfsd_enable="NO" # Set to YES to automatically start the ZFS fault
# management daemon.
gptboot_enable="YES" # GPT boot success/failure reporting.
# Experimental - test before enabling
gbde_autoattach_all="NO" # YES automatically mounts gbde devices from fstab
gbde_devices="NO" # Devices to automatically attach (list, or AUTO)
gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices
gbde_lockdir="/etc" # Where to look for gbde lockfiles
# GELI disk encryption configuration.
geli_devices="" # List of devices to automatically attach in addition to
# GELI devices listed in /etc/fstab.
geli_tries="" # Number of times to attempt attaching geli device.
# If empty, kern.geom.eli.tries will be used.
geli_default_flags="" # Default flags for geli(8).
geli_autodetach="YES" # Automatically detach on last close.
# Providers are marked as such when all file systems are
# mounted.
# Example use.
#geli_devices="da1 mirror/home"
#geli_da1_flags="-p -k /etc/geli/da1.keys" # -p: no passphrase, the key file alone unlocks da1 — keep that file readable by root only (see geli(8))
#geli_da1_autodetach="NO"
#geli_mirror_home_flags="-k /etc/geli/home.keys"
root_rw_mount="YES" # Set to NO to inhibit remounting root read-write.
root_hold_delay="30" # Time to wait for root mount hold release.
fsck_y_enable="NO" # Set to YES to do fsck -y if the initial preen fails.
fsck_y_flags="-T ffs:-R -T ufs:-R" # Additional flags for fsck -y
background_fsck="YES" # Attempt to run fsck in the background where possible.
background_fsck_delay="60" # Time to wait (seconds) before starting the fsck.
netfs_types="nfs:NFS smbfs:SMB" # Net filesystems.
extra_netfs_types="NO" # List of network extra filesystem types for delayed
# mount at startup (or NO).
##############################################################
### Network configuration sub-section ######################
##############################################################
### Basic network and firewall/security options: ###
hostname="" # Set this!
hostid_enable="YES" # Set host UUID.
hostid_file="/etc/hostid" # File with hostuuid.
nisdomainname="NO" # Set to NIS domain if using NIS (or NO).
dhclient_program="/sbin/dhclient" # Path to dhcp client program.
dhclient_flags="" # Extra flags to pass to dhcp client.
#dhclient_flags_fxp0="" # Extra dhclient flags for fxp0 only
background_dhclient="NO" # Start dhcp client in the background.
#background_dhclient_fxp0="YES" # Start dhcp client on fxp0 in the background.
synchronous_dhclient="NO" # Start dhclient directly on configured
# interfaces during startup.
defaultroute_delay="30" # Time to wait for a default route on a DHCP interface.
defaultroute_carrier_delay="5" # Time to wait for carrier while waiting for a default route.
netif_enable="YES" # Set to YES to initialize network interfaces
netif_ipexpand_max="2048" # Maximum number of IP addrs in a range spec.
wpa_supplicant_program="/usr/sbin/wpa_supplicant"
wpa_supplicant_flags="-s" # Extra flags to pass to wpa_supplicant
wpa_supplicant_conf_file="/etc/wpa_supplicant.conf"
# NOTE(review): this file normally carries network credentials (WPA PSKs,
# EAP passwords); it should be readable by root only.
#
firewall_enable="NO" # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
# NOTE(review): with the stock rc.firewall, "UNKNOWN" installs no rules at
# all, so once firewall_enable="YES" the traffic that passes is decided
# purely by the ipfw kernel default policy (deny-all unless the kernel or
# module was built to accept by default). Choose a real type or a rule file
# before enabling, and check the default policy on the target release.
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="NO" # Set to YES to enable events logging
firewall_logif="NO" # Set to YES to create logging-pseudo interface
firewall_flags="" # Flags passed to ipfw when type is a file
firewall_coscripts="" # List of executables/scripts to run after
# firewall starts/stops
firewall_client_net="192.0.2.0/24" # IPv4 Network address for "client"
# firewall.
#firewall_client_net_ipv6="2001:db8:2:1::/64" # IPv6 network prefix for
# "client" firewall.
firewall_simple_iif="ed1" # Inside network interface for "simple"
# firewall.
firewall_simple_inet="192.0.2.16/28" # Inside network address for "simple"
# firewall.
firewall_simple_oif="ed0" # Outside network interface for "simple"
# firewall.
firewall_simple_onet="192.0.2.0/28" # Outside network address for "simple"
# firewall.
#firewall_simple_iif_ipv6="ed1" # Inside IPv6 network interface for "simple"
# firewall.
#firewall_simple_inet_ipv6="2001:db8:2:800::/56" # Inside IPv6 network prefix
# for "simple" firewall.
#firewall_simple_oif_ipv6="ed0" # Outside IPv6 network interface for "simple"
# firewall.
#firewall_simple_onet_ipv6="2001:db8:2:0::/56" # Outside IPv6 network prefix
# for "simple" firewall.
firewall_myservices="" # List of TCP ports on which this host
# offers services for "workstation" firewall.
firewall_allowservices="" # List of IPs which have access to
# $firewall_myservices for "workstation"
# firewall.
firewall_trusted="" # List of IPs which have full access to this
# host for "workstation" firewall. Entries here bypass the rest of the
# ruleset entirely, so keep the list minimal and avoid broad prefixes.
firewall_logdeny="NO" # Set to YES to log default denied incoming
# packets for "workstation" firewall.
firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
# for which denied incoming packets are not
# logged for "workstation" firewall. Only the logging is suppressed (the
# defaults are the usual Windows/SMB/MS-SQL background noise); the packets
# are still denied.
firewall_nat_enable="NO" # Enable kernel NAT (if firewall_enable == YES)
firewall_nat_interface="" # Public interface or IPaddress to use
firewall_nat_flags="" # Additional configuration parameters
dummynet_enable="NO" # Load the dummynet(4) module
ipfw_netflow_enable="NO" # Enable netflow logging via ng_netflow
ip_portrange_first="NO" # Set first dynamically allocated port
ip_portrange_last="NO" # Set last dynamically allocated port
ike_enable="NO" # Enable IKE daemon (usually racoon or isakmpd)
ike_program="/usr/local/sbin/isakmpd" # Path to IKE daemon
# (not part of the base system — the /usr/local path assumes a ports/pkg
# install; point it at racoon or another IKE daemon as appropriate)
ike_flags="" # Additional flags for IKE daemon
ipsec_enable="NO" # Set to YES to run setkey on ipsec_file
ipsec_file="/etc/ipsec.conf" # Name of config file for setkey
natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="NO" # Enable natd (if firewall_enable == YES).
natd_interface="" # Public interface or IPaddress to use.
natd_flags="" # Additional flags for natd.
ipfilter_enable="NO" # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf" # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
# /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags="" # additional flags for ipfilter
ipnat_enable="NO" # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat" # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
ipnat_flags="" # additional flags for ipnat
ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
ipfs_enable="NO" # Set to YES to enable saving and restoring
# of state tables at shutdown and boot
ipfs_program="/sbin/ipfs" # where the ipfs program lives
ipfs_flags="" # additional flags for ipfs
pf_enable="NO" # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_program="/sbin/pfctl" # where the pfctl program lives
pf_flags="" # additional flags for pfctl
pflog_enable="NO" # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_program="/sbin/pflogd" # where the pflogd program lives
pflog_flags="" # additional flags for pflogd
ftpproxy_enable="NO" # Set to YES to enable ftp-proxy(8) for pf
ftpproxy_flags="" # additional flags for ftp-proxy(8)
pfsync_enable="NO" # Expose pf state to other hosts for syncing
pfsync_syncdev="" # Interface for pfsync to work through
pfsync_syncpeer="" # IP address of pfsync peer host
pfsync_ifconfig="" # Additional options to ifconfig(8) for pfsync
tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
log_in_vain="0" # >=1 to log connects to ports w/o listeners.
# Handy for spotting port scans, but on an exposed host the log volume can
# be large. NOTE(review): presumably feeds the net.inet.{tcp,udp}.log_in_vain
# sysctls — confirm in the network rc.d scripts for the release in use.
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
# NOTE: this violates the TCP specification
icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets
# NOTE(review): while redirects are honoured, any host on the local link can
# rewrite this host's route to a given destination. Hardened or multi-tenant
# hosts usually set YES here (and icmp_log_redirect="YES" to see attempts).
icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets
network_interfaces="auto" # List of network interfaces (or "auto").
cloned_interfaces="" # List of cloned network interfaces to create.
#cloned_interfaces="gif0 gif1 gif2 gif3" # Pre-cloning GENERIC config.
#ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
#ifconfig_ed0_ipv6="inet6 2001:db8:1::1 prefixlen 64" # Sample IPv6 addr entry
#ifconfig_ed0_alias0="inet6 2001:db8:2::1 prefixlen 64" # Sample IPv6 alias
#ifconfig_fxp0_name="net0" # Change interface name from fxp0 to net0.
#vlans_fxp0="101 vlan0" # vlan(4) interfaces for fxp0 device
#create_args_vlan0="vlan 102" # vlan tag for vlan0 device
#wlans_ath0="wlan0" # wlan(4) interfaces for ath0 device
#wlandebug_wlan0="scan+auth+assoc" # Set debug flags with wlandebug(8)
#ipv4_addrs_fxp0="192.168.0.1/24 192.168.1.1-5/28" # example IPv4 address entry.
#
#autobridge_interfaces="bridge0" # List of bridges to check
#autobridge_bridge0="tap* vlan0" # Interface glob to automatically add to the bridge
#
# If you have any sppp(4) interfaces above, you might also want to set
# the following parameters. Refer to spppcontrol(8) for their meaning.
sppp_interfaces="" # List of sppp interfaces.
#sppp_interfaces="...0" # example: sppp over ...
#spppconfig_...0="authproto=chap myauthname=foo myauthsecret='top secret' hisauthname=some-gw hisauthsecret='another secret'"
# NOTE: myauthsecret/hisauthsecret are stored in clear text in whichever
# rc.conf file holds this line; restrict that file's permissions accordingly.
# User ppp configuration.
ppp_enable="NO" # Start user-ppp (or NO).
ppp_program="/usr/sbin/ppp" # Path to user-ppp program.
ppp_mode="auto" # Choice of "auto", "ddial", "direct" or "dedicated".
# For details see man page for ppp(8). Default is auto.
ppp_nat="YES" # Use PPP's internal network address translation or NO.
ppp_profile="papchap" # Which profile to use from /etc/ppp/ppp.conf.
ppp_user="root" # Which user to run ppp as
# NOTE(review): the daemon runs with full root privilege by default. A
# dedicated unprivileged user is less exposure, but it must still be able to
# open the tun(4) devices and read /etc/ppp — check ppp(8) before changing.
# Start multiple instances of ppp at boot time
#ppp_profile="profile1 profile2 profile3" # Which profiles to use
#ppp_profile1_mode="ddial" # Override ppp mode for profile1
#ppp_profile2_nat="NO" # Override nat mode for profile2
# profile3 uses default ppp_mode and ppp_nat
### Network daemon (miscellaneous) ###
hostapd_enable="NO" # Run hostap daemon.
syslogd_enable="YES" # Run syslog daemon (or NO).
syslogd_program="/usr/sbin/syslogd" # path to syslogd, if you want a different one.
syslogd_flags="-s" # Flags to syslogd (if enabled).
# -s puts syslogd(8) in "secure" mode: messages from remote hosts are not
# accepted, so the box is not a network log sink by default. Giving -s twice
# avoids opening the UDP socket at all. Remove it only on a host that is
# meant to be a central log collector, and firewall 514/udp accordingly.
# (Semantics per syslogd(8); confirm on the target release.)
syslogd_oomprotect="YES" # Don't kill syslogd when swap space is exhausted.
altlog_proglist="" # List of chrooted applications in /var
# (presumably each listed name gets an additional syslog socket inside its
# chroot so it can keep logging — see rc.d/syslogd for the exact paths)
inetd_enable="NO" # Run the network daemon dispatcher (YES/NO).
inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different one.
inetd_flags="-wW -C 60" # Optional flags to inetd
# -w / -W: wrap external / internal services with TCP Wrappers
#          (hosts.allow(5) decides who may connect);
# -C 60:   refuse more than 60 connections per minute from one source
#          address (a simple flood/brute-force brake).
# Per inetd(8); confirm the exact semantics on the target release.
iscsid_enable="NO" # iSCSI initiator daemon.
iscsictl_enable="NO" # iSCSI initiator autostart.
iscsictl_flags="-Aa" # Optional flags to iscsictl.
hastd_enable="NO" # Run the HAST daemon (YES/NO).
hastd_program="/sbin/hastd" # path to hastd, if you want a different one.
hastd_flags="" # Optional flags to hastd.
ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
local_unbound_enable="NO" # local caching resolver
blacklistd_enable="NO" # Run blacklistd daemon (YES/NO).
blacklistd_flags="" # Optional flags for blacklistd(8).
#
# kerberos. Do not run the admin daemons on slave servers
#
kdc_enable="NO" # Run a kerberos 5 KDC (or NO).
kdc_program="/usr/libexec/kdc" # path to kerberos 5 KDC
kdc_flags="" # Additional flags to the kerberos 5 KDC
kadmind_enable="NO" # Run kadmind (or NO)
kadmind_program="/usr/libexec/kadmind" # path to kadmind
kpasswdd_enable="NO" # Run kpasswdd (or NO)
kpasswdd_program="/usr/libexec/kpasswdd" # path to kpasswdd
kfd_enable="NO" # Run kfd (or NO)
kfd_program="/usr/libexec/kfd" # path to kerberos 5 kfd daemon
kfd_flags=""
ipropd_master_enable="NO" # Run Heimdal incremental propagation daemon
# (master daemon).
ipropd_master_program="/usr/libexec/ipropd-master"
ipropd_master_flags="" # Flags to ipropd-master.
ipropd_master_keytab="/etc/krb5.keytab" # keytab for ipropd-master.
# A keytab holds long-term service keys: it must be readable by root only,
# and the default here is shared with the slave daemon's keytab.
ipropd_master_slaves="" # slave node names used for /var/heimdal/slaves.
ipropd_slave_enable="NO" # Run Heimdal incremental propagation daemon
# (slave daemon).
ipropd_slave_program="/usr/libexec/ipropd-slave"
ipropd_slave_flags="" # Flags to ipropd-slave.
ipropd_slave_keytab="/etc/krb5.keytab" # keytab for ipropd-slave.
# A keytab holds long-term service keys: it must be readable by root only.
ipropd_slave_master="" # master node name.
gssd_enable="NO" # Run the gssd daemon (or NO).
gssd_program="/usr/sbin/gssd" # Path to gssd.
gssd_flags="" # Flags for gssd.
rwhod_enable="NO" # Run the rwho daemon (or NO).
rwhod_flags="" # Flags for rwhod
rarpd_enable="NO" # Run rarpd (or NO).
rarpd_flags="-a" # Flags to rarpd.
bootparamd_enable="NO" # Run bootparamd (or NO).
bootparamd_flags="" # Flags to bootparamd
pppoed_enable="NO" # Run the PPP over Ethernet daemon.
pppoed_provider="*" # Provider and ppp(8) config file entry.
pppoed_flags="-P /var/run/pppoed.pid" # Flags to pppoed (if enabled).
pppoed_interface="fxp0" # The interface that pppoed runs on.
# sshd(8) is off by default. sshd_program/sshd_flags below choose the
# binary and extra command-line options; NOTE(review): per-option
# hardening (permitted users, auth methods) lives in sshd's own config,
# not in rc.conf — confirm against sshd_config(5).
sshd_enable="NO" # Enable sshd
sshd_program="/usr/sbin/sshd" # path to sshd, if you want a different one.
sshd_flags="" # Additional flags for sshd.
# Stand-alone ftpd(8), off by default. NOTE(review): FTP carries
# credentials and data in cleartext unless the server is configured
# for TLS — confirm against ftpd(8) before enabling it on a host that
# is reachable from an untrusted network.
ftpd_enable="NO" # Enable stand-alone ftpd.
ftpd_program="/usr/libexec/ftpd" # Path to ftpd, if you want a different one.
ftpd_flags="" # Additional flags to stand-alone ftpd.
### Network daemon (NFS): All need rpcbind_enable="YES" ###
amd_enable="NO" # Run amd service with $amd_flags (or NO).
amd_program="/usr/sbin/amd" # path to amd, if you want a different one.
amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map"
amd_map_program="NO" # Can be set to "ypcat -k amd.master"
autofs_enable="NO" # Run autofs daemons.
automount_flags="" # Flags to automount(8) (if autofs enabled).
automountd_flags="" # Flags to automountd(8) (if autofs enabled).
autounmountd_flags="" # Flags to autounmountd(8) (if autofs enabled).
nfs_client_enable="NO" # This host is an NFS client (or NO).
nfs_access_cache="60" # Client cache timeout in seconds
nfs_server_enable="NO" # This host is an NFS server (or NO).
nfs_server_flags="-u -t" # Flags to nfsd (if enabled).
nfs_server_managegids="NO" # The NFS server maps gids for AUTH_SYS (or NO).
mountd_enable="NO" # Run mountd (or NO).
mountd_flags="-r -S" # Flags to mountd (if NFS server enabled).
# Keep NO unless you specifically need mountd to serve mount requests
# that do not originate from root on the client; "weak" is in the name
# for a reason. NOTE(review): the exact client check this relaxes is
# documented in mountd(8) — confirm before changing it.
weak_mountd_authentication="NO" # Allow non-root mount requests to be served.
# YES restricts NFS service to requests that arrive from a reserved
# ("secure", i.e. privileged) source port; the default NO does not apply
# that restriction. Consider YES on any server reachable by hosts you
# do not administer.
nfs_reserved_port_only="NO" # Provide NFS only on secure port (or NO).
nfs_bufpackets="" # bufspace (in packets) for client
rpc_lockd_enable="NO" # Run NFS rpc.lockd needed for client/server.
rpc_lockd_flags="" # Flags to rpc.lockd (if enabled).
rpc_statd_enable="NO" # Run NFS rpc.statd needed for client/server.
rpc_statd_flags="" # Flags to rpc.statd (if enabled).
# rpcbind(8) is the prerequisite named in the NFS and NIS section
# headers ("All need rpcbind_enable="YES""). It is a network-listening
# service, so leave it NO unless one of those services is actually
# enabled on this host.
rpcbind_enable="NO" # Run the portmapper service (YES/NO).
rpcbind_program="/usr/sbin/rpcbind" # path to rpcbind, if you want a different one.
rpcbind_flags="" # Flags to rpcbind (if enabled).
rpc_ypupdated_enable="NO" # Run if NIS master and SecureRPC (or NO).
keyserv_enable="NO" # Run the SecureRPC keyserver (or NO).
keyserv_flags="" # Flags to keyserv (if enabled).
nfsv4_server_enable="NO" # Enable support for NFSv4
nfscbd_enable="NO" # NFSv4 client side callback daemon
nfscbd_flags="" # Flags for nfscbd
nfsuserd_enable="NO" # NFSv4 user/group name mapping daemon
nfsuserd_flags="" # Flags for nfsuserd
### Network Time Services options: ###
timed_enable="NO" # Run the time daemon (or NO).
timed_flags="" # Flags to timed (if enabled).
ntpdate_enable="NO" # Run ntpdate to sync time on boot (or NO).
ntpdate_program="/usr/sbin/ntpdate" # path to ntpdate, if you want a different one.
ntpdate_flags="-b" # Flags to ntpdate (if enabled).
ntpdate_config="/etc/ntp.conf" # ntpdate(8) configuration file
ntpdate_hosts="" # Whitespace-separated list of ntpdate(8) servers.
ntpd_enable="NO" # Run ntpd Network Time Protocol (or NO).
ntpd_program="/usr/sbin/ntpd" # path to ntpd, if you want a different one.
ntpd_config="/etc/ntp.conf" # ntpd(8) configuration file
ntpd_sync_on_start="NO" # Sync time on ntpd startup, even if offset is high
ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntpd.drift"
# Flags to ntpd (if enabled).
ntp_src_leapfile="/etc/ntp/leap-seconds"
# Initial source for ntpd leapfile
ntp_db_leapfile="/var/db/ntpd.leap-seconds.list"
# Working copy (updated weekly) leapfile
ntp_leapfile_sources="https://www.ietf.org/timezones/data/leap-seconds.list"
# Source from which to fetch leapfile
ntp_leapfile_fetch_opts="-mq" # Options to use for ntp leapfile fetch,
# e.g. --no-verify-peer, which disables TLS certificate verification of the HTTPS source above; avoid it unless you have no alternative
ntp_leapfile_expiry_days=30 # Check for new leapfile 30 days prior to
# expiry.
ntp_leapfile_fetch_verbose="NO" # Be verbose during NTP leapfile fetch
### Network Information Services (NIS) options: All need rpcbind_enable="YES" ###
nis_client_enable="NO" # We're an NIS client (or NO).
nis_client_flags="" # Flags to ypbind (if enabled).
nis_ypset_enable="NO" # Run ypset at boot time (or NO).
nis_ypset_flags="" # Flags to ypset (if enabled).
nis_server_enable="NO" # We're an NIS server (or NO).
nis_server_flags="" # Flags to ypserv (if enabled).
nis_ypxfrd_enable="NO" # Run rpc.ypxfrd at boot time (or NO).
nis_ypxfrd_flags="" # Flags to rpc.ypxfrd (if enabled).
nis_yppasswdd_enable="NO" # Run rpc.yppasswdd at boot time (or NO).
nis_yppasswdd_flags="" # Flags to rpc.yppasswdd (if enabled).
nis_ypldap_enable="NO" # Run ypldap at boot time (or NO).
nis_ypldap_flags="" # Flags to ypldap (if enabled).
### SNMP daemon ###
# Be sure to understand the security implications of running SNMP v1/v2 (community strings are the only authentication, and they travel in cleartext)
# in your network.
bsnmpd_enable="NO" # Run the SNMP daemon (or NO).
bsnmpd_flags="" # Flags for bsnmpd.
### Network routing options: ###
defaultrouter="NO" # Set to default gateway (or NO).
static_arp_pairs="" # Set to static ARP list (or leave empty).
static_ndp_pairs="" # Set to static NDP list (or leave empty).
static_routes="" # Set to static route list (or leave empty).
gateway_enable="NO" # Set to YES if this host will be a gateway.
routed_enable="NO" # Set to YES to enable a routing daemon.
routed_program="/sbin/routed" # Name of routing daemon to use if enabled.
routed_flags="-q" # Flags for routing daemon.
arpproxy_all="NO" # replaces obsolete kernel option ARP_PROXYALL.
# Keep NO: forwarding source-routed packets lets a remote sender dictate
# the path a packet takes through this gateway. The comment below says
# it is only consulted when gateway_enable="YES".
forward_sourceroute="NO" # do source routing (only if gateway_enable is set to "YES")
# Keep NO: accepting source-routed packets lets a sender reach this host
# by a path it chose itself, sidestepping routing-based filtering.
# Unlike forward_sourceroute above, no gateway_enable qualifier is
# stated for this knob.
accept_sourceroute="NO" # accept source routed packets to us
### Bluetooth ###
hcsecd_enable="NO" # Enable hcsecd(8) (or NO)
hcsecd_config="/etc/bluetooth/hcsecd.conf" # hcsecd(8) configuration file
sdpd_enable="NO" # Enable sdpd(8) (or NO)
sdpd_control="/var/run/sdp" # sdpd(8) control socket
# Unprivileged identity sdpd drops to once initialised (continued on
# the sdpd_username line below).
sdpd_groupname="nobody" # set sdpd(8) user/group to run as after
sdpd_username="nobody" # it initializes
bthidd_enable="NO" # Enable bthidd(8) (or NO)
bthidd_config="/etc/bluetooth/bthidd.conf" # bthidd(8) configuration file
bthidd_hids="/var/db/bthidd.hids" # bthidd(8) known HID devices file
rfcomm_pppd_server_enable="NO" # Enable rfcomm_pppd(8) in server mode (or NO)
rfcomm_pppd_server_profile="one two" # Profile to use from /etc/ppp/ppp.conf
#
#rfcomm_pppd_server_one_bdaddr="" # Override local bdaddr for 'one'
rfcomm_pppd_server_one_channel="1" # Override local channel for 'one'
#rfcomm_pppd_server_one_register_sp="NO" # Override SP and DUN register
#rfcomm_pppd_server_one_register_dun="NO" # for 'one'
#
#rfcomm_pppd_server_two_bdaddr="" # Override local bdaddr for 'two'
rfcomm_pppd_server_two_channel="3" # Override local channel for 'two'
#rfcomm_pppd_server_two_register_sp="NO" # Override SP and DUN register
#rfcomm_pppd_server_two_register_dun="NO" # for 'two'
ubthidhci_enable="NO" # Switch an USB BT controller present on
#ubthidhci_busnum="3" # bus 3 and addr 2 from HID mode to HCI mode.
#ubthidhci_addr="2" # Check usbconfig list to find the correct
# numbers for your system.
### Network link/usability verification options
netwait_enable="NO" # Enable rc.d/netwait (or NO)
#netwait_ip="" # Wait for ping response from any IP in this list.
netwait_timeout="60" # Total number of seconds to perform pings.
#netwait_if="" # Wait for active link on each intf in this list.
netwait_if_timeout="30" # Total number of seconds to monitor link state.
### Miscellaneous network options: ###
# Keep NO. NOTE(review): a host that answers echo requests addressed to
# a broadcast address can be used to amplify traffic toward whatever
# source address the requester spoofed — there is rarely a reason to
# turn this on.
icmp_bmcastecho="NO" # respond to broadcast ping packets
### IPv6 options: ###
ipv6_network_interfaces="auto" # List of IPv6 network interfaces
# (or "auto" or "none").
ipv6_activate_all_interfaces="NO" # If NO, interfaces which have no
# corresponding $ifconfig_IF_ipv6 are
# marked as IFDISABLED for security
# reasons.
ipv6_defaultrouter="NO" # Set to IPv6 default gateway (or NO).
#ipv6_defaultrouter="2002:c058:6301::" # Use this for 6to4 (RFC 3068)
ipv6_static_routes="" # Set to static route list (or leave empty).
#ipv6_static_routes="xxx" # An example to set fec0:0000:0000:0006::/64
# route toward loopback interface.
#ipv6_route_xxx="fec0:0000:0000:0006:: -prefixlen 64 ::1"
ipv6_gateway_enable="NO" # Set to YES if this host will be a gateway.
ipv6_cpe_wanif="NO" # Set to the upstream interface name if this
# node will work as a router to forward IPv6
# packets not explicitly addressed to itself.
ipv6_privacy="NO" # Use privacy address on RA-receiving IFs
# (RFC 4941)
route6d_enable="NO" # Set to YES to enable an IPv6 routing daemon.
route6d_program="/usr/sbin/route6d" # Name of IPv6 routing daemon.
route6d_flags="" # Flags to IPv6 routing daemon.
#route6d_flags="-l" # Example for route6d with only IPv6 site local
# addrs.
#route6d_flags="-q" # If you want to run a routing daemon on an end
# node, you should stop advertisement.
#ipv6_network_interfaces="ed0 ep0" # Examples for router
# or static configuration for end node.
# Choose correct prefix value.
#ipv6_prefix_ed0="fec0:0000:0000:0001 fec0:0000:0000:0002" # Examples for rtr.
#ipv6_prefix_ep0="fec0:0000:0000:0003 fec0:0000:0000:0004" # Examples for rtr.
ipv6_default_interface="NO" # Default output interface for scoped addrs.
# This works only with
# ipv6_gateway_enable="NO".
rtsol_flags="" # Flags to IPv6 router solicitation.
rtsold_enable="NO" # Set to YES to enable an IPv6 router
# solicitation daemon.
rtsold_flags="-a" # Flags to an IPv6 router solicitation
# daemon.
rtadvd_enable="NO" # Set to YES to enable an IPv6 router
# advertisement daemon. If set to YES,
# this router becomes a possible candidate
# IPv6 default router for local subnets.
rtadvd_interfaces="" # Interfaces rtadvd sends RA packets.
stf_interface_ipv4addr="" # Local IPv4 addr for 6to4 IPv6 over IPv4
# tunneling interface. Specify this entry
# to enable 6to4 interface.
stf_interface_ipv4plen="0" # Prefix length for 6to4 IPv4 addr,
# to limit peer addr range. Effective value
# is 0-31.
stf_interface_ipv6_ifid="0:0:0:1" # IPv6 interface id for stf0.
# If you like, you can set "AUTO" for this.
stf_interface_ipv6_slaid="0000" # IPv6 Site Level Aggregator for stf0
ipv6_ipv4mapping="NO" # Set to "YES" to enable IPv4 mapped IPv6 addr
# communication. (like ::ffff:a.b.c.d)
ipv6_ipfilter_rules="/etc/ipf6.rules" # rules definition file for ipfilter,
# see /usr/src/contrib/ipfilter/rules
# for examples
ip6addrctl_enable="YES" # Set to YES to enable default address selection
ip6addrctl_verbose="NO" # Set to YES to enable verbose configuration messages
ip6addrctl_policy="AUTO" # A pre-defined address selection policy
# (ipv4_prefer, ipv6_prefer, or AUTO)
##############################################################
### System console options #################################
##############################################################
keyboard="" # keyboard device to use (default /dev/kbd0).
keymap="NO" # keymap in /usr/share/{syscons,vt}/keymaps/* (or NO).
keyrate="NO" # keyboard rate to: slow, normal, fast (or NO).
keybell="NO" # See kbdcontrol(1) for options. Use "off" to disable.
keychange="NO" # function keys default values (or NO).
cursor="NO" # cursor type {normal|blink|destructive} (or NO).
scrnmap="NO" # screen map in /usr/share/syscons/scrnmaps/* (or NO).
font8x16="NO" # font 8x16 from /usr/share/{syscons,vt}/fonts/* (or NO).
font8x14="NO" # font 8x14 from /usr/share/{syscons,vt}/fonts/* (or NO).
font8x8="NO" # font 8x8 from /usr/share/{syscons,vt}/fonts/* (or NO).
blanktime="300" # blank time (in seconds) or "NO" to turn it off.
saver="NO" # screen saver: Uses /boot/kernel/${saver}_saver.ko
moused_nondefault_enable="YES" # Treat non-default mice as enabled unless
# specifically overridden in rc.conf(5).
moused_enable="NO" # Run the mouse daemon.
moused_type="auto" # See man page for rc.conf(5) for available settings.
moused_port="/dev/psm0" # Set to your mouse port.
moused_flags="" # Any additional flags to moused.
mousechar_start="NO" # if 0xd0-0xd3 default range is occupied in your
# language code table, specify alternative range
# start like mousechar_start=3, see vidcontrol(1)
allscreens_flags="" # Set this vidcontrol mode for all virtual screens
allscreens_kbdflags="" # Set this kbdcontrol mode for all virtual screens
##############################################################
### Mail Transfer Agent (MTA) options ######################
##############################################################
mta_start_script="/etc/rc.sendmail"
# Script to start your chosen MTA, called by /etc/rc.
# Settings for /etc/rc.sendmail and /etc/rc.d/sendmail:
# The inbound daemon. Unlike sendmail_submit_flags below, sendmail_flags
# carries no Addr=localhost restriction, so this listener is not confined
# to the loopback address. Keep NO unless this host is meant to receive
# mail from other machines.
sendmail_enable="NO" # Run the sendmail inbound daemon (YES/NO).
sendmail_pidfile="/var/run/sendmail.pid" # sendmail pid file
sendmail_procname="/usr/sbin/sendmail" # sendmail process name
sendmail_flags="-L sm-mta -bd -q30m" # Flags to sendmail (as a server)
sendmail_cert_create="YES" # Create a server certificate if none (YES/NO)
#sendmail_cert_cn="CN" # CN of the generated certificate
# Local mail submission listener. sendmail_submit_flags below pins it to
# the loopback address with -ODaemonPortOptions=Addr=localhost, which is
# why it can default to YES without exposing an SMTP port to the network.
sendmail_submit_enable="YES" # Start a localhost-only MTA for mail submission
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
# Flags for localhost-only MTA
sendmail_outbound_enable="YES" # Dequeue stuck mail (YES/NO).
sendmail_outbound_flags="-L sm-queue -q30m" # Flags to sendmail (outbound only)
sendmail_msp_queue_enable="YES" # Dequeue stuck clientmqueue mail (YES/NO).
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q30m"
# Flags for sendmail_msp_queue daemon.
sendmail_rebuild_aliases="NO" # Run newaliases if necessary (YES/NO).
##############################################################
### Miscellaneous administrative options ###################
##############################################################
# Off by default; auditd_program/auditd_flags below select the binary
# and its options. NOTE(review): hosts that must keep a record of
# security-relevant events are the candidates for YES — see auditd(8)
# for what is recorded and where it is written.
auditd_enable="NO" # Run the audit daemon.
auditd_program="/usr/sbin/auditd" # Path to the audit daemon.
auditd_flags="" # Which options to pass to the audit daemon.
# Separate knob from auditd_enable above: this one controls the
# auditdistd daemon whose path is auditdistd_program below.
auditdistd_enable="NO" # Run the auditdistd daemon (not auditd; see auditdistd_program).
auditdistd_program="/usr/sbin/auditdistd" # Path to the auditdistd daemon.
auditdistd_flags="" # Which options to pass to the auditdistd daemon.
cron_enable="YES" # Run the periodic job daemon.
cron_program="/usr/sbin/cron" # Which cron executable to run (if enabled).
cron_dst="YES" # Handle DST transitions intelligently (YES/NO)
cron_flags="" # Which options to pass to the cron daemon.
lpd_enable="NO" # Run the line printer daemon.
lpd_program="/usr/sbin/lpd" # path to lpd, if you want a different one.
lpd_flags="" # Flags to lpd (if enabled).
nscd_enable="NO" # Run the nsswitch caching daemon.
chkprintcap_enable="NO" # Run chkprintcap(8) before running lpd.
chkprintcap_flags="-d" # Create missing directories by default.
dumpdev="AUTO" # Device to crashdump to (device name, AUTO, or NO).
dumpdir="/var/crash" # Directory where crash dumps are to be stored
# Empty means no key is supplied, so crash dumps are presumably written
# in the clear — confirm in dumpon(8). NOTE(review): a kernel crash dump
# is an image of kernel memory; on hosts where the dump device or
# dumpdir is readable by others, set a public key here so the dump is
# encrypted at write time.
dumppubkey="" # Public key for encrypted kernel crash dumps.
# See dumpon(8) for more details.
savecore_enable="YES" # Extract core from dump devices if any
savecore_flags="-m 10" # Used if dumpdev is enabled above, and present.
# By default, only the 10 most recent kernel dumps
# are saved.
crashinfo_enable="YES" # Automatically generate crash dump summary.
crashinfo_program="/usr/sbin/crashinfo" # Script to generate crash dump summary.
quota_enable="NO" # turn on quotas on startup (or NO).
check_quotas="YES" # Check quotas on startup (or NO).
quotaon_flags="-a" # Turn quotas on for all file systems (if enabled)
quotaoff_flags="-a" # Turn quotas off for all file systems at shutdown
quotacheck_flags="-a" # Check all file system quotas (if enabled)
accounting_enable="NO" # Turn on process accounting (or NO).
ibcs2_enable="NO" # Ibcs2 (SCO) emulation loaded at startup (or NO).
ibcs2_loaders="coff" # List of additional Ibcs2 loaders (or NO).
firstboot_sentinel="/firstboot" # Scripts with "firstboot" keyword are run if
# this file exists. Should be on a R/W filesystem so
# the file can be deleted after the boot completes.
# Emulation/compatibility services provided by /etc/rc.d/abi
sysvipc_enable="NO" # Load System V IPC primitives at startup (or NO).
linux_enable="NO" # Linux binary compatibility loaded at startup (or NO).
clear_tmp_enable="NO" # Clear /tmp at startup.
clear_tmp_X="YES" # Clear and recreate X11-related directories in /tmp
# Keep NO. YES disables the checks ldconfig(8) applies to the directories
# named in the ldconfig_*paths / ldconfig_*dirs variables below; a
# directory on the shared-library search path that an unprivileged user
# can write to lets that user substitute libraries for every dynamically
# linked program. NOTE(review): the exact checks (ownership/permissions)
# are described in ldconfig(8) — confirm.
ldconfig_insecure="NO" # Set to YES to disable ldconfig security checks
ldconfig_paths="/usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg"
# shared library search paths
ldconfig32_paths="/usr/lib32 /usr/lib32/compat"
# 32-bit compatibility shared library search paths
ldconfigsoft_paths="/usr/libsoft /usr/libsoft/compat /usr/local/libsoft"
# soft float compatibility shared library search paths
# Note: temporarily with extra stuff for transition
ldconfig_paths_aout="/usr/lib/compat/aout /usr/local/lib/aout"
# a.out shared library search paths
ldconfig_local_dirs="/usr/local/libdata/ldconfig"
# Local directories with ldconfig configuration files.
ldconfig_local32_dirs="/usr/local/libdata/ldconfig32"
# Local directories with 32-bit compatibility ldconfig
# configuration files.
|
2016-01-18 21:40:18 +00:00
|
|
|
ldconfig_localsoft_dirs="/usr/local/libdata/ldconfigsoft"
|
|
|
|
# Local directories with soft float compatibility ldconfig
|
|
|
|
# configuration files.
|
2009-01-08 23:27:59 +00:00
|
|
|
kern_securelevel_enable="NO" # kernel security level (see security(7))
|
1998-12-16 17:14:16 +00:00
|
|
|
kern_securelevel="-1" # range: -1..3 ; `-1' is the most insecure
|
2005-07-21 15:17:54 +00:00
|
|
|
# Note that setting securelevel to 0 will result
|
|
|
|
# in the system booting with securelevel set to 1, as
|
|
|
|
# init(8) will raise the level when rc(8) completes.
|
1998-12-12 23:04:21 +00:00
|
|
|
update_motd="YES" # update version info in /etc/motd (or NO)
|
2015-06-30 17:09:41 +00:00
|
|
|
entropy_boot_file="/boot/entropy" # Set to NO to disable very early
|
|
|
|
# (used at early boot time) entropy caching through reboots.
|
|
|
|
entropy_file="/entropy" # Set to NO to disable late (used when going multi-user)
|
|
|
|
# entropy through reboots.
|
2005-04-11 02:45:05 +00:00
|
|
|
# /var/db/entropy-file is preferred if / is not avail.
|
2001-01-14 07:18:31 +00:00
|
|
|
entropy_dir="/var/db/entropy" # Set to NO to disable caching entropy via cron.
This is the much-discussed major upgrade to the random(4) device, known to you all as /dev/random.
This code has had an extensive rewrite and a good series of reviews, both by the author and other parties. This means a lot of code has been simplified. Pluggable structures for high-rate entropy generators are available, and it is most definitely not the case that /dev/random can be driven by only a hardware source any more. This has been designed out of the device. Hardware sources are stirred into the CSPRNG (Yarrow, Fortuna) like any other entropy source. Pluggable modules may be written by third parties for additional sources.
The harvesting structures and consequently the locking have been simplified. Entropy harvesting is done in a more general way (the documentation for this will follow). There is some GREAT entropy to be had in the UMA allocator, but it is disabled for now as messing with that is likely to annoy many people.
The venerable (but effective) Yarrow algorithm, which is no longer supported by its authors now has an alternative, Fortuna. For now, Yarrow is retained as the default algorithm, but this may be changed using a kernel option. It is intended to make Fortuna the default algorithm for 11.0. Interested parties are encouraged to read ISBN 978-0-470-47424-2 "Cryptography Engineering" By Ferguson, Schneier and Kohno for Fortuna's gory details. Heck, read it anyway.
Many thanks to Arthur Mesh who did early grunt work, and who got caught in the crossfire rather more than he deserved to.
My thanks also to folks who helped me thresh this out on whiteboards and in the odd "Hallway track", or otherwise.
My Nomex pants are on. Let the feedback commence!
Reviewed by: trasz,des(partial),imp(partial?),rwatson(partial?)
Approved by: so(des)
entropy_save_sz="4096"		# Size of each entropy cache file.
entropy_save_num="8"		# How many entropy cache files to keep.
# Which entropy sources the random device harvests from; the default takes
# everything except the very invasive sources.  See
# 'sysctl kern.random.harvest' and random(4).
harvest_mask="511"

dmesg_enable="YES"		# Save dmesg(8) output to /var/run/dmesg.boot.
watchdogd_enable="NO"		# YES starts the software watchdog daemon.
watchdogd_flags=""		# Extra flags passed to watchdogd when enabled.

# devfs(8) rule handling.
devfs_rulesets="/etc/defaults/devfs.rules /etc/devfs.rules"	# Rule files.
devfs_system_ruleset=""	# Name (NOT number) of the ruleset applied to /dev.
devfs_set_rulesets=""		# "/mount/dev=ruleset_name" settings to apply;
				# the filesystem must already be mounted
				# (i.e. via fstab(5)).
devfs_load_rulesets="YES"	# Always load the default rulesets.

# CPU power management while online versus offline.
performance_cx_lowest="NONE"	# Lowest CPU idle state while online.
performance_cpu_freq="NONE"	# CPU frequency while online.
economy_cx_lowest="Cmax"	# Lowest CPU idle state while offline.
economy_cpu_freq="NONE"		# CPU frequency while offline.

virecover_enable="YES"		# Housekeeping for the vi(1) editor.

# mac_bsdextended(4) rules.
ugidfw_enable="NO"		# YES loads the rules at boot.
bsdextended_script="/etc/rc.bsdextended"	# Default ruleset file.

newsyslog_enable="YES"		# Run newsyslog at startup.
newsyslog_flags="-CN"		# Flags used so newsyslog creates marked files.
mixer_enable="YES"		# Run the sound mixer.
opensm_enable="NO"		# opensm(8) for InfiniBand devices; off by default.

# rctl(8) needs a kernel built with options RACCT and RCTL.
rctl_enable="YES"		# Load the rctl(8) rules at boot.
rctl_rules="/etc/rctl.conf"	# rctl(8) ruleset file; see rctl.conf(5).

iovctl_files=""			# Configuration files for iovctl(8).

##############################################################
### Jail Configuration (see rc.conf(5) manual page) ##########
##############################################################
jail_enable="NO"		# YES starts the configured jails at boot.
jail_confwarn="YES"		# Warning about obsolete per-jail configuration;
				# NOTE(review): the earlier comment read as if
				# YES suppresses it — confirm with rc.conf(5).
jail_parallel_start="NO"	# YES starts jails in the background.
jail_list=""			# Space-separated names of the jails to start.
jail_reverse_stop="NO"		# YES stops jails in reverse order.
|
1997-05-24 11:29:59 +00:00
|
|
|
|
|
|
|
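##############################################################
### Define source_rc_confs, the mechanism used by /etc/rc.* ##
### scripts to source rc_conf_files overrides safely.       ##
##############################################################

if [ -z "${source_rc_confs_defined}" ]; then
	source_rc_confs_defined=yes
	#
	# Source every file named in ${rc_conf_files}, each at most once.
	# ${rc_conf_files} is deliberately left unquoted so that it is
	# word-split into individual file names.  Two passes are made:
	# a file sourced in the first pass may itself redefine
	# ${rc_conf_files}, and the second pass picks up names added that
	# way.  Files already sourced are skipped via the ":name:"
	# bookkeeping in ${sourced_files}; unreadable or missing files are
	# skipped silently.
	#
	# Each name is used quoted, so an entry is taken literally rather
	# than being pathname-expanded: a glob-like entry can no longer
	# turn into ". a b", which would source "a" with "b" as a
	# positional argument.
	#
	source_rc_confs() {
		local i _pass sourced_files
		for _pass in 1 2; do
			for i in ${rc_conf_files}; do
				case "${sourced_files}" in
				*:"$i":*)
					;;
				*)
					sourced_files="${sourced_files}:$i:"
					if [ -r "$i" ]; then
						. "$i"
					fi
					;;
				esac
			done
		done
	}
fi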
|
2016-06-23 19:37:00 +00:00
|
|
|
|
|
|
|
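# Let vendors override the FreeBSD defaults set in /etc/defaults/rc.conf
# without having to carefully manage /etc/rc.conf.  The file is sourced
# here, after all the defaults above, so its settings take precedence
# over them.  Settings from ${rc_conf_files} are expected to override
# vendor.conf in turn when source_rc_confs is run by rc.subr — confirm
# that ordering there, it is not visible in this file.
if [ -r /etc/defaults/vendor.conf ]; then
	. /etc/defaults/vendor.conf
fi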