5.t

早期freebsd实现

has certain advantages over the routing daemon, but is
unsuitable in an environment where there are only bridges (i.e.
pseudo gateways that, for instance, do not generate routing
redirect messages).  Further, if the
smart gateway goes down there is no alternative, save manual
alteration of the routing table entry, to maintaining service.
.PP
The system always listens, and processes, routing redirect
information, so it is possible to combine both of the above
facilities.  For example, the routing table management process
might be used to maintain up to date information about routes
to geographically local networks, while employing the wildcard
routing techniques for ``distant'' networks.  The
.Xr netstat (1)
program may be used to display routing table contents as well
as various routing oriented statistics.  For example,
.DS
\fB#\fP \fInetstat \-r\fP
.DE
will display the contents of the routing tables, while
.DS
\fB#\fP \fInetstat \-r \-s\fP
.DE
will show the number of routing table entries dynamically
created as a result of routing redirect messages, etc.
.Sh 2 "Use of \*(4B machines as gateways"
.PP
Several changes have been made in \*(4B in the area of gateway support
(or packet forwarding, if one prefers).
A new configuration option, GATEWAY, is used when configuring
a machine to be used as a gateway.
This option increases the size of the routing hash tables in the kernel.
Unless configured with that option,
hosts with only a single non-loopback interface never attempt
to forward packets or to respond with ICMP error messages to misdirected
packets.
This change reduces the problems that may occur when different hosts
on a network disagree on the network number or broadcast address.
Another change is that \*(4B machines that forward packets back through
the same interface on which they arrived
will send ICMP redirects to the source host if it is on the same network.
This improves the interaction of \*(4B gateways with hosts that configure
their routes via default gateways and redirects.
The generation of redirects may be disabled with the configuration option
IPSENDREDIRECTS=0 or while the system is running by using the command:
.DS
.ft CW
sysctl -w net.inet.ip.redirect=0
.DE
in environments where it may cause difficulties.
.Sh 2 "Network databases"
.PP
Several data files are used by the network library routines
and server programs.  Most of these files are host independent
and updated only rarely.
.br
.ne 1i
.TS
lfC l l.
File	Manual reference	Use
_
/etc/hosts	\fIhosts\fP\|(5)	local host names
/etc/networks	\fInetworks\fP\|(5)	network names
/etc/services	\fIservices\fP\|(5)	list of known services
/etc/protocols	\fIprotocols\fP\|(5)	protocol names
/etc/hosts.equiv	\fIrshd\fP\|(8)	list of ``trusted'' hosts
/etc/netstart	\fIrc\fP\|(8)	command script for initializing network
/etc/rc	\fIrc\fP\|(8)	command script for starting standard servers
/etc/rc.local	\fIrc\fP\|(8)	command script for starting local servers
/etc/ftpusers	\fIftpd\fP\|(8)	list of ``unwelcome'' ftp users
/etc/hosts.lpd	\fIlpd\fP\|(8)	list of hosts allowed to access printers
/etc/inetd.conf	\fIinetd\fP\|(8)	list of servers started by \fIinetd\fP
.TE
The files distributed are set up for Internet hosts.
Local networks and hosts should be added to describe the local
configuration; the Berkeley entries may serve as examples
(see also the section on
.Pn /etc/hosts ).
Network numbers will have to be chosen for each Ethernet.
For sites connected to the Internet,
the normal channels should be used for allocation of network
numbers (contact hostmaster@SRI-NIC.ARPA).
For other sites,
these could be chosen more or less arbitrarily,
but it is generally better to request official numbers
to avoid conversion if a connection to the Internet (or others on the Internet)
is ever established.
.Sh 3 "Network servers"
.PP
Most network servers are automatically started up at boot time
by the command file
.Pn /etc/rc
or by the Internet daemon (see below).
These include the following:
.TS
lfC l l.
Program	Server	Started by
_
/usr/sbin/syslogd	error logging server	\f(CW/etc/rc\fP
/usr/sbin/named	Internet name server	\f(CW/etc/rc\fP
/sbin/routed	routing table management daemon	\f(CW/etc/rc\fP
/usr/sbin/rwhod	system status daemon	\f(CW/etc/rc\fP
/usr/sbin/timed	time synchronization daemon	\f(CW/etc/rc\fP
/usr/sbin/sendmail	SMTP server	\f(CW/etc/rc\fP
/usr/libexec/rshd	shell server	inetd
/usr/libexec/rexecd	exec server	inetd
/usr/libexec/rlogind	login server	inetd
/usr/libexec/telnetd	TELNET server	inetd
/usr/libexec/ftpd	FTP server	inetd
/usr/libexec/fingerd	Finger server	inetd
/usr/libexec/tftpd	TFTP server	inetd
.TE
Consult the manual pages and accompanying documentation (particularly
for named and sendmail) for details about their operation.
.PP
The use of
.Xr routed
and
.Xr rwhod
is controlled by shell
variables set in
.Pn /etc/netstart .
By default,
.Xr routed
is used, but
.Xr rwhod
is not; they are enabled by setting the variables \fIroutedflags\fP and
.Xr rwhod
to strings other than ``NO.''
The value of \fIroutedflags\fP provides host-specific options to
.Xr routed .
For example,
.DS
.ft CW
routedflags=-q
rwhod=NO
.DE
would run
.Xr "routed -q"
and would not run
.Xr rwhod .
.PP
To have other network servers started as well,
commands of the following sort should be placed in the site-dependent file
.Pn /etc/rc.local .
.DS
.ft CW
if [ -f /usr/sbin/timed ]; then
	/usr/sbin/timed & echo -n ' timed'			>/dev/console
f\&i
.DE
.Sh 3 "Internet daemon"
.PP
In \*(4B most of the servers for user-visible services are started up by a
``super server'', the Internet daemon.  The Internet
daemon,
.Pn /usr/sbin/inetd ,
acts as a master server for
programs specified in its configuration file,
.Pn /etc/inetd.conf ,
listening for service requests for these servers, and starting
up the appropriate program whenever a request is received.
The configuration file contains lines containing a service
name (as found in
.Pn /etc/services ),
the type of socket the
server expects (e.g. stream or dgram), the protocol to be
used with the socket (as found in
.Pn /etc/protocols ),
whether to wait for each server to complete before starting up another,
the user name by which the server should run, the server
program's name, and at most five arguments to pass to the
server program.
Some trivial services are implemented internally in
.Xr inetd ,
and their servers are listed as ``internal.''
For example, an entry for the file
transfer protocol server would appear as
.DS
.ft CW
ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd
.DE
Consult
.Xr inetd (8)
for more detail on the format of the configuration file
and the operation of the Internet daemon.
.Sh 3 "The \f(CW/etc/hosts.equiv\fP file"
.PP
The remote login and shell servers use an
authentication scheme based on trusted hosts.  The
.Pn hosts.equiv
file contains a list of hosts that are considered trusted
and, under a single administrative control.  When a user
contacts a remote login or shell server requesting service,
the client process passes the user's name and the official
name of the host on which the client is located.  In the simple
case, if the host's name is located in
.Pn hosts.equiv
and the user has an account on the server's machine, then service
is rendered (i.e. the user is allowed to log in, or the command
is executed).  Users may expand this ``equivalence'' of
machines by installing a
.Pn \&.rhosts
file in their login directory.
The root login is handled specially, bypassing the
.Pn hosts.equiv
file, and using only the
.Pn /.rhosts
file.
.PP
Thus, to create a class of equivalent machines, the
.Pn hosts.equiv
file should contain the \fIofficial\fP names for those machines.
If you are running the name server, you may omit the domain part
of the host name for machines in your local domain.
For example, four machines on our local
network are considered trusted, so the
.Pn hosts.equiv
file is of the form:
.DS
.ft CW
vangogh.CS.Berkeley.EDU
picasso.CS.Berkeley.EDU
okeeffe.CS.Berkeley.EDU
.DE
.Sh 3 "The \f(CW/etc/ftpusers\fP file"
.PP
The FTP server included in the system provides support for an
anonymous FTP account.  Because of the inherent security problems
with such a facility you should read this section carefully if
you consider providing such a service.
.PP
An anonymous account is enabled by creating a user
.Xr ftp .
When a client uses the anonymous account a
.Xr chroot (2)
system call is performed by the server to restrict the client
from moving outside that part of the filesystem where the
user ftp home directory is located.  Because a
.Xr chroot
call is used, certain programs and files used by the server
process must be placed in the ftp home directory.
Further, one must be
sure that all directories and executable images are unwritable.
The following directory setup is recommended.  The
use of the
.Xr awk
commands to copy the
.Pn /etc/passwd
and
.Pn /etc/group
files are \fBSTRONGLY\fP recommended.
.DS
\fB#\fP \fIcd ~ftp\fP
\fB#\fP \fIchmod 555 .; chown ftp .; chgrp ftp .\fP
\fB#\fP \fImkdir bin etc pub\fP
\fB#\fP \fIchown root bin etc\fP
\fB#\fP \fIchmod 555 bin etc\fP
\fB#\fP \fIchown ftp pub\fP
\fB#\fP \fIchmod 777 pub\fP
\fB#\fP \fIcd bin\fP
\fB#\fP \fIcp /bin/sh /bin/ls .\fP
\fB#\fP \fIchmod 111 sh ls\fP
\fB#\fP \fIcd ../etc\fP
\fB#\fP \fIawk -F: '{$2="*";print$1":"$2":"$3":"$4":"$5":"$6":"}' < /etc/passwd > passwd\fP
\fB#\fP \fIawk -F: '{$2="*";print$1":"$2":"}' < /etc/group > group\fP
\fB#\fP \fIchmod 444 passwd group\fP
.DE
When local users wish to place files in the anonymous
area, they must be placed in a subdirectory.  In the
setup here, the directory
.Pn ~ftp/pub
is used.
.PP
Aside from the problems of directory modes and such,
the ftp server may provide a loophole for interlopers
if certain user accounts are allowed.
The file
.Pn /etc/ftpusers
is checked on each connection.
If the requested user name is located in the file, the
request for service is denied.  This file normally has
the following names on our systems.
.DS
uucp
root
.DE
Accounts without passwords need not be listed in this file as the ftp
server will refuse service to these users.
Accounts with nonstandard shells (any not listed in
.Pn /etc/shells )
will also be denied access via ftp.