[Chapter 5] 5.3 The BSD Kernel Configuration File
The options statement tells the kernel to compile a software option into the system. The options statement
that is most important to TCP/IP is:
options INET                    # basic networking support--mandatory
Every BSD-based system running TCP/IP has an options INET statement in its kernel configuration file.
The statement produces a -DINET argument for the C compiler, which in turn causes the IP, ICMP, TCP,
UDP, and ARP modules to be compiled into the kernel. This single statement incorporates the basic
transport and IP datagram services into the system. Never remove this statement from the configuration file.
There are several other options statements in addition to the required INET option. Some of these perform
functions identical to features we have already seen in the Linux configuration. A few have no direct
parallels in the Linux configuration.
options GATEWAY                 # internetwork gateway
The GATEWAY option determines whether the system forwards IP datagrams destined for another
computer. When this option is selected, the system forwards datagrams if it has more than one network
interface; i.e., the system is assumed to be a gateway. You don't need GATEWAY on a system with a single
network interface. Hosts - systems with one network interface - do not forward the packets of other systems,
because this would hide configuration problems on other systems on the network. If the other systems are
incorrectly delivering datagrams to a host, forwarding the datagrams makes it appear as if they were
correctly addressed and makes it difficult to detect the real problem. On occasion, you might even want to
force a system that has multiple network interfaces not to forward datagrams by commenting options
GATEWAY out of your configuration. This is useful for preventing a multi-homed host (a host with two
network interfaces) from acting as a gateway.
options IPFIREWALL              # firewall
The IPFIREWALL option prepares the system to act as a firewall. The full firewall implementation requires
application software and other tools. However, certain functions of a firewall, such as address filtering, must
be implemented in the kernel. This option requests those kernel-level services. A variant of this option is
IPFIREWALL_VERBOSE, which enables the same basic kernel services with enhanced error reporting.
The enhanced errors can be useful for detecting intrusions, but they increase the size of the kernel.
options MROUTING                # Multicast routing
The MROUTING option adds multicast routing support to the kernel. A multicast kernel is necessary for the
system to be able to interpret multicast addresses and for the system to support multicast applications like
MBONE and Internet Talk Radio.
options IPACCT                  # ipaccounting
The IPACCT option adds additional code and counters that keep track of network usage, which is helpful for
billing purposes.
options ARP_PROXYALL            # global proxy ARP
The ARP_PROXYALL option turns the system into a proxy ARP server. The Address Resolution Protocol
(ARP) is discussed in Chapter 2, Delivering the Data. Proxy ARP is a variant on the standard protocol in
which a server answers the ARP request for its clients. Here's how it works. Host A sends out an ARP
request for the Ethernet address of host B. The proxy ARP server, C, hears the request and sends an ARP
response back to A claiming that C's Ethernet address is the address of host B. A then sends traffic intended
for B to C because it uses C's Ethernet address. C is therefore responsible for forwarding the traffic on to B.
The proxy ARP server is usually a router and proxy ARP is used as a means of forwarding traffic between
systems that cannot use normal routing for that traffic.
In Chapter 2, we saw how a system can act as a proxy ARP server for individual addresses using the publish
option on the arp command. The ARP_PROXYALL kernel option creates a server for all addresses; not just
for individual addresses configured in the ARP table.
options "TCP_COMPAT_42"         # emulate 4.2BSD TCP bugs
This option prevents connections between 4.2 and FreeBSD systems from hanging by adjusting FreeBSD to
ignore mistakes made by 4.2. This parameter also disables UDP checksum calculations. The UDP checksum
calculation in BSD 4.2 was incorrect, so when a host receives a UDP packet from a system running 4.2, it
causes a checksum error. This parameter tells the system to ignore these errors. In addition, setting this
parameter prevents the system from sending TCP Sequence Numbers that are interpreted as negative
numbers by 4.2 systems. With this option, the initial sequence number will be set to zero for each
connection. Forcing sequence numbers to zero is a potential security problem because it allows an intruder
to guess the sequence number and to interject bogus packets into a TCP stream. For this reason, avoid using
this parameter unless you must.
5.3.1.2 Pseudo-device
The second statement required by TCP/IP in all BSD configurations is a pseudo-device statement. A pseudo-device is a device driver not directly associated with an actual piece of hardware. The pseudo-device
statement creates a header (.h) file that is identified by the pseudo-device name in the kernel directory. For
example, the statement shown below creates the file loop.h:
pseudo-device loop              # loopback network--mandatory
The loop pseudo-device is necessary to create the loopback device (lo0). This device is associated with the
loopback address 127.0.0.1; it is defined as a pseudo-device because it is not really a piece of hardware.
Another pseudo-device that is used on many FreeBSD TCP/IP systems is:
pseudo-device ether             # basic Ethernet support
This statement is necessary to support Ethernet. The ether pseudo-device is required for full support of ARP
and other Ethernet specific functions. While it is possible that a system that does not have Ethernet may not
require this statement, it is usually configured, and should remain in your kernel configuration.
The pseudo-terminals, or ptys, are other pseudo-devices that are universally configured:
pseudo-device pty 16            # pseudo-tty's
This statement defines the virtual terminal devices used by remote login services such as rlogin and telnet.
Pseudo-terminals are also used by many other applications, such as Emacs, that have no direct connection to
TCP/IP networking. The number, 16 in the example, is the number of ptys created by the kernel. The
maximum on a FreeBSD system is 64.
Other commonly configured pseudo-devices are those that support SLIP and PPP.
pseudo-device sl 2              # Serial Line IP
This statement defines the interface for the Serial Line IP protocol. The number, 2 in the example, defines
the number of SLIP pseudo-devices created by the kernel. The two devices created here would be addressed
as device sl0 and sl1.
pseudo-device ppp 2             # Point-to-point protocol
The ppp pseudo-device is the interface for the Point-to-Point Protocol. The number, 2 in the example,
defines the number of PPP pseudo-devices created by the kernel. The two devices created here would be
addressed as device ppp0 and ppp1. Two other pseudo-devices directly related to PPP are shown next.
pseudo-device sppp              # Generic synchronous PPP
pseudo-device tun 1             # Tunnel driver(user process ppp)
The sppp statement adds support for synchronous PPP data link-layer protocols. Normally, PPP runs over a
dial-up line using an asynchronous link protocol. Asynchronous modems are the common modems all of us
have on our home computers. Synchronous modems and synchronous link protocols are used on leased
lines.
The tun pseudo-device is a tunnel driver used by user-level PPP software. Tunneling is when a system
passes one protocol through another protocol; tun is a FreeBSD feature for doing this over PPP links. The
number, 1 in the example, is the number of tunnels that will be supported by this kernel.
The last three pseudo-devices are less frequently used.
pseudo-device fddi              # Generic FDDI
pseudo-device bpfilter 4        # Berkeley packet filter
pseudo-device disc              # Discard device
The fddi statement adds support for the Fiber Digital Data Interface (FDDI) to the kernel. FDDI is a local
area network standard for transmitting data at 100 Mbps over fiber-optic cable.
The bpfilter statement adds the support necessary for capturing packets. Capturing packets is an essential
part of protocol analyzers; see Chapter 11, Troubleshooting TCP/IP. When the bpfilter statement is included
in the BSD kernel, the Ethernet interface can be placed into "promiscuous mode". [6] An interface in
promiscuous mode passes all packets, not just those addressed to the local system, up to the software at the
next layer. This feature is useful for a system administrator troubleshooting a network. But it can also be
used by intruders to steal passwords and compromise security. Use the bpfilter pseudo-device only if you
really need it. The number, 4 in the example, indicates the maximum number of Ethernet interfaces that can
be monitored by bpfilter.
[6] This assumes that the Ethernet hardware is capable of functioning in promiscuous mode.
Not all Ethernet boards support this feature.
The final network pseudo-device is disc. It discards all data that it receives. This device is used only for
testing.
5.3.1.3 Devices
Real hardware devices are defined using the device statement. Every host attached to a TCP/IP network
requires some physical hardware for that attachment. The hardware is declared with a device statement in
the kernel configuration file. There are many possible network interfaces for TCP/IP, but the most common
are Ethernet interfaces.
Table 5.1 lists the Ethernet device drivers available with FreeBSD 2.1.5.
Table 5.1: Ethernet Cards Supported by FreeBSD
Device   Description
de0      DEC DC21040 PCI adapter
ed0      Western Digital SMC 80xx, Novell NE1000/2000, 3COM 3C503
eg0      3COM 3C505
el0      3COM 3C501
ep0      3COM 3C509
fe0      Fujitsu MB86960A/MB86965A
ie0      AT&T StarLAN 10 & EN100, 3COM 3C507, NI5210
ix0      Intel EtherExpress 16
le0      DEC EtherWorks 2 and EtherWorks3
lnc0     Isolan, Novell NE2100 and NE32-VL
ze0      IBM/National Semiconductor PCMCIA adapter
zp0      3COM Etherlink III PCMCIA adapter
A sample device statement shows the general format of the commands used to configure an Ethernet
interface in the FreeBSD kernel:
device ed0 at isa? port 0x280 net irq 5 iomem 0xd8000 vector edintr
device de0
Note that the ed0 device statement defines the bus type (isa), the I/O base address (port 0x280), the interrupt
number (irq 5) and the memory address (iomem 0xd8000). These values should match the values configured
on the adapter card. All of these are standard items for configuring PC hardware. [7] On the other hand, the
de0 device statement requires very little configuration because it configures a card attached to the PCI bus.
The PCI is an intelligent bus that can determine the configuration directly from the hardware.
[7] See Networking Personal Computers with TCP/IP, by Craig Hunt (O'Reilly & Associates),
for details about PC hardware configuration.
Ethernet is not the only TCP/IP network interface supported by FreeBSD. It supports an experimental ISDN
interface as well as the DEC FDDI adapter. More widely used than these are the serial line interfaces
necessary for SLIP and PPP.
device sio0 at isa? port "IO_COM1" tty irq 4 vector siointr
device sio1 at isa? port "IO_COM2" tty irq 3 vector siointr
device sio2 at isa? port "IO_COM3" tty irq 5 vector siointr
device sio3 at isa? port "IO_COM4" tty irq 9 vector siointr
```
The four serial interfaces, sio0 through sio3, correspond to the MS-DOS interfaces COM1 to COM4. These
are needed for SLIP and PPP. Chapter 6 covers other aspects of configuring PPP and SLIP.
The device statement varies according to the interface being configured. But how do you know which
hardware interfaces are installed in your system? Remember that the GENERIC kernel that comes with your
FreeBSD system is configured for a large number of devices. A simple way to tell which hardware interfaces
are installed in your system is to look at the messages displayed on the console at boot time. These messages
show all of the devices, including network devices, that the kernel found during initialization. Look at the
output of the dmesg command. It displays a copy of the console messages generated during the last boot.
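Because the GENERIC kernel carries device statements for far more hardware than any one machine has, it is useful to compare the device statements in a configuration file against the devices the kernel actually reported during boot. The script below is an added example, not from the book or from FreeBSD. Both inputs are constructed: the configuration lines follow the device statement format shown in this section, and the boot messages only approximate the shape of FreeBSD 2.x probe output (a unit name followed by "at ..." for ISA devices or by "<description>" for PCI devices, with "name:" status lines in between); that shape is an assumption, and on a real system you would feed it the output of dmesg instead.

```shell
#!/bin/sh
# Added example (not from the book): compare the "device" statements in a
# kernel configuration file with the devices the kernel reported at boot.
# Both inputs below are constructed for this demonstration.

DMESG_SAMPLE='FreeBSD 2.1.5-RELEASE #0: Wed Jul 10 00:00:00 GMT 1996
CPU: i486 DX2 (486-class CPU)
real memory  = 16777216 (16384K bytes)
ed0 at 0x280-0x29f irq 5 maddr 0xd8000 msize 8192 on isa
ed0: address 00:00:c0:aa:bb:cc, type WD8013EP (16 bit)
sio0 at 0x3f8-0x3ff irq 4 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
de0 <Digital DC21040 Ethernet> rev 35 int a irq 11 on pci0:12
de0: DC21040 [10Mb/s] pass 2.3 Ethernet address 00:00:f8:11:22:33
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa'

KCONF_SAMPLE='device ed0 at isa? port 0x280 net irq 5 iomem 0xd8000 vector edintr
device de0
device ep0 at isa? port 0x300 net irq 10 vector epintr
device sio0 at isa? port "IO_COM1" tty irq 4 vector siointr
device sio1 at isa? port "IO_COM2" tty irq 3 vector siointr
device sio2 at isa? port "IO_COM3" tty irq 5 vector siointr
device sio3 at isa? port "IO_COM4" tty irq 9 vector siointr'

# configured_devices CONFIG: unit names from "device NAME ..." statements, sorted.
configured_devices() {
    printf '%s\n' "$1" | awk '$1 == "device" { print $2 }' | sort -u
}

# probed_devices DMESG: unit names the boot messages show as attached. Assumes a
# probe line starts with the unit name followed by " at " (ISA) or " <" (PCI);
# "NAME:" status lines and everything else are ignored.
probed_devices() {
    printf '%s\n' "$1" | awk '$1 ~ /^[a-z]+[0-9]+$/ && ($2 == "at" || $2 ~ /^</) { print $1 }' | sort -u
}

# Set differences in both directions. grep -F accepts one pattern per line, so
# the whole output of the other function serves as the fixed-string pattern list.
configured_not_probed() { configured_devices "$1" | grep -vxF "$(probed_devices "$2")"; }
probed_not_configured() { probed_devices "$2" | grep -vxF "$(configured_devices "$1")"; }

echo "Configured but not found at boot (safe to drop from the kernel):"
configured_not_probed "$KCONF_SAMPLE" "$DMESG_SAMPLE"
echo "Found at boot but not in this configuration:"
probed_not_configured "$KCONF_SAMPLE" "$DMESG_SAMPLE"
```

On the sample the first list is ep0, sio2 and sio3 (configured, never probed) and the second is fdc0 (the floppy controller, probed but absent from this short configuration), which is the information you need when trimming a GENERIC configuration down to the hardware that is really present.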
The options, pseudo-device, and device statements found in the kernel configuration file tell the system to
include the TCP/IP hardware and software in the kernel. The statements in your configuration may vary
somewhat from those shown in the previous examples. But you have the same basic statements in your
kernel configuration file. With these basic statements, FreeBSD UNIX is ready to run TCP/IP.
You will probably never change any of the variables discussed in this section. Like everything else in the
kernel configuration file, they usually come correctly configured to run TCP/IP.
Chapter 5: Basic Configuration
5.2 Linux Kernel Configuration
The Linux kernel is a C program compiled and installed by make. The make config command customizes the
kernel configuration and generates the files (including the Makefile) needed to compile and link the kernel. On
Linux systems, the kernel source directory is /usr/src/linux. To start the configuration process, change to the
source directory and run make config:
# cd /usr/src/linux
# make config
The make config command asks many questions about your system configuration. Some of these are directly
related to network configuration. The first network configuration question is:
Networking support (CONFIG_NET) [Y/n/?]
Answer "yes" (y), which is the default. Networking support is necessary for all of the TCP/IP networking
features that we will request later in the configuration. Even if you don't run TCP/IP, you should answer "yes"
to this question. Basic network support is essential to many services.
The make config command asks several more general configuration questions before returning to the topic of
networking. When it does, it has many networking questions to ask. The example below is an excerpt from the
actual configuration of the Linux 2.0 kernel on a Slackware 96 system. [2]
[2] The configuration questions change with every new kernel. Refer to your system's
documentation for the latest information.
Network firewalls (CONFIG_FIREWALL) [N/y/?]
Network aliasing (CONFIG_NET_ALIAS) [N/y/?]
TCP/IP networking (CONFIG_INET) [Y/n/?]
IP: forwarding/gatewaying (CONFIG_IP_FORWARD) [N/y/?]
IP: multicasting (CONFIG_IP_MULTICAST) [N/y/?]
IP: accounting (CONFIG_IP_ACCT) [N/y/?]
IP: PC/TCP compatibility mode (CONFIG_INET_PCTCP) [N/y/?]
IP: Reverse ARP (CONFIG_INET_RARP) [N/y/m/?]
IP: Disable Path MTU Discovery (normally enabled)
(CONFIG_NO_PATH_MTU_DISCOVERY) [N/y/?]
IP: Drop source routed frames (CONFIG_IP_NOSR) [Y/n/?]
IP: Allow large windows (not recommended if <16Mb of memory)
(CONFIG_SKB_LARGE) [Y/n/?]
Network device support (CONFIG_NETDEVICES) [Y/n/?]
Dummy net driver support (CONFIG_DUMMY) [N/y/m/?]
EQL (serial line load balancing) support (CONFIG_EQUALIZER) [N/y/m/?]
PLIP (parallel port) support (CONFIG_PLIP) [N/y/m/?]
PPP (point-to-point) support (CONFIG_PPP) [Y/m/n/?]
SLIP (serial line) support (CONFIG_SLIP) [Y/m/n/?]
CSLIP compressed headers (CONFIG_SLIP_COMPRESSED) [Y/n/?]
Keepalive and linefill (CONFIG_SLIP_SMART) [N/y/?]
Six bit SLIP encapsulation (CONFIG_SLIP_MODE_SLIP6) [N/y/?]
Radio network interfaces (CONFIG_NET_RADIO) [N/y/?]
Ethernet (10 or 100Mbit) (CONFIG_NET_ETHERNET) [Y/n/?]
3COM cards (CONFIG_NET_VENDOR_3COM) [Y/n/?]
3c501 support (CONFIG_EL1) [N/y/m/?]
3c503 support (CONFIG_EL2) [N/y/m/?]
3c509/3c579 support (CONFIG_EL3) [Y/m/n/?]
3c590 series (592/595/597) "Vortex" support (CONFIG_VORTEX) [N/y/m/?]
AMD LANCE and PCnet (AT1500 and NE2100) support (CONFIG_LANCE) [N/y/?]
Western Digital/SMC cards (CONFIG_NET_VENDOR_SMC) [N/y/?]
Other ISA cards (CONFIG_NET_ISA) [N/y/?]
EISA, VLB, PCI and on board controllers (CONFIG_NET_EISA) [N/y/?]
Pocket and portable adaptors (CONFIG_NET_POCKET) [N/y/?]
Token Ring driver support (CONFIG_TR) [N/y/?]
ARCnet support (CONFIG_ARCNET) [N/y/m/?]
ISDN support (CONFIG_ISDN) [N/y/m/?]
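Each question line above ends in the option's configuration symbol and a bracketed list of answers, with the default shown as the uppercase letter. The script below is an added example, not from the book or from the Linux kernel sources: it parses question lines of exactly that shape (including questions whose prompt wraps onto a second line, since the symbol and the brackets always share a line), reports each option's default and whether "m" is an allowed answer, and lists the options that a default run of make config would enable. The sample text repeats a few of the page's own question lines.

```shell
#!/bin/sh
# Added example (not from the book): extract option names, defaults and allowed
# answers from Linux 2.0 "make config" question lines. The sample repeats
# question lines from the page; no other data is assumed.

QUESTIONS='Network firewalls (CONFIG_FIREWALL) [N/y/?]
TCP/IP networking (CONFIG_INET) [Y/n/?]
IP: forwarding/gatewaying (CONFIG_IP_FORWARD) [N/y/?]
IP: Reverse ARP (CONFIG_INET_RARP) [N/y/m/?]
IP: Disable Path MTU Discovery (normally enabled)
(CONFIG_NO_PATH_MTU_DISCOVERY) [N/y/?]
IP: Drop source routed frames (CONFIG_IP_NOSR) [Y/n/?]
PPP (point-to-point) support (CONFIG_PPP) [Y/m/n/?]'

# parse_questions TEXT: print "OPTION DEFAULT CHOICES" for every line that ends
# in "(CONFIG_X) [a/b/.../?]". The uppercase letter is the default; CHOICES is
# the lowercased set of allowed answers without the trailing "?".
parse_questions() {
    printf '%s\n' "$1" \
      | sed -n 's|.*(\(CONFIG_[A-Z0-9_]*\)) \[\([A-Za-z/]*\)/?].*|\1 \2|p' \
      | awk '{
            n = split($2, c, "/"); def = ""; choices = ""
            for (i = 1; i <= n; i++) {
                if (c[i] ~ /^[A-Z]$/) def = c[i]
                choices = choices tolower(c[i])
            }
            print $1, def, choices
        }'
}

# config_default TEXT OPTION: print the default answer (Y or N) for one option.
config_default() {
    parse_questions "$1" | awk -v o="$2" '$1 == o { print $2; exit }'
}

# module_capable TEXT OPTION: succeed when the option may be built as a module.
module_capable() {
    parse_questions "$1" | awk -v o="$2" \
        '$1 == o { found = 1; m = index($3, "m") } END { exit (found && m ? 0 : 1) }'
}

# enabled_by_default TEXT: options that a default run of make config turns on.
enabled_by_default() {
    parse_questions "$1" | awk '$2 == "Y" { print $1 }'
}

parse_questions "$QUESTIONS"
echo "Enabled by default: $(enabled_by_default "$QUESTIONS" | tr '\n' ' ')"
echo "IP forwarding default: $(config_default "$QUESTIONS" CONFIG_IP_FORWARD)"
```

On the sample, CONFIG_IP_FORWARD defaults to N and CONFIG_IP_NOSR to Y, which matches the conservative defaults a host should keep: no forwarding, and source-routed frames dropped.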
Each configuration option is either enabled by entering a "y" for "yes", or disabled with an "n" for "no". "m" for
"module" is an alternative method for enabling some features. Features that are available as dynamically
loadable modules list "m" as a possible response. If "m" is selected, the dynamically loadable module is loaded
the first time a call is made to the kernel that requires the module. If "y" is selected for a feature, the code that
supports that feature is compiled directly into the kernel. The default setting of each option is indicated by the
uppercase letter in the square brackets at the end of the option line. For example, [Y,n] indicates an option that
is enabled by default. Here, we list each option and its purpose:
CONFIG_FIREWALL
Adds the kernel support necessary to make this system a firewall. Enable this only if the Linux system
will be your firewall. The full firewall installation requires additional software outside the kernel. See
Chapter 12, Network Security, for a discussion of firewalls. [3]
[3] Building a firewall is beyond the scope of this book. See Building Internet Firewalls, by
Brent Chapman and Elizabeth Zwicky (O'Reilly & Associates), for a full treatment of the subject.
CONFIG_NET_ALIAS
Adds the kernel support necessary for address translation. Use this feature only if you have a private
internal network number and a different network address for external communications. If you do,
internal addresses must be translated to valid external addresses whenever connections are made to the
outside world, but it is likely that the translation will be done by your router or firewall. You should
select "yes" only in the rare circumstance that the Linux box must do the translation; otherwise, select