[Chapter 5] 5.3 The BSD Kernel Configuration File

[Chapter 5] 5.3 The BSD Kernel Configuration File



The options statement tells the kernel to compile a software option into the system. The options statement

that is most important to TCP/IP is:

options INET



# basic networking support--mandatory



Every BSD-based system running TCP/IP has an options INET statement in its kernel configuration file.

The statement produces a -DINET argument for the C complier, which in turn causes the IP, ICMP, TCP,

UDP, and ARP modules to be compiled into the kernel. This single statement incorporates the basic

transport and IP datagram services into the system. Never remove this statement from the configuration file.

There are several other options statements in addition to the required INET option. Some of these perform

functions identical to features we have already seen in the Linux configuration. A few have no direct

parallels in the Linux configuration.

options GATEWAY



# internetwork gateway



The GATEWAY option determines whether the system forwards IP datagrams destined for another

computer. When this option is selected, the system forwards datagrams if it has more than one network

interface; i.e., the system is assumed to be a gateway. You don't need GATEWAY on a system with a single

network interface. Hosts - systems with one network interface - do not forward the packets of other systems,

because this would hide configuration problems on other systems on the network. If the other systems are

incorrectly delivering datagrams to a host, forwarding the datagrams makes it appear as if they were

correctly addressed and makes it difficult to detect the real problem. On occasion, you might even want to

force a system that has multiple network interfaces not to forward datagrams by commenting options

GATEWAY out of your configuration. This is useful for preventing a multi-homed host (a host with two

network interfaces) from acting as a gateway.

options IPFIREWALL



# firewall



The IPFIREWALL option prepares the system to act as a firewall. The full firewall implementation requires

application software and other tools. However, certain functions of a firewall, such as address filtering, must

be implemented in the kernel. This option requests those kernel-level services. A variant of this option is

IPFIREWALL_VERBOSE, which enables the same basic kernel services with enhanced error reporting.

The enhanced errors can be useful for detecting intrusions, but they increase the size of the kernel.

options MROUTING



# Multicast routing



The MROUTING option adds multicast routing support to the kernel. A multicast kernel is necessary for the

system to be able to interpret multicast addresses and for the system to support multicast applications like

MBONE and Internet Talk Radio.

options IPACCT



# ipaccounting



The IPACCT option adds additional code and counters that keep track of network usage, which is helpful for

billing purposes.

options ARP_PROXYALL



# global proxy ARP



file:///C|/mynapster/Downloads/warez/tcpip/ch05_03.htm (2 of 6) [2001-10-15 09:17:54]



[Chapter 5] 5.3 The BSD Kernel Configuration File



The ARP_PROXYALL option turns the system into a proxy ARP server. The Address Resolution Protocol

(ARP) is discussed in Chapter 2, Delivering the Data. Proxy ARP is a variant on the standard protocol in

which a server answers the ARP request for its clients. Here's how it works. Host A sends out an ARP

request for the Ethernet address of host B. The proxy ARP server, C, hears the request and sends an ARP

response back to A claiming that C's Ethernet address is the address of host B. A then sends traffic intended

for B to C because it uses C's Ethernet address. C is therefore responsible for forwarding the traffic on to B.

The proxy ARP server is usually a router and proxy ARP is used as a means of forwarding traffic between

systems that cannot use normal routing for that traffic.

In Chapter 2, we saw how a system can act as a proxy ARP server for individual addresses using the publish

option on the arp command. The ARP_PROXYALL kernel option creates a server for all addresses; not just

for individual addresses configured in the ARP table.

options "TCP_COMPAT_42"



# emulate 4.2BSD TCP bugs



This option prevents connections between 4.2 and FreeBSD systems from hanging by adjusting FreeBSD to

ignore mistakes made by 4.2. This parameter also disables UDP checksum calculations. The UDP checksum

calculation in BSD 4.2 was incorrect, so when a host receives a UDP packet from a system running 4.2, it

causes a checksum error. This parameter tells the system to ignore these errors. In addition, setting this

parameter prevents the system from sending TCP Sequence Numbers that are interpreted as negative

numbers by 4.2 systems. With this option, the initial sequence number will be set to zero for each

connection. Forcing sequence numbers to zero is a potential security problem because it allows an intruder

to guess the sequence number and to interject bogus packets into a TCP stream. For this reason, avoid using

this parameter unless you must.

5.3.1.2 Pseudo-device

The second statement required by TCP/IP in all BSD configurations is a pseudo-device statement. A pseudodevice is a device driver not directly associated with an actual piece of hardware. The pseudo-device

statement creates a header (.h) file that is identified by the pseudo-device name in the kernel directory. For

example, the statement shown below creates the file loop.h:

pseudo-device



loop



# loopback network--mandatory



The loop pseudo-device is necessary to create the loopback device (lo0). This device is associated with the

loopback address 127.0.0.1; it is defined as a pseudo-device because it is not really a piece of hardware.

Another pseudo-device that is used on many FreeBSD TCP/IP systems is:

pseudo-device



ether



# basic Ethernet support



This statement is necessary to support Ethernet. The ether pseudo-device is required for full support of ARP

and other Ethernet specific functions. While it is possible that a system that does not have Ethernet may not

require this statement, it is usually configured, and should remain in your kernel configuration.

The pseudo-terminals, or ptys, are other pseudo-devices that are universally configured:

file:///C|/mynapster/Downloads/warez/tcpip/ch05_03.htm (3 of 6) [2001-10-15 09:17:54]



[Chapter 5] 5.3 The BSD Kernel Configuration File



pseudo-device



pty



16



# pseudo-tty's



This statement defines the virtual terminal devices used by remote login services such as rlogin and telnet.

Pseudo-terminals are also used by many other applications, such as Emacs, that have no direct connection to

TCP/IP networking. The number, 16 in the example, is the number of ptys created by the kernel. The

maximum on a FreeBSD system is 64.

Other commonly configured pseudo-devices are those that support SLIP and PPP.

pseudo-device



sl



2



# Serial Line IP



This statement defines the interface for the Serial Line IP protocol. The number, 2 in the example, defines

the number of SLIP pseudo-devices created by the kernel. The two devices created here would be addressed

as device sl0 and sl1.

pseudo-device



ppp



2



# Point-to-point protocol



The ppp pseudo-device is the interface for the Point-to-Point Protocol. The number, 2 in the example,

defines the number of PPP pseudo-devices created by the kernel. The two devices created here would be

addressed as device ppp0 and ppp1. Two other pseudo-devices directly related to PPP are shown next.

pseudo-device

pseudo-device



sppp

tun



1



# Generic synchronous PPP

# Tunnel driver(user process ppp)



The sppp statement adds support for synchronous PPP data link-layer protocols. Normally, PPP runs over a

dial-up line using an asynchronous link protocol. Asynchronous modems are the common modems all of us

have on our home computers. Synchronous modems and synchronous link protocols are used on leased

lines.

The tun pseudo-device is a tunnel driver used by user-level PPP software. Tunneling is when a system

passes one protocol through another protocol; tun is a FreeBSD feature for doing this over PPP links. The

number, 1 in the example, is the number of tunnels that will be supported by this kernel.

The last three pseudo-devices are less frequently used.

pseudo-device

pseudo-device

pseudo-device



fddi

bpfilter

disc



4



# Generic FDDI

# Berkeley packet filter

# Discard device



The fddi statement adds support for the Fiber Digital Data Interface (FDDI) to the kernel. FDDI is a local

area network standard for transmitting data at 100M bps over fiber-optic cable.

The bpfilter statement adds the support necessary for capturing packets. Capturing packets is an essential

part of protocol analyzers; see Chapter 11, Troubleshooting TCP/IP . When the bpfilter statement is included

in the BSD kernel, the Ethernet interface can be placed into "promiscuous mode". [6] An interface in

promiscuous mode passes all packets, not just those addressed to the local system, up to the software at the

next layer. This feature is useful for a system administrator troubleshooting a network. But it can also be

file:///C|/mynapster/Downloads/warez/tcpip/ch05_03.htm (4 of 6) [2001-10-15 09:17:54]



[Chapter 5] 5.3 The BSD Kernel Configuration File



used by intruders to steal passwords and compromise security. Use the bpfilter pseudo-device only if you

really need it. The number, 4 in the example, indicates the maximum number of Ethernet interfaces that can

be monitored by bpfilter.

[6] This assumes that the Ethernet hardware is capable of functioning in promiscuous mode.

Not all Ethernet boards support this feature.

The final network pseudo-device is disc. It discards all data that it receives. This device is used only for

testing.

5.3.1.3 Devices

Real hardware devices are defined using the device statement. Every host attached to a TCP/IP network

requires some physical hardware for that attachment. The hardware is declared with a device statement in

the kernel configuration file. There are many possible network interfaces for TCP/IP, but the most common

are Ethernet interfaces.

Table 5.1 lists the Ethernet device drivers available with FreeeBSD 2.1.5.

Table 5.1: Ethernet Cards Supported by FreeBSD

Device Description

de0

DEC DC21040 PCI adapter

ed0

Western Digital SMC 80xx, Novell NE1000/2000, 3COM 3C503

eg0

3COM 3C505

el0

3COM 3C501

ep0

3COM 3C509

fe0

Fujitsu MB86960A/MB86965A

ie0

AT&T StarLAN 10 & EN100, 3COM 3C507, N15210

ix0

Intel EtherExpress 16

le0

DEC EtherWorks 2 and EtherWorks3

lnc0 Isolan, Novell NE2100 and NE32-VL

ze0

IBM/National Semiconductor PCMCIA adapter

zp0

3COM Etherlink III PCMICA adapter

A sample device statement shows the general format of the commands used to configure an Ethernet

interface in the FreeBSD kernel:

device ed0 at isa? port 0x280 net irq 5 iomem 0xd8000 vector edintr

device de0

Note that the ed0 device statement defines the bus type (isa), the I/O base address (port 0x280), the interrupt

number (irq 5) and the memory address (iomem 0xd8000). These values should match the values configured

on the adapter card. All of these are standard items for configuring PC hardware. [7] On the other hand, the

de0 device statement requires very little configuration because it configures a card attached to the PCI bus.

file:///C|/mynapster/Downloads/warez/tcpip/ch05_03.htm (5 of 6) [2001-10-15 09:17:54]



[Chapter 5] 5.3 The BSD Kernel Configuration File



The PCI is an intelligent bus that can determine the configuration directly from the hardware.

[7] See Networking Personal Computers with TCP/IP, by Craig Hunt (O'Reilly & Associates),

for details about PC hardware configuration.

Ethernet is not the only TCP/IP network interface supported by FreeBSD. It supports an experimental ISDN

interface as well as the DEC FDDI adapter. More widely used than these are the serial line interfaces

necessary for SLIP and PPP.

device

device

device

device



sio0

sio1

sio2

sio3



at

at

at

at



isa?

isa?

isa?

isa?



port

port

port

port



"IO_COM1"

"IO_COM2"

"IO_COM3"

"IO_COM4"



tty

tty

tty

tty



irq

irq

irq

irq



4

3

5

9



vector

vector

vector

vector



siointr

siointr

siointr

siointr



The four serial interfaces, sio0 through sio3, correspond to the MS-DOS interfaces COM1 to COM4. These

are needed for SLIP and PPP. Chapter 6 covers other aspects of configuring PPP and SLIP.

The device statement varies according to the interface being configured. But how do you know which

hardware interfaces are installed in your system? Remember that the GENERIC kernel that comes with your

FreeBSD system is configured for a large number of devices. A simple way to tell which hardware interfaces

are installed in your system is to look at the messages displayed on the console at boot time. These messages

show all of the devices, including network devices, that the kernel found during initialization. Look at the

output of the dmesg command. It displays a copy of the console messages generated during the last boot.

The options, pseudo-device, and device statements found in the kernel configuration file tell the system to

include the TCP/IP hardware and software in the kernel. The statements in your configuration may vary

somewhat from those shown in the previous examples. But you have the same basic statements in your

kernel configuration file. With these basic statements, FreeBSD UNIX is ready to run TCP/IP.

You will probably never change any of the variables discussed in this section. Like everything else in the

kernel configuration file, they usually come correctly configured to run TCP/IP.



Previous: 5.2 Linux Kernel

Configuration

5.2 Linux Kernel

Configuration



TCP/IP Network

Administration

Book Index



Next: 5.4 The Internet

Daemon

5.4 The Internet Daemon



[ Library Home | DNS & BIND | TCP/IP | sendmail | sendmail Reference | Firewalls | Practical Security ]



file:///C|/mynapster/Downloads/warez/tcpip/ch05_03.htm (6 of 6) [2001-10-15 09:17:54]



[Chapter 5] 5.2 Linux Kernel Configuration



Previous: 5.1 Kernel

Configuration



Chapter 5

Basic Configuration



Next: 5.3 The BSD Kernel

Configuration File



5.2 Linux Kernel Configuration

The Linux kernel is a C program compiled and installed by make. The make config command customizes the

kernel configuration and generates the files (including the Makefile) needed to compile and link the kernel. On

Linux systems, the kernel source directory is /usr/src/linux. To start the configuration process, change to the

source directory and run make config:

# cd /usr/src/linux

# make config

The make config command asks many questions about your system configuration. Some of these are directly

related to network configuration. The first network configuration question is:

Networking support (CONFIG_NET) [Y/n/?]

Answer "yes" (y), which is the default. Networking support is necessary for all of the TCP/IP networking

features that we will request later in the configuration. Even if you don't run TCP/IP, you should answer "yes"

to this question. Basic network support is essential to many services.

The make config command asks several more general configuration questions before returning to the topic of

networking. When it does, it has many networking questions to ask. The example below is an excerpt from the

actual configuration of the Linux 2.0 kernel on a Slackware 96 system. [2]

[2] The configuration questions change with every new kernel. Refer to your system's

documentation for the latest information.

Network firewalls (CONFIG_FIREWALL) [N/y/?]

Network aliasing (CONFIG_NET_ALIAS) [N/y/?]

TCP/IP networking (CONFIG_INET) [Y/n/?]

IP: forwarding/gatewaying (CONFIG_IP_FORWARD) [N/y/?]

IP: multicasting (CONFIG_IP_MULTICAST) [N/y/?]

IP: accounting (CONFIG_IP_ACCT) [N/y/?]

IP: PC/TCP compatibility mode (CONFIG_INET_PCTCP) [N/y/?]

IP: Reverse ARP (CONFIG_INET_RARP) [N/y/m/?]

IP: Disable Path MTU Discovery (normally enabled)

(CONFIG_NO_PATH_MTU_DISCOVERY) [N/y/?]

IP: Drop source routed frames (CONFIG_IP_NOSR) [Y/n/?]

IP: Allow large windows (not recommended if <16Mb of memory)

(CONFIG_SKB_LARGE) [Y/n/?]

file:///C|/mynapster/Downloads/warez/tcpip/ch05_02.htm (1 of 5) [2001-10-15 09:17:55]



[Chapter 5] 5.2 Linux Kernel Configuration



Network device support (CONFIG_NETDEVICES) [Y/n/?]

Dummy net driver support (CONFIG_DUMMY) [N/y/m/?]

EQL (serial line load balancing) support (CONFIG_EQUALIZER) [N/y/m/?]

PLIP (parallel port) support (CONFIG_PLIP) [N/y/m/?]

PPP (point-to-point) support (CONFIG_PPP) [Y/m/n/?]

SLIP (serial line) support (CONFIG_SLIP) [Y/m/n/?]

CSLIP compressed headers (CONFIG_SLIP_COMPRESSED) [Y/n/?]

Keepalive and linefill (CONFIG_SLIP_SMART) [N/y/?]

Six bit SLIP encapsulation (CONFIG_SLIP_MODE_SLIP6) [N/y/?]

Radio network interfaces (CONFIG_NET_RADIO) [N/y/?]

Ethernet (10 or 100Mbit) (CONFIG_NET_ETHERNET) [Y/n/?]

3COM cards (CONFIG_NET_VENDOR_3COM) [Y/n/?]

3c501 support (CONFIG_EL1) [N/y/m/?]

3c503 support (CONFIG_EL2) [N/y/m/?]

3c509/3c579 support (CONFIG_EL3) [Y/m/n/?]

3c590 series (592/595/597) "Vortex" support (CONFIG_VORTEX) [N/y/m/?]

AMD LANCE and PCnet (AT1500 and NE2100) support (CONFIG_LANCE) [N/y/?]

Western Digital/SMC cards (CONFIG_NET_VENDOR_SMC) [N/y/?]

Other ISA cards (CONFIG_NET_ISA) [N/y/?]

EISA, VLB, PCI and on board controllers (CONFIG_NET_EISA) [N/y/?]

Pocket and portable adaptors (CONFIG_NET_POCKET) [N/y/?]

Token Ring driver support (CONFIG_TR) [N/y/?]

ARCnet support (CONFIG_ARCNET) [N/y/m/?]

ISDN support (CONFIG_ISDN) [N/y/m/?]

Each configuration option is either enabled by entering a "y" for "yes", or disabled with an "n" for "no". "m" for

"module" is an alternative method for enabling some features. Features that are available as dynamically

loadable modules list "m" as a possible response. If "m" is selected, the dynamically loadable module is loaded

the first time a call is made to the kernel that requires the module. If "y" is selected for a feature, the code that

supports that feature is compiled directly into the kernel. The default setting of each option is indicated by the

uppercase letter in the square brackets at the end of the option line. For example, [Y,n] indicates an option that

is enabled by default. Here, we list each option and its purpose:

CONFIG_FIREWALL

Adds the kernel support necessary to make this system a firewall. Enable this only if the Linux system

will be your firewall. The full firewall installation requires additional software outside the kernel. See

Chapter 12, Network Security , for a discussion of firewalls. [3]

[3] Building a firewall is beyond the scope of this book. See Building Internet Firewalls, by

Brent Chapman and Elizabeth Zwicky (O'Reilly & Associates), for a full treatment of the subject.

CONFIG_NET_ALIAS

Adds the kernel support necessary for address translation. Use this feature only if you have a private

internal network number and a different network address for external communications. If you do,

internal addresses must be translated to valid external addresses whenever connections are made to the

outside world, but it is likely that the translation will be done by your router or firewall. You should

select "yes" only in the rare circumstance that the Linux box must do the translation; otherwise, select



file:///C|/mynapster/Downloads/warez/tcpip/ch05_02.htm (2 of 5) [2001-10-15 09:17:55]