This book is a guide to FreeBSD for network administrators; therefore it does not cover basic installation and configuration of FreeBSD, but is about using FreeBSD to build, secure, and maintain networks.
After introducing the basic tools for monitoring the performance and security of the system the book moves on to cover using jails, FreeBSD virtual environments, to virtually run multiple instances of FreeBSD on the same hardware. Then it shows how to overcome the different bottlenecks that you may meet depending on the services you are running by tweaking different parameters to maintain a high performance from your FreeBSD server. Next it covers using the ifconfig utility to configure interfaces with different layer protocols and about connectivity testing and debugging tools. After covering using User PPP or Kernel PPP for Point-to-Point Protocol network configuration it explains basic IP forwarding in FreeBSD and the use of the built-in routing daemons, routed and route6d, which support RIPv1, RIPv2, RIPng, and RDISC. Next it covers the OpenOSPFD and OpenBGPD daemons that you can install to run OSPF and BGP on your host. Then it covers setup and configuration of IPFW and PF, and finally looks at some important internet services and how to set them up on your FreeBSD server.
The book is a guide for network admins who want to extract the full potential of FreeBSD. Security, one of the everlasting concerns of the IT industry, can be tackled very effectively in FreeBSD. How do you do it? Read the book and find out. You can then move on to learn the intricacies of FreeBSD, tweaking a few parameters to make the network suit your environment.
This book first covers the basics on each topic clearly and then gives examples, so that you understand the topic clearly and can work on it independently after you have worked through the book.
This book is for Network Administrators who would like to work with FreeBSD and are looking for skills beyond installation and configuration of FreeBSD.
Page count: 364
Year of publication: 2008
Copyright © 2008 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, Packt Publishing, nor its dealers or distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: April 2008
Production Reference: 1070408
Published by Packt Publishing Ltd.
32 Lincoln Road
Olton
Birmingham, B27 6PA, UK.
ISBN 978-1-847192-64-6
www.packtpub.com
Cover Image by Nilesh Mohite (<[email protected]>)
Author
Babak Farrokhi
Reviewer
Roman Bogorodskiy
Acquisition Editor
Rashmi Phadnis
Technical Editor
Della Pradeep
Editorial Team Leader
Mithil Kulkarni
Project Manager
Abhijeet Deobhakta
Project Coordinator
Abhijeet Deobhakta
Indexer
Hemangini Bari
Proofreader
Nina Hasso
Production Coordinator
Aparna Bhagat
Cover Work
Aparna Bhagat
Babak Farrokhi is an experienced UNIX system administrator and Network Engineer who worked for 12 years in the IT industry in carrier-level network service providers. He discovered FreeBSD around 1997 and since then he has been using it on a daily basis. He is also an experienced Solaris administrator and has extensive experience in TCP/IP networks.
In his spare time, he contributes to the open source community and develops his skills to keep himself at the cutting edge.
You may contact Babak at <[email protected]> and his personal website at http://farrokhi.net/
I would like to thank my wife, Hana, for being the source of inspiration in my life. Without her support and patience I could not finish this project.
Next I'd like to thank the Technical Reviewer of the book, Roman Bogorodskiy (<[email protected]>) for his thorough review, great suggestions, and excellent notes that helped me to come up with the chapters even better.
I also want to thank PACKT and everyone I worked with, Priyanka Baruah, Abhijeet Deobhakta, Rashmi Phadnis, Patricia Weir, Della Pradeep and others for their patience and cooperation. Without their help I could not turn my scattered notes into a professional looking book.
Roman Bogorodskiy lives in Saratov, Russia. He is a student of the Mechanics and Mathematics faculty at Saratov State University. At the time of writing, he was working on a diploma project. He works as a Software Engineer at one of the biggest ISPs in his hometown. He takes part in various open source projects and got his FreeBSD commit bit back in 2005.
This book is meant to help network administrators understand how FreeBSD can simplify the tasks of network administration and troubleshooting, as well as running various services on top of the FreeBSD 7 operating system. FreeBSD is a proven operating system for networked environments, and FreeBSD 7 offers superior performance for running network services, as well as great flexibility to integrate into any network running IPv4, IPv6, or any other popular network protocol.
This book is divided into three segments—system configuration, network configuration, and network services.
The first segment of the book covers system configuration topics and talks about different aspects of system configuration and management, including disks management, patching and keeping the system up to date, managing software packages, system management and monitoring, jails and virtualization, and general improvements to system performance.
The second segment of the book enters the networking world by introducing basic network configuration in FreeBSD: network interface configuration for different layer 3 protocols, tunnelling protocols, PPP over serial and Ethernet, and IPv6. This segment also looks into bridging and routing in FreeBSD using various third-party software. At the end, there is an introduction to the various firewall packages in FreeBSD and details on how to configure them.
The third segment of the book deals with the daemons and network services that can be run on top of FreeBSD, including local network services such as DHCP, TFTP, NFS, and SMB, as well as Internet services such as DNS, Web, Mail, FTP, and NTP.
Chapter 1 looks into FreeBSD file system and disk I/O from a performance point of view. Several methods to optimize the I/O performance on a FreeBSD host are discussed in this chapter.
Chapter 2 discusses several methods and tools to keep a FreeBSD system up-to-date, including CVSUP to update source and ports tree and also customizing and updating system kernel and rebuilding the whole system from source.
Chapter 3 introduces FreeBSD ports collection, packages, and different methods to install, remove, or upgrade software packages on FreeBSD.
Chapter 4 covers basic information about daemons, processes, and how to manage them. You will also get familiar with various system tools to monitor and control process behavior and manage system resources efficiently.
Chapter 5 discusses virtualization in FreeBSD and introduces Jails from the ground up. This chapter covers creating and maintaining Jails and scenarios in which you can benefit from these built-in virtualization facilities in FreeBSD.
Chapter 6 discusses performance tuning from different perspectives, including Disk I/O and Network, and how to get the most out of the modern hardware and multi-processor systems. It discusses various tweaks that can make your FreeBSD system perform much faster and more smoothly.
Chapter 7 deals with network configuration in FreeBSD in general, focusing mostly on network interface configuration for different network protocols such as IPv4, IPv6, IPX and AppleTalk. It also deals with basic network configuration and related configuration files and finally introduces some network management and testing tools.
Chapter 8 discusses tunneling in general and introduces various tunneling protocols, and mostly concentrates on GRE and IPSec tunneling.
Chapter 9 covers PPP configuration in FreeBSD including PPP over Ethernet protocol as both client and server.
Chapter 10 has a closer look at routing and bridging in FreeBSD using built-in bridging features and also different routing protocols including OSPF and BGP using third-party software.
Chapter 11 concentrates on IPv6 implementation in FreeBSD and gives more detail on interface configuration, routing IPv6 using RIP6, Multicast routing, and Tunneling protocols.
Chapter 12 introduces IPFW and PF tools for packet filtering and network address translation as well as traffic management on FreeBSD.
Chapter 13 has a quick look at various important protocols such as SSH, NTP, DNS, FTP, Mail, Web, and Proxying. It also introduces different pieces of software that you can use to set up these services on a FreeBSD host.
Chapter 14 looks into some network protocols that are mostly used inside an autonomous system or inside a datacenter or a local network, such as DHCP, TFTP, NFS, SMB, SNMP, NIS and Printing and introduces various pieces of software and setting them up on a FreeBSD host.
Basically you need a host running FreeBSD 7 connected to your network. Your host can be any hardware platform that FreeBSD supports, including i386, sparc64, amd64, ia64, powerpc or pc98. You should download relevant FreeBSD installation CD images from FreeBSD project's FTP server at ftp://ftp.freebsd.org/pub/
There you will find ISO images for various platforms under different subdirectories (e.g. "ISO-IMAGES-i386" directory contains i386 platform ISO images). For a basic installation, the ISO image for first CD will suffice.
Once you have installed FreeBSD, you should also configure your network parameters to get connected to your existing network. This can be done during installation or later by modifying the /etc/rc.conf configuration file (covered in Chapter 7).
For Network Administrators who would like to work with FreeBSD and are looking for skills beyond Installation and configuration of FreeBSD.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
There are three styles for code. Code words in text are shown as follows: "And finally, check the system's swap status using the following swapinfo(8) command."
A block of code will be set as follows:
When we wish to draw your attention to a particular part of a code block, the relevant lines or items will be made bold:
Any command-line input and output is written as follows:
New terms and important words are introduced in a bold-type font. Words that you see on the screen, in menus or dialog boxes for example, appear in our text like this: "Note that either the userquota or the groupquota can be specified for each partition in the Options column.".
Important notes appear in a box like this.
Tips and tricks appear like this.
Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply drop an email to <[email protected]>, making sure to mention the book title in the subject of your message.
If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or email <[email protected]>.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you get the most from your purchase.
Although we have taken every care to ensure the accuracy of our contents, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in text or code—we would be grateful if you would report this to us. By doing this you can save other readers from frustration, and help to improve subsequent versions of this book. If you find any errata, report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the Submit Errata link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata are added to the list of existing errata. The existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.
Disk I/O is one of the most important bottlenecks in a server's performance. The default disk configuration in every operating system is designed to fit general usage; however, you may need to reconfigure the disks for your specific workload to get the best performance. This includes spreading partitions over multiple disks, choosing the right partition size for a specific usage, and fine-tuning the swap size. This chapter discusses how to choose partition sizes and tune the file system to gain better performance on your FreeBSD servers.
In this chapter, we will look into the following:
When it comes to creating the disk layout during installation, most system administrators choose the default (system-recommended) settings, or create a single root partition that contains the whole file system hierarchy.
However, while the recommended settings work for most simple configurations and desktop use, they may not fit your special needs. For example, if you are deploying a mail exchanger or a print server, you may need a /var partition bigger than the recommended size.
By default, the FreeBSD installer recommends creating five separate partitions, as shown in the following table:
Partition | Size (minimum) | Size (maximum) | Description
Swap | RAM size / 8 | 2 * RAM size | The swap partition is recommended to be two or three times the size of the physical RAM. If you have multiple disks, you may want to create swap on a separate disk, as with the other partitions.
/ | 256 MB | 512 MB | The root file system contains your FreeBSD installation. All other partitions (except swap) are mounted under the root partition.
/tmp | 128 MB | 512 MB | Temporary files are placed in this partition. It can be created either on disk or in RAM for faster access. Files under this partition are not guaranteed to survive a reboot.
/var | 128 MB | 1 GB + RAM size | This partition contains files that are constantly "varying": log files, mailboxes, print spool files, and other administrative files. Creating this partition on a separate disk is recommended for busy servers.
/usr | 1536 MB | Rest of disk | All other files, including home directories and user-installed applications, are placed under this partition.
These values could change in further releases. It is recommended that you refer to the release notes of the version you are using, for more accurate information.
FreeBSD disklabel editor with automatically created partitions is shown in the following screenshots:
Depending on your system's I/O load, partitions can be placed on different physical disks. The benefit of this placement is better I/O performance, especially for the /var and /tmp partitions. You can also create /tmp in RAM by setting the tmpmfs variable in the /etc/rc.conf file. An example of such a configuration would look like this:
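The rc.conf listing referred to above is not reproduced on this page. The two lines below are an added example (not the book's own listing) using the tmpmfs and tmpsize variables documented in rc.conf(5); the 128 MB size is the one the text describes.

```sh
# /etc/rc.conf (added example): put /tmp on an md(4) memory disk at boot
tmpmfs="YES"      # create /tmp as a memory file system
tmpsize="128m"    # size of the md(4) device backing /tmp
```

After the next boot, `mount` should list an md device on /tmp. Keep in mind that everything under /tmp vanishes at reboot, so nothing that must persist should be written there.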
This mounts a 128 MB memory-backed file system on /tmp using the md(4) driver, so that access to /tmp is dramatically faster, especially for programs that constantly read and write temporary data in the /tmp directory.
Swap space is a very important part of the virtual memory system. Despite the fact that most servers are equipped with enough physical memory, having enough swap space is still very important for servers with high and unexpected loads. It is recommended that you distribute swap partitions across multiple physical disks or create the swap partition on a separate disk, to gain better performance. FreeBSD automatically uses multiple swap partitions (if available) in a round-robin fashion.
When installing a new FreeBSD system, you can use the disklabel editor to create appropriate swap partitions. Creating a swap partition that is double the size of the installed physical memory is a good rule of thumb.
Using swapinfo(8) and pstat(8) commands, you can review your current swap configuration and status. The swapinfo(8) command displays the system's current swap statistics as follows:
The pstat(8) command has more capabilities than swapinfo(8) and can also show the sizes of various system tables under different load conditions. This is shown in the following command line:
There are times when your system runs out of swap space and you need to add more for the system to run smoothly. You have three options, as shown in the following list:
Adding swap on a new physical hard disk will give better I/O performance, but it requires you to take the server offline for adding new hardware. Once you have installed a new hard disk, you should launch FreeBSD's disklabel editor and create appropriate partitions on the newly installed hard disk.
To invoke the sysinstall's disklabel editor from the command line use sysinstall diskLabelEditor command.
If, for any reason, you cannot add new hardware to your server, you can still create a swap file of the desired size on an existing file system and add it as swap space. First, check where you have enough space to create the swap file, as shown below:
Then create a swap file where you have enough space using the following command line:
In the above example, I created a 256 MB empty file (256 blocks of 1024 KB) named swap0 in the root directory of the file system. Also remember to set the correct permissions on the file: only the root user should have read/write access to it, since the swap file will hold the contents of memory. This is done using the following command lines:
Then add the following swapfile variable in the /etc/rc.conf file to enable swap file on boot time:
To make the new swap file active immediately, you must configure an md(4) device manually. First, check whether any md(4) devices are already configured, using the mdconfig(8) command as shown below:
Then configure md(4) device as shown here:
You can also verify the new md(4) node as follows:
Note that the -u flag of mdconfig(8) takes the unit number of the md node (in this case, 1). To enable the swap file, use the swapon(8) command with the appropriate md(4) device, as shown here:
And finally, check the system's swap status using the following swapinfo(8) command:
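The command listings for the swap-file procedure above are not reproduced on this page. The script below is an added example (not the book's own listing) that carries out the same steps with the chapter's values: a 256 MB file /swap0, md unit 1, and the rc.conf(5) swapfile variable. The df-parsing and unit-validation helpers are additions here so the checks can be exercised offline; the dd, mdconfig, swapon and swapinfo steps only run as root on a FreeBSD host when the script is invoked with the argument `run`.

```sh
#!/bin/sh
# Added example (not the book's listing): create a swap file, register it
# in rc.conf(5), and activate it right away through an md(4) vnode device.
# /swap0, 256 MB and md unit 1 are the values the chapter uses.

SWAPFILE=${SWAPFILE:-/swap0}
SIZE_MB=${SIZE_MB:-256}     # dd writes SIZE_MB blocks of 1024k
MD_UNIT=${MD_UNIT:-1}       # unit number for mdconfig -u

# Extract the "Avail" column (1K blocks) from the output of `df -k <dir>`.
# The df text is an argument so the parsing can be checked offline.
avail_kb_from_df() {
    printf '%s\n' "$1" | awk 'NR > 1 { avail = $4 } END { print avail + 0 }'
}

# Succeed when the file system holding $1 has room for $2 MB.
has_space_for() {
    avail=$(avail_kb_from_df "$(df -k "$1")")
    [ "$avail" -gt $(( $2 * 1024 )) ]
}

# Accept only a non-negative integer as the md unit number.
valid_md_unit() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

create_swapfile() {
    has_space_for "$(dirname "$SWAPFILE")" "$SIZE_MB" || {
        echo "not enough space for ${SIZE_MB} MB at ${SWAPFILE}" >&2
        return 1
    }
    dd if=/dev/zero of="$SWAPFILE" bs=1024k count="$SIZE_MB"
    # Swap holds raw memory pages: nobody but root may read or write it.
    chmod 0600 "$SWAPFILE"
    # Have rc(8) activate the file on every boot.
    grep -q '^swapfile=' /etc/rc.conf ||
        printf 'swapfile="%s"\n' "$SWAPFILE" >> /etc/rc.conf
}

activate_swapfile() {
    valid_md_unit "$MD_UNIT" || { echo "bad md unit: $MD_UNIT" >&2; return 1; }
    mdconfig -l                                        # nodes already present
    mdconfig -a -t vnode -f "$SWAPFILE" -u "$MD_UNIT"  # attach file as md<unit>
    mdconfig -l -u "$MD_UNIT"                          # verify the new node
    swapon "/dev/md${MD_UNIT}"
    swapinfo -k                                        # new device should be listed
}

# Only perform the real work on a FreeBSD host, as root, when asked to.
if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" -eq 0 ] && [ "${1:-}" = run ]; then
    create_swapfile && activate_swapfile
fi
```

Run it as `sh add_swapfile.sh run` on the target host. The chmod step is the one that matters for security: a world-readable swap file lets any local user read whatever pages get swapped out, including credentials.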
Since swap space holds pages of memory, it may contain sensitive information such as cleartext passwords or keys. To prevent an intruder with access to the disk from extracting such data, you can encrypt your swap space.
FreeBSD 7 ships two GEOM-based disk encryption facilities, gbde(8) and geli(8). To encrypt the swap partition, append .eli (for geli) or .bde (for gbde) to the device name of the swap entry in the /etc/fstab file; the boot scripts then attach the device with a one-time random key, so no key management is needed and nothing written to swap survives a reboot in readable form. In the following example, the /etc/fstab file shows a swap partition encrypted using geli(8):
Then you have to reboot the system for the changes to take effect. You can verify the proper operation using the following swapinfo(8) command:
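The fstab listing itself is not reproduced on this page. As an added example (not the book's own code), the script below audits an fstab for swap entries that bypass geli or gbde and can rewrite plain swap devices to use the .eli suffix the text describes. The fstab text is passed in as an argument so the check runs offline; the device names in the test are constructed.

```sh
# Added example (not the book's listing): audit /etc/fstab for swap
# entries that bypass geli (.eli) and gbde (.bde).

# Print the device of every swap entry whose name lacks a .eli/.bde suffix.
unencrypted_swap() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 3 { next }                       # comments, blanks
        $3 == "swap" && $1 !~ /\.(eli|bde)$/ { print $1 }'
}

# Succeed when every swap entry in the fstab text is encrypted.
swap_is_encrypted() {
    [ -z "$(unencrypted_swap "$1")" ]
}

# Produce a copy of the fstab text with plain swap devices switched to geli.
# (Fields are re-joined with single spaces; alignment is cosmetic in fstab.)
geli_swap_lines() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { print; next }
        $3 == "swap" && $1 !~ /\.(eli|bde)$/ { $1 = $1 ".eli" }
        { print }'
}

# Report on the live file when one is readable (prints nothing if all good).
if [ -r /etc/fstab ]; then
    unencrypted_swap "$(cat /etc/fstab)"
fi
```

Running the script on a host prints each swap device still configured in the clear; an empty output means every swap entry already carries a .eli or .bde suffix. Apply the rewritten lines to /etc/fstab and reboot, then confirm with swapinfo that the listed device is the .eli one.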
Softupdates is a feature that increases disk access speed and decreases I/O by keeping file system metadata updates in memory and writing them to disk in an ordered, batched fashion. In file-intensive environments such as email servers, softupdates reduces disk I/O by 40% to 70%. While softupdates guarantees on-disk consistency, it is not recommended to enable it on the root partition.
The softupdates feature can be enabled during file system creation (using sysinstall's disklabel editor) or using tunefs(8) command on an already created file system.
The best time to enable softupdates is before the partitions are mounted, that is, in single-user mode.
The following example shows softupdates enabled partitions:
In the above example, softupdates is enabled on /tmp, /usr, and /var partitions, but not on the root partition. If you want to enable softupdates on the root partition, you may use the tunefs(8) command as shown in the following example:
Please note that you cannot enable or disable softupdates on an active partition (that is currently mounted partition). To do so, you should first unmount the partition or change it to read-only mode. In case you want to enable softupdates on root partition, it is recommended that you boot your system into single-user mode (in which your root partition is mounted as read-only) and then enable softupdates using the method mentioned in the above example.
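The mount and tunefs listings for this section are not reproduced on this page. As an added example (not the book's own code), the script below finds UFS file systems mounted without softupdates from the mount(8) listing, and wraps tunefs(8) in a guard that refuses to run against a device that is mounted read-write, which is the failure mode the text warns about. The mount listing is passed in as text so the check runs offline; the sample in the test is constructed.

```sh
# Added example (not the book's listing): list UFS file systems mounted
# without soft-updates, then enable it with tunefs(8) only when the
# device is not mounted read-write.

# Print "device mountpoint" for every ufs entry lacking soft-updates.
# mount(8) prints lines such as: /dev/ad0s1d on /usr (ufs, local, soft-updates)
ufs_without_softupdates() {
    printf '%s\n' "$1" | awk '
        $2 == "on" && $4 ~ /^\(ufs/ && $0 !~ /soft-updates/ { print $1, $3 }'
}

# Succeed when the device does not appear read-write in the mount listing.
not_mounted_rw() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $1 == dev && $0 !~ /read-only/ { rw = 1 }
        END { exit rw ? 1 : 0 }'
}

# Enable soft-updates; tunefs(8) refuses on a read-write mounted file system,
# so for / boot single-user (root is then mounted read-only) or umount first.
enable_softupdates() {
    if ! not_mounted_rw "$1" "$(mount)"; then
        echo "$1 is mounted read-write; umount it or boot single-user first" >&2
        return 1
    fi
    tunefs -n enable "$1"
}

if [ "$(uname -s)" = FreeBSD ]; then
    ufs_without_softupdates "$(mount)"
fi
```

In single-user mode, `enable_softupdates /dev/ad0s1a` performs the `tunefs -n enable` call on the read-only root; after returning to multi-user mode, `mount` shows soft-updates in the option list for that file system.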
A file system snapshot is a frozen image of a live file system. Snapshots are very useful when backing up volatile data such as mail storage on a busy mail server.
Snapshots are created under the file system that you are making snapshots from. Up to twenty snapshots can be created per file system.
The mksnap_ffs(8) command is used to create a snapshot from FFS partitions:
Alternatively, you can use the mount(8) command to do the same:
Now that you have created the snapshot, you can:
The fsck(8) command is used on a snapshot file to ensure the integrity of the snapshot before taking backups:
Remember the following, when working with snapshots:
You can also mount a snapshot as a read-only partition to view or extract its contents, using the mount(8) command. To mount a snapshot, you should first create an md(4) node as follows:
In the above case, the mdconfig(8) command has attached /var/snap1 to the first available md(4) node and returned the name of the created node. Now you can mount the md(4) node as a read-only file system:
And verify the operation using the mount(8) command:
To unmount the mounted snapshot, first use the umount(8) command, and then remove the md(4) node using mdconfig(8), as shown here:
Note that mdconfig(8) takes the unit number of the md(4) node (in this case, 2, for md2) via the -u parameter.
Finally, to remove a snapshot file, use rm(1) command. It may take a few seconds.
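The snapshot command listings above are not reproduced on this page. As an added example (not the book's own code), the script below takes a snapshot of /var with the mount -u -o snapshot form the text mentions, attaches it to an md(4) vnode device, mounts it read-only for inspection, and tears it down again. The snapshot path /var/snap1 and the mount point /mnt are assumptions; the unit-number extraction mirrors the note that mdconfig -d wants the bare number rather than the node name.

```sh
# Added example (not the book's listing): create a UFS snapshot of /var,
# mount it read-only through an md(4) vnode device, then tear it down.

FS=${FS:-/var}
SNAP=${SNAP:-/var/snap1}
MNT=${MNT:-/mnt}

# mdconfig -a prints the node it created (e.g. md2); mdconfig -d wants the
# bare unit number. Extract it, rejecting anything that is not md<N>.
md_unit() {
    case $1 in
        md[0-9]|md[0-9][0-9]|md[0-9][0-9][0-9]) printf '%s\n' "${1#md}" ;;
        *) echo "not an md node name: $1" >&2; return 1 ;;
    esac
}

# A snapshot file must live inside the file system being snapshotted.
snapshot_path_ok() {
    case $2 in
        "$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

take_snapshot() {
    snapshot_path_ok "$FS" "$SNAP" || { echo "$SNAP is not under $FS" >&2; return 1; }
    mount -u -o snapshot "$SNAP" "$FS"   # mksnap_ffs(8) does the same job
}

inspect_snapshot() {
    node=$(mdconfig -a -t vnode -f "$SNAP") || return 1   # prints e.g. md2
    unit=$(md_unit "$node") || return 1
    mount -r "/dev/$node" "$MNT"      # read-only: a snapshot is a frozen image
    mount | grep "/dev/$node"         # verify
    ls "$MNT"                         # browse or copy files out of $MNT here
    umount "$MNT"
    mdconfig -d -u "$unit"            # detach; $SNAP stays until rm(1)
}

if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" -eq 0 ] && [ "${1:-}" = run ]; then
    take_snapshot && inspect_snapshot
fi
```

Invoke it as `sh snap.sh run`. Mounting read-only is deliberate: changes made through the mount would not belong to the frozen image, and a snapshot of /var may contain mail spools and logs that should be treated as sensitive while mounted.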
There are several utilities in the FreeBSD base system to help system administrators take backups of their systems. But before starting to take backups, you should define your backup strategy.
Backups can be taken at the file system level, from a whole partition or physical disk, or at a higher level, where you select relevant files and directories to be archived and moved to a tape device or a remote server. In this chapter, we will discuss the different utilities and how to use them to create usable backups for your needs.
The dump(8) utility is one of the most reliable and portable backup tools on UNIX systems. Together with restore(8), it forms the basic backup toolbox in FreeBSD. The dump command can create full and incremental backups of a whole disk or of any partition of your choice. Even if the file system you want to back up is live (which in most cases it is), dump takes a snapshot of it before the backup, so that the file system does not change during the process.
By default, dump creates backups on a tape drive unless you specify another file or a special device.
A typical full backup using dump may look like the following example:
In the above example, dump takes a full backup (note the -0 flag) of the /dev/ad0s1a device, which is mounted on /, and writes it to the regular file /usr/dump1. The -L flag indicates that the partition is a live file system, so dump creates a consistent snapshot of the partition before performing the backup.
When -L is specified, dump creates the snapshot in the .snap directory at the root of that file system and removes it as soon as the dump completes. Always use -L on live file systems; the flag is ignored for read-only and unmounted partitions.
Finally, the -u flag tells dump to record the dump in the /etc/dumpdates file. dump uses this information for future incremental backups.
The dump command can also create incremental backups using information recorded in the /etc/dumpdates file. In order to create an incremental backup, you should specify a higher backup-level from -1 to -9 in the command line. If backup-level is not specified, dump will assume a full backup (that is -0) should be taken.
It also updates /etc/dumpdates with new backup dates:
Once you have created dumps from your file system as regular files, you may want to move the dump file to another safe location (like a backup server), to protect your backups in case of a hardware failure. You can also create dumps directly on a remote server over SSH. This can be done by giving the following command:
This creates a level 0 (full) backup of the /dev/ad0s1a device over the network: ssh(1) connects to the host bkserver as user admin, and dd(1) on the remote side writes the incoming stream to a file. Since a full backup may be a huge file, bzip2(1) compresses the stream to reduce the network load.
You can use your favourite compression program (for example, gzip(1) or compress(1)) with appropriate parameters instead of bzip2.
Using a compression program reduces the network load at the cost of CPU usage during the dump run.
Now that you have made your backup on a tape or a remote device, you may need to verify or restore it in the future.
The restore(8) utility performs the inverse function of dump. With restore, you can bring back a backup taken with dump, or extract individual files that were deleted accidentally. It can also restore backups over the network.
A simple scenario for using restore is restoring a full backup. It is recommended that you restore your backup to an empty partition. You have to format the destination partition, using newfs(8), before restoring your backup. After you restore the full backup, you can proceed to restore the incremental backups, in the order in which they were created.
A typical restore procedure would look like the following command lines:
The restore command fully extracts the dump file to your current directory. So you have to change your current directory to wherever you want to restore the backup using the cd command.
Another interesting feature of restore is its interactive mode. In this mode, you can browse the files and directories inside the dump file and mark those that should be restored. This is very useful for recovering accidentally deleted files and directories.
There are a number of useful commands in the interactive restore shell to help users choose what they want to extract. The ls, cd, and pwd commands are similar to their equivalents, and are used to navigate through the dump file. Using add and delete commands, you can mark and unmark files and directories that you want to extract. Once you finish selecting the files, you can use the extract command to extract the selected files.
The restore command is also used to extract dump information from the dump file using the what command in the interactive mode:
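The dump-over-SSH command and the restore listings referred to in the two sections above are not reproduced on this page. The script below is an added example (not the book's own code) serving both: it chooses the next dump level from /etc/dumpdates, streams a dump(8) of /dev/ad0s1a through bzip2 and ssh(1) to admin@bkserver as the text describes, and rebuilds a file system from the resulting files in the order they were taken. The remote directory /backup, the one-level-higher-per-run scheme and the file naming are assumptions made here; the dumpdates lines in the test are constructed.

```sh
# Added example (not the book's listing): dump(8) over ssh(1) with the
# level taken from /etc/dumpdates, and the matching restore(8) steps.

DEV=${DEV:-/dev/ad0s1a}
REMOTE=${REMOTE:-admin@bkserver}
REMOTE_DIR=${REMOTE_DIR:-/backup}

# Next level for a scheme that goes one level higher on each run: 0 when
# the device has no entry, otherwise highest recorded level + 1, capped at 9.
# dumpdates lines look like: /dev/ad0s1a 0 Sat Apr  5 02:00:00 2008
# The dumpdates text is an argument so the logic can be checked offline.
next_level() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        BEGIN { max = -1 }
        $1 == dev { if ($2 + 0 > max) max = $2 + 0 }
        END {
            if (max < 0) lvl = 0; else if (max < 9) lvl = max + 1; else lvl = 9
            print lvl
        }'
}

# Stream a dump at the given level to the backup server. -L snapshots the
# live file system first, -u records the run in /etc/dumpdates, -a sizes
# the output automatically, and -f - writes to stdout for the pipe.
dump_remote() {
    level=$1
    name="$(basename "$DEV")-$(date +%Y%m%d)-level${level}.dump.bz2"
    dump "-${level}" -L -u -a -f - "$DEV" | bzip2 |
        ssh "$REMOTE" "dd of=${REMOTE_DIR}/${name}"
    echo "$name"
}

# Rebuild a file system from dump files given in the order they were taken
# (level 0 first). newfs destroys whatever is on $1; restore -r fills the
# empty file system, reading the uncompressed stream from stdin (-f -).
restore_from() {
    target=$1; mnt=$2; shift 2
    newfs "$target" && mount "$target" "$mnt" && cd "$mnt" || return 1
    for f in "$@"; do
        bzip2 -dc "$f" | restore -r -f -
    done
    rm -f "$mnt/restoresymtable"    # bookkeeping file left behind by restore -r
}

if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" -eq 0 ] && [ "${1:-}" = run ]; then
    dump_remote "$(next_level "$DEV" "$(cat /etc/dumpdates 2>/dev/null)")"
fi
```

A typical recovery is `restore_from /dev/ad1s1a /mnt ad0s1a-20080405-level0.dump.bz2 ad0s1a-20080406-level1.dump.bz2` after copying the files back from bkserver. Note that POSIX sh reports only the exit status of the last command in a pipeline, so check the remote file's size or a checksum rather than trusting the pipeline's status alone.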
There are scenarios in which you do not need a full dump of a hard disk or partition; instead, you may want to archive a selection of files and directories to backup tapes or regular files. This is where the tar(1), cpio(1), and pax(1) utilities come into play.
The tar command is UNIX's original tape manipulation tool. It was created to manipulate streaming archive files for backup tapes. It is not a compression utility; when compression is required, it is used in conjunction with an external compression utility such as gzip, bzip2, or compress.
Besides tape drives, you can use tar to create regular archive files. Such tar archive files are called tarballs.
Keep in mind that FreeBSD's tar utility, a.k.a bsdtar(1), is slightly different from the GNU's tar. GNU tar or gtar is available in ports collection. Only BSD tar is covered in this chapter.
A tarball can be created, updated, verified, and extracted using the tar(1) utility.
In the above example, tar creates a tarball called backup.tar from the backup directory. The c flag tells tar to create an archive, the v flag makes it verbose (listing each file as it is processed), and the f flag names the output file (backup.tar).
To update a tarball, u flag is used:
And x flag to extract the files from a tarball:
In all the above examples, the archive was a regular file named by the f flag. If f is omitted, tar uses the default tape device, /dev/sa0. Other useful tar flags include z for gzip compression and j for bzip2 compression.
You can create tarballs over network with SSH using piping technique discussed in Dump and Restore section.
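The tar command lines above are not reproduced on this page. As an added example (not the book's own code), the script below performs the create, update and extract round trip with the flags the text describes, and adds the check a practitioner wants before extracting an archive that arrived from elsewhere: member names that are absolute or contain ".." can write outside the extraction directory, so the archive is listed (t) first and refused if any such entry appears. The listing helper takes text so it can be checked offline; the sample tree built by demo and the member names in the test are constructed.

```sh
# Added example (not the book's listing): bsdtar(1) round trip plus a
# pre-extraction check for path-escaping member names.

# Print member names that could escape the extraction directory.
unsafe_members() {
    printf '%s\n' "$1" | awk '
        /^\// { print; next }                      # absolute path
        { n = split($0, p, "/")
          for (i = 1; i <= n; i++) if (p[i] == "..") { print; break } }'
}

# Succeed when the archive lists no unsafe member names.
archive_is_safe() {
    [ -z "$(unsafe_members "$(tar -tf "$1")")" ]
}

# Create, update and extract a tarball, refusing an unsafe one. Runs in a
# subshell so the cd does not leak into the caller.
demo() (
    work=$(mktemp -d) && cd "$work" || exit 1
    mkdir -p backup/etc && printf 'secret=1\n' > backup/etc/app.conf
    tar -cvf backup.tar backup              # c: create, v: verbose, f: file
    printf 'notes\n' > backup/extra.txt
    tar -uvf backup.tar backup              # u: append files newer than the archive copy
    archive_is_safe backup.tar || { echo "refusing to extract backup.tar" >&2; exit 1; }
    mkdir out && (cd out && tar -xvf ../backup.tar)   # x: extract
    [ "$(cat out/backup/etc/app.conf)" = "secret=1" ] &&
        [ "$(cat out/backup/extra.txt)" = "notes" ]
)

case ${1:-} in run) demo ;; esac
```

Run `sh tar_demo.sh run` to exercise the round trip. bsdtar already strips leading slashes on extraction unless -P is given, but it is still worth listing before extracting: the listing shows exactly what will land on disk, and the ".." check catches relative escapes that a leading-slash strip does not.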
The cpio utility is another important archiving utility in FreeBSD's base system and is similar to tar in many ways. It was part of the POSIX standard until POSIX.1-2001, when it was dropped because of its 8 GB file size limitation.
The pax utility was defined by IEEE Std 1003.2 (POSIX.2) to sort out the incompatibilities between tar and cpio. pax is not tied to any one file format and supports several archive formats, including tar, cpio, and ustar (the POSIX.2 standard format). Despite being a widely implemented POSIX standard, it is still not as popular as tar.
The -w flag is used to create archive:
And -r to extract (or read) the archive to current directory:
The pax utility is also able to read/write different archive types that can be specified by -x flag. The supported parameters of pax are shown in the following list:
Taking a snapshot of a file system is not a backup method in itself: the snapshot lives on the same disk as the file system it freezes and offers no protection against disk failure. It is, however, very helpful for restoring accidentally removed files. Snapshots can be mounted as regular file systems (and even exported over the network), and the system administrator can use ordinary commands to browse the mounted snapshot and restore selected files and directories.
