.\" Copyright (c) 1980 Regents of the University of California. .\" All rights reserved. The Berkeley software License Agreement .\" specifies the terms and conditions for redistribution. .\" .\" @(#)5.t 2.5 (2.11BSD GTE) 1996/11/16 .\" .ds lq `` .ds rq '' .ds LH "Installing/Operating \*(2B .ds RH Network setup .ds CF \*(DY .LP .nr H1 5 .nr H2 0 .bp .LG .B .ce 5. NETWORK SETUP .sp 2 .R .NL .PP The following section has been lightly edited to correspond to the current \*(2B networking. Several parts of it do not really apply to \*(2B, for example, it is unlikely that anyone will connect a PDP-11 to an IMP but it is possible as the LH/DH-11 networking interface and the IMP modules have been ported and lightly tested, or that anyone will run the nameserver. The ``correct'' use of the networking in \*(2B is probably with a list of the local net addresses in the \fI/etc/hosts\fP file and with one default gateway for all network traffic. In particular, do not run .IR routed (8) unless you're extremely sure that you know what you're doing. This is doubly true if SL/IP is being used as the primary connection to the outside world. The IMP and PRONET drivers are known to work, but long term robustness is unknown. Sites that wish to hook \*(2B into more than a simple local ethernet may have some work ahead of them. If any additional drivers are ported, I would really like a copy. .PP The networking in \*(2B, runs in supervisor mode, separate from the mainstream kernel. There is room without overlaying to hold both a SL/IP and ethernet driver. This is a major win, as it allows the networking to maintain its mbufs in normal data space, among other things. The networking portion of the kernel resides in ``/netnix'', and is loaded after the kernel is running. Since the kernel only looks for the file ``/netnix'', it will not run if it is unable to load ``/netnix'' , sites should build and keep a non-networking kernel in ``/'' at all times, as a backup. \fBNOTE\fP: The ``/unix'' and ``/netnix'' imagines must have been created at the same time, do not attempt to use mismatched images. The ability to have \fBboot\fP tell the kernel which network image to load is on the wish list (had to have something take the place of wishing for disklabels ;-)). .PP \*(2B provides support for the DARPA standard Internet protocols IP, ICMP, TCP, and UDP. These protocols may be used on top of a variety of hardware devices ranging from the IMP's (PSN's) used in the Internet to local area network controllers for the Ethernet. Network services are split between the kernel (communication protocols) and user programs (user services such as TELNET and FTP). This section describes how to configure your system to use the Internet networking support. \*(2B also includes code to support the Xerox Network Systems (NS) protocols; the basic porting work has been done, but it is completely untested. .NH 2 System configuration .PP To configure the kernel to include the Internet communication protocols, define the INET option. This automatically defines the NLOOP option. TCP_COMPAT_42 is always defined. Xerox NS support is enabled with the NS option. In either case, include the pseudo-device ``pty'' in your machine's configuration file, using the NPTY options. The ``pty'' pseudo-device forces the pseudo terminal device driver to be configured into the system, see \fIpty\fP\|(4). The NLOOP option forces inclusion of the software loopback interface driver. The loop driver is used in network testing as well as for the system talking to itself rather than transmitting the data over the wire. .PP If you are planning to use the Internet network facilities on a 10Mb/s Ethernet, the pseudo-device ``ether'' should also be included in the configuration using the NETHER option; this forces inclusion of the Address Resolution Protocol module used in mapping between 48-bit Ethernet and 32-bit Internet addresses. Also, if you have an IMP connection, you will need to include the pseudo-device ``imp'', using the option NIMP. The IMP software is ported and is in use at at least one site. .PP Before configuring the appropriate networking hardware, you should consult the manual pages in section 4 of the Programmer's Manual. The following table lists the devices for which software support exists. Again, much of this software is unported and untested; only the basic networking has been stressed at all. Many other devices are available, but unported. Porting should simply be a matter of making the hardware device work. The directories ``/sys/pdpif'' and ``/sys/vaxif'' contain many drivers. The ones in ``pdpif'' are either the current, working drivers, or drivers that, at some time, worked on PDP-11's. The ones in ``vaxif'' are the current VAX drivers, and, as such, will have to have their memory usage changed, but serve as an excellent example of how the hardware works. .DS .TS l l. Device name Manufacturer and product _ de DEC DEUNA/DELUA 10Mb/s Ethernet qe DEC DEQNA 10Mb/s Ethernet qt DEC DELQA-YM 10Mb/s Ethernet ec 3Com 10Mb/s Ethernet il Interlan 1010 and 10101A 10Mb/s Ethernet interfaces vv Proteon ProNET - Token Ring Interface acc LH/DH-11 1822 IMP/PSN Interface .TE .DE .PP SL/IP is also available. It is surprisingly efficient. Over a 9600 baud line it is not unusual to see \fBftp\fP rates in the 800 bytes per second range (depending how busy the system is). .PP All network interface drivers including the loopback interface, require that their host address(es) be defined at boot time. This is done with .IR ifconfig (8) commands included in the \fI/etc/rc.local\fP file. Interfaces that are able to dynamically deduce the host part of an address may check that the host part of the address is correct. The manual page for each network interface describes the method used to establish a host's address. .IR Ifconfig (8) can also be used to set options for the interface at boot time. Options are set independently for each interface, and apply to all packets sent using that interface. These options include disabling the use of the Address Resolution Protocol; this may be useful if a network is shared with hosts running software that does not yet provide this function. Alternatively, translations for such hosts may be set in advance or ``published'' by a \*(2B host by use of the .IR arp (8) command. Note that the use of trailer link-level is now negotiated between \*(2B hosts using ARP, and it is thus no longer necessary to disable the use of trailers with \fIifconfig\fP. It is \fBSTRONGLY\fP recommended, however, that \*(2B networking be run without trailers, as the trailer code in most of the drivers has either been removed, commented out, is untested or is \fBknown\fP not to work. This is a problem with certain releases of \fIUltrix\fP, which has to be explicitly configured not to send trailers if it and \*(2B are to coexist. .PP To use the pseudo terminals just configured, device entries must be created in the ``/dev'' directory. To create 32 pseudo terminals (plenty, you can probably get by with many less) execute the following commands. .DS \fB#\fP cd /dev \fB#\fP MAKEDEV pty0 pty1 .DE More pseudo terminals may be made by specifying \fIpty2\fP, \fIpty3\fP, etc. The kernel normally includes support for 16 pseudo terminals unless the configuration file specifies a different number. Each pseudo terminal really consists of two files in /dev: a master and a slave. The master pseudo terminal file is named /dev/ptyp?, while the slave side is /dev/ttyp?. Pseudo terminals are also used by several programs not related to the network. \fBNOTE\fP: the terminal structures are 78 bytes each, declaring more than 16 pseudo terminals is potentially wasteful of kernel D space. See the comment in the kernel config files. In addition to creating the pseudo terminals, be sure to install them in the .I /etc/ttys file (with a `none' in the second column so no .I getty is started). .NH 2 Local subnetworks .PP In \*(2B the DARPA Internet support includes the notion of ``subnetworks''. This is a mechanism by which multiple local networks may appears as a single Internet network to off-site hosts. Subnetworks are useful because they allow a site to hide their local topology, requiring only a single route in external gateways; it also means that local network numbers may be locally administered. The standard describing this change in Internet addressing is RFC-950. .PP To set up local subnetworks one must first decide how the available address space (the Internet ``host part'' of the 32-bit address) is to be partitioned. Sites with a class A network number have a 24-bit address space with which to work, sites with a class B network number have a 16-bit address space, while sites with a class C network number have an 8-bit address space\(ua. .FS .IP \(ua If you are unfamiliar with the Internet addressing structure, consult ``Address Mappings'', Internet RFC-796, J. Postel; available from the Internet Network Information Center at SRI. .FE To define local subnets you must steal some bits from the local host address space for use in extending the network portion of the Internet address. This reinterpretation of Internet addresses is done only for local networks; i.e. it is not visible to hosts off-site. For example, if your site has a class B network number, hosts on this network have an Internet address that contains the network number, 16 bits, and the host number, another 16 bits. To define 254 local subnets, each possessing at most 255 hosts, 8 bits may be taken from the local part. (The use of subnets 0 and all-1's, 255 in this example, is discouraged to avoid confusion about broadcast addresses.) These new network numbers are then constructed by concatenating the original 16-bit network number with the extra 8 bits containing the local subnetwork number. .PP The existence of local subnetworks is communicated to the system at the time a network interface is configured with the .I netmask option to the .I ifconfig program. A ``network mask'' is specified to define the portion of the Internet address that is to be considered the network part for that network. This mask normally contains the bits corresponding to the standard network part as well as the portion of the local part that has been assigned to subnets. If no mask is specified when the address is set, it will be set according to the class of the network. For example, at Berkeley (class B network 128.32) 8 bits of the local part have been reserved for defining subnetworks; consequently the /etc/rc.local file contains lines of the form .DS ifconfig en0 netmask 0xffffff00 128.32.1.7 .DE This specifies that for interface ``en0'', the upper 24 bits of the Internet address should be used in calculating network numbers (netmask 0xffffff00), and the interface's Internet address is ``128.32.1.7'' (host 7 on network 128.32.1). Hosts \fIm\fP on sub-network \fIn\fP of this network would then have addresses of the form ``128.32.\fIn\fP.\fIm\fP''; for example, host 99 on network 129 would have an address ``128.32.129.99''. For hosts with multiple interfaces, the network mask should be set for each interface, although in practice only the mask of the first interface on each network is actually used. .NH 2 Internet broadcast addresses .PP The address defined as the broadcast address for Internet networks according to RFC-919 is the address with a host part of all 1's. The address used by 4.2BSD was the address with a host part of 0. \*(2B uses the standard broadcast address (all 1's) by default, but allows the broadcast address to be set (with \fIifconfig\fP) for each interface. This allows networks consisting of both 4.2BSD and \*(2B hosts to coexist. In the presence of subnets, the broadcast address uses the subnet field as for normal host addresses, with the remaining host part set to 1's (or 0's, on a network that has not yet been converted). \*(2B hosts recognize and accept packets sent to the logical-network broadcast address as well as those sent to the subnet broadcast address, and when using an all-1's broadcast, also recognize and receive packets sent to host 0 as a broadcast. .NH 2 Routing .PP If your environment allows access to networks not directly attached to your host you will need to set up routing information to allow packets to be properly routed. Two schemes are supported by the system. The first scheme employs the routing table management daemon \fIrouted\fP to maintain the system routing tables. The routing daemon uses a variant of the Xerox Routing Information Protocol to maintain up to date routing tables in a cluster of local area networks. By using the \fI/etc/gateways\fP file created by .IR htable (8), the routing daemon can also be used to initialize static routes to distant networks (see the next section for further discussion). When the routing daemon is started up (usually from \fI/etc/rc.local\fP) it reads \fI/etc/gateways\fP if it exists and installs those routes defined there, then broadcasts on each local network to which the host is attached to find other instances of the routing daemon. If any responses are received, the routing daemons cooperate in maintaining a globally consistent view of routing in the local environment. This view can be extended to include remote sites also running the routing daemon by setting up suitable entries in \fI/etc/gateways\fP; consult .IR routed (8) for a more thorough discussion. .PP The second approach is to define a default or wildcard route to a smart gateway and depend on the gateway to provide ICMP routing redirect information to dynamically create a routing data base. This is done by adding an entry of the form .DS route add default \fIsmart-gateway\fP 1 .DE to \fI/etc/rc.local\fP; see .IR route (8) for more information. The default route will be used by the system as a ``last resort'' in routing packets to their destination. Assuming the gateway to which packets are directed is able to generate the proper routing redirect messages, the system will then add routing table entries based on the information supplied. This approach has certain advantages over the routing daemon, but is unsuitable in an environment where there are only bridges (i.e. pseudo gateways that, for instance, do not generate routing redirect messages). Further, if the smart gateway goes down there is no alternative, save manual alteration of the routing table entry, to maintaining service. .PP The system always listens, and processes, routing redirect information, so it is possible to combine both of the above facilities. For example, the routing table management process might be used to maintain up to date information about routes to geographically local networks, while employing the wildcard routing techniques for ``distant'' networks. The .IR netstat (1) program may be used to display routing table contents as well as various routing oriented statistics. For example, .DS \fB#\fP\|netstat \-r .DE will display the contents of the routing tables, while .DS \fB#\fP\|netstat \-r \-s .DE will show the number of routing table entries dynamically created as a result of routing redirect messages, etc. .NH 2 Use of \*(2B machines as gateways .PP Only sheer insanity could prompt the use of \*(2B machines as gateways. If you \fBreally\fP want to do this then the best recourse is to prowl the sources and see what has to be done. The code is all there, and the "ipforwarding" variable is present. .PP Local area routing within a group of interconnected Ethernets and other such networks may be handled by .IR routed (8). Gateways between the Internet and one or more local networks require an additional routing protocol, the Exterior Gateway Protocol (EGP), to inform the core gateways of their presence and to acquire routing information from the core. .NH 2 Network servers .PP In \*(2B most of the server programs are started up by a ``super server'', the Internet daemon. The Internet daemon, \fIinetd\fP, acts as a master server for programs specified in its configuration file, \fI/etc/inetd.conf\fP, listening for service requests for these servers, and starting up the appropriate program whenever a request is received. The configuration file contains lines containing a service name (as found in \fI/etc/services\fP), the type of socket the server expects (e.g. stream or dgram), the protocol to be used with the socket (as found in \fI/etc/protocols\fP), whether to wait for each server to complete before starting up another, the user name as which the server should run, the server program's name, and at most five arguments to pass to the server program. Some trivial services are implemented internally in \fIinetd\fP, and their servers are listed as ``internal.'' For example, an entry for the file transfer protocol server would appear as .DS ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l .DE or if you are using the \fItcp_wrapper\fP program as .DS ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l .DE Consult .IR inetd (8) for more detail on the format of the configuration file and the operation of the Internet daemon. .NH 2 Network data bases .PP Several data files are used by the network library routines and server programs. Most of these files are host independent and updated only rarely. .DS .TS l l l. File Manual reference Use _ /etc/hosts \fIhosts\fP\|(5) host names /etc/networks \fInetworks\fP\|(5) network names /etc/services \fIservices\fP\|(5) list of known services /etc/protocols \fIprotocols\fP\|(5) protocol names /etc/hosts.equiv \fIrshd\fP\|(8) list of ``trusted'' hosts /etc/rc.local \fIrc\fP\|(8) command script for starting servers /etc/ftpusers \fIftpd\fP\|(8) list of ``unwelcome'' ftp users /etc/hosts.lpd \fIlpd\fP\|(8) list of hosts allowed to access printers /etc/inetd.conf \fIinetd\fP\|(8) list of servers started by \fIinetd\fP .TE .DE The files distributed are set up for Internet hosts. Local networks and hosts should be added to describe the local configuration. Network numbers will have to be chosen for each Ethernet. For sites not connected to the Internet, these can be chosen more or less arbitrarily, otherwise the normal channels should be used for allocation of network numbers. .NH 3 Regenerating /etc/hosts and /etc/networks .PP When using the host address routines that use the Internet name server, the file \fI/etc/hosts\fP is only used for setting interface addresses and at other times that the server is not running, and therefore it need only contain addresses for local hosts. There is no equivalent service for network names yet. The days of retrieving a host file containing all systems on the Internet are over. Besides, you would grow very old and run out of disk space while waiting for \fImkhosts\fP\|(8) to process a hosts file containing the several million entries. Therefore the details of retrieving a master hosts file using .IR htable (8) and .IR gettable (8) have been removed from this document. However if you do use local hosts files you will still need to run .IR mkhosts (8) and this is described below. .PP If you are using the host table for host name and address mapping, you should run \fImkhosts\fP\|(8) after installing \fI/etc/hosts\fP. The \fImkhosts\fP\|(8) program has been enhanced for \*(2B to allow multiple addresses per host. The order in which the addresses are given in \fI/etc/hosts\fP is preserved, so the entries for a given host should be in order of importance. If you are using the name server for the host name and address mapping, you only need to install \fInetworks\fP and a small copy of \fIhosts\fP describing your local machines. The full host table in this case might be placed somewhere else for reference by users. The gateways file may be installed in \fI/etc/gateways\fP if you use .IR routed (8) for local routing and wish to have static external routes installed when \fIrouted\fP is started. This procedure is essentially obsolete, however, except for individual hosts that are on the Milnet and do not forward packets from a local network. Other situations require the use of \fBgated\fP. That program can never be made to run on a PDP-11 due to address space considerations. Also, the networking code could not even begin to handle the number of routes which would be received. .PP If you are connected to the Internet, it is highly recommended that you use the name server resolver routines for your host name and address mapping, as this provides access to a much larger set of hosts than are provided in the host table. Many large organization on the network, currently have only a small percentage of their hosts listed in the host table retrieved from NIC. .NH 3 /etc/hosts.equiv .PP The remote login and shell servers use an authentication scheme based on trusted hosts. The \fIhosts.equiv\fP file contains a list of hosts that are considered trusted and, under a single administrative control. When a user contacts a remote login or shell server requesting service, the client process passes the user's name and the official name of the host on which the client is located. In the simple case, if the host's name is located in \fIhosts.equiv\fP and the user has an account on the server's machine, then service is rendered (i.e. the user is allowed to log in, or the command is executed). Users may expand this ``equivalence'' of machines by installing a \fI.rhosts\fP file in their login directory. The root login is handled specially, bypassing the \fIhosts.equiv\fP file, and using only the \fI/.rhosts\fP file. .PP Thus, to create a class of equivalent machines, the \fIhosts.equiv\fP file should contain the \fIofficial\fP names for those machines. If you are running the name server, you may omit the domain part of the host name for machines in your local domain. For example, several machines on my local network are considered trusted, so the \fIhosts.equiv\fP file is of the form: .DS wlv wlonex wlonex0 wlbr .DE .NH 3 /etc/rc.local .PP Most network servers are automatically started up at boot time by the command file /etc/rc (if they are installed in their presumed locations) or by the Internet daemon (see above). These include the following: .DS .TS l l l. Program Server Started by _ rshd shell server inetd rexecd exec server inetd rlogind login server inetd telnetd TELNET server inetd ftpd FTP server inetd fingerd Finger server inetd tftpd TFTP server inetd rwhod system status daemon /etc/rc syslogd error logging server /etc/rc sendmail SMTP server /etc/rc routed routing table management daemon /etc/rc .TE .DE Consult the manual pages and accompanying documentation (particularly for sendmail) for details about their operation. .PP To have other network servers started up as well, the appropriate line should be added to the Internet daemon's configuration file \fI/etc/inetd.conf\fP, or commands similar to the following should be placed in the site dependent file \fI/etc/rc.local\fP. .DS if [ -f /usr/sbin/rwhod ]; then rwhod & echo -n ' rwhod' >/dev/console f\&i .DE .NH 3 /etc/ftpusers .PP The FTP server included in the system provides support for an anonymous FTP account. Because of the inherent security problems with such a facility you should read this section carefully if you consider providing such a service. .PP An anonymous account is enabled by creating a user \fIftp\fP. When a client uses the anonymous account a \fIchroot\fP\|(2) system call is performed by the server to restrict the client from moving outside that part of the file system where the user ftp home directory is located. Because a \fIchroot\fP call is used, certain programs and files used by the server process must be placed in the ftp home directory. Further, one must be sure that all directories and executable images are unwritable. The following directory setup is recommended. .DS \fB#\fP cd ~ftp \fB#\fP chmod 555 .; chown ftp .; chgrp ftp . \fB#\fP mkdir bin etc pub \fB#\fP chown root bin etc \fB#\fP chmod 555 bin etc \fB#\fP chown ftp pub \fB#\fP chmod 777 pub \fB#\fP cd bin \fB#\fP cp /bin/sh /bin/ls . \fB#\fP chmod 111 sh ls \fB#\fP cd ../etc \fB#\fP cp /etc/passwd /etc/group . \fB#\fP chmod 444 passwd group .DE When local users wish to place files in the anonymous area, they must be placed in a subdirectory. In the setup here, the directory \fI~ftp/pub\fP is used. .PP NOTE: Mode 777 on the 'pub' directory can and has been abused! Changing the mode to 555 is a good choice but would require administrative assistance for placing files in the 'pub' directory. Probably not a bad idea though. .PP Another issue to consider is the copy of \fI/etc/passwd\fP placed here. It may be copied by users who use the anonymous account. They may then try to break the passwords of users on your machine for further access. A good choice of users to include in this copy might be root, daemon, uucp, and the ftp user. .PP Aside from the problems of directory modes and such, the ftp server may provide a loophole for interlopers if certain user accounts are allowed. The file \fI/etc/ftpusers\fP is checked on each connection. If the requested user name is located in the file, the request for service is denied. This file normally has the following names on our systems. .DS uucp root .DE Accounts with nonstandard shells should be listed in this file. Accounts without passwords need not be listed in this file, the ftp server will not service these users.