--- wikisrc/guide/net-practice.mdwn 2013/03/14 23:19:08 1.2 +++ wikisrc/guide/net-practice.mdwn 2018/06/22 21:15:35 1.6 @@ -1,3 +1,7 @@ +**Contents** + +[[!toc levels=3]] + # Setting up TCP/IP on NetBSD in practice ## A walk through the kernel configuration @@ -10,9 +14,9 @@ take the i386/GENERIC config file as an platforms should contain similar information, the comments in the config files give additional hints. Besides the information given here, each kernel option is also documented in the -[options(4)](http://netbsd.gw.com/cgi-bin/man-cgi?options+4+NetBSD-5.0.1+i386) +[[!template id=man name="options" section="4"]] manpage, and there is usually a manpage for each driver too, e.g. -[tlp(4)](http://netbsd.gw.com/cgi-bin/man-cgi?tlp+4+NetBSD-5.0.1+i386). +[[!template id=man name="tlp" section="4"]]. The first line of each config file shows the version. It can be used to compare against other versions via CVS, or when reporting bugs. @@ -21,7 +25,7 @@ against other versions via CVS, or when If you want to run the Network Time Protocol (NTP), this option can be enabled for maximum precision. If the option is not present, NTP will still work. See -[ntpd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ntpd+8+NetBSD-5.0.1+i386) for +[[!template id=man name="ntpd" section="8"]] for more information. file-system NFS # Network File System client @@ -42,7 +46,7 @@ information on NFS. If you want to setup a router that forwards packets between networks or network interfaces, setting this option is needed. It doesn't only switch on packet forwarding, but also increases some buffers. See -[options(4)](http://netbsd.gw.com/cgi-bin/man-cgi?options+4+NetBSD-5.0.1+i386) +[[!template id=man name="options" section="4"]] for details. options INET # IP + ICMP + TCP + UDP 
@@ -50,7 +54,7 @@ for details. This enables the TCP/IP code in the kernel. Even if you don't want/use networking, you will still need this for machine-internal communication of subsystems like the X Window System. See -[inet(4)](http://netbsd.gw.com/cgi-bin/man-cgi?inet+4+NetBSD-5.0.1+i386) for +[[!template id=man name="inet" section="4"]] for more details. options INET6 # IPV6 @@ -58,7 +62,7 @@ more details. If you want to use IPv6, this is your option. If you don't want IPv6, which is part of NetBSD since the 1.5 release, you can remove/comment out that option. See the -[inet6(4)](http://netbsd.gw.com/cgi-bin/man-cgi?inet6+4+NetBSD-5.0.1+i386) +[[!template id=man name="inet6" section="4"]] manpage and [[Next generation Internet protocol - IPv6|guide/net-intro#ipv6-intro]] for more information on the next generation Internet protocol. @@ -68,7 +72,7 @@ Internet protocol. Includes support for the IPsec protocol, including key and policy management, authentication and compression. This option can be used without the previous option INET6, if you just want to use IPsec with IPv4, which is possible. See -[ipsec(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ipsec+4+NetBSD-5.0.1+i386) for +[[!template id=man name="ipsec" section="4"]] for more information. #options IPSEC_ESP # IP security (encryption part; define w/IPSEC) @@ -79,7 +83,7 @@ This option is needed in addition to IPS If multicast services like the MBone services should be routed, this option needs to be included. Note that the routing itself is controlled by the -[mrouted(8)](http://netbsd.gw.com/cgi-bin/man-cgi?mrouted+8+NetBSD-5.0.1+i386) +[[!template id=man name="mrouted" section="8"]] daemon. options ISO,TPIP # OSI 
@@ -87,7 +91,7 @@ daemon. These options include the OSI protocol stack, which was said for a long time to be the future of networking. It's mostly history these days. :-) See the -[iso(4)](http://netbsd.gw.com/cgi-bin/man-cgi?iso+4+NetBSD-5.0.1+i386) manpage +[[!template id=man name="iso" section="4"]] manpage for more information. options NETATALK # AppleTalk networking protocols @@ -96,7 +100,7 @@ Include support for the AppleTalk protoc needed to make use of that. See pkgsrc/net/netatalk and pkgsrc/net/netatalk-asun for such packages. More information on the AppleTalk protocol and protocol stack are available in the -[atalk(4)](http://netbsd.gw.com/cgi-bin/man-cgi?atalk+4+NetBSD-5.0.1+i386) +[[!template id=man name="atalk" section="4"]] manpage. options PPP_BSDCOMP # BSD-Compress compression support for PPP @@ -111,8 +115,8 @@ enables code to filter some packets. options IPFILTER_LOG # ipmon(8) log support These options enable firewalling in NetBSD, using IPFilter. See the -[ipf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ipf+4+NetBSD-5.0.1+i386) and -[ipf(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ipf+8+NetBSD-5.0.1+i386) manpages +[[!template id=man name="ipf" section="4"]] and +[[!template id=man name="ipf" section="8"]] manpages for more information on operation of IPFilter, and [[Configuring the gateway/firewall|guide/net-practice#ipnat-configuring-gateway]] for a configuration example. @@ -131,7 +135,7 @@ broadcast-address to `0`. The `TCP_COMPA These options enable lookup of data via DHCP or the BOOTPARAM protocol if the kernel is told to use a NFS root file system. See the -[diskless(8)](http://netbsd.gw.com/cgi-bin/man-cgi?diskless+8+NetBSD-5.0.1+i386) +[[!template id=man name="diskless" section="8"]] manpage for more information. # Kernel root file system and dump configuration. 
@@ -161,15 +165,15 @@ Others with attachment on USB, PCMCIA or This rather long list contains all sorts of network drivers. Please pick the one that matches your hardware, according to the comments. For most drivers, there's also a manual page available, e.g. -[tlp(4)](http://netbsd.gw.com/cgi-bin/man-cgi?tlp+4+NetBSD-5.0.1+i386), -[ne(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ne+4+NetBSD-5.0.1+i386), etc. +[[!template id=man name="tlp" section="4"]], +[[!template id=man name="ne" section="4"]], etc. # MII/PHY support This section lists media independent interfaces for network cards. Pick one that matches your hardware. If in doubt, enable them all and see what the kernel picks. See the -[mii(4)](http://netbsd.gw.com/cgi-bin/man-cgi?mii+4+NetBSD-5.0.1+i386) manpage +[[!template id=man name="mii" section="4"]] manpage for more information. # USB Ethernet adapters @@ -188,14 +192,14 @@ for more information. This pseudo-device allows sniffing packets of all sorts. It's needed for tcpdump, but also rarpd and some other applications that need to know about network traffic. See -[bpf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?bpf+4+NetBSD-5.0.1+i386) for more +[[!template id=man name="bpf" section="4"]] for more information. pseudo-device ipfilter # IP filter (firewall) and NAT This one enables the IPFilter's packet filtering kernel interface used for firewalling, NAT (IP Masquerading) etc. See -[ipf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ipf+4+NetBSD-5.0.1+i386) and +[[!template id=man name="ipf" section="4"]] and [Configuring the gateway/firewall|guide/net-practice#ipnat-configuring-gateway]] for more information. 
@@ -203,14 +207,14 @@ for more information. This is the `lo0` software loopback network device which is used by some programs these days, as well as for routing things. It should not be omitted. -See [lo(4)](http://netbsd.gw.com/cgi-bin/man-cgi?lo+4+NetBSD-5.0.1+i386) for +See [[!template id=man name="lo" section="4"]] for more details. pseudo-device ppp 2 # Point-to-Point Protocol If you want to use PPP either over a serial interface or ethernet (PPPoE), you will need this option. See -[ppp(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ppp+4+NetBSD-5.0.1+i386) for +[[!template id=man name="ppp" section="4"]] for details on this interface. pseudo-device sl 2 # Serial Line IP @@ -218,13 +222,13 @@ details on this interface. Serial Line IP is a simple encapsulation for IP over (well :) serial lines. It does not include negotiation of IP addresses and other options, which is the reason that it's not in widespread use today any more. See -[sl(4)](http://netbsd.gw.com/cgi-bin/man-cgi?sl+4+NetBSD-5.0.1+i386). +[[!template id=man name="sl" section="4"]]. pseudo-device strip 2 # Starmode Radio IP (Metricom) If you happen to have one of the old Metricom Ricochet packet radio wireless network devices, use this pseudo-device to use it. See the -[strip(4)](http://netbsd.gw.com/cgi-bin/man-cgi?strip+4+NetBSD-5.0.1+i386) +[[!template id=man name="strip" section="4"]] manpage for detailed information. pseudo-device tun 2 # network tunneling over tty 
@@ -233,28 +237,28 @@ This network device can be used to tunne `/dev/tun*`. Packets routed to the tun0 interface can be read from `/dev/tun0`, and data written to `/dev/tun0` will be sent out the tun0 network interface. This can be used to implement e.g. QoS routing in userland. See -[tun(4)](http://netbsd.gw.com/cgi-bin/man-cgi?tun+4+NetBSD-5.0.1+i386) for +[[!template id=man name="tun" section="4"]] for details. pseudo-device gre 2 # generic L3 over IP tunnel The GRE encapsulation can be used to tunnel arbitrary layer 3 packets over IP, e.g. to implement VPNs. See -[gre(4)](http://netbsd.gw.com/cgi-bin/man-cgi?gre+4+NetBSD-5.0.1+i386) for more. +[[!template id=man name="gre" section="4"]] for more. pseudo-device gif 4 # IPv[46] over IPv[46] tunnel (RFC 1933) Using the GIF interface allows to tunnel e.g. IPv6 over IPv4, which can be used to get IPv6 connectivity if no IPv6-capable uplink (ISP) is available. Other mixes of operations are possible, too. See the -[gif(4)](http://netbsd.gw.com/cgi-bin/man-cgi?gif+4+NetBSD-5.0.1+i386) manpage +[[!template id=man name="gif" section="4"]] manpage for some examples. #pseudo-device faith 1 # IPv[46] tcp relay translation i/f The faith interface captures IPv6 TCP traffic, for implementing userland IPv6-to-IPv4 TCP relays e.g. for protocol transitions. See the -[faith(4)](http://netbsd.gw.com/cgi-bin/man-cgi?faith+4+NetBSD-5.0.1+i386) +[[!template id=man name="faith" section="4"]] manpage for more details on this device. #pseudo-device stf 1 # 6to4 IPv6 over IPv4 encapsulation 
@@ -262,7 +266,7 @@ manpage for more details on this device. This adds a network device that can be used to tunnel IPv6 over IPv4 without setting up a configured tunnel before. The source address of outgoing packets contains the IPv4 address, which allows routing replies back via IPv4. See the -[stf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?stf+4+NetBSD-5.0.1+i386) manpage +[[!template id=man name="stf" section="4"]] manpage and [IPv6 Connectivity & Transition via 6to4|guide/net-practice#ipv6-6to4]] for more details. @@ -273,7 +277,7 @@ tagging Ethernet frames with a `vlan` ID (that also have to support VLAN, of course), this can be used to build virtual LANs where one set of machines doesn't see traffic from the other (broadcast and other). The -[vlan(4)](http://netbsd.gw.com/cgi-bin/man-cgi?vlan+4+NetBSD-5.0.1+i386) manpage +[[!template id=man name="vlan" section="4"]] manpage tells more about this. ## Overview of the network configuration files @@ -397,7 +401,7 @@ to the provider is alan, an example conn In the previous example, the script specifies a *chat file* to be used for the connection. The options in the script are detailed in the -[pppd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pppd+8+NetBSD-5.0.1+i386) man +[[!template id=man name="pppd" section="8"]] man page. ### Note @@ -409,8 +413,8 @@ connection script kdebug 4 You will get a log of the operations performed when the system tries to connect. -See [pppd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pppd+8+NetBSD-5.0.1+i386), -[syslog.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?syslog.conf+5+NetBSD-5.0.1+i386). +See [[!template id=man name="pppd" section="8"]], +[[!template id=man name="syslog.conf" section="5"]]. The connection script calls the chat application to deal with the physical connection (modem initialization, dialing, ...) The parameters to chat can be 
@@ -427,7 +431,7 @@ separate file. If, for example, the tele *Note*: If you have problems with the chat file, you can try connecting manually to the POP with the -[cu(1)](http://netbsd.gw.com/cgi-bin/man-cgi?cu+1+NetBSD-5.0.1+i386) program and +[[!template id=man name="cu" section="1"]] program and verify the exact strings that you are receiving. ### Authentication @@ -494,7 +498,7 @@ The only thing left to do is the creatio noipdefault Check the -[pppd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pppd+8+NetBSD-5.0.1+i386) man +[[!template id=man name="pppd" section="8"]] man page for the meaning of the options. ### Testing the modem @@ -502,7 +506,7 @@ page for the meaning of the options. Before activating the link it is a good idea to make a quick modem test, in order to verify that the physical connection and the communication with the modem works. For the test the -[cu(1)](http://netbsd.gw.com/cgi-bin/man-cgi?cu+1+NetBSD-5.0.1+i386) program can +[[!template id=man name="cu" section="1"]] program can be used, as in the following example. 1. Create the file `/etc/uucp/port` with the following lines: 
@@ -528,16 +532,16 @@ be used, as in the following example. In the previous example the reset command (ATZ) was sent to the modem, which replied with OK: the communication works. To exit - [cu(1)](http://netbsd.gw.com/cgi-bin/man-cgi?cu+1+NetBSD-5.0.1+i386), write + [[!template id=man name="cu" section="1"]], write `~` (tilde) followed by `.` (dot), as in the example. If the modem doesn't work, check that it is connected to the correct port (i.e. you are using the right port with -[cu(1)](http://netbsd.gw.com/cgi-bin/man-cgi?cu+1+NetBSD-5.0.1+i386). Cables are +[[!template id=man name="cu" section="1"]]. Cables are a frequent cause of trouble, too. When you start -[cu(1)](http://netbsd.gw.com/cgi-bin/man-cgi?cu+1+NetBSD-5.0.1+i386) and a +[[!template id=man name="cu" section="1"]] and a message saying `Permission denied` appears, check who is the owner of the `/dev/tty##` device, it must be "uucp". For example: @@ -610,10 +614,10 @@ The two scripts must be executable: If you find yourself to always run the same set of commands each time you dial in, you can put them in a script `/etc/ppp/ip-up` which will be called by -[pppd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pppd+8+NetBSD-5.0.1+i386) after +[[!template id=man name="pppd" section="8"]] after successful dial-in. Likewise, before the connection is closed down, `/etc/ppp/ip-down` is executed. Both scripts are expected to be executable. See -[pppd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pppd+8+NetBSD-5.0.1+i386) for +[[!template id=man name="pppd" section="8"]] for more details. ## Creating a small home network 
@@ -911,7 +915,7 @@ The first step is to make sure support f running kernel. Support is included in the GENERIC kernel. When the system is ready the bridge can be created, this can be done using the -[brconfig(8)]((http://netbsd.gw.com/cgi-bin/man-cgi?brconfig+8+NetBSD-current)) +[[!template id=man name="brconfig" section="8"]] command. First of a bridge interface has to be created. With the following `ifconfig` command the `bridge0` interface will be created: @@ -943,7 +947,7 @@ being available, and most important, a D to clients on request. To make a NetBSD client run in such an environment, it's usually enough to set - dhclient=yes + dhcpcd=yes in `/etc/rc.conf`, and the IP address will be set automatically, `/etc/resolv.conf` will be created and routing setup to the default router. @@ -1108,7 +1112,7 @@ example for such a configured tunnel is described in [RFC1933](http://tools.ietf.org/html/rfc1933) ("RFC 1933: Transition Mechanisms for IPv6 Hosts and Routers"), and that's implemented e.g. by the -[gif(4)](http://netbsd.gw.com/cgi-bin/man-cgi?gif+4+NetBSD-5.0.1+i386) +[[!template id=man name="gif" section="4"]] device found in NetBSD. An *automatic* tunnel consists of a public server that has some kind of IPv6 @@ -1118,7 +1122,7 @@ registration of the sites using it as up protocol is the 6to4 mechanism described in [RFC3056](http://tools.ietf.org/html/rfc3056) ("RFC 3056: Connection of IPv6 Domains via IPv4 Clouds"), and that is implemented in the -[stf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?stf+4+NetBSD-5.0.1+i386) device +[[!template id=man name="stf" section="4"]] device found in NetBSD's. Another mechanism that does not require registration of IPv6-information is the 6over4 mechanism, which implements transporting of IPv6 over a multicast-enabled IPv4 network, instead of e.g. ethernet or FDDI. 6over4 
@@ -1194,7 +1198,7 @@ them: * subnet broadcast address as source/destination: depends on your IPv4 setup The NetBSD -[stf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?stf+4+NetBSD-5.0.1+i386) manual +[[!template id=man name="stf" section="4"]] manual page documents some common configuration mistakes intercepted by default by the KAME stack as well as some further advice on filtering, but keep in mind that because of the requirement of these filters, 6to4 is not perfectly secure. @@ -1237,7 +1241,7 @@ it for using IPv6 and 6to4, e.g. on NetB pseudo-device stf # 6to4 IPv6 over IPv4 encapsulation Note that the -[stf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?stf+4+NetBSD-5.0.1+i386) device is +[[!template id=man name="stf" section="4"]] device is not enabled by default on NetBSD releases older than 4.0. Rebuild your kernel, then reboot your system to use the new kernel. Please consult [[Compiling the kernel|guide/kernel]] for further information on configuring, @@ -1254,7 +1258,7 @@ here are: The first step in setting up 6to4 is creating the 6to4 interface and assigning an IPv6 address to it. This is achieved with the -[ifconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ifconfig+8+NetBSD-5.0.1+i386) +[[!template id=man name="ifconfig" section="8"]] command. Assuming the example configuration above, the commands for NetBSD are: # ifconfig stf0 create @@ -1268,7 +1272,7 @@ NetBSD: # route add -inet6 default 2002:c058:6301:: Note that NetBSD's -[stf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?stf+4+NetBSD-5.0.1+i386) device +[[!template id=man name="stf" section="4"]] device determines the IPv4 address of the 6to4 uplink from the routing table. Using this feature, it is easy to setup your own 6to4 (uplink) gateway if you have an IPv6 uplink, e.g. via 6Bone. 
@@ -1340,7 +1344,7 @@ Steps to setup the pkgsrc/net/hf6to4 pac # make install 2. Make sure you have the - [stf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?stf+4+NetBSD-5.0.1+i386) + [[!template id=man name="stf" section="4"]] pseudo-device in your kernel, see above. 3. Configure the 'hf6to4' package. First, copy @@ -1352,7 +1356,7 @@ Steps to setup the pkgsrc/net/hf6to4 pac # vi hf6to4.conf Please see the - [hf6to4(8)](http://netbsd.gw.com/cgi-bin/man-cgi?hf6to4+8+NetBSD-5.0.1+i386) + [[!template id=man name="hf6to4" section="8"]] manpage for an explanation of all the variables you can set in `hf6to4.conf`. If you have dialup IP via PPP, and don't want to run Router Advertizing for other IPv6 machines on your home or office network, you @@ -1366,7 +1370,7 @@ Steps to setup the pkgsrc/net/hf6to4 pac # /usr/pkg/sbin/hf6to4 start 5. After that, you should be connected, use - [ping6(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ping6+8+NetBSD-5.0.1+i386): to + [[!template id=man name="ping6" section="8"]]: to see if everything works: # ping6 www.NetBSD.org @@ -1508,7 +1512,7 @@ rules) v4-encapsulated IPv6 packets, all gateway. Of course you only want to do this on one host and use native IPv6 between your hosts, and you may also want to enforce this with more restrictive rulesets, please see -[ipf.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?ipf.conf+5+NetBSD-5.0.1+i386) +[[!template id=man name="ipf.conf" section="5"]] for more information on IPFilter rules. After your firewall lets pass encapsulated IPv6 packets, you may want to set up
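Review bot: the context line `[Configuring the gateway/firewall|guide/net-practice#ipnat-configuring-gateway]]` in the `pseudo-device ipfilter` paragraph (hunk @@ -188,14 +192,14) has only one opening bracket, so it will not be treated as a wikilink. Since this hunk already rewrites the `ipf(4)` reference two lines above, fix it in the same change to `[[Configuring the gateway/firewall|guide/net-practice#ipnat-configuring-gateway]]`, matching the correctly bracketed copy in hunk @@ -111,8 +115,8.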
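Review bot: same bracket problem in hunk @@ -262,7 +266,7: the context line `and [IPv6 Connectivity & Transition via 6to4|guide/net-practice#ipv6-6to4]]` is missing its leading `[`, so the `stf(4)` paragraph ends with a broken link. Change it to `[[IPv6 Connectivity & Transition via 6to4|guide/net-practice#ipv6-6to4]]` while this paragraph is being touched.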
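Review bot: unbalanced parenthesis in hunk @@ -528,16 +532,16: the changed line `[[!template id=man name="cu" section="1"]]. Cables are` closes the sentence that opened with `(i.e. you are using the right port with` but never closes the parenthesis. Suggest `[[!template id=man name="cu" section="1"]]). Cables are`.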
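Review bot: hunk @@ -911,7 +915,7 correctly drops the doubled parentheses of the old `[brconfig(8)]((http://...))` link, but the trailing context line `command. First of a bridge interface has to be created.` is missing a word; suggest `First of all, a bridge interface has to be created.` so the paragraph reads cleanly after the link fix.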
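Review bot: hunk @@ -943,7 +947,7 is the only behavioural change in an otherwise link-only cleanup: `dhclient=yes` becomes `dhcpcd=yes` in the `/etc/rc.conf` example. That is the right variable for a current NetBSD base system, but it deserves a sentence in the commit message, and the rest of the page should be checked for any remaining `dhclient` references so the client-configuration text is consistent. The following context (address set automatically, `/etc/resolv.conf` created, default route installed) still describes what dhcpcd does, so no further prose change is needed here.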
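Review bot: stray possessive in the trailing context of hunk @@ -1118,7 +1122,7: `[[!template id=man name="stf" section="4"]] device found in NetBSD's.` should read `device found in NetBSD.` (compare `device found in NetBSD.` in the preceding hunk @@ -1108,7 +1112,7 for `gif(4)`).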
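Review bot: hunk @@ -1268,7 +1272,7 leaves `if you have an IPv6 uplink, e.g. via 6Bone.` in its trailing context. The 6Bone test network was phased out in 2006 (RFC 3701), so a 2018 edit of this paragraph should drop the example or replace it with a neutral phrase such as `e.g. a native IPv6 uplink from your ISP`, rather than sending readers to a network that no longer exists.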
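Review bot: punctuation in the changed line of hunk @@ -1366,7 +1370,7: `[[!template id=man name="ping6" section="8"]]: to` keeps the colon that followed the old inline link, so the sentence renders as `use ping6(8): to see if everything works:`. Drop the first colon so it reads `use [[!template id=man name="ping6" section="8"]] to see if everything works:`.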