--- wikisrc/guide/net-practice.mdwn 2013/03/14 23:19:08 1.2
+++ wikisrc/guide/net-practice.mdwn 2019/09/02 20:48:36 1.7
@@ -1,3 +1,7 @@
+**Contents**
+
+[[!toc levels=3]]
+
# Setting up TCP/IP on NetBSD in practice
## A walk through the kernel configuration
@@ -10,9 +14,9 @@ take the i386/GENERIC config file as an
platforms should contain similar information, the comments in the config files
give additional hints. Besides the information given here, each kernel option is
also documented in the
-[options(4)](http://netbsd.gw.com/cgi-bin/man-cgi?options+4+NetBSD-5.0.1+i386)
+[[!template id=man name="options" section="4"]]
manpage, and there is usually a manpage for each driver too, e.g.
-[tlp(4)](http://netbsd.gw.com/cgi-bin/man-cgi?tlp+4+NetBSD-5.0.1+i386).
+[[!template id=man name="tlp" section="4"]].
The first line of each config file shows the version. It can be used to compare
against other versions via CVS, or when reporting bugs.
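Review bot: both replacements in this hunk drop the release and port that the old URLs pinned (`NetBSD-5.0.1+i386`); the template call passes only `name` and `section`. The paragraph takes i386/GENERIC as its example and tlp(4) is a driver page, so please confirm that the `man` template resolves to a page matching the release and architecture the guide describes, or pass them explicitly if the template accepts such parameters.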
@@ -21,7 +25,7 @@ against other versions via CVS, or when
If you want to run the Network Time Protocol (NTP), this option can be enabled
for maximum precision. If the option is not present, NTP will still work. See
-[ntpd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ntpd+8+NetBSD-5.0.1+i386) for
+[[!template id=man name="ntpd" section="8"]] for
more information.
file-system NFS # Network File System client
@@ -42,7 +46,7 @@ information on NFS.
If you want to setup a router that forwards packets between networks or network
interfaces, setting this option is needed. It doesn't only switch on packet
forwarding, but also increases some buffers. See
-[options(4)](http://netbsd.gw.com/cgi-bin/man-cgi?options+4+NetBSD-5.0.1+i386)
+[[!template id=man name="options" section="4"]]
for details.
options INET # IP + ICMP + TCP + UDP
@@ -50,7 +54,7 @@ for details.
This enables the TCP/IP code in the kernel. Even if you don't want/use
networking, you will still need this for machine-internal communication of
subsystems like the X Window System. See
-[inet(4)](http://netbsd.gw.com/cgi-bin/man-cgi?inet+4+NetBSD-5.0.1+i386) for
+[[!template id=man name="inet" section="4"]] for
more details.
options INET6 # IPV6
@@ -58,7 +62,7 @@ more details.
If you want to use IPv6, this is your option. If you don't want IPv6, which is
part of NetBSD since the 1.5 release, you can remove/comment out that option.
See the
-[inet6(4)](http://netbsd.gw.com/cgi-bin/man-cgi?inet6+4+NetBSD-5.0.1+i386)
+[[!template id=man name="inet6" section="4"]]
manpage and [[Next generation Internet protocol -
IPv6|guide/net-intro#ipv6-intro]] for more information on the next generation
Internet protocol.
@@ -68,7 +72,7 @@ Internet protocol.
Includes support for the IPsec protocol, including key and policy management,
authentication and compression. This option can be used without the previous
option INET6, if you just want to use IPsec with IPv4, which is possible. See
-[ipsec(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ipsec+4+NetBSD-5.0.1+i386) for
+[[!template id=man name="ipsec" section="4"]] for
more information.
#options IPSEC_ESP # IP security (encryption part; define w/IPSEC)
@@ -79,7 +83,7 @@ This option is needed in addition to IPS
If multicast services like the MBone services should be routed, this option
needs to be included. Note that the routing itself is controlled by the
-[mrouted(8)](http://netbsd.gw.com/cgi-bin/man-cgi?mrouted+8+NetBSD-5.0.1+i386)
+[[!template id=man name="mrouted" section="8"]]
daemon.
options ISO,TPIP # OSI
@@ -87,7 +91,7 @@ daemon.
These options include the OSI protocol stack, which was said for a long time to
be the future of networking. It's mostly history these days. :-) See the
-[iso(4)](http://netbsd.gw.com/cgi-bin/man-cgi?iso+4+NetBSD-5.0.1+i386) manpage
+[[!template id=man name="iso" section="4"]] manpage
for more information.
options NETATALK # AppleTalk networking protocols
@@ -96,7 +100,7 @@ Include support for the AppleTalk protoc
needed to make use of that. See pkgsrc/net/netatalk and pkgsrc/net/netatalk-asun
for such packages. More information on the AppleTalk protocol and protocol stack
are available in the
-[atalk(4)](http://netbsd.gw.com/cgi-bin/man-cgi?atalk+4+NetBSD-5.0.1+i386)
+[[!template id=man name="atalk" section="4"]]
manpage.
options PPP_BSDCOMP # BSD-Compress compression support for PPP
@@ -111,8 +115,8 @@ enables code to filter some packets.
options IPFILTER_LOG # ipmon(8) log support
These options enable firewalling in NetBSD, using IPFilter. See the
-[ipf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ipf+4+NetBSD-5.0.1+i386) and
-[ipf(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ipf+8+NetBSD-5.0.1+i386) manpages
+[[!template id=man name="ipf" section="4"]] and
+[[!template id=man name="ipf" section="8"]] manpages
for more information on operation of IPFilter, and [[Configuring the
gateway/firewall|guide/net-practice#ipnat-configuring-gateway]] for a
configuration example.
@@ -131,7 +135,7 @@ broadcast-address to `0`. The `TCP_COMPA
These options enable lookup of data via DHCP or the BOOTPARAM protocol if the
kernel is told to use a NFS root file system. See the
-[diskless(8)](http://netbsd.gw.com/cgi-bin/man-cgi?diskless+8+NetBSD-5.0.1+i386)
+[[!template id=man name="diskless" section="8"]]
manpage for more information.
# Kernel root file system and dump configuration.
@@ -161,15 +165,15 @@ Others with attachment on USB, PCMCIA or
This rather long list contains all sorts of network drivers. Please pick the one
that matches your hardware, according to the comments. For most drivers, there's
also a manual page available, e.g.
-[tlp(4)](http://netbsd.gw.com/cgi-bin/man-cgi?tlp+4+NetBSD-5.0.1+i386),
-[ne(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ne+4+NetBSD-5.0.1+i386), etc.
+[[!template id=man name="tlp" section="4"]],
+[[!template id=man name="ne" section="4"]], etc.
# MII/PHY support
This section lists media independent interfaces for network cards. Pick one that
matches your hardware. If in doubt, enable them all and see what the kernel
picks. See the
-[mii(4)](http://netbsd.gw.com/cgi-bin/man-cgi?mii+4+NetBSD-5.0.1+i386) manpage
+[[!template id=man name="mii" section="4"]] manpage
for more information.
# USB Ethernet adapters
@@ -188,14 +192,14 @@ for more information.
This pseudo-device allows sniffing packets of all sorts. It's needed for
tcpdump, but also rarpd and some other applications that need to know about
network traffic. See
-[bpf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?bpf+4+NetBSD-5.0.1+i386) for more
+[[!template id=man name="bpf" section="4"]] for more
information.
pseudo-device ipfilter # IP filter (firewall) and NAT
This one enables the IPFilter's packet filtering kernel interface used for
firewalling, NAT (IP Masquerading) etc. See
-[ipf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ipf+4+NetBSD-5.0.1+i386) and
+[[!template id=man name="ipf" section="4"]] and
[Configuring the gateway/firewall|guide/net-practice#ipnat-configuring-gateway]]
for more information.
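Review bot: the wikilink on the context line right after the changed ipf(4) line opens with a single `[` but closes with `]]` (`[Configuring the gateway/firewall|guide/net-practice#ipnat-configuring-gateway]]`), so it will not render as a link. The same target opens with `[[` in the IPFILTER_LOG hunk earlier in this patch; since this paragraph is being touched anyway, add the missing `[` here.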
@@ -203,14 +207,14 @@ for more information.
This is the `lo0` software loopback network device which is used by some
programs these days, as well as for routing things. It should not be omitted.
-See [lo(4)](http://netbsd.gw.com/cgi-bin/man-cgi?lo+4+NetBSD-5.0.1+i386) for
+See [[!template id=man name="lo" section="4"]] for
more details.
pseudo-device ppp 2 # Point-to-Point Protocol
If you want to use PPP either over a serial interface or ethernet (PPPoE), you
will need this option. See
-[ppp(4)](http://netbsd.gw.com/cgi-bin/man-cgi?ppp+4+NetBSD-5.0.1+i386) for
+[[!template id=man name="ppp" section="4"]] for
details on this interface.
pseudo-device sl 2 # Serial Line IP
@@ -218,13 +222,13 @@ details on this interface.
Serial Line IP is a simple encapsulation for IP over (well :) serial lines. It
does not include negotiation of IP addresses and other options, which is the
reason that it's not in widespread use today any more. See
-[sl(4)](http://netbsd.gw.com/cgi-bin/man-cgi?sl+4+NetBSD-5.0.1+i386).
+[[!template id=man name="sl" section="4"]].
pseudo-device strip 2 # Starmode Radio IP (Metricom)
If you happen to have one of the old Metricom Ricochet packet radio wireless
network devices, use this pseudo-device to use it. See the
-[strip(4)](http://netbsd.gw.com/cgi-bin/man-cgi?strip+4+NetBSD-5.0.1+i386)
+[[!template id=man name="strip" section="4"]]
manpage for detailed information.
pseudo-device tun 2 # network tunneling over tty
@@ -233,28 +237,28 @@ This network device can be used to tunne
`/dev/tun*`. Packets routed to the tun0 interface can be read from `/dev/tun0`,
and data written to `/dev/tun0` will be sent out the tun0 network interface.
This can be used to implement e.g. QoS routing in userland. See
-[tun(4)](http://netbsd.gw.com/cgi-bin/man-cgi?tun+4+NetBSD-5.0.1+i386) for
+[[!template id=man name="tun" section="4"]] for
details.
pseudo-device gre 2 # generic L3 over IP tunnel
The GRE encapsulation can be used to tunnel arbitrary layer 3 packets over IP,
e.g. to implement VPNs. See
-[gre(4)](http://netbsd.gw.com/cgi-bin/man-cgi?gre+4+NetBSD-5.0.1+i386) for more.
+[[!template id=man name="gre" section="4"]] for more.
pseudo-device gif 4 # IPv[46] over IPv[46] tunnel (RFC 1933)
Using the GIF interface allows to tunnel e.g. IPv6 over IPv4, which can be used
to get IPv6 connectivity if no IPv6-capable uplink (ISP) is available. Other
mixes of operations are possible, too. See the
-[gif(4)](http://netbsd.gw.com/cgi-bin/man-cgi?gif+4+NetBSD-5.0.1+i386) manpage
+[[!template id=man name="gif" section="4"]] manpage
for some examples.
#pseudo-device faith 1 # IPv[46] tcp relay translation i/f
The faith interface captures IPv6 TCP traffic, for implementing userland
IPv6-to-IPv4 TCP relays e.g. for protocol transitions. See the
-[faith(4)](http://netbsd.gw.com/cgi-bin/man-cgi?faith+4+NetBSD-5.0.1+i386)
+[[!template id=man name="faith" section="4"]]
manpage for more details on this device.
#pseudo-device stf 1 # 6to4 IPv6 over IPv4 encapsulation
@@ -262,7 +266,7 @@ manpage for more details on this device.
This adds a network device that can be used to tunnel IPv6 over IPv4 without
setting up a configured tunnel before. The source address of outgoing packets
contains the IPv4 address, which allows routing replies back via IPv4. See the
-[stf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?stf+4+NetBSD-5.0.1+i386) manpage
+[[!template id=man name="stf" section="4"]] manpage
and [IPv6 Connectivity & Transition via 6to4|guide/net-practice#ipv6-6to4]] for
more details.
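Review bot: the context line following the changed stf(4) line has an unbalanced wikilink, `[IPv6 Connectivity & Transition via 6to4|guide/net-practice#ipv6-6to4]]`, which opens with one `[` and closes with `]]`. Please fix it to `[[IPv6 Connectivity & Transition via 6to4|guide/net-practice#ipv6-6to4]]` in the same change so the cross-reference to the 6to4 section works.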
@@ -273,7 +277,7 @@ tagging Ethernet frames with a `vlan` ID
(that also have to support VLAN, of course), this can be used to build virtual
LANs where one set of machines doesn't see traffic from the other (broadcast and
other). The
-[vlan(4)](http://netbsd.gw.com/cgi-bin/man-cgi?vlan+4+NetBSD-5.0.1+i386) manpage
+[[!template id=man name="vlan" section="4"]] manpage
tells more about this.
## Overview of the network configuration files
@@ -397,7 +401,7 @@ to the provider is alan, an example conn
In the previous example, the script specifies a *chat file* to be used for the
connection. The options in the script are detailed in the
-[pppd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pppd+8+NetBSD-5.0.1+i386) man
+[[!template id=man name="pppd" section="8"]] man
page.
### Note
@@ -409,8 +413,8 @@ connection script
kdebug 4
You will get a log of the operations performed when the system tries to connect.
-See [pppd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pppd+8+NetBSD-5.0.1+i386),
-[syslog.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?syslog.conf+5+NetBSD-5.0.1+i386).
+See [[!template id=man name="pppd" section="8"]],
+[[!template id=man name="syslog.conf" section="5"]].
The connection script calls the chat application to deal with the physical
connection (modem initialization, dialing, ...) The parameters to chat can be
@@ -427,7 +431,7 @@ separate file. If, for example, the tele
*Note*: If you have problems with the chat file, you can try connecting manually
to the POP with the
-[cu(1)](http://netbsd.gw.com/cgi-bin/man-cgi?cu+1+NetBSD-5.0.1+i386) program and
+[[!template id=man name="cu" section="1"]] program and
verify the exact strings that you are receiving.
### Authentication
@@ -494,7 +498,7 @@ The only thing left to do is the creatio
noipdefault
Check the
-[pppd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pppd+8+NetBSD-5.0.1+i386) man
+[[!template id=man name="pppd" section="8"]] man
page for the meaning of the options.
### Testing the modem
@@ -502,7 +506,7 @@ page for the meaning of the options.
Before activating the link it is a good idea to make a quick modem test, in
order to verify that the physical connection and the communication with the
modem works. For the test the
-[cu(1)](http://netbsd.gw.com/cgi-bin/man-cgi?cu+1+NetBSD-5.0.1+i386) program can
+[[!template id=man name="cu" section="1"]] program can
be used, as in the following example.
1. Create the file `/etc/uucp/port` with the following lines:
@@ -528,16 +532,16 @@ be used, as in the following example.
In the previous example the reset command (ATZ) was sent to the modem, which
replied with OK: the communication works. To exit
- [cu(1)](http://netbsd.gw.com/cgi-bin/man-cgi?cu+1+NetBSD-5.0.1+i386), write
+ [[!template id=man name="cu" section="1"]], write
`~` (tilde) followed by `.` (dot), as in the example.
If the modem doesn't work, check that it is connected to the correct port (i.e.
you are using the right port with
-[cu(1)](http://netbsd.gw.com/cgi-bin/man-cgi?cu+1+NetBSD-5.0.1+i386). Cables are
+[[!template id=man name="cu" section="1"]]. Cables are
a frequent cause of trouble, too.
When you start
-[cu(1)](http://netbsd.gw.com/cgi-bin/man-cgi?cu+1+NetBSD-5.0.1+i386) and a
+[[!template id=man name="cu" section="1"]] and a
message saying `Permission denied` appears, check who is the owner of the
`/dev/tty##` device, it must be "uucp". For example:
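Review bot: in the "If the modem doesn't work" paragraph the parenthesis opened at `(i.e.` is never closed; the sentence ends at `[[!template id=man name="cu" section="1"]].` with no `)`. The old line had the same defect, but since the line is being rewritten, close the parenthesis before the full stop.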
@@ -610,10 +614,10 @@ The two scripts must be executable:
If you find yourself to always run the same set of commands each time you dial
in, you can put them in a script `/etc/ppp/ip-up` which will be called by
-[pppd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pppd+8+NetBSD-5.0.1+i386) after
+[[!template id=man name="pppd" section="8"]] after
successful dial-in. Likewise, before the connection is closed down,
`/etc/ppp/ip-down` is executed. Both scripts are expected to be executable. See
-[pppd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pppd+8+NetBSD-5.0.1+i386) for
+[[!template id=man name="pppd" section="8"]] for
more details.
## Creating a small home network
@@ -911,7 +915,7 @@ The first step is to make sure support f
running kernel. Support is included in the GENERIC kernel.
When the system is ready the bridge can be created, this can be done using the
-[brconfig(8)]((http://netbsd.gw.com/cgi-bin/man-cgi?brconfig+8+NetBSD-current))
+[[!template id=man name="brconfig" section="8"]]
command. First of a bridge interface has to be created. With the following
`ifconfig` command the `bridge0` interface will be created:
@@ -943,7 +947,7 @@ being available, and most important, a D
to clients on request. To make a NetBSD client run in such an environment, it's
usually enough to set
- dhclient=yes
+ dhcpcd=yes
in `/etc/rc.conf`, and the IP address will be set automatically,
`/etc/resolv.conf` will be created and routing setup to the default router.
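Review bot: the switch from `dhclient=yes` to `dhcpcd=yes` is the one functional change among otherwise mechanical link conversions, and it changes what a reader puts in `/etc/rc.conf`. Please call it out in the commit message or split it into its own commit, check the rest of the page for remaining `dhclient` references (none are visible in this diff), and consider stating which releases the new variable applies to, as the stf(4) paragraph does for releases older than 4.0.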
@@ -1108,7 +1112,7 @@ example for such a configured tunnel is
described in
[RFC1933](http://tools.ietf.org/html/rfc1933) ("RFC 1933: Transition Mechanisms
for IPv6 Hosts and Routers"), and that's implemented e.g. by the
-[gif(4)](http://netbsd.gw.com/cgi-bin/man-cgi?gif+4+NetBSD-5.0.1+i386)
+[[!template id=man name="gif" section="4"]]
device found in NetBSD.
An *automatic* tunnel consists of a public server that has some kind of IPv6
@@ -1118,7 +1122,7 @@ registration of the sites using it as up
protocol is the 6to4 mechanism described in
[RFC3056](http://tools.ietf.org/html/rfc3056) ("RFC 3056: Connection of IPv6
Domains via IPv4 Clouds"), and that is implemented in the
-[stf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?stf+4+NetBSD-5.0.1+i386) device
+[[!template id=man name="stf" section="4"]] device
found in NetBSD's. Another mechanism that does not require registration of
IPv6-information is the 6over4 mechanism, which implements transporting of IPv6
over a multicast-enabled IPv4 network, instead of e.g. ethernet or FDDI. 6over4
@@ -1194,7 +1198,7 @@ them:
* subnet broadcast address as source/destination: depends on your IPv4 setup
The NetBSD
-[stf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?stf+4+NetBSD-5.0.1+i386) manual
+[[!template id=man name="stf" section="4"]] manual
page documents some common configuration mistakes intercepted by default by the
KAME stack as well as some further advice on filtering, but keep in mind that
because of the requirement of these filters, 6to4 is not perfectly secure.
@@ -1237,7 +1241,7 @@ it for using IPv6 and 6to4, e.g. on NetB
pseudo-device stf # 6to4 IPv6 over IPv4 encapsulation
Note that the
-[stf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?stf+4+NetBSD-5.0.1+i386) device is
+[[!template id=man name="stf" section="4"]] device is
not enabled by default on NetBSD releases older than 4.0. Rebuild your kernel,
then reboot your system to use the new kernel. Please consult
[[Compiling the kernel|guide/kernel]] for further information on configuring,
@@ -1254,7 +1258,7 @@ here are:
The first step in setting up 6to4 is creating the 6to4 interface and assigning
an IPv6 address to it. This is achieved with the
-[ifconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ifconfig+8+NetBSD-5.0.1+i386)
+[[!template id=man name="ifconfig" section="8"]]
command. Assuming the example configuration above, the commands for NetBSD are:
# ifconfig stf0 create
@@ -1268,7 +1272,7 @@ NetBSD:
# route add -inet6 default 2002:c058:6301::
Note that NetBSD's
-[stf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?stf+4+NetBSD-5.0.1+i386) device
+[[!template id=man name="stf" section="4"]] device
determines the IPv4 address of the 6to4 uplink from the routing table. Using
this feature, it is easy to setup your own 6to4 (uplink) gateway if you have an
IPv6 uplink, e.g. via 6Bone.
@@ -1340,7 +1344,7 @@ Steps to setup the pkgsrc/net/hf6to4 pac
# make install
2. Make sure you have the
- [stf(4)](http://netbsd.gw.com/cgi-bin/man-cgi?stf+4+NetBSD-5.0.1+i386)
+ [[!template id=man name="stf" section="4"]]
pseudo-device in your kernel, see above.
3. Configure the 'hf6to4' package. First, copy
@@ -1352,7 +1356,7 @@ Steps to setup the pkgsrc/net/hf6to4 pac
# vi hf6to4.conf
Please see the
- [hf6to4(8)](http://netbsd.gw.com/cgi-bin/man-cgi?hf6to4+8+NetBSD-5.0.1+i386)
+ [[!template id=man name="hf6to4" section="8"]]
manpage for an explanation of all the variables you can set in
`hf6to4.conf`. If you have dialup IP via PPP, and don't want to run Router
Advertizing for other IPv6 machines on your home or office network, you
@@ -1366,7 +1370,7 @@ Steps to setup the pkgsrc/net/hf6to4 pac
# /usr/pkg/sbin/hf6to4 start
5. After that, you should be connected, use
- [ping6(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ping6+8+NetBSD-5.0.1+i386): to
+ [[!template id=man name="ping6" section="8"]]: to
see if everything works:
# ping6 www.NetBSD.org
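Review bot: the colon after the ping6 template in step 5 is carried over from the old link, so the sentence reads "use ping6(8): to see if everything works:" with two colons. Drop the first one so the line becomes `[[!template id=man name="ping6" section="8"]] to`.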
@@ -1433,13 +1437,13 @@ necessary, you may find a list of known
[http://www.kfu.com/\~nsayer/6to4/](http://www.kfu.com/~nsayer/6to4/). In tests,
only 6to4.kfu.com and 6to4.ipv6.microsoft.com were found working. Cisco has one
that requires registration, see
-[http://www.cisco.com/ipv6/](http://www.cisco.com/ipv6/).
+.
There's also an experimental 6to4 server located in Germany,
6to4.ipv6.fh-regensburg.de. This server runs under NetBSD 1.6 and was setup
using the configuration steps described above. The whole configuration of the
machine can be seen at
-[http://www.feyrer.de/IPv6/netstart.local](http://www.feyrer.de/IPv6/netstart.local).
+.
### Tunneling 6to4 through an IPFilter firewall
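Review bot: both `+.` lines leave a sentence without its object. The Cisco sentence now reads "that requires registration, see ." and the Regensburg paragraph ends "The whole configuration of the machine can be seen at ." If the URLs are being dropped because they no longer resolve, remove or reword the sentences that introduce them (for example, end the first at "that requires registration."); otherwise keep the links.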
@@ -1508,7 +1512,7 @@ rules) v4-encapsulated IPv6 packets, all
gateway. Of course you only want to do this on one host and use native IPv6
between your hosts, and you may also want to enforce this with more restrictive
rulesets, please see
-[ipf.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?ipf.conf+5+NetBSD-5.0.1+i386)
+[[!template id=man name="ipf.conf" section="5"]]
for more information on IPFilter rules.
After your firewall lets pass encapsulated IPv6 packets, you may want to set up