Diffstat (limited to 'etc')
-rw-r--r-- | etc/defaults/periodic.conf | 6 | ||||
-rw-r--r-- | etc/defaults/rc.conf | 11 | ||||
-rw-r--r-- | etc/devd.conf | 1 | ||||
-rw-r--r-- | etc/etc.arm/ttys | 6 | ||||
-rw-r--r-- | etc/inetd.conf | 1 | ||||
-rw-r--r-- | etc/mtree/BSD.tests.dist | 2 | ||||
-rw-r--r-- | etc/rc.d/iovctl | 2 | ||||
-rwxr-xr-x | etc/rc.d/random | 47 | ||||
-rw-r--r-- | etc/rc.firewall | 38 | ||||
-rw-r--r-- | etc/sendmail/freebsd.mc | 1 | ||||
-rw-r--r-- | etc/sendmail/freebsd.submit.mc | 1 | ||||
-rw-r--r-- | etc/services | 2 |
12 files changed, 79 insertions, 39 deletions
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index c70bee2..fbc5d0a 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -357,8 +357,12 @@ if [ -z "${source_periodic_confs_defined}" ]; then
 *) return 0 ;;
 esac
 ;;
+ '')
+ # Script run manually.
+ return 0
+ ;;
 *)
- echo "ASSERTION FAILED: Unexpected value for " \
+ echo "ASSERTION FAILED: Unexpected value for" \
 "\$PERIODIC: '$PERIODIC'" >&2
 exit 127
 ;;
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index ef3b861..125d59e 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -630,15 +630,16 @@ kern_securelevel="-1" # range: -1..3 ; `-1' is the most insecure
 # in the system booting with securelevel set to 1, as
 # init(8) will raise the level when rc(8) completes.
 update_motd="YES" # update version info in /etc/motd (or NO)
-entropy_file="/entropy" # Set to NO to disable caching entropy through reboots.
+entropy_boot_file="/boot/entropy" # Set to NO to disable very early
+ # (used at early boot time) entropy caching through reboots.
+entropy_file="/entropy" # Set to NO to disable late (used when going multi-user)
+ # entropy through reboots.
 # /var/db/entropy-file is preferred if / is not avail.
 entropy_dir="/var/db/entropy" # Set to NO to disable caching entropy via cron.
 entropy_save_sz="4096" # Size of the entropy cache files.
 entropy_save_num="8" # Number of entropy cache files to save.
-harvest_interrupt="YES" # Entropy device harvests interrupt randomness
-harvest_ethernet="YES" # Entropy device harvests ethernet randomness
-harvest_p_to_p="YES" # Entropy device harvests point-to-point randomness
-harvest_swi="YES" # Entropy device harvests internal SWI randomness
+harvest_mask="511" # Entropy device harvests all but the very invasive sources.
+ # (See 'sysctl kern.random.harvest' and random(4))
 dmesg_enable="YES" # Save dmesg(8) to /var/run/dmesg.boot
 watchdogd_enable="NO" # Start the software watchdog daemon
 watchdogd_flags="" # Flags to watchdogd (if enabled)
diff --git a/etc/devd.conf b/etc/devd.conf
index 7a033a7..04a090b 100644
--- a/etc/devd.conf
+++ b/etc/devd.conf
@@ -296,7 +296,6 @@ detach 10 {
 # Button: Button pressed (0 for power, 1 for sleep)
 # CMBAT: ACPI battery events
 # Lid: Lid state (0 is closed, 1 is open)
-# RCTL: Resource limits
 # Suspend, Resume: Suspend and resume notification
 # Thermal: ACPI thermal zone events
 #
diff --git a/etc/etc.arm/ttys b/etc/etc.arm/ttys
index 501bae6..f5f225e 100644
--- a/etc/etc.arm/ttys
+++ b/etc/etc.arm/ttys
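Review bot: The comment on the new `harvest_mask="511"` line does not say that the value is a bitmask nor what a value of 0 does, which is exactly what an administrator editing rc.conf needs to know; I would write `harvest_mask="511" # Bitmask of entropy sources to harvest (see kern.random.harvest.mask in random(4)); rc.d/random only applies it when it is greater than 0.` The `entropy_boot_file` comment, `disable very early (used at early boot time) entropy caching`, says the same thing twice and could be `# Set to NO to disable caching entropy for the loader to use at early boot.` Both are documentation-only changes.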
@@ -42,8 +42,8 @@ ttyv7 "/usr/libexec/getty Pc" xterm off secure
 # Serial terminals
 # The 'dialup' keyword identifies dialin lines to login, fingerd etc.
 ttyu0 "/usr/libexec/getty 3wire" vt100 onifconsole secure
-ttyu1 "/usr/libexec/getty std.9600" dialup off secure
-ttyu2 "/usr/libexec/getty std.9600" dialup off secure
-ttyu3 "/usr/libexec/getty std.9600" dialup off secure
+ttyu1 "/usr/libexec/getty 3wire" vt100 onifconsole secure
+ttyu2 "/usr/libexec/getty 3wire" vt100 onifconsole secure
+ttyu3 "/usr/libexec/getty 3wire" vt100 onifconsole secure
 # Dumb console
 dcons "/usr/libexec/getty std.9600" vt100 off secure
diff --git a/etc/inetd.conf b/etc/inetd.conf
index 77b4eda..98958d4 100644
--- a/etc/inetd.conf
+++ b/etc/inetd.conf
@@ -68,6 +68,7 @@
 #walld/1 dgram rpc/udp wait root /usr/libexec/rpc.rwalld rpc.rwalld
 #pcnfsd/1-2 dgram rpc/udp wait root /usr/local/libexec/rpc.pcnfsd rpc.pcnfsd
 #rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotad
+#rquotad/1 dgram rpc/udp6 wait root /usr/libexec/rpc.rquotad rpc.rquotad
 #sprayd/1 dgram rpc/udp wait root /usr/libexec/rpc.sprayd rpc.sprayd
 #
 # example entry for the optional pop3 server
diff --git a/etc/mtree/BSD.tests.dist b/etc/mtree/BSD.tests.dist
index 96e3b3c..3c51c7b 100644
--- a/etc/mtree/BSD.tests.dist
+++ b/etc/mtree/BSD.tests.dist
@@ -536,6 +536,8 @@
 ..
 gzip
 ..
+ ident
+ ..
 join
 ..
 jot
diff --git a/etc/rc.d/iovctl b/etc/rc.d/iovctl
index f207b08..1958a26 100644
--- a/etc/rc.d/iovctl
+++ b/etc/rc.d/iovctl
@@ -27,7 +27,7 @@ run_iovctl()
 
 iovctl_start()
 {
- run_iovctl -E
+ run_iovctl -C
 }
 
 iovctl_stop()
diff --git a/etc/rc.d/random b/etc/rc.d/random
index 2420a39..ddd37e1 100755
--- a/etc/rc.d/random
+++ b/etc/rc.d/random
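Review bot: The retained comment `# The 'dialup' keyword identifies dialin lines to login, fingerd etc.` is stale after this hunk, since no line in the serial section uses `dialup` any more; drop it or reword it. Note also that ttyu1 to ttyu3 keep the `secure` flag while moving from `off` to `onifconsole`, so a getty that allows direct root login is now started on whichever of the four ports is the console; that matches ttyu0 and is presumably intended, but a one-line comment above the block saying so would save the next reader the check.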
@@ -41,6 +41,13 @@ feed_dev_random()
 
 random_start()
 {
+
+ if [ ${harvest_mask} -gt 0 ]; then
+ echo -n 'Setting up harvesting:'
+ ${SYSCTL} kern.random.harvest.mask=${harvest_mask} > /dev/null
+ ${SYSCTL_N} kern.random.harvest.mask_symbolic
+ fi
+
 echo -n 'Feeding entropy:'
 
 if [ ! -w /dev/random ] ; then
@@ -60,7 +67,7 @@ random_start()
 esac
 
 case ${entropy_file:=/entropy} in
- [Nn][Oo] | '')
+ [Nn][Oo])
 ;;
 *)
 feed_dev_random "${entropy_file}" /var/db/entropy-file
@@ -68,6 +75,14 @@ random_start()
 ;;
 esac
 
+ case ${entropy_boot_file:=/boot/entropy} in
+ [Nn][Oo])
+ ;;
+ *)
+ save_dev_random "${entropy_boot_file}"
+ ;;
+ esac
+
 echo '.'
 }
 
@@ -77,7 +92,7 @@ random_stop()
 # can be reseeded
 #
 case ${entropy_file:=/entropy} in
- [Nn][Oo] | '')
+ [Nn][Oo])
 ;;
 *)
 echo -n 'Writing entropy file:'
@@ -100,7 +115,33 @@ random_stop()
 ;;
 *)
 dd if=/dev/random of=${entropy_file_confirmed} \
- bs=4096 count=1 2> /dev/null
+ bs=4096 count=1 2> /dev/null ||
+ warn 'write failed (unwriteable file or full fs?)'
+ echo '.'
+ ;;
+ esac
+ umask ${oumask}
+ ;;
+ esac
+ case ${entropy_boot_file:=/boot/entropy} in
+ [Nn][Oo])
+ ;;
+ *)
+ echo -n 'Writing early boot entropy file:'
+ rm -f ${entropy_boot_file} 2> /dev/null
+ oumask=`umask`
+ umask 077
+ if touch ${entropy_boot_file} 2> /dev/null; then
+ entropy_boot_file_confirmed="${entropy_boot_file}"
+ fi
+ case ${entropy_boot_file_confirmed} in
+ '')
+ warn 'write failed (read-only fs?)'
+ ;;
+ *)
+ dd if=/dev/random of=${entropy_boot_file_confirmed} \
+ bs=4096 count=1 2> /dev/null ||
+ warn 'write failed (unwriteable file or full fs?)'
 echo '.'
 ;;
 esac
diff --git a/etc/rc.firewall b/etc/rc.firewall
index ee578ef..c936da6 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -266,6 +266,7 @@ case ${firewall_type} in
 # firewall_simple_oif_ipv6: Outside IPv6 network interface.
 # firewall_simple_onet_ipv6: Outside IPv6 network prefix.
 ############
+ BAD_ADDR_TBL=13
 
 # set these to your outside interface network
 oif="$firewall_simple_oif"
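Review bot: `if [ ${harvest_mask} -gt 0 ]; then` at the top of random_start misbehaves when harvest_mask is empty or non-numeric: `[` prints an error on the console and the test fails, and a user who writes `harvest_mask="NO"` (the convention every other knob in this script uses) gets the same error instead of a clean skip. Handle it the way the rest of the file does, `case ${harvest_mask} in ''|[Nn][Oo]|0) ;; *) ... ;; esac`, or at minimum quote the expansion, and check the exit status of the `${SYSCTL}` call since its output is discarded. The rest of random_start continues outside the hunk.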
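Review bot: `save_dev_random "${entropy_boot_file}"` calls a helper that this diff neither adds nor changes (the diffstat's 47 lines are all accounted for by the hunks shown), so the file must already define it; confirm it exists and that it creates `${entropy_boot_file}` with a restrictive umask, because this path now runs on every start and the result is what the loader feeds the kernel at next boot. A short comment would also help, since writing a file from a start method is unusual: `# Refresh the loader's early-boot entropy file so the next boot does not reuse what was just consumed` — assuming that is the intent. The enclosing random_start continues outside the hunk.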
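Review bot: The new early-boot branch of random_stop reimplements inline (`rm -f`, `touch`, `umask 077`, `dd`) what random_start delegates to `save_dev_random`, and it repeats the entropy_file branch directly above almost verbatim; unless the two need different messages, call the helper here too, which would also remove the unquoted `${entropy_boot_file}` in the `rm -f` and `touch` lines (random_start quotes it). The `umask ${oumask}` restore for this branch is not in the hunk; presumably the tail lines after the closing `esac` that formerly ended the entropy_file branch now serve the boot-file branch, but verify that the value saved by `oumask=\`umask\`` is restored on both the `''` and `*)` paths of the inner case.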
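Review bot: `BAD_ADDR_TBL=13` is a fixed ipfw table number with no comment on why 13 was chosen, and a site whose own rules already use table 13 will have its entries silently discarded by the `flush` in the next hunk. At least document the reservation, e.g. `BAD_ADDR_TBL=13 # ipfw table holding the never-route prefixes below; change it if your own rules already use table 13`, and consider letting it be overridden from rc.conf like the other `firewall_simple_*` settings in this section.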
@@ -290,19 +291,23 @@ case ${firewall_type} in
 fi
 fi
 
+ # Define stuff we should never send out or receive in.
 # Stop RFC1918 nets on the outside interface
- ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
- ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
- ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
+ ${fwcmd} table ${BAD_ADDR_TBL} flush
+ ${fwcmd} table ${BAD_ADDR_TBL} add 10.0.0.0/8
+ ${fwcmd} table ${BAD_ADDR_TBL} add 172.16.0.0/12
+ ${fwcmd} table ${BAD_ADDR_TBL} add 192.168.0.0/16
 
- # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
+ # And stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
 # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
 # on the outside interface
- ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
- ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
- ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
- ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
- ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
+ ${fwcmd} table ${BAD_ADDR_TBL} add 0.0.0.0/8
+ ${fwcmd} table ${BAD_ADDR_TBL} add 169.254.0.0/16
+ ${fwcmd} table ${BAD_ADDR_TBL} add 192.0.2.0/24
+ ${fwcmd} table ${BAD_ADDR_TBL} add 224.0.0.0/4
+ ${fwcmd} table ${BAD_ADDR_TBL} add 240.0.0.0/4
+
+ ${fwcmd} add deny all from any to "table($BAD_ADDR_TBL)" via ${oif}
 
 # Network Address Translation. This rule is placed here deliberately
 # so that it does not interfere with the surrounding address-checking
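Review bot: The new comment `# Define stuff we should never send out or receive in.` promises more than the table delivers: it only carries over the RFC1918 and draft-manning prefixes, so 127.0.0.0/8, the RFC 6598 shared space 100.64.0.0/10 and the RFC 5737 documentation nets 198.51.100.0/24 and 203.0.113.0/24 still pass the outside interface. Now that the list is a table, adding those is one `table add` line each; otherwise keep the comment specific to what is listed. Separately, `"table($BAD_ADDR_TBL)"` uses `$BAD_ADDR_TBL` while every other new line writes `${BAD_ADDR_TBL}`; pick one form.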
@@ -319,20 +324,7 @@ case ${firewall_type} in
 ;;
 esac
 
- # Stop RFC1918 nets on the outside interface
- ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
- ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
- ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
-
- # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
- # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
- # on the outside interface
- ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
- ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
- ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
- ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
- ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
-
+ ${fwcmd} add deny all from "table($BAD_ADDR_TBL)" to any via ${oif}
 if [ -n "$inet6" ]; then
 # Stop unique local unicast address on the outside interface
 ${fwcmd} add deny all from fc00::/7 to any via ${oif6}
diff --git a/etc/sendmail/freebsd.mc b/etc/sendmail/freebsd.mc
index 7ab7386..b8b7780 100644
--- a/etc/sendmail/freebsd.mc
+++ b/etc/sendmail/freebsd.mc
@@ -42,7 +42,6 @@ divert(-1)
 # /usr/share/sendmail/cf/README or
 # /usr/src/contrib/sendmail/cf/README
 #
-#
 # NOTE: If you enable RunAsUser, make sure that you adjust the permissions
 # and owner of the SSL certificates and keys in /etc/mail/certs to be usable
 # by that user.
diff --git a/etc/sendmail/freebsd.submit.mc b/etc/sendmail/freebsd.submit.mc
index c6ec655..aac0403 100644
--- a/etc/sendmail/freebsd.submit.mc
+++ b/etc/sendmail/freebsd.submit.mc
@@ -7,7 +7,6 @@ divert(-1)
 # forth in the LICENSE file which can be found at the top level of
 # the sendmail distribution.
 #
-#
 #
 # This is the FreeBSD configuration for a set-group-ID sm-msp sendmail
diff --git a/etc/services b/etc/services
index 1311799..3d06be6 100644
--- a/etc/services
+++ b/etc/services
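Review bot: The inbound rule `${fwcmd} add deny all from "table($BAD_ADDR_TBL)" to any via ${oif}` replaces thirteen commented lines with one that has no comment and no blank line before the following `if [ -n "$inet6" ]; then`, so a reader has to find the table definition some thirty lines up to learn what is being dropped. Keep the blank line and add a comment above the rule, e.g. `# Stop the same never-route prefixes coming in on the outside interface`. The enclosing `case ${firewall_type}` arm continues outside the hunk.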
@@ -2365,6 +2365,8 @@ prosharerequest 5716/tcp #proshare conf request
 prosharerequest 5716/udp #proshare conf request
 prosharenotify 5717/tcp #proshare conf notify
 prosharenotify 5717/udp #proshare conf notify
+couchdb 5984/tcp #CouchDB database server
+couchdb 5984/udp #CouchDB database server
 cvsup 5999/tcp #CVSup file transfer/John Polstra/FreeBSD
 x11 6000/tcp #6000-6063 are assigned to X Window System
 x11 6000/udp |