FreeBSD Manual Pages
RC.CONF(5) File Formats Manual RC.CONF(5) NAME rc.conf -- system configuration information DESCRIPTION The file rc.conf contains descriptive information about the local host name, configuration details for any potential network interfaces and which services should be started up at system initial boot time. In new installations, the rc.conf file is generally initialized by the system installation utility. The purpose of rc.conf is not to run commands or perform system startup actions directly. Instead, it is included by the various generic startup scripts in /etc which conditionalize their internal actions ac- cording to the settings found there. The /etc/rc.conf file is included from the file /etc/defaults/rc.conf, which specifies the default settings for all the available options. Options need only be specified in /etc/rc.conf when the system adminis- trator wishes to override these defaults. The file /etc/defaults/vendor.conf allows vendors to override FreeBSD defaults. The file /etc/rc.conf.local is used to override settings in /etc/rc.conf for historical reasons. The sysrc(8) command provides a scripting interface to modify system config files. In addition to /etc/rc.conf.local you can also place smaller configura- tion files for each rc(8) script in the /etc/rc.conf.d directory or <dir>/rc.conf.d directories (where <dir> is each entry specified in local_startup, but with any trailing /rc.d stripped), which will be in- cluded by the load_rc_config function. For jail configurations you could use the file /etc/rc.conf.d/jail to store jail-specific configu- ration options. If local_startup contains /usr/local/etc/rc.d and /opt/conf, /usr/local/etc/rc.conf.d/jail and /opt/conf/rc.conf.d/jail will be loaded. If <dir>/rc.conf.d/<name> is a directory then all of the files in the directory will be loaded. See also the rc_conf_files variable below. Options are set with "name=value" assignments that use sh(1) syntax. The following list provides a name and short description for each vari- able that can be set in the rc.conf file: rc_debug (bool) If set to "YES", enable output of debug messages from rc scripts. This variable can be helpful in diagnos- ing mistakes when editing or integrating new scripts. Be- ware that this produces copious output to the terminal and syslog(3). rc_info (bool) If set to "NO", disable informational messages from the rc scripts. Informational messages are displayed when a condition that is not serious enough to warrant a warning or an error occurs. rc_startmsgs (bool) If set to "YES", show "Starting foo:" when faststart is used (e.g., at boot time). early_late_divider (str) The name of the script that should be used as the de- limiter between the "early" and "late" stages of the boot process. The early stage should contain all the services needed to get the disks (local or remote) mounted so that the late stage can include scripts contained in the direc- tories listed in the local_startup variable (see below). Thus, the two likely candidates for this value are mountcritlocal for the typical system, and mountcritremote if the system needs remote file systems mounted to get ac- cess to the local_startup directories; for example when /usr/local is NFS mounted. For rc.conf within a jail(8) NETWORKING is likely to be an appropriate value. Extreme care should be taken when changing this value, and before changing it one should ensure that there are adequate pro- visions to recover from a failed boot (such as physical contact with the machine, or reliable remote console ac- cess). always_force_depends (bool) Various rc.d scripts use the force_depend function to check whether required services are already running, and to start them if necessary. By default during boot time this check is bypassed if the required service is enabled in /etc/rc.conf[.local]. Setting this option will bypass that check at boot time and always test whether or not the service is actually running. Enabling this option is likely to increase your boot time if services are enabled that utilize the force_depend check. <name>_chroot (str) chroot(8) to this directory before running the ser- vice. <name>_cpuset (str) A list of CPUs to run the service on. Passed to cpuset(1) using the -l flag. <name>_fib (int) The setfib(1) value to run the service under. <name>_group (str) Run the chrooted service under this system group. Unlike the <name>_user setting, this setting has no effect if the service is not chrooted. <name>_limits (str) Resource limits to apply to the service using limits(1). By default, resource limits are based on the login class defined in <name>_login_class. <name>_login_class (str) Login class to be used with <name>_limits. Defaults to "daemon". <name>_nice (int) The nice(1) value to run the service under. <name>_oomprotect (str) Use protect(1) to prevent the service from being killed when swap space is exhausted. Use "YES" to protect only the service itself, and "ALL" to protect the service and all its child processes. Please note that rc scripts which redefine ${argument}_cmd (see rc.subr(8)) such as PostgreSQL will not inherit the OOM killer protection. This variable has no effect on services running within a jail(8). <name>_setup (str) Run the specified setup script right before starting the actual service command. Useful for automatic configu- ration file generation. <name>_umask (int) Run the service using this umask(1) value. <name>_user (str) Run the service under this user account. <name>_svcj (bool) If set to "YES", auto-jail the service with inher- ited filesystem and other jail properties depending on <name>_svcj_options. <name>_svcj_ipaddrs (str) A list of IP addresses that the service jail will be permitted to use. If this is not specified, the service jail will be permitted to use all assigned IP addresses if networking is enabled in the jail. <name>_svcj_options (str) A list of jail properties for the service. See "SERVICE JAILS" for a list of valid properties. apm_enable (bool) If set to "YES", enable support for Automatic Power Management with the apm(8) command. apmd_enable (bool) Run apmd(8) to handle APM event from userland. This also enables support for APM. apmd_flags (str) If apmd_enable is set to "YES", these are the flags to pass to the apmd(8) daemon. devd_enable (bool) Run devd(8) to handle device added, removed or un- known events from the kernel. ddb_enable (bool) Run ddb(8) to install ddb(4) scripts at boot time. ddb_config (str) Configuration file for ddb(8). Default /etc/ddb.conf. devmatch_enable (bool) If set to "NO", disable auto-loading of kernel mod- ules with devmatch(8). devmatch_blocklist (str) A whitespace-separated list of kernel modules to be ignored by devmatch(8). In addition, the kenv(1) devmatch_blocklist is appended to this variable to allow disabling of devmatch(8) loaded modules from the boot loader. devmatch_blacklist (str) This variable is deprecated. Use devmatch_blocklist instead. A whitespace-separated list of kernel modules to be ignored by devmatch(8). kld_list (str) A whitespace-separated list of kernel modules to load right after the local disks are mounted, without any .ko extension or path. kldxref_enable (bool) Set to "NO" by default. Set to "YES" to automati- cally rebuild linker.hints files with kldxref(8) at boot time. kldxref_clobber (bool) Set to "NO" by default. If kldxref_enable is true, setting to "YES" will overwrite existing linker.hints files at boot time. Otherwise, only missing linker.hints files are generated. kldxref_module_path (str) Empty by default. A semi-colon (`;') delimited list of paths containing kld(4) modules. If empty, the contents of the kern.module_path sysctl(8) are used. powerd_enable (bool) If set to "YES", enable the system power control fa- cility with the powerd(8) daemon. powerd_flags (str) If powerd_enable is set to "YES", these are the flags to pass to the powerd(8) daemon. svcj_all_enable Enable auto-jailing of all services which are not explic- itly excluded. See "SERVICE JAILS" for more info. tmpmfs Controls the creation of a /tmp memory file system. Always happens if set to "YES" and never happens if set to "NO". If set to anything else, a memory file system is created if /tmp is not writable. tmpsize Controls the size of a created /tmp memory file system. tmpmfs_flags Extra options passed to the mdmfs(8) utility when the mem- ory file system for /tmp is created. The default is "-S", which inhibits the use of softupdates on /tmp so that file system space is freed without delay after file truncation or deletion. See mdmfs(8) for other options you can use in tmpmfs_flags. varmfs Controls the creation of a /var memory file system. Always happens if set to "YES" and never happens if set to "NO". If set to anything else, a memory file system is created if /var is not writable. varsize Controls the size of a created /var memory file system. varmfs_flags Extra options passed to the mdmfs(8) utility when the mem- ory file system for /var is created. The default is "-S", which inhibits the use of softupdates on /var so that file system space is freed without delay after file truncation or deletion. See mdmfs(8) for other options you can use in varmfs_flags. populate_var Controls the automatic population of the /var file system. Always happens if set to "YES" and never happens if set to "NO". If set to anything else, a memory file system is created if /var is not writable. Note that this process requires access to certain commands in /usr before /usr is mounted on normal systems. cleanvar_enable (bool) Clean the /var directory. var_run_enable (bool) Set to "YES" to enable saving of the /var/run direc- tory structure into an mtree file at shutdown and the re- load of the /var/run directory structure at boot. var_run_autosave (bool) In some cases it may be undesirable to save /var/run at shutdown. When set to "NO" /var/run is loaded at reboot but not saved at shutdown. Typically in this scenario `service var_run save' would be performed to save a copy of the /var/run directory structure once, to be reloaded dur- ing all subsequent reboots. var_run_mtree (str) Where to save the /var/run mtree. The default loca- tion is /var/db/mtree/BSD.var-run.mtree. local_startup (str) List of directories to search for startup script files. script_name_sep (str) The field separator to use for breaking down the list of startup script files into individual filenames. The de- fault is a space. It is not necessary to change this un- less there are startup scripts with names containing spaces. hostapd_enable (bool) Set to "YES" to start hostapd(8) at system boot time. hostname (str) The fully qualified domain name (FQDN) of this host on the network. This should almost certainly be set to something meaningful, even if there is no network connec- tion. If dhclient(8) is used to set the hostname via DHCP, this variable should be set to an empty string. Within a jail(8) the hostname is generally already set and this variable may be absent. If this value remains unset when the system is done booting your console login will display the default hostname of "Amnesiac". nisdomainname (str) The NIS domain name of this host, or "NO" if NIS is not used. hostid_enable (bool) If set to "NO", disable the generation or saving of the hostid and machine-id files at system boot and shut- down. hostid_file (str) Path to the hostid file, default /etc/hostid. hostid_uuidgen_flags (str) Flags passed to uuidgen(1) when generating a software host UUID. This is used only if the system cannot deter- mine a hardware UUID. Set to "-r" by default. machine_id_file (str) Path to the machine-id file, default /etc/machine-id. dhclient_program (str) Path to the DHCP client program, defaulting to /sbin/dhclient. dhclient_flags (str) Additional flags to pass to the DHCP client program. See the dhclient(8) manpage for a description of the com- mand line options available. dhclient_flags_<iface> Additional flags to pass to the DHCP client program running on iface only. When specified, this variable overrides dhclient_flags. background_dhclient (bool) Set to "YES" to start the DHCP client in background. This can cause trouble with applications depending on a working network, but it will provide a faster startup in many cases. background_dhclient_<iface> When specified, this variable overrides the background_dhclient variable for interface iface only. dhclient_arpwait (bool) Set to "NO" to stop dhclient(8) from waiting for ARP resolution, to make the system boot faster. This may be done on networks where the DHCP server is certain to know whether an address is available. synchronous_dhclient (bool) Set to "YES" to start dhclient(8) synchronously at startup. This behavior can be overridden on a per-inter- face basis by replacing the "DHCP" keyword in the ifconfig_<interface> variable with "SYNCDHCP" or "NOSYNCDHCP". defaultroute_delay (int) When set to a positive value, wait up to this long after configuring DHCP interfaces at startup to give the interfaces time to receive a lease. firewall_enable (bool) Set to "YES" to load firewall rules at startup. If the kernel was not built with options IPFIREWALL, the ipfw.ko kernel module will be loaded. See also ipfilter_enable. firewall_script (str) This variable specifies the full path to the firewall script to run. The default is /etc/rc.firewall. firewall_type (str) Names the firewall type from the selection in /etc/rc.firewall, or the file which contains the local firewall ruleset. Valid selections from /etc/rc.firewall are: open unrestricted IP access closed all IP services disabled, except via "lo0" client basic protection for a workstation workstation basic protection for a workstation using stateful firewalling simple basic protection for a LAN. If a filename is specified, the full path must be given. Most of the predefined rulesets define additional configu- ration variables. These are documented in /etc/rc.firewall. firewall_quiet (bool) Set to "YES" to disable the display of firewall rules on the console during boot. firewall_logging (bool) Set to "YES" to enable firewall event logging. This is equivalent to the IPFIREWALL_VERBOSE kernel option. firewall_logif (bool) Set to "YES" to create pseudo interface ipfw0 for logging. For more details, see ipfw(8) manual page. firewall_flags (str) Flags passed to ipfw(8) if firewall_type specifies a filename. firewall_coscripts (str) List of executables and/or rc scripts to run after firewall starts/stops. Default is empty. firewall_nat_enable (bool) The ipfw(8) equivalent of natd_enable. Setting this to "YES" will automatically load the ipfw(8) NAT kernel module if firewall_enable is also set to "YES". firewall_nat_interface (str) The ipfw(8) equivalent of natd_interface. This is the name of the public interface or IP address on which kernel NAT should run. firewall_nat_flags (str) Additional configuration parameters for kernel NAT should be placed here. firewall_nat64_enable (bool) Setting this to "YES" will automatically load the ipfw(8) NAT64 kernel module if firewall_enable is also set to "YES". firewall_nptv6_enable (bool) Setting this to "YES" will automatically load the ipfw(8) NPTv6 kernel module if firewall_enable is also set to "YES". firewall_pmod_enable (bool) Setting this to "YES" will automatically load the ipfw(8) pmod kernel module if firewall_enable is also set to "YES". dummynet_enable (bool) Setting this to "YES" will automatically load the dummynet(4) module if firewall_enable is also set to "YES". ipfw_netflow_enable (bool) Setting this to "YES" will enable netflow logging via ng_netflow(4). By default a ipfw rule is inserted and all packets are du- plicated with the ngtee command and netflow packets are sent to 127.0.0.1 on the netflow port using protocol ver- sion 5. ipfw_netflow_hook (int) netflow hook name, must be numerical (default 9995). ipfw_netflow_rule (int) ipfw rule number (default 1000). ipfw_netflow_ip (str) Destination server ip for receiving netflow data (de- fault 127.0.0.1). ipfw_netflow_port (int) Destination server port for receiving netflow data (default 9995). ipfw_netflow_version (int) Do not set for using version 5 of the netflow proto- col, set it to 9 for using version 9. ipfw_netflow_fib (int) Only match packet in FIB ipfw_netflow_fib (default is undefined meaning all FIBs). natd_program (str) Path to natd(8). natd_enable (bool) Set to "YES" to enable natd(8). firewall_enable must also be set to "YES", and divert(4) sockets must be enabled in the kernel. If the kernel was not built with options IPDIVERT, the ipdivert.ko kernel module will be loaded. natd_interface (str) This is the name of the public interface on which natd(8) should run. The interface may be given as an in- terface name or as an IP address. natd_flags (str) Additional natd(8) flags should be placed here. The -n or -a flag is automatically added with the above natd_interface as an argument. ipfilter_enable (bool) Set to "NO" by default. Setting this to "YES" en- ables ipf(8) packet filtering. Typical usage will require putting ipfilter_enable="YES" ipnat_enable="YES" ipmon_enable="YES" ipfs_enable="YES" into /etc/rc.conf and editing /etc/ipf.rules and /etc/ipnat.rules appropriately. Note that ipfilter_enable and ipnat_enable can be enabled independently. ipmon_enable and ipfs_enable both require at least one of ipfilter_enable and ipnat_enable to be en- abled. Having options IPFILTER options IPFILTER_LOG options IPFILTER_DEFAULT_BLOCK in the kernel configuration file is a good idea, too. ipfilter_program (str) Path to ipf(8) (default /sbin/ipf). ipfilter_rules (str) Set to /etc/ipf.rules by default. This variable con- tains the name of the filter rule definition file. The file is expected to be readable for the ipf(8) command to execute. ipfilter_flags (str) Empty by default. This variable contains flags passed to the ipf(8) program. ipnat_enable (bool) Set to "NO" by default. Set it to "YES" to enable ipnat(8) network address translation. See ipfilter_enable for a detailed discussion. ipnat_program (str) Path to ipnat(8) (default /sbin/ipnat). ipnat_rules (str) Set to /etc/ipnat.rules by default. This variable contains the name of the file holding the network address translation definition. This file is expected to be read- able for the ipnat(8) command to execute. ipnat_flags (str) Empty by default. This variable contains flags passed to the ipnat(8) program. ipmon_enable (bool) Set to "NO" by default. Set it to "YES" to enable ipmon(8) monitoring (logging ipf(8) and ipnat(8) events). Setting this variable needs setting ipfilter_enable or ipnat_enable too. See ipfilter_enable for a detailed dis- cussion. ipmon_program (str) Path to ipmon(8) (default /sbin/ipmon). ipmon_flags (str) Set to "-Ds" by default. This variable contains flags passed to the ipmon(8) program. Another typical ex- ample would be "-D /var/log/ipflog" to have ipmon(8) log directly to a file bypassing syslogd(8). Make sure to ad- just /etc/newsyslog.conf in such case like this: /var/log/ipflog 640 10 100 * Z /var/run/ipmon.pid ipfs_enable (bool) Set to "NO" by default. Set it to "YES" to enable ipfs(8) saving the filter and NAT state tables during shut- down and reloading them during startup again. Setting this variable needs setting ipfilter_enable or ipnat_enable to "YES" too. See ipfilter_enable for a detailed discussion. Note that if kern_securelevel is set to 3, ipfs_enable can- not be used because the raised securelevel will prevent ipfs(8) from saving the state tables at shutdown time. ipfs_program (str) Path to ipfs(8) (default /sbin/ipfs). ipfs_flags (str) Empty by default. This variable contains flags passed to the ipfs(8) program. pf_enable (bool) Set to "NO" by default. Setting this to "YES" en- ables pf(4) packet filtering. Typical usage will require putting pf_enable="YES" into /etc/rc.conf and editing /etc/pf.conf appropriately. Adding device pf builds support for pf(4) into the kernel, otherwise the kernel module will be loaded. pf_rules (str) Path to pf(4) ruleset configuration file (default /etc/pf.conf). pf_program (str) Path to pfctl(8) (default /sbin/pfctl). pf_flags (str) If pf_enable is set to "YES", these flags are passed to the pfctl(8) program when loading the ruleset. pf_fallback_rules_enable (bool) Set to "NO" by default. Setting this to "YES" en- ables loading pf_fallback_rules_file or pf_fallback_rules in case of a problem when loading the ruleset in pf_rules. pf_fallback_rules_file (str) Path to a pf ruleset to load in case of failure when loading the ruleset in pf_rules (default /etc/pf-fallback.conf). pf_fallback_rules (str) A pf ruleset to load in case of failure when loading the ruleset in pf_rules and pf_fallback_rules_file is not found. Multiple rules can be set as follows: pf_fallback_rules=" block drop log all pass in quick on em0" The default fallback rule is "block drop log all" pflog_enable (bool) Set to "NO" by default. Setting this to "YES" en- ables pflogd(8) which logs packets from the pf(4) packet filter. pflog_logfile (str) If pflog_enable is set to "YES" this controls where pflogd(8) stores the logfile (default /var/log/pflog). Check /etc/newsyslog.conf to adjust logfile rotation for this. pflog_program (str) Path to pflogd(8) (default /sbin/pflogd). pflog_flags (str) Empty by default. This variable contains additional flags passed to the pflogd(8) program. pflog_instances (str) If logging to more than one pflog(4) interface is de- sired, pflog_instances is set to the list of pflogd(8) in- stances that should be started at system boot time. If pflog_instances is set, for each whitespace-separated element in the list, <element>_dev and <element>_logfile elements are assumed to exist. <element>_dev must contain the pflog(4) interface to be watched by the named pflogd(8) instance. <element>_logfile must contain the name of the logfile that will be used by the pflogd(8) instance. ftpproxy_enable (bool) Set to "NO" by default. Setting this to "YES" en- ables ftp-proxy(8) which supports the pf(4) packet filter in translating ftp connections. ftpproxy_flags (str) Empty by default. This variable contains additional flags passed to the ftp-proxy(8) program. ftpproxy_instances (str) Empty by default. If multiple instances of ftp-proxy(8) are desired at boot time, ftpproxy_instances should contain a whitespace-separated list of instance names. For each element in the list, a variable named <element>_flags should be defined, containing the command- line flags to be passed to the ftp-proxy(8) instance. pfsync_enable (bool) Set to "NO" by default. Setting this to "YES" en- ables exposing pf(4) state changes to other hosts over the network by means of pfsync(4). The pfsync_syncdev variable must also be set then. pfsync_syncdev (str) Empty by default. This variable specifies the name of the network interface pfsync(4) should operate through. It must be set accordingly if pfsync_enable is set to "YES". pfsync_syncpeer (str) Empty by default. This variable is optional. By de- fault, state change messages are sent out on the synchroni- sation interface using IP multicast packets. The protocol is IP protocol 240, PFSYNC, and the multicast group used is 224.0.0.240. When a peer address is specified using the pfsync_syncpeer option, the peer address is used as a des- tination for the pfsync traffic, and the traffic can then be protected using ipsec(4). See the pfsync(4) manpage for more details about using ipsec(4) with pfsync(4) inter- faces. pfsync_ifconfig (str) Empty by default. This variable can contain addi- tional options to be passed to the ifconfig(8) command used to set up pfsync(4). tcp_extensions (bool) Set to "YES" by default. Setting this to "NO" dis- ables certain TCP options as described by RFC 1323. Set- ting this to "NO" might help remedy such problems with con- nections as randomly hanging or other weird behavior. Some network devices are known to be broken with respect to these options. log_in_vain (int) Set to 0 by default. The sysctl(8) variables, net.inet.tcp.log_in_vain and net.inet.udp.log_in_vain, as described in tcp(4) and udp(4), are set to the given value. tcp_keepalive (bool) Set to "YES" by default. Setting to "NO" will dis- able probing idle TCP connections to verify that the peer is still up and reachable. tcp_drop_synfin (bool) Set to "NO" by default. Setting to "YES" will cause the kernel to ignore TCP frames that have both the SYN and FIN flags set. This prevents OS fingerprinting, but may break some legitimate applications. icmp_drop_redirect (bool) Set to "AUTO" by default. This setting will be identical to "YES", if a dynamic routing daemon is enabled, because redirect processing may cause performance issues for large routing tables. If no such service is enabled, this setting behaves like a "NO". Setting to "YES" will cause the kernel to ignore ICMP REDIRECT packets. Setting to "NO" will cause the kernel to process ICMP REDIRECT packets. Refer to icmp(4) for more information. icmp_log_redirect (bool) Set to "NO" by default. Setting to "YES" will cause the kernel to log ICMP REDIRECT packets. Note that the log messages are not rate-limited, so this option should only be used for troubleshooting networks. Refer to icmp(4) for more information. icmp_bmcastecho (bool) Set to "YES" to respond to broadcast or multicast ICMP ping packets. Refer to icmp(4) for more information. ip_portrange_first (int) If not set to "NO", this is the first port in the de- fault portrange. Refer to ip(4) for more information. ip_portrange_last (int) If not set to "NO", this is the last port in the de- fault portrange. Refer to ip(4) for more information. network_interfaces (str) Set to the list of network interfaces to configure on this host or "AUTO" (the default) for all current inter- faces. Setting the network_interfaces variable to anything other than the default is deprecated. Interfaces that the administrator wishes to store configuration for, but not start at boot should be configured with the "NOAUTO" key- word in their ifconfig_<interface> variables as described below. An ifconfig_<interface> variable is assumed to exist for each value of interface. When an interface name contains any of the characters ".-/+" they are translated to "_" be- fore lookup. For example, the interface em0.102 would be configured using the variable ifconfig_em0_102. The variable can contain arguments to ifconfig(8), as well as special case-insensitive keywords described below. Such keywords are removed before passing the value to ifconfig(8) while the order of the other arguments is pre- served. For example, to assign the IPv4 address 192.0.2.1/24 to the interface em0: ifconfig_em0="inet 192.0.2.1/24 up" If the variable ifconfig_<interface>_ipv6 is set, then ifconfig_<interface> does not need to be set unless an IPv4 address should also be assigned to the interface. It is possible to add IP alias entries using ifconfig(8) syntax with the address family keyword such as inet. As- suming that the interface in question was em0, it might look something like this: ifconfig_em0_alias0="inet 127.0.0.253/32" ifconfig_em0_alias1="inet 127.0.0.254/32" It also possible to configure multiple IP addresses in Classless Inter-Domain Routing (CIDR) address notation, whose each address component can be a range like inet 192.0.2.5-23/24 or inet6 2001:db8:1-f::1/64. This notation allows address and prefix length part only, not the other address modifiers. Note that the maximum number of the generated addresses from a range specification is limited to an integer value specified in netif_ipexpand_max in rc.conf because a small typo can unexpectedly generate a large number of addresses. The default value is 2048. It can be increased by adding the following line into rc.conf: netif_ipexpand_max="4096" In the case of 192.0.2.5-23/24, the address 192.0.2.5 will be configured with the prefix length /24 and the addresses 192.0.2.6 to 192.0.2.23 with the non-conflicting prefix length /32 as explained in the ifconfig(8) alias section. Note that this special CIDR handling is only for inet, not for the other address families such as inet6. With the interface in question being em0, an example could look like: ifconfig_em0_alias2="inet 192.0.2.129/27" ifconfig_em0_alias3="inet 192.0.2.1-5/28" and so on. Note that deprecated ipv4_addrs_<interface> variable was supported for IPv4 CIDR address notation. The ifconfig_<interface>_alias<n> variable replaces it, though ipv4_addrs_<interface> is still supported for backward com- patibility. For each ifconfig_<interface>_alias<n> entry with an ad- dress family keyword, its contents are passed to ifconfig(8). Execution stops at the first unsuccessful ac- cess, so if something like this is present: ifconfig_em0_alias0="inet 127.0.0.251/32" ifconfig_em0_alias1="inet 127.0.0.252/32" ifconfig_em0_alias2="inet 127.0.0.253/32" ifconfig_em0_alias4="inet 127.0.0.254/32" Then note that alias4 would not be added since the search would stop with the missing "alias3" entry. Because of this difficult to manage behavior, there is ifconfig_<interface>_aliases variable, which has the same functionality as ifconfig_<interface>_alias<n> and can have all of the entries in a variable like the following: ifconfig_em0_aliases="\ inet 127.0.0.251/32 \ inet 127.0.0.252/32 \ inet 127.0.0.253/32 \ inet 127.0.0.254/32" It also supports netmask notation for backward compatibil- ity. If the /etc/start_if.<interface> file is present, it is read and executed by the sh(1) interpreter before configur- ing the interface as specified in the ifconfig_<interface> and ifconfig_<interface>_alias<n> variables. If a vlans_<interface> variable is set, a vlan(4) interface will be created for each item in the list with the vlandev argument set to interface. If a vlan interface's name is a number, then that number is used as the vlan tag and the new vlan interface is named interface.tag. Otherwise, the vlan tag must be specified via a vlan parameter in the create_args_<interface> variable. To create a vlan device named em0.101 on em0 with the vlan tag 101 and the optional IPv4 address 192.0.2.1/24: vlans_em0="101" ifconfig_em0_101="inet 192.0.2.1/24" To create a vlan device named myvlan on em0 with the vlan tag 102: vlans_em0="myvlan" create_args_myvlan="vlan 102" If a wlans_<interface> variable is set, an wlan(4) inter- face will be created for each item in the list with the wlandev argument set to interface. Further wlan cloning arguments may be passed to the ifconfig(8) create command by setting the create_args_<interface> variable. One or more wlan(4) devices must be created for each wireless de- vice as of FreeBSD 8.0. Debugging flags for wlan(4) de- vices as set by wlandebug(8) may be specified with an wlandebug_<interface> variable. The contents of this vari- able will be passed directly to wlandebug(8). If the ifconfig_<interface> contains the keyword "NOAUTO" then the interface will not be configured at boot or by /etc/pccard_ether when network_interfaces is set to "AUTO". It is possible to bring up an interface with DHCP by adding "DHCP" to the ifconfig_<interface> variable. For instance, to initialize the em0 device via DHCP, it is possible to use something like: ifconfig_em0="DHCP" If you want to configure your wireless interface with wpa_supplicant(8) for use with WPA, EAP/LEAP or WEP, you need to add "WPA" to the ifconfig_<interface> variable. On the other hand, if you want to configure your wireless interface with hostapd(8), you need to add "HOSTAP" to the ifconfig_<interface> variable. hostapd(8) will use the settings from /etc/hostapd-<interface>.conf Finally, you can add ifconfig(8) options in this variable, in addition to the /etc/start_if.<interface> file. For in- stance, to configure an ath(4) wireless device in station mode with an address obtained via DHCP, using WPA authenti- cation and 802.11b mode, it is possible to use something like: wlans_ath0="wlan0" ifconfig_wlan0="DHCP WPA mode 11b" In addition to the ifconfig_<interface> form, a fallback variable ifconfig_DEFAULT may be configured. It will be used for all interfaces with no ifconfig_<interface> vari- able. It is also possible to rename an interface by doing: ifconfig_em0_name="net0" ifconfig_net0="inet 192.0.2.1/24" ipv6_enable (bool) This variable is deprecated. Use ifconfig_<interface>_ipv6 and ipv6_activate_all_interfaces if necessary. If the variable is "YES", "inet6 accept_rtadv" is added to all of ifconfig_<interface>_ipv6 and the ipv6_activate_all_interfaces variable is defined as "YES". ipv6_prefer (bool) This variable is deprecated. Use ip6addrctl_policy instead. If the variable is "YES", the default address selection policy table set by ip6addrctl(8) will be IPv6-preferred. If the variable is "NO", the default address selection pol- icy table set by ip6addrctl(8) will be IPv4-preferred. ipv6_activate_all_interfaces (bool) This controls initial configuration on IPv6-capable interfaces with no corresponding ifconfig_<interface>_ipv6 variable. Note that it is not always necessary to set this variable to "YES" to use IPv6 functionality on FreeBSD. In most cases, just configuring ifconfig_<interface>_ipv6 variables works. If the variable is "NO", all interfaces which do not have a corresponding ifconfig_<interface>_ipv6 variable will be marked as "IFDISABLED" at creation. This means that all IPv6 functionality on that interface is completely disabled to enforce a security policy. If the variable is set to "YES", the flag will be cleared on all of the interfaces. In most cases, just defining an ifconfig_<interface>_ipv6 for an IPv6-capable interface should be sufficient. How- ever, if an interface is added dynamically (by some tunneling protocols such as PPP, for example), it is often difficult to define the variable in advance. In such a case, configuring the "IFDISABLED" flag can be disabled by setting this variable to "YES". For more details of the "IFDISABLED" flag and keywords "inet6 ifdisabled", see ifconfig(8). Default is "NO". ipv6_privacy (bool) If the variable is "YES" privacy addresses will be generated for each IPv6 interface as described in RFC 4941. ipv6_network_interfaces (str) This is the IPv6 equivalent of network_interfaces. Normally manual configuration of this variable is not needed. ipv6_cpe_wanif (str) If the variable is set to an interface name, the ifconfig(8) options "inet6 -no_radr accept_rtadv" will be added to the specified interface automatically before eval- uating ifconfig_<interface>_ipv6, and two sysctl(8) vari- ables net.inet6.ip6.rfc6204w3 and net.inet6.ip6.no_radr will be set to 1. This means the specified interface will accept ICMPv6 Router Advertisement messages on that link and add the dis- covered routers into the Default Router List. While the other interfaces can still accept RA messages if the "inet6 accept_rtadv" option is specified, adding routes into the Default Router List will be disabled by "inet6 no_radr" op- tion by default. See ifconfig(8) for more details. Note that ICMPv6 Router Advertisement messages will be ac- cepted even when net.inet6.ip6.forwarding is 1 (packet forwarding is enabled) when net.inet6.ip6.rfc6204w3 is set to 1. Default is "NO". ifconfig_<interface>_descr (str) This assigns arbitrary description to an interface. The sysctl(8) variable net.ifdescr_maxlen limits its length. This static setting may be overridden by commands started with dynamic interface configuration utilities like dhclient(8) hooks. The description can be seen with ifconfig(8) command and it may be exported with bsnmpd(1) daemon using its MIB-2 module. ifconfig_<interface>_ipv6 (str) IPv6 functionality on an interface should be config- ured by ifconfig_<interface>_ipv6, instead of setting if- config parameters in ifconfig_<interface>. If this vari- able is empty, all IPv6 configurations on the specified in- terface by other variables such as ipv6_prefix_<interface> will be ignored. Aliases should be set by ifconfig_<interface>_alias<n> with "inet6" keyword. For example: ifconfig_em0_ipv6="inet6 2001:db8:1::1 prefixlen 64" ifconfig_em0_alias0="inet6 2001:db8:2::1 prefixlen 64" Interfaces that have an "inet6 accept_rtadv" keyword in ifconfig_<interface>_ipv6 setting will be automatically configured by SLAAC (StateLess Address AutoConfiguration) described in RFC 4862. Note that a link-local address will be automatically con- figured in addition to the configured global-scope ad- dresses because the IPv6 specifications require it on each link. The address is calculated from the MAC address by using an algorithm defined in RFC 4862, Section 5.3. If only a link-local address is needed on the interface, the following configuration can be used: ifconfig_em0_ipv6="inet6 auto_linklocal" A link-local address can also be configured manually. This is useful for the default router address of an IPv6 router so that it does not change when the network interface card is replaced. For example: ifconfig_em0_ipv6="inet6 fe80::1 prefixlen 64" ipv6_prefix_<interface> (str) If one or more prefixes are defined in ipv6_prefix_<interface> addresses based on each prefix and the EUI-64 interface index will be configured on that in- terface. Note that this variable will be ignored when ifconfig_<interface>_ipv6 is empty. For example, the following configuration ipv6_prefix_em0="2001:db8:1:0 2001:db8:2:0" is equivalent to the following: ifconfig_em0_alias0="inet6 2001:db8:1:: eui64 prefixlen 64" ifconfig_em0_alias1="inet6 2001:db8:1:: prefixlen 64 anycast" ifconfig_em0_alias2="inet6 2001:db8:2:: eui64 prefixlen 64" ifconfig_em0_alias3="inet6 2001:db8:2:: prefixlen 64 anycast" These Subnet-Router anycast addresses will be added only when ipv6_gateway_enable is YES. ipv6_default_interface (str) If not set to "NO", this is the default output inter- face for scoped addresses. This works only with ipv6_gate- way_enable="NO". ip6addrctl_enable (bool) This variable is to enable configuring default ad- dress selection policy table (RFC 3484). The table can be specified in another variable ip6addrctl_policy. For ip6addrctl_policy the following keywords can be specified: "ipv4_prefer", "ipv6_prefer", or "AUTO". If "ipv4_prefer" or "ipv6_prefer" is specified, ip6addrctl(8) installs a pre-defined policy table described in Section 10.3 (IPv4-preferred) or 2.1 (IPv6-preferred) of RFC 3484. If "AUTO" is specified, it attempts to read a file /etc/ip6addrctl.conf first. If this file is found, ip6addrctl(8) reads and installs it. If not found, a pol- icy is automatically set according to ipv6_activate_all_interfaces variable; if the variable is set to "YES" the IPv6-preferred one is used. Otherwise IPv4-preferred. The default value of ip6addrctl_enable and ip6addrctl_policy are "YES" and "AUTO", respectively. cloned_interfaces (str) Set to the list of clonable network interfaces to create on this host. Further cloning arguments may be passed to the ifconfig(8) create command for each interface by setting the create_args_<interface> variable. If an in- terface name is specified with ":sticky" keyword, the in- terface will not be destroyed even when rc.d/netif script is invoked with "stop" argument. This is useful when re- configuring the interface without destroying it. Entries in cloned_interfaces are automatically appended to network_interfaces for configuration. cloned_interfaces_sticky (bool) This variable is to globally enable functionality of ":sticky" keyword in cloned_interfaces for all interfaces. The default value is "NO". Even if this variable is speci- fied to "YES", ":nosticky" keyword can be used to override it on per interface basis. gif_interfaces Set to the list of gif(4) tunnel interfaces to configure on this host. A gifconfig_<interface> variable is assumed to exist for each value of interface. The value of this vari- able is used to configure the link layer of the tunnel us- ing the tunnel option to ifconfig(8). Additionally, this option ensures that each listed interface is created via the create option to ifconfig(8) before attempting to con- figure it. For example, configure two gif(4) interfaces with: gif_interfaces="gif0 gif1" gifconfig_gif0="100.64.0.1 100.64.0.2" ifconfig_gif0="inet 10.0.0.1/30 10.0.0.2" gifconfig_gif1="inet6 2a00::1 2a01::1" ifconfig_gif1="inet 10.1.0.1/30 10.1.0.2" ppp_enable (bool) If set to "YES", run the ppp(8) daemon. ppp_profile (str) The name of the profile to use from /etc/ppp/ppp.conf. Also used for per-profile overrides of ppp_mode and ppp_nat, and ppp_<profile>_unit. When the profile name contains any of the characters ".-/+" they are translated to "_" for the proposes of the override variable names. ppp_mode (str) Mode in which to run the ppp(8) daemon. ppp_<profile>_mode (str) Overrides the global ppp_mode for profile. Accepted modes are "auto", "ddial", "direct" and "dedicated". See the manual for a full description. ppp_nat (bool) If set to "YES", enables network address transla- tion. Used in conjunction with gateway_enable allows hosts on private network addresses access to the Internet using this host as a network address translating router. Default is "YES". ppp_<profile>_nat (str) Overrides the global ppp_nat for profile. ppp_<profile>_unit (int) Set the unit number to be used for this profile. See the manual description of -unitN for details. ppp_user (str) The name of the user under which ppp(8) should be started. By default, ppp(8) is started as "root". rc_conf_files (str) This option is used to specify a list of files that will override the settings in /etc/defaults/rc.conf. The files will be read in the order in which they are specified and should include the full path to the file. By default, the files specified are /etc/rc.conf and /etc/rc.conf.local. zfs_enable (bool) If set to "YES", /etc/rc.d/zfs will attempt to auto- matically mount ZFS file systems and initialize ZFS volumes (ZVOLs). zpool_reguid (str) A space-separated list of ZFS pool names for which new pool GUIDs should be assigned upon first boot. This is useful when using a ZFS pool copied from a template, such as a virtual machine image. zpool_upgrade (str) A space-separated list of ZFS pool names for which the version should be upgraded upon first boot. This is useful when using a ZFS pool generated by the makefs(8) utility. gptboot_enable (bool) If set to "YES", /etc/rc.d/gptboot will log if the system successfully (or not) booted from a GPT partition, which had the bootonce attribute set using gpart(8) util- ity. geli_devices (str) List of devices to automatically attach on boot. Note that .eli devices from /etc/fstab are automatically appended to this list. geli_groups (str) List of groups containing devices to automatically attach on boot with the same keyfiles and passphrase. This must be accompanied with a corresponding geli_<group>_devices variable. geli_tries (int) Number of times user is asked for the pass-phrase. If empty, it will be taken from kern.geom.eli.tries sysctl variable. geli_default_flags (str) Default flags to use by geli(8) when configuring disk encryption. Flags can be configured for every device sepa- rately by defining the geli_<device>_flags variable, and for every group separately by defining the geli_<group>_flags variable. geli_autodetach (str) Specifies if GELI devices should be marked for detach on last close after file systems are mounted. Default is "YES". This can be changed for every device separately by defining the geli_<device>_autodetach variable. root_rw_mount (bool) Set to "YES" by default. After the file systems are checked at boot time, the root file system is remounted as read-write if this is set to "YES". Diskless systems that mount their root file system from a read-only remote NFS share should set this to "NO" in their rc.conf. fsck_y_enable (bool) If set to "YES", fsck(8) will be run with the -y flag if the initial preen of the file systems fails. background_fsck (bool) If set to "NO", the system will not attempt to run fsck(8) in the background where possible. background_fsck_delay (int) The amount of time in seconds to sleep before start- ing a background fsck(8). It defaults to sixty seconds to allow large applications such as the X server to start be- fore disk I/O bandwidth is monopolized by fsck(8). If set to a negative number, the background file system check will be delayed indefinitely to allow the administrator to run it at a more convenient time. For example it may be run from cron(8) by adding a line like 0 4 * * * root /etc/rc.d/bgfsck forcestart to /etc/crontab. netfs_types (str) List of file system types that are network-based. This list should generally not be modified by end users. Use extra_netfs_types instead. extra_netfs_types (str) If set to something other than "NO" (the default), this variable extends the list of file system types for which automatic mounting at startup by rc(8) should be de- layed until the network is initialized. It should contain a whitespace-separated list of network file system descrip- tor pairs, each consisting of a file system type as passed to mount(8) and a human-readable, one-word description, joined with a colon (`:'). Extending the default list in this way is only necessary when third party file system types are used. syslogd_enable (bool) If set to "YES", run the syslogd(8) daemon. Note, the syslogd_oomprotect variable is set to "YES" by default in /etc/defaults/rc.conf. syslogd_program (str) Path to syslogd(8) (default /usr/sbin/syslogd). syslogd_flags (str) If syslogd_enable is set to "YES", these are the flags to pass to syslogd(8). inetd_enable (bool) If set to "YES", run the inetd(8) daemon. inetd_program (str) Path to inetd(8) (default /usr/sbin/inetd). inetd_flags (str) If inetd_enable is set to "YES", these are the flags to pass to inetd(8). hastd_enable (bool) If set to "YES", run the hastd(8) daemon. hastd_program (str) Path to hastd(8) (default /sbin/hastd). hastd_flags (str) If hastd_enable is set to "YES", these are the flags to pass to hastd(8). local_unbound_enable (bool) If set to "YES", run the unbound(8) daemon as a lo- cal caching DNS resolver. Note, the local_unbound_oomprotect variable is set to "YES" by de- fault in /etc/defaults/rc.conf. nscd_enable (bool) Set to "YES" to start the nscd(8) caching daemon for the nsswitch subsystem. nscd_flags (str) If nscd_enable is set to "YES", these flags are passed to nscd(8). kdc_enable (bool) Set to "YES" to start a Kerberos 5 authentication server at boot time. kdc_program (str) If kdc_enable is set to "YES" this is the path to Kerberos 5 Authentication Server. kdc_flags (str) Empty by default. This variable contains additional flags to be passed to the Kerberos 5 authentication server. kadmind_enable (bool) Set to "YES" to start kadmind(8), the Kerberos 5 Ad- ministration Daemon; set to "NO" on a slave server. kadmind_program (str) If kadmind_enable is set to "YES" this is the path to Kerberos 5 Administration Daemon. kpasswdd_enable (bool) Set to "YES" to start kpasswdd(8), the Kerberos 5 Password-Changing Daemon; set to "NO" on a slave server. kpasswdd_program (str) If kpasswdd_enable is set to "YES" this is the path to Kerberos 5 Password-Changing Daemon. kfd_enable (bool) Set to "YES" to start kfd(8), the Kerberos 5 ticket forwarding daemon, at the boot time. kfd_program (str) Path to kfd(8) (default /usr/libexec/kfd). rwhod_enable (bool) If set to "YES", run the rwhod(8) daemon at boot time. rwhod_flags (str) If rwhod_enable is set to "YES", these are the flags to pass to it. update_motd (bool) If set to "YES", /var/run/motd will be updated at boot time to reflect the kernel release being run. If set to "NO", /var/run/motd will not be updated. nfs_client_enable (bool) If set to "YES", run the NFS client daemons at boot time. nfs_access_cache (int) If nfs_client_enable is set to "YES", this can be set to "0" to disable NFS ACCESS RPC caching, or to the number of seconds for which NFS ACCESS results should be cached. A value of 2-10 seconds will substantially reduce network traffic for many NFS operations. nfs_server_enable (bool) If set to "YES", run the NFS server daemons at boot time. nfs_server_flags (str) If nfs_server_enable is set to "YES", these are the flags to pass to the nfsd(8) daemon. nfsv4_server_enable (bool) If nfs_server_enable is set to "YES" and nfsv4_server_enable is set to "YES", enable the server for NFSv4 as well as NFSv2 and NFSv3. nfsv4_server_only (bool) If nfs_server_enable is set to "YES" and nfsv4_server_only is set to "YES", enable the NFS server for NFSv4 only. nfs_server_maxio (int) value to set vfs.nfsd.srvmaxio to, which is the maxi- mum I/O size for the NFS server. tlsclntd_enable (bool) If set to "YES", run the rpc.tlsclntd(8) daemon, which is needed for NFS-over-TLS NFS mounts. tlsservd_enable (bool) If set to "YES", run the rpc.tlsservd(8) daemon, which is needed for the nfsd(8) to support NFS-over-TLS NFS mounts. nfsuserd_enable (bool) If nfsuserd_enable is set to "YES", run the nfsuserd daemon, which is needed for NFSv4 in order to map between user/group names vs uid/gid numbers. If nfsv4_server_enable is set to "YES", this will be forced enabled. nfsuserd_flags (str) If nfsuserd_enable is set to "YES", these are the flags to pass to the nfsuserd(8) daemon. nfscbd_enable (bool) If nfscbd_enable is set to "YES", run the nfscbd daemon, which enables callbacks/delegations for the NFSv4 client. nfscbd_flags (str) If nfscbd_enable is set to "YES", these are the flags to pass to the nfscbd(8) daemon. mountd_enable (bool) If set to "YES", and no nfs_server_enable is set, start mountd(8), but not nfsd(8) daemon. It is commonly needed to run CFS without real NFS used. mountd_flags (str) If mountd_enable is set to "YES", these are the flags to pass to the mountd(8) daemon. weak_mountd_authentication (bool) If set to "YES", allow services like PCNFSD to make non-privileged mount requests. nfs_reserved_port_only (bool) If set to "YES", provide NFS services only on a se- cure port. nfs_bufpackets (int) If set to a number, indicates the number of packets worth of socket buffer space to reserve on an NFS client. The kernel default is typically 4. Using a higher number may be useful on gigabit networks to improve performance. The minimum value is 2 and the maximum is 64. rpc_lockd_enable (bool) If set to "YES" and also an NFS server or client, run rpc.lockd(8) at boot time. rpc_lockd_flags (str) If rpc_lockd_enable is set to "YES", these are the flags to pass to the rpc.lockd(8) daemon. rpc_statd_enable (bool) If set to "YES" and also an NFS server or client, run rpc.statd(8) at boot time. rpc_statd_flags (str) If rpc_statd_enable is set to "YES", these are the flags to pass to the rpc.statd(8) daemon. rpcbind_program (str) Path to rpcbind(8) (default /usr/sbin/rpcbind). rpcbind_enable (bool) If set to "YES", run the rpcbind(8) service at boot time. rpcbind_flags (str) If rpcbind_enable is set to "YES", these are the flags to pass to the rpcbind(8) daemon. pppoed_enable (bool) If set to "YES", run the pppoed(8) daemon at boot time to provide PPP over Ethernet services. pppoed_<provider> (str) pppoed(8) listens to requests to this provider and ultimately runs ppp(8) with a system argument of the same name. pppoed_flags (str) Additional flags to pass to pppoed(8). pppoed_interface (str) The network interface to run pppoed(8) on. This is mandatory when pppoed_enable is set to "YES". ntpdate_enable (bool) If set to "YES", run ntpdate(8) at system startup. This command is intended to synchronize the system clock only once from some standard reference. Note that the use of the ntpd_sync_on_start variable is a preferred alternative to the ntpdate(8) utility as ntpdate(8) is to be retired from the NTP distribution. ntpdate_config (str) Configuration file for ntpdate(8). Default /etc/ntp.conf. ntpdate_hosts (str) A whitespace-separated list of NTP servers to syn- chronize with at startup. The default is to use the servers listed in ntpdate_config, if that file exists. ntpdate_program (str) Path to ntpdate(8) (default /usr/sbin/ntpdate). ntpdate_flags (str) If ntpdate_enable is set to "YES", these are the flags to pass to the ntpdate(8) command (typically a host- name). ntpd_enable (bool) If set to "YES", run the ntpd(8) command at boot time. ntpd_program (str) Path to ntpd(8) (default /usr/sbin/ntpd). ntpd_config (str) Path to ntpd(8) configuration file. Default /etc/ntp.conf. ntpd_flags (str) If ntpd_enable is set to "YES", these are the flags to pass to the ntpd(8) daemon. ntpd_sync_on_start (bool) If set to "YES", ntpd(8) is run with the -g flag, which syncs the system's clock on startup. See ntpd(8) for more information regarding the -g option. This is a pre- ferred alternative to using ntpdate(8) or specifying the ntpdate_enable variable. nis_client_enable (bool) If set to "YES", run the ypbind(8) service at system boot time. nis_client_flags (str) If nis_client_enable is set to "YES", these are the flags to pass to the ypbind(8) service. nis_ypldap_enable (bool) If set to "YES", run the ypldap(8) daemon at system boot time. nis_ypldap_flags (str) If nis.ypldap_enable is set to "YES", these are the flags to pass to the ypldap(8) daemon. nis_ypset_enable (bool) If set to "YES", run the ypset(8) daemon at system boot time. nis_ypset_flags (str) If nis_ypset_enable is set to "YES", these are the flags to pass to the ypset(8) daemon. nis_server_enable (bool) If set to "YES", run the ypserv(8) daemon at system boot time. nis_server_flags (str) If nis_server_enable is set to "YES", these are the flags to pass to the ypserv(8) daemon. nis_ypxfrd_enable (bool) If set to "YES", run the rpc.ypxfrd(8) daemon at system boot time. nis_ypxfrd_flags (str) If nis_ypxfrd_enable is set to "YES", these are the flags to pass to the rpc.ypxfrd(8) daemon. nis_yppasswdd_enable (bool) If set to "YES", run the rpc.yppasswdd(8) daemon at system boot time. nis_yppasswdd_flags (str) If nis_yppasswdd_enable is set to "YES", these are the flags to pass to the rpc.yppasswdd(8) daemon. rpc_ypupdated_enable (bool) If set to "YES", run the rpc.ypupdated daemon at system boot time. bsnmpd_enable (bool) If set to "YES", run the bsnmpd(1) daemon at system boot time. Be sure to understand the security implications of running an SNMP daemon on your host. bsnmpd_flags (str) If bsnmpd_enable is set to "YES", these are the flags to pass to the bsnmpd(1) daemon. defaultrouter (str) If not set to "NO", create a default route to this host name or IP address (use an IP address if this router is also required to get to the name server!). defaultrouter_fibN (str) If not set to "NO", create a default route in FIB N to this host name or IP address. ipv6_defaultrouter (str) The IPv6 equivalent of defaultrouter. ipv6_defaultrouter_fibN (str) The IPv6 equivalent of defaultrouter_fibN. static_arp_pairs (str) Set to the list of static ARP pairs that are to be added at system boot time. For each whitespace separated element in the value, a static_arp_<element> variable is assumed to exist whose contents will later be passed to a "arp -S" operation. For example static_arp_pairs="gw" static_arp_gw="192.168.1.1 00:01:02:03:04:05" static_ndp_pairs (str) Set to the list of static NDP pairs that are to be added at system boot time. For each whitespace separated element in the value, a static_ndp_<element> variable is assumed to exist whose contents will later be passed to a "ndp -s" operation. For example static_ndp_pairs="gw" static_ndp_gw="2001:db8:3::1 00:01:02:03:04:05" static_routes (str) Set to the list of static routes that are to be added at system boot time. If not set to "NO" then for each whitespace separated element in the value, a route_<element> variable is assumed to exist whose contents will later be passed to a "route add" operation. For exam- ple: static_routes="ext mcast:gif0 gif0local:gif0" route_ext="-net 10.0.0.0/24 -gateway 192.168.0.1" route_mcast="-net 224.0.0.0/4 -iface gif0" route_gif0local="-host 169.254.1.1 -iface lo0" When an element is in the form of name:ifname, the route is specific to the interface ifname. ipv6_static_routes (str) The IPv6 equivalent of static_routes. If not set to "NO" then for each whitespace separated element in the value, a ipv6_route_<element> variable is assumed to exist whose contents will later be passed to a "route add -inet6" operation. gateway_enable (bool) If set to "YES", configure host to act as an IP router, e.g. to forward packets between interfaces. ipv6_gateway_enable (bool) The IPv6 equivalent of gateway_enable. routed_enable (bool) If set to "YES", run a routing daemon of some sort, based on the settings of routed_program and routed_flags. route6d_enable (bool) The IPv6 equivalent of routed_enable. If set to "YES", run a routing daemon of some sort, based on the set- tings of route6d_program and route6d_flags. routed_program (str) If routed_enable is set to "YES", this is the name of the routing daemon to use. The default is routed(8). route6d_program (str) The IPv6 equivalent of routed_program. The default is route6d(8). routed_flags (str) If routed_enable is set to "YES", these are the flags to pass to the routing daemon. route6d_flags (str) The IPv6 equivalent of routed_flags. rtadvd_enable (bool) If set to "YES", run the rtadvd(8) daemon at boot time. The rtadvd(8) utility sends ICMPv6 Router Advertise- ment messages to the interfaces specified in rtadvd_interfaces. This should only be enabled with great care. You may want to fine-tune rtadvd.conf(5). rtadvd_flags (str) If rtadvd_enable is set to "YES", these are the flags to pass to rtadvd(8). rtadvd_interfaces (str) If rtadvd_enable is set to "YES" this is the list of interfaces to use. arpproxy_all (bool) If set to "YES", enable global proxy ARP. forward_sourceroute (bool) If set to "YES" and gateway_enable is also set to "YES", source-routed packets are forwarded. accept_sourceroute (bool) If set to "YES", the system will accept source- routed packets directed at it. rarpd_enable (bool) If set to "YES", run the rarpd(8) daemon at system boot time. rarpd_flags (str) If rarpd_enable is set to "YES", these are the flags to pass to the rarpd(8) daemon. bootparamd_enable (bool) If set to "YES", run the bootparamd(8) daemon at system boot time. bootparamd_flags (str) If bootparamd_enable is set to "YES", these are the flags to pass to the bootparamd(8) daemon. stf_interface_ipv4addr (str) If not set to "NO", this is the local IPv4 address for 6to4 (IPv6 over IPv4 tunneling interface). Specify this entry to enable the 6to4 interface. stf_interface_ipv4plen (int) Prefix length for 6to4 IPv4 addresses, to limit peer address range. An effective value is 0-31. stf_interface_ipv6_ifid (str) IPv6 interface ID for stf(4). This can be set to "AUTO". stf_interface_ipv6_slaid (str) IPv6 Site Level Aggregator for stf(4). ipv6_ipv4mapping (bool) If set to "YES" this enables IPv4 mapped IPv6 ad- dress communication (like ::ffff:a.b.c.d). rtsold_enable (bool) Set to "YES" to enable the rtsold(8) daemon to send ICMPv6 Router Solicitation messages. rtsold_flags (str) If rtsold_enable is set to "YES", these are the flags to pass to rtsold(8). rtsol_flags (str) For interfaces configured with the "inet6 accept_rtadv" keyword, these are the flags to pass to rtsol(8). Note that rtsold_enable is mutually exclusive to rtsol_flags; rtsold_enable takes precedence. keybell (str) The keyboard bell sound. Set to "normal", "visual", "off", or "NO" if the default behavior is desired. For de- tails, refer to the kbdcontrol(1) manpage. keyboard (str) If set to a non-null string, the virtual console's keyboard input is set to this device. keymap (str) If set to "NO", no keymap is installed, otherwise the value is used to install the keymap file found in /usr/share/syscons/keymaps/<value>.kbd (if using syscons(4)) or /usr/share/vt/keymaps/<value>.kbd (if using vt(4)). keyrate (str) The keyboard repeat speed. Set to "slow", "normal", "fast", or "NO" if the default behavior is desired. keychange (str) If not set to "NO", attempt to program the function keys with the value. The value should be a single string of the form: "funkey_number new_value [funkey_number new_value ...]". cursor (str) Can be set to the value of "normal", "blink", "destructive", or "NO" to set the cursor behavior explic- itly or choose the default behavior. scrnmap (str) If set to "NO", no screen map is installed, otherwise the value is used to install the screen map file in /usr/share/syscons/scrnmaps/<value>. This parameter is ig- nored when using vt(4) as the console driver. font8x16 (str) If set to "NO", the default 8x16 font value is used for screen size requests, otherwise the value in /usr/share/syscons/fonts/<value> or /usr/share/vt/fonts/<value> is used (depending on the con- sole driver being used). font8x14 (str) If set to "NO", the default 8x14 font value is used for screen size requests, otherwise the value in /usr/share/syscons/fonts/<value> or /usr/share/vt/fonts/<value> is used (depending on the con- sole driver being used). font8x8 (str) If set to "NO", the default 8x8 font value is used for screen size requests, otherwise the value in /usr/share/syscons/fonts/<value> or /usr/share/vt/fonts/<value> is used (depending on the con- sole driver being used). blanktime (int) If set to "NO", the default screen blanking interval is used, otherwise it is set to value seconds. saver (str) If not set to "NO", this is the actual screen saver to use (blank, snake, daemon, etc). moused_nondefault_enable (str) If set to "NO", the mouse device specified on the command line is not automatically treated as enabled by the /etc/rc.d/moused script. Having this variable set to "YES" allows a usb(4) mouse, for example, to be enabled as soon as it is plugged in. moused_enable (str) If set to "YES", the moused(8) daemon is started for doing cut/paste selection on the console. moused_type (str) This is the protocol type of the mouse connected to this host. This variable must be set if moused_enable is set to "YES", but defaults to "auto" as the moused(8) dae- mon is able to detect the appropriate mouse type automati- cally in many cases. Set this variable to one from the following list if the automatic detection fails. If the mouse is attached to the PS/2 mouse port, choose "auto" or "ps/2", regardless of the brand and model of the mouse. Likewise, if the mouse is attached to the bus mouse port, choose "auto" or "busmouse". All other protocols are for serial mice and will not work with the PS/2 and bus mice. If this is a USB mouse, "auto" is the only protocol type which will work. microsoft Microsoft mouse (serial) intellimouse Microsoft IntelliMouse (serial) mousesystems Mouse systems Corp. mouse (serial) mmseries MM Series mouse (serial) logitech Logitech mouse (serial) busmouse A bus mouse mouseman Logitech MouseMan and TrackMan (serial) glidepoint ALPS GlidePoint (serial) thinkingmouse Kensington ThinkingMouse (serial) ps/2 PS/2 mouse mmhittab MM HitTablet (serial) x10mouseremote X10 MouseRemote (serial) versapad Interlink VersaPad (serial) Even if the mouse is not in the above list, it may be com- patible with one in the list. Refer to the manual page for moused(8) for compatibility information. It should also be noted that while this is enabled, any other client of the mouse (such as an X server) should ac- cess the mouse through the virtual mouse device, /dev/sysmouse, and configure it as a "sysmouse" type mouse, since all mouse data is converted to this single canonical format when using moused(8). If the client program does not support the "sysmouse" type, specify the "mousesystems" type. It is the second preferred type. moused_port (str) If moused_enable is set to "YES", this is the actual port the mouse is on. It might be /dev/cuau0 for a COM1 serial mouse, or /dev/psm0 for a PS/2 mouse, for example. moused_flags (str) If moused_flags is set, its value is used as an addi- tional set of flags to pass to the moused(8) daemon. moused_XXX_flags When moused_nondefault_enable is enabled, and a moused(8) daemon is started for a non-default port, the moused_XXX_flags set of options has precedence over and re- places the default moused_flags (where XXX is the name of the non-default port, i.e., ums0). By setting moused_XXX_flags it is possible to set up a different set of default flags for each moused(8) instance. For example, you can use "-3" for the default moused_flags to make your laptop's touchpad more comfortable to use, but an empty set of options for moused_ums0_flags when your usb(4) mouse has three or more buttons. mousechar_start (int) If set to "NO", the default mouse cursor character range 0xd0-0xd3 is used, otherwise the range start is set to value character, see vidcontrol(1). Use if the default range is occupied in the language code table. allscreens_flags (str) If set, vidcontrol(1) is run with these options for each of the virtual terminals (/dev/ttyv*). For example, "-m on" will enable the mouse pointer on all virtual termi- nals if moused_enable is set to "YES". allscreens_kbdflags (str) If set, kbdcontrol(1) is run with these options for each of the virtual terminals (/dev/ttyv*). For example, "-h 200" will set the syscons(4) or vt(4) scrollback (his- tory) buffer to 200 lines. cron_enable (bool) If set to "YES", run the cron(8) daemon at system boot time. cron_program (str) Path to cron(8) (default /usr/sbin/cron). cron_flags (str) If cron_enable is set to "YES", these are the flags to pass to cron(8). cron_dst (bool) If set to "YES", enable the special handling of transitions to and from the Daylight Saving Time in cron(8) (equivalent to using the flag -s). lpd_program (str) Path to lpd(8) (default /usr/sbin/lpd). lpd_enable (bool) If set to "YES", run the lpd(8) daemon at system boot time. lpd_flags (str) If lpd_enable is set to "YES", these are the flags to pass to the lpd(8) daemon. chkprintcap_enable (bool) If set to "YES", run the chkprintcap(8) command be- fore starting the lpd(8) daemon. chkprintcap_flags (str) If lpd_enable and chkprintcap_enable are set to "YES", these are the flags to pass to the chkprintcap(8) program. The default is "-d", which causes missing direc- tories to be created. dumpdev (str) Indicates the device (usually a swap partition) to which a crash dump should be written in the event of a sys- tem crash. If the value of this variable is "AUTO", the first suitable swap device listed in /etc/fstab will be used as dump device. Otherwise, the value of this variable is passed as the argument to dumpon(8) and savecore(8). To disable crash dumps, set this variable to "NO". dumpon_flags (str) Flags to pass to dumpon(8) when configuring dumpdev as the system dump device. dumpdir (str) When the system reboots after a crash and a crash dump is found on the device specified by the dumpdev vari- able, savecore(8) will save that crash dump and a copy of the kernel to the directory specified by the dumpdir vari- able. The default value is /var/crash. Set to "NO" to not run savecore(8) at boot time when dumpdir is set. savecore_enable (bool) If set to "NO", disable automatic extraction of the crash dump from the dumpdev. savecore_flags (str) If crash dumps are enabled, these are the flags to pass to the savecore(8) utility. quota_enable (bool) Set to "YES" to turn on user and group disk quotas on system startup via the quotaon(8) command for all file systems marked as having quotas enabled in /etc/fstab. The kernel must be built with options QUOTA for disk quotas to function. check_quotas (bool) Set to "YES" to enable user and group disk quota checking via the quotacheck(8) command. quotacheck_flags (str) If quota_enable is set to "YES", and check_quotas is set to "YES", these are the flags to pass to the quotacheck(8) utility. The default is "-a", which checks quotas for all file systems with quotas enabled in /etc/fstab. quotaon_flags (str) If quota_enable is set to "YES", these are the flags to pass to the quotaon(8) utility. The default is "-a", which enables quotas for all file systems with quotas en- abled in /etc/fstab. quotaoff_flags (str) If quota_enable is set to "YES", these are the flags to pass to the quotaoff(8) utility when shutting down the quota system. The default is "-a", which disables quotas for all file systems with quotas enabled in /etc/fstab. accounting_enable (bool) Set to "YES" to enable system accounting through the accton(8) facility. firstboot_sentinel (str) This variable specifies the full path to a "first boot" sentinel file. If a file exists with this path, rc.d scripts with the "firstboot" keyword will be run on startup and the sentinel file will be deleted after the boot process completes. The sentinel file must be located on a writable file system which is mounted no later than early_late_divider to function properly. The default is /firstboot. linux_enable (bool) Set to "YES" to enable Linux/ELF binary emulation at system initial boot time. sysvipc_enable (bool) If set to "YES", load System V IPC primitives at boot time. clear_tmp_enable (bool) Set to "YES" to have /tmp cleaned at startup. clear_tmp_X (bool) Set to "NO" to disable removing of X11 lock files, and the removal and (secure) recreation of the various socket directories for X11 related programs. ldconfig_paths (str) Set to the list of shared library paths to use with ldconfig(8). NOTE: /lib and /usr/lib will always be added first, so they need not appear in this list. ldconfig32_paths (str) Set to the list of 32-bit compatibility shared li- brary paths to use with ldconfig(8). ldconfig_insecure (bool) The ldconfig(8) utility normally refuses to use di- rectories which are writable by anyone except root. Set this variable to "YES" to disable that security check dur- ing system startup. ldconfig_local_dirs (str) Set to the list of local ldconfig(8) directories. The names of all files in the directories listed will be passed as arguments to ldconfig(8). ldconfig_local32_dirs (str) Set to the list of local 32-bit compatibility ldconfig(8) directories. The names of all files in the di- rectories listed will be passed as arguments to "ldconfig -32". kern_securelevel_enable (bool) Set to "YES" to set the kernel security level at system startup. kern_securelevel (int) The kernel security level to set at startup. The al- lowed range of value ranges from -1 (the compile time de- fault) to 3 (the most secure). See security(7) for the list of possible security levels and their effect on system operation. sshd_program (str) Path to the SSH server program (/usr/sbin/sshd is the default). sshd_enable (bool) Set to "YES" to start sshd(8) at system boot time. Note, the sshd_oomprotect variable is set to "YES" by de- fault in /etc/defaults/rc.conf. sshd_flags (str) If sshd_enable is set to "YES", these are the flags to pass to the sshd(8) daemon. watchdogd_enable (bool) If set to "YES", start the watchdogd(8) daemon at boot time. This requires that the kernel have been com- piled with a watchdog(4) compatible device. watchdogd_flags (str) If watchdogd_enable is set to "YES", these are the flags passed to the watchdogd(8) daemon. watchdogd_timeout (int) If watchdogd_enable is set to "YES", this is a time- out that will be used by the watchdogd(8) daemon. If this option is set, it overrides -t in watchdogd_flags. watchdogd_shutdown_timeout (int) If watchdogd_enable is set to "YES", this is a time- out that will be set by the watchdogd(8) daemon when it ex- its during the system shutdown. This timeout will not be set when returning to the single-user mode or when the watchdogd service is stopped individually using the service(8) command or the rc.d script. Note that the time- out will be applied if watchdogd(8) is stopped outside of rc(8) framework. If this option is set, it overrides -x in watchdogd_flags. devfs_rulesets (str) List of files containing sets of rules for devfs(8). devfs_system_ruleset (str) Rule name(s) to apply to the system /dev itself. devfs_set_rulesets (str) Pairs of already-mounted dev directories and rulesets that should be applied to them. For example: /mount/dev=ruleset_name devfs_load_rulesets (bool) If set, always load the default rulesets listed in devfs_rulesets. performance_cx_lowest (str) CPU idle state to use while on AC power. The string "LOW" indicates that acpi(4) should use the lowest power state available while "HIGH" indicates that the lowest la- tency state (less power savings) should be used. performance_cpu_freq (str) CPU clock frequency to use while on AC power. The string "LOW" indicates that cpufreq(4) should use the low- est frequency available while "HIGH" indicates that the highest frequency (less power savings) should be used. economy_cx_lowest (str) CPU idle state to use when off AC power. The string "LOW" indicates that acpi(4) should use the lowest power state available while "HIGH" indicates that the lowest la- tency state (less power savings) should be used. economy_cpu_freq (str) CPU clock frequency to use when off AC power. The string "LOW" indicates that cpufreq(4) should use the low- est frequency available while "HIGH" indicates that the highest frequency (less power savings) should be used. jail_enable (bool) If set to "NO", any configured jails will not be started. jail_conf (str) The configuration filename used by jail(8) utility. The default value is /etc/jail.conf. /etc/jail.<jname>.conf and /etc/jail.conf.d/<jname>.conf will also be used if <jname> is set in jail_list. jail_parallel_start (bool) If set to "YES", all configured jails will be started in the background (in parallel). jail_flags (str) Unset by default. When set, use as default value for jail_<jname>_flags for every jail in jail_list. jail_list (str) A space-delimited list of jail names. When left empty, all of the jail(8) instances defined in the configu- ration file are started. The names specified in this list control the jail startup order. jail(8) instances missing from jail_list must be started manually. Note that a jail's depend parameter in the configuration file may over- ride this list. jail_reverse_stop (bool) When set to "YES", all configured jails in jail_list are stopped in reverse order. jail_* variables Note that older releases supported per-jail configuration via rc.conf variables. For example, hostname of a jail named vjail was able to be set by jail_vjail_hostname. These per-jail configuration variables are now obsolete in favor of jail(8) configuration file. For backward compati- bility, when per-jail configuration variables are defined, jail(8) configuration files are created as /var/run/jail.<jname>.conf and used. The following per-jail parameters are handled by rc.d/jail script out of their corresponding rc.conf variables. In addition to them, parameters in jail_<jname>_parameters will be added to the configuration file. They must be a semi-colon (`;') delimited list of "key=value". For more details, see jail(8) manual page. path set from jail_<jname>_rootdir host.hostname set from jail_<jname>_hostname exec.consolelog set from jail_<jname>_consolelog. The default value is /var/log/jail_<jname>_console.log. interface set from jail_<jname>_interface. vnet.interface set from jail_<jname>_vnet_interface. This implies vnet parameter will be enabled and cannot be specified with jail_<jname>_interface, jail_<jname>_ip and/or jail_<jname>_ip_multi<n> at the same time. fstab set from jail_<jname>_fstab mount set from jail_<jname>_procfs_enable. exec.fib set from jail_<jname>_fib exec.start set from jail_<jname>_exec_start. The parameter name was command in some older releases. exec.prestart set from jail_<jname>_exec_prestart exec.poststart set from jail_<jname>_exec_poststart exec.stop set from jail_<jname>_exec_stop exec.prestop set from jail_<jname>_exec_prestop exec.poststop set from jail_<jname>_exec_poststop ip4.addr set if jail_<jname>_ip or jail_<jname>_ip_multi<n> contain IPv4 addresses ip6.addr set if jail_<jname>_ip or jail_<jname>_ip_multi<n> contain IPv6 addresses allow.mount set from jail_<jname>_mount_enable mount.devfs set from jail_<jname>_devfs_enable devfs_ruleset set from jail_<jname>_devfs_ruleset. This must be an integer, not a string. mount.fdescfs set from jail_<jname>_fdescfs_enable allow.set_hostname set from jail_<jname>_set_hostname_allow allow.rawsocket set from jail_<jname>_socket_unixiproute_only allow.sysvipc set from jail_<jname>_sysvipc_allow harvest_mask (int) Set to a bit-mask representing the entropy sources you wish to harvest. Refer to random(4) for more informa- tion. entropy_dir (str) Set to "NO" to disable caching entropy via cron(8). Otherwise set to the directory in which the entropy files are stored. To be useful, there must be a system cron job that regularly writes and rotates files here. All files found will be used at boot time. The default is /var/db/entropy. entropy_file (str) Set to "NO" to disable caching entropy through re- boots. Otherwise set to the name of a file used to store cached entropy. This file should be located on a file sys- tem that is readable before all the volumes specified in fstab(5) are mounted. By default, /entropy is used, but if /var/db/entropy-file is found it will also be used. This will be of some use to bsdinstall(8). entropy_boot_file (str) Set to "NO" to disable very early caching entropy through reboots. Otherwise set to the filename used to read very early reboot cached entropy. This file should be located where loader(8) can read it. See also loader.conf(5). The default location is /boot/entropy. entropy_save_sz (int) Size of the entropy cache files saved by save-entropy periodically. entropy_save_num (int) Number of entropy cache files to save by save-entropy periodically. ipsec_enable (bool) Set to "YES" to run setkey(8) on ipsec_file at boot time. ipsec_file (str) Configuration file for setkey(8). dmesg_enable (bool) Set to "YES" to save dmesg(8) to /var/run/dmesg.boot on boot. rcshutdown_timeout (int) If set, start a watchdog timer in the background which will terminate rc.shutdown if shutdown(8) has not completed within the specified time (in seconds). Notice that in addition to this soft timeout, init(8) also applies a hard timeout for the execution of rc.shutdown. This is configured via sysctl(8) variable kern.init_shutdown_timeout and defaults to 120 seconds. Setting the value of rcshutdown_timeout to more than 120 seconds will have no effect until the sysctl(8) variable kern.init_shutdown_timeout is also increased. virecover_enable (bool) Set to "NO" to prevent the system from trying to re- cover prematurely terminated vi(1) sessions. ugidfw_enable (bool) Set to "YES" to load the mac_bsdextended(4) module upon system initialization and load a default ruleset file. bsdextended_script (str) The default mac_bsdextended(4) ruleset file to load. The default value of this variable is /etc/rc.bsdextended. newsyslog_enable (bool) If set to "YES", run newsyslog(8) command at startup. newsyslog_flags (str) If newsyslog_enable is set to "YES", these are the flags to pass to the newsyslog(8) program. The default is "-CN", which causes log files flagged with a C to be cre- ated. mdconfig_md<X> (str) Arguments to mdconfig(8) for md(4) device X. At min- imum a -t type must be specified and either a -s size for malloc or swap backed md(4) devices or a -f file for vnode backed md(4) devices. Note that mdconfig_md<X> variables are evaluated until one variable is unset or null. mdconfig_md<X>_newfs (str) Optional arguments passed to newfs(8) to initialize md(4) device X. mdconfig_md<X>_owner (str) An ownership specification passed to chown(8) after the specified md(4) device X has been mounted. Both the md(4) device and the mount point will be changed. mdconfig_md<X>_perms (str) A mode string passed to chmod(1) after the specified md(4) device X has been mounted. Both the md(4) device and the mount point will be changed. mdconfig_md<X>_files (str) Files to be copied to the mount point of the md(4) device X after it has been mounted. mdconfig_md<X>_cmd (str) Command to execute after the specified md(4) device X has been mounted. Note that the command is passed to eval and that both _dev and _mp variables can be used to refer- ence respectively the md(4) device and the mount point. Assuming that the md(4) device is md0, one could set the following: mdconfig_md0_cmd="tar xfzC /var/file.tgz \${_mp}" autobridge_interfaces (str) Set to the list of bridge interfaces that will have newly arriving interfaces checked against to be automati- cally added. If not set to "NO" then for each whitespace separated element in the value, a autobridge_<element> variable is assumed to exist which has a whitespace sepa- rated list of interface names to match, these names can use wildcards. For example: autobridge_interfaces="bridge0" autobridge_bridge0="tap* dc0 vlan[345]" mixer_enable (bool) If set to "YES", enable support for sound mixer. hcsecd_enable (bool) If set to "YES", enable Bluetooth security daemon. hcsecd_config (str) Configuration file for hcsecd(8). Default /etc/bluetooth/hcsecd.conf. sdpd_enable (bool) If set to "YES", enable Bluetooth Service Discovery Protocol daemon. sdpd_control (str) Path to sdpd(8) control socket. Default /var/run/sdp. sdpd_groupname (str) Sets sdpd(8) group to run as after it initializes. Default "nobody". sdpd_username (str) Sets sdpd(8) user to run as after it initializes. Default "nobody". bthidd_enable (bool) If set to "YES", enable Bluetooth Human Interface Device daemon. bthidd_config (str) Configuration file for bthidd(8). Default /etc/bluetooth/bthidd.conf. bthidd_hids (str) Path to a file, where bthidd(8) will store informa- tion about known HID devices. Default /var/db/bthidd.hids. rfcomm_pppd_server_enable (bool) If set to "YES", enable Bluetooth RFCOMM PPP wrapper daemon. rfcomm_pppd_server_profile (str) The name of the profile to use from /etc/ppp/ppp.conf. Multiple profiles can be specified here. Also used to specify per-profile overrides. When the profile name contains any of the characters ".-/+" they are translated to "_" for the proposes of the override variable names. rfcomm_pppd_server_<profile>_bdaddr (str) Overrides local address to listen on. By default rfcomm_pppd(8) will listen on "ANY" address. The address can be specified as BD_ADDR or name. rfcomm_pppd_server_<profile>_channel (str) Overrides local RFCOMM channel to listen on. By de- fault rfcomm_pppd(8) will listen on RFCOMM channel 1. Must set properly if multiple profiles used in the same time. rfcomm_pppd_server_<profile>_register_sp (bool) Tells rfcomm_pppd(8) if it should register Serial Port service on the specified RFCOMM channel. Default "NO". rfcomm_pppd_server_<profile>_register_dun (bool) Tells rfcomm_pppd(8) if it should register Dial-Up Networking service on the specified RFCOMM channel. De- fault "NO". ubthidhci_enable (bool) If set to "YES", change the USB Bluetooth controller from HID mode to HCI mode. You also need to specify the location of USB Bluetooth controller with the ubthidhci_busnum and ubthidhci_addr variables. ubthidhci_busnum Bus number where the USB Bluetooth controller is located. Check the output of usbconfig(8) on your system to find this information. ubthidhci_addr Bus address of the USB Bluetooth controller. Check the output of usbconfig(8) on your system to find this informa- tion. utx_enable (bool) Set to "YES" to enable user accounting through the utx(8) facility. netwait_enable (bool) If set to "YES", delays the start of network-reliant services until netwait_if is up, duplicate address discov- ery (DAD) has completed, and ICMP packets to a destination defined in netwait_ip are flowing. Link state is examined first, followed by DAD, then "pinging" an IP address to verify network usability. If no destination can be reached or timeouts are exceeded, network services are started any- way with no guarantee that the network is usable. netwait_ip (str) Empty by default. This variable contains a space-de- limited list of IP addresses to ping(8). DNS hostnames should not be used as resolution is not guaranteed to be functional at this point. If multiple IP addresses are specified, each will be tried until one is successful or the list is exhausted. netwait_timeout (int) Indicates the total number of seconds to perform a "ping" against each IP address in netwait_ip, at a rate of one ping per second. If any of the pings are successful, full network connectivity is considered reliable. The de- fault is 60. netwait_if (str) Empty by default. Defines the name of the network interface on which watch for link. ifconfig(8) is used to monitor the interface, looking for "status: no carrier". Once gone, the link is considered up. This can be a vlan(4) interface if desired. netwait_if_timeout (int) Defines the total number of seconds to wait for link to become usable, polled at a 1-second interval. The de- fault is 30. netwait_dad (str) Set to "NO" by default. Set to "YES" to enable wait- ing for DAD to complete. netwait_dad_timeout (int) Unset by default. Indicates the maximum number of seconds to wait for DAD to complete. If zero or unset, the timeout will be one more than the value of the net.inet6.ip6.dad_count sysctl variable. rctl_enable (bool) If set to "YES", load rctl(8) rules from the defined ruleset. The kernel must be built with options RACCT and options RCTL. rctl_rules (str) Set to /etc/rctl.conf by default. This variables contains the rctl.conf(5) ruleset to load for rctl(8). iovctl_files (str) A space-separated list of configuration files used by iovctl(8). The default value is an empty string. autofs_enable (bool) If set to "YES", start the automount(8) utility and the automountd(8) and autounmountd(8) daemons at boot time. automount_flags (str) If autofs_enable is set to "YES", these are the flags to pass to the automount(8) program. By default no flags are passed. automountd_flags (str) If autofs_enable is set to "YES", these are the flags to pass to the automountd(8) daemon. By default no flags are passed. autounmountd_flags (str) If autofs_enable is set to "YES", these are the flags to pass to the autounmountd(8) daemon. By default no flags are passed. ctld_enable (bool) If set to "YES", start the ctld(8) daemon at boot time. iscsid_enable (bool) If set to "YES", start the iscsid(8) daemon at boot time. iscsictl_enable (bool) If set to "YES", start the iscsictl(8) utility at boot time. iscsictl_flags (str) If iscsictl_enable is set to "YES", these are the flags to pass to the iscsictl(8) program. The default is "-Aa", which configures sessions based on the /etc/iscsi.conf configuration file. cfumass_enable (bool) If set to "YES", create and export an USB LUN using cfumass(4) at boot time. cfumass_dir (str) The directory where the files exported by USB LUN are located. The default directory is /var/cfumass. service_delete_empty (bool) If set to "YES", `service delete' removes empty "rc.conf.d" files. zfs_bootonce_activate (bool) If set to "YES", and a boot environment marked bootonce is successfully booted, it will be made perma- nently active. zfskeys_enable (bool) If set to "YES", enable auto-loading of encryption keys for encrypted ZFS datasets. For every dataset the script will first load the appropriate encryption key and then attempt to unlock the dataset. The script operates only on datasets which are encrypted with ZFS native encryption and have a ZFS "keylocation" dataset property beginning with "file://". zfskeys_datasets (str) A whitespace-separated list of ZFS datasets to un- lock. The list is empty by default, which means that the script will attempt to unlock all datasets. zfskeys_timeout (int) Define the total number of seconds to wait for the zfskeys script to unlock an encrypted dataset. The default is 10. sendmail_enable (str) If set to "YES", run the sendmail(8) daemon at system boot time. If set to "NO", do not run a sendmail(8) daemon to listen for incoming network mail. This does not pre- clude a sendmail(8) daemon listening on the SMTP port of the loopback interface. The "NONE" option sets each sendmail_enable, sendmail_submit_enable, sendmail_outbound_enable, sendmail_msp_queue_enable to "NO". sendmail_cert_create (str) If sendmail_enable is set to "YES", create a signed certificate /etc/mail/certs/host.cert representing /etc/mail/certs/host.key by the CA certificate in /etc/mail/certs/cacert.pem. This will enable connecting hosts to negotiate STARTTLS allowing incoming email to be encrypted in transit. sendmail(8) needs to be configured to use these generated files. The default configuration in /etc/mail/freebsd.mc has the required options in it. sendmail_cert_cn (str) If sendmail_enable is set to "YES" and sendmail_cert_create is set to "YES", this is the Common Name (CN) of the certificate that will be created. If sendmail_cert_cn is not set, the system's hostname will be used. If there is no hostname set, "amnesiac" will be used. sendmail_flags (str) If sendmail_enable is set to "YES", these are the flags to pass to the sendmail(8) daemon. sendmail_submit_enable (bool) If set to "YES" and sendmail_enable is set to "NO", run sendmail(8) using sendmail_submit_flags instead of sendmail_flags. This is intended to allow local mail sub- mission via a localhost-only listening SMTP service re- quired for running sendmail(8) as a non-set-user-ID binary. Note that this does not work inside jail(2) systems, as jails do not allow binding to just the localhost interface. sendmail_submit_flags (str) If sendmail_enable is set to "NO" and sendmail_submit_enable is set to "YES", these are the flags to pass to the sendmail(8) daemon. sendmail_outbound_enable (bool) If set to "YES" and both sendmail_enable and sendmail_submit_enable are set to "NO", run sendmail(8) us- ing sendmail_outbound_flags instead of sendmail_flags. This is intended to allow local mail queue management for systems that do not offer a listening SMTP service. sendmail_outbound_flags (str) If both sendmail_enable and sendmail_submit_enable are set to "NO" and sendmail_outbound_enable is set to "YES", these are the flags to pass to the sendmail(8) dae- mon. sendmail_msp_queue_enable (bool) If set to "YES", start a client (MSP) queue runner sendmail(8) daemon at system boot time. As of sendmail 8.12, a separate queue is used for command line submis- sions. The client queue runner ensures that nothing is left behind in the submission queue. sendmail_msp_queue_flags (str) If sendmail_msp_queue_enable is set to daemon. "YES", these are the flags to pass to the sendmail(8) precious_machine If set to "YES", some destructive actions require removal of the action-specific safe-belts before being allowed. For instance, the file /var/run/noshutdown is created to prevent shutdown(8) targeted at the wrong machine. SERVICE JAILS The service jails part of the rc system automatically puts a service into a jail. This jail inherits the filesystem and various other parts of the parent (if you allow child-jails in your jails, service jails can be used in jails) depending on the content of the <name>_svcj_options variable. Typically this variable is set inside rc scripts, but it can be overriden in the rc config. Valid options for <name>_svcj_options are: mlock Allows to lock memory pages into the physical memory. netv4 Allows IPv4 network access and the ability to bind to re- served ports. If <name>_svcj_ipaddrs is set, only the IPv4 addresses listed there will be visible to the jail, other- wise all assigned IPv4 addresses will be visible. This can not be combined with netv6. netv6 Allows IPv6 network access and the ability to bind to re- served ports. If <name>_svcj_ipaddrs is set, only the IPv6 addresses listed there will be visible to the jail, other- wise all assigned IPv6 addresses will be visible. This can not be combined with netv4. net_basic Equivalent to enabling both netv6 and netv4. net_raw Allow to open raw sockets. This option can be combined with netv4, netv6, net_basic. net_all Allows IPv6 and IPv4 network access as for netv4 and netv6, allows to open raw sockets, and allows to open sockets of protocol stacks that have not had jail functionality added to them. nfsd Allows to run nfsd and affiliated daemons. routing Allows to modify the system routing table. settime Allows to set and slew the system time. sysvipc Inherits the SysV semaphores, SysV shared memory and SysV messages from the host or the parent jail. sysvipcnew Creates a new namespace for SysV semaphores, SysV shared memory and SysV messages for this particular service jail. vmm Allows access to vmm(4). This option is only available when vmm(4) is enabled in the kernel. All non-network options can be combined with all other options. From the SysV options only one option can be specified. If the <name>_svcj variable is set to "YES", this particular service is started in a service jail named svcj-name. The svcj_all_enable variable allows to enable service jails for all services of the system at once. Services which have <name>_svcj set to "NO" are excluded. Some services may set <name>_svcj to "NO" in the script to either prevent service jails for this service at all, or may set it to "NO" if it is not set in the rc config, to exclude it from svcj_all_enable but allow to explicitely enable it. The sshd service for example would not see other jails, if it would run as a service jail. This may or may not be what is needed, and as such it is ex- cluded from svcj_all_enable but can be enabled via setting sshd_svcj to "YES". FILES /etc/defaults/rc.conf /etc/defaults/vendor.conf /etc/rc.conf /etc/rc.conf.local /etc/rc.conf.d/ SEE ALSO chmod(1), cpuset(1), gdb(1) (ports/devel/gdb), kbdcontrol(1), limits(1), protect(1), sh(1), umask(1), uuidgen(1), vi(1), vidcontrol(1), bridge(4), dummynet(4), ip(4), ipf(4), ipfw(4), ipnat(4), kld(4), pf(4), pflog(4), pfsync(4), tcp(4), udp(4), exports(5), fstab(5), ipf(5), ipnat(5), jail.conf(5), loader.conf(5), login.conf(5), motd(5), newsyslog.conf(5), pf.conf(5), firewall(7), growfs(7), security(7), tuning(7), accton(8), apm(8), bsdinstall(8), bthidd(8), chkprintcap(8), chown(8), cron(8), devfs(8), dhclient(8), geli(8), hcsecd(8), ifconfig(8), inetd(8), iovctl(8), ipf(8), ipfw(8), ipnat(8), jail(8), kldxref(8), loader(8), lpd(8), makewhatis(8), mdconfig(8), mdmfs(8), mixer(8), mountd(8), moused(8), newfs(8), newsyslog(8), nfsd(8), ntpd(8), ntpdate(8), pfctl(8), pflogd(8), ping(8), powerd(8), quotacheck(8), quotaon(8), rc(8), rc.subr(8), rcorder(8), rfcomm_pppd(8), route(8), route6d(8), routed(8), rpc.lockd(8), rpc.statd(8), rpc.tlsclntd(8), rpc.tlsservd(8), rpcbind(8), rwhod(8), savecore(8), sdpd(8), sendmail(8), service(8), sshd(8), swapon(8), sysctl(8), syslogd(8), sysrc(8), unbound(8), usbconfig(8), utx(8), wlandebug(8), yp(8), ypbind(8), ypserv(8), ypset(8) HISTORY The rc.conf file appeared in FreeBSD 2.2.2. AUTHORS Jordan K. Hubbard. FreeBSD 15.0 STABLE October 5, 2025 RC.CONF(5)
NAME | DESCRIPTION | SERVICE JAILS | FILES | SEE ALSO | HISTORY | AUTHORS
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=rc.conf&manpath=FreeBSD+15.0-STABLE>