FRG: Services

Descriptions of each field in the Services section of the TrueNAS web interface.

AFP

General Options

Database Path: Sets the path where the database information is stored. The path must be writable even if the pool is read only.

Access

Guest Account: Select an account to use for guest access. This account must have permissions to the shared pool or dataset. The privileges given to this user are also available to any client connecting to the guest service. This user must exist in the password file, but does not require a valid login. The root user cannot be used as guest account.
Guest Access: Set to disable the password prompt that appears before clients access AFP shares.
Max Connections: Maximum number of simultaneous connections permitted via AFP. The default limit is 50.
Chmod Request: Indicates how to handle Access Control Lists. Ignore: ignores requests and gives the parent directory ACL inheritance full control over new items. Preserve: preserves ZFS ACEs for named users and groups or the POSIX ACL group mask. Simple: is set to chmod() as requested without any extra steps.
Map ACLs: Select mapping of permissions for authenticated users. Rights (default, Unix-style permissions), None, or Mode (ACLs).

Other Options

Log Level: Record AFP service messages up to the specified log level in the system log. By default, severe and warning level messages are logged.
Bind Interfaces: Specify the IP addresses to listen for AFP connections. Leave blank to bind to all available IPs. If none are specified, advertise the first IP address of the system, but listen for any incoming request.
Global Auxiliary: Additional afp.conf(5) parameters.

Dynamic DNS

General Options

Provider: Several providers are supported. If a specific provider is not listed, select Custom Provider and enter the information in the Custom Server and Custom Path fields.
CheckIP-Server SSL: Use HTTPS for the connection to the CheckIP Server.
CheckIP Server: Name and port of the server that reports the external IP address. For example, entering checkip.dyndns.org:80 uses Dyn IP detection to discover the remote socket IP address.
CheckIP Path: Path to the CheckIP Server. For example, no-ip.com uses a CheckIP Server of dynamic.zoneedit.com and CheckIP Path of /checkip.html.
SSL: Use HTTPS for the connection to the server that updates the DNS record.
Domain Name: Fully qualified domain name of the host with the dynamic IP address. Separate multiple domains with a space, comma (,), or semicolon (;). Example: myname.dyndns.org; myothername.dyndns.org.
Update Period: How often the IP is checked in seconds.

Credentials

Username: Username for logging in to the provider and updating the record.
Password: Password for logging in to the provider and updating the record.

FTP

General Options

Port: Set the port the FTP service listens on.
Clients: The maximum number of simultaneous clients.
Connections: Set the maximum number of connections per IP address. 0 means unlimited.
Login Attempts: Enter the maximum number of attempts before the client is disconnected. Increase this if users are prone to typos.
Timeout: Maximum client idle time in seconds before the client is disconnected.
Certificate: The SSL certificate to be used for TLS FTP connections. To create a certificate, use System > Certificates.

Advanced

Access

Always Chroot: When set, a local user is only allowed access to their home directory if they are a member of the wheel group.
Allow Root Login: Setting this option is discouraged as it increases security risk.
Allow Anonymous Login: Allow anonymous FTP logins with access to the directory specified in Path.
Allow Local User Login: Allow any local user to log in. By default, only members of the ftp group are allowed to log in.
Require IDENT Authentication: Setting this option will result in timeouts if identd is not running on the client.
File Permissions: Sets default permissions for newly created files.
Directory Permissions: Sets default permissions for newly created directories.

TLS

Enable TLS: Allow encrypted connections. Requires a certificate created or imported with the System > Certificates menu.
TLS Policy: Define whether the control channel, data channel, both channels, or neither channel of an FTP session must occur over SSL/TLS. The policies are described here.
TLS Allow Client Renegotiations: Setting this option is not recommended as it breaks several security measures. Refer to mod_tls for more details.
TLS Allow Dot Login: If set, the user home directory is checked for a .tlslogin file which contains one or more PEM-encoded certificates. If not found, the user is prompted for password authentication.
TLS Allow Per User: If set, the password of the user can be sent unencrypted.
TLS Common Name Required: When set, the common name in the certificate must match the FQDN of the host.
TLS Enable Diagnostics: If set when troubleshooting a connection, logs more verbosely.
TLS Export Certificate Data: Set to export the certificate environment variables.
TLS No Certificate Request: Set if the client cannot connect, and it is suspected the client is poorly handling the server certificate request.
TLS No Empty Fragments: Enabling this option is not recommended as it bypasses a security mechanism.
TLS No Session Reuse Required: Setting this option reduces the security of the connection, so only use it if the client does not understand reused SSL sessions.
TLS Export Standard Vars: If selected, sets several environment variables.
TLS DNS Name Required: If set, the DNS name of the client must resolve to its IP address and the cert must contain the same DNS name.
TLS IP Address Required: If set, the client certificate must contain the IP address that matches the IP address of the client.

Bandwidth

Local User Upload Bandwidth *: In KiBs or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (Ex. 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB.
Local User Download Bandwidth *: In KiBs or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (Ex. 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB.
Anonymous User Upload Bandwidth *: In KiBs or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (Ex. 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB.
Anonymous User Download Bandwidth *: In KiBs or greater. A default of 0 KiB means unlimited. This field accepts human-readable input (Ex. 50 GiB, 500M, 2 TB). If units are not specified, the value defaults to KiB.

Other Options

Minimum Passive Port *: Used by clients in PASV mode. A default of 0 means any port above 1023.
Maximum Passive Port *: Used by clients in PASV mode. A default of 0 means any port above 1023.
Enable FXP: Set to enable the File eXchange Protocol. This option makes the server vulnerable to FTP bounce attacks so it is not recommended.
Allow Transfer Resumption: Set to allow FTP clients to resume interrupted transfers.
Perform Reverse DNS Lookups: Set to perform reverse DNS lookups on client IPs. This can cause long delays if reverse DNS is not configured.
Masquerade Address: Public IP address or hostname. Set if FTP clients cannot connect through a NAT device.
Display Login: Specify the message displayed to local login users after authentication. Not displayed to anonymous login users.
Auxiliary Parameters: Used to add additional proftpd(8) parameters.

iSCSI

Target Global Configuration

Base Name: Lowercase alphanumeric characters plus dot (.), dash (-), and colon (:) are allowed. See the "Constructing iSCSI names using the iqn. format" section of RFC 3721.
ISNS Servers: Hostnames or IP addresses of the ISNS servers to be registered with the iSCSI targets and portals of the system. Separate entries by pressing Enter.
Pool Available Space Threshold: Generate an alert when the pool has this percent space remaining. This is typically configured at the pool level when using zvols or at the extent level for both file and device based extents.

Portals

Description: Optional description. Portals are automatically assigned a numeric group.
Discovery Authentication Method: iSCSI supports multiple authentication methods that are used by the target to discover valid devices. None allows anonymous discovery while CHAP and Mutual CHAP require authentication.
Discovery Authentication Group: Group ID created in Authorized Access. Required when the Discovery Authentication Method is set to CHAP or Mutual CHAP.
IP Address: Select the IP addresses to be listened on by the portal. Click ADD to add IP addresses with a different network port. The address 0.0.0.0 can be selected to listen on all IPv4 addresses, or :: to listen on all IPv6 addresses.
Port: TCP port used to access the iSCSI target. Default is 3260.

Initiators

Connected Initiators: Initiators currently connected to the system. Shown in IQN format with an IP address. Set initiators and click an -> (arrow) to add the initiators to either the Allowed Initiators or Authorized Networks lists. Clicking Refresh updates the Connected Initiators list.
Allowed Initiators: Initiators allowed access to this system. Enter an iSCSI Qualified Name (IQN) and click + to add it to the list. Example: iqn.1994-09.org.freebsd:freenas.local
Authorized Networks: Network addresses allowed to use this initiator. Each address can include an optional CIDR netmask. Click + to add the network address to the list. Example: 192.168.2.0/24.
Description: Any notes about initiators.

Authorized

Group ID: Allow different groups to be configured with different authentication profiles. Example: all users with a group ID of 1 will inherit the authentication profile associated with Group 1.
User: User account to create for CHAP authentication with the user on the remote system. Many initiators use the initiator name as the user name.
Secret: User password. Must be at least 12 and no more than 16 characters long.
Peer User: Only entered when configuring mutual CHAP. Usually the same value as User.
Peer Secret: Mutual secret password. Required when Peer User is set. Must be different than the Secret.

Target

Target Name: The base name is automatically prepended if the target name does not start with iqn. Lowercase alphanumeric characters plus dot (.), dash (-), and colon (:) are allowed. See the "Constructing iSCSI names using the iqn. format" section of RFC 3721.
Portal Group ID: Leave empty or select the number of an existing portal to use.
Initiator Group ID: Select which existing initiator group has access to the target.
Authentication Method: Choices are None, Auto, CHAP, or Mutual CHAP.
Authentication Group Number: Select None or an integer. This value represents the number of existing authorized accesses.

Extents

Name: Name of the extent. If the Extent size is not 0, it cannot be an existing file within the pool or dataset.
Description: Notes about this extent.
Enabled: Set to enable the iSCSI extent.
Extent Type: Device provides virtual storage access to zvols, zvol snapshots, or physical devices. File provides virtual storage access to a single file.
Device: Only appears if Device is selected. Select the unformatted disk, controller, or zvol snapshot.
Logical Block Size: Leave at the default of 512 unless the initiator requires a different block size.
Disable Physical Block Size Reporting: Set if the initiator does not support physical block size values over 4K (MS SQL).
Enable TPC: Set to allow an initiator to bypass normal access control and access any scannable target. This allows xcopy operations which are otherwise blocked by access control.
Xen initiator compat mode: Set when using Xen as the iSCSI initiator.
LUN RPM: Do NOT change this setting when using Windows as the initiator. Only needs to be changed in large environments where the number of systems using a specific RPM is needed for accurate reporting statistics.
Read-only: Set to prevent the initiator from initializing this LUN.

Associated Targets

Target: Select an existing target.
LUN ID: Select the value or enter a value between 0 and 1023. Some initiators expect a value below 256. Leave this field blank to automatically assign the next available ID.
Extent: Select an existing extent.

LLDP

General Options

Interface Description: Enables receive mode. Any received peer information is saved in interface descriptions.
Country Code: Two-letter ISO 3166-1 alpha-2 code used to enable LLDP location support.
Location: The physical location of the host.

NFS

General Options

Number of servers *: Specify how many servers to create. Increase if NFS client responses are slow. Keep this less than or equal to the number of CPUs reported by sysctl -n kern.smp.cpus to limit CPU context switching.
Bind IP Addresses: Select IP addresses to listen to for NFS requests. Leave empty for NFS to listen to all available addresses.

NFSv4

Enable NFSv4: Set to switch from NFSv3 to NFSv4.
NFSv3 ownership model for NFSv4: Set when NFSv4 ACL support is needed without requiring the client and the server to sync users and groups.
Require Kerberos for NFSv4: Set to force NFS shares to fail if the Kerberos ticket is unavailable.

Ports

mountd(8) bind port: Enter a port to bind mountd(8).
rpc.statd(8) bind port: Enter a port to bind rpc.statd(8).
rpc.lockd(8) bind port: Enter a port to bind rpc.lockd(8).

Other Options

Serve UDP NFS clients: Set if NFS clients need to use UDP.
Allow non-root mount: Set only if required by the NFS client. Set to allow serving non-root mount requests.
Support >16 groups: Set when a user is a member of more than 16 groups. This assumes group membership is configured correctly on the NFS server.
Log mountd(8) requests: Set to log mountd(8) syslog requests.
Log rpc.statd(8) and rpc.lockd(8): Set to log rpc.statd(8) and rpc.lockd(8) syslog requests.

OpenVPN Client

General Options

Client Certificate: Choose a valid client certificate which exists on this system and hasn't been revoked. Find more about generating certificates and CAs for OpenVPN here.
Root CA: Choose the root Certificate Authority that was used to sign the Client and Server certificates. Find more about generating certificates and CAs for OpenVPN here.
Remote: A valid IP address or domain name to which OpenVPN will connect.
Port: Enter a port number to use for the connection.
Authentication Algorithm: Choose an algorithm to authenticate packets.
Cipher: Choose a cipher algorithm to encrypt data channel packets.
Compression: Choose a compression algorithm.
Protocol: Choose the protocol to use when connecting with the remote system.
Device Type: Choose a virtual network interface. More information can be found here.
Nobind: Enable to prevent binding to local address and port. Must be enabled if OpenVPN client and server are to run concurrently.
TLS Crypt Auth Enabled: Enable/disable TLS Web Client Authentication.
Additional Parameters: Additional parameters.
TLS Crypt Auth: Provide static key for authentication/encryption of all control channel packets when tls_crypt_auth_enabled is enabled.

OpenVPN Server

General Options

Server Certificate: Choose a valid client certificate which exists on this system and hasn't been revoked. Find more about generating certificates and CAs for OpenVPN here.
Root CA: Choose the root Certificate Authority that was used to sign the Client and Server certificates. Find more about generating certificates and CAs for OpenVPN here.
Server: Enter the IP address and netmask of the server.
Port: Enter a port number to use for the connection.
Authentication Algorithm: Choose an algorithm to authenticate packets.
Cipher: Choose a cipher algorithm to encrypt data channel packets.
Compression: Choose a compression algorithm.
Protocol: Choose the protocol to use when connecting with the remote system.
Device Type: Choose a virtual network interface. More information can be found here.
Topology: Configure virtual addressing topology when running in TUN mode. (TAP mode always uses a SUBNET topology.)
TLS Crypt Auth Enabled: Enable/disable TLS Web Client Authentication.
Additional Parameters: Additional parameters.
TLS Crypt Auth: When tls_crypt_auth_enabled is enabled and tls_crypt_auth is not provided, a static key is automatically generated to be used with OpenVPN client.

Rsync

Rsync Module

TCP Port: rsyncd listens on this port.
Auxiliary Parameters: Enter any additional parameters from rsyncd.conf(5).

S.M.A.R.T

General Options

Check Interval: Define a number of minutes for smartd to wake up and check if any tests are configured to run.
Difference: Enter a number of degrees in Celsius. SMART reports if the temperature of a drive has changed by N degrees Celsius since the last report.
Informational: Enter a threshold temperature in Celsius. SMART will message with a log level of LOG_INFO if the temperature is higher than the threshold.
Critical: Enter a threshold temperature in Celsius. SMART will message with a log level of LOG_CRIT and send an email if the temperature is higher than the threshold.

S3

S3 Configuration Options

IP Address: Enter the IP address which runs the S3 service. 0.0.0.0 tells the server to listen on all addresses.
Port: Enter the TCP port which provides the S3 service.
Access Key: Enter the S3 access ID. See Access keys for more information.
Secret Key: Enter the S3 secret access key. See Access keys for more information.
Disk: Browse to the directory for the S3 filesystem.
Enable Browser: Set to enable the web user interface for the S3 service. Access the minio web interface by entering the IP address and port number separated by a colon in the browser address bar.
Certificate: Use an SSL certificate that was created or imported in System > Certificates for secure S3 connections.

SMB

NetBIOS

NetBIOS Name: Automatically populated with the original hostname of the system. This name is limited to 15 characters and cannot be the Workgroup name.
NetBIOS Alias: Enter any aliases, separated by spaces. Each alias can be up to 15 characters long.
Workgroup: Must match Windows workgroup name. When this is unconfigured and Active Directory or LDAP are active, TrueNAS will detect and set the correct workgroup from these services.
Description: Optional. Enter a server description.
Enable SMB1 support: Use this option to allow legacy SMB clients to connect to the server. Note that SMB1 is being deprecated and it is advised to upgrade clients to operating system versions that support modern versions of the SMB protocol.
NTLMv1 Auth: Off by default. When set, smbd(8) attempts to authenticate users with the insecure and vulnerable NTLMv1 encryption. This setting allows backward compatibility with older versions of Windows, but is not recommended and should not be used on untrusted networks.

Other Options

Unix Charset: Default is UTF-8 which supports all characters in all languages.
Log Level: Record SMB service messages up to the specified log level. By default, error and warning level messages are logged.
Use Syslog Only: Set to log authentication failures in /var/log/messages instead of the default of /var/log/samba4/log.smbd.
Local Master: Set to determine if the system participates in a browser election. Leave unset when the network contains an AD or LDAP server, or when Vista or Windows 7 machines are present.
Enable Apple SMB2/3 Protocol Extensions: These protocol extensions can be used by macOS to improve the performance and behavioral characteristics of SMB shares. This is required for Time Machine support.
Administrators Group: Members of this group are local admins and automatically have privileges to take ownership of any file in an SMB share, reset permissions, and administer the SMB server through the Computer Management MMC snap-in.
Guest Account: Account to be used for guest access. Default is nobody. The chosen account is required to have permissions to the shared pool or dataset. To adjust permissions, edit the dataset Access Control List (ACL), add a new entry for the chosen guest account, and configure the permissions in that entry. If the selected Guest Account is deleted the field resets to nobody.
File Mask: Overrides default file creation mask of 0666 which creates files with read and write access for everybody.
Directory Mask: Overrides default directory creation mask of 0777 which grants directory read, write and execute access for everybody.
Bind IP Addresses: Static IP addresses which SMB listens on for connections. Leaving all unselected defaults to listening on all active interfaces.
Auxiliary Parameters: Enter additional smb.conf options. See the Samba Guide for more information on these settings. To log more details when a client attempts to authenticate to the share, add log level = 1, auth_audit:5.

SNMP

General Options

Location: Enter the location of the system.
Contact: E-mail address that will receive SNMP service messages.
Community: Change from public to increase system security. Can only contain alphanumeric characters, underscores, dashes, periods, and spaces. This can be left empty for SNMPv3 networks.

SNMP v3 Options

SNMP v3 Support: Set to enable support for SNMP version 3. See snmpd.conf(5) for configuration details.

Other Options

Auxiliary Parameters: Enter any additional snmpd.conf(5) options. Add one option for each line.
Expose zilstat via SNMP: Enabling this option may have performance implications on your pools.
Log Level: Choose how many log entries to create. Choices range from the least log entries (Emergency) to the most (Debug).

SSH

General Options

TCP Port: Open a port for SSH connection requests.
Log in as Root with Password: Root logins are discouraged. Allows root logins. A password must be set for the root user account.
Allow Password Authentication: Enabling allows using a password to authenticate the SSH login. Warning: when directory services are enabled, allowing password authentication can grant access to all users imported by the directory service. Disabling changes authentication to require keys for all users. This requires additional setup on both the SSH client and server.
Allow Kerberos Authentication: Ensure valid entries exist in Directory Services > Kerberos Realms and Directory Services > Kerberos Keytabs and the system can communicate with the Kerberos Domain Controller before enabling this option.
Allow TCP Port Forwarding: Set to allow users to bypass firewall restrictions using the SSH port forwarding feature.

Advanced Options

Bind Interfaces: Select interfaces for SSH to listen on. Leave all options unselected for SSH to listen on all interfaces.
Compress Connections
SFTP Log Level: Select the syslog(3) level of the SFTP server.
SFTP Log Facility: Select the syslog(3) facility of the SFTP server.
Weak Ciphers: Allow more ciphers for sshd(8) in addition to the defaults in sshd_config(5). None allows unencrypted SSH connections and AES128-CBC allows the 128-bit Advanced Encryption Standard. WARNING: these ciphers are considered security vulnerabilities and should only be allowed in a secure network environment.
Auxiliary Parameters: Add any more sshd_config(5) options not covered in this screen. Enter one option per line. These options are case-sensitive. Misspellings can prevent the SSH service from starting.

TFTP

Path

Directory: Browse to an existing directory to use for storage. Some devices can require a specific directory name. Consult the documentation for that device to see if there are any restrictions.

Connection

Host: The default host to use for TFTP transfers. Enter an IP address. Example: 192.0.2.1
Port: The UDP port number that listens for TFTP requests. Example: 8050
Username: Select the account to use for TFTP requests. This account must have permission to the Directory.

Access

File Permissions: Adjust the file permissions using the checkboxes.
Allow New Files: Set when network devices need to send files to the system.

Other Options

Auxiliary Parameters: Add more options from tftpd(8). Add one option on each line.

UPS

General Options

Identifier: Describe the UPS device. It can contain alphanumeric, period, comma, hyphen, and underscore characters.
UPS Mode: Choose Master if the UPS is plugged directly into the system serial port. The UPS will remain the last item to shut down. Choose Slave to have this system shut down before Master. See the Network UPS Tools Overview.
Driver: See the Network UPS Tools compatibility list for a list of supported UPS devices.
Port or Hostname: Serial or USB port connected to the UPS. To automatically detect and manage the USB port settings, select auto. When an SNMP driver is selected, enter the IP address or hostname of the SNMP UPS device.

Monitor

Monitor User: Enter a user to associate with this service. Keeping the default is recommended.
Monitor Password: Change the default password to improve system security. The new password cannot contain a space or #.
Extra Users: Enter accounts that have administrative access. See upsd.users(5) for examples.
Remote Monitor: Set for the default configuration to listen on all interfaces using the known values of user: upsmon and password: fixmepass.

Shutdown

Shutdown Mode: Choose when the UPS initiates shutdown.
Shutdown Timer: Enter a value in seconds for the UPS to wait before initiating shutdown. Shutdown will not occur if power is restored while the timer is counting down. This value only applies when Shutdown mode is set to UPS goes on battery.
Shutdown Command: Enter a command to shut down the system when either battery power is low or the shutdown timer ends.
Power off UPS: Set for the UPS to power off after shutting down the system.

Email

Send Email Status Updates: Set to enable sending messages to the address defined in the Email field.
Email: Enter any email addresses to receive status updates. Separate entries by pressing Enter.
Email Subject: Enter the subject for status emails.

Other Options

No Communication Warning Time: Enter a number of seconds to wait before alerting that the service cannot reach any UPS. Warnings continue until the situation is fixed.
Host Sync: Upsmon will wait up to this many seconds in master mode for the slaves to disconnect during a shutdown situation.
Description: Describe this service.
Auxiliary Parameters (ups.conf): Enter any extra options from UPS.CONF(5).
Auxiliary Parameters (upsd.conf): Enter any extra options from UPSD.CONF(5).

WebDAV

General Options

Protocol: HTTP will keep the connection unencrypted. HTTPS encrypts the connection. HTTP+HTTPS allows both types of connections.
HTTP Port: Specify a port for unencrypted connections. The default port 8080 is recommended. Do not reuse a port.
HTTP Authentication: Basic Authentication is unencrypted. Digest Authentication is encrypted.
Webdav Password: Changing the default of davtest is recommended. davtest is a known value.
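
Several field descriptions on this page carry their own security caution (FXP, SMB1, NTLMv1, weak SSH ciphers, the known default values public, fixmepass and davtest). The following is an added example, not TrueNAS code, that audits a settings snapshot against those cautions. The snapshot layout (service, then UI field label, then value) and the sample values are assumptions constructed for this example and are not a TrueNAS export or API format.

```python
"""Added example: flag settings this page itself cautions against.

The snapshot layout (service -> UI field label -> value) is an assumption for
this example; it is not a TrueNAS export or API format.
"""

# Checkboxes whose description on this page carries a security caution.
RISKY_WHEN_SET = {
    ("FTP", "Enable FXP"): "makes the server vulnerable to FTP bounce attacks",
    ("FTP", "TLS Allow Client Renegotiations"): "breaks several security measures",
    ("FTP", "TLS No Empty Fragments"): "bypasses a security mechanism",
    ("FTP", "TLS No Session Reuse Required"): "reduces the security of the connection",
    ("SMB", "Enable SMB1 support"): "SMB1 is being deprecated",
    ("SMB", "NTLMv1 Auth"): "NTLMv1 is insecure and vulnerable",
    ("SSH", "Log in as Root with Password"): "root logins are discouraged",
}

# Default values the page names as known.
KNOWN_DEFAULTS = {
    ("UPS", "Monitor Password"): "fixmepass",
    ("WebDAV", "Webdav Password"): "davtest",
    ("SNMP", "Community"): "public",
}


def audit(snapshot):
    """Return a list of (service, field, reason) findings."""
    findings = []

    def get(service, field, default=None):
        return snapshot.get(service, {}).get(field, default)

    for (service, field), reason in RISKY_WHEN_SET.items():
        if get(service, field) is True:
            findings.append((service, field, reason))

    for (service, field), default in KNOWN_DEFAULTS.items():
        if get(service, field) == default:
            findings.append((service, field, f"still the known default {default!r}"))

    # Any entry under Weak Ciphers (None, AES128-CBC) widens what sshd accepts.
    weak = get("SSH", "Weak Ciphers", [])
    if weak:
        findings.append(("SSH", "Weak Ciphers", "enabled: " + ", ".join(weak)))

    # Remote Monitor listens on all interfaces; combined with the default
    # password, the service is reachable with published credentials.
    if get("UPS", "Remote Monitor") and get("UPS", "Monitor Password") == "fixmepass":
        findings.append(("UPS", "Remote Monitor", "all interfaces with default password"))

    # Basic Authentication is unencrypted, so it needs an HTTPS-only Protocol.
    if (get("WebDAV", "HTTP Authentication") == "Basic Authentication"
            and get("WebDAV", "Protocol") in ("HTTP", "HTTP+HTTPS")):
        findings.append(("WebDAV", "HTTP Authentication", "Basic auth over plain HTTP"))

    return findings


# Constructed sample snapshots (not taken from a real system).
SAMPLE_WEAK = {
    "FTP": {"Enable FXP": True, "TLS Allow Client Renegotiations": False},
    "SMB": {"Enable SMB1 support": False, "NTLMv1 Auth": True},
    "SSH": {"Log in as Root with Password": False, "Weak Ciphers": ["AES128-CBC"]},
    "SNMP": {"Community": "public", "SNMP v3 Support": False},
    "UPS": {"Remote Monitor": True, "Monitor Password": "fixmepass"},
    "WebDAV": {"Protocol": "HTTP+HTTPS", "HTTP Authentication": "Basic Authentication",
               "Webdav Password": "constructed-non-default"},
}
SAMPLE_HARDENED = {
    "FTP": {"Enable FXP": False, "TLS No Empty Fragments": False},
    "SMB": {"Enable SMB1 support": False, "NTLMv1 Auth": False},
    "SSH": {"Log in as Root with Password": False, "Weak Ciphers": []},
    "SNMP": {"Community": "", "SNMP v3 Support": True},
    "UPS": {"Remote Monitor": False, "Monitor Password": "constructed-non-default"},
    "WebDAV": {"Protocol": "HTTPS", "HTTP Authentication": "Digest Authentication",
               "Webdav Password": "constructed-non-default"},
}

if __name__ == "__main__":
    for service, field, reason in audit(SAMPLE_WEAK):
        print(f"{service} / {field}: {reason}")
```
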