NOTES/FreeBSD


introduction

Why FreeBSD over a Linux distribution? One reason: somebody using FreeBSD was willing to help me out. I am not saying Linux users are not willing to help; it just so happens a couple of guys were willing to help me move over from a Windows platform. I do not promote FreeBSD advocacy nor Linux and/or Windows bashing. I still use Windows as my workstation, and I would (one day) like to try some Linux distribution as a workstation. I have always believed in using what works for your environment, or, in the case of choosing FreeBSD over Linux, my situation.

These liner notes were created for a FreeBSD server handling mail and routing jobs. No X or any sort of pretty window manager (i.e. GUI) is installed. There is plenty of other documentation out there that can show you how to set up a GUI.

Also, I am still rather new to the *nix world. If someone is able to correct any errors, wrong usage of words, or anything that just does not seem right when it comes to FreeBSD, please do not hesitate to contact me. I do not like being wrong, and it would be bad if NOTES steered new users in the wrong direction.

And one more thing: I came from a Windows environment, therefore I am teaching from a Windows point of view. This installation is for an x86 system (i.e. Intel Pentium, AMD Athlon, etc.).

These NOTES were done with the latest FreeBSD 7.0-RELEASE, immediately updated to the RELENG_7_0 security branch. For the longest time, I thought the -STABLE branch meant the most stable of all the branches. This is incorrect: -STABLE is still a development branch, the one from which releases are cut. Therefore -RELEASE, kept current with its security branch, is the most conservative choice. (Please see the FreeBSD Handbook, 21.2 FreeBSD-CURRENT vs. FreeBSD-STABLE.) We will use the RELENG_7_0 cvs tag to update our FreeBSD 7.0-RELEASE. That tag carries only the fixes from security advisories and critical errata, nothing else.

Much of the beginning of this document was taken from the FreeBSD Handbook. This is one document you should look at before or after these notes. Actually, I prefer that you look at these first, so that you get a better understanding of what is going on. Now that I think about it, if you do read the Handbook, you could skip these FreeBSD notes entirely. So please, remember to read the Handbook.


track

  1. bootable install CD
  2. installation
  3. post installation
  4. screen & shell configuration
  5. adduser
  6. cvsup
  7. kernel
  8. network configuration
  9. time
  10. data
  11. backup
  12. references

i. bootable install CD

Being the 21st century, I figure most of us have CD-ROM drives in our computers. Therefore, I scratched the floppy disk method of installing FreeBSD.

Grab 7.0-RELEASE-i386-disc1.iso from ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/7.0

Note: I suggest looking for an FTP mirror near you.

Burn your freshly downloaded FreeBSD ISO using your favorite CD writing software. Then pop it into your machine and boot!


ii. installation

You should be viewing the sysinstall program that will assist you in setting up your machine. Choose a Custom installation.

Choose Partition. To dedicate the entire disk to FreeBSD, be sure to delete all slices and create a new slice dedicating all of the space to FreeBSD. Quit and save after you are finished.

Next you see what Boot Manager to install for the drive. Choose BootMgr.

You should be back on the Custom installation menu. Now choose Label. Follow the instructions there or just choose A = Auto Defaults to create default labels for your drive.

After saving your changes, choose Distributions. Do not bother choosing the pre-made distributions listed. Go to the bottom of the screen to Custom - Specify your own distribution set. This is the custom distribution I normally create.

base
kernels
dict
doc
info
man
catman
proflibs
src >> All
ports
local

Note: I choose everything except for X.Org. If I need X.Org, I install it from the ports collection.

Next, choose Media. Use CD/DVD for your Media.

OK your Network settings and choose Commit at the Custom installation menu.

Acknowledge whatever last-chance warning FreeBSD gives you before it starts writing to the disk. The rest of the installation may take fifteen minutes or so. It all depends on how fast you can transfer data from your CD/DVD drive.


iii. post installation

You will see a menu FreeBSD gives you when your installation is complete. When asked "Visit the general configuration menu for a chance to set any last options?", choose YES.

First go into Networking since setting up your network using sysinstall is much faster than messing around with /etc/rc.conf.

Choose Interfaces. Then choose the Network Interface Card (a.k.a "NIC") you want to configure.

If you're setting up your FreeBSD machine to be a NATd router/firewall, be sure to choose which NIC you want to be on the "outside" (ie. connected directly to the Internet). Upon finding your outside NIC, you want to make the following settings for that NIC.

It will first ask you if you want to configure for IPv6. If you do not know what IPv6 is, it is probably safe to choose NO when it asks you this question. If you want to let your DHCP server handle most of your network settings, choose YES when it asks you if want DHCP to configure your network interface. If you are not using DHCP, you will need to configure the NIC yourself.

Whether or not you let DHCP configure your network interface, you will be shown a menu waiting for network information. If you are not using DHCP, fill in the blanks. If you are using DHCP, you may still need to fill out the Host field.

field         e.g.               comment
Host          machine.name.com   Normally the computer name followed by your domain, i.e. the fully-qualified host name.
Domain        name.com           Your domain name.
IPv4 Gateway  60.60.60.254       Gateway address provided by your ISP. (Not 60.60.60.255: with a /24 netmask that is the broadcast address, not a host.)
Name server   16.16.0.1          Name server (or DNS address, as Windows calls it) provided by your ISP.
IPv4          60.60.60.1         IP address for your machine.
Netmask       255.255.255.0      Windows calls it Subnet Mask.

After configuring Interfaces, you will be in the Networking menu. Go down until you see sshd. Be sure to enable sshd.

When you exit the Networking menu, there are a few more post-installation settings you will want to take care of.

Change your Root Password. This is important since the root password is currently blank.

After doing that, set your Time Zone. Follow the instructions for the time zone settings.

There are many more options you can play with, but I do not bother with them. When you are done, hit ESC to get out of the Options menu. Hit ESC again to get out of the Custom Installation menu. Finally, hit ESC one more time to get out of the Installation menu. Choose YES and it will reboot.

Note: For the remainder of the document, a simple post-installation and configuration script has been created to speed up the process. It is only recommended to those who have already read NOTES, but it is available to aid the process.


iv. screen & shell configuration

Okay, when it is done rebooting, log in as root. We're using FreeBSD's magnificent ports system to install our programs. Since the ports tree shipped with -RELEASE is already out of date, the first thing to do is update the ports collection with portsnap. (portsnap downloads a compressed snapshot of the tree and verifies its signature before extracting it, so you get a tree you can trust.)

Fetch and then extract the updated ports collection

# portsnap fetch
# portsnap extract

Note: A # symbol before issuing a command is your shell prompt as a super user (root).

For future reference, use the following command to update the ports collection

# portsnap fetch update

Now install screen.

# (cd /usr/ports/misc/screen && make install && make clean)

Next, install vim, bash, scponly, gnuls, cvsup-without-gui, and sudo

# (cd /usr/ports/editors/vim && make install && make clean)
# (cd /usr/ports/shells/bash2 && make install && make clean)
# (cd /usr/ports/shells/scponly && make install && make clean)
# (cd /usr/ports/misc/gnuls && make install && make clean)
# (cd /usr/ports/net/cvsup-without-gui && make install && make clean)
# (cd /usr/ports/security/sudo && make install && make clean)

After that is complete, change root's shell to bash.

# chsh -s /usr/local/bin/bash root

Caveat: /usr/local/bin/bash lives on /usr, which is not mounted in single-user mode. If /usr ever fails to mount, root is left without its shell; the single-user prompt lets you type /bin/sh instead, so this is recoverable, but it is the reason the Handbook suggests leaving root's shell alone and using the toor account for a non-base shell.

Now that is complete, modify root's .profile (you should still be in root's home directory... ~/ or /root).

Note: Despite installing vim, NOTES uses ee (easy editor) as the primary editor for editing files on FreeBSD. You can switch to the more popular vim editor later.

# ee .profile

Edit the file so it looks something like this

# $FreeBSD, NOTES modification: .profile,v 1.00 2002/12/28 22:25:57 NkM Exp $
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
export PATH
HOME=/root
export HOME
TERM=${TERM:-cons25}
export TERM
PAGER=less
export PAGER
BLOCKSIZE=K
export BLOCKSIZE
EDITOR=ee
export EDITOR

PS1="\u@\h:\w"
case `id -u` in
0) PS1="${PS1}# ";;
*) PS1="${PS1}$ ";;
esac
export PS1

alias 'ls'='gnuls -F --color=auto --show-control-chars'
alias 'dir'='gnuls -F --color=auto --show-control-chars -h'

alias 'vi'='vim'

ENV=$HOME/.shrc
export ENV

Do not remove lines, only modify them. When you are done editing the file, press ESC to bring up the menu, leave the editor, and save the file.

Note: You can fetch root's .profile from http://notes.twinwork.net/bin/root.profile to save time typing it all out.

Then symlink .profile to .bashrc.

# ln -s .profile .bashrc

Create /etc/skel (it does not exist on a fresh installation) and copy all the contents of /usr/share/skel into it.

# mkdir -p /etc/skel
# cp /usr/share/skel/* /etc/skel/

Change the default .profile for new users called dot.profile found in /etc/skel.

# ee /etc/skel/dot.profile

Edit the file so it looks something like this

# $FreeBSD, NOTES modification: dot.profile,v 1.00 2002/12/28 22:25:57 NkM Exp $
#
# .profile - Bourne Shell startup script for login shells
#
# see also sh(1), environ(7).
#

# remove /usr/games and /usr/X11R6/bin if you want
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/bin:/usr/X11R6/bin:$HOME/bin; export PATH

# Setting TERM is normally done through /etc/ttys. Do only override
# if you're sure that you'll never log in via telnet or xterm or a
# serial line.
# Use cons25l1 for iso-* fonts
# TERM=cons25; export TERM

BLOCKSIZE=K; export BLOCKSIZE
EDITOR=ee; export EDITOR
PAGER=less; export PAGER

PS1="\u@\h:\w"
case `id -u` in
0) PS1="${PS1}# ";;
*) PS1="${PS1}$ ";;
esac
cd
export PS1

# set ENV to a file invoked each time sh is started for interactive use.
ENV=$HOME/.shrc; export ENV

alias 'ls'='gnuls -F --color=auto --show-control-chars'
alias 'dir'='gnuls -F --color=auto --show-control-chars -h'
alias 'vi'='vim'

Note: You can fetch the dot.profile from http://notes.twinwork.net/bin/skel.dot.profile to save time typing it all out. Remember to copy this file to the /etc/skel directory.

Use the exit command to log out. Then log back in. Notice the command prompt is a tad bit different. It is much easier to work with.


v. adduser

After installing shell related programs, it's a good time to add a new user. As root

# adduser -C -k /etc/skel

This first run, with -C, only configures adduser's defaults (saved in /etc/adduser.conf) and, with -k, points it at /etc/skel as the template directory for all new users. Follow the prompts and use your own judgment, but set the default shell to bash, and answer yes when asked to write the configuration file.

After the initial settings have been established, add your first user... yourself.

# adduser

Answer the prompts accordingly. From now on adduser picks up the defaults you saved, including /etc/skel as the template directory, so adding any further user is just a matter of running adduser as normal.

One more thing about /etc/skel in 7.x-RELEASE. NOTES used to symlink .profile to .bashrc. This works fine in /etc/skel for 4.x-RELEASE, but in 7.x-RELEASE adduser does not copy over these symlinks; you will need to generate them yourself. I do not know what the workaround is... and honestly, I do not care much, since I am the only user who logs into my machines. When you log in as your new user, create a symlink from .profile to .bashrc :)

After adding yourself, edit /etc/group.

# ee /etc/group

Now add yourself to wheel.

wheel:*:0:root,rey

rey is the user I just added. This is important: on FreeBSD only members of wheel are allowed to su to root, so once you are in wheel you never need to log in as root again. Log in as yourself and su when you need to administer the machine. (Instead of editing /etc/group by hand you can run pw groupmod wheel -m rey, which does the same thing and checks the syntax for you.)

Logout as root and log back in as yourself then su to test.

Note: A $ symbol before issuing a command is your shell prompt as a normal user.

$ su
Password:

And, hopefully, you'll see root's prompt.

There may be one thing you want to do right now: edit /etc/motd. This is the message of the day pop up when a user logs onto your machine. Be sure to su before you edit it.

To connect to your new machine remotely, you will be using ssh. Telnet sends passwords and everything else in the clear, and is disabled by default; use secure shell instead. More information on telnet, secure shell, and other networking services will be covered later on.


vi. cvsup

Since it's best to update to the latest RELENG_7_0 security branch, we'll use cvsup to update the source tree. Keep in mind that cvsup does not authenticate the server or the files it sends, so pick a mirror you trust. freebsd-update(8) fetches signed binary updates for the security branch instead, but it cannot update a custom kernel, which is why NOTES builds from source.

Copy the example standard-supfile and doc-supfile to /etc. (There is also a ports-supfile, but the ports tree on this machine is kept up to date with portsnap; never mix portsnap and cvsup on the same /usr/ports.)

# cp /usr/src/share/examples/cvsup/standard-supfile /etc/standard-supfile
# cp /usr/src/share/examples/cvsup/doc-supfile /etc/doc-supfile

Be sure to edit your new -supfile documents using ee (do not edit the example -supfile documents, edit the ones copied to /etc)

Note: While editing these files, you may notice a # symbol at the beginning of certain lines. Everything after the # symbol is designated as a comment. Do not delete lines from these files, comment them out instead.

In each -supfile, find the *default host line and change the server to the mirror closest to you. For example...

*default host=cvsup.FreeBSD.org

Do this for both standard-supfile and doc-supfile.

One more file needs to be copied over and edited before updating the system.

# cp /usr/src/share/examples/etc/make.conf /etc/make.conf
# ee /etc/make.conf

This make.conf file should be self-explanatory. Uncomment whatever you may need.

Near the end of the file (before the sendmail settings) you will see the cvsup options. Uncomment SUP_UPDATE, SUP, SUPFLAGS, SUPHOST, SUPFILE, and DOCSUPFILE. Set SUPHOST to the cvsup server closest to you, SUPFILE to /etc/standard-supfile, and DOCSUPFILE to /etc/doc-supfile. Leave PORTSSUPFILE commented out: make update runs cvsup against every supfile defined here, and the ports tree on this machine belongs to portsnap.

Save /etc/make.conf. We'll update the source tree after configuring a custom kernel.

Since we want RELENG_7_0 and not -CURRENT, edit /etc/standard-supfile.

# ee /etc/standard-supfile

Find the *default release line and make sure the tag is RELENG_7_0

*default release=cvs tag=RELENG_7_0

Save your changes.


vii. kernel

Next, edit a custom kernel for the server. As root

# cd /usr/src/sys/i386/conf
# mkdir ~/kernels
# cp GENERIC ~/kernels/CUSTOM_KERNEL_NAME
# ln -s ~/kernels/CUSTOM_KERNEL_NAME CUSTOM_KERNEL_NAME
# ee CUSTOM_KERNEL_NAME

What you're doing is changing the directory where kernel configurations are stored, creating a directory for custom kernels under root, then copying the GENERIC kernel to your CUSTOM_KERNEL_NAME in the directory you just created. Then create a symlink for your new kernel to the original kernel directory. Finally, you're now going to edit your new kernel.

Be sure to check out /usr/src/sys/i386/conf/NOTES for all the options you could use for your custom kernel!

In the first couple of lines in your custom kernel after the comments, you'll see machine and cpu types along with the ident of your kernel. Change these values. Your machine type should stay i386.

I586_CPU are Pentium classics and compatibles. I686_CPU are Pentium Pro (P6) core and higher (PII/PIII) along with its compatibles. To lookup your CPU type, use

# dmesg

and look at the top of of the device list. It will show your CPU type.

Note: dmesg is the same list shown at startup, seen locally.

Comment out the cpu type you don't need. If you are unsure what CPU you have, do not comment out any of them. Just leave it as is.

For ident, I normally change this to the name of my kernel I copied from GENERIC. So in our example above, it would be CUSTOM_KERNEL_NAME.

There is one line I always add to my custom kernel

options SC_DISABLE_REBOOT # disable reboot key sequence

Note: There is usually a TAB between the options and the device used.

This disables ALT-CTRL-DEL at the console. It is a good option if your machine is hosted at a co-location: nobody can plug in a keyboard and reset it with the three-finger salute. It does not stop the power button or the reset switch, so think of it as protection against a casual or accidental reboot, not against a determined visitor with physical access. (The related SC_DISABLE_KDBKEY option disables the keyboard sequence that drops into the kernel debugger.)

If you have no SCSI hardware, it is safe to comment out nearly all of the SCSI controller drivers. Keep scbus and da if you want USB mass storage, since umass depends on them. Do be careful making your custom kernel.

If you want to use PF for your packet filtering, add the following to your custom kernel

device pf # PF OpenBSD packet-filter firewall
device pflog # logging support interface for PF
device pfsync # synchronization interface for PF

If you want to use ALTQ for packet prioritization (QoS), add the following to your custom kernel

options ALTQ
options ALTQ_CBQ # Class Based Queueing
options ALTQ_RED # Random Early Detection
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler
options ALTQ_CDNR # Traffic conditioner
options ALTQ_PRIQ # Priority Queueing
options ALTQ_NOPCC # Required for SMP build

Save your custom kernel.

Now we are ready to build your kernel along with updating FreeBSD. Pay attention because order is very important.

# cd /usr/src
# make update

This will update your source tree. After that's complete, build the world

# make -j4 buildworld

Note: If you have a dual processor or a dual core machine, you can use -j8 instead of -j4 for your buildworld flag.

This will take a long time depending on the speed of your machine. A test machine with a Pentium II 333MHz and 256MB of RAM along with 1GB of swap takes well over three hours to build the world. In contrast, I had a dual Pentium III 1.2GHz with 1GB of RAM that built the world well under an hour.

After building the world is completed, build your custom kernel

# make buildkernel KERNCONF=CUSTOM_KERNEL_NAME

Note: If you added the PF devices to your kernel, you can skip down to the network configuration section of NOTES and set up PF and /etc/rc.conf while the world and kernel build. To have the kernel build right after the world without waiting around, chain the two commands: make -j4 buildworld && make buildkernel KERNCONF=CUSTOM_KERNEL_NAME

After that is complete, install your kernel

Note: According to the FreeBSD Handbook, you should drop to single-user mode before installing the world. The reason is not other users: installworld replaces libraries and binaries the running system is using. On a fresh, idle installation like this one it is relatively harmless, but do not leave daemons or other work running in another terminal while it installs :)

# make installkernel KERNCONF=CUSTOM_KERNEL_NAME

Installing the kernel should not take long. When it is complete, go ahead and install the world

# make installworld

then run mergemaster(8) to merge any changes to the files under /etc. On a same-release security branch there are usually few or none, but this step is what keeps /etc in sync with the new binaries.

Note: If you added the PF devices for your router and firewall, now is the time to look at the network configuration section (next section) and configure your router/firewall before you reboot.

After installing both the kernel and the world...

# reboot

Note: If you added the PF options and did not bother to read the above instructions and just decided to reboot, do not come crying to me when you realize you are locked out of your machine :)


viii. network configuration

You should still be root. Figure out what your network devices are

# ifconfig

They should be the ones with inet addresses. lo0 is the loopback interface. The cards I encounter (Intel, 3Com, Linksys, D-Link) normally show up as fxp, xl, dc, and rl respectively. At least... I think... I could be wrong... but this is simple to figure out.

If you are having trouble finding your network interfaces are, use dmesg and match them up there.

# dmesg

After doing that, edit /etc/rc.conf

# ee /etc/rc.conf

Edit your /etc/rc.conf file so it looks similar to this

hostname="machine.name.com"
# the gateway, not the broadcast address (60.60.60.255 in a /24)
defaultrouter="60.60.60.254"

# fxp0 - to world
# xl0 - to local
# lo0 - loopback
#
# If not using this machine as a router, you'll only
# have a single NIC that goes straight out to world.
# Modify accordingly. network_interfaces defaults to "auto",
# which finds the cards for you; listing them is optional.
network_interfaces="fxp0 xl0 lo0"
ifconfig_fxp0="inet 60.60.60.1 netmask 255.255.255.0"
ifconfig_xl0="inet 192.168.0.1 netmask 255.255.0.0"
# lo0 is already configured like this by /etc/defaults/rc.conf;
# the line is harmless to keep but needs no netmask.
ifconfig_lo0="inet 127.0.0.1"

# Comment this out if you're not using this machine
# as a gateway... ie. a router, running IP NAT, etc.
# This turns on net.inet.ip.forwarding at boot.
gateway_enable="YES"

# PF configuration
pf_enable="YES"
pflog_enable="YES"

# Other options...
icmp_drop_redirects="YES"

Note: hostname, defaultrouter, and ifconfig_going.to.Internet0 should already be filled out from the installation configuration. Just modify the rest of the options to look like above.

Edit /etc/sysctl.conf

# ee /etc/sysctl.conf

net.inet.ip.forwarding must be 1 for packets to pass between the two network cards. gateway_enable="YES" already sets it at boot, so this is belt and braces, but it does no harm and makes the intent explicit. Add the following line somewhere in /etc/sysctl.conf

net.inet.ip.forwarding=1

Edit /etc/pf.conf

# mv /etc/pf.conf /etc/pf.conf.sample
# ee /etc/pf.conf

This is only a temporary ruleset. We just want to keep the firewall wide open for now to confirm that PF itself is working.

# Required order: options, normalization, queueing, translation, filtering.

# Define a couple of macros for pf
if_int = "xl0" # to the local network
if_ext = "fxp0" # to the world
if_loop = "lo0" # loopback

# If using NAT, keep everything flowing for now
nat on $if_ext from $if_int:network to any -> ($if_ext)

# Keep pf open for testing. After testing is complete, please change to a strict ruleset.
pass in quick all
pass out quick all

Okay. Now, if the kernel and world is done building go ahead and reboot your machine!

# reboot

When you are back, check to see if you can ping or traceroute anywhere. Plug your local NIC into the uplink of your switch (or hub).

Your local machine settings (going into the switch) will use 192.168.0.1 for its default gateway/default router. Then use 192.168.0.2 through 192.168.0.255 for the IP address of your machines. We could also use DHCP that way we do not need to configure any client machines, but this document doesn't discuss that... yet. There are many resources on the Internet on how to configure a DHCP server.

After testing out your new firewall and router, it is time to add a more sophisticated ruleset. There are many ruleset examples and a great PF how-to out there (check the references section at the end of this document).

Below is a ruleset I use for my own server. Use it at your own risk, and I do suggest checking out a PF how-to and documentation before using this or writing your own ruleset.

For /etc/pf.conf

#
#################################################################
# Macros
#################################################################
#----------------------------------------------------------------
# Define network interfaces using if_*
#----------------------------------------------------------------
if_int = "xl0"
if_ext = "fxp0"
if_loop = "lo0"

#----------------------------------------------------------------
# Define services using svc_*
#----------------------------------------------------------------
svc_tcp = "{ 22, 113 }"

#----------------------------------------------------------------
# Define types using types_*
#----------------------------------------------------------------
types_icmp = "echoreq"

#----------------------------------------------------------------
# Define networks using nets_*
#----------------------------------------------------------------
nets_loopback = "{ 0.0.0.0/8, 127.0.0.0/8 }"
nets_private = "{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
nets_dhcpautoconfig = "{ 169.254.0.0/16 }"
nets_otherreserved = "{ 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"

#----------------------------------------------------------------
# Designate computer services using comp_*
#----------------------------------------------------------------
# comp_teamspeak = "192.168.0.10" # An example for internal services

#################################################################
# Options
#################################################################
# "return" answers blocked packets with a TCP RST or ICMP unreachable, which is
# friendly to your own LAN but tells an Internet scanner the host is alive;
# "drop" is the quieter choice for an external interface.
set block-policy return
set loginterface $if_ext

#################################################################
# Scrub
#################################################################
scrub in all

#################################################################
# Queueing (ALTQ)
#################################################################

#################################################################
# Network Address Translation
#################################################################
nat on $if_ext from $if_int:network to any -> ($if_ext)

#################################################################
# Redirection
#################################################################

#################################################################
# Filtering
#################################################################
block in log all


#################################################################
# External Interface
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
# (these can only be spoofed when they arrive from the Internet; one rule
# per macro defined above)
#-----------------------------------------------------------------------
block drop in quick on $if_ext from $nets_private to any
block drop in quick on $if_ext from $nets_loopback to any
block drop in quick on $if_ext from $nets_dhcpautoconfig to any
block drop in quick on $if_ext from $nets_otherreserved to any

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#----------------------------------------------------------------
pass out quick on $if_ext proto tcp all modulate state flags S/SA
pass out quick on $if_ext proto { udp, icmp } all keep state


#----------------------------------------------------------------
# If you wanted to set up a web server or mail server on your box
# (which is outside the scope of this howto), or allow another system
# on the Internet to externally SSH into your firewall, you'd want to
# uncomment the following lines and modify as appropriate. If you
# have other services running that you need to allow external access
# to, just add more lines using these as examples.
#
# If the services are on a box on your internal network (rather than
# the firewall itself), you'll have to add both the filter listed below
# plus an rdr rule in the Redirection section of this file (this is PF,
# so there is no /etc/ipnat.rules involved).
#----------------------------------------------------------------
# pass in quick on $if_ext proto tcp from any to any port 80 flags S/SA keep state
# pass in quick on $if_ext proto tcp from any to any port 25 flags S/SA keep state
# pass in quick on $if_ext proto tcp from any to any port 110 flags S/SA keep state
# pass in quick on $if_ext proto tcp from any to any port 113 flags S/SA keep state
# pass in quick on $if_ext proto tcp from any to any port 22 flags S/SA keep state
# pass in quick on $if_ext proto tcp from X.X.X.X/32 to any port 22 flags S/SA keep state

#----------------------------------------------------------------
# Setup for FTPd access for both active and passive state connections.
# You'll need to set the port range in passive state on your FTPd.
#----------------------------------------------------------------
# pass in quick on $if_ext proto tcp from any to any port 21 flags S/SA keep state
# pass in quick on $if_ext proto tcp from any to any port 30000 >< 50000 flags S/SA keep state

#################################################################
# Inside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on $if_int proto tcp from any to any keep state
pass out quick on $if_int proto udp from any to any keep state
pass out quick on $if_int proto icmp from any to any keep state
block out quick on $if_int all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on $if_int proto tcp from any to any keep state
pass in quick on $if_int proto udp from any to any keep state
pass in quick on $if_int proto icmp from any to any keep state
block in quick on $if_int all

#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass quick on $if_loop all

Note: The ruleset should have one rule per line. If you're seeing line wraps, those should not be there.

After you are done making changes to /etc/pf.conf, have pfctl parse the file without loading it, to check that it is valid

# pfctl -n -f /etc/pf.conf

If no errors occur, you can load your rules

# pfctl -f /etc/pf.conf

There are a few sysctl values that go well with PF. Add them to /etc/sysctl.conf

# ee /etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.portrange.first=25000
net.inet.ip.portrange.last=49151

net.inet.tcp.blackhole=2 silently drops TCP segments aimed at closed ports instead of answering with a RST, and net.inet.udp.blackhole=1 does the same for UDP instead of sending an ICMP port unreachable. That makes port scans of the firewall itself slower and less informative, at the price of making your own troubleshooting harder. The two portrange values set the ephemeral port range used for outgoing connections, and forwarding is the same knob gateway_enable already turned on.

A bit much? It gets pretty easy once you read the PF user's guide. So read it!


ix. time

Keeping your clock in sync with the rest of the world is important. If you followed the NOTES, you already set the time zone during post-install... in the options part of sysinstall. If you did not, run tzsetup and set your time zone. tzsetup asks whether the CMOS clock keeps UTC; if it keeps local time instead (as it does on a machine that also boots Windows), /etc/wall_cmos_clock must exist, so touch it if tzsetup did not create it for you. If you already set your time zone during post-installation, go ahead and use date to check your current date and time.

kazuo@job:~$ date
Sun Dec 29 23:00:00 PST 2002

Note: Neat, I can't believe I used date right when it turned eleven o' clock!

To change your time to the correct date, do date and the time in 24-hour format.

# date 1200

Note: You must be root to change the date and time on a system.

That changes the time to 12:00PM. date can do all kinds of neat things, check the man pages for more information.

$ man date

Note: Remember, $ sign is the bash prompt for normal users where # sign are for super users.

Now it's time to sync your clock with a public time server. As root, create

# ee /etc/ntp.conf

Add these two lines in /etc/ntp.conf

server find.a.time.server.address.near.you
driftfile /etc/ntp.drift

It should be quite obvious that find.a.time.server.address.near.you is not the time server you would use. The NTP pool project (pool.ntp.org) is the usual place to find a list of time servers near you.

After doing so, do the sync

# /usr/sbin/ntpd -q -c /etc/ntp.conf

I normally do a time sync once a week. You can do this automatically with a cron job. Edit root's crontab

# crontab -e

0 0 * * 7 /usr/sbin/ntpd -q -c /etc/ntp.conf 2>&1

Note: Those are TABs in-between the zeroes, astericks, and so on. Check out /etc/crontab for an example. And remember, the man pages are your friend.

Save your new crontab and it will be installed automatically for you. The above says root will execute /usr/sbin/ntpd -q -c /etc/ntp.conf on the 7th day (Sunday) of each week of every month at midnight. The 2>&1 on its own does not discard anything: cron mails both streams to root, which is what you want, since a failed sync will then be noticed. If your clock drifts more than a few seconds a week, run ntpd as a daemon instead (ntpd_enable="YES" in /etc/rc.conf); it slews the clock continuously rather than stepping it once a week.


x. data

This is optional, but I normally put all my data files in one directory. That's normally in /usr/data. Just create it. This will be the directory where all HTML docs, database, email storage, and so on will be stored.

# mkdir /usr/data

That is it for this section.


xi. backup

The FreeBSD Handbook goes through a variety of methods to backup your data. Even if you run a RAID 5 array or RAID 1 or even a RAID 0+1, you should always have a backup copy of your critical data. In this case, the critical data on the server are the system's configuration files, system users' information, data within the databases (MySQL or PostgreSQL), qmail data, and the websites that are hosted on the machine.

Of course, which data is important varies from one person to another. I will show you one method of how I back up my data on the Twinwork servers and send that data to a remote machine for archiving. The two machines are both running FreeBSD. You can use this method with any *nix-like machine that supports SSH (for RSA keys) or SSH2 (for DSA keys). They also need to support the scp command. I also use scponly as the shell of the backup users. Before using this method, please check out the Handbook on methods for backing up your data.

The following method is not for everyone. This backup requires a fast connection to the Internet (it can also be applied to a LAN). Also, there is a security risk if it is not used properly. For SSH authentication, we will be using passphraseless DSA keys. If anyone gets a hold of your private key, they can log in as the backup user we plan to create. Keep those keys safe!

Create the backup directory. Traditionally this is the archive directory.

# mkdir -p /usr/data/archive/scripts

At the same time, the scripts directory is created. All backup scripts will be stored under scripts.

Now this is the point that is going to get a bit complicated. You will need to create a user called backup. User backup needs to be created on both machines. The machine that will be doing the backup is our local machine. The machine that will receive the backup is our remote machine. Keep that in mind even though the actual server might be remote from you and your local workstation is actually the machine getting the backed up data. In other words, local and remote are from the server's point of view.

The local machine (server) could contain sensitive data you do not want anyone else to have access to. Therefore, when we create user backup, we do not give this user a shell.

root@local:~# pw adduser backup -u 531 -c "Backup User" -d /usr/data/archive -s /sbin/nologin
root@local:~# chown -R backup:backup /usr/data/archive

We want to make sure no one is able to log in as user backup on this local machine. Create the same user on your remote machine with similar settings, but you must give it a shell.

root@remote:~# pw adduser backup -u 531 -c "Backup User" -d /usr/data/archive -s /usr/local/bin/scponly

If a shell is not given, local will not be able to SSH into the remote machine and securely copy your backed up files.

Now generate the DSA keys on your local machine as user backup

root@local:~# sudo -u backup /usr/local/bin/bash
backup@local:~$ mkdir -m 700 /usr/data/archive/.ssh
backup@local:~$ ssh-keygen -f /usr/data/archive/.ssh/id_dsa -t dsa

Note: ssh-keygen does not create the .ssh directory for you, hence the mkdir. When prompted for a passphrase, press Enter to use an empty passphrase.

backup@local:~$ cd /usr/data/archive/.ssh
backup@local:~$ ls -la

You will see two files: id_dsa and id_dsa.pub. id_dsa is your private key and absolutely no one should be able to get a hold of it. id_dsa.pub is your public key, and this is the key you will copy to the remote machine for user backup.

As root on your remote machine

root@remote:~# mkdir /usr/data/archive/.ssh
root@remote:~# chown backup:backup /usr/data/archive
root@remote:~# chown backup:backup /usr/data/archive/.ssh
root@remote:~# chmod 700 /usr/data/archive/.ssh
root@remote:~# ee /usr/data/archive/.ssh/authorized_keys

You are now editing the authorized_keys file for backup. It should be empty (just created). Copy the contents of id_dsa.pub from the local machine to this authorized_keys file. id_dsa.pub should only take up one line! There should actually be one public key per line in that authorized_keys file.

After adding the public key for backup from the local machine, save it, make backup its owner, and chmod it so that only backup can read and write it

root@remote:~# chown backup:backup /usr/data/archive/.ssh/authorized_keys
root@remote:~# chmod 600 /usr/data/archive/.ssh/authorized_keys

Back on your local machine, as backup, make sure you can log in to your remote machine

backup@local:~$ ssh remote_host

Note: Replace remote_host with the actual address of your remote host.

If it asks you about the authenticity of your remote server, type yes to add it to your known hosts list. After you have logged in, you should see the default bash prompt. Exit from the remote machine. You should now be back on your local machine. The host key of your remote machine has been recorded in /usr/data/archive/.ssh/known_hosts. You will need to copy this host key to /root/.ssh/known_hosts as well. There is a very good chance that your /root/.ssh/known_hosts is empty (if you followed NOTES from the beginning), so just copy it over from /usr/data/archive/.ssh/known_hosts without any fear of overwriting other host keys.

root@local:~# cp /usr/data/archive/.ssh/known_hosts ~/.ssh/known_hosts

Before moving on, let me emphasize one point: do not let anyone get a hold of your private keys (any of them, if you choose to make more). If you do plan to make more, use a good passphrase. That way, if someone compromises one of your private keys and knows which machine that key is good for, that person will still need to know the passphrase for that particular key.

Now, backup will use scp (secure copy) to copy all backed up files to the remote machine. The basic syntax for copying a file from the local machine to the remote machine is

backup@local:~$ scp some_file backup@remote:/usr/data/archive/some_file

That's pretty much it. It works in reverse, too. Remember, it copies file to file. The general command backup will be using looks something like

backup@local:~$ scp /usr/data/archive/*.tar.bz2 backup@remote:/usr/data/archive/

Pretty simple, correct? Now write a simple but effective shell script to back up the important files.

root@local:~# cd /usr/data/archive/scripts

If you are doing this as root, you'll need to chown all files under scripts to backup:backup to ensure user backup is able to read, write, and execute them.
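Here is one such script, added as an example; it is not the script NOTES was going to show and not Twinwork's own code. It assumes the /usr/data/archive layout from above and a hypothetical remote target of backup@remote:/usr/data/archive/, and it uses gzip rather than bzip2 so that it does not depend on the bzip2 binary (change -z to -j and .tar.gz to .tar.bz2 to match the *.tar.bz2 pattern above). The archive step is meant to run as root, since files such as /etc/master.passwd are readable only by root; it creates the tarball with umask 077 and hands it to user backup, and the scp step then runs as user backup so the passphraseless key under /usr/data/archive/.ssh is the one used. A tarball is verified before it is shipped, so a truncated archive never becomes the only copy on the remote side.

```shell
#!/bin/sh
# backup.sh - added example for the NOTES layout, not the page's own script.
# Assumptions not taken from the page: gzip instead of bzip2, and the
# hypothetical remote target backup@remote:/usr/data/archive/.

ARCHIVE_DIR="${ARCHIVE_DIR:-/usr/data/archive}"
BACKUP_USER="${BACKUP_USER:-backup}"
REMOTE="${REMOTE:-backup@remote:/usr/data/archive/}"   # hypothetical remote host
KEEP_DAYS="${KEEP_DAYS:-14}"

# make_archive NAME PATH... : pack the given paths into
# $ARCHIVE_DIR/NAME-YYYYMMDD.tar.gz and print the tarball's path.
# Paths are stored without their leading / so the archive can be
# restored under any root. Paths containing whitespace are not supported.
make_archive() {
    name="$1"; shift
    out="$ARCHIVE_DIR/$name-$(date +%Y%m%d).tar.gz"
    set -- $(for p in "$@"; do printf '%s\n' "${p#/}"; done)
    # umask 077: the archive may hold /etc/master.passwd and database dumps
    ( umask 077 && tar -czf "$out" -C / "$@" ) || return 1
    # when run as root, give the file to the backup user so it can scp it
    if [ "$(id -u)" -eq 0 ] && id "$BACKUP_USER" >/dev/null 2>&1; then
        chown "$BACKUP_USER" "$out" || return 1
    fi
    printf '%s\n' "$out"
}

# verify_archive FILE : return 0 only if the tarball can be read back in
# full, so a truncated or corrupt archive is never shipped as a good copy.
verify_archive() {
    tar -tzf "$1" >/dev/null 2>&1
}

# ship_archives : copy every tarball in $ARCHIVE_DIR to the remote machine
# with the same scp call as above. When the script runs as root, the scp is
# run as user backup (via sudo) so backup's key and known_hosts are used.
ship_archives() {
    for f in "$ARCHIVE_DIR"/*.tar.gz; do
        [ -f "$f" ] || continue
        verify_archive "$f" || { echo "skipping corrupt $f" >&2; continue; }
        if [ "$(id -u)" -eq 0 ]; then
            sudo -u "$BACKUP_USER" scp -q "$f" "$REMOTE" || return 1
        else
            scp -q "$f" "$REMOTE" || return 1
        fi
    done
}

# prune_archives DAYS : delete local tarballs older than DAYS so the local
# disk does not fill up; the copies on the remote machine are untouched.
prune_archives() {
    find "$ARCHIVE_DIR" -maxdepth 1 -name '*.tar.gz' -mtime +"$1" -exec rm -f {} \;
}

# The full run happens only with the argument "run", so sourcing the file
# just defines the functions (handy for trying them one at a time).
if [ "${1:-}" = "run" ]; then
    make_archive etc /etc /usr/local/etc >/dev/null &&
    make_archive data /usr/data/www /usr/data/mail >/dev/null &&
    ship_archives &&
    prune_archives "$KEEP_DAYS"
fi
```

Save it as /usr/data/archive/scripts/backup.sh and call it as "backup.sh run" from root's crontab, much like the ntpd line earlier. The directory list in the run block is only a starting point; put the paths that hold your configuration, database dumps, qmail data and websites there.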

[2003/05/10 -- BACKUP REFERENCE INCOMPLETE]


xii. references


QUESTIONS/COMMENTS/CORRECTIONS? notes@twinwork.net
$NOTES: /freebsd/, v.0.53 2010/12/11 13:44:35 PST /16389/ NkM$
Maintainer: Neafevoc K. Marindale