FreeBSD step 1 - Installation and updating

1) Documentation Sources
2) Freebsd 9.0 Installation from handbook
3) Update system
4) Update port collection
5) Rebuild Kernel (if needed)
6) Configure firewall (IPFW)
7) FreeBSD customize shell and mc -
8) FreeBSD MyFAQ -
9) Securing OS - Unofficial FreeBSD Security Checklist / Links / Resources 

For FreeBSD 10
If installing a port fails with:
 *** Error code 74

make: stopped in /usr/ports/multimedia/plexmediaserver
the following may help (it re-bootstraps the pkg tool):
# /usr/sbin/pkg bootstrap -f

1) Documentation Sources
A wide variety of documentation is available for FreeBSD, on this web site, on other web sites, and available over the counter.
1) FreeBSD Handbook -

2) Frequently Asked Questions (FAQ) -

3) FreeBSD Man Pages (Online)  -
        * 1: General Commands
        * 2: System Calls
        * 3: C Library Calls
        * 4: Kernel Interfaces - Special files (usually devices, those found in /dev) and drivers
        * 5: File formats and conventions
        * 6: Games
        * 7: Miscellaneous Information
        * 8: System administration commands and daemons
        * 9: Kernel Developers Guides
Some important man pages to read: tuning(7), systat(1), firewall(7)

4) FreeBSD Books
Absolute FreeBSD: The Complete Guide to FreeBSD, 2nd Edition

5) FreeBSD Web Resources

2) Freebsd 9.0 Installation from handbook
Creating Traditional Split Filesystem Partitions

For a traditional partition layout where the /, /var, /tmp, and /usr directories are separate filesystems on their own partitions, create a GPT partitioning scheme, then create the partitions as shown. Partition sizes shown are typical for a 20G target disk. If more space is available on the target disk, larger swap or /var partitions may be useful. Labels shown here are prefixed with ex for "example", but readers should use other unique label values as described above.

By default, FreeBSD's gptboot expects the first UFS partition found to be the / partition.
Partition Type   Size                                    Mountpoint   Label
freebsd-boot     512K                                    -            -
freebsd-ufs      2G                                      /            exrootfs
freebsd-swap     4G                                      -            exswap
freebsd-ufs      2G                                      /var         exvarfs
freebsd-ufs      1G                                      /tmp         extmpfs
freebsd-ufs      accept the default (rest of the disk)   /usr         exusrfs

3) Update FreeBSD (Security Patches)
Security patches are stored on a remote machine and may be downloaded and installed using the following command:
# freebsd-update fetch
# freebsd-update install

If anything went wrong, freebsd-update has the ability to roll back the last set of changes with the following command:
# freebsd-update rollback

Once complete, the system should be restarted if the kernel or any kernel modules were modified. This will allow FreeBSD to load the new binaries into memory.
The freebsd-update utility can automatically update the GENERIC kernel only. If a custom kernel is in use, it will have to be rebuilt and reinstalled after freebsd-update finishes installing the rest of the updates. 

To restart:
# shutdown -r now

There are three methods to install software on your FreeBSD system:

4a) FreeBSD packages and the pkg_ utility
In general the pkg_add and pkg_delete facilities allow you to install and remove software on your system in an efficient and consistent manner. The pkg_info command allows you to see what's installed, quickly, and to get detailed information about each software package that is installed.
All package information is stored within the /var/db/pkg directory. The installed file list and descriptions of each package can be found within files in this directory.
# pkg_add lsof-4.56.4.tgz                   # Manual installation from file
# pkg_add -r lsof                           # Auto installation (from an FTP site)

# pkg_info
cvsup-16.1          A general network file distribution system optimized for CV

# pkg_delete xchat-1.7.1                    # Remove a specific package
# pkg_delete -f xchat-1.7.1                 # Force remove a package, even if others depend on it
# pkg_delete -r xchat-1.7.1                 # Remove a package and all packages that depend on it
# pkg_delete 'php5-*'                       # Removing packages with the mask
# pkg_delete -i 'php5-*'                    # Removing packages with the mask + confirmation

4b) The ports collection /usr/ports

a) Update port collection
Download a compressed snapshot of the Ports Collection into /var/db/portsnap. You can disconnect from the Internet after this step, if you wish. If you are running Portsnap for the first time, extract the snapshot into /usr/ports:

First run:
# portsnap fetch extract         # download the initial snapshot, then extract it into /usr/ports

Later runs:
# portsnap fetch update          # download and apply incremental updates

b) Installing a port

# locate lsof
# cd /usr/ports/sysutils/lsof
# make install clean


# portinstall tcptrack                      # install via portupgrade's portinstall instead of cd + make

Make options
To auto-accept the default make options (and those of all dependencies):
# make -DBATCH install clean
To answer ALL make options manually, including those of dependencies, before the build starts:
# make config-recursive install clean

If something went wrong, try:
# cd /usr/ports/program
# make fetch-recursive                      # fetch distfiles for the port and all its dependencies
# make all-depends-list                     # list every dependency (build and run)
# make run-depends-list                     # list run-time dependencies only
# make build-depends-list                   # list build-time dependencies only
# make pretty-print-build-depends-list      # the same lists in readable form
# make pretty-print-run-depends-list
c) Reconfiguring Ports
# make config          # set the port's build options interactively
# make showconfig      # show the options currently saved for the port
# make rmconfig        # remove the saved options (the next build asks again)
d) Uninstall port
# pkg_delete lsof-4.57
e) Port upgrade
Check whether installed ports are up to date:
# pkg_version -v          # compare installed versions against the ports tree
# pkg_version -v -L=      # show only ports whose installed version differs from the tree (need updating)
Before attempting a port upgrade, you should check /usr/ports/UPDATING. This file describes various issues and additional steps users may encounter and need to perform when updating a port, including such things as file format changes.
# cd /usr/ports/ports-mgmt/portupgrade
# make install clean

# portupgrade -R firefox
Include the -R flag if portupgrade should first upgrade all the ports required by the given application.
f) Portmaster
Portmaster is another utility for upgrading installed ports.
Portmaster was designed to make use of the tools found in the base system
(it does not depend upon other ports) and uses the information in /var/db/pkg/ to determine which ports to upgrade.

It is available from the ports-mgmt/portmaster port:

    # cd /usr/ports/ports-mgmt/portmaster
    # make install clean
Portmaster groups ports into four categories:
 - Root ports (no dependencies, not depended on)
 - Trunk ports (no dependencies, are depended on)
 - Branch ports (have dependencies, are depended on)
 - Leaf ports (have dependencies, not depended on)

    portmaster -L             # list all installed ports and check them for available updates
    portmaster -a             # upgrade all installed ports that have updates
    portmaster -af            # force reinstall of all ports (use if the upgrade ran into errors)
    portmaster shells/bash    # install (or upgrade) a single port, here bash
g) portaudit
Portaudit checks installed packages for known vulnerabilities.
To begin using Portaudit, one must install it from the Ports Collection:
# cd /usr/ports/ports-mgmt/portaudit && make install clean
To check your installed ports for known vulnerabilities now, do:
# /usr/local/sbin/portaudit -Fda
 -F  Fetch the current database from the FreeBSD servers.
 -d  Print the creation date of the database.
 -a  Print a vulnerability report for all installed packages.

h) Clean temp files and folder from all ports
# portsclean -CDD     # -C removes work directories; -DD deletes distfiles not referenced by any installed port

4c) Installing from source (gcc make)

Prefer packages; fall back to ports, and only then build from source.

To accept the default configuration of every port (including dependencies), so the installation runs through without prompting for options:

# make -DBATCH install clean

To answer ALL options for the port and ALL its dependencies interactively up front, so you are not prompted again mid-build (not all ports support this, but most do):

# make config-recursive

5) Rebuild Kernel (if needed)
Kernel rebuild benefits:
  • Faster boot time (kernel will only probe the hardware you have on your system)
  • Lower memory usage.
  • Additional hardware support
Kernel Drivers, Subsystems, and Modules
Before building a custom kernel, consider the reasons for doing so. If there is a need for specific hardware support, it may already exist as a module.
Kernel modules exist in the /boot/kernel directory and may be dynamically loaded into the running kernel using kldload(8).

Kernel build directory
All directories mentioned will be relative to the main /usr/src/sys
arch represents one of i386, amd64, ia64, powerpc, sparc64.
# cd /usr/src/sys/amd64/conf
# mkdir /root/kernels
# cp GENERIC /root/kernels/SI64           # start from the GENERIC configuration
# ln -s /root/kernels/SI64                # symlink it back into the conf directory
Now, edit SI64 with your favorite text editor.
ident            SI64
# disable devices you are sure you do not need; be careful and read NOTES first
# required for IPFW
# optional enable logging to syslogd(8)
# optional; don't get too many log entries
# options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
# for NAT and traffic shape
# options         IPFIREWALL_FORWARD      #packet destination changes
# options         DUMMYNET
# options         IPDIVERT
# for multiple fibs (setfibs)
# options         ROUTETABLES=2           # max 16. 1 is back compatible

Building a Kernel
# cd /usr/src
# make buildkernel KERNCONF=SI64 && make installkernel KERNCONF=SI64
On FreeBSD 10 the build may stop with:
make[1]: "/usr/src/share/mk/" line 457: MK_CLANG_IS_CC can't be set by a user.
*** Error code 1
In that case, comment out the MK_CLANG_IS_CC line in /etc/make.conf and rerun the build.
The new kernel will be copied to the /boot/kernel directory as /boot/kernel/kernel and the old kernel will be moved to /boot/kernel.old/kernel. Now, shutdown the system and reboot to use your new kernel. If something goes wrong, there are some troubleshooting instructions at the end of this chapter that you may find useful. Be sure to read the section which explains how to recover in case your new kernel does not boot.

6) Configure firewall (IPFW)

IPFW - FreeBSD IP firewall, traffic shaper, packet scheduler, in-kernel NAT.

Loading a large address list into a lookup table from a file of "table 1 add <prefix>" lines:
# wc -l ip2.txt
   65536 ip2.txt
# ipfw table 1 flush                    # empty table 1
# ipfw /etc/rc.firewall.prefixes        # ipfw reads and executes the commands in the file
# ipfw table 1 list                     # show the loaded entries

General info -

1. Point /etc/rc.conf at the IPFW rules
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"   # if not specified, /etc/rc.firewall is used

2. Edit /etc/rc.firewall
Lines starting with # are comments; blank lines are ignored.

#!/bin/sh -

# Flush out the list before we begin
/sbin/ipfw -q -f flush
# Rule command prefix
cmd="ipfw -q add"

# Interfaces and networks
vlan55="em0"            # MGMT interface
vlan66="em1"            # INTERNET interface
mgmtlan="192.0.2.0/24"  # management LAN used by the SNMP/Zabbix rules below; placeholder, set your own prefix

# No restrictions on Loopback Interface
$cmd 10 allow all from any to any via lo0
$cmd 11 deny all from any to
$cmd 12 deny all from to any
$cmd 13 deny tcp from any to any frag

# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
$cmd 15 check-state
$cmd 16 allow tcp from any to any established limit src-addr 50
$cmd 17 allow all from any to any out keep-state

# User root has "GOD" privileges.
$cmd 00018 allow tcp from me to any out via $vlan66 setup keep-state uid root
$cmd 00019 allow udp from me to any out via $vlan66 keep-state uid root   # no 'setup': that option is TCP-only

# $cmd 00050 allow ipv6 from any to any

# Allow SSH
$cmd 22 allow tcp from me to any 22 out via $vlan55 setup keep-state

# Allow DNS out
$cmd 53 allow udp from me to any 53 keep-state

# Allow ICMP ping and traceroute
$cmd 100 allow icmp from any to me icmptypes 0,3,5,8,11
$cmd 101 allow icmp from me to any out
$cmd 102 allow udp from me to any 33434-33600 out

# Allow SNMP out
$cmd 161 allow udp from me to any 161 out via $vlan55 keep-state

# Allow SNMP in
$cmd 161 allow udp from $mgmtlan 161 to me in via $vlan55  keep-state

# Allow SNMP Traps
$cmd 162 allow udp from any to me 162 via $vlan55 keep-state

# Allow NTP out
$cmd 123 allow udp from me to any 123 via $vlan55 keep-state out
$cmd 123 allow udp from me to any 123 via $vlan66 keep-state out

# Allow NTP in (if serving as NTP server)
$cmd 124 allow udp from any 123 to me 123 via $vlan55

# Allow WWW in
# limit 40 connections per IP
$cmd 180 allow tcp from any to me 80 in via $vlan66 setup limit src-addr 40

# Allow Zabbix
$cmd 200 allow tcp from me to any 10050,10051 via $vlan55 setup keep-state
$cmd 201 allow tcp from $mgmtlan to me 10050,10051 via $vlan55 setup keep-state

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 9901 deny all from to any in via $vlan66  #RFC 1918 private IP
$cmd 9902 deny all from to any in via $vlan66   #RFC 1918 private IP
$cmd 9903 deny all from to any in via $vlan66      #RFC 1918 private IP
$cmd 9904 deny all from to any in via $vlan66     #loopback
$cmd 9905 deny all from to any in via $vlan66       #loopback
$cmd 9906 deny all from to any in via $vlan66  #DHCP auto-config
$cmd 9907 deny all from to any in via $vlan66    #reserved for docs
$cmd 9908 deny all from to any in via $vlan66 #Sun cluster interconnect
$cmd 9909  deny all from to any in via $vlan66     #Class D & E multicast

# Deny trash
$cmd 9920 deny tcp from any 135 to any
$cmd 9921 deny tcp from any 137 to any
$cmd 9922 deny tcp from any 138 to any
$cmd 9923 deny tcp from any 139 to any
$cmd 9924 deny tcp from any 445 to any
$cmd 9925 deny udp from any 135 to any
$cmd 9926 deny udp from any 137 to any
$cmd 9927 deny udp from any 138 to any
$cmd 9928 deny udp from any 139 to any
$cmd 9929 deny udp from any 445 to any

# Log all the rest for troubleshooting
#$cmd 9950 deny log logamount 1000 all from any to any

# For production
$cmd 9999 deny  all from any to any

3. Verify IPFW
To check if ipfw is enabled:
# sysctl net.inet.ip.fw.enable
net.inet.ip.fw.enable: 1
To check ipfw rules and states:

ipfw list        # list all the rules in sequence
ipfw -t list     # list all the rules with the time stamp of their last match
ipfw show        # show packet and byte counters per rule
ipfw zero        # zero all counters
ipfw zero NUM    # zero the counters for just the rule with number NUM

ipfw -d -e list  # list dynamic (keep-state) rules, including expired ones
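Before loading a hand-written rule script, it is worth linting it for the mistakes that commonly slip into rc.firewall files: a rule that references a shell variable which is never assigned (the field silently comes out empty), 'setup' on a udp rule (which can never match), and a missing final deny. The following is an added example, not part of the original post or of FreeBSD; it reads the script as text and never invokes ipfw, and lint_ipfw_rules / write_sample_rules are names chosen here.

```shell
#!/bin/sh
# Static sanity check for an ipfw rule script in the "$cmd NNN action ..." style.
# Added example: only reads the file, never calls ipfw, so it runs on any POSIX sh.
# lint_ipfw_rules FILE: print one line per finding, then "total: N"
lint_ipfw_rules() {
    f="$1"
    n=0
    # 1. rule lines that reference a shell variable the file never assigns:
    #    the rule is loaded with an empty field and silently means something else
    for v in $(grep '^\$cmd' "$f" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | sed 's/^\$//' | sort -u); do
        [ "$v" = cmd ] && continue
        if ! grep -q "^${v}=" "$f"; then
            echo "undefined variable \$$v"
            n=$((n + 1))
        fi
    done
    # 2. 'setup' matches a TCP SYN; on a udp rule it can never match, so the
    #    rule is dead and the traffic it was meant to allow falls through
    c=$(grep -c -E '^\$cmd +[0-9]+ +[a-z]+ +udp .* setup( |$)' "$f" || true)
    if [ "$c" -gt 0 ]; then
        echo "$c udp rule(s) using setup"
        n=$((n + c))
    fi
    # 3. the highest-numbered rule should be an explicit default deny
    last=$(grep '^\$cmd' "$f" | sort -k2,2n | tail -n 1)
    case "$last" in
        *' deny '*'from any to any'*) ;;
        *) echo "last rule is not a default deny: $last"; n=$((n + 1)) ;;
    esac
    echo "total: $n"
}
# write_sample_rules FILE: constructed excerpt in the style of the script above;
# $mgmtlan is never assigned and rule 19 puts 'setup' on udp, so two findings
write_sample_rules() {
    cat > "$1" <<'EOF'
#!/bin/sh -
cmd="ipfw -q add"
vlan55="em0"   # MGMT interface
vlan66="em1"   # INTERNET interface
$cmd 10 allow all from any to any via lo0
$cmd 00019 allow udp from me to any out via $vlan66 setup keep-state uid root
$cmd 161 allow udp from $mgmtlan 161 to me in via $vlan55 keep-state
$cmd 9999 deny all from any to any
EOF
}
rules=$(mktemp)
write_sample_rules "$rules"
lint_ipfw_rules "$rules"   # prints the two findings and "total: 2"
rm -f "$rules"
```

Run it against /etc/rc.firewall (or whatever firewall_script points at) before `service ipfw restart`; a clean file prints only "total: 0".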

4. Reload IPFW
# service ipfw restart
or, on older releases, /etc/rc.d/ipfw restart

According to Julian Elischer and Ian Smith, the man page and I are both correct.
IPFW will stop testing rules as soon as a terminal rule matches (allow, deny, divert, a couple others). IPFW will continue testing rules for non-terminal matches (count/log, tee, a couple others). And IPFW will continue checking rules starting at the last match for certain rules (divert, tee, a couple others).

IOW, you can think of IPFW as a first-match-wins rules processing system, with the caveat that some rule types don't stop the rules processing.
