1) Documentation Sources
2) Freebsd 9.0 Installation from handbook
3) Update system
4) Update port collection
5) Rebuild Kernel (if needed)
6) Configure firewall (IPFW)
7) FreeBSD customize shell and mc - http://sclabs.blogspot.com/2010/08/hotkeys.html
8) FreeBSD MyFAQ - http://sclabs.blogspot.com/2011/02/freebsd-optimizations.html
9) Securing OS - Unofficial FreeBSD Security Checklist / Links / Resources
For FreeBSD 10
If installing a port fails with the following error:
*** Error code 74
Stop.
make: stopped in /usr/ports/multimedia/plexmediaserver
this could help: bootstrap pkg(8) first, then convert the legacy package database:
# /usr/sbin/pkg bootstrap -f
# pkg2ng
1) Documentation Sources
A wide variety of documentation is available for FreeBSD: on the project web site, on other web sites, and in print.
1) FreeBSD Handbook - http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/
2) Frequently Asked Questions (FAQ) - http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/index.html
3) FreeBSD Man Pages (Online) - http://www.freebsd.org/cgi/man.cgi
* 1: General Commands
* 2: System Calls
* 3: Library Functions
* 4: Kernel Interfaces - Special files (usually devices, those found in /dev) and drivers
* 5: File formats and conventions
* 6: Games
* 7: Miscellaneous Information
* 8: System administration commands and daemons
* 9: Kernel Developer's Manual
Some important man pages to read: tuning(7), systat(1), firewall(7)
4) FreeBSD Books
Absolute FreeBSD: The Complete Guide to FreeBSD, 2nd Edition
http://www.amazon.com/Absolute-FreeBSD-Complete-Guide-2nd/dp/1593271514
5) FreeBSD Web Resources
http://forums.freebsd.org/
http://www.bsdguides.org/
2) Freebsd 9.0 Installation from handbook
Creating Traditional Split Filesystem Partitions
For a traditional partition layout where the /, /var, /tmp, and /usr directories are separate filesystems on their own partitions, create a GPT partitioning scheme, then create the partitions as shown. Partition sizes shown are typical for a 20G target disk. If more space is available on the target disk, larger swap or /var partitions may be useful. Labels shown here are prefixed with ex for "example", but readers should use other unique label values, as described in the handbook.
By default, FreeBSD's gptboot expects the first UFS partition found to be the / partition.
Partition Type   Size                                 Mountpoint   Label
freebsd-boot     512K
freebsd-ufs      2G                                   /            exrootfs
freebsd-swap     4G                                                exswap
freebsd-ufs      2G                                   /var         exvarfs
freebsd-ufs      1G                                   /tmp         extmpfs
freebsd-ufs      accept the default (rest of disk)    /usr         exusrfs
Keeping /tmp and /var on their own partitions also lets you mount them with nosuid (and /tmp with noexec) in /etc/fstab, and stops a filled /var or /tmp from filling /.
3) Update FreeBSD (Security Patches)
Security patches are published on the FreeBSD update servers and can be downloaded and installed with:
# freebsd-update fetch
# freebsd-update install
If anything went wrong, freebsd-update can roll back the last set of changes:
# freebsd-update rollback
Once complete, the system should be restarted if the kernel or any kernel modules were modified, so that FreeBSD loads the new binaries into memory.
freebsd-update can only update the GENERIC kernel automatically. If a custom kernel is in use, it has to be rebuilt and reinstalled after freebsd-update finishes installing the rest of the updates.
To have patches fetched unattended, run "freebsd-update cron" from root's crontab; it downloads updates at a random time and mails root when something is waiting for "freebsd-update install".
To restart:
# shutdown -r now
4) Installing software
There are three methods to install software on a FreeBSD system:
4a) FreeBSD packages and the pkg_* utilities
In general, pkg_add and pkg_delete let you install and remove software on the system in an efficient and consistent way. pkg_info shows what is installed and gives detailed information about each installed package.
All package information is stored under /var/db/pkg. The installed file list and the description of each package are kept in files in this directory.
Note that these legacy tools fetch packages over plain FTP/HTTP and do not verify signatures. FreeBSD 10 replaced them with pkg(8), which checks the repository signature against the fingerprints in /usr/share/keys/pkg; on a FreeBSD 10 system use pkg install, pkg info and pkg delete instead.
Install:
# pkg_add lsof-4.56.4.tgz        # manual installation from a file
# pkg_add -r lsof                # fetch and install from an FTP site
Info:
# pkg_info
cvsup-16.1   A general network file distribution system optimized for CV
Deinstall:
# pkg_delete xchat-1.7.1         # remove a specific package
# pkg_delete -f xchat-1.7.1      # force removal, even if other packages depend on it
# pkg_delete -r xchat-1.7.1      # remove a package and everything that depends on it
# pkg_delete 'php5-*'            # remove packages matching a glob
# pkg_delete -i 'php5-*'         # same, asking for confirmation on each package
4b) The ports collection /usr/ports
a) Update port collection
Portsnap downloads a compressed snapshot of the Ports Collection into /var/db/portsnap and verifies its signature against the key in /etc/portsnap.conf. You can disconnect from the Internet after this step, if you wish. If you are running Portsnap for the first time, extract the snapshot into /usr/ports:
For the first use:
# portsnap fetch extract    # load the initial snapshot AND unpack it into /usr/ports
Subsequently:
# portsnap fetch update     # download updates and apply them to /usr/ports
b) Installing a port
# locate lsof                   # find the port's directory
# cd /usr/ports/sysutils/lsof
# make install clean
OR
# portinstall tcptrack          # portinstall ships with ports-mgmt/portupgrade
Make options:
# make -DBATCH install clean            # auto-respond OK to the default make options
# make config-recursive install clean   # answer ALL make options up front (dependencies included)
If something went wrong, try the following targets from the port's directory:
# cd /usr/ports/program
c) Reconfiguring Ports
# make fetch-recursive                  # fetch distfiles for the port and all its dependencies
# make all-depends-list                 # list every dependency
# make run-depends-list                 # list run-time dependencies only
# make build-depends-list               # list build-time dependencies only
# make pretty-print-build-depends-list
# make pretty-print-run-depends-list
# make config                           # (re)set the port's options
# make showconfig                       # show the currently saved options
# make rmconfig                         # discard the saved options
d) Uninstall a port
# pkg_delete lsof-4.57
e) Port upgrade
Check ports for up-to-date information. Before attempting a port upgrade, read /usr/ports/UPDATING. This file describes issues and additional steps users may encounter and need to perform when updating a port, such as file format changes.
# pkg_version -v          # compare installed versions with the ports tree
# pkg_version -v -L=      # show only packages that are not up to date
# cd /usr/ports/ports-mgmt/portupgrade
# make install clean
# portupgrade -R firefox
Include the -R flag if portupgrade should first upgrade all the ports required by the given application.
f) Portmaster
Portmaster is another utility for upgrading installed ports. It was designed to use only the tools found in the "base" system (it does not depend on other ports) and uses the information in /var/db/pkg/ to determine which ports to upgrade.
It is available from the ports-mgmt/portmaster port:
# cd /usr/ports/ports-mgmt/portmaster
# make install clean
Portmaster groups ports into four categories:
- Root ports (no dependencies, not depended on)
- Trunk ports (no dependencies, are depended on)
- Branch ports (have dependencies, are depended on)
- Leaf ports (have dependencies, not depended on)
portmaster -L            # list all installed ports and check for updates
portmaster -a            # upgrade all installed ports that have updates
portmaster -af           # force a rebuild of everything; use if the upgrade ran into errors
portmaster shells/bash   # install bash
g) portaudit
Portaudit checks the installed packages against the FreeBSD VuXML database of known vulnerabilities. Once it is installed, the ports framework also refuses to install a port that is listed as vulnerable (override with DISABLE_VULNERABILITIES=yes only when you know why).
To begin using Portaudit, install it from the Ports Collection:
# cd /usr/ports/ports-mgmt/portaudit && make install clean
To check your installed ports for known vulnerabilities now:
# /usr/local/sbin/portaudit -Fda
-F Fetch the current database from the FreeBSD servers.
-d Print the creation date of the database.
-a Print a vulnerability report for all installed packages.
On FreeBSD 10 and later, where pkg(8) has replaced the pkg_* tools, the same check is:
# pkg audit -F
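To show what portaudit (and pkg audit) actually decide when they report a package, here is an added example in Python (assumed installed from lang/python; it is not code from the original post or from portaudit): a VuXML-style range check with FreeBSD's version[_revision][,epoch] ordering. The VuXML excerpt, the vids and the installed-package list are constructed for the example, and the version comparison is a simplified form of pkg_version(1)'s (numeric and alphabetic runs compared component by component).

```python
"""Added example, not part of the original post or of portaudit: how a
portaudit/pkg-audit style check decides that an installed package falls in a
vulnerable version range of a VuXML entry.

Assumptions (this script's own): the VuXML excerpt and the installed-package
list are constructed, not real advisories; version ordering follows the
version[_revision][,epoch] form used by pkg_version(1) in a simplified way.
"""
import re
import xml.etree.ElementTree as ET

# Constructed VuXML-like document; the vids and packages are invented.
VUXML = """<vuxml>
  <vuln vid="example-0001">
    <topic>libfoo -- example buffer overflow</topic>
    <affects>
      <package><name>libfoo</name><range><lt>1.2.3_2</lt></range></package>
      <package><name>bar</name><range><ge>2.0</ge><lt>2.0.5</lt></range></package>
    </affects>
  </vuln>
  <vuln vid="example-0002">
    <topic>baz -- example denial of service</topic>
    <affects>
      <package><name>baz</name><range><le>0.9,1</le></range></package>
    </affects>
  </vuln>
</vuxml>"""

# Constructed installed-package list, as pkg_info(1) would print the names.
INSTALLED = ["libfoo-1.2.3_1", "bar-2.0.5", "baz-1.0", "qux-3.1"]


def split_version(v):
    """'1.2.3_2,1' -> (epoch 1, [(0,1),(0,2),(0,3)], revision 2)."""
    epoch = revision = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    # Numeric runs compare as integers, alphabetic runs as strings; the 0/1
    # tag keeps the two kinds comparable without type errors.
    parts = [(0, int(t)) if t.isdigit() else (1, t)
             for t in re.findall(r"\d+|[A-Za-z]+", v)]
    return epoch, parts, revision


def compare_versions(a, b):
    """-1, 0 or 1 (like pkg_version -t): epoch, then version, then revision."""
    ka, kb = split_version(a), split_version(b)
    return (ka > kb) - (ka < kb)


OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}


def in_range(version, range_el):
    """Bounds inside one <range> are ANDed; separate <range> elements are ORed."""
    return all(OPS[b.tag](compare_versions(version, b.text.strip())) for b in range_el)


def split_pkg(pkg):
    """'py27-foo-1.0_1' -> ('py27-foo', '1.0_1'): the version follows the last '-'."""
    name, _, version = pkg.rpartition("-")
    return name, version


def audit(installed, vuxml_text):
    """Return {installed package: [vids]} for packages inside a vulnerable range."""
    findings = {}
    root = ET.fromstring(vuxml_text)
    for pkg in installed:
        name, version = split_pkg(pkg)
        for vuln in root.iter("vuln"):
            for p in vuln.iter("package"):
                if p.findtext("name") == name and any(
                        in_range(version, r) for r in p.findall("range")):
                    findings.setdefault(pkg, []).append(vuln.get("vid"))
    return findings


if __name__ == "__main__":
    for pkg, vids in audit(INSTALLED, VUXML).items():
        print("Affected package: %s (%s)" % (pkg, ", ".join(vids)))
```

Two of the constructed cases are the ones a naive string comparison gets wrong: 2.0.10 is newer than 2.0.9, and baz-1.0 is older than 0.9,1 because the epoch after the comma outranks the version, which is exactly why a port that bumps its epoch can leave an older install flagged.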
h) Clean temporary files and folders of all ports
# portsclean -CDD    # -C removes work directories, -DD removes distfiles not referenced by any installed port
4c) Installing from source (gcc make)
Prefer packages, then ports, and only then building from source by hand.
To accept the default options of a port and its dependencies, so the build runs without prompting for options:
# make config-recursive          # answer ALL options for ALL dependencies up front, so you are not interrupted later (not all ports support it, but most do)
OR
# make -DBATCH install clean     # take the default options for the port and its dependencies
5) Rebuild Kernel (if needed)
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html
Kernel rebuild benefits:
- Faster boot time (the kernel only probes the hardware present on the system)
- Lower memory usage
- Smaller attack surface (drivers and options you do not use are not compiled in)
- Additional hardware support, or options such as IPFIREWALL that GENERIC does not enable
Before building a custom kernel, consider the reasons for doing so. If there is a need for specific hardware support, it may already exist as a module.
Kernel modules exist in the /boot/kernel directory and may be dynamically loaded into the running kernel using kldload(8).
Kernel build directory
All directories mentioned are relative to /usr/src/sys, where arch is one of i386, amd64, ia64, powerpc, sparc64.
# cd /usr/src/sys/amd64/conf
# mkdir /root/kernels
# cp GENERIC /root/kernels/SI64
# ln -s /root/kernels/SI64
Now edit SI64 with your favorite text editor.
ident SI64
#
# disable devices you are sure are not needed; be careful and read NOTES first (/usr/src/sys/conf/NOTES and /usr/src/sys/amd64/conf/NOTES)
#
# builds IPFW into the kernel; without it, firewall_enable="YES" loads the ipfw.ko module at boot (which also defaults to deny unless the loader tunable net.inet.ip.fw.default_to_accept=1 is set)
options IPFIREWALL
# optional enable logging to syslogd(8)
options IPFIREWALL_VERBOSE
# optional; don't get too many log entries
options IPFIREWALL_VERBOSE_LIMIT=10
# options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
#
# for NAT and traffic shape
# options IPFIREWALL_FORWARD #packet destination changes
# options DUMMYNET
# options IPDIVERT
# for multiple routing tables (setfib(1))
# options ROUTETABLES=2 # max 16. 1 is back compatible
Building a Kernel
# cd /usr/src
# make buildkernel KERNCONF=SI64 && make installkernel KERNCONF=SI64
In FreeBSD 10, if the build stops with:
make[1]: "/usr/src/share/mk/bsd.own.mk" line 457: MK_CLANG_IS_CC can't be set by a user.
*** Error code 1
comment out that line in /etc/make.conf:
# MK_CLANG_IS_CC=no
The new kernel is copied to /boot/kernel/kernel and the old kernel is moved to /boot/kernel.old/kernel. Now shut down and reboot to use the new kernel. If something goes wrong, the troubleshooting section at the end of the handbook's kernel configuration chapter (linked above) explains how to recover when the new kernel does not boot.
6) Configure firewall (IPFW)
IPFW - FreeBSD IP firewall, traffic shaper, packet scheduler, in-kernel NAT.
Large address lists (the ip2.txt here has 65536 lines) belong in a lookup table, not in individual rules. ipfw(8) reads commands from a file, one per line, so a table can be (re)loaded like this:
# wc -l ip2.txt
65536 ip2.txt
# ipfw table 1 flush
# ipfw /etc/rc.firewall.prefixes
# ipfw table 1 list
Contents of /etc/rc.firewall.prefixes:
table 1 add 192.168.0.36
table 1 add 192.168.0.37
table 1 add 84.247.24.0/22
table 1 add 86.105.221.0/24
table 1 add 89.47.90.0/24
table 1 add 93.113.220.0/23
table 1 add 94.176.4.0/24
table 1 add 94.176.41.0/24
A rule then refers to the table as table(1), for example "deny ip from table(1) to any in via em1".
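The prefix file above is typically produced from a larger list, and a malformed line in it becomes a firewall decision. As an added example (Python, assumed installed from lang/python; not code from the original post), this script builds the table file from a raw list, refuses entries that do not parse as an exact network, and collapses duplicate, adjacent and nested networks into the minimal set of table entries. The input list is constructed, and the table number and output path are the script's own parameters, not values from the post.

```python
"""Added example, not part of the original post: generate the prefix file that
'ipfw /etc/rc.firewall.prefixes' loads, from a raw address list, refusing
malformed entries and collapsing duplicate, adjacent and nested networks.

Assumptions (this script's own): RAW_PREFIXES is constructed; table number 1
and the output path are parameters, not taken from the post.
"""
import ipaddress

# Constructed input, with the kinds of junk a pasted address list tends to carry.
RAW_PREFIXES = """
192.168.0.36
192.168.0.37
84.247.24.0/22
86.105.221.0/24
86.105.221.0/24        # duplicate
89.47.90.0/24
89.47.91.0/24          # adjacent to the previous entry
93.113.220.0/23
94.176.4.0/24
94.176.41.0/24
192.168.0.36/24        # host bits set: ambiguous, refuse rather than widen
10.0.0.256             # not an address
"""


def parse_prefixes(text):
    """Return (networks, rejected). Anything that does not parse as an exact
    network is rejected: a table entry is a security decision, so an entry
    must not be silently widened to a bigger block than the author wrote."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=True refuses 192.168.0.36/24 instead of turning it into 192.168.0.0/24
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return networks, rejected


def table_commands(networks, table=1):
    """Emit one 'table N add' line per collapsed network, in address order.
    Grouped by address family, since collapse_addresses refuses mixed input."""
    lines = []
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        lines += ["table %d add %s" % (table, n)
                  for n in ipaddress.collapse_addresses(same)]
    return lines


def build(text, table=1):
    """Return (ipfw command lines, rejected entries) for a raw prefix list."""
    networks, rejected = parse_prefixes(text)
    return table_commands(networks, table), rejected


def write_prefix_file(path, text, table=1):
    """Write the command file for ipfw(8); rejected entries are returned, not written."""
    commands, rejected = build(text, table)
    with open(path, "w") as fh:
        fh.write("\n".join(commands) + "\n")
    return rejected


if __name__ == "__main__":
    commands, rejected = build(RAW_PREFIXES)
    print("\n".join(commands))            # redirect this into /etc/rc.firewall.prefixes
    for entry, why in rejected:
        print("rejected: %s (%s)" % (entry, why))
```

Run it, review the rejected lines by hand, then load the result with "ipfw table 1 flush; ipfw /etc/rc.firewall.prefixes" as above. Collapsing also shrinks the table: the two hosts become a /31 and the two adjacent /24s become one /23.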
General info - http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
http://forums.freebsd.org/showpost.php?p=27122&postcount=14
1. Enable IPFW in /etc/rc.conf
firewall_enable="YES"
# firewall_script="/usr/local/etc/ipfw.rules"
# if not specified, /etc/rc.firewall is used
When you apply a default-deny ruleset over SSH, keep the existing session open and verify with a second login before you log out; a typo in the ruleset locks you out of the machine.
2. Edit /etc/rc.firewall
# marks a comment; blank lines are ignored.
#!/bin/sh -
# Flush out the list before we begin
/sbin/ipfw -q -f flush
# Set the rule command prefix
cmd="ipfw -q add"
mgmtlan="10.20.30.0/24"
vlan55="em0" # MGMT interface
vlan66="em1" # INTERNET interface
# No restrictions on Loopback Interface
$cmd 10 allow all from any to any via lo0
$cmd 11 deny all from any to 127.0.0.0/8
$cmd 12 deny all from 127.0.0.0/8 to any
$cmd 13 deny tcp from any to any frag
# Allow the packet through if it has previously been added to the
# dynamic rules table by an allow keep-state statement.
$cmd 15 check-state
# NOTE: "established" matches any TCP packet with ACK or RST set, whether or
# not it belongs to a tracked connection, so ACK/RST scans pass this rule too.
# With check-state/keep-state in use it can be dropped.
$cmd 16 allow tcp from any to any established limit src-addr 50
# NOTE: this rule allows (and creates state for) every outbound packet, so the
# more specific outbound rules below it (18, 19, 22, 53, 101, 102, 161, 123,
# 200) are never reached for outbound traffic. Remove it, or move it after
# them, if those rules are meant to restrict what leaves the host.
$cmd 17 allow all from any to any out keep-state
# Root has unrestricted outbound access (uid root).
$cmd 00018 allow tcp from me to any out via $vlan66 setup keep-state uid root
# "setup" is a TCP-only match (SYN without ACK); a udp rule carrying it never matches.
$cmd 00019 allow udp from me to any out via $vlan66 keep-state uid root
# $cmd 00050 allow ipv6 from any to any
# Allow SSH
$cmd 22 allow tcp from me to any 22 out via $vlan55 setup keep-state
# Allow DNS out
$cmd 53 allow udp from me to any 53 keep-state
# Allow ICMP ping and traceroute
# NOTE: type 5 (redirect) is accepted here; it lets another host on the link
# change this machine's routes. Drop it from the list, or set
# net.inet.icmp.drop_redirect=1 in /etc/sysctl.conf.
$cmd 100 allow icmp from any to me icmptypes 0,3,5,8,11
$cmd 101 allow icmp from me to any out
$cmd 102 allow udp from me to any 33434-33600 out
# Allow SNMP out
$cmd 161 allow udp from me to any 161 out via $vlan55 keep-state
# Allow SNMP in
$cmd 161 allow udp from $mgmtlan 161 to me in via $vlan55 keep-state
# Allow SNMP Traps
$cmd 162 allow udp from any to me 162 via $vlan55 keep-state
# Allow NTP out
$cmd 123 allow udp from me to any 123 via $vlan55 keep-state out
$cmd 123 allow udp from me to any 123 via $vlan66 keep-state out
# Allow NTP in (if serving as NTP server)
$cmd 124 allow udp from any 123 to me 123 via $vlan55
# Allow WWW in
# limit 40 connections per IP
$cmd 180 allow tcp from any to me 80 in via $vlan66 setup limit src-addr 40
# Allow Zabbix
$cmd 200 allow tcp from me to any 10050,10051 via $vlan55 setup keep-state
$cmd 201 allow tcp from $mgmtlan to me 10050,10051 via $vlan55 setup keep-state
# Deny all inbound traffic from non-routable reserved address spaces
# NOTE: these denies come after the accept rules above, so they only catch
# traffic that nothing above has already accepted: a packet with a spoofed
# 192.168.x.x source to port 80 arriving on $vlan66 is accepted by rule 180
# before it gets here. Number them below the first accept rule for $vlan66
# to make the filter effective.
$cmd 9901 deny all from 192.168.0.0/16 to any in via $vlan66 #RFC 1918 private IP
$cmd 9902 deny all from 172.16.0.0/12 to any in via $vlan66 #RFC 1918 private IP
$cmd 9903 deny all from 10.0.0.0/8 to any in via $vlan66 #RFC 1918 private IP
$cmd 9904 deny all from 127.0.0.0/8 to any in via $vlan66 #loopback
$cmd 9905 deny all from 0.0.0.0/8 to any in via $vlan66 #"this" network (RFC 1122), not loopback
$cmd 9906 deny all from 169.254.0.0/16 to any in via $vlan66 #link-local / APIPA auto-config
$cmd 9907 deny all from 192.0.2.0/24 to any in via $vlan66 #reserved for documentation
$cmd 9908 deny all from 204.152.64.0/23 to any in via $vlan66 #Sun cluster interconnect
$cmd 9909 deny all from 224.0.0.0/3 to any in via $vlan66 #Class D multicast and Class E reserved
# Deny trash
$cmd 9920 deny tcp from any 135 to any
$cmd 9921 deny tcp from any 137 to any
$cmd 9922 deny tcp from any 138 to any
$cmd 9923 deny tcp from any 139 to any
$cmd 9924 deny tcp from any 445 to any
$cmd 9925 deny udp from any 135 to any
$cmd 9926 deny udp from any 137 to any
$cmd 9927 deny udp from any 138 to any
$cmd 9928 deny udp from any 139 to any
$cmd 9929 deny udp from any 445 to any
# Log all the rest for troubleshooting
#$cmd 9950 deny log logamount 1000 all from any to any
# For production
$cmd 9999 deny all from any to any
3. Verify IPFW
To check whether ipfw is enabled:
# sysctl net.inet.ip.fw.enable
net.inet.ip.fw.enable: 1
To check ipfw rules and states:
# ipfw list         # list all rules in sequence
# ipfw -t list      # list all rules with the time stamp of the last match
# ipfw show         # show the number of matches (packet and byte counters)
# ipfw zero         # zero all counters
# ipfw zero NUM     # zero the counters of rule NUM only
# ipfw -d list      # include the dynamic (keep-state) rules
# ipfw -d -e list   # also show expired dynamic rules
4. Reload IPFW
service ipfw restart
or, on older releases, /etc/rc.d/ipfw restart
NOTES:
According to Julian Elischer and Ian Smith, the man page and I are both correct.
IPFW will stop testing rules as soon as a terminal rule matches (allow, deny, divert, a couple others). IPFW will continue testing rules for non-terminal matches (count/log, tee, a couple others). And IPFW will continue checking rules starting at the last match for certain rules (divert, tee, a couple others).
IOW, you can think of IPFW as a first-match-wins rules processing system, with the caveat that some rule types don't stop the rules processing.
http://coombs.anu.edu.au/~avalon/
http://www.devco.net/archives/2005/02/23/ipfw_rule_counters_via_snmpd.php
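To make the first-match behaviour described in the NOTES concrete against the rc.firewall ruleset above, here is an added example (Python, assumed installed from lang/python; not code from the original post or from ipfw): a toy model of ipfw's rule walk run over a subset of the rules, keeping their numbers. It shows that allow/deny stop processing while count does not, that rule 17 shadows rule 18 for outbound traffic, and that the RFC 1918 deny at 9901 never sees a spoofed packet that rule 180 has already accepted. The host address, the packets and the count rule 9900 are constructed; keep-state/limit, uid, fragment and log handling are not modelled.

```python
"""Added example, not part of the original post or of ipfw itself: a toy model
of ipfw's first-match processing, run over a subset of the rc.firewall rules
above (numbers kept), to show which rule a packet actually hits.

Assumptions (this script's own): ME and all packets are constructed;
keep-state/limit, uid, fragment and log handling are not modelled; rule 9900
(count) is added here to stand in for the non-terminal rule types.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
ME = ipaddress.ip_network("198.51.100.10/32")   # constructed address of this host


def net(spec):
    """Translate an ipfw address spec into a network object."""
    if spec == "any":
        return ANY
    if spec == "me":
        return ME
    return ipaddress.ip_network(spec)


# (number, action, proto, src, dst, dst_ports, direction, interface)
# allow/deny are terminal; count is not.
RULES = [
    (10,   "allow", "all", "any",            "any", None, None,  "lo0"),
    (17,   "allow", "all", "any",            "any", None, "out", None),
    (18,   "allow", "tcp", "me",             "any", None, "out", "em1"),
    (180,  "allow", "tcp", "any",            "me",  {80}, "in",  "em1"),
    (9900, "count", "all", "any",            "any", None, "in",  "em1"),
    (9901, "deny",  "all", "192.168.0.0/16", "any", None, "in",  "em1"),
    (9999, "deny",  "all", "any",            "any", None, None,  None),
]


def packet(proto, src, dst, dport, direction, iface):
    """Build a constructed packet as seen by the firewall on one interface."""
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport,
            "dir": direction, "iface": iface}


def matches(rule, pkt):
    _, _, proto, src, dst, dports, direction, iface = rule
    return (proto in ("all", pkt["proto"])
            and pkt["src"] in net(src) and pkt["dst"] in net(dst)
            and (dports is None or pkt["dport"] in dports)
            and (direction is None or direction == pkt["dir"])
            and (iface is None or iface == pkt["iface"]))


def evaluate(rules, pkt):
    """Walk the rules in number order; return (decision, matched rule numbers).

    A terminal action ends the search; a non-terminal one (count) records the
    hit and continues. With no match the kernel's default rule 65535 applies,
    which denies unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
    """
    hits = []
    for rule in sorted(rules, key=lambda r: r[0]):
        if not matches(rule, pkt):
            continue
        hits.append(rule[0])
        if rule[1] in ("allow", "deny"):
            return rule[1], hits
    return "deny", hits + [65535]


def reorder_bogon_filter(rules):
    """Renumber the RFC 1918 deny (9901) to 179 so it runs before rule 180."""
    return [(179,) + r[1:] if r[0] == 9901 else r for r in rules]


if __name__ == "__main__":
    me = "198.51.100.10"
    spoofed = packet("tcp", "192.168.5.5", me, 80, "in", "em1")
    cases = {
        "outbound https (rule 18 is never consulted)": packet("tcp", me, "203.0.113.7", 443, "out", "em1"),
        "inbound http from the Internet": packet("tcp", "203.0.113.5", me, 80, "in", "em1"),
        "inbound http, spoofed RFC 1918 source": spoofed,
        "inbound ssh (count does not stop the walk)": packet("tcp", "203.0.113.5", me, 22, "in", "em1"),
    }
    for label, pkt in cases.items():
        print("%-45s -> %s" % (label, evaluate(RULES, pkt)))
    print("%-45s -> %s" % ("spoofed source after renumbering 9901 to 179",
                           evaluate(reorder_bogon_filter(RULES), spoofed)))
```

The renumbering in reorder_bogon_filter is the fix the model suggests for the real ruleset: anti-spoofing denies on the Internet interface belong ahead of the first accept rule for that interface, otherwise first-match-wins makes them dead code for any port that is open.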