Alter.Org.UA  

Installing FBSD

tested with FBSD 5.1

Pre-scriptum

Yes, yes, I know, everybody has to read the Handbook from freebsd.org. But imho it is not the fastest way. Even (or particularly?) having Linux and Windows setup experience. You can find a step-by-step FBSD server installation guide below. You can read your manuals from the Inet, play with settings and do many other things when the base installation is complete.

What do we want from this reality?
  1. install Free BSD :)
  2. configure it as router
  3. set up user environment (russian/midnight/joe)
  4. mysql server (and/or client)
  5. web-server
  6. proxy-server
  7. mail-server
and in addition
  1. see FBSD server's disks from Windows machines via 'Network Neighborhood'
  2. access Windows shares from FBSD server
  3. access to the server via FTP
  4. access to the server using SSH (if you have already installed FBSD and configured network, it already works)
  5. read comments ;)
So what do we have to do?
  • Installing FBSD:
    • Boot from the Free BSD boot CD and choose 1. Boot Free BSD [default]. If you have a computer with buggy ACPI, try 2. (ACPI disabled).
    • Then choose 2. Custom in sysinstall Main Menu and set installation parameters:
    • 2. Options. You can enable/disable IPv6 and DHCP. You will need DHCP if your provider assigns IP addresses dynamically. You MUST know whether this is the case.
    • 3. Partition. Allocate disk space. Using Windows and DOS terminology - create a partition (primary or extended). In the FBSD world this is known as a slice. Later, in the next menu item, you will be able to create several independent file-systems inside it (unlike the Windows world, FBSD allows this).
      You can also allocate entire disk for Free BSD: A - Entire disk
      When everything is ready: Q - Ok.
      Note: changes are not applied yet, so all operations can be cancelled.
    • When you are asked where to place Boot Manager imho it is better to choose boot-sector.
    • 4. Label. Create file-systems inside previously allocated slice:
      mount-point   size
      /             root file-system. Contains the minimum required set of executables and configs. 512Mb would be enough.
      swap          virtual memory. Physical memory size * 1.5 - 2
      /var          For temporary files, mail queues, logs and so on. Set size about 1-2Gb
      /usr          Sources, software installation placeholder. 4-6Gb
      /home         User homes, FTP, file-server, etc. Rest of the free space.
      When done - Q - Finish. Note: changes are also not applied at this stage.
    • 5. Distributions. Choose pre-installed packages. It is worth adding Developer and Kern-Developer. This will allow us to rebuild the kernel with the necessary options. User is also a useful option. Add X-components if you need them.
    • 6. Media Installation source. We are installing from CD, so CD-ROM is already selected.
    • 7. Commit. Begin installation. This will create the slice according to p.3. File-systems will be created inside this slice according to the p.4 settings. Then executables and config files will be copied there. After return to the general config menu, choose Exit.
    • Login as root after reboot with empty password.
    • Enable (if you want, of course) automatic file-system recovery after an unclean (unexpected) reboot. This is useful for servers working in unattended mode. There is the ee text editor for people who do not like vi (vi is installed as the default editor). If you are already in vi and do not know how to exit, use this: 'Esc' 'Esc' ':' 'q' '!' 'Enter'. One more useful thing - multiple consoles: use Alt-F1/Alt-F2/etc. to switch between them. And now, let's edit:
      ee /etc/rc.conf
      
      Add the following line to /etc/rc.conf
      fsck_y_enable="YES"
      
    • Temporarily disable the mail-server sendmail. Add to /etc/rc.conf
      sendmail_enable="NO"
      
    • Disable login on the 1st tty (reached via Alt-F1). It is intended for system log messages. Work on the 2nd, 3rd etc. You can switch between virtual terminals using Alt-F2, Alt-F3, etc. You should change on to off in /etc/ttys in the following line:
      console none                            unknown on secure
      
      Changes will take effect after reboot. Do it:
      shutdown -r now
      
      You can read details about shutdown and its keys (and about many other commands) using
      man shutdown
       or
      man <some other command>
      
      Exit from man viewer - 'q'.
    • Enable the maximum log level to see what happens in your system. Change the line in /etc/syslog.conf
      *.err;kern.debug;auth.notice;mail.crit         /dev/console
      
      for
      #*.err;kern.debug;auth.notice;mail.crit         /dev/console
      *.*                                             /dev/console
      
      After that execute
      killall -HUP syslogd
      
  • Setup networking:
    • TCP/IP
      1. Run the ifconfig command. You will see a list of all available interfaces and their settings. An interface is any physical or virtual device that is capable of transferring data between computers:
        • Network cards (NICs - Network Interface Cards, can have various names)
        • loopback interface lo0 - virtual interface for communication between network-oriented applications inside a single computer. Do not touch its config!
        • lp0 - networking via LPT port.
        • fwe0 - networking via FireWire (IEEE-1394) port.
        For example:
        fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
                ether 02:40:63:03:26:70
                ch 1 dma -1
        vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                ether 00:40:63:ca:92:0d
                media: Ethernet autoselect (100baseTX <full-duplex>)
                status: active
        rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                ether 00:50:fc:a2:92:79
                media: Ethernet 10baseT/UTP
                status: active
        lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
        lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
                inet 127.0.0.1 netmask 0xff000000
        
        In this example vr0 and rl0 are NICs. The following records tell us about it: ether xx:yy:zz:aa:bb and media: Ethernet Xxxxxxx.
        The record status: active means that a network cable is plugged into the NIC and a physical connection between NICs is established. If you are not sure about the NIC name assignment, you can check it by observing the responses from ifconfig. Unplug cables one by one and run ifconfig each time.
      2. Set IP-addresses and netmasks for interfaces. Everything is like in Linux or Windows, but a little different:
        ifconfig <interface name> inet <IP-address> <netmask>
        
        for example
        ifconfig rl0 inet 10.0.0.1 netmask 255.255.255.0
        
        If everything is ok, computers with IPs in the 10.0.0.1 - 10.0.0.254 range should respond to ping.
      3. Record the correct (checked) interface settings in /etc/rc.conf. For each interface add to the tail of rc.conf rows like this:
        ifconfig_<interface name>="inet <IP-address> <netmask>"
        
        for the previous example this will be
        ifconfig_rl0="inet 10.0.0.1 netmask 255.255.255.0"
        
        It is very similar to the command line. But once again: do not touch lo0 config!
      4. Set up the uplink interface IP and the default gateway. Add to /etc/rc.conf lines like these:
        ifconfig_<uplink interface name>="inet <IP-address> <netmask>"
        defaultrouter="IP-of-internet-provider"
        
        If you are already here, you must know IP-of-internet-provider. Let's check:
        route -n flush - clear routing table
        route add default <IP-of-internet-provider>
        netstat -nr - show current state of routing table
        
        You should see something like this:
        Routing tables
        
        Internet:
        Destination        Gateway            Flags    Refs      Use  Netif Expire
        default            192.168.78.1       UGSc        2    14784    rl0
        .........
        
      5. If your ISP uses dynamic address assignment (DHCP), your rc.conf will be a little different:
        ifconfig_<uplink interface name>="DHCP"
        
        for the previous example this will be
        ifconfig_vr0="DHCP"
        
        after that either start the DHCP client or reboot the computer:
        /etc/rc.d/dhclient start
        
        Now ping 216.109.127.29 should work. This is yahoo.com.
      6. Enable routing. There are two ways: add to /etc/rc.conf the lines
        router="/sbin/routed"
        router_flags="-q"
        router_enable="YES"
        gateway_enable="YES"
        
        or run /stand/sysinstall (or /usr/sbin/sysinstall under FBSD 6). Then in Configure->Networking enable gateway and routed. All settings - by default.
    • DNS
      It is very simple. Add to /etc/resolv.conf
      nameserver      <IP-of-internet-provider-DNS>
      
      I will say again: you must know this value. After that ping yahoo.com should work. (You can try other server names).
    • NAT+firewall
      Firewall - for protection against attacks and for NAT operation. NAT - an opaque way for machines from the intranet to access the world. The main idea: all requests from local machines go out as if they were sent by the server itself. From the outer world such a network is visible as a single server.
      • Add to rc.conf:
        natd_enable="YES"
        natd_interface="<world_iface>"
        natd_flags="-u -f /etc/natd.conf"
        firewall_enable="YES"           # Set to YES to enable firewall functionality
        firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
        firewall_type="/etc/firewall.conf"              # Firewall type (see /etc/rc.firewall)
        firewall_quiet="NO"             # Set to YES to suppress rule display
        firewall_logging="YES"          # Set to YES to enable events logging
        
        where <world_iface> is the name of the interface facing the outer world (the provider).
      • Create empty file /etc/natd.conf:
        touch /etc/natd.conf
        
      • Create config file for firewall - /etc/firewall.conf. Add there something like this:
        add 00100 allow ip from any to any via lo0
        add 00200 deny ip from any to 127.0.0.0/8
        add 00500 divert natd all from any to any via <world_iface>
        
        add 10600 allow ip from 10.0.0.0/24 to any via <local_iface>
        add 10600 allow ip from me to any via <world_iface>
        add 10700 allow tcp from any to me 22,25,80,53 via any
        add 10705 allow tcp from me to any 22,25,80,53 via any
        add 10701 allow udp from any to me 22,25,80,53 via any
        add 10706 allow udp from me to any 22,25,80,53 via any
        add 10710 allow tcp from any to me 110,143,443,495,587 via any
        add 10715 allow tcp from me to any 110,143,443,495,587 via any
        add 10730 allow tcp from me 25 to any via any
        add 30800 deny tcp from any to me 3306,3307 via <world_iface>
        add 30801 deny tcp from any to me 3128,3130 via <world_iface>
        add 30800 deny tcp from any to me 1-1024 via <world_iface>
        add 30801 deny udp from any to me 1-1024 via <world_iface>
        add 30900 allow tcp from any to me 1024-65535 via <world_iface>
        add 30901 allow udp from any to me 1024-65535 via <world_iface>
        add 51000 allow ip from any to any
        
        where <local_iface> and <world_iface> are interface names (see ifconfig). Such settings open SSH, SMTP, HTTP, DNS, POP3, HTTPS and block access from the outer world to the local proxy and privileged ports (1-1024). sendmail is off now (see above) and it doesn't relay mail from anyone by default. Thus, spammers will not fuck you. (Of course, if there is no fresh exploit ;)
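        To see what this ruleset actually lets through before it goes live, here is a small first-match simulator, added here and not part of the original page, that parses the rules above and walks them in ipfw order for a given packet. It substitutes rl0 for <local_iface> and vr0 for <world_iface> as in the ifconfig example, assumes a constructed uplink address 198.51.100.2, and treats divert as a pass-through to natd.

```python
import ipaddress
from collections import namedtuple
# Assumed roles (from the ifconfig example above): rl0 = LAN side, 10.0.0.1;
# vr0 = DHCP uplink with a constructed address.  ipfw's "me" = any host address.
ME = {"127.0.0.1", "10.0.0.1", "198.51.100.2"}
# The page's /etc/firewall.conf with <local_iface>=rl0 and <world_iface>=vr0.
RULESET = """
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00500 divert natd all from any to any via vr0
add 10600 allow ip from 10.0.0.0/24 to any via rl0
add 10600 allow ip from me to any via vr0
add 10700 allow tcp from any to me 22,25,80,53 via any
add 10705 allow tcp from me to any 22,25,80,53 via any
add 10701 allow udp from any to me 22,25,80,53 via any
add 10706 allow udp from me to any 22,25,80,53 via any
add 10710 allow tcp from any to me 110,143,443,495,587 via any
add 10715 allow tcp from me to any 110,143,443,495,587 via any
add 10730 allow tcp from me 25 to any via any
add 30800 deny tcp from any to me 3306,3307 via vr0
add 30801 deny tcp from any to me 3128,3130 via vr0
add 30800 deny tcp from any to me 1-1024 via vr0
add 30801 deny udp from any to me 1-1024 via vr0
add 30900 allow tcp from any to me 1024-65535 via vr0
add 30901 allow udp from any to me 1024-65535 via vr0
add 51000 allow ip from any to any
"""
# proto: "tcp"/"udp"/"icmp"; iface: interface the packet crosses (ipfw "via").
Packet = namedtuple("Packet", "proto src sport dst dport iface")

def parse_ports(spec):
    """'22,25,1-1024' -> [(22, 22), (25, 25), (1, 1024)]; None means any port."""
    parts = (x.partition("-") for x in spec.split(",")) if spec else ()
    return None if spec is None else [(int(a), int(b or a)) for a, _, b in parts]

def parse_rule(line):
    """add NUM ACTION [natd] PROTO from SRC [PORTS] to DST [PORTS] [via IFACE]"""
    t = line.split()
    num, action = int(t[1]), t[2]
    i = 4 if action == "divert" else 3      # "divert natd" carries an extra word
    proto, src = t[i], t[i + 2]             # t[i + 1] is the keyword "from"
    i += 3
    sports = dports = None
    if t[i] != "to":
        sports, i = t[i], i + 1
    dst, i = t[i + 1], i + 2                # t[i] is the keyword "to"
    if i < len(t) and t[i] != "via":
        dports, i = t[i], i + 1
    iface = t[i + 1] if i < len(t) else "any"   # trailing "via IFACE", if present
    return num, action, proto, src, parse_ports(sports), dst, parse_ports(dports), iface

def addr_match(spec, ip):
    if spec in ("any", "me"):
        return spec == "any" or ip in ME
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(ranges, port):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)

def evaluate(ruleset, pkt):
    """First-match walk in rule-number order; returns (action, rule number)."""
    rules = sorted((parse_rule(l) for l in ruleset.strip().splitlines()), key=lambda r: r[0])
    for num, action, proto, src, sports, dst, dports, iface in rules:
        if (proto in ("ip", "all", pkt.proto) and iface in ("any", pkt.iface)
                and addr_match(src, pkt.src) and addr_match(dst, pkt.dst)
                and port_match(sports, pkt.sport) and port_match(dports, pkt.dport)
                and action != "divert"):    # divert goes to natd, matching continues
            return action, num
    return "deny", 65535                    # ipfw's built-in default rule
```

        Walking the rules this way shows that an inbound TCP connection from the world to any unprivileged port on the server (8080, say) falls through to rule 30900 and is allowed, so any daemon listening above 1024 on the uplink is reachable from outside.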
      • Rebuild the kernel with special options for NAT+firewall. Build the file with the full option list (LINT) and construct your own kernel config.
        cd /usr/src/sys/i386/conf
        make LINT
        GENERIC
        cp GENERIC MY_SERVER_v1
        ee MY_SERVER_v1
        
        Remove unnecessary options.
        Everything higher than Pentium/AMD 586/K6 would be I686_CPU. Thus you can remove I386_CPU - I586_CPU support (if you are not planning to work on such platforms). Most probably you need no IPv6 support (INET6 and related options; just look and you will see).
        On the other hand, the following options are required:
        options IPFIREWALL
        options IPFIREWALL_VERBOSE
        options IPFIREWALL_FORWARD
        options IPDIVERT
        
        options LIBICONV
        options SC_DISABLE_REBOOT
        options SC_HISTORY_SIZE=3000
        options VESA
        options VGA_WIDTH90
        
        the rest - to taste. Read LINT and NOTES in the same directory (/usr/src/sys/i386/conf). Build the kernel:
        config MY_SERVER_v1
        cd ../compile/MY_SERVER_v1
        make depend
        make
        make install
        shutdown -r now
        
        after reboot set your server as Default Gateway for a machine in the local network. This machine should be able to ping world servers, for example the same ping 216.109.127.29. If you set up this machine to use the provider's DNS server, ping yahoo.com should also work.
    • Local name-server - named. Why should the whole intranet bother the provider with DNS queries? Let's ask our own server. It will think a little and find what to answer; if not, it will ask the provider and remember the answer for the future.
      cd /etc/namedb
      sh make-localhost
      
      and in rc.conf
      named_enable="YES"               # Run named, the DNS server (or NO).
      
      Run named from the command prompt. Check whether it has started with ps -ax|grep named. The following line should be present in the output:
      4603  ??  Ss     0:00,00 named
      
      Now you can set up some machine in the intranet to use our FBSD server as DNS server. It should still be able to ping servers by name, for example ping yahoo.com.
    • FTP. Run /stand/sysinstall or /usr/sbin/sysinstall and enable inetd in Configure->Networking. Answer 'No' to the prompt asking whether you want to edit inetd.conf. Go to Configure->Networking and enable Anonymous FTP. You can use all default settings, but I would recommend changing /var/ftp to /home/ftp. Then run inetd from the command prompt. After that you should be able to connect to FTP from the local network. After reboot inetd will be started automatically.
  • Some useful things.
    They are built from ports (located in the /usr/ports directory tree). I would recommend reading /usr/ports/README. All ports are built the same way: make; make install. If the required archive with sources is not found in /usr/ports/distfiles, make will attempt to download it from the Inet.
    • joe
      cd /usr/ports/editors/joe
      make
      make install
      
    • Midnight Commander
      cd /usr/ports/misc/mc
      make
      make install
      
    • trafshow
      cd /usr/ports/net/trafshow
      make
      make install
      
    • ARP-ping (arping)
      cd /usr/ports/net/arping
      make
      make install
      
    • mtr
      cd /usr/ports/net/mtr
      make
      make install
      
    • Russian/Ukrainian support.
      Add to rc.conf:
      font8x14="cp866u-8x14"
      font8x16="cp866u-8x16"
      font8x8="cp866u-8x8"
      keymap="ua.koi8-u.shift.alt"
      scrnmap="koi8-u2cp866u"
      
    • SSH
      Enable SSHD: Add to or modify /etc/rc.conf:
      sshd_enable="YES"
      
      You can run it immediately:
      /etc/rc.d/sshd start
      
    • sudo. For better security it is worth creating admin user(s) and disabling root login.
      1. Create user admin (or any other name you like). Use the adduser command. It prompts for many things. One of them is the shell. Choose any shell you like. I like tcsh. So, I can share with you its config :) For all other questions you may simply choose the default answer. If everything is ok, the user home directory <username> will be created in the /home directory.
      2. Create config file for your shell in user's home. For tcsh it is .tcshrc. You can download it from here or view in browser here.
      3. Make sudo
        cd /usr/ports/security/sudo
        make
        make install
        
        Add to /usr/local/etc/sudoers
        admin   ALL=(ALL) ALL
        
        Note: /usr/local/etc/sudoers must be read-only for everyone. You have to remove RO before editing, and must restore it after:
        chmod u+w /usr/local/etc/sudoers
        ee /usr/local/etc/sudoers
        chmod u-w /usr/local/etc/sudoers
        
      4. Now user admin logs in with their own password. If admin needs root privileges, run
        sudo -s
        
        and use admin's password again. Now we need not share the root password. You can create many administrative users (if you need them); you can also simply remove them :) Just modify /usr/local/etc/sudoers.
      5. Check if newly created admin can become root (see above).
      6. Deny root login. Use the vipw command to edit the user database. Find root there
        root:$1$xxxxxxxxxxxxxxxxxxxxxxxxxx/:0:0::0:0:Charlie &:/root:/bin/csh
        
        and prepend '*' to root's password hash:
        root:*$1$xxxxxxxxxxxxxxxxxxxxxxxxxx/:0:0::0:0:Charlie &:/root:/bin/csh
             ^
             pay attention here
        
  • MySQL
    I think it is nasty to substitute libmysqlclient.so.10 (from MySQL 3.23) with libmysqlclient.so.12 (from MySQL 4.0). But PHP wants .10 and I could not compile it.
    cd /usr/ports/databases/mysql40-server
    make
    make install
    cd /usr/local/lib/mysql/
    ln -s libmysqlclient.so.12 libmysqlclient.so.10
    ln -s libmysqlclient_r.so.12 libmysqlclient_r.so.10
    
    The client should be compiled automatically, but you can use this to build it manually.
    cd /usr/ports/databases/mysql40-client
    make
    make install
    
  • Install Apache (web-server) + PHP
    • Apache itself
      cd /usr/ports/www/apache2
      make
      make install
      
      Apache will be installed and /usr/local/etc/rc.d should contain the control script apache2.sh. It will start Apache automatically on next boot. For now you can run it like this:
      /usr/local/etc/rc.d/apache2.sh start
      
      After that you should be able to access your server via http (for example http://10.0.0.1). You can check whether Apache is running with ps -ax|grep httpd. The following lines should be present in the output:
        459  ??  Ss     1:08,98 /usr/local/sbin/httpd -k start
        521  ??  I      0:00,13 /usr/local/sbin/httpd -k start
        522  ??  I      0:00,14 /usr/local/sbin/httpd -k start
      
    • pdflib
      If you need PDF support in PHP, let's make pdflib first. If not, skip this point. In general this should work:
      cd /usr/ports/print/pdflib
      make
      make install
      
      Try, maybe you are lucky. Looks like I'm not. The following trouble happened: during the pdflib build from FBSD 5.1 Release ports I met this: the old version of the pdflib.5 sources (PDFlib-Lite-5.0.0-Unix-src.tar.gz) was removed from the Adobe site. It was replaced with a new one. I downloaded the new port from freebsd.org and put it in place of the old one (in /usr/ports/print/pdflib). make said that an unknown component lthack was found. The Makefile contained the following:
      INSTALLS_SHLIB= yes
      USE_LIBTOOL_VER=13
      USE_GNOME=     lthack
      USE_REINPLACE=  yes
      
      Changed to
      INSTALLS_SHLIB= yes
      USE_LIBTOOL_VER=13
      USE_GNOME=     
      USE_REINPLACE=  yes
      
      No more build errors, but pdflib.6 was built instead of pdflib.5. PHP didn't like it. Workaround:
      cd /usr/local/lib/
      ln -s libpdf.so.6 libpdf.so.5
      
    • PHP
      cd /usr/ports/www/mod_php4
      setenv WITH_APACHE2
      make
      
      You will see a menu where you can choose what to install. I would select the following options:
       [X] GD2         GD 2.x library support
       [X] zlib        zlib library support  
       [X] bzip2       bzip2 library support
       [X] mcrypt      Encryption support
       [X] mhash       Crypto-hashing support
       [X] MySQL       MySQL database support
       [X] OpenSSL     OpenSSL support
       [X] FTP         File Transfer Protocol support
       [X] gettext     gettext library support
       [X] iconv       iconv support
       [X] recode      recode support
       [X] mbregex     multibyte regular expressions module
       [X] mbstring    multibyte string module
       [X] BCMath      BCMath support
       [X] sockets     sockets support
       [X] transsid    Transparent session id 
      
      You can also add pdflib, XML, other databases etc. You cannot install both GD (old, but with GIF support) and GD2 (new, but due to the fucking license without GIF). Press OK when ready.
      After a successful build edit /usr/local/etc/apache2/httpd.conf. Add there the line (in the place where the other LoadModule .... lines are)
      LoadModule php4_module    libexec/apache2/libphp4.so
      
      change line
      DirectoryIndex index.html index.html.var
      
      for
      DirectoryIndex index.php index.html index.html.var
      
      and add the line (in the place where the other AddType .... lines are)
      AddType application/x-httpd-php .php
      
      Restart Apache:
      killall -HUP httpd
      
      Amen.
  • Squid (proxy-server)
    cd /usr/ports/www/squid24
    make
    make install
    chmod u+w /usr/local/etc/squid/squid.conf
    joe /usr/local/etc/squid/squid.conf
    
    The first things to be changed (imho):
    #http_port 3128
    #icp_port 3130
    cache_mem 8 MB
    cache_dir ufs /usr/local/squid/cache 100 16 256
    
    For:
    http_port 127.0.0.1:3128
    http_port 10.0.0.1:3128
    icp_port 127.0.0.1:3130
    icp_port 10.0.0.1:3130
    cache_mem 32 MB
    cache_dir ufs /usr/local/squid/cache 1024 16 256
    
    Allow access from the intranet. Add after the lines
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    
    the following:
    acl home_net src 10.0.0.0/255.255.255.0
    http_access allow home_net
    
    Initialize cache and run squid:
    /usr/local/sbin/squid -z
    /usr/local/etc/rc.d/squid.sh start
    
    Now you can set up your browser to use our FBSD server as proxy.
  • mail-server (sendmail). Enable sendmail: add to or modify /etc/rc.conf:
    sendmail_enable="YES"
    
    Set up the local delivery list: add to /etc/mail/mailertable
    .my.domain           local:
    my.domain            local:
    
    If your provider blocks access to foreign SMTP servers (anti-spam policy), also add the following line:
    .                    smtp:smtp.server.your.provider
    
    Set up access rights for the SMTP server: add to /etc/mail/access
    127.0.0.1                       RELAY
    10.0.0                          RELAY
    
    Rebuild sendmail's databases:
    cd /etc/mail
    make mailertable.db
    make access.db
    
    Run sendmail:
    /usr/sbin/sendmail
    ps -ax | grep sendmail
    
    or (for FBSD 6)
    /etc/rc.d/sendmail stop
    /etc/rc.d/sendmail start
    ps -ax | grep sendmail
    
    If everything is ok, you should see in the resulting process list something like this:
     3153  ??  Is     0:00,32 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
     3155  ??  Ss     0:12,06 sendmail: accepting connections (sendmail)
    


designed by Alter aka Alexander A. Telyatnikov, powered by Apache+PHP under FBSD © 2002-2017