FreeBSD


This page describes the basic FreeBSD installation used for all CNI servers, as well as the most important FreeBSD maintenance commands.

FreeBSD Installation

## - get latest 'bootonly' ISO from FreeBSD website
## - from Sysinstall
##      - Standard Install
##      - use entire disk (A)
##      - Standard MBR
##      - auto slices (A)
##      - minimal install + man (from Custom)
##      - install from FTP server 'ftp4'

enable key-based root login over ssh (no password prompt)

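## on the console: allow root to log in with a password until the key is in place
vi /etc/ssh/sshd_config     # PermitRootLogin yes
/etc/rc.d/sshd reload
## via ssh login, with password: install the public key (the '>' replaces any existing authorized_keys)
mkdir -m 700 .ssh
echo "YOUR PUBLIC SSH KEY" > .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
## back to key-only root login. BSD sed(1) requires a backup suffix after -i, so the former
## 'sed -E -i -e' took '-e' as that suffix and left a stray sshd_config-e next to the real file;
## '-i.bak' is understood by both BSD and GNU sed and keeps a proper backup instead.
## (OpenSSH 7.0 and newer spell this value 'prohibit-password'; 'without-password' is kept as an alias.)
sed -i.bak -E -e 's;^(PermitRootLogin).*;\1 without-password;' /etc/ssh/sshd_config
/etc/rc.d/sshd reload
## confirm login without password from a second session before closing the console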

enable 'gmirror' software RAID

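## allow writing GEOM metadata to a disk that is currently mounted (the 0x10 "foot shooting" bit);
## sysctl settings are not persistent, so this reverts by itself at the reboot below
sysctl kern.geom.debugflags=17
## start a one-disk mirror on the running system disk; the second disk is inserted after the reboot
gmirror label -v -b round-robin gm0 /dev/ad4
echo 'geom_mirror_load="YES"' >> /boot/loader.conf
echo 'daily_status_gmirror_enable="YES"' >> /etc/periodic.conf
gmirror load
## keep the sysinstall fstab and generate the new one from it, pointing every ad4 partition at the
## mirror device while leaving the partition suffix (e.g. s1a, s1b) intact. The former
## 'sed -E -i -e' relied on BSD sed taking '-e' as the -i backup suffix (it left an fstab-e behind),
## and its pattern 'ad4(...).' also swallowed the character following the partition name.
cp -a /etc/fstab /etc/fstab.sysinstall
sed -E -e 's;/dev/ad4;/dev/mirror/gm0;' /etc/fstab.sysinstall > /etc/fstab
shutdown -r now
## after the reboot: check that the file systems are mounted from mirror/gm0 before adding the second disk
df -h
gmirror status
gmirror insert gm0 /dev/ad6
gmirror status
gmirror list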

make dhclient synchronous; needed for pf & smartd

## run dhclient in the foreground at boot so the interface is configured before pf and smartd start
printf '%s\n' 'synchronous_dhclient="YES"' >> /etc/rc.conf

update to the latest security branch

## fetch and install the binary updates for the running security branch
freebsd-update fetch install
reboot  # if necessary (typically when the kernel was among the updated files)

install the ports collection

## nightly cron job: refresh the ports tree (portsnap's cron mode sleeps a random interval before fetching),
## rebuild INDEX, and let cron mail root the list of installed ports that are out of date
cat <<'EOF' >> /etc/crontab
#
# update the ports collection and look for outdated packages
0 4 * * * root portsnap -I cron update && pkg_version -vIL=
EOF
## initial checkout of the ports tree
portsnap fetch extract

install ports-mgmt/portaudit & ports-mgmt/portmaster

## build both tools from ports; 'make distclean' removes the downloaded distfiles afterwards
cd /usr/ports/ports-mgmt/portaudit && make install && make distclean
cd /usr/ports/ports-mgmt/portmaster && make install && make distclean   # enable BASH
rehash   # csh builtin: refresh the command hash so the new binaries are found (bash equivalent: hash -r)

install vim, bash, rsync, screen, git

## portmaster builds the listed ports with their dependencies; the trailing comments name the
## port options to toggle when the options dialog comes up
portmaster editors/vim-lite shells/bash-completion net/rsync
portmaster sysutils/screen                                              # disable INFO
portmaster devel/git                                                    # disable all but ICONV, CURL
                                                                        # ftp/curl: disable IPV6, PROXY

email configuration: outgoing mail only, using ssmtp

Note that ssmtp does not use aliases, as found in /etc/aliases.

## install mail/ssmtp; the port's 'make replace' target then installs ssmtp in place of the base-system sendmail
portmaster mail/ssmtp && cd /usr/ports/mail/ssmtp/ && make replace      # disable IPV6

## disable every sendmail daemon in /etc/rc.conf; outgoing mail goes through ssmtp instead
## (quoted delimiter: nothing in the block is meant to be expanded by the shell)
cat <<'EOF' >> /etc/rc.conf

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
EOF

## append the site settings to ssmtp.conf: mail for root goes to the 'root=' address,
## everything is relayed through the hub with STARTTLS
cat <<'EOF' >> /usr/local/etc/ssmtp/ssmtp.conf
root=gsfr@stanford.edu
mailhub=smtp.stanford.edu
usestarttls=yes
EOF

## change root's full name to HOSTNAME and shell to bash
## (backticks rather than $(...): this is presumably typed into root's default csh, see 'rehash' above, which has no $(...))
pw usermod root -c `hostname -s` -s /usr/local/bin/bash

Network Time Protocol (NTP) daemon

## enable ntpd at boot and start it right away
printf '%s\n' 'ntpd_enable="YES"' >> /etc/rc.conf && /etc/rc.d/ntpd start

SMART disk utility

portmaster sysutils/smartmontools

# smartd.conf directives, one line per monitored disk:
# -a                report almost everything (default for ATA devices)
# -o on             enable automatic offline testing
# -S on             enable attribute auto save
# -s (...)          schedule:   short self-test between 2 and 3 am every day
#                               long self-test between 4 and 5 am every Sunday
# -m root           send a warning email to root upon error
# -M diminishing    send repeated emails after 1 day, 2 days, ...
# -M test           send a test email to root upon startup
# both gmirror members (ad4 and ad6, see above) are monitored individually
echo '/dev/ad4 -a -o on -S on -s (S/../.././02|L/../../7/04) -m root -M diminishing -M test' >> /usr/local/etc/smartd.conf
echo '/dev/ad6 -a -o on -S on -s (S/../.././02|L/../../7/04) -m root -M diminishing -M test' >> /usr/local/etc/smartd.conf

# start smartd (root should get a test mail; if none arrives, check the ssmtp setup above first)
echo 'smartd_enable="YES"' >> /etc/rc.conf && /usr/local/etc/rc.d/smartd start

OpenBSD's firewall: packet filter (PF)

## pfctl(8) quick reference
pfctl -e                                # enable PF
pfctl -d                                # disable PF
## NB: -F all also clears the state table, so existing connections (including the ssh session
## this is typed in) may have to be re-established; -nf first is the safe way to test a ruleset
pfctl -F all -f /etc/pf.conf            # flush all rules (nat, filter, state, table, etc.) and reload from file
pfctl -nf /etc/pf.conf                  # parse the file but don't load it

pfctl -s info                           # show status and filter information
pfctl -s [ rules | nat | state | all ]  # report on the filter rules, nat rules, state table, or everything


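## setup expiretable: install it before the cron entry exists, otherwise cron mails root a
## failure every five minutes until the port is built
portmaster security/expiretable
## the stock crontab PATH lacks /usr/local, where the port installs; extend it.
## ('-i.bak' instead of '-i -e': BSD sed takes the word after -i as the backup suffix,
## so '-i -e' silently left a crontab-e behind)
sed -i.bak -e 's#^PATH.*#&:/usr/local/bin:/usr/local/sbin#' /etc/crontab
## every five minutes, drop entries older than one hour (3600 s) from pf's <ABUSIVE_HOSTS> table
cat <<'EOF' >> /etc/crontab
#
# clean out pf's ABUSIVE_HOSTS table
*/5 * * * * root expiretable -t 3600 ABUSIVE_HOSTS
EOF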

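## configure pf. The here-document delimiter is quoted so that $EXT_IF etc. reach pf.conf untouched
## as pf macros; the closing line must then be the bare word EOF — a quoted "EOF" never matches,
## and the shell keeps reading input instead of writing the file.
cat << "EOF" > /etc/pf.conf
EXT_IF = "igb0"
DNS_SERVERS = "{ 171.64.7.55, 171.64.7.77, 171.64.7.99, 171.64.7.121 }"
TRUSTED_HOSTS = "{ 171.64.0.0/14, 172.24.0.0/14, 10.32.0.0/15, 10.39.0.0/16, 68.65.160.0/21 }"
table <ABUSIVE_HOSTS> persist

## no restrictions on the loopback interface
set skip on lo0

## scrub incoming packets
scrub in on $EXT_IF all

## block abusive hosts and activate spoofing protection
block in quick from <ABUSIVE_HOSTS>
block in quick from urpf-failed

## block everything in and out that is not explicitly allowed below
block all

## return a reset packet for blocked TCP connections
## (no 'quick': the last matching rule wins, so this refines 'block all' for TCP only)
block return-rst in proto tcp all


## pass all incoming traffic from trusted hosts
pass in quick on $EXT_IF proto {tcp, udp} from $TRUSTED_HOSTS to $EXT_IF
#pass in quick on $EXT_IF proto tcp from $TRUSTED_HOSTS to $EXT_IF port ssh


## pass all outgoing traffic to trusted hosts
pass out quick on $EXT_IF proto {tcp, udp} from $EXT_IF to $TRUSTED_HOSTS


## pass selected incoming traffic from all hosts
## the overload clause puts a source that exceeds the connection limits into <ABUSIVE_HOSTS>,
## where the expiretable cron job removes it again after an hour
pass in quick on $EXT_IF proto icmp to $EXT_IF icmp-type echoreq
pass in quick on $EXT_IF proto tcp to $EXT_IF port ssh keep state (max-src-conn 4, max-src-conn-rate 3/60, overload <ABUSIVE_HOSTS> flush global)
#pass in on $EXT_IF proto tcp to $EXT_IF port {http, https} keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <ABUSIVE_HOSTS> flush global)
#pass in on $EXT_IF proto tcp to $EXT_IF port imaps keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <ABUSIVE_HOSTS> flush global)


## pass selected outgoing traffic to all hosts
pass out quick on $EXT_IF proto icmp from $EXT_IF icmp-type echoreq
pass out quick on $EXT_IF proto {tcp, udp} from $EXT_IF to $DNS_SERVERS port domain
pass out quick on $EXT_IF proto tcp from $EXT_IF to any port git
pass out quick on $EXT_IF proto udp from $EXT_IF to any port ntp
pass out quick on $EXT_IF proto tcp from $EXT_IF to any port ssh
pass out quick on $EXT_IF proto tcp from $EXT_IF to any port smtp
pass out quick on $EXT_IF proto tcp from $EXT_IF to any port nicname
pass out quick on $EXT_IF proto tcp from $EXT_IF to any port cvsup
pass out quick on $EXT_IF proto tcp from $EXT_IF to any port {http, https}
EOF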


## start pf; active ssh connection will be dropped, so have console access or a second way in
cat <<'EOF' >> /etc/rc.conf

pf_enable="YES"
pflog_enable="YES"
EOF
/etc/rc.d/pf start

finish up installation

## clean up rc.conf (the appends above may have left duplicate or oddly ordered entries)
vim /etc/rc.conf

## install personal rc files from nims.stanford.edu and remove the stock root dotfiles;
## makelinks.sh presumably links the checked-out files into /root for the given user
git clone git@nims.stanford.edu:rc.git /root/.rc
cd && rm .cshrc .history .k5login .login .profile
.rc/makelinks.sh gsfr

## reboot so that the rc.conf changes and root's new login shell take effect
reboot

ZFS

## enable ZFS at boot (plus the daily status mail) and start it now
echo 'zfs_enable="YES"' >> /etc/rc.conf
echo 'daily_status_zfs_enable="YES"' >> /etc/periodic.conf
/etc/rc.d/zfs start

## seven-disk raidz2 pool with one hot spare; -O sets file-system properties on the pool's root dataset
zpool create tank -O atime=off -O compression=gzip -O snapdir=visible raidz2 da{0,1,2,3,4,5,6} spare da7
zpool list
zpool status
zpool get all tank
zfs list
zfs get all tank

## home dataset: compression on, exported over NFS to the listed hosts
zfs create -o compression=on -o sharenfs='m1,m2,m3' tank/home

## show all files systems, including snapshots and clones
zfs list -r -t all tank

## zfs send and receive: -R sends the dataset with all descendants, snapshots and properties,
## -i sends only the increment between two snapshots, -d on the receiver drops the source pool
## name from the path; -F rolls the receiving dataset back first, discarding changes made there
zfs send -vR tank@20110330 | ssh biac4 'zfs receive -vF -d tank/nims'
zfs send -vR -i tank@20110330 tank@20110331 | ssh biac4 'zfs receive -v -d tank/nims'

zfs send -vR spltank@20110328 | ssh biac4 'zfs receive -vF -d tank/spltank'                     # force req.
zfs send -vR -i spltank@20110328 spltank@20110329 | ssh biac4 'zfs receive -v -d tank/spltank'  # manual rollback req.
zfs send -vR -i spltank@20110329 spltank@20110330 | ssh biac4 'zfs receive -v -d tank/spltank'

FreeBSD Maintenance

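## update to the latest security branch (typically requires reboot)
freebsd-update fetch install

## upgrade to a newer release of FreeBSD: see the handbook chapter
## http://www.freebsd.org/doc/en/books/handbook/updating-upgrading.html

## update the ports tree (only the INDEX is updated every night by cron)
portsnap update

## update the portaudit database and check the installed ports immediately
portaudit -Fda

## list ports that require upgrading
pkg_version -vIL=

## list installed ports and outdated ones
portmaster -L

## upgrade all ports
portmaster -a

## upgrade / rebuild all ports
portmaster -af

## install / upgrade a port
portmaster PORTNAME         # eg portmaster www/apache22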