Installing FBSD
tested with FBSD 5.1
Pre-scriptum
Yes, yes, I know, everybody has to read the Handbook from freebsd.org.
But imho it is not the fastest way. Even (or particularly?) for those with Linux and Windows setup experience.
You can find a step-by-step FBSD server installation guide below. You can read
manuals from the Inet, play with settings and do many other things once the base installation is complete.
What do we want from this reality?
- install Free BSD :)
- configure it as router
- set up user environment (russian/midnight/joe)
- mysql server (and/or client)
- web-server
- proxy-server
- mail-server
and in addition
- see FBSD server's disks from Windows machines via 'Network Neighborhood'
- access Windows shares from FBSD server
- access to the server via FTP
- access to the server using SSH (if you have already installed FBSD and configured network, it already works)
- read comments ;)
So what do we have to do?
- Installing FBSD:
- Boot from the Free BSD boot CD and choose 1. Boot Free BSD [default]
If you have a computer with buggy ACPI, try 2. (disabled ACPI)
- Then choose 2. Custom in the sysinstall Main Menu and set installation parameters:
- 2. Options. You can enable/disable IPv6 and DHCP. You will need DHCP if your provider
assigns IP addresses dynamically. You MUST know if it is so.
- 3. Partition. Allocate disk space. In
Windows and DOS terminology - create a partition (primary or extended).
In the FBSD world this is known as a slice. Later, in the next menu point, you will be able to
create several independent file systems inside it (unlike the Windows world, FBSD allows this).
You can also allocate the entire disk for Free BSD: A - Entire disk
When everything is ready: Q - Ok.
Note: changes are not applied yet, so all operations can be cancelled.
- When you are asked where to place the Boot Manager, imho it is better to choose the boot sector.
- 4. Label. Create file systems inside the previously allocated slice:
mount-point | size
----------- | ----
/           | root file system. Contains the minimum required set of executables and configs. 512Mb would be enough.
swap        | virtual memory. Physical memory size * 1.5 - 2
/var        | for temporary files, mail queues, logs and so on. Set size to about 1-2Gb
/usr        | sources, software installation placeholder. 4-6Gb
/home       | user homes, FTP, file server, etc. The rest of the free space.
When done - Q - Finish
Note: changes are also not applied on this stage.
- 5. Distributions
Choose pre-installed packages. It is worth adding Developer and Kern-Developer.
This will allow us to rebuild the kernel with the necessary options.
User is also a useful option. Add X-components if you need them.
- 6. Media. Installation source. We are installing from CD, so CD-ROM is already selected.
- 7. Commit
Begin installation. This will create the slice according to p.3. File systems will
be created inside this slice according to the p.4 settings.
Then executables and config files will be copied
there. After returning to the general config menu, choose Exit.
- Log in as root after reboot with an empty password.
- Enable (if you want, of course) automatic file system
recovery after an unclean (unexpected) reboot.
This is useful for servers working unattended.
There is the ee text editor for people who do not like vi (vi is installed as the default editor).
If you are already in vi and do not know how to exit, use this: 'Esc' 'Esc' ':' 'q' '!' 'Enter'.
One more useful thing - multiple consoles: use Alt-F1/Alt-F2/etc. to switch between them.
And now, let's edit:
ee /etc/rc.conf
Add the following line to /etc/rc.conf
fsck_y_enable="YES"
- Temporarily disable the mail server sendmail.
Add to /etc/rc.conf
sendmail_enable="NO"
- Disable login on the 1st tty (the one called by Alt-F1). It is intended for
system log messages. Work on the 2nd, 3rd, etc. You can switch between
virtual terminals using Alt-F2, Alt-F3, etc.
Change on to off in /etc/ttys in the following line:
console none unknown on secure
Changes will take effect after reboot. Do it:
shutdown -r now
You can read details about shutdown and its keys (and about many other commands)
using
man shutdown
or
man <some other command>
Exit from man viewer - 'q'.
- Enable the maximum log level to see what happens in your system.
Change the line in /etc/syslog.conf
*.err;kern.debug;auth.notice;mail.crit /dev/console
to
#*.err;kern.debug;auth.notice;mail.crit /dev/console
*.* /dev/console
After that execute
killall -HUP syslogd
- Setup networking:
- TCP/IP
- run the ifconfig command. You will see a list of all available interfaces and their settings.
An interface is any physical or virtual device
that is capable of transferring data between computers:
- Network cards (NICs - Network Interface Cards, can have various names)
- loopback interface lo0 - virtual interface for communication
between network-oriented applications inside a single computer. Do not touch its config!
- lp0 - networking via the LPT port.
- fwe0 - networking via the FireWire (IEEE 1394) port.
For example:
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
ether 02:40:63:03:26:70
ch 1 dma -1
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:40:63:ca:92:0d
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:50:fc:a2:92:79
media: Ethernet 10baseT/UTP
status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
In this example vr0 and rl0 are NICs. The following lines tell us about it:
ether xx:yy:zz:aa:bb
media: Ethernet Xxxxxxx.
The line status: active means that a network cable is plugged into the NIC
and a physical connection between NICs is established.
If you are not sure about the NIC name assignment, you can check it
by observing the responses from ifconfig. Unplug cables one by one
and run ifconfig each time.
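The rule just described (a block with an "ether" line and a "media: Ethernet" line is a NIC, and "status:" shows whether a cable is plugged in) is easy to apply by hand, but it is also easy to script, which helps when you are pulling cables one by one. The following is an added example, not part of the original guide: a POSIX sh/awk filter over ifconfig output. It runs on the ifconfig output quoted above, embedded as a constructed sample, plus one made-up card xl0 with no cable, so that both the plugged and the unplugged case show up; the interface xl0 and its MAC address are assumptions, not from the guide.

```shell
#!/bin/sh
# Added example, not from the original guide: find the Ethernet NICs in
# ifconfig output. A block with both an "ether" line and a "media: Ethernet"
# line is a network card; the "status:" line says whether a cable is in.
# On a real machine:  ifconfig | list_nics

# list_nics: read ifconfig output on stdin; print "<name> <mac> <active|no-link>"
# for every Ethernet NIC. lo0, lp0 and the FireWire fwe0 have no
# "media: Ethernet" line and are skipped.
list_nics() {
    awk '
        function flush() {
            if (name != "" && mac != "" && ethernet)
                print name, mac, (active ? "active" : "no-link")
        }
        /^[a-z]+[0-9]+:/ {                 # "vr0: flags=..." opens a new block
            flush()
            name = $1; sub(/:$/, "", name)
            mac = ""; ethernet = 0; active = 0
            next
        }
        $1 == "ether"                      { mac = $2 }
        $1 == "media:" && $2 == "Ethernet" { ethernet = 1 }
        $1 == "status:" && $2 == "active"  { active = 1 }
        END { flush() }
    '
}

# Constructed sample: the output quoted in the text, plus an assumed xl0
# whose cable is unplugged ("status: no carrier").
SAMPLE_IFCONFIG='fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        ether 02:40:63:03:26:70
        ch 1 dma -1
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:40:63:ca:92:0d
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:50:fc:a2:92:79
        media: Ethernet 10baseT/UTP
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:10:4b:00:00:01
        media: Ethernet autoselect
        status: no carrier
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# demo_nics: run the parser over the constructed sample
demo_nics() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | list_nics
}

demo_nics
```

Run the script and compare the list before and after unplugging a cable: the card whose third column changes from active to no-link is the one on that cable.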
- Set IP addresses and netmasks for interfaces. Everything is like in Linux
or Windows, but a little different:
ifconfig <interface name> inet <IP-address> netmask <netmask>
for example
ifconfig rl0 inet 10.0.0.1 netmask 255.255.255.0
If everything is ok, computers with IPs from the 10.0.0.1 - 10.0.0.254 range
must respond to ping.
- Record the correct (checked) interface settings in
/etc/rc.conf.
For each interface add to the tail of rc.conf lines like this:
ifconfig_<interface name>="inet <IP-address> netmask <netmask>"
for the previous example this will be
ifconfig_rl0="inet 10.0.0.1 netmask 255.255.255.0"
It is very similar to the command line. But once again: do not touch the lo0 config!
- Set up the uplink interface IP and the default gateway. Add to
/etc/rc.conf lines like these:
ifconfig_<uplink interface name>="inet <IP-address> netmask <netmask>"
defaultrouter="IP-of-internet-provider"
If you are already here, you must know IP-of-internet-provider. Let's check:
route -n flush - clear the routing table
route add default <IP-of-internet-provider>
netstat -nr - show the current state of the routing table
You should see something like this:
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.78.1 UGSc 2 14784 rl0
.........
- If your ISP uses dynamic address assignment (DHCP), your rc.conf will be a little different:
ifconfig_<uplink interface name>="DHCP"
for the previous example this will be
ifconfig_vr0="DHCP"
after that either start the DHCP client or reboot the computer:
/etc/rc.d/dhclient start
Now ping 216.109.127.29 should work. This is yahoo.com.
- Enable routing. There are two ways: add to /etc/rc.conf the lines
router="/sbin/routed"
router_flags="-q"
router_enable="YES"
gateway_enable="YES"
or run /stand/sysinstall (or /usr/sbin/sysinstall under FBSD 6).
Then in Configure->Networking
enable gateway and routed. All settings - by default.
- DNS
It is very simple. Add to /etc/resolv.conf
nameserver <IP-of-internet-provider-DNS>
I will say it again: you must know this value.
After that ping yahoo.com should work. (You can try other server names.)
- NAT+firewall
Firewall - for protection from attacks and for NAT to function.
NAT - a transparent way for machines from the intranet to access the world.
The main idea: all local machines' requests go out as if they were sent
by the server itself. From the outer world such a network is visible as a single server.
- Add to rc.conf:
natd_enable="YES"
natd_interface="<world_iface>"
natd_flags="-u -f /etc/natd.conf"
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="/etc/firewall.conf" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="YES" # Set to YES to enable events logging
where <world_iface> is the name of the interface facing the outer world (the provider).
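This guide says "add to /etc/rc.conf" in many places: sendmail_enable and fsck_y_enable earlier, the ifconfig_ and routing lines, the natd and firewall settings just above, and later named_enable, the console fonts and sshd_enable. rc.conf is read by sh, so if a variable ends up in the file twice the last line wins and an earlier edit silently stops mattering (sendmail_enable="NO" followed later by sendmail_enable="YES" is exactly this). The helper below is an added example, not from the original guide: an idempotent setter and a reader for rc.conf-style files in POSIX sh. The demo works on a constructed temporary file; the file name, the helper names rc_set/rc_get and the starting contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original guide: edit rc.conf variables
# without leaving duplicates. rc_set replaces an existing assignment in
# place (dropping any later duplicate) or appends a new one; rc_get reads
# back the value sh would actually use (the last assignment). The demo at
# the bottom uses a constructed temporary file, never the real /etc/rc.conf.

# rc_set FILE NAME VALUE -- write NAME="VALUE" into FILE exactly once
rc_set() {
    rc_file=$1; rc_name=$2; rc_value=$3
    rc_tmp="$rc_file.tmp.$$"
    if grep -q "^$rc_name=" "$rc_file" 2>/dev/null; then
        # rewrite the first existing assignment, drop any later duplicates
        awk -v n="$rc_name" -v v="$rc_value" '
            index($0, n "=") == 1 { if (!done) { print n "=\"" v "\""; done = 1 }; next }
            { print }
        ' "$rc_file" > "$rc_tmp" && mv "$rc_tmp" "$rc_file"
    else
        printf '%s="%s"\n' "$rc_name" "$rc_value" >> "$rc_file"
    fi
}

# rc_get FILE NAME -- print the effective value (last assignment, with quotes
# and a trailing "# comment" stripped), or nothing if NAME is not set
rc_get() {
    awk -v n="$2" -F= '
        $1 == n { v = substr($0, length(n) + 2) }
        END { sub(/[ \t]+#.*$/, "", v); gsub(/^"|"$/, "", v); print v }
    ' "$1"
}

# demo_rc: exercise both helpers on a constructed file and print
# "<sendmail_enable> <natd_enable> <firewall_enable> <count of natd_enable lines>"
demo_rc() {
    f=$(mktemp "${TMPDIR:-/tmp}/rc.conf.XXXXXX") || return 1
    # constructed starting file: one variable already duplicated, one with a comment
    printf 'sendmail_enable="YES"\nsendmail_enable="YES"\nfirewall_enable="NO" # off for now\n' > "$f"
    rc_set "$f" sendmail_enable NO      # replaces the first line, removes the duplicate
    rc_set "$f" natd_enable YES         # not present yet: appended
    rc_set "$f" natd_enable YES         # idempotent: still a single line
    printf '%s %s %s %s\n' \
        "$(rc_get "$f" sendmail_enable)" \
        "$(rc_get "$f" natd_enable)" \
        "$(rc_get "$f" firewall_enable)" \
        "$(grep -c '^natd_enable=' "$f")"
    rm -f "$f"
}

demo_rc
```

To apply it to the real file, call for instance rc_set /etc/rc.conf natd_interface vr0 as root; rc_get /etc/rc.conf sendmail_enable afterwards tells you which value the next boot will see.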
- Create empty file /etc/natd.conf:
touch /etc/natd.conf
- Create the config file for the firewall - /etc/firewall.conf.
Add there something like this:
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00500 divert natd all from any to any via <world_iface>
add 10600 allow ip from 10.0.0.0/24 to any via <local_iface>
add 10600 allow ip from me to any via <world_iface>
add 10700 allow tcp from any to me 22,25,80,53 via any
add 10705 allow tcp from me to any 22,25,80,53 via any
add 10701 allow udp from any to me 22,25,80,53 via any
add 10706 allow udp from me to any 22,25,80,53 via any
add 10710 allow tcp from any to me 110,143,443,495,587 via any
add 10715 allow tcp from me to any 110,143,443,495,587 via any
add 10730 allow tcp from me 25 to any via any
add 30800 deny tcp from any to me 3306,3307 via <world_iface>
add 30801 deny tcp from any to me 3128,3130 via <world_iface>
add 30800 deny tcp from any to me 1-1024 via <world_iface>
add 30801 deny udp from any to me 1-1024 via <world_iface>
add 30900 allow tcp from any to me 1024-65535 via <world_iface>
add 30901 allow udp from any to me 1024-65535 via <world_iface>
add 51000 allow ip from any to any
where <local_iface> and <world_iface> are interface names (see ifconfig).
Such settings open SSH, SMTP, HTTP, DNS, POP3, HTTPS and block access from
the outer world to the local proxy and privileged ports (1-1024).
sendmail is off for now (see above), and it doesn't relay mail from anyone by default.
Thus spammers will not fuck you. (Of course, if there is no fresh exploit ;)
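Two details of the ruleset above are worth checking mechanically before rc.firewall loads it. First, a placeholder such as <world_iface> left in the file is rejected by ipfw, and with firewall_enable="YES" you reboot into a ruleset with that rule missing. Second, ipfw evaluates rules in ascending number order, not file order, and rules with the same number are kept in the order they were added; the ruleset above relies on this (10600, 30800 and 30801 each appear twice, and 10701 comes after 10705), which is legal but easy to misread. The following lint is an added example, not from the original guide. Its sample input is the ruleset above with the interface names from earlier in the guide filled in (rl0 for <local_iface>, vr0 for <world_iface>); those names and the function name fw_lint are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original guide: lint a firewall_type rule file
# before loading it. Errors (exit 1): a placeholder still in the file, a
# rule number outside 1-65534. Warnings: duplicate numbers, numbers that are
# out of order in the file, lines that are not "add" rules.

# fw_lint FILE -- print "error:"/"warning:" lines; exit 1 if any error
fw_lint() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        /<[a-z_]+>/ {
            printf "error: line %d: unsubstituted placeholder: %s\n", NR, $0
            bad = 1; next
        }
        $1 != "add" {
            printf "warning: line %d: not an add rule, not checked\n", NR; next
        }
        $2 !~ /^[0-9]+$/ {
            printf "warning: line %d: no explicit rule number\n", NR; next
        }
        {
            n = $2 + 0
            if (n < 1 || n > 65534) {
                printf "error: line %d: rule number %d out of range\n", NR, n
                bad = 1; next
            }
            if (n < last)
                printf "warning: line %d: rule %d follows rule %d in the file, but ipfw evaluates by number\n", NR, n, last
            if (n in seen)
                printf "warning: line %d: rule number %d also used on line %d\n", NR, n, seen[n]
            else
                seen[n] = NR
            if (n > last) last = n
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the ruleset from the guide with rl0 as the local
# interface and vr0 as the uplink (assumed names).
SAMPLE_RULES='add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00500 divert natd all from any to any via vr0
add 10600 allow ip from 10.0.0.0/24 to any via rl0
add 10600 allow ip from me to any via vr0
add 10700 allow tcp from any to me 22,25,80,53 via any
add 10705 allow tcp from me to any 22,25,80,53 via any
add 10701 allow udp from any to me 22,25,80,53 via any
add 10706 allow udp from me to any 22,25,80,53 via any
add 10710 allow tcp from any to me 110,143,443,495,587 via any
add 10715 allow tcp from me to any 110,143,443,495,587 via any
add 10730 allow tcp from me 25 to any via any
add 30800 deny tcp from any to me 3306,3307 via vr0
add 30801 deny tcp from any to me 3128,3130 via vr0
add 30800 deny tcp from any to me 1-1024 via vr0
add 30801 deny udp from any to me 1-1024 via vr0
add 30900 allow tcp from any to me 1024-65535 via vr0
add 30901 allow udp from any to me 1024-65535 via vr0
add 51000 allow ip from any to any'

# demo_fw: lint the sample (warnings only, exit 0) and then a one-line file
# with a placeholder left in (error, exit 1); prints
# "<warning count> <exit status sample> <exit status placeholder file>"
demo_fw() {
    f=$(mktemp "${TMPDIR:-/tmp}/fw.XXXXXX") || return 1
    printf '%s\n' "$SAMPLE_RULES" > "$f"
    warnings=$(fw_lint "$f" | grep -c '^warning' || true)
    if fw_lint "$f" >/dev/null; then st_ok=0; else st_ok=1; fi
    printf 'add 00500 divert natd all from any to any via <world_iface>\n' > "$f"
    if fw_lint "$f" >/dev/null; then st_bad=0; else st_bad=1; fi
    rm -f "$f"
    printf '%s %s %s\n' "$warnings" "$st_ok" "$st_bad"
}

demo_fw
```

On the sample this prints five warnings (the three duplicated numbers and the two out-of-order lines) and no error. The lint only looks at numbering and placeholders; for a syntax check of the rule bodies themselves, ipfw -n /etc/firewall.conf parses the file without passing anything to the kernel.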
- Rebuild the kernel with special options for NAT+firewall. Build the
file with the full option list (LINT) and construct your own kernel config.
cd /usr/src/sys/i386/conf
make LINT
Then start from GENERIC:
cp GENERIC MY_SERVER_v1
ee MY_SERVER_v1
Remove unnecessary options.
Everything higher than Pentium/AMD 586/K6 is I686_CPU. Thus
you can remove I386_CPU - I586_CPU support (if you are not planning to run on such a platform).
Most probably you need no IPv6 support (INET6 and related options; just look and you will see).
On the other hand, the following options are required:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPDIVERT
options LIBICONV
options SC_DISABLE_REBOOT
options SC_HISTORY_SIZE=3000
options VESA
options VGA_WIDTH90
the rest - to taste. Read LINT and NOTES in the same directory (/usr/src/sys/i386/conf). Build the kernel:
config MY_SERVER_v1
cd ../compile/MY_SERVER_v1
make depend
make
make install
shutdown -r now
after reboot set your server as the Default Gateway for a machine in the local network.
This machine should be able to ping world servers, for example the same
ping 216.109.127.29. If you set up this machine to use the
provider's DNS server, ping yahoo.com should also work.
- Local name server - named. Why should the whole intranet bother the
provider with DNS queries?
Let's ask our own server. It will think a little and find what to answer;
if not, it will ask the provider and remember for the future.
cd /etc/namedb
sh make-localhost
and in rc.conf
named_enable="YES" # Run named, the DNS server (or NO).
Run named from the command prompt. Check if it is started with
ps -ax|grep named. The following line should be present in the output:
4603 ?? Ss 0:00,00 named
Now you can set up the same machine from the intranet to use our FBSD server as DNS server.
It should still be able to ping servers by name,
for example ping yahoo.com.
- FTP
Run /stand/sysinstall or /usr/sbin/sysinstall and enable inetd in Configure->Networking.
Answer 'No' to the prompt asking if you want to edit inetd.conf.
Go to Configure->Networking and enable Anonymous FTP.
You can use all the default settings, but I would recommend changing /var/ftp to /home/ftp.
Then run inetd from the command prompt. After that you should be able
to connect to FTP from the local network. After reboot inetd will be started automatically.
- Some useful things.
These are built from ports (located in the /usr/ports directory tree). I would recommend reading /usr/ports/README.
All ports are built the same way: make; make install. If the required source archive is not found
in /usr/ports/distfiles, make will attempt to download it from the Inet.
- joe
cd /usr/ports/editors/joe
make
make install
- Midnight Commander
cd /usr/ports/misc/mc
make
make install
- trafshow
cd /usr/ports/net/trafshow
make
make install
- ARP-ping (arping)
cd /usr/ports/net/arping
make
make install
- mtr
cd /usr/ports/net/mtr
make
make install
- Russian/Ukrainian support.
Add to rc.conf:
font8x14="cp866u-8x14"
font8x16="cp866u-8x16"
font8x8="cp866u-8x8"
keymap="ua.koi8-u.shift.alt"
scrnmap="koi8-u2cp866u"
- SSH
Enable SSHD:
Add to or modify /etc/rc.conf:
sshd_enable="YES"
You can run it immediately:
/etc/rc.d/sshd start
- sudo
For better security it is worth creating admin user(s) and disabling root login.
- Create user admin (or any other name you like). Use the
adduser command. It prompts for many things. One of them is the shell. Choose
any shell you like. I like tcsh, so I can share its config with you :)
For all other questions you may simply choose the default answer.
If everything is ok, the user home directory /home/<username> will be created.
- Create the config file for your shell in the user's home. For tcsh it
is .tcshrc.
You can download it from here or view it in a browser here.
- Make sudo
cd /usr/ports/security/sudo
make
make install
Add to /usr/local/etc/sudoers
admin ALL=(ALL) ALL
Note: /usr/local/etc/sudoers must be read-only for everyone.
You have to remove RO before editing, and restore it after:
chmod u+w /usr/local/etc/sudoers
ee /usr/local/etc/sudoers
chmod u-w /usr/local/etc/sudoers
- Now user admin logs in with their own password.
If admin needs root privileges, run
sudo -s
and use admin's password again. Now we need not share the root password.
You can create many administrative users (if you need them), and you can also
simply remove them :)
Just modify /usr/local/etc/sudoers.
- Check if the newly created admin can become root (see above).
- Deny root login. Use the vipw command to edit the user database.
Find root there
root:$1$xxxxxxxxxxxxxxxxxxxxxxxxxx/:0:0::0:0:Charlie &:/root:/bin/csh
and add '*' in front of root's password:
root:*$1$xxxxxxxxxxxxxxxxxxxxxxxxxx/:0:0::0:0:Charlie &:/root:/bin/csh
Pay attention to the '*' right after 'root:'.
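Two account states matter in this guide: an account with an empty password (root right after installation, as noted above) and an account locked with a leading '*' as just done with vipw. The script below is an added example, not from the original guide: it audits master.passwd-format lines for those states and applies the same '*' lock, safely re-runnable. /etc/master.passwd is readable only by root, so the demo runs on a constructed sample; the root line is the one quoted above, while toor, daemon and admin and their hashes are made up for the example. The function names pw_audit and lock_account are assumptions too.

```shell
#!/bin/sh
# Added example, not from the original guide: audit master.passwd-style
# records for empty and locked passwords, and lock an account the way the
# text does (prefix the password field with "*").

# pw_audit -- read master.passwd lines on stdin, print "<name> <state>"
# where state is empty-password | locked | set
pw_audit() {
    awk -F: '
        NF < 10 { next }                      # not a master.passwd record
        {
            if ($2 == "")            state = "empty-password"
            else if ($2 ~ /^\*/)     state = "locked"
            else                     state = "set"
            print $1, state
        }
    '
}

# lock_account NAME -- copy stdin to stdout, prefixing NAME's password
# field with "*" unless it already starts with one (re-running is harmless)
lock_account() {
    awk -F: -v n="$1" '
        BEGIN { OFS = ":" }
        $1 == n && $2 !~ /^\*/ { $2 = "*" $2 }
        { print }
    '
}

# Constructed sample: root as quoted in the text, the other three made up.
SAMPLE_MASTER_PASSWD='root:$1$xxxxxxxxxxxxxxxxxxxxxxxxxx/:0:0::0:0:Charlie &:/root:/bin/csh
toor::0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
admin:$1$yyyyyyyyyyyyyyyyyyyyyyyyyy/:1001:1001::0:0:Admin User:/home/admin:/bin/tcsh'

# demo_pw: prints "<number of empty-password accounts> <root state after lock>
# <first two characters of root's password field after locking twice>"
demo_pw() {
    empty=$(printf '%s\n' "$SAMPLE_MASTER_PASSWD" | pw_audit | grep -c 'empty-password' || true)
    root_state=$(printf '%s\n' "$SAMPLE_MASTER_PASSWD" | lock_account root | pw_audit \
        | awk '$1 == "root" { print $2 }')
    prefix=$(printf '%s\n' "$SAMPLE_MASTER_PASSWD" | lock_account root | lock_account root \
        | awk -F: '$1 == "root" { print substr($2, 1, 2) }')
    printf '%s %s %s\n' "$empty" "$root_state" "$prefix"
}

demo_pw
```

On a live system the audit is run as root over /etc/master.passwd (never edit that file directly; vipw, as the text says, rebuilds the password databases for you). The empty-password line of the output is the one to look at after installation: any account listed there can log in with just Enter.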
- MySQL
I think it is nasty substituting libmysqlclient.so.10 (from MySQL 3.23) with libmysqlclient.so.12
(from MySQL 4.0). But PHP wants .10 and I could not compile it.
cd /usr/ports/databases/mysql40-server
make
make install
cd /usr/local/lib/mysql/
ln -s libmysqlclient.so.12 libmysqlclient.so.10
ln -s libmysqlclient_r.so.12 libmysqlclient_r.so.10
The client should be compiled automatically, but you can use this to
build it manually.
cd /usr/ports/databases/mysql40-client
make
make install
- Install Apache (web-server) + PHP
- Apache itself
cd /usr/ports/www/apache2
make
make install
Apache will be installed and /usr/local/etc/rc.d should contain the control script apache2.sh.
It will start Apache automatically on the next boot. For now you can run it like this:
/usr/local/etc/rc.d/apache2.sh start
After that you should be able to access your server via http (for ex. http://10.0.0.1).
You can check if Apache is running with ps -ax|grep httpd. The following lines should be present in the output:
459 ?? Ss 1:08,98 /usr/local/sbin/httpd -k start
521 ?? I 0:00,13 /usr/local/sbin/httpd -k start
522 ?? I 0:00,14 /usr/local/sbin/httpd -k start
- pdflib
If you need PDF support in PHP, let's build pdflib first. If not - skip this point.
In general this should work:
cd /usr/ports/print/pdflib
make
make install
Try, maybe you are lucky. Looks like I'm not. The following trouble happened:
during the pdflib build from the FBSD 5.1 Release ports I met this: the old version
of pdflib 5 sources (PDFlib-Lite-5.0.0-Unix-src.tar.gz) was removed from the Adobe site. It was
replaced with a new one.
I downloaded the new port from freebsd.org and put it in place of the old one
(in /usr/ports/print/pdflib).
make said that unknown component lthack was found. The Makefile contained the following:
INSTALLS_SHLIB= yes
USE_LIBTOOL_VER=13
USE_GNOME= lthack
USE_REINPLACE= yes
Changed to
INSTALLS_SHLIB= yes
USE_LIBTOOL_VER=13
USE_GNOME=
USE_REINPLACE= yes
No more build errors, but pdflib.6 was built instead of pdflib.5. PHP didn't like it.
Workaround:
cd /usr/local/lib/
ln -s libpdf.so.6 libpdf.so.5
- PHP
cd /usr/ports/www/mod_php4
setenv WITH_APACHE2   (tcsh syntax; in sh use: WITH_APACHE2=yes; export WITH_APACHE2)
make
You will see a menu where you can choose what to install. I would select
the following options:
[X] GD2 GD 2.x library support
[X] zlib zlib library support
[X] bzip2 bzip2 library support
[X] mcrypt Encryption support
[X] mhash Crypto-hashing support
[X] MySQL MySQL database support
[X] OpenSSL OpenSSL support
[X] FTP File Transfer Protocol support
[X] gettext gettext library support
[X] iconv iconv support
[X] recode recode support
[X] mbregex multibyte regular expressions module
[X] mbstring multibyte string module
[X] BCMath BCMath support
[X] sockets sockets support
[X] transsid Transparent session id
You can also add pdflib, XML, other databases etc. You can not
install both GD (old, but with GIF support)
and GD2 (new, but due to the fucking license without GIF).
Press OK when ready.
After a successful build edit /usr/local/etc/apache2/httpd.conf. Add
there the line (in the place where the other LoadModule .... lines are)
LoadModule php4_module libexec/apache2/libphp4.so
change the line
DirectoryIndex index.html index.html.var
to
DirectoryIndex index.php index.html index.html.var
and add the line (in the place where the other AddType .... lines are)
AddType application/x-httpd-php .php
Restart Apache:
killall -HUP httpd
Amen.
- Squid (proxy-server)
cd /usr/ports/www/squid24
make
make install
chmod u+w /usr/local/etc/squid/squid.conf
joe /usr/local/etc/squid/squid.conf
The first things to be changed (imho):
#http_port 3128
#icp_port 3130
cache_mem 8 MB
cache_dir ufs /usr/local/squid/cache 100 16 256
to:
http_port 127.0.0.1:3128
http_port 10.0.0.1:3128
icp_port 127.0.0.1:3130
icp_port 10.0.0.1:3130
cache_mem 32 MB
cache_dir ufs /usr/local/squid/cache 1024 16 256
Allow access from intranet. Add after lines
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
the following:
acl home_net src 10.0.0.0/255.255.255.0
http_access allow home_net
Initialize cache and run squid:
/usr/local/sbin/squid -z
/usr/local/etc/rc.d/squid.sh start
Now you can set up your browser to use our FBSD server as proxy.
- mail-server (sendmail)
Enable sendmail:
Add to or modify /etc/rc.conf:
sendmail_enable="YES"
Set up the local delivery list:
Add to /etc/mail/mailertable
.my.domain local:
my.domain local:
If your provider blocks access to foreign SMTP servers (anti-spam policy),
add also the following line:
. smtp:smtp.server.your.provider
Set up access rights for the SMTP server:
Add to /etc/mail/access
127.0.0.1 RELAY
10.0.0 RELAY
Rebuild sendmail's databases:
cd /etc/mail
make mailertable.db
make access.db
Run sendmail:
/usr/sbin/sendmail
ps -ax | grep sendmail
or (for FBSD 6)
/etc/rc.d/sendmail stop
/etc/rc.d/sendmail start
ps -ax | grep sendmail
If everything is ok, you should see something like this in the resulting process list:
3153 ?? Is 0:00,32 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
3155 ?? Ss 0:12,06 sendmail: accepting connections (sendmail)