Pre-scriptum

Yes, yes, I know, everyboby have to read Handbook from freebsd.org. But imho it is not the fastest way. Even (or particulary ?) having Linux and WIndows setup experience. You can find step-by-step FBSD server installation guide below. You can read you manuals from Inet, play with settings and do many other things when base installation is complete.

What we want from this reality ?

1. install Free BSD :)
2. configure it as router
3. set up user environment (russian/midnight/joe)
4. mysql server (and/or client)
5. web-server
6. proxy-server
7. mail-server

5. see FBSD server's disks from Windows machines via 'Network Neighborhood'
6. access Windows shares from FBSD server
7. access to the server via FTP
8. access to the server using SSH (if you have already installed FBSD and configured network, it already works)
9. read comments ;)

So what we have to do ?

• Installing FBSD:
  • Boot from Free BSD boot CD and choose 1. Boot Free BSD [default] If you have computer with buggy ACPI, try 2. (disabled ACPI)
  • Then choose 2. Custom in sysinstall Main Menu and set installation parameters:
  • 2. Options. You can enable/disable IPv6 and DHCP. You will need DHCP if your privider assigns IP addresses dynamically. You MUST know if it is so.
  • 3. Partition. Allocate disk space. Using Windows and DOS therminology - create partition (primary or extended). In FBSD world this is known as slice. Later, in the next menu point you will be able to create some independent file-systems (against Windows world, FBSD allows this).
    You can also allocate entire disk for Free BSD: A - Entire disk
    When everything is ready: Q - Ok.
    Note: changes are not applied yet, so all operations can be cancelled.
  • When you are asked where to place Boot Manager imho it is better to choose boot-sector.
  • 4. Label. Create file-systems inside previously allocated slice:

    mount-point	size
    /	root file-system. Contains minimum required set of executables in configs. 512Mb would be ebough.
    swap	virtual memory. Physical memory size * 1.5 - 2
    /var	For temporary files, mail queues, logs and so on. Set size about 1-2Gb
    /usr	Sources, software instalation placeholder. 4-6Gb
    /home	User homes, FTP, File-server, etc. Rest free space.

    When done - Q - Finish Note: changes are also not applied on this stage.
  • 5. Distributions Choose pre-installed packages. It worth adding Developer and Kern-Developer. This will allow us to rebuild kernel with necessary options. User is also useful option. Add Х-components if you need.
  • 6. Media Installation source. We are installing from CD, so CD-ROM is already selected.
  • 7. Commit Begin installation. This will create slice, according to p.3. File-systems will be created inside this slice according so p.4 settings. Then executables and config files will be copied there. After return to general config menu, choose Exit.
  • Login as root after reboot with empty password.
  • Enable (if you want, of course) automatic file-system recovery after unclean (unexpected) reboot. This is useful for servers working in automatic mode. There is ee text editor for people, who do not like vi. (vi is installed as default editor). If you are already in vi and do not know how to exit, use this: 'Esc' 'Esc' ':' 'q' '!' 'Enter'. Still one useful thing - multiple consoles: use Alt-F1/Alt-F2/etc. to switch between them. And now, let's edit:
    

    ee /etc/rc.conf
    

    Add the following line to /etc/rc.conf

    fsck_y_enable="YES"
    

  • Temporary disable mail-server sendmail. Add to /etc/rc.conf

    sendmail_enable="NO"
    

  • Disable login to 1st tty (that is called by Alt-F1). It is intended for system log messages. Work on 2nd, 3rd etc. You can switch between virtual terminals using Alt-F2, Alt-F3, etc. You should change on for off in /etc/ttys in the following line:

    console none                            unknown on secure
    

    Changes will take effect after reboot. Do it:

    shutdown -r now
    

    You can read details about shutdown and its keys (and about many other commands) using

    man shutdown
     or
    man <some other command>
    

    Exit from man viewer - 'q'.
  • Enable maximum log level to see what happens in your system. Change line from /etc/syslog.conf

    *.err;kern.debug;auth.notice;mail.crit         /dev/console
    

    for

    #*.err;kern.debug;auth.notice;mail.crit         /dev/console
    *.*                                             /dev/console
    

    After that execute

    killall -HUP syslogd
    

• Setup networking:
  • TCP/IP
    1. run ifconfig command. You will see list af all available interfaces and their settings. Interface is any physical or virtual device that is capable of transferring data between computers:
       • Network cards (NICs - Network Interface Cards, can have various names)
       • loopback interface lo0 - virtual interface for communication between network-oriented applicetions inside single computer. Do not touch its config!
       • lp0 - networking via LPT port.
       • fwe0 - networking via FireWire (IEEE-1384) port.
       For example:

       fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
               ether 02:40:63:03:26:70
               ch 1 dma -1
       vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
               ether 00:40:63:ca:92:0d
               media: Ethernet autoselect (100baseTX <full-duplex>)
               status: active
       rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
               ether 00:50:fc:a2:92:79
               media: Ethernet 10baseT/UTP
               status: active
       lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
       lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
               inet 127.0.0.1 netmask 0xff000000
       

       In this example vr0 and rl0 are NICs. The following records tell us about it: ether xx:yy:zz:aa:bb media: Ethernet Xxxxxxx.
       Record status: active means that network cable is plugged into NIC and physical connection between NICs is established. If you are not sure about NIC names assignent, you can check it observing responses from ifconfig. Unplug cables one by one and run ifconfig each time.
    2. Set IP-addresses and netmasks for interfaces. Everything is like in Linux or Windows, But a little different:

       ifconfig <interface name> inet <IP-address> <netmask>
       

       for example

       ifconfig rl0 inet 10.0.0.1 netmask 255.255.255.0
       

       If everything is ok, computers with IPs from 10.0.0.1 - 10.0.0.254 range must respond on ping.
       
    3. Record correct (checked) interface settings in /etc/rc.conf. For each interface add to tail of rc.conf rows like this:

       ifconfig_<interface name>="inet <IP-address> <netmask>"
       

       for the previous example this will be

       ifconfig_rl0="inet 10.0.0.1 netmask 255.255.255.0"
       

       Is very similar to comand line. But once again: Do not touch lo0 config!
    4. Setup interface IP and default gateway. Add to /etc/rc.conf the line like this:
       

       ifconfig_<uplink interface name>="inet <IP-address> <netmask>"
       defaultrouter="IP-of-internet-provider"
       

       If you are already here, you must know IP-of-internet-provider. Lets check:
       

       route -n flush - clear routing table
       route add default <IP-of-internet-provider>
       netstat -nr - show current state of routing table
       

       You should see something like this:

       Routing tables
       
       Internet:
       Destination        Gateway            Flags    Refs      Use  Netif Expire
       default            192.168.78.1       UGSc        2    14784    rl0
       .........
       

    5. If your ISP uses dynamic address assignment (DHCP), your rc.conf will be a little different:

       ifconfig_<uplink interface name>="DHCP"
       

       for the previous example this will be

       ifconfig_vr0="DHCP"
       

       after that either start DHCP-client or reboot computer:

       /etc/rc.d/dhclient start
       

       Now ping 216.109.127.29 should work . This is yahoo.com.
    6. Enable routing. There are two ways: Add to /etc/rc.conf lines

       router="/sbin/routed"
       router_flags=-"q"
       router_enable="YES"
       gateway_enable="YES"
       

       or run /stand/sysinstall (or /usr/sbin/sysinstall under FBSD 6). Then in Configure->Networking ebable gateway and routed. All settings - by default.
  • DNS
    It is very simple. Add to /etc/resolv.conf
    

    nameserver      <IP-of-internet-provider-DNS>
    

    I will say again: you must know this value. After that ping yahoo.com should work. (You can try other server names).
  • NAT+firewall
    Firewall - for protection of attacks and NAT functioning. NAT - opaque way for machines from intranet to access the world. The main idea - all local machine's request goes out like they are send by server itself. From outer world such network is visible as single server.
    • Add to rc.conf:

      natd_enable="YES"
      natd_interface="<world_iface>"
      natd_flags="-u -f /etc/natd.conf"
      firewall_enable="YES"           # Set to YES to enable firewall functionality
      firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
      firewall_type="/etc/firewall.conf"              # Firewall type (see /etc/rc.firewall)
      firewall_quiet="NO"             # Set to YES to suppress rule display
      firewall_logging="YES"          # Set to YES to enable events logging
      

      where <world_iface> - name of the interface directed to outer world (to provider).
    • Create empty file /etc/natd.conf:

      touch /etc/natd.conf
      

    • Create config file for firewall - /etc/firewall.conf. Add there something like this:

      add 00100 allow ip from any to any via lo0
      add 00200 deny ip from any to 127.0.0.0/8
      add 00500 divert natd all from any to any via <world_iface>
      
      add 10600 allow ip from 10.0.0.0/24 to any via <local_iface>
      add 10600 allow ip from me to any via <world_iface>
      add 10700 allow tcp from any to me 22,25,80,53 via any
      add 10705 allow tcp from me to any 22,25,80,53 via any
      add 10701 allow udp from any to me 22,25,80,53 via any
      add 10706 allow udp from me to any 22,25,80,53 via any
      add 10710 allow tcp from any to me 110,143,443,495,587 via any
      add 10715 allow tcp from me to any 110,143,443,495,587 via any
      add 10730 allow tcp from me 25 to any via any
      add 30800 deny tcp from any to me 3306,3307 via <world_iface>
      add 30801 deny tcp from any to me 3128,3130 via <world_iface>
      add 30800 deny tcp from any to me 1-1024 via <world_iface>
      add 30801 deny udp from any to me 1-1024 via <world_iface>
      add 30900 allow tcp from any to me 1024-65535 via <world_iface>
      add 30901 allow udp from any to me 1024-65535 via <world_iface>
      add 51000 allow ip from any to any
      

      where <local_iface> and <world_iface> are interface names (see ifconfig). Such settings opens SSH, SMTP, HTTP, DNS, POP3, SHTTP and blocks access from outer world to local proxy and privileged ports (1-1024). sendmail is off now (see above) and it doesn't relay mail from anyone by default. Thus, spammest will not fuck you. (Of cource if there is no fresh exploit ;)
    • Rebuild kernel with special options for NAT+firewall. Build file with full option list (LINT) and construct own kernel config.

      cd /usr/src/sys/i386/conf
      make LINT
      GENERIC
      cp GENERIC MY_SERVER_v1
      ee MY_SERVER_v1
      

      Remove unnecessary options.
      Everything higher than Pentium/AMD 586/K6 would be I686_CPU. Thus you can remove I386_CPU - I586_CPU suport (if you are not planning to work on such platform). Most probably you need no IPv6 support (INET6 and related options. Just look and you will see).
      On other hand the following options are required:

      options IPFIREWALL
      options IPFIREWALL_VERBOSE
      options IPFIREWALL_FORWARD
      options IPDIVERT
      
      options LIBICONV
      options SC_DISABLE_REBOOT
      options SC_HISTORY_SIZE=3000
      options VESA
      options VGA_WIDTH90
      

      rest - to tase. Read LINT and NOTES in the same directory (/usr/src/sys/i386/conf). Build kernel:

      config MY_SERVER_v1
      cd ../compile/MY_SERVER_v1
      make depend
      make
      make install
      shutdown -r now
      

      after reboot set you server as Default Gateway for machine in local network. This machine should be able to ping world servers. For example same ping 216.109.127.29. If you setup this machine to use provider's DNS server, ping yahoo.com should also work.
  • Local name-server - named. Why should the whole intranet ask bore provider with DNS queries ? Lets ask our own server. It will think a little and find what to asnwer, If not - will ask provider and remember for future.

    cd /etc/namedb
    sh make-localhost
    

    and in в rc.conf

    named_enable="YES"               # Run named, the DNS server (or NO).
    

    Run named from command prompt. Chack if it is started with ps -ax|grep named. The following line should present in output:

    4603  ??  Ss     0:00,00 named
    

    Now you can setup same machine from intranet to use our FBSD server as DNS server It should still be able to ping servers by names. For example ping yahoo.com.
  • FTP Run /stand/sysinstall or /usr/sbin/sysinstall and enable inetd in Configure->Networking Answer 'No' for prompt if you want to edit inetd.conf. Go to Configure->Networking and enable Anonymous FTP. You can use all default settings, but I would recommend to change /var/ftp for /home/ftp. Then run inetd from command prompt. After that you should be able to connect to FTP from local network. After reboot inetd will be started automatically.
• Some useful things.
  Are built from ports (located in /usr/ports directory tree). I would recommend to read /usr/ports/README All ports are build in same way: make; make install. If required archive with sources is not found in /usr/ports/distfiles, make will attempt to download it from inet.
  • joe

    cd /usr/ports/editors/joe
    make
    make install
    

  • Midnight comander

    cd /usr/ports/misc/mc
    make
    make install
    

  • trafshow

    cd /usr/ports/net/trafshow
    make
    make install
    

  • ARP-ping (arping)

    cd /usr/ports/net/arping
    make
    make install
    

  • mtr

    cd /usr/ports/net/mtr
    make
    make install
    

  • Russian/Ukrainian support.
    Add to rc.conf:

    font8x14="cp866u-8x14"
    font8x16="cp866u-8x16"
    font8x8="cp866u-8x8"
    keymap="ua.koi8-u.shift.alt"
    scrnmap="koi8-u2cp866u"
    

  • SSH
    Enable SSHD: Add to or modify /etc/rc.conf:

    sshd_enable="YES"
    

    You can run it immediately:

    /etc/rc.d/sshd start
    

  • sudo For better security it worth creating admin user(s) and disable root login.
    1. Create user admin (or any other name you like). Use adduser command. It prompt many things. One of them is shell. Choose any shell you like. I like tcsh. So, I can share with you its config :) For all other questions you may simply chose default answer. If everything is ok, user home directory <username> will be created in /home directory.
    2. Create config file for your shell in user's home. For tcsh it is .tcshrc. You can download it from here or view in browser here.
    3. Make sudo

       cd /usr/ports/security/sudo
       make
       make install
       

       Add to /usr/local/etc/sudoers

       admin   ALL=(ALL) ALL
       

       Note:. /usr/local/etc/sudoers must be read-only for everyone. You have to remove RO before edit, and must restore after:

       chmod u+w /usr/local/etc/sudoers
       ee /usr/local/etc/sudoers
       chmod u-w /usr/local/etc/sudoers
       

    4. Now user admin logs in with own password. If admin needs root privileges, run

       sudo -s
       

       and use admin's password again. Now we need not share root password. You can create many administrative user (if you need it), you can also simply remove them :) Just modify /usr/local/etc/sudoers.
    5. Check if newly created admin can become root (see above).
    6. Deny root login. Use vipw command to edit user database. Find root there

       root:$1$xxxxxxxxxxxxxxxxxxxxxxxxxx/:0:0::0:0:Charlie &:/root:/bin/csh
       

       and add '*' to root's password:

       root:*$1$xxxxxxxxxxxxxxxxxxxxxxxxxx/:0:0::0:0:Charlie &:/root:/bin/csh
            ^
            pay attention here
       

• MySQL
  I think it is nasty substituting libmysqlclient.so.10 (from MySQL 3.23) with libmysqlclient.so.12 (from MySQL 4.0). But PHP wants .10 and I could not compile it.

  cd /usr/ports/databases/mysql40-server
  make
  make install
  cd /usr/local/lib/mysql/
  ln -s libmysqlclient.so.12 libmysqlclient.so.10
  ln -s libmysqlclient_r.so.12 libmysqlclient_r.so.10
  

  Client should be compiled automatically, but you can use this to build it manually.

  cd /usr/ports/databases/mysql40-client
  make
  make install
  

• Install Apache (web-server) + PHP
  • Apache itself

    cd /usr/ports/www/apache2
    make
    make install
    

    Apache will be installed and /usr/local/etc/rc.d should contain control script apache2.sh. It will start Apache automatically on next boot. For now you can run it so:

    /usr/local/etc/rc.d/apache2.sh start
    

    After that you should be able to access you server via http. (for ex. http://10.0.0.1). You can check if Apache is running with ps -ax|grep httpd. The following line should present in output:

      459  ??  Ss     1:08,98 /usr/local/sbin/httpd -k start
      521  ??  I      0:00,13 /usr/local/sbin/httpd -k start
      522  ??  I      0:00,14 /usr/local/sbin/httpd -k start
    

  • pdflib
    If you need PDF support in PHP, lets make pdflib first. If not - skip this point. In general this should work:

    cd /usr/ports/print/pdflib
    make
    make install
    

    Try, may be you are lucky. Looks like I'm not. The following toruble happened: during pdflib build from FBSD 5.1 Release ports I meet this: Old version of pdflib.5 sources (PDFlib-Lite-5.0.0-Unix-src.tar.gz) was removed from Adobe site. It was changed for new one. I have downloaded from freebsd.org new port and put it instead of old one (to /usr/ports/print/pdflib). make said taht unknown component lthack found. Makefile contained following:

    INSTALLS_SHLIB= yes
    USE_LIBTOOL_VER=13
    USE_GNOME=     lthack
    USE_REINPLACE=  yes
    

    Changed to

    INSTALLS_SHLIB= yes
    USE_LIBTOOL_VER=13
    USE_GNOME=     
    USE_REINPLACE=  yes
    

    No more build errors, but pdflib.6 was built instead of pdflib.5. PHP didn't like it. Workaround:

    cd /usr/local/lib/
    ln -s libpdf.so.6 libpdf.so.5
    

  • PHP

    cd /usr/ports/www/mod_php4
    setenv WITH_APACHE2
    make
    

    You will see menu where you can shoose what to install. I would select the following options:

     [X] GD2         GD 2.x library support
     [X] zlib        zlib library support  
     [X] bzip2       bzip2 library support
     [X] mcrypt      Encryption support
     [X] mhash       Crypto-hashing support
     [X] MySQL       MySQL database support
     [X] OpenSSL     OpenSSL support
     [X] FTP         File Transfer Protocol support
     [X] gettext     gettext library support
     [X] iconv       iconv support
     [X] recode      recode support
     [X] mbregex     multibyte regular expressions module
     [X] mbstring    multibyte string module
     [X] BCMath      BCMath support
     [X] sockets     sockets support
     [X] transsid    Transparent session id 
    

    You can also add pdflib, XML, other Databases etc. You can not only install both GD (old, but with GIF support) and GD2 (new, but due to fucking license without GIF). Press OK when ready.
    After successful build edit /usr/local/etc/apache2/httpd.conf. Add there line (to the place, where other LoadModule .... lines are)

    LoadModule php4_module    libexec/apache2/libphp4.so
    

    change line

    DirectoryIndex index.html index.html.var
    

    for

    DirectoryIndex index.php index.html index.html.var
    

    and add line (to the place where other AddType .... lines are)

    AddType application/x-httpd-php .php
    

    Restart Apache:

    killall -HUP httpd
    

    Amen.
• Squid (proxy-server)

  cd /usr/ports/www/squid24
  make
  make install
  chmod u+w /usr/local/etc/squid/squid.conf
  joe /usr/local/etc/squid/squid.conf
  

  The first things to be changed (imho):

  #http_port 3128
  #icp_port 3130
  cache_mem 8 MB
  cache_dir ufs /usr/local/squid/cache 100 16 256
  

  For:

  http_port 127.0.0.1:3128
  http_port 10.0.0.1:3128
  icp_port 127.0.0.1:3130
  icp_port 10.0.0.1:3130
  cache_mem 32 MB
  cache_dir ufs /usr/local/squid/cache 1024 16 256
  

  Allow access from intranet. Add after lines

  #
  # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  #
  

  the following:

  acl home_net src 10.0.0.0/255.255.255.0
  http_access allow home_net
  

  Initialize cache and run squid:

  /usr/local/sbin/squid -z
  /usr/local/etc/rc.d/squid.sh start
  

  Now you can setup you browser to use our FBSD server as proxy.
• mail-server (sendmail) Enable sendmail: Add to or modify /etc/rc.conf:

  sendmail_enable="YES"
  

  Setup local delivery list: Add to /etc/mail/mailertable

  .my.domain           local:
  my.domain            local:
  

  If your provider blocks access to foreign SMTP servers (anti-spam policy), add also the following line:

  .                    smtp:smtp.server.your.provider
  

  Setup access rights for SMTP server: Add to /etc/mail/access

  127.0.0.1                       RELAY
  10.0.0                          RELAY
  

  Rebuild sendmail's databases:

  cd /etc/mail
  make mailertable.db
  make access.db
  

  Run sendmail:

  /usr/sbin/sendmail
  ps -ax | grep sendmail
  

  or (for FBSD 6)

  /etc/rc.d/sendmail stop
  /etc/rc.d/sendmail start
  ps -ax | grep sendmail
  

  If everything is ok, you should see in derived process list something like this:

   3153  ??  Is     0:00,32 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
   3155  ??  Ss     0:12,06 sendmail: accepting connections (sendmail)