
Installing and Configuring FreeBSD

by xenophon — last modified 2005-09-15 18:47

How to build and maintain a FreeBSD workstation or server; supplements the documentation found on FreeBSD's web site.

This document assumes a passing familiarity with computer hardware and Unix operating systems (such as Solaris or Linux). It skips important topics such as installing FreeBSD over a serial console on a headless server or booting the installer from floppy disk, and it omits explanations of some difficult-to-explain and potentially confusing topics such as partitioning a hard drive. This document does not provide a complete transcript of every key-press and command output, as these vary from installation to installation.

Preparation

Download and burn the FreeBSD 5.4 installation CD for your architecture. FreeBSD's documentation can be accessed via the web:

Architecture-specific Installation Notes (for FreeBSD 5.4)

Installation Guide

Mirror Site List

Frequently Asked Questions

The FreeBSD Handbook

Online manual pages

Pointers for newbies

FreeBSD Security Information

Operating System Installation

Boot the installation CD. From the sysinstall main menu, choose Standard to begin a typical installation. Answer the subsequent prompts as follows:

DOS-style FDISK Partitions

  • This option is only available on i386 machine types.

Delete any pre-existing partitions by selecting each partition with the arrow keys and pressing D. Press A to automatically partition the hard disk. This creates a single primary partition of type 0x08 (FreeBSD). Press Q to save these changes and exit.

Install Boot Manager

  • This option is only available on i386 machine types.

Choose BootMgr to install the FreeBSD boot selector (the default).

FreeBSD Disk Label

To delete a file system, select it using the up and down arrow keys and press D. You should delete any existing file systems and swap partitions prior to automatically laying out the default file systems.

Press A to automatically lay out the default file systems (root, swap, /var, /tmp, and /usr).

To create a file system or swap partition, select the disk (at the top of the label editor screen) using the up arrow keys and press C. Follow the prompts to specify the volume's size, whether it is a file system or swap partition, and the file system's mount point.

A file system created by the automatic layout must be modified by deleting the file system you wish to change and any file systems listed below it (due to a bug in the label editor). Re-create the modified file system, then press A to automatically re-create any remaining file systems.

Press Q to save your changes and exit.

Distribution Selection

Choose All for a full install of FreeBSD on a workstation. If choosing a custom installation or if installing FreeBSD on a server, select at least the following packages:

  • Not all of the compat packages are available on every machine type.

base compat1x compat20 compat21 compat22 compat3x compat4x dict doc info man catman proflibs local

The src and ports distributions need not be installed. The latest versions of each will be downloaded later.

Media Selection

Network installs are possible, but installation from local media is recommended.

Network Configuration

Use DHCP to configure a computer's network interfaces wherever possible. Do not configure IPv6. When prompted, enter the fully-qualified domain name of the computer, e.g. wks2.example.com. Make certain that both the computer's host name and its domain name are set correctly.

Do not configure the computer to function as a network gateway.

Do not configure inetd.

Enable SSH login. Note that remote logins to the root account are disabled by default.

Do not enable anonymous FTP access.

Do not configure this computer as an NFS server.

Do not configure this computer as an NFS client.

Console Settings

  • This option is only available on i386 machine types.

You may enable the green system console screen saver (not recommended when FreeBSD is installed in a VMware guest).

Time Zone

When prompted if the computer's clock is set to UTC, choose the default setting (which varies according to the machine type, e.g. i386 defaults to No, alpha and sparc64 default to Yes).

Use the arrow keys to navigate the time zone selection menus, and press Enter to choose your selection. For example, if in the U.S. Eastern time zone:

  1. Choose the region America -- North and South.
  2. Choose the country United States.
  3. Choose the locality Eastern Time.

Linux Binary Compatibility

  • This option is only available on i386 and alpha machine types.

Only activate this if installing FreeBSD on a workstation.

OSF1 Binary Compatibility

  • This option is only available on alpha machine types.

Only activate this if installing FreeBSD on a workstation.

Mouse Settings

  • This option is only available on i386 machine types.

You may enable and configure a mouse, if attached. A computer with a PS/2 mouse attached needs no special configuration. Adding the flag -3 will allow the emulation of a third button by pressing mouse buttons 1 and 2 simultaneously. Make certain to select Enable before exiting the mouse configuration menu in order to save any changes.

Package Selection

Do not install any packages at this time.

User Accounts

Do not create any user accounts.

When prompted, set the password of the root user to the standard local administrator password.

Post-installation Configuration

The following commands must be executed while logged in as root.

Default Security

With the above operating system installation, only ports 22/tcp (the SSH server sshd(8)) and 514/udp (the Unix system logger syslogd) are bound to all network interfaces.

By default, sshd does not allow remote root logins. You should not change this behavior.

By default, syslogd runs in a secure mode that does not allow it to log messages received from remote computers. The syslog service port must be open, however, for syslogd to send log messages to remote syslog servers. If it is unnecessary to send log messages from this computer to another syslog server, you may disable logging to remote machines (and close the syslog service port) with the following commands:

ed /etc/rc.conf
a
syslogd_flags="-ss"
.
wq
/etc/rc.d/syslogd restart
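One way to verify the listener claim above on a running host, and to confirm that the -ss flag actually closed 514/udp, is to parse sockstat(1) output. The shell functions below are an added example, not part of the original page; the sockstat lines are constructed samples, and on a real host you would pipe `sockstat -4l` into wildcard_listeners instead.

```sh
#!/bin/sh
# Added example (not from the original page): audit which sockets are bound
# to all interfaces and compare them with the expected set (22/tcp for sshd,
# 514/udp for syslogd).

# Constructed sample of "sockstat -4l" output from a freshly installed host.
SOCKSTAT_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
root     syslogd    401   6  udp4   *:514                 *:*
root     master     700   13 tcp4   127.0.0.1:25          *:*'

# Constructed sample of the same host after syslogd_flags="-ss": no 514/udp socket.
SOCKSTAT_AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
root     master     700   13 tcp4   127.0.0.1:25          *:*'

# wildcard_listeners: read sockstat output on stdin and print "PORT/PROTO COMMAND"
# for every socket whose local address is the wildcard "*" (all interfaces).
# Loopback-only listeners such as 127.0.0.1:25 are deliberately ignored.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ {
        split($6, addr, ":")
        print addr[2] "/" substr($5, 1, 3) " " $2
    }'
}

# unexpected_listeners PORT/PROTO...: read wildcard_listeners output on stdin,
# print every entry not in the allowed list and return 1 if any was found.
unexpected_listeners() {
    allowed=" $* "
    found=0
    while read -r port cmd; do
        case "$allowed" in
            *" $port "*) ;;
            *) printf 'unexpected listener: %s (%s)\n' "$port" "$cmd"; found=1 ;;
        esac
    done
    return "$found"
}

# audit_sample SAMPLE: run the check over one of the constructed samples; the
# status is 0 only when nothing beyond sshd and syslogd is exposed.
audit_sample() {
    printf '%s\n' "$1" | wildcard_listeners | unexpected_listeners 22/tcp 514/udp
}
```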

Login Banners

Copy the standard pre-login banner to /etc/issue, and copy the standard post-login banner to /etc/motd.

Note that sshd(8) does not display the pre-login banner by default; execute the following commands to change this behavior:

ed /etc/ssh/sshd_config
a
Banner /etc/issue
.
wq
/etc/rc.d/sshd restart

Operating System Updates

  • Binary updates are only available on i386 machine types.

Use the package freebsd-update to download and install binary updates to FreeBSD:

  1. Install freebsd-update with the following commands:
    pkg_add -r freebsd-update
    rehash
    
  2. The installation package has a bug whereby the directory storing the updates is not created. Manually create this directory with the following command:
    mkdir /usr/local/freebsd-update
    
  3. The sample configuration file is sufficient. Activate it with the following commands:
    cd /usr/local/etc
    ln -s freebsd-update.conf.sample freebsd-update.conf
    
  4. Schedule the update check in cron(8) with the following command:
    ed /etc/crontab
    a
    #
    # Download the latest binary updates to FreeBSD.  Email root
    # only if new updates are available for installation.
    @daily  root    /usr/local/sbin/freebsd-update cron
    .
    wq
    
    Note that the cron option has a built-in randomized delay of up to one hour in order to reduce the load on the update servers.
  5. The cron job will run at midnight and notify the root user when updates are available for installation. Fetch and install these updates immediately with the following command:
    freebsd-update fetch && freebsd-update install
    

If binary updates are not available for your machine type (e.g. sparc64), you must update FreeBSD from source:

  1. Subscribe to the freebsd-security-notifications mailing list to be notified when updates to FreeBSD are required.
  2. Install cvsup-without-gui with the following commands:
    pkg_add -r cvsup-without-gui
    rehash
    
  3. Configure cvsup-without-gui to download the FreeBSD source tree with the following commands:
    cp /usr/share/examples/cvsup/stable-supfile \
      /usr/local/etc
    sed -i '' -e 's/CHANGE_THIS/cvsup12/' \
      /usr/local/etc/stable-supfile
    
  4. Schedule the source tree download in cron(8) with the following commands:
    ed /etc/crontab
    a
    #
    # Download the latest updates to the FreeBSD sources.
    @daily root /usr/local/bin/cvsup /usr/local/etc/stable-supfile
    .
    wq
    
  5. At midnight, the cron job will update the directory containing the source tree, /usr/src by default. Perform this update immediately with the following command:
    cvsup -g -L 2 /usr/local/etc/stable-supfile
    
  6. When updates are available, rebuild the operating system from source using the procedure documented in FreeBSD Handbook Section 19.4 Rebuilding "world". Console access is necessary as this procedure requires rebooting into single-user mode.

Third-Party Software

Use the package cvsup-without-gui to retrieve up-to-date versions of the FreeBSD Ports and Packages collection, portupgrade to install and update third-party software from the ports tree, and portaudit to automatically notify the root user of security problems with installed third-party software:

  1. Install cvsup-without-gui, portupgrade, and portaudit with the following commands:
    pkg_add -r cvsup-without-gui
    pkg_add -r portupgrade
    pkg_add -r portaudit
    rehash
    
  2. Configure cvsup-without-gui to download the ports tree from cvsup12.freebsd.org (a fast, nearby mirror) with the following commands:
    cp /usr/share/examples/cvsup/ports-supfile \
      /usr/local/etc/
    sed -i '' -e 's/CHANGE_THIS/cvsup12/' \
      /usr/local/etc/ports-supfile
    
  3. Schedule the ports tree download in cron(8) with the following commands:
    ed
    a
    #!/bin/sh
    /usr/local/bin/cvsup /usr/local/etc/ports-supfile \
      && cd /usr/ports \
      && make fetchindex
    .
    w /usr/local/bin/cvsup-ports
    q
    chmod a+x /usr/local/bin/cvsup-ports
    ed /etc/crontab
    a
    #
    # Download the latest updates to the FreeBSD Ports and Packages
    # collection.
    @daily root /usr/local/bin/cvsup-ports
    .
    wq
    
  4. At midnight, the cron job will update the directory containing the ports tree, /usr/ports by default. Perform this update immediately with the following command:
    /usr/local/bin/cvsup-ports
    
  5. The nightly maintenance scripts will automatically check for security updates to third-party software when portaudit is installed. Perform this check manually with the following command:
    portaudit -Fda
    
  6. Upgrade all installed third-party software with the following command:
    portupgrade -a -m BATCH=yes
    
  7. Use commands similar to the following to install additional third-party software from the ports tree:
    portinstall -m BATCH=yes <PACKAGE-NAME>
    rehash
    

VMware Guest Support

The ports tree includes a wrapper for the VMware guest support tools. To install the VMware tools:

  1. In VMware's VM menu, select Install VMware tools.
  2. Begin the software installation with the following command:
    portinstall emulators/vmware-guestd4
    
  3. When prompted, choose Yes to mount the CD-ROM.

FIXME: untested, especially with Xorg and emulators/vmware-tools4

Time Synchronization

Time synchronization serves several purposes. For example, it simplifies the task of correlating system log entries across several computers or systems, and Kerberos authentication does not work if the computer's clock is off by more than five minutes. To configure and enable time synchronization via the Network Time Protocol (NTP):

  1. Configure the NTP client to use the standard enterprise time servers. For computers with Internet access, use the pool.ntp.org time servers. For computers that will eventually be members of an Active Directory domain, specify only the Active Directory DNS domain name; this automatically lists all of the domain controllers. Use commands similar to the following to create the configuration file:
    ed
    a
    server example.com
    .
    w /etc/ntp.conf
    q
    
  2. Enable the NTP client and start it with the following commands:
    ed /etc/rc.conf
    a
    ntpdate_enable="YES"
    ntpd_enable="YES"
    .
    wq
    /etc/rc.d/ntpdate start
    /etc/rc.d/ntpd start
    

Advanced Configuration Options

Electronic Mail

While the default sendmail(8) configuration is relatively secure (in that it opens a submission-only listener on the loopback interface), sendmail is difficult to configure and has a history of security-related problems. I replace sendmail with Postfix, configure it to relay mail through a proxy instead of delivering it directly, and forward mail for various built-in service accounts (including root) to an enterprise mailbox:

  1. Stop sendmail prior to installing Postfix. The Postfix installation will modify the startup/shutdown scripts, making it more difficult to properly stop sendmail if it is still running at that point.
    /etc/rc.d/sendmail stop
    
  2. Install Postfix from the ports tree and configure it to start at boot with the following commands:
    portinstall -m BATCH=yes mail/postfix
    ed
    a
    #
    # Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
    #
    sendmail      /usr/local/sbin/sendmail
    send-mail     /usr/local/sbin/sendmail
    mailq         /usr/local/sbin/sendmail
    newaliases    /usr/local/sbin/sendmail
    .
    w /etc/mail/mailer.conf
    q
    ed /etc/rc.conf
    a
    sendmail_enable="YES"
    sendmail_flags="-bd"
    sendmail_pidfile="/var/spool/postfix/pid/master.pid"
    sendmail_procname="/usr/local/libexec/postfix/master"
    sendmail_outbound_enable="NO"
    sendmail_submit_enable="NO"
    sendmail_msp_queue_enable="NO"
    .
    wq
    
  3. Disable FreeBSD's default Sendmail-specific mail maintenance routines with the following commands:
    ed
    a
    daily_clean_hoststat_enable="NO"
    daily_status_mail_rejects_enable="NO"
    daily_status_include_submit_mailq="NO"
    daily_submit_queuerun="NO"
    .
    w /etc/periodic.conf
    q
    
  4. Reconfigure Postfix to listen only on the loopback interface, mimicking sendmail's default listener configuration, with the following command:
    sed -i '' -e 's/^smtp *inet/localhost:smtp inet/' /usr/local/etc/postfix/master.cf
    
  5. In their default configurations, both sendmail and Postfix will try to deliver messages directly to their destinations. If desired, you can configure Postfix to relay mail through a proxy with the relayhost setting. Reconfigure Postfix to relay to the mail exchangers of the computer's DNS domain (as listed in that domain's MX records) with the following commands:
    ed /usr/local/etc/postfix/main.cf
    a
    relayhost = $mydomain
    .
    wq
    
    If you prefer to relay through a specific host, use these commands instead (replacing mail.example.com with the host name or IP address of your relay):
    ed /usr/local/etc/postfix/main.cf
    a
    relayhost = [mail.example.com]
    .
    wq
    
  6. The default sendmail configuration delivers mail for the root account (or other services) locally. Large enterprises may wish to consolidate system status messages to a specific mailbox (in conformance with RFC 2821 or RFC 2142). Execute the following commands to forward mail to the appropriate domain-wide mailboxes:
    ## Forward email for the local "root" user.
    sed -i '' -e 's/[^:]*root:.*/root: root@example.com/' /etc/aliases
    
    ## FreeBSD recommends setting these aliases.
    sed -i '' -e 's/[^:]*manager:.*/manager: root/' /etc/aliases
    sed -i '' -e 's/[^:]*dumper:.*/dumper: root/' /etc/aliases
    
    ## Forward email for these service accounts to the appropriate
    ## domain-wide RFC 2142 addresses.
    sed -i '' -e 's/[^:]*abuse:.*/abuse: abuse@example.com/' /etc/aliases
    sed -i '' -e 's/[^:]*noc:.*/noc: noc@example.com/' /etc/aliases
    sed -i '' -e 's/[^:]*security:.*/security: security@example.com/' /etc/aliases
    sed -i '' -e 's/[^:]*ftp:.*/ftp: webmaster@example.com/' /etc/aliases
    sed -i '' -e 's/[^:]*hostmaster:.*/hostmaster: hostmaster@example.com/' /etc/aliases
    sed -i '' -e 's/[^:]*webmaster:.*/webmaster: webmaster@example.com/' /etc/aliases
    sed -i '' -e 's/[^:]*www:/www:/' /etc/aliases
    
    newaliases
    
  7. Start Postfix with the following command:
    /etc/rc.d/sendmail start
    

Additional Useful Tools

I always install misc/screen and net/rsync on my systems with the following commands:

touch /etc/make.conf
ed /etc/make.conf
a
WITH_POPT_PORT=yes
.
wq
portinstall -m BATCH=yes misc/screen net/rsync
rehash

Restricting Logons to Specific Users or Groups

FIXME

Securely Delegating Administrative Access

Use the package sudo to give multiple users root access without divulging the root password.

  1. Install sudo with the following commands:
    portinstall sudo
    rehash
    
  2. sudo uses PAM to authenticate users. Create a PAM service file for sudo with the following commands:
    ed
    a
    auth required pam_nologin.so no_warn
    auth sufficient pam_self.so no_warn
    auth include system
    account include system
    session include system
    .
    w /usr/local/etc/pam.d/sudo
    q
    
  3. Example: Restrict root access to members of the group Domain Admins with the following commands:
    env EDITOR=ed visudo
    a
    %Domain\ Admins ALL=(ALL) ALL
    .
    wq
    
  4. FIXME: create additional examples

Process Accounting

FIXME

System Security Level

FIXME: include discussion of read-only file systems, nosuid/nodev flags, immutable files

For More Information

For additional introductory information about FreeBSD's security mechanisms, see security(7). The security-conscious administrator will run a local firewall, remove access to unnecessary set-UID or set-GID binaries, monitor special files in administrative or service accounts, and remove (or adjust) kernel features in order to thwart or limit the impact of a successful attack. Administrators should consider running networked services under the jail(8) facility (see also Jails: Confining the omnipotent root and FreeBSD Jails) or restricting those services' capabilities using mac(9) (see also chapter 15 "Mandatory Access Control" of the FreeBSD Handbook).
