FreeBSD

FreeBSD Post Installation - Installing a New World and Kernel

Assuming you have a ‘fresh’ installation of FreeBSD, there are a few things you want to get done as soon as possible to bring the system up to date and make it as secure as possible. The first is rebuilding the base system (world and kernel) from current sources.

Start by updating your ‘/usr/src’ directory with `csup`. Before running it, look at the `*default release=cvs tag=` line of the supfile you copy: `tag=.` tracks -CURRENT, `tag=RELENG_7` tracks 7-STABLE and `tag=RELENG_7_0` the 7.0 security branch. Make sure it names the branch you actually intend to run; the sed line below only fills in the mirror name.

cp /usr/share/examples/cvsup/standard-supfile /etc/
sed -i '' s/CHANGE_THIS/cvs11/ /etc/standard-supfile
grep 'tag=' /etc/standard-supfile    # confirm the branch before fetching anything
csup -L 0 /etc/standard-supfile

You can expect this process to take some time, usually around 20 minutes depending on your connection. When csup finishes, you can continue with building your world and kernel.

cd /usr/src
cp sys/$ARCH/conf/GENERIC sys/$ARCH/conf/YOURKERNELNAME

*Replace ‘$ARCH’ with your architecture, e.g. i386.

Read /usr/src/UPDATING and edit your kernel options as necessary. Once your options are configured, build the world and kernel, install the kernel, and reboot into single-user mode before installing the world: the new world has to be installed while running on the new kernel, and mergemaster(8) must update /etc (the passwd and group entries first, the rest afterwards) or the new binaries will not start cleanly.

cd /usr/src
time make buildworld
time make buildkernel KERNCONF=YOURKERNELNAME
time make installkernel KERNCONF=YOURKERNELNAME
shutdown -r now              # at the loader menu choose single-user mode (boot -s)
# now in single-user mode, running the new kernel:
fsck -p
mount -u /
mount -a -t ufs
swapon -a
cd /usr/src
mergemaster -p               # new users/groups that installworld needs
make installworld
mergemaster                  # merge the remaining /etc changes
reboot
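As an added check (not part of the original post), the following shell functions derive the branch tag that matches the running system from `uname -r` and compare it with the tag= line of a supfile, so a csup run cannot silently pull -CURRENT sources onto a -RELEASE box. The mapping (-RELEASE to RELENG_x_y, -STABLE to RELENG_x, -CURRENT to ".") is the standard one; the supfile contents in the demo are constructed.

```shell
#!/bin/sh
# Added example: check that a supfile's tag= line matches the branch of the
# running system. Not from the original post. Assumes `uname -r` output of
# the form "7.0-RELEASE-p1", "6.3-STABLE" or "8.0-CURRENT" and a supfile
# with the stock "*default release=cvs tag=..." line.

# release_tag <uname -r string>: print the CVS tag for that branch
#   7.0-RELEASE-p1 -> RELENG_7_0   (security branch of the release)
#   6.3-STABLE     -> RELENG_6     (stable branch)
#   8.0-CURRENT    -> .            (head)
release_tag() {
    _rel=$1
    case "$_rel" in
        *-CURRENT*) echo "." ;;
        *-STABLE*)  echo "RELENG_${_rel%%.*}" ;;
        *-RELEASE*) _ver=${_rel%%-*}
                    echo "RELENG_${_ver%.*}_${_ver#*.}" ;;
        *)          echo "unrecognised release string: $_rel" >&2; return 1 ;;
    esac
}

# supfile_tag <supfile>: print the tag= value of the first *default line that has one
supfile_tag() {
    sed -n 's/^\*default[[:space:]].*tag=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_supfile <supfile> <uname -r string>: 0 if they agree, 1 otherwise
check_supfile() {
    _want=$(release_tag "$2") || return 1
    _have=$(supfile_tag "$1")
    if [ "$_have" = "$_want" ]; then
        echo "ok: $1 tracks $_have"
        return 0
    fi
    echo "mismatch: $1 tracks '${_have:-nothing}' but this system is $2 (expected tag=$_want)" >&2
    return 1
}

# Demo on a constructed supfile that still tracks -CURRENT:
_demo=$(mktemp)
printf '*default host=cvs11.FreeBSD.org\n*default release=cvs tag=.\nsrc-all\n' > "$_demo"
check_supfile "$_demo" "7.0-RELEASE-p1" || true
rm -f "$_demo"
```

Run it as `check_supfile /etc/standard-supfile "$(uname -r)"` before `csup`; a non-zero exit means the supfile and the running system disagree.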

FreeBSD Ports versus Packages

The ‘ports’ tree is a collection of build recipes (a customized Makefile per piece of software) located in the /usr/ports directory. Ports are updated continuously, so they usually carry the “latest and greatest” version of the software.

Packages are pre-compiled ports. The set that `pkg_add -r` fetches for a -RELEASE is built when that release is made and is not rebuilt afterwards, so it ages with the release. Whichever you use, run `portaudit -Fda` (security/portaudit) from time to time to compare what is installed against the list of known-vulnerable versions.

What this means, using Xorg, FreeBSD 6.2-RELEASE and FreeBSD 6.3-RELEASE as examples:
When FreeBSD 6.2 was released, the stable version of Xorg was 6.9. If you wanted Xorg installed without compiling it yourself, you could run:

pkg_add -r xorg

which would install Xorg 6.9.

At the time of this writing, the stable release of Xorg is 7.3, and the 6.3 package set was built after it came out. So `pkg_add -r xorg` on FreeBSD 6.3 installs Xorg 7.3.

Using ports on 6.2-RELEASE with an up-to-date ports tree, if you

cd /usr/ports/x11/xorg
make install clean

you compile the current version of the port, which is also 7.3.

wpa_supplicant

A common misconception is that wpa_supplicant.conf is a tool for scanning for and joining whatever networks happen to be in range. It is the opposite: wpa_supplicant associates only with the networks listed in its configuration, which is exactly what you want when those are the ’secure’ networks (or at least the ones you know will not jeopardize your data).

Example /etc/wpa_supplicant.conf file:

network={
	ssid="myhomenetwork"
	key_mgmt=WPA-PSK
	psk="my_secret_password"
	priority=42
}

network={
	ssid="college_network"
	key_mgmt=NONE
	priority=3
}

What it means:
The first network={ block connects to the network “myhomenetwork” using WPA-PSK (see `man wpa_supplicant.conf`) and the passphrase “my_secret_password”, with priority 42 (higher than the default of 0, so it is preferred whenever more than one configured network is in range). Option names must be spelled exactly: a misspelled field such as “prority” makes wpa_supplicant reject the whole network block when it parses the file.

The second network={ block connects to “college_network”, an unsecured network, with priority 3, still higher than the default. Priorities are useful if you connect to some networks regularly and others only now and then. Two cautions: with key_mgmt=NONE everything on that network goes over the air in the clear, and a psk="..." passphrase is stored in the file verbatim, so keep the file owned by root with mode 600. Better still, replace the quoted passphrase with the 64-hex-digit key that `wpa_passphrase "myhomenetwork" "my_secret_password"` prints (psk=<hex>, no quotes): that key still opens the network, but a passphrase you may reuse elsewhere stays out of the file.
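The following shell functions are an added example, not part of the original post: `wpa_audit` lists the network blocks of a wpa_supplicant.conf with the two flags that matter before you carry the file around on a laptop (open networks, and passphrases stored in the clear instead of a hex PSK), and `wpa_mode_ok` checks that the file is not readable by others. The configuration it runs on is a constructed copy of the one above; the stat(1) invocation assumes either GNU coreutils or FreeBSD.

```shell
#!/bin/sh
# Added example, not from the original post: audit a wpa_supplicant.conf.
# Assumes the usual "network={ ... }" block syntax; stat(1) is tried in
# GNU form first, then in FreeBSD form.

# wpa_audit <conf>: one line per network block,
#   ssid=<ssid> key_mgmt=<mgmt> priority=<n> [OPEN-NETWORK] [CLEARTEXT-PSK]
# Returns 1 if any block stores a quoted passphrase instead of a hex PSK.
wpa_audit() {
    awk '
        function flush() {
            if (!inblk) return
            flags = ""
            if (mgmt == "NONE") flags = flags " OPEN-NETWORK"
            if (psk ~ /^"/)     { flags = flags " CLEARTEXT-PSK"; bad = 1 }
            if (prio == "")     prio = 0
            printf "ssid=%s key_mgmt=%s priority=%s%s\n", ssid, mgmt, prio, flags
            inblk = 0
        }
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*network[[:space:]]*=[[:space:]]*[{]/ { inblk = 1; ssid = mgmt = psk = prio = ""; next }
        inblk && /^[[:space:]]*[}]/ { flush(); next }
        inblk {
            n = index($0, "="); if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[[:space:]]/, "", key); sub(/^[[:space:]]+/, "", val)
            if (key == "ssid")     ssid = val
            if (key == "key_mgmt") mgmt = val
            if (key == "psk")      psk  = val
            if (key == "priority") prio = val
        }
        END { flush(); exit bad + 0 }
    ' "$1"
}

# wpa_mode_ok <conf>: 0 unless the file is readable by group or others
wpa_mode_ok() {
    _m=$(stat -c '%a' "$1" 2>/dev/null) || _m=$(stat -f '%Lp' "$1")
    case "$_m" in
        *00) return 0 ;;
        *)   echo "$1 is mode $_m: it holds network keys, run chmod 600 $1" >&2; return 1 ;;
    esac
}

# Demo on a constructed copy of the configuration above:
_demo=$(mktemp)
cat > "$_demo" <<'EOF'
network={
    ssid="myhomenetwork"
    key_mgmt=WPA-PSK
    psk="my_secret_password"
    priority=42
}
network={
    ssid="college_network"
    key_mgmt=NONE
    priority=3
}
EOF
chmod 600 "$_demo"
wpa_audit "$_demo" || true
wpa_mode_ok "$_demo" || true
rm -f "$_demo"
```

A block whose psk is a 64-digit hex string gets no CLEARTEXT-PSK flag, which is the state you want the file in.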

Installing Window Managers in FreeBSD

Problem:
You want to use a window manager (or a desktop environment).

Solution::
If you have installed Xorg, by default if you type:

startx

you will be presented with the default window manager, TWM.

Fluxbox:
If you want to install and use Fluxbox, you could compile from ports:

cd /usr/ports/x11-wm/fluxbox
make install clean

or you could install a binary package:

pkg_add -r fluxbox

To start Fluxbox with the startx command, edit a file in your home directory — ~/.xinitrc

/usr/local/bin/fluxbox

KDE:
If you want to install and use the K Desktop Environment — KDE, you could compile from ports:

cd /usr/ports/x11/kdebase3
make install clean

or you could install a binary package:

pkg_add -r kdebase

To start KDE, edit your ~/.xinitrc file:

/usr/local/bin/startkde

To start KDE’s login manager at boot, edit /etc/ttys as root, changing:

ttyv8   "/usr/local/bin/xdm -nodaemon"  xterm   off secure

to

ttyv8   "/usr/local/bin/kdm -nodaemon"  xterm   on secure

*Note changing “off” to “on”; leave “secure” as it is. The secure/insecure flag in ttys(5) only controls whether root may log in through getty and login(1) on that terminal, which kdm does not use; whether root can log in at the KDM greeter is KDM’s own setting. Run `kill -HUP 1` afterwards so init re-reads /etc/ttys.

GNOME:
If you want to install and use the GNOME Desktop Environment, you could compile from ports:

cd /usr/ports/x11/gnome2
make install clean

or you could install a binary package:

pkg_add -r gnome2

To start GNOME, edit your ~/.xinitrc file:

/usr/local/bin/gnome-session

To start GNOME at boot, edit /etc/rc.conf as root:

gnome_enable="YES"
gdm_enable="YES"

*Note: Do not add ‘gdm’ to /etc/ttys, as this causes gdm to infinitely loop. Enabling ‘gnome’ in rc.conf starts gnome services when GDM starts.

FreeBSD DNS Server

Problem:
You want to configure a Domain Name System server that forwards queries from local client machines to upstream resolvers and caches the answers.

Solution:
BIND (Berkeley Internet Name Domain) is included in the FreeBSD base installation, so we will configure it. A caching forwarder is simple to set up. On FreeBSD the configuration lives in /etc/namedb/named.conf (the rc script runs named chrooted in /var/named, and /etc/namedb is a symlink into that tree). Edit the options section to forward queries upstream and to make the server reachable from the LAN but from nowhere else:

// Forwarders must be recursive resolvers (e.g. your ISP's). The root
// servers do not answer recursive queries and cannot be used here.
forwarders { 192.0.2.53; 192.0.2.54; };   // placeholders: put your ISP's resolvers here
forward only;
// The stock file listens on loopback only; add the LAN address, and
// restrict recursion to the LAN so this is not an open resolver.
listen-on { 127.0.0.1; 192.168.1.1; };
allow-recursion { 127.0.0.1; 192.168.1.0/24; };

The forwarders must be recursive resolvers, such as your ISP’s; the root servers only answer iterative queries and will never return a full answer to a forwarder. Restricting allow-recursion matters even on a home connection: a recursive server that answers anyone on the Internet is an open resolver that others can use for amplification attacks. Check the syntax with `named-checkconf`, then edit /etc/rc.conf to allow the service to run:

named_enable="YES"

Start the service:

/etc/rc.d/named start
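Two checks, added here as an example rather than taken from the post. `forwarder_is_recursive` needs dig(1) and network access and asks a prospective forwarder whether it actually offers recursion (the RA flag in its answer), which root servers do not. `named_audit` is a static pass over named.conf for the settings that decide whether LAN clients can reach the server and whether it is an open resolver. Option names are BIND 9’s; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: checks for a BIND forwarder.
# Assumes BIND 9 option syntax and FreeBSD's /etc/namedb/named.conf.

# forwarder_is_recursive <ip>: 0 if the server sets the RA (recursion
# available) flag in its answer. Needs dig(1) and network access. Root
# servers answer without RA, which is why they cannot serve as forwarders.
forwarder_is_recursive() {
    dig +time=3 +tries=1 @"$1" freebsd.org A 2>/dev/null |
        sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | grep -qw ra
}

# named_audit <named.conf>: static check of the settings that decide whether
# LAN clients can reach the server and whether it is an open resolver.
# Returns 1 if something needs fixing.
named_audit() {
    _rc=0
    # drop // and # comments so commented-out examples are not counted
    _body=$(sed -e 's://.*$::' -e 's/#.*$//' "$1")
    if ! printf '%s\n' "$_body" | grep -q 'forwarders[[:space:]]*{'; then
        echo "note: no forwarders block, named will resolve iteratively from the roots itself" >&2
    fi
    if printf '%s\n' "$_body" | grep -q 'listen-on[[:space:]]*{[[:space:]]*127\.0\.0\.1;[[:space:]]*}'; then
        echo "listen-on is 127.0.0.1 only: LAN clients cannot reach this server" >&2; _rc=1
    fi
    if ! printf '%s\n' "$_body" | grep -q 'allow-recursion[[:space:]]*{'; then
        echo "no allow-recursion: every host that can reach port 53 gets recursion (open resolver)" >&2; _rc=1
    fi
    if printf '%s\n' "$_body" | grep -q 'allow-recursion[[:space:]]*{[[:space:]]*any;'; then
        echo "allow-recursion { any; }: open resolver" >&2; _rc=1
    fi
    return $_rc
}

# Demo on a constructed named.conf that has both problems:
_demo=$(mktemp)
cat > "$_demo" <<'EOF'
options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; };
    forwarders { 192.0.2.53; };
};
EOF
named_audit "$_demo" || true
rm -f "$_demo"
```

Run `named_audit /etc/namedb/named.conf` before starting named, and `forwarder_is_recursive <ip>` for each address you intend to list under forwarders.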

FreeBSD DHCP Server

Problem:
You want to configure a Dynamic Host Configuration Protocol server to assign TCP/IP addresses to local client machines.

Solution:
A DHCP server is not included in the FreeBSD base install, so install the server from ports:

cd /usr/ports/net/isc-dhcp3-server
make install clean

or install a binary package:

pkg_add -r isc-dhcp3-server

Now make a copy of the sample configuration file:

cd /usr/local/etc
cp dhcpd.conf.sample dhcpd.conf

Edit /usr/local/etc/dhcpd.conf to fit your needs. My sample file contains:

option domain-name "example.com";       # Edit to match your domain name
option domain-name-servers 192.168.1.1; # My DHCP server is the DNS server as well

default-lease-time 3600;                # Leases default to a 1 hour timeout
max-lease-time 7200;                    # Leases cannot be held longer than 2 hours

ddns-update-style none;                 # Required by dhcpd 3.x; no dynamic DNS updates
authoritative;                          # My DHCP server is the only DHCP server

log-facility local7;                    # syslog facility (not a file); route local7 in syslog.conf

subnet 192.168.1.0 netmask 255.255.255.0 { # network ID
  range 192.168.1.2 192.168.1.10;       # Pool of addresses to lease (9 addresses)
  option routers 192.168.1.1;           # Default router
}

Edit your /etc/rc.conf to allow the DHCP service to start. Listing only the internal interface keeps dhcpd from answering requests on the external side:

# Note: Change the 're0' line below to match your internal network interface
dhcpd_enable="YES"
dhcpd_ifaces="re0"

Check the configuration with `dhcpd -t -cf /usr/local/etc/dhcpd.conf`, then start the service:

/usr/local/etc/rc.d/isc-dhcpd start
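Once dhcpd is handing out addresses, the next thing you will want to see is who actually holds a lease. The shell functions below are an added example, not from the post: `active_leases` parses dhcpd’s leases file, keeps only the latest entry per address as dhcpd itself does (the file is append-only), and prints the active ones; `unknown_hosts` lists the active leases whose MAC is not in an allow-list file, a cheap way to notice a device you did not expect. The leases format is ISC dhcpd 3.x’s; the path /var/db/dhcpd/dhcpd.leases is an assumption about the FreeBSD port, and the leases file in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: read dhcpd's lease database.
# Assumes the ISC dhcpd 3.x leases format; /var/db/dhcpd/dhcpd.leases is
# an assumption about the FreeBSD port (check the rc script's dhcpd_leases).

# active_leases <leases-file>: "ip mac hostname ends" for every address whose
# most recent entry is in binding state active. dhcpd appends to the file, so
# a later entry for the same address supersedes an earlier one.
active_leases() {
    awk '
        /^lease[[:space:]]/              { ip = $2; mac = "-"; host = "-"; state = ""; ends = "-"; next }
        /^[[:space:]]*binding state/     { state = $3; sub(/;$/, "", state); next }
        /^[[:space:]]*hardware ethernet/ { mac = $3; sub(/;$/, "", mac); next }
        /^[[:space:]]*client-hostname/   { host = $2; gsub(/[";]/, "", host); next }
        /^[[:space:]]*ends/              { ends = $3 " " $4; sub(/;[[:space:]]*$/, "", ends); next }
        /^}/ {
            STATE[ip] = state; MAC[ip] = mac; HOST[ip] = host; ENDS[ip] = ends
            if (!(ip in SEEN)) { SEEN[ip] = 1; IPS[++n] = ip }
            next
        }
        END {
            for (i = 1; i <= n; i++)
                if (STATE[IPS[i]] == "active")
                    printf "%s %s %s %s\n", IPS[i], MAC[IPS[i]], HOST[IPS[i]], ENDS[IPS[i]]
        }
    ' "$1"
}

# unknown_hosts <leases-file> <allow-list>: active leases whose MAC is not
# listed (one MAC per line, any case) in the allow-list file.
unknown_hosts() {
    active_leases "$1" | awk -v list="$2" '
        BEGIN { while ((getline l < list) > 0) if (l != "") known[tolower(l)] = 1 }
        !(tolower($2) in known)
    '
}

# Demo on a constructed leases file: .5 was released again, .6 is still active.
_leases=$(mktemp); _allow=$(mktemp)
cat > "$_leases" <<'EOF'
lease 192.168.1.5 {
  starts 2 2008/06/10 14:22:01;
  ends 2 2008/06/10 15:22:01;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.1.6 {
  starts 2 2008/06/10 14:30:00;
  ends 2 2008/06/10 15:30:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
lease 192.168.1.5 {
  starts 2 2008/06/10 14:22:01;
  ends 2 2008/06/10 14:40:12;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
EOF
printf '00:11:22:33:44:55\n' > "$_allow"
echo "active:";  active_leases "$_leases"
echo "unknown:"; unknown_hosts "$_leases" "$_allow"
rm -f "$_leases" "$_allow"
```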

Mutt + Gmail IMAP

Please note that this page is not necessarily a “how-to”, but more of an example of my configuration decisions. At the time of this writing, I am using Mutt 1.5.18 (2008-05-17), the mail/mutt-devel port in the FreeBSD ports tree.

Problem:
You want to use the mail client mutt to access your Gmail account.

Solution:
Mutt needs to be compiled with IMAP, SMTP and OpenSSL support for this to work. If you already have mutt installed, you can check the build flags with the following command:

mutt -v

If you do not see the options:

+USE_IMAP  +USE_SMTP +USE_SSL_OPENSSL

you will need to recompile mutt.

Compiling Mutt with IMAP, SMTP, OpenSSL Support in FreeBSD:
In FreeBSD, to compile mutt with the required options:

cd /usr/ports/mail/mutt-devel
make -DWITH_MUTT_IMAP \
 -DWITH_MUTT_IMAP_HEADER_CACHE \
 -DWITH_MUTT_SMTP \
 -DWITH_MUTT_CYRUS_SASL2 \
 install clean

Explanations:

  • The WITH_MUTT_IMAP option enables IMAP server connectivity.
  • The WITH_MUTT_IMAP_HEADER_CACHE option saves mail headers locally, so folders open faster on later visits; especially useful if you use Gmail for mailing lists.
  • The WITH_MUTT_SMTP option lets mutt deliver through an SMTP server directly. It is not required if you only read mail, or if you hand outgoing mail to a local mail server.
  • The WITH_MUTT_CYRUS_SASL2 option provides the SASL authentication mechanisms (PLAIN/LOGIN) that Gmail’s SMTP server requires once the STARTTLS session is up; the TLS itself comes from the OpenSSL support. It is required if you plan to send mail with mutt through Gmail.

Configuring Your ~/.muttrc:
As with all other mutt tricks, you need to edit your ~/.muttrc file to get IMAP/SMTP connectivity. My sample configuration is provided here:

set spoolfile = imaps://imap.gmail.com:993/INBOX        # Default to the inbox
set folder = "imaps://imap.gmail.com:993/"              # Connect to IMAP over SSL
set imap_user = 'my_username@gmail.com'                 # User name
set imap_pass = 'my_secret_password'                    # Password (see the note below on keeping it out of this file)
set smtp_url="smtp://my_username@smtp.gmail.com:587/"   # SMTP submission port; STARTTLS is negotiated
set smtp_pass = 'my_secret_password'                    # Password
set ssl_force_tls=yes                                   # Never send credentials unless TLS came up
set postponed="imaps://imap.gmail.com/[Gmail]/Drafts"   # Save 'postponed' mail to Drafts
set mail_check=300                                      # Check for new mail every 5 minutes
set imap_check_subscribed="yes"                         # Check 'subscribed' folders only
set imap_list_subscribed="yes"                          # List only 'subscribed' folders
set header_cache="~/.mutt/msgcache"                     # Location to save cached mail headers
set message_cachedir="~/.mutt/cache/bodies"             # Location to save cached mail bodies
set certificate_file="~/.mutt/certs"                    # Where mutt stores server certificates you accepted
set timeout=60                                          # Wait at most a minute for a key before checking mail
macro index,pager y "<change-folder>?"                  # Press 'y' to open the folder browser
bind browser y exit                                     # Press 'y' again to leave it

Some options in my sample ~/.muttrc file may seem a bit odd at first, but after reading the sections below they should become clearer. If not, please use the contact form and let me know what was unclear, or how I could improve this tutorial.

Two points about the file itself. The two password lines are its weak point: anyone who can read ~/.muttrc has your Gmail account, so keep the file mode 600, or move the `set imap_pass` and `set smtp_pass` lines into a file you encrypt with gpg and load them with `source "gpg -d ~/.mutt/passwords.gpg |"` (mutt runs a command whose name ends in a pipe and reads its output). And on the first connection mutt asks you to accept the server certificate and saves it in certificate_file; compare the fingerprint it shows before accepting rather than pressing ‘a’ reflexively.
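Two small checks, added as an example and not part of the post: `mutt_build_ok` parses the output of `mutt -v` for the three compile options needed above and names the mutt-devel port option to rebuild with (the option name for OpenSSL support is an assumption; the other two are from the post), and `muttrc_secrets_ok` refuses a ~/.muttrc that carries a password in plain text or is readable by other users. The `mutt -v` text and the muttrc files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes mutt's "+USE_IMAP"
# style feature listing in `mutt -v`; WITH_MUTT_SSL as the port option for
# OpenSSL support is an assumption. stat(1) is tried in GNU form, then FreeBSD form.

# mutt_build_ok <text of mutt -v>: 0 when IMAP, SMTP and OpenSSL are compiled
# in; otherwise reports what is missing and returns 1.
mutt_build_ok() {
    _missing=0
    for _pair in USE_IMAP:WITH_MUTT_IMAP USE_SMTP:WITH_MUTT_SMTP USE_SSL_OPENSSL:WITH_MUTT_SSL; do
        _feat=${_pair%%:*}; _opt=${_pair#*:}
        # -w: "+USE_IMAP" must be a whole word, so "-USE_IMAP" does not count
        if ! printf '%s\n' "$1" | grep -qw -e "+$_feat"; then
            echo "missing $_feat (rebuild mail/mutt-devel with -D$_opt)" >&2
            _missing=1
        fi
    done
    return $_missing
}

# muttrc_secrets_ok <muttrc>: 1 if a password is written into the file itself
# (set imap_pass / smtp_pass = ...) or the file is readable by others.
muttrc_secrets_ok() {
    _rc=0
    if grep -Eq '^[[:space:]]*set[[:space:]]+(imap|smtp)_pass[[:space:]]*=' "$1"; then
        echo "$1 stores a password in the clear; move it to a file mutt decrypts at start-up:" >&2
        echo '    source "gpg -d ~/.mutt/passwords.gpg |"' >&2
        _rc=1
    fi
    _m=$(stat -c '%a' "$1" 2>/dev/null) || _m=$(stat -f '%Lp' "$1")
    case "$_m" in
        *00) ;;
        *)   echo "$1 is mode $_m; run chmod 600 $1" >&2; _rc=1 ;;
    esac
    return $_rc
}

# Demo with a constructed `mutt -v` excerpt and a constructed muttrc:
_v='Mutt 1.5.18 (2008-05-17)
Compile options:
-USE_IMAP  +USE_SMTP +USE_SSL_OPENSSL -USE_SSL_GNUTLS'
mutt_build_ok "$_v" || true
_rc=$(mktemp)
printf "set imap_user = 'my_username@gmail.com'\nset imap_pass = 'my_secret_password'\n" > "$_rc"
muttrc_secrets_ok "$_rc" || true
rm -f "$_rc"
```

In practice: `mutt_build_ok "$(mutt -v)"` and `muttrc_secrets_ok ~/.muttrc`.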

Individual Preferences:
This is the part that gets a bit tricky. This is the part where you, the reader, are required to be creative. Here’s what I mean:

  • Gmail sees “Labels” as folders
  • Gmail uses its own “default” folder — [Gmail]
  • Labels exist outside of the [Gmail] folder

So, logically, the hierarchy would look as such:

[Gmail]
        /Inbox
        /Sent Mail
        /Drafts
Mutt-Users
Mutt-Devel
KDE-General
KDE-Devel
FreeBSD-Questions
FreeBSD-Stable
FreeBSD-Current
FreeBSD-PF
FreeBSD-Jails
School-Professors
School-Students
School-Clubs-CIS

Though this layout works perfectly fine, depending on how many labels you have it can get a bit cumbersome, even with header and body caching. The solution I found is to name labels in a Unix-like folder fashion. For instance, School-Clubs-CIS would then become School/Clubs/CIS, making the logical layout look like any other Unix directory tree:

[Gmail]
        /Inbox
        /Sent Mail
        /Drafts
Lists
        /Mutt
                /Users
                /Devel
        /KDE
                /General
                /Devel
        /FreeBSD
                /Questions
                /Stable
                /Current
                /PF
                /Jails
School
        /Professors
        /Students
        /Clubs
                /CIS

As I said, this is where you have to be creative. My solution here will not work for everyone, and I’m certain there are many naming conventions others will prefer.

By the way, this is where the ‘y’ in the ~/.muttrc file comes in — from the Inbox, pressing ‘y’ will take you to the folder list, where you can navigate through your folders.

Apache 2.2.x and PHP5 on FreeBSD

Problem:
You want to host PHP based sites on Apache 2.2.x.

Solution:
You have to:

  • Compile Apache
  • Configure PHP5 to build the Apache module
  • Compile PHP5
  • Edit /usr/local/etc/apache22/httpd.conf

Compiling Apache:
To compile apache, use the ports tree:

cd /usr/ports/www/apache22
make install clean

However, you do not have to compile apache from ports to use PHP:

pkg_add -r apache22

Configuring and Compiling PHP5:
To get the Apache module built, you do need to compile PHP from ports:

cd /usr/ports/lang/php5
make -DWITH_APACHE install clean

*Note: To get the php5 port to remember to build the apache module, use

make config; make install clean

rather than using the -DWITH_APACHE flag.

Editing httpd.conf:
The port’s apxs step adds a LoadModule line for libphp5.so to /usr/local/etc/apache22/httpd.conf; check that it is there, then edit the file to contain a section similar to the following:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>

Two cautions. The .phps line makes Apache display the source of any file with that extension, so leave it out on a production host. And an AddType keyed on an extension applies to every extension in a file name: a file uploaded as shell.php.xyz, where .xyz maps to nothing, is still executed as PHP. If the site accepts uploads, bind PHP execution to names that end in .php with `<FilesMatch "\.php$"> SetHandler application/x-httpd-php </FilesMatch>` instead of the AddType line.
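As an added check, not from the post: a shell function that looks over httpd.conf for the three PHP-related points above (the module is loaded, .phps source viewing is off, and PHP execution is bound to names ending in .php rather than to any name containing .php). Directive names are Apache 2.2’s and mod_php5’s; the httpd.conf fragments it runs on are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: look over httpd.conf for the
# PHP handler setup. Assumes Apache 2.2 / mod_php5 directive names.

# php_handler_audit <httpd.conf>: returns 1 if PHP is mapped by extension
# (AddType), if .phps source viewing is on, or if the module is not loaded.
php_handler_audit() {
    _rc=0
    _body=$(sed 's/#.*$//' "$1")          # ignore commented-out directives
    if ! printf '%s\n' "$_body" | grep -q 'LoadModule[[:space:]]*php5_module'; then
        echo "no LoadModule php5_module line: .php files would be served as text" >&2; _rc=1
    fi
    if printf '%s\n' "$_body" | grep -q 'x-httpd-php-source'; then
        echo ".phps source viewing is enabled: anyone can read the source of such files" >&2; _rc=1
    fi
    if printf '%s\n' "$_body" | grep -Eq 'AddType[[:space:]]+application/x-httpd-php[[:space:]]'; then
        echo 'AddType maps PHP by extension: shell.php.xyz (unknown last extension) still runs as PHP;' >&2
        echo 'use <FilesMatch "\.php$"> SetHandler application/x-httpd-php </FilesMatch> instead' >&2
        _rc=1
    fi
    return $_rc
}

# Demo on a constructed httpd.conf with the three findings:
_demo=$(mktemp)
cat > "$_demo" <<'EOF'
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>
EOF
php_handler_audit "$_demo" || true
rm -f "$_demo"
```

Run `php_handler_audit /usr/local/etc/apache22/httpd.conf` after editing and before `apachectl restart`.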

Higher Console Resolution in FreeBSD

By default, FreeBSD’s console runs in 80×25 text mode. For people who spend their time at the command line this is cramped. To get a higher console resolution you have to recompile your kernel.
Please note that SC_PIXEL_MODE, which this needs, renders the console through a VESA graphics mode and is noticeably more CPU intensive; on a laptop this can shorten battery life considerably.

Add to the YOURKERNELNAME configuration file before compiling:

options		VESA
options		SC_PIXEL_MODE

After compiling a new kernel with the above parameters, reboot. Next, get a list of supported console resolutions:

vidcontrol -i mode | less

Add the following to the /etc/rc.conf file:

allscreens_flags="MODE_XXX"

where “XXX” is a resolution mode from your `vidcontrol -i mode` output.

OpenBSD Packet Filter (PF)

Introduction:
PF, or Packet Filter, is the integrated firewall used to manage network traffic. /etc/pf.conf is divided into sections that must appear in a fixed order (pfctl rejects a file with rules out of order). In order, these sections are:

  • Macros
  • Tables
  • Options
  • Normalization
  • Queueing
  • NAT/Redirection (translation)
  • Filter Rules

Tables and queueing are not used in this example.

Example /etc/pf.conf files can be found in /usr/share/examples/pf/.

Macros:
Macros are user-defined variables that replace strings elsewhere in the PF config file. A macro must be defined before it is used.
Sample macro section:

ext_if="em0"
int_if="re0"
lan="10.0.0.0/8"
server="10.0.0.10"                  # example value: the LAN host that receives redirected ports
tcp_services="{ 22, 80, 443 }"      # example value: the TCP ports redirected to and allowed into $server
bad_sites="{ myspace.com, wikipedia.org }"
good_sites="{ freebsd.org, openbsd.org }"

* Note the names of the macros in this section, as they are referenced throughout the rest of this page. The two hostname lists are resolved to addresses once, when the ruleset is loaded, and are not used by the rules below.
In this example:

  • ext_if is the external interface, or the interface connected to the internet
  • int_if is the internal interface, or the interface connected to the LAN
  • lan is the LAN network ID
  • server is the internal host that inbound connections are redirected to
  • tcp_services are the TCP ports redirected to that host
  • bad_sites are sites we do not want to allow access to
  • good_sites are sites that we want to explicitly allow access to

Options:
Options tell PF how to handle certain traffic.
Sample option section:

set block-policy return         # Answer blocked packets with TCP RST / ICMP unreachable ("drop" is the quieter default)
set loginterface $ext_if        # Collect per-interface packet and byte counters, shown by pfctl -s info

Normalization:
Packet normalization reassembles fragments and cleans up ambiguous packets before the filter sees them, so the filter and the hosts behind it interpret each packet the same way.
Sample normalization section:

scrub in all            # Normalize all incoming traffic

NAT/Redirection:
Network Address Translation and packet redirection rules are configured in the NAT/RDR section.
Sample NAT/RDR section:

# Perform NAT from any LAN client to any destination on the external NIC
nat on $ext_if from $lan to any -> ($ext_if)

# Redirect incoming connections on the allowed TCP ports to the services server
# (the destination port is kept as it is)
rdr on $ext_if proto tcp from any to $ext_if port $tcp_services -> $server

Filter Rules:
The filter section of /etc/pf.conf is where the actual packet filtering rules are configured. PF evaluates filter rules from top to bottom and the last matching rule wins, unless a rule says “quick”. Translation happens before filtering, so a packet that was redirected above reaches the filter addressed to $server, not to $ext_if, and the pass rule has to say so. A line continued with a backslash cannot carry a trailing comment, so the comments sit above the rule.
Sample filter section:

block in                                # Block all incoming traffic by default
pass out quick on $ext_if keep state    # Allow all outgoing traffic on the external NIC, keeping state
pass quick on lo0                       # Do not filter the loopback interface
# Allow incoming TCP from anywhere, on the external NIC, to the redirected
# services on $server, allowed ports only, keeping TCP state
pass in on $ext_if proto tcp from any to $server port $tcp_services \
        flags S/SA keep state
pass in on $int_if keep state           # Pass in all traffic from LAN clients
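Macros that are used but never defined are the most common reason a pf.conf fails to load, and `pfctl -nf` typically stops at the first error. The following shell function (an added example, not part of the post) reports every `$name` in a pf.conf that has no earlier `name=` definition, which also catches a typo such as `$extif` for `$ext_if`. The rulesets it runs on are constructed, the first deliberately missing the server and tcp_services macros. Run `pfctl -nf /etc/pf.conf` afterwards for the full syntax check before loading the ruleset with `pfctl -f`.

```shell
#!/bin/sh
# Added example, not from the original post: find macros used in a pf.conf
# without an earlier definition. Assumes the pf.conf macro syntax name="value"
# and $name references; comments start with '#'.

# pf_macro_check <pf.conf>: prints one line per undefined macro, returns 1 if any
pf_macro_check() {
    awk '
        /^[[:space:]]*#/ { next }
        # a definition: name = ... at the start of a line (recorded before the
        # same line is scanned, so name="$name" style self-reference is fine)
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {
            name = $0; sub(/^[[:space:]]*/, "", name); sub(/[[:space:]]*=.*/, "", name)
            defined[name] = NR
        }
        {
            line = $0; sub(/#.*$/, "", line)
            while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                ref = substr(line, RSTART + 1, RLENGTH - 1)
                if (!(ref in defined) && !(ref in reported)) {
                    printf "line %d: macro $%s is used but never defined\n", NR, ref
                    reported[ref] = 1; bad = 1
                }
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Demo on a constructed ruleset that forgot two macros and misspelled a third:
_demo=$(mktemp)
cat > "$_demo" <<'EOF'
ext_if="em0"
int_if="re0"
lan="10.0.0.0/8"
set loginterface $ext_if
nat on $ext_if from $lan to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_if port $tcp_services -> $server
pass in on $extif proto tcp from any to $server port $tcp_services keep state
EOF
pf_macro_check "$_demo" || true
rm -f "$_demo"
```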
