Dancing Kayak - FreeBSD - After Performing a New Installation

Here's what to do after performing a new installation of FreeBSD on a machine. These notes were written against FreeBSD 4.9; device names, port names and rc.conf variables differ on later releases, so check the relevant man pages if you are on something newer.

Edit System Configuration Files

Edit /etc/resolv.conf to include all name servers

Check /etc/host.conf to choose the order in which the resolver performs name lookups (the hosts file first, then BIND name servers, is the standard order).

Setting up Randomization

Edit /etc/rc.conf to tell the kernel which interrupts feed /dev/random. See http://people.freebsd.org/~dougb/randomness.html for more details. The basics include:

  1. # egrep -i irq /var/run/dmesg.boot
  2. Look for and record the IRQ numbers associated with
  3. Run rndcontrol -s ## for each IRQ in the above list, substituting ## for the IRQ number
  4. Edit /etc/rc.conf to add this line: rand_irqs="your list of IRQs, separated by single spaces"
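As an added example (not part of the original page), the following script automates steps 1 to 4: it pulls the IRQ numbers out of dmesg.boot for the devices you name, prints the matching rand_irqs line for /etc/rc.conf, and can run rndcontrol for each of them. The dmesg lines inside sample_dmesg are constructed for illustration, and the choice of fxp0, ahc0, atkbd0 and psm0 in the usage line is only an example of which devices to pick; your own device names and the selection advice on the page linked above apply.

```shell
#!/bin/sh
# randirqs.sh: pick the IRQs to feed /dev/random from /var/run/dmesg.boot.
# Added example, not the page's own procedure. The dmesg lines in
# sample_dmesg are constructed for illustration; device names such as fxp0
# or ahc0 are whatever your own dmesg.boot shows.

# sample_dmesg: a constructed excerpt in the FreeBSD 4.x dmesg.boot format.
sample_dmesg() {
    cat << 'EOF'
fxp0: <Intel Pro 10/100B/100+ Ethernet> port 0xd800-0xd83f mem 0xe0000000-0xe00fffff irq 11 at device 8.0 on pci0
ahc0: <Adaptec 2940 Ultra SCSI adapter> port 0xd000-0xd0ff mem 0xe0100000-0xe0100fff irq 10 at device 9.0 on pci0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on isa0
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ata0: at 0x1f0 irq 14 on atapci0
EOF
}

# dev_irqs [DEV ...]: read dmesg.boot on stdin and print the IRQ numbers of
# the named devices (every device if none are named), sorted and unique,
# on one space-separated line. Matches "irq" in any case, like egrep -i.
dev_irqs() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        {
            dev = $1; sub(/:$/, "", dev)
            if (n > 0 && !(dev in keep)) next
            for (i = 1; i < NF; i++)
                if (tolower($i) == "irq") {
                    v = $(i + 1); sub(/[^0-9].*/, "", v)
                    if (v != "") print v
                }
        }' | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# rand_irqs_line [DEV ...]: the line to add to /etc/rc.conf.
rand_irqs_line() {
    printf 'rand_irqs="%s"\n' "$(dev_irqs "$@")"
}

# apply_irqs [DEV ...]: run rndcontrol -s for each chosen IRQ now, without
# waiting for a reboot.
apply_irqs() {
    for irq in $(dev_irqs "$@"); do
        rndcontrol -s "$irq" || return 1
    done
}

# Usage: ./randirqs.sh fxp0 ahc0 atkbd0 psm0 < /var/run/dmesg.boot
if [ $# -gt 0 ]; then
    rand_irqs_line "$@"
fi
```

Run it with the device names you want on the command line and dmesg.boot on standard input; paste the printed line into /etc/rc.conf and call apply_irqs with the same names to start using those interrupts immediately.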

Setting up an NTP server

This wasn't the easiest thing to figure out for a beginner FreeBSD system administrator. Here's what to do:

  1. Create the file /etc/ntp.conf with the following entries
  2. Add the following lines to /etc/rc.conf
  3. touch /var/log/ntp.log
  4. I read that it was necessary to add the following three options to your kernel configuration file, but I've only got the first two and NTP is working anyway
  5. Invoke /usr/sbin/ntpd with the above options, or wait until you reboot. You don't have to put it in the background - it will do that on its own.
  6. Open a (root) terminal window (if you are in X) and run tcpdump udp port 123 to watch the packets go between your machine and your selected time server.
  7. Run (as root) ntpq and type the commands associations and peers to watch the relationship develop over a period of around 15 minutes. Type exit or quit to exit ntpq.

The main thing that got me in the weeds for a while was not realizing that for every server (or other such role) entry you put in your ntp.conf file, you must create a restrict entry specifying access control for that machine. This applies when you put a restrict default ignore directive in your configuration file, which is the sensible choice from a security standpoint: a default-deny stance, with later restrict directives opening access for specific IP addresses and/or ranges. Under that default, ntpd discards every packet from a source without its own restrict line, replies from your chosen time servers included, so the association never forms and the daemon never synchronizes. This access control specification is in effect a firewall for your ntp daemon, and you must poke holes in it for your desired servers and clients.

You must use a single IP address or IP range (with netmask), not a DNS-resolvable name, in each restrict directive.
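As an added example, not the page's own configuration, here is a script that generates an ntp.conf following the default-deny pattern described above, emitting a restrict line for every server line so that no server is silently ignored, and a checker you can run against an existing /etc/ntp.conf to find server entries without one. The driftfile and logfile paths, the restrict flags chosen for the servers, and the documentation addresses used in the test are assumptions.

```shell
#!/bin/sh
# mkntpconf.sh: generate /etc/ntp.conf with a default-deny restrict policy
# and one hole per time server. Added example, not the page's own script.
# Assumed: the driftfile/logfile paths below, the restrict flags for each
# server, and that servers are given as IPv4 addresses (the restrict
# directive takes addresses, not names).

# is_ipv4 STRING: succeed if STRING is a dotted-quad IPv4 address.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ntp_conf SERVER_IP...: print a complete ntp.conf on stdout.
# Every server line gets a matching restrict line; without it,
# "restrict default ignore" also discards that server's replies.
gen_ntp_conf() {
    cat << 'EOF'
# generated by mkntpconf.sh
driftfile /var/db/ntp.drift
logfile /var/log/ntp.log

# default deny: nobody may query, modify or sync from us unless listed below
restrict default ignore
restrict 127.0.0.1
EOF
    for s in "$@"; do
        if ! is_ipv4 "$s"; then
            echo "$s: restrict needs an IP address, not a host name" >&2
            return 1
        fi
        echo ""
        echo "server $s"
        # accept time from it, but let it neither alter nor query our state
        echo "restrict $s nomodify notrap noquery"
    done
}

# check_restricts FILE: list every server in FILE that lacks a restrict line;
# succeed only if there are none. Run it against the live /etc/ntp.conf.
check_restricts() {
    awk '
        $1 == "server"   { srv[$2] = 1 }
        $1 == "restrict" { res[$2] = 1 }
        END {
            bad = 0
            for (s in srv)
                if (!(s in res)) { print "no restrict line for server " s; bad = 1 }
            exit bad
        }' "$1"
}

# Usage: ./mkntpconf.sh gen 192.0.2.1 198.51.100.7 > /etc/ntp.conf
#        ./mkntpconf.sh check /etc/ntp.conf
case "${1:-}" in
    gen)   shift; gen_ntp_conf "$@" ;;
    check) check_restricts "${2:-/etc/ntp.conf}" ;;
esac
```

After writing the file, the ntpq associations and peers commands from step 7 are still the way to confirm that each server actually reaches the synchronized state; check_restricts only catches the configuration mistake, not a server that is down.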

Prepare SCSI devices

If you have more than 4 SCSI devices, see the section on MAKEDEV to ensure all are available

Prepare for System Backups (for SCSI systems)

Install the sysutils/cdrtools port

Install the sysutils/mkisofs port (depends on cdrtools)

Perform System Backups

Back up the root partition using dump, as recommended by the FreeBSD Handbook. The dump holds /etc/master.passwd and every other root-only file, so set umask 077 before creating it (dump honours the umask) and treat the burned disc as sensitive.

  1. dump -0ua -f /tmp/root0 /
  2. mkisofs -o /tmp/root0.iso /tmp/root0
  3. cdrecord dev=0,#,0 speed=## driveropts=### /tmp/root0.iso, where # is the SCSI ID of the CD writer, ## is the write speed, and ### are the driver options your writer supports (such as burnfree)
  4. mount -t cd9660 /dev/cd1c /cdrom (the device node depends on which SCSI CD-ROM unit your writer is)
  5. diff /tmp/root0 /cdrom/root0 (no output means the burned copy is identical to the dump)
  6. umount /cdrom
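As an added example, not the page's own script, here is the backup sequence above wrapped in a script with the checks a practitioner would want: a restrictive umask before the dump, each step stopping on failure, and a byte-for-byte comparison of the burned copy. The SCSI ID, write speed, driver option and CD device node are assumed values for illustration and must be adjusted to your hardware; /tmp has to hold both the dump and the ISO image.

```shell
#!/bin/sh
# root-backup.sh: dump the root file system to a CD and verify the copy.
# Added example, not the page's own script. Assumed values: the CD writer is
# SCSI ID 4 (dev=0,4,0), it burns at 4x with burnfree, and the burned disc
# shows up as /dev/cd1c. Adjust all three for your hardware.

work=/tmp/root0
cdrecord_dev=0,4,0
cdrecord_speed=4
cd_dev=/dev/cd1c

# The dump holds /etc/master.passwd and every other root-only file, so make
# sure the working copies are not world-readable (dump honours the umask).
umask 077

# same_contents A B: succeed only if the two files are byte-for-byte equal.
# cmp stops at the first difference, which makes verification cheap.
same_contents() {
    cmp -s "$1" "$2"
}

# dump_root: level-0 dump of / to $work, recorded in /etc/dumpdates (-u).
dump_root() {
    dump -0ua -f "$work" /
}

# burn: wrap the dump in an ISO image and burn it.
burn() {
    mkisofs -o "$work.iso" "$work" &&
    cdrecord dev="$cdrecord_dev" speed="$cdrecord_speed" \
        driveropts=burnfree "$work.iso"
}

# verify: mount the disc and compare the burned copy with the original.
verify() {
    mount -t cd9660 "$cd_dev" /cdrom || return 1
    if same_contents "$work" /cdrom/root0; then
        status=0
    else
        echo "burned copy of $work differs from the original" >&2
        status=1
    fi
    umount /cdrom
    return $status
}

# Usage (as root): ./root-backup.sh run
# The local copies are removed only after the disc has verified.
case "${1:-}" in
    run) dump_root && burn && verify && rm -f "$work" "$work.iso" ;;
esac
```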

Customize and Rebuild Kernel

Configure the kernel to support all the devices and options you need, removing what you don't want

  1. set CPUTYPE in /etc/make.conf (see /etc/defaults/make.conf)
  2. mkdir /usr/src/sys/i386/conf/RCS
  3. create the kernel configuration file by executing cp GENERIC yourHostName in /usr/src/sys/i386/conf, where yourHostName should be replaced by the host name of your machine
  4. ci -u yourHostName
  5. co -l yourHostName
  6. edit the kernel configuration file, possibly adding appropriate options from the LINT file
  7. config yourHostName
  8. cd ../../compile/yourHostName
  9. make depend && make all install

Completing Firewall Support

  1. Add the IPFILTER options to the kernel configuration file (in this file they go between the "*** Options from LINT ***" and "*** Back to original file ***" markers)
  2. Create /etc/ipf.rules with the firewall rules you want
  3. Add the following entries to /etc/rc.conf (see man rc.conf and /etc/defaults/rc.conf for more info)
  4. Rebuild the kernel as above (make depend && make all install) and reboot into it

The entries in /etc/rc.conf and /etc/defaults/rc.conf tell the OS to load your firewall rules when booting. /etc/ipf.rules is the default name for the IPFilter rules file.

Modifying IPFilter Rules via a Script

IPFilter rule files have no variables of their own. It would be nice to have names for the DNS servers used, for other IP addresses, or for interface names, and you can get that by generating the rules file from a shell script that starts off something like this.

    #!/bin/sh
    # ipf.rules.script IPFilter configuration rules file builder.
    # Originally from FreeBSD handbook page on IPFilter.
    # Run as root; the here document below rewrites /etc/ipf.rules in place.

    # Symbolic fields

    ispdns1="IP of DNS"
    ispdns2="IP of DNS"
    localnetwork="your local network base address with a .0 at the end"
    outif="the name of the network interface used for external access"

    # Rebuild ipf.rules (the unquoted EOF delimiter keeps $variable expansion on)
    cat > /etc/ipf.rules << EOF

The remainder of the script file is the body of the here document: the rules, written with the shell's variable substitution ($ispdns1, $outif and so on), followed by a line containing only EOF to terminate it. Because the delimiter after << is unquoted, the shell expands those variables when the file is rebuilt; quoting it ('EOF') would switch that off.

To update the firewall rules in the kernel, run the following as root

  1. sh /etc/ipf.rules.script to build /etc/ipf.rules
  2. ipf -Fa to remove the existing inbound and outbound rules
  3. ipf -f /etc/ipf.rules to load the new rules

Between steps 2 and 3 the kernel runs with no rules loaded at all: it passes everything unless the kernel was built with IPFILTER_DEFAULT_BLOCK, in which case it blocks everything, your own session included. When that window matters, load the new set into IPFilter's inactive list and swap it in instead (ipf -I -Fa -f /etc/ipf.rules followed by ipf -s).
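As an added example that serves both the script sketch above and the reload procedure (it is not the page's own ipf.rules.script), here is a complete rule builder with a small illustrative rule set, plus a loader that uses IPFilter's inactive rule set so the kernel is never left without rules between the flush and the load. The addresses, the interface name fxp0 and the rules themselves are assumptions, and localnetwork is given in CIDR form rather than as a bare .0 address.

```shell
#!/bin/sh
# ipf.rules.script (example, not the page's own script): builds
# /etc/ipf.rules from a few symbolic names, then loads the result
# atomically via IPFilter's inactive rule set.
#
# Assumed values; replace with your own.
ispdns1="192.0.2.10"
ispdns2="192.0.2.11"
localnetwork="192.168.1.0/24"
outif="fxp0"

rules_file="${RULES_FILE:-/etc/ipf.rules}"

# build_rules FILE: write the expanded rule set to FILE. The unquoted EOF
# lets the shell substitute the variables above into the rules.
build_rules() {
    cat > "$1" << EOF
# generated by ipf.rules.script; do not edit by hand
# loopback is unrestricted
pass in quick on lo0 all
pass out quick on lo0 all

# drop packets arriving from outside that claim a local source address
block in quick on $outif from $localnetwork to any

# DNS: only the ISP's resolvers may be asked
pass out quick on $outif proto udp from any to $ispdns1 port = 53 keep state
pass out quick on $outif proto udp from any to $ispdns2 port = 53 keep state

# everything else outbound is allowed, stateful, so replies get back in
pass out quick on $outif proto tcp from any to any flags S keep state
pass out quick on $outif proto udp from any to any keep state
pass out quick on $outif proto icmp from any to any keep state

# default deny inbound, logged
block in log quick on $outif all
EOF
}

# count_rules FILE: number of non-comment, non-blank lines, a sanity check
# that substitution did not produce an empty or truncated rule set.
count_rules() {
    grep -c -v -e '^#' -e '^$' "$1"
}

# load_rules FILE: flush and fill the inactive set (-I), then swap it in
# (-s), so the kernel never runs without rules. A plain "ipf -Fa" followed
# by "ipf -f" leaves a window in which nothing is loaded.
load_rules() {
    ipf -I -Fa -f "$1" && ipf -s
}

# Usage (as root): ./ipf.rules.script build   (only rewrite the file)
#                  ./ipf.rules.script load    (rewrite and activate)
case "${1:-}" in
    '')    ;;
    build) build_rules "$rules_file" ;;
    load)  build_rules "$rules_file" && load_rules "$rules_file" ;;
    *)     echo "usage: $0 build|load" >&2 ;;
esac
```

Set RULES_FILE to a scratch path to preview the generated rules before touching /etc/ipf.rules, and check count_rules against the number you expect after editing the here document.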
