Floe
Latest revision as of 16:33, 6 August 2005
Install
Burn the FreeBSD 5.4 ISO and boot from it.
Installer
- Standard
- Delete existing partitions
- "a" to use the entire disk
- Standard - no boot manager
- A - auto defaults for partitions
- "User" installation set
- "Yes" to ports
- CD / DVD install
- Yes to proceed with installation
Initial configuration with sysinstall
- Can be run again later with:
/usr/sbin/sysinstall
- Yes to create ethernet device
- No to IPv6
- No to DHCP
- Configure as desired
- Yes to bring it up
- Yes to function as a gateway (this sets gateway_enable="YES" in /etc/rc.conf, i.e. IP forwarding; from the next boot the box forwards between its interfaces before any filter rules exist, see the NAT section)
- No to configure inetd
- Yes to enable SSH
- No to FTP
- No to NFS
- No to NFS client
- No to customize console settings
- Yes to set time zone
- No to "CMOS clock set to UTC" (the usual answer on a PC)
- 2 for America
- 45 - United States
- 16 - Pacific time
- Yes to PDT (or as applicable)
- Yes to Linux binary compatibility (optional; it loads linux.ko, which a gateway does not need)
- No to mouse
- No to browse ports
- Yes to add user account, configure as desired (this is the account you will ssh in as; sshd refuses root logins by default, leave it that way)
- Set the root password
- No to general config menu
- Exit install, remove CD
Ports
Updating Ports with cvsup
- Install the cvsup port
floe# cd /usr/ports/net/cvsup-without-gui
floe# make install clean
- As root:
cp /usr/share/examples/cvsup/ports-supfile ~
Edit the ports-supfile:
- Set *default host= to a nearby mirror, such as freebsd.isc.org
- Comment out ports-all and uncomment the collections you want, or leave ports-all as it is for maximum safety (no missing dependencies, etc.)
Update:
cvsup -g -L 2 /root/ports-supfile
Be aware that cvsup fetches the tree over plain TCP with no signature or checksum on what it delivers, so you are trusting the mirror and the path to it. The portsnap port (sysutils/portsnap at the time; part of the base system from FreeBSD 6.0) fetches signed snapshots of the ports tree instead.
Automating port upgrades
This is probably a good idea: the last thing you want is a serious sshd vulnerability while you are out of the country. On the other hand, it is a leap of faith that an unattended portupgrade won't leave you with broken dependencies after some odd change or build failure, so actually read the mail cron sends to root. We'll cron a cvsup to keep the ports tree current, and use a tool called portupgrade to upgrade our installed ports.
Install portupgrade
cd /usr/ports/sysutils/portupgrade
make install clean
Create a package database for portupgrade
pkgdb -u
Run portupgrade
portupgrade -a
Create a script to do it all for us. I'll call it /root/upgrade.sh (chmod 700, it runs as root):
#!/bin/sh
# /root/upgrade.sh - sync the ports tree and upgrade installed ports.
# Abort on the first failure so we never build from a half-synced tree.
set -e
# Synchronize the ports collection, using fastest_cvsup to pick the quickest CVSup server
FASTEST_CVSUP=`fastest_cvsup -Q -c us`; echo "$FASTEST_CVSUP"
/usr/local/bin/cvsup -g -L 2 -h "$FASTEST_CVSUP" /root/ports-supfile
# Update the ports INDEX database
/usr/local/sbin/portsdb -Uu
# List the installed ports which need upgrading (cron mails this to root)
/usr/local/sbin/portversion -l "<"
# Upgrade the installed ports
/usr/local/sbin/portupgrade -a
Add it to cron. Note that crontab FILE replaces root's whole crontab, so check crontab -l first (or use crontab -e):
echo "20 4 * * 7 /root/upgrade.sh" > mycron
crontab mycron
Set up a forward for root so cron's output (the portversion list and any build failure) reaches you:
echo "foo@you.com" > /root/.forward
Ports I like
- screen - a no brainer
- mtr - nice traceroute / ping tool
- ntraceroute - use the -A flag to see AS numbers for each hop
- bash, zsh
- fastest_cvsup
- ifstat - per-interface bandwidth stats
- sudo
Networking
Interface Configuration
Bring the additional interface up and verify. Use the inet and netmask keywords: passing the mask as a bare second address sets it as the broadcast address instead and leaves the default 10/8 mask (0xff000000) in place.
root@floe[/root]ifconfig fxp0 inet 10.0.1.1 netmask 255.255.255.0
root@floe[/root]ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
inet6 fe80::2a0:c9ff:fedb:5100%fxp0 prefixlen 64 scopeid 0x2
ether 00:a0:c9:db:51:00
media: Ethernet autoselect (100baseTX)
status: active
Make it persistent in /etc/rc.conf:
ifconfig_fxp0="inet 10.0.1.1 netmask 255.255.255.0"
DHCP Server
- Install /usr/ports/net/isc-dhcp3-server
- Configure /etc/dhcpd.conf as desired. My config:
# Configuration file for ISC dhcpd
# option definitions common to all supported networks...
option domain-name "dreness.com";
option domain-name-servers 64.81.79.2, 216.231.41.2;
default-lease-time 3600;
max-lease-time 86400;
authoritative;
ddns-update-style none;
# This is a very basic subnet declaration.
subnet 10.0.1.0 netmask 255.255.255.0 {
    range 10.0.1.10 10.0.1.20;
    option routers 10.0.1.1;
}
# Declare our public subnet so dhcpd doesn't whine
subnet 69.17.54.0 netmask 255.255.255.0 { }
Note that this hands clients the ISP's resolvers, so they will not see the casa.dre names served by named in the next section; point domain-name-servers at 10.0.1.1 (and domain-name at casa.dre) if you want that. The empty public subnet declaration is only needed because dhcpd listens on every interface; restricting it to fxp0 is better, since then it never answers on the public side.
- Start dhcpd at boot, e.g. from /etc/rc.local:
#dhcpd at boot up
/usr/local/sbin/dhcpd
The rc.d script the port installs is cleaner: with dhcpd_enable="YES" and dhcpd_ifaces="fxp0" in /etc/rc.conf it starts on the inside interface only, and its dhcpd_chuser_enable and dhcpd_chroot_enable knobs drop root and chroot the daemon (check the script's header for the exact variable names in your version).
DNS Server
- We'll use a DNS server (BIND, in the base system) to provide hostnames for our local 10-net.
cd /etc/namedb
sh make-localhost
- Configure /etc/namedb/named.conf
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    listen-on { 127.0.0.1; 10.0.1.1; };
    forward only;
    forwarders { 64.81.79.2; 216.131.41.2; };
};
zone "." {
    type hint;
    file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "master/localhost.rev";
};
// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
    type master;
    file "master/localhost-v6.rev";
};
// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
    type master;
    file "master/localhost-v6.rev";
};
zone "casa.dre" {
    type master;
    file "master/casa.dre";
};
zone "1.0.10.in-addr.arpa" {
    type master;
    file "master/1.0.10.in-addr.arpa";
};
named listens on the loopback and inside addresses only, so nothing on the public side can use it as an open resolver; adding allow-recursion { 127.0.0.1; 10.0.1.0/24; }; to the options block makes that explicit whatever the interfaces do later. The second forwarder is written 216.131.41.2 here and 216.231.41.2 in dhcpd.conf above; use whichever your ISP actually gave you.
- Forward zone (master/casa.dre). ns1 gets an A record rather than a CNAME, because the target of an NS record must not be an alias (RFC 2181):
$TTL 3600
casa.dre. IN SOA floe.casa.dre. dre.mac.com. (
    2005080601 ; Serial
    10800 ; Refresh
    3600 ; Retry
    604800 ; Expire
    86400 ) ; Minimum TTL
@ IN NS ns1.casa.dre.
localhost IN A 127.0.0.1
floe IN A 10.0.1.1
@ IN A 10.0.1.1
ns1 IN A 10.0.1.1
$GENERATE 10-20 dhcp$ IN A 10.0.1.$
gw IN CNAME floe
- Reverse zone (master/1.0.10.in-addr.arpa):
$TTL 3600
1.0.10.in-addr.arpa. IN SOA floe.casa.dre. dre.mac.com. (
    2005080601 ; Serial
    10800 ; Refresh
    3600 ; Retry
    604800 ; Expire
    86400 ) ; Minimum TTL
@ IN NS ns1.casa.dre.
1 IN PTR floe.casa.dre.
$GENERATE 10-20 $ IN PTR dhcp$.casa.dre.
- Add to /etc/rc.conf:
named_enable="YES"
- Edit /etc/resolv.conf:
nameserver 127.0.0.1
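The forward and reverse zones are maintained by hand (a new host goes into both, and the $GENERATE ranges must match the dhcpd range), so they drift apart easily; a PTR that names a host which no longer has that address is the classic result. The script below is an added example, not part of the original page: it expands both zone files, $GENERATE lines included, and reports every A address without a PTR and every PTR whose target lacks a matching A record. The sample zone text it writes is constructed here (the page's two zones, with ns1 as an A record, plus a deliberately broken reverse zone); the origin casa.dre and the 10.0.1 prefix are hard-coded to match the page. Run it with no arguments to check the samples, or with the two real zone files.

```sh
#!/bin/sh
# zonecheck.sh - added example, not from the original page.
# Checks that the casa.dre forward zone and the 1.0.10.in-addr.arpa
# reverse zone agree: every A address has a PTR, and every PTR names a
# host that really has that address. Origin and prefix match the page.
ORIGIN=casa.dre
PREFIX=10.0.1

# Print "fqdn address" for every A record, expanding $GENERATE lines.
expand_forward() {
    awk -v origin="$1" '
    /^\$GENERATE/ {
        split($2, r, "-")
        for (i = r[1]; i <= r[2]; i++) {
            name = $3; addr = $6
            gsub(/\$/, i, name); gsub(/\$/, i, addr)
            print name "." origin, addr
        }
        next
    }
    $2 == "IN" && $3 == "A" && $1 != "localhost" {
        name = ($1 == "@") ? origin : $1 "." origin
        print name, $4
    }' "$2"
}

# Print "fqdn address" for every PTR record, expanding $GENERATE lines.
expand_reverse() {
    awk -v net="$1" '
    function emit(oct, target) {
        sub(/\.$/, "", target)        # PTR targets are absolute; drop the dot
        print target, net "." oct
    }
    /^\$GENERATE/ {
        split($2, r, "-")
        for (i = r[1]; i <= r[2]; i++) {
            oct = $3; tgt = $6
            gsub(/\$/, i, oct); gsub(/\$/, i, tgt)
            emit(oct, tgt)
        }
        next
    }
    $2 == "IN" && $3 == "PTR" { emit($1, $4) }' "$2"
}

# check_zones FORWARD REVERSE: return 0 if consistent, else list mismatches and return 1.
check_zones() {
    fwd=$(expand_forward "$ORIGIN" "$1" | sort -u)
    rev=$(expand_reverse "$PREFIX" "$2" | sort -u)
    rc=0
    for addr in $(printf '%s\n' "$fwd" | awk '{print $2}' | sort -u); do
        printf '%s\n' "$rev" | awk '{print $2}' | grep -qxF "$addr" \
            || { echo "no PTR for $addr"; rc=1; }
    done
    bad=$(printf '%s\n' "$rev" | while read -r name addr; do
        printf '%s\n' "$fwd" | grep -qxF "$name $addr" \
            || echo "PTR $addr -> $name has no matching A record"
    done)
    [ -z "$bad" ] || { echo "$bad"; rc=1; }
    return $rc
}

# Constructed sample zones: the page's two zones and a broken reverse zone.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/casa.dre" <<'EOF'
$TTL 3600
casa.dre. IN SOA floe.casa.dre. dre.mac.com. ( 2005080601 10800 3600 604800 86400 )
@ IN NS ns1.casa.dre.
localhost IN A 127.0.0.1
floe IN A 10.0.1.1
@ IN A 10.0.1.1
ns1 IN A 10.0.1.1
$GENERATE 10-20 dhcp$ IN A 10.0.1.$
gw IN CNAME floe
EOF
    cat > "$dir/1.0.10.in-addr.arpa" <<'EOF'
$TTL 3600
1.0.10.in-addr.arpa. IN SOA floe.casa.dre. dre.mac.com. ( 2005080601 10800 3600 604800 86400 )
@ IN NS ns1.casa.dre.
1 IN PTR floe.casa.dre.
$GENERATE 10-20 $ IN PTR dhcp$.casa.dre.
EOF
    cat > "$dir/broken.rev" <<'EOF'
$TTL 3600
@ IN NS ns1.casa.dre.
5 IN PTR printer.casa.dre.
$GENERATE 10-20 $ IN PTR dhcp$.casa.dre.
EOF
    echo "$dir"
}

if [ $# -eq 2 ]; then
    check_zones "$1" "$2"
else
    d=$(write_samples)
    check_zones "$d/casa.dre" "$d/1.0.10.in-addr.arpa" && echo "sample zones agree"
    check_zones "$d/casa.dre" "$d/broken.rev" || echo "broken.rev rejected, as expected"
fi
```

Run it against master/casa.dre and master/1.0.10.in-addr.arpa before reloading named whenever either file changes; it only understands the simple record layout used above (one record per line, $GENERATE with a single numeric range), which is all these zones contain.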
NAT
Enable IPF and IPNAT in /etc/rc.conf. With no rules in /etc/ipf.rules IPF passes everything (the GENERIC kernel's default is pass; only a kernel built with IPFILTER_DEFAULT_BLOCK blocks), and since sysinstall turned on gateway_enable the box forwards whatever reaches it until you give it a real ruleset. NAT on its own is not a firewall: sshd and any other service bound to all addresses is reachable on the public IP.
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
- Rules for basic NAT, where sis0 is my public interface, and 10.0.1.0/24 is my internal subnet. Place in /etc/ipnat.rules (0/32 means "whatever address sis0 has"; the usual form puts a map ... -> 0/32 portmap tcp/udp auto line before it so TCP/UDP source ports are rewritten into a known range, with this line catching the rest)
map sis0 10.0.1.0/24 -> 0/32
- Inbound port mapping / redirection. An rdr only translates: inbound NAT runs before the filter, so once you write filter rules they must allow port 80 to 10.0.1.100, not to 69.17.54.143, because that is what the filter sees.
rdr sis0 69.17.54.143/32 port 80 -> 10.0.1.100 port 80
- Misc commands
ipf -Fa -f /etc/ipf.rules #reload IPF rules
ipnat -CF -f /etc/ipnat.rules #reload IPNAT rules
ipnat -s #show nat stats
ipnat -l #list nat state table
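A ruleset for /etc/ipf.rules that turns the open filter into a default-deny one, as an added example that is not the page's own configuration. It takes the interface names, LAN subnet and web-server address used above (sis0 outside, fxp0 inside, 10.0.1.0/24, 10.0.1.100); allowing SSH in on the public interface is an assumption made here so the box can still be reached from the road. Two things the rdr line makes easy to get wrong are built in: inbound NAT runs before the filter, so the web rule matches the translated destination 10.0.1.100, and return traffic for outbound connections is admitted by state, not by open ports. The check_rules function is a small guard against the two mistakes that quietly reopen the box: forgetting the final block on the outside interface, and passing something in without keeping state.

```sh
#!/bin/sh
# gen_ipf_rules.sh - added example, not the page's own /etc/ipf.rules.
# Emits a default-deny IPFilter ruleset for the NAT gateway. Interface
# names, LAN subnet and web host are the page's; the SSH allowance on
# the outside interface is an assumption made here.

# gen_ipf_rules EXT INT LAN WEB: write the ruleset to stdout.
gen_ipf_rules() {
    ext=$1    # outside interface, e.g. sis0
    int=$2    # inside interface, e.g. fxp0
    lan=$3    # inside subnet, e.g. 10.0.1.0/24
    web=$4    # host that the ipnat rdr sends port 80 to, e.g. 10.0.1.100
    cat <<EOF
# Loopback and the inside interface are trusted.
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $int all
pass out quick on $int all
# Anti-spoofing: packets claiming our LAN or loopback as source never
# legitimately arrive on the outside interface.
block in quick on $ext from $lan to any
block in quick on $ext from 127.0.0.0/8 to any
# Outbound (from the gateway itself or forwarded from the LAN): allow and
# keep state, so replies get back in past the default block below.
pass out quick on $ext proto tcp from any to any flags S keep state
pass out quick on $ext proto udp from any to any keep state
pass out quick on $ext proto icmp from any to any keep state
# Inbound on the outside interface: only what we mean to serve.
# ipnat rewrites the destination before the filter sees the packet, so
# the rdr'd web traffic is matched on the internal address.
pass in quick on $ext proto tcp from any to any port = 22 flags S keep state
pass in quick on $ext proto tcp from any to $web port = 80 flags S keep state
# Everything else inbound on $ext is dropped and logged (ipmon picks the
# log entries up; ipmon_enable="YES" in rc.conf runs it with -Ds, to syslog).
block in log quick on $ext all
EOF
}

# check_rules EXT FILE: refuse a ruleset that does not end the outside
# interface with a logged default block, or that passes anything in on it
# without keeping state.
check_rules() {
    ext=$1
    grep -qxF "block in log quick on $ext all" "$2" || {
        echo "no default block on $ext" >&2; return 1; }
    if grep "^pass in .* on $ext " "$2" | grep -qv "keep state"; then
        echo "stateless pass-in rule on $ext" >&2
        return 1
    fi
    return 0
}

# Usage: sh gen_ipf_rules.sh > /etc/ipf.rules && ipf -Fa -f /etc/ipf.rules
gen_ipf_rules sis0 fxp0 10.0.1.0/24 10.0.1.100
```

Load it with ipf -Fa -f /etc/ipf.rules, then ipnat -CF -f /etc/ipnat.rules, and set ipmon_enable="YES" in /etc/rc.conf so the logged blocks reach syslog. Test from outside (an ssh connection and a port scan from another network) before relying on it.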
Misc
Time synchronization
Run ntpdate at startup to step the clock once at boot (the rc script takes its server list from the server lines in /etc/ntp.conf when ntpdate_hosts is unset). Place the following in /etc/rc.conf:
ntpdate_enable="YES"
Configure /etc/ntp.conf. "restrict default ignore" is the right default (nobody outside can query or reconfigure the daemon), but ignore drops every packet, replies from the time server included, so the server and localhost need their own restrict lines or ntpd will never sync:
server time.apple.com
driftfile /var/db/ntp.drift
restrict default ignore
restrict 127.0.0.1
restrict time.apple.com nomodify notrap noquery
Run ntpd at startup (/etc/rc.conf):
ntpd_enable="YES"