Difference between revisions of "Floe"

From Wikifications
Jump to: navigation, search
(Installer options)
 
(NAT)
 
(19 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Install==
 
==Install==
 
Burn 5.4 ISO, boot from it.
 
Burn 5.4 ISO, boot from it.
===Installer Menu===
+
===Installer===
 
* Standard
 
* Standard
 
* Delete existing partition
 
* Delete existing partition
Line 11: Line 11:
 
* CD / DVD install
 
* CD / DVD install
 
* Yes to procede with installation
 
* Yes to procede with installation
 +
 +
===Initial configuration with sysinstall===
 +
* Can run later with:
 +
/usr/sbin/sysinstall
 +
 +
* Yes to create ethernet device
 +
* No to IPv6
 +
* No to DHCP
 +
* Configure as desired
 +
* Yes to bring it up
 +
* Yes to function as a gateway
 +
* No to configure inetd
 +
* Yes to enable SSH
 +
* No to FTP
 +
* No to NFS
 +
* No to NFS Client
 +
* No to customize console settings
 +
* Yes to set time zone
 +
* No
 +
* 2 for America
 +
* 45 - United States
 +
* 16 - Pacific time
 +
* Yes to PDT (or as applicable)
 +
* Yes to linux binary compatability
 +
* No to mouse
 +
* No to browse ports
 +
* Yes to add user account, configure as desired
 +
* Set r00t password
 +
* No to general config menu
 +
* Exit install, remove CD
 +
 +
==Ports==
 +
===Updating Ports with cvsup===
 +
* Install the cvsup port
 +
floe# cd /usr/ports/net/cvsup-without-gui
 +
floe# make install clean
 +
* As root:
 +
cp /usr/share/examples/cvsup/ports-supfile ~
 +
 +
Edit the ports-supfile
 +
* local mirror, such as freebsd.isc.org
 +
* Comment ports-all, uncomment desired ports or leave as default for maximum safety (no lost dependencies, etc)
 +
 +
Update:
 +
cvsup -g -L 2 /root/ports-supfile
 +
 +
===Automating port upgrades===
 +
This is probably a good idea. Last thing you want is some horrendous sshd vuln when you're out of the country or something... On the other hand, this represents a leap of faith that we won't end up with broken dependencies during a portupgrade due to some wacky change / failure... We'll cron a cvsup to keep the ports db recent, and use a tool called portupgrade to upgrade our installed ports.
 +
 +
Install portupgrade
 +
cd /usr/ports/sysutils/portupgrade
 +
make install clean
 +
 +
Create a package database for portupgrade
 +
pkgdb -u
 +
 +
Run portupgrade
 +
portupgrade -a
 +
 +
Create a script to do it all for us. I'll call it upgrade.sh
 +
 +
# Synchronize your ports collection (using the fastest_cvsup tool to get the fastest CVSup server)
 +
FASTEST_CVSUP=`fastest_cvsup -Q -c us`; echo $FASTEST_CVSUP
 +
/usr/local/bin/cvsup -g -L 2 -h $FASTEST_CVSUP /root/ports-supfile
 +
# Update the ports database
 +
/usr/local/sbin/portsdb -Uu
 +
# List the installed ports which need upgrading
 +
/usr/local/sbin/portversion -l "<"
 +
# Upgrade the installed ports
 +
/usr/local/sbin/portupgrade -a
 +
 +
Add it to cron
 +
echo "20 4 * * 7 /root/upgrade.sh" > mycron
 +
crontab mycron
 +
 +
Set up a forward for root
 +
echo "foo@you.com" > .forward
 +
 +
===Ports I like===
 +
*screen - a no brainer
 +
*mtr - nice traceroute / ping tool
 +
*ntraceroute - use the -A flag to see AS numbers for each hop
 +
*bash, zsh
 +
*fastest_cvsup
 +
*ifstat - per-interface bandwidth stats
 +
*sudo
 +
 +
==Networking==
 +
===Interface Configuration===
 +
Bring additional interface up and verify:
 +
root@floe[/root]ifconfig fxp0 10.0.1.1 255.255.255.0
 +
root@floe[/root]ifconfig fxp0                             
 +
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 +
        options=8<VLAN_MTU>
 +
        inet 10.0.1.1 netmask 0xff000000 broadcast 255.255.255.0
 +
        inet6 fe80::2a0:c9ff:fedb:5100%fxp0 prefixlen 64 scopeid 0x2
 +
        ether 00:a0:c9:db:51:00
 +
        media: Ethernet autoselect (100baseTX)
 +
        status: active
 +
 +
Configure it for startup In /etc/rc.conf:
 +
ifconfig_fxp0="inet 10.0.1.1  netmask 255.255.255.0"
 +
 +
===DHCP Server===
 +
* Install /usr/ports/net/isc-dhcp3-server
 +
* Configure /etc/dhcpd.conf as desired. My config:
 +
# Configuration file for ISC dhcpd
 +
# option definitions common to all supported networks...
 +
option domain-name "dreness.com";
 +
option domain-name-servers 64.81.79.2, 216.231.41.2;
 +
default-lease-time 3600;
 +
max-lease-time 86400;
 +
authoritative;
 +
ddns-update-style none;
 +
# This is a very basic subnet declaration.
 +
subnet 10.0.1.0 netmask 255.255.255.0 {
 +
  range 10.0.1.10 10.0.1.20;
 +
  option routers 10.0.1.1;
 +
}
 +
# Declare our public subnet so dhcpd doesn't whine
 +
subnet 69.17.54.0 netmask 255.255.255.0 { }
 +
* Configure dhcp on startup in /etc/rc.local:
 +
#dhcpd at boot up
 +
/usr/local/sbin/dhcpd
 +
 +
===DNS Server===
 +
* We'll use a DNS server to provide hostnames for our local 10-net.
 +
cd /etc/namedb
 +
sh make-localhost
 +
* Configure /etc/namedb/named.conf
 +
options {
 +
        directory      "/etc/namedb";
 +
        pid-file        "/var/run/named/pid";
 +
        dump-file      "/var/dump/named_dump.db";
 +
        statistics-file "/var/stats/named.stats";
 +
        listen-on      { 127.0.0.1; 10.0.1.1; };
 +
        forward only;
 +
        forwarders { 64.81.79.2; 216.131.41.2; };
 +
};
 +
zone "." {
 +
        type hint;
 +
        file "named.root";
 +
};
 +
zone "0.0.127.IN-ADDR.ARPA" {
 +
        type master;
 +
        file "master/localhost.rev";
 +
};
 +
// RFC 3152
 +
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
 +
        type master;
 +
        file "master/localhost-v6.rev";
 +
};
 +
// RFC 1886 -- deprecated
 +
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
 +
        type master;
 +
        file "master/localhost-v6.rev";
 +
};
 +
zone "casa.dre" {
 +
        type master;
 +
        file "master/casa.dre";
 +
};
 +
zone "1.0.10.in-addr.arpa" {
 +
        type master;
 +
        file "master/1.0.10.in-addr.arpa";
 +
};
 +
* Forward zone:
 +
$TTL 3600
 +
casa.dre. IN SOA floe.casa.dre. dre.mac.com. (
 +
                        2005080601      ; Serial
 +
                        10800          ; Refresh
 +
                        3600            ; Retry
 +
                        604800          ; Expire
 +
                        86400 )        ; Minimum TTL
 +
@      IN NS          ns1.casa.dre.
 +
localhost      IN A    127.0.0.1
 +
floe            IN A    10.0.1.1
 +
@              IN A    10.0.1.1
 +
$GENERATE 10-20 dhcp$ IN A 10.0.1.$
 +
gw              IN CNAME floe
 +
ns1            IN CNAME floe
 +
* Reverse zone:
 +
$TTL 3600
 +
1.0.10.in-addr.arpa. IN SOA floe.casa.dre. dre.mac.com. (
 +
                        2005080601      ; Serial
 +
                        10800          ; Refresh
 +
                        3600            ; Retry
 +
                        604800          ; Expire
 +
                        86400 )        ; Minimum TTL
 +
@      IN NS          ns1.casa.dre.
 +
1            IN PTR    floe.casa.dre.
 +
$GENERATE 10-20 $ IN PTR dhcp$.casa.dre.
 +
 +
* Add to /etc/rc.conf:
 +
named_enable="YES"
 +
 +
* Edit /etc/resolv.conf:
 +
nameserver      127.0.0.1
 +
 +
===NAT===
 +
Enable IPF and IPNAT in /etc/rc.conf. IPF defaults to open.
 +
ipfilter_enable="YES"
 +
ipfilter_rules="/etc/ipf.rules"
 +
ipnat_enable="YES"
 +
ipnat_rules="/etc/ipnat.rules"
 +
* Rules for basic NAT, where sis0 is my public interface, and 10.0.1.0/24 is my internal subnet. Place in /etc/ipnat.rules
 +
map sis0 10.0.1.0/24 -> 0/32
 +
* Inbound port mapping / redirection
 +
rdr sis0 69.17.54.143/32 port 80 -> 10.0.1.100 port 80
 +
* Misc commands
 +
ipf -Fa -f /etc/ipf.rules        #reload IPF rules
 +
ipnat -CF -f /etc/ipnat.rules    #reload IPNAT rules
 +
ipnat -s                  #show nat stats
 +
ipnat -l                    #list nat state table
 +
 +
==Misc==
 +
===Time syncronization===
 +
Run ntpdate at startup. Place the following in /etc/rc.conf:
 +
ntpdate_enable="YES"
 +
 +
Configure /etc/ntp.conf:
 +
server time.apple.com
 +
driftfile /var/db/ntp.drift
 +
restrict default ignore
 +
 +
Run ntpd at startup (/etc/rc.conf):
 +
ntpd_enable="YES"
 +
 +
==References==
 +
 +
* [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html FreeBSD Handbook]
 +
* [http://www.onlamp.com/pub/a/bsd/2002/04/04/ipsec.html IPSec Certificate Basics]
 +
* [http://www.onlamp.com/pub/a/bsd/2001/12/10/ipsec.html IPSec Tunneling]

Latest revision as of 16:33, 6 August 2005

Install

Burn 5.4 ISO, boot from it.

Installer

  • Standard
  • Delete existing partition
  • "a" for use entire disk
  • Standard - no boot manager
  • A - auto defaults for paritions
  • "User" installation set
  • "Yes" to ports
  • CD / DVD install
  • Yes to procede with installation

Initial configuration with sysinstall

  • Can run later with:
/usr/sbin/sysinstall
  • Yes to create ethernet device
  • No to IPv6
  • No to DHCP
  • Configure as desired
  • Yes to bring it up
  • Yes to function as a gateway
  • No to configure inetd
  • Yes to enable SSH
  • No to FTP
  • No to NFS
  • No to NFS Client
  • No to customize console settings
  • Yes to set time zone
  • No
  • 2 for America
  • 45 - United States
  • 16 - Pacific time
  • Yes to PDT (or as applicable)
  • Yes to linux binary compatability
  • No to mouse
  • No to browse ports
  • Yes to add user account, configure as desired
  • Set r00t password
  • No to general config menu
  • Exit install, remove CD

Ports

Updating Ports with cvsup

  • Install the cvsup port
floe# cd /usr/ports/net/cvsup-without-gui
floe# make install clean
  • As root:
cp /usr/share/examples/cvsup/ports-supfile ~

Edit the ports-supfile

  • local mirror, such as freebsd.isc.org
  • Comment ports-all, uncomment desired ports or leave as default for maximum safety (no lost dependencies, etc)

Update:

cvsup -g -L 2 /root/ports-supfile

Automating port upgrades

This is probably a good idea. Last thing you want is some horrendous sshd vuln when you're out of the country or something... On the other hand, this represents a leap of faith that we won't end up with broken dependencies during a portupgrade due to some wacky change / failure... We'll cron a cvsup to keep the ports db recent, and use a tool called portupgrade to upgrade our installed ports.

Install portupgrade

cd /usr/ports/sysutils/portupgrade
make install clean

Create a package database for portupgrade

pkgdb -u

Run portupgrade

portupgrade -a

Create a script to do it all for us. I'll call it upgrade.sh

# Synchronize your ports collection (using the fastest_cvsup tool to get the fastest CVSup server)
FASTEST_CVSUP=`fastest_cvsup -Q -c us`; echo $FASTEST_CVSUP
/usr/local/bin/cvsup -g -L 2 -h $FASTEST_CVSUP /root/ports-supfile
# Update the ports database
/usr/local/sbin/portsdb -Uu
# List the installed ports which need upgrading
/usr/local/sbin/portversion -l "<"
# Upgrade the installed ports
/usr/local/sbin/portupgrade -a

Add it to cron

echo "20 4 * * 7 /root/upgrade.sh" > mycron
crontab mycron

Set up a forward for root

echo "foo@you.com" > .forward

Ports I like

  • screen - a no brainer
  • mtr - nice traceroute / ping tool
  • ntraceroute - use the -A flag to see AS numbers for each hop
  • bash, zsh
  • fastest_cvsup
  • ifstat - per-interface bandwidth stats
  • sudo

Networking

Interface Configuration

Bring additional interface up and verify:

root@floe[/root]ifconfig fxp0 10.0.1.1 255.255.255.0
root@floe[/root]ifconfig fxp0                              
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       options=8<VLAN_MTU>
       inet 10.0.1.1 netmask 0xff000000 broadcast 255.255.255.0
       inet6 fe80::2a0:c9ff:fedb:5100%fxp0 prefixlen 64 scopeid 0x2 
       ether 00:a0:c9:db:51:00
       media: Ethernet autoselect (100baseTX)
       status: active

Configure it for startup In /etc/rc.conf:

ifconfig_fxp0="inet 10.0.1.1  netmask 255.255.255.0"

DHCP Server

  • Install /usr/ports/net/isc-dhcp3-server
  • Configure /etc/dhcpd.conf as desired. My config:
# Configuration file for ISC dhcpd
# option definitions common to all supported networks...
option domain-name "dreness.com";
option domain-name-servers 64.81.79.2, 216.231.41.2;
default-lease-time 3600;
max-lease-time 86400;
authoritative;
ddns-update-style none;
# This is a very basic subnet declaration.
subnet 10.0.1.0 netmask 255.255.255.0 {
  range 10.0.1.10 10.0.1.20;
  option routers 10.0.1.1;
}
# Declare our public subnet so dhcpd doesn't whine
subnet 69.17.54.0 netmask 255.255.255.0 { }
  • Configure dhcp on startup in /etc/rc.local:
#dhcpd at boot up
/usr/local/sbin/dhcpd

DNS Server

  • We'll use a DNS server to provide hostnames for our local 10-net.
cd /etc/namedb
sh make-localhost
  • Configure /etc/namedb/named.conf
options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        listen-on       { 127.0.0.1; 10.0.1.1; };
        forward only;
        forwarders { 64.81.79.2; 216.131.41.2; };
};
zone "." {
        type hint;
        file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "master/localhost.rev";
};
// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
        type master;
        file "master/localhost-v6.rev";
};
// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
        type master;
        file "master/localhost-v6.rev";
};
zone "casa.dre" {
        type master;
        file "master/casa.dre";
};
zone "1.0.10.in-addr.arpa" {
        type master;
        file "master/1.0.10.in-addr.arpa";
};
  • Forward zone:
$TTL 3600
casa.dre. IN SOA floe.casa.dre. dre.mac.com. (
                        2005080601      ; Serial
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        86400 )         ; Minimum TTL
@       IN NS           ns1.casa.dre.
localhost       IN A    127.0.0.1
floe            IN A    10.0.1.1
@               IN A    10.0.1.1
$GENERATE 10-20 dhcp$ IN A 10.0.1.$
gw              IN CNAME floe
ns1             IN CNAME floe
  • Reverse zone:
$TTL 3600
1.0.10.in-addr.arpa. IN SOA floe.casa.dre. dre.mac.com. (
                        2005080601      ; Serial
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        86400 )         ; Minimum TTL
@       IN NS           ns1.casa.dre.
1            IN PTR    floe.casa.dre.
$GENERATE 10-20 $ IN PTR dhcp$.casa.dre.
  • Add to /etc/rc.conf:
named_enable="YES"
  • Edit /etc/resolv.conf:
nameserver      127.0.0.1

NAT

Enable IPF and IPNAT in /etc/rc.conf. IPF defaults to open.

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
  • Rules for basic NAT, where sis0 is my public interface, and 10.0.1.0/24 is my internal subnet. Place in /etc/ipnat.rules
map sis0 10.0.1.0/24 -> 0/32
  • Inbound port mapping / redirection
rdr sis0 69.17.54.143/32 port 80 -> 10.0.1.100 port 80
  • Misc commands
ipf -Fa -f /etc/ipf.rules         #reload IPF rules
ipnat -CF -f /etc/ipnat.rules     #reload IPNAT rules
ipnat -s                   #show nat stats
ipnat -l                    #list nat state table

Misc

Time syncronization

Run ntpdate at startup. Place the following in /etc/rc.conf:

ntpdate_enable="YES"

Configure /etc/ntp.conf:

server time.apple.com
driftfile /var/db/ntp.drift
restrict default ignore

Run ntpd at startup (/etc/rc.conf):

ntpd_enable="YES"

References