Floe
Install
Burn 5.4 ISO, boot from it.
Installer
- Standard
- Delete existing partition
- "a" for use entire disk
- Standard - no boot manager
- A - auto defaults for partitions
- "User" installation set
- "Yes" to ports
- CD / DVD install
- Yes to proceed with installation
Initial configuration with sysinstall
- Can run later with:
/usr/sbin/sysinstall
- Yes to create ethernet device
- No to IPv6
- No to DHCP
- Configure as desired
- Yes to bring it up
- Yes to function as a gateway
- No to configure inetd
- Yes to enable SSH
- No to FTP
- No to NFS
- No to NFS Client
- No to customize console settings
- Yes to set time zone
- No
- 2 for America
- 45 - United States
- 16 - Pacific time
- Yes to PDT (or as applicable)
- Yes to Linux binary compatibility
- No to mouse
- No to browse ports
- Yes to add user account, configure as desired
- Set r00t password
- No to general config menu
- Exit install, remove CD
Ports
Updating Ports with cvsup
- Install the cvsup port
floe# cd /usr/ports/net/cvsup-without-gui
floe# make install clean
- As root:
cp /usr/share/examples/cvsup/ports-supfile ~
Edit the ports-supfile
- local mirror, such as freebsd.isc.org
- Comment out ports-all and uncomment the ports you want, or leave it as the default (everything) for maximum safety (no missing dependencies, etc.)
Update:
cvsup -g -L 2 /root/ports-supfile
Automating port upgrades
This is probably a good idea. The last thing you want is some horrendous sshd vuln when you're out of the country or something... On the other hand, this represents a leap of faith that we won't end up with broken dependencies during a portupgrade due to some wacky change / failure... We'll cron a cvsup to keep the ports tree current, and use a tool called portupgrade to upgrade our installed ports.
Install portupgrade
cd /usr/ports/sysutils/portupgrade
make install clean
Create a package database for portupgrade
pkgdb -u
Run portupgrade
portupgrade -a
Create a script to do it all for us. I'll call it upgrade.sh
#!/bin/sh
# Save as /root/upgrade.sh and chmod +x it so cron can execute it
# Synchronize your ports collection (using the fastest_cvsup tool to get the fastest CVSup server)
FASTEST_CVSUP=`fastest_cvsup -Q -c us`; echo $FASTEST_CVSUP
/usr/local/bin/cvsup -g -L 2 -h $FASTEST_CVSUP /root/ports-supfile
# Update the ports database
/usr/local/sbin/portsdb -Uu
# List the installed ports which need upgrading
/usr/local/sbin/portversion -l "<"
# Upgrade the installed ports
/usr/local/sbin/portupgrade -a
Add it to cron
echo "20 4 * * 7 /root/upgrade.sh" > mycron
crontab mycron
Set up a forward for root
echo "foo@you.com" > .forward
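A pre-flight check for the unattended run, added here as an example and not part of the original upgrade.sh: it reads the two-column output of portversion -l "<" (package name, then "<" meaning the installed version is older than the port) and declines to run portupgrade -a unattended when one of a short list of critical packages is among them, so those get a watched upgrade instead of a cron-driven one. The CRITICAL list, the pending-file path and the portversion line format used here are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own upgrade.sh: gate the unattended
# "portupgrade -a" on what portversion reports as out of date.
# Assumptions: the CRITICAL list, the PENDING path, and that
# portversion -l "<" prints "pkgname  <" one package per line.

# Packages you would rather upgrade by hand (assumed list; adjust to taste)
CRITICAL="openssh-portable bind9 isc-dhcp3-server"
PENDING=/var/log/upgrade.pending   # assumed path

# From portversion-style lines on stdin, print the names marked "<".
outdated_names() {
    awk '$2 == "<" { print $1 }'
}

# Strip the version suffix: "openssh-portable-3.8.1p1_1" -> "openssh-portable"
base_name() {
    printf '%s\n' "$1" | sed 's/-[0-9][^-]*$//'
}

# Return 0 when no outdated package (read from stdin) is in CRITICAL, else 1.
safe_to_upgrade() {
    for pkg in $(outdated_names); do
        b=$(base_name "$pkg")
        for c in $CRITICAL; do
            [ "$b" = "$c" ] && return 1
        done
    done
    return 0
}

# Cron entry point: the same steps as upgrade.sh, but the upgrade only runs
# when nothing critical is pending. Any output plus the non-zero exit makes
# cron mail root, which the .forward above delivers to you.
run_upgrade() {
    set -e
    fastest=$(fastest_cvsup -Q -c us)
    /usr/local/bin/cvsup -g -L 2 -h "$fastest" /root/ports-supfile
    /usr/local/sbin/portsdb -Uu
    /usr/local/sbin/portversion -l "<" > "$PENDING"
    if safe_to_upgrade < "$PENDING"; then
        /usr/local/sbin/portupgrade -a
    else
        echo "critical port pending; not upgrading unattended:"
        cat "$PENDING"
        exit 1
    fi
}

# Run the real thing only when invoked as "upgrade.sh run" (e.g. from cron),
# so the file can also be sourced to exercise the helpers on sample input.
if [ "${1:-}" = run ]; then
    run_upgrade
fi
```

The cron line then becomes "20 4 * * 7 /root/upgrade.sh run". The mail you get when the script refuses lists exactly what portversion found, so you can decide whether to log in and upgrade by hand.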
Ports I like
- screen - a no brainer
- mtr - nice traceroute / ping tool
- ntraceroute - use the -A flag to see AS numbers for each hop
- bash, zsh
- fastest_cvsup
- ifstat - per-interface bandwidth stats
- sudo
Networking
Interface Configuration
Bring additional interface up and verify:
root@floe[/root]ifconfig fxp0 10.0.1.1 255.255.255.0
root@floe[/root]ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 10.0.1.1 netmask 0xff000000 broadcast 255.255.255.0
        inet6 fe80::2a0:c9ff:fedb:5100%fxp0 prefixlen 64 scopeid 0x2
        ether 00:a0:c9:db:51:00
        media: Ethernet autoselect (100baseTX)
        status: active
Configure it for startup in /etc/rc.conf. Note that the session above ended up with netmask 0xff000000 (a /8) because the mask was given as a bare second argument, which ifconfig takes as the broadcast/destination address; the rc.conf line below uses the netmask keyword and gets the intended /24:
ifconfig_fxp0="inet 10.0.1.1 netmask 255.255.255.0"
DHCP Server
- Install /usr/ports/net/isc-dhcp3-server
- Configure /etc/dhcpd.conf as desired. My config:
# Configuration file for ISC dhcpd
# option definitions common to all supported networks...
option domain-name "dreness.com";
option domain-name-servers 64.81.79.2, 216.231.41.2;
default-lease-time 3600;
max-lease-time 86400;
authoritative;
ddns-update-style none;
# This is a very basic subnet declaration.
subnet 10.0.1.0 netmask 255.255.255.0 {
        range 10.0.1.10 10.0.1.20;
        option routers 10.0.1.1;
}
# Declare our public subnet so dhcpd doesn't whine
subnet 69.17.54.0 netmask 255.255.255.0 {
}
- Configure dhcp on startup in /etc/rc.local:
#dhcpd at boot up
/usr/local/sbin/dhcpd
DNS Server
- We'll use a DNS server to provide hostnames for our local 10-net.
cd /etc/namedb
sh make-localhost
- Configure /etc/namedb/named.conf
options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        dump-file "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        listen-on { 127.0.0.1; 10.0.1.1; };
        forward only;
        forwarders { 64.81.79.2; 216.131.41.2; };
};
zone "." { type hint; file "named.root"; };
zone "0.0.127.IN-ADDR.ARPA" { type master; file "master/localhost.rev"; };
// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" { type master; file "master/localhost-v6.rev"; };
// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" { type master; file "master/localhost-v6.rev"; };
zone "casa.dre" { type master; file "master/casa.dre"; };
zone "1.0.10.in-addr.arpa" { type master; file "master/1.0.10.in-addr.arpa"; };
- Forward zone (note that ns1 is a CNAME here; RFC 2181 section 10.3 requires the target of an NS record to be an address record, so "ns1 IN A 10.0.1.1" is the strictly correct form):
$TTL 3600
casa.dre. IN SOA floe.casa.dre. dre.mac.com. (
        2005080601 ; Serial
        10800 ; Refresh
        3600 ; Retry
        604800 ; Expire
        86400 ) ; Minimum TTL
@ IN NS ns1.casa.dre.
localhost IN A 127.0.0.1
floe IN A 10.0.1.1
@ IN A 10.0.1.1
$GENERATE 10-20 dhcp$ IN A 10.0.1.$
gw IN CNAME floe
ns1 IN CNAME floe
- Reverse zone:
$TTL 3600
1.0.10.in-addr.arpa. IN SOA floe.casa.dre. dre.mac.com. (
        2005080601 ; Serial
        10800 ; Refresh
        3600 ; Retry
        604800 ; Expire
        86400 ) ; Minimum TTL
@ IN NS ns1.casa.dre.
1 IN PTR floe.casa.dre.
$GENERATE 10-20 $ IN PTR dhcp$.casa.dre.
- Add to /etc/rc.conf:
named_enable="YES"
- Edit /etc/resolv.conf:
nameserver 127.0.0.1
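A consistency check across the dhcpd range and the two $GENERATE lines, added here as an example and not part of the original notes: if the pool and the generated A and PTR records drift apart, some leases get no name and the reverse zone answers for addresses that are never handed out. The three snippets are constructed from the configs above, and the awk parsing only handles the single-range, single-$GENERATE form used here.

```shell
#!/bin/sh
# Added example, not from the original notes: check that the dhcpd pool and
# the $GENERATE records in the forward and reverse zones cover the same host
# numbers. The snippets are constructed from the configs in these notes.

DHCPD_CONF='subnet 10.0.1.0 netmask 255.255.255.0 {
        range 10.0.1.10 10.0.1.20;
        option routers 10.0.1.1;
}'
FORWARD_ZONE='$GENERATE 10-20 dhcp$ IN A 10.0.1.$'
REVERSE_ZONE='$GENERATE 10-20 $ IN PTR dhcp$.casa.dre.'

# Print "first last" host numbers (last octet) of the dhcpd range on stdin.
dhcp_pool() {
    awk '$1 == "range" {
            sub(/;$/, "", $3)
            split($2, a, "."); split($3, b, ".")
            print a[4], b[4]
        }'
}

# Print "first last" of the $GENERATE directive on stdin.
generate_pool() {
    awk '$1 == "$GENERATE" { split($2, r, "-"); print r[1], r[2] }'
}

# pools_agree DHCPD FORWARD REVERSE: exit 0 if all three ranges match, else 1.
pools_agree() {
    d=$(printf '%s\n' "$1" | dhcp_pool)
    f=$(printf '%s\n' "$2" | generate_pool)
    r=$(printf '%s\n' "$3" | generate_pool)
    if [ -n "$d" ] && [ "$d" = "$f" ] && [ "$d" = "$r" ]; then
        echo "dhcp pool $d matches forward and reverse zones"
        return 0
    fi
    echo "mismatch: dhcpd=[$d] forward=[$f] reverse=[$r]" >&2
    return 1
}

# Sample run on the constructed snippets (prints the match line, exits 0)
pools_agree "$DHCPD_CONF" "$FORWARD_ZONE" "$REVERSE_ZONE"
```

On the live box, feed the real files instead: pools_agree "$(cat /etc/dhcpd.conf)" "$(grep GENERATE /etc/namedb/master/casa.dre)" "$(grep GENERATE /etc/namedb/master/1.0.10.in-addr.arpa)". Running it after each edit of either side, before bumping the zone serial, is cheap insurance.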
NAT
Enable IPF and IPNAT in /etc/rc.conf. IPF defaults to open: with no rules loaded, every packet passes.
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
- Rules for basic NAT, where sis0 is my public interface, and 10.0.1.0/24 is my internal subnet. Place in /etc/ipnat.rules
map sis0 10.0.1.0/24 -> 0/32
- Misc commands
ipf -Fa -f /etc/ipf.rules #reload IPF rules
ipnat -CF -f /etc/ipnat.rules #reload IPNAT rules
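Since IPF passes everything until rules are loaded, the ipnat map alone leaves the gateway and the 10-net reachable from outside. The script below is an added example, not a ruleset from the original notes: it prints a minimal default-deny, stateful /etc/ipf.rules for the interface names and subnet used here (sis0 outside, fxp0 inside, 10.0.1.0/24), allowing only ssh inbound, and includes a check that a ruleset ends in a block for the public interface. Which inbound services to expose is an assumption; review the output before loading it with the ipf command above.

```shell
#!/bin/sh
# Added example, not from the original notes. ipf_rules PUBLIC_IF LAN_IF LAN_NET
# prints a default-deny ruleset: inside and loopback pass freely, outbound on
# the public side keeps state so replies come back, ssh is the only inbound
# service (assumption), and the last public rule blocks and logs the rest.
ipf_rules() {
    pub=$1; lan=$2; lannet=$3
    cat <<EOF
# loopback and the trusted inside interface pass freely
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $lan all
pass out quick on $lan all
# drop packets arriving from outside that claim an inside or loopback source
block in log quick on $pub from $lannet to any
block in log quick on $pub from 127.0.0.0/8 to any
# outbound from the gateway and the NATed clients, with state so replies return
pass out quick on $pub proto tcp from any to any flags S keep state
pass out quick on $pub proto udp from any to any keep state
pass out quick on $pub proto icmp from any to any keep state
# the one inbound service: ssh (assumed; add others here deliberately)
pass in quick on $pub proto tcp from any to any port = 22 flags S keep state
# everything else inbound on the public side is dropped and logged
block in log quick on $pub all
EOF
}

# Sanity check for a generated or hand-written ruleset on stdin: the last
# rule naming the public interface must be a block, otherwise whatever the
# earlier rules did not match is passed by IPF's open default.
ends_with_block() {
    awk -v pub="$1" '
        { for (i = 1; i < NF; i++) if ($i == "on" && $(i + 1) == pub) last = $1 }
        END { if (last == "block") exit 0; exit 1 }'
}

# Sample run with the interface names from these notes
ipf_rules sis0 fxp0 10.0.1.0/24
```

To install it: ipf_rules sis0 fxp0 10.0.1.0/24 > /etc/ipf.rules, then ipf -Fa -f /etc/ipf.rules from the console rather than over ssh the first time, so a mistake in the ruleset cannot lock you out. The blocked-and-logged packets show up via ipmon, which is where you would look when something on the inside stops working.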
Misc
Time synchronization
Run ntpdate at startup. Place the following in /etc/rc.conf:
ntpdate_enable="YES"
Configure /etc/ntp.conf:
server time.apple.com
driftfile /var/db/ntp.drift
# deny everything by default, including ntpq/ntpdc queries...
restrict default ignore
# ...then let replies from the configured server and local queries through;
# with only "restrict default ignore", ntpd drops the server's replies too
restrict time.apple.com nomodify notrap noquery
restrict 127.0.0.1
Run ntpd at startup (/etc/rc.conf):
ntpd_enable="YES"