Installing Freebsd: Figure 2-1. Freebsd Boot Loader Menu

The sysinstall utility is the installation application provided by the FreeBSD Project. It is divided into a number of menus and screens that you can use to configure and control the installation process. A detailed description of these keys and what they do is contained in sysinstall's usage information.

Uploaded by

Verdie D. Unyum
Copyright
© Attribution Non-Commercial (BY-NC)

INSTALLING FREEBSD

Whether you booted from CDROM, USB stick or floppy, the boot process will then get to the FreeBSD boot loader menu: Figure 2-1. FreeBSD Boot Loader Menu

Either wait ten seconds, or press Enter. After device probing has finished, you will see the country selection menu shown in Figure 2-3. Use the arrow keys to choose a country, region, or group, then press Enter to set it. Figure 2-3. Selecting Country Menu

If you selected United States as the country, the standard American keyboard map will be used. If a different country is chosen, the following menu will be displayed. Use the arrow keys to choose the correct keyboard map and press Enter. Figure 2-4. Selecting Keyboard Menu

After the country has been selected, the sysinstall main menu will be displayed.

2.5 Introducing Sysinstall


The sysinstall utility is the installation application provided by the FreeBSD Project. It is console based and is divided into a number of menus and screens that you can use to configure and control the installation process. The sysinstall menu system is controlled by the arrow keys, Enter, Tab, Space, and other keys. A detailed description of these keys and what they do is contained in sysinstall's usage information. To review this information, ensure that the Usage entry is highlighted and that the [Select] button is selected, as shown in Figure 2-5, then press Enter. The instructions for using the menu system will be displayed. After reviewing them, press Enter to return to the Main Menu. Figure 2-5. Selecting Usage from Sysinstall Main Menu

2.5.2 Selecting the Keymap Menu


To change the keyboard mapping, use the arrow keys to select Keymap from the menu and press Enter. This is only required if you are using a non-standard or non-US keyboard. Figure 2-8. Sysinstall Main Menu

A different keyboard mapping may be chosen by selecting the menu item using up/down arrow keys and pressing Space. Pressing Space again will unselect the item. When finished, choose the [ OK ] using the arrow keys and press Enter. Only a partial list is shown in this screen representation. Selecting [ Cancel ] by pressing Tab will use the default keymap and return to the Main Install Menu. Figure 2-9. Sysinstall Keymap Menu

2.5.3 Installation Options Screen


Select Options and press Enter. Figure 2-10. Sysinstall Main Menu

Figure 2-11. Sysinstall Options

The default values are usually fine for most users and do not need to be changed. The release name will vary according to the version being installed. The description of the selected item will appear at the bottom of the screen highlighted in blue. Notice that one of the options is Use Defaults to reset all values to startup defaults. Press F1 to read the help screen about the various options. Pressing Q will return to the Main Install menu.

2.5.4 Begin a Standard Installation


The Standard installation is the option recommended for those new to UNIX or FreeBSD. Use the arrow keys to select Standard and then press Enter to start the installation. Figure 2-12. Begin Standard Installation

2.6 Allocating Disk Space


Your first task is to allocate disk space for FreeBSD, and label that space so that sysinstall can prepare it. In order to do this you need to know how FreeBSD expects to find information on the disk.

2.6.1 BIOS Drive Numbering


Before you install and configure FreeBSD on your system, there is an important subject that you should be aware of, especially if you have multiple hard drives. In a PC running a BIOS-dependent operating system such as MS-DOS or Microsoft Windows, the BIOS is able to abstract the normal disk drive order, and the operating system goes along with the change. This allows the user to boot from a disk drive other than the so-called primary master. This is especially convenient for some users who have found that the simplest and cheapest way to keep a system backup is to buy an identical second hard drive, and perform routine copies of the first drive to the second drive using Ghost or XCOPY. Then, if the first drive fails, or is attacked by a virus, or is scribbled upon by an operating system defect, the user can easily recover by instructing the BIOS to logically swap the drives. It is like switching the cables on the drives, but without having to open the case. More expensive systems with SCSI controllers often include BIOS extensions which allow the SCSI drives to be re-ordered in a similar fashion for up to seven drives.

A user who is accustomed to taking advantage of these features may become surprised when the results with FreeBSD are not as expected. FreeBSD does not use the BIOS, and does not know the logical BIOS drive mapping. This can lead to very perplexing situations, especially when drives are physically identical in geometry, and have also been made as data clones of one another. When using FreeBSD, always restore the BIOS to natural drive numbering before installing FreeBSD, and then leave it that way. If you need to switch drives around, then do so, but do it the hard way, and open the case and move the jumpers and cables.

2.6.2 Creating Slices Using FDisk


Note: No changes you make at this point will be written to the disk. If you think you have made a mistake and want to start again, you can use the menus to exit sysinstall and try again, or press U to use the Undo option. If you get confused and cannot see how to exit, you can always turn your computer off. After choosing to begin a standard installation in sysinstall you will be shown this message:
Message
In the next menu, you will need to set up a DOS-style ("fdisk") partitioning scheme for your hard disk. If you simply wish to devote all disk space to FreeBSD (overwriting anything else that might be on the disk(s) selected) then use the (A)ll command to select the default partitioning scheme followed by a (Q)uit. If you wish to allocate only free space to FreeBSD, move to a partition marked "unused" and use the (C)reate command.
[ OK ]
[ Press enter or space ]

Press Enter as instructed. You will then be shown a list of all the hard drives that the kernel found when it carried out the device probes. Figure 2-13 shows an example from a system with two IDE disks. They have been called ad0 and ad2. Figure 2-13. Select Drive for FDisk

You might be wondering why ad1 is not listed here. Why has it been missed? Consider what would happen if you had two IDE hard disks, one as the master on the first IDE controller, and one as the master on the second IDE controller. If FreeBSD numbered these as it found them, as ad0 and ad1, then everything would work. But if you then added a third disk, as the slave device on the first IDE controller, it would now be ad1, and the previous ad1 would become ad2. Because device names (such as ad1s1a) are used to find filesystems, you may suddenly discover that some of your filesystems no longer appear correctly, and you would need to change your FreeBSD configuration.

To work around this, the kernel can be configured to name IDE disks based on where they are, and not the order in which they were found. With this scheme the master disk on the second IDE controller will always be ad2, even if there are no ad0 or ad1 devices. This configuration is the default for the FreeBSD kernel, which is why this display shows ad0 and ad2. The machine on which this screenshot was taken had IDE disks on both master channels of the IDE controllers, and no disks on the slave channels.

You should select the disk on which you want to install FreeBSD, and then press [ OK ]. FDisk will start, with a display similar to that shown in Figure 2-14.

The FDisk display is broken into three sections. The first section, covering the first two lines of the display, shows details about the currently selected disk, including its FreeBSD name, the disk geometry, and the total size of the disk. The second section shows the slices that are currently on the disk, where they start and end, how large they are, the name FreeBSD gives them, and their description and sub-type. This example shows two small unused slices, which are artifacts of disk layout schemes on the PC. It also shows one large FAT slice, which almost certainly appears as C: in MS-DOS / Windows, and an extended slice, which may contain other drive letters for MS-DOS / Windows. The third section shows the commands that are available in FDisk. Figure 2-14. Typical Fdisk Partitions before Editing

What you do now will depend on how you want to slice up your disk. If you want to use FreeBSD for the entire disk (which will delete all the other data on this disk when you confirm that you want sysinstall to continue later in the installation process) then you can press A, which corresponds to the Use Entire Disk option. The existing slices will be removed, and replaced with a small area flagged as unused (again, an artifact of PC disk layout), and then one large slice for FreeBSD. If you do this, then you should select the newly created FreeBSD slice using the arrow keys, and press S to mark the slice as being bootable. The screen will then look very similar to Figure 2-15. Note the A in the Flags column, which indicates that this slice is active, and will be booted from. If you will be deleting an existing slice to make space for FreeBSD then you should select the slice using the arrow keys, and then press D. You can then press C, and be prompted for size of slice you want to create. Enter the appropriate figure and press Enter. The default value in this box represents the largest possible slice you can make, which could be the largest contiguous block of unallocated space or the size of the entire hard disk. If you have already made space for FreeBSD (perhaps by using a tool such as PartitionMagic) then you can press C to create a new slice. Again, you will be prompted for the size of slice you would like to create.

Figure 2-15. Fdisk Partition Using Entire Disk

When finished, press Q. Your changes will be saved in sysinstall, but will not yet be written to disk.

2.6.3 Install a Boot Manager


You now have the option to install a boot manager. In general, you should choose to install the FreeBSD boot manager if:

- You have more than one drive, and have installed FreeBSD onto a drive other than the first one.
- You have installed FreeBSD alongside another operating system on the same disk, and you want to choose whether to start FreeBSD or the other operating system when you start the computer.

If FreeBSD is going to be the only operating system on this machine, installed on the first hard disk, then the Standard boot manager will suffice. Choose None if you are using a third-party boot manager capable of booting FreeBSD. Make your choice and press Enter. Figure 2-16. Sysinstall Boot Manager Menu

The help screen, reached by pressing F1, discusses the problems that can be encountered when trying to share the hard disk between operating systems. Figure 2-18. Sysinstall Disklabel Editor

Disklabel can automatically create partitions for you and assign them default sizes. The default sizes are calculated with the help of an internal partition sizing algorithm based on the disk size. Try this now, by pressing A. You will see a display similar to that shown in Figure 2-19. Depending on the size of the disk you are using, the defaults may or may not be appropriate. This does not matter, as you do not have to accept the defaults.

Note: The default partitioning assigns the /tmp directory its own partition instead of being part of the / partition. This helps avoid filling the / partition with temporary files. Figure 2-19. Sysinstall Disklabel Editor with Auto Defaults

2.7 Choosing What to Install


2.7.1 Select the Distribution Set
Deciding which distribution set to install will depend largely on the intended use of the system and the amount of disk space available. The predefined options range from installing the smallest possible configuration to everything. Those who are new to UNIX and/or FreeBSD should almost certainly select one of these canned options. Customizing a distribution set is typically for the more experienced user. Press F1 for more information on the distribution set options and what they contain. When finished reviewing the help, pressing Enter will return to the Select Distributions Menu. If a graphical user interface is desired, then the configuration of the X server and selection of a default desktop must be done after the installation of FreeBSD. More information regarding the installation and configuration of an X server can be found in Chapter 5. If compiling a custom kernel is anticipated, select an option which includes the source code. For more information on why a custom kernel should be built or how to build a custom kernel, see Chapter 8.

Obviously, the most versatile system is one that includes everything. If there is adequate disk space, select All as shown in Figure 2-25 by using the arrow keys and press Enter. If there is a concern about disk space consider using an option that is more suitable for the situation. Do not fret over the perfect choice, as other distributions can be added after installation. Figure 2-25. Choose Distributions

2.7.2 Installing the Ports Collection


After selecting the desired distribution, an opportunity to install the FreeBSD Ports Collection is presented. The ports collection is an easy and convenient way to install software. The Ports Collection does not contain the source code necessary to compile the software. Instead, it is a collection of files which automates the downloading, compiling and installation of third-party software packages. Chapter 4 discusses how to use the ports collection. The installation program does not check to see if you have adequate space. Select this option only if you have adequate hard disk space. As of FreeBSD 8.2, the FreeBSD Ports Collection takes up about 417 MB of disk space. You can safely assume a larger value for more recent versions of FreeBSD.
User Confirmation Requested
Would you like to install the FreeBSD ports collection?

This will give you ready access to over 20,000 ported software packages, at a cost of around 417 MB of disk space when "clean" and possibly much more than that if a lot of the distribution tarballs are loaded (unless you have the extra CDs from a FreeBSD CD/DVD distribution available and can mount it on /cdrom, in which case this is far less of a problem).

The Ports Collection is a very valuable resource and well worth having on your /usr partition, so it is advisable to say Yes to this option.

For more information on the Ports Collection & the latest ports, visit: http://www.FreeBSD.org/ports
[ Yes ] No

Select [ Yes ] with the arrow keys to install the Ports Collection or [ No ] to skip this option. Press Enter to continue. The Choose Distributions menu will redisplay. Figure 2-26. Confirm Distributions

If satisfied with the options, select Exit with the arrow keys, ensure that [ OK ] is highlighted, and press Enter to continue.

2.8 Choosing Your Installation Media


If installing from a CDROM or DVD, use the arrow keys to highlight Install from a FreeBSD CD/DVD. Ensure that [ OK ] is highlighted, then press Enter to proceed with the installation. For other methods of installation, select the appropriate option and follow the instructions. Press F1 to display the Online Help for installation media. Press Enter to return to the media selection menu. Figure 2-27. Choose Installation Media

2.9 Committing to the Installation


The installation can now proceed if desired. This is also the last chance for aborting the installation to prevent changes to the hard drive.
User Confirmation Requested
Last Chance! Are you SURE you want to continue the installation?

If you're running this on a disk with data you wish to save then WE STRONGLY ENCOURAGE YOU TO MAKE PROPER BACKUPS before proceeding!

We can take no responsibility for lost disk contents!
[ Yes ] No

Select [ Yes ] and press Enter to proceed. The installation time will vary according to the distribution chosen, installation media, and the speed of the computer. There will be a series of messages displayed indicating the status. The installation is complete when the following message is displayed:
Message
Congratulations! You now have FreeBSD installed on your system.

We will now move on to the final configuration questions. For any option you do not wish to configure, simply select No.

If you wish to re-enter this utility after the system is up, you may do so by typing: /usr/sbin/sysinstall.
[ OK ]
[ Press enter or space ]

Press Enter to proceed with post-installation configurations. Selecting [ No ] and pressing Enter will abort the installation so no changes will be made to your system. The following message will appear:
Message
Installation complete with some errors. You may wish to scroll through the debugging messages on VTY1 with the scroll-lock feature. You can also choose "No" at the next prompt and go back into the installation menus to retry whichever operations have failed.
[ OK ]

This message is generated because nothing was installed. Pressing Enter will return to the Main Installation Menu to exit the installation.

IP Forwarding

IP forwarding was already enabled through sysinstall during installation. To verify the configuration, open the configuration file:
# ee /etc/rc.conf
Ensure that the file contains the following line (rc.conf is read as shell, so the value must be quoted and there must be no spaces around the equals sign):
gateway_enable="YES"

Network Address Translation (NAT)


To enable firewall and NAT support at boot time, the following must be in /etc/rc.conf:
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="fxp0"
natd_flags=""

gateway_enable="YES": Sets up the machine to act as a gateway. Running sysctl net.inet.ip.forwarding=1 would have the same effect.
firewall_enable="YES": Enables the firewall rules in /etc/rc.firewall at boot.
firewall_type="OPEN": This specifies a predefined firewall ruleset that allows anything in. See /etc/rc.firewall for additional types.
natd_interface="fxp0": Indicates which interface to forward packets through (the interface connected to the Internet).
natd_flags="": Any additional configuration options passed to natd(8) on boot.

Having the previous options defined in /etc/rc.conf would run natd -interface fxp0 at boot. This can also be run manually. Note: It is also possible to use a configuration file for natd(8) when there are too many options to pass. In this case, the configuration file must be defined by adding the following line to /etc/rc.conf:
natd_flags="-f /etc/natd.conf"

The /etc/natd.conf file will contain a list of configuration options, one per line. For example, the setup described in the next section would use the following file:
redirect_port tcp 192.168.0.2:6667 6667
redirect_port tcp 192.168.0.3:80 80

For more information about the configuration file, consult the natd(8) manual page about the -f option. Each machine and interface behind the LAN should be assigned IP address numbers in the private network space as defined by RFC 1918 and have a default gateway of the natd machine's internal IP address. For example, client A and B behind the LAN have IP addresses of 192.168.0.2 and 192.168.0.3, while the natd machine's LAN interface has an IP address of 192.168.0.1. Client A and B's default gateway must be set to that of the natd machine, 192.168.0.1. The natd machine's external, or Internet interface does not require any special modification for natd(8) to work.

Static Routing
The above example is perfect for configuring a static route on a running system. However, one problem is that the routing information will not persist if you reboot your FreeBSD machine. The way to handle the addition of a static route is to put it in your /etc/rc.conf file:
# Add Internal Net 2 as a static route
static_routes="internalnet2"
route_internalnet2="-net 192.168.2.0/24 192.168.1.2"

The static_routes configuration variable is a list of strings separated by a space. Each string refers to a route name. In our above example we only have one string in static_routes. This string is internalnet2. We then add a configuration variable called route_internalnet2 where we put all of the configuration parameters we would give to the route(8) command. For our example above we would have used the command:
# route add -net 192.168.2.0/24 192.168.1.2

so we need "-net 192.168.2.0/24 192.168.1.2".

As said above, we can have more than one string in static_routes. This allows us to create multiple static routes. The following lines shows an example of adding static routes for the 192.168.0.0/24 and 192.168.1.0/24 networks on an imaginary router:
static_routes="net1 net2"
route_net1="-net 192.168.0.0/24 192.168.0.1"
route_net2="-net 192.168.1.0/24 192.168.1.1"
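The mapping from static_routes names to route_<name> variables is easy to get wrong (a name listed in static_routes with no matching route_<name> variable is silently useless). The following POSIX sh script is an added example, not part of the handbook or of FreeBSD's rc.d scripts: it evaluates an rc.conf fragment the same way rc(8) does (as shell) and prints the route(8) command each entry would produce, warning about names that have no parameters. The sample fragments are the two listings above; the function name expand_static_routes is this example's own.

```shell
#!/bin/sh
# Added example (not from the handbook): show what rc.conf's static_routes /
# route_<name> variables expand to. rc(8) evaluates /etc/rc.conf as shell, so
# the fragment is evaluated the same way here, inside a subshell.

# Constructed sample fragments taken from the two listings in this section.
RC_ONE_ROUTE='static_routes="internalnet2"
route_internalnet2="-net 192.168.2.0/24 192.168.1.2"'

RC_TWO_ROUTES='static_routes="net1 net2"
route_net1="-net 192.168.0.0/24 192.168.0.1"
route_net2="-net 192.168.1.0/24 192.168.1.1"'

# Print the route(8) command that would be run for each name in static_routes.
# A name with no matching route_<name> variable is reported on stderr and
# skipped; the return status is 1 if any name was skipped, 0 otherwise.
expand_static_routes() {
    (
        static_routes=""
        eval "$1"           # same treatment rc.conf gets: it is shell syntax
        status=0
        for name in $static_routes; do
            eval "args=\"\$route_${name}\""
            if [ -z "$args" ]; then
                echo "warning: static_routes names '$name' but route_${name} is not set" >&2
                status=1
                continue
            fi
            printf 'route add %s\n' "$args"
        done
        exit $status
    )
}

expand_static_routes "$RC_ONE_ROUTE"
expand_static_routes "$RC_TWO_ROUTES"
```

Because the fragment is evaluated as shell, only run this against files you would let rc(8) read anyway; its value is in showing, before a reboot, exactly which route add commands your rc.conf will issue.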

Configuring the DHCP Server


dhcpd.conf

is comprised of declarations regarding subnets and hosts, and is perhaps most easily explained using an example:

option domain-name "example.com";
option domain-name-servers 192.168.4.100;
option subnet-mask 255.255.255.0;

default-lease-time 3600;
max-lease-time 86400;
ddns-update-style none;

subnet 192.168.4.0 netmask 255.255.255.0 {
  range 192.168.4.129 192.168.4.254;
  option routers 192.168.4.1;
}

host mailhost {
  hardware ethernet 02:03:04:05:06:07;
  fixed-address mailhost.example.com;
}

option domain-name: This option specifies the domain that will be provided to clients as the default search domain. See resolv.conf(5) for more information on what this means.
option domain-name-servers: This option specifies a comma separated list of DNS servers that the client should use.
option subnet-mask: The netmask that will be provided to clients.
default-lease-time: A client may request a specific length of time that a lease will be valid. Otherwise the server will assign a lease with this expiry value (in seconds).
max-lease-time: This is the maximum length of time that the server will lease for. Should a client request a longer lease, a lease will be issued, although it will only be valid for max-lease-time seconds.
ddns-update-style: This option specifies whether the DHCP server should attempt to update DNS when a lease is accepted or released. In the ISC implementation, this option is required.
range: This denotes which IP addresses should be used in the pool reserved for allocating to clients. IP addresses between, and including, the ones stated are handed out to clients.
option routers: Declares the default gateway that will be provided to clients.
hardware ethernet: The hardware MAC address of a host (so that the DHCP server can recognize a host when it makes a request).
fixed-address: Specifies that the host should always be given the same IP address. Note that using a hostname is correct here, since the DHCP server will resolve the hostname itself before returning the lease information.

Once you have finished writing your dhcpd.conf, you should enable the DHCP server in /etc/rc.conf, i.e. by adding:
dhcpd_enable="YES"
dhcpd_ifaces="dc0"

Replace the dc0 interface name with the interface (or interfaces, separated by whitespace) that your DHCP server should listen on for DHCP client requests. Then, you can proceed to start the server by issuing the following command:
# /usr/local/etc/rc.d/isc-dhcpd start

Should you need to make changes to the configuration of your server in the future, it is important to note that sending a SIGHUP signal to dhcpd does not result in the configuration being reloaded, as it does with most daemons. You will need to send a SIGTERM signal to stop the process, and then restart it using the command above.
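dhcpd will happily load a subnet declaration whose range or router lies outside the subnet, or whose router address sits inside the dynamic pool and can be leased to a client. The script below is an added example (not from the handbook or the ISC dhcpd distribution) that checks those relationships with nothing but POSIX sh arithmetic, using the values of the sample dhcpd.conf above; the function names ip2int and check_subnet are this example's own.

```shell
#!/bin/sh
# Added example (not from the handbook): check the numeric relationships in a
# dhcpd.conf subnet declaration before starting dhcpd. The values are the ones
# from the sample configuration above; the checks use POSIX sh arithmetic only.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_subnet NET NETMASK RANGE_FIRST RANGE_LAST ROUTER
# On success prints the number of addresses in the dynamic pool and returns 0;
# otherwise prints the problem and returns 1.
check_subnet() {
    net=$(ip2int "$1"); mask=$(ip2int "$2")
    first=$(ip2int "$3"); last=$(ip2int "$4"); router=$(ip2int "$5")

    if [ $(( $net & $mask )) -ne "$net" ]; then
        echo "subnet $1 has host bits set under netmask $2"; return 1
    fi
    # range endpoints and the router must all lie inside the declared subnet
    for pair in "$3=$first" "$4=$last" "$5=$router"; do
        if [ $(( ${pair#*=} & $mask )) -ne "$net" ]; then
            echo "${pair%%=*} is outside subnet $1 netmask $2"; return 1
        fi
    done
    if [ "$first" -gt "$last" ]; then
        echo "range $3 $4 is reversed"; return 1
    fi
    # the router address must not be handed out to a client
    if [ "$router" -ge "$first" ] && [ "$router" -le "$last" ]; then
        echo "router $5 lies inside the dynamic range $3 - $4"; return 1
    fi
    echo $(( $last - $first + 1 ))
}

# Values from the sample dhcpd.conf: 192.168.4.0/24, pool .129-.254, router .1
check_subnet 192.168.4.0 255.255.255.0 192.168.4.129 192.168.4.254 192.168.4.1
```

For the sample configuration the script reports a pool of 126 addresses; move the range to 192.168.5.x or set the router to an address inside the range and it returns 1 with a one-line reason, which is cheaper to learn from than from clients that get a default gateway they cannot reach.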

Proxy Server
The install

I wanted to install a proxy/cache product to help with the slow dialup connection and to BLOCK some web sites. So I installed the Squid port (note this is an older version; squid23 is the latest port). See Installing a port without installing the ports or Installing all the ports for more information about installing a port. But in short, you do this:
cd /usr/ports/www/squid21
make install

The cache

You need to build the cache directory first. The default is 100MB, so if you don't have that much room, or want more, modify /usr/local/etc/squid/squid.conf appropriately. The '-z' option is used to build the cache:
# /usr/local/sbin/squid -z

I got this message back - Permission denied


09:09:29| Creating Swap Directories
FATAL: Failed to make swap directory /usr/local/squid/cache/00: (13) Permission denied
Squid Cache (Version 2.1.PATCH2): Terminated abnormally.
CPU Usage: 0.022 seconds
Maximum Resident Size: 1000 KB
Page faults with physical i/o: 0

After some search on the mailing list archives I found this solution:

> a. There is no space left on drive.
> b. You have no /usr/local/squid/logs/ directory created before. (squid does
> not create it itself. Create one manually)
> c. Your /usr/local/squid/logs/cache.log is owned by root. You should
> change it like this. "chown nobody.nogroup /usr/local/squid/logs/cache.log"
>
> Note that all of the files in ../log and ../cache directories must be owned
> like that too.

I then checked for the directories and they were there, but the owner was root. So:
# chown nobody.nogroup /usr/local/squid/logs
mygateway# chown nobody.nogroup /usr/local/squid/cache

So now I tried to build the cache again:


# /usr/local/sbin/squid -z
2000/05/09 09:14:32| Creating Swap Directories

This time it worked!

Testing

Start squid in Debug/Test mode and try your WIN98 client browser. Be sure to add the proxy name and port 3128 to the options/connection section [ed. note: I have removed the date from the following extract to ensure the lines fit without scrolling].
mygateway# /usr/local/sbin/squid -NCd1
09:30:54| Starting Squid Cache version 2.1.PATCH2 for i386--freebsd3.2...
09:30:54| Process ID 1026
09:30:54| With 1064 file descriptors available
09:30:54| Performing DNS Tests...
09:30:54| Successful DNS name lookup tests...
09:30:54| helperOpenServers: Starting 5 'dnsserver' processes
09:30:54| Unlinkd pipe opened on FD 13
09:30:54| Swap maxSize 102400 KB, estimated 7876 objects
09:30:54| Target number of buckets: 157
09:30:54| Using 8192 Store buckets, replacement runs every 10 seconds
09:30:54| Max Mem size: 8192 KB
09:30:54| Max Swap size: 102400 KB
09:30:54| Rebuilding storage in Cache Dir #0 (DIRTY)
09:30:54| Loaded Icons.
09:30:54| Accepting HTTP connections on port 3128, FD 35.
09:30:54| Accepting ICP messages on port 3130, FD 36.
09:30:54| Ready to serve requests.
09:30:54| storeRebuildFromDirectory: DIR #0 done!
09:32:10| Finished rebuilding storage disk.
09:32:10| 0 Entries read from previous logfile.
09:32:10| 0 Entries scanned from swap files.
09:32:10| 0 Invalid entries.
09:32:10| 0 With invalid flags.
09:32:10| 0 Objects loaded.
09:32:10| 0 Objects expired.
09:32:10| 0 Objects cancelled.
09:32:10| 0 Duplicate URLs purged.
09:32:10| 0 Swapfile clashes avoided.
09:32:10| Took 76 seconds ( 0.0 objects/sec).
09:32:10| Beginning Validation Procedure
09:32:10| storeLateRelease: released 0 objects
09:32:11| Completed Validation Procedure
09:32:11| Validated 0 Entries
09:32:11| store_swap_size = 21k
09:32:31| parseHttpRequest: Unsupported method 'PROPFIND'
09:32:31| clientReadRequest: FD 14 Invalid Request
^C (Type Control C - to exit the squid)
09:33:44| Preparing for shutdown after 8 requests
09:33:44| Waiting 0 seconds for active connections to finish
09:33:44| FD 35 Closing HTTP connection
09:33:45| Shutting down...
09:33:45| FD 36 Closing ICP connection
09:33:45| Closing unlinkd pipe on FD 13
09:33:45| storeDirWriteCleanLogs: Starting...
09:33:45|   Finished. Wrote 0 entries.
09:33:45|   Took 0 seconds ( 0.0 entries/sec).

I modified /usr/local/etc/squid/squid.conf. I added these lines right above the http_access deny all:
# Add this to the squid.conf (ACL section)
#
acl ourhosts src 10.1.0.0/255.255.0.0
http_access allow ourhosts
#
http_access deny all

Then I start squid again and try the browser, it WORKED!


# /usr/local/sbin/squid -NCd1

FreeBSD Firewall Configuration


FreeBSD makes it very easy to set up a rule-based packet filtering firewall. You can protect just one host, or an entire network. You can easily add Network Address Translation too, so that you can connect up your whole internal network via only one IP address from the outside. There are three parts to this. 1. First, you have to make a few changes to your kernel. This isn't as hard as it sounds. Su to root, cd /usr/src/sys/i386/conf, and copy GENERIC to a new file. Let's call it ACME. This will be your new kernel config. Here are the changes you need to make:
2. *** GENERIC Sun Apr 27 20:41:46 2003 3. --- ACME Sun May 9 12:47:24 2004 4. *************** 5. *** 22,29 **** 6. cpu I486_CPU 7. cpu I586_CPU 8. cpu I686_CPU 9. ! ident GENERIC 10. maxusers 0 11. 12. #makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols 13. 14. --- 22,40 ---15. cpu I486_CPU

16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31. 32. 33.

cpu I586_CPU cpu I686_CPU ! ident ACME maxusers 0 + + # Enable ipfw. + options IPFIREWALL + options IPFIREWALL_VERBOSE + + # Enable ip6fw too. + options IPV6FIREWALL + options IPV6FIREWALL_VERBOSE + + # Enable NAT. + options IPDIVERT #makeoptions debug symbols DEBUG=-g #Build kernel with gdb(1)
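Review bot: the new-file side of this hunk (after `--- 22,40 ---`) shows the makeoptions line as `#makeoptions debug symbols DEBUG=-g #Build kernel with gdb(1)`, whereas the old side reads `#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols`; that line is not meant to change (it stays commented out), so it should be left identical to GENERIC rather than with its words reordered. The hunk header has also run together with its first context line (`--- 22,40 ---15. cpu I486_CPU`), so the diff will not apply with patch(1) as pasted; the intended edits are the single `!` line turning `ident GENERIC` into `ident ACME` and the `+` lines adding IPFIREWALL, IPFIREWALL_VERBOSE, IPV6FIREWALL, IPV6FIREWALL_VERBOSE and IPDIVERT, which is what the prose after the hunk describes.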

In other words, change the ident and add the firewall options. Adding the IPV6FIREWALL options to the kernel doesn't actually enable IPv6; to do that, you have to add ipv6_enable="YES" to your /etc/rc.conf. However, if you have IPv6 enabled and you are setting up an IPv4 firewall, you must enable the IPv6 firewall as well. If you were to set up a v4 firewall and not a v6 firewall, all v6 packets would be allowed through, which would be bad. After setting up the config, build and install the new kernel:
# /usr/sbin/config ACME
# cd ../../compile/ACME
# make depend
# make
# make install

34. Second, edit /etc/rc.conf and add these defines to the end:

# Enable ipfw.
firewall_enable="YES"
firewall_type="type"        # see rc.firewall for what goes here
firewall_quiet="NO"

# Enable ip6fw.
ipv6_firewall_enable="YES"
ipv6_firewall_type="type"   # see rc.firewall6 for what goes here
ipv6_firewall_quiet="NO"

The firewall types should be "client" to secure a single stand-alone machine, or "simple" for a gateway guarding an internal network. If you want to do Network Address Translation, add these defines too:
# Enable natd.
natd_enable="YES"
natd_interface="fxp0"       # your public network interface
natd_flags="-m"             # preserve port numbers if possible

44. Third, you have to make a few edits in rc.firewall and rc.firewall6. The comments there explain what is needed, it's real easy. Look for the section with rules for your firewall type, either "client" or "simple". At the beginning of the section there will be a few defines for your IP numbers, network interfaces, etc.; fill these in. That's it, for a starter setup anyway. Reboot and you should be up and running.
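Both the NAT section earlier and step two above put the gateway, firewall and natd settings in /etc/rc.conf, and the NAT section's listing uses firewall_type="OPEN", which by the handbook's own description lets anything in, while the paragraph above asks for "client" or "simple". The script below is an added example, not from the handbook or FreeBSD's rc.d: it evaluates an rc.conf fragment as shell (which is how rc(8) reads the real file) and reports the combinations that will not work or that leave the box open. Both sample fragments are constructed from the two listings; the function name lint_gateway_rc is this example's own.

```shell
#!/bin/sh
# Added example (not from the handbook): lint the gateway, firewall and natd
# settings of an rc.conf fragment, as described in the NAT section and in step
# two of the firewall setup. rc(8) evaluates /etc/rc.conf as shell, so the
# fragment is evaluated the same way here, inside a subshell.

# Constructed sample: the fragment shown in the NAT section (firewall_type="OPEN").
RC_NAT_OPEN='gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="fxp0"
natd_flags=""'

# Constructed sample: the same gateway using the "simple" ruleset from the firewall section.
RC_NAT_SIMPLE='gateway_enable="YES"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-m"'

# Print one finding per line. Returns 0 when there are no findings, 1 otherwise.
lint_gateway_rc() {
    (
        # rc.conf defaults for the knobs we look at
        gateway_enable=NO firewall_enable=NO firewall_type="" natd_enable=NO natd_interface=""
        eval "$1"
        status=0
        if [ "$natd_enable" = "YES" ]; then
            if [ "$gateway_enable" != "YES" ]; then
                echo "natd_enable=YES but gateway_enable is not YES: the machine will not forward packets"
                status=1
            fi
            if [ "$firewall_enable" != "YES" ]; then
                echo "natd_enable=YES but firewall_enable is not YES: NAT needs the firewall rules loaded at boot"
                status=1
            fi
            if [ -z "$natd_interface" ]; then
                echo "natd_enable=YES but natd_interface is unset: natd needs the external interface"
                status=1
            fi
        fi
        if [ "$firewall_enable" = "YES" ]; then
            # rc.firewall matches the type case-insensitively, so do the same here
            case "$firewall_type" in
                [Cc][Ll][Ii][Ee][Nn][Tt]|[Ss][Ii][Mm][Pp][Ll][Ee]) ;;   # the two types recommended above
                [Oo][Pp][Ee][Nn])
                    echo "firewall_type=OPEN lets anything in; use client or simple for a real deployment"
                    status=1 ;;
                "")
                    echo "firewall_enable=YES but firewall_type is empty"
                    status=1 ;;
                *) ;;   # other rc.firewall types are not judged here
            esac
        fi
        exit $status
    )
}

lint_gateway_rc "$RC_NAT_OPEN" || echo "RC_NAT_OPEN: see findings above"
lint_gateway_rc "$RC_NAT_SIMPLE" && echo "RC_NAT_SIMPLE: no findings"
```

Run against the NAT section's listing it reports only the OPEN ruleset; run against the second fragment it is silent. Since the fragment is evaluated as shell, point it only at files rc(8) would read anyway.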

Configuring the cron Utility


One of the most useful utilities in FreeBSD is cron(8). The cron utility runs in the background and constantly checks the /etc/crontab file. The cron utility also checks the /var/cron/tabs directory, in search of new crontab files. These crontab files store information about specific functions which cron is supposed to perform at certain times. The cron utility uses two different types of configuration files, the system crontab and user crontabs. The only difference between these two formats is the sixth field. In the system crontab, the sixth field is the name of a user for the command to run as. This gives the system crontab the ability to run commands as any user. In a user crontab, the sixth field is the command to run, and all commands run as the user who created the crontab; this is an important security feature. Note: User crontabs allow individual users to schedule tasks without the need for root privileges. Commands in a user's crontab run with the permissions of the user who owns the crontab. The root user can have a user crontab just like any other user. This one is different from /etc/crontab (the system crontab). Because of the system crontab, there is usually no need to create a user crontab for root. Let us take a look at the /etc/crontab file (the system crontab):
# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD: src/etc/crontab,v 1.32 2002/11/22 16:13:39 tom Exp $
#
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#
#
#minute hour    mday    month   wday    who     command
#
#
*/5     *       *       *       *       root    /usr/libexec/atrun

Like most FreeBSD configuration files, the # character represents a comment. A comment can be placed in the file as a reminder of what and why a desired action is performed. Comments cannot be on the same line as a command or else they will be interpreted as part of the command; they must be on a new line. Blank lines are ignored.

First, the environment must be defined. The equals (=) character is used to define any environment settings, as in this example where it is used for the SHELL, PATH, and HOME options. If the SHELL line is omitted, cron will use the default, which is sh. If the PATH variable is omitted, no default will be used and file locations will need to be absolute. If HOME is omitted, cron will use the invoking user's home directory.

The commented header line names a total of seven fields: minute, hour, mday, month, wday, who, and command. These are almost all self explanatory. minute is the minute of the hour at which the command will be run; hour is the hour of the day, on the twenty-four hour clock. mday stands for day of the month, month designates the month, and wday stands for day of the week. All of these fields take numeric values. The who field is special, and only exists in the /etc/crontab file: it specifies which user the command should be run as. When a user installs his or her own crontab file, they will not have this option. Finally, the command field is listed. This is the last field, so naturally it designates the command to be executed.

The last line of the example uses the fields just described. Notice the */5 listing, followed by several more * characters. A * character means first-last, and can be interpreted as every time; */5 means every fifth value. So, judging by this line, the atrun command is invoked by root every five minutes regardless of what day or month it is. For more information on the atrun command, see the atrun(8) manual page. Commands can have any number of flags passed to them; however, commands which extend to multiple lines need to be broken with the backslash \ continuation character.

This is the basic setup for every crontab file, although there is one thing different about this one.
Field number six, where we specified the username, only exists in the system /etc/crontab file. This field should be omitted for individual user crontab files.
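As an added worked example (not code from the FreeBSD Handbook or from cron(8) itself), the following Python parses both crontab formats described above and reports which commands cron would start, and as which user, in a given minute. It reads the seven-field system format, where the sixth field names the user, and the six-field user format, where every command runs as the crontab's owner regardless of what the line says. It also applies cron's rule that when both mday and wday are restricted (neither is a bare *), a match on either day field fires the job. The crontab text, the user alice and the command paths are constructed for this example.

```python
import re
from dataclasses import dataclass

# The five time fields in crontab order, with the range cron(8) accepts for each.
FIELD_RANGES = (("minute", 0, 59), ("hour", 0, 23), ("mday", 1, 31),
                ("month", 1, 12), ("wday", 0, 7))   # wday: 0 and 7 both mean Sunday
# VAR=value lines set the environment for the commands (SHELL, PATH, HOME, MAILTO, ...).
ENV_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

@dataclass(frozen=True)
class CronEntry:
    schedule: tuple   # five frozensets of ints: minute, hour, mday, month, wday
    specs: tuple      # the five raw field strings, kept to see which were a bare "*"
    user: str         # the account the command runs as
    command: str

def parse_field(spec, lo, hi):
    """Expand one time field ("*", "*/5", "1,15", "9-17", "9-17/4") into a frozenset of ints."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {spec!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            first, last = part.split("-", 1)
            start, end = int(first), int(last)
        else:
            start = end = int(part)
        if not lo <= start <= end <= hi:
            raise ValueError(f"{spec!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return frozenset(values)

def parse_crontab(text, system=False, owner=None):
    """Return (env, entries). system=True reads /etc/crontab format (seven fields, the
    sixth is the user); otherwise a user crontab (six fields) whose commands all run
    as `owner`, whatever the line says, because there is no user field to honour."""
    if not system and owner is None:
        raise ValueError("a user crontab must be parsed with its owner")
    env, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blank lines and whole-line comments
            continue
        match = ENV_LINE.match(line)
        if match:
            env[match.group(1)] = match.group(2)
            continue
        nfields = 7 if system else 6
        fields = line.split(None, nfields - 1)      # the command keeps its own spaces
        if len(fields) != nfields:
            raise ValueError(f"malformed crontab line: {raw!r}")
        schedule = tuple(parse_field(spec, lo, hi)
                         for spec, (_, lo, hi) in zip(fields, FIELD_RANGES))
        user, command = (fields[5], fields[6]) if system else (owner, fields[5])
        entries.append(CronEntry(schedule, tuple(fields[:5]), user, command))
    return env, entries

def fires_at(entry, when):
    """True if cron(8) would start `entry` in the minute that `when` (a datetime) falls in."""
    minute, hour, mday, month, wday = entry.schedule
    if when.minute not in minute or when.hour not in hour or when.month not in month:
        return False
    cron_wday = (when.weekday() + 1) % 7             # datetime: Monday=0; cron: Sunday=0
    mday_ok = when.day in mday
    wday_ok = cron_wday in wday or (cron_wday == 0 and 7 in wday)
    if entry.specs[2] == "*" or entry.specs[4] == "*":
        return mday_ok and wday_ok
    return mday_ok or wday_ok     # both day fields restricted: cron fires on either match

def jobs_due(entries, when):
    """(user, command) pairs that cron would start at `when`."""
    return [(e.user, e.command) for e in entries if fires_at(e, when)]

# Constructed sample crontabs for this example, not copied from any real system.
SYSTEM_CRONTAB = """\
# /etc/crontab - system crontab (constructed sample)
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
#minute hour    mday    month   wday    who       command
*/5     *       *       *       *       root      /usr/libexec/atrun
30      2       1,15    *       *       operator  /usr/local/bin/rotate-backups
"""
USER_CRONTAB = """\
# alice's crontab (constructed sample): six fields, no user field
MAILTO=alice
15  9-17/4  *  *  1-5  /home/alice/bin/sync-notes
"""
```

Parsing SYSTEM_CRONTAB with system=True and USER_CRONTAB with owner="alice", then calling jobs_due on the combined entries for 02:30 on Monday 15 January 2024, returns the root atrun job and the operator backup job; alice's job runs only at 09:15, 13:15 and 17:15 on weekdays. The point the text makes about the sixth field shows up directly: feeding a system-format line such as "*/5 * * * * root /usr/libexec/atrun" to the user-crontab parser yields a job that runs as alice with the command "root /usr/libexec/atrun", because a user crontab has no field that can name another account.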

Network Time Protocol


NTP is configured by the /etc/ntp.conf file in the format described in ntp.conf(5). Here is a simple example:
server ntplocal.example.com prefer
server timeserver.example.org
server ntp2a.example.net
driftfile /var/db/ntp.drift

The server option specifies which servers are to be used, with one server listed on each line. If a server is specified with the prefer argument, as with ntplocal.example.com, that server is preferred over other servers. A response from a preferred server will be discarded if it differs significantly from other servers' responses; otherwise it will be used without any consideration of other responses. The prefer argument is normally used for NTP servers that are known to be highly accurate, such as those with special time monitoring hardware.

The driftfile option specifies which file is used to store the system clock's frequency offset. The ntpd(8) program uses this to automatically compensate for the clock's natural drift, allowing it to maintain a reasonably correct setting even if it is cut off from all external time sources for a period of time. The file contains internal information for NTP and should not be modified by any other process.

29.10.3.3 Controlling Access to Your Server


By default, your NTP server will be accessible to all hosts on the Internet. The restrict option in /etc/ntp.conf allows you to control which machines can access your server. If you want to deny all machines from accessing your NTP server, add the following line to /etc/ntp.conf:
restrict default ignore

Note: This will also prevent access from your server to any servers listed in your local configuration. If you need to synchronise your NTP server with an external NTP server you should allow the specific server. See the ntp.conf(5) manual for more information. If you only want to allow machines within your own network to synchronize their clocks with your server, but ensure they are not allowed to configure the server or used as peers to synchronize against, add
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

instead, where 192.168.1.0 is an IP address on your network and 255.255.255.0 is your network's netmask.
/etc/ntp.conf can contain multiple restrict options. For more details, see the Access Control Support subsection of ntp.conf(5).
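The note above is the trap most people fall into with restrict: a deny-by-default line silences your own upstream servers unless each one is re-allowed. As an added example (not code from the Handbook or from ntpd), the following Python reads the server and restrict lines of an ntp.conf and reports that lockout, a missing or too-open restrict default, a network restrict line without nomodify, and a malformed address/mask pair. It only interprets the flags the text uses (ignore, nomodify, notrap); the two sample configurations are constructed for the example, and the host names are the Handbook's example names.

```python
import ipaddress

def parse_ntp_conf(text):
    """Return (servers, restricts): the `server` names and each `restrict` line as
    (target, mask_or_None, frozenset_of_flags). '#' starts a comment."""
    servers, restricts = [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "server" and len(words) > 1:
            servers.append(words[1])
        elif words[0] == "restrict" and len(words) > 1:
            target, flags = words[1], words[2:]
            mask = None
            if len(flags) >= 2 and flags[0] == "mask":
                mask, flags = flags[1], flags[2:]
            restricts.append((target, mask, frozenset(flags)))
    return servers, restricts

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the access control passed."""
    servers, restricts = parse_ntp_conf(text)
    findings = []
    default = next((f for t, _, f in restricts if t == "default"), frozenset())
    if "ignore" in default:
        # Deny-by-default also drops replies from our own upstream servers unless each
        # one is re-allowed by a restrict line of its own (the caveat in the text above).
        allowed = {t for t, _, f in restricts if t != "default" and "ignore" not in f}
        for server in servers:
            if server not in allowed:
                findings.append(f"server {server} is blocked by 'restrict default ignore'; "
                                f"add 'restrict {server}'")
    elif "nomodify" not in default:
        findings.append("'restrict default' is missing or lacks nomodify: any host on the "
                        "Internet may attempt runtime reconfiguration")
    for target, mask, flags in restricts:
        if target == "default" or mask is None or "ignore" in flags:
            continue
        try:                      # dotted netmasks are accepted by ipaddress
            ipaddress.ip_network(f"{target}/{mask}", strict=False)
        except ValueError:
            findings.append(f"restrict {target} mask {mask}: not a valid network")
            continue
        if "nomodify" not in flags:
            findings.append(f"restrict {target} mask {mask} lets the whole network attempt "
                            "runtime reconfiguration; add nomodify")
    return findings

# Constructed sample configurations for this example, not taken from any real host.
LOCKED_OUT = """\
server ntplocal.example.com prefer
server timeserver.example.org
driftfile /var/db/ntp.drift
restrict default ignore
"""
HARDENED = """\
server ntplocal.example.com prefer
server timeserver.example.org
driftfile /var/db/ntp.drift
restrict default ignore
restrict ntplocal.example.com          # re-allow replies from each upstream server
restrict timeserver.example.org
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap   # LAN clients may only sync
"""
```

audit_ntp_conf(LOCKED_OUT) returns one finding per upstream server; audit_ntp_conf(HARDENED) returns none. A config with no restrict default at all, or a LAN line without nomodify, is reported as well. One thing the checker does not know about, because the text does not cover it, is local management: with restrict default ignore in place you will normally also want a restrict line for 127.0.0.1 so that ntpq on the host itself still works.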

29.10.4 Running the NTP Server


To ensure the NTP server is started at boot time, add the line ntpd_enable="YES" to /etc/rc.conf. If you wish to pass additional flags to ntpd(8), edit the ntpd_flags parameter in /etc/rc.conf. To start the server without rebooting your machine, run ntpd being sure to specify any additional parameters from ntpd_flags in /etc/rc.conf. For example:
# ntpd -p /var/run/ntpd.pid

SSH

sshd is offered as an option during a Standard install of FreeBSD. To see if sshd is enabled, check /etc/rc.conf for:
sshd_enable="YES"

This will load sshd(8), the daemon program for OpenSSH, the next time your system initializes. With that variable set, the /etc/rc.d/sshd rc(8) script can also start OpenSSH immediately, without a reboot (if sshd_enable is not set, the script only starts the daemon when given onestart instead of start):
/etc/rc.d/sshd start

File Transfer Protocol (FTP)


Configuration

ftpd(8) can be run from inetd(8) or as a stand-alone server. To run it stand-alone, it is sufficient to set the appropriate variable in /etc/rc.conf:
ftpd_enable="YES"

After setting the above variable, the stand-alone server will be started at the next reboot, or it can be started manually by executing the following command as root:
# /etc/rc.d/ftpd start

You can now log on to your FTP server by typing:
% ftp localhost

Keep in mind that FTP sends user names, passwords and file contents unencrypted; for logins over a network, prefer sftp or scp through the SSH service described above.
