This is a small guide that I used for quickly installing FreeBSD for Internet gates. I will update it periodically, so any comments are welcome. I don’t claim that this is the best way, it’s just my way.
1. Boot from FreeBSD installation CD
2. From Country Selection choose the US keyboard layout
3. Begin a Custom Installation
5. Enter Partition menu, choose Use Entire Disk. After that, choose Install a standard MBR
5. Choose Auto defaults when creating the partitions
6. From Distributions choose Kern-Developer
7. Press Yes when asked to install the ports collection
8. Go to Custom menu and unselect:
dict doc
9. Commit all changes and wait until install finishes
10. Install packages:
pkg_add -r sudo mc nano links wget bash
11. Perform small server tuning. Add to /etc/make.conf:
WITHOUT_X11=yes
12. Upgrade FreeBSD ports collection:
portsnap fetch extract
13. Install screen from ports and use it:
cd /usr/ports/sysutils/screen
make install clean
cd
wget sysadmin.md/stuff/.screenrc
screen
14. Copy current server kernel config:
cd /usr/src/sys/i386/conf
cp GENERIC SSC.GATE
15. Alter kernel build options in config file SSC.GATE:
cpu     I686_CPU
ident   SSCGATE
options DUMMYNET                        # traffic shaper
options IPFIREWALL                      # firewall
options IPDIVERT                        # needed for NAT
options IPFIREWALL_VERBOSE              # logging
options IPFIREWALL_VERBOSE_LIMIT=500    # limit logging
options IPFIREWALL_DEFAULT_TO_ACCEPT    # default rule to accept
options IPFIREWALL_FORWARD              # forward packets
16. Compile and install kernel:
config SSC.GATE
cd ../compile/SSC.GATE
make depend && make && make install
17. Add to /etc/rc.conf:
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
natd_enable="YES"
natd_interface="rl0"
18. Reboot
19. Configure DNS caching server. Enable named. Add to /etc/rc.conf:
named_enable="YES"
20. Alter /etc/namedb/named.conf:
listen-on { 127.0.0.1; 192.168.0.1; };
21. Start named:
/etc/rc.d/named restart
22. Check if named works:
dig @192.168.0.1 sysadmin.md
23. Install DHCP server:
cd /usr/ports/net/isc-dhcp3-server/
make install clean
24. Compile DHCP with the following options:
DHCP_PARANOIA DHCP_JAIL OPENSSL_BASE
25. Configure DHCP server. Create the file /usr/local/etc/dhcpd.conf with the following contents:
option domain-name "srv.local";
option domain-name-servers 192.168.0.1, 205.234.170.215, 205.234.170.217;
default-lease-time 720000;
min-lease-time 720000;
max-lease-time 720000;
authoritative;
ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.2 192.168.0.254;
    option routers 192.168.0.1;
}
26. Add to /etc/rc.conf:
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="xl1"
dhcpd_withuser="dhcpd"
dhcpd_withgroup="dhcpd"
dhcpd_chuser_enable="YES"
dhcpd_chroot_enable="YES"
dhcpd_devfs_enable="YES"
dhcpd_rootdir="/var/db/dhcpd"
27. Start DHCP server:
/usr/local/etc/rc.d/isc-dhcpd start
28. Configure firewall. Create a file /etc/fw and add the following rules to it:
#!/bin/sh
wanip="x.x.x.x"
wanif="xl0"
lannet="192.168.0.0/24"

# Start from an empty rule set
ipfw disable firewall
ipfw -f flush
ipfw -f pipe flush
ipfw -f queue flush

# Perform NAT: hand every packet crossing the WAN interface to natd
ipfw add 1000 divert natd all from any to any via $wanif
ipfw enable firewall

# Shaping: a single 2 Mbit/s pipe for traffic towards the LAN.
# mask dst-ip 0x00000000 gives one shared queue for all destinations.
/sbin/ipfw pipe 1 config bw 2048Kbit/s
/sbin/ipfw queue 1 config pipe 1 weight 50 mask dst-ip 0x00000000
/sbin/ipfw add queue 1 ip from any to 192.168.0.1/24
# Note: no filtering rules are added here; with IPFIREWALL_DEFAULT_TO_ACCEPT
# in the kernel, everything that is not diverted to natd is accepted.
29. Make /etc/fw executable:
chmod 700 /etc/fw
30. After that add the following lines in /etc/rc.conf:
firewall_enable="YES"
firewall_script="/etc/fw"
natd_enable="YES"
natd_program="/sbin/natd -u -n xl0"
fsck_y_enable="YES"
sendmail_enable="NONE"
31. Reboot
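Before the final reboot it is worth checking that the interface names spread over steps 17, 26, 28 and 30 agree with each other (step 17 names rl0 while steps 28 and 30 use xl0) and that dhcpd keeps its chroot/chuser settings. The script below is an added example, not part of the guide; it takes the rc.conf and firewall script paths as parameters and runs here on inputs constructed from the guide's own fragments.

```shell
#!/bin/sh
# Added example, not part of the guide: cross-check the WAN interface name
# used in /etc/rc.conf (natd_interface, natd_program -n) against wanif in
# /etc/fw, keep dhcpd off the WAN side and confirm its chroot/chuser flags.

# Print the value of the last KEY=value or KEY="value" assignment in a file.
rc_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Print each inconsistency found; return 0 if none, 1 otherwise.
check_gateway() {
    rc=$1 fw=$2 bad=0
    wanif=$(rc_value "$fw" wanif)
    if [ -z "$wanif" ]; then echo "wanif is not set in $fw"; return 1; fi
    natd_if=$(rc_value "$rc" natd_interface)
    natd_prog_if=$(rc_value "$rc" natd_program | sed -n 's/.*-n[ ]*\([^ ]*\).*/\1/p')
    if [ -n "$natd_if" ] && [ "$natd_if" != "$wanif" ]; then
        echo "natd_interface=$natd_if but $fw uses wanif=$wanif"; bad=1
    fi
    if [ -n "$natd_prog_if" ] && [ "$natd_prog_if" != "$wanif" ]; then
        echo "natd_program -n $natd_prog_if but $fw uses wanif=$wanif"; bad=1
    fi
    for i in $(rc_value "$rc" dhcpd_ifaces); do   # dhcpd must stay off the WAN side
        if [ "$i" = "$wanif" ]; then echo "dhcpd_ifaces includes WAN interface $i"; bad=1; fi
    done
    for k in dhcpd_chroot_enable dhcpd_chuser_enable; do
        if [ "$(rc_value "$rc" $k)" != "YES" ]; then echo "$k is not YES"; bad=1; fi
    done
    return $bad
}

# Constructed inputs: the rc.conf lines of steps 17, 26 and 30 merged as they
# would end up (natd_interface still names rl0), plus the header of /etc/fw.
WORK=$(mktemp -d)
FW=$WORK/fw RC_BAD=$WORK/rc.bad RC_OK=$WORK/rc.ok
printf 'wanip="x.x.x.x"\nwanif="xl0"\nlannet="192.168.0.0/24"\n' > "$FW"
cat > "$RC_BAD" <<'EOF'
firewall_enable="YES"
firewall_script="/etc/fw"
natd_enable="YES"
natd_interface="rl0"
natd_program="/sbin/natd -u -n xl0"
dhcpd_ifaces="xl1"
dhcpd_chuser_enable="YES"
dhcpd_chroot_enable="YES"
EOF
sed 's/^natd_interface="rl0"/natd_interface="xl0"/' "$RC_BAD" > "$RC_OK"
check_gateway "$RC_BAD" "$FW" || echo "fix /etc/rc.conf before rebooting"
```

On a live gateway call it as `check_gateway /etc/rc.conf /etc/fw`; with the mismatched rc.conf it reports the rl0/xl0 conflict and returns 1, with the corrected copy it stays silent and returns 0.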