FreeBSD quick installation guide
This is a small guide that I used for quickly installing FreeBSD for Internet gateways. I will update it periodically, so any comments are welcome. I don’t claim that this is the best way; it’s just my way.
1. Boot from FreeBSD installation CD
2. From Country Selection choose the US keyboard layout
3. Begin a Custom Installation
4. Enter the Partition menu and choose Use Entire Disk. After that, choose Install a standard MBR
5. Choose Auto defaults when creating the partitions
6. From Distributions choose Kern-Developer
7. Press Yes when asked to install the ports collection
8. Go to the Custom menu and deselect:
dict
doc
9. Commit all changes and wait until install finishes
10. Install packages:
pkg_add -r sudo mc nano links wget bash
11. Perform small server tuning. Add to /etc/make.conf:
WITHOUT_X11=yes
12. Upgrade FreeBSD ports collection:
portsnap fetch extract
13. Install screen from ports and use it:
cd /usr/ports/sysutils/screen
make install clean
cd
wget sysadmin.md/stuff/.screenrc
screen
14. Copy current server kernel config:
cd /usr/src/sys/i386/conf
cp GENERIC SSC.GATE
15. Alter kernel build options in config file SSC.GATE:
cpu I686_CPU
ident SSCGATE
options DUMMYNET # traffic shaper
options IPFIREWALL # firewall
options IPDIVERT # needed for NAT
options IPFIREWALL_VERBOSE # logging
options IPFIREWALL_VERBOSE_LIMIT=500 # limit logging
options IPFIREWALL_DEFAULT_TO_ACCEPT # default rule to accept
options IPFIREWALL_FORWARD # forward packets
16. Compile and install kernel:
config SSC.GATE
cd ../compile/SSC.GATE
make depend && make && make install
17. Add to /etc/rc.conf:
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
natd_enable="YES"
natd_interface="rl0"
18. Reboot
19. Configure DNS caching server. Enable named. Add to /etc/rc.conf:
named_enable="YES"
20. Alter /etc/namedb/named.conf:
listen-on { 127.0.0.1; 192.168.0.1;};
21. Start named:
/etc/rc.d/named restart
22. Check if named works:
dig @192.168.0.1 sysadmin.md
23. Install DHCP server:
cd /usr/ports/net/isc-dhcp3-server/
make install clean
24. Compile DHCP with the following options:
DHCP_PARANOIA
DHCP_JAIL
OPENSSL_BASE
25. Configure DHCP server. Create the file /usr/local/etc/dhcpd.conf with the following contents:
option domain-name "srv.local";
option domain-name-servers 192.168.0.1, 205.234.170.215, 205.234.170.217;
default-lease-time 720000;
min-lease-time 720000;
max-lease-time 720000;
authoritative;
ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.2 192.168.0.254;
    option routers 192.168.0.1;
}
26. Add to /etc/rc.conf:
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="xl1"
dhcpd_withuser="dhcpd"
dhcpd_withgroup="dhcpd"
dhcpd_chuser_enable="YES"
dhcpd_chroot_enable="YES"
dhcpd_devfs_enable="YES"
dhcpd_rootdir="/var/db/dhcpd"
27. Start DHCP server:
/usr/local/etc/rc.d/isc-dhcpd start
28. Configure firewall. Create a file /etc/fw and add the following rules to it:
#!/bin/sh
wanip="x.x.x.x"
wanif="xl0"
lannet="192.168.0.0/24"
ipfw disable firewall
ipfw -f flush
ipfw -f pipe flush
ipfw -f queue flush
#Perform NAT
ipfw add 1000 divert natd all from any to any via $wanif
ipfw enable firewall
# Shaping
/sbin/ipfw pipe 1 config bw 2048Kbit/s
/sbin/ipfw queue 1 config pipe 1 weight 50 mask dst-ip 0x00000000
/sbin/ipfw add queue 1 ip from any to 192.168.0.1/24
29. Make /etc/fw executable:
chmod 700 /etc/fw
30. After that, add the following lines to /etc/rc.conf:
firewall_enable="YES"
firewall_script="/etc/fw"
natd_enable="YES"
natd_program="/sbin/natd -u -n xl0"
fsck_y_enable="YES"
sendmail_enable="NONE"
31. Reboot
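
An added check, not part of the original guide: a POSIX sh script that reads the kernel config, rc.conf and /etc/fw as edited in steps 15, 17, 28 and 30, and reports permit-by-default firewall settings, rc.conf keys assigned twice, and a NAT interface that differs from wanif. The function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the guide: report permit-by-default firewall settings
# and conflicting values in the files that steps 15, 17, 28 and 30 edit.

# Effective value of KEY ($2) in FILE ($1). rc.conf is sourced as shell, so
# when a key is assigned twice the last assignment wins.
rc_value() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Keys assigned more than once in FILE ($1), sorted, on one line.
rc_duplicates() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort | uniq -d | paste -s -d ' ' -
}

# audit_gateway RCCONF KERNCONF FWSCRIPT: prints one finding per line.
audit_gateway() {
    if grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT' "$2"; then
        echo "kernel: IPFIREWALL_DEFAULT_TO_ACCEPT makes the final rule allow everything"
    fi
    # A custom firewall_script such as /etc/fw replaces the stock rc.firewall,
    # which is the script that acts on firewall_type.
    if [ -z "$(rc_value "$1" firewall_script)" ] &&
       [ "$(rc_value "$1" firewall_type)" = "open" ]; then
        echo "rc.conf: firewall_type=open loads the stock allow-all ruleset"
    fi
    dups=$(rc_duplicates "$1")
    [ -n "$dups" ] && echo "rc.conf: assigned more than once (last wins): $dups"
    nat_if=$(rc_value "$1" natd_interface)
    wan_if=$(rc_value "$3" wanif)
    if [ -n "$nat_if" ] && [ -n "$wan_if" ] && [ "$nat_if" != "$wan_if" ]; then
        echo "mismatch: natd_interface=$nat_if but wanif=$wan_if in the firewall script"
    fi
    return 0
}

# Constructed sample files holding a subset of the lines the steps above add.
make_sample() {
    printf '%s\n' 'options IPFIREWALL' 'options IPFIREWALL_DEFAULT_TO_ACCEPT' > "$1/SSC.GATE"
    printf '%s\n' 'firewall_enable="YES"' 'firewall_type="open"' 'natd_enable="YES"' \
        'natd_interface="rl0"' 'firewall_enable="YES"' 'firewall_script="/etc/fw"' \
        'natd_enable="YES"' > "$1/rc.conf"
    printf '%s\n' '#!/bin/sh' 'wanif="xl0"' 'lannet="192.168.0.0/24"' > "$1/fw"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit_gateway "$tmp/rc.conf" "$tmp/SSC.GATE" "$tmp/fw"
rm -rf "$tmp"
```

On a real gateway, pass /etc/rc.conf, /usr/src/sys/i386/conf/SSC.GATE and /etc/fw to audit_gateway instead of the sample files.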

Right guide, but too many comments you did. I think it needs more explanation.
Thanks. It will be improved.