Description:

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1, v1.1, v1.2, v1.3) protocols with full-strength cryptography world-wide. The project is managed by a worldwide community of volunteers who use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes, subject to some simple license conditions.

WWW: http://www.openssl.org/.

How to use

The OpenSSL program is a command line tool for using the various cryptography functions of OpenSSL’s crypto library from the shell. It can be used for:

• Creation and management of private keys, public keys, and parameters
• Public key cryptographic operations
• Creation of X.509 certificates, CSRs and CRLs
• Calculation of Message Digests
• Encryption and Decryption with Ciphers
• SSL/TLS Client and Server Tests
• Handling of S/MIME signed or encrypted mail
• Time Stamp requests, generation, and verification

Display version information for includes a stable OpenSSL with:

user@freebsdsrv:~ $ openssl version [enter]
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
user@freebsdsrv:~ $

Display version information for the current package version(s) of OpenSSL with:

user@freebsdsrv:~ $ pkg search openssl | egrep '^openssl[0-9]+-[0-9]' [enter]
openssl111-1.1.1w_2            TLSv1.3 capable SSL and crypto library
openssl31-3.1.7_1              TLSv1.3 capable SSL and crypto library
openssl32-3.2.3_1              TLSv1.3 capable SSL and crypto library
openssl33-3.3.2_1              TLSv1.3 capable SSL and crypto library
openssl34-3.4.0                TLSv1.3 capable SSL and crypto library
user@freebsdsrv:~ $

Note: The latest stable version is the 3.4!
In this example, an update to the stable version of OpenSSL, version 3.4.0, will be performed!

Installation

Install openssl34 with:

user@freebsdsrv:~ $ sudo pkg install -y security/openssl34 [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	openssl34: 3.4.0

Number of packages to be installed: 1

The process will require 27 MiB more space.
8 MiB to be downloaded.
[1/1] Fetching openssl34-3.4.0.pkg: 100%    8 MiB   8.1MB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing openssl34-3.4.0...
[1/1] Extracting openssl34-3.4.0: 100%
user@freebsdsrv:~ $

Configuration

Disable the use of the old version of OpenSSL in directory /usr/bin/ with:

user@freebsdsrv:~ $ sudo mv /usr/bin/openssl /usr/bin/openssl.default [enter]
user@freebsdsrv:~ $

Create a symbolic link to enable the use of the new version of OpenSSL with:

user@freebsdsrv:~ $ sudo ln -s /usr/local/bin/openssl /usr/bin/ ; ls -l /usr/bin/openssl [enter]
lrwxr-xr-x  1 root wheel 22 Dec  5 15:26 /usr/bin/openssl@ -> /usr/local/bin/openssl
user@freebsdsrv:~ $

Edit file /etc/ssl/openssl.cnf with:

user@freebsdsrv:~ $ sudo ee +168 /usr/local/openssl/openssl.cnf [enter]

This is an example:

...
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = SE
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Vastra Gotaland

localityName                    = Locality Name (eg, city)
localityName_default            = Hisings Karra

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Polymathic

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Support and Development

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_default              = freebsdsrv.local.lan
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_default            = admin@local.lan
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3
...

Generate a key and certificate for 10 year usage with:

user@freebsdsrv:~ $ sudo sh -c 'openssl req -newkey rsa:2048 -nodes -keyout /etc/ssl/server.key -x509 -days 3650 -out /etc/ssl/server.crt' [enter]
.....+.+........+....+..+.........+.+...+..+.+...+..+...+......+..................+.+++++++++++++++++++++++++++++++++++++++*.....+..+.....................+....+.....+.+++++++++++++++++++++++++++++++++++++++*....+....+...+..+......+.+...+..++++++
.+.................+...+.+..+.........+...+.+..+..................+....+++++++++++++++++++++++++++++++++++++++*.....+.+..+.......+++++++++++++++++++++++++++++++++++++++*..+.+......+...+.....+....+...+..+......+.......+.................+...+....+.....+...+...+...............+...+.+.........+......+......+..+.+..+....+........+......+............+.............+.........+..+....+.....+.+......+...+............+..+............+......+....+.....+.+.........+...+...........+......+...+.+..+....+...+.....+...+...+................+...+.....+.......+........+.+..+...+....+...........+.......+...+..+...+................+...+..+....+.....+.......+............+..+.+........+.+.....+....+.....+.......+.....+...+.+...+.....................+..+.........+...+..........+......+......+...+..+...................+.....+....+..+...................++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SE]: [enter]
State or Province Name (full name) [Vastra Gotaland]: [enter]
Locality Name (eg, city) [Hisings Karra]: [enter]
Organization Name (eg, company) [Polymathic]: [enter]
Organizational Unit Name (eg, section) [Support and Development]: [enter]
Common Name (e.g. server FQDN or YOUR name) [freebsdsrv.local.lan]: [enter]
Email Address [admin@local.lan]: [enter]
user@freebsdsrv:/usr/local/etc/ssl $

Review the certificate with:

user@freebsdsrv:~ $ sudo sh -c 'openssl x509 -text -noout -in /etc/ssl/server.crt' [enter]
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            21:b3:69:65:0b:00:ec:5b:bf:55:2e:b3:58:10:e6:58:23:11:21:0b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SE, ST=Vastra Gotaland, L=Hisings Karra, O=Polymathic, OU=Support and Development, CN=freebsdsrv.local.lan, emailAddress=admin@local.lan
        Validity
            Not Before: Jan 27 16:26:04 2025 GMT
            Not After : Jan 25 16:26:04 2035 GMT
        Subject: C=SE, ST=Vastra Gotaland, L=Hisings Karra, O=Polymathic, OU=Support and Development, CN=freebsdsrv.local.lan, emailAddress=admin@local.lan
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:d0:43:bb:19:32:7f:b8:4d:36:57:20:02:e3:
                    07:6a:8b:e1:7c:4a:59:c0:78:be:72:c2:b6:e7:10:
                    c8:c5:b7:d0:2b:c5:e6:f7:f1:a7:cf:39:21:98:d2:
                    98:5b:69:d0:e6:e2:00:49:b9:3a:c7:e2:d5:32:4c:
                    d2:3d:b5:d7:91:32:23:7e:8e:4d:82:75:4a:10:54:
                    86:cf:b7:49:44:d0:32:d8:cb:f1:4a:7f:65:68:9a:
                    0b:59:f2:0d:0f:1a:55:19:57:c1:ce:69:d8:36:b4:
                    77:1a:45:29:b0:d6:2d:93:26:4c:f9:10:a2:71:1d:
                    ac:8e:c0:1a:1d:be:98:34:4a:e8:23:bd:e8:87:af:
                    01:7c:30:4c:70:1f:84:80:de:33:4e:f8:19:ae:3c:
                    d5:d0:2b:42:cb:2d:1b:74:79:36:f9:33:20:9e:58:
                    08:99:03:61:f3:60:e3:75:d7:d0:0a:0a:68:0b:b0:
                    ba:51:83:11:6d:cd:b2:06:6d:56:7f:b2:e4:6d:72:
                    1b:b1:a0:2c:18:f0:0c:0f:17:82:0d:61:a1:b2:0f:
                    c2:6f:11:08:6d:74:b6:3d:eb:9d:f4:94:4f:e3:66:
                    ae:36:0d:d8:e9:c5:db:1a:f6:2c:27:ce:66:a3:75:
                    46:e9:98:9b:70:53:37:44:33:a4:f1:68:65:d3:03:
                    72:01
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D0:E3:3C:AA:67:16:7A:E0:4F:8B:66:16:49:15:E4:19:11:36:C7:23
            X509v3 Authority Key Identifier: 
                D0:E3:3C:AA:67:16:7A:E0:4F:8B:66:16:49:15:E4:19:11:36:C7:23
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        99:07:ac:20:4d:19:68:22:5b:0c:21:c0:9f:01:53:01:aa:a5:
        1b:2c:dd:64:7e:8f:33:4f:d3:58:cb:6e:7a:f6:38:00:85:c8:
        60:71:3a:51:94:da:ff:ed:f9:80:7e:c3:57:e8:c3:ea:88:be:
        5b:f1:ee:d9:fa:40:8a:ee:89:3a:9c:f9:ac:a5:68:ab:27:10:
        33:92:ef:2f:ee:1d:80:6e:90:e6:82:e1:ea:f1:f5:50:cc:6f:
        ce:db:78:00:94:6c:52:13:d5:71:e3:4a:4d:f2:b9:b6:7a:eb:
        41:cd:43:a5:86:ee:72:e0:3b:04:af:d2:a4:c5:47:d6:2b:86:
        82:96:21:a6:ab:47:61:54:0d:9a:70:62:e6:e9:7b:ae:b5:68:
        db:b9:49:dc:a0:55:55:45:64:a0:a0:fb:70:33:6b:8c:70:45:
        50:ef:13:e0:4e:53:d7:2f:16:63:55:16:61:ef:d3:f0:61:0b:
        ce:a5:04:3b:c2:91:e5:52:48:a3:60:b6:ab:ab:b7:2c:b1:65:
        1c:ac:c5:e8:f7:d8:3d:dc:56:cb:91:b4:27:56:ab:e2:0e:a6:
        fc:c1:72:b4:33:46:93:15:10:72:5c:34:01:09:af:43:65:90:
        bd:c6:bf:f0:89:b8:a2:b1:11:5a:1e:25:9d:3b:a0:5c:5c:b2:
        0f:44:5e:51
user@freebsdsrv:~ $

Display a list of files that have been created with:

user@freebsdsrv:~ $ ls -l /etc/ssl/ [enter]
total 49
drwxr-xr-x  2 root wheel   149 Nov 29 12:13 certs
-rw-r--r--  1 root wheel 12336 Nov 29 11:21 openssl.cnf
-rw-r--r--  1 root wheel  1554 Jan 27 17:26 server.crt
-rw-------  1 root wheel  1704 Jan 27 17:25 server.key
drwxr-xr-x  2 root wheel    54 Nov 29 12:12 untrusted
user@freebsdsrv:~ $

Reboot the system after installation of FreeBSD base OS with:

root@:~ # reboot [enter]
Connection to 192.168.1.250 closed by remote host.
Connection to 192.168.1.250 closed.

N.B.: Remove the FreeBSD Installation USB Stick before the system restarts!
In this example, login is performed remotely via the Terminal application from an Apple Mac Mini to a system with the local LAN IP Address 192.168.1.50 as user user.

user@Mac-mini ~ % ssh user@192.168.1.50 [enter]
The authenticity of host '192.168.1.50 (192.168.1.50)' can't be established.
ED25519 key fingerprint is SHA256:uU1ln2+R7xOW1IaKvIsrsBU+t0KFbop75RS5BcBQ0B0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.50' (ED25519) to the list of known hosts.
(user@192.168.1.50) Password for user@freebsdsrv:
FreeBSD 14.2-RELEASE (GENERIC) releng/14.2-n269506-c8918d6c7412

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List:        https://www.FreeBSD.org/lists/questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

To change this login announcement, see motd(5).
ZFS keeps a history of commands run against a specific pool using the
history subcommand to zpool:

zpool history

More details are available using the -i and -l parameters. Note that ZFS
will not keep the complete pool history forever and will remove older
events in favor of newer ones.
		-- Benedict Reuschling <bcr@FreeBSD.org>
user@freebsdsrv:~ $

SUDO – Execute Command As The Superuser

Description:

The best practice is to never log in as the root superuser interactively. If you do – you are doing it wrong!

sudo is a program that allows a permitted user to execute a command as the superuser or another user, as specified by the user’s security policy. Unlike the su utility, sudo authenticates the user against the user’s own password rather than that of the target user. Sudo allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This allows the delegation of specific commands to specific users on specific systems without sharing passwords among the users.

Prerequisites

To follow along, make sure you have,

• Root access to your FreeBSD server
• The password of the root user

Installation

Installation and configuration of sudo require superuser privileges. This sudo installation will be the only and last interactive login as the root superuser you will ever need to perform on this system.

Substitute the user identity with the root superuser identity with:

user@freebsdsrv:~ $ su - [enter]
Password: <-- RootPassWord [enter]
root@freebsdsrv:~ #

Install sudo with:

root@freebsdsrv:~ # pkg install -y security/sudo [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	gettext-runtime: 0.23
	indexinfo: 0.3.1
	sudo: 1.9.16p2

Number of packages to be installed: 3

The process will require 9 MiB more space.
2 MiB to be downloaded.
[1/3] Fetching indexinfo-0.3.1.pkg: 100%    6 KiB   5.9kB/s    00:01    
[2/3] Fetching sudo-1.9.16p2.pkg: 100%    2 MiB   1.9MB/s    00:01    
[3/3] Fetching gettext-runtime-0.23.pkg: 100%  235 KiB 241.2kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/3] Installing indexinfo-0.3.1...
[1/3] Extracting indexinfo-0.3.1: 100%
[2/3] Installing gettext-runtime-0.23...
[2/3] Extracting gettext-runtime-0.23: 100%
[3/3] Installing sudo-1.9.16p2...
[3/3] Extracting sudo-1.9.16p2: 100%
root@freebsdsrv:~ #

Configuration

A default sudo configuration file /usr/local/etc/sudoers was created as part of the installation process.

N.B.: /usr/local/etc/sudoers MUST be edited with the visudo command as root.

The use of visudo minimizes the risk of syntax or file permission errors that prevent sudo from running.

Start editing file /usr/local/etc/sudoers with:

root@freebsdsrv:~ # visudo [enter]
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
...

visudo use the famous vi editor commands. The following commands are needed for updating and saving or exiting without saving file /usr/local/etc/sudoers:

1. Use the arrow keys to move the cursor or…
2. Move the cursor up one line with key ‘K’, down one line with key ‘J’, left one character with key ‘H’ and right one character with key ‘L’
3. Press key ‘I’ to start inserting charters before the current cursor location
4. Press key ‘A’ to start inserting charters after the current cursor location
5. Press key ‘esc’ to abort inserting charters
6. Press key ‘X’ to delete the character under the cursor
7. Press key ‘:’, then ‘W’ and ‘Q’ to save and exit
8. Press key ‘:’, then ‘Q’ and ‘!’ to exit without saving

To delegate privileges to the example user user locate section User privilege specification in the file /usr/local/etc/sudoers.

Update settings as indicated in this example to allow members of the wheel group to substitute user identity without entering their password:

...
##
## User privilege specification
##
root ALL=(ALL:ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL:ALL) ALL

## Same thing without a password
%wheel ALL=(ALL:ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL:ALL) NOPASSWD: ALL
...

Save and exit visudo by pressing [ esc ], [ : ] and the [ W ] and finally [ Q ]
Exit as root with:

root@freebsdsrv:~ # exit [enter]
user@freebsdsrv:~ $

N.B.: User user in this example is configured to be a member of group wheel!
Display privileges for the current user with:

user@freebsdsrv:~ $ sudo -l [enter]
Matching Defaults entries for user on freebsdsrv:
   
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for user:
    Defaults!/usr/local/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User user may run the following commands on freebsdsrv:
    (ALL : ALL) NOPASSWD: ALL
user@freebsdsrv:~ $

Colorized Directory Listings

Description:

Enable display of colors to directory contents listing for command ls and ll.

Configuration

Add two alias commands to file .profile for the user user with:

user@freebsdsrv:~ $ echo 'alias ll="ls -lGF"' | tee -a .profile ; sudo echo 'alias ls="ls -GF"' | tee -a .profile [enter]
alias ll="ls l-GF"
alias ls="ls -GF"
user@freebsdsrv:~ $

…and for root with:

user@freebsdsrv:~ $ sudo echo 'alias ll="ls -lGF"' | sudo tee -a /root/.profile ; sudo echo 'alias ls="ls -GF"' | sudo tee -a /root/.profile [enter]
alias ll="ls l-GF"
alias ls="ls -GF"
user@freebsdsrv:~ $

Log off your system with:

user@freebsdsrv:~ $ exit [enter]

…and then log in to the FreeBSD server and see colors as in this example:

user@freebsdsrv:~ $ ls -l /usr/local [enter]
drwxr-xr-x   2 root wheel 11 Jan 26 17:20 bin
drwxr-xr-x   6 root wheel 14 Jan 26 17:22 etc
drwxr-xr-x   3 root wheel  7 Jan 26 17:20 include
drwxr-xr-x   3 root wheel 14 Jan 26 17:20 lib
drwxr-xr-x   4 root wheel  4 Jan 26 17:20 libdata
drwxr-xr-x   3 root wheel  3 Jan 26 17:20 libexec
drwxr-xr-x   2 root wheel  7 Jan 26 17:20 sbin
drwxr-xr-x  10 root wheel 10 Jan 26 17:20 share
user@freebsdsrv:~ $

/boot/loader.conf

The file loader.conf contains descriptive information on bootstrapping the system. Through it, you can specify the kernel to be booted, parameters to be passed to it, and additional modules to be loaded; generally, set all variables described in loader(8).

By default, the delay before automatically booting is set to 10 seconds.
In this example, the delay is set to zero seconds with:

autoboot_delay=”0″!
Reset content and add autoboot_delay=”0″ to file /boot/loader.conf and verify entries to file /mnt/boot/loader.conf with:

user@freebsdsrv:~ $ sudo sh -c 'echo -e "autoboot_delay=\"0\"" >> /boot/loader.conf' ; cat /boot/loader.conf [enter]
geom_mirror_load="YES"
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
cryptodev_load="YES"
zfs_load="YES"
autoboot_delay="0"
user@freebsdsrv:~ $

/etc/hosts

The host file /etc/hosts contains information regarding the known hosts on the network.
This file provides a backup used when the name server is not running.
Only a few addresses should be included in this file. These include addresses for the local interfaces that ifconfig needs at boot time and a few machines on the local network.

user@freebsdsrv:~ $ sudo sh -c 'cat <<EOF > /etc/hosts
#
# Host Database
#
::1           localhost localhost.local.lan
127.0.0.1     localhost localhost.local.lan
192.168.1.50  freebsdsrv freebsdsrv.local.lan
EOF' ; cat /etc/hosts [enter]
#
# Host Database
#
::1           localhost localhost.local.lan
127.0.0.1     localhost localhost.local.lan
192.168.1.50  freebsdsrv freebsdsrv.local.lan
user@freebsdsrv:~ $

/etc/resolv.conf

The resolver configuration file contains information that is read by the resolver routines the first time a process invokes them. The file is designed to be human-readable and contains a list of keywords with values that provide various types of resolver information.

To configure the FreeBSD server as a DNS client, you need to edit or modify the /etc/resolv.conf file to define which name servers should use.

Display content of file /etc/resolv.conf with:

user@freebsdsrv:~ $ sudo sh -c 'cat <<EOF > /etc/resolv.conf
#
# Resolver Database
#
domain local.lan
nameserver 192.168.1.1
nameserver 208.67.222.222
nameserver 208.67.220.220
EOF' ; cat /etc/resolv.conf [enter]
#
# Resolver Database
#
domain local.lan
nameserver 192.168.1.1
nameserver 208.67.222.222
nameserver 208.67.220.220
user@freebsdsrv:~ $

Verify Configuration with:

ping

ping – send ICMP or ICMPv6 ECHO_REQUEST packets to network hosts.

user@freebsdsrv:~ $ ping -c 3 freebsdsrv.local.lan [enter]
PING freebsdsrv (192.168.1.50): 56 data bytes
64 bytes from 192.168.1.50: icmp_seq=0 ttl=64 time=0.036 ms
64 bytes from 192.168.1.50: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 192.168.1.50: icmp_seq=2 ttl=64 time=0.026 ms

--- freebsdsrv ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.026/0.031/0.036/0.004 ms
user@freebsdsrv:~ $

user@freebsdsrv:~ $ ping -c 3 freebsdsrv [enter]
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.072 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.056 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.047 ms

--- localhost ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.047/0.058/0.072/0.010 ms
user@freebsdsrv:~ $

drill

drill is a tool designed to get all sorts of information out of the DNS.

user@freebsdsrv:~ $ drill freebsd.org [enter]
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 31073
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; freebsd.org.	IN	A

;; ANSWER SECTION:
freebsd.org.	3600	IN	A	96.47.72.84

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 37 msec
;; SERVER: 192.168.1.1
;; WHEN: Fri Oct 28 13:35:22 2022
;; MSG SIZE  rcvd: 45
user@freebsdsrv:~ $

Networking restart

Network interface setup is done using the netif, and routing setup is done using the routing.

N.B.: Always restart the netif and routing services together to avoid lockdown issues!

The right way to restart networking services on FreeBSD is:

user@freebsdsrv:~ $ sudo service netif restart ; sudo service routing restart [enter]
Stopping Network: lo0 em0.
...
Starting Network: lo0 em0.
...
delete host 127.0.0.1: gateway lo0 fib 0: gateway uses the same route
delete net default: gateway 192.168.1.1 fib 0: not in table
delete host ::1: gateway lo0 fib 0: gateway uses the same route
delete net fe80::: gateway ::1
delete net ff02::: gateway ::1
delete net ::ffff:0.0.0.0: gateway ::1
delete net ::0.0.0.0: gateway ::1
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 192.168.1.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
user@freebsdsrv:~ $
user@freebsdsrv:~ $

Log Console Messages To File

Configuration:

Enable all writes to /dev/console during boot to be logged to file /var/log/console.log with:

user@freebsdsrv:~ $ sudo sed -e 's/#console.info/console.info/' -i "" /etc/syslog.conf && cat /etc/syslog.conf | grep console.info [enter]
console.info					/var/log/console.log
user@freebsdsrv:~ $

Create file /var/log/console.log and then change file modes to mode 600 with:

user@freebsdsrv:~ $ sudo touch /var/log/console.log && sudo chmod -vv 600 /var/log/console.log [enter]
/var/log/console.log: 0100644 [-rw-r--r-- ] -> 0100600 [-rw------- ]
user@freebsdsrv:~ $

Restart syslogd to log all new console messages to file /var/log/console.log with:

user@freebsdsrv:~ $ sudo service syslogd restart [enter]
Stopping syslogd.
Waiting for PIDS: 808.
Starting syslogd.
user@freebsdsrv:~ $

A reboot is required to record all console messages on the system boot.
Reboot the system with:

user@freebsdsrv:~ $ sudo reboot [enter]
Connection to 192.168.1.50 closed by remote host.
Connection to 192.168.1.50 closed.

Wait for the system to reboot, then log back in with a remote SSH client session.

Display file /var/log/console.log with:

user@freebsdsrv:~ $ sudo cat /var/log/console.log [enter]

…and look for ERRORs and WARNINGs.

Display lines with word warning, error or critical in file /var/log/console.log with:

user@freebsdsrv:~ $ sudo cat /var/log/console.log | grep -E -wi 'warning|error|critical' [enter]
user@ freebsdsrv:~ $

If any errors and warnings are found, fix the problem and restart service syslogd as described above.

Requirements:

Required hardware: USB Memory Stick, minimum size 2 GB

Required software: sudo and wget

Download files

user@freebsdsrv:~ $ wget https://download.freebsd.org/ftp/releases/ISO-IMAGES/14.2/FreeBSD-14.2-RELEASE-amd64-memstick.img [enter]
--2025-01-24 16:47:51--  https://download.freebsd.org/ftp/releases/ISO-IMAGES/14.2/FreeBSD-14.2-RELEASE-amd64-memstick.img
Resolving download.freebsd.org (download.freebsd.org)... 85.30.190.138, 2a02:80:0:3ffd::15:1
Connecting to download.freebsd.org (download.freebsd.org)|85.30.190.138|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1559351808 (1.5G) [application/octet-stream]
Saving to: ‘FreeBSD-14.2-RELEASE-amd64-memstick.img’

FreeBSD-14.2-RELEAS 100%[===================>]   1.45G  93.8MB/s    in 16s     

2025-01-24 16:48:07 (91.1 MB/s) - ‘FreeBSD-14.2-RELEASE-amd64-memstick.img’ saved [1559351808/1559351808]

user@freebsdsrv:~ $

user@freebsdsrv:~ $ wget https://download.freebsd.org/ftp/releases/ISO-IMAGES/14.2/CHECKSUM.SHA512-FreeBSD-14.2-RELEASE-amd64 [enter]
--2025-01-24 16:49:55--  https://download.freebsd.org/ftp/releases/ISO-IMAGES/14.2/CHECKSUM.SHA512-FreeBSD-14.2-RELEASE-amd64
Resolving download.freebsd.org (download.freebsd.org)... 85.30.190.138, 2a02:80:0:3ffd::15:1
Connecting to download.freebsd.org (download.freebsd.org)|85.30.190.138|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1811 (1.8K) [application/octet-stream]
Saving to: ‘CHECKSUM.SHA512-FreeBSD-14.2-RELEASE-amd64’

CHECKSUM.SHA512-Fre 100%[===================>]   1.77K  --.-KB/s    in 0s      

2025-01-24 16:49:55 (200 MB/s) - ‘CHECKSUM.SHA512-FreeBSD-14.2-RELEASE-amd64’ saved [1811/1811]

user@freebsdsrv:~ $

Verify file checksum

user@freebsdsrv:~ % sha512sum --ignore-missing -c CHECKSUM.SHA512-FreeBSD-14.2-RELEASE-amd64 [enter]
FreeBSD-14.2-RELEASE-amd64-memstick.img: OK
user@freebsdsrv:~ %

Prepare the USB Memory Stick

Insert the USB Memory Stick into a USB Port on the FreeBSD Computer.

N.B.: All Data on the USB Memory Stick will be lost!

Since USB devices are seen as a SCSI device, camcontrol can be used to list device information for the inserted USB Memory Stick with this command:

user@freebsdsrv:~ $ sudo camcontrol devlist [enter]
<KINGSTON SKC600MS1024G S4500105>  at scbus0 target 0 lun 0 (pass0,ada0)
<AHCI SGPIO Enclosure 2.00 0001>   at scbus1 target 0 lun 0 (ses0,pass1)
<Generic STORAGE DEVICE 9454>      at scbus2 target 0 lun 0 (da0,pass2)
<USB SanDisk 3.2Gen1 1.00>         at scbus3 target 0 lun 0 (da1,pass3)
user@freebsdsrv:~ %

…or show the list with:

user@freebsdsrv:~ % geom disk list [enter]
Geom name: ada0
Providers:
1. Name: ada0
   Mediasize: 1024209543168 (954G)
   Sectorsize: 512
   Stripesize: 4096
   Stripeoffset: 0
   Mode: r3w3e6
   descr: KINGSTON SKC600MS1024G
   lunid: 50026b7784547f24
   ident: 50026B7784547F24
   rotationrate: 0
   fwsectors: 63
   fwheads: 16

Geom name: da0
Providers:
1. Name: da0
   Mediasize: 15682240512 (15G)
   Sectorsize: 512
   Mode: r0w0e0
   descr: USB SanDisk 3.2Gen1
   lunname: USB     SanDisk 3.2Gen10401d35adeca736bcb13
   lunid: USB     SanDisk 3.2Gen10401d35adeca736bcb13
   ident: 0401d35adeca736bcb13031ed3ec52718ba62977e6bc9346b77babe3dc0b8413cbd00000000000000000000073fbf77f0096801881558107632a548f
   rotationrate: unknown
   fwsectors: 63
   fwheads: 255

user@freebsdsrv:~ %

In this example, SanDisk 3.2Gen1 registered as device da0 is the target USB Memory Stick.

Optional: Display information about device da0 with, for example:

user@freebsdsrv:~ % sudo diskinfo -v da0 [enter]
da1
	512         	# sectorsize
	15682240512 	# mediasize in bytes (15G)
	30629376    	# mediasize in sectors
	0           	# stripesize
	0           	# stripeoffset
	1906        	# Cylinders according to firmware.
	255         	# Heads according to firmware.
	63          	# Sectors according to firmware.
	USB SanDisk 3.2Gen1	# Disk descr.
	0401d35adeca736bcb13031ed3ec52718ba62977e6bc9346b77babe3dc0b8413cbd00000000000000000000073fbf77f0096801881558107632a548f	# Disk ident.
	umass-sim1  	# Attachment
	No          	# TRIM/UNMAP support
	Unknown     	# Rotation rate in RPM
	Not_Zoned   	# Zone Mode

user@freebsdsrv:~ %

Optional: Show the current partition information of the USB Memory Stick using this command:

user@freebsdsrv:~ % gpart show da0 [enter]
=>      63  30629313  da1  MBR  (15G)
        63      1985       - free -  (993K)
      2048  30625792    1  ntfs  (15G)
  30627840      1536       - free -  (768K)

user@freebsdsrv:~ %

N.B.: Your USB Memory Stick may have a different layout than this example!

WARNING: The next step will delete all information on the USB Memory Stick!

Destroy the partitioning scheme on the USB Memory Stick with the following:

user@freebsdsrv:~ % sudo gpart destroy -F da0 [enter]
da1 destroyed
user@freebsdsrv:~ %

Copy the FreeBSD image file to the USB Memory Stick

The image file FreeBSD-14.2-RELEASE-amd64-memstick.img is copied to the USB Memory Stick with the dd utility with this command:

user@freebsdsrv:~ % sudo sh -c 'dd if=FreeBSD-14.2-RELEASE-amd64-memstick.img of=/dev/da0 bs=4M conv=sync status=progress' [enter]
  1560281088 bytes (1560 MB, 1488 MiB) transferred 85.038s, 18 MB/s
372+0 records in
372+0 records out
1560281088 bytes transferred in 85.306856 secs (18290219 bytes/sec)
user@freebsdsrv:~ $

Delete downloaded files

user@freebsdsrv:~ % rm FreeBSD-14.2-*; rm CHECKSUM.SHA512-FreeBSD-14.2-* [enter]
user@freebsdsrv:~ %

List /dev setup on the USB stick da0 with:

user@freebsdsrv:~ $ ls /dev/da* [enter]
/dev/da0     /dev/da0s1   /dev/da0s2   /dev/da0s2a
user@freebsdsrv:~ $

In this example, /dev/da0s2a contains the FreeBSD-14.2-RELEASE-amd64 OS installation.

Mount /dev/da0s2a with read and write permissions on /mnt with:

user@freebsdsrv:~ $ sudo mount -o rw /dev/da0s2a /mnt [enter]
user@freebsdsrv:~ $

List directory contents of /mnt with:

user@freebsdsrv:~ $ ls -l /mnt [enter]
total 72
-r--r--r--   1 root wheel 6109 Nov 29 13:53 COPYRIGHT
drwxr-xr-x   2 root wheel 1024 Nov 29 13:51 bin
drwxr-xr-x  14 root wheel 1536 Nov 29 13:53 boot
dr-xr-xr-x   2 root wheel  512 Nov 29 13:50 dev
drwxr-xr-x  30 root wheel 2048 Nov 29 14:02 etc
drwxr-xr-x   4 root wheel 2048 Nov 29 13:51 lib
drwxr-xr-x   3 root wheel  512 Nov 29 13:50 libexec
drwxr-xr-x   2 root wheel  512 Nov 29 13:50 media
drwxr-xr-x   2 root wheel  512 Nov 29 13:50 mnt
drwxr-xr-x   2 root wheel  512 Nov 29 13:50 net
dr-xr-xr-x   2 root wheel  512 Nov 29 13:50 proc
drwxr-xr-x   2 root wheel  512 Nov 29 13:50 rescue
drwxr-x---   2 root wheel  512 Nov 29 13:53 root
drwxr-xr-x   2 root wheel 3072 Nov 29 13:51 sbin
drwxrwxrwt   2 root wheel  512 Nov 29 13:50 tmp
drwxr-xr-x  13 root wheel  512 Nov 29 13:53 usr
drwxr-xr-x  24 root wheel  512 Nov 29 13:50 var
user@freebsdsrv:~ $

Delete file /mnt/etc/rc.local with:

user@freebsdsrv:~ $ sudo rm /mnt/etc/rc.local [enter]
user@freebsdsrv:~ $

Update /etc/fstab

Update file fstab status from read-only to read-write with:

user@freebsdsrv:~ $ sudo sh -c 'sed -e "s/ro/rw/" -i "" /mnt/etc/fstab' ; cat /mnt/etc/fstab [enter]
/dev/ufs/FreeBSD_Install / ufs rw,noatime 1 1
user@freebsdsrv:~ $

Update /etc/rc.conf

Find a currently-unused IP address in your local network.
In this example, IP address 192.168.1.250 and netmask 255.255.255.0 will be hard-coded in file rc.conf.

user@freebsdsrv:~ $ sudo sh -c 'echo ifconfig_DEFAULT=\"inet 192.168.1.250 netmask 255.255.255.0\" >> /mnt/etc/rc.conf'; sudo sh -c 'echo defaultrouter=\"192.168.1.1\" >> /mnt/etc/rc.conf' ; sudo sh -c 'echo sshd_enable=\"YES\" >> /mnt/etc/rc.conf'; sudo sh -c 'echo keymap=\"se.kbd\" >> /mnt/etc/rc.conf'; cat /mnt/etc/rc.conf [enter]
sendmail_enable="NONE"
hostid_enable="NO"
ifconfig_DEFAULT="inet 192.168.1.250 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
sshd_enable="YES"
keymap="se.kbd"
user@freebsdsrv:~ $

Update /boot/loader.conf

Add autoboot_delay=”0″ to file /mnt/boot/loader.conf and verify entries to file /mnt/boot/loader.conf with:

user@freebsdsrv:~ $ sudo sh -c 'echo -e "autoboot_delay=\"0\"" >> /mnt/boot/loader.conf' ; cat /mnt/boot/loader.conf  [enter]
vfs.mountroot.timeout="10"
kernels_autodetect="NO"
loader_menu_multi_user_prompt="Installer"
autoboot_delay="0"
user@freebsdsrv:~ $

Update /etc/ssh/sshd_config

user@freebsdsrv:~ $ sudo sed -e "s/#PermitRootLogin no/PermitRootLogin yes/" -i "" /mnt/etc/ssh/sshd_config ; sudo sed -e 's/#PasswordAuthentication no/PasswordAuthentication yes/' -i "" /mnt/etc/ssh/sshd_config ; sudo sed -e 's/#PermitEmptyPasswords no/PermitEmptyPasswords yes/' -i "" /mnt/etc/ssh/sshd_config ; sudo sed -e 's/#UsePAM yes/UsePAM no/' -i "" /mnt/etc/ssh/sshd_config ; sudo sed -e 's/#UseDNS yes/UseDNS no/' -i "" /mnt/etc/ssh/sshd_config ; cat /mnt/etc/ssh/sshd_config [enter]
#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
# Note that passwords may also be accepted via KbdInteractiveAuthentication.
PasswordAuthentication yes
PermitEmptyPasswords yes

# Change to no to disable PAM authentication
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
#VersionAddendum FreeBSD-20221019

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
user@freebsdsrv:~ $

user@freebsdsrv:~ $ sudo umount /mnt [enter]
user@freebsdsrv:~ $

Insert the modified USB into the target machine, boot it, and wait for a minute or so. You should be able to SSH into it as root.

user@iMac ~ % ssh root@192.168.1.250 [enter]   
The authenticity of host '192.168.1.250 (192.168.1.250)' can't be established.
ED25519 key fingerprint is SHA256:fJc/6q4xKsatzWj5voqi/Pst6R3oPLZN0Tgrrnm2ujY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes [enter]
Warning: Permanently added '192.168.1.250' (ED25519) to the list of known hosts.
FreeBSD 14.2-RELEASE (GENERIC) releng/14.2-n269506-c8918d6c7412

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List:        https://www.FreeBSD.org/lists/questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

To change this login announcement, see motd(5).
root@:~ #

bsdinstall

Run bsdinstall to install FreeBSD on the target machine.

root@:~ # bsdinstall [enter]

bsdconfig

If you’ve already installed FreeBSD, you may use bsdconfig to customise the server to suit your particular configuration. Most importantly, you can use the Package utility to load extra ‘3rd party’ software not provided in the base distributions.

root@:~ # bsdconfig [enter]

Description

tftp-hpa is portable, BSD derived tftp server. It supports advanced options such as blksize, blksize2, tsize, timeout, and utimeout. It also supported rule-based security options.

Requirements

The following application(s) must be installed, configured and running before tftp-hpa is installed:

• None

Preparation for Installation

Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.

In this example Terminal on a Mac is used.

Open a remote SSH session to the server with:

Mac:~ user$ ssh user@192.168.1.4 [enter]

[user@server ~]$

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#

N.B.: Enter user password, not the root password!

Installation

Search for tftp in the remote package repositories with:

[root@server /usr/home/user]# pkg search tftp  [enter]
atftp-0.7_3                    Advanced tftp server and client
nagios-check_tftp-1.0.1        Nagios plugin to check tftp servers
p5-TFTP-1.0                    TFTP client in Perl as described in RFC783
py27-tftpy-0.6.2               Pure Python TFTP Implementation
tftp-hpa-5.2                   Advanced tftp server
tftpgrab-0.2                   TFTP stream extractor
utftpd-0.2.4_2                 secure tftpd server with fine grained access and revision control
[root@server /usr/home/user]##

In this example, tftp-hpa will be installed.

Install port tftp-hpa with;

[root@server /usr/home/user]# pkg install tftp-hpa [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	tftp-hpa: 5.2

Number of packages to be installed: 1

38 KiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
Fetching tftp-hpa-5.2.txz: 100%   38 KiB  39.3kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing tftp-hpa-5.2...
[1/1] Extracting tftp-hpa-5.2: 100%
[root@server /usr/home/user]#

Configuration

packet filter (pf)

Access to the tftpd service must be enabled in the packet filter (pf) configuration file.

Start editing file /etc/pf.conf with:

[root@server /usr/home/user]# ee /etc/pf.conf [enter]

…and add port information to enable access to the TFTP service from clients on the local network as in this example:

...
# Ports:
#  53 TCP UDP   Domain Name System (DNS)
#  67 TCP UDP	Bootstrap Protocol (BOOTP) server
#  69 TCP UDP   Trivial File Transfer Protocol (TFTP)
# 123 TCP       Network Time Protocol
...
tcp_pass="{ 53,  67, 69, 123 }"
udp_pass="{ 53,  67, 69, }"
...
# Pass specified tcp traffic in to this server from LAN clients
pass in on $lan_if proto tcp from $lan_if:network to $lan_if port $tcp_pass

# Pass specified udp  traffic in to this server from LAN clients
pass in on $lan_if proto udp from $lan_if:network to $lan_if port $udp_pass

# Pass SSH traffic from LAN clients (for Admin)
pass in on $lan_if proto tcp from $lan_if:network to $lan_if port ssh
...

Check /etc/pf.conf for errors, but do not load ruleset with:

[root@server /usr/home/user]# pfctl -vvnf /etc/pf.conf [enter]

…and then reload /etc/pf.conf with:

[root@server /usr/home/user]# service pf reload [enter]
Reloading pf rules.
[root@server /usr/home/user]#

/tftpboot Directory

List current ZFS pool information with:

[root@server /usr/home/user]# zpool list [enter]
NAME    SIZE  ALLOC   FREE  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot  5,44T   254G  5,19T         -     2%     4%  1.00x  ONLINE  -
[root@server /usr/home/user]#

In this example, zroot pool was found.

Creates a dataset where the tftpboot files will be stored with:

[root@server /usr/home/user]# zfs create -o compression=lz4 -o mountpoint=/tftpboot zroot/tftpboot [enter]
[root@server /usr/home/user]#

[root@server /usr/home/user]# chown tftpd:tftpd /tftpboot [enter]
[root@server /usr/home/user]#

[root@server /usr/home/user]# chmod u=rwx,g=rx,o= /tftpboot [enter]
[root@server /usr/home/user]#

tftpd User

Create a separate user tftpd with group tftpd, no login shell and the home directory set to /nonexistent for running tftpd with:

Add a separate user group tftpd for running the tftpd service with:

[root@server /usr/home/user]# pw groupadd tftpd  [enter]
[root@server /usr/home/user]#

Add a separate user tftpd in group tftpd, no login shell and the home directory set to /nonexistent for running the tftpd service with:

[root@server /usr/home/user]# pw useradd tftpd -c tftp_manager -d /nonexistent -g tftpd -s /usr/sbin/nologin [enter]
[root@server /usr/home/user]#

[root@server /usr/home/user]# vipw [enter]
...
tftpd:*:4004:4003::0:0:tftp_manager:/nonexistent:/usr/sbin/nologin
...
[root@server /usr/home/user]#

Enable tftpd Service

List installed tftpd services with:

[root@server /usr/home/user]# service -r | grep tftpd [enter]
/usr/local/etc/rc.d/tftpd
[root@server /usr/home/user]#

Find the rcvar for /etc/rc.conf with:

[root@server /usr/home/user]# /usr/local/etc/rc.d/tftpd rcvar [enter]
# tftpd
#
tftpd_enable="NO"
#   (default: "")

[root@server /usr/home/user]#

To start tftpd at system boot, add information to /etc/rc.conf with this commands:

[root@server /usr/home/user]# echo '' >> /etc/rc.conf; echo '# tftpd-hpa' >> /etc/rc.conf; echo 'tftpd_enable="YES"' >> /etc/rc.conf; echo 'tftpd_flags="--ipv4 --secure --create --user tftpd --umask 027 --permissive --address 0.0.0.0:69 /tftpboot"' >> /etc/rc.conf [enter]
[root@server /usr/home/user]#

Optional: Add –blocksize 1468 to the tftpd_flags may improve the performance on some systems.

Display full list of tftpd options with:

[root@server /usr/home/user]# man in.tftpd [enter]

Start

Manually start tftpd with:

[root@server /usr/home/user]# service tftpd start [enter]
Starting tftpd.
[root@server /usr/home/user]#

Verify and Test

Check whether the tftpd service daemon is running:

[root@server /usr/home/user]# ps -x | grep tftp | grep -v grep [enter]
 2970  -  Is       0:00,00 /usr/local/libexec/in.tftpd --ipv4 --secure --create --user tftpd --umask 027 --permissive --address 0.0.0.0:69 /tftpboot -P /var/run/tftpd.pid -l
[root@server /usr/home/user]#

You should now have an operational TFTP server. Since your FreeBSD system also has a TFTP client, you can test that the server is running.

First, tftp to the address of your TFTP server as a regular user. Here, we will use the tftp client from the same computer, that is the TFTP server.

Connect to the TFTP service on the local host with:

[root@server /usr/home/user]# tftp localhost [enter]

If the server responds, your prompt will change to:

tftp>

If you type ?, you’ll get a list of command that the tftp client supports:

tftp> ? [enter]
Commands may be abbreviated.  Commands are:

connect 	connect to remote tftp
mode    	set file transfer mode
put     	send file
get     	receive file
quit    	exit tftp
verbose 	toggle verbose mode
status  	show current status
binary  	set mode to octet
ascii   	set mode to netascii
rexmt   	set per-packet retransmission timeout[-]
timeout 	set total retransmission timeout
trace   	enable 'debug packet'[-]
debug   	enable verbose output
blocksize	set blocksize[*]
blocksize2	set blocksize as a power of 2[**]
rollover	rollover after 64K packets[**]
options 	enable or disable RFC2347 style options
help    	print help information
packetdrop	artificial packetloss feature
?       	print help information

[-] : You shouldn't use these ones anymore.
[*] : RFC2347 options support required.
[**] : Non-standard RFC2347 option.
tftp>

Exit the tftp client with:

tftp> q [enter]
[root@server /usr/home/user]#