Category: FreeBSD

tftp-hpa – BSD derived TFTP Server

tftp-hpa – BSD derived TFTP Server

Description

tftp-hpa is portable, BSD derived tftp server. It supports advanced options such as blksize, blksize2, tsize, timeout, and utimeout. It also supported rule-based security options.

Requirements

The following application(s) must be installed, configured and running before tftp-hpa is installed:

  • None

Preparation for Installation

Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.

In this example Terminal on a Mac is used.

Open a remote SSH session to the server with:

Mac:~ user$ ssh user@192.168.1.4 [enter]
N.B.: Replace user@192.168.1.4 with User ID and IP Address on Your server!
[user@server ~]$

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#

N.B.: Enter user password, not the root password!

Installation

Search for tftp in the remote package repositories with:

[root@server /usr/home/user]# pkg search tftp  [enter]
atftp-0.7_3                    Advanced tftp server and client
nagios-check_tftp-1.0.1        Nagios plugin to check tftp servers
p5-TFTP-1.0                    TFTP client in Perl as described in RFC783
py27-tftpy-0.6.2               Pure Python TFTP Implementation
tftp-hpa-5.2                   Advanced tftp server
tftpgrab-0.2                   TFTP stream extractor
utftpd-0.2.4_2                 secure tftpd server with fine grained access and revision control
[root@server /usr/home/user]##

In this example, tftp-hpa will be installed.

Install port tftp-hpa with;

[root@server /usr/home/user]# pkg install tftp-hpa [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	tftp-hpa: 5.2

Number of packages to be installed: 1

38 KiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
Fetching tftp-hpa-5.2.txz: 100%   38 KiB  39.3kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing tftp-hpa-5.2...
[1/1] Extracting tftp-hpa-5.2: 100%
[root@server /usr/home/user]#

Configuration

packet filter (pf)

Access to the tftpd service must be enabled in the packet filter (pf) configuration file.

Start editing file /etc/pf.conf with:

[root@server /usr/home/user]# ee /etc/pf.conf [enter]

…and add port information to enable access to the TFTP service from clients on the local network as in this example:

...
# Ports:
#  53 TCP UDP   Domain Name System (DNS)
#  67 TCP UDP	Bootstrap Protocol (BOOTP) server
#  69 TCP UDP   Trivial File Transfer Protocol (TFTP)
# 123 TCP       Network Time Protocol
...
tcp_pass="{ 53,  67, 69, 123 }"
udp_pass="{ 53,  67, 69, }"
...
# Pass specified tcp traffic in to this server from LAN clients
pass in on $lan_if proto tcp from $lan_if:network to $lan_if port $tcp_pass

# Pass specified udp  traffic in to this server from LAN clients
pass in on $lan_if proto udp from $lan_if:network to $lan_if port $udp_pass

# Pass SSH traffic from LAN clients (for Admin)
pass in on $lan_if proto tcp from $lan_if:network to $lan_if port ssh
...

Check /etc/pf.conf for errors, but do not load ruleset with:

[root@server /usr/home/user]# pfctl -vvnf /etc/pf.conf [enter]

…and then reload /etc/pf.conf with:

[root@server /usr/home/user]# service pf reload [enter]
Reloading pf rules.
[root@server /usr/home/user]#

/tftpboot Directory

List current ZFS pool information with:

[root@server /usr/home/user]# zpool list [enter]
NAME    SIZE  ALLOC   FREE  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot  5,44T   254G  5,19T         -     2%     4%  1.00x  ONLINE  -
[root@server /usr/home/user]#

In this example, zroot pool was found.

Creates a dataset where the tftpboot files will be stored with:

[root@server /usr/home/user]# zfs create -o compression=lz4 -o mountpoint=/tftpboot zroot/tftpboot [enter]
[root@server /usr/home/user]#
[root@server /usr/home/user]# chown tftpd:tftpd /tftpboot [enter]
[root@server /usr/home/user]#
[root@server /usr/home/user]# chmod u=rwx,g=rx,o= /tftpboot [enter]
[root@server /usr/home/user]#

tftpd User

Create a separate user tftpd with group tftpd, no login shell and the home directory set to /nonexistent for running tftpd with:

Add a separate user group tftpd for running the tftpd service with:

[root@server /usr/home/user]# pw groupadd tftpd  [enter]
[root@server /usr/home/user]#

Add a separate user tftpd in group tftpd, no login shell and the home directory set to /nonexistent for running the tftpd service with:

[root@server /usr/home/user]# pw useradd tftpd -c tftp_manager -d /nonexistent -g tftpd -s /usr/sbin/nologin [enter]
[root@server /usr/home/user]#
[root@server /usr/home/user]# vipw [enter]
...
tftpd:*:4004:4003::0:0:tftp_manager:/nonexistent:/usr/sbin/nologin
...
[root@server /usr/home/user]#

Enable tftpd Service

List installed tftpd services with:

[root@server /usr/home/user]# service -r | grep tftpd [enter]
/usr/local/etc/rc.d/tftpd
[root@server /usr/home/user]#

Find the rcvar for /etc/rc.conf with:

[root@server /usr/home/user]# /usr/local/etc/rc.d/tftpd rcvar [enter]
# tftpd
#
tftpd_enable="NO"
#   (default: "")

[root@server /usr/home/user]#

To start tftpd at system boot, add information to /etc/rc.conf with this commands:

[root@server /usr/home/user]# echo '' >> /etc/rc.conf; echo '# tftpd-hpa' >> /etc/rc.conf; echo 'tftpd_enable="YES"' >> /etc/rc.conf; echo 'tftpd_flags="--ipv4 --secure --create --user tftpd --umask 027 --permissive --address 0.0.0.0:69 /tftpboot"' >> /etc/rc.conf [enter]
[root@server /usr/home/user]#

Optional: Add –blocksize 1468 to the tftpd_flags may improve the performance on some systems.

Display full list of tftpd options with:

[root@server /usr/home/user]# man in.tftpd [enter]

Start

Manually start tftpd with:

[root@server /usr/home/user]# service tftpd start [enter]
Starting tftpd.
[root@server /usr/home/user]#

Verify and Test

Check whether the tftpd service daemon is running:

[root@server /usr/home/user]# ps -x | grep tftp | grep -v grep [enter]
 2970  -  Is       0:00,00 /usr/local/libexec/in.tftpd --ipv4 --secure --create --user tftpd --umask 027 --permissive --address 0.0.0.0:69 /tftpboot -P /var/run/tftpd.pid -l
[root@server /usr/home/user]#

You should now have an operational TFTP server. Since your FreeBSD system also has a TFTP client, you can test that the server is running.

First, tftp to the address of your TFTP server as a regular user. Here, we will use the tftp client from the same computer, that is the TFTP server.

Connect to the TFTP service on the local host with:

[root@server /usr/home/user]# tftp localhost [enter]

If the server responds, your prompt will change to:

tftp>

If you type ?, you’ll get a list of command that the tftp client supports:

tftp> ? [enter]
Commands may be abbreviated.  Commands are:

connect 	connect to remote tftp
mode    	set file transfer mode
put     	send file
get     	receive file
quit    	exit tftp
verbose 	toggle verbose mode
status  	show current status
binary  	set mode to octet
ascii   	set mode to netascii
rexmt   	set per-packet retransmission timeout[-]
timeout 	set total retransmission timeout
trace   	enable 'debug packet'[-]
debug   	enable verbose output
blocksize	set blocksize[*]
blocksize2	set blocksize as a power of 2[**]
rollover	rollover after 64K packets[**]
options 	enable or disable RFC2347 style options
help    	print help information
packetdrop	artificial packetloss feature
?       	print help information

[-] : You shouldn't use these ones anymore.
[*] : RFC2347 options support required.
[**] : Non-standard RFC2347 option.
tftp>

Exit the tftp client with:

tftp> q [enter]
[root@server /usr/home/user]#
arp-scan ARP scanning and fingerprinting tool

arp-scan ARP scanning and fingerprinting tool

Description

arp-scan is a command-line tool that uses the ARP protocol to discover and fingerprint IP hosts on the local network. It is available for Linux and BSD under the GPL licence.

WWW: http://www.isc.org/products/DHCP/.

Preparation for Installation

Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.

In this example Terminal on a Mac is used.

Open a remote SSH session to the server with:

Mac:~ user$ ssh user@192.168.1.4 [enter]
N.B.: Replace user@192.168.1.4 with User ID and IP Address on Your server!
[user@server ~]$

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#

N.B.: Enter user password, not the root password!

Installation

Search for isc-dhcp in the remote package repositories with:

[root@server /usr/home/user]# pkg search arp-scan [enter]
arp-scan-1.9                   ARP scanning and fingerprinting tool
[root@server /usr/home/user]#

In this example arp-scan will be installed.

Install arp-scan with;

[root@server /usr/home/user]# pkg install arp-scan [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	arp-scan: 1.9

Number of packages to be installed: 1

252 KiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
Fetching arp-scan-1.9.txz: 100%  252 KiB 258.2kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing arp-scan-1.9...
[1/1] Extracting arp-scan-1.9: 100%
[root@server /usr/home/user]#

Configuration

No configuration needed!n

How to Use

Display up Network Interface Cards with:

[root@server /usr/home/user]# ifconfig -u [enter]
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
	ether 84:2b:2b:bf:b4:bf
	inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo 
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
	groups: pflog
[root@server /usr/home/user]#

In this example Network Interface Card em0 was found.

Scan local network and list all devices found:

[root@server /usr/home/user]# arp-scan --interface=em0 --localnet [enter]
Interface: em0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1	50:c7:bf:01:cc:0f	(Unknown)
192.168.1.7	00:1b:21:a4:4e:cc	Intel Corporate
192.168.1.9	a4:5d:36:5d:30:e9	Hewlett Packard
192.168.1.10	00:08:9b:f8:db:03	ICP Electronics Inc.
192.168.1.11	00:11:32:0f:42:ec	Synology Incorporated
192.168.1.20	00:23:df:fd:6f:18	Apple, Inc
192.168.1.22	1c:1b:0d:66:e3:f0	(Unknown)
192.168.1.113	9c:20:7b:9a:d1:53	Apple Inc
192.168.1.210	00:04:a3:91:58:d1	Microchip Technology, Inc.
192.168.1.211	00:1d:ec:0a:e2:8b	Marusys
192.168.1.114	68:5b:36:00:8a:bd	POWERTECH INDUSTRIAL CO., LTD.
192.168.1.115	68:5b:36:00:81:0a	POWERTECH INDUSTRIAL CO., LTD.
192.168.1.132	60:c5:47:54:81:07	Apple, Inc.
192.168.1.201	d4:9a:20:5a:e8:0e	Apple, Inc
192.168.1.209	c8:69:cd:6e:26:30	(Unknown)
192.168.1.206	d0:ae:ec:4e:2e:67	Alpha Networks Inc.
192.168.1.205	68:5b:36:00:88:5b	POWERTECH INDUSTRIAL CO., LTD.

556 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.201 seconds (116.31 hosts/sec). 17 responded
[root@server /usr/home/user]#
isc-dhcp – ISC Dynamic Host Configuration Protocol server

isc-dhcp – ISC Dynamic Host Configuration Protocol server

Description

ISC’s Dynamic Host Configuration Protocol Distribution provides a freely redistributable reference implementation of all aspects of DHCP, through a suite of DHCP tools

  • A DHCP server (this port)
  • A DHCP client
  • A DHCP relay agent

WWW: http://www.isc.org/products/DHCP/.

Preparation for Installation

Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.

In this example Terminal on a Mac is used.

Open a remote SSH session to the server with:

Mac:~ user$ ssh user@192.168.1.4 [enter]
N.B.: Replace user@192.168.1.4 with User ID and IP Address on Your server!
[user@server ~]$

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#

N.B.: Enter user password, not the root password!

Installation

Search for isc-dhcp in the remote package repositories with:

[root@server /usr/home/user]# pkg search isc-dhcp [enter]
isc-dhcp43-client-4.3.5        The ISC Dynamic Host Configuration Protocol client
isc-dhcp43-relay-4.3.5         The ISC Dynamic Host Configuration Protocol relay
isc-dhcp43-server-4.3.5        ISC Dynamic Host Configuration Protocol server
[root@server /usr/home/user]#

In this example, sc-dhcp43-server will be installed.

Install isc-dhcp43-server with;

[root@server /usr/home/user]# pkg install isc-dhcp43-server [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	isc-dhcp43-server: 4.3.5

Number of packages to be installed: 1

The process will require 4 MiB more space.
989 KiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
Fetching isc-dhcp43-server-4.3.5.txz: 100%  989 KiB   1.0MB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing isc-dhcp43-server-4.3.5...
===> Creating groups.
Creating group 'dhcpd' with gid '136'.
===> Creating users
Creating user 'dhcpd' with uid '136'.
[1/1] Extracting isc-dhcp43-server-4.3.5: 100%
Message from isc-dhcp43-server-4.3.5:
****  To setup dhcpd, please edit /usr/local/etc/dhcpd.conf.

****  This port installs the dhcp daemon, but doesn't invoke dhcpd by default.
      If you want to invoke dhcpd at startup, add these lines to /etc/rc.conf:

	    dhcpd_enable="YES"				# dhcpd enabled?
	    dhcpd_flags="-q"				# command option(s)
	    dhcpd_conf="/usr/local/etc/dhcpd.conf"	# configuration file
	    dhcpd_ifaces=""				# ethernet interface(s)
	    dhcpd_withumask="022"			# file creation mask

****  If compiled with paranoia support (the default), the following rc.conf
      options are also supported:

	    dhcpd_chuser_enable="YES"		# runs w/o privileges?
	    dhcpd_withuser="dhcpd"		# user name to run as
	    dhcpd_withgroup="dhcpd"		# group name to run as
	    dhcpd_chroot_enable="YES"		# runs chrooted?
	    dhcpd_devfs_enable="YES"		# use devfs if available?
	    dhcpd_rootdir="/var/db/dhcpd"	# directory to run in
	    dhcpd_includedir="<some_dir>"	# directory with config-
						  files to include

****  WARNING: never edit the chrooted or jailed dhcpd.conf file but
      /usr/local/etc/dhcpd.conf instead which is always copied where
      needed upon startup.
[root@server /usr/home/user]#

Configuration

List installed services dhcp with:

[root@server /usr/home/user]# service -r | grep dhcp [enter]
/usr/local/etc/rc.d/isc-dhcpd
/usr/local/etc/rc.d/isc-dhcpd6
[root@server /usr/home/user]#

Find the rcvar for /etc/rc.conf:

[root@server /usr/home/user]# /usr/local/etc/rc.d/isc-dhcpd rcvar [enter]
# dhcpd
#
dhcpd_enable="NO"
#   (default: "")

[root@server /usr/home/user]#

To start isc-dhcp43-server on system boot, add information to /etc/rc.conf with this commands:

[root@server /usr/home/user]# echo '' >> /etc/rc.conf; echo '# ISC dhcpd' >> /etc/rc.conf; echo 'dhcpd_enable="YES"' >> /etc/rc.conf; echo 'dhcpd_ifaces="em0"' >> /etc/rc.conf [enter]
[root@server /usr/home/user]#

Replace the ’em0′ interface name with the interface (or interfaces, separated by whitespace) that your DHCP server should listen on for DHCP client requests.

Edit /usr/local/etc/dhcpd.conf with:

[root@server /usr/home/user]# ee /usr/local/etc/dhcpd.conf [enter]

N.B.: This is an example with support for client PXE Boot!

#
# dhcpd.conf
#

authoritative;

default-lease-time 3600;
max-lease-time 86400;

ddns-updates on;
ddns-domainname "example.net.";
ddns-rev-domainname "in-addr.arpa.";
ddns-update-style interim;

log-facility local7;

server-name "server.example.net";
server-identifier server.example.net;

allow client-updates;
allow unknown-clients;
do-forward-updates true;

include "/usr/local/etc/namedb/rndc.key";

# example.net
subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.200 192.168.1.249;
        option domain-name-servers 192.168.1.4;
        option subnet-mask 255.255.255.0;
        option routers 192.168.1.1;
        option broadcast-address 192.168.1.255;
        option ntp-servers 192.168.1.4;
        option domain-name "example.net.";
        default-lease-time 3600;
        max-lease-time 86400;
        next-server 192.168.1.4;
        option root-path "192.168.1.4:/tftpboot";
        filename "/gpxelinux.0";
        }

# Hosts Forward
zone example.net. {
        primary 127.0.0.1;
        key rndc-key;
        }

# Hosts Reverse
zone 1.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key rndc-key;
        }

Make sure that file /usr/local/etc/dhcpd.conf is not world readable with:

[root@server /usr/home/user]# chmod 640 /usr/local/etc/dhcpd.conf [enter]
[root@server /usr/home/user]#

 

Start

Manually start isc-dhcp43-server with;

[root@server /usr/home/user]# service isc-dhcpd start [enter]
Starting dhcpd.
Internet Systems Consortium DHCP Server 4.3.5
Copyright 2004-2016 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Config file: /usr/local/etc/dhcpd.conf
Database file: /var/db/dhcpd/dhcpd.leases
PID file: /var/run/dhcpd/dhcpd.pid
Wrote 0 leases to leases file.
Listening on BPF/igb0/00:1b:21:a4:4e:cc/192.168.1.0/24
Sending on   BPF/igb0/00:1b:21:a4:4e:cc/192.168.1.0/24
Sending on   Socket/fallback/fallback-net
[root@srv /usr/home/stureah]#
[root@server /usr/home/user]#

Display isc-dhcp43-server status with:

[root@server /usr/home/user]# service isc-dhcpd status [enter]
dhcpd is running as pid 31662.
[root@server /usr/home/user]#

View content of dhcpd-leases

[root@server /usr/home/user]# cat /var/db/dhcpd/dhcpd.leases [enter]
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.3.5

# authoring-byte-order entry is generated, DO NOT DELETE
authoring-byte-order little-endian;

lease 192.168.1.200 {
  starts 3 2017/03/01 14:32:06;
  ends 3 2017/03/01 15:32:06;
  tstp 3 2017/03/01 15:32:06;
  cltt 3 2017/03/01 14:32:06;
  binding state free;
  hardware ethernet e4:a7:a0:73:c4:ea;
  uid "\001\344\247\240s\304\352";
  set vendor-class-identifier = "MSFT 5.0";
.
.
[root@server /usr/home/user]#
BIND Domain Name Server

BIND Domain Name Server

Description

BIND is open source software that enables you to publish your Domain Name System (DNS) information on the Internet and to resolve DNS queries for your users. The name BIND stands for “Berkeley Internet Name Domain” because the software originated in the early 1980s at the University of California at Berkeley.

BIND is by far the most widely used DNS software on the Internet, providing a robust and stable platform on top of which organizations can build distributed computing systems with the knowledge that those systems are fully compliant with published DNS standards.

WWW: https://www.isc.org/software/bind.

Installed and configured package(s) requirement:

  1. OpenSSL – Open Secure Sockets Layer

Preparation for Installation

Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.

In this example Terminal on a Mac is used.

Open a remote SSH session to the server with:

Mac:~ user$ ssh user@192.168.1.4 [enter]
N.B.: Replace user@192.168.1.4 with User ID and IP Address on Your server!
[user@server ~]$

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#

N.B.: Enter user password, not the root password!

Installation

Search for bind in the remote package repositories with:

[root@server /usr/home/user]# pkg search bind <enter>
bind-tools-9.10.4P6            Command line tools from BIND: delv, dig, host, nslookup...
bind9-devel-9.12.0.a.2017.02.09 BIND DNS suite with updated DNSSEC and DNS64
bind910-9.10.4P6               BIND DNS suite with updated DNSSEC and DNS64
bind911-9.10.4P6               BIND DNS suite with updated DNSSEC and DNS64
bind99-9.9.9P6                 BIND DNS suite with updated DNSSEC and DNS64
bindgraph-0.3_1                RRDtool frontend for BIND statistics
bindtest-1.56_1                Test bind() semantics of IPv6 sockets
.
.
[root@server /usr/home/user]#

In this example, bind910 will be installed due to that bind911 has TCP_FASTOPEN error issues when running under FreeBSD 11.0-RELEASE-amd64.

Install bind910 with;

[root@server /usr/home/user]# pkg install bind910 [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 4 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	bind911: 9.10.4P6
	lmdb: 0.9.18_1
	idnkit: 1.0_6
	json-c: 0.12.1

Number of packages to be installed: 4

The process will require 61 MiB more space.
8 MiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
Fetching bind911-9.10.4P6.txz: 100%    8 MiB   2.7MB/s    00:03    
Fetching lmdb-0.9.18_1.txz: 100%   87 KiB  89.5kB/s    00:01    
Fetching idnkit-1.0_6.txz: 100%  194 KiB 198.4kB/s    00:01    
Fetching json-c-0.12.1.txz: 100%   38 KiB  39.2kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/4] Installing lmdb-0.9.18_1...
[1/4] Extracting lmdb-0.9.18_1: 100%
[2/4] Installing idnkit-1.0_6...
[2/4] Extracting idnkit-1.0_6: 100%
[3/4] Installing json-c-0.12.1...
[3/4] Extracting json-c-0.12.1: 100%
[4/4] Installing bind911-9.10.4P6...
[4/4] Extracting bind911-9.10.4P6: 100%
Message from idnkit-1.0_6:
===>   NOTICE:

The idnkit port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:

https://bugs.freebsd.org/bugzilla

More information about port maintainership is available at:

https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
Message from bind911-9.10.4P6:
**********************************************************************
*            _  _____ _____ _____ _   _ _____ ___ ___  _   _         *
*           / \|_   _|_   _| ____| \ | |_   _|_ _/ _ \| \ | |        *
*          / _ \ | |   | | |  _| |  \| | | |  | | | | |  \| |        *
*         / ___ \| |   | | | |___| |\  | | |  | | |_| | |\  |        *
*        /_/   \_\_|   |_| |_____|_| \_| |_| |___\___/|_| \_|        *
*                                                                    *
*   BIND requires configuration of rndc, including a "secret" key.   *
*    The easiest, and most secure way to configure rndc is to run    *
*   'rndc-confgen -a' to generate the proper conf file, with a new   *
*            random key, and appropriate file permissions.           *
*                                                                    *
*     The /usr/local/etc/rc.d/named script will do that for you.     *
*                                                                    *
**********************************************************************
[root@server /usr/home/user]#

Configuration

List installed services named with:

[root@server /usr/home/user]# service -r | grep named
/usr/local/etc/rc.d/named
[root@server /usr/home/user]#

Find the rcvar for /etc/rc.conf:

[root@server /usr/home/user]# /usr/local/etc/rc.d/named rcvar
# named
#
named_enable="NO"
#   (default: "")

[root@server /usr/home/user]#

To start BIND at system boot, add information to /etc/rc.conf with this commands:

[root@server /usr/home/user]# echo '' >> /etc/rc.conf; echo '# BIND' >> /etc/rc.conf; echo 'named_enable="YES"' >> /etc/rc.conf; echo 'named_auto_forward="YES"' >> /etc/rc.conf [enter]
[root@server /usr/home/user]#

N.B.: named_auto_forward=”YES” tells BIND to pick forward Name Server(s) from file /etc/resolve.conf!

Automatically rotate the /var/named/var/log/named.log log file with:

[root@server /usr/home/user]# echo '/var/log/named.log                      600  9   100000 *     Z' >> /etc/syslog.conf [enter]
[root@server /usr/home/user]#

Update Resolve Config

Update file /etc/resolv.conf and set the local host as the primary DNS:

[root@server /usr/home/user]# ee /etc/resolv.conf [enter]
search		example.net
nameserver	127.0.0.1
nameserver	208.67.222.222
nameserver	208.67.220.220

N.B.: In this example OpenDNS Name Servers 208.67.222.222 and 208.67.220.220 is will be used by the local BIND Name Server for forward requests.

Generate Cryptograpic Key

Generate a rndc.key file with the following command:

[root@server /usr/home/user]# rndc-confgen -a [enter]
wrote key file "/usr/local/etc/namedb/rndc.key"
[root@server /usr/home/user]#

Change file modes on file /usr/local/etc/namedb/rndc.key with:

[root@server /usr/home/user]# chmod 440 /usr/local/etc/namedb/rndc.key [enter]
[root@server /usr/home/user]#

Display content of file /usr/local/etc/namedb/rndc.key with:

[root@server /usr/home/user]# cat /usr/local/etc/namedb/rndc.key [enter]
key "rndc-key" {
        algorithm hmac-md5;
        secret "XcwJ.............JSCMw==";
        };

N.B.: The content of file cat /usr/local/etc/namedb/rndc.key must be copied to the BIND configuration file /usr/local/etc/namedb/named.conf!

Configuration file

Edit the BIND configuration file for /usr/local/etc/namedb/named.conf with:

[root@server /usr/home/user]# ee /usr/local/etc/namedb/named.conf [enter]

N.B.: This is an example file. Please use it only as a template!

//
// named.conf
//

acl nets { 192.168.1/24; 127.0.0.1; };

options {
	// Relative to the chroot directory, if any, and should be fully qualified.
	directory       "/usr/local/etc/namedb/working";
	pid-file        "/var/run/named/pid";
	dump-file       "/var/dump/named_dump.db";
	statistics-file "/var/stats/named.stats";
	listen-on { 192.168.1.4; 127.0.0.1; };
	forwarders { 208.67.222.222; 208.67.220.220; };
	allow-query { nets; };
	allow-recursion { nets; };
	};

logging {
	channel log_file { file "/var/log/named/named.log" versions 3 size 5M;
	severity  debug 3 ; };
	category queries { log_file; };
	category xfer-in { log_file; };
	category xfer-out { log_file; };
	category default { log_file; };
	};

include "/usr/local/etc/namedb/rndc.key";

controls {
        inet 127.0.0.1 port 953 allow { nets; } keys { "rndc-key"; };
        inet 192.168.1.1 port 953 allow { nets; } keys { "rndc-key"; };
        };

//zone "." { type hint; file "named.root"; };
zone "localhost" { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };

zone "example.net" {
        notify yes;
        type master;
        file "/usr/local/etc/namedb/dynamic/hosts-forward.db";
        allow-update { key rndc-key; };
        };

zone "1.168.192.in-addr.arpa" {
        notify yes;
        type master;
        file "/usr/local/etc/namedb/dynamic/hosts-reverse.db";
        allow-update { key rndc-key; };
        };

“Seed” zone files

Prepare a “seed” zone file for the domain the server should update dynamically.

In this example, the dynamic subdomain is going to be example.net. Remember to replace example.net with your domain name, it must match what you have used in file /var/named/etc/namedb/named.conf.

The “seed” zone file is very minimal and should contain information that WON’T ever change. In this case, that will be the SOA record, the NS records, and the MX record.

Create the forward “seed” zone file with:

[root@server /usr/home/user]# ee /usr/local/etc/namedb/dynamic/hosts-forward.db [enter]

N.B.: This is an example file!

$ORIGIN .
$TTL 3600       ; 1 hour
example.net  IN SOA  server.example.net. admin.example.net. (
                                0          ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      server.example.net.
                        MX      10 server.example.net.
$ORIGIN example.net.
server                  A       192.168.1.1
ftp                     CNAME   server
mx                      CNAME   server
ns                      CNAME   server
www                     CNAME   server

Create the reverse “seed” zone file with:

[root@server /usr/home/user]# ee /usr/local/etc/namedb/dynamic/hosts-reverse.db [enter]

N.B.: This is an example file:

$ORIGIN .
$TTL 3600       ; 1 hour
1.168.192.in-addr.arpa  IN SOA  server.example.net. admin.example.net. (
                                0          ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      server.example.net.
                        MX      10 server.example.net.
$ORIGIN 1.168.192.in-addr.arpa.
1                       PTR     server.example.net.

Feel free to modify based on what you want to do, you can add more aliases, A or MX records, and make sure to change your domain name above from example.net to your domain name. Make sure to add a “.” after words, also change your hostname from server to the hostname you are using.

admin.example.net is the e-mail address of the person responsible for the zone. Here we use a “.” instead of an “@” sign in the e-mail address.

name service needs to update the configuration for the dynamic IPs itself. Set write permission for the user bind with:

[root@server /usr/home/user]# chown bind:bind /usr/local/etc/namedb/dynamic/hosts-* [enter]
[root@server /usr/home/user]#

Create a new directory called /var/log/named with:

[root@server /usr/home/user]# mkdir /var/log/named [enter]
[root@server /usr/home/user]#

Change file owner and group with:

[root@server /usr/home/user]# chown bind:bind /var/log/named [enter]
[root@server /usr/home/user]#

Change file modes with:

[root@server /usr/home/user]# chmod 777 /var/log/named [enter]
[root@server /usr/home/user]#

Create a empty log files called /var/log/named/named.log with:

[root@server /usr/home/user]# touch /var/log/named/named.log [enter]
[root@server /usr/home/user]#

/var/log/named/named.log files must have write permission for user bind:

[root@server /usr/home/user]# chown bind:bind /var/log/named/named.log [enter]
[root@server /usr/home/user]#

Syntax Checks

named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a zone. This makes named-checkzone useful for checking zone files before configuring them into a name server.

[root@server /usr/home/user]# named-checkconf -zj [enter]
zone localhost/IN: loaded serial 42
zone 127.in-addr.arpa/IN: loaded serial 42
zone 255.in-addr.arpa/IN: loaded serial 42
zone example.net/IN: loaded serial 0
zone 1.168.192.in-addr.arpa/IN: loaded serial 0
[root@server /usr/home/user]#

Optional: rndc.conf

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to named.conf. Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated.

Add /usr/local/etc/namedb/rndc.key to file /usr/local/etc/namedb/rndc.conf with:

[root@server /usr/home/user]# cat /usr/local/etc/namedb/rndc.key >> /usr/local/etc/namedb/rndc.conf
[root@server /usr/home/user]#

Edit the configuration file for rndc with:

[root@server /usr/home/user]# ee /usr/local/etc/namedb/rndc.conf [enter]

N.B.: This is an example file!

/*
 * rndc configuration file.
 */

options {
        default-server  localhost;
        default-key     "rndc-key";
};

server localhost {
        key             "rndc-key";
};

key "rndc-key" {
        algorithm hmac-md5;
        secret "XcwJ.............JSCMw==";
};

Start

Manually start BIND with;

[root@server /usr/home/user]# service named start [enter]
Starting named.
[root@server /usr/home/user]#

Test BIND status with:

[root@server /usr/home/user]# service named status [enter]
named is running as pid 64826.
[root@server /usr/home/user]#

Check the error logs with:

[root@server /usr/home/user]# grep named /var/log/messages [enter]
Mar  1 12:33:35 srv named[92074]: starting BIND 9.10.4-P6 <id:a6837d0> -u bind -c /usr/local/etc/namedb/named.conf
Mar  1 12:33:35 srv named[92074]: running on FreeBSD amd64 11.0-RELEASE-p2 FreeBSD 11.0-RELEASE-p2 #0: Mon Oct 24 06:55:27 UTC 2016     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
Mar  1 12:33:35 srv named[92074]: built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--sysconfdir=/usr/local/etc/namedb' '--disable-fetchlimit' '--disable-filter-aaaa' '--disable-fixed-rrset' '--without-geoip' '--with-idn=/usr/local' '--enable-ipv6' '--with-libjson' '--disable-largefile' '--without-python' '--disable-querytrace' '--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--without-gssapi' '--with-openssl=/usr' '--disable-native-pkcs11' '--with-dlz-filesystem=yes' '--without-gost' '--enable-threads' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.0' 'build_alias=amd64-portbld-freebsd11.0' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include -fno-strict-aliasing' 'LDFLAGS= -fstack-protector' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_P
Mar  1 12:33:35 srv named[92074]: ----------------------------------------------------
Mar  1 12:33:35 srv named[92074]: BIND 9 is maintained by Internet Systems Consortium,
Mar  1 12:33:35 srv named[92074]: Inc. (ISC), a non-profit 501(c)(3) public-benefit 
Mar  1 12:33:35 srv named[92074]: corporation.  Support and training for BIND 9 are 
Mar  1 12:33:35 srv named[92074]: available at https://www.isc.org/support
Mar  1 12:33:35 srv named[92074]: ----------------------------------------------------
Mar  1 12:33:35 srv named[92074]: command channel listening on 127.0.0.1#953
Mar  1 12:33:35 srv named[92074]: command channel listening on 192.168.1.4#953
[root@server /usr/home/user]#
[root@server /usr/home/user]# tail /var/log/named/named.log [enter]
.
zone_settimer: zone 100.51.198.IN-ADDR.ARPA/IN: enter
zone_timer: zone id.server/CH: enter
zone_maintenance: zone id.server/CH: enter
zone_settimer: zone id.server/CH: enter
[root@server /usr/home/user]#

Reload Config

Reload configuration file and zones after manual updates with:

[root@server /usr/home/user]# rndc reload [enter]
server reload successful
[root@server /usr/home/user]#

…or with:

[root@server /usr/home/user]# service named reload [enter]
server reload successful
[root@server /usr/home/user]#

How to use

Checked if the nameserver is working on the server:

[root@server /usr/home/user]# dig @localhost ns.example.net [enter]

; <<>> DiG 9.9.4 <<>> @localhost ns.example.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15863
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.example.net.	IN	A

;; AUTHORITY SECTION:
example.net.	3600	IN	SOA	server.example.net. admin.server.example.net. 247 10800 3600 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Mon Aug  8 23:52:15 2011
;; MSG SIZE  rcvd: 91

[root@server /usr/home/user]#

You can try to dig for google.com to make sure all is good with your DNS server:

[root@server /usr/home/user]# dig @localhost google.com [enter]
	
; <<>> DiG 9.9.4 <<>> @localhost google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4584
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		300	IN	A	173.194.32.36
google.com.		300	IN	A	173.194.32.33
google.com.		300	IN	A	173.194.32.32
google.com.		300	IN	A	173.194.32.41
google.com.		300	IN	A	173.194.32.39
google.com.		300	IN	A	173.194.32.38
google.com.		300	IN	A	173.194.32.35
google.com.		300	IN	A	173.194.32.46
google.com.		300	IN	A	173.194.32.40
google.com.		300	IN	A	173.194.32.37
google.com.		300	IN	A	173.194.32.34

;; AUTHORITY SECTION:
.			510352	IN	NS	f.root-servers.net.
.			510352	IN	NS	e.root-servers.net.
.			510352	IN	NS	k.root-servers.net.
.			510352	IN	NS	b.root-servers.net.
.			510352	IN	NS	j.root-servers.net.
.			510352	IN	NS	l.root-servers.net.
.			510352	IN	NS	m.root-servers.net.
.			510352	IN	NS	a.root-servers.net.
.			510352	IN	NS	h.root-servers.net.
.			510352	IN	NS	i.root-servers.net.
.			510352	IN	NS	g.root-servers.net.
.			510352	IN	NS	d.root-servers.net.
.			510352	IN	NS	c.root-servers.net.

;; Query time: 48 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 15 23:10:43 CET 2013
;; MSG SIZE  rcvd: 426

[root@server /usr/home/user]#

Manual dynamic DNS update

A dynamic DNS update can be performed with the nsupdate tool. The nsupdate tool requires that you have a valid key-file, /usr/local/etc/namedb/rndc.key that matches the key in file /usr/local/etc/namedb/named.conf.

In this example a new A record will be added for myhost.example.net with IP address 192.168.1.248:

[root@server /usr/home/user]# nsupdate -k /usr/local/etc/namedb/rndc.key [enter]
> update add myhost.example.net 3600 A 192.168.1.248 [enter]
> send [enter]
> [ctrl][D][root@server /usr/home/user]#

Verify the add of host myhost.example.net with:

[root@server /usr/home/user]# host myhost.example.net [enter]
myhost.example.net has address 192.168.1.248
[root@server /usr/home/user]#

Remove the A record entry for myhost.example.net so it doesn’t cause problems later with:

[root@server /usr/home/user]# nsupdate -k /usr/local/etc/namedb/rndc.key [enter]
> update delete myhost.example.net [enter]
> send [enter]
> [ctrl][D][root@server /usr/home/user]#

Verify the delete of host myhost.example.net with:

[root@server /usr/home/user]# host myhost.example.net [enter]
Host myhost.example.net not found: 3(NXDOMAIN)
[root@server /usr/home/user]#
UTF-8 Character Encoding

UTF-8 Character Encoding

Description

The LANG=xx_YY.ZZZZ environment variable sets the system locale to language code xx, country code YY, and character encoding ZZZZ. Language and country code affect default application language, number formatting, date and time formatting, string collation, currency settings, and more.

By enabling a locale using UTF-8 character encoding, the system can understand and display each of the 1112064 characters in the Unicode character set, instead of just US ASCII as is default with LANG=C.

Preparation for Installation

Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.

In this example Terminal on a Mac is used.

Open a remote SSH session to the server with:

Mac:~ user$ ssh user@192.168.1.4 [enter]
N.B.: Replace user@192.168.1.4 with User ID and IP Address on Your server!
[user@server ~]$

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#

N.B.: Enter user password, not the root password!

Available UTF-8 Locale

Display a list of every available UTF-8 locale on your computer with:

[root@server /usr/home/user]# locale -a | grep '\.UTF-8$' [enter]
af_ZA.UTF-8
am_ET.UTF-8
.
.
.
sv_SE.UTF-8
tr_TR.UTF-8
uk_UA.UTF-8
zh_CN.UTF-8
zh_HK.UTF-8
zh_TW.UTF-8
[root@server /usr/home/user]#

Customize UTF-8 Locale

In this example, as a Swede, I will use English as the default language with Swedish monetary, numeric and time settings.

Create a copy of the en_US.UTF-8 directory with:

[root@server /usr/home/user]# cp -R /usr/share/locale/en_US.UTF-8 /usr/share/locale/en_SE.UTF-8 [enter]
[root@server /usr/home/user]#

…then modify this directory with:

[root@server /usr/home/user]# cp /usr/share/locale/sv_SE.UTF-8/LC_MONETARY /usr/share/locale/en_SE.UTF-8/ [enter]
[root@server /usr/home/user]# cp /usr/share/locale/sv_SE.UTF-8/LC_NUMERIC /usr/share/locale/en_SE.UTF-8/ [enter]
[root@server /usr/home/user]#

Change to 24h clock in uptime, w etc with:

[root@server /usr/home/user]# ee /usr/share/locale/en_SE.UTF-8/LC_TIME [enter]

Edit the LC_TIME file, line 40 – 44, and line 58 as in this example. Do NOT delete the emty lines 42, 43 and 58!

Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
January
February
March
April
May
June
July
August
September
October
November
December
Sun
Mon
Tue
Wed
Thu
Fri
Sat
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
%H:%M:%S
%Y-%m-%d
%a %e %b %X %Y

%a %e %b %Y %X %Z
January
February
March
April
May
June
July
August
September
October
November
December
md

Edit the login class capability database in /etc/login.conf with:

[root@server /usr/home/user]# ee /etc/login.conf [enter]

It is recommended that LC_COLLATE be set to C because some programs still require ASCII ordering in order to function correctly.

…and add a default character set and locale as in this example:

default:\
:passwd_format=sha512:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,LC_COLLATE=C:\
:path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
:nologin=/var/run/nologin:\
:cputime=unlimited:\
:datasize=unlimited:\
:stacksize=unlimited:\
:memorylocked=64K:\
:memoryuse=unlimited:\
:filesize=unlimited:\
:coredumpsize=unlimited:\
:openfiles=unlimited:\
:maxproc=unlimited:\
:sbsize=unlimited:\
:vmemoryuse=unlimited:\
:swapuse=unlimited:\
:pseudoterminals=unlimited:\
:kqueues=unlimited:\
:umtxp=unlimited:\
:priority=0:\
:ignoretime@:\
:charset=UTF-8:\
:lang=en_SE.UTF-8:\
:umask=022:
.
.

Login shells will inherit the environment variables defined here in the default class or in a narrower class if it matches one.

After making this changesrRebuild the login database with:

[root@server /usr/home/user]# cap_mkdb /etc/login.conf [enter]
[user@server /usr/home/user]#

You may have to specify the new locale elsewhere (like /etc/profile) for non login shell uses such as GDM and other login managers.

[root@server /usr/home/user]# echo 'export LANG=en_SE.UTF-8' >> /etc/profile; echo 'export CHARSET=UTF-8' >> /etc/profile [enter]
[root@server /usr/home/user]#

…and add a default character set and locale as in this example:

You can read more in the Using Localization chapter of the Handbook.

On next login check your work by running:

[root@server /usr/home/user]# locale [enter]
LANG=en_SE.UTF-8
LC_CTYPE="en_SE.UTF-8"
LC_COLLATE="en_SE.UTF-8"
LC_TIME="en_SE.UTF-8"
LC_NUMERIC="en_SE.UTF-8"
LC_MONETARY="en_SE.UTF-8"
LC_MESSAGES="en_SE.UTF-8"
LC_ALL=
[root@server /usr/home/user]#
Post-installation Setup and Configuration

Post-installation Setup and Configuration

This page was last modified [last-modified]

First login

As the FreeBSD server boots, informational messages are displayed on the screen and after the system finishes booting, a login prompt is displayed as in this example:

FreeBSD/amd64 (srv.local) (ttyv0)

login:

Login as user root with the password you entered during the installation:

login: root [enter]
Password: <-- password [enter]

Display current Network settings

Display the current active Network Interface settings with:

$ ifconfig -u [enter]
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
	ether 00:23:24:ba:1a:1b
	inet 192.168.1.21 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
$

In this example, Network Interface Controller, NIC, em0 has been found and it has been configured to have IP Address 192.168.1.21.

Remote login

To make life easier and permit you to copy commands from this web page go to another computer connected to the same local network as your FreeBSD server.

Start for example PuTTY on a Windows PC, Terminal on a Mac or a similar application on a Linux PC. In this example Terminal on a Mac is used.

Mac:~ user$ ssh user@192.168.1.21 [enter]

N.B.: The use of an SSH client is highly recommended for logging into the remote FreeBSD server!

ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to provide secure encrypted communications between two untrusted hosts over an insecure network.

N.B.: If an ssh login has been performed before to the selected IP Address a warning – in this example on an iMac – will be displayed:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:.....
Please contact your system administrator.
Add correct host key in /Users/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/user/.ssh/known_hosts:1
ECDSA host key for 192.168.1.21 has changed and you have requested strict checking.
Host key verification failed.
user@Users-iMac ~ %

On a Mac, use the following steps to get access to the hidden file known_hosts:

  1. Select and Copy the file name in the warning messag, in this example: /Users/user/.ssh/known_hosts
  2. Click on the Finder icon and verify that Finder is displayed next to the Apple icon
  3. Click on Go and then Go to folder…
  4. Click in the Go to the folder: field, past file name into it and then click button Go

A Finder window with file known_hosts should now be displayed on the screen.

Dubble-click known_hosts to open the file in TextEdit. Delete the offending line, save the file, quit TextEdit, and finally repeat the login command above.

The authenticity of host 'srv.local (192.168.1.21)' can't be established.
ECDSA key fingerprint is SHA256:...
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes [enter]
Warning: Permanently added 'srv.local' (ECDSA) to the list of known hosts.
Password for user@srv.local: <-- passwd [enter]
FreeBSD 12.2-RELEASE r366954 GENERIC 

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
If you have a CD-ROM drive in your machine, you can make the CD-ROM that is
presently inserted available by typing 'mount /cdrom' as root.  The CD-ROM
will be available under /cdrom/.  Remember to do 'umount /cdrom' before
removing the CD-ROM (it will usually not be possible to remove the CD-ROM
without doing this.)

Note: This tip may not work in all configurations.
user@server:~ $

sudo

The best practice is to never log in as the root superuser interactively. If you do – you are doing it wrong!

sudo is a program that allows a permitted user to execute a command as the superuser or another user, as specified by the user’s security policy. Unlike the su utility, sudo authenticates the user against the user’s own password rather than that of the target user. Sudo allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This allows the delegation of specific commands to specific users on specific systems without sharing passwords among the users.

Installation

Installation and configuration of sudo requires superuser privileges. This sudo installation will be the only and last interactive login as the root superuser you will ever need to perform on this system.

Substitute User identity to the root superuser identity with:

user@server:~ $ su -
Password: <-- passwd [enter]
root@server:~ #

Install sudo with:

root@server:~ # pkg install sudo [enter]
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y [enter]
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-1.15.10...
Extracting pkg-1.15.10: 100%
Updating FreeBSD repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
Fetching packagesite.txz: 100%    6 MiB   1.1MB/s    00:06    
Processing entries: 100%
FreeBSD repository update completed. 31737 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	gettext-runtime: 0.21
	indexinfo: 0.3.1
	sudo: 1.9.3p1

Number of packages to be installed: 3

The process will require 5 MiB more space.
1 MiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
[1/3] Fetching sudo-1.9.3p1.txz: 100%  925 KiB 473.4kB/s    00:02    
[2/3] Fetching gettext-runtime-0.21.txz: 100%  165 KiB 168.9kB/s    00:01    
[3/3] Fetching indexinfo-0.3.1.txz: 100%    6 KiB   5.8kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/3] Installing indexinfo-0.3.1...
[1/3] Extracting indexinfo-0.3.1: 100%
[2/3] Installing gettext-runtime-0.21...
[2/3] Extracting gettext-runtime-0.21: 100%
[3/3] Installing sudo-1.9.3p1...
[3/3] Extracting sudo-1.9.3p1: 100%
root@server:~ #

Configuration

A default sudo configuration file /usr/local/etc/sudoers was created as part of the installation process.

N.B.: /usr/local/etc/sudoers MUST be edited with the visudo command as root.

The use of visudo minimizes the risk for syntax or file permission errors that prevents sudo from running.

Start editing file /usr/local/etc/sudoers with:

root@server:~ # visudo [enter]
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
.
.
.

visudo use the famous vi editor commands. The following commands is needed for updating and saving or exit without saving file /usr/local/etc/sudoers:

  1. Use the arrow keys to move the cursor or…
  2. Move the cursor up one line with key ‘K’, down one line with key ‘J’, left one character with key ‘H’ and right one character with key ‘L’
  3. Press key ‘I’ to start inserting charters before the current cursor location
  4. Press key ‘A’ to start inserting charters after the current cursor location
  5. Press key ‘esc’ to abort inserting charters
  6. Press key ‘X’ to delete the character under the cursor
  7. Press key ‘:’, then ‘W’ and ‘Q’ to save and exit
  8. Press key ‘:’, then ‘Q’ and ‘!’ to exit without saving

To delegate privileges to the example user user locate section User privilege specification in the file /usr/local/etc/sudoers.

To allow user user to execute any command via sudo add the following text:

##
## User privilege specification
##
root ALL=(ALL) ALL
user ALL=(ALL) ALL

…or to allow user user as a members of group wheel to execute any command via sudo uncomment – delete the ‘#’ character. The line should look like this:

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

Finally exit the root superuser identity with:

root@server:~ # exit [enter]
logout
$

Date and Time

Enable superuser privileges with:

$ sudo -s [enter]

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password: <-- passwd [enter]
#

Stop the ntpd daemon program if it is running with:

# service ntpd stop [enter]
Stopping ntpd.
Waiting for PIDS: 647.
#

Set the date and time via NTP, using this command:

# ntpdate -v -b pool.ntp.org [enter]
14 Feb 14:11:07 ntpdate[831]: ntpdate 4.2.8p8-a (1)
14 Feb 14:11:15 ntpdate[831]: step time server 79.138.40.123 offset 0.001542 sec
#

N.B.: The ntp server “pool.ntp.org” is recommended by ntp.org. You can also select another one, check out http://www.ntp.org for details.

Defaults

List defaults for ntpd with:

# cat /etc/defaults/rc.conf | grep ntpd_ [enter]
ntpd_enable="NO" # Run ntpd Network Time Protocol (or NO).
ntpd_program="/usr/sbin/ntpd" # path to ntpd, if you want a different one.
ntpd_config="/etc/ntp.conf" # ntpd(8) configuration file
ntpd_sync_on_start="NO" # Sync time on ntpd startup, even if offset is high
ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntpd.drift" # Flags to ntpd (if enabled).
#

Enable NTPd

To ensure the NTP server is started at boot time verify that line ntpd_enable=”YES” to has been added to file /etc/rc.conf with:

# echo '' >> /etc/rc.conf; echo '# Network Time Protocol' >> /etc/rc.conf [enter]
# echo 'ntpd_enable="YES"' >> /etc/rc.conf [enter]
# echo 'ntpd_sync_on_start="YES"' >> /etc/rc.conf [enter]
# echo 'ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntpd.drift -g"' >> /etc/rc.conf [enter]
#

If ntpd daemon program was running and stoped without any warnings or error above, then you should edit file /etc/rc.conf with:

# ee /etc/rc.conf [enter]

…and delete line ntpd_enable=”YES” above line # Network Time Protocol.

Configure NTPd

The /etc/ntp.conf configuration file is read at initial startup by the ntpd(8) daemon in order to specify the synchronization sources, modes and other related information.

Specify the NTP synchronization sources your server will use with:

# ee /etc/ntp.conf [enter]

The following three servers will give you a random set of three NTP servers geographically close to you:

##
# ntpd.conf
#
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

leapfile "/etc/ntp/leap-seconds"

See http://www.pool.ntp.org/ for details.

Example: Sweden — se.pool.ntp.org:

#
# ntpd.conf
#
server 0.se.pool.ntp.org iburst
server 1.se.pool.ntp.org iburst
server 2.se.pool.ntp.org iburst
server 3.se.pool.ntp.org iburst

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

leapfile "/etc/ntp/leap-seconds"

The driftfile is by default /var/db/ntpd.drift.

Manually start NTPd

Start Network Time Protocol (NTP) daemon, using this command:

# service ntpd start [enter]
Starting ntpd.
#

NTP is a very cautious standard. It will report its stratum to 16 (the worst possible) until it’s sure that its in sync. This can take a few minutes to few hours.

Standard NTP query program

The ntpq utility is used to monitor NTP daemon ntpd operations and determine performance.

Print a list of the peers known to the server as well as a summary of their state:

# ntpq -pn localhost [enter]
remote refid st t when poll reach delay offset jitter
==============================================================================
-188.126.88.9 192.36.144.22 2 u 22 64 1 20.184 1.962 3.454
*192.36.143.130 .PPS. 1 u 26 64 3 18.953 8.415 27.720
+194.71.144.71 192.36.144.22 2 u 31 64 3 32.755 8.158 28.261
+83.168.200.199 192.36.143.154 2 u 28 64 3 15.500 7.787 27.919
#

N.B.: Waiting for “st” to drop to 2 (since those should be stratum 2 servers) before the server is used for time sync of local computers.

Documentation

Documentation in HTML format for the NTP server can be found in: /usr/share/doc/ntp/.

Base System Binary Update

The freebsd-update tool is used to fetch, install, and rollback binary updates to the FreeBSD base system.

Fetch

Fetch files necessary for upgrading to a new release with:

# freebsd-update fetch < enter>
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching public key from update6.freebsd.org... done.
Fetching metadata signature for 11.0-RELEASE from update6.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 171 patches.....10....20....30....40....50....60....70....80....90....100....110....120....130....140....150....160....170 done.
Applying patches... done.
Fetching 6 files... done.
--More--(END)

Press key ‘Q’ to skip displaying the list of fetched files.

The following files will be removed as part of updating to 11.0-RELEASE-p7:
/usr/share/zoneinfo/America/Santa_Isabel
/usr/share/zoneinfo/Asia/Rangoon
--More--(END)

Press ‘space’ key to displaying a list of files that will be added.

The following files will be added as part of updating to 11.0-RELEASE-p7:
/usr/share/zoneinfo/Asia/Barnaul
/usr/share/zoneinfo/Asia/Famagusta
/usr/share/zoneinfo/Asia/Tomsk
/usr/share/zoneinfo/Asia/Yangon
/usr/share/zoneinfo/Europe/Astrakhan
/usr/share/zoneinfo/Europe/Kirov
/usr/share/zoneinfo/Europe/Ulyanovsk
--More--(END)

Press key ‘Q’ to skip displaying a list of files that will be updated.

#

Installation

The binary updates is installed with:

# freebsd-update install [enter]
src component not installed, skipped
Installing updates... done.
#

BASH – Bourne Again SHell

Bash is the GNU Project’s Bourne Again SHell, a complete implementation of the POSIX.2 shell spec, but also with interactive command line editing, job control on architectures that support it, csh-like features such as history substitution and brace expansion, and a slew of other features.

WWW: http://cnswww.cns.cwru.edu/~chet/bash/bashtop.html

Installation

Install bash with:

# pkg install bash [enter]
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
Fetching packagesite.txz: 100% 6 MiB 2.0MB/s 00:03
Processing entries: 100%
FreeBSD repository update completed. 25860 packages processed.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
bash: 4.4.12

Number of packages to be installed: 1

The process will require 8 MiB more space.
1 MiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
Fetching bash-4.4.12.txz: 100% 1 MiB 730.5kB/s 00:02
Checking integrity... done (0 conflicting)
[1/1] Installing bash-4.4.12...
[1/1] Extracting bash-4.4.12: 100%
Message from bash-4.4.12:
======================================================================

bash requires fdescfs(5) mounted on /dev/fd

If you have not done it yet, please do the following:

mount -t fdescfs fdesc /dev/fd

To make it permanent, you need the following lines in /etc/fstab:

fdesc /dev/fd fdescfs rw 0 0

======================================================================
#

Configuration

# mount -t fdescfs fdesc /dev/fd [enter]
#

Make this mount permanent with:

Start editing file /etc/fstab with;

# echo 'fdesc /dev/fd fdescfs rw 0 0' >> /etc/fstab
#

Change the current user’s shell setting to bash with:

# chsh -s /usr/local/bin/bash user [enter]
chsh: user information updated
# chsh -s /usr/local/bin/bash root [enter]
chsh: user information updated
#

Verify that bash is the default shell for user account user, with:

# cat /etc/passwd | grep user
.
.
.
user:*:1001:1001:Example User:/home/user:/usr/local/bin/bash
.
.
#

Verify that bash is the default shell for user account root, with:

# cat /etc/passwd | grep root
.
.
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
.
.
#

Optional: Colorized ‘ls’ and ‘ll’ in BASH

Description

Enable ls color and add command ll with some color.

Configuration

Add two alias commands to file /etc/profile for all users with:

# echo "alias ll='ls -lGF'" >> /etc/profile; echo "alias ls='ls -GF'" >> /etc/profile [enter]
#

Revoke Privileges

Revoke superuser privileges with:

# exit [enter]
$

Log off your system with:

$ exit [enter]

Log Console Messages to File

Messages printed to the console during boot will pass by too fast to be read, or are too long to be copied.

Login to your system via a remote ssh session.

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
[root@server /usr/home/user]#

Enable all writes to /dev/console to be logged to file /var/log/console.log with:

[root@server /usr/home/user]# ee /etc/syslog.conf [enter]

…and then uncomment line 21 as in this example:

console.info /var/log/console.log

Create file /var/log/console.log with:

[root@server /usr/home/user]# touch /var/log/console.log [enter]
[root@server /usr/home/user]#

…and then change file modes to mode 600 with:

[root@server /usr/home/user]# chmod 600 /var/log/console.log [enter]
[root@server /usr/home/user]#

Restart syslogd to log all new console messages to file /var/log/console.log with:

[root@server /usr/home/user]# service syslogd restart [enter]
Stopping syslogd.
Waiting for PIDS: 808.
Starting syslogd.
[root@server /usr/home/user]#

A reboot is required to record all console messages on system boot. Reboot the system with:

[root@server /usr/home/user]# reboot [enter]

Wait for system to reboot and the log back in with a remote ssh client session.

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
[root@server /usr/home/user]#

Display file /var/log/console.log with:

[root@server /usr/home/user]# cat /var/log/console.log [enter]

…and look for ERRORs and WARNINGs as in this example:

.
.
Jan 14 15:51:11 server kernel: WARNING:
Jan 14 15:51:11 server kernel: New keymap: In /etc/rc.conf replace 'keymap=swedish.cp850.kbd' by 'keymap=se'.
.
.

If any errors and warnings is found, fix the problem and restart service syslogd as described above.

N.B.: The error displayed above has been fixed in the /etc/rc.conf example below!

Packet Filter (PF) Firewall

This PF setup is configured be very secure. All attempts to access the server via the network is blocked on all network ports with one critical exception; ssh clients on the local network using port 123 can access to allow for management of the headless server.

The example setup is designed to be used on a Headless Server with a single network interface card connected to a local network behind a firewall for internet access.

List LAN Network Card

List status up network interfaces with:

[root@server /usr/home/user]# ifconfig -u [enter]
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
ether xx:xx:xx:xx:xx:xx
inet 192.168.1.114 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
[root@server /usr/home/user]#

In this example Network Interface Card em0 will be used.

Packet Filter (pf) Config File

Create file /etc/pf.conf with:

[root@server /usr/home/user]# ee /etc/pf.conf [enter]

…and copy this text to the file:

################ FreeBSD pf.conf ##########################################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
################ Macros ####################################################

# Macros
lan_if="em0" # Local Network Interface Card

# Ports:
# 123 TCP Network Time Protocol

tcp_pass="{ 123 }"

# Tables

### Options
set block-policy return

### Normalization
scrub on $lan_if all random-id reassemble tcp fragment reassemble

### Queueing

### Translation

### Filtering

# Skip filtering on loopback
set skip on lo0

# Block traffic trying to get into the loopback interface from outside.
block quick from any to lo0:network

# Block all traffic in on LAN NIC by default
block in on $lan_if

# Pass specified traffic in to this server from LAN clients
pass in on $lan_if proto tcp from $lan_if:network to $lan_if port $tcp_pass

# Pass SSH traffic from LAN clients (for Admin)
pass in on $lan_if proto tcp from $lan_if:network to $lan_if port ssh

# Pass icmp (for ping) on LAN NIC
pass in on $lan_if proto icmp

# Pass all traffic out on LAN NIC by default
pass out on $lan_if proto { tcp, udp, icmp } all

N.B.: Update lan_if=”em0″ to match your systems LAN Internet Network Card ID!

Display the default packet filter (pf) and packet filter logging (pflog) settings with:

[root@server /usr/home/user]# cat /etc/defaults/rc.conf | grep -e "pf_\|pflog_" [enter]
pf_enable="NO" # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_program="/sbin/pfctl" # where the pfctl program lives
pf_flags="" # additional flags for pfctl
pflog_enable="NO" # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_program="/sbin/pflogd" # where the pflogd program lives
pflog_flags="" # additional flags for pflogd
[root@server /usr/home/user]#

Service start on Boot

List installed pf services with:

[root@server /usr/home/user]# service -r | grep /pf [enter]
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
[root@server /usr/home/user]#

Find the rcvar for /etc/rc.d/pf with:

[root@server /usr/home/user]# /etc/rc.d/pf rcvar [enter]
# pf : Packet filter
#
pf_enable="NO"
# (default: "")

[root@server /usr/home/user]#

..and for /etc/rc.d/pflog with:

[root@server /usr/home/user]# /etc/rc.d/pflog rcvar [enter]
# pf : Packet filter
#
pflog_enable="NO"
# (default: "")

[root@server /usr/home/user]#

Enable packet filter (pf) and packet filter logging (pflog) at boot with:

[root@server /usr/home/user]# echo '' >> /etc/rc.conf; echo '# Packet Filter (pf)' >> /etc/rc.conf; echo 'pf_enable="YES"' >> /etc/rc.conf; echo 'pflog_enable="YES"' >> /etc/rc.conf [enter]
[root@server /usr/home/user]#

Check /etc/pf.conf for errors, but do not load ruleset with:

[root@server /usr/home/user]# pfctl -vvnf /etc/pf.conf [enter]
int_if = "em0"
tcp_pass = "{ 123 }"
set block-policy return
set skip on { lo0 }
@0 scrub on em0 all random-id reassemble tcp fragment reassemble
@0 block return quick inet6 from any to ::1
@1 block return quick inet from any to 127.0.0.0/8
@2 block return in on em0 all
@3 pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.5 port = ntp flags S/SA keep state
@4 pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.5 port = netbios-ssn flags S/SA keep state
@5 pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.5 port = microsoft-ds flags S/SA keep state
@6 pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.5 port = ssh flags S/SA keep state
@7 pass in on em0 proto icmp all keep state
@8 pass out on em0 proto tcp all flags S/SA keep state
@9 pass out on em0 proto udp all keep state
@10 pass out on em0 proto icmp all keep state
[root@server /usr/home/user]#

Manually start the packet filter (pf) with:

[root@server /usr/home/user]# service pf start [enter]
Enabling pf

N.B.: This may disconnect the current ssh connections!

If you are disconnected, open a new remote ssh terminal session to the server and enable superuser privileges with:

[user@server ~]$ sudo -s
[root@server /usr/home/user]#

If everything is alright, then you will be able to verify the packet filter (pf) status with:

[root@server /usr/home/user]# service pf status [enter]
Status: Enabled for 0 days 00:13:15 Debug: Urgent

State Table Total Rate
current entries 1
searches 222 0.3/s
inserts 1 0.0/s
removals 0 0.0/s
Counters
match 79 0.1/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 14 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
map-failed 0 0.0/s
[root@server /usr/home/user]#

N.B.: Verify that the pf status is Enabled as in the example above.

Reload updates to /etc/pf.conf file with:

[root@server /usr/home/user]# service pf reload [enter]
[root@server /usr/home/user]#

…or load another file – in this example file /etc/pf.new – with:

[root@server /usr/home/user]# pfctl -vf /etc/pf.new [enter]
[root@server /usr/home/user]#

To see in real-time who is trying to connect to your server:

[root@server /usr/home/user]# tcpdump -n -e -ttt -i pflog0 [enter]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes

When network activites is detected it will be listas as in this example:

00:00:00.000000 rule 28..16777216/0(match): block in on em0: 192.168.1.11.138 > 192.168.1.255.138: NBT UDP PACKET(138)
00:00:40.080628 rule 28..16777216/0(match): block in on em0: 192.168.1.11.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:25.057112 rule 28..16777216/0(match): block in on em0: 192.168.1.127.138 > 192.168.1.255.138: NBT UDP PACKET(138)
00:01:00.244084 rule 28..16777216/0(match): block in on em0: 192.168.1.10.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:13.685497 rule 28..16777216/0(match): block in on em0: 192.168.1.124.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.749718 rule 28..16777216/0(match): block in on em0: 192.168.1.124.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.096546 rule 28..16777216/0(match): block in on em0: 192.168.1.124.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.653724 rule 28..16777216/0(match): block in on em0: 192.168.1.124.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.093843 rule 28..16777216/0(match): block in on em0: 192.168.1.124.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.750227 rule 28..16777216/0(match): block in on em0: 192.168.1.124.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

Hit [ ctr ] and [ C ] to abort.

^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@server /usr/home/user]#

In this example a HP LaserJet printer is broadcasting UDB packages, port 137 – ‘NetBIOS Name Service, used for name registration and resolution’ – and port 138 – ‘NetBIOS Datagram Service’.

Show history:

[root@server /usr/home/user]# tcpdump -n -e -ttt -r /var/log/pflog [enter]

And that’s it. You have successfully implemented PF firewall on your FreeBSD server!

Configuration Files

/etc/rc.conf

The file rc.conf contains descriptive information about the local host name, configuration details for any potential network interfaces and which services should be started up at system initial boot time. In new installations, the rc.conf file is generally initialized by the system installation utility.

[root@server /usr/home/user]# cat /etc/rc.conf [enter]

Example: When option < Yes >, use DHCP, was selected in the Network Configuration dialog.

clear_tmp_enable="YES"
sendmail_enable="NONE"
hostname="server.example.net"
keymap="se"
ifconfig_em0="DHCP"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
zfs_enable="YES"
# ahci Advanced Host Controller Interface (AHCI)
# coretemp Device driver for Intel Core on-die digital thermal sensor
# i915kms Intel Graphics
kld_list="ahci coretemp i915kms"

# Network Time Protocol
ntpd_enable="YES"
ntpd_sync_on_start="YES"
ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntpd.drift -g"

# Packet Filter (pf)
pf_enable="YES"
pflog_enable="YES"

Example: When option < No >, use DHCP, was selected in the Network Configuration dialog.

clear_tmp_enable="YES"
sendmail_enable="NONE"
hostname="server.example.net"
keymap="se"
ifconfig_em0="inet 192.168.1.4 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
zfs_enable="YES"

# Network Time Protocol
ntpd_enable="YES"
ntpd_sync_on_start="YES"
ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntpd.drift -g"

# ahci Advanced Host Controller Interface (AHCI)
# coretemp Device driver for Intel Core on-die digital thermal sensor
# i915kms Intel Graphics
kld_list="ahci coretemp i915kms"

# Packet Filter (pf)
pf_enable="YES"
pflog_enable="YES"

Information will be added as required by programs and services installed on the system.

The ifconfig_em0 entry in the example file above

/boot/loader.conf

The file loader.conf contains descriptive information on bootstrapping the system. Through it you can specify the kernel to be booted, parameters to be passed to it, and additional modules to be loaded; and generally set all variables described in loader(8).

[root@server /usr/home/user]# cat /boot/loader.conf

Example: New installation of FreeBSD.

kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
vfs.zfs.min_auto_ashift=12
zfs_load="YES"

Example: Modules and parameters added for a Intel HW based FreeBSD Server.

kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
vfs.zfs.min_auto_ashift=12
zfs_load="YES"

# How many seconds to sit at the boot menu before booting
autoboot_delay="3"

# Use new graphical consol driver
kern.vty="vt"
hw.vga.textmode=1

# Displayed the colored Beastie logo to the right of the boot options menu
loader_logo="beastie"

Optional: Add Local User

The adduser utility is a shell script, implemented around the pw(8) command, for adding new users.

N.B.: Remember to invite the user into other group wheel to enable this user login remotely via a ssh client!

Create a new local user for remote login with:

[root@server /usr/home/user]# sudo adduser [enter]
Password: <-- passwd [enter]
Username: username [enter]
Full name: Full Name [enter]
Uid (Leave empty for default):
Login group [username]:
Login group is username. Invite username into other groups? []: wheel [enter]
Login class [default]:
Shell (sh csh tcsh nologin) [sh]:
Home directory [/home/username]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username : username
Password : *****
Full Name : Full Name
Uid : 1001
Class :
Groups : username wheel
Home : /home/username
Home Mode :
Shell : /bin/sh
Locked : no
OK? (yes/no): yes [enter]
adduser: INFO: Successfully added (username) to the user database.
Add another user? (yes/no): no [enter]
Goodbye!
[root@server /usr/home/user]#

Completion of Basic Installation

Power off the server with:

[root@server /usr/home/user]# poweroff [enter]

Wait for the server to perform power off, disconnect the monitor and the keyboard and then start the server again.

That’s it!

Your FreeBSD Headless Server is now ready for the next step, installation of services and utilities to fulfill your need of a secure and reliable local data and web server for your home or small office.

Create a USB Memory Stick for installation of FreeBSD 13.1-RELEASE-amd64

Create a USB Memory Stick for installation of FreeBSD 13.1-RELEASE-amd64

This page was last updated [last-modified]

A USB Memory Stick can be prepared to install FreeBSD 13.1-RELEASE.amd64 on a computer with Internet access running FreeBSD, MacOS, Linux, or Microsoft Windows.

FreeBSD

Requirements:

Required hardware: USB Memory Stick, minimum size 2 GB

Required software: sudo, wget

sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.

GNU wget is a free utility for non-interactive download of files from the Web. It supports HTTP, HTTPS, and FTP protocols, as well as retrieval through HTTP proxies.

Download the FreeBSD image file

Start a terminal session to or on the FreeBSD Computer.

Download the FreeBSD-13.1-RELEASE-amd64-memstick.img image, 736 MByte, with:

[user@freebsd ~]$ wget wget https://download.freebsd.org/ftp/releases/ISO-IMAGES/13.1/FreeBSD-13.1-RELEASE-amd64-memstick.img --no-check-certificate -P ~/ [enter]

Download the CHECKSUM.SHA512-FreeBSD-13.1-RELEASE-amd64 image, 1.8 kByte, with:

[user@freebsd ~]$ wget https://download.freebsd.org/ftp/releases/ISO-IMAGES/13.1/CHECKSUM.SHA512-FreeBSD-13.1-RELEASE-amd64 --no-check-certificate -P ~/ [enter]

Calculate the checksum for the file with:

[user@freebsd ~]$ shasum -a 512 Downloads/FreeBSD-13.1-RELEASE-amd64-memstick.img [enter]
d4c58df629c7db6bf2ee2d43ae7f7b9e1c8b98fca0b89dd1afa1bed21891ecc2  /root/FreeBSD-13.1-RELEASE-amd64-memstick.img
root@server:~ #

…and compare the result with the checksum in file CHECKSUM.SHA512-FreeBSD-13.1-RELEASE-amd64 with:

[user@freebsd ~]$ cat Downloads/CHECKSUM.SHA512-FreeBSD-13.1-RELEASE-amd64 | grep
dbe066cb726b375eebca397aff12d18d6e48ad6c84b776253aabc2bbdff8fb9742e17fb68356581b0b20709002fdf9c3c77eccfd9c0c745e8f93a830264148a5 [enter]
SHA512 (FreeBSD-13.1-RELEASE-amd64-mini-memstick.img.xz) = dbe066cb726b375eebca397aff12d18d6e48ad6c84b776253aabc2bbdff8fb9742e17fb68356581b0b20709002fdf9c3c77eccfd9c0c745e8f93a830264148a5
user@server:~ #

Copy the FreeBSD image file to the USB Memory Stick

Insert the USB Memory Stick to a USB Port on the FreeBSD Computer.

N.B.: All Data on the USB Memory Stick will be lost!

Since USB devices are seen as a SCSI devices, camcontrol can be used to list device information for the inserted USB Memory Stick with this command:

[user@freebsd ~]$ sudo camcontrol devlist [enter]
Password: <-- passwd [enter] 
<ST1000DM010-2EP102 CC43>          at scbus2 target 0 lun 0 (pass0,ada0)
<AHCI SGPIO Enclosure 1.00 0001>   at scbus6 target 0 lun 0 (pass1,ses0)
<SanDisk Cruzer 7.01>              at scbus7 target 0 lun 0 (da0,pass2)
[user@freebsd ~]$

…or show the list with:

[user@freebsd ~]$ geom disk list [enter]
Geom name: cd0
Providers:
1. Name: cd0
   Mediasize: 0 (0B)
   Sectorsize: 2048
   Mode: r0w0e0
   descr: TSSTcorp DVD+-RW TS-L633A
   ident: (null)
   rotationrate: unknown
   fwsectors: 0
   fwheads: 0

Geom name: ada0
Providers:
1. Name: ada0
   Mediasize: 750156374016 (699G)
   Sectorsize: 512
   Stripesize: 4096
   Stripeoffset: 0
   Mode: r2w2e3
   descr: WDC WD7500BPKT-75PK4T0
   lunid: 50014ee2059f311c
   ident: WD-WXD1EC0PZ269
   rotationrate: 7200
   fwsectors: 63
   fwheads: 16

Geom name: da0
Providers:
1. Name: da0
   Mediasize: 8036285952 (7.5G)
   Sectorsize: 512
   Mode: r0w0e0
   descr: SanDisk Cruzer
   ident: 2444630C9FC0D053
   rotationrate: unknown
   fwsectors: 63
   fwheads: 255

[user@freebsd ~]$

In this example, SanDisk Cruzer 7.01 registered as device da0 is the target USB Memory Stick.

Optional: Display information about device da0 with, example:

[user@freebsd ~]$ diskinfo -v da0 [enter]
da0
	512         	# sectorsize
	8036285952  	# mediasize in bytes (7.5G)
	15695871    	# mediasize in sectors
	0           	# stripesize
	0           	# stripeoffset
	977         	# Cylinders according to firmware.
	255         	# Heads according to firmware.
	63          	# Sectors according to firmware.
	2444630C9FC0D053	# Disk ident.
	Not_Zoned   	# Zone Mode

[user@freebsd ~]$

Optional: Show the current partition information of the USB Memory Stick using this command:

[user@freebsd ~]$ gpart show da0 [enter]
=>      63  15695808  da0  MBR  (7.5G)
        63      1985       - free -  (993K)
      2048  15693823    1  !12  (7.5G)

[user@freebsd ~]$

N.B.: Your USB Memory Stick may have a different layout than in this example!

WARNING: The next step will delete all information on the USB Memory Stick!

Destroy the partitioning scheme on the USB Memory Stick with:

[user@freebsd ~]$ sudo gpart destroy -F da0 [enter]
Password: <-- passwd [enter]
da0 destroyed
[user@freebsd ~]$

The image file FreeBSD-13.1-RELEASE-amd64-memstick.img is copied to the USB Memory Stick with the dd utility with this command:

[user@freebsd ~]# sudo dd if=FreeBSD-13.1-RELEASE-amd64-memstick.img of=/dev/da0 bs=1m [enter]
Password: <-- passwd [enter]

When the copy process has been completed, a summary of the process will be displayed as in this example:

738+1 records in
738+1 records out
774215168 bytes transferred in 88.733136 secs (8725209 bytes/sec)
[user@freebsd ~]$

Delete FreeBSD-13.1-RELEASE-amd64-memstick.img file with:

[user@freebsd ~]# rm FreeBSD-13.1-RELEASE-amd64-memstick.img [enter]
rm CHECKSUM.SHA512-FreeBSD-13.1-RELEASE-amd64 [enter]
[user@freebsd ~]#

Disconnect the USB Memory Stick.

MacOS

Requirements:

Required hardware: USB Memory Stick, minimum size 2 GB

Required software: None

Download files

Click on https://download.freebsd.org/ftp/releases/ISO-IMAGES/13.1/FreeBSD-13.1-RELEASE-amd64-memstick.img to download the image file FreeBSD-13.1-RELEASE-amd64-memstick.img.
Click on https://download.freebsd.org/ftp/releases/ISO-IMAGES/13.1/CHECKSUM.SHA512-FreeBSD-13.1-RELEASE-amd64 to download the checksum file CHECKSUM.SHA512-FreeBSD-13.1-RELEASE-amd64.

Verify checksum

Launch the Terminal application.
Calculate the checksum for the file with:

user@iMac ~ % shasum -a 512 Downloads/FreeBSD-13.1-RELEASE-amd64-memstick.img [enter]
96bf96628a566cb33d736315dfb56e3076ab0d757ad6c94fa2235866007f7726dc42ac2b81abd7810ae40a945220088605dbf387ebed7d688a9b80dec5253247  Downloads/FreeBSD-13.1-RELEASE-amd64-memstick.img
user@iMac ~ %

Compare the result with the checksum in file CHECKSUM.SHA512-FreeBSD-13.1-RELEASE-amd64 with:

user@iMac ~ % grep 96bf96628a566cb33d736315dfb56e3076ab0d757ad6c94fa2235866007f7726dc42ac2b81abd7810ae40a945220088605dbf387ebed7d688a9b80dec5253247 Downloads/CHECKSUM.SHA512-FreeBSD-13.1-RELEASE-amd64 [enter]
SHA512 (FreeBSD-13.1-RELEASE-amd64-memstick.img) = 96bf96628a566cb33d736315dfb56e3076ab0d757ad6c94fa2235866007f7726dc42ac2b81abd7810ae40a945220088605dbf387ebed7d688a9b80dec5253247
user@iMac ~ %

The calculated checksum for the downloaded image file should match the posted checksum in the CHECKSUM.SHA512-FreeBSD-13.1-RELEASE-amd64 file.

Copy the FreeBSD image file to the USB Memory Stick

Insert the target USB Memory Stick to a USB Port on the Macintosh Computer.

Run the diskutil list command to find out the device name of the USB disk as in this example:

user@iMac ~ % diskutil list [enter]
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            999.3 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3

/dev/disk1 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *8.0 GB     disk1
   1:                        EFI EFI                     819.2 KB   disk1s1
   2: 83BD6B9D-7F41-11DC-BE0B-001560B84F0F               64.0 KB    disk1s2
   3:                FreeBSD UFS                         732.1 MB   disk1s3
   4:               FreeBSD Swap                         1.0 MB     disk1s4

user@iMac ~%

In this example, /dev/disk1 is the target USB Memory Stick.

Unmount the USB Memory Stick with:

user@iMac ~% diskutil unmountDisk /dev/disk1 [enter]
Unmount of all volumes on disk1 was successful
user@iMac ~%

Use dd to raw write the image file to the /dev/disk1.

WARNING: This will delete all information on the USB Memory Stick!

N.B.: Update /dev/rdisk1 in the next commando to the /dev/rdisk-number displayde on your Mac!

user@iMac ~% sudo dd if=Downloads/FreeBSD-13.1-RELEASE-amd64-memstick.img of=/dev/rdisk1 bs=4m [enter]
Password: <-- password [enter]

When the copy process has been completed, a summary of the process will be displayed as in this example:

279+1 records in
279+1 records out
1172165120 bytes transferred in 30.176911 secs (38843112 bytes/sec)
user@iMac ~%

Delete the FreeBSD-13.1-RELEASE-amd64-memstick.img file in Your Download folder.

Disconnect the USB Memory Stick.

Linux

Requirements:

Required hardware: USB Memory Stick, minimum size 2 GB.

Required software: None

(To be completed and verified)

Microsoft Windows

Requirements:

Required hardware: USB Memory Stick, minimum size 2 GB

Required software: Rufus (Selected to be used in this example)

Rufus is a utility that helps format and creates bootable USB flash drives, such as USB keys/pendrives, memory sticks, etc.

Download the latest version of Rufus from: https://rufus.akeo.ie

Save the Rufus utility executable file in a folder or on the desktop of your computer.

N.B. No installation is necessary!

Download the FreeBSD image file

Click on https://download.freebsd.org/ftp/releases/ISO-IMAGES/13.1/FreeBSD-13.1-RELEASE-amd64-memstick.img to download image file FreeBSD-13.1-RELEASE-amd64-memstick.img.

Copy the FreeBSD image file to the USB Memory Stick

Insert the USB Memory Stick to a USB Port on the Windows Computer.

Locate and double-click the Rufus Utility executable file to start the Rufus utility.

Verify that the inserted USB Memory Stick has been detected and selected in the Rufus dialog window.

Click on the CD drive icon and select the FreeBSD-13.1-RELEASE-amd64-memstick.img image file.

WARNING: The next step will delete all information on the USB Memory Stick!

Click the button Start and wait for the process to be completed.

Delete the FreeBSD-13.1-RELEASE-amd64-memstick.img file in Your Download folder.

Disconnect the USB Memory Stick.