Last modified: 14-11-2012
Introduction to FreeBSD
I originally started this tutorial after failing to secure a Windows 2000 Pro host to act as a router connecting our LAN to the Net through a cable modem, but I returned to FreeBSD to install a thin client running Asterisk from a Compact Flash card.
Note that "Minimum Install" installs neither the Ports system nor the man pages. To add the man pages, run sysinstall > 'Configure' > 'Distributions' > 'man'.
To stop the host, run "shutdown -p now".
FreeBSD comes with its own SSHd as part of the base system, so it doesn't show up when you run pkg_info.
By default, only non-root users can SSH to the FreeBSD box, and only those who belong to the wheel group can su to root (to add myuser to this group, run "pw user mod myuser -G wheel").
If you want to allow root to connect over SSH directly, edit /etc/ssh/sshd_config to add "PermitRootLogin yes", and restart the SSHd service (/etc/rc.d/sshd restart).
If you want to allow root to connect only from a given host, it looks like AllowHosts is not available with the version of SSH that comes with FreeBSD, so you'll have to use AllowUsers instead:
? PasswordAuthentication yes
To reduce the clutter from script kiddies trying to connect to SSHd, just run it on a port other than TCP port 22.
Making sure your host is actually using the right time is very important, as I've had an issue compiling a port because the time was wrong.
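An added example, not part of the original notes: a small POSIX shell audit of the sshd_config settings discussed above (PermitRootLogin, AllowUsers, Port, PasswordAuthentication). AllowUsers accepting user@host patterns is standard OpenSSH behaviour; the sample config, the assumed "no" default for PermitRootLogin (matching the note above that only non-root users can log in by default) and the function names sshd_opt, sshd_audit and write_sample are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an sshd_config for the
# settings discussed above. The sample config and the function names are
# this example's own; it assumes nothing about the host it runs on.

# Print the effective value of an sshd_config keyword. sshd(8) uses the
# first occurrence of a keyword, so the first match wins; commented lines
# start with "#" and never match. $3 is the fallback when the keyword is
# absent from the file.
sshd_opt() {
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Report on root login, host restriction, port and password auth.
# Returns 1 if root may log in from any host, 0 otherwise.
sshd_audit() {
    cfg=$1
    status=0
    # Assumed default: FreeBSD's stock sshd_config leaves root login off
    # (the notes above say only non-root users can SSH in by default).
    root=$(sshd_opt "$cfg" PermitRootLogin no)
    users=$(sshd_opt "$cfg" AllowUsers "")
    port=$(sshd_opt "$cfg" Port 22)
    pw=$(sshd_opt "$cfg" PasswordAuthentication yes)

    case $root in
        yes|without-password)
            if [ -z "$users" ]; then
                echo "WARN: PermitRootLogin $root with no AllowUsers restriction"
                status=1
            else
                # AllowUsers takes user or user@host patterns (OpenSSH behaviour)
                for u in $users; do
                    case $u in
                        root)   echo "WARN: AllowUsers lets root in from any host"; status=1 ;;
                        root@*) echo "ok: root limited to host pattern ${u#root@}" ;;
                    esac
                done
            fi ;;
        *) echo "ok: PermitRootLogin $root" ;;
    esac
    if [ "$port" = 22 ]; then echo "note: sshd on default port 22"; else echo "ok: sshd on port $port"; fi
    if [ "$pw" = yes ]; then echo "note: password authentication enabled"; fi
    return $status
}

# Constructed sample, modelled on the settings the notes above describe.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sshd_config for this example
Port 2222
PermitRootLogin yes
AllowUsers myuser root@192.168.1.10
PasswordAuthentication yes
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
if sshd_audit "$tmp"; then echo "result: root access restricted"; else echo "result: review WARN lines"; fi
rm -f "$tmp"
```

Run it as "sh sshd_audit.sh" and point sshd_audit at /etc/ssh/sshd_config to check a real host; a non-zero exit means root can log in from anywhere, which is the case the AllowUsers note above is meant to avoid.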
"The ntpd(8) program changes the clock gradually, whereas ntpdate(8) sets the clock, no matter how great the difference between a machine's current clock setting and the correct time."
To create an alias for rm : /etc/cshrc?
/bin/csh is the default shell, but offers fewer features than Bash (e.g. no tab completion). To install bash, run "pkg_add -r bash; bash". To make bash your default shell, create an /etc/make.conf containing "MAKE_SHELL=sh", or log on and run "chsh" manually.
Important! Do NOT edit /root/.cshrc and /root/.login to add "[ -x /usr/local/bin/bash ] && exec /usr/local/bin/bash" as the last line of each: this will keep "make buildworld" from running.
To turn off beeping when using Bash :
To add 'll', vi ~/.profile, and add "alias ll='ls -alG'"
To create a new user account, run "adduser", and follow the on-screen instructions.
There are three ways to install applications in FreeBSD:
Applications are installed under /usr/local: settings in /usr/local/etc/, binaries in either /usr/local/bin or /usr/local/sbin.
To install packages (i.e. pre-compiled binaries, as opposed to ports, which build from source code): pkg_add /path/to/tar/gz/package. To query installed packages: pkg_info. To remove a package: pkg_delete. To list the files that make up a package, type pkg_info -L mypackage.1.2.3.
As said above, "Minimum Install" does not install the Ports system. To install, run sysinstall > Configure > Distributions > select "ports" > Select install media. Once done, you can update Ports with CVSup ("With CVSup, FreeBSD users can easily keep their own source trees up to date"), or, rather, its text-mode version CVSup-without-gui.
Note: csup replaces cvsup on 6.2. csup is a rewrite in C of cvsup. csup is already part of the standard install, so there's no need to download cvsup-without-gui
As an example, here's how to install the Apache Port:
By default, the DocumentRoot directory is /usr/local/www/data/
To check if any software in the Ports collection needs upgrading, run
To upgrade a package through the Ports collection:
Note that it's sometimes required to restart a running process that uses a port (eg. upgrading PHP requires restarting Apache.)
To add PHP as a dynamic module to the port, and rebuild:
To uninstall a port, cd to its port location (eg. cd /usr/ports/sysutils/lsof) and run "make deinstall".
To have vim support the arrow keys, # cat ~/.vimrc:
To have TAB move 4 characters to the right:
FreeBSD uses fetch instead of wget, which some applications expect to find. To install wget, run this:
# cd /usr/ports/ftp/wget
# make install clean
# pkg_add -rv python   (installs 2.4.x)
# cd /usr/ports/lang/python25 ; make install
To add an IDE ZIP drive installed as slave on IDE plug #2 (I had a 10GB hard disk on IDE plug #1, and the CD-ROM drive as master on IDE plug #2), create a /zip directory and run "mount -t msdos /dev/afd0s4 /zip". Add the corresponding entry to /etc/fstab so you can just run "mount /zip".
The FreeBSD MBR is located in /boot/boot0. This is a copy of the MBR, as the real MBR must be placed on a special part of the disk, outside the FreeBSD area.
/etc/rc.conf overrides entries in /etc/defaults/rc.conf. Note: do not place any commands in /etc/rc.conf. To start daemons or run any commands at boot time, place a script in /etc/rc.d/ or /usr/local/etc/rc.d/ instead.
To tell the host which DNS to query to resolve names, use /etc/resolv.conf
ifconfig_dc0="inet 192.168.1.3 netmask 255.255.255.0"
ifconfig_dc1="inet 10.0.0.1 netmask 255.255.255.0 media 10baseT/UTP"
ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"
In rc.conf, gateway_enable="YES" sets the sysctl variable net.inet.ip.forwarding to 1 (it can also be set in /etc/sysctl.conf). If you need to stop routing temporarily, reset it to 0.
The client-side program, dhclient, is part of the FreeBSD base system. To have an interface use DHCP for its IP configuration, edit /etc/rc.conf to include ifconfig_fxp0="DHCP" (replacing fxp0 with the actual driver name); client options live in /etc/dhclient.conf. To switch an interface to DHCP without making the change permanent (i.e. without editing rc.conf), just run "dhclient dc0", where dc0 is the name of the interface.
Once the interface received its DHCP configuration from the ISP, run "netstat -rn" to check the routing information.
Run "sockstat" to list open sockets.
Important files live in /usr/local/etc/samba/ and /var/db/samba/. To check where smbd will look for smb.conf, run "smbd -b | grep smb.conf".
In user-level security, the client sends a session setup request directly following protocol negotiation. This request provides a username and password. The server can either accept or reject that username/password combination. At this stage the server has no idea what share the client will eventually try to connect to, so it can't base the accept/reject on anything other than: the username/password, and the name of the client machine.
In share-level security, the client authenticates itself separately for each share. It sends a password along with each tree connection request (share mount), but it does not explicitly send a username with this operation. The client expects a password to be associated with each share, independent of the user. This means that Samba has to work out what username the client probably wants to use, since the SMB server is not explicitly sent the username.
MS Windows clients may use encrypted passwords as part of a challenge/response authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear-text strings for simple password-based authentication. It should be realized that with the SMB protocol, the password is passed over the network either in plaintext or encrypted, but not both in the same authentication request. MS Windows 95 pre-service pack 1 and MS Windows NT versions 3.x and version 4.0 pre-service pack 3 will use either mode of password authentication. All versions of MS Windows that follow these versions no longer support plain-text passwords by default.
The Guest account of the Windows world is mapped to the user nobody in the Unix world. This can be changed with the global option guest account, which defaults to nobody. Also, the guest ok parameter on every share defaults to no. The Unix account nobody must exist in your account database. Whether the guest has read or write access to the share depends on the mode bits of the path and on whether the share has read only = no set.
To enable guest access to a share you need the following parameters in your smb.conf:
The other way to get public access is to use security = share. Then all access is mapped to the guest account. But this is not a good choice, since you can't distinguish between authorized users and anonymous users.
If you don't have any 9x hosts, raise security thusly:
To launch smbd and nmbd manually: /usr/local/sbin/smbd -D ; /usr/local/sbin/nmbd -D
When using security = user and encrypted passwords (required for recent versions of Windows):
Add encrypted passwords for Samba users with "cd /usr/local/private ; mv smbpasswd smbpasswd.original ; touch smbpasswd ; chmod 0600 smbpasswd". Then, for each user, run "/usr/local/bin/smbpasswd -a username".
Although the version of Asterisk available through Ports lags a bit behind what's available on Digium's site, it's easier to compile it this way than from the raw source code.
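An added example, not from the original notes and not Samba's own tooling: a shell script that flattens an smb.conf and flags the settings discussed above (security = share, clear-text passwords, and shares that are both guest ok and writable). The sample smb.conf is constructed for the example, and smb_flatten, smb_audit and write_sample_smb are this example's names; the defaults it assumes (security = user, read only = yes, guest ok = no) are Samba's documented defaults, the last of which the notes above state.

```shell
#!/bin/sh
# Added example, not from the original notes or from Samba: flatten an
# smb.conf and flag the guest and security settings discussed above.
# The sample smb.conf and the function names are this example's own.

# Print one "section|key|value" line per parameter, with section and key
# lower-cased and surrounding whitespace trimmed; skips comments (# or ;).
smb_flatten() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/[]].*/, ""); sec = tolower($0); next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = tolower(substr($0, 1, n - 1)); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print sec "|" k "|" v
        }' "$1"
}

# Findings go to stdout; returns 1 if share-level security is in use,
# passwords are clear-text, or any share is writable by guests.
# Samba defaults assumed: security = user, read only = yes, guest ok = no.
smb_audit() {
    findings=$(smb_flatten "$1" | awk -F'|' '
        $1 == "global" && $2 == "security"          { sec = tolower($3) }
        $1 == "global" && $2 == "encrypt passwords" { enc = tolower($3) }
        $1 != "global" {
            shares[$1] = 1
            # "public" is a synonym of "guest ok"; "writable"/"writeable" invert "read only"
            if ($2 == "guest ok" || $2 == "public") guest[$1] = tolower($3)
            if ($2 == "read only") ro[$1] = tolower($3)
            if ($2 == "writable" || $2 == "writeable") ro[$1] = (tolower($3) == "yes") ? "no" : "yes"
        }
        END {
            if (sec == "share") print "WARN: security = share maps every client to the guest account"
            else print "ok: security = " (sec == "" ? "user (default)" : sec)
            if (enc == "no") print "WARN: encrypt passwords = no (clear-text SMB passwords)"
            for (s in shares) {
                if (guest[s] == "yes" && ro[s] == "no")
                    print "WARN: share [" s "] is writable by anonymous guests"
                else if (guest[s] == "yes")
                    print "note: share [" s "] allows read-only guest access"
            }
        }')
    printf '%s\n' "$findings"
    case $findings in *WARN:*) return 1 ;; esac
    return 0
}

# Constructed sample: one read-only guest share and one guest-writable share.
write_sample_smb() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   encrypt passwords = yes
   guest account = nobody

[public]
   comment = read-only drop for anonymous clients
   path = /usr/local/share/public
   guest ok = yes
   read only = yes

[dropbox]
   path = /usr/local/share/dropbox
   public = yes
   writable = yes
EOF
}

tmp=$(mktemp)
write_sample_smb "$tmp"
if smb_audit "$tmp"; then echo "result: no findings"; else echo "result: review WARN lines"; fi
rm -f "$tmp"
```

Point smb_audit at the smb.conf that "smbd -b | grep smb.conf" reports to check a real host. The flattening step deliberately keeps section and key lower-cased, because Samba treats parameter names case-insensitively and the synonyms (public/guest ok, writable/read only) are what usually hide a guest-writable share.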
After upgrading Zaptel, it turned out not to work on my hardware. Here's how to install the "portdowngrade" utility in FreeBSD 6.3, and downgrade both Zaptel and Asterisk:
FYI, PHP saves its session files under /var/temp/. Files are prefixed with sess_ followed by the PHPSESSID cookie value.
# make install
===> Installing for mysql-client-5.0.51
===> Generating temporary packing list
===> Checking if databases/mysql50-client already installed
===> mysql-client-5.0.51 is already installed
You may wish to ``make deinstall'' and install this port again
by ``make reinstall'' to upgrade it properly.
If you really wish to overwrite the old port of databases/mysql50-client
without deleting it first, set the variable "FORCE_PKG_REGISTER"
in your environment or the "make install" command line.
*** Error code 1
Stop in /usr/ports/databases/mysql50-client.
=> Set up NTPd, restart, retry
fastcgi.server = ( ".php" =>
    #BAD ( "localhost" =>
    ( ( "socket"   => "/tmp/php-fastcgi.socket",
        "bin-path" => "/usr/local/bin/php-cgi"
    ) )
)
To mount a binary image file used to flash a CF card:
To read a Compact Flash through a USB card-reader:
It seems like FreeBSD doesn't support ext2fs by default, so if the CF card is partitioned with that filesystem, try "mount_ext2fs /dev/da1s1 /mnt/cf" instead.
FreeBSD on the Soekris net4501 By Michael R. Brumm
After moving the HD from a PC that used a VIA Rhine embedded Ethernet interface (vr0) to a PC using an Intel 10/100 embedded interface (fxp0), you'll need to edit /etc/rc.conf so that the new interface gets its IP configuration from the DHCP server (if need be), and restart the network service (/etc/rc.d/netif restart).
To switch to single-user mode, type shutdown now and press Enter when prompted to do so. To return to multi-user mode, type exit.
The equivalent of Linux's "netstat -nltp" to list TCP applications listening on ports is "netstat -nat | grep LISTEN".
To search through the Ports collection, instead of using the usual find /usr/ports -name "samba*", you can use this:
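An added example, not part of the original notes: a shell script that parses output in the layout FreeBSD's "netstat -nat" prints, where the local address and port are joined with a dot ("*.22", "127.0.0.1.3306"), and then checks the sockets bound to all interfaces against a list of ports you expect to be open. The netstat text is constructed for the example; listeners, unexpected_wildcard and sample_netstat are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original notes: parse FreeBSD-style
# "netstat -nat" output and check listening sockets. The netstat text is
# constructed for this example; listeners, unexpected_wildcard and
# sample_netstat are this example's own names.

# Constructed output in the layout FreeBSD netstat prints.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.2222                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.3306         *.*                    LISTEN
tcp4       0      0  *.139                  *.*                    LISTEN
tcp4       0     52  192.168.1.3.2222       192.168.1.10.50123     ESTABLISHED
udp4       0      0  *.123                  *.*
EOF
}

# Print "proto local_ip port" for each LISTEN row read from stdin.
# FreeBSD joins address and port with a dot ("*.22", "127.0.0.1.3306"),
# so the port is whatever follows the last dot.
listeners() {
    awk '$NF == "LISTEN" {
        n = match($4, /\.[0-9]+$/)
        if (n == 0) next
        print $1, substr($4, 1, n - 1), substr($4, n + 1)
    }'
}

# Flag sockets bound to all interfaces ("*") whose port is not in the
# space-separated list given as $1. Returns 1 if any such socket exists.
unexpected_wildcard() {
    findings=$(listeners | awk -v allow=" $1 " '
        $2 == "*" && index(allow, " " $3 " ") == 0 {
            print "WARN: " $1 " listening on all interfaces, port " $3; next }
        $2 == "*" { print "ok: " $1 " *:" $3 " (expected)"; next }
        { print "ok: " $1 " bound to " $2 ":" $3 " only" }')
    printf '%s\n' "$findings"
    case $findings in *WARN:*) return 1 ;; esac
    return 0
}

# Only sshd (moved to port 2222, as the SSH notes suggest) is expected on "*";
# the sample's port 139 listener shows up as a WARN.
if sample_netstat | unexpected_wildcard "2222"; then
    echo "result: nothing unexpected"
else
    echo "result: review the WARN lines above"
fi
```

On a real host, replace sample_netstat with "netstat -nat" and list the ports you deliberately expose; services bound to 127.0.0.1 (like the MySQL socket in the sample) are reported but never warned about, since they are not reachable from the network.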
"crontab -e", and add the following:
0 0 * * 0 root /root/myscript.bash
Alternatively, some cron implementations support a shorter, more readable format:
@weekly root /root/myscript.bash
kldstat = lsmod in Linux
kldunload = rmmod
kldload = insmod
Check /etc/defaults/rc.conf. If you need to disable some, set them to "NO" in /etc/rc.conf.
You have to log on as a regular user that belongs to the wheel group, and su to root.
# which lighttpd
# cat /usr/bin/lighttpd
/usr/local/sbin/lighttpd -f /usr/local/etc/lighttpd.conf $@
# lighttpd start
2008-01-13 22:27:26: (server.c.504) No configuration available. Try using -f option.
The argument must include the package's name and version number, e.g. pkg_delete mutt-22.214.171.124_2
The problem is that dhclient updates /etc/resolv.conf to point to the ISP's DNS servers. This is not an issue in itself: to resolve local hostnames (i.e. hosts located on the LAN), just point the gateway at the host acting as DNS for the LAN, so that external DNS servers are not queried to resolve private hostnames.
At the console, running "chsh -s /usr/local/bin/bash ; echo $SHELL" still returns "/bin/csh".
# cat ~/.bash_profile
alias l='ls -lAFG'
bash: ll: command not found
"Portsnap is a system for securely downloading and updating a compressed snapshot of the FreeBSD ports tree, and using this compressed snapshot to extract or update a (uncompressed) copy of the ports tree. Historically, most people have used CVSup to keep their ports tree up to date, but CVSup has a number of limitations"
While in edit mode, hitting eg. left arrow displays A's
Make sure it's listed in /etc/rc.conf
Make sure the FQDN for the host is defined in either the DNS or in /etc/hosts.
pkg_info | grep mysql
pkg_info -L mysql-server-5.0.51
cd /usr/ports/audio/lame ; make install
lame -h -b 128 test.wav test.mp3