step 4Installing FreeBSD and the Ports collection

Due to time constraints, I only have time to cover the required software and a brief overview of the installation process. Obtaining the OS Grab the CD ISOs or purchase the actual CDs or DVD from You can use either FreeBSD 5.4 or 6.0, either one works. Be sure you download the correct image for your architecture (only x86 is covered here). When in doubt, just grab the x86 and try it. I've never tried the AMD64 version of FreeBSD. The libraries were a pain to maintain with the AMD64 version of FC2 though. If you've used this architecture build, let me know how it works. If you have a 64-bit AMD processor, it is backwards compatible with the x86 architecture, so you have something to fallback to if you want to have an adventure in 64-bit computing. Preparing the installation media If you've downloaded the ISOs, burn them to CDs. Make sure your BIOS is set to use the CD/DVD drive as your primare boot device The OS Installation Process Follow FreeBSD's installation procedures. The default partition settings work fine for our purpose, but if you don't plan on rotating your logs regularly, you might want to increase the size of the /var partition. As far as the ports collection is concerned, there are two methods to consider. If you don't want to bother with manually installing only what you need, install the entire ports collection; otherwise, perform a minimal install » Update your ports collection. THIS IS IMPORTANT. If you do this PRIOR to building and installing any software, you'll save time later by not having to upgrade. » Make sure all of your hardware is recognized. You may want to install the nVidia or ATI drivers if you're going to be using a desktop environment like KDE or Gnome » Configure your ethernet interfaces » Reboot and make sure that everything works and that you have internet access (by using lynx to view a website, or a simple ping connectivity test) Again, any collaboration would be appreciated. See the intro for contact details.

4.16. you'll see pflog0 here also.and external-facing interfaces and IP addresses are.1 to 172. » Install and configure OpenSSH for network terminal emulation. Thanks for the resource Peter! » Install and configure any other software that you would like. For example. but if you have multiple devices using the same drivers. » 172. We've agreed to post some of his article here. he. wrote this article from memory. Also. and which machines should have access to what. .0/16 (172.16. stateful firewall.200 Will be the firewall's internal IP address.255. Internal hosts will have to route packets through this. I'll use the following: » "xl0" will be my internal interface.16. and Snarf (web interface for Snort logs). Things to know » You will need to know what your internal.16.3.200 will be my internal IP address. Things to decide You will need to decide what you want your internal network to look like when this is over. each device will have a unique number starting at zero and counting up. Pre-shared keys are definately recommended. In this guide I will use the following: 172. Bruteforceblocker (SSH bruteforce blocker). If you've configured pflog to monitor your firewall.185 will be my internet-facing IP address.254) will be assigned to a DHCP range.0. I recommend the Squid caching-proxy (installing as a reverse-proxy is nice too).1). 5Configuring your software Here is a VERY brief overview of the configuration process. What follows is taken directly from his howto. lo0 is your loopback device (IP 127.4. two great sources for information pertaining to PF are the PF User Guide and Peter Hansteen's Firewalling with OpenBSD's PF packet filter . These are named like so: The name of the driver used for the device followed by a number. (John) In this guide.3. Craig McLean was kind enough to let me integrate a how-to article on the same topic into this one. like I. ClamAV (antivirus) with vectoring through your firewall.1 to 172.0/24 (172. » The FreeBSD device name for your internal/external interfaces.0. but once the install is complete you should use: # ifconfig -ato find it out.16. » Confirm SSH connectivity from another machine on the LAN using OpenSSH (*nix) or PuTTY (Windows) » Install and configure the ported version of OpenBSD's PF packet-filtering. You can take a look at pf. but not a requirement. If you find any errors in it.254) Will be the internal network. » "dc0" will be my external interface. two Realtek based NICs will apear as rl0 and rl1.16. please let us know.16. You may not know your external IP yet. » 82.30. This number is typically 0 (zero). Snort IDS (Intrusion Detection System). » You will also need to know the IP address(es) of the DNS servers provided by your ISP.conf for an example of what your PF configuration file might look like. used for machines in the outside world to connect to me.16. This is not as complex as it sounds but it benefits us to work it out in advance. Please realize.

Linux machines will have ssh by default. This is a special group which contains all users who can become "root". it's probably because you are not a member of the "wheel" group. which ssh uses by default. Use dhclient for this.conf and making sure you have the following: sshd_enable="YES"in there.greenend. The Firewall . It can also make security audits more straightforward. we want this system to be protected from bad guys on the internet by using firewalling. Do this by editing the ssh daemon configuration file which lives at /etc/ssh/sshd_config and make sure you have ListenAddress 172. the services you want to be started when the system boots.16. and while you are there . In here you will put information on a variety of things. replacing 172.chiark. Your machine will be on the included by default with the OS. and share out our internet connection to other equipment on our network using NAT (Network Address Translation). you may need to setup DHCP on your external interface. and much more.200 with the internal IP address we decided on earlier. You should take the time to have a look at it before we move on.d/sshd startto start the service. windows users can get hold of PuTTY (www. If you find 'su' rejecting you.16.3. OpenSSH can be enabled on FreeBSD by editing /etc/rc. Now you can run # /etc/rc. If you don't absolutely need ssh from the internet. IP addresses. and people will try and get in. The pw command can also be used to add/modify/delete users and groups. Also. It's secure. (John) Setting up the System There is a really important file on your new FreeBSD machine. make sure you only listen for connections on the internal interface.make a backup copy! Add a User If you didn't do this during install. The hostname of the system. static IP addressing works just fine One of the ways they will do this is to try to guess usernames and passwords. you should add a non-root user which you can use on a day-to-day basis.200in there. you should disable passwordbased access and instead use publik-key authentication.3. (John) Set up OpenSSH OpenSSH (Open Secure SHell) should be your weapon of choice when connecting to your new FreeBSD host. It's called /etc/rc. If you decide that you need ssh access from the outside world.If the IP assigned by your ISP is dynamic. This can be done with the command: # adduserMake sure the user is in the group "wheel". and there are any number of clients you can use to connect to it.conf . Google will tell you how! Setting up Firewall and NAT Primarily. while using DHCP on your internal network is more user-friendly.

Keep it to hand as we go through these steps.0/16 to any# Allow our internal interface to talk to the internal networkpass out on xl0 from 172. it's the renowned "ipf HOWTO": www. you can use: # ipf -Fa -f /etc/ipf. » (maybe) Redirect access from machines on the internet to other machines on the local network. In a minute. » Redirect replies to internal traffic back to individual systems. you can refer to the PF Guide (openbsd.conf"ipfilter_flags= "" This should be pretty self-explanatory. but let's not worry about that yet. deny everything unless specified. If you want to clear out your firewall rules just use: # ipf -FaTo view all rules for inbound packets: # ipfstat -iand outbound: # ipfstat -o The 'ipf' functionality in FreeBSD is huge.While Craig covers using IP Filter here. You may find if hard to recover if you get it wrong. and suddenly find yourself disconnected :-) . read new rules from file /etc/ipf. though.obfuscation. Warning: Think very hard before changing firewall rules if you are connected over TCP/IP. This is where all our rules will live.confwhich translates as "Flush all. From here onwards. (John) First. You can start the firewall. » Block everything else. or desirable. "in" and "out" are going to have very specific meaning. eventually. Leave it commented for now. I will append a tutorial for using PF when I get the chance. we want to do the following: » Allow internal IP traffic to the firewall machine. » Redirect (where necessary) internal IP traffic to the .16.16. For now. I strongly suggest you take a look at both.200 to any# Allow tcp or udp from our external interface outwards to anywhere. so we need port 80pass in on dc0 proto tcp from any to any port = 80 flags S keep frags keep statepass in on dc0 proto tcp from any to any port = 443 flags S keep frags keep state# Likewise sendmail.d/ipf startIf you change the rules.block in on xl0 # Our internal interfaceblock out on xl0block in on dc0 # Our external interfaceblock out on dc0# Allow our internal network to come into the internal interfacepass in on xl0 from 172. using these rules.0. We decided earlier what logic we wanted. First we need to enable ipfilter.conf ipfilter_enable="YES"ipfilter_program="/sbin/ipf"ipfilter_rules="/etc/ipf. by issuing: # /etc/ and the sample configuration file that i've attached (pf. and want to reload the firewall tables. and can now translate that into rules: # First.conf).conf ". let me point you at another great URL.# pass in on dc0 proto tcp from any to any port = smtp flags S keep frags keep state# pass in on dc0 proto tcp from any to any port = smtps flags S keep frags keep state Those are the basics. "in" and "out" need to be used very carefully. /etc/ipf. keeping# a "state table" of connections and assembling fragmented packetspass out on dc0 proto tcp/udp from any to any keep state keep frags# Allow "ping" and its friends out from the external interfacepass out on dc0 proto icmp from any to any## Services## We're going to be running a web server. and the first thing to note is the location of the rules file. There's more info in the manpages. as they refer to "in" and "out" of a specific interface.3. That needs the following in /etc/rc. Logically. and at the link at the beginning of this section. Keep this in mind as we go on. This has only just scratched the surface of what is possible. » Allow machines on the internet access to certain ports/services on the firewall.

Here is how mine is setup: » Cisco uBR900 cable modem provides connectivity to the internet.d/routing start# /etc/rc. we will use ISC's DHCPD from the ports collection.4.conf.conf contains: dhcpd_enable="YES"and start the dhcp server using # /usr/local/etc/rc. The WAN IP on the firewall is assigned by DHCP from the modem.16. The WAP has a static IP. we need to add some more lines to /etc/rc.0.d/ipnat start At this point. To do this. DHCP Server Setup The final step in the initial setup of your system will be to provide your clients with DHCP information. The second line will proxy outbout ftp access.16. select whichever options you want (I'd recommend at least PARANOIA and JAIL) # make install# cd /usr/local/etc# mv dhcpd.0/16 -> dc0/32 proxy port ftp ftp/tcpThe first line maps internet access outbound on dc0 to appear from "dc0/32".nnn.16. NAT allows many internal clients to share one internet address.0.200 as its router should be able to access the internet.255. .200.16.conf Then edit the dhcpd.11g D-link WAP and an 8port gigabit switch. so our rule is: map dc0 172.16. but provides wireless access through DHCP. and automatically assigns IP addresses (and more importantly.nnn.0/16 and static (no DHCP) » My firewall connects to a 24port switch. the same still applies.16.3.16. do: # /etc/rc.The NAT Next we want to set up Network Address Translation for other devices on our internal network. NAT is really easy to set up. # cd /usr/ports/net/isc-dhcp3-server# make From the menu. While my home network is a little different than Craigs.4.3.0 {range 172. Then ensure /etc/rc. but this time the rules are in /etc/ipnat. gateway information) to clients.conf file.255.rules.16.1 172.0.0.sample dhcpd. This is connected to a 108Mbps 802. I appreciate the help.0. We're going to allocate from 172.0 or stricter and 172. To do this..168.shared-network Dynamic-4-subnet {option routers 172. any client on the 172.log-facility local7.option domain-name-servers nnn.16.0/16 -> dc0/32 portmap tcp/udp automap dc0 172.0 netmask 255.rules"ipnat_flags=""Pretty much like the firewall stuff.0.1 to 172.4..0 network which has a netmask of 255.nnn.} You will need to substitute nnn.0. » The LAN network is 192.4.nnn with your ISP's domain name servers.nnn.0. This allows centralised management should things change. with its packets being "mapped" by the NAT setup on the firewall machine. To get ipnat up and running. so it looks like this: ddns-update-style start Thanks Craig.16.d/isc-dhcpd. » The modem is connected to my firewall.16. which is shorthand for "the IP address currently associated with the interface dc0". This is necessary if you don't want to have to use passive ftp all the time because the ftp protocol sucks.100.0/16 to use the internet. We want to allow anything on 172.100 for clients.conf: gateway_enable="YES"ipnat_enable="YES"ipnat_program="/sbin/ipnat"ipnat_rules="/etc/ip nat.subnet 172.

it is definitely easier to manage. It's all personal preference. All int rnal traffi moves unprohi itted by the firewall.» M fi ll provi no int rnal prot tion. Your setup may be different also. I don't have to add firewall rules everytime I want to access a new service. This includes outbound traffic also. While this may not be the most secure. i .

then I'm sure you've experienced your fair share of timeouts. Adding ALTQ support to your kernel To begin. your new kernel is ready to use. Change to the /usr/src directory. edit it with your favorite editor (pico is great for beginners). you should have ALTQ support compiled into your kernel. Now. because ALTQ support is disabled by default in FreeBSD. Priority-based queueing. Just follow my instructions. and you should be fine. FreeBSD is even kind enough to place the new kernel in your boot path. There are also a few additional features that you have at your disposal: random early detection and explicit congestion notification (ECN). then follow these steps (from the handbook) to compile it: 1. Don't worry. Instead of spending $100+ on a router that has this feature. add the folowing lines to the end of the file: #ALTQ OPTIONSoptions ALTQoptions ALTQ_CBQ # CLASS BASES QUEINGoptions ALTQ_RED # RANDOM EARLY DETECTIONoptions ALTQ_RIO # RED IN/OUToptions ALTQ_HFSC # HIERARCHIAL PACKET SCHEDULERoptions ALTQ_PRIQ # PRIORITY QUEUINGoptions ALTQ_NOPCC # REQUIRED FOR SMP BUILDNow save the file (I called mine FIREWALLKERNEL). Compile the kernel. After duplicating the GENERIC kernel configuration file. A new kernel is required. The most complicated thing you have to do is recompile your kernel. ALTQ is very easy to setup. calculates the average queue size. If the average queue size is above a maximum . Our next step is actually configuring ALTQ Configuring ALTQ ALTQ supports two kinds of packet prioritization: class-based (CBQ) and priority-based (PRIQ). The packets with the highest priority are processed first. I'll be using the "new" method. Packet prioritzation offers a solution to this problem. A specific portion of your overall bandwidth is then allocated to each one of these classes. read Enabling ALTQ . it's much easier than you think. # make installkernel KERNCONF=FIREWALLKERNELIf everything works. you can instead use ALTQ with PF to accomplish the same thing. lag. All you have to do is reboot your system (`shutdown -r now`).step 6Packet Prioritization Packet Prioritization with ALTQ If your WAN connection stays fairly saturated (with things like bittorrent). then drops or forwards packets depending on the level of congestion. read Building and Installing a Custom Kernel thorougly. # cd /usr/src 2. assigns priorities to packets. like it's name suggests. or slow page loads. or RED. # make buildkernel KERNCONF=FIREWALLKERNEL 3. Random early detection. Class-based queueing divides trafic into "classes". Install the new kernel. After you read that. Now.

This means that all traffic flowing through my internal interface will have 100% of its 100Mbps bandwidth. Leave me a comment to let me know if this helps anyone. Explicit congestion notification. device rl0. ecn)Notice my "bandwidth" options on the first and second lines. it's time to actually assign them to my firewall rules.threshold. and packets will be dropped depending on how close the queue size is to the upper and lower thresholds. I am able to have bittorrent running non-stop on my network. Simply add "queue <queue_name>" to the end of any rules that you would like to assign to the priority level identified by <queue_name>. I assigned a default priority to number 10. In my PF configuration file (pf. This is very easy. because packet prioritization relies on the level of saturation on an interface to determine when to start queuing packets. http. because my network sees a large variety of different types of traffic. By doing this. sets a flag in packets to notifiy hosts of network congestion. When a host that supports ECN receives a packet marked with this flag. and $ext_if is my external interface. Anywhere between these thresholds.conf that includes ALTQ configurations. number 1 being highest priority. ssh. it responds by throttling back it's activity. p2p}queue ssh priority 1 priqqueue http priority 2 priqqueue std priority 10 priq (default)queue p2p priority 13 priq (red. no packets will be dropped. p2p}altq on $ext_if priq bandwidth 5Mb queue {std. ssh. I then gave bittorrent a priority level of 15. because of its time-critical nature. device dc0): altq on $int_if priq bandwidth 100% queue {std. . This means that any traffic that matches my firewall rules and is NOT given a priority will default to priority level 10. I also gave SSH a high priority of 1. It has definately helped me. all packets will be dropped. And that's it.conf). Although my external interface may be connected at 10Mbps. or ECN. http. bt. I've attached a revised version of my pf. You'll notice I also assigned 100% of the bandwidth on my internal interface to ALTQ. without any noticeable increase in latency or throughput. Here is what my PRIQ configurations look like ($int_if is my internal interface. I chose priority-queueing. ecn)queue bt priority 15 priq (red. This is important. Packet prioritization is that simple. If the queue size is below a minimum threshold. bt. Priority-queuing uses numbers 1 through 15 to prioritize traffic. I set the ALTQ queue size on my external interface to 5Mb. Now that I've determined my priority levels. I am only allotted 5Mbps by my ISP.

If need There you should find ShieldsUp!. . If you listen to the Security Now podcast with Leo Laport. Offline UPS's will work fine though. so long as they have a low switchover time. While most of the time (in my experience atleast) this can be fixed by running `fsck` in single-user mode with your disks unmounted. or worse. the effects could be devastating. If you're not using RSA/DSA pre-shared keys (why aren't you?). we are not creating a true bastion host . or even if you don't a UPS (Uninteruptable Power Supply) can save you many headaches. Because it is more cost-effective to combine the firewall with the IDS. the more inherent security your firewall will enjoy.freebsd. UPS's If you experience frequent power surges. a popular (and basic) security assessment tool. you can login as a normal user. we would have a bastion host. Bastion hosts and bastard systems Keep in mind that the less software that you you may have heard ShieldsUp! mentioned. Offline UPS's provide power from the outlet until they sense a power outtage. A zombie computer portscanned you and found that you're running the SSH ser vice (should you decide to allow WAN access). By installing JUST a firewall.more like a bastardized version of one. More software means more places for hackers to find vulnerabilities. This does not mean that someone is intentionally trying to hack into your network. and contains an overzealouz combination of letters.grc. destroy. There are two different types of UPS's: offline (or standby) and online. but more reliable. a UPS will provide reliable power to your firewall to keep it running smoothly. the most disturbing attempts are SSH bruteforces. this leads to corrupted data. in which case they switch over to battery power. This would be like spamming the planet with your social security number. If someone were to gain access through SSH. power outages. numbers. a UPS will eliminate this problem alltogether. In my experience. Online UPS's are a little more expensive than offline UPS's. and auditing software. make sure your login password is extra-long. Often times. FreeBSD doesn't like being shutdown instantaneously. AND symbols. Aren't you glad you have a firewall? My record for intrusion attempts after placing a firewall online is 3 minutes. There are literally THOUSANDS of zombie computers out there that mindlessly probe the internet looking for a system to call their own. Who's knocking down the door? Don't be suprised to see attacks within minutes of placing the firewall on the internet. Do I have a false sense of security? If you don't trust your firewall. Unless your power goes out for a prolonged amount of time. then at the very least. Online powersupplies have a zero switchover time (the amount of time it takes between loss of mains power and when stable power is supplied by the UPS) because they use inverters. then `su` your way to root. IPS. you can perform a quick and easy portscan on yourself by pointing a browser protected by your firewall to www.html for the list. Have a look at www. This is why your most important security measures should be placed here. Perhaps the dumbest thing you can do is allow root access to SSH.step 7Conclusion and where to find help You are not limitted to these utilities. FreeBSD has a vast collection of battle-proven security packages. This system is more than enough to provide reliable streaming media. is by doing the research yourself and diving right in. .freebsd. You'll find Nessus in your ports collection. or VPN access to our LAN. try some the IRC channels on Dalnet or Freenode. we will release the MyNAS project to provide a user-friendly interface to the NAS and an out-of-the-box file-sharing community. Nessus can be used to perform a MASSIVE assortment of security probes. We've even setup dynamic DNS services to provide internet access to our media through a custom web interface. and possibly become an alcoholic because of it.The best form of security auditing is by using a tool like Nessus. and a few gigabit ethernet NICs. wireless. 512MB of PC3200 DDR-RAM. file serving capabilities. When resorting to chatrooms. Google is also another valuable resource. or any flavor of Linux or Unix. be expecting insulting comments and a few "RTFM" RTFM The FreeBSD Handbook is the single-most important resource when working with FreeBSD. Just point your browser to www. Other uses I also build a NAS (Network Accessible/attached Storage) device using a more modern AMD K8. and SVN repositories to anyone with wired. but you'll be that much more elite once you figure it out.html and click on "Handbook". The best (and most enjoyable IMO) way to learn how to use FreeBSD. You'll screw your system up. As a last resort. and at www. Eventually. curse everyone and their mother.

Sign up to vote on this title
UsefulNot useful