Step By Step FreeBSD as Internet Server
Installing FreeBSD
-
- Select Region.
- Select Standard Installation.
- Use all drive for FreeBSD.
- Create the disklabel. My installation uses an 80GB hard disk, and here is my disk label:
- / 512MB
- swap 1GB
- /tmp 1GB
- /usr 4GB
- /var 2GB
- /home 1GB
- /cache (all the rest of the hard disk space).
- Select Distribution - 6. Kern-Developer Full binaries and doc, kernel source only.
- When dialog box appears, select no to install ports.
- Exit.
- Select Distribution Media - CD
- Confirmation Installation - YES, wait until finish.
- After that, several questions follow; answer NO to each of them, except for the time zone and the root password.
- Reboot.
Install FreeBSD from CD-ROM, and follow this step :
After Installation
- Setting Up Networking
- Edit the /etc/rc.conf
defaultrouter="192.168.2.1" #Gateway ISP
gateway_enable="YES" #option: this machine acts as gateway for the clients
hostname="NoFee" #Machine name
sshd_enable="YES"
ifconfig_rl0="inet 192.168.2.103 netmask 255.255.255.0"
- Edit /etc/resolv.conf and enter your DNS server
- Edit the /etc/ssh/sshd_config
Port 22 # You can change this.
LoginGraceTime 10m
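# "PermitRootLogin yes" lets root log in directly over SSH; "no" (log in as a wheel user, then su) is the safer setting.
PermitRootLogin yes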
MaxAuthTries 2
PrintMotd yes
UseDNS no
- Reboot the system.
- Edit the /etc/rc.conf
- Update to Stable with CVS
- First you need to install packages
pkg_add -r cvsup-without-gui
- Create the file /root/cvs-supfile and insert this :
*default host=cvsup.freebsd.or.id #change this address with your local freebsd mirror.
*default base=/usr
*default prefix=/usr
*default release=cvs
*default delete use-rel-suffix
*default tag=RELENG_6
*default compress
src-all
ports-all tag=.
- Then run (from /root, where the supfile was created) :
/usr/local/bin/cvsup -g -L2 cvs-supfile
- The system will download the latest source and ports tree. How long this takes depends on your connection.
- First you need to install packages
- Build kernel for patching pf with altq.
- Follow this instruction
cd /usr/src/sys/i386/conf
cp GENERIC /etc/NoFee
ln -s /etc/NoFee
- Edit /etc/NoFee.
machine i386
cpu I586_CPU
cpu I686_CPU
ident NoFee
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options SCHED_4BSD # 4BSD scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options MD_ROOT # MD is a potential root device
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_GPT # GUID Partition Tables.
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
#options SMP # this option for multi proccessor.
options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
options SHMMAX=33554432
options SHMSEG=256
options SHMMNI=512
options SEMMNS=2048
options SEMMNU=256
options SEMMAP=256
options SHMALL=16384 # max amount of shared memory (pages)
options MSGMNB=16384 # max # of bytes in a queue
options MSGMNI=96 # number of message queue identifiers
options MSGSEG=4096 # number of message segments
options MSGSSZ=128 # size of a message segment
options MSGTQL=4096 # max messages in system
device apic # I/O APIC
# Bus support.
device eisa
device pci
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
device atapifd # ATAPI floppy drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
# SCSI Controllers
device ahb # EISA AHA1742 family
device ahc # AHA2940 and onboard AIC7xxx devices
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
device ahd # AHA39320/29320 and onboard AIC79xx devices
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
device amd # AMD 53C974 (Tekram DC-390(T))
device isp # Qlogic family
device mpt # LSI-Logic MPT-Fusion
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr')
device adv # Advansys SCSI adapters
device adw # Advansys wide SCSI adapters
device aha # Adaptec 154x SCSI adapters
device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
device bt # Buslogic/Mylex MultiMaster SCSI adapters
device ncv # NCR 53C500
# SCSI peripherals
device scbus # SCSI bus (required for SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
# RAID controllers interfaced to the SCSI subsystem
device amr # AMI MegaRAID
device arcmsr # Areca SATA II RAID
device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
device ciss # Compaq Smart RAID 5*
device dpt # DPT Smartcache III, IV - See NOTES for options
device hptmv # Highpoint RocketRAID 182x
device rr232x # Highpoint RocketRAID 232x
device iir # Intel Integrated RAID
device ips # IBM (Adaptec) ServeRAID
# RAID controllers
device aac # Adaptec FSA RAID
device aacp # SCSI passthrough for aac (requires CAM)
device ida # Compaq Smart RAID
device mfi # LSI MegaRAID SAS
device mlx # Mylex DAC960 family
device pst # Promise Supertrak SX6000
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
device agp # support several AGP chipsets
device pmtimer
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device rl # RealTek 8129/8139
device sis # Silicon Integrated Systems SiS 900/SiS 7016
device vr # VIA Rhine, Rhine II
device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device bpf # Berkeley packet filter
- Patching kernel.
cd /usr/src
make buildworld; make buildkernel KERNCONF=NoFee; make installkernel KERNCONF=NoFee
If using a dual processor :
make -j4 buildworld; make -j4 buildkernel KERNCONF=NoFee; make installkernel KERNCONF=NoFee
- Reboot, then select 4 (single-user mode) when the boot menu appears.
fsck -p
mount -u /
mount -a -t ufs
swapon -a
cd /usr/src
mergemaster -p
make installworld
mergemaster
Reboot.
- Follow this instruction
- Add additional Packages.
I use this package for my server.
pkg_add -r bash; pkg_add -r pftop; pkg_add -r trafshow; pkg_add -r ifstat; pkg_add -r wget; pkg_add -r mc; pkg_add -r ntp; pkg_add -r net-snmp; pkg_add -r tcptrack
- Configuration.
- Change to bash.
chsh -s bash; rehash; bash
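- To let users in group wheel use sudo, type visudo (it comes with the sudo package, which is not in the pkg_add list above), then uncomment the line for wheel
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
Only one of the two wheel lines is needed. With the NOPASSWD line, anything running as a wheel member can become root without entering a password again, so the first line is the safer choice.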
- Editing /etc/rc.conf
defaultrouter="192.168.2.1" #ISP Gateway
gateway_enable="YES"
hostname="NoFee" #Machine Name
sshd_enable="YES"
ifconfig_rl0="inet 192.168.2.103 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 10.10.10.100 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
named_enable="YES"
update_motd="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
clear_tmp_enable="YES"
syslogd_flags="-ss"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
snmpd_enable="YES"
snmpd_flags="-a"
snmpd_pidfile="/var/run/snmpd.pid"
snmpd_conffile="/usr/local/share/snmp/snmpd.conf"
ntpdate_enable="YES"
ntpdate_hosts="pool.ntp.org"
- Editing /etc/sysctl.conf
net.inet.tcp.recvspace=186880
net.inet.tcp.sendspace=186880
net.inet.udp.recvspace=186880
- Editing /boot/loader.conf
autoboot_delay="1"
kern.maxusers=0
kern.maxfiles=32768
kern.maxproc=16384
kern.ipc.maxsockets=16384
kern.ipc.maxsockbuf=1048576
kern.ipc.somaxconn=16384
kern.ipc.nmbclusters=65536
- Setting up Named.
First you need copy or move the original named.conf.
cp /etc/namedb/named.conf /etc/namedb/named.conf.orig
Edit /etc/namedb/named.conf
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
listen-on { 127.0.0.1; 192.168.0.1; };
forwarders { 127.0.0.1; 202.152.0.2; };
allow-recursion { 127.0.0.1; 192.168.0.1/24; };
};
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "master/localhost.rev";
};
Then create localhost.rev :
sh /etc/namedb/make-localhost => fill with 127.0.0.1
- Editing /etc/resolv.conf
nameserver 127.0.0.1
- Setting up SNMP
- First you need to copy from example configuration of snmp :
cp -p /usr/local/share/snmp/snmpd.conf.example /usr/local/share/snmp/snmpd.conf
- Change attribute :
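chmod 644 /usr/local/share/snmp/snmpd.conf
(Mode 644 leaves the community string in this file readable by every local user; 600 is tighter, assuming snmpd runs as root.)
- Editing /usr/local/share/snmp/snmpd.conf :
# The community string (NoFeebsd here) works like a password; choose your own value.
com2sec local localhost NoFeebsd
com2sec mynetwork 202.xxx.xxx.0/24 NoFeebsd
- Start snmpd :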
/usr/local/etc/rc.d/snmpd start
- First you need to copy from example configuration of snmp :
- Installing squid
- Download the source from squid-cache.org (I used 2.6 here), check the download against the checksum or signature published with the release, then extract the source.
- Under directory source of squid, configure before you make squid.
./configure '--enable-http-violations' '--sysconfdir=/etc/squid' '--enable-removal-policies=lru,heap' \
'--enable-storeio=diskd,ufs,aufs' '--enable-delay-pools' '--disable-cache-digests' '--disable-wccp' \
'--disable-wccpv2' '--enable-underscores' '--enable-pf-transparent' '--enable-ipf-transparent' \
'--disable-follow-x-forwarded-for' '--enable-large-cache-files' '--enable-default-languages=English' \
'--enable-err-languages=English' '--disable-ssl' '--disable-ident-lookups' '--disable-hostname-checks' \
'--disable-htcp' '--enable-icp' '--enable-poll' '--with-large-files' '--with-maxfd=16384'
make && make install clean
- Script to handle squid command :
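#!/bin/sh
# By No Fee (c) 2007
#
# Control wrapper for the Squid binary built above.
# Usage: <script> {start|stop|restart|ver}
#   start    runs squid -D
#   stop     runs squid -k shutdown
#   restart  runs squid -k reconfigure (the running daemon re-reads its
#            configuration; the process is not stopped and started again)
#   ver      runs squid -v
# Any other argument, or none, prints the usage line to stderr and exits 64.

squid_bin=/usr/local/squid/sbin/squid

# "$1" is the requested action. Quoting it sends a missing argument to the
# usage branch instead of breaking the case statement.
case "$1" in
  start)
    echo "Starting Squid..."
    "$squid_bin" -D
    ;;
  stop)
    echo "Stoping Squid..."
    "$squid_bin" -k shutdown
    ;;
  restart)
    echo "Restarting Squid..."
    "$squid_bin" -k reconfigure
    ;;
  ver)
    echo "You're using : "
    "$squid_bin" -v
    ;;
  *)
    # ${0##*/} yields the script's base name without spawning basename(1).
    echo "Usage: ${0##*/} {start|stop|restart|ver}" >&2
    exit 64
    ;;
esac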
Then change permission (assuming the script above was saved as /usr/sbin/squid) : chmod 755 /usr/sbin/squid
- To make squid running when system reboot, you need to edit /etc/rc.local
# Start Squid at boot, but only when the binary is present and executable.
if test -x /usr/local/squid/sbin/squid; then
  # Progress message without a trailing newline, as in the original.
  printf '%s' 'starting squid'
  /usr/local/squid/sbin/squid -D
fi
- Now you can edit /etc/pf.conf, after that reboot the system and test your machine.
Thanks.