Installing FreeBSD 5

Base Install (sysinstall)

1. Install the full distribution ("All system sources, binaries and X Window System").
2. Install the ports collection.
3. Configure the network.
4. Recommended packages:
   • bash
   • cvsup-without-gui (may not be available -- in this case, install later with portinstall)
   • ispell
   • kde
   • mozilla
   • portupgrade
   • rsync
   • screen (if available)
   • sudo
5. Note: If you want each user to have its own personal groups (Linux & Panther style), create the new groups first in sysinstall. Make sure any administrative accounts have group 0 (wheel) membership -- otherwise su will be unavailable.

Accounts & Basic Setup

1. Enable serial console: echo "-hD" > /boot.config # "man boot" for details
2. If you didn't enable serial terminal in sysinstall, do it now: echo 'ttyd0 "/usr/libexec/getty std.9600" vt100 on secure' >> /etc/ttys
3. visudo # uncomment full access for %wheel
4. cd /root && ftp http://www.reppep.com/~pepper/freebsd/install/reppep.tgz && tar xzf reppep.tgz && ls -lt reppep # get recommended additions & patches, and unpack as /root/reppep
5. If you have local patches, unpack them too: tar xzf local.tgz && ls -lt reppep
6. patch /etc/ssh/sshd_config /root/reppep/sshd_config.diff
7. Install your custom kernel configuration file in /usr/src/sys/i386/conf (if you have one).
8. cd /etc && cp /root/reppep/make.conf . && cat /root/reppep/rc.conf* >> rc.conf && vi resolv.conf rc.conf make.conf && egrep -v '(^$|^#)' rc.conf | sort | more # put your own customizations in rc.conf.local; make sure no variables are defined twice in rc.conf
9. mkdir -p /usr/sup && cp /root/reppep/cvsupfile /root/reppep/rc.firewall.local /root/reppep/periodic.conf /root/reppep/ntp.conf /etc && cp /root/reppep/refuse /usr/sup && vi /etc/cvsupfile /etc/ntp.conf /usr/sup/refuse
10. mkdir -p ~root/bin ~root/log
11. cd /root/reppep && cp build-world-kernel.sh cvsup.sh /root/bin && chmod u+x /root/bin/*.sh && rehash
12. mkdir -p /var/log/pkgtools && patch /usr/local/etc/pkgtools.conf /root/reppep/pkgtools.conf.diff
13. adduser -C

Upgrade Source, Kernel & World (do this periodically)

Note: The official recommendation, described at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html, is a bit more involved but safer. If you're not clear on the differences between this procedure and the official one, you should use the Handbook's procedure instead.

Warning: It's easy to break your system, or lock yourself out, when upgrading the kernel or world. Make sure you have console access (PS/2-style or serial) before upgrading.

1. cvsup.sh # upgrade FreeBSD base (kernel & world) source, and the ports tree; doesn't affect installed ports
2. cd /usr/src && mergemaster -p # mergemaster is potentially time-consuming, so it's nice to do it before taking the system down.
3. build-world-kernel.sh
4. make installkernel
5. shutdown -r now
6. Verify new kernel.
7. shutdown now # single-user
8. cd /usr/src && make installworld
9. mergemaster
10. shutdown -r now
11. Edit any additional configuration files in /etc or /usr/local/etc.
12. Test the network connection and firewall rules (perhaps with ipfw list).

Note: If you're using this section to upgrade a running system, rather than configuring a new one, run portupgrade -ai when satisfied with the kernel & world.

Configure BIND

1. (Assuming FreeBSD 5.3+ with BIND 9): cd /var/named/etc/namedb/ && sh make-localhost && vi named.conf && grep named /etc/rc.conf # should see named_enable="YES"
2. vi named.conf # mandatory: configure options & add zones
3. Install any (master) zone files
4. /etc/rc.d/named start && tail -20 /var/log/messages

Install Ports

1. cd /usr/ports/lang/perl5.8 && make install && rehash && perl --version # use.perl port no longer necessary
2. portupgrade -a ; portversion -l /< # try to upgrade everything -- if this doesn't work, follow the instructions under 20040226 in /usr/ports/UPDATING.
3. portinstall -f www/apache2 postfix imap-uw # force
4. portinstall analog cronolog curl docproj-nojadetex htmldoc lsof lynx-ssl mailman minicom netatalk nmap nut portaudit procmail portaudit smartmontools webmin squirrelmail drac mozilla ntop screen p5-MIME-Base64 p5-Time-HiRes pyzor p5-Mail-SpamAssassin && rehash
5. echo "- -noddp -passwdminlen 6 -loginmaxfail 6 -uamlist uams_dhx.so -advertise_ssh" >> /usr/local/etc/afpd.conf # to actually handle tunnelled ssh, also add something like "- -fqdn me.example.com"
6. vi /etc/pam.d/netatalk:

   netatalkauthrequiredpam_unix.sotry_first_passnetatalkaccountrequiredpam_unix.sotry_first_passnetatalksessionrequiredpam_permit.so

7. If desired: configure X (beyond the scope of this document) http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/x-config.html.
8. If and when X is working, you might want to KDE automatically at boot: echo 'ttyv9 "/usr/local/bin/kdm" xterm on secure' >> /etc/ttys, or use KDE with startx: echo exec startkde > ~/.xinitrc # as each user who will use X11

Configure Mail

amavisd-new

1. cd /etc/mail && mv mailer.conf mailer.conf.sendmail && cp /root/reppep/mailer.conf .
2. vi /etc/aliases && newaliases # forward for $myself & root
3. cd /usr/local/etc && cp /root/reppep/procmailrc . && vi procmailrc
4. patch /etc/inetd.conf /root/reppep/inetd.conf.diff && killall -HUP inetd # enables unencrypted imap -- I suggest blocking this in your firewall, which leaves it accessible on 127.0.0.1, if using webmail, and disabling the imap port otherwise

5. echo 'inetd_enable="YES"' >> /etc/rc.confecho 'inetd_flags="-wW -C 60"' >> /etc/rc.conf

6. Already in rc.conf.append: dracd_enable="YES"; add:

   echo 'rpcbind_enable="YES"' >> /etc/rc.confecho localhost > /usr/local/etc/dracd.host

7. For FreeBSD 5.x: cd /etc/pam.d && patch < /root/reppep/imap.diff && patch < /root/reppep/pop3.diff
8. For FreeBSD 4.x: patch /etc/pam.conf /root/reppep/pam.conf.diff
9. vipw && vi /etc/group && mkdir /home/spamd && chown spamd:spamd ~spamd # Create spamd account
10. razor-admin -create && razor-admin -register && pyzor discover # configure razor & pyzor
11. vi /usr/local/etc/mail/spamassassin/local.cf # customize SpamAssassin
12. echo localhost > /usr/local/etc/dracd.host && /usr/local/etc/rc.d/dracd.sh start
13. If using Postfix virtual hosts: vi /etc/mail/virtual && postmap /etc/mail/virtual
14. cd /usr/local/etc/postfix && cat /root/reppep/main.cf.* >> main.cf && vi + /usr/local/etc/postfix/main.cf && postfix stop ; killall sendmail ; postfix check && postfix start && sleep 1 && tail /var/log/maillog
15. cd /usr/ports/mail/imap-uw && make cert && chmod -x /usr/local/certs/imapd.pem # follow prompts
16. If desired: portinstall -f mysql-server # -f to get around the hold in pkgtools.conf

Configure Apache & SquirrelMail

# Copy config files and build diffs for <http://www.reppep.com/~pepper/freebsd/install>diff -u source/httpd.conf.php source/httpd.conf        > reppep/httpd.conf.diffdiff -u source/httpd.conf source/httpd.conf.local > local/reppep/httpd.conf.diff.local

1. mkdir -p /var/log/httpd /home/httpd && mv /usr/local/www /home/httpd && mv /home/httpd/data /home/httpd/htdocs && cd /usr/local/etc/apache2 && patch httpd.conf /root/reppep/httpd.conf.diff
2. Either apply a local patch (patch httpd.conf /root/reppep/httpd.conf.diff.local), or vi httpd.conf (set ServerAdmin & ServerName and review security)
3. mkdir -p ssl.crt ssl.key && ln -s /usr/local/certs/imapd.pem ssl.key/server.key && ln -s /usr/local/certs/imapd.pem ssl.crt/server.crt && touch vhost.conf && vi ssl.???/* vhost.conf && apachectl stop && apachectl configtest && apachectl startssl && apachectl fullstatus # remove cert from server.key & key from server.crt
4. apachectl configtest && apachectl graceful
5. cp /usr/local/etc/php.ini-recommended /usr/local/etc/php.ini
6. cd /usr/local/www/squirrelmail && ./configure
7. Test https://$hostname/mail/.
8. Verify SquirrelMail works (it uses unencrypted IMAP to localhost) & telnet $hostname imap fails properly, if blocked by firewall.
9. Add any desired SquirrelMail plugins.

webmin

1. cd /usr/local/lib/webmin/ && ./setup.sh
2. Visit https://$hostname:10000/
3. Webmin Configuration: IP Access Control: Configure "Only allow from listed addresses" to 127.0.0.1 & trusted IPs.
4. Webmin Users: Remove unused modules.
5. If mysql-server is installed, configure under Servers.
6. /usr/local/etc/rc.d/webmin.sh stop # use start argument later, to bring up webmin as needed

Test Everything!