
請先到官網下載ISO檔,我試過用USB stick安裝,但可能因為我的電腦太舊,使用USB stick安裝失敗。只好很浪費地燒一張CD來安裝,還好FreeBSD很小,燒一張一般的CD就可以了。只要下載Disk1 bootable CD就好,其他的都不用下載。

 

將電腦的Bios設成使用CD開機,就會進入CD Loading.... 然後進入安裝畫面。

記得取消games,但要勾選src和ports,不然後面安裝其他軟體或設定時會做很久。

使用Default安裝,裝到後面會問網路設定,直接設好,打開ssh,就可以遠端連線來做,很方便。

 

安裝完之後請陸續做完下面工作:

1. 更新ports:

root@test:/etc # portsnap fetch
root@test:/etc # portsnap extract 
root@test:/etc # portsnap fetch update

這一段會蠻花時間的,視網路與電腦運算速度而定。10.0全程做完也要20分鐘,但快很多了。

 

2. 更新/etc/resolv.conf。

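# resolv.conf accepts "#" (or ";") comments only; the original carried an inline
# "//" note that would not parse if copied into the file.
# Local BIND resolver: keep this line commented out until BIND is installed.
nameserver 127.0.0.1
nameserver 168.95.192.1
nameserver 168.95.1.1
# NOTE(review): spelling matches the hostname set in rc.conf (tea.compnay.com);
# confirm this is the intended domain name.
domain compnay.com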

 

3. 重編kernel:

root@test:/etc # cd /sys/i386/conf
root@test:/sys/i386/conf # cp GENERIC newkernel
root@test:/sys/i386/conf # vi newkernel

修改:
ident           newkernel

新增:
# ----- Firewall Settings ----- #
options IPFIREWALL                      # ipfw packet filter
options IPDIVERT                        # for NAT (divert sockets, used by natd)
options IPFIREWALL_DEFAULT_TO_ACCEPT    # unmatched traffic is passed (fail-open), so the box stays reachable before rc.firewall is enabled
options IPFIREWALL_VERBOSE              # syslog logging for rules that carry the "log" keyword
options DUMMYNET                        # use pipe to limit bandwidth (original comment: "brand")
# ----- END ----- #
.....................

newkernel: 371 lines, 14817 characters.

存檔退出。

 

root@test:/sys/i386/conf # config newkernel
Kernel build directory is ../compile/newkernel
Don't forget to do ``make cleandepend && make depend''

root@test:/sys/i386/conf # cd ../compile/newkernel/
root@test:/sys/i386/compile/newkernel # make cleandepend && make depend
............................................

modules/zlib/../../net/zlib.c
root@test:/sys/i386/compile/newkernel # make (這段就跑得久一點了)
..........................................
objcopy --only-keep-debug zlib.ko.debug zlib.ko.symbols
objcopy --strip-debug --add-gnu-debuglink=zlib.ko.symbols zlib.ko.debug zlib.ko

root@test:/sys/i386/compile/newkernel # make install
..........................
kldxref /boot/kernel

約末45min~1hrs完成。

 

4. 設定/etc/rc.conf。

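# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
# Enables IP forwarding between the two NICs; required for the NAT gateway role below.
gateway_enable="YES"
# inetd is switched on here; which services it exposes is decided by inetd.conf,
# which this page does not show - keep only the entries you need there.
inetd_enable="YES"
linux_enable="YES"
#moused_enable="YES"
sshd_enable="YES"


# -- NIC Setting -- #
# fxp0: external interface (see natd_interface below). The original line had a
# stray trailing "." after the address ("1.2.3.4."), which is not a valid IPv4
# address and would make the interface configuration fail.
ifconfig_fxp0="inet 1.2.3.4  netmask 255.255.255.0"
# fxp1: internal LAN interface plus an alias inside the same /24.
# NOTE(review): the FreeBSD handbook recommends netmask 255.255.255.255 for an
# alias that lies inside the primary address's subnet - confirm on your release.
ifconfig_fxp1="inet 192.168.100.1  netmask 255.255.255.0"
ifconfig_fxp1_alias0="inet 192.168.100.254  netmask 255.255.255.0"
defaultrouter="1.2.3.8"
hostname="tea.compnay.com"

# -- NATD Settings -- #
natd_enable="Yes"
natd_interface="fxp0"
# natd reads its options from /etc/natd.conf; the file is created (empty) in
# step 8 and must exist or natd will not start.
natd_flags="-f /etc/natd.conf"
# NAT Example #
#natd_flags="-redirect_port tcp 192.168.1.220:80 211.75.215.107:80"

# -- DNS Settings -- #
named_enable="Yes"
named_flags="-c /etc/namedb/named.conf"
named_program="/usr/local/sbin/named"

# -- VPN Settings -- #
#mpd_enable="Yes"
#mpd_flags="-b"

# -- DHCP Settings -- #
#dhcpd_enable="Yes"
#dhcpd_ifaces="fxp1"

# -- Time Settings -- #
ntpd_enable="YES" # Run the ntpd daemon for time sync (or NO). ntpdate is a separate one-shot tool.

# -- MailScanner Settings -- #
sendmail_enable="No"
spamd_enable="Yes"
clamav_clamd_enable="Yes"
clamav_freshclam_enable="YES"
mailscanner_enable="Yes"
mailscanner_configfile="/usr/local/etc/MailScanner/MailScanner.conf"
mailscanner_pidfile="/var/run/MailScanner.pid"

# -- Firewall Settings -- #
# Left disabled on first boot so the box stays reachable; enabled in step 9
# once the ruleset from step 5 is in place.
# NOTE(review): firewall_type is only consulted by the stock /etc/rc.firewall;
# step 5 replaces that file with a hand-written rule list, so "open" may then
# have no effect - confirm.
#firewall_enable="Yes"
#firewall_type="simple"
firewall_type="open"
firewall_quiet="No"
firewall_logging="Yes"


# -- Apache Settings -- #
#apache22_enable="Yes"
#apache22_http_accept_enable="YES"

# -- MySQL Settings -- #
#mysql_enable="Yes"
#mysql_dbdir="/home/mysql"

# -- MailScanner Stop Settings -- #
#sendmail_enable="none"
#sendmail_outbound_enable="NO"
#sendmail_msp_queue_enable="NO"
#clamav_clamd_enable="Yes"
#clamav_freshclam_enable="Yes"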


↑剛裝起來時記得把firewall通通mark起來,不要啟動,免得網路不通。

 

5. 設定IPFW的規則:

# cd /etc
# vi rc.firewall

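# Hand-written ipfw ruleset loaded at boot in place of the stock rc.firewall.
# Rules are evaluated in order. Together with IPFIREWALL_DEFAULT_TO_ACCEPT in
# the kernel this is a default-allow policy: only FTP (port 21) from outside
# the listed source net is blocked; access to everything else relies on
# hosts.allow (step 6).
/sbin/ipfw -f flush
# Hand all traffic crossing the external NIC to natd. fxp0 must be the
# outside interface (natd_interface in rc.conf). The original line carried an
# inline "//" note, which ipfw would reject as part of the rule, so it is a
# "#" comment here.
/sbin/ipfw add divert natd all from any to any via fxp0
# Echo reply (0), echo request (8) and time exceeded (11) only.
# NOTE(review): the deny below also drops type 3 (destination unreachable),
# which carries the "fragmentation needed" messages path-MTU discovery
# depends on - confirm this is intended.
/sbin/ipfw add allow icmp from any to any icmptypes 0,8,11
/sbin/ipfw add deny icmp from any to any
# FTP control port: passed from this source net, dropped from everyone else.
# NOTE(review): 192.9.100.0/16 actually covers 192.9.0.0/16, and the LAN in
# rc.conf is 192.168.100.0/24 - confirm which source net is intended.
/sbin/ipfw add pass all from 192.9.100.0/16 to me 21
/sbin/ipfw add drop tcp from any to me 21
# Everything else is passed.
/sbin/ipfw add pass all from any to any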

更新完後請記得將rc.conf中的firewall開啟,規則就會啟動。


6. 開啟hosts.allow,新增可連入這台機器的ip:

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
#ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# ------ SSH Allow Hosts list ----- #
# Per-host sshd allow list. 192.168.100.1 appears to be this machine's own
# fxp1 address (rc.conf), leaving .2 as the one remote host listed.
# NOTE(review): the "All : mycompany.com 192.168.100.0/24 : allow" entry
# further down admits every wrapped daemon from the whole LAN, so these two
# lines do not actually limit sshd to these hosts for LAN clients; they only
# matter for sources outside 192.168.100.0/24.
sshd : 192.168.100.1 : allow
sshd : 192.168.100.2 : allow
# ------ End ----- #

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost.  Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 : allow

# Comment out next line if you build libwrap without IPv6 support.
ALL : [::1] : allow
#ALL : my.machine.example.com 192.0.2.35 : allow
# Whole-LAN allow for every wrapped daemon. "All" differs in case from the
# other entries; presumably libwrap matches the ALL wildcard
# case-insensitively, but writing it as ALL avoids relying on that - confirm.
All : mycompany.com 192.168.100.0/24 : allow

# To use IPv6 addresses you must enclose them in []'s
#ALL : [fe80::%fxp0]/10 : allow
#ALL : [fe80::]/10 : deny
#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
#ALL : [2001:db8:2:1::]/64 : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
#sendmail : .nice.guy.example.com : allow
#sendmail : .evil.cracker.example.com : deny
# Accepted from everywhere at the wrapper level; any relay restriction has
# to come from sendmail's own configuration, not from this file.
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
#exim : localhost : allow
#exim : .nice.guy.example.com : allow
#exim : .evil.cracker.example.com : deny
#exim : ALL : allow

# Rpcbind is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny

# NIS master server. Only local nets should have access
# (Since this is an RPC service, rpcbind needs to be considered)
#ypserv : localhost : allow
#ypserv : .unsafe.my.net.example.com : deny
#ypserv : .my.net.example.com : allow
ypserv : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
#ftpd : ALL : allow
# NOTE(review): the ipfw rule in step 5 admits port 21 from 192.9.100.0/16,
# while this entry allows 192.168.100.0/24; both layers must agree for LAN
# FTP clients to work - confirm the intended net.
ftpd : 192.168.100.0/24 : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
        : spawn (echo Finger. | \
         /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
        : deny

# The rest of the daemons are protected.
# Catch-all for anything not matched above (first match wins), including
# sshd from sources outside the LAN entries; the connection gets the
# echoed message instead of the service.
ALL : ALL \
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %h."

7. 編輯hosts:

root@test:/etc # vi hosts

# NOTE(review): these 192.9.100.x entries do not match the 192.168.100.0/24
# LAN configured in rc.conf, and this host's own name (tea.compnay.com) has
# no entry - confirm the intended addresses. The usual field order is
# "address FQDN alias"; here the short alias comes first.
::1                     localhost localhost.mycompany.com
127.0.0.1               localhost localhost.mycompany.com
192.9.100.1             mail mail.mycompany.com
192.9.100.2             server2 server2.mycompany.com

 

8. 新增natd.conf

root@test:/etc # touch natd.conf  

雖然這個檔是空的,但一定要做喔,不然natd不會啟動。

 

9. 開啟firewall的設定:

root@test:/etc # vi rc.conf

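# -- Firewall Settings -- #
# With the ruleset from step 5 in place, enable the firewall. The original
# snippet still showed this line commented out, which would leave ipfw
# disabled after the reboot in step 10 even though the text says to turn it on.
firewall_enable="Yes"
#firewall_type="simple"
# "open" stays in place until the remaining ports are installed.
firewall_type="open"
firewall_quiet="No"
firewall_logging="Yes"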

打開firewall的設定。不過在其他軟體尚未安裝前,先用open,以免ports下載時有誤。

 

10. 重開機,將所有設定全部叫起來:

root@test:/etc # reboot

做完後重開機!Kernel編譯完成,NAT和防火牆完成。

