First download the ISO from the official site. I tried installing from a USB stick, but probably because my computer is too old, the USB stick install failed. I had no choice but to (wastefully) burn a CD to install from; luckily FreeBSD is small, so an ordinary CD is enough. You only need to download the Disk1 bootable CD; the others are not needed.
Set the BIOS to boot from CD, and you will see CD Loading.... followed by the installer screen.
Remember to deselect games, but do select src and ports, otherwise installing other software or doing configuration later will take a very long time.
Use the default installation. Towards the end it asks for network settings; set them right there and enable ssh, so you can do the rest over a remote connection, which is very convenient.
After the installation, complete the following tasks in order:
1. 更新ports:
root@test:/etc # portsnap fetch
root@test:/etc # portsnap extract
root@test:/etc # portsnap fetch update
This step takes quite a while, depending on network and CPU speed. On 10.0 the whole thing still took 20 minutes, but that is much faster than before.
2. Update /etc/resolv.conf.
# BIND is not installed yet: comment out the next line until it is.
nameserver 127.0.0.1
nameserver 168.95.192.1
nameserver 168.95.1.1
domain company.com
3. Rebuild the kernel:
root@test:/etc # cd /sys/i386/conf
root@test:/sys/i386/conf # cp GENERIC newkernel
root@test:/sys/i386/conf # vi newkernel
Modify:
ident newkernel
Add:
# ----- Firewall Settings ----- #
options IPFIREWALL
options IPDIVERT # for NAT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options DUMMYNET # use pipes to limit bandwidth
# ----- END ----- #
.....................
newkernel: 371 lines, 14817 characters.
Save and exit.
root@test:/sys/i386/conf # config newkernel
Kernel build directory is ../compile/newkernel
Don't forget to do ``make cleandepend && make depend''
root@test:/sys/i386/conf # cd ../compile/newkernel/
root@test:/sys/i386/compile/newkernel # make cleandepend && make depend
............................................
modules/zlib/../../net/zlib.c
root@test:/sys/i386/compile/newkernel # make (this step takes longer)
..........................................
objcopy --only-keep-debug zlib.ko.debug zlib.ko.symbols
objcopy --strip-debug --add-gnu-debuglink=zlib.ko.symbols zlib.ko.debug zlib.ko
root@test:/sys/i386/compile/newkernel # make install
..........................
kldxref /boot/kernel
Takes about 45 minutes to 1 hour to complete.
4. Configure /etc/rc.conf.
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
gateway_enable="YES"
inetd_enable="YES"
linux_enable="YES"
#moused_enable="YES"
sshd_enable="YES"
# -- NIC Setting -- #
ifconfig_fxp0="inet 1.2.3.4 netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.100.1 netmask 255.255.255.0"
ifconfig_fxp1_alias0="inet 192.168.100.254 netmask 255.255.255.0"
defaultrouter="1.2.3.8"
hostname="tea.company.com"
# -- NATD Settings -- #
natd_enable="Yes"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"
# NAT Example #
#natd_flags="-redirect_port tcp 192.168.1.220:80 211.75.215.107:80"
# -- DNS Settings -- #
named_enable="Yes"
named_flags="-c /etc/namedb/named.conf"
named_program="/usr/local/sbin/named"
# -- VPN Settings -- #
#mpd_enable="Yes"
#mpd_flags="-b"
# -- DHCP Settings -- #
#dhcpd_enable="Yes"
#dhcpd_ifaces="fxp1"
# -- Time Settings -- #
ntpd_enable="YES" # Run ntpdate to sync time on boot (or NO).
# -- MailScanner Settings -- #
sendmail_enable="No"
spamd_enable="Yes"
clamav_clamd_enable="Yes"
clamav_freshclam_enable="YES"
mailscanner_enable="Yes"
mailscanner_configfile="/usr/local/etc/MailScanner/MailScanner.conf"
mailscanner_pidfile="/var/run/MailScanner.pid"
# -- Firewall Settings -- #
#firewall_enable="Yes"
#firewall_type="simple"
firewall_type="open"
firewall_quiet="No"
firewall_logging="Yes"
# -- Apache Settings -- #
#apache22_enable="Yes"
#apache22_http_accept_enable="YES"
# -- MySQL Settings -- #
#mysql_enable="Yes"
#mysql_dbdir="/home/mysql"
# -- MailScanner Stop Settings -- #
#sendmail_enable="none"
#sendmail_outbound_enable="NO"
#sendmail_msp_queue_enable="NO"
#clamav_clamd_enable="Yes"
#clamav_freshclam_enable="Yes"
↑ Right after installation, remember to comment out all the firewall lines and not start it, otherwise the network may not come up.
5. Set up the IPFW rules:
# cd /etc
# vi rc.firewall
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via fxp0 # the external NIC; make sure this is the right interface
/sbin/ipfw add allow icmp from any to any icmptypes 0,8,11
/sbin/ipfw add deny icmp from any to any
/sbin/ipfw add pass all from 192.9.100.0/16 to me 21
/sbin/ipfw add drop tcp from any to me 21
/sbin/ipfw add pass all from any to any
Once this is updated, remember to enable the firewall in rc.conf, and the rules will take effect.
6. Open hosts.allow and add the IPs that are allowed to connect to this machine:
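A fuller rule file, as an added example that is not from the original post: it keeps the post's natd divert and ICMP rules but numbers every rule, allows ssh only from the LAN side, and ends in a logged deny instead of `pass all from any to any`. The interface names (fxp0 external, fxp1 internal) match the post's rc.conf; the LAN prefix 192.168.100.0/24, the rule-file path /etc/ipfw.rules and the function names are assumptions. Note that because the post replaces /etc/rc.firewall with its own script, the `firewall_type` value in rc.conf is ignored by that script; what matters is that `firewall_enable="YES"` is set, since rc.d/ipfw only runs /etc/rc.firewall when it is.

```shell
#!/bin/sh
# Added example, not part of the original post: build the IPFW rule set as a
# rule file with numbered rules and a logged default-deny tail, rather than
# ending in "pass all from any to any". Interface names match the post's
# rc.conf; the LAN prefix and /etc/ipfw.rules are assumptions.
set -e

# gen_fw_rules EXT_IF INT_IF LAN_NET
# Print the rules, one ipfw command per line, in loading order.
# The divert rule must come first so that inbound packets are de-NATed before
# check-state sees them, and outbound LAN packets are NATed before rule 610.
gen_fw_rules() {
    ext_if=$1; int_if=$2; lan_net=$3
    cat <<EOF
add 100 divert natd ip from any to any via $ext_if
add 200 check-state
add 300 allow ip from any to any via lo0
add 400 allow icmp from any to any icmptypes 0,8,11
add 410 deny icmp from any to any
add 500 allow tcp from $lan_net to me 22 in via $int_if setup keep-state
add 510 deny log tcp from any to me 22 in via $ext_if
add 600 allow ip from $lan_net to any in via $int_if keep-state
add 610 allow ip from me to any out keep-state
add 65000 deny log ip from any to any
EOF
}

# apply_fw_rules EXT_IF INT_IF LAN_NET [RULE_FILE]
# Write the rule file, syntax-check it with "ipfw -n" (nothing is loaded),
# then flush the running set and load the file.
apply_fw_rules() {
    rule_file=${4:-/etc/ipfw.rules}
    gen_fw_rules "$1" "$2" "$3" > "$rule_file"
    /sbin/ipfw -n -q "$rule_file"
    /sbin/ipfw -q -f flush
    /sbin/ipfw -q "$rule_file"
}

# Usage: sh ipfw-rules.sh apply fxp0 fxp1 192.168.100.0/24
if [ "${1:-}" = "apply" ]; then
    apply_fw_rules "$2" "$3" "$4"
fi
```

Run the apply step from the console rather than over ssh the first time, since a mistake in the rules can cut the session; with the kernel's IPFIREWALL_VERBOSE option and `firewall_logging="Yes"` from the post's rc.conf, the two `deny log` rules write to the security log, which is where to look when something that should work is blocked.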
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
#ALL : ALL : allow
# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny
# ------ SSH Allow Hosts list ----- #
sshd : 192.168.100.1 : allow
sshd : 192.168.100.2 : allow
# ------ End ----- #
# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny
# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 : allow
# Comment out next line if you build libwrap without IPv6 support.
ALL : [::1] : allow
#ALL : my.machine.example.com 192.0.2.35 : allow
ALL : mycompany.com 192.168.100.0/24 : allow
# To use IPv6 addresses you must enclose them in []'s
#ALL : [fe80::%fxp0]/10 : allow
#ALL : [fe80::]/10 : deny
#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
#ALL : [2001:db8:2:1::]/64 : allow
# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
#sendmail : .nice.guy.example.com : allow
#sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow
# Exim is an alternative to sendmail, available in the ports tree
#exim : localhost : allow
#exim : .nice.guy.example.com : allow
#exim : .evil.cracker.example.com : deny
#exim : ALL : allow
# Rpcbind is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny
# NIS master server. Only local nets should have access
# (Since this is an RPC service, rpcbind needs to be considered)
#ypserv : localhost : allow
#ypserv : .unsafe.my.net.example.com : deny
#ypserv : .my.net.example.com : allow
ypserv : ALL : deny
# Provide a small amount of protection for ftpd
ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
#ftpd : ALL : allow
ftpd : 192.168.100.0/24 : allow
# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
: spawn (echo Finger. | \
/usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
: deny
# The rest of the daemons are protected.
ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."
7. Edit hosts:
root@test:/etc # vi hosts
::1 localhost localhost.mycompany.com
127.0.0.1 localhost localhost.mycompany.com
192.9.100.1 mail mail.mycompany.com
192.9.100.2 server2 server2.mycompany.com
8. Create natd.conf
root@test:/etc # touch natd.conf
Although this file is empty, it must exist, otherwise natd will not start.
9. Enable the firewall settings:
root@test:/etc # vi rc.conf
# -- Firewall Settings -- #
#firewall_enable="Yes"
#firewall_type="simple"
firewall_type="open"
firewall_quiet="No"
firewall_logging="Yes"
Turn on the firewall settings. But before the other software is installed, use open first, so that downloads from ports do not fail.
10. Reboot so that all the settings take effect:
root@test:/etc # reboot
Reboot when done! Kernel compiled, NAT and firewall finished.
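The post's rc.conf carries both commented-out and active copies of the same firewall variables, which makes it easy to end up with a stale duplicate when the firewall is switched on. The following helper, an added example and not from the original post, rewrites an rc.conf assignment in place (collapsing commented and active copies into one active line) and syntax-checks the rule script before enabling ipfw. The file path is a parameter so the functions can be tried on a copy; the real file is /etc/rc.conf, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: set an rc.conf variable in
# place so that commented-out and active copies (e.g. '#firewall_enable="Yes"')
# collapse into one active line. FILE is a parameter; the real file is
# /etc/rc.conf.

# set_rcvar FILE NAME VALUE
# Replace the first active or commented assignment of NAME, drop any later
# duplicates, or append the assignment if NAME is not present at all.
set_rcvar() {
    file=$1; name=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v n="$name" -v v="$value" '
        $0 ~ ("^[# \t]*" n "=") {
            if (!done) { print n "=\"" v "\""; done = 1 }
            next
        }
        { print }
        END { if (!done) print n "=\"" v "\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_rcvar FILE NAME
# Print the value of the last active (uncommented) assignment of NAME.
get_rcvar() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

# enable_firewall FILE [SCRIPT]
# Refuse to enable ipfw if the rule script does not even parse as sh,
# then set firewall_enable and firewall_logging to YES.
enable_firewall() {
    file=$1; script=${2:-/etc/rc.firewall}
    if [ -r "$script" ]; then
        sh -n "$script" || return 1
    fi
    set_rcvar "$file" firewall_enable YES
    set_rcvar "$file" firewall_logging YES
}
```

Typical use on the real file is `enable_firewall /etc/rc.conf` followed by `service ipfw start`; checking `get_rcvar /etc/rc.conf firewall_enable` afterwards confirms exactly one active assignment survived.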