Setup FreeBSD Server with full HDD encryption

Published:
I have been running these systems for a few years now and I am just very happy with them. I just wanted to share the manual that I have created for upgrades and other things. Oooh yes! FreeBSD makes me happy (as a server): no maintenance, and I always use the hardware I do not need anymore.

Important:
I want to point out that all actions below will destroy all your data on your hard drive; you have been warned!
I have used this manual on FreeBSD 6.2 and now I am rewriting it for FreeBSD 8.1; there are some slight changes. The original of this article is in Dutch, so please forgive me for translation problems. Okay! Enough mumbo-jumbo! Let's start this 100+ steps manual.

A word from the FreeBSD hood
My BSD02 server is a big tower from 1995 (modified, of course) with a Compaq Deskpro EN motherboard (933 MHz). My dad taught me to use the saw on metal, and the power drill.

The first time I encountered the following error:
    Fatal trap 12: page fault while in kernel mode
    fault virtual adress      = 0x1
    fault code                = supervisor read, page not present
    instruction pointer       = 0x20:0xc06a6b14
    stack pointer             = 0x28:0xcbf3b670
    frame pointer             = 0x28:0xcbf3b670
    code segment              = base 0x0, limit 0xfffff, type 0x1b
                              = DPL 0, pres 1, def32 1, gran 1
    processor eflags          = interrupt enabled, resume, IOPL = 0
    current process           = 2 (g_event)
    trap number               = 12
    panic: page fault

What a drag... and more time to listen to some more music.

I just did this: disable all power options in the BIOS. Who needs them anyway? Just like cars, burn as much as you can!

And then the keyboard only responded intermittently, about 50% of the time:

>Number:         105368
>Category:       kern
>Synopsis:       geli passphrase prompt malfunctioning when mounting encrypted fs at boot time
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 10 10:10:21 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Jost Menke
>Release:        6.2-BETA3, also tested 6.1-RELEASE
>Organization:
>Environment:
FreeBSD  6.2-BETA3 FreeBSD 6.2-BETA3 #0: Mon Oct 30 22:04:37 UTC 2006     root at opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
When running FreeBSD 6.2-BETA3 or 6.1-RELEASE in a VMware session with encrypted root filesystem, the geli password prompt does not work when the root fs is mounted at boot time. I put kern.geom.eli.visible_passphrase=1 into /boot/loader.conf to see what's wrong, result: the keyboard doesn't work at all. When kbdmux is deactivated by putting hint.kbdmux.0.disabled="1" into /boot/device.hints, the behaviour changes: Keyboard partly works, but about 90% of all keystrokes are lost. The problem only seems to occur when mounting encrypted volumes at boot time. Other people on the mailing list report similar problems running FreeBSD on real hardware.
>How-To-Repeat:
- Install 6.2-BETA3 or 6.1-RELEASE with encrypted root fs in VMware player
- Put kern.geom.eli.visible_passphrase=1 into /boot/loader.conf
- Also try to put hint.kbdmux.0.disabled="1" into /boot/device.hints
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:

The solution to all this grief: put hint.kbdmux.0.disabled="1" in /mnt/boot/device.hints.
I also put dcons_load="NO" in /mnt/boot/loader.conf.

Configure future Harddisk
=========================

The harddisk that you are going to boot from in the future.

1. Configuring hdd as Primary hdd

Of course, at home, I use cheapass hardware. Put your hdd that you are going to use as boot drive on the primary controller as Master and make sure the BIOS starts from a working CD-ROM drive.

Tip: Keep in mind that some hard drives have a special jumper setting to be seen as a single drive (no slave).

2. Start FreeBSD installation

Start the FreeBSD installation from CD/DVD.
Choose your country, mine is Netherlands

3. Choose standard install

Choose the standard installation

4. You will be sent to an fdisk-like program

You will be sent to an fdisk-like program.

5. Choose ad0 to configure

Choose ad0 to configure.

6. Make a 12000 MB slice (becomes ad0s1)

Make a 12000 MB slice (this becomes ad0s1).

7. Fill the rest (becomes ad0s2)

Fill up the empty space on your hdd (this becomes ad0s2).
Standard FreeBSD configures the following:

    Part   - Mount - Size   - FStype - Newfs
    ad0s1a - /     - 512MB  - UFS2   - Y
    ad0s1b - swap  - 732MB  - SWAP   -
    ad0s1d - /var  - 1390MB - UFS2+S - Y
    ad0s1e - /tmp  - 512MB  - UFS2+S - Y
    ad0s1f - /usr  - Rest   - UFS2+S - Y

The numbers above are just too low for today's needs, so I change them to:

    Part   - Mount - Size   - FStype - Newfs
    ad0s1a - /     - 2000MB - UFS2   - Y
    ad0s1b - swap  - 1000MB - SWAP   -
    ad0s1d - /var  - 2000MB - UFS2+S - Y
    ad0s1e - /tmp  - 1000MB - UFS2+S - Y
    ad0s1f - /usr  - Rest   - UFS2+S - Y

If you need more you can fiddle around with these values.

9. Choose QUIT

Choose Q (Quit)

10. Choose BootMgr

Choose BootMgr
Don't choose the first option; with that I always get the error:
    Invalid partition table

11. Choose OK

Choose OK

12. Time to setup separate partitions

Now it is time to set up separate partitions. Choose ad0s1 (with your arrow keys).

13. Listen to: Body Movin'

Listen to: Body Movin'

14. Setup your hdd

Choose A for Defaults:

    Part:       Mount:    Size:      Newfs
    ad0s1a      /         512MB      UFS2
    ad0s1b      swap      486MB      SWAP
    ad0s1d      /var      1267MB     UFS2+S
    ad0s1e      /tmp      512MB      UFS2+S
    ad0s1f      /usr      1221MB     UFS2+S

If your hdd is bigger than 10GB, change:
    ad0s1a to 10GB
    ad0s1b to 3GB
    ad0s1d to 10GB
    ad0s1e to 10GB
    ad0s1f to (the rest that is left)

(And yes you can just enter 10GB)

15. Drink Bacardi Cola

Drink it up!

16. Press Q to Leave

Press Q to Leave

17. User (binaries and doc only)

Choose User (binaries and doc only)
Then choose your documentation language; I use 'en' English Documentation.

18. Say [NO] on FreeBSD ports selection, choose [OK]

Say [NO] on FreeBSD ports selection, choose [OK]

19. Choose Install from a FreeBSD CD/DVD

Choose Install from a FreeBSD CD/DVD

20. Choose OK

Choose [OK]

21. RU Sure?

Are you sure? [YES]  (File system is written, and installation started)
Please wait until all is installed

22. Configure Ethernet or SLIP/PPP network devices?

Configure Ethernet or SLIP/PPP network devices? [NO]

23. function as a network gateway?

function as a network gateway? [No]

24. configure inetd and the network services that it provides?

configure inetd and the network services that it provides?  [No]

25. like to enable SSH login? [YES]

like to enable SSH login? [YES]  (Always handy to change configurations over SSH from a working machine)

26. Do you want anonymous FTP access?

Do you want anonymous FTP access? [No] (Never do this, or the script kiddies will get you)

27. NFS Server? [NO]

NFS Server? [NO]

28. NFS Client [NO]

NFS Client [NO]

29. customize your system console settings? [NO]

customize your system console settings? [NO]

30. Time Zone? [YES]

Time Zone? [YES]

31. CMOS clock set to UTC? [NO]

Is this machine's CMOS clock set to UTC? [NO]

32. 8 - Europe

Choose 8. Europe (or another continent; you will figure this out).

33. Netherlands

My country is Netherlands

34. CET reasonable? [YES]

CET reasonable? [YES]

35. enable Linux binary compatibility? [NO]

enable Linux binary compatibility? [NO] (I like to keep it as stable as possible)

36. PS/2, serial or BUS mouse? [NO]

PS/2, serial or BUS mouse? [NO] (Hardcore people use the keyboard)

37. FreeBSD package collection? [NO]

FreeBSD package collection? [NO] (We will install this on the encrypted partition later)

38. additional accounts to the system? [YES]

additional accounts to the system? [YES]
Add a user with the details you want

39. Set password for Root.

Set password for Root.
Remark! Use a different root password for the unencrypted part (this one) than for the encrypted part.

Type your password {ENTER}
Type it again {ENTER}

40. Last chance

Visit the general configuration menu for a chance to set any last options? [No]

41. Exit install

[X] Exit install. {ENTER}

42. Exit - Reboot

Are you sure you wish to exit? The system will reboot [Yes]
CD will be ejected
[Ok]

43. Power down the machine

Power down the machine as soon as the bios screen is visible.

Configure temporary Harddisk
============================

The harddisk that you are going to use only once (temporarily).

44. Switch hdd

Turn the computer off, disconnect the harddisk from the steps above and connect the temporary hdd as primary master.

45. Boot from cdrom

Boot from the FreeBSD cdrom that you have used in the above steps.
Do not use a different FreeBSD version, there are differences in the versions!

46. Choose standard installation

Choose standard installation

47. You will be sent to fdisk

You will be sent to an fdisk-like program. Create one slice [C] and choose the default value (whole harddisk). (If you are using a harddisk that is a bit broken, make this slice smaller.)

48. Press Q to leave

Press [Q] to leave.

49. Select Boot Manager

Select Boot Manager and choose [OK]

50. Arrange the slices

    Part   - Mount - Size   - FStype - Newfs
    ad0s1a - /     - 2000MB - UFS2   - Y
    ad0s1b - swap  - 1000MB - SWAP   -
    ad0s1d - /var  - 2000MB - UFS2+S - Y
    ad0s1e - /tmp  - 1000MB - UFS2+S - Y
    ad0s1f - /usr  - Rest   - UFS2+S - Y

51. Q to leave

Press Q to leave Fdisk

52. 6-User

Select 6 User (Average user).
Select 'en' English Documentation.

53. No FreeBSD ports selection

Select [No] FreeBSD ports selection

54. Install from CD/DVD

Select CD/DVD - Install from a FreeBSD CD/DVD

55. Select yes to install

Select [Yes] to install
Wait a moment for FreeBSD to do the installation

56. Configure Ethernet or SLIP/PPP network devices? [NO]

Configure Ethernet or SLIP/PPP network devices? [NO]

57. function as a network gateway? [NO]

function as a network gateway? [NO]

58. configure inetd and the network services that it provides? [NO]

configure inetd and the network services that it provides? [NO]

59. like to enable SSH login? [YES]

like to enable SSH login? [YES]

60. Do you want anonymous FTP access? [NO]

Do you want anonymous FTP access? [NO]

61. NFS Server? [NO]

NFS Server? [NO]

62. NFS Client [NO]

NFS Client [NO]

63. customize your system console settings? ]NO]

customize your system console settings? ]NO]

64. Time Zone? [YES]

Time Zone? [YES], Is this machine's CMOS clock set to UTC? [No]

65. 8 - Europe

Select 8. Europe

66. 34 - Netherlands

Select 34. Netherlands; Does the abbreviation `CEST` look reasonable? [Yes]

67. FreeBSD package collection

FreeBSD package collection [No]

68. additional accounts to the system? [YES]

Additional accounts to the system? [YES]
Enter the credentials for the extra user

69. Exit

[X] Exit

70. Set root password

Set root password, do not enter the same root password as the one you are going to use for the encrypted part.

71. Visit the general configuration menu for a chance to set any last options? [NO]

Visit the general configuration menu for a chance to set any last options? [NO]

72. Exit install

[X] Exit install, Are you sure you wish to exit? The system will reboot [Yes]

73. Are you sure you wish to exit

Are you sure you wish to exit [Yes], Sure to remove media from the drive: [Ok]

74. Turn off system when you see the BIOS screen

Turn off system when you see the BIOS screen


Make the encryption partition
=============================


75. Connect both harddisks to the system

Connect both harddisks to the system
Don't forget to set the harddisk to Master if it has a separate jumper setting for a single harddisk.

76. Go to the BIOS

Enter the BIOS, disable booting from CD-ROM and make sure that you boot from the temporary harddisk.

77. Log in under Root

Log in under Root

78. Check your devices

Check your devices. Type:
    cd /dev
    ls

Check if you see /dev/ad0s2 (hard disk 0, slice 2). In some cases the device where you want to install your encrypted FreeBSD can be /dev/ad1s2, ad2s2 or even ad6s2. Be sure to check for s2.

79. Initialize the partition for encryption

Initialise the partition for encryption. Type:
    geli init -b -s 4096 -l 256 /dev/ad0s2

{ENTER}
Keep in mind that the device can be different on your system; usually my commands will work without any problems.

80. Enter new passphrase

You will be asked:
    Enter new passphrase

Enter a long passphrase for the encrypted partition that nobody knows. You need to enter this every time you start your system!

81. Enter your passphrase a second time

Enter your passphrase a second time; if everything is ok you will be prompted:
    Metadata backup can be found in /var/backups/ad0s2.eli and can be restored......

If not, enter the command again and try again.
Yes, encryption is native.

82. Attach the drive to FreeBSD

Attach the drive to FreeBSD. Type:
    geli attach /dev/ad0s2

You can find the device (/dev/ad0s2.eli) in the /dev directory.

83. Enter passphrase once

Enter the passphrase that you have entered before to unlock the encrypted partition.
When everything goes well you will see:
    GEOM_ELI: Device ad0s2.eli created.
    GEOM_ELI: Encryption: AES-CBC 256
    GEOM_ELI: Crypto: software


84. Arrange the partitions on the encrypted hdd

It's time to arrange the encrypted slice with partitions for the operating system.
    bsdlabel -w /dev/ad0s2.eli
{ENTER}
    bsdlabel -e /dev/ad0s2.eli
{ENTER}

Remember that ad0s2 can be something different on other systems, especially with IDE and SATA onboard.

85. Edit partitions in slice with vi

An editor will be started (vi). Enter the following!
    # /dev/ad0s2.eli:
    8 partitions:
    #       size      offset     fstype    [fsize    bsize    bps/cpg]
    a:    500000           0     4.2BSD     0        0
    b:    236328      500000       swap     0        0
    c:    ??????           0     unused     0        0     # don't edit
    d:    618164      736328     4.2BSD     0        0
    e:    250000     1354492     4.2BSD     0        0
    f:         *     1604492     4.2BSD     0        0

i = insert mode (ESC ends insert mode), x = delete one character.
Don't delete the c: line, just move the cursor past it.
Arrange everything with TABs so the columns line up.

86. Write the partitions

Press [ESC] to release insert, press :w to write the file, and then press :q to quit.
When no error appears all is well!
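A hand-typed label is easy to get wrong by one digit, so here is a small check added to this manual as an example (not part of the original text): it reads a bsdlabel -e style text and verifies that every partition starts exactly where the previous one ends. `page_label` is a constructed copy of the table above; `typo_label` is the same label with one offset mistyped.

```shell
#!/bin/sh
# check_label: read a bsdlabel(8) text on stdin (or from the file given as
# argument) and verify that the partitions are contiguous and do not
# overlap: each one must start at (offset + size) of the one before it.
# Partition c describes the whole slice and is skipped; a size of '*'
# means "the rest of the slice", so nothing may come after it.
# Prints OK or the problems found; returns 0 only when the label is sane.
check_label() {
    awk '
    /^[ \t]*[a-h]:/ {
        letter = substr($1, 1, 1); size = $2; offset = $3
        if (letter == "c") next                 # c: is the slice itself, not a partition
        if (rest_seen) {
            printf "FAIL: %s: comes after the * (rest-of-slice) partition\n", letter
            bad = 1; next
        }
        if (!seen && offset != 0) {
            printf "FAIL: %s: first partition should start at offset 0, not %s\n", letter, offset
            bad = 1
        }
        if (seen && offset != expect) {
            printf "FAIL: %s: starts at %s but the previous partition ends at %s (%s)\n",
                   letter, offset, expect, (offset < expect ? "overlap" : "gap")
            bad = 1
        }
        seen = 1; n++
        if (size == "*") { rest_seen = 1; next }
        expect = offset + size                  # where the next partition must start
    }
    END { if (!bad) printf "OK: %d partitions, consistent offsets\n", n; exit bad + 0 }
    ' "$@"
}

# Constructed copy of the label typed in above (the values from the manual).
page_label() {
    cat <<'EOF'
# /dev/ad0s2.eli:
8 partitions:
#       size      offset     fstype    [fsize    bsize    bps/cpg]
a:    500000           0     4.2BSD     0        0
b:    236328      500000       swap     0        0
c:    ??????           0     unused     0        0     # don't edit
d:    618164      736328     4.2BSD     0        0
e:    250000     1354492     4.2BSD     0        0
f:         *     1604492     4.2BSD     0        0
EOF
}

# Constructed: the same label with two digits of e:'s offset swapped, the
# kind of slip a hand edit produces (e: then overlaps d: and f: leaves a gap).
typo_label() {
    page_label | sed 's/1354492/1345492/'
}

page_label | check_label
typo_label | check_label || echo "(typo_label rejected, as intended)"
```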

87. Check if the encrypted devices are made

To check if the encrypted devices are made and visible to the system, type:
    cd /dev
    ls

and search for ad0s2.eli, ad0s2.elia, ad0s2.elib, ad0s2.elid, ad0s2.elie and ad0s2.elif.

88. Format the new encrypted partitions

It's time to format those new encrypted partitions:
    newfs -i 1024 /dev/ad0s2.elia

You will see some data about your device and how many inodes the partition will have:
    /dev/ad0s2.elia: 488.3 MB (1000000 sectors) block size 16384, fragment size 4096
            using 4 cylinder groups of 122.08MB, 7813 blks, 31296 inodes.
    super-block backups (for fsck -b #) at:
    160, 250176, 500192, 750208

The switch -i 1024 makes it possible to store a lot of small files (more inodes).

89. Don't format swap, but the next

We don't need to format the swap partition (it is just scratch space), so the next command is:
    newfs /dev/ad0s2.elid


90. Format tmp partition

After /var we format the /tmp partition:
    newfs /dev/ad0s2.elie


91. format elif (the rest of the slice)

Format .elif; on this partition it is also very important to be able to store a lot of small files, especially because we are going to install the FreeBSD Ports collection.
    newfs -i 1024 /dev/ad0s2.elif

Now your screen will fill up with a lot of numbers (just like formatting under Linux; it gives me peace of mind).

92. Installing the OS encrypted style

Now that all encrypted partitions are formatted, we are going to install the OS. Again, use the same OS version as used on all the other partitions.

The first step: make a directory that we can use to mount the encrypted partition:
    mkdir /fixed

93. Connect encrypted partition

We are going to connect the encrypted partition:
    mount /dev/ad0s2.elia /fixed


94. Create directories for the OS

Create all the directories that are needed for FreeBSD:
    mkdir /fixed/var
    mkdir /fixed/tmp
    mkdir /fixed/usr


95. Mount all partitions for OS

Mount all the OS partitions:
    mount /dev/ad0s2.elid /fixed/var
    mount /dev/ad0s2.elie /fixed/tmp
    mount /dev/ad0s2.elif /fixed/usr


96. Copy FreeBSD System

Copy the FreeBSD OS to the encrypted partition.
Set the destination directory for install.sh: start a Bourne shell, export the variable, then start csh from it (csh inherits the variable):
    /bin/sh
    export DESTDIR=/fixed/
    /bin/csh


97. Mount cdrom

Insert the FreeBSD install CD/DVD and mount it:
    mount /cdrom


98. Install FreeBSD

Go to the FreeBSD release directory:
    cd /cdrom/8.1-RELEASE/base
    ./install.sh

99. Are you sure to write to /fixed

    You are about to extract the base distribution into /fixed/ - are you SURE you want to do this over your installed system (y/n)?
Only when it says /fixed/, answer [Y].

0. Steps 100 and higher begin here (the numbering restarts at 1).


1. Install kernel files

The kernel files need to be installed separately:
    cd /cdrom/8.1-RELEASE/kernels
    ./install.sh GENERIC


2. Install the help pages

We need some info, so we install the help pages:
    cd /cdrom/8.1-RELEASE/manpages
    ./install.sh
    cd /cdrom/8.1-RELEASE/catpages
    ./install.sh

Arrows up and down do the same as under MS-DOS, you can scroll through your commands

3. Mount the future boot drive

Mount the drive where we are going to boot from:
    mount /dev/ad0s1 /mnt


4. Copy Boot directory

Copy the boot directory to the unencrypted partition:
    cp -Rpv /fixed/boot /mnt


The files will roll over your screen

5. Speed Up Boot Process

To speed up the boot process we gzip the files that are needed to boot:
    cd /mnt/boot/kernel
    gzip kernel geom_eli.ko acpi.ko


6. Boot from encrypted partition please

Now we are going to tell FreeBSD to boot from the encrypted partition:
    vi /mnt/etc/fstab


7. Change fstab

Change the fstab file to the following (mainly change s1? to s2.eli?):
    # Device           Mountpoint     Fstype     Options     Dump   Pass#
    /dev/ad0s2.elib    none           swap       sw          0      0
    /dev/ad0s2.elia    /              ufs        rw          1      1
    /dev/ad0s2.elie    /tmp           ufs        rw          2      2
    /dev/ad0s2.elif    /usr           ufs        rw          2      2
    /dev/ad0s2.elid    /var           ufs        rw          2      2
    /dev/acd0          /cdrom         cd9660     ro,noauto   0      0

In fstab you tell FreeBSD what to mount at bootup, so be careful!! One mistake and you have to fix it in single-user mode. I don't like that!

If you have a floppy drive in your system, you can add this line to fstab:
    /dev/fd0            /fdd        ufs        rw,noauto    0    0


8. Write and close fstab

To save and close fstab, press [ESC], :w [ENTER], :q [ENTER]
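Before rebooting it is worth checking the new fstab mechanically, so here is an added example (not from the original manual): a POSIX sh/awk check for the mistakes this step is prone to: a device still pointing at the unencrypted s1 slice, a line with the wrong number of fields, a root entry without fsck pass 1, a duplicate mountpoint. `page_fstab` is a constructed copy of the fstab above; `half_edited_fstab` is constructed to fail.

```shell
#!/bin/sh
# check_fstab: read an fstab on stdin (or the file given as argument) and
# report the mistakes that leave an encrypted-root box unbootable:
#   - a line that does not have exactly 6 fields
#   - a device still pointing at the unencrypted slice (/dev/ad?s1?), the
#     usual leftover when the "s1? -> s2.eli?" edit is incomplete
#   - not exactly one root (/) entry, or a root that is not ufs / fsck pass 1
#   - swap not mounted on "none" with pass 0; other ufs mounts not pass 2
#   - a mountpoint listed twice
# Prints OK or one FAIL line per problem; returns 0 only when clean.
check_fstab() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    {
        if (NF != 6) { printf "FAIL line %d: %d fields, expected 6\n", NR, NF; bad = 1; next }
        dev = $1; mnt = $2; type = $3; pass = $6
        if (dev ~ /^\/dev\/ad[0-9]+s1[a-h]$/) {
            printf "FAIL line %d: %s still points at the unencrypted slice\n", NR, dev; bad = 1
        }
        if (mnt != "none" && (mnt in seen)) {
            printf "FAIL line %d: mountpoint %s listed twice\n", NR, mnt; bad = 1
        }
        seen[mnt] = 1
        if (mnt == "/") {
            roots++
            if (type != "ufs" || pass != 1) {
                printf "FAIL line %d: root must be ufs with fsck pass 1\n", NR; bad = 1
            }
        } else if (type == "swap") {
            if (mnt != "none" || pass != 0) {
                printf "FAIL line %d: swap must mount on none with pass 0\n", NR; bad = 1
            }
        } else if (type == "ufs" && pass != 2) {
            printf "FAIL line %d: non-root ufs mount should use fsck pass 2\n", NR; bad = 1
        }
    }
    END {
        if (roots + 0 != 1) { printf "FAIL: %d root entries, expected exactly 1\n", roots + 0; bad = 1 }
        if (!bad) print "OK: fstab looks sane for the encrypted layout"
        exit bad + 0
    }
    ' "$@"
}

# Constructed copy of the fstab from the step above.
page_fstab() {
    cat <<'EOF'
# Device           Mountpoint     Fstype     Options     Dump   Pass#
/dev/ad0s2.elib    none           swap       sw          0      0
/dev/ad0s2.elia    /              ufs        rw          1      1
/dev/ad0s2.elie    /tmp           ufs        rw          2      2
/dev/ad0s2.elif    /usr           ufs        rw          2      2
/dev/ad0s2.elid    /var           ufs        rw          2      2
/dev/acd0          /cdrom         cd9660     ro,noauto   0      0
EOF
}

# Constructed failure: the root line was not changed from s1a to s2.elia,
# and a stray word was left at the end of the /tmp line (7 fields).
half_edited_fstab() {
    page_fstab | sed -e 's#/dev/ad0s2.elia#/dev/ad0s1a#' -e '/\/tmp/s/$/ extra/'
}

page_fstab | check_fstab
half_edited_fstab | check_fstab || echo "(half_edited_fstab rejected, as intended)"
```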

9. Optional fdd mount directory

    mkdir /fdd
    mkdir /mnt/fdd
    mkdir /fixed/fdd


10. Mount directory for cdrom

Make a mount directory for the cdrom:
    mkdir /cdrom
    mkdir /mnt/cdrom
    mkdir /fixed/cdrom


11. Copy fstab to the encrypted part

Copy fstab to the encrypted partition:
    cp /mnt/etc/fstab /fixed/etc


12. Disable kbdmux

Prevent problems by disabling "kbdmux"; on my Compaq the keyboard would only respond 50% of the time.
    echo hint.kbdmux.0.disabled=\"1\" >> /mnt/boot/device.hints

Kbdmux is responsible for caching FireWire

13. Get password request at bootup

Tell FreeBSD to ask for the passphrase of the encrypted partition at bootup:
    echo geom_eli_load=\"YES\" >> /mnt/boot/loader.conf


14. All Steps Done?

ALL STEPS DONE!!!?????

15. Shutdown machine

Shut down the machine:
    shutdown -h NOW


16. Remove slave hdd

Remove the power from the machine and disconnect the slave drive.

17. Start machine and goto Bios

Power on the machine and make sure the BIOS starts from your hard drive with the encrypted partition on it.
If everything goes right you will be asked for the passphrase for ad0s2; enter the passphrase that you gave to geli and press Enter.
You have 3 tries to enter the correct passphrase; if you fail 3 times you cannot access your encrypted partition anymore. In that case just power off the machine and try again.
Attention: if your machine has a PS/2 connector for the keyboard, use a PS/2 keyboard; USB is only initialized later, by the time you can log in with your user name.

18. Login as Root

When you login as root and you don't need to enter a password you are on the encrypted hdd.

For FreeBSD systems I always use RocketRAID cards; these are always recognized by FreeBSD.

19. Attach your big array

I mainly use the FreeBSD server for storing files, at this time I have an Array of 8 TB, so I want to attach and encrypt this also.

First step: go to the /dev directory to check for devices:
    cd /dev
    ls

Look for da0 or ar0

20. Make the big array encrypted

Encrypt your big drive as well:
    geli init -b -s 4096 -l 256 /dev/da0

Enter the passphrase for this array twice.

If all goes well you will be told where you can find the metadata backup.

21. Attach the array

Let's attach this big encrypted array:
    geli attach /dev/da0

Enter your Passphrase that you have provided.

If all goes well this will be printed:
    GEOM_ELI: Device da0.eli created
    GEOM_ELI: Encryption: AES-CBC 256
    GEOM_ELI: Crypto: software


22. Make partitions

Make partitions on the encrypted slice:
    bsdlabel -w /dev/da0.eli
    bsdlabel -e /dev/da0.eli


23. Change unused behind a:

Press [x] to delete characters and {i} to insert; change 'unused' behind a: to 4.2BSD, then [ESC], :w, :q.

24. Format the big array

    newfs /dev/da0.elia


A lot of numbers will come by.

My highest number is: 15626930752 ;-)

25. Create Mountpoint

Create a directory so we can mount the big array:
    mkdir /encrypt_a


26. Mount big array

Type the following command to mount the big array:
    mount /dev/da0.elia /encrypt_a


27. Check the size of your hdd

Once I had a RocketRAID card that would not go higher than 2TB, and I found out after a copy job of 1 week. So be sure NOT to make this mistake; check the hard drives:
    df -h

You will see the partition size, how much is available and the percentage that is used.

28. Edit fstab again

Now that we are sure all harddisk space is correct, change the fstab file so the array will be mounted on startup:
    vi /etc/fstab

Add the following at the bottom of the fstab file:
    /dev/da0.elia           /encrypt_a      ufs     rw              2       2


29. Copy fstab to unencrypted

Mount the unencrypted part of the drive and copy fstab to it:
    mount /dev/ad0s1a /mnt
    cp /etc/fstab /mnt/etc


30. Reboot the machine

At startup you will be asked for the passphrase twice, once for ad0s2 and once for da0.
    shutdown -r NOW


31. login as root

Enter the passphrases and login as root, further in this manual we will not login as root. I know this is not best practice.


Activate the Network
====================


32. Check name of network device

We need to know the name of the network device, so we look at the messages log:
    vi /var/log/messages

Look for Ethernet address (You can search with /keyword), note the name, mine is: vr0

33. Activate network card

To activate the network card type:
    sysinstall


34. Configure

Choose Configure

35. Networking

Choose Networking

36. Interfaces

Choose Interfaces

37. Choose vr0

In my case I choose vr0

38. Ipv6? No, DHCP [No].

Ipv6? No, DHCP [No].

39. Enter Network configuration

I use the following settings:
    Host: BSD0x
    Ipv4 Gateway: 10.30.0.100
    Nameserver: 10.30.0.100
    Ipv4 Address: 10.30.0.x

40. Bring xl0 interface up right now?

Bring xl0 interface up right now? [Yes]

41. Leave sysinstall

Press [X], [ENTER], Press [X], [ENTER], [X]

42. Restart system

    shutdown -r NOW



Creating Users and Groups
=========================

43. Add user

To add a user type:
    adduser


Enter all fields, and use the default settings.

This is my list (in /etc/group format):
    david:*:1001:
    mariska:*:1002:
    mysql:*:1003:rsync
    ftp:*:1004:david
    richard:*:1005:
    speciaal:*:1006:david
    locatedb:*:1007:
    install:*:1008:rsync,locatedb,makelist
    rsync:*:1009:
    fotos:*:1010:david,mariska,rsync,locatedb,bezoeker,MCX1,tessa,makelist
    readwww:*:1011:david,mariska,rsync,locatedb,MCX1,makelist
    sound:*:1012:david,locatedb,rsync,makelist
    emulator:*:1013:david,locatedb,rsync,makelist
    bezoeker:*:1014:
    copycopy:*:1015:
    MCX1:*:1016:
    tessa:*:1017:
    bewoner:*:1018:david,mariska,rsync,locatedb,MCX1,makelist
    makelist:*:1020:
    copycop:*:1021:
    rootmail:*:1022:


44. Add groups

When all users have been made, add the groups:
    pw groupadd bewoner


45. Edit user groups

To edit the user groups use:
    vi /etc/group


It will look like this:
bewoner:*:1018:david,mariska,rsync,locatedb,MCX1,makelist

After 1018: you enter the user names that must have access to that group.


Activate SSH
============

46. Activate SSH

Go to sysinstall:
    sysinstall


47. Configure, Networking, sshd

Configure, Networking, sshd, [OK], Exit, [Exit Install]

48. Check for ssh parameter

Edit rc.conf:
    vi /etc/rc.conf

Search for sshd_enable="YES".

If it is not present add it yourself.

49. Reboot to make fingerprint

Reboot so FreeBSD generates the SSH host keys (the fingerprint):
    shutdown -r NOW


After this reboot I usually log in with ssh; don't forget to add your user name to the wheel group, because FreeBSD does not accept root logins from outside over SSH.


Install Rsync (Synchronise data between systems)
================================================

50. Install rsyncd

To install rsyncd insert the FreeBSD cd/DVD in your drive.

Type:
    sysinstall


51. Configure

Choose Configure -> Packages -> CD/DVD

52. Net

Choose Net -> rsync-x.x.x_x, place an X in front of it and choose [OK], then [Install], [OK].

53. Leave Sysinstall

Leave sysinstall

54. Configuring Rsync

Edit the configuration file of the rsync daemon:
    vi /usr/local/etc/rsyncd.conf


55. Make it look like this

    # rsyncd.conf - Example file, see rsyncd.conf(5)
    #

    # Set this if you want to stop rsync daemon with rc.d scripts
    pid file = /var/run/rsyncd.pid

    # Edit this file before running rsync daemon!!

    uid = rsync
    gid = rsync
    use chroot = no
    max connections = 4
    syslog facility = local5
    #auth users =david, speciaal, copycop, copycopy
    #secrets file = /usr/local/etc/rsyncd.secrets

    [test]
            path = /encrypt_a/tmp
            comment = Test to sync the samba tmp directory

    [encrypt_a]
            path = /encrypt_a
            comment = Shared Directory Tree
            auth users = copycop
            hosts allow = 10.30.0.2
            secrets file = /usr/local/etc/rsyncd.secrets

    #[ftp]
    #       path = /var/ftp/pub
    #       comment = whole ftp area (approx 6.1 GB)

    #[sambaftp]
    #       path = /var/ftp/pub/samba
    #       comment = Samba ftp area (approx 300 MB)

    #[rsyncftp]
    #       path = /var/ftp/pub/rsync
    #       comment = rsync ftp area (approx 6 MB)

    #[sambawww]
    #       path = /public_html/samba
    #       comment = Samba WWW pages (approx 240 MB)

    #[cvs]
    #       path = /data/cvs
    #       comment = CVS repository (requires authentication)
    #       auth users = tridge, susan
    #       secrets file = /usr/local/etc/rsyncd.secrets


56. Change the rights

Change the permissions of the configuration file:
    chmod 0640 /usr/local/etc/rsyncd.conf


57. Make a new password file

Make a password file for rsyncd:
    vi /usr/local/etc/rsyncd.secrets

Enter username:password pairs, one per line:
    tridge:mypass
    susan:herpass

58. Edit the rights for secrets file

Also make this file unreadable to the outside world:
chmod 0640 /usr/local/etc/rsyncd.secrets

If you get the error "Auth failed at module…", the rights of the configuration file and/or the secrets file are wrong, or the path to the secrets file in the configuration file contains a typo.
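An added check for steps 56 to 58 (my own helper, not part of the manual): it reads every uncommented "secrets file" line from rsyncd.conf, verifies the referenced file exists, and verifies neither file is readable by others or writable by the group. rsync's default "strict modes" refuses a secrets file other users can read, which is exactly the "Auth failed" situation above. Paths are assumed; the default is the manual's /usr/local/etc/rsyncd.conf.

```shell
#!/bin/sh
# Added example, not part of the original manual. Audits the permissions of
# rsyncd.conf and of every "secrets file" it references.

# Print the secrets file paths referenced by an rsyncd.conf.
# Commented lines (starting with #) do not match the pattern and are skipped.
rsync_secrets_files() {
    sed -n 's/^[[:space:]]*secrets file[[:space:]]*=[[:space:]]*//p' "$1"
}

# Return 0 when the file mode is 0640 or stricter: no permission bits for
# "other" and no write bit for the group. GNU stat (-c) is tried first,
# BSD stat (-f) second, so this works on both FreeBSD and Linux.
mode_is_private() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
    case "$m" in
        *[1-7]) return 1 ;;          # any permission bit for "other"
    esac
    g=${m%?}; g=${g#${g%?}}          # the group digit
    case "$g" in
        [2367]) return 1 ;;          # group write bit set
    esac
    return 0
}

# Audit the configuration file and the secrets files it references.
# Prints a warning per finding and returns 1 when anything is wrong.
rsync_audit() {
    conf="${1:-/usr/local/etc/rsyncd.conf}"
    rc=0
    if [ ! -f "$conf" ]; then
        echo "WARN: $conf does not exist"
        return 1
    fi
    if ! mode_is_private "$conf"; then
        echo "WARN: $conf is readable by others or group-writable (try chmod 0640)"
        rc=1
    fi
    for s in $(rsync_secrets_files "$conf"); do
        if [ ! -f "$s" ]; then
            echo "WARN: secrets file $s referenced in $conf does not exist (typo?)"
            rc=1
        elif ! mode_is_private "$s"; then
            echo "WARN: $s is readable by others (rsync strict modes rejects it, try chmod 0640)"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on constructed files in a temporary directory; no real
# rsyncd.conf is touched.
demo_dir=$(mktemp -d)
cat > "$demo_dir/rsyncd.conf" <<EOF
#secrets file = /nonexistent/commented-out
[encrypt_a]
        path = /encrypt_a
        auth users = copycop
        secrets file = $demo_dir/rsyncd.secrets
EOF
printf 'copycop:mypass\n' > "$demo_dir/rsyncd.secrets"
chmod 0640 "$demo_dir/rsyncd.conf"
chmod 0644 "$demo_dir/rsyncd.secrets"   # too open: the classic "Auth failed" cause
rsync_audit "$demo_dir/rsyncd.conf" || echo "-> fix with: chmod 0640 $demo_dir/rsyncd.secrets"
rm -rf "$demo_dir"
```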

59. Enter this in rc.conf if there is data

When you have data on your disk, you can add the following line to /etc/rc.conf:
rsyncd_enable="YES"


60. NTP

Sync your time with NTP.
NTP no longer needs to be installed separately on FreeBSD; just open /etc/rc.conf and add the following line:
vi /etc/rc.conf
ntpd_enable="YES"

61. Make file /etc/ntp.conf

Make the file: /etc/ntp.conf
vi /etc/ntp.conf


62. Fill ntp file

Fill the NTP configuration file with:
# This is the configuration file for NTP
#  (Network Time Protocol).  More info at
#  www.NTP.org

# This computer will act as a stratum 2 time
#  server, by referencing the following 4 or
#  more stratum 1 time servers:

server nl.pool.ntp.org           iburst     # Netherlands
server be.pool.ntp.org           iburst     # Belgium
server de.pool.ntp.org           iburst     # Germany
server fr.pool.ntp.org           iburst     # France
server es.pool.ntp.org           iburst     # Spain


#  Since the clock on most PCs drifts around
#  significantly, let's use a file to
#  keep track of that drift and compensate
#  for it:

driftfile /etc/ntp.drift

For alternate time servers visit: http://www.pool.ntp.org/en/


Edit welcome Message
==================

63. Change the welcome message

I like to know which machine I have logged in to, so we change the welcome message. Open the motd:
vi /etc/motd


64. Empty the original message

Press dd real quick to delete a line.

I add the following:
FreeBSD 8.1-RELEASE (BSD03) - 2010 /Node:3 (Original file:/etc/motd.bak)

Running:
- Apache2, Php 5, Mysql 5
- Pure-FTPd, SSH
- Samba 3
- NFS

IP: 10.30.0.4 / Gateway: 10.30.0.100

- FreeBSD Handbook: http://www.FreeBSD.org
- Use sysinstall to install additional Packages


Save it and it's done!


Install NFS to copy data
===================


65. Install NFS

To copy data as fast as possible I use NFS; on FreeBSD this is the most efficient way.

66. Start system installer

sysinstall



67. NFS Steps

Choose [Configure] -> [Networking], put an X in front of NFS client and NFS server, and select [OK].

68. Warning to configure

A warning follows that you have to configure /etc/exports to allow hosts.

69. NFS Config file opened

The configuration file will be opened, add the following line at the bottom:
/encrypt_a -maproot=copycop 10.30.0.3


70. Exit the installer

Exit the installer.

71. Check the exports

vi /etc/exports


72. Check that NFS starts at boot

Type:
vi /etc/rc.conf


There should be two lines with NFS in it:
nfs_server_enable="YES"
rpcbind_enable="YES"

73. Restart the machine


74. Try to mount NFS share

Try to mount the NFS share from another (FreeBSD) machine.
mount 10.30.0.3:/encrypt_a /mnt



75. Copy files

To copy the files use the following commands:
cd /mnt
cp -Rpv * /encrypt_a


Remark: the parameters -Rpv copy recursively, preserve the owner and the timestamps, and print each file as it is copied.

76. Absolutely sure

Want to be absolutely sure that all data is copied? Copy it twice with the command:
cp -Rpnv * /encrypt_a

Remark: the option -n prevents overwriting files that already exist.

77. Safety first

When everything is copied, I advise you to put a "#" in front of the share line in /etc/exports so the share is no longer exported.
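Rather than copying twice, you can prove that every file arrived intact. This is an added helper of my own, not part of the manual: verify_copy SRC DST checksums every regular file on both sides with cksum(1) (POSIX, so it works on FreeBSD and Linux) and reports files missing or different on the destination. The demo tree stands in for /mnt and /encrypt_a.

```shell
#!/bin/sh
# Added example, not part of the original manual: verify an NFS copy by
# comparing checksums of the source and the destination tree.

# List "relative-path crc size" for every regular file below $1, sorted so
# the two listings can be compared line by line with comm(1).
# Limitation: file names containing spaces break the column split.
tree_checksums() {
    ( cd "$1" && find . -type f -exec cksum {} + | awk '{ print $3, $1, $2 }' | sort )
}

# Return 0 when every file under SRC exists under DST with identical size and
# checksum; otherwise print the paths that are missing or differ and return 1.
# Extra files on DST (left over from an earlier partial copy) are not reported.
verify_copy() {
    src="$1"; dst="$2"
    src_list=$(mktemp); dst_list=$(mktemp)
    tree_checksums "$src" > "$src_list"
    tree_checksums "$dst" > "$dst_list"
    # lines only in the source listing = missing or changed on the destination
    problems=$(comm -23 "$src_list" "$dst_list" | awk '{ print $1 }')
    rm -f "$src_list" "$dst_list"
    if [ -n "$problems" ]; then
        echo "NOT identical on destination:"
        echo "$problems" | sed 's/^/  /'
        return 1
    fi
    echo "all files under $src are present and identical under $dst"
    return 0
}

# Demonstration on a constructed tree in a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/mnt/sub" "$demo/encrypt_a"
printf 'backup data\n' > "$demo/mnt/a.txt"
printf 'more data\n'   > "$demo/mnt/sub/b.txt"
( cd "$demo/mnt" && cp -Rpv . "$demo/encrypt_a" )      # the manual's copy step
verify_copy "$demo/mnt" "$demo/encrypt_a"               # identical
printf 'truncated\n' > "$demo/encrypt_a/sub/b.txt"      # simulate a bad copy
verify_copy "$demo/mnt" "$demo/encrypt_a" || echo "-> copy the listed files again"
rm -rf "$demo"
```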


Install Samba
==========

Install Samba so your Windows machines can read the FreeBSD shares.

I do not have much experience with Samba 4 and there is not enough documentation about it, so this time I will choose Samba 3.

First we need to install the FreeBSD ports collection.

78. Start sysinstall for the ports collection

Type:
sysinstall


Choose Configure -> Distributions and place an "X" in front of Ports and select ok.

79. Choose cd/dvd

Choose CD/DVD and wait a moment for the installer to complete the task.

80. Start samba installation

I assume that you have your network cable plugged in and have internet.
Type:
cd /usr/ports/net/samba34
make install clean

81. Choose the following options

LDAP
CUPS
WINBIND
SWAT
SYSLOG
POPT

Choose [OK]

82. (optional) pkg_delete tdb-1.2.0

I got a warning when I tried to install samba34 and had to execute the following command to delete a conflicting package:
pkg_delete tdb-1.2.0

83. Start the installation

make install clean


Wait for FreeBSD to finish.

84. Additional modules

You will be asked whether you would like to install LIBSIGSEGV; I did not select it.

85. GNUTLS

You will be asked to install a CUPS client; it is already selected, just leave it that way.
CUPS is for print services.

86. openldap-client

You will be asked to install openldap-client; by default SASL is off and FETCH is on, leave it that way.

87. Samba Install Finished

You will get a notification that Samba is installed.
This port has installed the following startup scripts which may cause these network services to be started at boot time.
/usr/local/etc/rc.d/samba


88. Edit the samba configuration file

vi /usr/local/etc/smb.conf



89. Fill in the following parameters

After workgroup: your workgroup name, I use Wayward
After server string: the description of your server, I use BSD04 Samba Server
Add the line: time server = yes
After hosts allow: add the IP addresses that have access, I use: 10.30.0. 127. (so machines with 10.30.0.x have access and the localhost has access)

To make shares you have to add the following lines:
# This one is useful for people to share files
[tmp]
   comment = Temporary file space
   path = /encrypt_a/tmp
   writeable = no
   public = yes


Every user gets his own drive:
# Private-drives
#
[private]
   comment = Eigen Prive directory op de Server
   path = /encrypt_a/Private/%U
   public = no
   writeable = yes
   browseable = no


On the Appz drive force the right file and directory permissions:

[appz]
   comment = Programma's, Games en dergelijke.
   path = /encrypt_a/Appz
   public = no
   writeable = yes
   browseable = no
   force create mode = 0775
   force directory mode = 0775


On the drive we share, I only want access for the user and the group:

[ons]
   comment = Gezamelijke schijf
   path = /encrypt_a/Ons
   public = no
   writeable = yes
   browseable = no
   force create mode = 0770
   force directory mode = 0770


90. Start Samba at startup

Type:
vi /etc/rc.conf



and add the following lines:
nmbd_enable="YES"
smbd_enable="YES"


91. Configure the users that may access Samba

smbpasswd -a username


You will be asked to enter the password for this user twice.

92. To only change the password drop -a parameter

Drop the -a parameter to change the password of that user.

I always use the same usernames that I created in FreeBSD, so the files a user saves in the shares are owned by that username.

93. An Error with Samba

This one was new to me: an error while accessing the drives from a Windows machine. The error: getpeername failed. Error was Socket is not connected

A quick search showed that you just need to put the following line in /usr/local/etc/smb.conf:
smb ports = 139


94. Cups errors

Also a new error, this time about CUPS; I changed these lines in my smb.conf:
load printers = no
printing = bsd
printcap name = /dev/null


To make everything clear, here is a full dump of my smb.conf:
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
#  http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
   workgroup = Wayward

# server string is the equivalent of the NT Description field
   server string = BSD03 Samba Server

## Samba Time Server?
#
   time server =yes

## getpeername failed. Error was socket is not connected, solution:
#
smb ports = 139

# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
   security = user

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
   hosts allow = 10.30.0. 127.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = no

# you may wish to override the location of the printcap file
   printcap name = /dev/null

# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
;   printcap name = lpstat

# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
   printing = bsd

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba34/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Use password server option only with security = server
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *
;   password server = <NT-Server-Name>

# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
;   realm = MY_REALM

# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
;   passdb backend = tdbsam

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
#       this line.  The included file is read at that point.
;   include = /usr/local/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
;   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#    Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one    WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
   dns proxy = no

# Charset settings
;   display charset = koi8-r
;   unix charset = koi8-r
;   dos charset = cp866

# Use extended attributes to store file modes
;    store dos attributes = yes
;    map hidden = no
;    map system = no
;    map archive = no

# Use inherited ACLs for directories
;    nt acl support = yes
;    inherit acls = yes
;    map acl inherit = yes

# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
;  add user script = /usr/sbin/useradd %u
;  add group script = /usr/sbin/groupadd %g
;  add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
;  delete user script = /usr/sbin/userdel %u
;  delete user from group script = /usr/sbin/deluser %u %g
;  delete group script = /usr/sbin/groupdel %g


#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
;   comment = Network Logon Service
;   path = /usr/local/samba/lib/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
;    path = /usr/local/samba/profiles
;    browseable = no
;    guest ok = yes


# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba34
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

# This one is useful for people to share files
;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
;   comment = Public Stuff
;   path = /home/samba
;   public = yes
;   writable = yes
;   printable = no
;   write list = @staff

# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
;   comment = Fred's Printer
;   valid users = fred
;   path = /homes/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes

# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
;   comment = Fred's Service
;   path = /usr/somewhere/private
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no

# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
;  comment = PC Directories
;  path = /usr/pc/%m
;  public = no
;  writable = yes

# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no

# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765

#-=-=-=-=-=-=-=-=-= My Shares =-=-=-=-=-=-=-=-=-=-
#################################################
# All drives on the backup server are read only
#

# This one is useful for people to share files
[tmp]
   comment = Temporary file space
   path = /encrypt_a/tmp
   writeable = no
   public = yes

# Log share
#
[log]
   comment = Log files of BSD03
   path = /var/log
   public = yes
   writeable = no
   browseable = no

# Private-drives
#
[private]
   comment = Eigen Prive directory op de Server
   path = /encrypt_a/Private/%U
   public = no
   writeable = yes
   browseable = no

# Appz Drive
#
[appz]
   comment = Programma's, Games en dergelijke.
   path = /encrypt_a/Appz
   public = no
   writeable = yes
   browseable = no
   force create mode = 0775
   force directory mode = 0775

# Special Drive
#
[special]
   comment = Special Drives for: Ftp, Images, Sound, Apache
   path = /encrypt_a/Special
   public = no
   writeable = yes
   browseable = no
   force create mode = 0775
   force directory mode = 0775

# Media
#
[media]
   comment = Media Audio, Video, Multimedia
   path = /encrypt_a/Media
   public = no
   writeable = yes
   browseable = no
   force create mode = 0775
   force directory mode = 0775

# Ons
#
[ons]
   comment = Gezamelijke schijf
   path = /encrypt_a/Ons
   public = no
   writeable = yes
   browseable = no
   force create mode = 0770
   force directory mode = 0770

# Startup With batch files for connecting to BSD03
#
[startup]
   comment = Batch files to connect to the BSD03 FreeBSD Server
   path = /encrypt_a/Startup
   public = yes
   writeable = no
   browseable = yes

# Share to dump all the Ghost images from dos
[image]
   comment = Drive to dump all the Ghost image's to
   path = /encrypt_a/Images
   public = no
   writeable = yes
   browseable = yes
   force create mode = 0775
   force directory mode = 0775

# Shares for the Media Center
#
[video]
  comment = Video Files for the media center
  path = /encrypt_a/Media/movies
  writeable = yes
  browseable = yes
  force create mode = 0775
  force directory mode = 0775

[TV]
  comment = Alle the tv programs we like to keep
  path = /encrypt_a/Media/TV
  writeable = yes
  browsable = yes
  force create mode = 0775
  force directory mode = 0775

[pictures]
  comment = All our pictures
  path = /encrypt_a/Media/pictures
  writeable = yes
  browseable = yes
  force create mode = 0775
  force directory mode = 0775

[audio]
  comment = All our avaible audio
  path = /encrypt_a/Media/audio
  writeable = yes
  browseable = yes
  force create mode = 0775
  force directory mode = 0775
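With this many shares it is easy to lose track of which ones guests can reach. The following is an added helper of my own, not from the manual or from Samba: it parses an smb.conf, prints per share whether guests are allowed and whether it is writable (resolving the synonyms public/guest ok and writeable/writable/read only), flags shares that are both, and checks that [global] carries a "hosts allow" line. testparm only checks syntax; this checks intent. The demo file is constructed and mixes the manual's [tmp] and [private] shares with a made-up [dropbox].

```shell
#!/bin/sh
# Added example, not part of the original manual: audit share exposure in smb.conf.

# Print one line per share: "<name> <guest-ok> <writable>". Samba's defaults
# (guest ok = no, read only = yes) apply when a share does not set them.
# Lines starting with ";" or "#" are comments and are skipped.
smb_share_table() {
    awk '
    function yn(v) { return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
    function flush() { if (sec != "" && tolower(sec) != "global") print sec, guest, writable }
    /^[[:space:]]*[;#]/ { next }                      # comment line
    /^[[:space:]]*\[/ {                               # a new [section]
        flush()
        sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec)
        guest = "no"; writable = "no"
        next
    }
    /=/ {                                             # key = value
        key = $0; sub(/=.*$/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
        val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
        key = tolower(key); val = tolower(val)
        if (key == "public" || key == "guest ok") guest = yn(val)
        if (key == "writeable" || key == "writable") writable = yn(val)
        if (key == "read only") writable = (yn(val) == "yes") ? "no" : "yes"
    }
    END { flush() }
    ' "$1"
}

# Return 1 and print the share names when any share is both guest-accessible
# and writable (anyone who can reach the server can drop files there).
smb_guest_writable() {
    found=$(smb_share_table "$1" | awk '$2 == "yes" && $3 == "yes" { print $1 }')
    [ -z "$found" ] && return 0
    echo "WARN: guest-writable shares:" $found
    return 1
}

# Return 0 when [global] has an uncommented "hosts allow" line.
smb_has_hosts_allow() {
    awk '
    /^[[:space:]]*[;#]/ { next }
    /^[[:space:]]*\[/ { inglobal = (tolower($0) ~ /^[[:space:]]*\[global]/); next }
    inglobal && tolower($0) ~ /^[[:space:]]*hosts allow[[:space:]]*=/ { found = 1 }
    END { exit(found ? 0 : 1) }
    ' "$1"
}

# Demonstration on a constructed smb.conf in a temporary directory.
demo=$(mktemp -d)
cat > "$demo/smb.conf" <<'EOF'
[global]
   workgroup = Wayward
   hosts allow = 10.30.0. 127.
# share from the manual: guests may read, nobody may write
[tmp]
   comment = Temporary file space
   path = /encrypt_a/tmp
   writeable = no
   public = yes
[private]
   path = /encrypt_a/Private/%U
   public = no
   writeable = yes
; constructed example of the pattern to avoid: anyone on the network may write
[dropbox]
   path = /encrypt_a/dropbox
   guest ok = yes
   read only = no
EOF
smb_share_table "$demo/smb.conf"
smb_guest_writable "$demo/smb.conf" || echo "-> set public = no or writeable = no on those shares"
smb_has_hosts_allow "$demo/smb.conf" && echo "hosts allow is set in [global]"
rm -rf "$demo"
```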



Install Pure FTPd (Php5, MySQL4.1, Apache22)
=====================================

95. Install MySQL 4.1

The first step is to install MySQL 4.1 (Pure-FTPd cannot handle MySQL 5).
cd /usr/ports/databases/mysql41-server
make install clean

96. Add 2 lines to rc.conf

vi /etc/rc.conf

mysql_enable="YES"
mysqllimits_enable="NO"


97. Make the temp directory writable

chmod 0777 /tmp

98. Restart the machine


99. Install Pure-FTPd

cd /usr/ports/ftp/pure-ftpd
make config

0. Steps 200 and higher begin here.


1. Select the following options

MYSQL
PRIVSEP
PERUSERLIMITS
THROTTLING
BANNER


2. Start the installation of Pure-FTPd

make install clean

3. Add Pure-FTPd to startup

Add Pure-FTPd to /etc/rc.conf so that it runs at startup.
vi /etc/rc.conf

# Pure-FTPd
pureftpd_enable="YES"

4. Download install script

fetch http://machiel.generaal.net/files/pureftpd/v2.x/script.mysql

Source: http://machiel.generaal.net/index.php?subject=pureftpd

5. Create the MySQL tables

mysql -u root -psecret < script.mysql

6. Go to the directory with the example file

Go to the directory that holds the pure-ftpd example configuration file.

cd /usr/local/etc

7. Copy the example to use

cp pure-ftpd.conf.sample pure-ftpd.conf

8. Fetch the MySQL configuration file for Pure-FTPd

fetch http://machiel.generaal.net/files/pureftpd/v2.x/pureftpd-mysql.conf

9. Edit the Pure-FTPd configuration file

vi pure-ftpd.conf

10. Edit the following line

Search for the following line and set it to:

# MySQL configuration file (see README.MySQL)
MySQLConfigFile /usr/local/etc/pureftpd-mysql.conf

11. Add an ftp account

adduser

Use the username ftp and answer the remaining questions.

12. Start Pure-FTPd

/usr/local/etc/rc.d/pure-ftpd start

You can stop Pure-FTPd at any time with: /usr/local/etc/rc.d/pure-ftpd stop

13. Install Apache

cd /usr/ports/www/apache22
make install clean

Choose the default options.

14. Start Apache at startup

vi /etc/rc.conf

Add the following lines at the bottom:
# Apache 2
apache22_enable="YES"


15. Install PHP 5

cd /usr/ports/lang/php5


16. Choose the PHP options

make config

Select [APACHE], and then [OK]

make install clean


17. Edit the Apache configuration

vi /usr/local/etc/apache22/httpd.conf

Add the following two lines:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps


18. Set the DirectoryIndex

Search for DirectoryIndex (in vi: /DirectoryIndex) and replace the line with:
DirectoryIndex index.htm index.php index.html


Save the configuration file.

19. Install the PHP 5 extensions

cd /usr/ports/lang/php5-extensions
make config

Select MySQL, Posix and Session, then type:
make install clean


20. Select UTF-8 Support

Select UTF-8 Support and then [OK].

21. Restart the machine and check Apache

Restart the machine:
shutdown -r now

Check from a browser on the network by entering the IP address of the FreeBSD server.

22. You are done!

Your very own encrypted FreeBSD machine is ready for use.
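The script below is an added post-install check (example code, not from the article): run it after step 21 to confirm the rc.conf entries from steps 96, 3 and 14, the MySQLConfigFile line from step 10, that the fetched pureftpd-mysql.conf (assumed here to hold the MySQL password) is readable only by its owner, that /tmp kept its sticky bit after step 97, and the PHP directives from steps 17 and 18. The paths are the ones the steps use; the --run flag and the optional ROOT argument are this script's own.

```shell
#!/bin/sh
# Added post-install check for the MySQL / Pure-FTPd / Apache / PHP steps above
# (example code, not the article's). Usage: sh check_install.sh --run [ROOT];
# ROOT is "" for the live system or the path of a mounted copy of the tree.

# report LABEL STATUS  -> prints "ok LABEL" or "FAIL LABEL" and tracks failures
report() {
    if [ "$2" -eq 0 ]; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi
}

check_install() {
    root="$1"; rc=0
    rcconf="$root/etc/rc.conf"
    ftpconf="$root/usr/local/etc/pure-ftpd.conf"
    sqlconf="$root/usr/local/etc/pureftpd-mysql.conf"
    httpd="$root/usr/local/etc/apache22/httpd.conf"

    # Services enabled in rc.conf (steps 96, 3 and 14)
    for svc in mysql_enable pureftpd_enable apache22_enable; do
        grep -q "^${svc}=\"YES\"" "$rcconf" 2>/dev/null
        report "$svc=\"YES\" in rc.conf" $?
    done

    # pure-ftpd.conf points at the MySQL backend file (step 10)
    grep -Eq '^MySQLConfigFile[[:space:]]+/usr/local/etc/pureftpd-mysql\.conf' "$ftpconf" 2>/dev/null
    report "MySQLConfigFile set in pure-ftpd.conf" $?

    # pureftpd-mysql.conf carries the database password (assumption: the file
    # fetched in step 8 contains it), so group and other must have no bits set
    [ "$(ls -ld "$sqlconf" 2>/dev/null | cut -c5-10)" = "------" ]
    report "pureftpd-mysql.conf readable by owner only" $?

    # Step 97 uses chmod 0777; FreeBSD ships /tmp as 1777, and the sticky bit
    # ('t' in the last mode column) is what stops users unlinking each other's
    # files, so this one is a warning rather than a failure
    if [ "$(ls -ld "$root/tmp" 2>/dev/null | cut -c10)" != "t" ]; then
        echo "WARN /tmp lacks the sticky bit (chmod 1777 /tmp restores it)"
    fi

    # Apache hands .php to PHP and serves index.php (steps 17 and 18)
    grep -q '^AddType application/x-httpd-php \.php' "$httpd" 2>/dev/null &&
        grep -Eq '^DirectoryIndex .*index\.php' "$httpd" 2>/dev/null
    report "httpd.conf maps .php and lists index.php" $?

    return $rc
}

if [ "${1:-}" = "--run" ]; then check_install "${2:-}"; fi
```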

Comments (1)

Commented:
Other bootloaders want you to set up active partition in fdisk.


* v9 would prefer GPT
