FreeBSD Installation Road map

Guidelines and tip for installing FreeBSD

This document describes some guidelines and tips I've used for many of my FreeBSD installations. It is the result of over two years of direct experience installing and configuring some 50+ FreeBSD servers. Almost all of these installs were based on the 4.x STABLE or RELEASE branches, so if you're looking at CURRENT or older branches (e.g. 3.x) then this guide probably won't help you much.

This article is not meant to be a guide for newbies to the FreeBSD world. If you fall into this category, read the FreeBSD Handbook and consider the book Absolute BSD by Michael Lucas.

Instead, this article is intending to complement the official handbook.

Disclaimer

 * THIS DOCUMENT IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR (MARK FOSTER OR
 * ANY CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS DOCUMENT, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.

Pre-Install Considerations:

Media - what media will you install from? I use 4.8 Release CD-ROM but an FTP install gives you the "latest and greatest" from the stable branch.

In the early days I would often install from the boot/root floppies and then choose the FTP method from there. This is a perfectly reasonable way to install FreeBSD if you like the -STABLE branch and have the bandwidth. Where as a CD-ROM install can take 10-15 minutes, the FTP method will take upwards of an hour even on a fast pipe.

Partitioning - it's important to know what size your disks are before you start, and knowing what the box will do (email server, web server, etc).
Define your smaller and more active partitions eg. swap, /var) first so that they are closer to the outer/faster part of the drive. If you have multiple disks split your swap file amongst them all.

	/         96m	(most I've seen used on fbsd is ~64m)
	/var      512m	(4x+ for an email server, 2x for a webserver)
	/var/tmp  284m	(soft-linked as /tmp)
	swap 	    1g	(or 2x phys. memory)
	/usr	     3g+	( usually 4g unless space is tight)
	/home	    1g	(or softlink as /usr/home)
	/web	     1g	(if needed, or give to /usr)
	

If you have additional drives you can pad /var, /var/tmp and /usr or just mount it a /spare for future use.

Distributions

You will be asked which distributions to install. Choose Developer or X-developer if you know you'll need X

Packages

	net/cvsup-bin
	net/netcat
	net/trafshow
	security/chkrootkit
	security/logcheck
	security/portsentry
	(o)security/sudo	(if the shoe fits)
	shells/bash2
	shells/tcsh
	(o)sysutils/lsof	(or just use sockstat from base)

Post-Install Tricks

• Turn on soft-updates (speeds up i/o at the cost of data integrity if the system crashes...tunefs -p /filesystem will show current settings) this is a single-user mode action because /filesystem must be unmounted tunefs -n enable /filesystem
  (* this tip is deprecated as of 4.4-RELEASE)
• Consider using 'noatime' option on certain filesystems like /tmp & /var/log ...
• Enable sysctl parameters as follows[1]: These entries should be placed in /etc/sysctl.conf

  vfs.vmiodirenable=1
  hw.ata.wc=1
  kern.ipc.shm_use_phys=1
  kern.ipc.somaxconn=1024
  net.inet.tcp.always_keepalive=1
  net.inet.tcp.delayed_ack=0
  

  Explanation

  sysctl -w vfs.vmiodirenable=1

  improves performance on servers with lots of i/o & files such as mail servers, web caches and databases [4]

  sysctl -w hw.ata.wc=1

  enable IDE write caching - obviously this is only useful on an IDE system. [4]

  sysctl -w kern.ipc.shm_use_phys=1

  map shared memory segments to physical RAM (unpageable)

  sysctl -w kern.ipc.somaxconn=1024 (or higher)[1][2]

  sysctl -w net.inet.tcp.always_keepalive=1

  (default =1 per /etc/defaults/rc.conf) guarantee cleaning of dead tcp connections - good for web servers esp.

  sysctl -w net.inet.tcp.delayed_ack=0

  not sure but why would you want to delay it?? [2]

Things to check out on a freshly-installed Box

Security, etc. Check ntpd -v and make sure the version is 4.0.99k or higher
fix /etc/ntp.conf or just run ntp -bAp /var/run/ntpd.pid from rc.conf

xntpd_enable="YES"              # Run ntpd Network Time Protocol (or NO).
xntpd_program="ntpd"            # path to ntpd, if you want a different one.
xntpd_flags="-bAp /var/run/ntpd.pid"    # Flags to ntpd (if enabled).

make sure inetd_enable="NO" or inetd_flags="-l -R 1024" if you must run it

Modify /etc/hosts.allow...
Disable ALL:ALL:ALLOW
then add/change these lines unless otherwise necessary

ALL : localhost 127.0.0.1 : allow
sshd : 123.231.132.0/255.255.255.0 : ALLOW
sshd : ALL : DENY
sendmail : ALL : deny
ftpd : ALL : deny
portmap : ALL : deny

OpenSSH - turn off protocol 1 and make PermitRootLogin=no if possible
set UseLogin no
(in /etc/ssh/sshd_config usually)

Other things to set in /etc/rc.conf

syslogd_flags="-s -s"
portmap_enable="NO"
sendmail_flags="-q30m" (only need -bd if this is a mail server)
named_enable="NO" (unless you need it)
clear_tmp_enable="YES" (unless you have a good reason not to)

Other Post-Install considerations

• Nagios- setup to monitor the host's health, availibility
• DNS - update dns zone records for the new host and maybe the one replaced
• Listening ports - do a 'netstat -na | grep LISTEN' to see network exposure - sanity check
• modify /etc/motd if you're bored
• add users
• mount nfs folders like /share
• copy /usr/share/examples/cvsup/stable-supfile to /etc and update your sources!
• Do the same as above but for selective ports (see ports-supfile)

Kernel Options

recompiling the kernel will usually be necessary at some point. Here are some options you will want to consider setting.

1. remove I386_CPU, I486_CPU and I586_CPU [1]
2. uncomment (or copy from LINT) IPFILTER and IPFILTER_LOG
3. set maxusers to 256 and no higher [1]
4. set NMBCLUSTERS to 8192 (or between 4096 and 32768)(use netstat -m to give an idea) [1][2]
5. set SCSI_DELAY to 5sec [1]
6. consider removing unnecessary devices SCSI, ISA,PCCARD and the like USB
7. do not compile BPF unless you KNOW you will need it [3]
8. consider setting pty number higher if it will be a busy multi-user system
9. add kern.ipc.somaxconn=1024 and kern.ipc.nmbclusters=4096 to /etc/sysctl.conf if the system will be a heavily-loaded network server. YMMV, go higher if you need to.[1]

References

[1] tuning (7) manpage
[2] Squid configuration tweaks
@ http://www.measurement-factory.com/results/public/cacheoff/N03/auto/b44/conf.html
[3] surlink.net FreeBSD Security Howto
[4] FreeBSD Handbook Chapter 6.9 Tuning Disks

Change Log

1st Draft June 18, 2001
2nd Draft June 28, 2001 - fixing misinformation, adding packages selections
3rd Draft Aug 20, 2001 - modified hosts.allow, fixed typo
4th Draft Aug 22, 2001 - removed reference to bad option NO_LKM
5th Draft Aug 24, 2001 - added portmap to /etc/hosts.allow and sysctl.conf
6th Draft Oct 11, 2001 - added clear_tmp_enable="YES" to rc.conf section
7th Draft Apr 11, 2002 - adding hw.ata.wc variable
8th Draft May 15, 2002 - added supfile info
9th Draft Aug 11, 2003 - converted to HTML, published as article on website
10th Draft May 13, 2004 - added systl variables for tuning

If I was helpful, please let me know.

$Id: setup-freebsd.html,v 1.8 2005/11/12 16:36:00 mdf Exp $