Beginners Guide - How To Set Up A FreeBSD Desktop From Scratch

D

Deleted member 30996

Guest
I'm going to guide you though the process of getting a fully functional FreeBSD 13.0-RELEASE desktop up and running, complete with system files and security settings, step-by-step as if you've never used UNIX or the command line. Now let's get started:

Insert your boot media and at the Welcome screen, choose the Install option and hit Enter. (You'll be using the Enter key to confirm all your choices.)

If you're in the US use the Default keyboard mapping when presented with that screen. If not, choose the keymap that you'll be using.

When presented with the Set Hostname screen enter your machine name.

At the Distribution Select screen choose:
Code:
lib32
ports
src
If you are not on a 64 bit machine the lib32 option will not be available. You do this with the arrow keys and the spacebar.

At the Partitioning menu choose Auto (UFS) Guided Disk Setup, for simplicity, and MBR for the Partition Scheme. It will give you a choice of where to install, choose your HDD which will be designated as ada0. There have been problems reported with this stage of installation and I changed from GPT to MBR to get past a sticking point. Your mileage may vary.

Choose Entire Disk at the next screen, as we won't be dual-booting with this tutorial.

At the next screen it will present you with the disk layout, choose Finish.

Now confirm this is what you really want to do, and Commit to the partitioning and installation of your new OS.

Now sit back and wait for it to install the base system, kernel, games, ports, and source code. It won't take long.

Your next task is to choose a password for the root account. Make it a strong one with upper and lower case letters, numbers, and other characters. At least 8 characters in length, the longer and more complex the better.

Now you'll configure your network interface. Choose your Ethernet card for starters. FreeBSD is not Linux, so it will have a different designation but you should be able to pick it out from a wireless card.

Now choose Yes when asked if you'd like to configure IPv4.

Choose Yes to configure DHCP. It will scan and pick up your router interface, go with it.

If you want to configure IPv6 at the next screen or not it's up to you.

Now set your timezone, choose No when it asks you if you use UTC, and proceed to the next screen to choose the proper time zone for you.

At the system Configuration screen choose to enable ntpdate, ntpd, and powerd. If you want to enable SSH choose SSHD too.

Choose No to enabling Crash Dump. It's not necessary.

At the System Hardening screen check the following boxes to enable the options:
Code:
Disable reading kernel message buffer for unprivledged users
Disable process dubugging facilities for unprivledged users
Ramndomize the PID for newly created processes
Disallow Dtrace destructive-mode
Choosing to disable reading kernel message buffer will disable the ability to use the dmesg command from the user account, showing a volume of system information, and you will have to log in as root to read it so it is an option you may wish to leave unchecked. We will set other variables ourselves later on.

Now's your chance to add a User account. Less privileged than root, it's what you'll be running in 99.9% of the time.

When asked if you want to invite the user to other groups make them members of:
Code:
wheel operator
Typed just like that.

Enter a password for that account, for the rest of the options choose the default option it recommends and just hit Enter to proceed from one to the next.

One account should be enough. When asked if you want to make another user account type no and hit Enter.

Now you're at the last screen of the build process. Exit and remove the installation media you used (CD, DVD, Flash drive) while it's restarting or it will loop back.

Now you're presented with a black screen which is our terminal. You've only installed the base system and no GUI or desktop have been installed at this point.

Log into your user account with the user name you chose and the password for it.

Now we're going to log into the root account by typing:

su


And entering the root password.

Now we're going to enable the pf firewall, which is taken from OpenBSD and the best all-around firewall going.

We're going to have to enter Easy Editor to make a ruleset and show the system where to look for it. Type:

ee /etc/pf.conf


And hit Enter.

You've just created a file called pf.conf in the /etc directory. Now type:
Code:
block in all
pass out all keep state
Hit the Esc key to bring up the options menu, choose file options, and save file.

Hit Esc again and exit Easy Editor back to the command line.

Now we have to show the system where to look for our ruleset and the logfile.

Then type:

ee /etc/rc.conf


You've just opened the file rc.conf in the /etc directory. This is a very important file and you should see some options already there, like your machine name and other options.

It's VERY IMPORTANT not to leave any option here uncommented on either end, meaning if you start an option it MUST begin and finish with quotes or you will not be able to start your system and have to enter Single User Mode to fix.

Use your arrow keys to scroll down past the lines that are already present and type these out:
Code:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

Now to save time and effort later so we can download microcode updates to keep your processor firmware up-to-date edit in:

Code:
microcode_update_enable="YES"

Notice how each option begins and finishes with a quote? You'll be adding your own later so don't forget to check it closely before you exit out of Easy Editor when you do. (Always hit Enter after your last entry so you end up on a new blank line.)

Now hit Esc to save the file, and Esc again to exit Easy Editor.

Now we'll reboot to make the changes we've made take effect by entering the following command:

shutdown -r now


And hitting Enter. Your machine will now reboot and you'll be back at the starting screen. Log into your user account again and then su into the root account once you do.

OK, so you missed commenting a line in /etc/rc.conf, possibly after the "equals" symbol, are seeing a message to that effect and can't move past that point... Here's how to fix it without having to start completely over. Enter the following commands from where you are now to go into Single User Mode:

fsck -y
mount -u /
mount -a -t ufs
swapon -a


Now you can edit /etc/rc.conf through EE like before to find the error. Reboot afterwards to continue on.

Now we need to apply any security patches that have been issued since the install media was distributed. This is something you'll want to check every day to see if any new patches have been issued. Chances are it will be weeks in between, but you want to stay up to date.

Enter the following command from your root account:

freebsd-update fetch


It will download updates to the system if any are available. When it's finished use your down arrow key to scroll to the end and back to the command prompt. Then enter the following command:

freebsd-update install


It won't take as long to install them as it did it download them. Once it's done, reboot:

shutdown -r now


If the system hangs and it doesn't look like it's going to finish the reboot cycle do a hard reset with the power button, it will be alright to do so.

When it reboots enter your user account again, and su to the root account by entering:

su


And your root password. Now we'll populate the ports tree, which is where we'll get all our programs, with the following command:

portsnap fetch extract


If all went well with the initial installation it should download and populate the ports tree, which will take a few minutes.

Now download the database for 3rd party program vulnerabilities by entering the following command:

pkg audit -F


After it's done we'll build portmaster from the ports tree by entering the following command:

cd /usr/ports/ports-mgmt/portmaster


Now you've changed directories with the cd command and are in the portmaster directory. Enter the following command:

make install clean


It will show you a few screens of possible options, just click Enter at each screen to go with the default options, with the exception of IPV6 at the python27 screen if you did not configure IPV6 during the install process, and choose Yes when it asks you if you want to proceed.

It will compile the 3rd party program portmaster from source code which will take a few minutes. You have the option of building programs from source though ports or using pre-compiled binary packages through the pkg system. Using pkg is much faster, but by using ports you can choose your own program options and it's the way I've always done it so that's what we'll use in this tutorial.

Ports are also updated more often than packages. Therefore, it will be easier to keep your 3rd party software up to date when new vulnerabilities are discovered, and by starting out using ports you'll get a feel for compiling programs and gain more CLI time for experience purposes in the process.

I recommend not to mix ports and packages, so once you start using ports stay with it. After you gain some experience you may want to rebuild your system and switch from ports to packages. If you'd rather start using the pkg system consult the FreeBSD Handbook.

When it's finished you can get back to the root directory by typing:

cd /


We're going to put portmaster to work right away and update your microcode. It will gather all dependencies and what it deems necessary to be built along with a port. It will also make the process easier by allowing you to set the variables for each of them all at once and not as they are being built.

portmaster sysutils/devcpu-data

After it's finished type the command:

service microcode_update start

Now we're going to build rkhunter to watch for rootkits and associated file changes. We have a clean system now and will run it to get a baseline. Once you've finished the installation of the Base System and 3rd arty programs run it again. That way you have a clean baseline to go by. if in the future it shows changes in your daily security report

We're going to choose the option to build nmap along with rkhunter so it can scan for open ports while rkhunter runs.

Enter the following command:

portmaster security/rkhunter


And hit Enter.

You'll be presented with a screen giving you the option to install nmap during the build, along with other screens indicating dependencies portmaster will install during the build. Use the down arrow to move the cursor to nmap and hit the spacebar to enable the option. After the build finishes enter the following command:
rehash

Now summon rkhunter, then update the definitions for it and run a scan, following directions given to hit Enter as the scan proceeds:
rkhunter
rkhunter --update
rkhunter --checkall


Now update your base file with this command. I think of it as prop up data to remember it:
rkhunter --propupd

Next we'll build Xorg by entering the following command:

portmaster x11/xorg


It will present you with several option screens for programs that are built with the Xorg metadata port like xterm, xclock, drivers, etc. It won't be necessary to choose all the graphic card drivers it presents, but go ahead and choose VESA along with the driver for your card. Again, if you did not configure IPV6 uncomment that line when the curl and python36 dependency screens comes up during the build process.

If you have a boxen with Switichable Graphics drivers for both chips should be checked to be installed at the Driver Selection screen. I have a Thinkpad T400 that has Switchable Graphics with Intel GMA 4500MHD and ATI Mobility Radeon HD 3470 chips. Both the Intel and ATI driver need to be checked for install at the driver selection screen during the install of x11/xorg.

Before you boot to the desktop it needs to be put into "Discreet" graphics mode in the BIOS. It then defaults to the Radeon chip and runs fine without any tweaking.

After Xorg is finally finished compiling (it will take a while) let's reboot by entering the following command:

shutdown -r now


After you have rebooted log into your user account, then into your root account by entering the following command and your root password:

su


Check to see if the ports tree has been updated or any new vulnerabilities have been found by entering the following commands:

portsnap fetch update
pkg audit -F
freebsd-update fetch


These are commands you'll be using on a regular basis to keep your system updated. Now we'll build fluxbox:

portmaster x11-wm/fluxbox


Fluxbox is a lightweight Window Manager that features transparency and has several nice styles to choose from. I can provide you with a few. I prefer it to desktops like KDE or Gnome due to all the extra baggage that comes bundled with them. The programs you'll install need to be added manually to the Fluxbox menu, which can be accessed and edited with leafpad from the /usr/home/username/.fluxbox directory. The . before the folder name designates it as a hidden folder.

When you get to the desktop, to populate your new menu with the programs you've installed without editing it manually run this command from the uer account:
fluxbox-generate_menu

If you would like to add icons to the fluxbox menu, you can create a small 32x32 image or find the one associated with the appropriate program to "Export As" an image in .xpm format from Gimp to where you want to save it. Then you link to the image from the fluxbox menu behind the command to call the program. It should look something like this:
Code:
[exec]   (urxvt) {urxvt} </usr/home/Trihexagonal/Images/iconred.xpm>

I am attaching at the bottom 3 fluxbox styles in .txt format if you would like to use them. 8ball.txt, bloodflow.txt and electricblue.txt. Remove the .txt extension, copy them to /usr/local/share/fluxbox/styles as root and they will appear with the rest in the default themes right-click fluxbox menu.

After it's done install your file manager:

portmaster x11-fm/xfe


Now for the text editor:

portmaster editors/leafpad


And the terminal we'll be using with fluxbox called urxvt, which uses an ~/.Xdefaults file for transparency and font selection I will supply:

portmaster x11/rxvt-unicode


When it's done compiling the programs we'll add the following lines to the rc.conf file by entering the following commands so it's activated on boot:

echo 'dbus_enable="YES"' >> /etc/rc.conf
echo 'hald_enable="YES"' >> /etc/rc.conf


This time you used the echo command instead of opening EE like before.

Now we need to log out of the root account and create a file called .xinitrc in your usr account folder by entering the following command from the usr account:

ee /usr/home/usernamehere/.xinitrc


The . before the file name designates it as a hidden file. You can make hidden files and folders visible in xfe options later.

Now type:
Code:
urxvt &
xfe &
fluxbox exec
Save and exit EE afterwards like you've done, reboot to make the changes we made take effect:

shutdown -r now


After it reboots log into your user account and enter the following command to bring up your desktop:

startx


If all went well, and it should if you've followed my instructions, you'll be presented with the fluxbox Window Manager screen, a urxvt terminal, and an xfe file manager window already open on the desktop. If you see a green and white WM you've logged in as root by mistake and need to reboot. Look over the xfe options to customize it to your taste.

If your box uses an older nvidia chip, maybe a Quardo NVS 140M or Quadro 1000M with Optimus, we have easy work first. Your card will need x11/nvidia-driver-304 or x11/nvidia-driver-340, emulators/linux_base-c7, x11/nvidia-settings and x11/nvidia-xconfig.

As root, run nvidia-xconfig. Run ee /ect/rc.conf, edit in linux_enable="YES", save and exit. Run ee /boot/loader.conf. To cover all chips, Edit in:


linux_load="YES"
nvidia_load="YES"
nvidia-modset_load="YES"


Now save file, exit editor and reboot. Now we can boot to the desktop same as them and see a nvidia boot screen display before we land for mad skills.

I have uploaded an ~.Xdefaults file to customize urxvt as a text file attachment at the bottom of the post. Remove the .txt extension and replace the leading period to make it a hidden file again before placing it in your user directory.

From now on you can log into the root account through urxvt. Do so now by entering the su command followed by your root password:

su


Then update your ports tree and check to see if there are any vulnerabilities in your programs:

portsnap fetch update
pkg audit -F


It's doubtful any have been found in the relatively short time since you got started, but is something you want to do on a regular basis once you get things going. When vulnerabilities are found use portmaster to update the file with the "portmaster filename" command, or remove it by changing to the programs directory and using the "make deinstall clean" command. Be aware that if you deinstall a program it may break another program, if it is a dependency of that program.

There are still several things you need to do. You will need to create folders for Documents, Downloads, Images, Music, Videos, etc. in your /home/username directory manually through the xfe File dropdown menu. We will be tweaking files to harden the system as well.

First we need to create a couple files and edit rc.conf, this time using leafpad. You should still be in your root account in urxvt, so enter:

leafpad


To bring up that text editor as root. Copy this text into leafpad:
Code:
[devfsrules_common=7]
add path 'ad*' mode 0666 group operator
add path 'da*' mode 0666 group operator
add path 'acd*' mode 0666 group operator
add path 'cd*' mode 0666 group operator
add path 'mmcsd*' mode 0666 group operator
add path 'pass*' mode 0666 group operator
add path 'xpt*' mode 0666 group operator
add path 'ugen*' mode 0666 group operator
add path 'usbctl' mode 0666 group operator
add path 'usb*' mode 0666 group operator
add path 'lpt*' mode 0666 group operator
add path 'ulpt*' mode 0666 group operator
add path 'unlpt*' mode 0666 group operator
add path 'fd*' mode 0666 group operator
add path 'uscan*' mode 0666 group operator
add path 'video*' mode 0666 group operator
add path 'dvb/*' mode 0666 group operator
And save it as /etc/devfs.rules

That's in the /etc directory, the filename is devfs.rules

Now enter the following commands:

echo 'devd_enable="YES"' >> /etc/rc.conf
echo 'devfs_system_ruleset="devfsrules_common"' >> /etc/rc.conf


And reboot using the shutdown command.

Open Xfe as root and in the File dropdown menu choose New folder to create a new folder named da0s1 in the Media directory. Now you should be able to access a Flash drive. Enter the mount command for it:

mount -v -t msdosfs /dev/da0s1 /media/da0s1


And unmount it before removing the drive to prevent problems:

umount -v -t msdosfs /dev/da0s1 /media/da0s1


Now that we've got the basics done and closer to surfing the net let's tweak the pf.conf file to harden our firewall. The network interface designation for your Ethernet card should be something like msk0, em0 or bge0 and can be found using the following command:

ifconfig


Now navigate to /etc/pf.conf as root with leafpad and change it to the following.
Code:
### Macro name for external interface
ext_if = "Network Interface Designation Goes Here"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spoof
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any

### Keep and modulate state of outbound traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

The following ruleset allows the machine running cupsd to be accessed by your other machines on the LAN:
Code:
[CODE]### CUPS_pf_rules_included
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Allow CUPS to use tcp ports 80 and udp port 631
cups_tcp = "{ 80, 631 }"
cups_udp = "{ 631 }"

### Allow CUPS to be accessible (change to your other machines ifconfig -a LAN designation )
table <local> { CUPS machine LAN address }

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Allow LAN to talk to CUPS on your machine
pass in log quick from <local> to any keep state

### Block spoof
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Allow CUPS to talk to clients on LAN
pass out log on $ext_if proto tcp to any port $cups_tcp keep state
pass out log on $ext_if proto udp to any port $cups_udp keep state

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
Save, exit leafpad, and reboot through urxvt to make the changes take effect:

shutdown -r now


Open /etc/ttys in leafpad as root and change every instance of secure to insecure to require the root password to logon in Single User Mode.

Open /etc/ssh/sshd_config in leafpad and change or uncomment the following lines by removing the number sign to read as below:
Code:
AllowTcpForwarding no
PermitRootLogin no
Protocol 2
X11Forwarding no
PermitTTY no
Open /etc/passwd to delete the line of the toor account then run this command:
pw userdel toor

Open /etc/aliases and set the root mailbox address to:
Code:
root: username@machinename
and run the newaliases command. Your daily messages will then be available to read as root in the /var/mail directory.

Finally, open /etc/rc.conf in leafpad and add the following entries to what's already there:
Code:
mouse_type="auto"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
powerd_enable="YES"
powerd_flags="-b adaptive -a hiadaptive"
sendmail_enable="NO"
fsck_y_enable="YES"
swapexd_enable="YES"
mixer_enable="YES"
snddetect_enable="YES"
syslogd_flags="-c -ss"
linux_enable="YES"
clear_tmp_enable="YES"
clean_tmp_X="YES"
avahi_daemon_enable="YES"
This will allow you to receive security updates via sendmail as root, enable Linux emulation for any programs you might install that need it, clear tmp files, etc. (It looks like sendmail is disabled but that takes the NONE variable.) Reboot one final time to ensure the file changes you've made go into effect.

With the exception of a few select programs you now have a fully functional FreeBSD desktop. In addition to a web browser you may want to build VLC to watch movies, Audacious to listen to music files, GIMP to manipulate images, nmap to portscan, bcrypt to encrypt password files, wipe to securely delete files, ePDFview to access PDF files, rkhunter to scan for rootkits, feh to change your desktop background, and gkrellm2 or conky for system stats.
 

Attachments

  • Xdefaults.txt
    3 KB · Views: 1,148
  • 8ball.txt
    5.9 KB · Views: 402
  • bloodflow.txt
    5.8 KB · Views: 385
  • electricblue.txt
    5.8 KB · Views: 364
Last edited by a moderator:
Where is the big bold warning that FreeBSD only supports Intel Integrated Graphics (HD Graphics) on CPUs that are 4 years old or older? That is kind of important to anyone thinking of building a new FreeBSD desktop.

https://wiki.freebsd.org/Graphics#Intel_Graphics

https://en.wikipedia.org/wiki/Haswell_(microarchitecture)

Also, why are you saying to compile everything from source? The package management system will have binaries ready to download and install without the need to compile. That will save a lot of time.
 
Mine is a 10 year old Intel i945GM and works without flaw so that didn't occur to me. My ATI Mobility Radeon HD 4250 (shows 4200 in dmesg) works, too.

The only problem I've ever had was with Optimus and entering mode 0 at the boot screen by choosing the 3rd option kept it from displaying multiple small screens. Once booted to the desktop it didn't give the proper resolution and needed Xorg -configure tweaking.

I learned how to set up a desktop some 12 years ago from a tutorial here on the site someone else wrote and it's my way of giving back to the community.
 
Mine is a 10 year old Intel i945GM and works without flaw so that didn't occur to me. The only problem I've ever had was with Optimus and entering mode 0 at the boot screen by choosing the 3rd option kept it from displaying multiple small screens. Once booted to the desktop it didn't give the proper resolution and needed Xorg -configure tweaking.

I learned how to set up a desktop some 12 years ago from a tutorial here on the site someone else wrote and it's my way of giving back to the community.

It is nice that you are giving back to the community (I should do more myself) and a good beginner's guide is a useful thing to have for people who need more than the handbook (which requires reading several chapters to cover what you did in a single post).

But, in my opinion compiling from source doesn't usually count as "beginners" and skipping over limitations in things that people coming from Windows/OSX is going to add more pain and confusion for the beginners.

I also didn't see you mention how to set-up specific drivers in x.org for the person's video card. I haven't done this since the very early 2000's. My FreeBSD systems all run headless. The handbook does seam to mention it, so I expect you can get better performance with the right drivers:

https://www.freebsd.org/doc/handbook/x-config.html
 
I learned to set it up using ports and that's what I've always used, even when I used PC-BSD before switching to vanilla FreeBSD. It's not as fast as pkg by any means but I point that out and if they follow my instructions I don't think a Windows user would have a problem using ports-mgmt/portmaster. Some people say it's alright to mix ports and packages. I'm almost certain I read at one point it wasn't, though I will admit to doing it 3-4 times.

I do recommend, as a beginner, not to do it lest problems arise they can't troubleshoot. I only remember asking one problem question here on the forums, when I first started using FreeBSD, about why www/lynx wasn't working for me and it was because I had neglected to configure it not to use IPV6 when I hadn't set it up. But that's just me.

I do state to choose the driver for your card in addition to x11-drivers/xf86-video-vesa.

It won't be necessary to choose all the graphic card drivers it presents, but go ahead and choose VESA along with the driver for your card.


I may well be overestimating the average persons skill and abilities, but forcing them to learn is what I think best. I probably would have started using FreeBSD in '98 but the install screens intimidated me. I had the thrill of a lifetime the day I successfully installed it from scratch using that tutorial.
 
Last edited by a moderator:
..

I do state to choose the driver for your card in addition to VESA.

Okay. My desktop is an Intel NUC (https://www.newegg.ca/Product/Product.aspx?Item=N82E16856102146) with the i3-6100U. That means the integrated graphics (only option on that system, no room to add a separate video card) is the Intel HD Graphics 520. This system is nearly a year old at this point. (To be fair, I do have that system, it does run FreeBSD, I use it as a headless media server, not a desktop. It would be nice if I could play videos directly from it instead of streaming to a Windows Desktop. So I do actually want to do what I'm asking.)

What driver do I use to get x working on a full-HD (1920x1080) screen?

It would be really nice if I could play videos with VLC (https://www.freebsd.org/cgi/ports.cgi?query=vlc-2.2.6) but that requires using the graphics card for decoding and playing or it ends up being choppy.


I haven't actually tried to get the wifi working on FreeBSD yet but you didn't really cover wifi.
 
I'll have to venture a guess and say x11-drivers/xf86-video-intel. You're asking me about new hardware when all of my machines are Win7 vintage or older.

I've lived in a large apartment complex the last 10 years and have only used wi-fi to the extent of enabling my card so I could use kismet. I don't use it or advise doing so from a security standpoint alone.

I have my wpa_supplicant.conf somewhere but would have to look for it.

https://www.freebsd.org/doc/handbook/network-wireless.html
 
I recommend not to mix ports and packages, so once you start using ports stay with it. After you gain some experience you may want to rebuild your system and switch from ports to packages. If you'd rather start using the pkg system consult the FreeBSD Handbook.
As a neub I was under the impression it was OK to mix ports on top of packages.

This is a good guide to get xfce up and running easily using packages. And once you're up and running just a case of
freebsd-update fetch
... and if updates are available
freebsd-update install
... to keep the core updated
Along with
pkg upgrade
... to keep programs updated

A barrier I hit was that I needed a hint to be set otherwise the initial boot didn't load. At the first screen I take option 3 and enter

set hint.ahci.0.msi=0
boot

... to get booted. After that I added the hint to /boot/device.hints

hint.ahci.0.msi="0"

... so that was automatically set for subsequent boots.

Another problem I hit was that it doesn't install or offer to install a bootloader. I use grub4dos bootloader on the first partition and installed freeBSD to my third partition (sda3 in Linux speak (ada0s3)), adding a entry of

title FreeBSD
root (hd0,2)
chainloader +1

to the menu.lst file on the first (boot) partition enabled freebsd to be booted (the root (hd0,2) is just indicating the first disk, third partition (counts from zero)). I selected UFS as the partition format when installing freeBSD.
 
Another problem I hit was that it doesn't install or offer to install a bootloader. I use grub4dos bootloader on the first partition and installed freeBSD to my third partition (sda3 in Linux speak (ada0s3)), adding a entry of

title FreeBSD
root (hd0,2)
chainloader +1

to the menu.lst file on the first (boot) partition enabled freebsd to be booted (the root (hd0,2) is just indicating the first disk, third partition (counts from zero)). I selected UFS as the partition format when installing freeBSD.

In this tutorial partitioning is set up automagically and uses the entire disk:

At the Partitioning menu choose Guided, for simplicity, and GPT for the Partition Scheme. It will give you a choice of where to install, choose your HDD which will be designated as ada0.

Choose Entire Disk at the next screen...

This is the exact method I've used to build FreeBSD 11.0-RELEASE on 5 different laptops and it installed a bootloader on all of them. It is also the exact method laid out in the FreeBSD Handbook:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/bsdinstall-partitioning.html

As I said, some people say it's alright to mix ports and packages. I thought it not best for a beginner and have only done so myself on 3-4 different occasions in 12 years. Using ports gives the person more experience with the command line and introduces them to compiling programs from source. Knowledge in these departments is a good thing IMO.

The option to consult the Handbook should the person prefer to use the pkg system is offered in the tutorial.
 
Knowledge in these departments is a good thing IMO.
It is. But since this is a "beginners guide", it is also likely to be of interest to people who don't plan to make a profession of it. There are lots of people out there who are interested in using FreeBSD (I see them every day on IRC and forums) but who don't have the time (or even interest) to pursue a deeper understanding. A didactic tone may not be the best plan since people with an academic intent will already know how to learn.

That said, your contribution is a good one. :)
 
I first became interested in FreeBSD as a Windows user in '98 but it looked beyond my skill set at the time to set up. Had a tutorial been available to me that spelled it out like I attempt to do I would have taken the plunge and possibly been more knowledgeable myself at this point.

It was only after becoming involved with PC-BSD, teaching myself to use ports and finding the tutorial I mentioned I felt confident to make the move.
 
I tried to update the tutorial using the appropriate tags for ports, files, etc. but got an error message to make a message of less than 20000 characters. :)
 
Where is the big bold warning that FreeBSD only supports Intel Integrated Graphics (HD Graphics) on CPUs that are 4 years old or older? That is kind of important to anyone thinking of building a new FreeBSD desktop.
Possibly right next to the "Use a nVidia card cause they support FreeBSD" notice.
 
Using pf firewall for new users is not a best idea IMHO,
ipfw is much easy to use for basic desktop,
to enable dbus and ipfw with ssh support, just add
Code:
dbus_enable="YES"

firewall_enable="YES"
firewall_type="workstation"
firewall_myservices="ssh"
#firewall_allowservices="any"
firewall_allowservices="192.168.0.0/24"
to /etc/rc.conf.
To enable automount, read this.

To install XFCE desktop environment, just type # pkg ins xorg xfce

To install a login manager — # pkg ins slim,
also you need to add slim_enable="YES" to /etc/rc.conf.
(After installation replace
Code:
login_cmd           exec /bin/sh - ~/.xinitrc %session
with
Code:
login_cmd           exec %session
in /usr/local/etc/slim.conf)
Also you can try to use this nice theme from this post.

Install network manager — # pkg ins networkmgr
and follow these instructions.
9kXgv35.png


If you would like to use a dock, install plank # pkg ins plank

Additionally install Vertex theme and Numix icon theme

After all you'll get something like this
xaf2rhO.png


Where is the big bold warning that FreeBSD only supports Intel Integrated Graphics (HD Graphics) on CPUs that are 4 years old or older?
It is not true.
 
Last edited by a moderator:
Using pf firewall for new users is not a best idea IMHO,
ipfw is much easy to use for basic desktop,

We'll have to disagree on that point. While the implementation is not quite the same, the pf firewall comes from OpenBSD and is what I consider to be the superior packet filter firewall. I just finished an nmap slow comprehensive scan on all my FreeBSD boxen from the LAN and it returned a result of all 2000 ports scanned filtered or open|filtered. I ran my laptops connected directly to the internet for months without hesitation or resulting incursion.

As for ease of use, I supply what is basically the ruleset I use, minus a few rules some might feel unnecessary, and it is set and forget.

I already provide instructions on how to enable dbus:

When it's done compiling the programs we'll add the following lines to the rc.conf file by entering the following commands so it's activated on boot:

echo 'dbus_enable="YES"' >> /etc/rc.conf
echo 'hald_enable="YES"' >> /etc/rc.conf

From beginning to end this is exactly how set up my FreeBSD boxen and I have put many hours of work over the past year into refining it to be as clear, concise and comprehensive as possible. I do, however, welcome any and all critique.
 
We'll have to disagree on that point. While the implementation is not quite the same, the pf firewall comes from OpenBSD and is what I consider to be the superior packet filter firewall.
I agree, I meant "rookies" when I wrote "new users", english is not my native language, the point was that it is much more easy to configure ipfw, because you do not need to create any firewall rules, just add a few lines to the rc.conf.

I already provide instructions on how to enable dbus
I saw, in that post I wrote an alternative way to configure a basic FreeBSD desktop. It should work fine, if all important steps from my post will be made.
 
I agree, I meant "rookies" when I wrote "new users", english is not my native language...

No problem. The rules are what I like best about it, being somewhat of a firewall tinkerer going back to ConSeal PC Firewall. :)
 
There is a vulnerability in graphics/OpenEXR and has been for several weeks. It's a dependency of graphics/gimp, which I use a lot, and when I tried building it from ports it stopped there like I thought it would. So I tried packages.

pkg install gimp did the full install of graphics/gimp even though pkg audit -F shows graphics/OpenEXR as vulnerable on my system now. I'm not worried about it because I take responsibility for my own actions, know that it's used for and can avoid it, but that seems like a good reason to me for a beginner to use ports in itself.

Edit: To top it off devel/dbus was set up incorrectly and I had to run dbus-uuidgen --ensure to create /var/lib/dbus/machine-id to get graphics/gimp or www/firefox to open. A first time thing for me.

I still say mixing ports and packages is bad medicine, but that's just me.
 
Last edited by a moderator:
Now that you've got your system set up fully, have committed yourself to using FreeBSD and will remain doing so ad infinitum, here's a tip to make it easier on yourself next time you build it from scratch.

Save your /etc folder to a USB drive for future use. The next time you build from scratch and are at the desktop you can cut your work down by opening editors/leafpad from your root account and typing:

Code:
[devfsrules_common=7]
add path 'usb*' mode 0666 group operator
and saving it as /etc/devfs.rules.

Open /etc/rc.conf and add the following lines:
Code:
devd_enable="YES"
devfs_system_ruleset="devfsrules_common"
Open x11-fm/xfe as root and create a new folder: /media/da0s1

Then you can mount the drive you saved the /etc folder on by using the mount command:

mount -v -t msdosfs /dev/da0s1 /media/da0s1

Now you can just copy off those important files individually that you spent so much time typing out. Just be careful.

Save your x11-wm/fluxbox menu and styles, too.

It's how I do it and it saves a lot of time and effort.
 
Last edited by a moderator:
Great HOW TO. Very much appreciated. My first BSD build, went smoothly after I found this.
Just one question should there be an * after the usbctl?
[devfsrules_common=7]
add path 'usbctl' mode 0666 group operator
Thank You
 
Back
Top