Beginners Guide - How To Set Up A FreeBSD Desktop From Scratch

[bookwormep]

Trihex:
Bravo!

 

[Trihexagonal]

Thanks to micheal_hackson for making me aware of my reverse of correct usage of flags with powerd in my /etc/rc.conf file.

I've only been doing it like that for 12-13 years.

 

[Avery Freeman]

Hey, pretty sweet. Congrats on the FreeBSD News link, too.

My critiques were already said by most other people - namely, why ports for new users? When I first started with FreeBSD back in 2011 I thought compiling from source was the only way to install software - had a netbook at the time which worked fine, if I wanted to wait for days on end just to compile the simplest things and risk running out of disk space (try compiling FireFox on an Atom 220 with a 16GB PATA 1.8" SSD).

Not learning how to use pkg_add (as it was back then) was probably the main reason I skipped off to Linux (and other) for the following 7 years. Had a blast trying everything under the sun (everything from Debian to Arch, Alpine to Fedora, MeeGo (remember MeeGo?) and my personal favorites, the Solaris/ishes, like SmartOS and OmniOS - which are so, so great, and also so, so dead). So but anyway, I definitely don't recommend ports for new users, easier (or anyone who wants to get shit done in a hurry).

Also, I like that you explain how to mount flash drives, but I noticed there's no mention of fuse-ntfs? A lot of them come NTFS-formatted these days now that they're several GB in size, would help interoperability with other users, etc.

 

[Avery Freeman]

Shameless self-promotion:

https://forums.freebsd.org/threads/...r-recording-and-streaming-hdhomerun-tv.66054/

 

[Trihexagonal]

Hey, pretty sweet. Congrats on the FreeBSD News link, too.

My critiques were already said by most other people - namely, why ports for new users?

*snip*

Also, I like that you explain how to mount flash drives, but I noticed there's no mention of fuse-ntfs? A lot of them come NTFS-formatted these days now that they're several GB in size, would help interoperability with other users, etc.

This started out to be my own notes to myself so I wouldn't forget how to do things while I was offline for a little over a year. At some point I decided to try and make a tutorial out of it. If there had been something like this in '98 I would have started using FreeBSD then, but it looked beyond my skillset at the time to set it up. I wrote it for people who are just I like I was back then.

PC-BSD got me to the desktop. When they first started out they had a .pbi Push Button Installer which seemed like a Windows .exe to me. I was interested in FreeBSD so I taught myself to use ports. I think I benefited from the experience overall, and though I do use pkg on my OpenBSD boxen have only done so a handful of times with FreeBSD.

The thought of using pkg instead of instructing how to use ports never even occurred to me till much later when I realized it might not be as easy for new people to use ports-mgmt/portmaster as I thought it was.

I have Flash Drives as large as 128GB and the first thing I do with them is:

dd if=/dev/zero of=/dev/da0 bs=2m count=1
fdisk -BI /dev/da0
newfs_msdos /dev/da0s1

Shameless self-promotion:

https://forums.freebsd.org/threads/...r-recording-and-streaming-hdhomerun-tv.66054/

Oh, I see now you and me are going to be friends.

And after 20 years of honing shameless self-promotion into a sorcerous skill suitably consider yours truly a Talker.

 

[Avery Freeman]

Oh, hm, interesting, apparently .pbi files are used for FreeNAS plugins, too

Kind of reminds me of the 'one-click-installer' files for OpenSUSE. But not as reliable, apparently, from what I'm reading (looks like lots of incompatible changes from version to version). OpenSUSE is definitely Linux with training wheels.

Kind of more like a .BAT file than an .EXE, wouldn't you think? Since it's not compiled... (just a script)

Yeah, if you rewrite the guide for pkg and it'll get like a million times easier (and faster)

Why would you use FAT32 on a drive as large as 128GB? Why not ZFS? Or NTFS if you want near-universal compatibility? Don't you ever need to use them in other people's computers?

 

[Trihexagonal]

Yeah, if you rewrite the guide for pkg and it'll get like a million times easier (and faster)

I can say now with all certainty I won't be doing that. Even though it goes against all recommendations ports are what I prefer to use and take pleasure in doing so. I still think it best to give new people that command line experience and in compiling ports, but that's just my opinion. I carry over a lot of what I learned from my PC-BSD days.

I also include the option to use pkg if they so desire, more explicitly on my website than here. Here I take it they can figure it out to consult the Handbook for instruction in doing so, there I direct them to consult it, and the outline can still be followed.

You have the option of building programs from source though ports or using pre-compiled binary packages through the pkg system. Using pkg is much faster, but by using ports you can choose your own program options and it's the way I've always done it so that's what we'll use in this tutorial.

I hear people at another forum make the same argument about new users using a pre-rolled disto as opposed to one you build from the ground up. Same theory applies IMO. If you're going to learn to swim jump in the deep end, or at least edge them in that direction.

Why would you use FAT32 on a drive as large as 128GB? Why not ZFS? Or NTFS if you want near-universal compatibility? Don't you ever need to use them in other people's computers?

Why not? I only use them for storage and it stores just as well on FAT32. I've gifted music to family members on USB stick and they plug them into the car stereo to listen on long trips. It's interoperable with Windows and that's all they're capable of using anyway.

I had a 500GB USB HDD that came with NFST file system and used a FAT command for larger drives on it as well.

 

[Trihexagonal]

Updated to reflect changes in FreeBSD 12.0-RELEASE including modifying the Partitioning Scheme layout from GPT to MBR to avoid possible problems during the install process, changes to the System Hardening menu and instructions on how to get back the old PAGER behavior.

System settings for those who choose to build 11.2-RELEASE instead of 12.0-RELEASE are still included.

I also reordered the steps so enabling the pf firewall is the first thing done to reflect the order in which I actually build my machines, along with setting the PAGER in the process for continuity.

I also updated my site tutorial where you can see forum member screenshots of various DE and WM in addition to over 60 wallpapers Free not only for Christmas but 365 days a year!

 

[teo]

Open /etc/aliases and set the root mailbox address to:

root: username@machinename

and run the newaliases command. Your daily messages will then be available to read as root in the /var/mail directory.

A question, the configuration of the address of the root mailbox is to leave as it says the guide or is it necessary to put the name of the user and the machine replacing the example?

......rkhunter to scan for rootkits....

And how do I proceed with the output message given by the rkhunter packet?

Message from rkhunter-1.4.4:

******************************************************************************

You should keep your rkhunter database up-to-date.
This can be done automatically by putting this line to periodic.conf(5) files:

daily_rkhunter_update_enable="YES"
daily_rkhunter_update_flags="--update --nocolors"

Also, you can run rkhunter as a part of the daily security check by
putting this line to periodic.conf(5) files:

daily_rkhunter_check_enable="YES"
daily_rkhunter_check_flags="--checkall --nocolors --skip-keypress"

******************************************************************************

Greetings!

 

[Trihexagonal]

A question, the configuration of the address of the root mailbox is to leave as it says the guide or is it necessary to put the name of the user and the machine replacing the example?

This is mine on the machine I'm on now:

root:    jitte@unmei

jitte is my username and unmei my machine name. This allows me to get my daily reports as root in /var/mail/root.


The info from security/rkhunter goes in /etc/periodic.conf. If it doesn't exist, which it probably won't, create it and add these lines:

daily_rkhunter_update_enable="YES"
daily_rkhunter_update_flags="--update --nocolors"
daily_rkhunter_check_enable="YES"
daily_rkhunter_check_flags="--checkall --nocolors --skip-keypress"

Then it will run nightly and you'll get a report in your daily security mailings along with other relevant system info in that same file.

 

[teo]

This is mine on the machine I'm on now:

root:    jitte@unmei

jitte is my username and unmei my machine name. This allows me to get my daily reports as root in /var/mail/root.

For example, the name of the machine is the name of the hostname? Very kind of your to clarify.

 

[Trihexagonal]

For example, the name of the machine is the name of the hostname? Very kind of your to clarify.

Yes, that's how I set my Hostname during the install process when I set up networking:

When presented with the Set Hostname screen enter your machine name.

I use the machine name as the hostname on all my machines, all of which are on the same LAN. The router handles IP assignment, all have Internet access and each machine gets the daily mail report like they should.

 

[johnblue]

Enjoyed the howto Trihex! Good job.

Good sysadmin workflow is generally underpinned by logic. There is, of course, always room for customization shaped by our own individuality. I would recommend you revisit a couple of items in your list to make sure that the processes are sound and not a "five monkey" rule.

First is the installation of ports from the install media. Is that really needed if nothing from ports is to be installed prior to connecting the Internet? For example, if you decide to keep the install of ports then I would recommend that you remove the inital portsnap fetch extract (that just overwrites your existing ports) and replace it with portsnap fetch update. And while I too agree command line experience is the best it also nice to know about shorter alternatives. A "protip" of portsnap auto and explanation of the differences could be helpful. Additionally, you now have a nice segue to introducing the new user to man pages by using portsnap auto as an example.

While on the topic of shorter commands, it is good to know that shutdown -r now can also be effected with a simple reboot. Follow that with a quick blurb about shutdown -p now vs poweroff if, for nothing else, to point it out and let the reader choose their preference.

I would also recommend a slight explanation as to why you are asking the reader to add the new user to "wheel" and "operator". I personally do not know the value in adding "operator" but that could just be because of my workflow of only using "wheel".

Lastly, I am a convert to less vs more pager setting.



SirDice pointed out that if you are in a man page you cannot scroll back and forth using more and it is a valid point. Especially more so if a keyboard does not have a scroll lock key then less would be very handy. That said, if you do not include an explanation (even if you monologue) for deviating from the "standard" then you are for sure creating a "five monkey" rule!

 

[Trihexagonal]

Thanks for pointing out the example of the "five monkey" rule. That makes more sense to me than you can know on many levels. But I'm also working under the 20,000 character limit for a post rule and only words from the upper limit, usually having to do away with excess text to make room for edits and will see what I can do.


I hadn't actually thought about running portsnap fetch extract after already installing them from the install media. portsnap auto isn't a variable I was aware of or have even used.

I've always made myself a member of the wheel and operator group. It's how I learned to do it and comes in handy down the road. I've seen people talk about having to add themselves to a "video" group or whatnot to solve a problem that wouldn't have occurred had they been a member of the operator group.

The PAGER set to more is just the way it's always been for me and what I'm familiar with. SirDice I believe said the opposite, that it had already been less for him the whole time and he never even noticed the difference. Most people did and thought it was broke, including myself till I set it back to more.

A lot of the way I do things are how I taught myself to do it and just the way I've always done it.

 

[johnblue]

.. I'm also working under the 20,000 character limit for a post ..

Roger that. While your howto is methodical, it is a heavy lift for a brand new user to go from OS install to a functional GUI. If you were to break it into two parts with the GUI in a "part 2" thread it could help clear some room for more words.

I've seen people talk about having to add themselves to a "video" group or whatnot to solve a problem that wouldn't have occurred had they been a member of the operator group.

Ah. Understood. A GUI problem. I think the last time I attempted a GUI on a BSD box my mouse had a DB9 connector.

.. had already been less for him the whole time ..

Correct. I was talking more to the point of why you might want less instead of more. man pages is a perfect example.

Give me a good, logical reason to do something different and I will flip-flop on an issue faster than some of the stable geniuses that are currently running the United States of America.

 

[Trihexagonal]

Correct. I was talking more to the point of why you might want less instead of more. man pages is a perfect example.

Give me a good, logical reason to do something different and I will flip-flop on an issue faster than some of the stable geniuses that are currently running the United States of America.

With the PAGER set to "less" it jumped back 23 lines in the terminal when running freebsd-update fetch:

https://forums.freebsd.org/threads/...ops-at-the-editor-vi.68722/page-2#post-410704

That's in addition to uncommon behavior in the terminal when using ports-mgmt/portmaster not seen when using "more":

https://forums.freebsd.org/threads/freebsd-update-fetch-stops-at-the-editor-vi.68722/#post-410130

What advantage is given with man pages would seem outweighed by what appears as buggy behavior when using less compared to that seen when utilizing more.


To split up the tutorial now would put the second part behind all these posts, many of which raise or cover points that several different people found cause for concern in one form or another. If I made another thread it would be even more spread out. I am always open to suggestions and constructive criticism and have made several suggested or needed changes since posting it.

My goal is to get a person who has never used the terminal to a fully functional FreeBSD desktop in one easy lesson, so to speak. Not even the "Sam's Books" attempted that. Yes, that is pretty heavy lifting and a lot to ask from someone new especially using ports, but I do my best to spell it out. Hopefully, if I can get them to the end of the tutorial where they only have to set up a few choice 3rd party programs for themselves they will have picked up on it enough by that point to finish it out and take it from there. The Handbook should be their next stop. If I don't recommend that here it's because they're supposed to know it and do make a point of it on my site where I have it posted.

It's usually when people start out on their own experimenting with tweaking this or trying out that they run into problems they can't yet solve for themselves. That's good in a sense they are learning on their own and I'm all for it, but bad that they don't leave well enough alone while they have a working desktop to better learn more about the particulars before taking the chance of breaking something.

It's actually my task analysis of setting up a FreeBSD desktop using ports.

 

[teo]

Now we're going to enable the pf firewall, which is taken from OpenBSD and the best all-around firewall going.

We're going to have to enter Easy Editor to make a ruleset and show the system where to look for it. Type:

ee /etc/pf.conf


And hit Enter.

You've just created a file called pf.conf in the /etc directory. Now type:

block in all
pass out all keep state

Hit the Esc key to bring up the options menu, choose file options, and save file.

Hit Esc again and exit Easy Editor back to the command line.

Now we have to show the system where to look for our ruleset and the logfile.

Then type:

ee /etc/rc.conf


You've just opened the file rc.conf in the /etc directory. This is a very important file and you should see some options already there, like your machine name and other options.

It's VERY IMPORTANT not to leave any option here uncommented on either end, meaning if you start an option it MUST begin and finish with quotes or you will not be able to start your system and have to enter Single User Mode to fix.

Use your arrow keys to scroll down past the lines that are already present and type these out:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

Notice how each option begins and finishes with a quote? You'll be adding your own later so don't forget to check it closely before you exit out of Easy Editor when you do. (Always hit Enter after your last entry so you end up on a new blank line.)

Hello Trihexagonal , is still valid example of firewall for network security on the internet?

 

[Trihexagonal]

Hello Trihexagonal , is still valid example of firewall for network security on the internet?

The minimal ruleset given at the beginnning will work on my desktops till I install my own even if it takes days:

block in all 
pass out all keep state

Here is the one I use on all my FreeBSD and OpenBSD boxen, with a different egress syntax for OpenBSD. It's all set to block so no big security breach to post it. Though you may not want or need all the rules I have you can use it as a syntax example of how to write your own:

### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

This is what it does:

root@unmei:/ # pfctl -s rules
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.2 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state
root@unmei:/ #

 

[grahamperrin]

… the value in adding "operator" …

… I've always made myself a member of the wheel and operator group. It's how I learned to do it and comes in handy down the road. I've seen people talk about having to add themselves to a "video" group or whatnot to solve a problem that wouldn't have occurred had they been a member of the operator group. …

operator

In my case

grahamperrin@momh167-gjp4-8570p:~ % pkg query %M | grep operator
For USB support your user needs to be in the operator group and needs read
% pw groupmod operator -m jerry
add path 'usb/*' mode 0660 group operator
grahamperrin@momh167-gjp4-8570p:~ %

The phrase in the first matched line was familiar – For USB support your user needs to be in the operator group – so I used a search engine to find it in the freshports.org domain. Answer: emulators/virtualbox-ose

grahamperrin@momh167-gjp4-8570p:~ % pkg query %M virtualbox-ose | grep operator
For USB support your user needs to be in the operator group and needs read
% pw groupmod operator -m jerry
add path 'usb/*' mode 0660 group operator
grahamperrin@momh167-gjp4-8570p:~ %

Generally

Unfortunately, this finds nothing:

grahamperrin@momh167-gjp4-8570p:~ % pkg rquery %M | grep operator
grahamperrin@momh167-gjp4-8570p:~ %

– FreeBSD bug 230770 – ports-mgmt/pkg pkg rquery %M does not return messages

video

grahamperrin@momh167-gjp4-8570p:~ % pkg query %M | grep video | grep group
"video" group.
grahamperrin@momh167-gjp4-8570p:~ %

Without using a search engine, the requirement for this group membership is more memorable. drm-related. In my case:

grahamperrin@momh167-gjp4-8570p:~ % pkg query %M drm-legacy-kmod | grep video | grep group
"video" group.
grahamperrin@momh167-gjp4-8570p:~ %

Generally (see the pkg-message sections):

• graphics/drm-legacy-kmod
• graphics/drm-fbsd12.0-kmod
• graphics/drm-current-kmod

There may be other video group requirements but (sorry) with bug 230770, I can't tell.

 

[Polyatomic]

But I'm also working under the 20,000 character limit for a post rule and only words from the upper limit, usually having to do away with excess text to make room for edits and will see what I can do.

Right honourable operator Trihexagonal, I extend a greeting to you. May I make a solitary suggestion, perhaps in future thread authorship you could reserve post #2 to effectively double the character limit. :)

 

[Trihexagonal]

operator

In the instructions I provide to create a /etc/devfs.rules file all the group owners are the operator including the "video" group. I should always have coffee before posting.

Premium principled poster Polyatomic, I'm pleased to pronounce the proposed plan to preserve the secondary position for supplementary pontification shall profit me plenty as a prolific penner of posts and praise your perceptivity profusely.

 

[shamssaki]

is there any difficulties if i dont use firewall & single user mode.
(i use linux from 1998 and new to FreeBSD. Once I use 10.2 for 3 month. Now i installing 12.0 stable. )

 

[shamssaki]

freebsd-update fetch not work
Mirror not found

 

[SirDice]

is there any difficulties if I don't use firewall & single user mode.

Not using a firewall is not a problem. Don't use single user mode for your day to day work. That's not going to work and is not what single user mode is for.

freebsd-update fetch not work
Mirror not found

Open a new thread for your issue and post the whole error and commands.

 

[teo]

Open /etc/aliases and set the root mailbox address to:

root: username@machinename

and run the newaliases command. Your daily messages will then be available to read as root in the /var/mail directory.

Finally, open /etc/rc.conf in leafpad and add the following entries to what's already there:

mouse_type="auto"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
powerd_enable="YES"
powerd_flags="-b adaptive -a hiadaptive"
sendmail_enable="NO"
fsck_y_enable="YES"
swapexd_enable="YES"
mixer_enable="YES"
snddetect_enable="YES"
syslogd_flags="-c -ss"
linux_enable="YES"
clear_tmp_enable="YES"
clean_tmp_X="YES"
avahi_daemon_enable="YES"

This will allow you to receive security updates via sendmail as root, enable Linux emulation for any programs you might install that need it, clear tmp files, etc. (It looks like sendmail is disabled but that takes the NONE variable.) Reboot one final time to ensure the file changes you've made go into affect.

Hello Trihexagonal, with respect to Sendmail, it is advisable to disable (NO) in the /etc/rc.conf configuration file after modifying the /etc/aliases file? Or remain by default NONE in the /etc/rc.conf file ?

example:

# ee /etc/rc.conf

sendmail_enable="NONE"

Or:

# ee /etc/rc.conf

sendmail_enable="NO"