Base Install (sysinstall)
- Install the full distribution ("All system sources, binaries and X Window System").
- Install the ports collection.
- Configure the network.
- Recommended packages:
bashcvsup-without-gui(may not be available -- in this case, install later withportinstall)ispellkdemozillaportupgradersyncscreen(if available)sudo
- Note: If you want each user to have its own personal groups (Linux & Panther style), create the new groups first in sysinstall. Make sure any administrative accounts have group 0 (
wheel) membership -- otherwisesuwill be unavailable.
Accounts & Basic Setup
- Enable serial console:
echo "-hD" > /boot.config# "man boot" for details - If you didn't enable serial terminal in
sysinstall, do it now:echo 'ttyd0 "/usr/libexec/getty std.9600" vt100 on secure' >> /etc/ttys visudo# uncomment full access for%wheelcd /root && ftp http://www.reppep.com/~pepper/freebsd/install/reppep.tgz && tar xzf reppep.tgz && ls -lt reppep# get recommended additions & patches, and unpack as/root/reppep- If you have local patches, unpack them too:
tar xzf local.tgz && ls -lt reppep patch /etc/ssh/sshd_config /root/reppep/sshd_config.diff- Install your custom kernel configuration file in
/usr/src/sys/i386/conf(if you have one). cd /etc && cp /root/reppep/make.conf . && cat /root/reppep/rc.conf* >> rc.conf && vi resolv.conf rc.conf make.conf && egrep -v '(^$|^#)' rc.conf | sort | more# put your own customizations inrc.conf.local; make sure no variables are defined twice inrc.confmkdir -p /usr/sup && cp /root/reppep/cvsupfile /root/reppep/rc.firewall.local /root/reppep/periodic.conf /root/reppep/ntp.conf /etc && cp /root/reppep/refuse /usr/sup && vi /etc/cvsupfile /etc/ntp.conf /usr/sup/refusemkdir -p ~root/bin ~root/logcd /root/reppep && cp build-world-kernel.sh cvsup.sh /root/bin && chmod u+x /root/bin/*.sh && rehashmkdir -p /var/log/pkgtools && patch /usr/local/etc/pkgtools.conf /root/reppep/pkgtools.conf.diffadduser -C
Upgrade Source, Kernel & World (do this periodically)
Note: The official recommendation, described at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html, is a bit more involved but safer. If you're not clear on the differences between this procedure and the official one, you should use the Handbook's procedure instead.
Warning: It's easy to break your system, or lock yourself out, when upgrading the kernel or world. Make sure you have console access (PS/2-style or serial) before upgrading.
cvsup.sh# upgrade FreeBSD base (kernel & world) source, and the ports tree; doesn't affect installed portscd /usr/src && mergemaster -p#mergemasteris potentially time-consuming, so it's nice to do it before taking the system down.build-world-kernel.shmake installkernelshutdown -r now- Verify new kernel.
shutdown now# single-usercd /usr/src && make installworldmergemastershutdown -r now- Edit any additional configuration files in
/etcor/usr/local/etc. - Test the network connection and firewall rules (perhaps with
ipfw list).
Note: If you're using this section to upgrade a running system, rather than configuring a new one, run portupgrade -ai when satisfied with the kernel & world.
Configure BIND
- (Assuming FreeBSD 5.3+ with BIND 9):
cd /var/named/etc/namedb/ && sh make-localhost && vi named.conf && grep named /etc/rc.conf# should seenamed_enable="YES" vi named.conf# mandatory: configure options & add zones- Install any (master) zone files
/etc/rc.d/named start && tail -20 /var/log/messages
Install Ports
cd /usr/ports/lang/perl5.8 && make install && rehash && perl --version#use.perl portno longer necessaryportupgrade -a ; portversion -l /<# try to upgrade everything -- if this doesn't work, follow the instructions under 20040226 in/usr/ports/UPDATING.portinstall -f www/apache2 postfix imap-uw# forceportinstall analog cronolog curl docproj-nojadetex htmldoc lsof lynx-ssl mailman minicom netatalk nmap nut portaudit procmail portaudit smartmontools webmin squirrelmail drac mozilla ntop screen p5-MIME-Base64 p5-Time-HiRes pyzor p5-Mail-SpamAssassin && rehashecho "- -noddp -passwdminlen 6 -loginmaxfail 6 -uamlist uams_dhx.so -advertise_ssh" >> /usr/local/etc/afpd.conf# to actually handle tunnelledssh, also add something like "- -fqdn me.example.com"- vi /etc/pam.d/netatalk:
netatalk auth required pam_unix.so try_first_pass netatalk account required pam_unix.so try_first_pass netatalk session required pam_permit.so
- If desired: configure X (beyond the scope of this document) http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/x-config.html.
- If and when X is working, you might want to KDE automatically at boot:
echo 'ttyv9 "/usr/local/bin/kdm" xterm on secure' >> /etc/ttys, or use KDE withstartx:echo exec startkde > ~/.xinitrc# as each user who will use X11
Configure Mail
amavisd-new
cd /etc/mail && mv mailer.conf mailer.conf.sendmail && cp /root/reppep/mailer.conf .vi /etc/aliases && newaliases# forward for $myself &rootcd /usr/local/etc && cp /root/reppep/procmailrc . && vi procmailrcpatch /etc/inetd.conf /root/reppep/inetd.conf.diff && killall -HUP inetd# enables unencryptedimap-- I suggest blocking this in your firewall, which leaves it accessible on127.0.0.1, if using webmail, and disabling theimapport otherwiseecho 'inetd_enable="YES"' >> /etc/rc.conf echo 'inetd_flags="-wW -C 60"' >> /etc/rc.conf
- Already in
rc.conf.append:dracd_enable="YES"; add:echo 'rpcbind_enable="YES"' >> /etc/rc.conf echo localhost > /usr/local/etc/dracd.host
- For FreeBSD 5.x:
cd /etc/pam.d && patch < /root/reppep/imap.diff && patch < /root/reppep/pop3.diff - For FreeBSD 4.x:
patch /etc/pam.conf /root/reppep/pam.conf.diff vipw && vi /etc/group && mkdir /home/spamd && chown spamd:spamd ~spamd# Create spamd accountrazor-admin -create && razor-admin -register && pyzor discover# configure razor & pyzorvi /usr/local/etc/mail/spamassassin/local.cf# customize SpamAssassinecho localhost > /usr/local/etc/dracd.host && /usr/local/etc/rc.d/dracd.sh start- If using Postfix virtual hosts:
vi /etc/mail/virtual && postmap /etc/mail/virtual cd /usr/local/etc/postfix && cat /root/reppep/main.cf.* >> main.cf && vi + /usr/local/etc/postfix/main.cf && postfix stop ; killall sendmail ; postfix check && postfix start && sleep 1 && tail /var/log/maillogcd /usr/ports/mail/imap-uw && make cert && chmod -x /usr/local/certs/imapd.pem# follow prompts- If desired:
portinstall -f mysql-server# -f to get around the hold inpkgtools.conf
Configure Apache & SquirrelMail
# Copy config files and build diffs for <http://www.reppep.com/~pepper/freebsd/install> diff -u source/httpd.conf.php source/httpd.conf > reppep/httpd.conf.diff diff -u source/httpd.conf source/httpd.conf.local > local/reppep/httpd.conf.diff.local
mkdir -p /var/log/httpd /home/httpd && mv /usr/local/www /home/httpd && mv /home/httpd/data /home/httpd/htdocs && cd /usr/local/etc/apache2 && patch httpd.conf /root/reppep/httpd.conf.diff- Either apply a local patch (
patch httpd.conf /root/reppep/httpd.conf.diff.local), orvi httpd.conf(setServerAdmin&ServerNameand review security) mkdir -p ssl.crt ssl.key && ln -s /usr/local/certs/imapd.pem ssl.key/server.key && ln -s /usr/local/certs/imapd.pem ssl.crt/server.crt && touch vhost.conf && vi ssl.???/* vhost.conf && apachectl stop && apachectl configtest && apachectl startssl && apachectl fullstatus# remove cert fromserver.key& key fromserver.crtapachectl configtest && apachectl gracefulcp /usr/local/etc/php.ini-recommended /usr/local/etc/php.inicd /usr/local/www/squirrelmail && ./configure- Test https://$hostname/mail/.
- Verify SquirrelMail works (it uses unencrypted IMAP to localhost) &
telnet $hostname imapfails properly, if blocked by firewall. - Add any desired SquirrelMail plugins.
webmin
cd /usr/local/lib/webmin/ && ./setup.sh- Visit https://$hostname:10000/
- Webmin Configuration: IP Access Control: Configure "Only allow from listed addresses" to 127.0.0.1 & trusted IPs.
- Webmin Users: Remove unused modules.
- If mysql-server is installed, configure under Servers.
/usr/local/etc/rc.d/webmin.sh stop# usestartargument later, to bring upwebminas needed
扫一扫
520
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
