HOWTO: Install and configure FreeBSD


#1

Installing FreeBSD 5.3, applying security patches and setting it up as a firewall/gateway with optional QoS/shaping capabilities

Disclaimer: Screw ups are your own fault, not mine, your pet or your neighbour. Also, if you plan to not read the documentation and links that I refer to don’t even bother trying this.

I did a quick review and killed tons of typos and sentences that didn’t make any sense, hopefully it’s readable now.

Requirements:
- CD-R or CD-RW disc (floppies will also do but require either a connection or a CD-R/RW disc).
- Internet connection, no PPPoE and PPPoA (I won’t cover those)
  Note: USB modems will not be covered!
- Switch or DSL/Cable Gateway/Router (use only the LAN ports)
- 2 network cables, one goes to the modem/outlet.
- Basic UNIX knowledge and TCP/IP knowledge

Computer requirements:
- Two supported NICs, link
  Note: Realtek NICs are strongly recommended to be replaced due to performance issues (sucky hardware design). Netgear FA311 is for instance a great choice that’s cheap and widely spread.
  For now ALTQ is only supported by the following drivers: bfe, em, fxp, fwe, ixgb, lnc, de, re, rl, sis, ste, vge, vr and xl, so if your NIC uses another driver you can’t use ALTQ.
- A HDD that’s 2Gb or larger (dual boot will not be covered)
- 32Mb RAM (64Mb or more recommended)
- Preferably a CPU equal to a Pentium or better
- A monitor is needed for installation but you’ll do fine without it after installation.
- A keyboard, a mouse won’t be used at all

Installation:

1. Locate a mirror using this link that’s close to you and grab the miniinst iso-file (and floppies if your computer can’t boot off a cd).
The needed files can be found using the following paths on a mirror:
/pub/FreeBSD/releases/i386/5.3-RELEASE/floppies/boot.flp - Boot floppy #1
/pub/FreeBSD/releases/i386/5.3-RELEASE/floppies/kern1.flp - Boot floppy #2
/pub/FreeBSD/releases/i386/5.3-RELEASE/floppies/kern2.flp - Boot floppy #3
/pub/FreeBSD/releases/i386/5.3-RELEASE/tools/fdimage.exe - Writing utility for floppy images
/pub/FreeBSD/ISO-IMAGES-i386/5.3/5.3-RELEASE-i386-miniinst.iso - Installation CD

2. Start the installation by booting up using either the floppies or installation disc. For more information regarding installation refer to chapter 2 in the handbook.

2.1 You will now be prompted if you want to use ACPI or not (along with other boot options which aren’t of any use right now) and since it’s poorly implemented in BIOSes and old computers don’t support it at all it’s better to go with option 2 which disables it.
Note: If you have a fairly recent mainboard (Slot 1, Slot A or newer) you can give it a go, if you experience strange errors such as watchdog timeout and lockups restart the installation and disable ACPI.

2.2 Once the installer has booted up it’ll ask what type of installation you want to run and in this case standard installation is suitable.

2.3 When fdisk appears delete all existing partitions (if any) and create one that uses the whole drive for FreeBSD. Don’t forget to set it bootable before quitting fdisk.

2.4 Select standard MBR (Master Boot Record) when prompted.

2.5 Time to create slices. If you have a small drive (2-3Gb) make a swap slice that’s 128Mb and assign the rest of the remaining space to / (filesystem). This isn’t exactly ideal but since it’s a bit cramped you really can’t do anything about it. If you have a larger drive it’s recommended to make a few more slices. Swap should be about two times as large as the amount of installed RAM.
/ 128M
/var 256-512M
/usr remaining space
Refer to the handbook for more information, chapter 2.5.5

2.6 We won’t run X (graphical GUI) and neither do we need the source since we’ll grab a newer version later on, so go with a plain user installation with binaries and docs only (option 8).

2.7 Same goes with ports collection, we’ll also grab it later to get the newest collection available.

2.8 Installation media, if you used the floppies and didn’t make a cd go with FTP and select a mirror near you otherwise select the CD since it’s faster and all you need is already on it.

2.8.1 If you selected FTP you’ll be prompted to set up a network interface and it’s pretty straightforward. Most have no IPv6 and unless you have a static IP address your connection is using DHCP. Once your ISP’s DHCP server is detected the installer will ask you to verify the settings, or to input settings manually if you have a static IP address.

2.9 Confirm that you know what you’re doing, otherwise the installer won’t continue.

2.10 Once binaries and docs are installed you are now asked to set up a Network Interface unless you selected FTP as installation source, and now it’s a good time to do that if you haven’t. Don’t worry about the second NIC, we’ll set it up afterwards.

2.11 Since the installer doesn’t have the ability to read minds it’ll ask what you want to run and here’s a recommendation (based on my preferences) of what you should answer. You can change it afterwards if you don’t agree anyway.

Do you want this machine to function as a network gateway? - Yes
It’ll ask if you want to enable SSH (I forgot to write down the question) and I highly recommend you to do so.
Do you want to configure inetd and the network services that it provides? - Yes
Do you want to have anonymous FTP access to this machine? - No
Do you want to configure this machine as an NFS server? - No
Do you want to configure this machine as an NFS client? - No

2.12 Setup keymap and keyboard layout.
The majority of users will be fine using IBM 850 (option 3) and using a local keyboard layout.

2.13 Set what time zone you’re in and how it’s set.

2.14 Some more questions regarding software and hardware.
Would you like to enable Linux binary compatibility? - No (You wont need it and if it’s needed FreeBSD is going to install it for you)
Is there a PS/2, serial or bus mouse connected? (forgot to write down the exact question again) - No
ACPI was disabled during boot, would you like to disable permanently? (See previous comment) - Yes
The FreeBSD package collection is a collection of hundreds of ready-to-run applications, from text editors to games to WEB servers and more. Would you like to browse the collection now? - No

2.15 Would you like to add any initial user accounts to the system? Adding at least one account for yourself at this stage is suggested since working as the “root” user is dangerous (it is easy to do things which will make the entire system unusable). - Yes
Fill in Login ID, Password, Full Name and set member groups to wheel.

2.16 Set root (admin) password, as with everything else I’d suggest that you set a hard password and not something obvious like the name of your pet.

2.17 Visit the general configuration menu for a chance to set any last options? - No

2.18 - Exit the installation
Congrats, you’ve now installed a fully fledged version of FreeBSD. =)

Download source code and ports

1. Login as root

2. Install the update/download software as a package (pre-compiled binary) by typing:

pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.3-release/All/cvsup-without-gui-16.1h.tbz

3. Copy the needed configuration files to /etc

cp /usr/share/examples/cvsup/ports-supfile /etc && cp /usr/share/examples/cvsup/stable-supfile /etc

4. Edit (using either edit or vi) the ports-supfile (in /etc) and set a cvsup mirror. You can find a list of available ones here
This is the line that you should change:
*default host=CHANGE_THIS.FreeBSD.org

5. Edit the stable-supfile (in /etc) and change the cvsup mirror as mentioned above and change the release tag so you get the newest version of 5.3 with security patches applied (if any).
Change the release tag line from:
*default release=cvs tag=RELENG_4
to:
*default release=cvs tag=RELENG_5_3

6. Start downloading by typing:

cvsup /etc/stable-supfile && cvsup /etc/ports-supfile

This will take a while so you probably want to take a snack or a cup of coffee.

To learn more about the ports and package system I suggest that you read chapter 4 in the handbook which you can find here: link

Optimizing and building world and kernel

Since we are already going to recompile to include all recent security patches we might as well optimize as much as possible to gain performance.

1. Edit /etc/make.conf and insert the following lines
CPUTYPE=i586/mmx
CFLAGS= -O -pipe
COPTFLAGS= -O -pipe
NO_FORTRAN= true
NO_I4B= true
NO_LPR= true
NO_X= true
NOGAMES= true
NOPROFILE= true
USA_RESIDENT= yes

Don’t forget to change the CPUTYPE value according to what CPU you have.

#       (AMD CPUs)      athlon-mp athlon-xp athlon-4 athlon-tbird athlon k6-3
#                       k6-2 k6 k5
#       (Intel CPUs)    p4 p3 p2 i686 i586/mmx i586 i486 i386

Those who are familiar with GCC will probably notice that I’m using only -O instead of -O2 or even -O3 but there’s a good reason for that: they break applications.
Pentium 4 users are advised to use p3 instead of p4 due to dodgy compiles.

2. Time to build world (base), this actually takes quite some time (roughly 9 hours on a P166MMX with 64Mb RAM, 6 hours on a P2 266Mhz 192Mb RAM) so I suggest that you do this while you’re asleep.
To start building simply type:

cd /usr/src && make buildworld

3. Once buildworld completes it’s time to add pf to the kernel, and ALTQ if your network cards are supported (run ifconfig to display network interfaces), otherwise skip the ALTQ part.
We are going to use the generic kernel config as a template and we don’t want to mess it up so make a copy of it instead. You should by now come up with a name for the computer. No special characters and preferably not ridiculously long.

cd /usr/src/sys/i386/conf && cp GENERIC MYNAME

4. Edit MYNAME and do the following changes:
A few lines down you’ll see this line that says:
“ident GENERIC”
Change GENERIC so it has the same name as the file.
A few more lines down you’ll see this line:
options INET6 #IPv6 communications protocols
After that line you can insert the following lines to enable ALTQ (skip this part if your NIC isn’t supported).

options HZ=1000
options ALTQ
options ALTQ_CBQ	# Class Based Queueing
options ALTQ_RED	# Random Early Drop
options ALTQ_RIO	# RED In/Out
options ALTQ_HFSC	# Hierarchical Packet Scheduler
options ALTQ_CDNR	# Traffic conditioner
options ALTQ_PRIQ	# Priority Queueing

If your card supports device polling (only bfe, em, fxp, fwe, ixgb, lnc, de, re, rl, sis, ste, vge, vr and xl) be sure to include kernel support.

options DEVICE_POLLING

Further down you’ll see this line:
device apic # I/O APIC
After this one you add the following lines to add pf:

device pf
device pflog
device pfsync

Now you’re all set!

Just for the record (advanced users only), you can strip the kernel even more by removing scsi drivers, unused network drivers, firewire etc but there isn’t much to gain and you’ll most likely end up with a bad kernel if you don’t know what you’re doing.

5. Compile and install kernel and it’s done by two commands (just to be safe).

cd /usr/src && make buildkernel KERNCONF=MYNAME
make installkernel KERNCONF=MYNAME

If buildkernel fails you have most likely done something wrong and I suggest that you go back and check for possible errors.

6. Remember that we compiled world (base) a while ago? Now it’s time to install it. Reboot by simply typing reboot or shutdown -r now and go into single mode using the boot menu.

7. Mount appropriate filesystems and install buildworld

mount -u / && mount -a && swapon -a
cd /usr/src && make installworld

8. Take a backup of /etc and run mergemaster

cp -Rp /etc /etc.old
mergemaster

Don’t overwrite any files that you’ve done changes in with mergemaster =)

9. All done, reboot and start as usual (option 1 at boot menu).

Configure and enable a bunch of things…

1. Logon as root

2. Write your own ruleset for pf (firewall) and ALTQ (shaper).
A basic ruleset including NAT can be found below, and should be saved as /usr/local/etc/pf.conf.

#### Variables ####
External="sis0"                         # External interface (Internet)
Internal="sis1"                         # Internal interface (LAN)
Loop="lo0"                              # Loopback interface
NoRoute= "{ 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
        172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
        255.255.255.255 }"              # Non routable IPs according to
                                        # http://www.iana.org/assignments/ipv4-address-space
                                        # http://rfc.net/rfc1918.html
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"   # ICMP

#### Options and optimizations ####
set loginterface $External
set optimization aggressive
set limit { frags 2500, states 5000 }
set block-policy drop

#### NORMALIZATION ####
# Scrubbing will automatically drop TCP packets that have invalid
# flag combinations, so there's no need for typical 'anti-portscan' rules that ipf
# and ipfw use.
scrub in on $External all no-df

#### NAT ####
nat on $External inet from 192.168.1.0/24 to any -> ($External)                 # NAT
# rdr on $Internal proto tcp from any to any port 21 -> 127.0.0.1 port 8021     # FTP Proxy

#### External interface ####
block in log on $External all                                                   # Block everything by default
block in log quick on $External from $NoRoute to any                            # Block spoofs
pass in inet proto icmp all icmp-type $icmp_types keep state                    # ICMP

#### Loopback ####
pass in quick on $Loop all keep state                                           # Allow everything
pass out quick on $Loop all keep state                                          # Allow everything

#### Internal interface ####
pass in quick on $Internal all keep state                                       # Allow everything
pass out quick on $Internal all keep state                                      # Allow everything

#### Portforwards ####

#### Pass on external interface ####
block out log quick on $External from any to $NoRoute                           # Block spoofs
pass out quick on $External inet proto icmp all icmp-type $icmp_types keep state
pass out on $External all keep state

Remember to change the variables External and Internal to match your system.
You can find more information regarding pf here: OpenBSD’s PF FAQ, Solarflux (sample rulesets) and man pf.conf

3. Edit rc.conf and add the following lines so pf gets enabled during boot.

pf_enable="YES"
pflog_enable="YES"
pf_rules="/usr/local/etc/pf.conf"

4. While you’re at it you might as well configure your network interfaces. You’ll find at least one of these lines in rc.conf so all you have to do is to add the rest and alter them accordingly to fit your system.

network_interfaces="sis0 sis1 lo0"
ifconfig_sis0="DHCP"
ifconfig_sis1="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_lo0="inet 127.0.0.1"

5. Edit /etc/sysctl.conf to enable packet forwarding (routing) between interfaces and device polling. Ignore the line regarding device polling if your network interfaces don’t support it.

kern.polling.enable=1
net.inet.ip.forwarding=1
net.inet.ip.random_id=1

6. Enable ftp-proxy, even if this is optional I highly suggest you do so to avoid nasty ftp issues.
Edit /etc/inetd.conf and uncomment the last line regarding ftp-proxy and save.
Uncomment the line regarding ftp-proxy in /usr/local/etc/pf.conf .

7. Recompile and optimize Perl (optional).
Find out what version of Perl is installed, uninstall that package and install Perl using ports.
pkg_info | grep perl
pkg_delete <name of package>
Example: pkg_delete perl-5.8.5_1
cd /usr/ports/lang/perl5.8 && make install clean

8. Setup a DHCP Server (Network plug 'n play)
Install ISC’s DHCP Server using ports.

cd /usr/ports/net/isc-dhcp3-server && make install clean

Edit /etc/rc.conf to enable dhcpd upon boot up by adding the following lines:

dhcpd_enable="YES"
dhcpd_flags=""
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="sis1"

Remember to change dhcpd_ifaces to your internal interface.
Edit /usr/local/etc/dhcpd.conf and include the following sample lines:

# Default settings
default-lease-time 86400;
max-lease-time 86400;
option domain-name "athome";
option domain-name-servers 130.237.72.200, 195.54.155.2;
authoritative;
ddns-update-style none;

# LAN
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;
option broadcast-address 192.168.1.255;
range 192.168.1.33 192.168.1.254;
}

Read the man pages for customization.

9. Reboot, and RTFM (seriously do it). http://www.freebsd.org/handbook
//Danne


#2

Installing a HTTP Server with PHP, FTP Server, Database Server and pfstat.

Disclaimer: Screw ups are your own fault, not mine, your pet or your neighbour. Also, if you plan to not read the documentation and links that I refer to don’t even bother trying this (I’m human you know so I might have made a typo somewhere).

First we’ll install everything and later on configure, as usual you need to be logged in as root.

Installation:
1. Install pfstat (generates graphs based on pf’s logs)

cd /usr/ports/sysutils/pfstat && make install clean

2. Install a Database Server, in this case PostgreSQL (8.0-branch)

cd /usr/ports/databases/postgresql80-server && make install clean

3. Even though PHP is in ports I’m more confident with compiling and customizing it by myself therefore we’ll install everything necessary to compile PHP. Note that I’m very ambiguous with features in PHP.

cd /usr/ports/devel/bison1875 && make install clean
cd /usr/ports/textproc/sablotron && make install clean
cd /usr/ports/ftp/curl && make install clean
cd /usr/ports/www/p5-FastCGI && make install clean

3.1 Since we aren’t going to use ports for PHP we need to do everything manually: create a temp directory, download and decompress, set optimization flags, configure, install and copy the necessary files.

mkdir /usr/local/build && cd /usr/local/build
fetch http://se2.php.net/distributions/php-4.3.10.tar.gz
tar zvxf php-4.3.10.tar.gz
cd php-4.3.10
setenv CFLAGS "-O2 -march=pentium-mmx -pipe -funroll-loops -D_REENTRANT -fPIC"
./configure --prefix=/usr/local/php4 --enable-fastcgi --enable-discard-path --enable-force-cgi-redirect --enable-yp --enable-xslt --with-xslt-sablot=/usr/local --with-expat-dir=/usr/local --enable-sockets --with-zlib --with-pgsql --with-gd=/usr/local --enable-gd-native-ttf --with-freetype-dir=/usr/local --with-curl --with-iconv-dir=/usr/local  --enable-track-vars  --enable-inline-optimization --with-openssl --enable-calendar --enable-exif --enable-bcmath
make install
setenv CFLAGS ""
cp php.ini-recommended /usr/local/php4/lib/php.ini
cd ../.. && rm -rf build

4. An FTP server is very useful to upload webpages to your HTTP server and my choice for this is PureFTPd.

cd /usr/ports/ftp/pure-ftpd && make install clean

I’d recommend you to disable PAM support and enable ‘Per-user concurrency limits’ and ‘Bandwidth throttling’ when the installer asks.

5. All that’s left is the HTTP Server.

cd /usr/ports/www/lighttpd && make install clean

Configuration:

pfstat:
Documentation: http://www.benzedrine.cx/pfstat.cat8

In this case I pretty much follow the sample. You need to make a directory for pfstat to store the graphs so they are accessible.

mkdir -p /usr/local/www/data/stats/pfstat/

You also need to make an index file for the images, edit /usr/local/www/data/stats/pfstat/index.html with the following code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>

  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
    <title>FreeBSD Packet Filter Statistics</title>

  </head>

  <body text="#000000" bgcolor="#FFFFFF" link="#1919C0" vlink="#101030" alink="#FE0000">

    <img src="pfstat.jpg">
    <br>
    <a href="pfstat1.jpg"><img src="pfstat1-small.jpg"></a>
    <a href="pfstat2.jpg"><img src="pfstat2-small.jpg"></a>
    <a href="pfstat3.jpg"><img src="pfstat3-small.jpg"></a>

  </body>

</html>

As usual we also need a configuration file and here’s a sample. Edit /usr/local/etc/pfstat.conf and paste/type the following lines:

image "/usr/local/www/data/stats/pfstat/pfstat.jpg" {
        from 1 weeks to now
        width 960 height 300
        left
                graph bytes_v4_in       label "incoming" color 0 192 0 filled,
                graph bytes_v4_out      label "outgoing" color 0 0 255
        right
                graph states_searches   label "states searches" color 192 192 0
}
image "/usr/local/www/data/stats/pfstat/pfstat1.jpg" {
        from 1 days to now
        width 960 height 300
        left
                graph bytes_v4_in       label "incoming" color 0 192 0 filled,
                graph bytes_v4_out      label "outgoing" color 0 0 255
        right
                graph states_entries    label "states" color 255 0 0
}
image "/usr/local/www/data/stats/pfstat/pfstat1-small.jpg" {
        from 1 days to now
        width 320 height 200
        left
                graph bytes_v4_in       label "incoming" color 0 192 0 filled,
                graph bytes_v4_out      label "outgoing" color 0 0 255
        right
                graph states_entries    label "states" color 255 0 0
}
image "/usr/local/www/data/stats/pfstat/pfstat2.jpg" {
        from 1 days to now
        width 960 height 300
        left
                graph packets_v4_in_pass  label "pass in"   color 0 192 0 filled,
                graph packets_v4_out_pass label "pass out"  color 0 0 255
        right
                graph packets_v4_in_drop  label "block in"  color 255 0 0,
                graph packets_v4_out_drop label "block out" color 192 192 0
}
image "/usr/local/www/data/stats/pfstat/pfstat2-small.jpg" {
        from 1 days to now
        width 320 height 200
        left
                graph packets_v4_in_pass  label "pass in"   color 0 192 0 filled,
                graph packets_v4_out_pass label "pass out"  color 0 0 255
        right
                graph packets_v4_in_drop  label "block in"  color 255 0 0,
                graph packets_v4_out_drop label "block out" color 192 192 0
}
image "/usr/local/www/data/stats/pfstat/pfstat3.jpg" {
        from 1 days to now
        width 960 height 300
        left
                graph states_inserts  label "inserts"  color 0 192 0 filled,
                graph states_removals label "removals"  color 0 0 255
        right
                graph states_searches label "searches"   color 255 0 0
}
image "/usr/local/www/data/stats/pfstat/pfstat3-small.jpg" {
        from 1 days to now
        width 320 height 200
        left
                graph states_inserts  label "inserts"  color 0 192 0 filled,
                graph states_removals label "removals"  color 0 0 255
        right
                graph states_searches label "searches"   color 255 0 0
}

As pfstat doesn’t run as a daemon we need to make use of crontab to make it run continuously. To edit crontab type crontab -e and beware, you’ll be using vi as editor.

* * * * * /usr/local/bin/pfstat -q >>/var/log/pfstat
1 1 * * 1 tail -n 50000 /var/log/pfstat >/tmp/pfstat && mv /tmp/pfstat /var/log/pfstat
*/5 * * * * /usr/local/bin/pfstat -c /usr/local/etc/pfstat.conf -d /var/log/pfstat >/dev/null

All done, enjoy your graphs.

PostgreSQL:
Documentation: http://www.postgresql.org/docs/8.0/interactive/index.html

As we used ports pretty much everything is done, edit /etc/rc.conf and insert the following line to enable autostart of PostgreSQL:

postgresql_enable="YES"

Even though you may not need to, it’s good to rehash your paths by simply typing rehash .
You also need to initialize a database and start it, which is done by the following commands:

/usr/local/etc/rc.d/010.pgsql.sh initdb
/usr/local/etc/rc.d/010.pgsql.sh start

If you want to tweak PostgreSQL refer to the manual before editing /usr/local/pgsql/data/postgresql.conf .

PHP:
Documentation: http://se.php.net/manual/en/ , http://www.lighttpd.net/documentation/fastcgi.html#preparing-php-as-a-fastcgi-program

All you have to do is to change line 472 in /usr/local/php4/lib/php.ini so it says:

cgi.fix_pathinfo=1

lighttpd:
Documentation: http://www.lighttpd.net/documentation/ , http://www.lighttpd.net/documentation/fastcgi.html#preparing-php-as-a-fastcgi-program

As usual it might be a good idea to add lighttpd to /etc/rc.conf .

lighttpd_enable="YES"

Even if lighttpd is small and pretty simple you need to set it up to recognize PHP and change a few other things. Start by copying the sample file followed by editing.

cp /usr/local/etc/lighttpd.conf.sample /usr/local/etc/lighttpd.conf
edit /usr/local/etc/lighttpd.conf

In order for PHP to work you need mod_fastcgi which is disabled by default, enable it by removing ‘#’ at the beginning of the line.

A bit further down you most likely want to add this line (below the accesslog.filename directive) which “fixes” the accesslog for analysis using AWStats for instance.

accesslog.format            = "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""

As we’re being minimalistic there’s only one more thing to add and that’s PHP4 support. If you scroll further down you’ll eventually get to the fastcgi module, below the sample code add this:

fastcgi.server              = ( ".php" =>
                                ( "localhost" =>
                                  (  "socket" => "/tmp/php.socket",
                                    "bin-path" => "/usr/local/php4/bin/php",
                                    "min-procs" => 1,
                                    "max-procs" => 4,
                                    "max-load-per-proc" => 8,
                                    "idle-timeout" => 20
                                  )
                                )
                              )

Keep in mind that lighttpd can do a lot more so pay attention to the manual if you aren’t satisfied with the current config.

PureFTPd:
Documentation: http://www.pureftpd.org/README , http://www.pureftpd.org/README.Virtual-Users

Add PureFTPd to /etc/rc.conf

pureftpd_enable="YES"

Copy PureFTPd’s sample configuration

mv /usr/local/etc/pure-ftpd.conf.sample /usr/local/etc/pure-ftpd.conf

Editing pure-ftpd’s configuration file is very simple, for that reason I’ll just point out what you should or may want to change (if needed).

- MaxClientsNumber
- MaxClientsPerIP
- NoAnonymous (change to yes)
- PureDB (uncomment)
- PassivePortRange (21060-21070)
- KeepAllFiles (uncomment)

As we’re going to use PureFTPd’s Virtual Users feature we need to create one user, preferably dedicated. PureFTPd’s readme for Virtual Users explains this very well so read it. Remember that after adding a new user to PureFTPd you need to run ‘pure-pw mkdb’ (without ‘’). Keep in mind that the webroot is /usr/local/www/data/ so a user’s home directory should at least contain that path. Remember to create home directories if they don’t exist and set appropriate chmod or chown (chown --> ftpuser:ftpgroup).

pf:
Documentation: http://www.openbsd.org/faq/pf/ , https://solarflux.org/pf/ , http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+5.3-RELEASE+and+Ports&format=html
What’s left to do is to start all programs and open up the appropriate ports for the programs we just installed. Based on the firewall configuration above all you have to do is to add the following lines right under ‘#### Portforwards ####’ in /usr/local/etc/pf.conf.

pass in quick on $External proto tcp from any to any port 21 keep state                 # FTP
pass in quick on $External proto tcp from any to any port 80 keep state                 # HTTP
pass in quick on $External proto tcp from any to any port 21059 >< 21071 keep state     # FTP Passive

To reload the firewall configuration just run pfctl -f /usr/local/etc/pf.conf and you’re all set.

To start lighttpd and PureFTPd run:

/usr/local/etc/rc.d/lighttpd.sh start
/usr/local/etc/rc.d/pure-ftpd.sh start

If everything went well you should be able to access http://<ip>/stats/pfstat/ .
Congrats, you now have a fully fledged webserver.

I guess someone didn’t like this howto since it got unstickied :stuck_out_tongue:
//Danne
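An added consistency check, not part of either post, that reads the kind of pf.conf written in post #1 (macros, NAT, spoof block) together with the port-forward rules from post #2 and verifies two things a reload with pfctl would not tell you: that the NAT'd LAN subnet is covered by the $NoRoute anti-spoof list, and that the ports pf passes inbound match PureFTPd's PassivePortRange. The sample ruleset and the passive range are constructed from the posts' values; everything else (function names, the parsing) is my own.

```python
import ipaddress
import re

# Constructed sample (not the posts' full file): the macros, NAT and spoof-block
# lines of post #1's pf.conf plus the port-forward rules added in post #2.
PF_CONF = """
External="sis0"
NoRoute= "{ 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
        172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
        255.255.255.255 }"
nat on $External inet from 192.168.1.0/24 to any -> ($External)
block in log on $External all                                  # Block everything by default
block in log quick on $External from $NoRoute to any           # Block spoofs
pass in quick on $External proto tcp from any to any port 21 keep state              # FTP
pass in quick on $External proto tcp from any to any port 80 keep state              # HTTP
pass in quick on $External proto tcp from any to any port 21059 >< 21071 keep state  # FTP Passive
"""
PUREFTPD_PASSIVE = (21060, 21070)  # PassivePortRange from pure-ftpd.conf, inclusive
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')


def parse_pf(text):
    """Return (macros, rules) with $macro references expanded in the rules.
    A quoted macro value may continue over several lines, as NoRoute does."""
    macros, rules, pending = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if pending is not None:                      # continuation of a macro
            line, pending = pending + " " + line, None
        if MACRO_RE.match(line):
            name, val = MACRO_RE.match(line).groups()
            macros[name] = val
        elif line.count('"') == 1:                   # quote opened, not yet closed
            pending = line
        else:
            rules.append(line)
    for name, val in macros.items():
        rules = [r.replace("$" + name, val) for r in rules]
    return macros, rules


def lan_is_antispoofed(macros, rules):
    """True if the NAT'd LAN subnet lies inside a NoRoute entry, so packets
    arriving on the external interface with a LAN source address are dropped."""
    nets = [ipaddress.ip_network(x.strip(), strict=False)
            for x in macros["NoRoute"].strip("{} ").split(",")]
    for r in rules:
        m = re.match(r"nat on \S+ inet from (\S+) to", r)
        if m:
            lan = ipaddress.ip_network(m.group(1))
            return any(lan.subnet_of(n) for n in nets if n.version == lan.version)
    return False


def external_tcp_ports(macros, rules):
    """TCP ports passed inbound on the external interface. pf's 'a >< b'
    excludes both endpoints, 'a:b' includes them."""
    ext, ports = macros["External"], set()
    for r in rules:
        if not (r.startswith("pass in") and f"on {ext} " in r and "proto tcp" in r):
            continue
        rng = re.search(r"port (\d+)\s*(><|:)\s*(\d+)", r)
        one = re.search(r"port (\d+)", r)
        if rng:
            lo, op, hi = int(rng.group(1)), rng.group(2), int(rng.group(3))
            ports.update(range(lo + 1, hi) if op == "><" else range(lo, hi + 1))
        elif one:
            ports.add(int(one.group(1)))
    return ports


def audit(text=PF_CONF, passive=PUREFTPD_PASSIVE):
    """Run the checks; passive_ok means pf passes every port PureFTPd
    may hand out for a passive data connection."""
    macros, rules = parse_pf(text)
    opened = external_tcp_ports(macros, rules)
    return {
        "lan_antispoofed": lan_is_antispoofed(macros, rules),
        "open_tcp_ports": sorted(opened),
        "passive_ok": all(p in opened for p in range(passive[0], passive[1] + 1)),
    }


if __name__ == "__main__":
    print(audit())
```

Run it against your real /usr/local/etc/pf.conf by passing the file contents to audit(); a False passive_ok means PureFTPd will hand out a data port that the firewall drops.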