Archive for the 'General' Category

Installing a Proxy Server on FreeBSD - Privoxy

Saturday, June 9th, 2007

Setting up a proxy on a FreeBSD server is very easy. It helps to create a secure environment for your network and also allows your whole network to access the Internet through a single Internet connection.
Privoxy is a good proxy server. It is very easy to use and works well.

Installation
# cd /usr/ports/www/privoxy
# make install clean
# rehash

The configuration file is /usr/local/etc/privoxy/config, there is one line which must be changed:
listen-address 192.168.0.1:8119
The IP should be changed to your server’s internal LAN IP address. Also, it’s better to use a non-default port number for security reasons.

Setting Up VPN on FreeBSD using “mpd”

Thursday, May 31st, 2007

1) Install “mpd” from ports:

cd /usr/ports/net/mpd
make install

2) Once it’s done edit the sample configuration file in /usr/local/etc/mpd:

cd /usr/local/etc/mpd
vi (or your favourite editor) mpd.conf

3) Add this to your mpd.conf:

default:
load pptp1

pptp1:
new -i ng0 pptp1 pptp1
set iface disable on-demand
set iface enable proxy-arp
set iface idle 0
set iface enable tcpmssfix
set bundle enable multilink
set link yes acfcomp protocomp
set link no pap chap
set link enable chap
set link keep-alive 10 60
set ipcp yes vjcomp
set ipcp ranges 192.168.1.1/32 192.168.1.51/32
set ipcp dns 192.168.1.1
set ipcp nbns 192.168.1.1 192.168.1.8
set bundle enable compression
set ccp yes mppc
set ccp yes mpp-e40
set ccp yes mpp-e128
set ccp yes mpp-stateless

Change the IP addresses to suit your needs.

The ‘ipcp dns’ line specifies which DNS servers the client should use. The ‘ipcp nbns’ line specifies which WINS (NetBIOS name) servers the client should use; you can remove that line if you do not have a WINS server. The address assigned to the server (192.168.1.1 in this case) can be reused in every link if you want to allow more than one client to connect at a time. You only need to specify different addresses for the clients (192.168.1.51 in this case).

4) Now edit mpd.links and add this in it:

pptp1:
set link type pptp
set pptp enable incoming
set pptp disable originate

5) Now edit mpd.secret to add user/passwords pair in it:

user "password"
user2 "password2"

etc…

6) Now secure the password file:

chmod 600 mpd.secret

7) Start MPD:

/usr/local/sbin/mpd -b

8) If you have any trouble, run it without the -b option, since -b runs it in the background as a daemon.

Now you should have a VPN server for Windows clients that supports MPPE (Microsoft Point-to-Point Encryption), but not MPPC (Compression), because the compression libraries are not open source and are not included with ‘mpd’.

If you want to allow more than one connection at a time, all you need to do is copy the lines in the mpd.conf and mpd.links files and change the identifier from ‘pptp1’ to ‘pptp2’ and so on.

9) Starting mpd at boot:

Just add /usr/local/sbin/mpd -b to /etc/rc.local

Errors with mounting Directory using smbfs in FreeBSD with apache

Wednesday, May 30th, 2007

When trying to serve a directory mounted with mount_smbfs on FreeBSD with the Apache 2.0.x server, large files (over 100K or so) won’t transfer correctly. To fix this problem use the EnableSendfile off directive within your Global, Directory or VirtualHost config.

Using portupgrade inside jails with readonly ports mounted

Wednesday, May 30th, 2007

The ports are mounted with mount_nullfs.

M="/sbin/mount_nullfs -o rdonly /jailsata/PORTS/ports"
$M /afs1/JAIL/Somejail1/usr/ports

Every jail has an /etc/make.conf containing:
# jail
WRKDIRPREFIX = /var/tmp
PORTS_INDEX = /var/tmp/INDEX
DISTDIR = /var/tmp/distfiles
This makes the ports work inside the jail with the ports collection mounted read-only.

Edit /usr/local/etc/pkgtools.conf
Use these settings:

module PkgConfig
ENV['PORTSDIR'] ||= '/usr/ports'
# PORTS_DBDIR must be assigned before PORTS_INDEX is derived from it
ENV['PORTS_DBDIR'] ||= '/var/ports/db'
ENV['PORTS_INDEX'] ||= ENV['PORTS_DBDIR'] + '/INDEX'
ENV['PKG_DBDIR'] ||= '/var/db/pkg'
# a lot lower in the file!
#ENV['PACKAGES'] ||= ENV['PORTSDIR'] + '/packages'
#ENV['PKG_PATH'] ||= ENV['PACKAGES'] + '/All'
ENV['PKG_BACKUP_DIR'] ||= ENV['PKG_PATH']

And make the dir with mkdir -p /var/ports/db

Multiple Ip’s on FreeBSD 6.1-p3 jail

Wednesday, May 30th, 2007

There is a patch available, not official though, so use it at your own risk:

http://people.freebsd.org/~pjd/patches/jail_2006012001.patch

for more details please visit:

http://blog.cg.nu/?cat=5

Using portsnap to update ports

Wednesday, May 30th, 2007

If you have FreeBSD 4.x or earlier, you first need to install portsnap from ports.

If you have FreeBSD 5.x or later, portsnap is part of the base system, so you do not need to install it.

If you are using portsnap for the first time, type:

portsnap fetch extract update

Afterwards, whenever you want to update the ports tree, just issue the following command:

portsnap fetch update

sysctl.conf for a high traffic freebsd server

Wednesday, May 30th, 2007

If you are searching for a sample sysctl.conf for your high-traffic server, you may try the parameters below; these tweaks improve FreeBSD's performance under high load:
security.bsd.see_other_uids=0
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
#kern.ps_showallprocs=0
kern.ipc.shmmax=67108864
kern.ipc.shmall=32768
net.inet.tcp.inflight.enable=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
kern.ipc.somaxconn=1024
net.inet.ip.check_interface=1
kern.maxfiles=32768
kern.maxfilesperproc=2000
kern.ipc.maxsockets=163840
kern.ipc.maxsockbuf=2097152
net.inet.ip.fw.dyn_syn_lifetime=1
net.inet.ip.fw.dyn_max=65535
net.inet.ip.fw.dyn_buckets=256
net.inet.ip.fw.dyn_udp_lifetime=5
net.inet.tcp.msl=7500
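As an added example (not part of the original post), the shell function below compares a sysctl.conf baseline like the one above against a saved "sysctl -a" snapshot and reports every setting that has drifted, so a hardening value such as security.bsd.see_other_uids=0 reverting to 1 is noticed. The file names and sample values are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post: report sysctl settings that
# differ from a sysctl.conf baseline.
#
#   sysctl_drift BASELINE SNAPSHOT
#
# BASELINE is in /etc/sysctl.conf syntax ("key=value", '#' comments).
# SNAPSHOT is the saved output of "sysctl -a" on FreeBSD ("key: value").
# Prints one line per mismatch ("actual=<unset>" when the key is missing
# from the snapshot); exit status 0 when everything matches, 1 otherwise.
sysctl_drift() {
    awk '
        FNR == NR {                          # first file: the baseline
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if ($0 == "") next
            i = index($0, "="); if (i == 0) next
            want[substr($0, 1, i - 1)] = substr($0, i + 1)
            next
        }
        {                                    # second file: the live snapshot
            i = index($0, ": "); if (i == 0) next
            have[substr($0, 1, i - 1)] = substr($0, i + 2)
        }
        END {
            drift = 0
            for (k in want) {
                if (!(k in have)) {
                    printf "%s expected=%s actual=<unset>\n", k, want[k]; drift = 1
                } else if (have[k] != want[k]) {
                    printf "%s expected=%s actual=%s\n", k, want[k], have[k]; drift = 1
                }
            }
            exit drift
        }' "$1" "$2"
}

# Constructed demo data (not captured from a real host). On FreeBSD you would
# run:  sysctl -a > /tmp/live.txt; sysctl_drift /etc/sysctl.conf /tmp/live.txt
demo=$(mktemp -d)
printf '%s\n' '# baseline' 'security.bsd.see_other_uids=0' \
    'net.inet.tcp.blackhole=2' 'kern.ipc.somaxconn=1024' > "$demo/baseline.conf"
printf '%s\n' 'security.bsd.see_other_uids: 1' \
    'net.inet.tcp.blackhole: 2' > "$demo/live.txt"
sysctl_drift "$demo/baseline.conf" "$demo/live.txt" || echo "drift detected"
rm -rf "$demo"
```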

Got stuck at fsck after a reboot or a crash?

Wednesday, May 30th, 2007

If your server/box gets stuck at fsck after a reboot or a crash, just add the following line to /etc/rc.conf:
fsck_y_enable="YES"
fsck will then run automatically, and the box will no longer get stuck after a reboot waiting for somebody to run fsck manually.

How to enable ipfw in freebsd without recompiling the kernel?

Wednesday, May 30th, 2007

If you don’t want to recompile the kernel just to enable ipfw, you can use the following command instead:

kldload ipfw && ipfw add 65534 allow all from any to any

Never issue kldload ipfw without the accompanying ipfw add 65534 allow all from any to any: the module's default policy denies all traffic, so you might end up locked out of the box.

FreeBSD Quota - installation and configuration

Wednesday, May 30th, 2007

Your kernel needs the following in its kernel configuration file:

options QUOTA

For instructions on how to create a new kernel, refer to the Configuring the FreeBSD Kernel section in the FreeBSD handbook. Pay special attention to the section on Building and Installing a Custom Kernel.

Specify the partitions:

Decide which partitions you want quota checking enabled on and modify /etc/fstab accordingly: for each such partition, add the quota options to its line. userquota enables individual user quotas, whereas groupquota enables group quotas (the restrictions apply to a group as a whole).

For example:

/dev/ad0s1f /home ufs rw,userquota,groupquota 2 2

quotacheck:

Start out by typing:

quotacheck -a

This will create all the database files needed for the next command to work.

quotaon/quotaoff :

The following command will enable quotas for all quota-flagged partitions listed in /etc/fstab:

quotaon -a

You can also issue this command to enable quotas only for the partition /mount_point (replace /mount_point with the partition applicable to your needs):

quotaon /mount_point

quotaoff has the same syntax as quotaon, but as the name implies, it’s used to turn off quota.

user quotas :

To edit user quotas, issue the following command:

edquota -u username

This excerpt from the edquota man page should help with editing quotas:

Users are permitted to exceed their soft limits for a grace period that may be specified per filesystem. Once the grace period has expired, the soft limit is enforced as a hard limit. The default grace period for a filesystem is specified in /usr/include/ufs/ufs/quota.h. The -t flag can be used to change the grace period.

After you’re done editing the quota file, save your changes and exit the editor.

Repeat this step for each user that you want to have a quota. If you have a bunch of users that will use the same quota settings, type something like the following:

edquota -u -p user1 user2 user3 user4

This will copy the quota settings from user1 to user2, user3, and user4. Specify as many users as you need to copy the quotas.

group quotas :

You can edit the quotas for a group by typing:

edquota -g groupname

Starting quotas at boot time:

To ensure quotas are enforced after a reboot, add the following line to /etc/rc.conf:

quota_enable="YES"
check_quotas="YES"

Checking the usage

There will come a time when you want to check your quota usage. Simply type the following command to check your quota:

quota

Or, if you’re root, you can check quotas of other users by typing:

quota username