FreeBSD Gateway

FreeBSD Handbook: Setting Up the Serial Console

Boot Config

###
### rc.conf Boot Config File
### by Andreas Bachmann
###
### Read by /etc/rc at boot. Every knob is a sh(1) variable assignment, so
### keep the double quotes and no spaces around '='.

### CONSOLE ####################################################################
font8x14="NO"
font8x16="swiss-8x16"
font8x8="swiss-8x8"
# Daemon knob rather than a console setting (belongs with DAEMONS); inetd is
# kept disabled, nothing on this box needs it.
inetd_enable="NO"
keymap="swissgerman.cp850"

### NETWORK ####################################################################
hostname="gateway.lan.bachi.net"
# vr0 faces the Internet and gets its address via DHCP; vr1 is the static LAN side.
ifconfig_vr0="DHCP"
ifconfig_vr1="10.0.0.1 255.0.0.0"
### ifconfig_vr2="10.0.0.5 255.0.0.0"
# Enables IP forwarding between vr0 and vr1 (net.inet.ip.forwarding=1).
# Once forwarding is on, the pf ruleset is the only thing deciding what crosses.
gateway_enable="YES"

### FIREWALL ###################################################################
pf_enable="YES"
pf_rules="/etc/pf.conf"
# empty string = pfctl defaults
pf_flags=""
# pflog only records packets matched by rules that carry the "log" keyword;
# the default location would be /var/log/pflog, overridden here.
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"
pflog_flags=""

### DAEMONS ####################################################################
# NONE disables every sendmail instance, including the localhost-only
# submission daemon, so mail from cron/periodic is not delivered anywhere.
sendmail_enable="NONE"

# ISC dhcpd (from ports); dhcpd_ifaces restricts it to the LAN interface only.
dhcpd_enable="YES"
dhcpd_ifaces="vr1"

# sshd binds to all interfaces by default; whether it is reachable from the
# Internet side (vr0) is decided by the pf ruleset.
sshd_enable="YES"

# net-snmp snmpd (from ports); -a logs the source address of each request.
# Nothing here binds it to the LAN address, so unless snmpd.conf or pf
# restricts it, it answers on vr0 as well.
snmpd_enable="YES"
snmpd_flags="-a"
snmpd_pidfile="/var/run/snmpd.pid"

# One-shot clock set at boot only. No ntpd_enable appears here, so an
# ntp.conf server list is unused unless ntpd is started some other way.
ntpdate_enable="YES"
ntpdate_hosts="swisstime.ethz.ch"

NTP

# ntp.conf: upstream time sources from the Swiss NTP pool. Only consulted when
# ntpd itself runs (ntpd_enable="YES"); the rc.conf above enables ntpdate only.
# No "restrict" lines appear in this excerpt, so ntpd would answer status and
# control queries from any host. A usual baseline is:
#   restrict default kod nomodify notrap nopeer noquery
#   restrict 127.0.0.1
server 0.ch.pool.ntp.org
server 1.ch.pool.ntp.org
server 2.ch.pool.ntp.org
server 3.ch.pool.ntp.org

Kernel Config

###
### BACHI-NET Kernel Configurations File
### by Andreas Bachmann
###
### Custom i386 kernel for a Geode-based gateway. Devices not listed here are
### simply absent from the kernel; anything else (vr, pf, bpf, ...) must be
### present for the rc.conf / pf.conf on this page to work.

machine     i386
cpu         I586_CPU
ident       GATEWAY-CF

###############################################################################
# CPU OPTIONS
options     CPU_GEODE
device      cpufreq                         # CPU frequency control
options     HZ=1000                         # Smoother scheduling
options     FLOWTABLE                       # per-cpu routing cache

###############################################################################
# SCHEDULING
options     SCHED_ULE                       # new scheduler
options     PREEMPTION                      # Preemptive Scheduler

###############################################################################
# POSIX P1003.1B
options     P1003_1B_SEMAPHORES             # POSIX-style semaphores
options     _KPOSIX_PRIORITY_SCHEDULING     # POSIX P1003_1B real-time extensions

###############################################################################
# PARTITIONING
options     GEOM_PART_GPT                   # GUID Partition Tables.
options     GEOM_LABEL                      # Provides labelization

###############################################################################
# TRUSTEDBSD MAC FRAMEWORK
# Only compiles the framework in; no policy module is loaded by this config.
options     MAC                             # TrustedBSD MAC Framework

###############################################################################
# FILE SYSTEM
options     FFS                             # Berkeley Fast Filesystem
options     PROCFS                          # Process filesystem (requires PSEUDOFS)
options     PSEUDOFS                        # Pseudo-filesystem framework
options     SOFTUPDATES                     # Enable FFS soft updates support
options     UFS_ACL                         # Support for access control lists
options     UFS_DIRHASH                     # Improve performance on big directories
options     UFS_GJOURNAL                    # Enable gjournal-based UFS journaling
options     MD_ROOT                         # MD is a potential root device

###############################################################################
# CRYPTO SUBSYSTEM
device      crypto                          # core crypto support
device      cryptodev                       # /dev/crypto for access to h/w

###############################################################################
# SECURITY POLICY PARAMETERS
# Kernel-side support only; the audit daemon still has to be enabled
# (auditd_enable in rc.conf) for any trail to be written.
options     AUDIT                           # Security event auditing

###############################################################################
# COMPATIBILITY OPTIONS
# Each COMPAT_* keeps an old system-call ABI reachable from userland; drop
# the ones no installed binary still needs.
options     COMPAT_43                       # Compatible with BSD 4.3 [KEEP THIS!]
options     COMPAT_FREEBSD4                 # Compatible with FreeBSD4
options     COMPAT_FREEBSD5                 # Compatible with FreeBSD5
options     COMPAT_FREEBSD6                 # Compatible with FreeBSD6
options     COMPAT_FREEBSD7                 # Compatible with FreeBSD7

options     SYSVSHM                         # SYSV-style shared memory
options     SYSVMSG                         # SYSV-style message queues
options     SYSVSEM                         # SYSV-style semaphores

###############################################################################
# BUS TYPES
device      eisa                            # Extended Industry Standard Architecture (EISA) Bus
device      pci                             # Peripheral Computer Interface (PCI) Bus
device      uart                            # Universal Asynchronous Receiver/Transmitter (UART) Bus
device      miibus                          # Media Independent Interface (MII) Bus

###############################################################################
# SYSTEM MANAGEMENT INTERFACE DEVICES
device      pmtimer                         # power-management timer (i386)

###############################################################################
# DISK DEVICES
device      md                              # Memory "disks"

###############################################################################
# ATA DEVICES
device      ata                             # ATA/ATAPI controller driver
device      atadisk                         # ATA disk drives
device      atapicam                        # emulate ATAPI devices as SCSI ditto via CAM

###############################################################################
# SCSI OPTIONS AND DEVICES
device      scbus                           # Base SCSI Code
device      ch                              # SCSI media changers
device      da                              # SCSI direct access devices (aka disks)
device      sa                              # SCSI tapes
device      cd                              # SCSI CD-ROMs
device      pass                            # CAM passthrough driver

options     SCSI_DELAY=300                  # Delay (in ms) before probing SCSI

###############################################################################
# NETWORKING OPTIONS AND DEVICES
options     INET                            # InterNETworking

options     NETGRAPH                        # netgraph(4) system

options     ALTQ                            # Alternate queuing
options     ALTQ_CBQ                        # Class Based Queueing
options     ALTQ_RED                        # Random Early Detection
options     ALTQ_RIO                        # RED In/Out
options     ALTQ_HFSC                       # Hierarchical Packet Scheduler
options     ALTQ_CDNR                       # Traffic conditioner
options     ALTQ_PRIQ                       # Priority Queueing
options     ALTQ_NOPCC                      # Required for SMP build

device      loop                            # Network loopback
device      ether                           # Ethernet support
device      bpf                             # Berkeley packet filter (needed by dhclient and pflog)
device      bridge                          # Network bridge device

device      pf                              # PF OpenBSD packet-filter firewall
device      pflog                           # logging support interface for PF

device      vr                              # VIA Rhine, Rhine II (vr0/vr1 used in rc.conf)

###############################################################################
# PERIPHERAL DEVICES
device      atkbdc                          # AT keyboard controller
device      atkbd                           # AT keyboard
device      kbdmux                          # keyboard multiplexer
device      psm                             # PS/2 mouse

options     KBD_INSTALL_CDEV                # Install a CDEV entry in /dev

###############################################################################
# GRAPHIC DEVICES AND OPTIONS
device      vga                             # VGA video card driver
device      agp                             # support several AGP chipsets
device      splash                          # Splash screen and screen saver support

###############################################################################
# SYSTEM CONSOLE DEVICES AND OPTIONS
device      sc                              # syscons console driver

###############################################################################
# MISCELLANEOUS DEVICES AND OPTIONS
device      random                          # Entropy device
device      pty                             # Pseudo-ttys (telnet etc)
device      snp                             # Snoop device (lets root watch other ttys)
device      firmware                        # firmware assist module

###############################################################################
# USB DEVICES AND OPTIONS

device      uhci                            # UHCI controller
device      ohci                            # OHCI controller
device      ehci                            # EHCI controller
device      usb                             # General USB code (mandatory for USB)

device      udbp                            # USB Double Bulk Pipe devices
device      uhid                            # Human Interface Device
device      ukbd                            # USB keyboard
device      ums                             # USB mouse
device      ulpt                            # USB printer

Bootloader Config

# loader.conf: route the loader and kernel console to the first serial port
# (comconsole, 9600 8N1 unless overridden). Pairs with the ttyu0 getty in
# /etc/ttys below; anyone with access to that port sees boot output and can
# interrupt the loader.
console="comconsole"

TTY Config

[...]
# "secure" on a line lets root log in on it directly (no su needed). On the
# console entry it additionally means init enters single-user mode without
# asking for the root password; mark it "insecure" when the serial port can
# be reached by people who are not trusted with root.
console none                            unknown off secure
#
# Virtual terminals are all "off" here, presumably because the box is headless
# and the console lives on the serial port.
ttyv0   "/usr/libexec/getty Pc"         cons25  off secure
# Virtual terminals
ttyv1   "/usr/libexec/getty Pc"         cons25  off secure
ttyv2   "/usr/libexec/getty Pc"         cons25  off  secure
ttyv3   "/usr/libexec/getty Pc"         cons25  off secure
ttyv4   "/usr/libexec/getty Pc"         cons25  off secure
ttyv5   "/usr/libexec/getty Pc"         cons25  off secure
ttyv6   "/usr/libexec/getty Pc"         cons25  off secure
ttyv7   "/usr/libexec/getty Pc"         cons25  off secure
ttyv8   "/usr/local/bin/xdm -nodaemon"  xterm   off secure
# Serial terminals
# The 'dialup' keyword identifies dialin lines to login, fingerd etc.
# ttyu0 is the serial console: getty "on" offers a login prompt on the port at
# 9600 baud, and "secure" allows root to log in there directly.
ttyu0   "/usr/libexec/getty std.9600"   vt100   on  secure
ttyu1   "/usr/libexec/getty std.9600"   dialup  off secure
ttyu2   "/usr/libexec/getty std.9600"   dialup  off secure
ttyu3   "/usr/libexec/getty std.9600"   dialup  off secure
# Dumb console
dcons   "/usr/libexec/getty std.9600"   vt100   off secure
# Pseudo terminals
ttyp0   none                    network
[...]

fstab Config

# /etc/fstab for the single ATA disk (ad0, slice 1); see the df output below.
# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/ad0s1b             none            swap    sw              0       0
/dev/ad0s1a             /               ufs     rw              1       1
# /tmp and /var are world- or service-writable; on a gateway consider adding
# "nosuid" (and "noexec" for /tmp) so nothing dropped there can run with
# elevated privileges. Only "rw" is set here.
/dev/ad0s1d             /tmp            ufs     rw              2       2
/dev/ad0s1f             /usr            ufs     rw              2       2
/dev/ad0s1e             /var            ufs     rw              2       2

Disk Slices

[root@gateway /home/bachi]# df
Filesystem  1K-blocks   Used   Avail Capacity  Mounted on
/dev/ad0s1a    253678  27696  205688    12%    /
devfs               1      1       0   100%    /dev
/dev/ad0s1d    253678     12  233372     0%    /tmp
/dev/ad0s1f   2358280 997176 1172442    46%    /usr
/dev/ad0s1e    507630   9778  457242     2%    /var

[root@gateway /home/bachi]# fdisk
[...]
parameters extracted from in-core disklabel are:
cylinders=7964 heads=16 sectors/track=63 (1008 blks/cyl)
Media sector size is 512
Information from DOS bootblock is:
The data for partition 1 is:
sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
    start 63, size 8016372 (3914 Meg), flag 80 (active)
        beg: cyl 0/ head 1/ sector 1;
        end: cyl 498/ head 254/ sector 63
[...]

PF Config

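# /etc/pf.conf for the gateway (loaded via pf_rules in rc.conf).
# pf evaluates filter rules top to bottom and the LAST matching rule wins,
# so "block all" below is the default and every later "pass" is an exception.

# interfaces
if_inet="vr0"                 # Internet
if_lan="vr1"                  # Intranet
torrent_client="10.0.0.251"
net_lan="10.0.0.0/8"

# LAN hosts allowed to send traffic into the gateway (and on to the Internet)
users = "{
    10.0.0.251,
    10.0.0.11,
    10.0.0.249,
    10.0.0.250,
    10.0.0.17
}"

# Masquerade LAN traffic behind vr0's address; the parentheses make pf
# re-read the address whenever DHCP changes it.
nat on $if_inet from $net_lan to any -> ($if_inet)

# Port forwards to the torrent host (currently disabled). Any rdr that is
# re-enabled also needs a matching "pass in on $if_inet" for the redirected
# traffic, since the default is to block.
#rdr on $if_inet proto tcp from any to $if_inet port { 6881, 6882, 8713 } -> $torrent_client
#rdr on $if_inet proto tcp from any to $if_inet port { 4000, 4001, 4002, 4080, 4662, 4666, 9335, 53357, 14890 } -> $torrent_client
#rdr on $if_inet proto tcp from any to $if_inet port { 80, 8080, 443 } -> $torrent_client
#rdr on $if_inet proto tcp from any to $if_inet port { 6000 }  -> $torrent_client

# default deny on every interface
block all

# Internet side: previously "pass in on $if_inet all", which admitted every
# inbound packet from the Internet to the gateway itself (sshd, snmpd, ...) and
# made the default deny ineffective on vr0. Only SSH to the gateway's own
# address is admitted now; replies to outbound and NAT'd connections are
# matched by state, so no generic inbound pass is needed. Add further
# explicit rules here for anything else that must be reachable from outside.
pass in on $if_inet inet proto tcp from any to ($if_inet) port ssh keep state
# LAN side: only the listed hosts may use the gateway
pass in on $if_lan from $users to any keep state
pass out all keep state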

DHCPD Config

###
### GATEWAY DHCP Server Configuration
### by Andreas Bachmann
###
### ISC dhcpd, started from rc.conf on vr1 only.

# Answer as the authoritative server for this subnet (clients with stale
# leases from elsewhere get a DHCPNAK and re-request).
authoritative;
# "ad-hoc" is the legacy dynamic-DNS update style; it is deprecated and not
# supported by current ISC DHCP releases. Use "none" if no DNS updates are wanted.
ddns-update-style ad-hoc;

# lease lifetimes, in seconds
default-lease-time                  600;
max-lease-time                      7200;

subnet 10.0.0.0 netmask 255.0.0.0 {
    option  subnet-mask             255.0.0.0;
    option  broadcast-address       10.255.255.255;
    # external resolver handed to clients (not the gateway itself)
    option  domain-name-servers     195.134.157.20;
    # default route for clients = the gateway's LAN address (ifconfig_vr1)
    option  routers                 10.0.0.1;

   # dynamic pool; addresses outside it are left for static hosts
   range 10.0.0.10 10.0.0.254;
}
