bumbler
November 21st, 2003, 14:48
Desktop FreeBSD Part 2: Initial Setup
Ed Hurst 20 November 2003
========================================================================
There are several tasks to which we must attend before actually making use of our freshly installed FreeBSD system. Immediately upon reboot, you will find yourself in the console. While it is possible to set up and use the graphical login managers -- kdm, gdm or others -- it is important to note that this uses extra resources. One of our assumptions is that you might not have all that excess horsepower, so we'll stick with the console login for now.
The prompt says "login" and we need to work as root for a while, so type "root" and ENTER, then enter the password -- nothing will display, so you have to really get it nailed down in your mind. Hit ENTER and prepare to work for a while from the console/CLI.
FINAL X SETUP
First, let's visit the X server setup. The command "cd" means "change directory", so type at the prompt:
cd /etc/X11
then "ls" (list) to ensure that you have a file named "XF86Config". If it's not there, you'll have to rerun the script "xf86config". When we know it's there, type
pico XF86Config
because pico is for newbies the most usable editor on the machine for now. If you have a mouse with a scrolling wheel, we'll need to let the system know that. Scroll down to the section that says
# ***********************************
# Core Pointer's InputDevice section
# ***********************************
where you see the line
Option "Device" "/dev/sysmouse"
and just below it, add this line
Option "ZAxisMapping" "4 5"
making sure the indentation on this line matches the others. Next, if you have a graphics card that can put the monitor to sleep when you are away from the computer, scroll down to the section that says
# ************************
# Graphics device section
# ************************
and look for these lines
Section "Device"
Identifier
Driver
and add this line
Option "DPMS"
Most other settings you might want to change depend too much on your specific situation, so you'll need to do the research for things like adding TrueType fonts, which X server modules you want to run with your hardware, and so forth. For now, read the help lines at the bottom of the screen in the pico editor to learn that you can save the file by typing CTRL+O ("write Out") and close the editor with CTRL+X ("eXit") -- in typing notation, the caret (^) is shorthand for the CTRL key.
Now we are ready to try out the GUI. Still logged in as root, simply type "startx" and ENTER. Whatever desktop you've chosen as your default should start. You probably won't have sound working yet. It's not so complicated that a newbie can't figure it out, but there are too many variables to deal with here. As a part of your initiation into the world of FreeBSD, I'll direct you to the =FreeBSD Handbook= that comes with your system. It comes in several languages, but the English version is found here:
/usr/share/doc/en_US.ISO8859-1/books/handbook/index.html
Since I am assuming you are running KDE, all you need to do is open the Konqueror browser and type that line in the location bar and hit ENTER. Scroll down the index page to section 16 for Multimedia and read about setting up sound cards. As for setting up KDE, the first time you run it you will be introduced to a setup wizard that should handle most issues. Other options can be found in the KDE menu, under "Settings" where you will find the "Control Center." Explore its options and experiment. Then do the same for your user account later.
SYSTEM MAIL
One of the most important tasks for managing your own system is to learn to read system mail. Every Open Source operating system uses this. If you ignored my advice and did not install postfix, you already have a system working, called sendmail. However, you should not attempt to use this for sending mail to the outside world -- it's too complicated for us mere mortals. If you took my advice and installed postfix, we'll need to do a little work to get it ready. In a later article I will explain how to use it for sending mail on the Internet, but for now we have to make sure it's ready to run internally. There is a bit of debate within the BSD community about this, but the typical method is to completely displace the old sendmail system and run postfix under the pseudonym of "sendmail".
Here we also learn to use a GUI editor: Kedit. Look for it in the KDE menu system under "Editors" and click on the name. You'll need to set it up to suit you, by clicking "Settings" in the menu bar and selecting the last option, "Configure Kedit". Check each option and make adjustments; it's all pretty self-explanatory. The most likely issue everyone wants to adjust is the font size. When you are finished, click the "OK" button. Now, click the icon in the toolbar at the top that looks like a file folder and open the file finder utility. On the upper right-hand side of this is an entry box with a drop-down arrow at the far right end. Click the arrow and choose "Root Directory", then navigate into the "etc" directory. Look for a file named "rc.conf" and open it.
This is the master config file for the whole system. Get the format wrong and your machine may not boot. The main thing to remember is that each entry has the same format: an option name, an equal sign (=) and quotation marks surrounding the variables for that option. Be sure to have the double quotation marks before and after.
What follows is a quick and dirty method, and if you really want to understand what the options mean, you'll need to read the =FreeBSD Handbook= a great deal. For now, you'll have to trust me. Make sure your rc.conf file has the following lines in it:
hostname="name.local.bsd"
kern_securelevel_enable="NO"
linux_enable="YES"
nfs_reserved_port_only="YES"
sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"
sshd_enable="YES"
usbd_enable="YES"
network_interfaces="lo0 ppp0 tun0"
firewall_enable="YES"
firewall_script="/etc/firewall.conf"
firewall_logging="YES"
syslogd_enable="YES"
ifconfig_tun0=
router_enable="NO"
The first four lines should already be just fine; it's the items following that matter. Yes, that line with "ifconfig_tun0" is the exception, with no variable and no quotation marks. Save the file and close it, but not Kedit. Now let's open the file named /etc/mail/mailer.conf. Look at the file; it should have lines like this:
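An added check, not code from the article: a small sh script that verifies every rc.conf line has the name="value" form described above (with the one ifconfig_tun0= exception) before you reboot on it. The file path is a parameter and the two sample files are constructed here.

```shell
#!/bin/sh
# Added example, not code from the article: a format check for rc.conf.
# Every setting must look like name="value" (double quotes, no spaces
# around the "="); the one exception the article allows is ifconfig_tun0=
# with no value and no quotes. rc.conf is read by the boot scripts, so
# run this before rebooting. The path is a parameter (an assumption).
check_rc_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }                           # comment or blank line
        /^[A-Za-z_][A-Za-z0-9_]*="[^"]*"[ \t]*$/ { next } # name="value": fine
        /^ifconfig_tun0=[ \t]*$/ { next }                 # the documented exception
        { printf "line %d: bad format: %s\n", NR, $0; bad++ }
        END { exit (bad > 0) }
    ' "$1"
}

dir=$(mktemp -d)
# Constructed sample: settings from the article, written correctly.
cat > "$dir/rc.conf.good" <<'EOF'
hostname="name.local.bsd"
sendmail_enable="YES"
sendmail_flags="-bd"
firewall_enable="YES"
firewall_script="/etc/firewall.conf"
ifconfig_tun0=
router_enable="NO"
EOF
# Constructed sample with typical mistakes: an unclosed quote, spaces
# around the equal sign, and a value with no quotes at all.
cat > "$dir/rc.conf.bad" <<'EOF'
hostname="name.local.bsd
sshd_enable = "YES"
firewall_logging=YES
EOF

for f in "$dir/rc.conf.good" "$dir/rc.conf.bad"; do
    if check_rc_conf "$f"; then echo "$f: OK"; else echo "$f: fix before rebooting"; fi
done
```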
sendmail /usr/local/sbin/sendmail
send-mail /usr/local/sbin/sendmail
mailq /usr/local/sbin/sendmail
newaliases /usr/local/sbin/sendmail
#hoststat /usr/local/sbin/sendmail
#purgestat /usr/local/sbin/sendmail
The last two may not be there, and it won't matter. If they say anything else, change them to match those above. Save and close the file. Now open another file: /usr/local/etc/postfix/aliases. Near the top of this file is a line that says:
# Person who should get root's mail. Don't receive mail as root!
The next line should say "root:" and a space followed by your user account name. Mine is "jeh" so it looks like this:
root: jeh
This way, any mail the system sends to root will come to my user account. Once you have logged into your user account, at least once each day, you should open a Konsole window (there's at least one icon somewhere on the toolbar for it, or you can find it in the menu under "System") and type the command "pine" and you should be able to figure it out from there. Pine puts the command options at the bottom of the screen, and flashes information just above that. Pine has all sorts of configuration options; just read the menu system carefully and see what's offered. For now, it's ready to read system mail as is.
FIREWALL
While FreeBSD is one of the most secure systems on the Internet, you still need to take normal precautions to prevent attacks. One of those is to set up a firewall. For now, I'm going to offer a pre-made firewall that has been put together with expert help. Copy it verbatim; cut and paste what's between the dashed lines. You can make refinements when you learn more about it. Remember, this is specifically designed for dialup users:
---------------------------------------------------------------
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"
# Force a flushing of the current rules before we reload.
${fwcmd} -f flush
# Allow all data from my network card and localhost.
${fwcmd} add allow ip from any to any via lo0
# Allow all connections that I initiate.
${fwcmd} add allow tcp from any to any out xmit tun0 setup
${fwcmd} add allow tcp from any to any out xmit ppp0 setup
# Once connections are made, allow them to stay open.
${fwcmd} add allow tcp from any to any via tun0 established
${fwcmd} add allow tcp from any to any via ppp0 established
# This sends a RESET to all ident packets.
${fwcmd} add reset log tcp from any to any 113 in recv tun0
${fwcmd} add reset log tcp from any to any 113 in recv ppp0
# Allow outgoing DNS queries ONLY to the specified servers.
${fwcmd} add allow udp from any to xxx.xx.xxx.xx 53 out xmit tun0
${fwcmd} add allow udp from any to xxx.xx.xxx.xx 53 out xmit tun0
${fwcmd} add allow udp from any to xxx.xx.xxx.xx 53 out xmit tun0
${fwcmd} add allow udp from any to xxx.xx.xxx.xx 53 out xmit ppp0
${fwcmd} add allow udp from any to xxx.xx.xxx.xx 53 out xmit ppp0
${fwcmd} add allow udp from any to xxx.xx.xxx.xx 53 out xmit ppp0
# Allow them back in with the answers...
${fwcmd} add allow udp from xxx.xx.xxx.xx 53 to any in recv tun0
${fwcmd} add allow udp from xxx.xx.xxx.xx 53 to any in recv tun0
${fwcmd} add allow udp from xxx.xx.xxx.xx 53 to any in recv tun0
${fwcmd} add allow udp from xxx.xx.xxx.xx 53 to any in recv ppp0
${fwcmd} add allow udp from xxx.xx.xxx.xx 53 to any in recv ppp0
${fwcmd} add allow udp from xxx.xx.xxx.xx 53 to any in recv ppp0
# Enable ICMP: remove type 8 if you don't want your host to be pingable
${fwcmd} add allow icmp from any to any icmptypes 0,3,11,12,13,14
# Deny all the rest.
${fwcmd} add drop log ip from any to any
---------------------------------------------------------------------
YOU MUST MAKE CHANGES IN THIS FILE! In the bottom half of the file, I have replaced the DNS addresses provided by my ISP with Xs. You must replace the Xs with the IP addresses of your own DNS servers. Notice that there are three of each entry that end in "tun0" and "ppp0" -- your ISP may provide only one or two IP addresses. They are the only ones who can give you this information. Ask for the IP addresses of their DNS servers. However, you must have duplicate information for the "tun0" version and the "ppp0" version. We will discuss why later. Make sure the number "53" appears in each line where you see it in the example above. Save this file as /etc/firewall.conf.
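An added pre-flight check, not part of the article: a sh script that inspects a firewall.conf for the mistakes just described (placeholder Xs left in, a DNS rule without port 53, tun0 and ppp0 rules that don't match, no catch-all deny at the end) before the firewall is enabled. The path is a parameter and the sample files, including the 192.0.2.53 address, are constructed.

```shell
#!/bin/sh
# Added example, not code from the article: a pre-flight check for the
# firewall script above, to run before firewall_enable="YES" takes effect.
# It catches the mistakes the article warns about: placeholder addresses
# left in (ipfw rejects "xxx.xx.xxx.xx", so that rule is skipped and DNS is
# then blocked by the final deny), a DNS rule without port 53, tun0 and
# ppp0 rule sets that do not match, and a missing catch-all deny at the end.
# The path is a parameter (assumption); sample files are constructed.
check_firewall_conf() {
    f="$1"; rc=0
    if grep -q 'xxx\.' "$f"; then
        echo "$f: placeholder DNS addresses still present"; rc=1
    fi
    if grep 'add allow udp' "$f" | grep -qv ' 53 '; then
        echo "$f: a DNS (udp) rule is missing port 53"; rc=1
    fi
    t=$(grep -c 'udp.*tun0' "$f" || true)
    p=$(grep -c 'udp.*ppp0' "$f" || true)
    if [ "$t" -ne "$p" ]; then
        echo "$f: $t udp rules for tun0 but $p for ppp0"; rc=1
    fi
    if ! grep ' add ' "$f" | tail -n 1 | grep -q 'drop log ip from any to any'; then
        echo "$f: last rule is not the catch-all deny"; rc=1
    fi
    return $rc
}

dir=$(mktemp -d)
# Constructed sample: the article's script with one DNS server filled in
# (192.0.2.53 is a documentation address, standing in for your ISP's).
cat > "$dir/good.conf" <<'EOF'
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} add allow ip from any to any via lo0
${fwcmd} add allow tcp from any to any out xmit tun0 setup
${fwcmd} add allow tcp from any to any out xmit ppp0 setup
${fwcmd} add allow udp from any to 192.0.2.53 53 out xmit tun0
${fwcmd} add allow udp from any to 192.0.2.53 53 out xmit ppp0
${fwcmd} add allow udp from 192.0.2.53 53 to any in recv tun0
${fwcmd} add allow udp from 192.0.2.53 53 to any in recv ppp0
${fwcmd} add drop log ip from any to any
EOF
# Constructed sample with every mistake the article warns about.
cat > "$dir/bad.conf" <<'EOF'
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} add allow udp from any to xxx.xx.xxx.xx 53 out xmit tun0
${fwcmd} add allow udp from any to 192.0.2.53 out xmit ppp0
${fwcmd} add allow udp from 192.0.2.53 53 to any in recv ppp0
EOF

for f in "$dir/good.conf" "$dir/bad.conf"; do
    if check_firewall_conf "$f"; then echo "$f: OK"; else echo "$f: fix before enabling"; fi
done
```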
Two more Internet connection issues. Go to /etc/ppp and see if there is a file named "options". If not, create one with a single word in it: noauth. Now go up one directory to /etc and open/create one more file named "resolv.conf". In this file, there must be at least two lines. The first one should read "domain" followed by a space and the name of your ISP: "something.net" for example. The next line(s) should be the word "nameserver" followed by the IP address of your ISP's DNS servers. It should look something like this:
domain something.net
nameserver xxx.xx.xxx.xx
nameserver xxx.xx.xx.xxx
Save and close. Now is the time to reboot. Look for the logout button in the menu of KDE, and logout of the GUI. At the command line type this:
shutdown -r now
When all is done, it should come back up to the command line. Log into your user account this time, then startx. In KDE, you can open the KPPP utility from the menu, under "Internet" and follow the instructions to set it up. Unless you are using one of several national ISPs, you will want to avoid the setup wizard. It is now safe to connect to the Internet.
=The next article will deal with adding a few important programs not included with the Install CD.=
Corrections gratefully received.