
Thread: Building the FreeBSD OS from scratch

  1. #1
    Join Date
    Oct 2002
    Posts
    50

    Building the FreeBSD OS from scratch

    Are you tired of being victimized? Sick of those funny virilli and trojans that keep infecting your Windows machine, the clunky antivirus/antimalware programs you continually have to update in an effort to deal with them, and the concept of "layered security"? Feeling like a slave to Bill Gates? Then you, my friend, should kick Windows off YOUR machine and start using FreeBSD! And, no, I don't mean Linux.


    "FreeBSD is a free Unix-like operating system descended from Research Unix via the Berkeley Software Distribution (BSD). Although for legal reasons FreeBSD cannot use the Unix trademark, it is a direct descendant of BSD, which was historically also called "BSD Unix" or "Berkeley Unix". The first version of FreeBSD was released in ****, and today FreeBSD is the most widely used open-source BSD distribution, accounting for more than three-quarters of all installed systems running open-source BSD derivatives.[2]

    FreeBSD has similarities with Linux, with two major differences in scope and licensing: FreeBSD maintains a complete operating system, i.e. the project delivers kernel, device drivers, userland utilities and documentation, as opposed to Linux delivering a kernel and drivers only and relying on third-parties for system software;[*] and FreeBSD source code is generally released under a permissive BSD license as opposed to the copyleft GPL used by Linux.

    The FreeBSD project includes a security team overseeing all software shipped in the base distribution. A wide range of additional third-party applications may be installed using the pkgng package management system or the FreeBSD Ports, or by directly compiling source code. Due to its permissive licensing terms, much of FreeBSD's code base has become an integral part of other operating systems such as Juniper JUNOS and Apple's OS X."

    https://en.wikipedia.org/wiki/FreeBSD


    We'll be building FreeBSD from scratch, which starts you off with the base system and a terminal. No flashy graphics, no desktop, no file manager, no web browser, no image manipulator, etc. You start with the base system, a terminal, and build 3rd party apps as you see fit. If you're not familiar with the CLI, Command Line Interface, it's where you will be doing a good part of your work from, and all of it till you build a Window Manager, like Fluxbox, or Desktop Environment, like Gnome, as a GUI, or Graphic User Interface, which is what you're familiar with as a Windows or Linux user. If you've got an old PC or laptop laying around that just can't run the bloat that is Windows, FreeBSD can breathe new life in it and is the perfect solution to it collecting dust.

    The base system itself is very secure, is widely used as a server, and any vulnerabilities that are found from time to time are updated post haste. It's the 3rd party apps you add on that are usually at the root of the problem, as in Flash or JAVA exploits. FreeBSD is not vulnerable to the Windows virus, trojans, or the vast majority of the exploits that plague it, or are beginning to plague Linux as it becomes more popular. However, it is still vulnerable to rootkits and you'll want to periodically run a program like rkhunter, but you can forget about an antivirus program if you adhere to basic computer security practices and restrain your clicking finger.

    There is a FreeBSD flavour called PC-BSD which already comes with a DE or WM and many of the programs you'll be using, but I do not recommend or use it personally.

    Go to http://www.freebsd.org/ and download the proper ISO to burn to a CD or DVD, or memstick img to transfer to a USB stick. You should take a look at the FreeBSD Handbook while you're there to give you a rough idea what's entailed in using the OS. It's an invaluable resource and answers any questions you may have down the road. While you're at it, check out the ports page to see what software is available for FreeBSD at no charge.

    http://www.freebsd.org/doc/en_US.ISO885*-*/books/handbook/
    http://www.freebsd.org/ports/

    FreeBSD is very different from using Windows, but you will be proud of yourself once you put in the time and effort to become proficient in it and leave Windows in the dust. As you should be. It's a major learning experience and not an undertaking for the weak at heart, but you can do it! I'm going to show you how.

    I'm going to take you through the process of getting it up and running, but before we get started I advise you to take a look at the installation process as it's outlined in the Handbook to get a rough idea what you're in for. Don't be put off by the images of the installer and think it's too complicated for you to do. It manages to make it sound even harder than it really is by going through a detailed explanation of the partitioning process as well as every other possible problem you might, but probably won't, encounter. It will, however, describe how to transfer the memstick image to a Flash drive from inside Windows so if you're going to use that method check it out.

    http://www.freebsd.org/doc/en_US.ISO885*-*/books/handbook/bsdinstall.html

    As this is a lengthy process and tutorial, I'll break it up into sections in consecutive posts to preserve continuity. And yes, this is my hand-typed tutorial drawn from close to *0 years of using FreeBSD as my sole OS, not something I plagiarized from another source, and my effort to give something back to the forum after being a non-participating member for years. I've tried my best to be clear and concise and make what can seem like a daunting task as easy as possible for someone with no previous *NIX experience. Now let's get started.
    Last edited by Siseneg; 06-22-2016 at 05:00 PM. Reason: clarity

  2. #2

    continued

    Insert your boot media and at the Welcome screen choose the Install option and hit Enter. (You'll be using the Enter button to confirm all your choices.)

    If you're in the US use the Default keyboard mapping when presented with that screen. If not, choose the keymap that you'll be using.

    When presented with the Set Hostname screen enter your machine name.

    At the Distribution Select screen choose all options with the possible exception of the Handbook, which requires an internet connection and you haven't configured that yet. Be sure to choose ports and src. You do this with the arrow keys and the spacebar.

    At the Partitioning menu choose Guided, for simplicity. It will give you a choice of where to install, choose your HD, which will be the largest and designated as ada0.

    Choose Entire Disk at the next screen, as we won't be dual-booting with this tutorial.

    At the next screen it will present you with the disk layout, choose Finish.

    Now confirm this is what you really want to do, and Commit to the partitioning and installation of your new OS.

    Now sit back and wait for it to install the base system, kernel, games, ports, and source code. It won't take long.

    Your next task is to choose a password for the root account. Make it a strong one with upper and lower case letters, numbers, and other characters. At least 8 characters in length, the longer and more complex the better.

    Now you'll configure your network interface. Choose your ethernet card for starters. FreeBSD is not Linux, so it will have a different designation but you should be able to pick it out from a wireless card.

    Now choose yes when asked if you'd like to configure IPv4.

    Choose Yes to configure DHCP. It will scan and pick up your router interface, go with it.

    If you want to configure IPv6 at the next screen or not it's up to you. I don't, but it's up to you.

    Now set your timezone, choose No when it asks you if you use UTC, and proceed to the next screen to choose the appropriate time zone for you.

    At the system Configuration screen choose to enable moused, ntpd, and powered. If you want to enable SSH choose SSHD too.

    Choose No to enabling Crash Dump. It's not necessary.

    Now's your chance to add a User account. Less privileged than root, it's what you'll be running in **.*% of the time.

    When asked if you want to invite the user to other groups make them members of:

    wheel operator

    Typed just like that, no comma.

    Enter a password for that account, the rest of the options choose the default option it recommends and just hit Enter to proceed from one to the next.

    One account should be enough, when asked if you want to make another user account type no and hit Enter.

    Now you're at the final screen of the build process. Exit and remove the installation media you used (CD, DVD, Flash drive) while it's restarting or it will loop back.

    Now you're presented with a black screen. You've only installed the base system and no GUI or desktop have been installed at this point.

    Log into your user account with the user name you chose and the password for it.

    Now you're at the terminal and we're going to log into the root account by typing:

    su

    and entering the root password.

    Now we'll populate the ports tree with the following command:

    portsnap fetch extract

    If all went well with the initial installation it should download and install the ports tree, which will take a few minutes.

    Now we're going to enable the pf firewall, which is taken from OpenBSD and the best all-around firewall going.

    We're going to have to enter Easy Editor to make a ruleset and show the system where to look for it.

    Type:

    ee /etc/pf.conf

    And hit Enter.

    You've just created a file called pf.conf in the /etc directory.

    Now type:

    block in all
    pass out all keep state

    Hit the Esc key to bring up the options menu, choose file options, and save file.

    Hit Esc again and exit Easy Editor back to the command line.

    Now we have to show the system where to look for our ruleset and the logfile.

    Type:

    ee /etc/rc.conf

    You've just opened the file rc.conf in the /etc directory. This is a very important file and you should see some options already there, like your machine name and other options.

    It's VERY IMPORTANT not to leave any option here uncommented on either end, meaning if you start an option it MUST begin and finish with quotes or you will not be able to start your system, have to enter Single User to fix, and not something we're going to go into here, so keep that in mind.

    Use your arrow keys to scroll down past the lines that are already present and type these out:

    pf_enable="YES"
    pf_rules="/etc/pf.conf"
    pf_flags=""
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"
    pflog_flags=""

    Notice how each option begins and finishes with a quote? You'll be adding your own later so don't forget to check it closely before you exit out of Easy Editor when you do.

    Now hit Esc again to save the file, and ESC again to exit Easy Editor.

    Now we'll reboot to make the changes we've made take effect by entering the following command:

    shutdown -r now

    And hitting Enter. Your machine will now reboot and you'll be back at the starting screen. Log into your user account again and then su into the root account once you do.
    Last edited by Siseneg; 06-21-2016 at 11:38 PM. Reason: (Added a space to the word K e y b o a r d)
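
A pre-reboot check for the quoting rule described in the post above, as an added example that is not part of the original thread. It flags any line of an rc.conf-style file with an odd number of double quotes and then runs the shell's parse-only check, since rc.conf is read as sh variable assignments; the function name `rc_conf_check` is hypothetical.

```sh
#!/bin/sh
# Added example: check an rc.conf-style file for unbalanced quotes
# before rebooting. rc_conf_check is a hypothetical helper name.

# Prints "file:line: text" for every non-comment line that holds an odd
# number of double quotes. Returns 0 if the file is clean, 1 if a line is
# flagged or "sh -n" rejects the file, 2 if the file cannot be read.
rc_conf_check() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    bad=$(awk -v f="$file" '
        /^[ \t]*(#|$)/ { next }            # skip comment and blank lines
        {
            line = $0
            n = gsub(/"/, "", line)        # gsub returns the quote count
            if (n % 2 == 1) printf "%s:%d: %s\n", f, NR, $0
        }' "$file")

    status=0
    if [ -n "$bad" ]; then
        echo "unbalanced quote:" >&2
        echo "$bad" >&2
        status=1
    fi

    # Parse-only run of the shell. On its own this misses the case where
    # two broken lines pair their quotes up, which is why the per-line
    # count above runs as well.
    if ! sh -n "$file" 2>/dev/null; then
        echo "sh -n reports a syntax error in $file" >&2
        status=1
    fi
    return $status
}

# Check a real file only when a path is given:
#   sh rc_conf_check.sh /etc/rc.conf
if [ $# -gt 0 ]; then
    rc_conf_check "$1"
fi
```

A double quote inside a trailing comment on an assignment line is counted too, so such a line is reported even though the shell would accept it.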

  3. #3

    continued

    OK, so you missed commenting a line in /etc/rc.conf, possibly after the "equals" symbol, are seeing a message to that effect, and can't move past that point... Here's how to fix it without having to start completely over. Enter the following commands from where you are now:

    fsck -y
    mount -u /
    mount -a -t ufs
    swapon -a

    Now you can edit /etc/rc.conf through EE to find the error, reboot afterwards to continue on.


    Now we need to apply any security patches that have been issued since the install media was distributed. This is something you'll want to check each and every day to see if any new patches have been issued, chances are it will be weeks in between, but you want to stay up to date.

    Enter the following command:

    freebsd-update fetch

    It will download updates to the system if any are available. When it's finished use your down arrow key to scroll to the end and back to the command prompt. Then enter the following command:

    freebsd-update install

    It won't take as long to install them as it did to download them. Once it's done, reboot:

    shutdown -r now

    If the system hangs and it doesn't look like it's going to finish the reboot cycle do a hard reset with the power button, it will be alright to do so.

    When it reboots enter your user account again, and su to the root account by entering:

    su

    and your root password.

    Now we'll see if any updates have been made to the port tree by entering the following command:

    portsnap fetch update

    After it's done we'll build portmaster from the ports tree by entering the following command:

    cd /usr/ports/ports-mgmt/portmaster

    Now you've changed directories with the cd command and are in that directory. Enter the following command:

    make install clean

    It will show you a few screens of possible options, just click Enter at each screen to go with the default options, and choose Yes when it asks you if you want to proceed.

    It will build the 3rd party program portmaster from source code which will take a few minutes. You have the option of building programs from source or using packages through the pkg system. pkg is much, much faster, but by building from source you can choose your own options, and it's the way I've been doing it for years, so that's what we'll use in this tutorial.

    It is NOT good to mix ports and packages, so once you start using ports stay with it. Once you gain some experience you may want to rebuild your system and switch from ports to packages. If you'd rather start out using the pkg system consult the FreeBSD Handbook, but you'll need to know what programs are available to use them.

    Ports are also updated more frequently than packages. Therefore, it will be easier to keep your 3rd party software up to date when new vulnerabilities are discovered, and by starting out using ports you'll get a feel for compiling programs and gain more CLI time for experience purposes in the process. If you've only installed programs on a Windows machine with an .exe up till now this will be something completely different.

    Now, sit back and relax while it builds the port. Depending on your hardware, some programs could take quite a while. Next we'll build an old school file manager called Midnight Commander, a graphic interface by installing xorg, a Window Manager called Fluxbox, a file manager called xfe, and a text editor called Leafpad (which is similar to Notepad) to make it easier for you.

    When it's finished you can get back to the root directory by typing:

    cd /

    Enter the following command:

    cd /usr/ports/misc/mc

    Then type:

    make install clean

    and hit Enter.

    You'll be presented with several screens asking you if you'd like to change options for dependencies needed for MC. Just go with the default options for the most part with the possible exception being for IPV6 if you did not configure it during installation and PERL_64BITINT at the perl installation window if you're running a 32 bit machine. If not, hit the spacebar at those lines to uncomment it.

    MC will let you take a look at the directory tree to familiarize yourself with the layout, if you'd like to at the time, or you can do that later. You can bring up MC by typing mc at the CLI but at this point I would advise you only do so from the user account, and not as root, so you don't take the chance on tearing something up. The user account has limited privileges, root is the SuperUser.

    Next we'll build xorg by entering the following commands:

    cd /usr/ports/x11/xorg
    make install clean

    It will present you with several option screens for programs that are built with the xorg metadata port, like xterm, xclock, drivers, etc. It won't be necessary to choose all the graphic card drivers it presents, but go ahead and choose VESA with the driver for your card. Again, if you did not configure IPV6 uncomment that line when the curl dependency screen comes up during the xorg build process.

    Relax, you're doing great.

    After xorg is finally finished building we're going to put portmaster to work building ports as it will find all needed dependencies before building and usually makes things go more smoothly. Enter the following as root and hit Enter:

    portmaster /usr/ports/x11-wm/fluxbox

    Fluxbox is a lightweight Window Manager that features transparency and has several nice styles to choose from. I much prefer it to desktops like KDE or Gnome due to all the extra baggage that comes bundled with them. Styles for fluxbox are available on the web if you search for them. I have one I always use, and could post it here, but I got it online too and tweaked it slightly.

    After it's done install your file manager:

    portmaster /usr/ports/x11-fm/xfe

    Now for the text editor:

    portmaster /usr/ports/editors/leafpad

    And the terminal we'll be using with fluxbox called Eterm, which like fluxbox, also features transparency:

    portmaster /usr/ports/x11/eterm

    When it's done compiling the programs we'll add the following lines to the rc.conf file by entering the following commands so it's activated on boot:

    echo 'dbus_enable="YES"' >> /etc/rc.conf
    echo 'hald_enable="YES"' >> /etc/rc.conf

    This time you used the echo command instead of opening EE like before.

    Now we need to create a file called .xinitrc in your user account folder by entering the following command:

    ee /usr/home/usernamehere/.xinitrc

    (The . before the file name designates it as a hidden file. You can make hidden files visible in xfe options later.)

    Now type (yes, Eterm like it's typed):

    Eterm &
    xfe &
    exec fluxbox

    Save and exit EE afterwards like you've been doing, reboot to make the changes we made take effect:

    shutdown -r now

    (The forum edits the word p o r t m a s t e r so I added a space between letters. Enter the full word without the space in commands.)
    Last edited by Siseneg; 07-01-2016 at 02:43 AM.

  4. #4

    continued

    After it reboots log into your user account and enter the following command to bring up your desktop:

    startx

    If all went well, and it should if you've followed my instructions, you'll be presented with the fluxbox Window Manager screen, an Eterm terminal, and xfe file manager already open on the desktop. If you see a green and white WM you've logged in as root by mistake and need to reboot.

    From now on you can enter the root account through Eterm. Do so and update your ports tree now:

    portsnap fetch update

    Check to see if there are any vulnerabilities in your 3rd party programs by entering the following command:

    pkg audit -F

    It's doubtful any have been found in the relatively short time since you got started, but is something you want to do on a regular basis once you get things going. When vulnerabilities are found use portmaster to update the file or remove it using the deinstall command.

    There are still several things you need to do. Look through xfe to familiarize yourself with the directory structure, ports tree, etc. We will be tweaking files to harden the system as well.

    First we need to create a couple files and edit rc.conf, this time using leafpad. You should still be in your root account in Eterm, so enter:

    leafpad

    To bring up that text editor as root. Copy this text into leafpad:

    [devfsrules_common=7]

    add path 'ad*' mode 0666 group operator
    add path 'da*' mode 0666 group operator
    add path 'acd*' mode 0666 group operator
    add path 'cd*' mode 0666 group operator
    add path 'mmcsd*' mode 0666 group operator
    add path 'pass*' mode 0666 group operator
    add path 'xpt*' mode 0666 group operator
    add path 'ugen*' mode 0666 group operator
    add path 'usbctl' mode 0666 group operator
    add path 'usb*' mode 0666 group operator
    add path 'lpt*' mode 0666 group operator
    add path 'ulpt*' mode 0666 group operator
    add path 'unlpt*' mode 0666 group operator
    add path 'fd*' mode 0666 group operator
    add path 'uscan*' mode 0666 group operator
    add path 'video*' mode 0666 group operator
    add path 'dvb/*' mode 0666 group operator

    And save it as /etc/devfs.rules

    That's in the /etc directory, the filename is devfs.rules

    Now enter the following commands:

    echo 'devd_enable="YES"' >> /etc/rc.conf
    echo 'devfs_system_ruleset="devfsrules_common"' >> /etc/rc.conf

    And reboot using the shutdown command.

    Now you should be able to access a Flash drive. Enter the mount command for it:

    mount -v -t msdosfs /dev/da0s* /media/da0s*

    And unmount it before removing the drive to prevent problems:

    umount -v /media/da0s*

    Now that we've got the basics done and closer to surfing the net let's tweak the pf.conf file to harden our firewall. Your internet interface designation should be something like ath0 or msk0 and can be found using the following command:

    ifconfig

    Now navigate to /etc/pf.conf as root with leafpad and change it to the following.

    ### Macro name for external interface
    ext_if = "Your Internet Interface Designation Goes Here"

    ### Options go before scrub and filter rules (pfctl enforces statement order)
    ### Skip filtering on loopback
    set skip on lo0

    ### Reassemble fragmented packets
    scrub in on $ext_if all fragment reassemble

    ### Default deny everything
    block log all

    ### Block spoof
    antispoof for lo0
    antispoof for $ext_if inet

    ### Keep and modulate state of outbound traffic
    pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

    Save, exit leafpad, and reboot through Eterm to make the changes take effect:

    shutdown -r now

    Open /etc/ttys in leafpad and change every instance of secure to insecure.

    Open /etc/ssh/sshd_config in leafpad and change the following lines to read as below. Uncomment the first two by removing the # at the beginning of the line and change the third to no:

    PermitRootLogin no
    Protocol 2
    X11Forwarding no

    Open /etc/passwd and delete the line of the toor account, then save and exit the file.




    You should now be well on your way to having a fully functional UNIX-like system. There are several more programs you'll want to build so you can continue to do anything you were doing on Windows, with more security and style, like VLC to watch movies, GIMP to manipulate images, nmap to scan (or zenmap for a GUI), bcrypt to encrypt password files, Firefox to browse the web, ePDFview to access PDF files, rkhunter to scan for rootkits, feh to change your desktop background, etc.


    Familiarize yourself with the ports tree and the programs it contains, the directory structure and its contents, and START STUDYING the FreeBSD Handbook on how to use your new OS. There is a FreeBSD forum that can be a valuable source of information, too.

    Whether or not you become proficient with FreeBSD is entirely up to you. If you have any problems or questions feel free to post and I'll do my best to answer them for you or direct you to the proper resource.
    Last edited by Siseneg; 09-30-2016 at 08:40 AM.
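
An audit of the three file edits at the end of the post above (`/etc/ssh/sshd_config`, `/etc/ttys`, and the toor account), as an added example that is not part of the original thread. The function names are hypothetical, and the script takes the three file paths as arguments so it can be run against copies as well as the live files.

```sh
#!/bin/sh
# Added example: confirm the sshd_config, ttys and passwd edits took effect.
# All function names here are hypothetical helpers.

# Effective value of an sshd_config keyword. sshd uses the FIRST
# uncommented occurrence of a keyword, and keywords are case-insensitive.
sshd_value() {   # sshd_value FILE KEYWORD
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Terminals still flagged "secure": root may log in on them directly,
# and a secure console gives a single-user shell without a password.
ttys_secure_lines() {   # ttys_secure_lines FILE
    awk '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == "secure") { print $1; next } }' "$1"
}

# Accounts other than root that carry UID 0 (toor is one of them).
extra_uid0() {   # extra_uid0 FILE
    awk -F: '!/^#/ && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

audit_hardening() {   # audit_hardening SSHD_CONFIG TTYS PASSWD
    fail=0
    for pair in "PermitRootLogin:no" "Protocol:2" "X11Forwarding:no"; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL sshd_config: $key is '${got:-unset}', want '$want'"
            fail=1
        fi
    done
    for tty in $(ttys_secure_lines "$2"); do
        echo "FAIL ttys: $tty is still marked secure"; fail=1
    done
    for acct in $(extra_uid0 "$3"); do
        echo "FAIL passwd: $acct has UID 0"; fail=1
    done
    [ "$fail" -eq 0 ] && echo "OK: all three edits are in place"
    return $fail
}

# Usage: sh audit.sh /etc/ssh/sshd_config /etc/ttys /etc/passwd
if [ $# -eq 3 ]; then
    audit_hardening "$1" "$2" "$3"
fi
```

A line left commented out in sshd_config is reported as unset, because the value then comes from the compiled-in default rather than from the file.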

  5. #5

    Good news

    I'm happy to report that FreeBSD News picked up and linked back to my tutorial.

    https://www.freebsdnews.com/20*6/06/24/building-the-freebsd-os-from-scratch

  6. #6
    BSD Magazine also links back to the freebsdnews.com article about this tutorial in a July ** post on their English and Arabic Facebook accounts :

    https://www.facebook.com/MagBSD/posts/*04464*62**887*

    https://ar-ar.facebook.com/MagBSD/posts/8*0840**76*455*
    Last edited by Siseneg; 07-23-2016 at 02:36 PM.

  7. #7
    I've set up a website where an expanded version of this tutorial appears:

    Building A FreeBSD Desktop From Scratch
    http://nixdesktop.scienceontheweb.net/
    Last edited by Siseneg; 10-05-2016 at 09:43 PM.

  8. #8

    update

    Updated the tutorial at my site to reflect changes in the installer and hosted it with its own domain. The forum omits too many characters to edit it here.

    http://freebsdesktop.org

  9. #9

    update

    Added FreeBSD themed wallpapers and Fluxbox styles to the updated tutorial at my site:

    http://freebsdesktop.org
