
Thread: Building the FreeBSD OS from scratch

  1. #1
    Join Date
    Oct 2002
    Posts
    47

    continued

    OK, so you missed commenting a line in etc/rc.conf, possibly after the "equals" symbol, are seeing a message to that effect, and can't move past that point... Here's how to fix it without having to start completely over. Enter the following commands from where you are now:

    fsck -y
    mount -u /
    mount -a -t ufs
    swapon -a

    Now you can edit /etc/rc.conf through EE to find the error, reboot afterwards to continue on.


    Now we need to apply any security patches that have been issued since the install media was distributed. This is something you'll want to check each and every day to see if any new patches have been issued, chances are it will be weeks in between, but you want to stay up to date.

    Enter the following command:

    freebsd-update fetch

    It will download updates to the system if any are available. When it's finished use your down arrow key to scroll to the end and back to the command prompt. Then enter the following command:

    freebsd-update install

    It won't take as long to install them as it did to download them. Once it's done, reboot:

    shutdown -r now

    If the system hangs and it doesn't look like it's going to finish the reboot cycle do a hard reset with the power button, it will be alright to do so.

    When it reboots enter your user account again, and su to the root account by entering:

    su

    and your root password.

    Now we'll see if any updates have been made to the port tree by entering the following command:

    portsnap fetch update

    After it's done we'll build portmas ter (without the space) from the ports tree by entering the following command:

    cd /usr/ports/ports-mgmt/portmas ter

    Now you've changed directories with the cd command and are in that directory. Enter the following command:

    make install clean

    It will show you a few screens of possible options, just click Enter at each screen to go with the default options, and choose Yes when it asks you if you want to proceed.

    It will build the 3rd party program portmas ter from source code which will take a few minutes. You have the option of building programs from source or using packages through the pkg system. pkg is much, much faster, but by building from source you can choose your own options, and it's the way I've been doing it for years, so that's what we'll use in this tutorial.

    It is NOT good to mix ports and packages, so once you start using ports stay with it. Once you gain some experience you may want to rebuild your system and switch from ports to packages. If you'd rather start out using the pkg system consult the FreeBSD Handbook, but you'll need to know what programs are available to use them.

    Ports are also updated more frequently than packages. Therefore, it will be easier to keep your 3rd party software up to date when new vulnerabilities are discovered, and by starting out using ports you'll get a feel for compiling programs and gain more CLI time for experience purposes in the process. If you've only installed programs on a Windows machine with an .exe up till now this will be something completely different.

    Now, sit back and relax while it builds the port. Depending on your hardware, some programs could take quite a while. Next we'll build an old school filemanager called Midnight Commander, a graphic interface by installing xorg, a Windows Manager called Fluxbox, a file manager called xfe, and a text editor called Leafpad (which is similar to Notepad) to make it easier for you.

    When it's finished you can get back to the root directory by typing:

    cd /

    Enter the following command:

    cd /usr/ports/misc/mc

    Then type:

    make install clean

    and hit Enter.

    You'll be presented with several screens asking you if you'd like to change options for dependencies needed for MC. Just go with the default options for the most part with the possible exception being for IPV6 if you did not configure it during installation and PERL_64BITINT at the perl installation window if you're running a 32 bit machine. If not, hit the spacebar at those lines to uncomment it.

    MC will let you take a look at the directory tree to familiarize yourself with the layout, if you'd like to at the time, or you can do that later. You can bring up MC by typing mc at the CLI but at this point I would advise you only do so from the user account, and not as root, so you don't take the chance on tearing something up. The user account has limited privileges, root is the SuperUser.

    Next we'll build xorg by entering the following commands:

    cd /usr/ports/x11/xorg
    make install clean

    It will present you with several option screens for programs that are built with the xorg metadata port, like xterm, xclock, drivers, etc. It won't be necessary to choose all the graphic card drivers it presents, but go ahead and choose VESA with the driver for your card. Again, if you did not configure IPV6 uncomment that line when the curl dependency screen comes up during the xorg build process.

    Relax, you're doing great.

    After xorg is finally finished building we're going to put portmas ter to work building ports as it will find all needed dependencies before building and usually makes things go more smoothly. Enter the following (again, without the space) as root and hit Enter:

    portmas ter /usr/ports/x11-wm/fluxbox

    Fluxbox is a lightweight Window Manager that features transparency and has several nice styles to choose from. I much prefer it to desktops like KDE or Gnome due to all the extra baggage that comes bundled with them. Styles for fluxbox are available on the web if you search for them. I have one I always use, and could post it here, but I got it online too and tweaked it slightly.

    After it's done install your file manager:

    portmas ter /usr/ports/x11-fm/xfe

    Now for the text editor:

    portmas ter /usr/ports/editors/leafpad

    And the terminal we'll be using with fluxbox called Eterm, which like fluxbox, also features transparency:

    portmas ter /usr/ports/x11/eterm

    When it's done compiling the programs we'll add the following lines to the rc.conf file by entering the following commands so it's activated on boot:

    echo 'dbus_enable="YES"' >> /etc/rc.conf
    echo 'hald_enable="YES"' >> /etc/rc.conf

    This time you used the echo command instead of opening EE like before.

    Now we need to create a file called .xinitrc in your user account folder by entering the following command:

    ee /usr/home/usernamehere/.xinitrc

    (The . before the file name designates it as a hidden file. You can make hidden files visible in xfe options later.)

    Now type (yes, Eterm like it's typed):

    Eterm &
    xfe &
    exec fluxbox

    Save and exit EE afterwards like you've been doing, reboot to make the changes we made take effect:

    shutdown -r now

    (The forum edits the word p o r t m a s t e r so I added a space between letters. Enter the full word without the space in commands.)
    Last edited by Siseneg; 07-01-2016 at 02:43 AM.

  2. #2
    Join Date
    Oct 2002
    Posts
    47

    continued

    After it reboots log into your user account and enter the following command to bring up your desktop:

    startx

    If all went well, and it should if you've followed my instructions, you'll be presented with the fluxbox Window Manager screen, an Eterm terminal, and xfe file manager already open on the desktop. If you see a green and white WM you've logged in as root by mistake and need to reboot.

    From now on you can enter the root account through Eterm. Do so and update your ports tree now:

    portsnap fetch update

    Check to see if there are any vulnerabilities in your 3rd party programs by entering the following command:

    pkg audit -F

    It's doubtful any have been found in the relatively short time since you got started, but is something you want to do on a regular basis once you get things going. When vulnerabilities are found use portmas ter to update the file or remove it using the deinstall command.

    There are still several things you need to do. Look through xfe to familiarize yourself with the directory structure, ports tree, etc. We will be tweaking files to harden the system as well.

    First we need to create a couple files and edit rc.conf, this time using leafpad. You should still be in your root account in Eterm, so enter:

    leafpad

    To bring up that text editor as root. Copy this text into leafpad:

    [devfsrules_common=7]

    add path 'ad*' mode 0666 group operator
    add path 'da*' mode 0666 group operator
    add path 'acd*' mode 0666 group operator
    add path 'cd*' mode 0666 group operator
    add path 'mmcsd*' mode 0666 group operator
    add path 'pass*' mode 0666 group operator
    add path 'xpt*' mode 0666 group operator
    add path 'ugen*' mode 0666 group operator
    add path 'usbctl' mode 0666 group operator
    add path 'usb*' mode 0666 group operator
    add path 'lpt*' mode 0666 group operator
    add path 'ulpt*' mode 0666 group operator
    add path 'unlpt*' mode 0666 group operator
    add path 'fd*' mode 0666 group operator
    add path 'uscan*' mode 0666 group operator
    add path 'video*' mode 0666 group operator
    add path 'dvb/*' mode 0666 group operator

    And save it as /etc/devfs.rules

    That's in the /etc directory, the filename is devfs.rules

    Now enter the following commands:

    echo 'devd_enable="YES"' >> /etc/rc.conf
    echo 'devfs_system_ruleset="devfsrules_common"' >> /etc/rc.conf

    And reboot using the shutdown command.

    Now you should be able to access a Flash drive. Enter the mount command for it:

    mount -v -t msdosfs /dev/da0s* /media/da0s*

    And unmount it before removing the drive to prevent problems:

    umount -v -t msdosfs /dev/da0s* /media/da0s*

    Now that we've got the basics done and closer to surfing the net let's tweak the pf.conf file to harden our firewall. Your internet interface designation should be something like ath0 or msk0 and can be found using the following command:

    ifconfig

    Now navigate to /etc/pf.conf as root with leafpad and change it to the following.

    ### Macro name for external interface
    ext_if = "Your Internet Interface Designation Goes Here"

    ### Pass loopback (pf expects "set" options before scrub and filter rules)
    set skip on lo0

    ### Reassemble fragmented packets
    scrub in on $ext_if all fragment reassemble

    ### Default deny everything
    block log all

    ### Block spoof
    antispoof for lo0
    antispoof for $ext_if inet

    ### Keep and modulate state of outbound traffic
    pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

    Save, exit leafpad, and reboot through Eterm to make the changes take effect:

    shutdown -r now

    Open /etc/ttys in leafpad and change every instance of secure to insecure.

    Open /etc/ssh/sshd_config in leafpad and change the following lines to read as below. Uncomment the first two by removing the # at the beginning of the line and change the third to no:

    PermitRootLogin no
    Protocol 2
    X11Forwarding no

    Open /etc/passwd and delete the line of the toor account, then save and exit the file.




    You should now be well on your way to having a fully functional UNIX-like system. There are several more programs you'll want to build so you can continue to do anything you were doing on Windows, with more security and style, like VLC to watch movies, GIMP to manipulate images, nmap to scan (or zenmap for a GUI), bcrypt to encrypt password files, Firefox to browse the web, ePDFview to access PDF files, rkhunter to scan for rootkits, feh to change your desktop background, etc.


    Familiarize yourself with the ports tree and the programs it contains, the directory structure and its contents, and START STUDYING the FreeBSD Handbook on how to use your new OS. There is a FreeBSD forum that can be a valuable source of information, too.

    Whether or not you become proficient with FreeBSD is entirely up to you. If you have any problems or questions feel free to post and I'll do my best to answer them for you or direct you to the proper resource.
    Last edited by Siseneg; 09-30-2016 at 08:40 AM.
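
One way to confirm that the sshd_config, /etc/ttys and toor edits described in the post above are actually in place, as an added example that is not part of the original post. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are arguments so the
# checks can run against copies; function names are illustrative.

# sshd honours the first occurrence of a keyword; commented lines never match.
sshd_value() {  # $1 = file, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

check_sshd() {  # one FAIL line per setting that differs from the post
    rc=0
    for pair in PermitRootLogin=no Protocol=2 X11Forwarding=no; do
        key=${pair%%=*} want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        [ "$got" = "$want" ] && continue
        echo "FAIL sshd $key: want $want, got ${got:-unset}"
        rc=1
    done
    return $rc
}

check_ttys() {  # active /etc/ttys entries still flagged "secure"
    awk '!/^#/ { for (i = 2; i <= NF; i++) if ($i == "secure") {
             print "FAIL ttys: " $1 " still secure"; bad = 1; break } }
         END { exit bad + 0 }' "$1"
}

check_toor() {  # the post deletes the toor line from /etc/passwd
    awk -F: '$1 == "toor" { print "FAIL passwd: toor present"; bad = 1 }
             END { exit bad + 0 }' "$1"
}

audit() {  # $1 = directory holding sshd_config, ttys and passwd
    st=0
    check_sshd "$1/sshd_config" || st=1
    check_ttys "$1/ttys" || st=1
    check_toor "$1/passwd" || st=1
    return $st
}

# Constructed samples: a box where only part of the post was applied.
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' 'Protocol 2' 'X11Forwarding yes' \
    > "$demo/sshd_config"
printf '%s\n' 'console none unknown off insecure' \
    'ttyv0 "/usr/libexec/getty Pc" xterm on secure' > "$demo/ttys"
printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
    'toor:*:0:0:Bourne-again Superuser:/root:' > "$demo/passwd"
audit "$demo" || echo "hardening incomplete"
```

Against the live system, call the three check functions with /etc/ssh/sshd_config, /etc/ttys and /etc/passwd directly.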

  3. #3
    Join Date
    Oct 2002
    Posts
    47

    Good news

    I'm happy to report that FreeBSD News picked up and linked back to my tutorial.

    https://www.freebsdnews.com/20*6/06/24/building-the-freebsd-os-from-scratch

  4. #4
    Join Date
    Oct 2002
    Posts
    47
    BSD Magazine also links back to the freebsdnews.com article about this tutorial in a July ** post on their English and Arabic Facebook accounts :

    https://www.facebook.com/MagBSD/posts/*04464*62**887*

    https://ar-ar.facebook.com/MagBSD/posts/8*0840**76*455*
    Last edited by Siseneg; 07-23-2016 at 02:36 PM.

  5. #5
    Join Date
    Oct 2002
    Posts
    47
    I've set up a website where an expanded version of this tutorial appears:

    Building A FreeBSD Desktop From Scratch
    http://nixdesktop.scienceontheweb.net/
    Last edited by Siseneg; 10-05-2016 at 09:43 PM.

  6. #6
    Join Date
    Oct 2002
    Posts
    47

    update

    Updated the tutorial at my site to reflect changes in the installer and hosted it with its own domain. The forum omits too many characters to edit it here.

    http://freebsdesktop.org
    http://trihexagonal.org

  7. #7
    Join Date
    Oct 2002
    Posts
    47

    update

    Added FreeBSD themed wallpapers and Fluxbox styles to the updated tutorial at my site:

    http://freebsdesktop.org
    http://trihexagonal.org
