FreeBSD 11 Development Desktop on Dell XPS13
Daemons
NGINX - Web Server
Nginx is a fast, feature-rich web server with relatively straightforward configuration. Configure it to serve websites from /data/httpd.
- pkg install nginx
- mkdir -p /data/httpd/www
- chown -R www:www /data/httpd
- vi /usr/local/etc/nginx/nginx.conf
- echo 'nginx_enable="YES"' >> /etc/rc.conf
Write the following configuration.
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        location ~ /\. {
            deny all;
        }
        location / {
            root /data/httpd/www;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }
    }
}
PostgreSQL - Database Server
PostgreSQL is a fast, ACID-compliant object-relational database with a multitude of advanced features.
Install PostgreSQL. Version 9.6 is the most recent stable release.
- pkg install postgresql96-server
- pkg install postgresql96-contrib
- mkdir -p /data/postgres
- echo 'postgresql_enable="YES"' >> /etc/rc.conf
Configure PostgreSQL to run with the English locale and UTF-8 encoding in the directory /data/postgres.
- pw usermod postgres -d /data/postgres/data96 -L standard
- echo 'PGDATA=/data/postgres/data96' > /data/postgres/.profile
- echo 'export PGDATA' >> /data/postgres/.profile
- chown -R postgres:postgres /data/postgres
- su - postgres
- initdb
- exit
- service postgresql start
- createuser -s -E -P -U postgres admin
- Enter password for new role:
- Enter it again:
- Password:
- service postgresql stop
With an admin user established and the server shut down, you can switch to md5 password authentication. Rewrite pg_hba.conf in the data directory (/data/postgres/data96) as shown below.
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 md5
host    all       all   127.0.0.1/32  md5
host    all       all   ::1/128       md5
Having changed the authentication mechanism, restart the server.
- service postgresql start
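A check for the rewritten pg_hba.conf, as an added example that is not part of the original page: it parses the rules and reports any that use a method other than md5 or accept connections from a non-loopback address. The names audit_hba and SAMPLE_DEFAULT and the sample text are assumptions made for this illustration; quoted fields and include directives are not handled.

```python
import ipaddress

# Constructed sample: rules using trust, the method initdb selects by default.
SAMPLE_DEFAULT = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 trust
host    all       all   127.0.0.1/32  trust
host    all       all   ::1/128       trust
"""

def _mask_bits(field):
    """Prefix length if field is a netmask like 255.255.255.255, else None."""
    try:
        return bin(int(ipaddress.ip_address(field))).count("1")
    except ValueError:
        return None

def _is_loopback(address):
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False  # hostname, "all", "samenet": cannot be shown to be loopback

def audit_hba(text, allowed_methods=("md5",)):
    """Return (line number, problem) for each rule weaker than md5 on loopback."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        address, rest = None, fields[3:]  # local: TYPE DATABASE USER METHOD
        if fields[0] != "local" and rest:  # host*: ... ADDRESS [MASK] METHOD
            address, rest = rest[0], rest[1:]
            bits = _mask_bits(rest[0]) if rest else None
            if bits is not None:  # old-style separate netmask column
                address, rest = f"{address}/{bits}", rest[1:]
        method = rest[0] if rest else ""
        if not method:
            findings.append((lineno, "malformed rule"))
            continue
        if method not in allowed_methods:
            findings.append((lineno, f"method '{method}' is not in {allowed_methods}"))
        if address is not None and not _is_loopback(address):
            findings.append((lineno, f"address '{address}' is not loopback-only"))
    return findings

if __name__ == "__main__":
    for lineno, problem in audit_hba(SAMPLE_DEFAULT):
        print(f"line {lineno}: {problem}")
```

To check the live file, pass its contents to audit_hba; an empty list means every rule matches the configuration shown above.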
CUPS - Common UNIX Printing Service
The common UNIX printing service is an implementation of the Internet Printing Protocol. It provides a number of printing features and is well supported on FreeBSD. Install it as follows.
- pkg install cups
- echo 'cupsd_enable="YES"' >> /etc/rc.conf
PF - Firewall
FreeBSD comes with secure defaults; nonetheless, add a layer to the security onion and enable the firewall.
- vi /etc/pf.conf
Add this basic configuration.
ext_if="wlan0"
# Define one table to exclude bruteforce attackers.
table <bruteforce> persist
# Skip the loopback interface.
set skip on lo
# Clean inconsistencies in incoming traffic.
scrub in
# Default to blocking incoming traffic.
block in
# Block incoming packets with loopback address.
antispoof quick for {lo0}
# Filter packets from entries in bruteforce table.
block quick from <bruteforce>
# Allow access to ssh but block if more than three attempts are made in 30 seconds.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global)
# Allow access to web server.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 80 keep state
pass in quick on $ext_if proto tcp from any to ($ext_if) port 443 keep state
# Allow all outbound traffic from local net.
pass out on $ext_if to any keep state
Start the firewall on boot.
- echo 'pf_enable="YES"' >> /etc/rc.conf
- echo 'pflog_enable="YES"' >> /etc/rc.conf