FreeBSD Setup and Basics

These are general notes on hardening and maintaining FreeBSD.

Sept 2015


Subscribe to these mailing lists to keep abreast of releases and security alerts:


-CURRENT is the bleeding edge. Analogous the Debian Unstable. Don’t use it unless we know why we need it (e.g. we’re doing FreeBSD development).

-STABLE is the main branch. It gets security updates, and some changes that have passed testing in CURRENT. Roughly analogous to Debian Testing.

-RELEASE is a snapshot STABLE that gets stamped as a point release (e.g. 10.1).This is usually what we want to use. Roughly analogous to Debian Stable. RELEASE gets security updates and critical fixes, and gets them as packaged binaries through freebsd-update.

Binary updates (i.e. freebsd-update) are only available for RELEASE.

Note: unlike Debian, on FreeBSD the base system and ports collection are separate, and updated/maintained separately. Also, home is located in /usr/home.

Updating FreeBSD Base

Assuming we’re using the stock kernel, we can do binary updates for our current version like:

# freebsd-update fetch
# freebsd-update install

If the kernel gets updated, restart the system.

If anything goes wrong, roll back the most recent updates with:

# freebsd-update rollback

Upgrade to a new version like:

# freebsd-update -r 10.2-RELEASE upgrade
# freebsd-update install

It’s strongly recommended to upgrade all packages/ports after a major version upgrade (kernel ABI changes tend to break third-party applications):

# pkg-static upgrade -f
# portmaster -af
# freebsd-update install

Binary Packages (finding, installing, updating, removing)

(If pkg is not already installed, run /usr/sbin/pkg and then pkg update.)

# pkg search foo
# pkg info foo
# pkg install foo
# pkg delete foo
# pkg autoremove


# pkg update
# pkg upgrade
# pkg audit -F

Source Ports (finding, installing, updating, removing)

(Download and extract the ports collection for the first time with portsnap fetch and postsnap extract.)

Keep the ports collection up to date with portsnap:

# portsnap fetch
# portsnap update

Find a port:

# whereis foo
 foo: /usr/ports/whatever/foo
# cd /usr/ports
# make search name=foo

Install or de-install a port:

# cd /usr/ports/whatever/foo
# make config-recursive; make install; make clean
# make deinstall

Upgrade installed ports using portmaster:

# cd /usr/ports/port-mgmt/portmaster
# make install clean
# portmaster -a

Read the latest warnings /usr/ports/UPDATING before updating ports (the latest entries are at the top of the file).


FreeBSD offers several option. Use IPFW.

Turn it on in /etc/rc.conf:


It offers a number of pre-defined firewall profiles. See /etc/rc.firewall. A reasonable choice for a stand-alone server is the client profiles; put this in /etc/rc.conf and customize /etc/rc.firewall:


Alternately, we can write our own rule set by setting this in /etc/rc.conf:


Our /etc/ipfw.rules might look like this (see ipfw(8)):

add="ipfw -q add"
ipfw -q -f flush
$add 10 pass all from any to any via lo0
$add 20 deny all from any to
$add 30 deny ip from to any
$add 40 deny ip from any to ::1
$add 50 deny ip from ::1 to any
$add 100 pass tcp from any to any established
$add 110 pass all from any to any frag
$add 1000 pass tcp from any to $pubip 22 keep-state
$add 1200 pass tcp from any to any 80 out keep-state
$add 1300 pass tcp from any to any 443 out keep-state
$add 2000 pass udp from me to any 53 keep-state
$add 2050 pass tcp from me to any 53 keep-state
$add 2100 pass udp from me to any 123 keep-state
$add 2200 pass tcp from me to any 25
$add 65000 deny all from any to any

(We may want to use specific networks for some of these, particularly the rules for ssh and smtp.)

Restart ipfw and load the new rules like:

# service ipfw restart

We check the rules with:

# ipfw list

We may want to throttle logging by adding this to /etc/sysctl.conf:


Securing ssh

Add our client key to ~/.ssh/authorized_keys.

Make sure root logins are disabled in /etc/ssh/sshd_config:

PermitRootLogin no

We don’t want password-only authentication. Use key-based auth or (on newer versions of sshd) key and password. Edit /etc/ssh/sshd_config:

PasswordAuthentication no


AuthenticationMethods publickey,password

Restart sshd:

# service sshd restart

We may also want to install sshguard (like fail2ban but with fewer dependencies):

# pkg install sshguard-ipfw

Add to /etc/rc.conf:


Start sshguard:

# service sshguard start


If we did not enable and configure ntp during install, do it now.

Configure the time zone:

# tzsetup

Add this to /etc/rc.conf:


Start ntpd:

# service ntpd start


FreeBSD ships Sendmail. Its default config is reasonable.

If we don’t often log into this box as root, we must send important notifications to another email address that we do read.

Edit /etc/mail/aliases and add:


Run newaliases to update the aliases database.



———————— Personal Preferences ————————

Packages I Like to Install

vim-lite sudo tmux git-lite curl


Use tcsh. Here’s a minimal .tcshrc:

set promptchars="%#"
set prompt = "--- %m %h %c %# "
setenv EDITOR vim
setenv VISUAL vim
setenv PAGER less
set autolist
alias l 'ls -FG'
alias la 'ls -FGa'
alias ll 'ls -FGlha'
alias h 'history 60 | sort -k2 | uniq -f2 | sort -bn'
setenv LSCOLORS "gxfxcxdxbxxggdabagacad"
bindkey "^W" backward-delete-word


After installing sudo, do visudo, and uncomment this line:


Make sure our user account is a member of the wheel group.