FreeBSD knowledge
Kernel
Upgrading FreeBSD
Ports
Stalls at F1 prompt
Jumpstart
AddSwap
NFS
Null Mounts
ZFS
A few years ago, FreeBSD surprised me with its httpd performance compared to Redhat.
FreeBSD commands
sockstat -c (netstat equiv.)
pciconf -lv (lspci equiv.)
kldstat (lsmod equiv.)
netstat -i (show interface errors)
cmdwatch (watch equiv.)
Thanks to Sub for this one!
FreeBSD usage monitoring
iostat -w 1 ad4 (show IO rate)
netstat -I em0 -h -f inet -w 1 (show NIC rate)
Updating FreeBSD
Edit /etc/freebsd-update.conf, then:
freebsd-update fetch
freebsd-update install
Reboot afterwards if the kernel was patched. freebsd-update only covers the base system; ports are updated separately.
Changing shell
chsh <user>
Allowing users to su
# pw user mod some_user -G wheel
# groups some_user
Note that -G replaces the user's whole secondary group list, so include any groups the user is already in; the groups command afterwards confirms the result.
Startup (rc)
FreeBSD does not use SysV init for system services. Services are enabled in /etc/rc.conf and started by rc scripts in /etc/rc.d (base system) and /usr/local/etc/rc.d (ports). For example, to start tomcat on boot, put the following line in rc.conf:
tomcat_enable="YES"
Next, write an rc script for starting and stopping it. The script must set rcvar to that variable name, otherwise run_rc_command ignores rc.conf and starts the service unconditionally. The following is a working example for tomcat:
#!/bin/sh
# PROVIDE: tomcat
# REQUIRE: LOGIN
# KEYWORD: shutdown
. /etc/rc.subr
name="tomcat"
rcvar="${name}_enable"     # honours tomcat_enable="YES" in /etc/rc.conf
start_cmd="${name}_start"
stop_cmd="/usr/local/tomcat/bin/shutdown.sh"
extra_commands="version"   # adds "service tomcat version"
version_cmd="${name}_version"
# Note: this runs Tomcat as root; for a production service run it as an
# unprivileged user (for example via daemon(8) -u).
tomcat_start() {
/usr/local/tomcat/bin/startup.sh
/usr/local/tomcat/bin/catalina.sh version
}
tomcat_version() {
/usr/local/tomcat/bin/catalina.sh version
}
load_rc_config $name
run_rc_command "$1"
Format new drives
You can do it via sysinstall, or from the command line:
dd if=/dev/zero of=/dev/da3 bs=1k count=1
bsdlabel -Bw da3 auto
newfs -n -o time -U /dev/da3a > da3a-newfs.log
Disk upgrade
One can use the built-in dump / restore commands to migrate a partition to another one. The process can take hours depending on the partition size. Here are the steps:
- Boot FreeBSD into single-user mode by supplying boot -s to the boot loader
- Run sysinstall and fdisk the new disk/partition
- Say the new partition is /dev/ad1s1; format it with newfs /dev/ad1s1
- Create the mount point for the restore, say mkdir /mnt/usr, and mount the new partition on it: mount /dev/ad1s1 /mnt/usr
- Use this command to dump and restore: ( dump -0f - /usr ) | ( cd /mnt/usr ; restore -rf - )
- Remove the restoresymtable file restore -r leaves behind, unmount the new partition (umount /mnt/usr) and enable soft updates with tunefs -n enable /dev/ad1s1 (tunefs cannot change an active read-write filesystem)
- Finally, modify /etc/fstab to point to the new slice
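The steps above as one script, with the checks an operator wants before touching disks. This is an added example, not code from the original page: it refuses to newfs a device that is mounted, insists the source is a real mount point, dumps from a snapshot (dump -L) so the copy is consistent, compares file counts before the switch-over, and prints the fstab line to add. It uses newfs -U instead of a later tunefs -n enable. The device names and mount points in the comments are hypothetical; pass your own as arguments.

```shell
#!/bin/sh
# Migrate one UFS filesystem onto a new partition with dump(8)/restore(8).
# Added example, not code from the original page. Device names and mount
# points are arguments; the ones shown in comments are hypothetical.
set -eu

# fstab_line DEVICE MOUNTPOINT: the /etc/fstab entry for the migrated
# filesystem (fsck pass 2, i.e. checked after the root filesystem).
fstab_line() {
    printf '%s\t\t%s\tufs\trw\t2\t2' "$1" "$2"
}

# is_mounted DEVICE_OR_DIR: true if it appears as a device or mount point
# in mount(8) output, e.g. "/dev/ad0s1a on / (ufs, local)".
is_mounted() {
    mount 2>/dev/null | awk -v x="$1" '$1 == x || $3 == x { f = 1 } END { exit !f }'
}

# migrate_fs SRCMOUNT NEWDEV TMPMOUNT, e.g. migrate_fs /usr /dev/ad1s1 /mnt/usr
migrate_fs() {
    src="$1"; newdev="$2"; tmp="$3"

    # Never newfs something that is in use, and only dump real filesystems.
    if is_mounted "$newdev"; then
        echo "refusing: $newdev is mounted" >&2; return 1
    fi
    if ! is_mounted "$src"; then
        echo "refusing: $src is not a mounted filesystem" >&2; return 1
    fi

    newfs -U "$newdev"             # soft updates enabled from the start
    mkdir -p "$tmp"
    mount "$newdev" "$tmp"

    # -L dumps from a snapshot so the copy is consistent even on a live
    # filesystem; -a suppresses tape-length prompts; -f - writes to stdout.
    ( dump -0Laf - "$src" ) | ( cd "$tmp" && restore -rf - )
    rm -f "$tmp/restoresymtable"   # bookkeeping file left by restore -r

    # Sanity check before switching over: same number of regular files,
    # ignoring the .snap directory that holds dump's temporary snapshot.
    n_src=$(find "$src" -xdev -type f ! -path '*/.snap/*' | wc -l)
    n_dst=$(find "$tmp" -xdev -type f ! -path '*/.snap/*' | wc -l)
    if [ "$n_src" -ne "$n_dst" ]; then
        echo "file count mismatch: $n_src in $src, $n_dst in $tmp" >&2; return 1
    fi

    umount "$tmp"
    echo "verified; add this line to /etc/fstab and reboot:"
    fstab_line "$newdev" "$src"; echo
}

# Run only when given the three arguments, so sourcing the file is harmless.
if [ $# -eq 3 ]; then
    migrate_fs "$@"
fi
```

Run it from single-user mode as sh migrate.sh /usr /dev/ad1s1 /mnt/usr; the fstab switch is deliberately left to you so the old partition stays intact until the copy has been verified.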
If fdisk is not working out, you can also try disklabel:
- disklabel /dev/ad0s1
- disklabel -e /dev/ad0s1, edit the partition to change
- newfs -i 1024 /dev/ad0s1b (this is good. I'm planning to use a partition to store the ports collection, which is a large number of small files. The default 4096 inode size was giving me out-of-inode problems after the partition was ~250M/500M used. To get around it, use a smaller inode size.) The -i argument is bytes of data per inode, so a smaller value allocates more inodes per megabyte; check inode usage with df -i.
- edit /etc/fstab and mount
network settings
rc.conf
ifconfig_bge0="inet 1.2.3.4 netmask 255.255.255.0"
defaultrouter="1.2.3.254"
ifconfig_bge1="inet 10.0.0.135 netmask 255.255.255.0"
ifconfig_em0="inet 192.168.92.223 netmask 255.255.252.0"
ifconfig_bge0_alias0="inet 1.2.3.5 netmask 255.255.255.255"
#static routes
static_routes="backup00 backup01"
route_backup00="-net 192.168.12.0/24 192.168.92.1"
route_backup01="-net 192.168.31.0/24 192.168.92.1"
To restart networking:
/etc/rc.d/netif restart
/etc/rc.d/routing restart
netif alone reconfigures the interfaces but does not re-add defaultrouter or the static_routes entries; routing does that. On recent releases service netif restart and service routing restart do the same thing.
network tuning
/boot/loader.conf
kern.ipc.nmbclusters=64000
/etc/sysctl.conf
kern.ipc.maxsockbuf=8388608
net.inet.tcp.sendspace=3217968
net.inet.tcp.recvspace=3217968
kern.ipc.nmbclusters is a boot-time tunable; the socket buffer values are ordinary sysctls and are normally set in /etc/sysctl.conf. sendspace and recvspace are per-socket defaults, so at ~3 MB each a host holding thousands of connections can commit gigabytes of kernel memory; size them against the real bandwidth-delay product and the number of connections you expect, not just the fastest link.
Some more on that
* net.inet.tcp.msl=7500
net.inet.tcp.msl is the Maximum Segment Lifetime in milliseconds: the longest a TCP segment is assumed to survive in the network. FreeBSD holds a closed connection in TIME_WAIT for 2*MSL so that a late segment from the old connection cannot be accepted by a new connection reusing the same addresses and ports. Lowering the MSL frees TIME_WAIT sockets sooner, which is what you want on a host flooded with short-lived connections; the trade-off is a smaller safety margin against delayed segments. RFC 793 defines the MSL as two minutes (120000ms), but that was written in 1981 and networks are much faster now. FreeBSD's default is 30000ms. This is sufficient for most conditions, but for stronger DoS protection you can lower it to 7500, or maybe even less.
* net.inet.tcp.blackhole=2
net.inet.tcp.blackhole defines what happens when a TCP packet is received on a closed port. When set to '1', SYN packets arriving on a closed port are dropped without a RST being sent back. When set to '2', all packets arriving on a closed port are dropped without a RST being sent back. This saves CPU time, because the packets need less processing, and outbound bandwidth, because no replies are sent. The cost is that a legitimate client hitting a closed port hangs until its own connect timeout instead of getting an immediate RST, and it only hides closed ports: open ports still answer, so the host remains discoverable by a scanner.
* net.inet.udp.blackhole=1
net.inet.udp.blackhole is similar to net.inet.tcp.blackhole in its function. As UDP has no connection state like TCP, there is only one choice when it comes to dropping UDP packets. When net.inet.udp.blackhole is set to '1', all UDP packets arriving on a closed port are dropped without an ICMP port-unreachable reply.
* net.inet.icmp.icmplim=50
The name 'net.inet.icmp.icmplim' is somewhat misleading. This sysctl controls the maximum number of ICMP "Unreachable" and also TCP RST packets that will be sent back every second (the default is 200). It helps curb the effects of attacks which generate a lot of reply packets.
* kern.ipc.somaxconn=32768
kern.ipc.somaxconn is the maximum listen(2) backlog: the number of completed but not yet accepted connections a single listening socket may queue (a daemon asking for more is silently clamped to this value). The default is only 128; on recent releases the same knob is also exposed as kern.ipc.soacceptqueue. If connections arrive faster than the daemon accepts them, the queue fills and further connections are dropped, which denies your users access to the service. Note that this alone does not defend against SYN floods: half-open connections live in the syncache, and net.inet.tcp.syncookies=1 (the default) handles overflow there.
Then check mbuf cluster usage with:
netstat -m
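A script to audit a host against the sysctl values listed above and emit the /etc/sysctl.conf lines that would fix any drift. This is an added example, not code from the original page. The wanted values are the page's, plus net.inet.tcp.syncookies=1 (FreeBSD's default and the actual SYN-flood defence); SAMPLE_OUTPUT is a constructed stand-in for sysctl(8) output on a stock host and is used when the script is not running on FreeBSD.

```shell
#!/bin/sh
# Audit FreeBSD network-hardening sysctls and print the /etc/sysctl.conf
# lines needed to reach the wanted values. Added example, not from the page.

# Wanted values: the page's recommendations plus syncookies (added here).
WANTED="net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.icmplim=50
net.inet.tcp.msl=7500
kern.ipc.somaxconn=32768
net.inet.tcp.syncookies=1"

# Constructed sample of "sysctl name" output on a stock host (defaults).
SAMPLE_OUTPUT="net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0
net.inet.icmp.icmplim: 200
net.inet.tcp.msl: 30000
kern.ipc.somaxconn: 128
net.inet.tcp.syncookies: 1"

# current_values: "name: value" lines for every wanted sysctl, queried live
# on FreeBSD, otherwise the constructed sample above.
current_values() {
    if [ "$(uname -s 2>/dev/null)" = "FreeBSD" ]; then
        for n in $(printf '%s\n' "$WANTED" | cut -d= -f1); do
            sysctl "$n"
        done
    else
        printf '%s\n' "$SAMPLE_OUTPUT"
    fi
}

# lookup NAME OUTPUT: the current value of NAME in OUTPUT (empty if absent).
lookup() {
    printf '%s\n' "$2" | awk -v n="$1:" '$1 == n { print $2; exit }'
}

# audit_sysctls OUTPUT: one "DRIFT name have=X want=Y" line per mismatch.
audit_sysctls() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r name want; do
        have=$(lookup "$name" "$1")
        if [ "$have" != "$want" ]; then
            echo "DRIFT $name have=${have:-unset} want=$want"
        fi
    done
}

# drift_count OUTPUT: number of mismatches; 0 means compliant.
drift_count() {
    audit_sysctls "$1" | grep -c '^DRIFT ' || true
}

# sysctl_conf_lines OUTPUT: "name=value" lines to append to /etc/sysctl.conf.
sysctl_conf_lines() {
    audit_sysctls "$1" | awk '{ split($4, w, "="); print $2 "=" w[2] }'
}

# Usage: sh audit.sh --live   (prints the drift, then the lines to apply)
if [ "${1:-}" = "--live" ]; then
    cur=$(current_values)
    audit_sysctls "$cur"
    echo "# add to /etc/sysctl.conf, then: sysctl -f /etc/sysctl.conf"
    sysctl_conf_lines "$cur"
fi
```

On the sample output every value except syncookies drifts, so the script reports five mismatches and prints the five lines to add; applying them with sysctl -f /etc/sysctl.conf and re-running the audit should then report none.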
Other kernel tunings
kern.maxfiles=
kern.maxfilesperproc=
Useful commands
# Show listening daemons and ports
sockstat -4l
# Show system parameters (including memory size)
sysctl -a
# lspci equivalent
pciconf -lv
Mount iso
mdconfig -a -t vnode -f /data/home/X/Bex301_Unix1.iso -u 0
mdconfig -a -t vnode -f /data/home/X/Bex301_Unix2.iso -u 1
mount -t cd9660 /dev/md0 disc1
mount -t cd9660 /dev/md1 disc2
When done, umount the directories and detach the memory disks with mdconfig -d -u 0 and mdconfig -d -u 1.
# bsdsar
http://www.cyberciti.biz/faq/freebsd-bsdsar-installation-configuration/
dump & restore
dump -0uan -f /bk/fs.dump /dev/ad0s1a
cd /tmproot
restore -rf /bk/fs.dump
Remove soft-updates
# boot up with FreeSBIE (a live CD), then, with the filesystem unmounted:
tunefs -n disable /dev/ad0s1a
completely disable sendmail
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
procfs
Add to /etc/fstab, then mount /proc:
proc /proc procfs rw 0 0