# Beginners Guide - How To Set Up A FreeBSD Desktop From Scratch



## Deleted member 30996 (Jul 19, 2017)

I'm going to guide you though the process of getting a fully functional FreeBSD 13.0-RELEASE desktop up and running, complete with system files and security settings, step-by-step as if you've never used UNIX or the command line. Now let's get started:

Insert your boot media and at the Welcome screen, choose the Install option and hit Enter. (You'll be using the Enter key to confirm all your choices.)

If you're in the US use the Default keyboard mapping when presented with that screen. If not, choose the keymap that you'll be using.

When presented with the Set Hostname screen enter your machine name.

At the Distribution Select screen choose:

```
lib32
ports
src
```
If you are not on a 64 bit machine the lib32 option will not be available. You do this with the arrow keys and the spacebar.

At the Partitioning menu choose Auto (UFS) Guided Disk Setup, for simplicity, and MBR for the Partition Scheme. It will give you a choice of where to install, choose your HDD which will be designated as ada0. There have been problems reported with this stage of installation and I changed from GPT to MBR to get past a sticking point. Your mileage may vary.

Choose Entire Disk at the next screen, as we won't be dual-booting with this tutorial.

At the next screen it will present you with the disk layout, choose Finish.

Now confirm this is what you really want to do, and Commit to the partitioning and installation of your new OS.

Now sit back and wait for it to install the base system, kernel, games, ports, and source code. It won't take long.

Your next task is to choose a password for the root account. Make it a strong one with upper and lower case letters, numbers, and other characters. At least 8 characters in length, the longer and more complex the better.

Now you'll configure your network interface. Choose your Ethernet card for starters. FreeBSD is not Linux, so it will have a different designation but you should be able to pick it out from a wireless card.

Now choose Yes when asked if you'd like to configure IPv4.

Choose Yes to configure DHCP. It will scan and pick up your router interface, go with it.

If you want to configure IPv6 at the next screen or not it's up to you.

Now set your timezone, choose No when it asks you if you use UTC, and proceed to the next screen to choose the proper time zone for you.

At the system Configuration screen choose to enable ntpdate, ntpd, and powerd. If you want to enable SSH choose SSHD too.

Choose No to enabling Crash Dump. It's not necessary.

At the System Hardening screen check the following boxes to enable the options:

```
Disable reading kernel message buffer for unprivileged users
Disable process debugging facilities for unprivileged users
Randomize the PID for newly created processes
Disallow DTrace destructive-mode
```
Choosing to disable reading kernel message buffer will disable the ability to use the dmesg command from the user account, showing a volume of system information, and you will have to log in as root to read it so it is an option you may wish to leave unchecked. We will set other variables ourselves later on.

Now's your chance to add a User account. Less privileged than root, it's what you'll be running in 99.9% of the time.

When asked if you want to invite the user to other groups make them members of:

```
wheel operator
```
Typed just like that.

Enter a password for that account, for the rest of the options choose the default option it recommends and just hit Enter to proceed from one to the next.

One account should be enough. When asked if you want to make another user account type no and hit Enter.

Now you're at the last screen of the build process. Exit and remove the installation media you used (CD, DVD, Flash drive) while it's restarting or it will loop back.

Now you're presented with a black screen which is our terminal. You've only installed the base system and no GUI or desktop have been installed at this point.

Log into your user account with the user name you chose and the password for it.

Now we're going to log into the root account by typing:
`su`

And entering the root password.

Now we're going to enable the pf firewall, which is taken from OpenBSD and the best all-around firewall going.

We're going to have to enter Easy Editor to make a ruleset and show the system where to look for it. Type:
`ee /etc/pf.conf`

And hit Enter.

You've just created a file called pf.conf in the /etc directory. Now type:

```
block in all
pass out all keep state
```
Hit the Esc key to bring up the options menu, choose file options, and save file.

Hit Esc again and exit Easy Editor back to the command line.

Now we have to show the system where to look for our ruleset and the logfile.

Then type:
`ee /etc/rc.conf`

You've just opened the file rc.conf in the /etc directory. This is a very important file and you should see some options already there, like your machine name and other options.

It's VERY IMPORTANT not to leave any option here uncommented on either end, meaning if you start an option it MUST begin and finish with quotes or you will not be able to start your system and have to enter Single User Mode to fix.

Use your arrow keys to scroll down past the lines that are already present and type these out:

```
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
```

Now to save time and effort later so we can download microcode updates to keep your processor firmware up-to-date edit in:


```
microcode_update_enable="YES"
```

Notice how each option begins and finishes with a quote? You'll be adding your own later so don't forget to check it closely before you exit out of Easy Editor when you do. (Always hit Enter after your last entry so you end up on a new blank line.)

Now hit Esc to save the file, and Esc again to exit Easy Editor.

Now we'll reboot to make the changes we've made take effect by entering the following command:
`shutdown -r now`

And hitting Enter. Your machine will now reboot and you'll be back at the starting screen. Log into your user account again and then su into the root account once you do.

OK, so you missed commenting a line in /etc/rc.conf, possibly after the "equals" symbol, are seeing a message to that effect and can't move past that point... Here's how to fix it without having to start completely over. Enter the following commands from where you are now to go into Single User Mode:
```
fsck -y
mount -u /
mount -a -t ufs
swapon -a
```

Now you can edit /etc/rc.conf through EE like before to find the error. Reboot afterwards to continue on.

Now we need to apply any security patches that have been issued since the install media was distributed. This is something you'll want to check every day to see if any new patches have been issued. Chances are it will be weeks in between, but you want to stay up to date.

Enter the following command from your root account:
`freebsd-update fetch`

It will download updates to the system if any are available. When it's finished use your down arrow key to scroll to the end and back to the command prompt. Then enter the following command:
`freebsd-update install`

It won't take as long to install them as it did it download them. Once it's done, reboot:
`shutdown -r now`

If the system hangs and it doesn't look like it's going to finish the reboot cycle do a hard reset with the power button, it will be alright to do so.

When it reboots enter your user account again, and su to the root account by entering:
`su`

And your root password. Now we'll populate the ports tree, which is where we'll get all our programs, with the following command:
`portsnap fetch extract`

If all went well with the initial installation it should download and populate the ports tree, which will take a few minutes.

Now download the database for 3rd party program vulnerabilities by entering the following command:
`pkg audit -F`

After it's done we'll build portmaster from the ports tree by entering the following command:
`cd /usr/ports/ports-mgmt/portmaster`

Now you've changed directories with the cd command and are in the portmaster directory. Enter the following command:
`make install clean`

It will show you a few screens of possible options, just click Enter at each screen to go with the default options, with the exception of IPV6 at the python27 screen if you did not configure IPV6 during the install process, and choose Yes when it asks you if you want to proceed.

It will compile the 3rd party program portmaster from source code which will take a few minutes. You have the option of building programs from source though ports or using pre-compiled binary packages through the pkg system. Using pkg is much faster, but by using ports you can choose your own program options and it's the way I've always done it so that's what we'll use in this tutorial.

Ports are also updated more often than packages. Therefore, it will be easier to keep your 3rd party software up to date when new vulnerabilities are discovered, and by starting out using ports you'll get a feel for compiling programs and gain more CLI time for experience purposes in the process.

I recommend not to mix ports and packages, so once you start using ports stay with it. After you gain some experience you may want to rebuild your system and switch from ports to packages. If you'd rather start using the pkg system consult the FreeBSD Handbook.

When it's finished you can get back to the root directory by typing:
`cd /`

We're going to put portmaster to work right away and update your microcode. It will gather all dependencies and what it deems necessary to be built along with a port. It will also make the process easier by allowing you to set the variables for each of them all at once and not as they are being built.

`portmaster sysutils/devcpu-data`

After it's finished type the command:

`service microcode_update start`

Now we're going to build rkhunter to watch for rootkits and associated file changes. We have a clean system now and will run it to get a baseline. Once you've finished the installation of the Base System and 3rd party programs run it again. That way you have a clean baseline to go by if in the future it shows changes in your daily security report.

We're going to choose the option to build nmap along with rkhunter so it can scan for open ports while rkhunter runs.

Enter the following command:
`portmaster security/rkhunter`

And hit Enter.

You'll be presented with a screen giving you the option to install nmap during the build, along with other screens indicating dependencies portmaster will install during the build. Use the down arrow to move the cursor to nmap and hit the spacebar to enable the option. After the build finishes enter the following command:
`rehash`

Now summon rkhunter, then update the definitions for it and run a scan, following directions given to hit Enter as the scan proceeds:
```
rkhunter
rkhunter --update
rkhunter --checkall
```

Now update your base file with this command. I think of it as prop up data to remember it:
`rkhunter --propupd`

Next we'll build Xorg by entering the following command:
`portmaster x11/xorg`

It will present you with several option screens for programs that are built with the Xorg metadata port like xterm, xclock, drivers, etc. It won't be necessary to choose all the graphic card drivers it presents, but go ahead and choose VESA along with the driver for your card. Again, if you did not configure IPV6 uncomment that line when the curl and python36 dependency screens come up during the build process.

If you have a boxen with Switchable Graphics, drivers for both chips should be checked to be installed at the Driver Selection screen. I have a Thinkpad T400 that has Switchable Graphics with Intel GMA 4500MHD and ATI Mobility Radeon HD 3470 chips. Both the Intel and ATI drivers need to be checked for install at the driver selection screen during the install of x11/xorg.

Before you boot to the desktop it needs to be put into "Discrete" graphics mode in the BIOS. It then defaults to the Radeon chip and runs fine without any tweaking.

After Xorg is finally finished compiling (it will take a while) let's reboot by entering the following command:
`shutdown -r now`

After you have rebooted log into your user account, then into your root account by entering the following command and your root password:
`su`

Check to see if the ports tree has been updated or any new vulnerabilities have been found by entering the following commands:
```
portsnap fetch update
pkg audit -F
freebsd-update fetch
```

These are commands you'll be using on a regular basis to keep your system updated. Now we'll build fluxbox:
`portmaster x11-wm/fluxbox`

Fluxbox is a lightweight Window Manager that features transparency and has several nice styles to choose from. I can provide you with a few. I prefer it to desktops like KDE or Gnome due to all the extra baggage that comes bundled with them. The programs you'll install need to be added manually to the Fluxbox menu, which can be accessed and edited with leafpad from the /usr/home/username/.fluxbox directory. The . before the folder name designates it as a hidden folder.

When you get to the desktop, to populate your new menu with the programs you've installed without editing it manually run this command from the user account:
`fluxbox-generate_menu`

If you would like to add icons to the fluxbox menu, you can create a small 32x32 image or find the one associated with the appropriate program to "Export As" an image in .xpm format from Gimp to where you want to save it. Then you link to the image from the fluxbox menu behind the command to call the program. It should look something like this:

```
[exec]   (urxvt) {urxvt} </usr/home/Trihexagonal/Images/iconred.xpm>
```

I am attaching at the bottom 3 fluxbox styles in .txt format if you would like to use them. 8ball.txt, bloodflow.txt and electricblue.txt. Remove the .txt extension, copy them to /usr/local/share/fluxbox/styles as root and they will appear with the rest in the default themes right-click fluxbox menu.

After it's done install your file manager:
`portmaster x11-fm/xfe`

Now for the text editor:
`portmaster editors/leafpad`

And the terminal we'll be using with fluxbox called urxvt, which uses an ~/.Xdefaults file for transparency and font selection I will supply:
`portmaster x11/rxvt-unicode`

When it's done compiling the programs we'll add the following lines to the rc.conf file by entering the following commands so it's activated on boot:
```
echo 'dbus_enable="YES"' >> /etc/rc.conf
echo 'hald_enable="YES"' >> /etc/rc.conf
```

This time you used the echo command instead of opening EE like before.

Now we need to log out of the root account and create a file called .xinitrc in your usr account folder by entering the following command from the usr account:
`ee /usr/home/usernamehere/.xinitrc`

The . before the file name designates it as a hidden file. You can make hidden files and folders visible in xfe options later.

Now type:

```
urxvt &
xfe &
exec fluxbox
```
Save and exit EE afterwards like you've done, reboot to make the changes we made take effect:
`shutdown -r now`

After it reboots log into your user account and enter the following command to bring up your desktop:
`startx`

If all went well, and it should if you've followed my instructions, you'll be presented with the fluxbox Window Manager screen, a urxvt terminal, and an xfe file manager window already open on the desktop. If you see a green and white WM you've logged in as root by mistake and need to reboot. Look over the xfe options to customize it to your taste.

If your box uses an older nvidia chip, maybe a Quadro NVS 140M or Quadro 1000M with Optimus, we have easy work first. Your card will need x11/nvidia-driver-304 or x11/nvidia-driver-340, emulators/linux_base-c7, x11/nvidia-settings and x11/nvidia-xconfig.

As root, run `nvidia-xconfig`. Run `ee /etc/rc.conf`, edit in `linux_enable="YES"`, save and exit. Run `ee /boot/loader.conf`. To cover all chips, edit in:

```
linux_load="YES"
nvidia_load="YES"
nvidia-modeset_load="YES"
```

Now save file, exit editor and reboot. Now we can boot to the desktop same as them and see a nvidia boot screen display before we land for mad skills.

I have uploaded an ~.Xdefaults file to customize urxvt as a text file attachment at the bottom of the post. Remove the .txt extension and replace the leading period to make it a hidden file again before placing it in your user directory.

From now on you can log into the root account through urxvt. Do so now by entering the su command followed by your root password:
`su`

Then update your ports tree and check to see if there are any vulnerabilities in your programs:
```
portsnap fetch update
pkg audit -F
```

It's doubtful any have been found in the relatively short time since you got started, but is something you want to do on a regular basis once you get things going. When vulnerabilities are found use portmaster to update the file with the "portmaster filename" command, or remove it by changing to the programs directory and using the "make deinstall clean" command. Be aware that if you deinstall a program it may break another program, if it is a dependency of that program.

There are still several things you need to do. You will need to create folders for Documents, Downloads, Images, Music, Videos, etc. in your /home/username directory manually through the xfe File dropdown menu. We will be tweaking files to harden the system as well.

First we need to create a couple files and edit rc.conf, this time using leafpad. You should still be in your root account in urxvt, so enter:
`leafpad`

To bring up that text editor as root. Copy this text into leafpad:

```
[devfsrules_common=7]
add path 'ad*' mode 0666 group operator
add path 'da*' mode 0666 group operator
add path 'acd*' mode 0666 group operator
add path 'cd*' mode 0666 group operator
add path 'mmcsd*' mode 0666 group operator
add path 'pass*' mode 0666 group operator
add path 'xpt*' mode 0666 group operator
add path 'ugen*' mode 0666 group operator
add path 'usbctl' mode 0666 group operator
add path 'usb*' mode 0666 group operator
add path 'lpt*' mode 0666 group operator
add path 'ulpt*' mode 0666 group operator
add path 'unlpt*' mode 0666 group operator
add path 'fd*' mode 0666 group operator
add path 'uscan*' mode 0666 group operator
add path 'video*' mode 0666 group operator
add path 'dvb/*' mode 0666 group operator
```
And save it as /etc/devfs.rules

That's in the /etc directory, the filename is devfs.rules

Now enter the following commands:
```
echo 'devd_enable="YES"' >> /etc/rc.conf
echo 'devfs_system_ruleset="devfsrules_common"' >> /etc/rc.conf
```

And reboot using the shutdown command.

Open Xfe as root and in the File dropdown menu choose New folder to create a new folder named da0s1 in the Media directory. Now you should be able to access a Flash drive. Enter the mount command for it:
`mount -v -t msdosfs /dev/da0s1 /media/da0s1`

And unmount it before removing the drive to prevent problems:
`umount -v -t msdosfs /dev/da0s1 /media/da0s1`

Now that we've got the basics done and closer to surfing the net let's tweak the pf.conf file to harden our firewall. The network interface designation for your Ethernet card should be something like msk0, em0 or bge0 and can be found using the following command:
`ifconfig`

Now navigate to /etc/pf.conf as root with leafpad and change it to the following.

```
### Macro name for external interface
ext_if = "Network Interface Designation Goes Here"

### Pass loopback (pf requires "set" options before scrub and filter rules)
set skip on lo0

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Block spoof
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any

### Keep and modulate state of outbound traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```

The following ruleset allows the machine running cupsd to be accessed by your other machines on the LAN:

```
### CUPS_pf_rules_included
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Allow CUPS to use tcp ports 80 and udp port 631
cups_tcp = "{ 80, 631 }"
cups_udp = "{ 631 }"

### Allow CUPS to be accessible (change to your other machines ifconfig -a LAN designation )
table <local> { CUPS machine LAN address }

### Pass loopback (pf requires "set" options before scrub and filter rules)
set skip on lo0

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Allow LAN to talk to CUPS on your machine
pass in log quick from <local> to any keep state

### Block spoof
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Allow CUPS to talk to clients on LAN
pass out log on $ext_if proto tcp to any port $cups_tcp keep state
pass out log on $ext_if proto udp to any port $cups_udp keep state

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```
Save, exit leafpad, and reboot through urxvt to make the changes take effect:
`shutdown -r now`

Open /etc/ttys in leafpad as root and change every instance of secure to insecure to require the root password to logon in Single User Mode.

Open /etc/ssh/sshd_config in leafpad and change or uncomment the following lines by removing the number sign to read as below:

```
AllowTcpForwarding no
PermitRootLogin no
Protocol 2
X11Forwarding no
PermitTTY no
```
Open /etc/passwd to delete the line of the toor account then run this command:
`pw userdel toor`

Open /etc/aliases and set the root mailbox address to:

```
root: username@machinename
```
and run the `newaliases` command. Your daily messages will then be available to read as root in the /var/mail directory.

Finally, open /etc/rc.conf in leafpad and add the following entries to what's already there:

```
mouse_type="auto"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
powerd_enable="YES"
powerd_flags="-b adaptive -a hiadaptive"
sendmail_enable="NO"
fsck_y_enable="YES"
swapexd_enable="YES"
mixer_enable="YES"
snddetect_enable="YES"
syslogd_flags="-c -ss"
linux_enable="YES"
clear_tmp_enable="YES"
clear_tmp_X="YES"
avahi_daemon_enable="YES"
```
This will allow you to receive security updates via sendmail as root, enable Linux emulation for any programs you might install that need it, clear tmp files, etc. (It looks like sendmail is disabled but that takes the NONE variable.) Reboot one final time to ensure the file changes you've made go into effect.

With the exception of a few select programs you now have a fully functional FreeBSD desktop. In addition to a web browser you may want to build VLC to watch movies, Audacious to listen to music files, GIMP to manipulate images, nmap to portscan, bcrypt to encrypt password files, wipe to securely delete files, ePDFview to access PDF files, rkhunter to scan for rootkits, feh to change your desktop background, and gkrellm2 or conky for system stats.
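The post repeatedly warns that a single rc.conf line with a missing closing quote stops the boot and forces a trip into single-user mode. As an added example (not part of the original post or of FreeBSD itself), here is a small POSIX sh check that flags any non-comment line which is not a fully quoted name="value" assignment, so the mistake is caught before `shutdown -r now` rather than after it. The function names are my own and the two sample files are constructed for the demonstration; on a real box you would point `check_rc_conf` at /etc/rc.conf.

```shell
#!/bin/sh
# Added example, not from the original post: check an rc.conf file for the
# quoting mistake the post warns about before rebooting. A line such as
#   pf_enable="YES
# (missing the closing quote) breaks /etc/rc and leaves the machine in
# single-user mode, so refuse to reboot until every line is well-formed.
# Function names and the sample files below are constructed for this example.

# rc_line_ok LINE: return 0 if LINE is blank, a comment, or a fully quoted
# name="value" / name='value' assignment (optionally followed by a comment).
rc_line_ok() {
    l=$1
    case "$l" in
        ''|'#'*) return 0 ;;   # blank line or comment: nothing to check
    esac
    # identifier, '=', one complete quoted value, optional trailing comment
    pat="^[A-Za-z_][A-Za-z0-9_]*=(\"[^\"]*\"|'[^']*')[[:space:]]*(#.*)?\$"
    printf '%s\n' "$l" | grep -Eq "$pat"
}

# check_rc_conf FILE: report every malformed line (number and text) on
# stderr; return 0 if the file is clean, 1 if anything needs fixing.
check_rc_conf() {
    f=$1
    n=0
    nbad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if ! rc_line_ok "$line"; then
            printf 'malformed rc.conf line %d: %s\n' "$n" "$line" >&2
            nbad=1
        fi
    done < "$f"
    return $nbad
}

# Constructed sample files standing in for /etc/rc.conf (not real system files).
good_file=$(mktemp)
bad_file=$(mktemp)
trap 'rm -f "$good_file" "$bad_file"' EXIT
cat > "$good_file" <<'EOF'
hostname="desktop"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_flags=""                 # an empty value is still a complete quote pair
microcode_update_enable="YES"
EOF
cat > "$bad_file" <<'EOF'
pf_enable="YES
pflog_logfile=/var/log/pflog
powerd_flags="-b adaptive -a hiadaptive"
EOF

# Run the check on both samples. The pre-reboot habit this encourages is:
#   check_rc_conf /etc/rc.conf && shutdown -r now
if check_rc_conf "$good_file"; then
    echo "good sample: safe to reboot"
fi
if check_rc_conf "$bad_file"; then
    echo "bad sample: unexpectedly passed"
else
    echo "bad sample: fix the lines reported above before rebooting"
fi
```

The check is deliberately stricter than what /etc/rc would accept (an unquoted value like `pflog_logfile=/var/log/pflog` is rejected too), because the post's rule is "always quote", and enforcing one simple shape is what makes the error easy to spot.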


----------



## ekingston (Jul 19, 2017)

Where is the big bold warning that FreeBSD only supports Intel Integrated Graphics (HD Graphics) on CPUs that are 4 years old or older? That is kind of important to anyone thinking of building a new FreeBSD desktop.

https://wiki.freebsd.org/Graphics#Intel_Graphics

https://en.wikipedia.org/wiki/Haswell_(microarchitecture)

Also, why are you saying to compile everything from source? The package management system will have binaries ready to download and install without the need to compile. That will save a lot of time.


----------



## Deleted member 30996 (Jul 19, 2017)

Mine is a 10 year old Intel i945GM and works without flaw so that didn't occur to me. My ATI Mobility Radeon HD 4250 (shows 4200 in dmesg) works, too.

The only problem I've ever had was with Optimus and entering mode 0 at the boot screen by choosing the 3rd option kept it from displaying multiple small screens. Once booted to the desktop it didn't give the proper resolution and needed Xorg -configure tweaking.

I learned how to set up a desktop some 12 years ago from a tutorial here on the site someone else wrote and it's my way of giving back to the community.


----------



## ekingston (Jul 19, 2017)

Trihexagonal said:


> Mine is a 10 year old Intel i945GM and works without flaw so that didn't occur to me. The only problem I've ever had was with Optimus and entering mode 0 at the boot screen by choosing the 3rd option kept it from displaying multiple small screens. Once booted to the desktop it didn't give the proper resolution and needed Xorg -configure tweaking.
> 
> I learned how to set up a desktop some 12 years ago from a tutorial here on the site someone else wrote and it's my way of giving back to the community.



It is nice that you are giving back to the community (I should do more myself) and a good beginner's guide is a useful thing to have for people who need more than the handbook (which requires reading several chapters to cover what you did in a single post).

But, in my opinion compiling from source doesn't usually count as "beginners" and skipping over limitations in things that people coming from Windows/OSX is going to add more pain and confusion for the beginners.

I also didn't see you mention how to set-up specific drivers in x.org for the person's video card. I haven't done this since the very early 2000's. My FreeBSD systems all run headless. The handbook does seem to mention it, so I expect you can get better performance with the right drivers:

https://www.freebsd.org/doc/handbook/x-config.html


----------



## Deleted member 30996 (Jul 19, 2017)

I learned to set it up using ports and that's what I've always used, even when I used PC-BSD before switching to vanilla FreeBSD. It's not as fast as pkg by any means but I point that out and if they follow my instructions I don't think a Windows user would have a problem using ports-mgmt/portmaster. Some people say it's alright to mix ports and packages. I'm almost certain I read at one point it wasn't, though I will admit to doing it 3-4 times.

I do recommend, as a beginner, not to do it lest problems arise they can't troubleshoot. I only remember asking one problem question here on the forums, when I first started using FreeBSD, about why www/lynx wasn't working for me and it was because I had neglected to configure it not to use IPV6 when I hadn't set it up. But that's just me.

I do state to choose the driver for your card in addition to x11-drivers/xf86-video-vesa.



> It won't be necessary to choose all the graphic card drivers it presents, but go ahead and choose VESA along with the driver for your card.




I may well be overestimating the average persons skill and abilities, but forcing them to learn is what I think best. I probably would have started using FreeBSD in '98 but the install screens intimidated me. I had the thrill of a lifetime the day I successfully installed it from scratch using that tutorial.


----------



## ekingston (Jul 19, 2017)

Trihexagonal said:


> ..
> 
> I do state to choose the driver for your card in addition to VESA.



Okay. My desktop is an Intel NUC (https://www.newegg.ca/Product/Product.aspx?Item=N82E16856102146) with the i3-6100U. That means the integrated graphics (only option on that system, no room to add a separate video card) is the Intel HD Graphics 520. This system is nearly a year old at this point. (To be fair, I do have that system, it does run FreeBSD, I use it as a headless media server, not a desktop. It would be nice if I could play videos directly from it instead of streaming to a Windows Desktop. So I do actually want to do what I'm asking.)

What driver do I use to get x working on a full-HD (1920x1080) screen?

It would be really nice if I could play videos with VLC (https://www.freebsd.org/cgi/ports.cgi?query=vlc-2.2.6) but that requires using the graphics card for decoding and playing or it ends up being choppy.


I haven't actually tried to get the wifi working on FreeBSD yet but you didn't really cover wifi.


----------



## Deleted member 30996 (Jul 19, 2017)

I'll have to venture a guess and say x11-drivers/xf86-video-intel. You're asking me about new hardware when all of my machines are Win7 vintage or older.

I've lived in a large apartment complex the last 10 years and have only used wi-fi to the extent of enabling my card so I could use kismet. I don't use it or advise doing so from a security standpoint alone.

I have my wpa_supplicant.conf somewhere but would have to look for it.

https://www.freebsd.org/doc/handbook/network-wireless.html


----------



## rufwoof (Jul 19, 2017)

> I recommend not to mix ports and packages, so once you start using ports stay with it. After you gain some experience you may want to rebuild your system and switch from ports to packages. If you'd rather start using the pkg system consult the FreeBSD Handbook.


As a neub I was under the impression it was OK to mix ports on top of packages.

This is a good guide to get xfce up and running easily using packages. And once you're up and running just a case of `freebsd-update fetch` ... and if updates are available `freebsd-update install` ... to keep the core updated. Along with `pkg upgrade` ... to keep programs updated.

A barrier I hit was that I needed a hint to be set otherwise the initial boot didn't load. At the first screen I take option 3 and enter

```
set hint.ahci.0.msi=0
boot
```

... to get booted. After that I added the hint to /boot/device.hints

```
hint.ahci.0.msi="0"
```

... so that was automatically set for subsequent boots.

Another problem I hit was that it doesn't install or offer to install a bootloader. I use grub4dos bootloader on the first partition and installed freeBSD to my third partition (sda3 in Linux speak (ada0s3)), adding an entry of

```
title FreeBSD
root (hd0,2)
chainloader +1
```

to the menu.lst file on the first (boot) partition enabled freebsd to be booted (the root (hd0,2) is just indicating the first disk, third partition (counts from zero)). I selected UFS as the partition format when installing freeBSD.


----------



## Deleted member 30996 (Jul 19, 2017)

rufwoof said:


> Another problem I hit was that it doesn't install or offer to install a bootloader. I use grub4dos bootloader on the first partition and installed freeBSD to my third partition (sda3 in Linux speak (ada0s3)), adding a entry of
> 
> title FreeBSD
> root (hd0,2)
> ...



In this tutorial partitioning is set up automagically and uses the entire disk:



> At the Partitioning menu choose Guided, for simplicity, and GPT for the Partition Scheme. It will give you a choice of where to install, choose your HDD which will be designated as ada0.
> 
> Choose Entire Disk at the next screen...



This is the exact method I've used to build FreeBSD 11.0-RELEASE on 5 different laptops and it installed a bootloader on all of them. It is also the exact method laid out in the FreeBSD Handbook:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/bsdinstall-partitioning.html

As I said, some people say it's alright to mix ports and packages. I thought it not best for a beginner and have only done so myself on 3-4 different occasions in 12 years. Using ports gives the person more experience with the command line and introduces them to compiling programs from source. Knowledge in these departments is a good thing IMO.

The option to consult the Handbook should the person prefer to use the pkg system is offered in the tutorial.


----------



## Deleted member 9563 (Jul 19, 2017)

Trihexagonal said:


> Knowledge in these departments is a good thing IMO.


It is. But since this is a "beginners guide", it is also likely to be of interest to people who don't plan to make a profession of it. There are lots of people out there who are interested in using FreeBSD (I see them every day on IRC and forums) but who don't have the time (or even interest) to pursue a deeper understanding. A didactic tone may not be the best plan since people with an academic intent will already know how to learn.

That said, your contribution is a good one.


----------



## Deleted member 30996 (Jul 19, 2017)

I first became interested in FreeBSD as a Windows user in '98 but it looked beyond my skill set at the time to set up. Had a tutorial been available to me that spelled it out like I attempt to do I would have taken the plunge and possibly been more knowledgeable myself at this point.

It was only after becoming involved with PC-BSD, teaching myself to use ports and finding the tutorial I mentioned I felt confident to make the move.


----------



## Deleted member 30996 (Jul 20, 2017)

I tried to update the tutorial using the appropriate tags for ports, files, etc. but got an error message to make a message of less than 20000 characters.


----------



## drhowarddrfine (Jul 20, 2017)

ekingston said:


> Where is the big bold warning that FreeBSD only supports Intel Integrated Graphics (HD Graphics) on CPUs that are 4 years old or older? That is kind of important to anyone thinking of building a new FreeBSD desktop.


Possibly right next to the "Use a nVidia card cause they support FreeBSD" notice.


----------



## Deleted member 48958 (Jul 20, 2017)

Using the pf firewall for new users is not the best idea IMHO; ipfw is much easier to use for a basic desktop. To enable dbus and ipfw with ssh support, just add

```
dbus_enable="YES"

firewall_enable="YES"
firewall_type="workstation"
firewall_myservices="ssh"
#firewall_allowservices="any"
firewall_allowservices="192.168.0.0/24"
```
to /etc/rc.conf.
To enable automount, read this.

To install the XFCE desktop environment, just type `# pkg ins xorg xfce`

To install a login manager — `# pkg ins slim`,
also you need to add `slim_enable="YES"` to /etc/rc.conf.
(After installation replace

```
login_cmd           exec /bin/sh - ~/.xinitrc %session
```
with

```
login_cmd           exec %session
```
in /usr/local/etc/slim.conf)
Also you can try to use this nice theme from this post.

Install network manager — `# pkg ins networkmgr`
and follow these instructions.

If you would like to use a dock, install plank — `# pkg ins plank`

Additionally install the Vertex theme and the Numix icon theme.

After all you'll get something like this:

ekingston said:


> Where is the big bold warning that FreeBSD only supports Intel Integrated Graphics (HD Graphics) on CPUs that are 4 years old or older?


It is not true.


----------



## Deleted member 30996 (Jul 20, 2017)

ILUXA said:


> Using pf firewall for new users is not a best idea IMHO,
> ipfw is much easy to use for basic desktop,



We'll have to disagree on that point. While the implementation is not quite the same, the pf firewall comes from OpenBSD and is what I consider to be *the* superior packet filter firewall. I just finished an nmap slow comprehensive scan on all my FreeBSD boxen from the LAN and it returned a result of all 2000 ports scanned filtered or open|filtered. I ran my laptops connected directly to the internet for months without hesitation or resulting incursion.

As for ease of use, I supply what is basically the ruleset I use, minus a few rules some might feel unnecessary, and it is set and forget.

I already provide instructions on how to enable dbus:



> When it's done compiling the programs we'll add the following lines to the rc.conf file by entering the following commands so it's activated on boot:
> 
> echo 'dbus_enable="YES"' >> /etc/rc.conf
> echo 'hald_enable="YES"' >> /etc/rc.conf



From beginning to end this is exactly how set up my FreeBSD boxen and I have put many hours of work over the past year into refining it to be as clear, concise and comprehensive as possible. I do, however, welcome any and all critique.


----------



## Deleted member 48958 (Jul 20, 2017)

Trihexagonal said:


> We'll have to disagree on that point. While the implementation is not quite the same, the pf firewall comes from OpenBSD and is what I consider to be *the* superior packet filter firewall.


I agree, I meant "rookies" when I wrote "new users", English is not my native language; the point was that it is much easier to configure ipfw, because you do not need to create any firewall rules, just add a few lines to the rc.conf.



Trihexagonal said:


> I already provide instructions on how to enable dbus


I saw; in that post I wrote an alternative way to configure a basic FreeBSD desktop. It should work fine if all the important steps from my post are followed.


----------



## Deleted member 30996 (Jul 20, 2017)

ILUXA said:


> I agree, I meant "rookies" when I wrote "new users", english is not my native language...



No problem. The rules are what I like best about it, being somewhat of a firewall tinkerer going back to ConSeal PC Firewall.


----------



## ekingston (Jul 21, 2017)

ILUXA said:


> ...
> 
> 
> It is not true.



Could you point me at the documentation to get Intel Integrated HD Graphics working on newer than Haswell processors?


----------



## Deleted member 48958 (Jul 21, 2017)

Besides, you wrote nothing about "Haswell"; you wrote "CPUs that are 4 years old or older". Sandy Bridge and Ivy Bridge, for example, work fine on FreeBSD. But refer to this link; Haswell should work with FreeBSD 11: https://wiki.freebsd.org/Graphics#Intel_Graphics


----------



## Deleted member 30996 (Jul 27, 2017)

There is a vulnerability in graphics/OpenEXR and has been for several weeks. It's a dependency of graphics/gimp, which I use a lot, and when I tried building it from ports it stopped there like I thought it would. So I tried packages.

`pkg install gimp` did the full install of graphics/gimp even though `pkg audit -F` shows graphics/OpenEXR as vulnerable on my system now. I'm not worried about it because I take responsibility for my own actions, know that it's used for and can avoid it, but that seems like a good reason to me for a beginner to use ports in itself.

Edit: To top it off devel/dbus was set up incorrectly and I had to run `dbus-uuidgen --ensure` to create /var/lib/dbus/machine-id to get graphics/gimp or www/firefox to open. A first time thing for me.

I still say mixing ports and packages is bad medicine, but that's just me.


----------



## Deleted member 30996 (Jul 28, 2017)

Now that you've got your system set up fully, have committed yourself to using FreeBSD and will remain doing so ad infinitum, here's a tip to make it easier on yourself next time you build it from scratch.

Save your /etc folder to a USB drive for future use. The next time you build from scratch and are at the desktop you can cut your work down by opening editors/leafpad from your root account and typing:


```
[devfsrules_common=7]
add path 'usb*' mode 0666 group operator
```
and saving it as /etc/devfs.rules.

Open /etc/rc.conf and add the following lines:

```
devd_enable="YES"
devfs_system_ruleset="devfsrules_common"
```
Open x11-fm/xfe as root and create a new folder: /media/da0s1

Then you can mount the drive you saved the /etc folder on by using the mount command:

`mount -v -t msdosfs /dev/da0s1 /media/da0s1`

Now you can just copy off those important files individually that you spent so much time typing out. Just be careful.

Save your x11-wm/fluxbox menu and styles, too.

It's how I do it and it saves a lot of time and effort.
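Copying files back from a saved /etc by hand is where the "just be careful" above matters: a fresh install has its own master.passwd, pwd.db, group, fstab and SSH host keys, and overwriting those with the old machine's copies is usually not what you want. The following is an added example (editor's code, not from the post) that hashes both trees and sorts the backup's files into copy, review and unchanged, so only the files that actually differ get copied and the machine-specific ones get a look first. The list of files flagged for review and the sample file contents are assumptions constructed for the example; it needs a Python 3 from ports or packages, since the base system has none.

```python
"""Compare a saved copy of /etc (the USB backup from the post) with the live
/etc of a fresh install and say which files are safe to copy back by hand,
which need a look first, and which are already identical."""
import hashlib
import tempfile
from pathlib import Path

# Machine-specific files that should not be copied over a fresh install
# unreviewed. This list is an assumption made for the example, not from the post.
REVIEW_FIRST = {"master.passwd", "passwd", "spwd.db", "pwd.db", "group",
                "fstab", "hostid"}
REVIEW_PREFIXES = ("ssh/ssh_host_",)   # old SSH host keys


def digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def needs_review(rel):
    return rel in REVIEW_FIRST or rel.startswith(REVIEW_PREFIXES)


def listing(root):
    """Relative POSIX path -> absolute path for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def compare(saved, live):
    """Sort the backup's files into copy / review / unchanged; also list
    files only the live system has, which the backup would not touch."""
    saved_files, live_files = listing(saved), listing(live)
    report = {"copy": [], "review": [], "unchanged": [], "live_only": []}
    for rel, sp in saved_files.items():
        lp = live_files.get(rel)
        if lp is not None and digest(sp) == digest(lp):
            report["unchanged"].append(rel)
        elif needs_review(rel):
            report["review"].append(rel)
        else:
            report["copy"].append(rel)
    report["live_only"] = [rel for rel in live_files if rel not in saved_files]
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample trees: the backup holds the post's pf.conf and
# devfs.rules plus an old password database and SSH host key; the fresh
# install lacks the first two and has its own versions of the last two.
SAMPLE = {
    "usb_etc/pf.conf": "block in all\npass out all keep state\n",
    "usb_etc/devfs.rules": "[devfsrules_common=7]\nadd path 'usb*' mode 0666 group operator\n",
    "usb_etc/rc.conf": 'hostname="unmei"\ndevd_enable="YES"\ndevfs_system_ruleset="devfsrules_common"\n',
    "usb_etc/periodic.conf": 'daily_rkhunter_check_enable="YES"\n',
    "usb_etc/master.passwd": "root:$6$OLD:0:0::0:0:Charlie &:/root:/bin/csh\n",
    "usb_etc/ssh/ssh_host_ed25519_key": "OLD PRIVATE KEY (sample)\n",
    "etc/rc.conf": 'hostname="unmei"\n',
    "etc/periodic.conf": 'daily_rkhunter_check_enable="YES"\n',
    "etc/master.passwd": "root:$6$NEW:0:0::0:0:Charlie &:/root:/bin/csh\n",
    "etc/ssh/ssh_host_ed25519_key": "NEW PRIVATE KEY (sample)\n",
    "etc/motd": "FreeBSD 12.0-RELEASE\n",
}


def make_sample_trees(base):
    base = Path(base)
    for rel, text in SAMPLE.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return base / "usb_etc", base / "etc"


def demo():
    """Run compare() over the constructed trees in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        saved, live = make_sample_trees(tmp)
        return compare(saved, live)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:10s} {', '.join(files) or '-'}")
```

Against a real backup, call `compare("/media/da0s1/etc", "/etc")` as root instead of `demo()`; the "copy" list is what the post means by the files you spent time typing out, and nothing in the "review" bucket should be copied without checking what the fresh install put there.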


----------



## Deleted member 9563 (Jul 28, 2017)

Trihexagonal said:


> Save your /etc folder


I do that. Can save some work later for sure.


----------



## kshockk64 (Oct 12, 2017)

Great HOW TO. Very much appreciated. My first BSD build, went smoothly after I found this.
Just one question: should there be an * after the usbctl?

```
[devfsrules_common=7]
add path 'usbctl' mode 0666 group operator
```
Thank You


----------



## Beastie (Oct 13, 2017)

kshockk64 said:


> Just one question should there be an * after the usbctl?
> [devfsrules_common=7]
> add path 'usbctl' mode 0666 group operator


Not necessarily. The wildcards in the other lines are there to match all the possible devices (e.g. ad0, ad1, ad2, etc). However there's only one usbctl, so it's a direct match.


----------



## Deleted member 30996 (Nov 13, 2017)

The FreeBSD News article linking to this tutorial.


----------



## bookwormep (Nov 14, 2017)

Trihex:
         Bravo!


----------



## Deleted member 30996 (Feb 10, 2018)

Thanks to micheal_hackson for making me aware of my reverse of correct usage of flags with powerd in my /etc/rc.conf file.

I've only been doing it like that for 12-13 years.


----------



## Avery Freeman (May 29, 2018)

Hey, pretty sweet.  Congrats on the FreeBSD News link, too. 

My critiques were already said by most other people - namely, why ports for new users?  When I first started with FreeBSD back in 2011 I thought compiling from source was the only way to install software - had a netbook at the time which worked fine, if I wanted to wait for days on end just to compile the simplest things and risk running out of disk space (try compiling FireFox on an Atom 220 with a 16GB PATA 1.8" SSD).  

Not learning how to use pkg_add (as it was back then) was probably the main reason I skipped off to Linux (and other) for the following 7 years.  Had a blast trying everything under the sun (everything from Debian to Arch, Alpine to Fedora, MeeGo (remember MeeGo?)  and my personal favorites, the Solaris/ishes, like SmartOS and OmniOS - which are so, so great, and also so, so dead).  So but anyway, I definitely don't recommend ports for new users (or anyone who wants to get shit done in a hurry). 

Also, I like that you explain how to mount flash drives, but I noticed there's no mention of  fuse-ntfs?  A lot of them come NTFS-formatted these days now that they're several GB in size, would help interoperability with other users, etc.


----------



## Avery Freeman (May 29, 2018)

Shameless self-promotion: 

https://forums.freebsd.org/threads/...r-recording-and-streaming-hdhomerun-tv.66054/


----------



## Deleted member 30996 (May 29, 2018)

Avery Freeman said:


> Hey, pretty sweet.  Congrats on the FreeBSD News link, too.
> 
> My critiques were already said by most other people - namely, why ports for new users?
> 
> ...



This started out to be my own notes to myself so I wouldn't forget how to do things while I was offline for a little over a year. At some point I decided to try and make a tutorial out of it. If there had been something like this in '98 I would have started using FreeBSD then, but it looked beyond my skillset at the time to set it up. I wrote it for people who are just like I was back then. 

PC-BSD got me to the desktop. When they first started out they had a .pbi Push Button Installer which seemed like a Windows .exe to me. I was interested in FreeBSD so I taught myself to use ports. I think I benefited from the experience overall, and though I do use pkg on my OpenBSD boxen have only done so a handful of times with FreeBSD. 

The thought of using pkg instead of instructing how to use ports never even occurred to me till much later when I realized it might not be as easy for new people to use ports-mgmt/portmaster as I thought it was.

I have Flash Drives as large as 128GB and the first thing I do with them is:


```
# da0 is assumed to be the USB stick; this wipes whatever is on it
dd if=/dev/zero of=/dev/da0 bs=2m count=1   # zero the first 2 MB (old partition table and boot code)
fdisk -BI /dev/da0                          # new MBR: boot code (-B) and one slice covering the drive (-I)
newfs_msdos /dev/da0s1                      # FAT filesystem on that slice
```




Avery Freeman said:


> Shameless self-promotion:
> 
> https://forums.freebsd.org/threads/...r-recording-and-streaming-hdhomerun-tv.66054/



Oh, I see now you and me are going to be friends.  

And after 20 years of honing shameless self-promotion into a sorcerous skill suitably consider yours truly a Talker.


----------



## Avery Freeman (May 29, 2018)

Oh, hm, interesting, apparently .pbi files are used for FreeNAS plugins, too

Kind of reminds me of the 'one-click-installer' files for OpenSUSE.  But not as reliable, apparently, from what I'm reading (looks like lots of incompatible changes from version to version).  OpenSUSE is definitely Linux with training wheels.

Kind of more like a .BAT file than an .EXE, wouldn't you think?  Since it's not compiled... (just a script)

Yeah, if you rewrite the guide for pkg it'll get like a million times easier (and faster)  

Why would you use FAT32 on a drive as large as 128GB? Why not ZFS?   Or NTFS if you want near-universal compatibility?  Don't you ever need to use them in other people's computers?


----------



## Deleted member 30996 (May 29, 2018)

Avery Freeman said:


> Yeah, if you rewrite the guide for pkg it'll get like a million times easier (and faster)



I can say now with all certainty I won't be doing that. Even though it goes against all recommendations ports are what I prefer to use and take pleasure in doing so. I still think it best to give new people that command line experience and in compiling ports, but that's just my opinion. I carry over a lot of what I learned from my PC-BSD days.

I also include the option to use pkg if they so desire, more explicitly on my website than here. Here I take it they can figure it out to consult the Handbook for instruction in doing so, there I direct them to consult it, and the outline can still be followed.



> You have the option of building programs from source though ports or using pre-compiled binary packages through the pkg system. Using pkg is much faster, but by using ports you can choose your own program options and it's the way I've always done it so that's what we'll use in this tutorial.



I hear people at another forum make the same argument about new users using a pre-rolled disto as opposed to one you build from the ground up. Same theory applies IMO. If you're going to learn to swim jump in the deep end, or at least edge them in that direction.



Avery Freeman said:


> Why would you use FAT32 on a drive as large as 128GB? Why not ZFS?   Or NTFS if you want near-universal compatibility?  Don't you ever need to use them in other people's computers?



Why not? I only use them for storage and it stores just as well on FAT32. I've gifted music to family members on USB stick and they plug them into the car stereo to listen on long trips. It's interoperable with Windows and that's all they're capable of using anyway.

I had a 500GB USB HDD that came with an NTFS file system and used a FAT command for larger drives on it as well.


----------



## Deleted member 30996 (Dec 20, 2018)

Updated to reflect changes in FreeBSD 12.0-RELEASE including modifying the Partitioning Scheme layout from GPT to MBR to avoid possible problems during the install process, changes to the System Hardening menu and instructions on how to get back the old PAGER behavior.

System settings for those who choose to build 11.2-RELEASE instead of 12.0-RELEASE are still included.

I also reordered the steps so enabling the pf firewall is the first thing done to reflect the order in which I actually build my machines, along with setting the PAGER in the process for continuity.

I also updated my site tutorial where you can see forum member screenshots of various DE and WM in addition to over 60 wallpapers Free not only for Christmas but 365 days a year!


----------



## teo (Jan 7, 2019)

Trihexagonal said:


> Open /etc/aliases and set the root mailbox address to:
> 
> ```
> root: username@machinename
> ...


A question: is the root mailbox address to be left as the guide says, or is it necessary to replace the example with the user's name and the machine name?


Trihexagonal said:


> ......rkhunter to scan for rootkits....



And how do I proceed with the message output by the rkhunter package?


```
Message from rkhunter-1.4.4:

******************************************************************************

You should keep your rkhunter database up-to-date.
This can be done automatically by putting this line to periodic.conf(5) files:

daily_rkhunter_update_enable="YES"
daily_rkhunter_update_flags="--update --nocolors"

Also, you can run rkhunter as a part of the daily security check by
putting this line to periodic.conf(5) files:

daily_rkhunter_check_enable="YES"
daily_rkhunter_check_flags="--checkall --nocolors --skip-keypress"

******************************************************************************
```

Greetings!


----------



## Deleted member 30996 (Jan 7, 2019)

teo said:


> A question: is the root mailbox address to be left as the guide says, or is it necessary to replace the example with the user's name and the machine name?



This is mine on the machine I'm on now:


```
root:    jitte@unmei
```

jitte is my username and unmei my machine name. This allows me to get my daily reports as root in /var/mail/root.


The info from security/rkhunter goes in /etc/periodic.conf. If it doesn't exist, which it probably won't, create it and add these lines:


```
daily_rkhunter_update_enable="YES"
daily_rkhunter_update_flags="--update --nocolors"
daily_rkhunter_check_enable="YES"
daily_rkhunter_check_flags="--checkall --nocolors --skip-keypress"
```

Then it will run nightly and you'll get a report in your daily security mailings along with other relevant system info in that same file.


----------



## teo (Jan 7, 2019)

Trihexagonal said:


> This is mine on the machine I'm on now:
> 
> 
> ```
> ...




For example, is the name of the machine the hostname? Very kind of you to clarify.


----------



## Deleted member 30996 (Jan 7, 2019)

teo said:


> For example, is the name of the machine the hostname? Very kind of you to clarify.



Yes, that's how I set my Hostname during the install process when I set up networking:



Trihexagonal said:


> When presented with the Set Hostname screen enter your machine name.



I use the machine name as the hostname on all my machines, all of which are on the same LAN. The router handles IP assignment, all have Internet access and each machine gets the daily mail report like they should.


----------



## johnblue (Jan 8, 2019)

Enjoyed the howto Trihex!  Good job.  

Good sysadmin workflow is generally underpinned by logic.  There is, of course, always room for customization shaped by our own individuality.  I would recommend you revisit a couple of items in your list to make sure that the processes are sound and not a "five monkey" rule.

First is the installation of ports from the install media.  Is that really needed if nothing from ports is to be installed prior to connecting to the Internet?  For example, if you decide to keep the install of ports then I would recommend that you remove the initial `portsnap fetch extract` (that just overwrites your existing ports) and replace it with `portsnap fetch update`.  And while I too agree command line experience is the best, it is also nice to know about shorter alternatives.  A "protip" of `portsnap auto` and an explanation of the differences could be helpful.    Additionally, you now have a nice segue to introducing the new user to man pages by using `portsnap auto` as an example.

While on the topic of shorter commands, it is good to know that `shutdown -r now` can also be effected with a simple `reboot`.  Follow that with a quick blurb about `shutdown -p now` vs `poweroff` if, for nothing else, to point it out and let the reader choose their preference.

I would also recommend a slight explanation as to why you are asking the reader to add the new user to "wheel" and "operator".  I personally do not know the value in adding "operator" but that could just be because of my workflow of only using "wheel".

Lastly, I am a convert to less vs more pager setting.



SirDice pointed out that if you are in a man page you cannot scroll back and forth using more and it is a valid point.  Especially more so if a keyboard does not have a scroll lock key then less would be very handy.  That said, if you do not include an explanation (even if you monologue) for deviating from the "standard" then you are for sure creating a "five monkey" rule!


----------



## Deleted member 30996 (Jan 8, 2019)

Thanks for pointing out the example of the "five monkey" rule. That makes more sense to me than you can know on many levels. But I'm also working under the 20,000 character limit for a post rule and only words from the upper limit, usually having to do away with excess text to make room for edits and will see what I can do.


I hadn't actually thought about running `portsnap fetch extract` after already installing them from the install media. `portsnap auto` isn't a variable I was aware of or have even used.

I've always made myself a member of the wheel and operator group. It's how I learned to do it and comes in handy down the road. I've seen people talk about having to add themselves to a "video" group or whatnot to solve a problem that wouldn't have occurred had they been a member of the operator group.

The PAGER set to more is just the way it's always been for me and what I'm familiar with. SirDice I believe said the opposite, that it had already been less for him the whole time and he never even noticed the difference. Most people did and thought it was broke, including myself till I set it back to more.

A lot of the way I do things are how I taught myself to do it and just the way I've always done it.


----------



## johnblue (Jan 8, 2019)

Trihexagonal said:
			
		

> .. I'm also working under the 20,000 character limit for a post ..


Roger that.  While your howto is methodical, it is a heavy lift for a brand new user to go from OS install to a functional GUI.  If you were to break it into two parts with the GUI in a "part 2" thread it could help clear some room for more words.



> I've seen people talk about having to add themselves to a "video" group or whatnot to solve a problem that wouldn't have occurred had they been a member of the operator group.


Ah.  Understood.  A GUI problem.  I think the last time I attempted a GUI on a BSD box my mouse had a DB9 connector.





> .. had already been less for him the whole time ..


Correct.  I was talking more to the point of why you might want less instead of more.  man pages is a perfect example.

Give me a good, logical reason to do something different and I will flip-flop on an issue faster than some of the stable geniuses that are currently running the United States of America.


----------



## Deleted member 30996 (Jan 8, 2019)

johnblue said:


> Correct.  I was talking more to the point of why you might want less instead of more.  man pages is a perfect example.
> 
> Give me a good, logical reason to do something different and I will flip-flop on an issue faster than some of the stable geniuses that are currently running the United States of America.



With the PAGER set to "less" it jumped back 23 lines in the terminal when running `freebsd-update fetch`:

https://forums.freebsd.org/threads/...ops-at-the-editor-vi.68722/page-2#post-410704

That's in addition to uncommon behavior in the terminal when using ports-mgmt/portmaster not seen when using "more":

https://forums.freebsd.org/threads/freebsd-update-fetch-stops-at-the-editor-vi.68722/#post-410130

What advantage is given with man pages would seem outweighed by what appears as buggy behavior when using less compared to that seen when utilizing more.


To split up the tutorial now would put the second part behind all these posts, many of which raise or cover points that several different people found cause for concern in one form or another. If I made another thread it would be even more spread out. I am always open to suggestions and constructive criticism and have made several suggested or needed changes since posting it.

My goal is to get a person who has never used the terminal to a fully functional FreeBSD desktop in one easy lesson, so to speak. Not even the "Sam's Books" attempted that. Yes, that is pretty heavy lifting and a lot to ask from someone new especially using ports, but I do my best to spell it out. Hopefully, if I can get them to the end of the tutorial where they only have to set up a few choice 3rd party programs for themselves they will have picked up on it enough by that point to finish it out and take it from there. The Handbook should be their next stop. If I don't recommend that here it's because they're supposed to know it and do make a point of it on my site where I have it posted.

It's usually when people start out on their own experimenting with tweaking this or trying out that they run into problems they can't yet solve for themselves. That's good in a sense they are learning on their own and I'm all for it, but bad that they don't leave well enough alone while they have a working desktop to better learn more about the particulars before taking the chance of breaking something.

It's actually my task analysis of setting up a FreeBSD desktop using ports.


----------



## teo (Jan 8, 2019)

Trihexagonal said:


> Now we're going to enable the pf firewall, which is taken from OpenBSD and the best all-around firewall going.
> 
> We're going to have to enter Easy Editor to make a ruleset and show the system where to look for it. Type:
> `ee /etc/pf.conf`
> ...


Hello Trihexagonal, is the firewall example still valid for network security on the internet?


----------



## Deleted member 30996 (Jan 9, 2019)

teo said:


> Hello Trihexagonal, is the firewall example still valid for network security on the internet?



The minimal ruleset given at the beginning will work on my desktops till I install my own even if it takes days:


```
block in all 
pass out all keep state
```

Here is the one I use on all my FreeBSD and OpenBSD boxen, with a different egress syntax for OpenBSD. It's all set to block so no big security breach to post it. Though you may not want or need all the rules I have you can use it as a syntax example of how to write your own:


```
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```

This is what it does:


```
root@unmei:/ # pfctl -s rules
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.2 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state
root@unmei:/ #
```
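How pf walks the ruleset above is the part that is easy to get wrong: rules are read top to bottom and the last matching rule decides, unless a rule carries `quick`, which stops the search on the spot. That is why `block log all` can stand first and outbound traffic still passes (the `pass out` at the end is the last match), and why the IPv6, port 0 and service-port blocks carry `quick` so that the later `pass out` can never override them. The following is an added example (editor's code, not from the post and not pf itself) that models that evaluation order in Python over the rules as pfctl printed them. The sample packets, the 203.0.113.0/24 and 2001:db8::/32 addresses and the simplified `antispoof` expansion are constructed for the example; state tracking, `no-route`, `urpf-failed` and `set skip on lo0` are not modelled, and it needs a Python 3 from ports or packages.

```python
"""Toy model of pf rule evaluation: rules are walked top to bottom and the
LAST matching rule decides, unless a matching rule says `quick`, which ends
the walk at once. Only a flow's first packet is modelled; replies are
matched by pf's state table (keep state / modulate state), not by rules."""
import ipaddress

def rule(action, direction=None, quick=False, iface=None, af=None,
         proto=None, src=None, dst=None, sport=None, dport=None):
    """One pf rule; None means 'any'. A leading '!' negates the interface."""
    return dict(action=action, direction=direction, quick=quick, iface=iface,
                af=af, proto=set(proto) if proto else None,
                src=ipaddress.ip_network(src) if src else None,
                dst=ipaddress.ip_network(dst) if dst else None,
                sport=set(sport) if sport else None,
                dport=set(dport) if dport else None)

def packet(direction, iface, proto, src, dst, sport=None, dport=None):
    """The first packet of a flow as pf sees it on one interface."""
    s = ipaddress.ip_address(src)
    return dict(direction=direction, iface=iface, proto=proto, src=s,
                dst=ipaddress.ip_address(dst), sport=sport, dport=dport,
                af="inet6" if s.version == 6 else "inet")

def matches(r, p):
    if r["direction"] and r["direction"] != p["direction"]:
        return False
    if r["iface"]:
        negated = r["iface"].startswith("!")
        if (p["iface"] == r["iface"].lstrip("!")) == negated:
            return False
    if r["af"] and r["af"] != p["af"]:
        return False
    if r["proto"] and p["proto"] not in r["proto"]:
        return False
    # 'in' is False across address families, so a v4 net never matches a v6 host
    if r["src"] and p["src"] not in r["src"]:
        return False
    if r["dst"] and p["dst"] not in r["dst"]:
        return False
    if r["sport"] and p["sport"] not in r["sport"]:
        return False
    if r["dport"] and p["dport"] not in r["dport"]:
        return False
    return True

def evaluate(rules, p):
    """Return (action, index of the deciding rule); pf passes when nothing matches."""
    decision = ("pass", None)
    for idx, r in enumerate(rules):
        if matches(r, p):
            decision = (r["action"], idx)
            if r["quick"]:
                break
    return decision

# The ruleset from the post as pfctl expanded it (em0 and 192.168.1.2 are the
# interface and address in that output). no-route, urpf-failed and
# 'set skip on lo0' are not modelled.
EXT_IF = "em0"
TCP_PORTS = {22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010}
UDP_PORTS = {123, 512, 513, 514, 515, 5353, 6000, 6010}
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32"]
RULES = [
    rule("block"),                                            # 0  block log all
    rule("block", "in", iface="!lo0", src="127.0.0.0/8"),     # 1  antispoof for lo0
    rule("block", "in", iface="!lo0", src="::1/128"),         # 2
    rule("block", "in", iface="!em0", src="192.168.1.0/24"),  # 3  antispoof for em0
    rule("block", "in", src="192.168.1.2/32"),                # 4  own address
    rule("block", "in", quick=True, iface=EXT_IF, dst="255.255.255.255/32"),  # 5
] + [rule("block", "in", quick=True, iface=EXT_IF, src=n) for n in PRIVATE] + [  # 6-9
    rule("block", "in", quick=True, af="inet6"),              # 10
    rule("block", "out", quick=True, af="inet6"),             # 11
    rule("block", quick=True, proto=("tcp", "udp"), sport={0}),                # 12
    rule("block", quick=True, proto=("tcp", "udp"), dport={0}),                # 13
    rule("block", "in", quick=True, iface=EXT_IF, proto=("tcp",), dport=TCP_PORTS),  # 14
    rule("block", "in", quick=True, iface=EXT_IF, proto=("udp",), dport=UDP_PORTS),  # 15
    rule("pass", "out", iface=EXT_IF, proto=("tcp", "udp", "icmp")),               # 16
]

# Constructed traffic; 203.0.113.0/24 and 2001:db8::/32 are documentation prefixes.
SAMPLES = {
    "outbound https": packet("out", EXT_IF, "tcp", "192.168.1.2", "203.0.113.10", 51000, 443),
    "inbound ssh": packet("in", EXT_IF, "tcp", "203.0.113.5", "192.168.1.2", 40000, 22),
    "inbound port 8080": packet("in", EXT_IF, "tcp", "203.0.113.5", "192.168.1.2", 40000, 8080),
    "outbound ipv6": packet("out", EXT_IF, "tcp", "2001:db8::2", "2001:db8::1", 51001, 443),
    "inbound from 10/8": packet("in", EXT_IF, "udp", "10.1.2.3", "192.168.1.2", 5000, 53),
}

def summary(rules=RULES, samples=SAMPLES):
    """Map each sample packet to (action, deciding rule index)."""
    return {name: evaluate(rules, p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (action, idx) in summary().items():
        print(f"{name:18s} {action:5s} by rule {idx}")
```

The point to take from it: inbound traffic to a port that is not in the block lists (8080 in the sample) is still dropped, by rule 0, because no `pass in` rule ever follows it; and if the `quick` were removed from the `block out quick inet6 all` rule, outbound IPv6 would reach rule 16 and pass. The real check for a ruleset is still `pfctl -nf /etc/pf.conf` for syntax and `pfctl -s rules` for what got loaded, as in the post.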


----------



## grahamperrin@ (Jan 9, 2019)

johnblue said:


> … the value in adding "operator" …





Trihexagonal said:


> … I've always made myself a member of the wheel and operator group. It's how I learned to do it and comes in handy down the road. I've seen people talk about having to add themselves to a "video" group or whatnot to solve a problem that wouldn't have occurred had they been a member of the operator group. …



*operator*

_In my case_


```
grahamperrin@momh167-gjp4-8570p:~ % pkg query %M | grep operator
For USB support your user needs to be in the operator group and needs read
% pw groupmod operator -m jerry
add path 'usb/*' mode 0660 group operator
grahamperrin@momh167-gjp4-8570p:~ %
```

The phrase in the first matched line was familiar – _For USB support your user needs to be in the operator group_ – so I used a search engine to find it in the freshports.org domain. Answer: emulators/virtualbox-ose


```
grahamperrin@momh167-gjp4-8570p:~ % pkg query %M virtualbox-ose | grep operator
For USB support your user needs to be in the operator group and needs read
% pw groupmod operator -m jerry
add path 'usb/*' mode 0660 group operator
grahamperrin@momh167-gjp4-8570p:~ %
```

_Generally_

Unfortunately, this finds nothing:


```
grahamperrin@momh167-gjp4-8570p:~ % pkg rquery %M | grep operator
grahamperrin@momh167-gjp4-8570p:~ %
```

– FreeBSD bug 230770 – ports-mgmt/pkg pkg rquery %M does not return messages

*video*


```
grahamperrin@momh167-gjp4-8570p:~ % pkg query %M | grep video | grep group
"video" group.
grahamperrin@momh167-gjp4-8570p:~ %
```

Without using a search engine, the requirement for this group membership is more memorable. drm-related. In my case:


```
grahamperrin@momh167-gjp4-8570p:~ % pkg query %M drm-legacy-kmod | grep video | grep group
"video" group.
grahamperrin@momh167-gjp4-8570p:~ %
```

Generally (see the pkg-message sections):

graphics/drm-legacy-kmod
graphics/drm-fbsd12.0-kmod
graphics/drm-current-kmod
There may be other video group requirements but (sorry) with bug 230770, I can't tell.


----------



## Polyatomic (Jan 9, 2019)

Trihexagonal said:


> But I'm also working under the 20,000 character limit for a post rule and only words from the upper limit, usually having to do away with excess text to make room for edits and will see what I can do.


Right honourable operator Trihexagonal, I extend a greeting to you. May I make a solitary suggestion, perhaps in future thread authorship you could reserve post #2 to effectively double the character limit. `:)`


----------



## Deleted member 30996 (Jan 9, 2019)

grahamperrin said:


> *operator*



In the instructions I provide to create a /etc/devfs.rules file all the group owners are the operator including the "video" group. I should always have coffee before posting. 

Premium principled poster Polyatomic, I'm pleased to pronounce the proposed plan to preserve the secondary position for supplementary pontification shall profit me plenty as a prolific penner of posts and praise your perceptivity profusely.


----------



## shamssaki (Jan 17, 2019)

Are there any difficulties if I don't use a firewall & single user mode?
(I have used Linux since 1998 and am new to FreeBSD. I once used 10.2 for 3 months. Now I am installing 12.0-STABLE.)


----------



## shamssaki (Jan 17, 2019)

freebsd-update fetch does not work:
Mirror not found


----------



## SirDice (Jan 17, 2019)

shamssaki said:


> is there any difficulties if I don't use firewall & single user mode.


Not using a firewall is not a problem. Don't use single user mode for your day to day work. That's not going to work and is not what single user mode is for.



shamssaki said:


> freebsd-update fetch not work
> Mirror not found


Open a new thread for your issue and post the _whole_ error and commands.


----------



## teo (Feb 10, 2019)

Trihexagonal said:


> Open /etc/aliases and set the root mailbox address to:
> 
> ```
> root: username@machinename
> ...


 

Hello Trihexagonal, with respect to Sendmail, is it advisable to set it to NO in the /etc/rc.conf configuration file after modifying the /etc/aliases file? Or should it remain at the default, NONE, in the /etc/rc.conf file?

example:

# `ee /etc/rc.conf`

```
sendmail_enable="NONE"
```

Or:

# `ee /etc/rc.conf`

```
sendmail_enable="NO"
```


----------



## Deleted member 30996 (Feb 10, 2019)

teo said:


> Hello Trihexagonal, with respect to Sendmail, it is advisable to disable (NO) in the /etc/rc.conf configuration file after modifying the /etc/aliases  file? Or remain by default NONE in the /etc/rc.conf file ?



If you want to be able to continue receiving your local daily mail reports it needs to be left as I have outlined it in /etc/rc.conf:


```
sendmail_enable="NO"
```

The "NONE" variable is what turns it off completely.



> To only disable Sendmail's incoming mail service, use only this entry in /etc/rc.conf:
> 
> sendmail_enable="NO"
> 
> ...


----------



## teo (Feb 11, 2019)

Trihexagonal said:


> If you want to be able to continue receiving your local daily mail reports it needs to be left as I have outlined it in /etc/rc.conf:
> 
> 
> ```
> ...


Very kind; your generosity helps to solve the difficulties.


----------



## Deleted member 30996 (Feb 11, 2019)

BTW, I block TCP port 25 with pf, still get my daily mail as root and did as recently as today.

Running `sockstat -l4` shows it listening on that port:


```
root     sendmail   12345 3  tcp4   127.0.0.1:25          *:*
```
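As an added example (not code from any of the posts above), the check a practitioner would run after choosing `sendmail_enable="NO"`: parse the output of `sockstat -l4` and flag every listener that is not confined to a loopback address. With "NO" the local submission daemon still binds 127.0.0.1:25, as the line above shows, and the check confirms that this is not reachable from the network; anything bound to `*` (all interfaces) or a LAN address is. The sample output is constructed for the demonstration, the other daemons in it are assumed, and the script expects `python3` from lang/python3.

```python
#!/usr/bin/env python3
"""Flag listening IPv4 sockets that are reachable from outside the host.

Added example, not part of the original thread. It parses the text format
of FreeBSD's `sockstat -l4` (USER COMMAND PID FD PROTO LOCAL FOREIGN).
"""
import ipaddress
import subprocess
from typing import Dict, List

# Constructed sample in the layout sockstat(1) prints. The sendmail line
# mirrors the one quoted in the thread; the other rows are assumed, for contrast.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   12345 3  tcp4   127.0.0.1:25          *:*
root     sshd       811   4  tcp4   *:22                  *:*
root     syslogd    602   6  udp4   *:514                 *:*
root     ntpd       1337  20 udp4   192.168.1.3:123       *:*
"""


def parse_sockstat(text: str) -> List[Dict[str, str]]:
    """Turn sockstat -l4 output into one dict per listening socket."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 6:
            continue
        user, command, pid, fd, proto, local = fields[:6]
        addr, _, port = local.rpartition(":")   # rpartition copes with "*:22"
        rows.append({"user": user, "command": command, "pid": pid,
                     "proto": proto, "addr": addr, "port": port})
    return rows


def is_exposed(addr: str) -> bool:
    """A socket is reachable off-host unless it is bound to a loopback address.
    '*' is how sockstat prints INADDR_ANY (every interface)."""
    if addr == "*":
        return True
    return not ipaddress.ip_address(addr).is_loopback


def exposed_listeners(text: str) -> List[str]:
    """Return 'command/proto/port' for every listener not confined to loopback."""
    return [f"{r['command']}/{r['proto']}/{r['port']}"
            for r in parse_sockstat(text) if is_exposed(r["addr"])]


def audit_live_host() -> List[str]:
    """Run the real sockstat(1); only meaningful on a FreeBSD host."""
    out = subprocess.run(["sockstat", "-l4"], check=True,
                         capture_output=True, text=True).stdout
    return exposed_listeners(out)


if __name__ == "__main__":
    # On the constructed sample sendmail is correctly absent from this list.
    for item in exposed_listeners(SAMPLE_SOCKSTAT):
        print("exposed:", item)
```

On a live box call `audit_live_host()` instead of the sample; a sendmail entry appearing in its output would mean the daemon is no longer bound to loopback only, which is the condition the pf rule for port 25 in the ruleset above is there to cover.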


----------



## rube2112 (Feb 19, 2019)

ok....this kind of tutorial ticks me off....why?  because none of the disks I've tried even have the option to install......that makes it worthless for me


----------



## rube2112 (Feb 19, 2019)

ok someone deleted my comment.  You don't think it's important to specify which download is the one used in this tutorial?  Am I supposed to guess?  None of the images I've downloaded even have the option to install  start as single user, multi user etc....no install option.


----------



## SirDice (Feb 19, 2019)

Settle down rube2112 . Nothing was deleted, your posts were held for moderation (as they do for _every_ new member). 

I _strongly_ suggest you start reading the handbook regarding the installation of FreeBSD: Chapter 2. Installing FreeBSD. 
I also suggest you actually read the announcement as it includes details _which_ download you should use. 

FreeBSD 12.0-RELEASE Announcement (www.freebsd.org)

You should also read the release notes and errata:

FreeBSD 12.0-RELEASE Release Notes (www.freebsd.org)
FreeBSD 12.0-RELEASE Errata (www.freebsd.org)

If you came here expecting to be spoon fed, then I have some bad news for you. We don't do that. Nobody learns anything from blindly typing in a bunch of commands. We expect you to be smart enough to actually read the documentation and figure things out on your own. If you have any _specific_ questions regarding the documentation or if the documentation is unclear you're free to ask. 

If you want something that installs a nice desktop out-of-the-box I suggest you go have a look at TrueOS.


----------



## hukadan (Feb 19, 2019)

SirDice said:


> If you want something that installs a nice desktop out-of-the-box I suggest you go have a look at TrueOS.


I am not sure this is still the case. According to this blog post "_We know that some of you will still be looking for an out-of-the-box solution similar to legacy PC-BSD and TrueOS. We’re happy to announce that Project Trident will take over graphical FreeBSD development going forward._"


----------



## SirDice (Feb 19, 2019)

I wasn't aware of that. I'll keep that in mind the next time


----------



## rube2112 (Feb 19, 2019)

I read the article on which image to use, which is the one I have......I hate to break it to you, but there is no option to install.


----------



## tommiie (Feb 19, 2019)

rube2112 said:


> I read the article on which image to use, which is the one I have......I hate to break it to you, but there is no option to install.


Perhaps provide some more information then, instead of just stating that "it does not work."


----------



## SirDice (Feb 19, 2019)

rube2112 said:


> I read the article on which image to use, which is the one I have......I hate to break it to you, but there is no option to install.


Because you fail to mention _which_ image you downloaded I can only assume you have the wrong one.


----------



## rube2112 (Feb 19, 2019)

The information is, the tutorial says put in your boot disk and select the install option.  There is no install option.  It says single user, multi user.  A few other options, none of which are install.  And I disagree with the statement above about being "spoon fed".  I'm pretty good with Linux.  The key thing that many developers have had to be taught over and over is that most people don't want to become experts on how to set something up.  They just want to use the operating system so they can then make a determination about whether or not it's something they'd like to use.  I've never been able to get FreeBSD to run on anything.  Last attempt was about 5 years ago.  I got pretty good at Linux, not by trying to figure out how to set it up, but by someone finally creating disks that would actually help you set it up.  Using the OS is what made me a better user.


----------



## SirDice (Feb 19, 2019)

rube2112 said:


> The information is, the tutorial says put in your boot disk and select the install option. There is no install option. It says single user, multi user. A few other options, none of which are install.


You're looking at the loader menu. Sit back and wait. Or hit enter if you don't want to wait 10 seconds.


----------



## Deleted member 30996 (Feb 19, 2019)

rube2112 said:


> ok....this kind of tutorial ticks me off....why?  because none of the disks I've tried even have the option to install......that makes it worthless for me



FreeBSD RELEASE is the only version supported here. 

I have a Thinkpad T61 sitting next to me I finished building FreeBSD 12.0-RELEASE on last night using the FreeBSD-12.0-RELEASE-amd64-dvd1.iso with all my programs compiled waiting for when I have time to boot to the desktop and proceed from there.


----------



## rube2112 (Feb 19, 2019)

It set up and doesn't recognize most of my hardware.  See ya in 5 years I guess.....


----------



## hukadan (Feb 19, 2019)

rube2112 said:


> See ya in 5 years I guess.....


And who knows, by the time you may have learnt how to post messages with enough information for others to help you.


----------



## teo (Feb 24, 2019)

Hello Trihexagonal, what I don't understand is where 255....2555 is generated and has continuation of the rest of the number in the next row. I don't know how to replace the numbers of those lines with the data I provide.


For example  the IP of the system default:


#`ifconfig`

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=81009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
    ether 08:00:27:b2:7f:86
    inet 192.168.0.17 netmask 0xffffff00 broadcast 192.168.0.255 
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
    inet 127.0.0.1 netmask 0xff000000 
    groups: lo 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
    groups: pflog 
#
```


In his example he's like this:


```
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all


### Pass loopback
set skip on lo0

### Block spooks

antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp
```


----------



## Deleted member 30996 (Feb 24, 2019)

teo said:


> Hello Trihexagonal, what I don't understand is where 255....2555 is generated and has continuation of the rest of the number in the next row. I don't know how to replace the numbers of those lines with the data I provide.
> 
> _snip_
> 
> ...



Is this what you mean? Those are bogons:



> *Bogon filtering* is the practice of filtering *bogons,* which are bogus (fake) IP addresses of a computer network. Bogons include IP packets on the public Internet that contain addresses that are not in any range allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional Internet registry (RIR) and allowed for public internet use. The areas of unallocated address space are called the *bogon space*.
> 
> Bogons also include reserved private address[1] and link-local address ranges, such as those in _10.0.0.0/8_, _172.16.0.0/12_, _192.168.0.0/16_, and _169.254.0.0/16_, which are reserved for private networks,[1] sometimes also known as Martian packets.
> 
> ...



I must admit I'm not familiar with the 169.254.0.0/16 entry but it doesn't show mine for 255.255.255.255 either.

Point being, those packets have no business coming from the WAN into your LAN. pf may block them by default, I'm not certain, but I know they're blocked this way. You don't need to change or enter anything unless you have a use for the ports I have blocked in my macro or allow services I don't use on my machines.

That's the same ruleset I use, with the addition of the egress line you left out. It works on OpenBSD with a slight syntax change for egress, too.

You don't see many port 0 rules but there is a reason I block it and have carried that rule over from my Win98 days with ConSeal PC Firewall, the first piece of software I ever loved.

Announcement Regarding Non-Cisco Product Security Alerts (tools.cisco.com)


----------



## alphacaptain (Jul 8, 2019)

Stuck at the part where I need to input portmaster misc/mc. I get "command not found." Any help please?


----------



## SirDice (Jul 8, 2019)

You skipped a step (namely the part that installs ports-mgmt/portmaster).


----------



## Deleted member 30996 (Jul 8, 2019)

I plan to change it to installing x11/rxvt-unicode as a terminal instead of x11/eterm like I currently run when I get around to it. I'm at the upper limit for characters in a post now so I might have to delete non-essential text to do it


----------



## teo (Jul 10, 2019)

Trihexagonal said:


> Open /etc/ttys in leafpad as root and change every instance of secure to insecure to require the root password to logon in Single User Mode.


For example this is the   /etc/ttys  directory, what should it look like? 

# vi /etc/ttys

```
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none                            unknown off insecure
#
ttyv0   "/usr/libexec/getty Pc"         xterm   onifexists secure
# Virtual terminals
ttyv1   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv2   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv3   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv4   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv5   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv6   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv7   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv8   "/usr/local/bin/xdm -nodaemon"  xterm   off secure
# Serial terminals
# The 'dialup' keyword identifies dialin lines to login, fingerd etc.
ttyu0   "/usr/libexec/getty 3wire"      vt100   onifconsole secure
```
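As an added example (not from teo's post or the guide), a Python 3 helper that applies the instruction quoted above to a ttys(5) file and then reports which terminals still permit a direct root login. Two details matter for this edit: the word to change is the status keyword at the end of each entry, and a careless `sed 's/secure/insecure/'` also turns an existing "insecure" (the console line in teo's sample) into "ininsecure", so the match below refuses to fire when "secure" is the tail of a longer word. Per ttys(5) and login(1), an insecure console makes init ask for the root password before single-user mode, and an insecure tty makes login refuse root (you log in as a user and `su`). The sample file is constructed from the layout teo posted; `rewrite_file()` is the only part that touches a real system and assumes it is run as root.

```python
#!/usr/bin/env python3
"""Mark every terminal in a ttys(5) file insecure and report the result.

Added example, not part of the thread. Works on the text of /etc/ttys;
the SAMPLE_TTYS content is constructed from the entries teo posted.
"""
import re
import shlex
from typing import List, Tuple

SAMPLE_TTYS = """\
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none                            unknown off insecure
#
ttyv0   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv1   "/usr/libexec/getty Pc"         xterm   onifexists secure
ttyv8   "/usr/local/bin/xdm -nodaemon"  xterm   off secure
# Serial terminals
ttyu0   "/usr/libexec/getty 3wire"      vt100   onifconsole secure
"""

# "secure" as the last word of a line, but not the tail of "insecure".
# The lookahead does not consume the newline, so line endings are preserved.
_TRAILING_SECURE = re.compile(r"(?<![\w-])secure(?=\s*$)")


def mark_all_insecure(text: str) -> str:
    """Change the status word 'secure' to 'insecure' on every non-comment entry."""
    out = []
    for line in text.splitlines(keepends=True):
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line)            # comments and blank lines untouched
            continue
        out.append(_TRAILING_SECURE.sub("insecure", line))
    return "".join(out)


def root_login_ttys(text: str) -> List[str]:
    """Names of terminals whose status still carries 'secure'.
    shlex.split keeps the quoted getty command (which contains a space) as
    one field, so the status words are reliably fields[3:]."""
    names = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = shlex.split(line)      # name, getty, type, status words...
        if len(fields) >= 4 and "secure" in fields[3:]:
            names.append(fields[0])
    return names


def rewrite_file(path: str = "/etc/ttys") -> Tuple[int, int]:
    """Apply the change on a live system; returns (before, after) counts of
    secure terminals. Run as root, then `kill -HUP 1` so init re-reads ttys."""
    with open(path) as fh:
        original = fh.read()
    updated = mark_all_insecure(original)
    with open(path, "w") as fh:
        fh.write(updated)
    return len(root_login_ttys(original)), len(root_login_ttys(updated))


if __name__ == "__main__":
    print(mark_all_insecure(SAMPLE_TTYS), end="")
    print("still secure:", root_login_ttys(SAMPLE_TTYS))
```

Run without arguments it only prints the rewritten sample and the list of terminals that were still marked secure; on a FreeBSD host `rewrite_file()` followed by `kill -HUP 1` applies the change, and `root_login_ttys(open("/etc/ttys").read())` should then return an empty list.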


----------



## toorski (Jul 10, 2019)

My FreeBSD desktop is *Lumina*, for local and remote GUI/DE play – plain and simple.
I use *QTerminal* as my gateway to FreeBSD. I install other GUI toys when I need it.

Although I do have KDE5 in FreeBSD too, though I seldom use it. And when I do, I always wonder why - I guess because it’s there and I can look at it - lol


----------



## SirDice (Jul 10, 2019)

Trihexagonal said:


> I must admit I'm not familiar with the 169.254.0.0/16 entry


IPv4 Link-local


----------



## Lamia (Jul 10, 2019)

SirDice said:


> IPv4 Link-local


Class B Private IP address range


----------



## tommiie (Jul 11, 2019)

Lamia said:


> Class B Private IP address range


The "Class B" (classes don't exist anymore) private IP address range is 172.16.0.0/12, something completely different from the IPv4 link-local IP address range of 169.254.0.0/16. Their usage also differs completely.


----------



## SirDice (Jul 11, 2019)

Private address ranges are defined in RFC-1918:

```
The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
```

The 169.254.0.0/16 range is defined in RFC-3927.
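Trihexagonal's question earlier in the thread (whether 169.254.0.0/16 belongs with the RFC 1918 ranges in the bogon rule) and the two RFCs cited just above can be settled with a small check. As an added example (not the ruleset's own code and not from any post), this Python 3 script holds exactly the four ranges the posted `block in log quick on $ext_if from { ... } to any` rule covers, a second set of IANA special-purpose ranges a stricter rule would also drop (RFC 3927 link-local, RFC 6598 shared CGN space, the three RFC 5737 documentation nets), classifies candidate source addresses against both, and renders the union as a pf table. The choice of extra ranges and the sample addresses are mine; loopback is deliberately left out of the extra set because the ruleset's `antispoof for lo0` already handles 127.0.0.0/8, as the pfctl output earlier in the thread shows.

```python
#!/usr/bin/env python3
"""Classify source addresses against the bogon rule posted in the thread.

Added example, not from the original posts. Compares the ranges that rule
blocks with IANA special-purpose ranges it leaves out.
"""
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network

# Exactly what the quoted pf rule blocks on ingress:
#   block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12,
#       192.168.0.0/16, 255.255.255.255/32 } to any
RULESET_BOGONS: List[IPv4Net] = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32")]

# Special-purpose space with no business arriving from the WAN but absent
# from the rule above. My selection (assumed), with the defining RFC.
EXTRA_BOGONS: Dict[str, IPv4Net] = {
    "RFC 3927 link-local":   ipaddress.ip_network("169.254.0.0/16"),
    "RFC 6598 shared (CGN)": ipaddress.ip_network("100.64.0.0/10"),
    "RFC 5737 TEST-NET-1":   ipaddress.ip_network("192.0.2.0/24"),
    "RFC 5737 TEST-NET-2":   ipaddress.ip_network("198.51.100.0/24"),
    "RFC 5737 TEST-NET-3":   ipaddress.ip_network("203.0.113.0/24"),
}


def in_any(addr: ipaddress.IPv4Address, nets: Iterable[IPv4Net]) -> bool:
    return any(addr in net for net in nets)


def classify(src: str) -> str:
    """'blocked' -> matched by the posted rule
       'gap'     -> special-purpose space the posted rule lets through
       'public'  -> ordinary routable source"""
    addr = ipaddress.ip_address(src)
    if in_any(addr, RULESET_BOGONS):
        return "blocked"
    if in_any(addr, EXTRA_BOGONS.values()):
        return "gap"
    return "public"


def gaps(sources: Iterable[str]) -> List[str]:
    """Sources the posted rule does not drop although they are bogons."""
    return [s for s in sources if classify(s) == "gap"]


def pf_table_lines() -> List[str]:
    """Render the combined set as a pf table plus the rule that uses it,
    the usual way to carry a long bogon list (pf.conf(5), TABLES)."""
    nets = sorted({*RULESET_BOGONS, *EXTRA_BOGONS.values()},
                  key=lambda n: (int(n.network_address), n.prefixlen))
    body = ", ".join(str(n) for n in nets)
    return [f"table <bogons> {{ {body} }}",
            "block in log quick on $ext_if from <bogons> to any"]


# Constructed packet sources, one per case of interest.
SAMPLE_SOURCES = ["10.1.2.3", "172.31.255.9", "172.32.0.1", "169.254.10.10",
                  "100.64.5.5", "203.0.113.7", "8.8.8.8"]

if __name__ == "__main__":
    for s in SAMPLE_SOURCES:
        print(f"{s:16} {classify(s)}")
    print("\n".join(pf_table_lines()))
```

Note that 172.32.0.1 comes out as public: 172.16.0.0/12 ends at 172.31.255.255, which is the distinction tommiie draws above between the RFC 1918 block and the link-local range. Paste the two lines from `pf_table_lines()` into pf.conf in place of the inline list and check them with `pfctl -nf /etc/pf.conf` before loading.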


----------



## Deleted member 30996 (Nov 13, 2019)

Updated to reflect FreeBSD 12.1-RELEASE, to install x11/rxvt-unicode as a terminal and uploaded the ~/.Xdefaults file I use with it to get transparency and font selection as an attachment at the bottom of the post.


----------



## Deleted member 30996 (Nov 17, 2019)

Updated to show how to create and link to images from the fluxbox menu for use as icons.


----------



## userxbw (Nov 18, 2019)

Trihexagonal
on your setup post
there is no need to run HAL for X or xfce any more. I do not even add that to mine and I have  not seen any issue as a result of not having hald_enable="YES"  in rc.conf
post 2

Question over /etc/rc.conf and hald_enable (forums.freebsd.org)


----------



## Deleted member 30996 (Nov 18, 2019)

userxbw said:


> ...there is no need to run HAL for X or xfce any more. I do not even add that to mine and I have  not seen any issue as a result of not having hald_enable="YES"  in rc.conf



Those are recommended settings and the way I've done things for years. 

There are other programs that depend on sysutils/hal running. I don't install it if ports-mgmt/portmaster doesn't pull it in. If it does then it's good to go. If you don't need it that's great.


----------



## aimeec1995 (Jan 13, 2020)

there are a lot more tunables to tweak for heavy desktop use imo the biggest one being kern.sched.preempt_thresh and some network related ones


----------



## forgiven_noob (Jan 20, 2020)

the extended pf config does not run for me, claiming it has a syntax error


----------



## Deleted member 30996 (Jan 20, 2020)

forgiven_noob said:


> the extended pf config does not run for me, claiming it has a syntax error



I took those rules directly from the same ruleset I'm using now. Watch the boot screen and see if you can catch what lines it's on. The only thing I see ATM that could be a syntax error might appear on line #2. (If you didn't change "Network Interface Designation Goes Here" to what it shows in `ifconfig`.)

I've posted my full ruleset before. It's set to block so probably not a Microsoft level security breach to do so again for your benefit.


```
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```

It's up and doing what it's supposed to do:


```
root@unmei:/ # pfctl -s rules
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.3 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state
root@unmei:/ #
```


----------



## Deleted member 30996 (Jan 20, 2020)

aimeec1995 said:


> there are a lot more tunables to tweak for heavy desktop use imo the biggest one being kern.sched.preempt_thresh and some network related ones



I don't use any additional tunables, aimeec1995, but if you do and think it might be helpful to new users please feel free to post them here. 

I won't be adding anything to mine but others may find it useful and I don't mind.


----------



## teo (Feb 3, 2020)

Trihexagonal said:


> Later, if you would like to add icons to the fluxbox menu, you can create a small 32x32 image or find the one associated with the appropriate program to "Export As" an image in .xpm format from Gimp to where you want to save it. Then you link to the image from the fluxbox menu behind the command to call the program. It should look something like this:
> 
> ```
> [exec]   (urxvt) {urxvt} </usr/home/Trihexagonal/Images/iconred.xpm>
> ```



Hello Trihexagonal!

For example, to display the *xfe* icon on the menu, how should I proceed? And I'd also like to know what that's for. 


```
(urxvt) {urxvt}
```


----------



## Deleted member 30996 (Feb 3, 2020)

Hold on... I'm struggling here, lacking Actual Intelligence, my brain previously stored in a jar labeled "Abhorrent Insanity" and my wetware programming previously questioned in another of my AI threads.



teo said:


> For example, to display the *xfe* icon on the menu, how should I proceed?



Logic dictates to find the path and do it just like the provided instruction to do the other one:

"Later, if you would like to add icons to the fluxbox menu, you can create a small 32x32 image or find the one associated with the appropriate program to "Export As" an image in .xpm format from Gimp to where you want to save it. Then you link to the image from the fluxbox menu behind the command to call the program."



teo said:


> And I'd also like to know what that's for.
> 
> 
> ```
> ...



(urxvt) is the name of the program. {urxvt} invokes it.


----------



## userxbw (Feb 5, 2020)

my 2C on slim. I found using it that I always had to hit the F1 key to pick a desktop to load before logging in. I worked out a simple little how-to to get it to log in to what desktop I wanted without having to do that anymore.
using bash, I assume sh too should work its rather basic.

if you have not set up sudo, use su passwd to login as root then change your shell to bash.

```
#chsh -s /usr/local/bin/bash <user name>
```

Using vi or nano, or whichever editor you installed.  Edit your slim.conf

sudo nano /usr/local/etc/slim.conf
move down to where you see this.

```
# NOTE: if your system does not have bash you need
# to adjust the command according to your preferred shell,
# i.e. for freebsd use:
#login_cmd           exec /bin/sh - ~/.xinitrc %session
login_cmd           exec /usr/local/bin/bash -login ~/.xinitrc %session
```
comment out the first login_cmd line, uncomment the second login_cmd line. It does not have the local path to bash in the config file, change it to read what is posted.  now save, and exit the file. If you are using vi, then use vi commands.

in your home .xinitrc file.

```
#!/usr/bin/env bash
# slim runs this as: bash -login ~/.xinitrc %session
# %session is "default" when no session was chosen with F1,
# otherwise the name of the session command selected.

if [[ "$1" = 'default' ]] ;
then
       startxfce4
else
       exec "$1"     # quoted so the session name is passed as one word
fi
```
chmod +x .xinitrc

that's it.


----------



## salparadise (Aug 22, 2020)

Thank you for this guide, it's just what I needed. I played around with GhostBSD for a little while. Followed this guide a couple of times but got bored part way through a long compile and thought "just exactly why shouldn't I mix Ports and pkg's?" - answer, because the computer stops working properly. But it's good to learn, even painfully sometimes.
So I bit the bullet and stuck strictly to Ports. On the third time of doing this (took a while to get the simplicity of BSD, so there was some returning to Linux, only to get annoyed by it again) I knew enough to deviate in terms of what I built.
Fully working Desktop, more or less, just a few things that need sorting.


----------



## a6h (Aug 22, 2020)

salparadise said:


> So I bit the bullet and stuck strictly to Ports





salparadise said:


> Portmaster has been something of a revelation, as has 'pkg audit -F'


That's great. Also, I don't think it's a bad idea to take a look at ports-mgmt/poudriere

Chapter 4. Installing Applications: Packages and Ports (www.freebsd.org)
VladimirKrstulja/Guides/Poudriere - FreeBSD Wiki


----------



## happy-yoga (Nov 18, 2020)

Will this tutorial work with FreeBSD 12.2? I am new to FreeBSD but want to learn. I want to set up on a Thinkpad x200 and a Thinkpad T480. Will this also apply to setting up on virtual machines?


----------



## drhowarddrfine (Nov 18, 2020)

happy-yoga Probably but it's three years old and doesn't mention ZFS. If it fails then you can always start over. It won't harm anything. Then you can just follow the Handbook instead.


----------



## happy-yoga (Nov 19, 2020)

drhowarddrfine said:


> happy-yoga Probably but it's three years old and doesn't mention ZFS. If it fails then you can always start over. It won't harm anything. Then you can just follow the Handbook instead.


I am confused about how to install using the qcow2 file on a KVM. Is there a special process for this? 
I was able to install on KVM using the regular iso file. Is it better to use the qcow2 file? Why/why not? I didn't see any mention of this in the handbook. I tried installing the qcow2 file but it didn't seem to work.


----------



## SirDice (Nov 19, 2020)

happy-yoga said:


> I am confused about how to install using the qcow2 file on a KVM. Is there a special process for this?


Those images are pre-built, pre-installed configurations. You just load them as disk images and boot from them. 


happy-yoga said:


> Is it better to use the qcow2 file? Why/why not?


It depends on your situation. Some people like them, some create their own images. It all depends on your situation and what you want to do with them.


----------



## happy-yoga (Nov 19, 2020)

drhowarddrfine said:


> happy-yoga Probably but it's three years old and doesn't mention ZFS. If it fails then you can always start over. It won't harm anything. Then you can just follow the Handbook instead.


There are several things described in this Beginners Guide that I don't see in the Handbook. So I am confused on what I should follow. I assume I can combine this Beginners Guide with the Handbook. It seems logical, but I am a beginner and don't know what I really need to get the desktop working.


----------



## SirDice (Nov 19, 2020)

happy-yoga said:


> I am a beginner and don't know what I really need to get the desktop working.


Just go for it. Don't expect to get it right on your first attempt. Everybody is going to make mistakes the first couple of times. You're not going to believe the number of times I have reinstalled my systems over the last 20 or so years. That's all part of the learning experience. Try it, find out what works, what not. Learn from the mistakes you've made and try again.


----------



## drhowarddrfine (Nov 19, 2020)

SirDice said:


> You're not going to believe the number of times I have reinstalled my systems over the last 20 or so years.


You're not going to believe the number of times I have reinstalled my system over a few hours!

happy-yoga I understand the fear and desire to make the perfect system but keep in mind that it's easy to start from the beginning until you get it right. Make sure you write down what you did and liked so you're not reinstalling because you forgot to do something. Also remember that many, if not most, things you install or configure during installation can be changed, modified, installed or removed afterwards.


----------



## a6h (Nov 19, 2020)

Same here. It was true for DOS, it's true for FreeBSD. Also keep and organise different version of configuration files in well-ordered folders (backup).


----------



## SirDice (Nov 19, 2020)

Don't be afraid to experiment. Not on important (work/production) systems though, don't do that. But for your own system at home or a test system at work, don't be afraid to break it in any way you can. You're never going to damage the computer. The worst that could happen is having to reinstall everything from scratch. And the more often you do this the easier it gets.


----------



## Argentum (Nov 19, 2020)

Hello girls!

I have several such systems running.






Always want to have ZFS and custom kernel.


----------



## drhowarddrfine (Nov 20, 2020)

Well, there is this.


----------



## happy-yoga (Nov 20, 2020)

drhowarddrfine thanks for the link. Have you installed the hello system? Since this is an alpha, does that mean each time they do an update I have to re-install everything? https://github.com/helloSystem/hello


----------



## drhowarddrfine (Nov 20, 2020)

I don't know anything about it other than what you can read there.


----------



## Deleted member 30996 (Feb 4, 2021)

Updated to reflect FreeBSD 12.2-RELEASE.


happy-yoga said:


> There are several things described in this Beginners Guide that I don't see in the Handbook. So I am confused on what I should follow. I assume I can combine this Beginners Guide with the Handbook. It seems logical, but I am a beginner and don't know what I really need to get the desktop working.



The Handbook is the Official Guide and required reading before asking questions. If you need to ask a question someone will always be happy to help.

I never look at the Handbook anymore. I keep one laptop running and if I can't remember something exactly will reference my own work. This is how I learned to do it and how I've been doing it for years. I prefer ports and they are what I've always used so if there is a problem I'm comfortable I can resolve it and move on.

I've built 4 different 12.2 machines so far and on 3 there was an issue that prevented portmaster from continuing. Each time I manually installed the port that was the problem using `make install clean`. Then I was able to restart portmaster and it finished the build from there.


----------



## Deleted member 30996 (Feb 9, 2021)

Updated to show what needs to be done for a machine with an older nvidia chip before you can boot to the desktop.


----------



## Deleted member 30996 (Feb 23, 2021)

Updated to include 3 x11-wm/fluxbox styles of different colors as .txt attachments and instructions how to put them to use, should you so desire.

8ball.txt, bloodflow.txt and electricblue.txt are the theme file names.

I set programs to use the same font for some system-wide symmetry.


----------



## Deleted member 30996 (Feb 24, 2021)

Updated to reflect steps needed done for a box with Switchable Graphics during the installation of x11/xorg and how to set it correctly in the BIOS before first boot to the desktop. 

The example given was for a T400 that has Switchable Graphics with Intel GMA 4500MHD and ATI Mobility Radeon HD 3470 chips to get it to run on the ATI chip.


----------



## Deleted member 30996 (Mar 12, 2021)

Updated to include installation of sysutils/devcpu-data early during the build process for download of firmware microcode updates at next boot.


----------



## KenGordon (Mar 15, 2021)

Good job, Trihex. I followed your tutorial...mostly....although I used `pkg install` instead of `make install clean` because in previous installs, there would be missing dependencies when compiling from the ports which didn't appear when using the packages. I had zero issues with your tutorial. It is excellent.

Also, I installed MATE after using fluxbox for a bit. As I have mentioned here more than once, I am trying to build a desktop on FreeBSD 12.2-RELEASE-p4 to enable the computo-klutzes in my family to completely dump Billy Gates' offerings. Fluxbox is a bit too simple for those folks.

MATE is working a treat! 

The only problem I have run into so far is that using your set up for pf made it impossible for CUPS to work. Inputting `http:localhost:631` into any browser I had installed (Firefox, Chromium (which I hate), and even Lynx) resulted in all of them returning a timeout, file not found error. I could only get it to work by commenting out of rc.conf all of those lines dealing with pf. I am sure that by correctly tweaking pf, that problem would go away, but I don't know enough yet to fix it.

I printed off all 36 of the man pages dealing with pf, and all the pages from the Handbook dealing with firewalls, although I have not yet had the necessary time to study them even once, let alone 4 or 5 times. ;-)

Since all of the 'pooters I am working with here are "workstations", I am wondering if I even need a firewall on each machine, since our router has a built-in firewall anyway?

Still, since I am a "belt and suspenders" type of tech, I would like to have a decent firewall on each machine. I am tempted to use IPFW.

Ken Gordon


----------



## Deleted member 30996 (Mar 16, 2021)

KenGordon said:


> Good job, Trihex. I followed your tutorial...mostly....although I used `pkg install` instead of `make install clean` because in previous installs, there would be missing dependencies when compiling from the ports which didn't appear when using the packages. I had zero issues with your tutorial. It is excellent.



I'm glad it worked for you. I just built a box from ground up using pkg instead of ports for the first time ever a couple days ago. I won't be changing from ports but it worked very nicely. The only problem was pkg willingly installed a vulnerable version of graphics/jasper and I had to `make deinstall clean` the old version before building an up-to-date version from ports.

If I read you correctly and you used `make install clean` all through the build instead of letting ports-mgmt/portmaster build all your 3rd party programs that is where I would say you ended up with missing dependencies.

I was going to have portmaster build jasper from ports but it looked like it was pulling in a lot more than I wanted or thought it needed to. So I used `make install clean` to build it from ports and watched every minute of it to make sure my T43 wasn't going to overheat.

It still pulled in a lot of dependencies on its own I wouldn't have thought required but I'm pretty sure not as many as portmaster planned on doing because I had already checked off the screens and declined the build.

I've built them from the ground up using `make install clean` and ports-mgmt/portupgrade before I ever used portmaster so it's perfectly OK to do so. You just have to work that kind of thing out by hand and build the dependencies yourself as part of the learning experience.

If you feel more comfortable using Mate you might as well use what you like and think your Family will be able to make the transition over to FreeBSD as seamlessly as possible.



> The only problem I have run into so far is that using your set up for pf made it impossible for CUPS to work.



You would catch me when I've been awake all night and the Processor wants to `shutdown now`. Let me just fix mine to work for you and post it. SirDice can comment on if that's right or not and enough to do it without hosing your ruleset. Or trading pf for ipfw which shouldn't be necessary under any circumstances.

I set it up to use UDP and TCP port 631. If you need to use TCP port 80 over the LAN add it to the "cups_tcp" macro and it should be good to go. Though I have not tried it out myself the syntax should be right, if not the configuration.

Edit: And it does, now that I've made sure of it the next morning after wetware shutdown. It should be recopied into /etc/pf.conf, KenGordon, if that did indeed work for you before editing:


```
### CUPS_pf_rules_included
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Allow CUPS to use tcp and udp port 631
cups_tcp = "{  631 }"
cups_udp = "{ 631 }"

### Allow CUPS to be accessible (change to your other machines ifconfig -a LAN designation )
table <local> { 192.168.0.11, 192.168.0.12, 192.168.0.13 }

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Allow LAN to talk to CUPS on your machine
pass in log quick from <local> to any keep state

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Allow CUPS to talk to clients on LAN
pass out log on $ext_if proto tcp to any port $cups_tcp keep state
pass out log on $ext_if proto udp to any port $cups_udp keep state

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```
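
To see why the order of those rules matters, here is an added Python model of pf's evaluation order (the last matching rule decides, except that a matching rule marked `quick` ends evaluation immediately) applied to a subset of the ruleset above. It is example code written for this page, not part of the tutorial or of pf itself; the `Rule` and `Packet` classes, the interface name and the address values are assumptions, and the model ignores state tracking, `scrub`, `antispoof` and the port-0 rules. It also shows the "misplaced rule" case: the same rules with the LAN `pass in quick` moved below the RFC1918 block.

```python
"""Toy model of pf rule evaluation for the CUPS ruleset above.

pf semantics modelled here: rules are evaluated top to bottom, the LAST
matching rule decides, and a matching rule marked `quick` ends evaluation
immediately. Packets on a `set skip` interface bypass the ruleset.
Not modelled: state tracking (replies to outbound traffic), scrub,
antispoof, port-0 rules and tables changed at runtime.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out" or None for both
    quick: bool = False
    iface: Optional[str] = None       # e.g. "em0"; None matches any interface
    af: Optional[str] = None          # "inet", "inet6" or None
    proto: Optional[str] = None       # "tcp", "udp", "icmp" or None
    src: Tuple[str, ...] = ()         # source networks/hosts; () means any
    dport: Tuple[int, ...] = ()       # destination ports; () means any
    label: str = ""                   # human-readable name used in verdicts


@dataclass
class Packet:
    direction: str
    iface: str
    src: str
    dst: str
    proto: str
    dport: int = 0


def _af(addr: str) -> str:
    return "inet6" if ip_address(addr).version == 6 else "inet"


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every constraint the rule specifies fits the packet."""
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.af and rule.af != _af(pkt.src):
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and not any(
        ip_address(pkt.src) in ip_network(n, strict=False) for n in rule.src
    ):
        return False
    if rule.dport and pkt.dport not in rule.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, skip=("lo0",)) -> Tuple[str, str]:
    """Return (action, label of the deciding rule) the way pf would decide."""
    if pkt.iface in skip:
        return ("pass", "set skip")
    verdict = ("pass", "default: no rule matched")
    for rule in rules:
        if matches(rule, pkt):
            verdict = (rule.action, rule.label)
            if rule.quick:
                break          # `quick` ends evaluation here
    return verdict


# Macros and the <local> table from the CUPS ruleset above (assumed values).
LOCAL = ("192.168.0.11", "192.168.0.12", "192.168.0.13")
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "255.255.255.255/32")
NETBIOS_TCP = (22, 23, 25, 110, 111, 123, 512, 513, 514, 515, 6000, 6010)

CUPS_RULESET = [
    Rule("block", label="block log all"),
    Rule("pass", "in", quick=True, src=LOCAL, label="pass in quick from <local>"),
    Rule("block", "in", quick=True, iface="em0", src=RFC1918, label="block in quick rfc1918"),
    Rule("block", "in", quick=True, af="inet6", label="block in quick inet6"),
    Rule("block", "out", quick=True, af="inet6", label="block out quick inet6"),
    Rule("block", "in", quick=True, iface="em0", proto="tcp", dport=NETBIOS_TCP,
         label="block in quick netbios_tcp"),
    Rule("pass", "out", iface="em0", proto="tcp", label="pass out tcp modulate state"),
    Rule("pass", "out", iface="em0", proto="udp", label="pass out udp modulate state"),
]


def misordered_ruleset() -> List[Rule]:
    """Same rules with the LAN pass moved below the RFC1918 block: the quick
    block now fires first and CUPS becomes unreachable from the LAN."""
    rules = list(CUPS_RULESET)
    lan_pass = rules.pop(1)
    rules.insert(2, lan_pass)
    return rules


if __name__ == "__main__":
    probes = [
        Packet("in", "em0", "192.168.0.11", "192.168.0.10", "tcp", 631),   # LAN host in <local>
        Packet("in", "em0", "192.168.0.50", "192.168.0.10", "tcp", 631),   # LAN host not in table
        Packet("in", "em0", "203.0.113.5", "192.168.0.10", "tcp", 22),     # outside host, ssh
        Packet("out", "em0", "192.168.0.10", "203.0.113.5", "tcp", 443),   # outbound https
    ]
    for p in probes:
        print(p.direction, p.src, "->", p.dst, p.dport, evaluate(CUPS_RULESET, p))
    print("misordered:", evaluate(misordered_ruleset(), probes[0]))
```

Run it as-is to see the verdicts; the last line is the one to study: with the LAN pass below the RFC1918 block, the printer host in `<local>` gets the same `block` as any other private address, which is exactly the "misplaced rule" failure discussed later in this thread.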


----------



## Mjölnir (Mar 16, 2021)

Trihexagonal said:


> I've built 4 different 12.2 machines so far and on 3 there was an issue that prevented portmaster from continuing.  Each time I manually installed the port that was the problem using  `make install clean`. Then I was able to restart portmaster and it finished the build from there.


No comment... 
(Sorry I couldn't resist to add this note)


----------



## mickey (Mar 16, 2021)

Mjölnir said:


> No comment...
> (Sorry I couldn't resist to add this note)


Oh please


----------



## KenGordon (Mar 16, 2021)

Ha ha! You guys are a real kick!  

Anyway, thanks Trihex. I must say that your solution to my CUPS issue seems rather involved for what should be such a simple task. Nonetheless, I'll give it a try. 

I will say that what I first thought was a CUPS issue at least made me make certain my CUPS install was correct. Anyway, it works just fine now.

Oh. Also I did install and use correctly portmaster.

During my CUPS troubles, I at one time tried to `pkg deinstall cups`, which resulted in the deinstallation of a ton of other executables, all of which I had to manually reinstall. That was kind of annoying, but simply told me that I didn't know enough....yet.

Ken Gordon


----------



## Deleted member 30996 (Mar 16, 2021)

KenGordon said:


> Ha ha! You guys are a real kick!
> 
> Anyway, thanks Trihex. I must say that your solution to my CUPS issue seems rather involved for what should be such a simple task. Nonetheless, I'll give it a try.
> 
> I will say that what I first thought was a CUPS issue at least made me make certain my CUPS install was correct. Anyway, it works just fine now.


I'm glad that fixed it. I have never used anything but FTP to establish a remote connection to another box. Not telnet, SSH, rlogin, Xwindows, PCAnywhere, installed a trojan on mine or connected to a machine that isn't on my LAN. Only FTP, so I have always blocked everything.

I don't use or need remote access to my Thinkpad Farm, am not a sharecropper and don't pick no cotton, so I disable it all. I ran a pfSense router though so am familiar with the way networking is generally done. I have more relevant books in .pdf form than I'll ever get read.

I did firewalk a would-be-wiseguy in chat 20 years ago, back when dirt was clean, and he freaked out bigtime when I told him his LAN machine designations. The year I went without cable or Internet, I only wanted to use wi-fi once and not have to go to the library.

I couldn't pick up our hotspot, but The County Courthouse, Sheriff Dept., Police Dept., Federal Building, a couple Churches and a School are all within a 2 block range of Tom Sawyers Townhouse. All using WPS pin, too.

If you're going for a ride, go big or stay home is what Huck always told me. So I spoofed my MAC, took a limo to get my Oh_So_Important_Had_To_Have_It_Now Final Fantasy VI Walkthru, ditched the limo and vanished like Shadow back into the Final Fantasy VI realm.

So did their adhoc hotspot SSID the next day. The funny name gave away who it belonged to anyway and only attracted my attention. My MAC addy got theirs.


----------



## Deleted member 30996 (Apr 14, 2021)

Now that the change has been made and the ports tree sorted back out, everything is back to normal and there is no need to change the Tutorial from using `portsnap fetch update` at this time.

When the next RELEASE version is released with the new methodology for updating ports included in the base system I'll change the Tutorial to remain current with that version. 

Right now it isn't broke and I don't fix things till they are. (Advice I often give to people new to FreeBSD.)

That seems to be the easiest way to go about it with minimal editing and still stay current with the version it addresses as installed since that still works as intended.


----------



## Deleted member 30996 (May 8, 2021)

Added my pf CUPS ruleset that allows the machine running cupsd to be accessed by other machines on the LAN:


----------



## El_Barto (Jul 26, 2021)

I just discovered yesterday `desktop-installer` 
I could kiss these people who made this tool.

Just install freebsd, then install the tool desktop-installer and run it.
It is an automated desktop installer.

Just made an error clicking too fast and had to run it again, so maybe there was a mistake or bug, but I had to manually add sddm enabled to rc.conf in order to have KDE booting.


----------



## Deleted member 30996 (Jul 26, 2021)

El_Barto said:


> I just discovered yesterday `desktop-installer`
> I could kiss these people who made this tool.


When did you discover you couldn't do it for yourself?



El_Barto said:


> Just install freebsd, then install the tool desktop-installer and run it.
> It is an automated desktop installer.


Yes, sysutils/desktop-installer has been in the ports tree since Jan 31, 2010.


El_Barto said:


> Just made an error clicking to fast and had to run it again so maybe there was a mistake or bug but I had to add manually sddm enabled to rc.conf in order to have kde booting.


You may benefit from their sysutils/auto-admin program as well.

From your link:


> Unless your goal is to learn how to integrate the components of a Unix desktop environment, manual configuration would not be a good use of your valuable time.



That's what you'll be missing out on using it.



> There are some important issues that new FreeBSD users are unlikely to know about, such as ensuring that your ports tree and packages are in sync, how to correctly configure devd, sound devices and graphics drivers, to name a few.



When you get their desktop set up, show us the relevant system and security files so I can see how they compare to the ones I outline in my Tutorial.

It's not for everybody, so don't feel bad. My own Sister admits she couldn't follow it.
She works at a computer all day in the billing Dept. of a State Facility and only knows the Program she uses.

When it breaks down she calls somebody to come fix it for her, like the people who can follow it.

Who you gonna call?
GhostBuSteD?


----------



## Deleted member 30996 (Oct 21, 2021)

Updated to show how to populate the fluxbox menu with the programs you've just installed by using a command once you get to the desktop:
`fluxbox-generate_menu`


----------



## Deleted member 30996 (Jan 2, 2022)

Updated to FreeBSD 13.0 RELEASE.


----------



## freezr (Jan 3, 2022)

I'd like to subscribe here since I am going to switch to FreeBSD in the very next few days.

p.s. I think that ipfw is better for a basic firewall protection.


----------



## scottro (Jan 3, 2022)

There's a saying that in Unix, there's always more than one way to do things. The corollary is Yeah, and someone will think your way is stupid.   
Trihex is saying his way is *the* way, it is *a* way that will help people new to FreeBSD get started with a working desktop solution.


----------



## astyle (Jan 4, 2022)

scottro said:


> There's a saying that in Unix, there's always more than one way to do things. The corollary is Yeah, and someone will think your way is stupid.
> Trihex is saying his way is *the* way, it is *a* way that will help people new to FreeBSD get started with a working desktop solution.


Damn, this is a good one.  My sentiments exactly. Yeah, some methods do have their drawbacks. The challenge here is to be professional enough to recognize the drawbacks, have a technical solution for them, and to avoid personal attacks by calling other methods stupid.


----------



## scottro (Jan 4, 2022)

Wow, I left out an important word. I *meant* to say "Trihex is *not* saying his way is the way,  Sorry. (Though I don't pretend to speak for him, either).


----------



## Deleted member 30996 (Jan 5, 2022)

tgl said:


> I'd like to subscribe here since I am going to switch to FreeBSD in the very next few days.
> 
> p.s. I think that ipfw is better for a basic firewall protection.


What are you basing your opinion on?

How long have you used pf and ipfw on a box to compare them?

I used ipfw on Solaris before pf became available on that platform.

I've used pf since becoming a beta tester for PC-BSD in June 2005 and personally prefer it. I carried my pf port 0 rule over from Win98 Conseal PC Firewall ruleset, so I have a long history of using rule-based firewalls.



scottro said:


> Wow, I left out an important word. I *meant* to say "Trihex is *not* saying his way is the way,  Sorry. (Though I don't pretend to speak for him, either).


What I am saying is that this is the way I install FreeBSD on my laptops line for line and it works for me every time.

I have 4 laptops running FreeBSD and know I'm going to end up with a stable build I compiled from the ground up on each one.

It originally started out as notes to my self so I wouldn't forget how and I've supplemented and updated it regularly to improve it.

I compile all 3rd party programs from ports, `portsnap fetch extract` and `portsnap fetch update` work just like they always have. I have yet to have to use a GIT client and there is no need to change the tutorial till I do.


----------



## freezr (Jan 7, 2022)

Trihexagonal said:


> What are you basing your opinion on?



IPFW is just easier to setup...


----------



## astyle (Jan 7, 2022)

tgl said:


> IPFW is just easier to setup...


yeah, and logic of PF is actually in reverse... and in either case, a misplaced rule may have the firewall working differently than intended, and a huge headache to debug THAT.


----------



## Lamia (Jan 7, 2022)

astyle said:


> yeah, and logic of PF is actually in reverse... and in either case, a misplaced rule may have the firewall working differently than intended, and a huge headache to debug THAT.


But with that comes enormous power in using PF. Traffic shaping - PF/ALTQ, VLAN, etc. I think someone made a GUI for easy learning & deployment. If none exists, now is the time in order for greater adoption and shorter barrier to entry.


----------



## Hakaba (Jan 8, 2022)

A beginner who wants to try a desktop FreeBSD experience has too many things to focus on before the debate 'pf or ipfw'...
Each time there is a step-by-step guide, you can read expert debate about the guide. But the natural target of this guide (the beginner) is only frightened by this kind of discussion, no?
If you knew that there is an infinite number of bases in arithmetic, and that we choose base 10 by default for a stupid reason, before learning addition, you would need a giant brain to learn addition.
Maybe the choice of the filter is stupid but it works and lets the beginner know that he needs a filter. If the beginner is curious (and remember he read a FreeBSD desktop install guide, no doubt about his curiosity) he will learn about filters. If not, he will live with a filter...


----------



## Deleted member 30996 (Jan 8, 2022)

I provide my own ruleset with the Tutorial posted on my site but adding that puts me over the 25,000 character limit for a message in the forums.

I'll provide it here and how it looks when it's working to remove any doubt about the efficacy of my ruleset:


```
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010, 8080 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```

Now we'll see how it looks at work on the box I'm posting from in real-time:


```
root@bakemono:/ # pfctl -s all
FILTER RULES:
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.105 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto tcp from any to any port = http-alt
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state

STATES:
all tcp 192.168.1.105:41158 -> 52.40.115.173:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.105:43665 -> 204.109.59.195:443       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.1.105:24028 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.105:21429 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT
all udp 192.168.1.105:39634 -> 192.168.1.1:53       MULTIPLE:SINGLE
all tcp 192.168.1.105:44211 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.105:12709 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT
all udp 192.168.1.105:46655 -> 192.168.1.1:53       MULTIPLE:SINGLE

INFO:
Status: Enabled for 0 days 00:59:24           Debug: Urgent

State Table                          Total             Rate
  current entries                        8               
  searches                           51441           14.4/s
  inserts                             1012            0.3/s
  removals                            1004            0.3/s
Counters
  match                               1184            0.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s

LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000

OS FINGERPRINTS:
762 fingerprints loaded
root@bakemono:/
```


----------



## Lamia (Jan 8, 2022)

Everyone is a beginner with a degree of knowing or awareness. No need being in a race of what should be used. 
And now the threadstarter just added another comment.
PF is deadly!

Thanks to the BSD community! FreeBSD, you rock!


----------



## Deleted member 30996 (Jan 9, 2022)

Here's what my /var/log/pf.yesterday shows for the day:


```
block drop log all [ Evaluations: 1654 Packets: 2 Bytes: 80 States: 0 ]
block drop in log quick on em0 inet from 192.168.0.0/16 to any [ Evaluations: 12 Packets: 12 Bytes: 2683 States: 0 ]
block drop in quick inet6 all [ Evaluations: 312 Packets: 312 Bytes: 52416 States: 0 ]
block drop out quick inet6 all [ Evaluations: 1330 Packets: 17 Bytes: 2929 States: 0 ]
```

I keep at least two machines online 24/7 and pay little attention to it. Though I do have a /var/log/pflog widget for sysutils/gkrellm2 in front of me I can check in real-time for activity at a glance.
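
Those per-rule counters are easy to turn into a daily report. The following added Python script (example code written for this page, not from the tutorial) parses lines in the `/var/log/pf.yesterday` format shown above, `rule text [ Evaluations: N Packets: N Bytes: N States: N ]`, and reports which rules actually dropped traffic and how much. The sample input is the four lines quoted in the post plus one constructed line for a rule that was evaluated but never matched; reading the real file on a schedule is left to the reader and is an assumption about how it would be used.

```python
"""Summarise pf per-rule counters (the pf.yesterday / `pfctl -vsr` format)."""
import re
from typing import Dict, List

# Matches e.g.:
#   block drop log all [ Evaluations: 1654 Packets: 2 Bytes: 80 States: 0 ]
COUNTER_RE = re.compile(
    r"^(?P<rule>.+?)\s+\[\s*Evaluations:\s*(?P<evals>\d+)\s+Packets:\s*(?P<packets>\d+)"
    r"\s+Bytes:\s*(?P<bytes>\d+)\s+States:\s*(?P<states>\d+)\s*\]\s*$"
)

# Sample input: four lines quoted from the post above, plus one constructed
# line for a rule that was evaluated but never matched anything.
SAMPLE_LOG = """\
block drop log all [ Evaluations: 1654 Packets: 2 Bytes: 80 States: 0 ]
block drop in log quick on em0 inet from 192.168.0.0/16 to any [ Evaluations: 12 Packets: 12 Bytes: 2683 States: 0 ]
block drop in quick inet6 all [ Evaluations: 312 Packets: 312 Bytes: 52416 States: 0 ]
block drop out quick inet6 all [ Evaluations: 1330 Packets: 17 Bytes: 2929 States: 0 ]
block drop in log quick on em0 proto tcp from any to any port = ssh [ Evaluations: 40 Packets: 0 Bytes: 0 States: 0 ]
"""


def parse_counters(text: str) -> List[Dict[str, object]]:
    """Parse counter lines; lines that do not fit the format are ignored."""
    rows = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if not m:
            continue
        rows.append({
            "rule": m.group("rule"),
            "evaluations": int(m.group("evals")),
            "packets": int(m.group("packets")),
            "bytes": int(m.group("bytes")),
            "states": int(m.group("states")),
        })
    return rows


def rules_with_hits(text: str) -> List[Dict[str, object]]:
    """Rules that matched at least one packet, busiest first."""
    return sorted(
        (r for r in parse_counters(text) if r["packets"] > 0),
        key=lambda r: r["packets"], reverse=True,
    )


def summarize(text: str) -> Dict[str, object]:
    """Totals for the day; only `block` rules count towards dropped traffic."""
    rows = parse_counters(text)
    hits = rules_with_hits(text)
    blocks = [r for r in rows if r["rule"].startswith("block")]
    return {
        "rules": len(rows),
        "rules_hit": len(hits),
        "packets_dropped": sum(r["packets"] for r in blocks),
        "bytes_dropped": sum(r["bytes"] for r in blocks),
        "busiest_rule": hits[0]["rule"] if hits else None,
    }


def report(text: str) -> str:
    """Human-readable version of summarize() plus one line per active rule."""
    s = summarize(text)
    lines = [f"{s['rules_hit']}/{s['rules']} rules matched traffic, "
             f"{s['packets_dropped']} packets ({s['bytes_dropped']} bytes) blocked"]
    for r in rules_with_hits(text):
        lines.append(f"{r['packets']:>6} pkts  {r['bytes']:>8} B  {r['rule']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On the box itself you would feed it the real file instead, e.g.
    #   with open("/var/log/pf.yesterday") as f: print(report(f.read()))
    print(report(SAMPLE_LOG))
```

A rule that shows up with hundreds of packets against an `inet6` catch-all, as in the sample, is telling you that something on the link is speaking IPv6 even though the ruleset drops it; that is the kind of change a daily summary makes visible without staring at a log widget.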


----------



## Deleted member 30996 (Jan 31, 2022)

Changed it to install security/rkhunter during the early build instead of misc/mc (due to post character limits). That's how I do it to get a clean baseline on a fresh system.

After all ports are compiled you run it once again. That way if it alerts to a file change in the future you'll know if it was due to your activity or not.

I show how to change sshd and don't make any further changes in the rkhunter config file.


----------



## lechal (Feb 23, 2022)

Hi, I am trying to install FreeBSD for the first time. The guide is very good but I'm not.
When do I do this with the .Xdefaults file? "Remove the .txt extension and replace the leading period to make it a hidden file again before placing it in your user directory."

Sorry for asking stupid questions, and thank you.


----------



## Deleted member 30996 (Feb 23, 2022)

It normally does not have an extension.

1. Open your File Manager from your usr account.
2. Remove the .txt extension from Xdefaults.txt
3. Name it .Xdefaults
4. Move it into your /usr/home/lechai directory.

Assuming your username here and machine usr name are the same.


----------



## eternal_noob (Feb 23, 2022)

Trihexagonal said:


> usr name


Sorry for nitpicking but "usr" means "Unix System Resources", not "user".


----------



## lechal (Feb 23, 2022)

Trihexagonal said:


> It normally does not have an extension.
> 
> 1. Open your File Manager from your usr account.
> 2. Remove the .txt extension from Xdefaults.txt
> ...


Hi again. I didn't find Xdefaults.txt. Maybe I did something wrong. Perhaps I'll install it again and see. Anyway, thanks.


----------



## astyle (Feb 23, 2022)

lechal said:


> Hi again. I didn't find Xdefaults.txt. Maybe I did something wrong. Perhaps I'll install it again and see. Anyway, thanks.


I'd suggest that you stick to the official FreeBSD Handbook. It's linked to at the top of this page (and any Forums page, frankly):




There's no $HOME/Xdefaults.txt anywhere. But if you follow the basic setup instructions in the Handbook, you'll get Xorg running no problem. As an exercise, I can also suggest that you think about _why_ the standard practice on FreeBSD forums is to suggest becoming familiar with the Handbook.  Hint: Nobody cares about popularity contests.


----------



## Deleted member 30996 (Feb 24, 2022)

eternal_noob said:


> Sorry for nitpicking but "usr" means "Unix System Resources", not "user".


There is no user directory on my FreeBSD machine. You must be a Windows user.






lechal said:


> Hi again. I didn't find Xdefaults.txt. Maybe I did something wrong. Perhaps I'll install it again and see. Anyway, thanks.





Trihexagonal said:


> And the terminal we'll be using with fluxbox called urxvt, which uses an ~/.Xdefaults file for transparency and font selection I will supply:


It's at the very bottom of the post here. Download it:


----------



## 6502 (Feb 28, 2022)

eternal_noob said:


> Sorry for nitpicking but "usr" means "Unix System Resources", not "user".


'man hier' line for usr sounds like it comes from user. Maybe it is good to add "Unix System Resources" before explanation.


----------



## Deleted member 30996 (Mar 1, 2022)

Trihexagonal said:


> Assuming your username here and machine usr name are the same.


There was no misunderstanding of my meaning. Nitpicking an established pattern of behavior for nits not questioned or reviewed for content prior to posting.


Making baseless claims that are deleted once sober is a problem astyle has to overcome, and his postings are seen as appropriate and of no concern.

And there went your argument.


----------



## scottro (Mar 1, 2022)

Heh, actually eternal_noob is correct. The directory /usr is for Unix System Resources. I usually pronounce it "user". It looks like your eye skipped a letter, they aren't saying there's a directory called "user". I'm sure I'm not the only one that sometimes types usr for user. I don't remember where or when I learned that; I don't see it in the hier man page.


----------



## grahamperrin@ (Mar 1, 2022)

scottro said:


> … I don't remember where or when I learned that; I don't see it in the hier man page.



<https://forums.freebsd.org/posts/558213> 

leads to some history, and a bug report
pictures a point at which the symbolic link is created.


----------



## Deleted member 30996 (Mar 1, 2022)

No, Scottro, actually I am correct and conveyed exactly what I wanted to in a FreeBSD usr vs. a Windows user.
I have already posted a shot of my file manager with the usr/home/jitte Directory open so I know what I'm talking about.

And nobody, not even the mouth that mutters nothing of matter, can spin it any other way.

Because it's not the first time I've said it here. In fact, I've said it many times and everyone knew what it meant then before it was made popular not to understand my posts.


----------



## scottro (Mar 1, 2022)

Not having followed this entire thread, I'm not sure if there was any conflict about anything save what /usr stands for. Though actually, searching around, it seems that /usr *might* have originally been meant for user and afterwards for Unix system resources. A few seconds of Startpaging (which I use instead of Google) shows this from LDP, which indicates it may have originally been user.


<https://tldp.org/LDP/Linux-Filesystem-Hierarchy/html/usr.html>


I'm not sure of the "not understanding your posts" either.  Knowing what you can do, I'm not gonna get in any arguments with you. 

But anyway, none of that takes away from the value of your tutorial, which I have said, more than once is helpful to the beginner.


----------



## grahamperrin@ (Mar 1, 2022)

scottro said:


> … /usr _might_ have originally been meant for user …



<https://old.reddit.com/comments/giaz0j/-/fqeekss/>:



> The original story about /home and /usr goes back to the early Unix days. Basically Ken Thompson and Dennis Ritchie ran out of disk space.



From Unix directory hierarchy history | Pixelstech.net (2016-10-21, the linked story):

"… where all the user home directories lived (which is why the mount was called /usr). …"

I recommend reading the page in its entirety. A few highlights, to put _user home directories_ in context:





The page's points of reference include:

Understanding the bin, sbin, usr/bin, usr/sbin split (2012-12-09)
– discussed:

<https://old.reddit.com/r/programming/comments/rdweo/-/>  (still open for discussion)
<https://news.ycombinator.com/item?id=3519952>


----------



## Deleted member 30996 (Mar 2, 2022)

scottro said:


> I'm not sure of the "not understanding your posts" either.  Knowing what you can do, I'm not gonna get in any arguments with you.
> 
> But anyway, none of that takes away from the value of your tutorial, which I have said, more than once is helpful to the beginner.



You weren't a part of it, Scottro. You and I are alright. We go way back to the early days of PC-BSD and have been friends a long time.
It was your tutorial on the pf firewall that taught me how to use it on PC-BSD and gave me a skill that serves me well to this day on FreeBSD.

I subscribe to the same German YouTube Shotokan channel I posted a nukite speedbreak demo video from here a few years ago. Breaking the board with your fingertips like he does is not something I've done, but my fist is through a board hanging on a string before it has a chance to move.


----------



## scottro (Mar 2, 2022)

That's a hard one to do; I doubt I could have even in my young days. (That is, punch an unsupported board; I wouldn't even have tried nukite.)
I have more martial arts misadventures than adventures, I fear.


----------



## tnt (Apr 23, 2022)

Hello and thank you Trihexagonal for the nice tutorial!

I know that this is an old thread, but I see it is not dead, so I will post my question anyway... You have the following instructions:



Trihexagonal said:


> Choose No to enabling Crash Dump. It's not necessary.
> 
> At the System Hardening screen check the following boxes to enable the options:
> 
> ...



When I was installing FreeBSD 13 on my old T430 to give it a try, this worked very well. However, currently I am setting up a *Pine RockPro64* _(aarch64)_, which uses an SD card image and thus skips the whole installation process. I looked at `bsdconfig`, but the security section there allows only setting up of security levels (e.g. none, 1, 2, etc.) without going into detail of what they mean. I tried increasing the security from 0 to 1, thinking it would have if not the exact, at least a similar effect. It might well be similar or better, but it went beyond what I intended or needed - I was unable to run `freebsd-update` with security level 1, so I reverted back for the time being.

Anyway, my plea is to give us (me) some equivalent instructions for the setup options (Disable process debugging.../Randomize PID.../etc.), which can be performed outside of the initial setup, on a pre-installed system. Would that be possible?

Thanks!


----------



## Deleted member 30996 (Apr 27, 2022)

Some of that ends up in different places. For instance:
/etc/rc.conf

```
# clean /tmp at boot
clear_tmp_enable="YES"
# syslogd opens no network socket (no remote logging)
syslogd_flags="-ss"
```

/boot/loader.conf

```
# loader tunable, read at boot: disallow DTrace destructive mode
security.bsd.allow_destructive_dtrace=0
```
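An added worked example for the question above, written for this edit rather than taken from the post or from FreeBSD's installer: a POSIX sh script that applies the same checkboxes the bsdinstall System Hardening screen offers to a system that never ran the installer, such as an arm64 SD-card image. The file/key table is the 13.x mapping as I remember it from bsdinstall(8); confirm it against `/usr/libexec/bsdinstall/hardening` on your release before trusting it. The function names (`set_kv`, `set_ttys_console`, `hardening_table`, `harden_apply`) are this script's own. It deliberately does not touch `kern.securelevel`: at securelevel 1 or higher the kernel refuses to clear the `schg` flag, and `freebsd-update install` has to do exactly that on base files such as `/sbin/init`, which is why raising the level in `bsdconfig` broke updates.

```shell
#!/bin/sh
# Added example (not from the forum post, not FreeBSD's own code): apply the
# bsdinstall "System Hardening" choices to an already-installed 13.x system.
# Usage as root:   sh harden.sh apply
# Pass a directory prefix to harden_apply for a dry run against a scratch tree.
set -eu

# Idempotently set KEY=VALUE in a sysctl.conf / loader.conf / rc.conf style
# file: rewrite an existing KEY= line in place, otherwise append one.  On a
# live box sysrc(8) does the same job; this version also runs elsewhere.
set_kv() {
    kv_file=$1 kv_key=$2 kv_value=$3
    [ -f "$kv_file" ] || : > "$kv_file"
    if awk -F= -v k="$kv_key" '$1 == k { found = 1 } END { exit !found }' "$kv_file"; then
        kv_tmp=$(mktemp)
        awk -F= -v k="$kv_key" -v v="$kv_value" \
            '$1 == k { $0 = k "=" v } { print }' "$kv_file" > "$kv_tmp"
        cat "$kv_tmp" > "$kv_file"     # cat, not mv: keeps owner, mode and flags
        rm -f "$kv_tmp"
    else
        printf '%s=%s\n' "$kv_key" "$kv_value" >> "$kv_file"
    fi
}

# Installer option "Enable console password prompt": mark the console entry in
# ttys(5) insecure so single-user mode asks for the root password.  A line
# that already says "insecure" is left alone.
set_ttys_console() {
    tt_file=$1
    tt_tmp=$(mktemp)
    awk '$1 == "console" && $NF == "secure" { sub(/secure$/, "insecure") } { print }' \
        "$tt_file" > "$tt_tmp"
    cat "$tt_tmp" > "$tt_file"
    rm -f "$tt_tmp"
}

# One line per installer checkbox: destination file, variable, value.  The
# quotes are part of the rc.conf values, as rc.conf(5) expects them.
# (13.x mapping from memory of bsdinstall's hardening script; verify locally.)
hardening_table() {
    cat <<'EOF'
/etc/sysctl.conf security.bsd.see_other_uids 0
/etc/sysctl.conf security.bsd.see_other_gids 0
/etc/sysctl.conf security.bsd.see_jail_proc 0
/etc/sysctl.conf security.bsd.unprivileged_read_msgbuf 0
/etc/sysctl.conf security.bsd.unprivileged_proc_debug 0
/etc/sysctl.conf kern.randompid 1
/boot/loader.conf security.bsd.allow_destructive_dtrace 0
/etc/rc.conf clear_tmp_enable "YES"
/etc/rc.conf syslogd_flags "-ss"
/etc/rc.conf sendmail_enable "NONE"
EOF
}

# Write every setting under the optional root prefix $1.  With no prefix the
# sysctl.conf entries are also pushed into the running kernel; loader.conf
# tunables and rc.conf changes only take effect after a reboot.
harden_apply() {
    ha_root=${1:-}
    hardening_table | while read -r ha_file ha_key ha_value; do
        set_kv "$ha_root$ha_file" "$ha_key" "$ha_value"
        if [ -z "$ha_root" ] && [ "$ha_file" = /etc/sysctl.conf ]; then
            sysctl "$ha_key=$ha_value" >/dev/null
        fi
    done
    if [ -f "$ha_root/etc/ttys" ]; then
        set_ttys_console "$ha_root/etc/ttys"
    fi
}

if [ "${1:-}" = apply ]; then
    harden_apply
fi
```

Running it twice is safe: existing lines are rewritten, not duplicated, so it can also be used to flip a setting back (for example `set_kv /etc/sysctl.conf kern.randompid 0`). After a reboot, `sysctl security.bsd kern.randompid` and `sysrc -a` show what actually took effect.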


----------



## Deleted member 70435 (Jun 7, 2022)

this thread of yours seems to have attracted a lot of attention here on the forum, it should remain to help other members with difficulty.


----------



## huhhuh (Oct 7, 2022)

I followed this guide and now it shows no login or password. Please update.


----------

