As a newbie to FreeBSD coming from Linux these are really great to have! Keep them coming!
Dru Lavigne is doing tremendous work in writing howtos and very good quality guides to FreeBSD. FreeBSD already has the best documentation with the FreeBSD handbook and its man pages, and I began to consider her articles as part of that documentation.
Not to mention that some of the fortune cookies presented at login (for normal users) are now written by her. For example:
Need to see which daemons are listening for connection requests? Use
“sockstat -4l” for IPv4, and “sockstat -l” for IPv4 and IPv6.
— Dru <[email protected]>
“The author of dummynet has a useful dummynet tutorial and Erudition has a comprehensive NAT tutorial.”
I also have a NAT tutorial. Here it is:
put gateway_enable="YES" in /etc/rc.conf
enable the pf firewall, in rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf" # rules definition file for pf
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/fw/pflog" # where pflogd should store the logfile
In pf.conf, add these:
#macros
ext_if=rl0 # name of your external interface (rl0 for instance)
internal_net="192.168.0.1/16"
external_addr="172.17.141.160"
int_if=name_of_your_internal_interface # name of your internal interface
#optional - this will hide nated machines and foil tcp fingerprinting
scrub on $ext_if all reassemble tcp
#nat
nat on $ext_if from $internal_net to any -> ($ext_if)
#now that nat is done, you can actually set the filter to allow traffic:
#loopback (lo0) traffic
pass quick on lo0 all
#default policy
block all
# allow outgoing and return traffic
pass out quick on $ext_if proto tcp all modulate state
pass out quick on $ext_if proto { udp, icmp } all keep state
# allow nat
pass in quick on $int_if from $internal_net to any keep state
pass out quick on $int_if from any to $internal_net keep state
#optional stuff - for instance sshd
pass in quick log on $ext_if proto tcp to port 22 flags S/SA synproxy state
That’s it. Nice and easy, and now you have a powerful firewall on your machine that also does nat, and you don’t have to use a frontend like shorewall to the nightmare that iptables is and edit 3 files just to have nat allowed. Explanations:
S/SA checks the SYN and ACK fields of the tcp packet and allows only those where S is set (return traffic is automatically allowed, you don't have to worry about that).
synproxy state – you could have used keep state here, to make a stateful rule. Synproxy will let the firewall finish the handshake first instead of passing it on to the sshd server (or other servers if you were to use apache or ftpd), making the server more resistant to some DoS attacks.
Read the documentation: http://www.openbsd.org/faq/pf/
The point was to demonstrate how easy FreeBSD is. It is one of the most newbie friendly unix like operating systems for those who don’t look just for a point & click kinda quick windows replacement. I found it significantly easier to learn than any of the linux distroes I have tried, thanks to the clarity and sheer elegance of the system.
Great article overall, but why Dru recommends vim5 when 6.3 is the latest stable, I have no idea.
while we are at it: why does she recommend vi at all when we have ee.
As far as I know, the BSD default shell is csh. Why does the author first tell how to add it? It's useless.
But for a used-all-my-life Linux user it's a good article.
the article, overall. But I also like the idea behind separating /etc and /usr/etc. Nice. I wish some Linux distribution would follow this idea to avoid the mess.
# allow nat
pass in quick on $int_if from $internal_net to any keep state
pass out quick on $int_if from any to $internal_net keep state
could be rewritten as:
$pre1 $post1
$pre2 $post2
when defined as:
pre1 = "pass in quick on int_if from"
pre2 = "pass out quick on int_if from"
post1 = "internal_net to any keep state"
post2 = "any to internal_net keep state"
I like those shortcuts, especially when I have to type a lot of rules with great pattern similarity. It would be handy to put all those macros in separate files altogether, so you could enter in pf.conf:
$pre 21.14.24.80 $post
$pre 24.2.74.79 $post
$pre 24.2.74.178 $post
With:
pre = "pass in quick on ep0 inet proto tcp from "
post = "to any port { 80, 6667 } keep state"
this would mean:
pass in quick on ep0 inet proto tcp from 21.14.24.80 to any port = 80 keep state
pass in quick on ep0 inet proto tcp from 21.14.24.80 to any port = 6667 keep state
pass in quick on ep0 inet proto tcp from 24.2.74.79 to any port = 80 keep state
pass in quick on ep0 inet proto tcp from 24.2.74.79 to any port = 6667 keep state
pass in quick on ep0 inet proto tcp from 24.2.74.178 to any port = 80 keep state
pass in quick on ep0 inet proto tcp from 24.2.74.178 to any port = 6667 keep state
“Typing sysctl -a | more is the equivalent of viewing every /proc entry at once, and then some.”
This only shows you the equivalent information from the linux /proc/sys directory, it is NOT equivalent to the whole /proc directory (which contains a lot more stuff)!
Funny that all this while I thought Dru Lavigne is a he, not a she.
It didn’t take much time for me to switch from Gentoo to FreeBSD last year. I ordered the FreeBSD handbook and started smoothly.
Now all workstations and servers at the company run FreeBSD. Everything just works and is done real quick. The system works like a charm so far, performances are excellent. The documentation is also very good.
We’re running v.5.3 for production now.
Care to explain why? While I too prefer the BSDs, I can't really see the reason. Linux 2.6 is probably faster, more common, and gentoo portage is probably just as capable or better than ports.
I too see the documentation of all of the big three BSDs (not counting BSD/OS here since that's not free and I haven't tried it) as a major point. Who needs 1000+ linux dists, or ~130 debian versions? Many people start whatever dist, but no one writes documentation for them; gentoo might be the great exception to that.
Most guys do.
while we are at it: why does she recommend vi at all when we have ee.
First of all, she wasn’t recommending Vi. She was recommending Vim. There is a big difference. Also, it was just an example to show you how easy it is to install software under FreeBSD using pkg_add.
A very good reason to use Vim is that ee is a simple editor, like Pico (or Nano). Vim, on the other hand, is a very powerful text editor. Yes, it is hard to learn, but once you do, you unlock all of its power.
I personally use Vim on all of my computer systems, which include Debian and Slackware Linux, FreeBSD, Mac OS X and Windows. Having just one editor to learn makes it a whole lot easier when I switch between platforms.
I’m not saying there’s anything wrong with ee, it’s just not in the same league as Vim.
I agree csh as the default root shell in FreeBSD is the most annoying thing about FreeBSD. Hopefully they will take a hint from NetBSD and allow you to choose which shell you want to use for root. Good articles, though; I did not know about chpass. After trying to edit /etc/passwd by hand at first, then realizing that BSD uses a password hash, I was subject to using useradd and usermod.
It’s funny to notice we never see any Linux-for-*BSD-users articles. 😉
Good articles, though; I did not know about chpass. After trying to edit /etc/passwd by hand at first, then realizing that BSD uses a password hash, I was subject to using useradd and usermod.
You could use vipw(8) to directly edit the master password file. It invokes vi unless $EDITOR is set to something else (vim/joe/whatever).
Disclosure: I have contributed to this wiki.
There's a new-ish wiki for FreeBSD users, mostly focused on quick and dirty how-tos, at http://freebsdwiki.net — We're not aiming to replace the current documentation, but to have something easier to use and to search for specific things, in a friendlier format than the handbook.
I think the *special effects* of PF are very cool. Like the quick keyword. It seems many people don't understand how to use it. If quick is used in a rule and that rule matches, the firewall doesn't evaluate the other rules. Like here:
# /etc/pf.conf
# Macros
EXT_IF="rl0"
INT_IF="rl1"
LOCAL_IF="lo0"
LAN="192.168.0.0/24"
NO_ROUTE="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# Options
set optimization normal
set block-policy drop
set require-order yes
# Traffic Normalization
scrub in all
# Translation
nat on $EXT_IF inet from $LAN to any -> $EXT_IF
# Packet Filtering
block in log all
block out log all
antispoof log quick for $LOCAL_IF inet
pass in on $LOCAL_IF inet all keep state
pass out on $LOCAL_IF inet all keep state
antispoof log quick for $INT_IF inet
#block in log quick on $INT_IF inet from 192.168.0.6 to any
#block out log quick on $INT_IF inet from any to 192.168.0.6
pass in on $INT_IF inet from $LAN to any keep state
pass out on $INT_IF inet from $INT_IF to $LAN keep state
antispoof log quick for $EXT_IF inet
block in log quick on $EXT_IF inet from $NO_ROUTE to $EXT_IF
block return-rst in quick on $EXT_IF inet proto tcp from any to $EXT_IF port 113
pass in on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type 8 code 0 keep state
pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 22 flags S/SA modulate state
block out log quick on $EXT_IF inet from $EXT_IF to $NO_ROUTE
pass out on $EXT_IF inet from $EXT_IF to any keep state
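To make the quick semantics described above concrete, here is an added Python model of pf's rule evaluation (last matching rule wins, a matching quick rule stops the walk), run over a subset of the ruleset just posted. It is not code from the post or from pf itself; the external address 203.0.113.10 stands in for the address of $EXT_IF and is a constructed placeholder.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Macro values from the pf.conf posted above.  EXT_ADDR stands in for the
# address of $EXT_IF and is a constructed placeholder (TEST-NET-3).
EXT_IF, INT_IF = "rl0", "rl1"
EXT_ADDR = "203.0.113.10"
LAN = "192.168.0.0/24"
NO_ROUTE = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]


@dataclass
class Packet:
    iface: str
    direction: str              # "in" or "out"
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass
class Rule:
    text: str                            # the pf.conf line being modelled
    action: str                          # "pass" or "block"
    direction: Optional[str] = None      # None matches both directions
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: List[str] = field(default_factory=lambda: ["any"])
    dst: List[str] = field(default_factory=lambda: ["any"])
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        def in_set(addr: str, nets: List[str]) -> bool:
            return "any" in nets or any(
                ip_address(addr) in ip_network(n) for n in nets)
        return (self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and in_set(p.src, self.src) and in_set(p.dst, self.dst))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Walk the ruleset top to bottom.  Every match overrides the previous
    decision (last match wins); a matching quick rule ends the walk.  With
    no match at all pf passes, which is why the ruleset starts with block."""
    decision = ("pass", "<no rule matched: implicit pass>")
    for r in rules:
        if r.matches(p):
            decision = (r.action, r.text)
            if r.quick:
                break
    return decision


def without_quick(rules: List[Rule]) -> List[Rule]:
    """The same ruleset with every quick removed, to show what it buys."""
    return [Rule(**{**vars(r), "quick": False}) for r in rules]


# A subset of the posted ruleset, in the posted order.
RULES = [
    Rule("block in log all", "block", "in"),
    Rule("block out log all", "block", "out"),
    Rule("block in log quick on $EXT_IF inet from $NO_ROUTE to $EXT_IF",
         "block", "in", EXT_IF, src=NO_ROUTE, dst=[EXT_ADDR], quick=True),
    Rule("block return-rst in quick on $EXT_IF inet proto tcp from any "
         "to $EXT_IF port 113", "block", "in", EXT_IF, "tcp",
         dst=[EXT_ADDR], dport=113, quick=True),
    Rule("pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 22 "
         "flags S/SA modulate state", "pass", "in", EXT_IF, "tcp",
         dst=[EXT_ADDR], dport=22),
    Rule("pass in on $INT_IF inet from $LAN to any keep state",
         "pass", "in", INT_IF, src=[LAN]),
    Rule("pass out on $EXT_IF inet from $EXT_IF to any keep state",
         "pass", "out", EXT_IF, src=[EXT_ADDR]),
]

if __name__ == "__main__":
    # Constructed sample packets arriving on the external interface.
    ssh_ok = Packet(EXT_IF, "in", "198.51.100.7", EXT_ADDR, "tcp", 22)
    ssh_spoofed = Packet(EXT_IF, "in", "10.1.2.3", EXT_ADDR, "tcp", 22)
    print("ssh from the internet:  ", evaluate(RULES, ssh_ok))
    print("ssh from a spoofed 10/8:", evaluate(RULES, ssh_spoofed))
    print("same without quick:     ", evaluate(without_quick(RULES), ssh_spoofed))
```

The spoofed packet is blocked only because the $NO_ROUTE rule is quick; without it, the later pass rule for port 22 would be the last match and win.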
Yeah, the flexibility (of syntax) in pf always fascinated me. I just thought for someone who always used linux it is easier to grasp it that way, but a good addition nevertheless.
# Packet Filtering
block in log all
block out log all
I also love those shortcuts. That two-liner can be combined into a single one:
block log all
Someone asked:
Care to explain why? While I too prefer the BSDs, I can't really see the reason. Linux 2.6 is probably faster, more common, and gentoo portage is probably just as capable or better than ports.
Gentoo portage is not better than ports. Believe me, I used both, see my explanation here:
http://www.osnews.com/comment.php?news_id=8461&offset=51&rows=60
Why BSD? I don't really care for performance. Oh well, I do care somewhat, but even though currently 5.3-RELEASE seems to have worse performance than linux 2.6, I'd rather buy a better cpu for 50$ than change. Why? Because of the sheer elegance, transparency and maintainability of the system. I have to add that I was an English major and currently I do my Ph.D in literary theory and philosophy – so computer science and unix is as far from my real-world job as any could be. Nevertheless, a few years ago I became interested in linux, and I tried out various distros over the years: rh 7.3, mandrake 9.0/9.1, debian testing/unstable – and I always felt that urge to try out something new. I know many linux noobs feel the same way; that's why we like to visit distrowatch so much. In short, I was looking for something, and when I finally tried FreeBSD, it was the first time I felt at home. I've been using it for 1.5 years now, and feel absolutely no need to change. It gave me the first opportunity to learn unix in-depth.
Despite what one may think at first, FreeBSD is a noob-friendly unix-like operating system. Not newbie friendly as a point-and-click quick replacement of windows (for those looking for that, linux is a better choice), but for those who want to learn how unix works. That's partly due to the excellent documentation, and partly because the system layout, rcNG (the init system), the firewall (be it pf or ipfw) and generally the userland are better laid out and simpler. Doing fairly complex things with the pf firewall was just an example of the simplicity I am talking about – the whole system layout reflects that approach. And it is partly due to the excellent and newbie friendly community and bsdforums.org (I was very much surprised at how tolerant and patient bsd users are, even compared to mandrakeforums.org and pclinuxonline).
Besides, just a few days ago, the ULE scheduler came back online in 5-STABLE, and I've been using it since then without problems. For the uninitiated: ULE was supposed to become the default for 5.x, but due to problems with it before release, the old scheduler became the default. Now it seems it has stabilized – not that I had problems with it before (I used it from 5.1 until it was disabled in 5.3-BETA7) – but others had. ULE offers interactivity on the desktop compared to the most recent 2.6 releases, as well as performance that I think would be on par with linux. It is unfortunate that it wasn't available when the recent mysql performance test was conducted. See this performance boost:
http://lists.freebsd.org/pipermail/freebsd-stable/2005-February/011…
Anyway, as I said, that ~25% that 5.3 seems to be behind linux would not be incentive enough for me to change, even if it should still hold true with ULE. Also, please try not to flame. Some (I know, it might be just a small but vocal minority) linux users are very sensitive when their OS is criticized. If you look at my post carefully, I didn't say anything bad about linux – not that it would make much sense, no one uses just the kernel. Yeah, FreeBSD is much, much better to me (both as a learning platform and for my everyday purposes ranging from running a server to using it as a desktop, watching tv, encoding videos, etc.) than any of the distros I have mentioned. That includes gentoo as well, which was a huge disappointment (not because it is that bad; it is more likely because the hype surrounding it created high expectations on my part). Slackware, however, seemed refreshing, even though I tried it only after running FreeBSD for half a year. I still have it in fact, but I don't remember when the last time I booted into it was. So no flames please; you asked for an opinion, and you got an (admittedly subjective) one.
funny that all these while I thought Dru Lavigne is a he, not she.
That’s her:
http://ezine.daemonnews.org/200405/bsdcan_2004/bsdcan_2004-Pages/Im…
Notice the reddish hair
All those willing to post their long pf configuration files should send it to solarflux.org instead of crowding OS News.
” For example, your first Ethernet NIC won’t be /dev/eth0. ”
I can't remember having any NICs in /dev.
iptables vs pf and other stuff
That's all about taste; my iptables uses one file, not 3, and isn't much more advanced than the first pf example.
I have run pf and it's nice, but I can't really see the big difference from iptables. But when I want to run a real fw I use Clavister. Nuff about that.
"I agree csh as the default root shell in FreeBSD is the most annoying thing about FreeBSD. Hopefully they will take a hint from NetBSD and allow you to choose which shell you want to use for root."
—snip—————
FYI: you can statically compile (certain) shells and make them your default.
AFAIK the C shell is not the default root shell, it’s sh.
Good article.
/bin/sh is set as the default root shell during install, but the only other shells installed are csh and tcsh. bash and the other shells are available through ports or sysinstall or pkg_get -r, but they have to be assigned during account creation or chsh.