Table of Contents

A step-by-step practical guide to installing & configuring FreeBSD 6.2, together with some very common applications, by Sebastiaan Giebels [sgie bels_freebsdATpc].

the new FreeBSD logo, as of Oct.2005 This will probably always be 'Work in progress', but I think it's pretty usable. I would welcome any comments or corrections. By continuing reading you agree to the disclaimer.

update 28 nov 2009: well, FreeBSD 8.0 is out. I hope this guide isn't too outdated yet, haven't found the time yet to check for inconsistencies with 8.0. Please report any serious problems to the e-mail adress a few lines above, and I'll try to fix them.

update 12 dec 2010: new wiki on LXC linux containers on debian squeeze

Commercial FreeBSD support NEW!!
We can help you with many of your configuration and installation problems, by phone, chat, or e-mail from our office in Eindhoven, the Netherlands/Nederland. Contact [freebsd_supportATpc] to find out how we can help you with your BSD issues & ask for our hourly rates. Languages spoken: dutch, english, german. We are not endorsed by or affiliated with The FreeBSD Foundation.

Partnership with Data Recovery Centrale Nederland for FreeBSD/Linux/Mac or any other UNIX based filesystem data recovery from our PC Probleemloos office in Eindhoven, the Netherlands/Nederland. Contact [unix recoveryATdata recovery] (remove the spaces, replace the AT) to find out how we can be of assistance.


For a few years I've been using the FreeBSD operating system now. I started with version 4.3 in 2001 (which a friend of me, with much more experience in BSD, installed) as a router/firewall on an old 486. Since then, I've been using this machine more and more, I've installed extra services (webserver, ftp-server, samba) on it to use it as a NAS-device, and I installed larger and larger harddisks, and stuffed it with all the unused RAM I had. I even installed software for Peer-2-peer file sharing (with a control interface that was accessible with a web browser).

Because of my lack of FreeBSD (and even Unix-) knowledge, I regularly messed things up. Not as bad as I did to my Linux PC (oh, damned dependency conflicts!) but still bad enough to set some things out of service. Fixing the things I broke was difficult, as I didn't read any manpages to get them working in the first place. Reinstalling FreeBSD from scratch took much time everytime I saw no way out, and often copying configuration files from the old installation to the new machine didn't work.

As other people were depending on this server too, I was 'strongly encouraged' to learn more about FreeBSD. I installed FreeBSD 4.8, 5.4 and a few others, and now, at FreeBSD version 6.2, I trust myself enough to write my experiences down, and let others use my knowledge. And if I would need to do another FreeBSD installation in the future, I'm sure that going though this manual step by step will get it installed in no-time. Except for the passwords , I think everything is in here, including personal preferences. There are a lot of other FreeBSD guides that might be better than this one, but this one is for FreeBSD 6.2, and contains everything I need in one page. I'll link to those other guides when appropriate. A new FreeBSD version, version 7.0, is under active development, with some nice features. I won't discuss it in the rest of this tutorial.

In my past BSD-days, I've grown accustomed to some applications. I've used Sendmail (now I'm using Postfix), I've used Boa (now I'm using Apache), I've used Mambo as a CMS (now I'm using Joomla!), and I even use vi (well, just enough to edit my .bashrc to set nano as my default editor :) ). I'm not one of those people that want to convince you that Postfix is a better e-mail server than Sendmail, I will just say that I've spent more time getting to know Postfix.
In the open-source world, you are overwhelmed with choices you can make: shells, editors, webservers, browsers. In any of those categories you can find tens, hundreds of good pieces of software which can all suit your needs. I make my choices with the help of the following criteria:

This guide explains how to install the software that I have chosen, and as a result of that it won't include Sendmail, Cyrus- & UW-IMAP, GiFT, boa, Mambo, pine, and thousands of other pieces of software that might do the job just as well.

I've taken almost all commands from man-pages or the internet (look here for a list of some good FreeBSD sites), and I'm sure: if somebody would have written on the internet "use rm -Rf / " as -the- solution for problems I was facing at first, I would have believed that person, leaving me not only with a problem-free pc, but a FreeBSD-free pc too… Please don't try rm -rf-ing your system to see what it does. After you've spent many hours of time configuring it all, rm -rf really hurts.

Why not Linux?

If you're wondering why I'm not using Linux on my server, read this on the design differences between BSD and Linux design roots. However, if I would be writing a guide purely for desktops instead of servers, it would probably be on Linux. A lot of applications written for Linux run on FreeBSD without a problem (just look at the amount of applications in the ports tree and you'll see I'm right). Besides, FreeBSD has Linux support, so it can even run a lot of binary Linux programs!

Document conventions

I will be using '<>' as my (fictional) hostname, '<my.freebsdpcs.ip.address>' or '<>' as my (fictional) ip, '<my.router.ip.address>' or '<>' as my default gateway (my DSL router) and '<freebsd_username>' as a username for my regular user (notice the '<' and '>' characters). The passwords i'm using (for the root user, <freebsd_username>-user, MySQL-database, phpMyAdmin) will all be referenced to as '<my_mothers_maiden_name>', '<my_very_secret_password>' or something like that throughout this document.

Do not use the same password for everything.


Don't assume that by using my settings and making the same choices I did, you'll be 100% safe against hackers. After I've changed my root password from 'secret' to something more challenging I might be safe, maybe not. As you know, software can contain bugs, or security holes. Some of these not-yet-discovered holes will probably be so big that even a elephant-sized hacker will be able to get into your system just by sneezing. It's your system, and your responsibility (not mine) to stay informed of security issues, and keeping up to date by applying the correct patches.

I'll be using portaudit to show you how to scan your system for ports/packages with security vulnerabilities.

As a basic security measure, I will show you how to limit direct access from the internet to MySQL and other software for which access from the outside is not required for proper functioning. Real firewall configuration I will do another time. I'm still not sure if I will be using ipf or pf. ipfw is horribly outdated my BSD-friend told me, so I'll won't be reinstalling that. For the routing however, I will use ipf/ipnat, because it should almost work 'out of the box' with just a few lines of code, and maybe I'll trow in some traffic shaping later on, with ALTQ (1: FreeBSD Handbook on PF) (2: PF:Packet Queueing and Prioritization) (3: Prioritizing empty TCP ACKs with pf and ALTQ) (4: Network Filtering by Operating System).


I will dive into backup strategies when I have some time left, currently, I'm using rsync to backup my maildir (bad idea to do this with rsync!), home directories (Including /root, butdon't forget to exclude all cache and temp folders!), configuration files (/etc, /usr/local/etc), and another folder with my documents, pictures, downloaded files etc. There are very nice backup tools available, which certainly should be inspected. I will search for the notes on backup procedures i took, and post them here as soon as I find them. /* The room I work in is very small, so having 2 different keyboards on my desk wouldn't leave me any place to sleep ;-). One way to solve this is using VMware Workstation 5.0 to create a 'virtual freebsd machine' and run it on my Windows XP machine, and I've found a better way by using a better solution using Synergy), and another way using TightVNC. When I'm sure I've installed the majority of the packages, I will copy (dd'd, or using a more intelligent approach) this from my VMware-environment to a real harddisk which I will put in my 'production server' which lives in another room. VMware Workstation also has a feature to take 'snapshots' of a virtual pc, which I can use to correct mistakes during installation, thus easily reverting to 'how it was before I wrecked it'. */

Who am I?

I’m 30 years old, and I work as an IT consultant in Eindhoven, the Netherlands.

I've started this blog around September 7 2007, that's an awful long time ago in unix terms, so check every software package for updates & security fixes, as the packages I'm showing you here might be horribly outdated.

More good advice

You might want to keep notes of the steps you're taking in getting a FreeBSD machine up and running, just like I did. Not only will this help you in case you're going to reinstall FreeBSD on the same or another machine anywhere in the future, but this will come in quite handy in case something breaks: You can walk back the steps to see where it went wrong, and if you're not able to fix it yourself and you're asking someone else to help you, you can give a lot of useful information to them.

Linking to this site

I'd appreciate an e-mail if you link to this page, so I can inform you if the address changes (my address is on the top of this page). Please use this URL when linking: . Contacting me will also motivate me to improve and update this guide, whenever necessary. If I get enough e-mails from people from germany or from the netherlands, I will translate it to those 'Deutch, deutsche handleitung' and 'Nederlands, nederlandse handleiding' as well. Any questions, corrections, etc. you can direct to the same e-mail address.

Let's get started..

Installing FreeBSD 6.2

As there already are an overwhelming number of guides for installing FreeBSD, but less on configuring it, I'll concentrate on the latter, and I'll only show a 'quick install guide'. Someone made a video of installing FreeBSD (not using my guide, BTW) and posted it on YouTube. And someone else made a video for version 6.2

This version with screenshots of every windows you'll see during the installation is very nice:

However, if you want me to tell you how I've done it, this is the way: I will assume you are using an empty harddisk to install FreeBSD (if not, backup your data!) There is a windows xp partition already on my hdd as I start installing FreeBSD. This is not a problem, but any mistake might make my Windows partition inaccessible after this installation.

I used a FreeBSD 6.2-RELEASE installation CD. You can download the ISO image from the FreeBSD website or use this link to an FTP server.
From the folder "ISO-IMAGES-i386/6.2/" download the file named '6.2-RELEASE-i386-disc1.iso' I will be using the 'i386'-architecture, even though I'll be running it on an AMD 64-bit processor and I could have chosen 'amd64'-architecture. I've tried it before, and noticed some software didn't work properly (like TightVNC and the drivers from NVidia) Because I'll be downloading almost all software from the internet during installation (instead of installing all from cd), the '…-disk2.iso' file is not needed. The '…-bootonly.iso' file is especially designed for this kind of installation, but I know I can use "…-disk1.iso" also for repair purposes, where the '…-bootonly.iso' is rather limited for this purpose.

I will skip the step to check the ISO-file for hacker-tampering by comparing the MD5 or SHA256 checksums. Follow the FreeBSD Installation Handbook on that one if you would like to be 100% sure you've downloaded an untampered version.

Burn this ISO-image to a cd, and boot from it.

After the boot-up process, a menu will appear asking for a "Country Selection". Simply choose your country ("Netherlands", in my case) with the up&down arrow keys, and confirm with the Return key, the next question is for the System Console Keymap, for me the default ("USA ISO") is ok, so I will just press enter. Next up, is the sysinstall Main Menu. I choose to do a 'Standard install', created a partition for use with FreeBSD (see next chapter), selected the "FreeBSD BootMgr", Added some disk labels (see next chapter too) The blue line is:

 "Disk: ad0   Partition name:ad0s3    Free: 40965750 blocks (20002MB)"

This means: a0 the first harddisk (jumpered as 'Primary Master'), as counting harddisks starts at 0

          ad0s3 is the third partition on the first harddisk (confirmation required..)

C to create a new slice in the free partition, enter the size for the new disk slice (for the first one, I entered "500MB", selected "FS", and specified "/" as the mount point). Click here to see the partition layout I prefer. Repeat the last step for all the disk slices you wish to make (for the swap-slice, select "Swap" instead of "FS") The created slices will have names like: ad0s3a, ad0s3b, ad0s3d, ad0s3e, ad0s3f, where the last vowel represents the slice order. Press 'q' to finish setting up the disk slices.

"Choose Distributions" … 8 User, confirm with the space-key, Would you like to install the FreeBSD ports collection? Yes, use the 'Tab'-key to go to 'OK', and press Enter to confirm. (Select "8 User" if you're not planning to use X-Windows right now, or X-User if you want to install X-Windows directly.)

I selected "FTP", at "Choose Installation Media", but I could have chosen CD/DVD just as well (if I would have downloaded the …-disc2.iso file as well) I selected "Netherlands -" as a FreeBSD FTP distribution site. Next up, is selecting the network card I'm using to conenct the internet (in my case, that will be the device called 'em0', for my On-board Intel Gigabit connection. Yours will almost certainly be different.) I did not choose for IPv6 (so it will go on using IPv4), I did choose "try DHCP", as my router will provide my FreeBSD pc with an IP address. You will see the IP address your router/dhcp server assigned to you in the next window. I filled in a hostname <freebsd62> and domain name <> to complete it, and click 'ok' Next up, is the question if we are sure everything sure we entered everything correctly. I am, so I select 'Yes'

I did select to install the ports tree (later on I will show how to use portsnap to update it).

It will congratulate you with the install. Let's continue..

- Now there will be a lot of questions, I won't dive deep into what they all mean, I'll just tell you what I did:

Do you want this machine to funciton as a network gateway? Yes (In the future, I want to use my FreeBSD machine as a network router)

Do you want to configure inetd and the network services that it provides? Yes ('inetd' is a tool which helps easy configuration of network services, like an e-mail server, … )

… With this in mind, do you wish to enable inetd? Yes

You are returned to the main installation menu. Choose 'Exit Installation' to finish & reboot.

Thoughts for partitioning in FreeBSD

I know the ports-tree will use quite a bit of space, because I'll be building a lot of applications from source. I'll guess a value of about 5GB is ok, for my maildir I'll take 2GB, and my www-folder to store my webpages will be maximum 1GB. The advantage of partitioning is, in my opinion, to prevent insufficient diskspace issues for certain things: Otherwise, if I would upload too much data (e.g. pictures) to my www-folder, my /var/maildir folder would run out of diskspace, which could result in e-mails getting lost; or no diskspace for logfiles in /var/log, which a hacker could use to prevent discovery of hacking activities.

As I'm the only user for e-mail on this system, I might want to look into 'quota' later on.

You can use the 'A' for automatic setup, which will set it up for you automatically, I did it by hand.

To read more about how the file system is organized (which directory has which purpose), enter:

man hier
My final layout
Mount pointsizepurpose
/500MB(root filesystem, kernel and base system)
/usr10GBthe majority of user utilities and applications
The /usr will also contain:
/usr/ports (probably around 5GB in size) for sources and builds from the ports tree and
/usr/src (+-1GB) which contains sources and builds, the kernel build files will be here too)
/usr/local/www (1GB) for the apache-webserver folder for all hosted domains)
/var5GBfiles that change regularly, like logfiles, spool and transient files)
The /var folder will (among other things) contain:
/var/maildir (2GB) the maildir folder where I'll store my e-mail
/var/db (1GB) mysql and other databases like the package-database
/var/log (500MB) logfiles
The numbers above are bases on a bit of experience, but certainly no guarantee
/tmp500MBtemporary storage

If your harddrive has more space, you can double the size of /usr.

After saving the partition layout, select: BootMgr as the boot manager to use.

You might have luck adjusting your partition sizes using a tool like 'Partition Magic'. You might also not be very lucky, shooting yourself in the foot by wiping out your entire harddisk in the process. Think now, correcting this later is a big PITA

Notice: If you want to change, add, or remove partitions once your system is installed & running, GEOM (FreeBSD's diskmanager) will not allow you to do fdisk-stuff while any part of the disk is mounted. You will have to boot from the FreeBSD installation cd-rom to do any modifications on partitions.

You will get an error message like: Error: Unable to write data to disk ad0 Disk partition write returned an error status!

"You cannot open /dev/ad0 for writing if any. slices or labels are open." See

Or, if you are getting paid by the minute for reading this step-by-step FreeBSD installation guide, go and read this GEOM tutorial.

Network configuration

Congratulations, you have succesfully installed …

Will this pc act as a router/gateway? Yes

Other settings

I did configure and enable the mouse daemon. Even if your box will not run as a X11/X-windows machine, you can use it for copy/paste actions in the console. Remember to set options to enable three-button mouse-simulation if you only have a 2-button mouse Flags= -3 +enter; enable + test it.

Group: Group name=<freebsd_username> (+ 4x enter) User: Login ID=<freebsd_username>, Group=<freebsd_username>, password=<something_secret>, Member groups: wheel (Tab, Tab, Tab, OK, X Exit) In the 'Member groups', I entered 'wheel' to allow this user to use 'su' to gain root status (which is, by the way, depreciated, but I've still got the habit to use su). Users that are not in the 'wheel'-group, cannot 'su' or perform root-tasks. Set root password: OK New Password: <my_mothers_maiden_name> Repeat Password: <my_mothers_maiden_name>

Your pc will reboot (remove the FreeBSD installation cd-rom) After the boot proces, you will be greeted with the 'login:' prompt. login: root password: <my_mothers_maiden_name>

You are greeted with the Message Of The Day (the contents of /etc/motd)

FIXMEConfigure your internet connection, with ifconfig and edit /etc/resolv.conf to include your dns servers if you haven't already done this during FreeBSD installat

on procedure.

About ports and packages

port / packages difference..

/usr/ports/INDEX-6 (or INDEX?) has a list with all the software in the portstree, with descriptions. If you're looking for an application to do this or that, search this file.

At this time, the only package that is installed is 'linux_base'. To see the list of all installed packages (excluding the things you've installed from source) just enter:


To search for a package in the list of installed packages, use

pkg_info | grep part_of_package_name

The FreeBSD package system can download and install pre-compiled binaries from the internet, which is one of the easiest and fastest way to install software onto FreeBSD. For some of the software, I will use the ports-tree, as packages are not as frequently updated as the ports. I will also install some software from source, when package or ports are both outdated or nonexistant.
Differences between packages and ports explained

I set the packagesite environment variable was set to a new location, to make sure that the most(?) recent packages will be downloaded, instead of the standard collection which was available at release-time of FreeBSD 6.2:


If you are already using BASH, use this instead:



Incremental ports-tree updater

Portsnap is part of the FreeBSD base system now, no installing required. Fetch & extract an updated ports tree from the internet:

portsnap fetch
portsnap extract

In future, use the following command to update your ports tree:

portsnap fetch update

<cron job>


Security auditor/checker for installed port and packages

This tool will protect me from installing vulnerable packages, that's why I like to install it ASAP.

Install package: (version 0.5.10)

pkg_add -r portaudit

Update security information and check installed ports&packages:

/usr/local/sbin/portaudit -Fda

It should give the following output if everything is ok: 0 problem(s) in your installed packages found.

Note: this tool won't protect me from installing insecure software from source.

It will run every night, and report any problems to me by e-mail to

If portaudit says some of the installed packages have security issues, use 'portupgrade' to install the latest version of that piece of software. In many cases this latest version has the security issues resolved. If you didn't configure portsnap to automatically fetch new ports every night using cron, you should run 'portsnap fetch update' before running portupgrade, to make sure you'll install the latest version.


Easy way to update/upgrade installed ports and packages to new version portupgrade-2.0.1_1,1 FreeBSD ports/packages administration and management tool s

Install package:

pkg_add -r portupgrade

(This will also install package 'ruby')

To update a package (for example proftpd), enter:

portupgrade -r -P proftpd

'-r' means 'recursive', so it will download all dependant packages too, and '-P' means 'use packages', so it will try to download & install a precompiled package, and only if this doesn't work it will compile the package itself (using the ports tree), and show the message:

  1. –> Using the port instead of a package

Alternative installation method:

cd /usr/ports/ports-mgmt/portupgrade
make clean deinstall install

Use this alternative installation if you see the following error when running portsnap or portupgrade:\ missing key: categories: Cannot read the portsdb! files/ <…cut…>.gz not found – snapshot corrupt.

Whenever you see a security issue with a package that is installed, try

portupgrade -r -P <name_of_the_package_you_want_to_upgrade_or_install>

Where 'packagename' is the name of the package you are trying to update. It will try to install the most recent package from the internet. (does it require a 'portsnap fetch update' to be aware of the newest versions of packages?)

Additional software installation

Now, where will I start?

Ports an package utilities (portsnap portinstall, portaudit) General utilities (nano editor, bash shell, (de-)compression tools, perl, screen, midnight commander) Network connectivity (proftpd, samba) Debugging / network analysis (nmap, trafshow) Security, logging, monit (portaudit) Backup (rsync + script, bacula, … )


A file editor Official URL:

Why do I want to install this: I can't work without this editor, and thus belongs to my basic necessities in unix-life. I know how to use the 'more difficult' editor VI, but don't see the need for you getting your knuckles bruised on it.

Install package: (version 1.2.5)

pkg_add -r nano

I set the 'EDITOR' environment variable to make 'crontab -e' and 'chpass' use the nano editor instead of 'vi':

setenv EDITOR nano

If you're using bash instead of 'sh' as a shell, use:

export EDITOR=nano

Usage is pretty straightforward. The command:

nano <filename>

will open <filename> for editing, creating a file if it doesn't exist. Important keyboard shortcuts (they appear on the bottom of the screen when you are using nano):

To run nano with word-wrapping disabled, run:

nano -w <filename>

Often, I'll start nano to edit a configuration file, and when try to save the file, I remember that I didn't 'su' to gain root-privileges to edit the file. I've created a small script around nano that will warn me whenever I try to open a file that is not writable:

Save the following as /usr/bin/nano (assuming that the 'real' nano is in /bin/nano : #!/bin/sh # # Small wrapper around nano, # Will show a warning when the file to be opened is not writable. # # by Sebastiaan Giebels <sgiebels_ nano script>   if [ -w $1 ]; then #file exists and is writable echo File is writable, continuing /bin/nano -w $1 $2 $3 $4 $5 $6 $7 else if [ ! -f $1 ]; then #file does not exist, new file? check if target folder is writable. dir=`dirname "$1"`; if [ -w $dir -a ! -d $1 ]; then /bin/nano -w $1 $2 $3 $4 $5 $6 $7 else echo Cannot write to directory $dir, STOP. fi else echo File exists, but is not writable by you, STOP. fi fi


The shortest introduction to 'Vi' ever:

Vi is a file editor, just like nano. It's installed by default on most UNIX operating systems, and has a lot of useful functions, learn them if you want. I'll just show you the most important Vi function:

Exiting Vi

To exit Vi, enter ':q' and press Return key (the moment you press ':', the cursor should jump to the bottom of the screen and show the ':' prompt). If that doesn't work, press ESC, enter ':q!' and press Return key, you will be safely returned to your precious command prompt.

To start Vi (for the kick of it, to boast to your friends, or just to test your 'l33t UNIX 5ki11Z'), enter:



Command shell with command completion (enter just a part of a command or filename , press the 'tab' key and bash will auto-complete the remainder, saving valuable time. Official URL:

Install package: (version 3.1.10_1 )

pkg_add -r bash

To test it, you must enter the full path to bash:


Your prompt will change, as a sign you are using a different shell now.

Change root shell from '/bin/sh' to '/usr/local/bin/bash' (I expect you to have installed nano in the previous step):

export EDITOR=nano
chpass root

Change the line 'Shell: /bin/csh' or 'Shell: /bin/sh' into: Shell: /usr/local/bin/bash Use CTRL-o + enter to save, then press CTRL-x to exit nano.

Now enter:

chpass <freebsd_username>

And do the same for your regular user account.

We're going to edit .bashrc, setting the environment variables EDITOR and PACKAGESITE:

nano /root/.bashrc

export EDITOR=nano /* export PACKAGESITE= */ Notice how we don't use 'setenv' as we did before, but 'export' as that is what it's called within BASH.

Now for the other users: /* Because non-root users aren't allowed to install packages, we can leave out 'export PACKAGESITE=…' */

su <freebsd_username>
nano ~/.bashrc

Add the following: export EDITOR=nano

Edit '.profile' too: BLOCKSIZE=M; export BLOCKSIZE EDITOR=nano; export EDITOR

bash prompt

Adjusting the bash prompt to provide more information (such as the username, hostname of the system, and the current working directory). I'll also trow some color in, to brighten up my day. :)

URL: (warning, dutch!!)\ URL: (warning, dutch!!)\

A very simple command prompt: export PS1="[\u@\h:\w]\$ "

You can also add colors to this string, see the links for more info. Personally I like Wolfman's prompt, It's colored, with the path in it, and on every system I give it a unique identifier with a unique color. This prevents me from accidently reboot the wrong system or perform even more harmfull actions to the wrong pc, as I can directly see which system it is I'm working on. Download the code for my bash prompt here

And this bash-feature is too, to colorize 'ls' output: export CLICOLOR=1

You can also have the .bashrc file with all the correct settings automaticaly created when you add a new user, if you make the changes to the file in the '/etc/skel' folder:

nano /etc/skel/.bashrc

ln -s .bashrc .bash_profile

changing the default blocksize

The environment variable 'BLOCKSIZE' is used in 'df' and a few othe tools, and tells the system in which units it should display number of bytes.

the standard output of 'df' begins with: Filesystem 1K-blocks Used Avail Capacity Mounted on ... Because harddisk drives nowadays are just under a terabyte, expressing sizes in 1K-blocks doesn't make it easier to read. Thats why I change it to megabyes instead of kilobytes:

nano /home/<freebsd_username>/.profile

Change the existing line with the '=K' to '=M', new situation: BLOCKSIZE=M; export BLOCKSIZE

Logout, login, run 'df', and the output should be much better readable: Filesystem 1M-blocks Used Avail Capacity Mounted on /dev/ad0s2a 495 74 381 16% / ... /dev/ad0s4a 44625 1977 39078 5% /mnt/big You see that my partition /dev/ad0s4a (mounted at /mnt/big) is around 45GB in size, 2GB used, and about 39GB free, the remainder is not shown, as it is some spare space needed to prevent disk fragmentation. More info here (see section 14.14), or read 'man tunefs' to read how to change the amount that FreeBSD uses to counter fragmentation.

changing the 'motd'

The Message-Of-The-Day (motd) that is shown everytime I login, is really too long for me. I use it now for noting which things I still have to install, configure and test.

I tend to loose 'notes' files in 'any-random-folder-here', but using /etc/motd as a substitute works for me. Don't do this if there are other users with login access to your machine, because they would see your todo-list too, which is not such a good idea if you put things like: "- fix remote exploitable bug in Apache" in the message.

Remove all but the first three lines, and enter any notes after the 3rd line:

nano /etc/motd

FreeBSD 6.2-RELEASE (FREEBSD62) #0: Mon Jan 4 01:56:50 CEST 2007 Welcome to FreeBSD!   Todo: - ...

changing the hostname

Set hostname (perhaps already set correctly during install):

nano /etc/rc.conf


changing the dns servers

Set up the DNS servers, if not already done so:

nano /etc/resolv.conf

nameserver <ip_address_of_myisp's_first_nameserver> nameserver <ip_address_of_myisp's_second_nameserver>


System time synchronization / Network Time Protocol Distribution Official URL:

The NTP-client (Network Time Protocol Client / ntpd) will set your systems time with the help of so called 'time servers' on the internet, which are very accurate clocks. In this way, your computers time is set correct exactly. It wil periodically re-sync your system time with atom clocks, to correct small differences.

Why do I want to install it: knowing the exact time is very important for logging error messages, investigating security issues, making backups, etcetera. Additionally, some computers don't have an accurate internal clock. This tool helps setting the system's time.

Install package: (version 4.2.0_1)

pkg_add -r ntp

Configuration: (change <my_isps_timeserver> to a timeserver near to you or your ISP. Your ISP can tell you what timeserver you should use (I found mine,, by searching on the keywords 'time server <my internet service provider name>') If you really can't find whats your ISP's timeserver, use one of the public time servers, like or

nano /etc/ntp.conf

server <my_isps_timeserver>

To make sure ntpd is started upon boot, add the correct line to /etc/rc.conf:

nano /etc/rc.conf


Now synchronize the time on your pc with the time of your chosen timeserver (probably only needed once.)

ntpd -gq

You will get a message like this one: ntpd: time set -7152.403129s If you, like me, are doing this installation on another pc than the pc that FreeBSD will run on, remember to run this command again on that other pc after installation.


'Screen' allows you to create 'virtual consoles', which allows you to run applications, and put them to the background with a few keypresses.
BSD Guides article on Setting Up Screen

Install port: (version 4.0.2_4)

portinstall screen

or, as an alternative, if you haven't installed portupgrade & portinstall:

cd /usr/ports/sysutils/screen
make install

Test it:


Start any application (like 'mc'), then press CTRL-a, followed by 'd' (=detach). Return to 'mc' by entering on the command line:

screen -R

You will re-attach (=R) to the previously disconnected screen session. Use the 'exit' command to exit a screen.


/* It will start screen, load a shell and drop you into it. You can exit it by exiting the shell (just type 'exit', and screen will close too). You can detach it by pressing Ctrl+A D You'll be returned to the non-screened shell, and the process running in screen will continue running in the background.

To re-attach to a screen session, enter: screen -R You'll return to your screen session jus where you left it. (however, if there's more than one screen running then it will give you a list of screens to attach to)

Inside the 'screen', there are various commands you can use: To create a new screen, press Ctrl+A C. You can do this any number of times.

* The following screen command will create a new screen session, '-d -m' means: start screen in "detached" mode. This creates a new session but doesn't attach to it. This is useful for system startup scripts. (So you can use this in /etc/rc.local to run anything in the background) '-S midnight' means: sets the screen-name to 'midnight' (so if you're running multiple screens you can easily find and re-attacht to it); 'mc' tell screen to start the command 'mc' (midnight commander, if you've installed it).

screen -dmS midnight mc

To attac to this screen, ener: screen -R midnight

*/ persistent screen session with many windows. To that end, added .screen -d -r to my .login.

(De-)compression tools (RAR,ZIP,ARJ,ZOO)

Install packages:

pkg_add -r unrar unzip zip unarj zoo

pkg_info will now also list the following packages to be installed (version numbers may be different in your case):


Practical Extraction and Result Language Very popular interpreted programming language

Install package: (version 5.8.8)

pkg_add -r perl

To install additional modules, I suggest you use the shell, as it is the easiest way (instead of unpacking/compiling/installing modules by hand)

perl -MCPAN -e shell

Search for a module:

i /whattosearchfor/

Installing a module:

install Module::Name

(e.g.: install Date::Format)

(See for more information


You don't have to be root to use perl modules, non-root works too:

mc, the Midnight Commander

A console file manager, a Norton Commander (nc) clone. It's like a 'swiss army knife', besides the dual-window file manager, it has a file exitor, ftp and smb (read:samba or windows file sharing) support.

Install package:

pkg_add -r mc

Or you can build it from source:

cd /usr/ports/sysutils/mc
make install


Command line HTTP downloader

Install package: (version 1.10.2)

pkg_add -r wget


wget-like command line http downloader with cookies-support

Install package: (version 7.15.3)

pkg_add -r curl

Network / connectivity


Official URL:


cd /usr/ports/ftp/proftpd
make install

Run on system startup:

nano /etc/rc.conf

Add: proftpd_enable="YES"


nano /usr/local/etc/proftpd.conf 

Remove <Anonymous> section (CTRL-K cuts lines, CTRL-U uncuts lines). You might also want to change 'Servername' to something less standard: Servername "//"   AuthUserFile /etc/proftpd/ftpd.passwd #UseIPv6 on UseIPv6 off DefaultRoot ~ # RequireValidShell off RequireValidShell off

You can find other configurations on the proftpd website. Download a basic configuration file from the proftpd website (make sure [curl|curl] is installed):

curl -o /usr/local/etc/proftpd.conf

You can use if you are planning on using virtual hosts.

?? mkdir /var/run/proftpd </html> PS: there is a sample configuration file in /usr/local/share/examples/proftpd/etc/proftpd.conf

Start it:

/usr/local/etc/rc.d/proftpd start

You should see the line 'Starting proftpd.'.

Test it:

ftp localhost

You will see something like: Trying ::1... ftp: connect to address ::1: Connection refused Trying Connected to localhost. 220 ProFTPD 1.3.0 Server ( [] Name (localhost:root): This confirms your FTP server is running. Try to login using your regular user password (as a security measure, ftp access for root is blocked)

In case of errors/problems: Add the following to /usr/local/etc/proftpd.conf: ExtendedLog /var/log/ftp.log DebugLevel 9 Restart proftpd, and check the ftp.log file for error messages

natd (internet sharing)

When you get just 1 internet IP address from your ISP, and you want to allow more computers access to the internet (without using proxy servers) you need NAT (Network Address Translation). Setting it up is easy, if you pay attention :)

You need 2 network cards/interfaces installed in your machine:

/dev/pub0 is my network interface connected to the internet, 
/dev/priv0 is my network interface conencted to the internal network.

Replace occurences of <pub0> and <priv0> with your network interface device names and remove the < > characters too. You can find your network interface names with the command:

ifconfig -a

Edit /etc/rc.conf, and check if your network cards are set up correctly, If your 'public' network card is connected to the internet an DSL- or Cable modem, it might be that your ISP provides you with an IP address, in this case, you'll probably already have 'ifconfig_pub0="DHCP"' in your rc.conf. My ISP gave me a fixed ip address (actually, a complete range), so in my case it's different: ifconfig_pub0="inet <my.public.ip.address> netmask <>"

Now for the second network card, that is connected to your internal network: ifconfig_priv0="inet netmask" You can choose any private network range (,,…) as long as it's not alreay used in your network.

nano /etc/rc.conf

Make sure the following lines are there (replace <pub0> with your own network interface, e.g. 'rl0'): gateway_enable="YES" # enable gateway firewall_enable="YES" # and firewall firewall_script="/etc/rc.firewall" # firewall configuration file firewall_type="open" # firewall type firewall_quiet="NO" # show all firewall rules natd_enable="YES" # enable natd natd_program="/sbin/natd" # path to natd natd_interface="<pub0>" # public/external network interface natd_flags="-f /etc/natd.conf" # extra options to natd

Test it (by starting natd manually):

natd -n <pub0>
ipfw -q add 00050 divert natd ip4 from any to any via <pub0>

= Setting up the client = Set up a computer ('client') on your internal network, ip address, netmask, gateway, and DNS servers from your ISP (you can probably find them with 'cat /etc/resolv.conf')

= Testing natd connectivity = On this client pc, go to a shell, (that's: Start → Run → cmd → [ok] for you windows people, or WindowsKey-R → cmd → [ok] for Vista unfortunates):


If everything is ok (no firewalls in the way) you should get 'Response from …'.

Next, ping another IP address (you can use the DNS server you found a moment ago):


If this works, natd works. Note: some servers/internetsites block 'ping': test if you can ping the address from your server, if this works, it should work from any client too.

Now test if you can ping a website by it's name.


If this works, you can start your internet browser, and use the internet with multiple computers.

Reboot, to make sure natd is started automatically/correctly upon the next boot.


CIFS / Windows Networking file sharing and more
Official URL:
Samba as a WINS/NetBIOS Server

Install package:

pkg_add -r samba3

Configure package:

nano /usr/local/etc/smb.conf

Configuration: FIXME

nano /usr/local/etc/smb.conf

# Usual location for this file: /usr/local/etc/smb.conf # Lines beginning with either a semi-colon or a pound sign (';' or '#') are comment lines, # you can use them for explaining what options mean, or for temporarily disabling options # by placing a # sign in front of the line. # The length and usage of spaces and other non-alphanumerical characters is limited for some options # Read the documentation # NOTE: After modifying this file, run the command "testparm" to check this file for syntax errors.   # Global options [global] # 'workgroup' = NT-Domain-Name or Workgroup-Name workgroup = WORKGROUP   # 'netbios name' is the name you will see in "Network Neighbourhood" (defaults to your hostname) netbios name = <name_of_this_server>   # server string is the equivalent of the NT Description field server string = FreeBSD Samba Server   # Logging: # this tells Samba to use a separate log file for each machine that connects: ; log file = /var/log/samba/log.%m # Standard location for samba log files is /var/log/samba/ # Put a capping on the size of the log files (in Kb). max log size = 50 # Set the log (verbosity) level (0 <= log level <= 10) ; log level = 3     # Which hosts to allow access to your SAMBA server # Don't forget to replace or remove the < > stuff with your own values # = localhost (don't forget to include this one, or else you'll have trouble testing it) # 192.168.*.*, 10.*.*.*, 172.16.*.* are local networks, optional. # is my ip adress and the number 27 is my netmask length (netmask = # because of the netmask, it will also allow all other computers in my network access. # You can use a network/netmask calculator like the one at # is the (fictional) static ip address of a friend who I want to give access hosts allow = 192.168. 10. 172.16. <> <>   # Denie traffic from all hosts (except from those configured with 'hosts allow') hosts deny =   # Make this server the local&preferred master server # Don't use these if there other servers for the same task on your network. local master = yes os level = 100 preferred master = yes wins support = yes domain master = yes   # I don't know what this does (<> is my broadcast address) remote announce = <> # Case sensitivity for filenames: read manual   # Networking Options: this might give better performance # See speed.txt and the manual pages for details socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192   # Printing: FIXME #printing = CUPS #printcapname = CUPS #map to guest = Bad User #show add printer wizard = No show add printer wizard = No   ; map to guest = Bad User ; security = share     [shared] comment = Some shared folder path = /tmp/shared read only = No guest ok = Yes nt acl support = No ; force user = freebsd ; force group = users   [music] comment = My MP3 collection path = /mnt/<musicdisc>/mp3/ read only = yes public = yes hosts allow = 192.168. 10. 172.16. <> <> hosts deny =   # Printer configuration with CUPS I will do another time. I've disabled it for now ;[printers] ; comment = Print Temporary Spool Configuration ; path = /var/spool/samba ; printable = Yes ; guest ok = Yes ; use clientdriver = Yes ; browseable = No

You can find out which computers on your local network support the SAMBA-protocol (running either 'real' Windows CIFS, or by using SAMBA on any other operating system):

nmblookup -B <my.networks.broadcast.address> -d 2 "*"

I used for my broadcast address, yours might be or like that.


openssl-0.9.8c SSL and crypto library This SSL Library allows communication over secure channels (HTTPS, IMAPS), and is required in this guide for Courier-IMAP, Apache, and OpenVPN)

Install package: (version 0.9.8c)

pkg_add -r openssl

Apache 2.2 Webserver


Install package: (version 2.2.0_7)

pkg_add -r apache22
nano /etc/rc.conf:



nano /etc/hosts:

mkdir /usr/local/www
nano /usr/local/etc/apache22/httpd.conf:

ServerAdmin .... ServerName ServerName DocumentRoot "/usr/local/www"

Change: <Directory "/usr/local/www/apache22/data"> ... </Directory> to → <Directory "/usr/local/www"> Options Indexes FollowSymLinks ExecCGI AllowOverride All Order allow,deny Allow from all </Directory>

Add: AddType application/x-httpd-php .php .php3 .php4 .php5 AddType application/x-httpd-php-source .phps   DirectoryIndex index.php index.cgi index.html   AddHandler cgi-script .cgi   NameVirtualHost *:80   <VirtualHost *:80> ServerAdmin webmaster@ DocumentRoot /www/ip ServerName </VirtualHost>   <VirtualHost *:80> ServerAdmin webmaster@<> DocumentRoot /usr/local/www/<> ServerName <> ErrorLog /var/log/<>-error_log CustomLog /var/log/<>-access_log combined </VirtualHost>

mkdir /usr/local/www/<>
apachectl configtest
apacectrl restart

Some time later, I noticed this error message upon manual start of apache: [warn] (2)No such file or directory: Failed to enable the 'httpready' Accept Filter I solved it temporarily by entering:

kldload accf_http

To load it on boot, add to your /boot/loader.conf:


I should check if the issue is resolved after the next reboot.

To prevent visitors seeing which version/modules apache you're running, set ServerTokens to something else than 'Full', e.g.: ServerTokens Prod

mod_jail (optional)

FIXME Optional: mod_jail A module to run Apache in a secure jail (like 'chrooted') URL:

Custom 404-Errorhandler

It is possible in Apache, to use your own errorhandler for various errorcodes. You might want to have this to inform you of people clicking 'dead links' on your website.

nano /usr/local/etc/apache22/httpd.conf

ErrorDocument 404 "/cgi-bin/404_errorhandler.cgi"


Apache::MP3 is a perl module for Apache, which allows you to listen to the music stored on your server from a windows pc trough a browser & Winamp. Installation:

cd /usr/ports/www/p5-Apache-MP3 make

This will also install 'mod_perl'

Add this line to the 'LoadModule'-section in /usr/local/etc/apache22/httpd.conf: LoadModule perl_module libexec/apache22/

Visit the Apache::MP3 website for the rest of the installation instructions and all the documentation.

If you get this error: Syntax error on line ... of /usr/local/etc/apache22/httpd.conf: Invalid command 'PerlHandler', perhaps misspelled or defined by a module not included in the server configuration [root@freebsd62 /usr/local/etc/apache22]# Then the Apache mod_perl module isn't installed correctly.

Follow the rest of the installation instructions from the Apache::MP3 website

Restart apache:

apachectl restart

Make a symlink to the folder where you store your mp3 files (in my case, that would be /mnt/audio/music/ )

ln -s /mnt/audio/music /usr/local/www/

Apache::MP3 comes with a set of icons, and style sheet to go with the html pages it generates. To make apache::mp3 find them, follow the next steps.
In /usr/local/etc/apache22/httpd.conf, just below the <Directory /> … </Directory> section, add: <Directory /usr/local/share/Apache-MP3> AllowOverride None Order allow,deny Allow from all </Directory> And in the same file, just below the line '<IfModule alias_module>', add: Alias /apache_mp3 /usr/local/share/Apache-MP3

Browse to to see if it works

I've changed a few lines in httpd.conf, to make sure that .mp3-files are treated equally as .MP3-files (and the same for .m3u, .pls and ogg-vorbis files): AddType audio/mpeg mp3 MP3 Mp3 mP3 AddType audio/playlist m3u M3U M3u m3U AddType audio/x-scpls pls PLS PLs Pls pLS pLs plS AddType application/x-ogg ogg OGG Ogg OGg OgG oGG oGg ogG

As the files in my MP3 collection often have bad mp3-id3 tags, I have Apache::MP3 to use the filename instead of the MP3-ID3 tag. In the '<Location /songs>' section of the httpd.conf file (or whatever you used instead of '/songs' while following the Apache::MP3 installation instructions), add: PerlSetVar Fields filename PerlSetVar SortFields filename PerlSetVar DescriptionFormat "%f" PerlSetVar ReadMP3Info no You might like these settings too: PerlSetVar CacheDir /tmp/mp3_cache PerlSetVar PathStyle Arrows


Official URL: Requires: apache, php, mysql


cd /usr/ports/audio/kplaylist
make install

Configure kplaylist with Apache (see instructions on the official website), make sure apache has access to your mp3 collection, configure the database to use, configure kplaylist. Enter the location to your base mp3 folder in Filehandling → Base directory You can open the .m3u playlist files it generates with XMMS (or Winamp if you're using windows).

ISC DHCP-server (dhcpd)

On my computer network, there are some laptops. These laptops are not always connected to this network, but sometimes they are taken by their owner to another location, and plugged into another network. This makes it unpractical to set-up static ip adresses onto these machines themselves, as the network settings would probably have to be changed everytime the laptop is plugged into another network. This is why I will set up a DHCP server. This software will hand out network information like the unique ip adres the laptop may use, the netmask, the address of the default gateway, and which dns servers to use.

FIXME If you use 192.168.*.*, 10.*.*.* or 172.16.*.* adresses, …

Install package: (version 3.0.3_1) pkg_add -r isc-dhcp3-server (or portupgrade -r -P isc-dhcp3-server)

Configure package:

nano /etc/rc.conf:

dhcpd_enable="YES" # dhcpd enabled? dhcpd_flags="-q" # command option(s) dhcpd_conf="/usr/local/etc/dhcpd.conf" # configuration file dhcpd_ifaces="" # ethernet interface(s) dhcpd_withumask="022" # file creation mask

cp /usr/local/etc/dhcpd.conf.sample /usr/local/etc/dhcpd.conf
nano /usr/local/etc/dhcpd.conf

default-lease-time 86400; max-lease-time 172800; default-lease-time 86400; ddns-update-style interim;   option ntp-servers; option domain-name ""; option domain-name-servers; #,; option netbios-name-servers; #,; option netbios-node-type 8; ### NOTE ### # netbios-node-type=8 means set clients to Hybrid Mode # so they will use Unicast communication with the WINS # server and thus reduce the level of UDP broadcast # traffic by up to 90%. ############   subnet netmask { range dynamic-bootp; option subnet-mask; option routers; allow unknown-clients; # host hplj4 { # hardware ethernet 08:00:46:7a:35:e4; # fixed-address; # } } } subnet netmask { }

touch /var/db/dhcpd.leases

Start it:

/usr/local/etc/rc.d/isc-dhcpd start

Tools for dhcpd.conf management/control & dhcp leases check

Changing the DHCPD Logging File:

To have a backup dhcpd or a fallback dhcp server (running 2 dhcp servers on the same network): DHCP Failover on OpenBSD

BIND / named / DNS server

Official URL:

The BIND DNS Server (or 'named', as some call it) resolves (=translates) web adresses to ip adresses (e.g. for translating the host name '' to it's IP adress '')

There are two reasons for using it: * you want to act as a so called 'dns-proxy' or 'caching nameserver', which will limit network traffic to the nameserver of your ISP. * you are hosting websites and are doing DNS-server things yourself.

Install package:

pkg_add -r bind

Configuration of named is stored in /var/named/etc/named. This folder is symlinked to /etc/named (remember this when configuring the directories to backup). The important files are: * named.conf * *.zone (the files you will create for every domain name)

Configure package:

cd /etc/named
sh make-localhost
nano named.conf

Comment out the line "listen-on …": // listen-on {; };

Above the line "/ * An example master zone", insert the following for each domain you are running this nameserve for. Replace <> with the correct domain name (without the www-prefix). Remove the '<>' characters too: zone "<>" { type master; file "<>.zone/<>.zone"; };

For each domain:

mkdir <>.zone
cd <>.zone
nano <>.zone

Enter the following text (replace the <…> stuff with the correct information): $ORIGIN <>. ; // Don't for get to incease the Serial value everytime you make changes to this file ; // I like to use the current date, so I can see when was the last time I've changed it ; // If you are updating this file more than once a day, this is not a good solution. @ IN SOA <>. ( 20070701 ; Serial 14400 ; Refresh 1800 ; Retry 3600000 ; Expire 3600 ) IN NS <>. IN NS <>. IN MX 10 <>   localhost IN A <>. IN A <> * IN A <>

Test it (will show any configuration file errors, you can quit with CTRL-C):

/usr/sbin/named -t /var/named -u bind

05-Mar-2007 12:41:06.992 starting BIND 9.3.2-P2 -f -g -t /var/named -u bind 05-Mar-2007 12:41:07.003 loading configuration from '/etc/namedb/named.conf' 05-Mar-2007 12:41:07.004 listening on IPv4 interface rl0, <>#53 05-Mar-2007 12:41:07.006 command channel listening on 05-Mar-2007 12:41:07.006 command channel listening on ::1#953 05-Mar-2007 12:41:07.006 ignoring config file logging statement due to -g option 05-Mar-2007 12:41:07.007 zone 0.0.127.IN-ADDR.ARPA/IN: loaded serial 20070305 05-Mar-2007 12:41:07.007 zone loaded serial 20070305 05-Mar-2007 12:41:34.475 <>.zone/<>.zone:4: no TTL specified; using SOA MINTTL instead 05-Mar-2007 12:41:34.476 zone <>/IN: loaded serial 20070305 05-Mar-2007 12:41:34.476 running 05-Mar-2007 12:41:34.476 zone <>/IN: sending notifies (serial 20070305)

This is how it looks here, when it's running correctly.

Im my case, I got an error message: 05-Mar-2007 12:41:07.007 zone <>/IN: loading master file <>.zone/<>.zone: permission denied And it was immediately clear to me that copying the BIND/named configuration files from my backup to the /etc/named/ was ok, but that I had forgotten to give 'bind' access to the *.zone directories/files. I fixed it by entering:

chown -R bind /etc/named/*.zone

Configure it to run on system startup: Add the following line to /etc/rc.conf: named_enable="YES"

Start it:

/etc/rc.d/named start

wrote key file "/var/named/etc/namedb/rndc.key" Starting named.

<FIXME> You'll need some information on the domains you want to do DNS stuff for (I take as an example):


You'll get something like this (write it down, we'll need it later): Domain nameservers: <> <> <> <>

Ad Blocking with your own DNS Server


If you run your own dns server (BIND/named), you can use it to do some ad-blocking (and even prevent Google tracing your whereabouts!).

It works by blocking (actually, it is diverting) DNS request for a lot of banner-hosting domains. It even works against Google text-ads If other computers are using this pc as a dns server (you can configure this in dhcpd.conf, section 'option domain-name-servers'), they too will be 'protected' against evil advertisers that want to steal your precious time & bandwidth.

You can block banners, text ads, some known cookie harvesting sites, and even normal sites. Note that it will only block the DNS queries/resolving, if you (or one of the users in your network) uses another DNS server, it will get resolved correctly, and nothing is blocked this way. You cannot block IP's this way (or banner URLS like

, you would need a firewall to do that.

Create the zone file '/etc/namedb/': $TTL 24h @ IN SOA <>. hostmaster.<>. ( 2007100900 ; Serial yyyy/mm/dd/id 86400 ; Refresh (24 hours) 300 ; Retry (5 minutes) 604800 ; Expire (7 days) 3600 ) ; Negative Cache TTL (1 hour)   @ IN NS <>. @ IN A <server.dotted.ip.address> * IN A <server.dotted.ip.address> Replace <>, <> and <server.dotted.ip.address>. Make sure there are no spaces before the last three lines when you copy/past the text to a file. If you use as the <server.dotted.ip.address>, requests from other clients (other computers in your network that are configured to use this FreeBSD as their dns server) will try to get the banners from 'their' localhost, instead of from the webserver on the FreeBSD machine. I don't think there's much speed to gain, and I like having the FreeBSD server in the middle so I can take statistics how many banners are blocked.

Next, edit /etc/namedb/named.conf For each domain name you wish to block banners (WARNING: and all other stuff from the same domain!) from, add the next line to the end of the file: zone "<domainname.tld>" { type master; file "dummy-block"; }; Replace <domainname.tld> with the 'offending' site, like '', '' or ''. There are sites which list known advertising providers domains. You can find more of these domain names by googling on a few of the names above combined.

Instead of <domainname.tld> you can also use <subdomain.domainname.tld>, to prevent blocking important stuff.

Configure your FreeBSD server to use it's own dns server. Edit /etc/resolv.conf, and make sure the first entry is: nameserver

Remember to reload named whenever you have edited /etc/namedb/named.conf:

kill -HUP `cat /var/run/named/pid`


killall -1 named

Test it:


You should get a ping reply from '' or from your server's ip address.

If you run into problems, make sure named is running:

ps auxwww|grep named

If named isn't running, there might be something wrong with your configuration files. Start named in 'foreground' mode, showing all messages on the console:

named -g


cd /etc/namedb
named -f -d 9

Debug messages are stored in /etc/namedb/

Named won't start if the named.conf has errors, or duplicate entries (!)

You can start named correctly with the command:

/etc/rc.d/named start

Firefox has its own internal domain-name-based image blocking function, To configure/disable/adjust, open FireFox, click Edit → Preferences → Content → Exeptions-button just right of 'Load images automatically' It doesn't block text-ads, as far as I know, and works on that pc.

another URL: another URL:

There's a Firefox ad-blocking plugin, which works with a list of banner-serving sites, The list itself is available here: You can find more ad-serving hosts from the 'Filterset.G' file. This file however isn't direct compatible with named.conf, you've got to edit it.

After blocking *.google-analytics, Firefox gives this error: sent an unexpected / error message / code: -12263 I guess this has something to do with the secure https protocol not able to find a valid SSL certificate. I'm still searching for a nice solution, but I'll rather have the '12263' firefox error message than having google follow me on the net. ... Constant: SSL_ERROR_RX_RECORD_TOO_LONG "SSL received a record that exceeded the maximum permissible length." -12263

I think I need to have the URL redirect to an existing file.. or at least a webserver supporting ssl..

An example website giving this error is:


Network traffic monitoring (TCP/UDP)

Official URL: If you are looking for more advanced traffic monitoring tools (traffic sniffing tools), go google for: ethereal, ettercap, Wireshark (this one runs on Windows too)

This provides basic network traffic visualisation on a text-based terminal. You might also want to check out 'mrtg', which is another network load monitoring tool

Install package: (version 5.2.2,1)

pkg_add -r trafshow

Test it by running:


Select the correct network interface to monitor, and if there is any network traffic, you should see it.

If you get an error: No packet capture device available (no permission?) You are not running it as root. Get root privileges, or change the (read) permissions of the /dev/bpf0 and /dev/bpf1 devices. Don't make it world-readable (o+r), or else anyone with access to your computer can sniff on your network traffic, capture ftp-passwords and compromise your security! /* Reversing

Sometimes you are sitting on the wrong side of the link, and you would like to have mrtg report Incoming traffic as Outgoing and vice versa. This can be achieved by adding the '-' sign in front of the "Target" description. It flips the incoming and outgoing traffic rates. Example: Target[ezci]: -1:public@ezci-ether.domain */


TCP tool 'nc' Install package: (version 1.10_2)

pkg_add -r netcat


Very good portscanner

"Port scanning utility for large networks" Install package: (version 4.01)

pkg_add -r nmap



Install package: (version mysql-server-5.1.15)

pkg_add -r mysql51-server 

(includes mysql51-client-5.1.15)

pkg_add -r  mysql51-scripts
mkdir /var/db/mysql
chown mysql:mysql /var/db/mysql
nano /etc/rc.conf

Add: mysql_enable="YES"

Start MySQL manually:

/usr/local/etc/rc.d/mysql-server start

Now we are setting the MySQL database administrator password (you should choose a new password for <my_mothers_maiden_name> here, do not use your current root password):

mysql mysql -u root

You should get some infomation about the running MySQL engine, and a 'mysql>'-prompt. Enter the following lines (replacing <my_mothers_maiden_name> with some other password you have chosen): UPDATE user SET Password=PASSWORD('<my_mothers_maiden_name>') WHERE user='root'; FLUSH PRIVILEGES; EXIT

If successfull it will show you something like: 1 rows updated ...

If you get the following error: ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (38) then check if you have succesfully started the mysql daemon.



A popular web scripting language Official URL:

Install port (not using the package!): (version 5.1.6)

cd /usr/ports/lang/php5

Enable 'MULTIBYTE Enable zend multibyte support', leave other settings as they are: Options for php5 5.1.6 . ... . . [X] MULTIBYTE Enable zend multibyte support ...

make install

This will put the following executables (including the apache library in the correct place:


Now, install PHP5-extensions (version 1.0, as it is a meta-package)

cd /usr/ports/lang/php5-extensions

Select extra: bz2, ftp, gettext, mysqli, ncurses, openssl & zip. Do not select 'gd', as it will download lots of stuff

This will install: php5-bcmath-5.1.6 The bcmath shared extension for php php5-bz2-5.1.6 The bz2 shared extension for php php5-calendar-5.1.6 The calendar shared extension for php php5-ctype-5.1.6 The ctype shared extension for php php5-curl-5.1.6 The curl shared extension for php php5-dom-5.1.6 The dom shared extension for php php5-ftp-5.1.6 The ftp shared extension for php php5-gettext-5.1.6 The gettext shared extension for php php5-iconv-5.1.6 The iconv shared extension for php php5-imap-5.1.6 The imap shared extension for php php5-mcrypt-5.1.6 The mcrypt shared extension for php php5-mysqli-5.1.6 The mysqli shared extension for php php5-ncurses-5.1.6 The ncurses shared extension for php php5-openssl-5.1.6 The openssl shared extension for php php5-pcre-5.1.6 The pcre shared extension for php php5-posix-5.1.6 The posix shared extension for php php5-readline-5.1.6 The readline shared extension for php php5-session-5.1.6 The session shared extension for php php5-simplexml-5.1.6 The simplexml shared extension for php php5-sqlite-5.1.6 The sqlite shared extension for php php5-tokenizer-5.1.6 The tokenizer shared extension for php php5-xml-5.1.6 The xml shared extension for php php5-xmlreader-5.1.6 The xmlreader shared extension for php php5-xmlwriter-5.1.6 The xmlwriter shared extension for php php5-zlib-5.1.6 The zlib shared extension for php Test it:

make install
nano /usr/local/www/<your_freebsd_hostname>/phpinfo.php

<?php phpinfo(); ?> Point your browser to the URL: ht tp :/ / <your_freebsd_hostname>/phpinfo.php You should get lots of information about the php engine.

To allow PHP to connect to a MySQL database, install the port 'php5-mysql':

make install

Also install the port 'php5-extensions':

cd /usr/ports/lang/php5-extensions
make install

You will need to tag 'multibyte string' to run phpMyAdmin.

To configure Apache to use PHP, open '/usr/local/etc/apache22/httpd.conf', make sure that the following modifications are there, or add them: Add the line: LoadModule php5_module libexec/apache22/ And: AddType application/x-httpd-php .php .php3 .php4 .php5 AddType application/x-httpd-php-source .phps

Change: DirectoryIndex index.html index.cgi To: DirectoryIndex index.html index.cgi index.php


Web based/PHP frontend for MySQL administration
Official URL:

Installation (requires that php5 has been built with 'MULTIBYTE'/mbyte option):

cd /usr/ports/database/phpmyadmin
make install

Add the following to the Apache configuration file /usr/local/etc/apache22/httpd.conf. Replace <your_ip_address> with the IP address you want to connect from: Alias /phpmyadmin/ "/usr/local/www/phpMyAdmin/"   <Directory "/usr/local/www/phpMyAdmin/"> Options none AllowOverride Limit   Order Deny,Allow Deny from all Allow from <your_ip_address> </Directory>

Restart Apache:

  apachectl restart

Visit http:<>/phpMyAdmin/ WORK IN PROGRESS BELOW THIS LINE. Configuration: cd /usr/local/www/<>/pMA cp cd phpMyAdmin nano Documentation.txt Read the 'quick install' section. Create directory for saving configuration, : mkdir config Give it world writable permissions: chmod o+rw config I went to http:/ /<>/pMA/scripts/setup.php Under 'Servers', click 'Add' Set 'Authentication type' to 'HTTP' Click 'Add', click 'Save' Move file to current directory: mv config/ . Remove world read and write permision: chmod o-rw cp config.default.php nano <html> $cfg['PmaAbsoluteUri']='http:<>/pMA'; </html>

For now, I will use cookie authentication. This is not as secure as I'd like it to be (I would be happier if https was working), but I'll leave it for now: $i=0; $i++; $cfg['Servers'][$i]['host'] = 'localhost'; $cfg['Servers'][$i]['extension'] = 'mysqli'; $cfg['Servers'][$i]['auth_type'] = 'cookie'; $cfg['blowfish_secret'] = '<my_fathers_maiden_name>'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH!$

As an alternative, you can put the MySQL username and password in this configuration file, and use a .htpasswd file in the phpMyAdmin directory to limit access. In this case you would need to add/change the following configuration items in $cfg['Servers'][$i]['host'] = 'localhost'; $cfg['Servers'][$i]['extension'] = 'mysqli'; $cfg['Servers'][$i]['auth_type'] = 'config'; $cfg['Servers'][$i]['user']='root'; $cfg['Servers'][$i]['password']='<my_mothers_maiden_name>'; Protecting the phpMyAdmin with .htpasswd is something I will explain another time. Just stick with cookie authentication for now.

Restrict access to the configuration file (very important if you have stored the MySQL password in here):

chmod 600

Check your installation by browsing to http:/ /<>/phpMyAdmin If everything is ok, you should be asked for a username and a password. Enter the MySQL username and password you have configured earlier. After entering the correct password and pressing ok, you should see the phpMyAdmin page, where you can manage your MySQL databases.

protect pMA directory with .htaccess and .htpasswd:

nano .htaccess

AuthName "Restricted Area" AuthType Basic AuthUserFile /var/www/<mysite>/<my_protected_dir>/.htpasswd AuthGroupFile /dev/null require valid-user Change the AuthUserFile to the directory where you will put the .htpasswd file. You can change the 'AuthName' value too.

Now, let's create the .htpasswd file, which will contain the usernames and (encrypted) passwords of the users that will have access. Make sure you are in the correct directory, then enter:

htpasswd -c .htpasswd <username>

If the file .htpasswd already exists, remove the -c to add users to an existing .htpasswd file:

htpasswd .htpasswd <username>

You will be prompted for the password (2 times).

Check if it works, open your webbrowser and go to <mysite>/<my_protected_dir>/ It should prompt you for an username and a password.

For security, make sure all files starting with '.ht' are blocked from public viewing in your webserver configuration.


A Content Management System (CMS), similar like 'Mambo', another CMS Official URL:


cd /usr/ports/www/joomla
make install
cd /usr/local/www/joomla

Login to the phpMyAdmin website/configuration panel, and make a new database, named 'joomla'

Edit /usr/local/etc/apache22/httpd.conf, Add a line: Alias joomla /usr/local/www/joomla <FIXME>

Next, go to the site http:/ /<>/joomla/INSTALL.php website Session save path Not set, Unwriteable Database server: localhost username: root password: <MySQL_server_password> database: joomla   Site name: <Title_for_your_Joomla_website>   URL: http:/ /<>/joomla Path: /usr/local/www/joomla Your E-mail: Admin password: <my_mothers_maiden_name> (Username : admin)

Point your browser to: http:/ /<>/joomla You should get a message telling you that you should remove the installation-folder. We will do this:

cd /usr/local/www/joomla
rm -R installation

Reload the same URL (http:/ /<>/joomla) in your browser, you should see the default Joomla site now.

Browse to http:/ /<>/joomla/administrator/ to go to the configuration panel where you can add users, edit pages, install 'mambots' and themes, etc.

cd /usr/ports/www/coppermine
make install
nano /usr/local/etc/apache2/httpd.conf
  Alias /coppermine/ "/usr/local/www/coppermine/"
  <Directory "/usr/local/www/coppermine">
Options Indexes Followsymlinks MultiViews
AllowOverride None
Order allow,deny
Allow from all

use phpMyAdmin to create a database named 'coppermine',

apachectrl restart

browse to:

username: coppermine

MySQL Database Name: coppermine MySQL Username:root MySQL Password:


This is an easy to use wiki that I use for updating this page.
Official URL:

Click here to get an idea of the features DokuWiki has to offer

I needed a easy website content editor to publish this FreeBSD 6.2 manual online. I didn't want a CMS, as those generally depend on a database like MySQL, and these are too big for what I need. I've visited , did a search on 'wiki', and found DokuWiki. It's small, doesn't depend on databases (for example MySQL), uses PHP, has a 9 out of 10 user-rating, and is good for writing documentation. Excactly what I need!

Read for the original installation instructions, and make sure to read after installation to secure it properly.

Using ports:

cd /usr/ports/www/dokuwiki
make install

It will install in /usr/local/www/dokuwiki folder. You can rename the 'dokuwiki' folder, and place it somewhere else.

During installation it will ask which type of wiki this will be, as it can help you configure read/write access in different ways for registered/unregistered users. The 3 most common methods are:

After installation, move (or symlink) it to the /usr/local/www/<domain_name>/<foldername>, which would make it accessible in a browser at the URL http:/ /www.<domain_name>/<foldername>/ :

ln -s /usr/local/www/dokuwiki /usr/local/www/

Browse to: (don't forget the last '/') You should see some Dokuwiki page.

chown -R www data
chown -R www conf

Let's configure it (while still being in the dokuwiki folder). We will save all settings to local.php, Dokuwiki's main configuration file.

cp conf/local.php.dist conf/local.php
nano conf/local.php
$conf['start']       = 'freebsd62guide'; //name of start page
$conf['title']       = 'My FreeBSD 6.2 step-by-step installation guide';
$conf['allowdebug']  = 0;                //Allow debugging 
$conf['openregister']= 0;                //Allow everyone to register? (no)
$conf['autopasswd']  = 0;                //autogenerate passwords and email them (no)
$conf['breadcrumbs'] = 0;                //How many levels of previously visited pages to remember (0)
$conf['usewordblock'] = 0;               //Block spam based on wordlist (no)
$conf['useacl'] = 1;                     //Use Acces Control Lists (yes)
$conf['superuser'] = 'admin';            //The user which will have administrative rights
$conf['fetchsize']   = FALSE;
$conf['refcheck'] = 0;

Some more settings: (my dokuwiki is written in english, so I set the spellcheck accordingly) Enable spellchecker **yes** Recent changes **50** Language: **en** Send "HTTP 404/Page Not Found" for non existing pages **yes**

Make sure all configuration files are owned by the user Apache runs on:

chown -R www:www .

Making sure some files aren't 'world writable' (for security reasons):

chmod 664 doku.php
chmod 664 conf/users.auth.php

For editing the page, I want to setup a password More info on Acces Control Lists at URL:

Create a password (replace <your_password> with the password you wish to use in DokuWiki):

md5 -s <your_password>

This should output the following (I used 'password' as password): MD5 ("password") = 5f4dcc3b5aa765d61d8327deb882cf99

cp conf/acl.auth.php.dist conf/acl.auth.php

nano users.auth.php

Add the following lines (replace 5f4dcc3b5aa765d61d8327deb882cf99 with your own result): admin:5f4dcc3b5aa765d61d8327deb882cf99:::admins editor:$1$b283fa69$r0ZhbBepcfGD.nJ5kNFUV/:::users

cp conf/acl.auth.php.dist conf/acl.auth.php
nano conf/acl.auth.php

Add the following lines to allow all (registered) users to create and edit pages, and allow visitors only reading: * @users 4 * @ALL 1

By default, DokuWiki has 7 colored boxes at the bottom of the page, one of these is a link to the Creative Commons site. I've chosen the Creative Commons license 'by-nc-sa v2.5' to publish this guide, and I just need to change the version number of the CC-license to 2.5. It's easy to change that in the file dokuwiki/lib/tpl/default/footer.html
I've also removed the other buttons in this file which I won't need:

I'm leaving the 'Driven by DokuWiki' link in place.

In the file 'conf/acronyms.conf' you can add abbreviations and their meaning. I've used them to remind people that links like <my_mothers_maiden_name> should be replaced by their own passwords (go on, hover your mouse cursor over the text between the < and the >, and you will see).

I will make the configuration files available for download soon <FIXME>

<Download footer.html>
<Download /conf/local.php>
<Download /conf/acl.auth.php>
<Download /conf/user.auth.php>

March 4 2007 - I Just read this article about helping Google and other search engines to index your DokuWiki site, worth a read. In the .htaccess file that's mentioned on this article, I've changed some lines replacing 'doku.php' with '/freebsd/doku.php'. I bet this is not the best fix, but it works, and at this time, that's all I care about.

I've discovered that DokuWiki is telling search engine crawlers to "noindex,nofollow" in the file '/inc/template.php', so I've changed every noindex → index and nofollow → follow. Also, I added some code for adding the correct META-tags to my page. Couldn't find any other way to do this in the manual, but I must admit I didn't take more than a minute to search for it.. hints are welcome.

$KEYWORDS = "freebsd,guide, ... ";
$head['meta'][] = array( 'name'=>'keywords', 'content'=>$KEYWORDS);

$DESCRIPTION = "Installation and configuration of a FreeBSD server, ... ";
$head['meta'][] = array( 'name'=>'description', 'content'=>$DESCRIPTION);

DokuWiki has support for Multilingual sites, so I can use DokuWiki for my future dutch and german translation of this page.

To force the recaching/refresh/recompile/remake/refreshing of a DokuWiki page just add the parameter '?purge=true' after the … /your_dokuwiki.php file:

Optimizing your DokuWiki page for Search Engine Indexing:

I set indexdelay to 0, enabled 'useslash', and configured it to create a Google sitemap (which needed some re-editing).

quote: "Sitemap is generated by the indexer. To launch it manually, and debug it, try :" (replacing with your server name)

And I discovered how to count page-hits (a webcounter) within DokuWiki


wget tar -zxvf (filename) mv dokuwiki<…> dokuwiki mv dokuwiki /usr/local/www/<…> cd /usr/local/www/ chown -R root:wheel . http://.../dokuwiki/ Click on "installer script". The next page (DokuWiki installer) will tell you that some of your folders do not have the proper permission settings. Fix it by going to your dokuwiki folder, and enter:

chown www:www conf/ chown www:www data/ chown www:www data/pages/ chown www:www data/attic/ chown www:www data/media/ chown www:www data/meta chown www:www data/cache chown www:www data/locks chown www:www data/index (click retry) Wiki Name: (the html title of your wiki page will be "Page name [wiki name]") I used "by Sebasiaan Giebels" as the name for my wiki. Enable ACL (recommended) ticked Superuser: edit this just like e-mail and password Decide what kind of Wiki this should be (who should be allowed to write in it) I chose Public Wiki Click the button, and your new wiki should show up. Click on 'Login' (bottom-rigt) and login with your (Superuser) username and password Here you can edit your page etc. See Syntax and Playground Go to the Configuration Manager", and change the name for the start page. ( My Debian Linux on the NSLU2 installation & configuration guide Save the settings, and open …/dokuwiki/doku.php It should give the title you just entered (when the page name is still 'start', you've done something wrong in the previous step) , and tell you 'This topic does not exist yet'. Re-login (if needed) and click on the 'Create this page' button. Enter some text, save it, and reload the page */

Adding Video to DokuWiki (like Youtube video clips):

Hidden Comment


This tiny plugin allows you to leave notes to yourself (and other authors of your wiki) in the wiki source code that won't be shown on the wiki page.

extract the contents of the .zip file to <your_dokuwiki_path>/libs/plugins and it should work.

Example: The text /* between the slash-asterik and asterisk-slash */ is hidden Becomes:

The text /* between the slash-asterik and asterisk-slash */ is hidden


folded text

(example: ) (or */


A lightweight HTTP proxy server

Official URL: Install package:

pkg_add -r tinyproxy

Serial Console

This will allow me to access this FreeBSD pc over a serial cable. As one of these installations will run in a fire-safe basement, and I don't want to get my hands dirty everytime I accidently disable the Ethernet interface, stop SSH, ruin the firewall settings, or do something else which would otherwise result in the need for hands-on access. configuration:

nano boot.config
nano /etc/ttys
  # Serial terminal on COM1:
  ttyd0 "/usr/libexec/getty std.9600"  vt100   on secure

Options Message goes to none internal console -h serial console -D serial and internal consoles -Dh serial and internal consoles -P, keyboard present internal console -P, keyboard absent serial console

Compiling the FreeBSD Kernel

Compiling a new kernel can help overcome problems with new hardware (like my Gigabit onboard network card '/dev/nve0', which resets itself when I send lots of data through it), USB memmory sticks, etc. It's likely that a new kernel will speed up lots of things.

The correct way to upgrade your kernel has changes over the last FreeBSD versions, so you might find some manuals on FreeBSD kernel building that are outdated (like 'makedev', which isn't required anymore).

Steps we will be going through: 1. Getting the kernel sources 2. Updating the kernel sources to the most recent (stable) version 3. Configuring the kernel (changing the default configuration, to include for example tv-cards or hardware that isn't supported in the default 'stock' kernel. 4. Building (compiling) the new kernel & modules 5. Installing the new kernel 6. Testing the new kernel


Step 1: Install the kernel sources


Go to the 'Configuration menu', Distributions, src, sys. Uuse the space-key to tag it, tab & enter to confirm. After everything is done, exit sysinstall.

Lacking a bit of creativity, I will call my new kernel 'FREEBSD62'. I suggest you take your own name, in capitals. You can add a version number to it, so in the future you can find your old configurations easily.


[edit make.conf]<FIXME>
cd /usr/src
make update

Step 3: Performing the kernel configuration (If your architecture is amd64, replace 'i386' with 'amd64')

cd /usr/src/sys/i386/conf/

Copy the default kernel configuration to a new file:


Replace FREEBSD62 with a descriptive name for your freeBSD machine (I added '62' to easily remember that this machine is a FreeBSD version 6.2 installation) Now we can make the modifications (if any) to the new file:

nano FREEBSD62

Add any options you wish to include in your new kernel.

Kernel configuration item: Result:
options BRIDGE Required for using this PC as a router
options IPFILTER Required for using this PC as a router
options IPFILTER_LOG Required for using this PC as a router
device pf PF Firewall
options ALTQ ALTQ Traffic Shaping
options ALTQ_CBQ ALTQ Traffic Shaping
options ALTQ_RED ALTQ Traffic Shaping
options ALTQ_RIO ALTQ Traffic Shaping
options ALTQ_HFSC ALTQ Traffic Shaping
options ALTQ_CDNR ALTQ Traffic Shaping
options ALTQ_PRIQ ALTQ Traffic Shaping
device speaker #PC speaker You can play sound (also MP3) through the pc internal speaker
device dummynet #dummy networking device Required for OpenVPN? <FIXME>
device pass Required for access to USB disks, flashdrives, etc.??
options EXT2FS # linux FS Allows acces to EXT2FS Linux Extended File System v2
pseudo-device snp 'snoop' device, allows you to 'spy' on other terminals.

Other stuff: options SUIDDIR device vn options NMBCLUSTERS=65535

config FREEBSD62
cd ../compile/FREEBSD62
make cleandepend; make depend
make install

Restart your system by entering the command:


And voilá, you have built, installed and booted your new kernel. Confirm this (after logging in) by entering:

uname -a

It will tell you something like: FreeBSD 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Mon Jan 4 01:56:50 CEST 2007 This contains the FreeBSD version (FreeBSD 6.2-RELEASE), the compilation date (Mon Jan 4 01:56:50 CEST 2007, in my case) and the 'name' of the kernel (FREEBSD62)

FIXME:what if some kernel option names have changed with the kernel-source-upgrade?

=================== Increasing security a (small) bit


This will probably -decrease- security, but helps me out if someone needs restricted root access and I am not willing to give him the root password. Install package:

pkg_add -r sudo


Configure package:

nano /etc/rc.conf

Bash 3.0 with Syslog-command logging

I'd like to have record of all commands I type in my bash console. This will help recover from stupid mistakes as well as (very unlikely) have something to look into in case somebody succesfully compromised my PC. Locally stored logfiles arent really hard to modify for a hacker, I know.. The option I've found isn't perfect (allows thousands of ways around it), but it will do for the time being, and I will like its simplicity.

Copy (with WinSCP for example) the file bash-3.0-syslog.patch to your FreeBSD installation.

cd /usr/ports/shells/bash/

After the installation has downloaded, tested, extracted the files and has applied the patches, press CTRL-C when you see: "— Configuring for bash-3.0.16_1", then

cd /usr/ports/shells/bash/work/
patch < /home/freebsd/bash-3.0-syslog.patch
make install
nano /etc/syslog.conf		/var/log/bash.log
touch /var/log/bash.log
killall -1 syslogd

Re-login, and check /var/log/bash.log. It should show the last commands you have entered.

mrtg (Multi Router Traffic Grapher)

This is a tool to monitor the traffic load on network-links. I use it to see how much data goes through my DSL router (which supports SNMP, which is required for mrtg to work). My router doesn't have nice graphics on how much traffic it is sending to/receiving from the internet. mrtg checks every few minutes (using a cron-job) how much data has passes the router in either way (incoming & outgoing traffic). It stores this data, and generates nice diagrams in .png format. Click for an <FIXME:example> If any computer on my network would be sending out spam continuously, or if I have neglected to set a upload-rate limit for my peer-to-peer sharing software, this will show up in the diagrams, as the amount of data sent to the internet will be much higher than normal.

There is a windows application that can do much the same, it's called 'PRTG' (, you can download a 30-day trial version for free.

My DSL router has 3 interfaces: * 'ppp'-interface to connect to the internet (Point-to-Point-Protocol) * 'ethernet'-interface (one interface, but 4 physical ethernet ports as it does some switching too) * 'usb'-interface (which I don't use, and I won't include it in the configuration)

The snmp-data required from the router is always from the view of the router (how the router sees it coming in/out). What comes in on the ethernet-device (shown as incoming traffic on this device), goes out to the internet on the ppp-device (shown as outgoing traffic on this device). I'll use the ppp-interface to gather my statistics from, and not the ethernet device, because this device will also count the few bytes to the router itself (web configuration, dhcp-traffic, snmp traffic), which would impurify the statistics a bit.

pkg_add -r mrtg

As a regular user (non-root):

mkdir ~/mrtg
cd ~/mrtg
./cfgmaker --global 'Workdir: /home/freebsd/mrtg' --global 'Options[_]: growright' --output /home/freebsd/mrtg.cfg
nano mrtg.cfg
  EnableIPv6: no
  Workdir: /home/freebsd/mrtg
  Options[_]: growright
  Target[]: 4:public@
  SetEnv[]: MRTG_INT_IP="" MRTG_INT_DESCR="ppp-channel-1"
  MaxBytes[]: 115920
  Title[]: Traffic Analysis for 4 -- CopperJet RouterPlus
  PageTop[]: <H1>Traffic Analysis for 4 -- CopperJet RouterPlus</H1>
     <TR><TD>System:</TD>     <TD>CopperJet RouterPlus in Earth</TD></TR>
     <TR><TD>Maintainer:</TD> <TD></TD></TR>
     <TR><TD>Description:</TD><TD>ppp-channel-1  </TD></TR>
     <TR><TD>ifType:</TD>     <TD>ppp (23)</TD></TR>
     <TR><TD>ifName:</TD>     <TD></TD></TR>
     <TR><TD>Max Speed:</TD>  <TD>927.4 kbits/s</TD></TR>

Replace '' with the ip-address of your snmp-capable router (or other device that supports snmp) the "_4" is the device number of the ppp-interface on this device (yours might be different..)

Now we're going to get mrtg to run every 5 minutes to gather the statistics from the router, and we'll use a cronjob for this task. Start the cronjob editor:

crontab -e

Add the following line, replacing '/home/freebsd/mrtg/' with the location you've chosen to put the cfg file:

Here's a nice page on crontab / cron

Mail server configuration

This section will show you how you can handle e-mail on your FreeBSD server. It includes the Postfix mail transfer agent, ClamAV as a e-mail virusscanner, SpamAssassin to detect SPAM, procmail to do advanced custom mail processing/sorting, the courier IMAP / IMAPS server, the Squirrelmail webmail application, and a basic console e-mail reader (mutt).

The Postfix / Courier-IMAP / clamsmtp/clamav / SpamAssassin / Procmail setup is pretty common.

X-Windows (xorg)

X-Windows is not required if you want to use your FreeBSD pc just for server tasks, and I suggest that you install X-Windows only if you want to use your FreeBSD machine as a workstation too. Installing xorg 7.2 on FreeBSD together with the Gnome and KDE desktop managers, Synergy, TightVNC, NVidia driver, Pidgin instant messaging (ICQ/MSN/...), Mozilla Thunderbird, Firefox, Last.FM radio/audioscrobbler, and as a Microsoft Office alternative for MS Word, MS Excel, and other parts of the Microsoft Office Suite.

System health

virusscanner smartmontools file checksummer / integrety … portaudit monit applications/services/daemon checker


Tool to monitor hard disk health status on a regular basis, by using the SMART feature that is available on most modern harddisks.


From /usr/ports/sysutils/smartmontools/pkg_descr: The smartmontools package contains two utility programs (smartctl and smartd) to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (S.M.A.R.T.) built into most modern ATA and SCSI hard disks. It is derived from the smartsuite package, and includes support for ATA/ATAPI-5 disks.

cd /usr/ports/sysutils/smartmontools
make install

/* pkg_add -r smartmontools */

cp /usr/local/etc/smartd.conf.sample /usr/local/etc/smartd.conf
echo 'smartd_enable="YES"' >> /etc/rc.conf
nano /usr/local/etc/smartd.conf

Change the line: DEVICESCAN to (.. and do not forget to change <your_email_address>..): DEVICESCAN -a -o on -S on -s (S/../.././02|L/../../6/03) -m <your_email_address>

To start the smart monitoring tools (no reboot required):

/usr/local/etc/rc.d/smartd start

Testing it: FIXME

Network connectivity

isc dhcp server bind/named bounce trafshow netcat nmap

Hardware configuration

See also: brooktree tv card

Soundcard on FreeBSD


Let's start by trying the snd_driver kernel module, which is a 'wrapper' for all the available kernel sound modules:

kldload snd_driver

Check which driver was eventually used:


Example output: ... pcm0: <VIA VT8237> port 0xe800-0xe8ff irq 22 at device 17.5 on pci0 pcm0: <Avance Logic ALC850 AC97 Codec> pcm0: <VIA DXS Enabled: DXS 4 / SGD 1 / REC 1>

Find out the correct driver name:

cat /dev/sndstat

FreeBSD Audio Driver (newpcm) Installed devices: pcm0: <VIA VT8237> at io 0xe800 irq 22 kld snd_via8233 (5p/1r/1v channels duplex default) Look for snd_*, in my case the kernel module to use is snd_via8233 (on my other pc it's 'snd_ich') Now I'll unload all drivers, and re-load only the correct one (for me that'll be snd_via8233, you should use the module name which we saw in the previous step):

kldunload snd_driver
kldload snd_via8233

Test it: Method 1: dumping some random noise to the soundcard:

dd if=/dev/random of=/dev/audio0.0 bs=10K count=1

Method 2: playing a mp3 file (TODO: download link to mp3 file) This requires mpg321 to be installed

portinstall mpg321
mpg321 <some_file.mp3>

Have the correct module load on system startup (replace 'snd_via8233' with module name which we saw in the previous step):

nano /boot/loader.conf


Now you can install other music players, mp3blaster, xmms (if you're using X-windows)

Optional: Change the number of channels(?):

sysctl hw.snd.pcm0.vchans=4

/* sysctl -a | grep snd

hw.snd.pcm0.hwvol_step: 5 hw.snd.pcm0.hwvol_mixer: vol

sysctl -a | grep snd pcm0: <Intel ICH5 (82801EB)> port 0xe800-0xe8ff,0xee80-0xeebf mem 0xeffff800-0xeffff9ff,0xeffff400-0xeffff4ff irq 17 at device 31.5 on pci0 pcm0: <Analog Devices AD1985 AC97 Codec> pciconf -lv */

DVD/CD Burning with FreeBSD


Installation of burn software:

cd /usr/ports/sysutils/cdrtools
make install

cd /usr/ports/sysutils/dvd+rw-tools
make install

If you are running X, you might want to try out 'K3b' which has a nicer GUI

Another way (you might need to change the speed, or cd0 to cd1, depending on model & how it's connected):

growisofs -dvd-compat -speed=6 -Z /dev/cd0=</path/to/file.iso>

Executing 'builtin_dd if=<some_iso_file> of=/dev/pass0 obs=32k seek=0' /dev/pass0: "Current Write Speed" is 6.1x1352KBps. 32768/4196419584 ( 0.0%) @0.0x, remaining 12806:21 RBU 100.0% UBU 100.0% 32768/4196419584 ( 0.0%) @0.0x, remaining 21343:55 RBU 100.0% UBU 100.0% 32768/4196419584 ( 0.0%) @0.0x, remaining 27747:06 RBU 100.0% UBU 100.0% 32768/4196419584 ( 0.0%) @0.0x, remaining 34150:17 RBU 100.0% UBU 100.0% 32768/4196419584 ( 0.0%) @0.0x, remaining 42687:51 RBU 100.0% UBU 100.0% 32768/4196419584 ( 0.0%) @0.0x, remaining 49091:01 RBU 100.0% UBU 100.0% 32768/4196419584 ( 0.0%) @0.0x, remaining 55494:12 RBU 100.0% UBU 100.0% 5111808/4196419584 ( 0.1%) @1.1x, remaining 409:57 RBU 100.0% UBU 50.5% 30375936/4196419584 ( 0.7%) @5.5x, remaining 75:25 RBU 100.0% UBU 97.9% 58195968/4196419584 ( 1.4%) @6.0x, remaining 42:39 RBU 100.0% UBU 97.9% 86048768/4196419584 ( 2.1%) @6.0x, remaining 31:50 RBU 100.0% UBU 97.9% 113901568/4196419584 ( 2.7%) @6.0x, remaining 25:41 RBU 100.0% UBU 97.9% 141754368/4196419584 ( 3.4%) @6.0x, remaining 21:55 RBU 100.0% UBU 97.9% 169607168/4196419584 ( 4.0%) @6.0x, remaining 19:47 RBU 100.0% UBU 97.4% :-( unable to WRITE@LBA=14dc0h: Input/output error :-( write failed: Input/output error /dev/pass0: flushing cache :-( unable to FLUSH CACHE: Input/output error :-( unable to SYNCHRONOUS FLUSH CACHE: Input/output error

For cd-rom burning (no dvd-r, dvd+r, or dvd+-rw and such) you can use the free version of cdrecord. It doesn't do DVD media, at least, not in the free version. Usage:

cdrecord -v -multi -data speed=32 dev=1,1,0 </path/to/file.iso>

'-v' means 'verbose', -multi enables multi-session, -data =?

Your 'dev'-line will likely be different, find out the correct values for your cd/dvd burner by entering:

cdrecord -scanbus

Adjust the burn speed if needed, make sure you don't burn faster than your recordable/rewritable media is capable of.


The 'DACAL DC-300 CD Library II' is a 150 cd-changer / jukebox system, with an USB connection for controlled ejecting/inserting disks (there is no cdrom device inside, it's just for catalogizing your cd collection) The device comes with Windows drivers & cd catalog software, and you can connect multiple Dacal DC300 units to another, allowing you to control/catalog/store more than 150 cd's. The manufacturer does not provide drivers or support for Linux or FreeBSD/NetBSD/OpenBSD for its DC-300 unit.

Manufacturer Product URL:

I recently got some of these, as they were a lot cheaper than the 'Imation Disc Stakka' (a similar device, which just holds 100 disks). I also have 2 defective "Kubik Multiple CD-ROM 240 DISK CHANGER" -devices / -Jukebox units, which do have internal cd-rom drives (2 speed scsi cd-rom.. no dvd) waiting for extensive revisioning/upgrading.

There are two tools for controlling the Dacal units, I'll start with the smallest one:

There is a sourceforge project for a Linux changer control application, and it works on FreeBSD URL: Make sure you've installed Linux compatibility & Libusb (/usr/ports/devel/libusb), then download Dacal.c from Download URL:

Now compile it (I've had to edit 'Dacal.c' and remove the line '#inculde <malloc.h>' before compiling):

gcc Dacal.c -o Dacal -I/usr/local/include -L. -lnsl -lm -lc -L/usr/local/lib -lusb


gcc Dacal.c -o dacal -I/usr/local/include -L/usr/local/lib -lusb

Copy the created binary executable to a folder in your path:

cp dacal /usr/local/bin

The website also provides a script, but that didn't work for me:

Let's see if it works, by using 'dacal' to scan for Dacal devices on the usb bus:

dacal --list

Scanning for 'DACAL Co.' devices... Scan complete. Found 2 devices. Available 'DACAL Co.' devices: Dev# Bus Device DeviceID Identifier 1 /de /de 9914 DACAL Co. 2 /de /de 9972 DACAL Co. Test it, ejecting disk number 2 from my first Dacal device (having a device id 9914):

dacal 9914 2

For re-inserting, use the same command with the same number as the one you used for ejecting.

Method 2:

I came acros libcdorganizer "control cd organizer devices with a plugin-based architecture. Currently supports Dacal DC-300 and KDS CDM-751". I've tried compiling the source, and days later somehow I ended up downloading FreeBSD-i386 binaries, which worked nicely: Installation: Go to the download url for libcdorganizer, and download the latest FreeBSD binaries for libcdorganizer, libcdorganizer-modules, and libcdorganizer-utilities.

Extract the files:

cd /
tar -jxvf <?>/libcdorganizer-freebsd-i386-2.1.1.tar.bz2
tar -zxvf <?>/libcdorganizer-utilities-freebsd-i386-2.1.0.tar.bz2
tar -zxvf <?>/libcdorganizer-modules-freebsd-i386-2.1.0.tar.bz2
/usr/local/bin/lcdoctl -p

dacalDC300 - Id = 10170 Use the Id value you get (here it is 10170, your will be different) for identiyfing the DACAL units. Every unit probably has an unique number, you might want to write it with a sticker on the device itself. Without the correct ID value, it will give the error "Could not find device by id: 4294967295"

/usr/local/bin/lcdoctl -e 20 -d 10170

Connecting more than one DACAL unit (daisy chaining them with USB cables) works too, you will see the unit id's of the other DACAL units with the same 'lcdoctl -p' command.

If ejecting or inserting the cd does not work (for example when something is mechanically blocking the ejector), the display of the DACAL unit will show a '505' (or SOS) code, which you can overcome

Lets try to eject cd in the last slot (number 150, as slot numbering starts with 1, not with 0):

 /usr/local/bin/lcdoctl -e 150 -d 10170

Ejecting a disk when the ejector is already out won't work, and won't produce any error message. The ejector will automatically retract/pull back when idle for too long.

Inserting the disk:

/usr/local/bin/lcdoctl -i 0 -d 10170

The number (here 0) behind the '-i' parameer is just ignored by the utility, as the DC-300 only rotates its caroussel when ejecting.

Maybe in the near future, I'll build a web interface for it, and attach it to my MySQL database.. throw in a slot-loading dvd-writer, and have 3(units)x 150(dvd-r)x 4.5GB = just enough storage (2000GB, or 2TB for short) for all my mp3 music files ;)

By the way, I've disabled UHID in the kernel, but can't confirm this step is required to get things working -


A few days ago, I've bought a Gembird SilverShield SIS-PM 4 socket USB controlled power outlet. It comes with a control application for Windows, but I've also seen a Linux application for controlling the 4 controllable power sockets on it. It's certainly not expensive: I've paid less than 30 euro for it. I didn't know for sure if I'd be able to get this Gembird SIS-PM working with FreeBSD, but I tried, and was succesfull (using Linux emulation).

By the way, I've disabled UHID in the kernel, but can't confirm this step is required to get things working

Linux tools are available at using LibUSB). I've downloaded the most recent version at the sispmctl website

Make sure you've installed LibUSB:

cd /usr/ports/devel/libusb
make install

Compiling the Linux sispmctl tool:

cd /usr/src
tar -zvxf sispmctl-2.4b.tar.gz
cd /usr/src/sispmctl-2.4b
cd /usr/src/sispmctl-2.4b/src
gcc sispm_ctl.c nethelp.c main.c socket.c -o sispm_ctl -I/usr/local/include -L/usr/local/lib -lusb

Test it (the next command enables power on the first socket)

./sispm_ctl -o 1

Accessing Gembird #0 USB device /dev/ugen0 Switched outlet 1 on Switching socket number 1 off can be done with the parameter '-f 1'

Read the safety instructions in the booklet provided with the device: Maximum load current 10A. Don't switch high inductive loads, such as big motors, electric drills, washing machines. Personally I would not switch all sockets on at the same time, depending on the devices I've connected, and would leave a few seconds in between.

references: sispm_ctl.c:33:17: usb.h: No such file or directory

External USB 2.0 harddisk drive

After installing my new kernel, it works without problems (the device requires that the jumper on the IDE harddisk is set to 'master'): Plug it in, and check if it's detected by FreeBSD:


umass0: Genesyslogic USB Mass Storage Device, rev 2.00/0.33, addr 2 da0 at umass-sim0 bus 0 target 0 lun 0 da0: <WDC WD20 00JB-00EVA0 0811> Fixed Direct Access SCSI-0 device da0: 40.000MB/s transfers da0: 190782MB (390721968 512 byte sectors: 255H 63S/T 24321C)

Creating a new mountpoint, and mount the device

cd /mnt/
mkdir usb
mount /dev/da0<tab key to use autocomplete>

da0 da0s1 da0s1a da0s1b da0s1c da0s1d da0s1e da0s1f da0s2 da0s2c da0s2d

mount /dev/da0s1a /mnt/usb

If the partition on the drive is FAT32, NTFS or Ext2FS you might need the '-t <fstype>' parameter of mount, e.g.:

mount -t msdosfs /dev/da0s2 /mnt/usb

(?) check for correctness

Some (possibly useful) scripts

Here are some scripts I regularly use to perform various tasks.

Some basic shell scripting info at How to write a shell script

reboot safety protection against accidental use

I manage several servers remotely, and it happened to me, more than once, that I rebooted the wrong machine, because I didn't notice I was entering the command in the wrong terminal window. So I came up with a small shell script, that will 'wrap around' the original reboot command, providing some protection against quick fingers by requiring the hostname to be entered as an extra parameter. This way, as a safety measure, I will have to enter 'reboot freebsd62' (replacing freebsd62 with the name of the host I want to reboot) instead of just 'reboot' to restart the machine. As root:

mv /sbin/reboot /sbin/reboot-unsafe
nano /sbin/reboot

#!/bin/sh HOSTNAME=`hostname -s` if [ "$1" = "$HOSTNAME" ]; then echo Now rebooting `hostname -s` $2 $3 $4 $5 $6 $7 /sbin/reboot-unsafe $2 $3 $4 $5 $6 $7 exit 127 fi echo Safety lock for reboot, requiring hostname echo "Usage: reboot [hostname] [extra parameters]" echo "E.g: reboot $HOSTNAME"

chmod ugo+rx /sbin/reboot

Test it (make sure you have no other large tasks running in the background, like kernel compiles that you better not abort):


It shouldn't reboot, but just give you the syntax of the new reboot command.

You can always use the old reboot command if you want to, by entering:


ff (find-file)


ff <i>some-pattern</i>

Will find files down the directory structure which have a filename containing 'some-pattern'

nano /bin/ff

#!/bin/sh find . -print | grep -i "$1"

chmod ugo+x /bin/ff


nano /bin/forall

#!/bin/sh if [ 1 = `expr 2 \> $#` ] then echo Usage: $0 [directory] [command_to_run] [optional_arguments] echo Where [directory] is the directory containing the filenames you want to use as a parameter of [command_to_run] exit 1 fi dir=$1 shift find $dir -type f -print | xargs "$@"

chmod ugo+x /bin/forall


forall /etc cat

Will run cat /etc/<firstfile>, cat /etc/<nextfile>, cat /etc/<nextfile>, … , cat /etc/<lastfile>


Sometimes, you might want to have an audible beep coming from your pc's internal speaker to get your attention. You can use it in scripts you write, or wherever it suits you:

nano /usr/local/bin/beep #!/bin/sh /usr/bin/perl -e 'print "\a"'

There must be an even easier way for this.. haven't found it though. (like /usr/ports/audio/beep .. but that requires 'device speaker' in the kernel, doesn't it? )

Enhancing security

Blocking SSH/FTP access from IP's which repeatedly fail authentication for ssh, ftp, … (configurable): URL: FIXME

PuTTY / SSH-client

To connect from a windows machine to this FreeBSD machine you will need a ssh-client. A good one is Putty. I suggest you download the full installation package, as it will also include nice tools for key-management.

To get putty to connect to a ssh-server (like the one our FreeBSD machine is running) Go to Start → Programs → Putty → PuTTYgen (the authentication-key generator) Click on 'Generate' and follow the instructions. After a key has been created, you can optionally protect it with a password (so whenever this key is loaded in your authentication-key agent, this password is asked). Click on "save private key" and "save public key" to save both keys under meaningful names like: key_freebsd62-private.ppk and key_freebsd62-public.ppk (ppk file extension is needed for PuTTY agent).

Read on with (chapter 8 too)

You might notice there's a problem with the 'Home' and 'End' keys, they're just generating the '~'-character. To fix this, enter:

export TERM=linux

Add the same command to ~/.bash_profile, or ~/.bashrc, or ~/.profile, and everything.

If the backspace key doesn't work as expected, there are a few ways to fix it. Fixing the backspace key can be done inside the putty configuration. In putty, click 'Change Settings…' → Terminal → Keyboard Here, set 'The Backspace key' to 'Control-H'. Save, re-login, and test.

If connecting to your FreeBSD machine takes a long time, there might be a problem with reverse DNS lookups. You can add the following line aftet the last line in /etc/ssh/sshd_config: UseDNS no Which will disable DNS lookups. You will have to restart OpenSSH for this to work.

Password-less login with ssh

If you have accounts on more than one server (e.g. ServerA and ServerB), it is possible to login from ServerA to ServerB, without having to enter a password. This is done by creating a key from the computer you are logging in -from- (ServerA), and adding this key to the .ssh/autorized_keys file in the homedir of the user account on the server you are logging in -to- (ServerB)


(Any comments from other professionals on my choice of rsa vs. dsa are welcome)

Configure sshd to allow access based on private key authentication:

nano /etc/ssh/sshd_config

#AuthorizedKeysFile .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys

On ServerA, where <freebsd_username_on_ServerA> is the user that should get passwordless access to ServerB:

su <freebsd_username_on_ServerA>
ssh-keygen -t rsa

Generating public/private rsa key pair. Enter file in which to save the key (/home/<freebsd_username_on_ServerA>/.ssh/id_rsa): (just press enter) Enter passphrase (empty for no passphrase): (just press enter) Enter same passphrase again: (just press enter) Your identification has been saved in /home/<freebsd_username_on_ServerA>/.ssh/id_rsa. Your public key has been saved in /home/<freebsd_username_on_ServerA>/.ssh/ The key fingerprint is: 35:c3:4c:89:cb:e5:08:13:d4:23:49:3f:07:c9:eb:d6 <freebsd_username_on_ServerA>

Now, the file .ssh/ exists, and contains the public key, which we will copy to ServerB. There are two ways to do this. Method 1: copy the file to ServerB with "scp", and then logging into the ServerB to add the contents of to .ssh/authorized_keys; Method 2, which I will use, uses cat & ssh with a network pipe. cat sends the contents of to ssh trough a pipe, and on the ServerB side, cat is used again to add the key directly to the file .ssh/authorized_keys on ServerB:

Make sure you are the correct user (use 'su' if you need to), then:

cat ~/.ssh/ | ssh <ServerB> -l <username_on_ServerB> 'cat >>.ssh/authorized_keys'

If this doesn't work, you can try the 'longer' method:

scp ~/.ssh/ <username_on_ServerB>@<ServerB>:~ 
ssh <ServerB> -l <username_on_ServerB> -C cat \~/ \>\> \~/.ssh/authorized_keys

Test it:

ssh <ServerB> -l <username_on_ServerB>

If you want to make a SSH connection from your Windows pc to your FreeBSD server, use PuTTY. If you don't want to enter your password everytime you connect to your FreeBSD machine, you can use the Pageant (Putty SSH authentication agent) application to remember your passwords and enter them for you. This application comes with the PuTTY Windows installer, which you can find on the PuTTY website.

Read the PuTTY manual, Chapter 9 or follow these PuTTY/PuTTYgen/PageAnt configuration instructions with nice screenshots (skip the SourceForge related stuff, that's not required)

You can create a shortcut of your .PPK file, and place it in the Start Menu → Startup folder, so your key gets loaded upon windows boot.


Check which TCP sockets are listening:

sockstat -4

Increasing security by disallowing normal users to list/enter root folder:

chmod 700 /root

(this is about the same as 'chmod go-rx /root')

Clear the /tmp folder on a regular basis: /etc/rc.conf:


Increasing security by disallowing normal users to see processes of other users:

nano /etc/sysctl.conf

Increasing security by using Blowfish-encryption for passwords

nano /etc/login.conf
  :	passwd_format=blf:\

(note: between ':' and 'p' is a TAB, not a space!) Below :ignoretime@:\, add:

  :	idletime=30:\ 

Inactive users will be logged out after 30 minutes. Rebuild login-database:

cap_mkdb /etc/login.conf

Change root password:


And for other users:

passwd <username>
more /etc/master.passwd

Passwords should start with $2. Change the adduser tool to Blowfish:

nano /etc/auth.conf


A VPN (Virtual Private Network) allows users that are not directly connected to your network to 'log in' to your network from any location (e.g. over the internet) and use all network resources that are available to regular users that are directly connected you your network. This VPN software works in Linux, FreeBSD and Windows. (v2.0.6)
URL: (only windows and Linux examples)
BEST for bridging: URL

Others, possibly old:
Windows URL: OpenVPN GUI


portinstall security/openvpn

First decide if you need routing or bridging ( I need 'bridiging', because (quote): "you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server."

I've got a private network. I know that all of the clients don't use the 10.*.*.* network, which is vital to avoid problems.

–server-bridge and –secret cannot be used together … must use SSL/TLS keys) cp -R /usr/local/share/doc/openvpn/easy-rsa /home/<my_freebsd_username>

Follow the instructions in the 'Creating Certificates'-section of this page: Copy the resulting files: ca.crt, and the right clientXXX.crt/clientXXX.key file combination to the client's 'config' folder.

Client configuration file:

dev tap
remote 1194

ca ca.crt
cert sebastiaan.crt
key sebastiaan.key


Configuration: Edit /etc/rc.conf to have openvpn start on next boot, and to configure basic the type of network (routed/bridged, tun/tap)

nano /etc/rc.conf
openvpn_enable="YES"  # YES or NO

For a bridged network:

ifconfig_bridge0="addm rl1 up"

Edit the OpenVPN configuration files:

mkdir /usr/local/etc/openvpn
nano /usr/local/etc/openvpn/openvpn.conf

Copy/paste the following configuration data:

Next, start the VPN server:

/usr/local/etc/rc.d/openvpn start

Check which(udp or tcp) port numbers OpenVPN uses, and configure port forwarding on your router accordingly (port number 1194 or 5000?)

If you have a working basic configuration, you might want to add bridging. Bridiging in FreeBSD is done differently than it is done in Linux. or search on "openvpn freebsd bridge"

Copying FreeBSD to another harddisk

After you have installed FreeBSD, I'm going to show you how to copy the complete installation to another drive. This also works if you have created a virtual machine in VMware and want to copy the files to a real harddrive. There are a few ways to do this:


The easiest is using 'dd'. This makes a 1:1 copy of harddisk-A to harddisk-B. I think it's comparable with Norton Ghosts 'clone entire disk' function.

It's best done in FreeBSD 'single user mode', to prevent data corruption. Switch to single user mode (entering 'shutdown now' will do the trick), alternatively you can reboot, and at the boot prompt press the space bar. You'll see the boot prompt: Type '?' for a list of commands, or 'help' for more detailed help Enter:

boot -s

Enter full pathname of shell or RETURN for /bin/sh: Press the enter key and you will see the root prompt: #

WARNING: if you have the device names wrong (or if your mistakenly mix 'if' with 'of'), you will destroy the data on the original harddisk.

dd if=/dev/ad0 of=/dev/ad1 bs=1M

if = where dd pulls the data from (remember 'i' as in 'IN') of = where dd puts the data to (remember 'o' as in 'OUT') bs = the blocksize, or how many bytes of data to read/write at once.

Depending on the size of your 'from'-harddisk, and the read/write speeds, it will take a while to finish (and it won't tell you how long it takes) Most harddisks nowadays are capable of 25MB/second writes or better. If your original harddisk is 80GB, it'll take less than an hour to finish.

After copying is done, umount all partitions (by hand?), and shutdown your computer (so you can disconnect cables from the newly prepared harddisk)

dump / restore

URL (english): (dutch version here)
Here is a good article on the subject Migrating FreeBSD From One Harddrive To Another. It's currently better than my text.

To copy a prepared FreeBSD 6.2 installation to a new hard disk drive, first use the FreeBSD installation cdrom and install the base system on the new harddisk (create and mount the correct partitions!) (to make sure you don't overwrite your existing installation and the the bootsector is written correctly, do this on another pc, or disconnect the harddisk with the fully prepared FreeBSD 6.2 installation, and connect the new hard disk drive instead) Write down the device names of your partitions and where you've mounted them (e.g.: /dev/ad0s1a is mounted on '/', /dev/ad0s1d is mounted on '/usr', /dev/ad0s1e is mounted on '/var', /dev/… is swap)

If you're done, connect both harddisks (and make sure that the 'full' one is booted from) When FreeBSD has booted, mount the partitions of the second harddisk at /mnt/newroot/ The device names (/dev/… may differ, depending on how you've connected the new hardisk and how you've partitioned it.

mount /dev/ad2s1a /mnt/newroot
mount /dev/ad2s1d /mnt/newroot/usr
mount /dev/ad2s1e /mnt/newroot/var
mount /dev/ad2s1f /mnt/newroot/tmp

You don't need to mount the swap partition.

/sbin/dump -0uan -f - /usr | gzip -2 | ssh -c blowfish \

    <username_on_target_machine>@<> dd of=/mnt/<large_storage_space_disk>/dump-usr-<sourcemachine_identifier>.gz
DUMP: WARNING: should use -L when dumping live read-write filesystems!
 ls -al / | grep snap
  drwxrwxr-x   2 root  operator     512 Sep  4 01:47 .snap
chmod 0770 /.snap/
ls -al / | grep snap
  drwxrwx---   2 root  operator     512 Sep  4 01:47 .snap


dump -L ...
mkdir /mnt/root
mount /dev/ad2s1a /mnt/root
mkdir /mnt/root/var
mount /dev/ad2s1f /mnt/root/var
mkdir /mnt/root/var/maildir
mkdir /mnt/root/usr/local/www
mount /dev/ad2s1d /mnt/root/var/maildir
mount /dev/ad2s1e /mnt/root/var/www
?cd /dir; dump 0af - / | restore xf -
cd /mnt/root; dump -oaf - /var | restore xf -
cd /mnt/root/var; dump -oaf - /var | restore xf -
cp -Rp /var/www /mnt/root/var/www
umount /mnt/root/var/maildir
umount /mnt/root/var/www
umount /mnt/root/var
umount /mnt/root

'Things to do' after copying all to a new harddisk

Remember that the copy of the disk you've just created contains a lot of security sensitive information: passwords (in different locations), private ssh-keys, mysql databases & root password, and perhals even SSL certificates. Make sure to change passwords, ssh-keys, and remove all other private stuff if you're using this disk copy to quickly setup another server! /* /etc/passwd, /etc/ssh/*, */.ssh/*, *muttrc*, mysql root password */

If you'll be using this copy of your FreeBSD installation in another server, It's likely that some device names will change, for example, the name of the network interface changed from /dev/em0 to /dev/sk0 when I put the drive in another pc, so I had to edit /etc/rc.conf. Edit /etc/rc.conf to correct the hostname and network settings too (and adjust /etc/hosts and /etc/resolv.conf too)

Backup with FreeBSD

See also: rsync


  1. Harddisk based backup (but in the future I want to use dvd-disks)
  2. FreeBSD/Linux/Windows* compatible, one tool for all os's
  3. Network based (over the internet to another location)
  4. transmitting only the file differences during backups, preserving bandwidth
  5. detecting file renames / moves (by file checksum?), so preserving diskspace
  6. Diskspace conservative: no backupped file should be more than once in the backup
  7. A Daily incremental backup should take less than 24hours :)
  8. Verify-backup functionality (SHA1-hash?)
  9. Ease of restore
  10. No 'fatal backup-errors' when I haven't used my laptop (which is supposed to be backuped every day) for a few days
  11. Possibility to make 4.7GB big backup files that can be backed up to DVD.
  12. Possibility to restore older versions of a file than the last backed-up

Backup system using hardlinks:




pkg_add -r lynx pkg_add -r ncftp

$ perl -MCPAN -e shell Are you ready for manual configuration? [yes] CPAN build and cache directory? [/root/.cpan] Cache size for build directory (in MB)? [10] Perform cache scanning (atstart or never)? [atstart] Cache metadata (yes/no)? [yes] Your terminal expects ISO-8859-1 (yes/no)? [yes] File to save your history? [/root/.cpan/histfile] Number of lines to save? [100] Policy on building prerequisites (follow, ask or ignore)? [ask] Where is your gzip program? [/usr/bin/gzip] Where is your tar program? [/usr/bin/tar] Where is your unzip program? [/usr/local/bin/unzip] Where is your make program? [/usr/bin/make] Where is your lynx program? [] /usr/local/bin/lynx Where is your wget program? [/usr/local/bin/wget] Warning: ncftpget not found in PATH Where is your ncftpget program? [] Where is your ncftp program? [] /usr/local/bin/ncftp Where is your ftp program? [/usr/bin/ftp] Where is your gpg program? [/usr/local/bin/gpg] What is your favorite pager program? [more] What is your favorite shell? [/usr/local/bin/bash] Your choice: [] Your choice: [] Your choice: [] Timeout for inactivity during Makefile.PL? [0] Your ftp_proxy? Your http_proxy? Your no_proxy? Select your continent (or several nearby continents) [] 4 Select your country (or several nearby countries) [] 21 .. (4) .. Select as many URLs as you like (by number), put them on one line, separated by blanks, e.g. '1 4 5' [] Enter another URL or RETURN to quit: [] install Apache::MP3

cd /usr/local/etc/apache22/
nano httpd.conf

AddType audio/mpeg mp3 MP3 AddType audio/playlist m3u M3U AddType audio/x-scpls pls PLS AddType application/x-ogg ogg OGG <Location /songs> SetHandler perl-script PerlHandler Apache::MP3 </Location>

# Or use the Apache::MP3::Sorted subclass to get sortable directory listings <Location /songs> SetHandler perl-script PerlHandler Apache::MP3::Sorted </Location> mount_nullfs /mnt/muziek/ /var/www/

—- Unsatisfied dependencies detected during [L/LD/LDS/Apache-MP3-4.00.tar.gz] —–


Shall I follow them and prepend them to the queue of modules we are processing right now? [yes]

Please provide a full path to 'apxs' executable (press Enter if you don't have it installed): Please provide the location of the Apache directory: FIXME /usr/local/share/apache22/

Do you want to install Inline::C? [y]

Shall I … [y]

named, rc.conf hostname + te starten apps

find . -mtime +1 # find files modified more than 48 hours ago

Directories to backup:



cd /usr/ports/sysutils/bacula-client/work/bacula-2.0.3/src/cats nano ./grant_mysql_privileges change:




Save, exit, and: ./grant_mysql_privileges -p ... Privileges for bacula granted.

same edit with next files, then: $ ./create_mysql_database -p Enter password: Creation of bacula database succeeded.

$ ./make_mysql_tables -p Enter password: Creation of Bacula MySQL tables succeeded. The FreeBSD port creates this user and group for you

cd /usr/ports/sysutils/bacula-server
make install
cd /usr/ports/sysutils/bacula-client
make install
cd /usr/local/etc/
cp bacula-dir.conf.sample bacula-dir.conf
cp bacula-fd.conf.sample bacula-fd.conf
cp bacula-sd.conf.sample bacula-sd.conf

To start the bacula daemons on a FreeBSD system, issue the following command:

/usr/local/etc/rc.d/ start

To confirm they are all running:

ps auwx | grep bacula

root 63416 0.0 0.3 2040 1172 ?? Ss 4:09PM 0:00.01 /usr/local/sbin/bacula-sd -v -c /usr/local/etc/bacula-sd.conf root 63418 0.0 0.3 1856 1036 ?? Ss 4:09PM 0:00.00 /usr/local/sbin/bacula-fd -v -c /usr/local/etc/bacula-fd.conf root 63422 0.0 0.4 2360 1440 ?? Ss 4:09PM 0:00.00 /usr/local/sbin/bacula-dir -v -c /usr/local/etc/bacula-dir.conf

echo 'bacula=yes' » /etc/rc.conf echo 'baculadir=yes' » /etc/rc.conf echo 'baculasd=yes' » /etc/rc.conf echo 'baculafd=yes' » /etc/rc.conf

bacula conf:

Pool {

Maximum Volume Jobs = 8
Recycle = yes: na 8 backup-sessies? mag er begonnen worden met het opnieuw herbruiken van de 1e volume
RunBeforeJob = "/sbin/mount -o softdep,noatime /dev/sd4a /mnt/sd4a/"
RunAfterJob = "/sbin/umount /dev/sd4a"
Max Start Delay: uren dat gewacht moet worden na het niet kunnen bereiken van een fs totdat er een error verstuurd wordt.
Write Bootstrap: schrijf metadata ook naar fd
Pool Type = Backup
Accept Any Volume = yes
AutoPrune = yes

Mailserver Address


Official URL: Highly optimized file synchronization tool (network capable), transmits only the difference of the files (saving bandwidth & time)

Install package: (version 2.6.6)

pkg_add -r rsync

I found out it's not a good idea to backup your maildir with rsync: # Mail comes in (and gets backed up) # You read it (the filename changes to mark it as 'seen', and the new file gets backed up) # You move it to another folder (and guess.. it gets backed up again). So almost every mail that comes in, is read, and gets sorted is therefore backed up 3 times! Has a link to an mp3 of 'the rsync algorithm'

to prevent rsync 'file has vanished' error messages:


This tool can forward incoming TCP or UDP network connections to another host/port. Usefull if you want to redirect traffic from one port to another, or to another host. There are firewall rules to do this, but sometimes I find it easier to use 'bounce'.

Install package: (version 1.0)

pkg_add -r bounce

Usage: to divert traffic coming in on port 25 to another_host:25, use:

bounce -p 25 25

Optional: add this command to /etc/rc.local to start it automatically when booting.

Java 2 on FreeBSD (v1.5)

New link, URL:

stuff below is older:

When running java, I got an error message (but the program runs without noticable problems): Java HotSpot(TM) Client VM warning: Can't detect initial thread stack location Solution:

mount -t linprocfs linprocfs /compat/linux/proc

or, add the following line to /etc/fstab: FIXME

Not so good alternative, not tested: follow the instructions on this page for downloading the three required files to /usr/ports/distfiles

cd /usr/ports/java/jdk15

Warning: this will install X-Windows too. FIXME


This tool will show a overview of the running processes in a structured tree. This way you can see which process has started another process, etc. portinstall -P pstree


portinstall -P pstree


I'd rather have TrueCrypt working on FreeBSD.. Some people are working on patches for TrueCrypt 5.0 on FreeBSD 7.0 PRERELEASE/RC2, but I wouldn't yet recommend to use it on stable machines, as there were some stability issues. (which may of course be fixed at the time you're reading this.

In the meantime, here is another way to use encryption with the use of CFS (Cryptographic FileSystem):

Quick start instructions:

  /usr/local/cfsd-bootstrap localhost

mountpoint, set the cfsd_mountpoint variable in /etc/rc.conf):

  mkdir /crypt

monit Service Manager

Official URL:

Monit is a tool which periodically checks if all the important services/daemons are running ok, if you're running out of memory/diskspace, etc etc. (monit-4.9)

I had some problems today with clamd failing to load, and because I didn't notice it, some mails couldn't be delivered. Last week, I upgraded all my ports, and didn't notice the dhcp server/daemon (isc-dhcpd) wasn't automatically restarted after the upgrade, until some people started complaining.

Now I've got it running to monitor the following services/daemons: -apache -dhcpd -courier-imap (including courier-authdaemond) -postfix -clamd (including freshclam and clamsmtpd) -spamassassin-daemon mlnet (mldonkey, an e-donkey-/bittorrent-/etc. client with webinterface) proftpd samba (smbd/nmbd)

Still have to configure: -natd(?) NAT (newsgroup/usenet download manager with webinterface) -mysql -backup application(?) -diskspace -system load -(probably even more, don't know yet)

Installation (as root):

cd /usr/ports/sysutils/monit
make install

Configuration: (

echo monit_enable=\"YES\" >> /etc/rc.conf
cp /usr/local/etc/monitrc.sample /usr/local/etc/monitrc
chmod 0700 /usr/local/etc/monitrc

set httpd port 2812 and allow localhost # allow localhost allow # and any host from 10.*.*.* # no password required: # allow admin:monit # require user 'admin' with password 'monit'

I want to send alerts (like services not running, hosts not accessible) to my e-mail address (replace this with your own address): set alert

In case e-mail alerts can't be delivered, they can be stored as files (optional):

mkdir /var/monit

set eventqueue basedir /var/monit # set the base directory where events will be stored # slots 100 # optionaly limit the queue size <html>     Start it: /usr/local/etc/rc.d/monit start <html> Starting monit daemon with http interface at [localhost:2812]

To reload the monit configuration (after you've made changes to the files in the /usr/local/etc/monit.d folder):

/usr/local/etc/rc.d/monit reload

Read more at: /usr/local/share/doc/monit/examples.html

I'll have to see if I can make a mail2sms gateway, so I can receive notifications of problems on my phone

$ mount /dev/ad0s2 /mnt/usb/
mount: /dev/ad0s2 on /mnt/usb: incorrect super block

Sure, it's fat32.. d�hh..

mount_msdosfs /dev/ad0s2 /mnt/usb/
ls /mnt/usb/
c-mon&~2     marcco~1     ratata~1.rat
c-mon&~1     fav.dat      ratata~1     settings.dat

Short filenames (8.3), like fat16.. Hey.. this is VFAT/Fat32, let's retry:

umount /mnt/usb
$ mount_msdosfs -l /dev/ad0s2 /mnt/usb/
mount_msdosfs: /dev/ad0s2: Invalid argument
$ mount_msdosfs -o longnames /dev/ad0s2 /mnt/usb/
mount_msdosfs: /dev/ad0s2: Invalid argument
fsck_msdosfs /dev/da0s1

** /dev/da0s1 ** Phase 1 - Read and Compare FATs FAT starts with odd byte sequence (00000000ffffffff) Correct? [yn] y FAT starts with odd byte sequence (00000000ffffffff) Correct? [yn] y ** Phase 2 - Check Cluster Chains ** Phase 3 - Checking Directories ** Phase 4 - Checking for Lost Files Next free cluster in FSInfo block (32689) not free fix? [yn] y 117 files, 628340 free (157085 clusters)

cp -R /boot/kernel /boot/kernel.GENERIC nano cvs-supfile cvsup cvs-supfile cd sys/i386/conf nano FREEBSD62-4 $ config FREEBSD62-4 ERROR: version of config(8) does not match kernel! /usr/src/UPDATING

      make kernel-toolchain


cd /usr/src update world?/

make buildworld make installworld?

Ping a host by it's MAC address (instead of it's IP) Installation:

portinstall arping

(/usr/ports/net/arping) Usage:

arping <MAC_ADDRESS>

(e.g.: 00:0e:a6:82:11:69) enter 'arp -a' to see the arp/ip tables to test nice -n -15 arping -n 1 00:50:fc:27:00:a9 ?


kernel + base system upgrade: -Install cvsup- (nogui?) cd /usr/src /etc/make.conf /usr/src/cvs-supfile

make update buildworld kernel make installworld (dangerous)


edit /etc/make.conf or supfile to also update /usr/ports along the way cd /usr/ports make update

MSDOSFS_LARGE kernel tickrate = HZ=1000? tinky..

/etc/sysctl.conf net.inet6.ipv.v6only=0


Install the 'system sources'

Will install the sources for the basic system binaries. Needed for the update.


Go to "Configure", "Distributions", "src", and select 'All'. Choose 'exit' and follow the instruction to install. Choose Exit → Exit Installation when finished.

Install CVSup

portinstall -P cvsup-without-gui

edit the cvsup configuration

Choose cvsup server (page bottom): You can also install fastest-cvsup (pkg_add -r fastest_cvsup) and use 'fastest_cvsup -q -c <your country code>' to find the fastest freebsd cvsup mirror in your country. Or use fastest_cvsup in one go, after you've configured the cvs-supfile: ### cvsup -L 2 -h '(fastest_cvsup -q -c us)' /etc/cvs-supfile

I've chosen to use FreeBSD 6-STABLE (RELENG_6), which contains the latest sources found to be STABLE-worthy. There is also 'HEAD' or 'CURRENT', which contains all the new stuff that will be coming in FreeBSD 7. But I'll stick with STABLE.

My /etc/cvs-supfile : *default *default base=/usr *default prefix=/usr *default release=cvs tag=RELENG_6 *default delete use-rel-suffix src-all

Updating the ports tree can be done by cvsup by setting it up here, but I prefer using portsnap, as it's faster, uses less bandwidth, and it's more secure.

modify /etc/make.conf

SUP_UPDATE=yes SUP=/usr/local/bin/cvsup SUPFILE=/etc/cvs-supfile SUPFLAGS=-g -L 2 -z -h <b></b> CFLAGS= -O -pipe KERNCONF=<b>FREEBSD62</b>

update the kernel and system sources

make update (or 'cvsup cvs-supfile'?)

create/edit the kernel config

cd /usr/src/sys/i386/conf/
nano FREEBSD62

I like to comment-out the following: ident FREEBSD62 #options INET6 #cpu I486_CPU #cpu I586_CPU

options MSDOSFS # MSDOS Filesystem options QUOTA #device uhid # "Human Interface Devices"

I've disabled uhid to get my sis-pm USB controlled 4 power socket working.

  1. Why does "options MSDOSFS_LARGE " not work yet?


cd /usr/src
make buildworld
make buildkernel

(I like to split these two commands, as shown. You could however also 'make buildworld buildkernel' (or even 'make buildworld buildkernel installkernel ').

Install the new kernel

make installkernel

Updating /etc/* files using mergemaster

mergemaster -p

This will update configuration files in /etc, unfortunately you're asked a lot of questions if you have already installed and configured a lot of application.

Install the world binaries

make installworld

The order: 'buildworld buildkernel installkernel installworld' is important!



How to automatically login with a non-root user and run gnome (gnome-session without using gdm) or kde (without using kdm)

This neat trick will auto-login with the specified username on tty1 (the window at Alt-F1..). You can then automatically run gnome or kde with the specified username.

I didn't get KDE/Gnome autologin working with the GDM/KDM settings (it kept asking for a password), so I had to resort to another way to have it do auto log-in: trough the user's shell:

First, we're going to have the user automatically logged in to the shell (steps 1,2,3), and to


nano /etc/gettytab

Add this to the bottom of the file (change 'my_freebsd_username' with an existing username you wish to use for auto-login): my_freebsd_username:\ :al=my_freebsd_username:ht:np:sp#115200:

nano /etc/ttys

Change the line starting with 'ttyv0' (change 'Pc' with the username you wish to use for auto-login, I used 'my_freebsd_username') ttyv0 "/usr/libexec/getty my_freebsd_username" cons25 on secure

Reboot the system, and you will see that after the system has booted, you will have a shell prompt (instead of a login prompt).

Step 3: Change my_freebsd_username to the username you wish to use to auto-login, and edit the .profile of that user:

su my_freebsd_username
cd ~my_freebsd_username
nano .profile

#default: do not start X: STARTX="no" #but if tty=0 and shell-level=1, do start X: [ `tty` = "/dev/ttyv0" ] && [ $SHLVL = "1" ] && STARTX="yes" [ $STARTX = "yes" ] && { #Sleep a second, because my computer is too fast: #/bin/sleep 1 /usr/local/bin/startx -- :1 } # Note to Linux users: change /dev/ttyv0 to /dev/tty1; change /usr/local/bin/startx to /usr/bin/startx.

In the file /home/my_freebsd_username/.xinitrc you need to set the window manager to start (KDE, Gnome, or another), together with any other applications you wish to start with X-windows (I start my browser, e-mail client, chat/instant messaging client)

#!/bin/sh   # screen saver after five minutes: xset s 300   # fix that annoying backspace problem xmodmap -e "keycode 22=BackSpace"   # Allow any application run on localhost to access this X session: xhost +localhost   # Instant messaging / chat client (Pidgin, formerly known as GAIM): pidgin &   # E-mail client (Mozilla Thunderbird): thunderbird &   # Webbrowser (Mozilla Firefox): firefox &   # Konsole (shell) window: konsole &   # Background screen session (why?) screen -dmS xsessie &   # Audiomixer (set to 50% volume): /usr/sbin/mixer 50:50 /usr/sbin/mixer pcm 100:100   # Start the VNC server, so remote computers can access this pc's desktop: x11vnc -rfbauth ~/.vnc/passwd -forever -shared &   # Start a VNC-viewer in listening mode (port 5500), with low quality settings, which make it faster over slow network links: vncviewer -bgr233 -compresslevel 9 -quality 0 -listen 0 &   # Start the Gnome desktop environment: exec gnome-session # Or, to use KDE: # Start the KDE desktop environment: #exec startkde

Console 'screen saver'

This will put your monitor in standy after you have not used it for a while (saving power, and thus money). It will only work when you're on the console (not in X-windows):

kldload green_saver.ko

Or add 'green_saver_load="YES"' to /etc/loader.conf, to have it loaded on system startup.

Printing in FreeBSD

Installing a laser/deskjet or other printer in FreeBSD, and make it available to other computers through Samba for Windows computers. I'll make it a multi-step project

0. Preparations 1. Apsfilter

Official URL: URL:

cd /usr/ports/print/apsfilter
make WITH_GHOSTSCRIPT_AFPL=yes BATCH=yes APSFILTER_ALL=yes install clean

I'm not 100% sure if it should be WITH_GHOSTSCRIPT_AFPL or WITH_GHOSTSCRIPT_GNU

cd /usr/local/share/apsfilter

Found ghostscript version 8.60 ... You have to upgrade at least to gs version 6.50! But you should upgrade to gs 7.00 for full driver support prior installing printers with SETUP. Do you you want to continue? [Y/n] y ... Licence ... Accept license [Y|y|J|j|N|n] ? y The Owner of your spooldir seems to be: root The Group of your spooldir seems to be: daemon Is this correct? [y/n] y saving original printcap -> /etc/printcap.orig creating a working copy of printcap -> /etc/printcap.old It seems you have configured a printer with this script before. Do you want to (a)dd another printer entry or to (o)verwrite the existing entries? a/o? o In the APSFILTER main menu: Select 1 (Printer Driver Selection) Select 3 (printer driver natively supported by ghostscript) My printer is a HP LaserJet 4L using the ljet4l, so I've entered '160' at the 'Enter number:' input. Choose for yourself. Do you want to use ljet4l? [Y|n] y   Select 2 (Interface Setup) The printer is connected trough a parallel cable, so in the interface setup, I've selected option 1 (local parallel/USB) The printer is connected to the first (and only) LPT port, FreeBSD calls this '/dev/lpt0': Full path of parallel print device: /dev/lpt0   Select 3 (Paper Format) Here in the Netherlands, A4 is the standard, so I've chosen option 1 (DIN A4)   To test if the settings work, we'll print a test page. Make sure your printer is powered on, and connected correctly. Select T (Print Test Page) Select T (Print a test page)   If the testpage looked ok, you can now choose option I (Install printer with values shown above)   ** creating printcap entry for printer aps1... creating spooldir ... remember SETUP settings in printers apsfilterrc file... ** done.   Finish the installation with 'Q'.

Don't forget to send the APSFILTER author a snail-mail, as requested. To restart the printer daemons:

lpc restart all
/etc/rc.d/lpd restart

Backup your /etc/printcap file:

cp -n /etc/printcap /etc/printcap-backup-<current_date_without_spaces>

1a. testing with lpr Download (or use google to find a .ps file) Print it:


2. CUPS 2a. testing 3. Samba 3a. Windows network printer driver installation 3b. testing 4. print to pdf

work in progress /* cupsd_enable="YES" /usr/local/etc/rc.d/cupsd start Starting cupsd.


cd /usr/ports/print/gimp-gutenprint/ make install /usr/ports/print/ghostscript-gnu deselected all x11* /usr/ports/print/ghostscript-gnu conflicteerd met ==⇒ ghostscript-gnu-7.07_17 conflicts with installed package(s):



Print to PDF using Samba (warning: dutch page):

P2P and other music/movie downloading apps

MLdonkey: edonkey, overket, kademlia(?) SABnzbd: newsgroups FTD4Linux: newsgroups index community/database



portinstall net-p2p/amule2


A P2P client with web/http frontend Official URL:

Among the supported Peer2peer protocols are:

cd /usr/ports/net-p2p/mldonkey
make install

Add the following line to /etc/rc.conf: mlnet_enable="YES" mlnet_user="<my_freebsd_username>" So mldonkey is started as a daemon upon next boot, with the permissions as <my_freebsd_username>. To increase security, you can create another user account and use this for running mlnet.

Run it:

su <my_freebsd_username>

By default, mldonkey's web interface runs on http://localhost:4080 This means you will either have to edit the configuration files, or really login using a browser on the same FreeBSD machine. If you're seeing the '403 Forbidden - Connection from <X.X.X.X> rejected (see downloads.ini, allowed_ips) MLDonkey/2.9.1 at <my.dotted.ip.address> Port 4080"-error, you're not accessing the mlnet/mldonkey web interface from localhost.

nano <my_freebsd_userame>/.mldonkey/downloads.ini:

Change the 'allowed_ips'-line to include the ip's you're connecting from (this example allows local/private networks 192.168.*.* and 10.*.*.* to connect): allowed_ips = [ ""; ""; ""; ] Note: mlnet writes its configuration when it closes to the files. So first close mlnet, then edit the configuration files, then re-start mlnet.

With a webbrowser, go to: http:/ /<your.freebsd.machine.ipaddress>:4080 It will complain about an empty admin password. To fix this, in the upper-right input bar/field enter: useradd admin <your_mothers_maiden_name> Replace <your_mothers_maiden_name> with a password of your own. Preferably shorter. :)

If you want allow others to access mldonkey, they don't need admin access. Add another 'regular' user account for them (replace <login> and <password>): useradd <login> <password>

Don't know yet what's the solution to the next error I saw when I tried the same on my other box: gmake[1]: *** [lablgtktop] Segmentation fault: 11 (core dumped) Perhaps I'll make the world again. And make it a better place for all of us to live in, with less errors.


A newsgroup download tool, capable of handling NZB-files, with integrated PAR2 checker, extracter, and a web interface. Where you would use a tool like 'GrabIt' on Windows, SABnzbd does the same job, but better, for UNIX (Linux, BSD, etc)


cd /usr/ports/sabnzbd
make install

<FIXME> Aug2007: I think the most recent version of CherryPy doesn't work with the SABnzbd-version I'm currently using, with the following error:

Traceback (most recent call last): File "/usr/local/bin/", line 37, in ? import cherrypy ImportError: No module named cherrypy

Re-install it:

export PYTHONPATH="/usr/local/lib/python2.5/site-packages/"
cd /usr/ports/news/sabnzbd
make deinstall
make clean
make install

If you get any errir when doig make install about missing directories:

mkdir /usr/local/share/sabnzbd
mkdir /usr/local/share/doc/sabnzbd 
cd /usr/ports/www/py-cherrypy
make deinstall
cd /usr/ports/www/py-cherrypy-old
make deinstall
make clean
make install

**************************************************************************** Check /usr/local/share/SABnzbd for SABnzbd.ini.sample and templates See /usr/local/share/doc/SABnzbd for README.txt etc **************************************************************************** ===> Registering installation for SABnzbd-0.2.5

I like to have all configuration files in /etc or /usr/local/etc, which I backup regularly. So I'll move SABnzbd's configuration file there:

cd /usr/local/share/SABnzbd
mv SABnzbd.ini /usr/local/etc/
ln -s /usr/local/etc/SABnzbd.ini SABnzbd.ini

Configuration is done in the SABnzbd.ini file, which we just moved to /usr/locale/etc The things you want to edit are: username = <some username> password = <some password> download_dir = ... complete_dir = ... nzb_backup_dir = ... cache_dir = ... log_dir = ... dirscan_dir = ... And, do not forget to enter your newsserver in the [servers] section of the same file.

Start it:

/usr/local/bin/ -d -f /usr/local/share/SABnzbd/SABnzbd.ini

You might want to put this line in /etc/rc.local to have it start up at boot (you can also use 'su' to run it as another user, but make sure that the directories mentioned in SABnzbd.ini are writable for that user). Or, even easier: add this crontab entry for the user you want to run SABnzbd as: @reboot /usr/local/bin/screen -dmS nzb /usr/local/bin/ -f /usr/local/etc/SABnzbd.ini

Test it by opening a web browser to http://localhost:8080/sabnzbd/connections/ To allow other computers to access SABnzbd or to use another port number, edit the correct sections in SABnzbd.ini

rtorrent - Console Bittorrent-p2p client


This is a bittorrent client with all the feautures you will find in other clients like Azureus, but all console-based.

Installation (as root):

cd /usr/src 
tar -zxvf libtorrent-0.11.0.tar.gz
cd libtorrent-0.11.0
make install

cd /usr/src

tar -zxvf rtorrent-0.7.0.tar.gz
cd rtorrent-0.7.0
make install

Go back to your non-root user account, then:

cp /usr/src/rtorrent-0.7.0/doc/rtorrent.rc ~/.rtorrent.rc
nano ~/.rtorrent.rc

According to some manpage, this will increase the processing speed for hashing the already downloaded parts ( ). Add the lines:

  hash_read_ahead = 8
  hash_max_tries = 5
  hash_interval = 10

Now let's start it in a screen session:

screen rtorrent

You can add torrent files by entering the URL to the torrent file Use CTRL-q to quit (download will not continue) or CTRL-A D (screen detach hotkey) to detach this window

I might want to start this program everytime my FreeBSD boots, next time.

VOIP telephony

Asterisk* PBX

The Asterisk* PBX software package allows me to set-up a telephone system. I have special hardware for this (a Linksys Sipura SPA-3000 (or SPA3K as some call it), and a Grandstream GXP2000 VoIP phone. Together with my VoipBuster account I will use Asterisk* to manage my home telephone system, my business telephone line, and route calls over the cheapest path from caller to callee.

Note: Asterisk, is way too complicated to have you up and running (with configured hardware) in a few minutes. I put it here for completeness, not as a quick-tutorial how to get it running at your site. There is a lot of documentation available on Asterisk.

Work in progress: I'm working on 'My Asterisk PBX Installation and Configuration Guide', to help you understand and use asterisk telephony system in no-time. For more configuration, browse to my "My Asterisk installation and configuration guide" page. You'll find a lot of extensions.conf examples there.

Install port: (version

cd /usr/ports/net/asterisk

Check which version will be installed when you would use the ports tree:

cat distfiles

Visit the website to check if any serious bugs have been found after this release.

There are a lot of bugfixes and othe updates since the version in the ports got updated, but lets install anyway:

make install

There's a known problem with mpg123 (& Asterisk), where mpg123 is eating CPU time up to 100%, this should solve it: (yet untested)

Some other information about this:

There is an add-on to change the pitch of your voice: (yet untested) ?

I should have a look at this site, it might have some good configuration examples: (didn't have much examples)

Options for asterisk 1.4.3 │ │ ┌────────────────────────────────────────────────────────────────┐ │ │ │ [X] OGGVORBIS Enable Ogg Vorbis support │ │ │ │ [X] ODBC Enable ODBC support │ │ │ │ [ ] POSTGRES Enable PostgreSQL support │ │ │ │ [ ] RADIUS Enable RADIUS accounting support │ │ │ │ [X] SNMP Enable SNMP support │ │ │ │ [X] H323 Enable H.323 support │ │ │ │ [X] JABBER Enable Jabber and Gtalk support │ │ │ │ [ ] ZAPTEL Enable Zaptel support │ │ │ │ (I disabled POSTGRES, RADIUS, and ZAPTEL)

Won't run on/under FreeBSD

The following software I want to use is not yet FreeBSD compatible (as far as I can see):


A lot of information in this guide comes from the FreeBSD Handbook on FreeBSD Installation. Bookmark it, it's good! It's translated in many different languages , and there is some more official and unofficial documentation here.

I've discovered another site which contains installation instructions and general help on FreeBSD (6.0) topics

BSD Guides has some nice FreeBSD guides too

I don't get the impression it gets updated a lot, but in the past The FreeBSD Diary helped me out a lot. - Doing stuff with FreeBSD, OpenBSD, NetBSD & Mac OSX - FreeBSD help, how-to guides and more - the FreeBSD ports collection - 'generic' Unix Tutorial, focussed on usage, no installation. How To Install a Secure BSD System Installing FreeBSD 6.1

I'm currently working on ...

It takes half a second or more to 'start selecting' the text where I've clicked. That is, when trying to select a piece of text in X, if I do it too fast, it misses a part.

The same goes for resising windows, and other mouse stuff
I've tried the 'solution' to revert to PS/2, but that didn't make a difference

Improving this guide

You are welcome to send any links, fixes, comments, or compliments to the e-mail address listed at the top of this guide.


Junk below this line

Other FreeBSd page:

Do make clean if you are hunting ghosts

routed draaien

cd /usr/ports/security/nmap

Granting mount/umount access to all users. The first step is to allow users to run the mount command to actually mount a filesystem and to allow them to run the umount command. This is done by adding the following line to your /etc/sysctl.conf file.


This option will be set within the kernel at next system boot, to enable it immediately run the following command as root:

  sysctl vfs.usermount=1

It is important to note that while setting this variable allows ALL users to run the mount/umount commands to mount and unmount filesystems, mounting and unmounting will only be possible if:

The second issue is typically not a problem, users can always generate an empty directory to host the mount. The first issue is what allows us to restrict access to certain devices for mounting by particular users. However, this security is limited, while we can stop a user from mounting a device entirely, when permission is granted to mount the device, that user can mount it with whatever mount options they like.

9.23. How do I let ordinary users mount floppies, CDROMs and other removable media?

Ordinary users can be permitted to mount devices. Here is how:

    As root set the sysctl variable vfs.usermount to 1.
    # sysctl -w vfs.usermount=1
    As root assign the appropriate permissions to the block device associated with the removable media.
    For example, to allow users to mount the first floppy drive, use:
    # chmod 666 /dev/fd0
    To allow users in the group operator to mount the CDROM drive, use:
    # chgrp operator /dev/acd0c
    # chmod 640 /dev/acd0c

/etc/group add after operator … : your username


extract, so that /usr/local/www/ip/mp3/getid3/getid3/getid3.php exists

nano kplaylist.php

enable the getid3 package. getid package must reside under getid3/ under the directory this file exists. If it does not, please change the 'include' statement below. $cfg['enablegetid3'] = 1;

where the getid3.php file exists $cfg['getid3include'] = 'getid3/getid3/getid3.php'; kplaylist.php resides in /usr/local/www/ip/mp3/ last line */ /* NFS: /usr/ports/sysutils/xcdroast]# make You must be root to use xcdroast. To use it as normal user, click "enable-nonroot" after starting it at first as root. But beware! This is a security risk! It modifies the following files and gives them the set-user-ID-on-execution bit: xcdwrap Are you sure you want this? If not, hit Ctrl+C right now This is a security risk! XCDRost will use an own wrapping utility which gets a SUID Bit after enabling the non-root mode inside the application! Notes for FreeBSD 5.x and onwards users: 1. The FreeBSD k3b port supports SCSI drives only. If you have IDE CD or DVD drives, use them through the cam system. See Chapter 12.5.9 of the handbook ( 2. Your CD and DVD drives must have a mount point in /etc/fstab. They have to be accessed through their atapicam device if possible. I.e. the drives have to be adressed by e.g. /dev/cd0 instead of /dev/acd0. 3. k3b has to be started from a root console, which is not recommended. Alternatively do ALL of the following: 3a. set the suid flag on cdrecord and cdrdao. The 'Notes' chapter of 'man cdrecord' discusses this. 3b. - For every user who should be able to use k3b and for every CD or DVD device add a directory in the users home directory. These directories must be owned by the corresponding user. For each such directory add a line in /etc/fstab (see remark 2), like: /dev/cd0c /usr/home/XXX/cdrom cd9660 ro,noauto,nodev,nosuid 0 0 Furthermore allow user mounts as described in topic 9.22 of the FAQ: To make the chmod's to /dev/cdX permanent, do the following: * add 'devd_enable="YES"' to /etc/rc.conf * add a 'perm cdX 666' to /etc/devfs.conf for each cd/dvd device. X is the device number. If you prefer allow access for a group only, add a 'perm cdX 660' instead, followed by an 'own cdX root:XXX' where XXX is the group name. Alternatively (especially if you are using hot plug capable CD or DVD drives) you could add an 'add path 'cd*' mode 666' or an 'add path 'cd*' mode 660 group XXX' to your /etc/devfs.rules under '[system=10]'. To enable it, add a 'devfs_system_ruleset="system"' to your /etc/rc.conf. - or just give mount and umount the suid flag, which is a security leak. 3c. Every user who should be able to use k3b must have read and write access to all pass through devices connected with CD and DVD drives and to the /dev/xpt0 device. Run 'camcontrol devlist' to identify those devices (seek string 'passX' at the end of each line and modify the rights of /dev/passX). Note, that this is a security leak as well but that there is no alternative! To make this changes permanent, add 'devd_enable="YES"' to /etc/rc.conf as described above. Furthermore add a 'perm passX 666' for each pass device and a 'perm xpt0 666'. If you prefer to bind the access rights to a group, use the own command as described above. If you prefer to set this rights dynamically, add a line 'add path 'pass*' …' to your /etc/devfs.rules as described above. 4. Check, that DMA is activated for atapi devices: 'sysctl hw.ata.atapi_dma' If not, set it to 1 and put a 'hw.ata.atapi_dma=1' into /boot/loader.conf. 5. Create a directory on a partition, which has enough disk space to hold a CDs or DVDs content (usually below /usr). Enter this directory in Settings→ Configure K3b…→Misc. 6. If you experience problems while burning CDs, try to set the cdrdao driver manually. To do so choose Settings→Configure K3b…→Devices. Below the CD recorder click on the string "auto" behind "Cdrdao driver:" For most of the recent drives "generic-mmc" or "generic-mmc-raw" should work. See 7. To burn video CDs install the port multimedia/vcdimager. 8. To rip DVDs additionally install the ports multimedia/transcode, multimedia/libdvdread and multimedia/xvid.The ripping process itself is described in 9. To burn bootable video CDs, install the port multimedia/emovix. 10. To burn DVDs, install the port sysutils/dvd+rw-tools. 11. To normalize the volumes of audio cds, install the port audio/normalize. 12. To rip into more audio formats, install the port audio/sox. To read this instructions again, type 'make showinfo' in the k3b port directory ==⇒ Running ldconfig /sbin/ldconfig -m /usr/local/lib ==⇒ Registering installation for k3b-1.0.3 */ umass0: Unsupported ATAPI command 0x4a - trying anyway umass0: Unsupported ATAPI command 0xac - trying anyway When I power up my Plextor PX-716AL external USB 2.0 DVD burner, 'dmesg' detects it: <html> umass0: PLEXTOR DVDR PX-716AL, rev 2.00/4.13, addr 2 cd0 at umass-sim0 bus 0 target 0 lun 0 cd0: <PLEXTOR DVDR PX-716AL 1.01> Removable CD-ROM SCSI-0 device cd0: 1.000MB/s transfers </html> However, there's something wrong with the speed (just 1.000MB/s will surely result in a lot of buffer underruns). If I disconnect and reconnect the USB cable, the troughput (at 40.000MB/s) is ok, as shown by the 'dmesg' output: <html> umass0: PLEXTOR DVDR PX-716AL, rev 2.00/4.13, addr 2 cd0 at umass-sim0 bus 0 target 0 lun 0 cd0: <PLEXTOR DVDR PX-716AL 1.01> Removable CD-ROM SCSI-0 device cd0: 40.000MB/s transfers cd0: cd present [2213904 x 2048 byte records] </html> Maybe I'll take some time to check if it has something to do with a kernel option about usb / uhid / ugen. Probably I'll try to remember it and remember to unplug/replug the usb connector when I've touched the Plextor's power switch. ===== reverse ssh ===== ssh -nNT -R 8022: …@… copy paste select text gnome terminal Game Integrity 20004-error in Wolfenstein: Enemy Territory: ===== PXE Windows XP installation ===== I'm trying to boot a laptop with a broken cd-rom drive from the network, using PXE. The following text and links describe my progress. It is not working at the moment. Best link one so far: tftp dgram udp wait root /usr/libexec/tftpd tftpd -s /tftpboot tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /mnt/…/install tftp localhost <html> tftp> get test.txt tftp> quit </html> If you try to download a non-existing file, you'll see the following error: <html> Error code 1: File not found </html> Try to download the file you want to use (the one you set up in dhcpd.conf) I will assume you've already installed the dhcp server ( net/isc-dhcp3-server ) The DHCP server/daemon needs a few configuration options to allow PXE boots: next-server; filename "pxeboot"; option root-path ""; echo dhcpd_enable=YES » /etc/rc.conf /usr/local/etc/rc.d/isc-dhcpd start inetd_enable=YES And after you've installed windows unattended, you might want to install as well: unattended installation for Windows: ===== How to mount an ISO image ==== Mounting an ISO image with FreeBSD (mount, mdconfig) mkdir /mnt/iso mdconfig -a -t vnode -u 0 -f /path/to/iso/image/file.iso mount -t cd9660 /dev/md0 /mnt/iso To unmount: mount -u /mnt/iso mdconfig -d -u 0 You can mount multiple ISO's at the same time, just replace '0' and 'md0' with '1' and 'md1', or '2' and 'md2' and so on, and use another mount point instead of /mnt/iso If you have a NRG (Nero Burning Rom image file), you can convert it with nrg2iso: Installation: portinstall sysutils/nrg2iso Usage: nrg2iso <image.nrg> <image.iso> <image.iso> will be created from image.nrg If the iso file is created, you can mount it ===== OpenArena ===== A 3D shoot-em-up: OpenArena is an open-source content package, together with the GPL'd Quake III Arena 3D engine. URL: Installation: cd /usr/ports/games/openarena make make install As my NVidia graphics card is already configured in X, there's nothing important left to configure. Run it: openarena One time however, I did receive an error when starting openarena: <html>Sys_Error: GLimp_Init() - could not load OpenGL subsystem</html> The next day it worked just fine, and I don't remember doing anything special.. /* does not work yet cd /usr/ports/security/denyhosts make make install echo denyhosts_enable="YES"»/etc/rc.conf. touch /etc/hosts.deniedssh nano /etc/hosts.allow Add to the top of this file: <html> sshd : /etc/hosts.deniedssh : deny sshd : ALL : allow <html> Start it: /usr/local/etc/rc.d/denyhosts start BLOCK_SERVICE = sshd <html> Starting denyhosts. </html> ——————————————————————————- Configiration options can be found in /usr/local/etc/denyhosts.conf ——————————————————————————- In order to proper working of denyhosts 1. edit your /etc/hosts.allow file and add: sshd : /etc/hosts.deniedssh : deny sshd : ALL : allow 2. issue the following command if /etc/hosts.deniedssh does not exist yet touch /etc/hosts.deniedssh ——————————————————————————- Warning: syslogd should ideally be run with the -c option; this will ensure that denyhosts notices multiple repeated login attempts. /usr/local/lib/codecs]# mv all-20071007/* . [root@freebsd62 /usr/local/lib/codecs]# rmdir all-20071007/ Hackbar other stuff Save As Image for www/linux-opera textproc/linux-aspell Dutch ASPELL_NL=yes * OpenSearchFox Download Statusbar Measuring network speed in linux with nc (netcat) and dd: (can also be used for getting wireless network troughput numbers) On machine A (sending): time dd if=/dev/mem bs=1M count=10 | nc <ip.of.machine.b> 1234 On machine B (receiving): nc -l -p 1234 > /dev/null Replace /dev/mem with a device that can deliver data faster than your network device can send. In this example, 10 blocks of 1MB (10 mbyte in total) is transferred, after which it tell you how much time it took. Divide them to find out the speed per second. Increase or decrease 'count'-value depending on your first estimate of troughput, to make sure the transfer will take 10 seconds or more. ugen0: National Instruments NI USB-6008, rev 2.00/1.01, addr 2 <code> #!/bin/bash #Small application that will download all (20) sms messages from my Siemens mobile phone # Works with siemens GSM c35, c35i, s25, c25, s35, s35i, c45, c45i, etc. Make sure to use correct cable. # Needs: scmxx ( portinstall comms/scmxx ), optional: 'gscmxx' #make sure it can write to sms.txt, or else it will remove all messages without writing them to disk. for 1) ### Inner for loop ### do scmxx -b 19200 -d /dev/ttyd0 –get –binary –sms –slot $j –out - » sms.txt # if file exists sms.txt', delete sms from phone memory: scmxx -b 19200 -d /dev/ttyd0 –remove –sms –slot $j done </code> ==== Spamassassin filter on relay country ==== Install perl module: perl -MCPAN -e 'install IP::Country::Fast' Configure spamassassin: nano /etc/spamassassin/init.pre: uncomment: loadplugin Mail::SpamAssassin::Plugin::RelayCountry Easy cron documentation / syntax explained: Requeue all messages / retry to deliver all queued messages in the Postfix defer / deferred queue folders postsuper -r ALL Perl one-liner command line search replace text in files (with backup): perl -i.bak -p -e's/old/new/g' filename mount_smbfs -I <ip> <samba_username>@<ip>/<sharename> <mountpoint>


~~DISCUSSION|Please leave a comment or any feedback!~~

1) j = 1 ; j ⇐ 20; j++