Kristensen

FreeBSD 11 Development Desktop on Dell XPS13

Daemons

NGINX - Web Server

Nginx is a fast, feature-rich web server with a relatively straightforward configuration. Configure it to serve websites from /data/httpd.

Write the following configuration to nginx.conf (/usr/local/etc/nginx/nginx.conf on FreeBSD). The two load_module lines pull in the mail and stream modules, which nothing in this configuration uses; they can be left out to keep the attack surface small. The "location ~ /\." block refuses any request whose path contains a segment beginning with a dot, so files such as .htpasswd or a stray .git directory under the web root cannot be fetched. Check the syntax with nginx -t before starting the service.

load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

worker_processes  1;

events {
	worker_connections  1024;
}


http {
	include mime.types;
	default_type application/octet-stream;

	sendfile on;
	keepalive_timeout 65;

	server {
		listen 80;
		server_name localhost;

		location ~ /\. {
			deny all;
		}

		location / {
			root /data/httpd/www;
			index index.html index.htm;
		}

		error_page 500 502 503 504  /50x.html;
		location = /50x.html {
			root /usr/local/www/nginx-dist;
		}
	}
}
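The dotfile rule above is worth checking against the encoded and traversal variants an attacker would try. The following Python script is an added example, not code from the page or from nginx: it approximates nginx's request-URI normalization (percent-decoding, slash merging and dot-segment resolution, as nginx performs before matching locations) and then applies the page's "location ~ /\." pattern. The sample request URIs are constructed for the example.

```python
import re
from urllib.parse import unquote

# The pattern from the page's "location ~ /\." block: any URI containing a
# slash followed by a dot, i.e. a path segment that starts with a dot.
DENY_DOTFILES = re.compile(r"/\.")


def normalize_uri(raw_uri: str) -> str:
    """Approximate what nginx does to a request URI before matching
    locations: drop the query string, percent-decode, merge adjacent
    slashes (merge_slashes on) and resolve '.' and '..' segments.
    This is a model written for this example, not nginx's parser."""
    path = raw_uri.split("?", 1)[0]
    path = unquote(path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue              # empty segment from '//', or a no-op '.'
        if seg == "..":
            if segments:
                segments.pop()    # never climbs above the document root
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_denied(raw_uri: str) -> bool:
    """True if the normalized URI would hit 'location ~ /\\.' and get 403."""
    return DENY_DOTFILES.search(normalize_uri(raw_uri)) is not None


# Constructed request URIs, including a few encoded/obfuscated attempts
# to reach dotfiles under the web root.
SAMPLE_REQUESTS = [
    "/.git/HEAD",                       # plain dotfile probe
    "/%2Egit/config",                   # percent-encoded dot
    "/static//.env",                    # doubled slash
    "/static/../.ssh/id_rsa",           # dot-dot traversal back to a dotfile
    "/.well-known/acme-challenge/tok",  # also denied: see the note below
    "/index.html",                      # normal request
    "/downloads/file.tar.gz",           # dots not after a slash are fine
    "/",
]


def classify(uris=SAMPLE_REQUESTS) -> dict:
    """Map each URI to 'deny' or 'allow' according to the page's rule."""
    return {u: ("deny" if is_denied(u) else "allow") for u in uris}


if __name__ == "__main__":
    for uri, verdict in classify().items():
        print(f"{verdict:5}  {uri}  ->  {normalize_uri(uri)}")
```

The encoded, doubled-slash and traversal variants all collapse to a path containing "/." and are denied. The fifth entry shows the rule's side effect: /.well-known/ is denied too, which breaks ACME HTTP-01 challenges and similar well-known resources. Because regex locations win over the plain "location /" prefix, the way to carve out an exception is a "location ^~ /.well-known/" block, since ^~ stops the regex search.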
	

PostgreSQL - Database Server

PostgreSQL is a fast, ACID compliant object-relational database with a multitude of advanced features.

Install PostgreSQL. Version 9.6 was the most recent stable release at the time of writing.

Configure PostgreSQL to run with the English locale and UTF-8 encoding in the directory /data/postgres.

With an admin user established and the server shut down, you can switch to md5 password authentication. Give the admin user a password first: once md5 is in force, every connection for a role without one, including your own, is refused. md5 is the strongest password method PostgreSQL 9.6 offers; SCRAM-SHA-256 only arrived in version 10. Rewrite pg_hba.conf in /data/postgres as shown below.

# TYPE  DATABASE    USER   ADDRESS        METHOD
local   all         all                   md5
host    all         all    127.0.0.1/32   md5
host    all         all    ::1/128        md5
	

Having changed the authentication mechanism, restart the server.
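Before restarting it pays to confirm that no trust or cleartext-password line survived the rewrite, since pg_hba.conf is matched first-line-wins and a forgotten rule above the md5 ones silently takes precedence. The following Python audit is an added example, not code from the page or from PostgreSQL: it parses the CIDR form of pg_hba.conf used above (the separate-netmask form is not handled) and reports weak methods and rules open to any address. Both sample files are constructed for the example; the first is the page's own configuration, the second appends two bad lines.

```python
# pg_hba.conf methods that should not survive the switch to md5.
WEAK_METHODS = {
    "trust": "no authentication at all",
    "password": "password sent in cleartext",
}
ANY_ADDRESS = {"0.0.0.0/0", "::/0", "all"}

# The page's pg_hba.conf, as constructed sample input.
PAGE_PG_HBA = """\
# TYPE  DATABASE    USER   ADDRESS        METHOD
local   all         all                   md5
host    all         all    127.0.0.1/32   md5
host    all         all    ::1/128        md5
"""

# The same file with two constructed bad lines appended.
BAD_PG_HBA = PAGE_PG_HBA + """\
host    all         all    0.0.0.0/0      trust
host    app         app    10.0.0.0/8     password
"""


def parse_pg_hba(text):
    """Return (line_no, type, database, user, address, method) tuples.
    'local' lines have no ADDRESS column; host lines are assumed to use
    CIDR notation (the separate-netmask form is not handled here).
    Trailing method options such as clientcert=1 are ignored."""
    rules = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local" and len(fields) >= 4:
            typ, db, user, method = fields[:4]
            addr = None
        elif fields[0] in ("host", "hostssl", "hostnossl") and len(fields) >= 5:
            typ, db, user, addr, method = fields[:5]
        else:
            raise ValueError(f"line {no}: unrecognised rule: {line}")
        rules.append((no, typ, db, user, addr, method))
    return rules


def audit_pg_hba(text):
    """List findings a reviewer would raise: weak methods, and non-reject
    rules that accept logins from any address. Empty list means clean."""
    findings = []
    for no, typ, db, user, addr, method in parse_pg_hba(text):
        if method in WEAK_METHODS:
            findings.append(f"line {no}: {typ} rule for {db}/{user} uses "
                            f"{method} ({WEAK_METHODS[method]})")
        if addr in ANY_ADDRESS and method != "reject":
            findings.append(f"line {no}: {method} logins accepted from "
                            f"anywhere ({addr})")
    return findings


if __name__ == "__main__":
    print("page config:", audit_pg_hba(PAGE_PG_HBA) or "clean")
    for finding in audit_pg_hba(BAD_PG_HBA):
        print("finding:", finding)
```

Run against the page's file the audit is clean; against the extended file it reports the trust rule twice (weak method, and open to the world) and the cleartext password rule once.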

CUPS - Common UNIX Printing System

CUPS, the Common UNIX Printing System, is an implementation of the Internet Printing Protocol (IPP). It provides a number of printing features and is well supported on FreeBSD. Install it as follows.

PF - Firewall

FreeBSD comes with secure defaults; nonetheless, add another layer to the security onion and enable the PF firewall.

Add this basic configuration to /etc/pf.conf.

ext_if="wlan0"

# Define one table to exclude bruteforce attackers.
table <bruteforce> persist

# Skip the loopback interface.
set skip on lo

# Normalize incoming packets: reassemble fragments and clean up inconsistencies.
scrub in all

# Default to blocking incoming traffic.
block in

# Block incoming packets with loopback address.
antispoof quick for {lo0}

# Drop packets from any source listed in the bruteforce table.
block quick from <bruteforce>

# Allow ssh, but a source that opens more than three new connections in 30 seconds
# is added to the bruteforce table and all of its existing states are flushed.
# This counts new connections, not failed logins: a legitimate user opening
# several sessions at once is caught too and stays blocked until removed from the table.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global)

# Allow access to web server.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 80 keep state
pass in quick on $ext_if proto tcp from any to ($ext_if) port 443 keep state

# Allow all outbound traffic from this host.
pass out on $ext_if to any keep state
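The ssh rule's behaviour is easy to misread, so here is a model of it in Python. This is an added example, not code from the page or from pf: it tracks new connections per source in a sliding window, moves a source into the bruteforce table once it exceeds 3 connections in 30 seconds, and then drops everything from it, as "block quick from <bruteforce>" does. pf computes the rate as a moving average rather than an exact window, so the model is an approximation; the timeline of connections and the IP addresses are constructed for the example.

```python
from collections import defaultdict, deque


class SshRateLimiter:
    """Model of the page's ssh rule:
        max-src-conn-rate 3/30, overload <bruteforce> flush global
    Per source, keep the times of recent new connections (SYNs). A source
    exceeding max_conns within `seconds` goes into the bruteforce table,
    its states are flushed, and 'block quick from <bruteforce>' drops all
    its later packets. pf computes the rate as a moving average rather
    than this exact sliding window; the model is an approximation written
    for this example and is not pf's code."""

    def __init__(self, max_conns=3, seconds=30):
        self.max_conns = max_conns
        self.seconds = seconds
        self.recent = defaultdict(deque)   # src -> timestamps of new connections
        self.bruteforce = set()            # the persistent <bruteforce> table

    def new_connection(self, src, t):
        """Verdict for a SYN to port 22 from `src` at time `t` (seconds)."""
        if src in self.bruteforce:
            return "block"                 # block quick from <bruteforce>
        window = self.recent[src]
        while window and t - window[0] > self.seconds:
            window.popleft()               # forget connections older than the interval
        window.append(t)
        if len(window) > self.max_conns:
            self.bruteforce.add(src)       # overload <bruteforce>
            window.clear()                 # flush global: kill its existing states
            return "block"
        return "pass"

    def release(self, src):
        """Operator action: pfctl -t bruteforce -T delete <src>."""
        self.bruteforce.discard(src)


# Constructed timeline of new ssh connections: (time in seconds, source).
SAMPLE_SYNS = [
    (0, "203.0.113.9"),    # scanner: four connections in 12 seconds
    (0, "192.0.2.7"),      # admin: one session every 40 seconds
    (5, "203.0.113.9"),
    (10, "203.0.113.9"),
    (12, "203.0.113.9"),   # fourth within 30 s -> overload
    (40, "192.0.2.7"),
    (80, "192.0.2.7"),
    (600, "203.0.113.9"),  # minutes later: still blocked, the table persists
]


def simulate(events=SAMPLE_SYNS):
    """Return the per-event verdicts and the final bruteforce table."""
    fw = SshRateLimiter()
    verdicts = [(t, src, fw.new_connection(src, t)) for t, src in events]
    return verdicts, sorted(fw.bruteforce)


if __name__ == "__main__":
    verdicts, table = simulate()
    for t, src, verdict in verdicts:
        print(f"t={t:4}  {src:12}  {verdict}")
    print("bruteforce table:", table)
```

The scanner's fourth connection trips the rule and its attempt ten minutes later is still dropped, while the admin's slower cadence never triggers it. Entries stay in the table until removed: inspect with pfctl -t bruteforce -T show, release one address with pfctl -t bruteforce -T delete, or age entries out periodically with pfctl -t bruteforce -T expire 86400 from cron.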
	

Check the ruleset for syntax errors with pfctl -nf /etc/pf.conf, then start the firewall on boot by setting pf_enable="YES" in /etc/rc.conf and load it now with service pf start.