http://www.freebsd.org/where.html
In computer networking, Network Address Translation (NAT, also known as Network Masquerading, Native Address Translation or IP Masquerading) is a technique of transceiving network traffic through a router that involves re-writing the source and/or destination IP addresses and usually also the TCP/UDP port numbers of IP packets as they pass through. Checksums (both IP and TCP/UDP) must also be rewritten to take account of the changes. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address.
A NATD DMZ Firewall is noteworthy because it filters all the dangerous traffic from the internet into something a private network can understand. A DMZ also acts as a gateway to the internet for all machines on a private network.
To get started, install two RJ-45 network cards. Then connect a CAT-5 cable from the RJ-45 port on the first Ethernet device to a hub. Then connect a CAT-5 cable to the second Ethernet device and connect the other end of the cable to an Ethernet cable modem or a DSL modem. This device is thereby isolated from the hub. Then connect any workstations or additional servers to the hub.
First, using the installation CD, follow all the instructions. Don't give yourself a headache worrying about how to partition the hard drives. Simply delete all the slices by selecting them with the arrow keys and deleting them with the "D" key. Press the "A" key to auto select the correct partition information and then press the "Q" key. The same goes for the disk structure. Press the "A" key to auto select the correct information, then press the "Q" key to save the information. The install program will then write to the partition and copy all the data from the CD-ROM to the hard disk.
Next, the installation program will ask you a few questions. Do not enable the first ethernet device or configure it to use DHCP. Select yes to enable the second ethernet device.
ENTER 192.168.0.1
Would you like to configure this machine as a network gateway? YES
Would you like to enable SSH login? YES
Do you want to have anonymous FTP access to this machine? YES
Create a welcome message file for anonymous FTP users? NO
Would you like to add Linux binary compatibility? YES
Like the address on your house, painted on your curb or on your mailbox, the standard protocol called TCP/IP uses a simple sequence of instructions that are simply on or off to identify a subset of secondary instructions. This matrix of 1's and 0's, as a whole or in part, is indicative of itself. The mailman delivers the mail; the fire department can see your address clearly on the curb. The "binary" (1's and 0's, on or off) bits are broken into a matrix of four octets (1 octet = 8 bits). An IP address is interpreted by computers in dotted decimal format (like 192.168.0.1). Each octet is delimited by a period (dot). The decimal value of each octet ranges from 0 to 255, or 00000000 - 11111111 in binary, each of which is 8 bits long.
Let's say the first bit of an octet holds a value of 1 (on). The next bit in the octet matrices holds a value of 0 (off). The next holds a value of 0 (on). The next holds a value of 1(off). The next holds a value of 0(on). The next holds a value of 1(on). The next holds a value of 0(off). The last bit holds a value of 1 (on).
If all the binary bits of an octet matrices were a 1 (on), the decimal equivalent would be 255 as shown here:
  1  1  1  1  1  1  1  1
128 64 32 16  8  4  2  1 (128+64+32+16+8+4+2+1=255)
More simply, the 8 bits of the binary number 10101010 (on|off|on|off|on|off|on|off) converts to the decimal number 170.
1 1 1 1 1 1 1 1 (on|on|on|on|on|on|on|on) converts to the decimal number 255
There are 8 bits in any given octet matrices.
This is an IP address in binary and that same IP address in decimal:
170.255.255.255 (decimal)
10101010.11111111.11111111.11111111 (binary)
For example, 10.1.23.19 is cited by Cisco Systems.
In 1996, TCP/IP oddly RESERVED a subset of binary numbers for an internal network. How or why?
"The Internet Engineering Taskforce" Contractors Request for Comments (RFC) #1918:
"With the proliferation of TCP/IP technology worldwide, including outside the internet itself, an increasing number of non-connected enterprises use this technology and its addressing capabilities for sole intra-enterprise communications, without any intention to ever directly connect to other enterprises or the internet itself"
Operating a network is in fact indicative of itself and the use of your own equipment communicating with TCP/IP subsequently will not acknowledge as a part or in whole the subset of equipment in places around the world.
Here is an input vector:
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
I like 192.168.0.0 because it looks classy. The 0 means all 255 addresses. We used one of them, 192.168.0.1, although you can also use:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
A "/16" means it has more addresses to use than "/8" or "/12"; Yes I would like 1 bushel of crabs for my party. What!? They're not in season? Your catch didn't have enough regulation coke can sized keepers? You can find out the hard way that BLUE CRABS can be bought by the Chesapeake Bay, Maryland and Virginia; Dungeness crabs can be bought in Seattle and are shipped worldwide; Alaskan king crabs can be bought in Alaska by the boat load and are also shipped worldwide.
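The octet arithmetic and the three RFC 1918 ranges described above, worked through in POSIX sh as an added example (not part of the original page). It goes a little beyond the text by also checking whether two hosts share a subnet under a dotted netmask; all function names are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original page): octets, binary and RFC 1918 checks.

# ip_to_int A.B.C.D -> the address as one 32-bit integer on stdout.
# Returns 1 unless the input is exactly four decimal octets in 0..255.
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    _old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$4
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in
            ''|????*) return 1 ;;  # empty, or more than three digits
            0?*)      return 1 ;;  # a leading zero would be parsed as octal
        esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# octet_to_bin N -> eight binary digits, using the page's weights 128..1.
octet_to_bin() {
    _n=$1; _bits=
    for _w in 128 64 32 16 8 4 2 1; do
        if [ "$_n" -ge "$_w" ]; then
            _bits=${_bits}1; _n=$((_n - _w))
        else
            _bits=${_bits}0
        fi
    done
    echo "$_bits"
}

# ip_to_bin A.B.C.D -> dotted binary, e.g. 10101010.11111111....
ip_to_bin() {
    _v=$(ip_to_int "$1") || return 1
    _out=
    for _s in 24 16 8 0; do
        _out=${_out}${_out:+.}$(octet_to_bin $(( (_v >> _s) & 255 )))
    done
    echo "$_out"
}

# in_net IP NETWORK PREFIXLEN -> exit 0 if IP lies inside NETWORK/PREFIXLEN.
in_net() {
    _a=$(ip_to_int "$1") || return 2
    _b=$(ip_to_int "$2") || return 2
    _m=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( _a & _m )) -eq $(( _b & _m )) ]
}

# is_rfc1918 IP -> exit 0 if IP is in one of the three private ranges.
is_rfc1918() {
    in_net "$1" 10.0.0.0 8 || in_net "$1" 172.16.0.0 12 || in_net "$1" 192.168.0.0 16
}

# same_subnet IP1 IP2 NETMASK -> exit 0 if both hosts share a network.
same_subnet() {
    _a=$(ip_to_int "$1") || return 2
    _b=$(ip_to_int "$2") || return 2
    _m=$(ip_to_int "$3") || return 2
    [ $(( _a & _m )) -eq $(( _b & _m )) ]
}

# Demo on addresses that appear on this page.
for ip in 192.168.0.2 76.111.89.19 170.255.255.255; do
    if is_rfc1918 "$ip"; then kind="private (RFC 1918)"; else kind="not RFC 1918"; fi
    printf '%-16s %s  %s\n' "$ip" "$(ip_to_bin "$ip")" "$kind"
done
```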
After entering the IP address of the second ethernet device, Select yes to use the server as a router/gateway, Select yes to enable SSH logins, and select yes to add a user. Add a user but DO NOT assign this user to any groups. Use all the default information.
Reboot.
Next, this is the most important step. If this step is not completed, older system hardware and some new hardware cannot parse data to the console correctly, especially under heavy loads and will fail. Configure the system from the console to allow you to log in as root so you can cut-and-paste with SSH.
Login as root and change to the /etc directory. Using your favorite editor, edit the group file.
Login: root
Password: *******
You should see "#", a pound sign. The pound sign means you are logged in as root.
cd /etc
vi group
The Vi editor is easiest to use despite what you may have heard about UNIX text editors; everything is contingent upon a command line that is similar to the Shell you may be using.
Strike the ESC key, then press the colon ":" key. This will give a command line.
Type $ ENTER
This will take you to the end of the file.
Strike the ESC key, then press the colon ":" key again.
Type /wheel ENTER
This will find the nearest instance of "wheel" relative to the blinking cursor position.
Strike the ESC key:
Now position the blinking cursor with the arrow keys just below the word "wheel".
Type :ins ENTER
Keep your eyes on "wheel:*:0:root" and type the same thing but add ,someuser such that you will now see:
:ins
Entering ex input mode.
wheel:*:0:root,someuser
Now strike CTRL-C
Observe what happened to the text with the Vi editor. If you make a mistake, position the blinking cursor at the beginning of the line and strike the ESC key again.
Strike the ENTER key
Type :del
Try again.
If a program tells you that there is an error in it, it will also tell you the line number. To go to a line:
Strike the ESC key
Type :123
This will take you to line 123
Now save the file and exit.
Strike the ESC key.
Type :wq!
Take note that the file already has a name. And altogether you would have typed the sequence:
vi group ESC : /wheel ENTER ESC :ins ENTER wheel:*:0:root,someuser CTRL-C ESC :wq!
Your server is a delicate computational matrix that accepts input in a variety of ways. The most advantageous way to ensure the integrity of ALL of that data is to manually type and input every command and/or command structure.
For example, when saving a Microsoft file by the integrated samba program, every carriage return is marked with a ^M when the ASCII standard text file is viewed by your UNIX system. Although it is possible to use the CTRL-INS SHIFT-INS convention along with sub sequential standardized programming conventions; windows libraries bottlenecks and avoiding ^M's in Microsoft files altogether; the data that makes up that simple convenience is incorporated into the running system. Taking a step further reveals striking results.
You may see: "The connection was refused when attempting to contact 0"
It all depends on where zero is. No closer to solving why there is a ^M; taking a closer look at this algebraic equation might give a little better understanding of what is happening:
(x - 3)(x - 3) = 0
f(x) = (x - 3)(x - 3)
The figure to the right plots -x along side a curiosity similar to crop circles or ^M's:
Applied, Zero minus zero is zero. If x were a zero the equation would read:
0 multiplied by itself is zero, zero multiplied by -3 is zero. -3 multiplied by zero is 0 and -3 multiplied by -3 is 9. 9 is equal to zero. Theoretically, now we are sure the equation lets 9 equal zero, because of the inequality. However, the answer to the above equation is three, letting x equal the order of operations in standard form, then using the quadratic formula. Here are the results of some experiments with data mining where f(x) = -x following this kind of logic:
http://search.netscape.com/search/search?&fromPage=NS8BrowserRoll&query=1%3B21479003
http://search.netscape.com/search/search?&fromPage=NS8BrowserRoll&query=16660284
I like the picture on the cup to the right:
http://www.pbase.com/hreinnp/image/16660284
To be fairly certain data is not garbage like that, cut and paste data into a terminal emulator with the vi editor using the keys CTRL-INS, highlighting the text such that it is blue ... or black ... and pressing the SHIFT-INS keys. Save the file and use the "cat" command to view the data again. Now cut and paste this data into your application.
Next, after the group file has been edited to include the new user, remotely log in with SSH using the new user you created with the installation program.
You can now connect to the FreeBSD server from your windows workstation by using a SSH2 program like Secure CRT. To Pre-configure a windows workstation to use a NATD FIREWALL, follow these instructions:
Left click "My Network Places" on the Windows workstation "desktop" such that it appears to turn BLUE in color. Next, right click the highlighted area. A "drop down menu" will appear.
Left click "Properties"
Next, Left click "Local Area Connection" such that it appears to turn BLUE in color. Next, right click the highlighted area. A "drop down menu" will appear. Left click "Properties"
A "Dialogue" Box will appear:
Left click "Internet Protocol TCP/IP" such that it appears to turn BLUE in color. Next, right click the properties box. A "Dialogue box" will appear.
Next, the following decimal notated "fields" are variable elements within the subset of a function where ƒ(x) = the subsequent matrices of 1's and 0's that make up communication elements between a Windows Workstation and the FreeBSD DMZ are determined.
Next; make up an "IP Address"; It could be any address... really; but I like 192.168.0.0 because it looks classy. Addresses other than:
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
are said to be "non-routable"; the internet service provider is obviously not going to GIVE you an IP address that is whole or in part the internet; ideally we must get to the internet.
Enter 192.168.0.2
Next, enter a "Subnet Mask". A subnet mask divides the matrix into sections. LOL The Subnet Mask 255.255.255.0 includes the available addresses to immediate effect.
Enter 255.255.255.0
Why is there a Default Gateway Entry? A default gateway will tell you precisely how to get to the next hop. In this case the FreeBSD DMZ is the default gateway. The only difference is the FreeBSD DMZ stays put.
In the FreeBSD console type:
ifconfig fxp1
fxp1: flags=8843 mtu 1500
        options=8
        inet6 fe80::290:27ff:feac:9085%fxp1 prefixlen 64 scopeid 0x2
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:90:27:ac:90:85
        media: Ethernet autoselect (100baseTX)
        status: active
The section "inet" is the default gateway.
Enter 192.168.0.1
The next "field" is "Preferred DNS Server" now this is very dangerous.
Given that when information is contrived, it is again whole or in part, indigent; indicative of self loathing. What information do we have about DNS servers?
Do you remember the Internet Service Provider's Instructions? What were they? What will they be?
Enter 68.87.73.242
Click the OK button
Click the Close Button
Now use a windows program like Secure CRT to access the SU program to login to the root account which will enable you to parse all data correctly.
su -l root
You should see "#", a pound sign. The pound sign means you are logged in as root.
There are several ways to make a working NATD firewall but so far I have only been able to do it one way:
1. Make a copy of the GENERIC kernel and add these lines to the GENERIC file in /usr/src/sys/i386/conf/
cp /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/SQUIRREL
vi /usr/src/sys/i386/conf/SQUIRREL
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
2. Change to the /usr/src directory:
cd /usr/src
3. Compile the kernel:
make buildkernel KERNCONF=SQUIRREL
While the kernel is compiling, do not interrupt the terminal
You can stop this process at anytime by pressing CTRL-C
Building a new kernel takes about two hours to complete with a quad 533mhz pentium III Xeon server. Don't give up even though the terminal may look like it has stopped.
4. Install the new kernel:
make installkernel KERNCONF=SQUIRREL
The new kernel should auto recognize ALL of the hardware devices on the working system, including multiple network cards. Connect to the internet however you connect to it through the first Ethernet device.
If you run into problems, remember ISPs use DHCP to assign new network addresses to customers unless you request a static IP.
1. First set up the DNS servers. Edit or create the file /etc/resolv.conf:
vi /etc/resolv.conf
search hsd1.va.comcast.net.
nameserver 68.87.73.242
nameserver 68.87.71.226
2. Use the ISP's windows software to register a new account like Comcast; this step is IMPERATIVE. For instance the Comcast cable modem switched network is FULL of windows computers and will not understand what you are doing at all; including but not limited to the help-desk technicians. If you are unsure about anything, ask the representative to GUIDE you through the WINDOWS installation regardless. Make sure you follow ALL of their instructions to the LETTER.
Then disconnect and change your network card's physical address to that of your windows machine:
START->RUN->"CMD"
C:\ipconfig /all
Physical Address. . . . . . . . . : 00-08-74-15-61-07
Write this address, 00-08-74-15-61-07, down somewhere.
Now edit the file /etc/rc.conf
vi /etc/rc.conf
ADD ALL THESE LINES AND REMOVE DUPLICATE ENTRIES IN THIS EXACT ORDER:
ifconfig_fxp0="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="SIMPLE"
natd_enable="YES"
alias_address="76.111.89.19"
natd_interface="fxp0"
hostname="freebsd.nvita.org"
ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
tcp_extensions="YES"
lpd_enable="YES"
natd_flags="-f /etc/natd.conf"
usbd_enable="YES"
Now that these services are registered to start at boot up reboot the FreeBSD computer; It won't know what vectors to use until it is rebooted:
Press CTRL-ALT-DELETE if you're still a windows person
OR
If I have thoroughly persuaded you type:
shutdown now
Press the ENTER key
#
Press the off button on the console
3. When the computer is rebooted, log in as root and manually request a DHCP lease from the ISP and check connectivity using lynx
Whooo @@!...
Physical Address. . . . . . . . . : 00-08-74-15-61-07
Did you get that from the ISP??
Now type:
ipfw -f flush
ifconfig fxp0 ether 00:08:74:15:61:07
dhclient fxp0
DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 4
DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 8
DHCPOFFER from 10.240.217.1
DHCPREQUEST on fxp0 to 255.255.255.255 port 67
DHCPACK from 10.240.217.1
bound to 76.111.89.19 -- renewal in 102668 seconds.
Now edit the file /etc/rc.firewall and input the new data into the integrated firewall sub-script. Find and replace the following lines under the SIMPLE section defined in rc.conf with the new data:
# set these to your outside interface network and netmask and ip
oif="fxp0"
onet="76.111.89.0"
omask="255.255.255.0"
oip="76.111.89.19"

# set these to your inside interface network and netmask and ip
iif="fxp1"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"
setup_loopback
This file is somewhat complex and difficult to read. rc.firewall is the built-in configurable firewall script included with the FreeBSD distribution. According to the entries made in order in rc.conf, rc.firewall will load entries into a program called ipfw. ipfw is the FreeBSD firewall control program. The previous modifications listed are the only necessary modifications to be made to the file so long as rc.conf is edited with the changes listed in order above. This is fairly exclusive; not many operating systems can do this straight away. The following example makes a working packet stateful firewall that forwards requests on the external interface to several machines on an internal interface. Enter the following in the SIMPLE section of /etc/rc.firewall:
# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 21 setup
${fwcmd} add pass tcp from any to ${oip} 22 setup
${fwcmd} add pass tcp from any to ${oip} 80 setup
${fwcmd} add pass tcp from any to ${oip} 87 setup
${fwcmd} add pass tcp from any to ${oip} 88 setup
${fwcmd} add pass tcp from any to ${oip} 8080 setup
${fwcmd} add pass tcp from any to ${oip} 31337 setup
${fwcmd} add fwd 192.168.0.3,87 tcp from ${oip} to any 87
${fwcmd} add fwd 192.168.0.6,80 tcp from ${oip} to any 88
${fwcmd} add fwd 192.168.0.3,80 tcp from ${oip} to any 31337
# Deny SMB shares and printer on external interface
${fwcmd} add deny tcp from any to ${oip} 139 in
${fwcmd} add deny tcp from any to ${oip} 445 in
${fwcmd} add deny tcp from any to ${oip} 515 in
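ipfw stops at the first rule that matches, and with IPFIREWALL_DEFAULT_TO_ACCEPT compiled in, the final catch-all rule allows whatever nothing else matched. The added sketch below (not part of the original page or of FreeBSD) walks only the pass/deny lines shown above for a new inbound TCP connection to ${oip}; the rest of the stock SIMPLE section and the fwd lines are not modeled, the function names are invented, and port 3306 is simply a sample port with no rule on the page.

```shell
#!/bin/sh
# Added example: first-match evaluation over the rule lines this page adds
# to the SIMPLE section. Only "pass/deny tcp from any to ${oip} PORT" is
# modeled; the catch-all policy is passed in as a parameter.

# The page's rule lines, verbatim. The heredoc is quoted so ${fwcmd} and
# ${oip} stay literal text.
page_rules() {
cat <<'EOF'
# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 21 setup
${fwcmd} add pass tcp from any to ${oip} 22 setup
${fwcmd} add pass tcp from any to ${oip} 80 setup
${fwcmd} add pass tcp from any to ${oip} 87 setup
${fwcmd} add pass tcp from any to ${oip} 88 setup
${fwcmd} add pass tcp from any to ${oip} 8080 setup
${fwcmd} add pass tcp from any to ${oip} 31337 setup
${fwcmd} add fwd 192.168.0.3,87 tcp from ${oip} to any 87
${fwcmd} add fwd 192.168.0.6,80 tcp from ${oip} to any 88
${fwcmd} add fwd 192.168.0.3,80 tcp from ${oip} to any 31337
# Deny SMB shares and printer on external interface
${fwcmd} add deny tcp from any to ${oip} 139 in
${fwcmd} add deny tcp from any to ${oip} 445 in
${fwcmd} add deny tcp from any to ${oip} 515 in
EOF
}

# verdict PORT DEFAULT
#   PORT    destination port of a new inbound TCP connection to ${oip}
#   DEFAULT "accept" (kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT) or "deny"
# Prints pass, deny, default-accept or default-deny.
verdict() {
    while read -r _cmd _add _action _proto _from _src _to _dst _dport _rest; do
        [ "$_add" = add ] || continue            # comments and other lines
        [ "$_proto" = tcp ] && [ "$_src" = any ] && [ "$_dst" = '${oip}' ] || continue
        [ "$_dport" = "$1" ] || continue
        case $_action in
            pass|allow) echo pass; return 0 ;;   # first match wins
            deny|drop)  echo deny; return 0 ;;
        esac
    done <<EOF
$(page_rules)
EOF
    echo "default-$2"                            # nothing matched
}

# open_ports DEFAULT PORT... -> the ports from the list that end up reachable.
open_ports() {
    _def=$1; shift
    _open=
    for _p in "$@"; do
        case $(verdict "$_p" "$_def") in
            pass|default-accept) _open="${_open}${_open:+ }$_p" ;;
        esac
    done
    echo "$_open"
}

# Demo: the same rule lines under both catch-all policies.
for policy in accept deny; do
    echo "final rule = $policy: reachable -> $(open_ports "$policy" 21 22 80 139 445 3306)"
done
```

On the running gateway, `ipfw list` shows the complete ruleset actually loaded, including the final rule 65535.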
Next it is very likely that once you have requested the DHCP lease address from the internet service provider's DHCP pool, that you will receive the same address issued to your MAC address:
00:08:74:15:61:07
Again please do not bother the internet service provider with extraneous information they do not understand; and their computers do not understand. Complete the windows installation FIRST; and every time you have a problem connecting.
Next test connectivity with the lynx web-browser. The lynx web-browser is not included by default. Use the pkg_add utility to install it from a remote source now that internet service is running via fxp0:
Type pkg_add -r lynx
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-release/Latest/lynx.tbz... Done.
Type lynx http://www.google.com
You should see a webpage:
Web Images Maps News Shopping Gmail more v Video Groups Books Scholar Finance Blogs YouTube Calendar Photos Documents Reader even more »
iGoogle | Sign in
Google
_______________________________________________________ Google Search I'm Feeling Lucky Advanced Search Preferences Language Tools
Advertising Programs - Business Solutions - About Google
©2008 Google
Now, the next step is tricky. We have to get natd to initialize on the interface by doing a DHCP request before it does anything else. The request will fail at boot time but the setup will not.
Edit /etc/rc.conf one more time but add the following entry at the very top:
ifconfig_fxp0="ether 00:08:74:15:61:07"
If natd fails for ANY reason it will not re-initialize. Add to but do not take away from it. Write an empty file: vi /etc/natd.conf ESC :wq! There are no logs.
Next issue the shutdown command from the SSH terminal but this time add the -r or reboot flag.
shutdown -r now
When the server reboots issue the following commands one more time:
ifconfig fxp0 ether 00:08:74:15:61:07
dhclient fxp0
Check connectivity using the lynx browser. You should now see a webpage without using the ipfw -f flush command. This means natd has been parsed correctly.
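/etc/rc.conf is read as a shell script, so when a variable is assigned twice the later line replaces the earlier one; with the steps above, ifconfig_fxp0 appears both at the very top and again as "DHCP". The added check below (not part of the original page) lists variables assigned more than once and confirms the effective value by sourcing the file in a subshell; the sample file is a constructed subset of the page's rc.conf lines and the function names are invented.

```shell
#!/bin/sh
# Added example: find rc.conf variables that are assigned more than once
# and show which value the rc scripts will actually see.

# write_sample FILE -> constructed subset of the rc.conf lines on this page,
# with the "ether" entry at the very top as the page instructs.
write_sample() {
cat > "$1" <<'EOF'
ifconfig_fxp0="ether 00:08:74:15:61:07"
ifconfig_fxp0="DHCP"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="SIMPLE"
natd_enable="YES"
natd_interface="fxp0"
ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.0"
natd_flags="-f /etc/natd.conf"
EOF
}

# rc_duplicates FILE -> one line per variable assigned more than once:
#   NAME lines=N1,N2,... effective=VALUE-OF-LAST-ASSIGNMENT
rc_duplicates() {
    awk '
        /^[ \t]*#/ { next }                                   # skip comments
        match($0, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/) {
            key = substr($0, RSTART, RLENGTH - 1)
            gsub(/[ \t]/, "", key)
            count[key]++
            where[key] = where[key] (where[key] == "" ? "" : ",") NR
            value[key] = substr($0, RSTART + RLENGTH)         # last one wins
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    printf "%s lines=%s effective=%s\n", k, where[k], value[k]
        }' "$1" | sort
}

# rc_effective FILE NAME -> value of NAME after the shell has read FILE.
# FILE must contain a slash (mktemp paths do), otherwise "." searches PATH.
rc_effective() {
    case $2 in ''|*[!A-Za-z0-9_]*) return 1 ;; esac           # plain names only
    ( . "$1" && eval "printf '%s\n' \"\${$2}\"" )
}

# Demo on the constructed sample.
demo_file=$(mktemp)
write_sample "$demo_file"
rc_duplicates "$demo_file"
echo "ifconfig_fxp0 as the rc scripts see it: $(rc_effective "$demo_file" ifconfig_fxp0)"
rm -f "$demo_file"
```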
The Client Server Model is simple. Don't make things hard on yourself.
There is a Client; and a Server ... I am talking to you; you are talking to me; now you are talking to me and I am listening. Talking at the same time is not productive at all. LOL
Each Server PROGRAM uses a "kernel" or matrices of data that in turn uses a language to communicate to the Client PROGRAM. That's it.. nothing special; CTRL-C
The most common language is TCP/IP; TCP/IP protocol uses what are called PORTS to accommodate 44529 Server PROGRAMS on any given KERNEL.
Each server program that has a running corresponding TCP/IP port can be viewed with the command:
netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address        (state)
tcp4       0      0 squirrel.squirre.8649   192.168.0.6.4505       TIME_WAIT
tcp4       0      0 squirrel.squirre.8649   192.168.0.6.4501       TIME_WAIT
tcp4       0      0 squirrel.squirre.8649   192.168.0.6.4497       TIME_WAIT
tcp4       0      0 squirrel.squirre.8649   192.168.0.6.4493       TIME_WAIT
tcp4       0      0 squirrel.squirre.8649   192.168.0.6.4489       TIME_WAIT
tcp4       0      0 squirrel.squirre.ssh    192.168.0.2.1261       ESTABLISHED
tcp4       0      0 squirrel.squirre.netbi  192.168.0.2.1030       ESTABLISHED
tcp4       0      0 *.ftp                   *.*                    LISTEN
tcp4       0      0 *.*                     *.*                    CLOSED
tcp46      0      0 *.http                  *.*                    LISTEN
This output details the gmond client on port 8649; the ssh server, the netbios SMB server (samba), the FTP server, and the Apache http server. Port nothing is closed. Standardized ports list their names instead of the port number. For example, ssh is port 22, netbios is port 139, ftp is port 21, and http is port 80.
top
  PID USERNAME THR PRI NICE   SIZE    RES STATE   TIME   WCPU COMMAND
64397 mysql      4  20    0 42548K 20396K kserel 42:36  0.00% mysqld
  282 root       1  96    0  2488K  1972K select 36:40  0.00% natd
In this example, 64397 is the "mysql" PID and 282 is the "natd" PID.
Press CTRL-C to exit the TOP program.
Server programs usually include startup and stop scripts. Each startup and stop script not incorporated by the FreeBSD server can be started at boot time by using astart.sh.
find / -name "astart.sh"
vi /usr/local/etc/rc.d/astart.sh
kldload accf_http
mount -t linprocfs linprocfs /compat/linux/proc
/usr/local/share/mysql/mysql.server
/usr/local/apache2/bin/apachectl start
/usr/local/sbin/apache-tomcat-6.0.18/bin/startup.sh
/usr/local/samba/sbin/smbd
/usr/local/samba/sbin/nmbd
/usr/local/bin/tor --runasdaemon 1
/usr/local/sbin/ganglia_gmond/ganglia-3.1.0/gmond/gmond --conf /usr/local/sbin/ganglia_gmond/ganglia-3.1.0/gmond/gmond.conf
To start a server process, use its control script. To stop a server process, use that very same control script.
For example to start a samba server:
/usr/local/etc/rc.d/samba.sh.sample start
To stop the samba server:
/usr/local/etc/rc.d/samba.sh.sample stop
To stop an internal process that does not incorporate a control script, view the output of the top program and issue the command:
kill -TERM processid
For example:
kill -TERM 64397
Some programs neither have a control script nor a PID that is listed by the top program. In this case, find the standardized .pid file created by the program that you want to stop. The .pid file only contains a PID number.
find / -name "*.pid"
/usr/local/sbin/ezbounce/ezbounce-1.04c/ezbounce.pid
/usr/local/sbin/mysql-5.0.51a-freebsd6.0-i386/data/c-98-204-175-23.hsd1.va.comcast.net.pid
/usr/local/apache2/logs/httpd.pid
/var/run/natd.pid
/var/run/devd.pid
/var/run/syslog.pid
/var/run/sshd.pid
/var/run/tor/tor.pid
/var/run/cron.pid
/var/run/smbd.pid
/var/run/nmbd.pid
/var/run/rinetd.pid
cat /usr/local/sbin/ezbounce/ezbounce-1.04c/ezbounce.pid
33047
kill -TERM 33047
rm -rf /usr/local/sbin/ezbounce/ezbounce-1.04c/ezbounce.pid
The process is started by its execution and is terminated by the kernel level command "kill".
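A guarded form of the .pid-file procedure above, as an added example that is not part of the original page. A .pid file can outlive its process, and the number in it may since have been reused by another program, so the check confirms what the PID belongs to before signalling as root. The function name stop_by_pidfile and its return codes are hypothetical; it assumes ps accepts -p and -o comm= (with /proc as a fallback).

```shell
#!/bin/sh
# Added example (not from the original page): stop a daemon from its .pid
# file only after checking that the PID still belongs to that daemon.
#
# stop_by_pidfile PIDFILE EXPECTED_COMMAND
#   returns 0  process was sent TERM and the pid file was removed
#           1  pid file missing, unreadable, or not a plain PID number
#           2  stale pid file (no such process); the file was removed
#           3  PID belongs to a different command; nothing was touched
stop_by_pidfile() {
    pidfile=$1
    expected=$2

    [ -f "$pidfile" ] && [ -r "$pidfile" ] || return 1

    # Use only the first line and drop whitespace; the file is expected
    # to contain nothing but the PID.
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')

    # Reject anything that is not purely digits, so file contents are
    # never interpreted as anything other than a process id.
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    # Never signal PID 0 (our own process group) or PID 1 (init).
    [ "$pid" -gt 1 ] || return 1

    # Signal 0 delivers nothing; it only tests that the process exists.
    if ! kill -0 "$pid" 2>/dev/null; then
        rm -f "$pidfile"
        return 2
    fi

    # Look up the command name that currently owns this PID.
    actual=$(ps -p "$pid" -o comm= 2>/dev/null) || actual=
    if [ -z "$actual" ] && [ -r "/proc/$pid/comm" ]; then
        actual=$(cat "/proc/$pid/comm")
    fi
    actual=$(printf '%s' "$actual" | tr -d '[:space:]')
    actual=${actual##*/}          # some ps versions print the full path

    # A recycled PID shows up here as a different command name.
    [ "$actual" = "$expected" ] || return 3

    kill -TERM "$pid" || return 1
    rm -f "$pidfile"
    return 0
}

# Usage with the page's paths, for example:
#   stop_by_pidfile /var/run/natd.pid natd
```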
While you are logged on as root, you can create additional users. Create a user named "squirrel". Optionally, this username can be the source directory for server programs like the samba SMB server.
Type in a console:
adduser
Username: squirrel
After each entry is complete press the ENTER key. The default entry is the ENTER key.
Full name: squirrel
Uid (Leave empty for default):
Login group [squirrel]:
Login group is squirrel. Invite squirrel into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]:
Home directory [/home/squirrel]:
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password: password
Enter password again: password
Lock out the account after creation? [no]:
Username : squirrel
Password : *****
Full Name : squirrel
Uid : 1005
Class :
Groups : squirrel
Home : /home/squirrel
Shell : /bin/sh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (squirrel) to the user database.
Add another user? (yes/no): no
Goodbye!
To login as "squirrel" type:
su -l squirrel
Login as root again:
su -l root
FreeBSD incorporates an "SMB" server that, like Windows, takes hours of deduction to make work efficiently as an "Active Directory". Input vectors and other factors contribute to a working Active Directory matrices. Ideally, eliminating SMB netbios broadcasts with a WINS server will drastically improve the efficiency of a small or very large network because every Windows user, believe it or not, makes a netbios broadcast at polled intervals, adding each new vector to the local or switched traffic.
To install the latest version of samba:
Type cd /usr/local/sbin/
Type lynx http://us3.samba.org/samba/ftp/stable/
Scroll down to the latest version. They are not listed in order by the latest version but by the version number from greatest, latest; least, older.
Select the latest version number in .tar.gz format
Press the enter button
Press the D key
Press the down arrow key to "Save to disk"
Press the enter key
Press the enter key
Press CTRL-C to exit the lynx program
Exiting via interrupt: 2 ...
gunzip samba-NN.tar.gz
Where NN equals the version number of the file name
tar -xvf samba-NN.tar
Go to the newly created directory
cd samba-NN
Go to the source directory
cd source
Compile samba:
./configure
make
make install
The newer version of samba does not include a default configuration file. The server(s) will look for the configuration file in:
/usr/local/samba/lib/smb.conf
Add all these lines to create a simple share level file server:
vi /usr/local/samba/lib/smb.conf
[global]
   interfaces = fxp1, 192.168.0.1/255.255.255.0
   workgroup = WSQUIRRELSERVER
   load printers = yes
   log file = /var/log/log.%m
   max log size = 50
   security = share
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[homes]
   comment = Home Directories
   browseable = yes
   writeable = yes
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = yes
   guest ok = no
   writeable = no
   printable = yes
[squirrel]
   comment = Webserver
   public = yes
   browseable = yes
   writeable = yes
   printable = no
   path = /usr/home/squirrel
The /usr/home/squirrel directory is the home directory of the user squirrel on the FreeBSD server.
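The configuration above uses share-level security and gives the [squirrel] share guest access together with write access, so any machine that can reach the server can write into /usr/home/squirrel without a user name. The following audit is an added example, not part of the original page or of Samba: the function names are hypothetical, page_conf reproduces the page's settings, and hardened_conf is a constructed alternative using user-level security and valid users.

```shell
#!/bin/sh
# Added example (not from the original page): flag share-level security
# and guest-writable shares in an smb.conf.

# audit_smb_conf FILE
#   prints one WARN line per finding; returns 1 if anything was flagged.
audit_smb_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function is_yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function is_no(v)  { v = tolower(v); return (v == "no" || v == "false" || v == "0") }
    function close_section() {
        # Evaluate a share only once all of its parameters have been read.
        if (section != "" && section != "global" && guest && writable) {
            print "WARN [" section "]: guest access combined with write access"
            findings++
        }
    }
    /^[ \t]*([#;]|$)/ { next }                 # comments and blank lines
    /^[ \t]*\[.*\]/ {                          # start of a new [section]
        close_section()
        section = $0
        sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
        section = tolower(trim(section))
        guest = 0; writable = 0
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        gsub(/[ \t]+/, " ", key)
        val = trim(substr($0, eq + 1))
        if (section == "global" && key == "security" && tolower(val) == "share") {
            print "WARN [global]: security = share (no per-user authentication)"
            findings++
        }
        # "public" is a synonym of "guest ok"; "writeable", "writable" and
        # "write ok" are inverted synonyms of "read only".
        if (key == "guest ok" || key == "public") guest = is_yes(val)
        if (key == "writeable" || key == "writable" || key == "write ok") writable = is_yes(val)
        if (key == "read only") writable = is_no(val)
    }
    END { close_section(); exit (findings > 0) }
    ' "$1"
}

# The relevant settings from the page's smb.conf.
page_conf() {
    cat <<'EOF'
[global]
   interfaces = fxp1, 192.168.0.1/255.255.255.0
   workgroup = WSQUIRRELSERVER
   security = share
[homes]
   browseable = yes
   writeable = yes
[printers]
   path = /var/spool/samba
   guest ok = no
   writeable = no
   printable = yes
[squirrel]
   public = yes
   browseable = yes
   writeable = yes
   path = /usr/home/squirrel
EOF
}

# Constructed alternative (an assumption, not the page's configuration):
# per-user authentication, and the share limited to the squirrel account.
hardened_conf() {
    cat <<'EOF'
[global]
   interfaces = fxp1, 192.168.0.1/255.255.255.0
   workgroup = WSQUIRRELSERVER
   security = user
[homes]
   browseable = no
   writeable = yes
[squirrel]
   path = /usr/home/squirrel
   guest ok = no
   valid users = squirrel
   writeable = yes
EOF
}

# Usage: audit_smb_conf /usr/local/samba/lib/smb.conf
```

With security = user the squirrel account needs a Samba password (smbpasswd -a squirrel) before it can connect.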
Next make sure you are logged in as root and assign the top level directory specified in the path directive of smb.conf to the nobody group. The "." means the top level directory.
cd /usr/home/squirrel
chown nobody .
dr-xr-xr-x 5 nobody operator 512 Mar 14 2007 .
drwxr-xr-x 4 root wheel 512 Mar 1 2007 ..
Assign the secondary dir ".." to root.wheel:
chown root ..
chgrp wheel ..
Now the user squirrel has access to his or her files via the Samba SMB share level server.
Next create the "pub" directory
mkdir /usr/home/squirrel/pub
chown nobody /usr/home/squirrel/pub
The pub directory will store all of the user ~squirrel 's web server documents.
The nobody group does not exist so no one has rights to write to it but the samba server.
Start the samba server:
/usr/local/samba/sbin/smbd
/usr/local/samba/sbin/nmbd
Now that the samba server is complete, you can configure the client workstations:
Left click "My Computer" on the Windows workstation "desktop" such that it appears to turn BLUE in color. Next, right click the highlighted area. A "drop down menu" will appear.
Left click "Map Network Drive"
A "Dialogue" Box will appear:
Left click the check box "Reconnect at logon"
A check mark will appear.
Next, click the "Browse.." button
A dialogue box will appear:
Double click "Microsoft Windows Network" such that it appears to turn BLUE in color and expands into directory tree.
Netbios broadcasts are turned on by default and the "Microsoft Windows Network" will expand into a directory tree that includes the SMB broadcast messages made by the samba server. The first 14 characters of the name specified in /etc/rc.conf will determine the name the samba includes in SMB broadcast messages.
/usr/local/etc/smb.conf specifies the name of the share windows computers will read. The name of the share we would like to access is "pub" a subfolder of the "squirrel" share specified in "/usr/local/etc/smb.conf"
Left click "pub" such that it appears to turn BLUE in color.
Click the "OK" button.
Click "Finish"
Windows will now display the contents of the samba share as a network drive.
Double left click "My Computer" on the windows desktop. You should see:
Now you have successfully configured your windows workstation!
You can now connect to the FreeBSD server from your Windows workstation by using an SSH2 program like Secure CRT and access network data from a Windows workstation easily.
What about a .com or a domain? Visit:
http://www.e3internet.com/ There you can buy a domain name that is updated by the .root DNS servers
http://www.godady.com Specializes in inexpensive domain names.
http://www.zoneedit.com/signup.html? Sign up for free to use their DNS servers to direct a domain like giantfood.nl to a cable modem
ROOT SERVERS NET IP ADDRESS <---> DNS SERVER <----> IP ADDRESS
Since it's impractical and not conical to use numbers to remember your favorite internet computer; domain names are names; furthermore remembering numbers and numerology is drastically different than phonetics. Microsoft.com is a domain. The difference is that there is a UNIVERSAL _root_servers RECORD which must be maintained and that is where the fee is involved; fees are different depending upon their schedule of services. This initial fee; for instance; the figure $5.95 /yr makes up any number of centralized services by the domain name solicitor to sell the computer name to you and successfully stay in contact with the universal world wide ROOT SERVERS NET. Obviously they are redundant; but having run a DNS server myself; it begins to cache the records it does have until it is restarted; then they are erased. How do you prove this? Run the command:
tcpdump -i fxp0 -nN -vvv -xX -s 1500 port 53 > dns_server
Very strange... If the output is compared and contrasted over several days you can conclude the "bind" DNS server while staying in contact with other DNS servers is DRASTICALLY more efficient.
It is therefore more advantageous to use a DNS server that has been sitting somewhere for years making billions of queries. However; recently, Network Solutions has made it nearly impossible to register your own DNS server. It used to be listed there in the automated forms; but is no longer there:
For instance: inverselog.com would be registered initially with the ROOT servers net by internic; then subsequent records held by network solutions would forward requests to your DNS server ns1.inverselog.com. The ns1.inverselog.com record would cache requests between you and network solutions and network solutions would cache requests with ROOT servers net and you could use ns1.inverselog.com and ns2.inverselog.com to register as many domain names as you want. So who runs ROOT servers net?
Aberdeen man!
Anyway, with a cable modem you still don't get a REVERSE delegation unless you need one; that's where it gets military; I guess it's ok with the TV. Oddly, if you have a dialup modem you can get a reverse DNS delegation. For instance all the requests sent to any other server on the internet will know that you ARE
giantfood.nl;
in this case with the cable modem YOU ARE
Type ifconfig fxp0
fxp0: flags=8843 mtu 1500
options=8
inet6 fe80::290:27ff:feac:85d4%fxp0 prefixlen 64 scopeid 0x1
inet 98.218.14.92 netmask 0xffffff00 broadcast 255.255.255.255
ether 00:08:74:15:61:07
media: Ethernet autoselect (100baseTX )
status: active
"98.218.14.92"
I told E3 internet who keeps up with incendiary .nl and .de domain name servers that my primary and secondary DNS servers are with free service, zoneedit.com
Next an exclusive UNIX program called Apache can serve as a "web server". The Apache webserver is exclusive because it can host what are called "Virtual Hosts" and "Proxy URL's".
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
Next, it is also advantageous to take advantage of Personal Home Page (PHP), an HTML-embedded scripting language. Along with the Apache project, it was originally designed for simple home page development. PHP has evolved to become an extended scripting language more capable than CGI (Common Gateway Interface) and SSI (Server Side Includes).
Thousands of scripts can be downloaded from around the entire world, which include any number of complex program structures. Collectively, you can design a PHP "script" which will leave you awestruck.
"Hot Scripts" is an excellent resource for many different kinds of PHP scripts.
http://www.hotscripts.com/PHP/Scripts_and_Programs/index.html
The Apache web server project has a contingency to become not only a server program that replies favorably to countless client software programs called web-browsers; but a project that delivers enhanced features. One of those features is the ability to use a secondary computer program to generate additional content. PHP uses the "DSO" "module"; a module is a flexible internal function of the Apache web server. CGI (Common Gateway Interface) uses the PERL program (Practical Extraction and Reporting Language). Both CGI and PHP can be used concurrently on an Apache web server.
In 1989, Tim Berners-Lee proposed to his employer CERN (European Organization for Nuclear Research) a new project, which had the goal of easing the exchange of information between scientists by using a hypertext system.
A Web-Server or "hypertext system", although inherently indicative of itself, allows scientists to draw their own conclusions more decisively. Wiki-pedia is an excellent example collection of current encyclopedia articles that are published on the world wide web from thousands of contributors.
Copyrights by Wiki-pedia and Cisco Systems and this Web-server are all a subset of nvita.org. Tim Berners-Lee and CERN; are a subset of Wiki-pedia. In grade school, it is generally known that copyrighted material from a text book or any other source whether it's copyrighted or not is to be summarized and or paraphrased to demonstrate a degree of comprehension. In this case however, things can become somatic and it is important to be decisive and move forward quickly. For example, in many movies people are thrown through glass windows. That's not real glass, it's glass made of sugar that can be easily broken right? Analysis and deduction IS complicated and in some cases carries with it serious consequences and sacrifices. If you have dedicated yourself to starring in an action film where you have been thrown through glass made of sugar, chances are you would remember it. Can you avoid being thrown through a real glass window by being thrown through a window made of sugar? You and I know; not she and he ... LOL
First download and unzip the latest version of Apache:
Type in a console:
cd /usr/local/sbin/
lynx http://httpd.apache.org/download.cgi
or lynx (press the G key) http://httpd.apache.org/download.cgi
Press the down arrow key to "httpd-2.2.8.tar.gz"
Press the enter button
Press the D key
Press the down arrow key to "Save to disk"
Press the enter key
Press the enter key
Press CTRL-C to exit the lynx program
Exiting via interrupt: 2 ...
gunzip httpd-2_0_NN.tar.gz
Where NN equals the version number of the file name
tar -xvf httpd-2_0_NN.tar
Type in a console:
lynx http://www.php.net/downloads.php
Press the "Y" key to allow all cookies
Press the down arrow key to select the latest version in tar.gz format:
Complete Source Code
PHP 5.2.5 (tar.gz)
Press the enter key
Press the down arrow key to select a download mirror:
us.php.net
Press the enter key
Press the down arrow key to "Save to disk"
Press the enter key
Press the enter key
Press CTRL-C to exit the lynx program
Exiting via interrupt: 2 ...
Type where NN equals the version number of the file name
gunzip php-NN.tar.gz
tar -xvf php-NN.tar
The Apache web server can load secure socket layer encryption as part of the 2.0 release, independent of what are called loadable modules. In order to use SSL, the --enable-ssl flag must be specified at the FreeBSD configure command line. This will compile the apache webserver with SSL. Loading the kernel with special arguments separate in features to the arrangement or order of reference specified by Apache in relation to the system kernel are null.
Type in a console where NN equals the version of the file:
cd httpd-2_0_NN
./configure --enable-so --enable-ssl
make all
make install
Next start the apache webserver:
/usr/local/apache2/bin/apachectl start
Next test the new server with the lynx browser:
lynx http://127.0.0.1
You should see "it worked" if it worked.
Press CTRL-C
Next stop the apache webserver:
/usr/local/apache2/bin/apachectl stop
Next it is also advantageous to take advantage of the MySQL server. The SQL server project is related to the PHP project in so much they work closely together in many different ways. Primarily, MySQL is offered under license with no cost. Like any project, improvements are always made and are released accordingly. However, its development can be linked all the way back to IBM in 1975. Using MySQL is frustrating and tedious, therefore it is tailored by many different operating system kernels as part of a new release.
Now, if you want to buy a pair of pants with a straight leg and no cuffs; buy a pair of DOCKERS . For example, it would be difficult to explain to the salesman that you want to buy pants with no alterations.
A 30-day evaluation version of MySQL server is free to download from the official MySQL website.
To install MySQL on FreeBSD, use the FreeBSD pkg_add command. pkg_delete deletes a package. pkg_add is also somewhat frustrating to use because if the kernel were updated, the correct repository is used automatically. However, if the FreeBSD kernel is outdated it will use an outdated source.
In a terminal .. type pkg_add -r mysql
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.1-release/Latest/mysql.tbz: File unavailable (e.g., file not found, no access)
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.1-release/Latest/mysql.tbz' by URL
Where's that mysql server?
Try:
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/All/mysql-server-4.0.27.tbz
First you must determine how many I nodes are free. I-nodes create directory entries on a disk partition; just like it is necessary to make sure a network cable is seated securely; a power cord is plugged into the power source firmly; (unplugging a power cord and plugging it back into THE power grid) or the RJ-45 wall plate has a connection to the local hub.
Type: df -hi
Filesystem iused ifree %iused Mounted on
/dev/aacd0s1a 4483 61307 7% /
devfs 0 0 100% /dev
/dev/aacd0s1e 3848 61942 6% /tmp
/dev/aacd0s1f 306459 2378467 11% /usr
/dev/aacd0s1d 282621 1 100% /var
The default is to create an inode for every (4 * frag-size) bytes of data space. If fewer inodes are desired, a larger number should be used; to create more inodes a smaller number should be given. One inode is required for each distinct file, so this value effectively specifies the average file size on the file system. You can see by the output of df we have only 1 I-node free on the /var file system. It is easy to say that we can agree and never change; but it is far better to know that we have lived than never loved.
The matrices reads; /var has only one inode free.
Type cd /var
mkdir shoes
/var: create/symlink failed, no inodes free
You can use google to find out what that means:
http://www.google.com/search?hl=en&q=%2Fvar%3A+create%2Fsymlink+failed%2C+no+inodes+free&btnG=Google+Search
The FIRST listing tells us more information about i-nodes:
http://lists.freebsd.org/pipermail/freebsd-questions/2004-May/045547.html
"Short-term, the solution is to delete some files off your /var partition."
Type ls -la /var/spool/clientmqueue
drwxrwx--- 2 smmsp smmsp 264 May 22 20:56 /var/spool/clientmqueue
How do you reproduce that entry if you delete it?
Try google:
http://www.google.com/search?hl=en&q=chmod+drwxrwx---&btnG=Google+Search
http://forums.macosxhints.com/archive/index.php/t-3359.html
"Whoops, sheer laziness and cut and paste got the best of me. Yes, my perms are thus:
drwxrwx--- 2 smmsp smmsp 264 May 22 20:56 /var/spool/clientmqueue
I figured that this:
"sendmail must be a set-group-ID (default group: smmsp, recommended gid: 25) program to allow for queueing mail in a group-writable directory"
meant that the perms on sendmail should be:
-r-xr-sr-x
not
-r-sr-xr-x
in order to be able to write to a group writable dir. Of course, I've done 'sudo chmod g-w /' anyway. Ow this unix 'ease of configuring' is making my head hurt. Ok, I ain't touchin nuthin, (until I do some post graduate studies in computer science and am able to understand the sendmail.org page) since sendmail is working. Thanks for the warning"
Now that we have a better idea of what to do about it:
Remove the queue directory and recreate it with the drwxrwx--- mode and the smmsp owner and group shown in the listing above:
Type rm -rf /var/spool/clientmqueue
Type mkdir /var/spool/clientmqueue
Type chmod 770 /var/spool/clientmqueue
Type chown smmsp /var/spool/clientmqueue
Type chgrp smmsp /var/spool/clientmqueue
df -hi
Filesystem iused ifree %iused Mounted on
/dev/aacd0s1a 4483 61307 7% /
devfs 0 0 100% /dev
/dev/aacd0s1e 3848 61942 6% /tmp
/dev/aacd0s1f 306459 2378467 11% /usr
/dev/aacd0s1d 217794 64828 77% /var
64,827 i-nodes were used by the queued files in clientmqueue.
Now that they are free type:
pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/All/mysql-server-4.0.27.tbz
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/All/mysql-server-4.0.27.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/All/mysql-client-4.0.27.tbz... Done.
mysql:*:1004:
You already have a group "mysql", so I will use it.
mysql:*:1004:1004::0:0:MySQL Server:/home/mysql:/bin/sh
You already have a user "mysql", so I will use it.
Mysql is now installed correctly.
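The inode exhaustion on /var worked through above can be caught before it blocks file creation. This is an added example, not part of the original page: inode_alert reads df -i style output and reports filesystems at or above a threshold, and inode_hogs counts directory entries to find a culprit such as clientmqueue. The function names and the 90% threshold are hypothetical, mount points are assumed to contain no spaces, and page_df_sample reproduces the first df listing from the page.

```shell
#!/bin/sh
# Added example (not from the original page): detect inode exhaustion
# and locate the directory responsible.

# inode_alert LIMIT   (reads `df -i` output on stdin)
#   prints "mount pct iused=N ifree=N" for every filesystem whose inode
#   usage is >= LIMIT percent; returns 1 if any filesystem was reported.
inode_alert() {
    awk -v limit="$1" '
    NR == 1 {
        # Find the inode-percentage column by its header name:
        # "%iused" on FreeBSD, "IUse%" on GNU df.
        for (i = 1; i <= NF; i++)
            if ($i == "%iused" || $i == "IUse%") pct_col = i
        next
    }
    pct_col {
        used = $(pct_col - 2)
        free = $(pct_col - 1)
        # Pseudo filesystems such as devfs report 0 inodes at 100%.
        if (used + free == 0) next
        pct = $pct_col
        sub(/%/, "", pct)
        if (pct + 0 >= limit + 0) {
            print $NF, $pct_col, "iused=" used, "ifree=" free
            hit = 1
        }
    }
    END { exit (hit ? 1 : 0) }'
}

# inode_hogs DIR [N]
#   prints "count path" for the N (default 5) immediate subdirectories of
#   DIR holding the most entries, largest first. Every file, directory
#   and symlink costs one inode, so the entry count approximates usage.
inode_hogs() {
    root=$1
    top=${2:-5}
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        # -xdev keeps find on the filesystem being examined.
        n=$(find "$d" -xdev | wc -l | tr -d ' ')
        printf '%s %s\n' "$n" "${d%/}"
    done | sort -rn | head -n "$top"
}

# The df -hi listing from the page, taken before the cleanup.
page_df_sample() {
    cat <<'EOF'
Filesystem iused ifree %iused Mounted on
/dev/aacd0s1a 4483 61307 7% /
devfs 0 0 100% /dev
/dev/aacd0s1e 3848 61942 6% /tmp
/dev/aacd0s1f 306459 2378467 11% /usr
/dev/aacd0s1d 282621 1 100% /var
EOF
}

# Usage on a live system:
#   df -i | inode_alert 90
#   inode_hogs /var/spool 5
```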
Now we can complete the PHP portion of the installation. PHP has a secondary library that can draw pictures in gif, jpeg, png and xpm formats dynamically. This project called "GD" is important to a large majority of different PHP scripts. GD can create dynamic images; images that do not need to be created by a secondary graphical interface program, but a few instructions to the FreeBSD kernel using the PHP language. PHP is not a standard access nomenclature like dynamic link libraries are to windows (.DLL) and many times will fail for one reason or another. Not very much attention is given to its limits. Like any library, GD is difficult to install and anything more than installing GD as far as PHP goes is extremely difficult. To get a head start by installing the GD library, there are pre-requisites:
Type where NN equals the version number of the file name:
cd /usr/local/sbin/
ftp ftp://ftp.uu.net/graphics/jpeg/jpegsrc.v6b.tar.gz
gunzip jpegsrc.v6b.tar.gz
tar -xvf jpegsrc.v6b.tar
cd jpeg-6b
./configure --enable-shared
make all
make install
cd /usr/local/sbin
lynx http://prdownloads.sourceforge.net/libpng/libpng-1.2.26.tar.gz?download
gunzip libpng-1.2.26.tar.gz
tar -xvf libpng-1.2.26.tar
cd libpng-1.2.26
./configure
make all
make install
cd /usr/local/sbin
ftp ftp://metalab.unc.edu/pub/Linux/libs/X/libXpm-4.7.tar.gz
gunzip libXpm-4.7.tar.gz
tar -xvf libXpm-4.7.tar
cd xpm-3.4g
xmkmf
make Makefiles
make includes
make depend
make
make install
cd /usr/local/sbin
lynx http://download.savannah.gnu.org/releases/freetype/freetype-2.3.5.tar.gz
gunzip freetype-2.3.5.tar.gz
tar -xvf freetype-2.3.5.tar
cd freetype-2.3.5
./configure
make all
make install
Now that all font libraries and additional libraries for different types of images have been installed, the GD project can be installed:
cd /usr/local/sbin
lynx http://www.libgd.org/releases/gd-2.0.35.tar.gz
gunzip gd-2.0.35.tar.gz
tar -xvf gd-2.0.35.tar
cd gd-2.0.35
./configure
After running the configure script you should see the following:
** Configuration summary for gd 2.0.34:
Support for PNG library: yes
Support for JPEG library: yes
Support for Freetype 2.x library: yes
Support for Fontconfig library: yes
Support for Xpm library: yes
Support for pthreads: yes
make all
make install
cd /usr/local/sbin
Type where NN equals the version number of the file name:
cd php-NN
Configure scripts have many options, most of those options can be found by scrolling through a .configure file.
ON ONE LINE type the following:
./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql --with-gd=/usr/local --enable-gd-native-ttf --with-jpeg-dir=/usr/local/lib --with-zlib-dir=/usr/local/lib --with-png-dir=/usr/local/lib --with-xpm-dir=/usr/local/lib --with-freetype-dir=/usr/local/lib
make all
make install
As you can see here, PHP has incorporated some of the GD project into its release version. Although it was originally named "GIF draw" the project is part of the PHP project which in turn is part of the C programming language developed in 1972 by Dennis Ritchie at the Bell Telephone Laboratories for use with the Unix operating system. C has since spread to many other platforms including FreeBSD.
Your PHP installation is now complete.
Next, to use a web server on an internal network with one IP address, there must be a catalyst to process the HTTP request by the external firewall. The Apache web server has a module to process a "Virtual Host" and an internal "Proxy".
To compile a PROXY module, "apxs" from the initial unzipped tarball directory will allow you to do this:
mod_proxy.so requires TWO source files:
cp /usr/local/sbin/httpd-2.2.8/modules/proxy/mod_proxy.c /usr/local/apache2/modules/mod_proxy.c
cp /usr/local/sbin/httpd-2.2.8/modules/proxy/proxy_util.c /usr/local/apache2/modules/proxy_util.c
Set the $apachehome directory so that the .c source files (independent of any local ./configure) do not need to be modified:
set apachehome=/usr/local/apache2/
Compile with apxs:
$apachehome/bin/apxs -i -a -c /usr/local/apache2/modules/*proxy*.c
Compile these additional modules with apxs:
cp /usr/local/sbin/httpd-2.2.8/modules/proxy/mod_proxy_http.c /usr/local/apache2/modules/mod_proxy_http.c
/usr/local/apache2/bin/apxs -i -a -c /usr/local/apache2/modules/mod_proxy_http.c
cp /usr/local/sbin/httpd-2.2.8/modules/filters/mod_deflate.c /usr/local/apache2/modules/mod_deflate.c
/usr/local/apache2/bin/apxs -i -a -c /usr/local/apache2/modules/mod_deflate.c
cp /usr/local/sbin/httpd-2.2.8/modules/metadata/mod_headers.c /usr/local/apache2/modules/mod_headers.c
/usr/local/apache2/bin/apxs -i -a -c /usr/local/apache2/modules/mod_headers.c
Now add these entries into httpd.conf and remove any duplicate entries:
LoadModule php5_module modules/libphp5.so
LoadModule proxy_module modules/mod_proxy.so
LoadFile /usr/lib/libz.so
AddOutputFilterByType DEFLATE application/x-javascript text/javascript text/css
LoadModule deflate_module modules/mod_deflate.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so
AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps
AddType image/gif .gif .GIF
AddType image/ief .ief
AddType image/jpeg .jpeg .jpg .jpe .JPG
AddType image/tiff .tiff .tif
AddType image/png .png .PNG
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>
<Directory /usr/local/apache2/icons/>
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alias /icons/ "/usr/local/apache2/icons/"
IndexOptions FancyIndexing +VersionSort
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
DocumentRoot /usr/local/apache2/htdocs
ProxyPass /novell/ http://192.168.0.6:80/web/
ProxyPassReverse /novell/ http://www.nvita.org:88/
<Directory /usr/home/squirrel/pub/cgi-bin/>
Options None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/usr/home/squirrel/pub/cgi-bin/"
NameVirtualHost *:80
The following entries are example entries:
<VirtualHost *:80>
ServerName 76.111.89.19
DocumentRoot "/usr/home/squirrel/pub"
Alias /space "/usr/home/squirrel/incoming"
AccessFileName .htaccess
</VirtualHost>
<VirtualHost *:80>
ServerName c-76-111-89-19.hsd1.va.comcast.net
DocumentRoot "/usr/home/squirrel/pub"
Alias /space "/usr/home/squirrel/incoming"
AccessFileName .htaccess
</VirtualHost>
<VirtualHost *:80>
ServerName www.inverselog.com
ServerAlias inverselog.com *.inverselog.com
DocumentRoot "/usr/home/squirrel/pub/blog/cmsmadesimple"
UseCanonicalName On
ProxyVia Off
ProxyPass /cpu/ http://192.168.0.6:80/web/
ProxyPassReverse /cpu/ http://www.inverselog.com:88/
AccessFileName .htaccess
</VirtualHost>
<VirtualHost *:80>
ServerName www.giantfood.nl
ServerAlias giantfood.nl *.giantfood.nl
UseCanonicalName On
ProxyVia Off
ProxyPass / http://192.168.0.3:80/
ProxyPassReverse / http://giantfood.nl:31337/
</VirtualHost>
<VirtualHost *:80>
ServerName www.nvita.org
ServerAlias nvita.org *.nvita.org
UseCanonicalName On
ProxyVia Off
ProxyPass / http://192.168.0.3:87/
ProxyPassReverse / http://www.nvita.org:87/
</VirtualHost>
Then you can start Apache with the commands:
kldload accf_http (the build reports an error if this command is not issued)
/usr/local/sbin/apache2/bin/apachectl start
In this scenario, Apache 2 acts as a PHP and MySQL enabled web server using a virtual host that forwards requests to a Microsoft Internet Information Server on an internal network. An article is also published about Internet Information Server on this website for more information.
Now you can take advantage of PHP and download some scripts. For example download and install the CMS made simple project. CMS made simple includes a content management system with user rights so friends and colleagues can edit selected pages directly on the website. The package is free and includes optional features as well as various themes.
cd /usr/home/squirrel/pub/blog
lynx http://dev.cmsmadesimple.org/frs/download.php/1928/cmsmadesimple-1.2.4.tar.gz
gunzip cmsmadesimple-1.2.4.tar.gz
tar -xvf cmsmadesimple-1.2.4.tar
Prepare MySQL server for first use:
/usr/local/bin/mysql_install_db
chown mysql /var/db/mysql/mysql
chown mysql /var/db/mysql/mysql/.
chown mysql /var/db/mysql/mysql/..
chown mysql /var/db/mysql/mysql/*
Start MySQL server:
/usr/local/share/mysql/mysql.server
Deny access to MySQL from external interface:
ipfw add deny tcp from any to 76.111.89.19 3306 in
Add the entry to /etc/rc.firewall:
${fwcmd} add deny tcp from any to ${oip} 3306 in
Set the root MySQL password:
mysqladmin -u root password yourpassword
Login to the MySQL server:
mysql -u root -p
Create a new database for CMS made simple:
mysql> create database inverselog;
mysql> grant usage on inverselog.* to root@localhost;
mysql> grant select, insert,delete on inverselog.* to root@localhost;
mysql> exit
Next, to install a PHP project, direct a browser to its install page to get started; most PHP projects provide one.
http://www.inverselog.com/install.php
Note that the lynx browser does not support dynamic HTML; just use your Windows terminal.
FreeBSD has what's called an FTP server. An FTP server allows files to be transferred from one computer to another on the internet. To configure FreeBSD to use an FTP server, it must be enabled in the file /etc/inetd.conf
Type vi /etc/inetd.conf
Press the ESC key
:ins
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
Press CTRL-C
Press the ESC key
:wq!
In the initial installation program, setup asked if anonymous access is allowed. This is an internal function that isolates the "ftp" user from the rest of the FreeBSD file structure. You may want to greet your visitors with a message to their client program.
Type vi /etc/ftpwelcome
Press the ESC key
:ins
Welcome to NVITA.ORG Northern Virginia Information Technology Association. Please upload to the "incoming" directory. All files will be made available to the public via http://www.nvita.org/space/
Press CTRL-C
:wq!
Next, although the FTP server can send files, ideally it should receive and store data too. However, it is fairly difficult to manage who may delete or upload which file on a computer. Since there is no convention to manage this, a simple rule system is put in place. In the following instance, everyone has the right to upload any file of any size and download any file of any size provided that they use the "incoming" directory. It is impossible to circumvent this convention because at any one time, everyone uses it.
The "incoming" directory can also be found on servers which store and forward developer software.
Ideally, you can also create a membership system that will allow registered users to freely upload and download with their own user names.
Create the incoming directory for the FreeBSD FTP server. This is not something to do in general; these instructions are specific to FreeBSD.
cd /var
rm -rf ftp
ln -s /usr/home/squirrel ftp
mkdir /usr/home/squirrel/incoming/
Create the etc directory.
mkdir /usr/home/squirrel/etc/
Isolate the etc directory from the ftp user.
chgrp wheel /usr/home/squirrel/etc/
Incorporate the ftp user into the anonymous filesystem.
chown root /usr/home/squirrel/incoming/
chgrp ftp /usr/home/squirrel/incoming/
chown root /usr/home/squirrel/incoming/..
chgrp ftp /usr/home/squirrel/incoming/..
chmod 5777 /usr/home/squirrel/incoming/
chgrp wheel /usr/home/squirrel
The operator group has access to the FTP server but the operator group does not have access to nobody.
drwxr-xr-x 5 root wheel 512 Apr 8 22:14 .
drwxr-xr-x 3 root wheel 512 Apr 6 17:50 ..
-rw-r--r-- 1 squirrel squirrel 751 Apr 6 17:50 .cshrc
-rw-r--r-- 1 squirrel squirrel 248 Apr 6 17:50 .login
-rw-r--r-- 1 squirrel squirrel 158 Apr 6 17:50 .login_conf
-rw------- 1 squirrel squirrel 373 Apr 6 17:50 .mail_aliases
-rw-r--r-- 1 squirrel squirrel 331 Apr 6 17:50 .mailrc
-rw-r--r-- 1 squirrel squirrel 766 Apr 6 17:50 .profile
-rw------- 1 squirrel squirrel 276 Apr 6 17:50 .rhosts
-rw-r--r-- 1 squirrel squirrel 975 Apr 6 17:50 .shrc
drwxr-xr-x 2 root wheel 512 Apr 8 22:14 etc
drwsrwxrwt 2 root ftp 512 Apr 8 22:09 incoming
drwxr-xr-x 8 nobody squirrel 2560 Apr 8 20:17 pub
An anonymous user can thereby upload to the incoming directory. The anonymous user cannot delete a file, only add to the incoming directory.
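A check for the layout above, as an added example that is not part of the original article: it reads an `ls -l` listing of the FTP root and reports which directories the anonymous account can write to, picking the owner, group or other permission triplet that applies to that account. The account name `ftp` and group `ftp` are assumptions; pass your own as the second and third argument.

```shell
#!/bin/sh
# Added example: flag risky modes in an `ls -l` listing of an anonymous FTP root.

# The three directory lines from the listing shown above.
FTP_ROOT_LISTING='drwxr-xr-x 2 root wheel 512 Apr 8 22:14 etc
drwsrwxrwt 2 root ftp 512 Apr 8 22:09 incoming
drwxr-xr-x 8 nobody squirrel 2560 Apr 8 20:17 pub'

# audit_listing LISTING [FTPUSER] [FTPGROUP]
# Prints "name: finding" for each directory with a finding.
# FTPUSER and FTPGROUP default to ftp/ftp, which is an assumption.
audit_listing() {
    printf '%s\n' "$1" | awk -v u="${2:-ftp}" -v g="${3:-ftp}" '
    substr($1, 1, 1) == "d" {
        mode = $1; owner = $3; group = $4; name = $NF
        # choose the permission triplet that applies to the FTP account
        if (owner == u)      t = substr(mode, 2, 3)
        else if (group == g) t = substr(mode, 5, 3)
        else                 t = substr(mode, 8, 3)
        can_r  = (substr(t, 1, 1) == "r")
        can_w  = (substr(t, 2, 1) == "w")
        sticky = (substr(mode, 10, 1) ~ /[tT]/)
        setuid = (substr(mode, 4, 1) ~ /[sS]/)
        if (can_w && can_r)   print name ": writable and listable by the FTP account"
        else if (can_w)       print name ": write-only drop box"
        if (can_w && !sticky) print name ": no sticky bit, uploads can be removed by other users"
        if (setuid)           print name ": setuid bit on a directory"
    }'
}

audit_listing "$FTP_ROOT_LISTING"
```

A directory reported as "writable and listable" lets any anonymous visitor see what any other visitor uploaded; "write-only drop box" is the mode where uploads are accepted but the directory cannot be listed.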
For example, the directory "????¤??3??§??" cannot be read by the FreeBSD DMZ, nor can the Apache web server read the file. This file structure was created by a Windows program called "Grims Ping". http://grimsping.cjb.net/ A Windows FTP client can also read the file placed on the web server. Although it may be interesting to collect these files and/or file structures, they can only be read by Windows computers. This resembles the behavior of waterboarding. Waterboarding is strictly taboo and is solely at the discretion of the FreeBSD administrator. For example, you may find ethnic groups to be closely knit communities: Chinatown, the diamond district, etc.
The FTP server can be STOPPED altogether by removing the entry in inetd.conf:
vi /etc/inetd.conf
Position the blinking cursor with the arrow keys at the beginning of the line:
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
Press the ESC key
:del
Press the ESC key
:ins
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
Press CTRL-C
Press the ESC key
:wq!
/usr/src/etc/rc.d/inetd stop
To start the FTP server type in a console:
/usr/src/etc/rc.d/inetd start
These settings are ideal for IRC users because every time you part or leave a channel the IRC server identifies your address to everyone in the channel. They can then visit your FTP server or your HTTP server.
Here is a greeting page I designed for users specified by IP address in httpd.conf. Click the following link to see my greeting page:
http://173.10.132.234
ServerName 173.10.132.234
DocumentRoot "/usr/home/squirrel/pub"
AccessFileName .htaccess
Since this address is typically variable, or dynamic, it must be updated every time a new IP address is issued.
Out of the thousands of programs for FreeBSD, if you want to IRC from your cell phone affordably, the Apache Tomcat server, which is closely related to many of the "Java" based programs that run on cell phones, is simple to install.
First you need to download the Java SE JRE, or Java Standard Edition Java Runtime Environment.
Type cd /usr/ports/distfiles/
lynx http://java.sun.com/javase/downloads/ea.jsp
Choose the distribution for the linux platform and save it in the /usr/ports/distfiles/ directory of your FreeBSD computer.
FreeBSD can run programs designed to work with Linux. The Linux program ldd included with FreeBSD can tell you what dependencies are needed to run a Linux program configured to run in the FreeBSD Linux subsystem.
Extract the files:
Type ./*.bin
A bin file will extract itself and begin to install the software contained inside of it.
Now use ldd to determine if the Linux executable "java" is configured to run correctly on your FreeBSD system:
Now that the JRE has been installed, just download Apache Tomcat, unzip it, and run it.
Type lynx http://tomcat.apache.org/download-60.cgi
In catalina.sh, just put the following entry at the top:
JAVA_HOME=/usr/ports/distfiles/jre1.6.0_10
Next, by default with no other modifications, tomcat will start correctly.
Type /usr/local/sbin/tomcat/apache-tomcat-6.0.10/bin/startup.sh
Sometimes the Java runtime build becomes volatile and does not agree with the operating system kernel. To create a control, files must be removed and then replaced.
Now check if Apache Tomcat has access to the external interface:
ipfw list
You should see:
02400 allow tcp from any to 76.111.89.19 dst-port 8080 setup
If you don't see a similar entry type:
ipfw add allow tcp from any to 76.111.89.19 dst-port 8080 setup
Add this entry to /etc/rc.firewall
${fwcmd} add allow tcp from any to ${oip} dst-port 8080 setup
lynx http://127.0.0.1:8080
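ipfw evaluates rules in ascending number order and stops at the first allow or deny that matches, so the 3306 deny rule from the MySQL section and the 8080 allow rule here only behave as intended if no earlier rule decides the packet first. The following added example (not part of the original article; the rulesets are constructed, and the parser covers only the simple rule shape shown on this page) reports which rule decides a new inbound connection:

```shell
#!/bin/sh
# Added example: first-match audit of `ipfw list` output. It understands only
# the rule shape used on this page:
#   NNNNN allow|deny tcp|ip from SRC to DST [dst-port] PORTS [in] [setup]

# Constructed rulesets; 76.111.89.19 is the example external address used on this page.
SAMPLE_RULES='00100 allow ip from any to any via lo0
02300 allow tcp from any to 76.111.89.19 dst-port 80 setup
02400 allow tcp from any to 76.111.89.19 dst-port 8080 setup
02500 deny tcp from any to 76.111.89.19 dst-port 3306 in
65535 deny ip from any to any'

# Same deny rule, but a broad allow was already in place ahead of it.
SHADOWED_RULES='02000 allow tcp from any to any
02500 deny tcp from any to 76.111.89.19 dst-port 3306 in
65535 deny ip from any to any'

# first_match RULES ADDR PORT
# Prints "NUMBER ACTION" for the first rule that the opening packet of a
# new inbound TCP connection from any outside host to ADDR:PORT would hit.
first_match() {
    printf '%s\n' "$1" | awk -v addr="$2" -v port="$3" '
    $2 == "allow" || $2 == "deny" {
        if ($3 != "tcp" && $3 != "ip" && $3 != "all") next
        if ($4 != "from" || $5 != "any") next   # rule limited to a specific source
        dest = ""; ports = ""; via = ""; est = 0
        for (i = 6; i <= NF; i++) {
            if ($i == "to") {
                dest = $(i + 1); j = i + 2
                if ($j == "dst-port") j++
                if ($j ~ /^[0-9][0-9,-]*$/) ports = $j
            }
            if ($i == "via") via = $(i + 1)
            if ($i == "established") est = 1
        }
        if (via == "lo0" || est) next           # loopback-only or not a new connection
        if (dest != "any" && dest != addr) next
        if (ports != "") {
            hit = 0; n = split(ports, p, ",")
            for (k = 1; k <= n; k++) {
                m = split(p[k], r, "-")          # single port or lo-hi range
                if (m == 1 && r[1] + 0 == port + 0) hit = 1
                if (m == 2 && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) hit = 1
            }
            if (!hit) next
        }
        print $1, $2
        exit
    }'
}

# check_port RULES ADDR PORT WANT: report the verdict, succeed only if it is WANT.
check_port() {
    verdict=$(first_match "$1" "$2" "$3")
    printf 'tcp/%s: %s (rule %s)\n' "$3" "${verdict#* }" "${verdict%% *}"
    [ "${verdict#* }" = "$4" ]
}

check_port "$SAMPLE_RULES" 76.111.89.19 3306 deny
check_port "$SAMPLE_RULES" 76.111.89.19 8080 allow
check_port "$SHADOWED_RULES" 76.111.89.19 3306 deny ||
    echo "the 3306 deny rule is shadowed by an earlier allow"
```

To audit a live system, pass the output of `ipfw list` as the first argument instead of the constructed samples.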
Another exclusive UNIX project is the TOR onion router. This will allow you to maintain anonymity in IRC sessions and/or Internet data with other servers. It is easy to install but it has dependencies.
config.c is missing a semicolon character
Run it:
/usr/local/bin/tor --runasdaemon 1
You have to create the tor config file in the specific directory:
vi /usr/local/etc/tor/torrc
Edit these lines:
RunAsDaemon 1
PidFile /var/run/tor/tor.pid
Then, when the server is running, it will connect to a pool of anonymous servers that act as gateways to any other place on the internet, such that the server receiving the connection request receives it through one of the servers in the pool, thus creating anonymity. Interestingly enough, these packets are not passed but recreated by the TOR server, like the food maker on Star Trek. Configure a client program such as Internet Explorer, mIRC or Firefox to use the TOR server under the "proxy" configuration section. The port the new TOR server will respond to is port 9050.
To get another TOR server, just kill the tor process by finding out what its process ID is in the "top" program:
top
PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
64397 mysql 4 20 0 42548K 20396K kserel 42:36 0.00% mysqld
282 root 1 96 0 2488K 1972K select 36:40 0.00% natd
In this example, 64397 is the "mysql" PID and 282 is the "natd" PID.
Press CTRL-C to exit the TOP program.
Then you will have to erase the pid file created independently by the TOR daemon (/var/run/tor/tor.pid). The pid file will also tell you what the process ID is:
cat /var/run/tor/tor.pid
kill -TERM PROCESSID
To remove any Microsoft entries from the use of your new Samba file server, type in the vi editor:
g/^M/s/// (the ctrl-m has to be entered with the key strokes CTRL-V followed by CTRL-M)
FreeBSD is a very viable, cost-effective solution to implement on a small or large scale and can be implemented in a few hours with new or used equipment. FreeBSD is particularly useful when large scale network deployments require licensing and/or very high overhead costs to deploy. Monitoring a test FreeBSD server for two years, FreeBSD has proven its reliability. However, the only bottleneck seems to lie with the Internet service provider used, where the Internet IP address has changed. If the IP address is changed "dynamically" there is less cost associated with maintaining the Internet service provider's equipment. Further, Internet service providers also save time and money by typically blocking inbound and outbound access to SMTP service, and even in some cases a local carrier, such as COX Cable in Fairfax County, Virginia, USA, will block HTTP service outbound. There are however several inexpensive "business" internet services reserved, which provide a static IP and other sophisticated automated services at your request. Although you don't really need any of those things, when dealing with computer equipment, it is good policy to always make sure you do things by the book. I recommend FreeBSD without any reservations.