|This document is available in: English Castellano ChineseGB Deutsch Francais Italiano Nederlands Russian Turkce|
by Georges Tarbouriech
About the author:
Georges is a long time Unix user. He is very fond of the free versions of this great system.
Yes, you are reading LinuxFocus! However, other free Unixes exist and
they are of much interest and full of great features. This article is an
overview of another free Unix: FreeBSD.
When talking about free Unixes, people always "think Linux". Sure, Linux is
widespread and everybody (or almost) has heard about it. The number of new users
keeps growing and the medias (either "specialized" or not) make much "noise"
around it. One of the main reason of this success comes from the fact that Linux
especially runs on Intel machines, that is the most widespread computer architecture. Of
course, it can run with many other processors, since one of the idea behind Unix
was "we don't care about processors". Nevertheless, Linux would probably not have been as
successful if developed for a more "confidential" processor, or, at least, it
would have taken much longer.
But free Unix is not limited to Linux: the BSD "family" is there too. There are three main flavors: FreeBSD, NetBSD and OpenBSD. BSD stands for Berkeley Software Distribution. If you want some more information about Unix history, you can take a look at article 176 (Be advised that this article does not talk about the differences between BSD and System V: a book would be necessary for that.)
Each flavor has something specific:
Like most of the free software, FreeBSD can be downloaded from the FreeBSD web site.
Obviously, this requires a fast connection. Don't worry: you can find CDs
everywhere in the world.
The present release (at the time of this writing) is 4.6. The article talks about the i386 release.
Installing FreeBSD from CD-ROM (or other) is simple... even if there is no graphical interface to do so! You will use ncurses instead. Just follow the instructions and FreeBSD ends on your hard disk. As usual, you will have to partition your hard disk, configure a few things such as networking or even your kernel (optional). Next you will meet sysinstall, a very good tool doing much of the install work, as the name says. Whether you install the whole bunch of packages or only some of them is your choice. You can add them at any time, anyway.
The management of packages is also obvious. You can use the pkg commands, like under Solaris, for instance, or you may prefer the ports. In short, the pkg commands are like rpm's or deb's for Linux, while the ports are archives to be compiled with make and make install. In other words: nothing complex or difficult.
Since we compare to Linux, let us add there is a Linux compatibility package that you should install: it will allow you to compile and run Linux applications.
Again, everything is obvious and, just in case, a very good handbook is provided, explaining each step. Furthermore this last exists in various languages.
Accordingly, there is no need to spend too much time on this matter.
Again, we will not be able to mention everything. The most important is to know
where the essential files are. As usual, you will find them in the /etc
directory. They are called rc.something and can manage many different parts:
general configuration, firewall, network, sysctl, etc.
The file rc.conf is an important one, since, as its name says, the configuration can be tuned there. In this file you can tell the system whether or not start some daemons (sshd, sendmail, etc), the type of your firewall, if you want to enable kernel secure level or not, if you want to enable IPv6 or not, etc. There are lot of options and you can see all of them in the defaults file surprisingly called /etc/defaults/rc.conf. Do not get confused: this file contains the default settings not examples. That is, the /etc/rc.conf overrides these default settings. In other words, do not copy the /etc/defaults/rc.conf file to /etc/rc.conf or do not try to change it. The changes must be done in /etc/rc.conf.
For information, the choices made from sysinstall are automatically included in /etc/rc.conf (network card configuration, hostname, secure level, etc).
A very important note: FreeBSD comes with no active services in /etc/inetd.conf. This means, at first start, the daemons managed from inetd are off by defaults. In my humble opinion, this should be compulsory for every Unix system. Good point, anyway!
The other rc files will allow you to configure either the firewall or the sysctl and many others. This, of course, leads us to FreeBSD tuning.
One of the finest tools for tuning is called sysctl (under Linux too!). You can use it from the
command line to define a specific value or you can write a sysctl.conf file
(recommended unless you use the command line for testing purposes).
For instance, if your machine is used as a gateway, sysctl can allow ip forwarding with the command sysctl -w net.inet.ip.forwarding=1. For better security you can check that the packets coming to an interface have the IP address corresponding to this interface with the command sysctl -w net.inet.ip.check_interface=1. You can control most of the behavior of your system using sysctl: check the man page. Obviously, if you want to write these into a sysctl.conf file, then just add the arguments without the sysctl command it self. The file uses the variable = value format. The above examples then become:
Of course, your own sysctl.conf file is supposed to hold more than two lines since it can control everything on kernel level, well, almost!
At the beginning of this article, we talked about secure levels. There are four different levels, from -1 to 3. -1 represents the insecure level and 3 represents the highest security level. It is recommended to understand what every level does before selecting one. Using levels other than -1 or 0 can lead to a system unable to work as you expect. The first drawback appears at level 1 since it can prevent you from properly using the X server. Neither can you load or unload kernel modules, for instance. You have been warned!
However, these high secure levels can be useful for a specific server needing high security. As a home user you should keep level 0, but it is up to you...
The chflags command is related to secure levels. Investigate this command, reading the man page: it is a very powerful one.
To continue with this would make a "securing FreeBSD" article, accordingly, let us go to the next chapter.
Let us assume that you just bought a FreeBSD 4.5 CD set. A few days later,
FreeBSD 4.6 is released. Bad luck!
Do not worry: FreeBSD comes with an upgrade system via CVS. You can use either anonymous CVS or CVSup. The first one is easier to use while the second one is more efficient. With these tools, the job consists of getting the new source tree and synchronize it.
Next, you will have to compile the whole new stuff using make buildworld. How to do this is quite well explained in the provided handbook. The important point is that this allows you to have a brand new system always up-to-date.
However, this is not the end of it. As always, as far as free software is concerned, vulnerabilities are found and very quickly solved. Unlike many proprietaries system where a vulnerability can stay unsolved for ever (and one day), people involved in free software react at the speed of light and provide you with patches. Obviously, it is your job to check what is going on. The FreeBSD web site has a security section holding advisories by release. There you can download .asc files (text files) telling you what you have to know: a description of the problem and its solution. Other web sites provide you with this information. Let us mention, for instance, linuxsecurity, CERT, etc.
This of course means you have to update your system.
You do not want to keep well known vulnerabilities in your system, do you ?
FreeBSD, like other free Unixes, provides you with patches.
Go and get these patches and apply them. For Linux users, the main difference comes from the fact that you do
not get a corrected package but a source patch instead. It means, that
you will have to recompile the kernel after having patched the source
code, this of course, implying the source code is installed on your machine.
This is true under Linux as well, but people often download the modified rpm
(for instance) at least for corrected applications, but also for patched kernel.
One of the most important difference between Linux and FreeBSD comes from the kernel. FreeBSD is based on BSD 4.4 and does not have various kernel versions like the Linux world. This means the kernel is a stable one but of course it becomes bigger through the time, being rather monolithic even if it can benefit from modules. The drawback is that you will have to compile your kernel more often than under Linux if you want to keep your system as secure as possible.
Anyway, I much prefer this philosophy than the Linux one but this is only my opinion. I do not think that having, let us say, 3 different kernels "on the work" can lead to stability. Not even to mention the applications that have to be "ported" from one version to the other, especially the one focusing on security. Another example could be the packet filtering system: 3 kernel versions, 3 different packet filtering software! And so on.
I have very much respect for the people doing this great job, but is it the right way to do things. Improvement is always a need but is it coherent to changing everything all the time? Never mind!
Obviously, you also can compile a new kernel to make it match your needs... and that time it is like under Linux. The way to do this is very well detailed in the handbook, so let us go to something else.
As already said, a vast majority of free software applications (if not all)
works under FreeBSD. You do not need the above mentioned ports or packages. You
can compile most of the available archives, whatever the software type.
For the desktop environments addicts, Gnome and KDE are available... and are included in the distribution. Same for the window managers. The great GNUstep framework also works very well under FreeBSD. To compile it you need a newer gcc version than the one included in the distribution: no problem! Just get the corresponding archive and compile the new compiler. Obviously, the GNUstep applications such as GNUMail.app, Gorm.app or ProjectBuider.app work fine too.
Really, all the software you run under Linux is available for FreeBSD... and there are many others!
For example, FreeBSD comes with a bunch of tools regarding security. Monitoring tools, managing tools, etc, are part of the distribution.
Firewalls, proxies, port scanners, IDS, etc, are also available. For instance, you can choose between IPsec or ipfw. You can use nessus, nmap, portsentry, etc. Again, most of them are part of the distribution and nothing prevents you from getting and compiling the latest versions.
We already talked about desktop environments or window managers but we did not say a word about what they require to be able to run: the X Window System. XFree 4.* is now the default. For information, till FreeBSD 4.5, XFree 3.* was the default. That is, you had XFree 4.* in the distribution but the install process used to select XFree 3.*. Now, XFree 4.* is the default but you can still use version 3.* if you prefer.
Since we are talking about the i386 release, let us say most of the hardware
available works under FreeBSD, even when it is a bit old. For instance an old
3Com combo network card will work fine as soon as you define the media type in
the ifconfig command. If you use a BNC connection, enough to add media
10base2/BNC at the end of the ifconfig line in /etc/rc.conf.
Same for some old graphic cards: using XFree 4.* will solve most of the problems. This is particularly true for rather old ATI cards.
Anyway, to be sure you can consult the Hardware notes on the FreeBSD website.
We already mentioned a few tools such as firewalls, port scanners, etc. FreeBSD
comes with many other security tools. OpenSSH, OpenSSL, Kerberos, MD5, etc, are
part of the distribution. As usual, you cannot live without those tools, and of
course, again, you have to check for eventual vulnerabilities.
A recent example shows the importance of being very careful. Let us say that you are advised that a vulnerability has been discovered in OpenSSH, for example. The right behavior is to go to the home web site and download the corrected version.
Yes, but it is not enough! Please, do control the checksum of the package.
The example of OpenSSH has not be taken arbitrarily: a few weeks ago, someone replaced the original archive with a corrupt one. As usual, people at OpenSSH reacted quite fast. However, users having downloaded the package in this short lapse of time without verifying the checksum have installed a "bad" version. Hence, the need of using checksum... and the need of controlling it.
Even if it is out of the scope of this article, let us insist on the point that security, is before all a behavior.
Networking under FreeBSD is quite evolved. The IPv6 implementation is very well
done. The new means of communication are not left aside. If you use ADSL
or cable modems, configuration is very easy.
Many ISP use PPPoE today. FreeBSD manages this in a very simple way: a few lines in the ppp.conf file will do the trick. For PPPoA (ATM), only the Alcatel modem is supported at the moment. This should change in a very near future (perhaps, there are already other supported modems).
The provided handbook is not the only documentation available. You can also find a FAQ, an install guide, etc, on the FreeBSD website. Another important source of information can be found at http://www.freebsd-howto.com.
This is a very short overview of FreeBSD. This system, like the other free
Unixes is a very interesting one. It has many great features and really deserves
a try. Unfortunately this article cannot be a full review and lots of important
features have not even been mentioned.
FreeBSD will require some more Unix knowledge than some "Windowish" Linux distributions but it remains quite easy to use.
Of course, someone with no Unix knowledge at all may get into trouble, since one will often have to recompile the kernel after updating the system. However, this is a good way to learn, even if it can take "some" time. People today seem to have forgotten that, at the beginning, Unix was made by developers for developers, not for the home user or the normal user.
Luckily free and proprietary Unixes changed the original approach. Thanks to the many developers who made this possible. In the 80's, most of the today Linux users would have run away from Unix, only because of the installation process. The distributions were coming on tapes and the install phase could last a whole working day, the configuration process requiring at least another day. Not to mention the configuration of applications! And today, you can use Unix without even knowing it, with systems like Mac OS X. This was already true at the beginning of the 90's with OS X "father", NeXTstep.
This may seem off-topic, nevertheless NeXTstep lead the way for free and proprietary Unixes... and a few others! Bringing Unix to the home user was a challenge and at least, it happened. Congratulations to all the people involved in this challenge, whether they worked for money or for free. The ones working for free deserve a special mention and many more thanks ;-)
The fact that FreeBSD "shares" with Apple looks very good to me. Each one benefits from the other in the right way. Proprietary software always used free software... without "shouting" it too loud. Apple says openly that they use free software and so does SGI. Some others seem to do the same... but with ulterior motive. Anyway, I keep thinking that there is "room" for all... well, except for those who want the whole "room".
The "noise" about Linux keeps other free Unixes in the dark: so far, so good. This can have a bright side... and this is the main reason why I use FreeBSD. Of course, I keep using Linux (and many others): I like diversity!
If you feel like giving FreeBSD a try, this article will not be useless. Test it by yourself and you will discover the bunch of things not mentioned here.
I told you: we are living in a great time!
Webpages maintained by the LinuxFocus Editor team
© Georges Tarbouriech , FDL
Click here to report a fault or send a comment to LinuxFocus
2002-08-31, generated by lfparser version 2.29