Few years ago,
FreeBSD surprised me with its httpd performance compared to Redhat.
sockstat -c (netstat equiv.)
pciconf -lv (lspci equiv.)
kldstat (lsmod equiv.)
netstat -i (show interface errors)
Thanks to Sub for this one!
Edit /etc/freebsd-update.conf, then
freebsd-update fetch
freebsd-update install
Changing shell
Allowing users to su
# pw user mod some_user -G wheel
# groups some_user
Startup (rc)
FreeBSD does not use
InitV for system services. It uses BSD rc.conf. For example, to enable named on startup, put the following line to rc.conf
Next, write a rc script for starting / stopping. The following is a working example of tomcat
#!/bin/sh
. /etc/rc.subr
name="tomcat"
start_cmd="${name}_start"
stop_cmd="/usr/local/tomcat/bin/shutdown.sh"
extra_commands="version"
version_cmd="${name}_version"
tomcat_start() {
/usr/local/tomcat/bin/startup.sh
/usr/local/tomcat/bin/catalina.sh version
}
tomcat_version() {
/usr/local/tomcat/bin/catalina.sh version
}
load_rc_config $name
run_rc_command "$1"
Format new drives
You can do it via sysinstall, or from command line:
dd if=/dev/zero of=/dev/da3 bs=1k count=1
bsdlabel -Bw da3 auto
newfs -n -o time -U /dev/da3a > da3a-newfs.log
Disk upgrade
One can use the built-in dump / restore command to migrate a partition to another one. The process can take up to hours depending on your partition size. Here are the steps:
- Boot freebsd into single user mode by supplying boot -s to the boot loader
- Run sysinstall, do a fdisk on the new disk/partition
- Say the new partition is /dev/ad1s1, format the disk with the command newfs /dev/ad1s1
- Create the mount point for restore, say mkdir /mnt/usr
- Use this command to dump and restore ( dump -0f - /usr ) | ( cd /mnt/usr ; restore -rf - )
- Enable the filesystem by tunefs -n enable /dev/ad1s1
- Finally, modify /etc/fstab to point to the new slice
If fdisk is not working out, you can also try disklabel
- disklabel /dev/ad0s1
- disklabel -e /dev/ad0s1, edit the partition to change
- newfs -i 1024 /dev/ad0s1b (this is good. I's planing to use a partition to store the ports collection - which is a large amount of small files. The default 4096 inode size was giving me out of inode problems after the partition is ~250M/500M used. To get around it, use a smaller inode size.)
- edit /etc/fstab and mount
network settings
ifconfig_bge0="inet 1.2.3.4 netmask 255.255.255.0"
defaultrouter="1.2.3.254"
ifconfig_bge1="inet 10.0.0.135 netmask 255.255.255.0"
ifconfig_em0="inet 192.168.92.223 netmask 255.255.252.0"
ifconfig_bge0_alias0="inet 1.2.3.5 netmask 255.255.255.255"
#static routes
static_routes="backup00 backup01"
route_backup00="-net 192.168.12.0/24 192.168.92.1"
route_backup01="-net 192.168.31.0/24 192.168.92.1"
To restart networking
network tuning
kern.ipc.nmbclusters=64000
kern.ipc.maxsockbuf=8388608
net.inet.tcp.sendspace=3217968
net.inet.tcp.recvspace=3217968
Some more on that
* net.inet.tcp.msl=7500
net.inet.tcp.msl defines the Maximum Segment Life. This is the maximum amount of time to wait for an ACK in reply to a SYN-ACK or FIN-ACK, in milliseconds. If an ACK is not received in this time, the segment can be considered "lost" and the network connection is freed.
There are two implications for this. When you are trying to close a connection, if the final ACK is lost or delayed, the socket will still close, and more quickly. However if a client is trying to open a connection to you and their ACK is delayed more than 7500ms, the connection will not form. RFC 753 defines the MSL as 120 seconds (120000ms), however this was written in 1979 and timing issues have changed slightly since then. Today,
FreeBSD's default is 30000ms. This is sufficient for most conditions, but for stronger
DoS protection you will want to lower this to 7500, or maybe even less.
* net.inet.tcp.blackhole=2
net.inet.tcp.blackhole defines what happens when a TCP packet is received on a closed port. When set to '1', SYN packets arriving on a closed port will be dropped without a RST packet being sent back. When set to '2', all packets arriving on a closed port are dropped without an RST being sent back. This saves both CPU time because packets don't need to be processed as much, and outbound bandwidth as packets are not sent out.
* net.inet.udp.blackhole=1
net.inet.udp.blackhole is similar to net.inet.tcp.blackhole in its function. As the UDP protocol does not have states like TCP, there is only a need for one choice when it comes to dropping UDP packets. When net.inet.udp.blackhole is set to '1', all UDP packets arriving on a closed port will be dropped.
* net.inet.icmp.icmplim=50
The name 'net.inet.icmp.icmplim' is somewhat misleading. This sysctl controls the maximum number of ICMP "Unreachable" and also TCP RST packets that will be sent back every second. It helps curb the effects of attacks which generate a lot of reply packets.
* kern.ipc.somaxconn=32768
kern.ipc.somaxconn limits the maximum number of sockets that can be open at any one time. The default here is just 128. If an attacker can flood you with a sufficiently high number of SYN packets in a short enough period of time, all of your possible network connections will be used up, thus successfully denying your users access to the service.
# Then check w/
netstat -m
Useful commands
# Show listening daemons and ports
sockstat -4l
# Show system parameters (including memory size)
sysctl -a
# lspci equvalent
pciconf
# Mount iso
mdconfig -a -t vnode -f /data/home/X/Bex301_Unix1.iso -u 0
mdconfig -a -t vnode -f /data/home/X/Bex301_Unix2.iso -u 1
mount -t cd9660 /dev/md0 disc1
mount -t cd9660 /dev/md1 disc2
%%
There are no comments on this page. [Add comment]