Chapter 2 Installation

Nik Clayton
2.1. Which file do I download to get FreeBSD?
2.2. What do I do if the floppy images do not fit on a single floppy?
2.3. Where are the instructions for installing FreeBSD?
2.4. What do I need in order to run FreeBSD?
2.5. I have only 4 MB of RAM. Can I install FreeBSD?
2.6. How can I make my own custom install floppy?
2.7. Can I have more than one operating system on my PC?
2.8. Can Windows 95/98 co-exist with FreeBSD?
2.9. Windows 95/98 killed my boot manager! How do I get it back?
2.10. My A, T, or X series IBM Thinkpad locks up when I first booted up my FreeBSD installation. How can I solve this?
2.11. Can I install on a disk with bad blocks?
2.12. Strange things happen when I boot the install floppy! What is happening?
2.13. I booted from my ATAPI CDROM, but the install program says no CDROM is found. Where did it go?
2.14. Why can I not install from tape?
2.15. Can I install on my laptop over PLIP (Parallel Line IP)?
2.16. Which geometry should I use for a disk drive?
2.17. Are there any restrictions on how I divide the disk up?
2.18. Is FreeBSD compatible with any disk managers?
2.19. When I boot FreeBSD I get ``Missing Operating System''. What is happening?
2.20. Why can I not get past the boot manager's F? prompt?
2.21. Do I need to install the complete sources?
2.22. Do I need to build a kernel?
2.23. Should I use DES passwords, or MD5, and how do I specify which form my users receive?
2.24. Why does the boot floppy start, but hang at the Probing Devices... screen?
2.25. Why do I get a ``panic: can't mount root'' error when rebooting the system after installation?
2.26. What are the limits for memory?
2.27. What are the limits for ffs filesystems?
2.28. How can I put 1TB files on my floppy?
2.29. Why do I get an error message, ``archsw.readin.failed'' after compiling and booting a new kernel?
2.30. How do I upgrade from 3.X -> 4.X?
2.31. What are these ``security profiles''?

2.1. Which file do I download to get FreeBSD?

Prior to release 3.1, you only needed one floppy image to install FreeBSD, namely floppies/boot.flp. However, since release 3.1 the Project has added base support for a wide variety of hardware which needed more space, and thus for 3.x and 4.x we now use two floppy images, namely floppies/kernel.flp and floppies/mfsroot.flp. These images need to be copied onto floppies by tools like fdimage or dd(1).

If you need to download the distributions yourself (for a DOS filesystem install, for instance), below are some recommendations for distributions to grab:

  • bin/

  • manpages/

  • compat*/

  • doc/

  • src/ssys.*

Full instructions on this procedure and a little bit more about installation issues in general can be found in the Handbook entry on installing FreeBSD.

2.2. What do I do if the floppy images do not fit on a single floppy?

A 3.5 inch (1.44MB) floppy can accommodate 1474560 bytes of data. The boot image is exactly 1474560 bytes in size.

Common mistakes when preparing the boot floppy are:

  • Not downloading the floppy image in binary mode when using FTP.

    Some FTP clients default their transfer mode to ascii and attempt to change any end-of-line characters received to match the conventions used by the client's system. This will almost invariably corrupt the boot image. Check the size of the downloaded boot image: if it is not exactly that on the server, then the download process is suspect.

    To work around this, type binary at the FTP command prompt after getting connected to the server and before starting the download of the image.

  • Using the DOS copy command (or equivalent GUI tool) to transfer the boot image to floppy.

    Programs like copy will not work as the boot image has been created to be booted into directly. The image has the complete content of the floppy, track for track, and is not meant to be placed on the floppy as a regular file. You have to transfer it to the floppy ``raw'', using the low-level tools (e.g. fdimage or rawrite) described in the installation guide to FreeBSD.

2.3. Where are the instructions for installing FreeBSD?

Installation instructions can be found in the Handbook entry on installing FreeBSD.

2.4. What do I need in order to run FreeBSD?

You will need a 386 or better PC, with 5 MB or more of RAM and at least 60 MB of hard disk space. It can run with a low end MDA graphics card but to run X11R6, a VGA or better video card is needed.

See also Chapter 3.

2.5. I have only 4 MB of RAM. Can I install FreeBSD?

FreeBSD 2.1.7 was the last version of FreeBSD that could be installed on a 4MB system. Newer versions of FreeBSD, like 2.2, need at least 5MB to install on a new system.

All versions of FreeBSD, including 3.0, will run in 4MB of RAM, they just cannot run the installation program in 4MB. You can add extra memory for the install process, if you like, and then after the system is up and running, go back to 4MB. Or you could always just swap your disk into a system which has >4MB, install onto it and then swap it back.

There are also situations in which FreeBSD 2.1.7 will not install in 4 MB. To be exact: it does not install with 640 kB base + 3 MB extended memory. If your motherboard can remap some of the ``lost'' memory out of the 640kB to 1MB region, then you may still be able to get FreeBSD 2.1.7 up.

Try to go into your BIOS setup and look for a ``remap'' option. Enable it. You may also have to disable ROM shadowing.

It may be easier to get 4 more MB just for the install. Build a custom kernel with only the options you need and then get the 4MB out again.

You may also install 2.0.5 and then upgrade your system to 2.1.7 with the ``upgrade'' option of the 2.1.7 installation program.

After the installation, if you build a custom kernel, it will run in 4 MB. Someone has even succeeded in booting with 2 MB (the system was almost unusable though :-))

2.6. How can I make my own custom install floppy?

Currently there is no way to just make a custom install floppy. You have to cut a whole new release, which will include your install floppy.

To make a custom release, follow the instructions here.

2.7. Can I have more than one operating system on my PC?

Have a look at The multi-OS page.

2.8. Can Windows 95/98 co-exist with FreeBSD?

Install Windows 95/98 first, after that FreeBSD. FreeBSD's boot manager will then manage to boot Win95/98 and FreeBSD. If you install Windows 95/98 second, it will boorishly overwrite your boot manager without even asking. If that happens, see the next section.

2.9. Windows 95/98 killed my boot manager! How do I get it back?

You can reinstall the boot manager FreeBSD comes with in one of three ways:

  • Running DOS, go into the tools/ directory of your FreeBSD distribution and look for bootinst.exe. You run it like so:

        ...\TOOLS> bootinst.exe boot.bin
    

    and the boot manager will be reinstalled.

  • Boot the FreeBSD boot floppy again and go to the Custom installation menu item. Choose Partition. Select the drive which used to contain your boot manager (likely the first one) and when you come to the partition editor for it, as the very first thing (e.g. do not make any changes) select (W)rite. This will ask for confirmation, say yes, and when you get the Boot Manager selection prompt, be sure to select ``Boot Manager''. This will re-write the boot manager to disk. Now quit out of the installation menu and reboot off the hard disk as normal.

  • Boot the FreeBSD boot floppy (or CDROM) and choose the ``Fixit'' menu item. Select either the Fixit floppy or CDROM #2 (the ``live'' file system option) as appropriate and enter the fixit shell. Then execute the following command:

        Fixit# fdisk -B -b /boot/boot0 bootdevice
    

    substituting bootdevice for your real boot device such as ad0 (first IDE disk), ad4 (first IDE disk on auxiliary controller), da0 (first SCSI disk), etc.

2.10. My A, T, or X series IBM Thinkpad locks up when I first booted up my FreeBSD installation. How can I solve this?

A bug in early revisions of IBM's BIOS on these machines mistakenly identifies the FreeBSD partition as a potential FAT suspend-to-disk partition. When the BIOS tries to parse the FreeBSD partition it hangs.

According to IBM[1], the following model/BIOS release numbers incorporate the fix.

Model    BIOS revision
T20      IYET49WW or later
T21      KZET22WW or later
A20p     IVET62WW or later
A20m     IWET54WW or later
A21p     KYET27WW or later
A21m     KXET24WW or later
A21e     KUET30WW

It has been reported that later IBM BIOS revisions may have reintroduced the bug. This message from Jacques Vidrine to the FreeBSD laptop computer mailing list describes a procedure which may work if your newer IBM laptop does not boot FreeBSD properly, and you can upgrade or downgrade the BIOS.

If you have an earlier BIOS, and upgrading is not an option, a workaround is to install FreeBSD, change the partition ID FreeBSD uses, and install new boot blocks that can handle the different partition ID.

First, you will need to restore the machine to a state where it can get through its self-test screen. Doing this requires powering up the machine without letting it find a FreeBSD partition on its primary disk. One way is to remove the hard disk and temporarily move it to an older ThinkPad (such as a ThinkPad 600) or a desktop PC with an appropriate conversion cable. Once it is there, you can delete the FreeBSD partition and move the hard disk back. The ThinkPad should now be in a bootable state again.

With the machine functional again, you can use the workaround procedure described here to get a working FreeBSD installation.

  1. Download boot1 and boot2 from http://people.freebsd.org/~bmah/ThinkPad/. Put these files somewhere you will be able to retrieve them later.

  2. Install FreeBSD as normal on to the ThinkPad. Do not use Dangerously Dedicated mode. Do not reboot when the install has finished.

  3. Either switch to the ``Emergency Holographic Shell'' (ALT+F4) or start a ``fixit'' shell.

  4. Use fdisk(8) to change the FreeBSD partition ID from 165 to 166 (this is the type used by OpenBSD).

  5. Bring the boot1 and boot2 files to the local filesystem.

  6. Use disklabel(8) to write boot1 and boot2 to your FreeBSD slice.

        # disklabel -B -b boot1 -s boot2 ad0sn
    

    n is the number of the slice where you installed FreeBSD.

  7. Reboot. At the boot prompt you will be given the option of booting OpenBSD. This will actually boot FreeBSD.

Getting this to work in the case where you want to dual boot OpenBSD and FreeBSD on the same laptop is left as an exercise for the reader.

2.11. Can I install on a disk with bad blocks?

Prior to 3.0, FreeBSD included a utility known as bad144, which automatically remapped bad blocks. Because modern IDE drives perform this function themselves, bad144 has been removed from the FreeBSD source tree. If you wish to install FreeBSD 3.0 or later, we strongly suggest you purchase a newer disk drive. If you do not wish to do this, you must run FreeBSD 2.x.

If you are seeing bad block errors with a modern IDE drive, chances are the drive is going to die very soon (the drive's internal remapping functions are no longer sufficient to fix the bad blocks, which means the disk is heavily corrupted); we suggest you buy a new hard drive.

If you have a SCSI drive with bad blocks, see this answer.

2.12. Strange things happen when I boot the install floppy! What is happening?

If you are seeing things like the machine grinding to a halt or spontaneously rebooting when you try to boot the install floppy, here are three questions to ask yourself:

  1. Did you use a new, freshly-formatted, error-free floppy (preferably a brand-new one straight out of the box, as opposed to the magazine coverdisk that has been lying under the bed for the last three years)?

  2. Did you download the floppy image in binary (or image) mode? (do not be embarrassed, even the best of us have accidentally downloaded a binary file in ASCII mode at least once!)

  3. If you are using Windows95 or Win98 did you run fdimage or rawrite in pure DOS mode? These OS's can interfere with programs that write directly to hardware, which the disk creation program does; even running it inside a DOS shell in the GUI can cause this problem.

There have also been reports of Netscape causing problems when downloading the boot floppy, so it is probably best to use a different FTP client if you can.

2.13. I booted from my ATAPI CDROM, but the install program says no CDROM is found. Where did it go?

The usual cause of this problem is a mis-configured CDROM drive. Many PCs now ship with the CDROM as the slave device on the secondary IDE controller, with no master device on that controller. This is illegal according to the ATAPI specification, but Windows plays fast and loose with the specification, and the BIOS ignores it when booting. This is why the BIOS was able to see the CDROM to boot from it, but why FreeBSD cannot see it to complete the install.

Reconfigure your system so that the CDROM is either the master device on the IDE controller it is attached to, or make sure that it is the slave on an IDE controller that also has a master device.

2.14. Why can I not install from tape?

If you are installing 2.1.7R from tape, you must create the tape using a tar blocksize of 10 (5120 bytes). The default tar blocksize is 20 (10240 bytes), and tapes created using this default size cannot be used to install 2.1.7R; with these tapes, you will get an error that complains about the record size being too big.

2.15. Can I install on my laptop over PLIP (Parallel Line IP)?

Connect the two computers using a Laplink parallel cable to use this feature:

Table 2-1. Wiring a parallel cable for networking

A-name    A-End    B-End    Descr.    Post/Bit
DATA0     2        15       Data      0/0x01
-ERROR    15       2                  1/0x08
DATA1     3        13       Data      0/0x02
+SLCT     13       3                  1/0x10
DATA2     4        12       Data      0/0x04
+PE       12       4                  1/0x20
DATA3     5        10       Strobe    0/0x08
-ACK      10       5                  1/0x40
DATA4     6        11       Data      0/0x10
BUSY      11       6                  1/0x80
GND       18-25    18-25    GND       -

See also this note on the Mobile Computing page.

2.16. Which geometry should I use for a disk drive?

Note: By the ``geometry'' of a disk, we mean the number of cylinders, heads and sectors/track on a disk - I will refer to this as C/H/S for convenience. This is how the PC's BIOS works out which area on a disk to read/write from.



This seems to cause a lot of confusion for some reason. First of all, the physical geometry of a SCSI drive is totally irrelevant, as FreeBSD works in terms of disk blocks. In fact, there is no such thing as ``the'' physical geometry, as the sector density varies across the disk - what manufacturers claim is the ``physical geometry'' is usually the geometry that they have worked out results in the least wasted space. For IDE disks, FreeBSD does work in terms of C/H/S, but all modern drives will convert this into block references internally as well.

All that matters is the logical geometry - the answer that the BIOS gets when it asks ``what is your geometry?'' and then uses to access the disk. As FreeBSD uses the BIOS when booting, it is very important to get this right. In particular, if you have more than one operating system on a disk, they must all agree on the geometry, otherwise you will have serious problems booting!

For SCSI disks, the geometry to use depends on whether extended translation support is turned on in your controller (this is often referred to as ``support for DOS disks >1GB'' or something similar). If it is turned off, then use N cylinders, 64 heads and 32 sectors/track, where N is the capacity of the disk in MB. For example, a 2GB disk should pretend to have 2048 cylinders, 64 heads and 32 sectors/track.

If it is turned on (it is often supplied this way to get around certain limitations in MSDOS) and the disk capacity is more than 1GB, use M cylinders, 63 sectors per track (not 64), and 255 heads, where 'M' is the disk capacity in MB divided by 7.844238 (!). So our example 2GB drive would have 261 cylinders, 63 sectors per track and 255 heads.

If you are not sure about this, or FreeBSD fails to detect the geometry correctly during installation, the simplest way around this is usually to create a small DOS partition on the disk. The correct geometry should then be detected (and you can always remove the DOS partition in the partition editor if you do not want to keep it, or leave it around for programming network cards and the like).

Alternatively, there is a freely available utility distributed with FreeBSD called pfdisk.exe (located in the tools subdirectory on the FreeBSD CDROM or on the various FreeBSD FTP sites) which can be used to work out what geometry the other operating systems on the disk are using. You can then enter this geometry in the partition editor.

2.17. Are there any restrictions on how I divide the disk up?

Yes. You must make sure that your root partition is below 1024 cylinders so the BIOS can boot the kernel from it. (Note that this is a limitation in the PC's BIOS, not FreeBSD).

For a SCSI drive, this will normally imply that the root partition will be in the first 1024MB (or in the first 4096MB if extended translation is turned on - see previous question). For IDE, the corresponding figure is 504MB.

2.18. Is FreeBSD compatible with any disk managers?

FreeBSD recognizes the Ontrack Disk Manager and makes allowances for it. Other disk managers are not supported.

If you just want to use the disk with FreeBSD you do not need a disk manager. Just configure the disk for as much space as the BIOS can deal with (usually 504 megabytes), and FreeBSD should figure out how much space you really have. If you are using an old disk with an MFM controller, you may need to explicitly tell FreeBSD how many cylinders to use.

If you want to use the disk with FreeBSD and another operating system, you may be able to do without a disk manager: just make sure the FreeBSD boot partition and the slice for the other operating system are in the first 1024 cylinders. If you are reasonably careful, a 20 megabyte boot partition should be plenty.

2.19. When I boot FreeBSD I get ``Missing Operating System''. What is happening?

This is classically a case of FreeBSD and DOS or some other OS conflicting over their ideas of disk geometry. You will have to reinstall FreeBSD, but obeying the instructions given above will almost always get you going.

2.20. Why can I not get past the boot manager's F? prompt?

This is another symptom of the problem described in the preceding question. Your BIOS geometry and FreeBSD geometry settings do not agree! If your controller or BIOS supports cylinder translation (often marked as ``>1GB drive support''), try toggling its setting and reinstalling FreeBSD.

2.21. Do I need to install the complete sources?

In general, no. However, we would strongly recommend that you install, at a minimum, the base source kit, which includes several of the files mentioned here, and the sys (kernel) source kit, which includes sources for the kernel. There is nothing in the system which requires the presence of the sources to operate, however, except for the kernel-configuration program config(8). With the exception of the kernel sources, our build structure is set up so that you can read-only mount the sources from elsewhere via NFS and still be able to make new binaries. (Because of the kernel-source restriction, we recommend that you not mount this on /usr/src directly, but rather in some other location with appropriate symbolic links to duplicate the top-level structure of the source tree.)

Having the sources on-line and knowing how to build a system with them will make it much easier for you to upgrade to future releases of FreeBSD.

To actually select a subset of the sources, use the Custom menu item when you are in the Distributions menu of the system installation tool.

2.22. Do I need to build a kernel?

Building a new kernel was originally pretty much a required step in a FreeBSD installation, but more recent releases have benefited from the introduction of a much friendlier kernel configuration tool. When at the FreeBSD boot prompt (boot:), use the -c flag and you will be dropped into a visual configuration screen which allows you to configure the kernel's settings for most common ISA cards.

It is still recommended that you eventually build a new kernel containing just the drivers that you need, just to save a bit of RAM, but it is no longer a strict requirement for most systems.

2.23. Should I use DES passwords, or MD5, and how do I specify which form my users receive?

The default password format on FreeBSD is to use MD5-based passwords. These are believed to be more secure than the traditional Unix password format, which used a scheme based on the DES algorithm. DES passwords are still available if you need to share your password file with legacy operating systems which still use the less secure password format (they are available if you choose to install the ``crypto'' distribution in sysinstall, or by installing the crypto sources if building from source). Which password format to use for new passwords is controlled by the ``passwd_format'' login capability in /etc/login.conf, which takes values of either ``des'' (if available) or ``md5''. See the login.conf(5) manpage for more information about login capabilities.
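An added example (not part of the FAQ): a sh/awk audit that reports the passwd_format capability of each class in a login.conf-style file and classifies each master.passwd-style entry as MD5 (`$1$` prefix) or traditional DES (13 characters), so accounts still carrying the weaker format stand out. The file contents, account names and hashes are constructed placeholders, and tc= inheritance between classes is not resolved.

```shell
#!/bin/sh
# Added example: audit password formats. All sample data is constructed.

# login_class_formats FILE: print "class format" for each record of a
# login.conf-style capability file ("unset" if passwd_format is absent).
login_class_formats() {
    awk '
        /^[ \t]*#/ { next }
        {
            line = $0
            cont = (line ~ /\\$/)      # a trailing backslash continues the record
            sub(/\\$/, "", line)
            rec = rec line
            if (cont) next
            emit(rec); rec = ""
        }
        END { if (rec != "") emit(rec) }
        function emit(r,   n, f, i, name, fmt) {
            n = split(r, f, ":")
            name = f[1]; gsub(/[ \t]/, "", name)
            sub(/\|.*/, "", name)      # keep the first name of a name|alias list
            if (name == "") return
            fmt = "unset"
            for (i = 2; i <= n; i++) {
                gsub(/^[ \t]+/, "", f[i])
                if (f[i] ~ /^passwd_format=/) fmt = substr(f[i], 15)
            }
            print name, fmt
        }' "$1"
}

# classify_hashes FILE: print "user format" for each master.passwd-style line.
classify_hashes() {
    awk -F: '
        /^#/ || NF < 2 { next }
        {
            h = $2
            if (h == "")                          fmt = "empty"
            else if (substr(h, 1, 3) == "$1$")    fmt = "md5"
            else if (substr(h, 1, 1) == "*")      fmt = "locked"
            else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") fmt = "des"
            else                                  fmt = "other"
            print $1, fmt
        }' "$1"
}

# count_des_users FILE: number of accounts whose stored hash is DES format.
count_des_users() {
    classify_hashes "$1" | awk '$2 == "des"' | wc -l | tr -d ' '
}

# --- constructed sample input (placeholder hashes, not real ones) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/master.passwd" <<'EOF'
root:$1$saltsalt$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$saltsalu$abcdefghijklmnopqrstuv:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:ab0123456789.:1002:1002:legacy:0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
EOF

cat > "$SAMPLE_DIR/login.conf" <<'EOF'
default:\
        :passwd_format=md5:\
        :welcome=/etc/motd:

legacy:\
        :passwd_format=des:\
        :tc=default:
EOF

echo "login classes:"
login_class_formats "$SAMPLE_DIR/login.conf"
echo "accounts:"
classify_hashes "$SAMPLE_DIR/master.passwd"
echo "accounts with DES hashes: $(count_des_users "$SAMPLE_DIR/master.passwd")"
```

Changing passwd_format only affects passwords set afterwards, so an account keeps its old hash format until its password is next changed.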

2.24. Why does the boot floppy start, but hang at the Probing Devices... screen?

If you have an IDE Zip or Jaz drive installed, remove it and try again. The boot floppy can get confused by the drives. After the system is installed you can reconnect the drive. Hopefully this will be fixed in a later release.

2.25. Why do I get a ``panic: can't mount root'' error when rebooting the system after installation?

This error comes from confusion between the boot block's and the kernel's understanding of the disk devices. The error usually manifests on two-disk IDE systems, with the hard disks arranged as the master or single device on separate IDE controllers, with FreeBSD installed on the secondary IDE controller. The boot blocks think the system is installed on wd1 (the second BIOS disk) while the kernel assigns the first disk on the secondary controller device wd2. After the device probing, the kernel tries to mount what the boot blocks think is the boot disk, wd1, while it is really wd2, and fails.

To fix the problem, do one of the following:

  1. For FreeBSD 3.3 and later, reboot the system and hit Enter at the Booting kernel in 10 seconds; hit [Enter] to interrupt prompt. This will drop you into the boot loader.

    Then type set root_disk_unit="disk_number". disk_number will be 0 if FreeBSD is installed on the master drive on the first IDE controller, 1 if it is installed on the slave on the first IDE controller, 2 if it is installed on the master of the second IDE controller, and 3 if it is installed on the slave of the second IDE controller.

    Then type boot, and your system should boot correctly.

    To make this change permanent (i.e. so you do not have to do this every time you reboot or turn on your FreeBSD machine), put the line root_disk_unit="disk_number" in /boot/loader.conf.local.

  2. If using FreeBSD 3.2 or earlier, at the Boot: prompt, enter 1:wd(2,a)kernel and press Enter. If the system starts, then run the command echo "1:wd(2,a)kernel" > /boot.config to make it the default boot string.

  3. Move the FreeBSD disk onto the primary IDE controller, so the hard disks are consecutive.

  4. Rebuild your kernel, modify the wd configuration lines to read:

        controller      wdc0    at isa? port "IO_WD1" bio irq 14 vector wdintr
        disk            wd0     at wdc0 drive 0
        # disk            wd1     at wdc0 drive 1 # comment out this line
        
        controller      wdc1    at isa? port "IO_WD2" bio irq 15 vector wdintr
        disk            wd1     at wdc1 drive 0 # change from wd2 to wd1
        disk            wd2     at wdc1 drive 1 # change from wd3 to wd2
    

    Install the new kernel. If you moved your disks and wish to restore the previous configuration, replace the disks in the desired configuration and reboot. Your system should boot successfully.

2.26. What are the limits for memory?

For memory, the limit is 4 gigabytes. This configuration has been tested, see wcarchive's configuration for more details. If you plan to install this much memory into a machine, you need to be careful. You will probably want to use ECC memory and to reduce capacitive loading use 9 chip memory modules versus 18 chip memory modules.

2.27. What are the limits for ffs filesystems?

For ffs filesystems, the maximum theoretical limit is 8 terabytes (2G blocks), or 16TB for the default block size of 8K. In practice, there is a soft limit of 1 terabyte, but with modifications filesystems with 4 terabytes are possible (and exist).

The maximum size of a single ffs file is approximately 1G blocks (4TB) if the block size is 4K.

Table 2-2. Maximum file sizes

fs block size    2.2.7-stable    3.0-current    works     should work
4K               4T-1            4T-1           4T-1      >4T
8K               >32G            8T-1           >32G      32T-1
16K              >128G           16T-1          >128G     32T-1
32K              >512G           32T-1          >512G     64T-1
64K              >2048G          64T-1          >2048G    128T-1

When the fs block size is 4K, triple indirect blocks work and everything should be limited by the maximum fs block number that can be represented using triple indirect blocks (approx. 1K^3 + 1K^2 + 1K), but everything is limited by a (wrong) limit of 1G-1 on fs block numbers. The limit on fs block numbers should be 2G-1. There are some bugs for fs block numbers near 2G-1, but such block numbers are unreachable when the fs block size is 4K.

For block sizes of 8K and larger, everything should be limited by the 2G-1 limit on fs block numbers, but is actually limited by the 1G-1 limit on fs block numbers, except under -STABLE triple indirect blocks are unreachable, so the limit is the maximum fs block number that can be represented using double indirect blocks (approx. (blocksize/4)^2 + (blocksize/4)), and under -CURRENT exceeding this limit may cause problems. Using the correct limit of 2G-1 blocks does cause problems.

2.28. How can I put 1TB files on my floppy?

I keep several virtual ones on floppies :-). The maximum file size is not closely related to the maximum disk size. The maximum disk size is 1TB. It is a feature that the file size can be larger than the disk size.

The following example creates a file of size 8T-1 using a whole 32K of disk space (3 indirect blocks and 1 data block) on a small root partition. The dd command requires a dd that works with large files.

    % cat foo
    df .
    dd if=/dev/zero of=z bs=1 seek=`echo 2^43 - 2 | bc` count=1
    ls -l z
    du z
    df .
    % sh foo
    Filesystem  1024-blocks     Used    Avail Capacity  Mounted on
    /dev/da0a         64479    27702    31619    47%    /
    1+0 records in
    1+0 records out
    1 bytes transferred in 0.000187 secs (5346 bytes/sec)
    -rw-r--r--  1 bde  bin  8796093022207 Sep  7 16:04 z
    32        z
    Filesystem  1024-blocks     Used    Avail Capacity  Mounted on
    /dev/da0a         64479    27734    31587    47%    /

Bruce Evans, September 1998

2.29. Why do I get an error message, ``archsw.readin.failed'' after compiling and booting a new kernel?

You can boot by specifying the kernel directly at the second stage, pressing any key when the | shows up before loader is started. More specifically, you have upgraded the source for your kernel, and installed a new kernel built from them without making world. This is not supported. Make world.

2.30. How do I upgrade from 3.X -> 4.X?

We strongly recommend that you use binary snapshots to do this. 4-STABLE snapshots are available at releng4.FreeBSD.org.

If you wish to upgrade using source, please see the FreeBSD Handbook for more information.

Caution: Upgrading via source is never recommended for new users, and upgrading from 3.X to 4.X is even less so; make sure you have read the instructions carefully before attempting to upgrade via source.

2.31. What are these ``security profiles''?

A ``security profile'' is a set of configuration options that attempts to achieve the desired ratio of security to convenience by enabling and disabling certain programs and other settings. The more severe the security profile, the fewer programs will be enabled by default. This is one of the basic principles of security: do not run anything except what you must.

Please note that the security profile is just a default setting. All programs can be enabled and disabled after you have installed FreeBSD by editing or adding the appropriate line(s) to /etc/rc.conf. For more information, please see the rc.conf(5) manual page.

The following table describes what each of the security profiles does. The columns are the choices you have for a security profile, and the rows are the program or feature that the profile enables or disables.

Table 2-3. Possible security profiles

                  Extreme        Moderate
sendmail(8)       NO             YES
sshd(8)           NO             YES
portmap(8)        NO             MAYBE [a]
NFS server        NO             YES
securelevel(8)    YES (2) [b]    NO

Notes:
a. The portmapper is enabled if the machine has been configured as an NFS client or server earlier in the installation.
b. If you choose a security profile that sets the securelevel (Extreme or High), you must be aware of the implications. Please read the init(8) manual page and pay particular attention to the meanings of the security levels, or you may have significant trouble later!

Warning: The security profile is not a silver bullet! Even if you use the extreme setting, you need to keep up with security issues by reading an appropriate mailing list, using good passwords and passphrases, and generally adhering to good security practices. It simply sets up the desired security to convenience ratio out of the box.

Note: The security profile mechanism is meant to be used when you first install FreeBSD. If you already have FreeBSD installed, it would probably be more beneficial to simply enable or disable the desired functionality. If you really want to use a security profile, you can re-run sysinstall(8) to set it.
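An added example (not part of the FAQ): a sh/awk check that compares an rc.conf-style file with the Extreme column of Table 2-3 and lists every setting that has drifted from it. The rc.conf(5) variable chosen for each table row is this example's assumption, the sample file is constructed, and the file is parsed as text rather than sourced.

```shell
#!/bin/sh
# Added example: compare rc.conf settings with the Extreme security profile.

# Extreme column of Table 2-3. The variable name used for each row is an
# assumption of this example; the table itself names only programs/features.
EXTREME_PROFILE='sendmail_enable=NO
sshd_enable=NO
portmap_enable=NO
nfs_server_enable=NO
kern_securelevel_enable=YES
kern_securelevel=2'

# rc_get FILE VAR: print the last value assigned to VAR, or "unset".
# Handles VAR=value and VAR="value" with an optional trailing comment.
rc_get() {
    awk -v var="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, var "=") != 1) next
            val = substr(line, length(var) + 2)
            sub(/[ \t]*#.*$/, "", val)       # drop a trailing comment
            gsub(/^"|"[ \t]*$/, "", val)     # strip surrounding double quotes
            found = 1; last = val            # later assignments override earlier
        }
        END { print (found ? last : "unset") }' "$1"
}

# audit_profile FILE: print one DEVIATION line per setting that differs from
# the Extreme column. An unset variable is reported too, because its effective
# value then comes from the system defaults file, which is not examined here.
audit_profile() {
    echo "$EXTREME_PROFILE" | while IFS='=' read -r var want; do
        have=$(rc_get "$1" "$var")
        norm=$(printf '%s' "$have" | tr '[:lower:]' '[:upper:]')
        [ "$norm" = "$want" ] || echo "DEVIATION $var: want $want, have $have"
    done
}

# --- constructed sample rc.conf ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
RC_SAMPLE="$SAMPLE_DIR/rc.conf"

cat > "$RC_SAMPLE" <<'EOF'
hostname="gw.example.org"
sendmail_enable="NO"
sshd_enable="YES"        # turned on after install for remote admin
portmap_enable="NO"
nfs_server_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="1"
EOF

audit_profile "$RC_SAMPLE"
```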

Notes

[1] In an e-mail from Keith Frechette.

This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.

For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.