阿里云 ECS 部署 FreeBSD

配置防火墙

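# Write the ipfw ruleset that rc.d/ipfw executes with /bin/sh on every boot
# (firewall_script overrides firewall_type). The here-document delimiter is
# quoted so the interactive shell expands nothing inside it; the file needs no
# executable bit.
#
# CAUTION before applying this over SSH:
#   - Confirm the interface name with ifconfig(8): every rule is bound to vtnet0,
#     and a wrong name locks you out until you use the provider's VNC console.
#   - Rule 000031 drops ACK packets that have no dynamic-state entry, so the SSH
#     session that runs `service ipfw start` is cut; simply reconnect (the new
#     connection is admitted by rule 000211).
#   - Outbound traffic not listed below (outbound SSH, SMTP, ...) falls through
#     to the kernel's implicit deny (rule 65535); this egress filtering is
#     intentional.
cat > /etc/ipfw.rules <<'EOF'
#!/bin/sh

ipfw -q -f flush

# No restrictions on Loopback Interface
ipfw -q add 00001 allow all from any to any via lo0

# Packets that belong to an existing keep-state/limit entry pass here, before
# the bogon and "established" filters below can drop them.
ipfw -q add 00009 check-state

# Deny inbound traffic from non-routable / reserved address space.
# NOTE(review): on a VPC instance vtnet0 itself typically carries an RFC 1918
# address, so the three RFC 1918 rules also drop traffic from inside the VPC
# (e.g. other ECS instances, internal load balancers, ICMP errors from the VPC
# gateway). Keep them only if this host must accept nothing from its own VPC;
# traffic from the Internet arrives with public source addresses and is not
# affected.
ipfw -q add 000011 deny all from 192.168.0.0/16 to any in via vtnet0    # RFC 1918 private IP
ipfw -q add 000012 deny all from 172.16.0.0/12 to any in via vtnet0     # RFC 1918 private IP
ipfw -q add 000013 deny all from 10.0.0.0/8 to any in via vtnet0        # RFC 1918 private IP
ipfw -q add 000014 deny all from 127.0.0.0/8 to any in via vtnet0       # loopback
ipfw -q add 000015 deny all from 0.0.0.0/8 to any in via vtnet0         # "this network" (RFC 1122), not loopback
ipfw -q add 000016 deny all from 169.254.0.0/16 to any in via vtnet0    # link-local / DHCP auto-config
ipfw -q add 000017 deny all from 192.0.2.0/24 to any in via vtnet0      # TEST-NET-1, reserved for docs
ipfw -q add 000018 deny all from 204.152.64.0/23 to any in via vtnet0   # legacy FreeBSD Handbook entry (Sun cluster interconnect); verify it is still reserved
ipfw -q add 000019 deny all from 224.0.0.0/3 to any in via vtnet0       # Class D & E: multicast and reserved

# Deny fragments
ipfw -q add 000021 deny all from any to any frag in via vtnet0

# Deny ACK packets that did not match the dynamic rule table
ipfw -q add 000031 deny tcp from any to any established in via vtnet0

# Allow outbound ping; the echo reply returns through the dynamic entry
ipfw -q add 000041 allow icmp from any to any out via vtnet0 keep-state

# Accept ICMP errors addressed to this host: destination unreachable (type 3,
# whose code 4 is "fragmentation needed") and time exceeded (type 11). ipfw does
# not relate ICMP errors to the TCP/UDP state they refer to, so without this
# rule Path-MTU discovery for this host's outbound data is blackholed.
ipfw -q add 000042 allow icmp from any to me icmptypes 3,11 in via vtnet0

# Allow access to the resolvers ECS instances receive by default (100.64.0.0/10
# shared address space, not covered by the filters above). Adjust if
# /etc/resolv.conf lists something else.
ipfw -q add 000111 allow tcp from any to 100.100.2.136 53 out via vtnet0 setup keep-state
ipfw -q add 000112 allow udp from any to 100.100.2.136 53 out via vtnet0 keep-state
ipfw -q add 000113 allow tcp from any to 100.100.2.138 53 out via vtnet0 setup keep-state
ipfw -q add 000114 allow udp from any to 100.100.2.138 53 out via vtnet0 keep-state

# Allow outbound HTTP and HTTPS connections (pkg, freebsd-update and pip depend on these)
ipfw -q add 000121 allow tcp from any to any 80 out via vtnet0 setup keep-state
ipfw -q add 000122 allow tcp from any to any 443 out via vtnet0 setup keep-state

# Allow outbound NTP connections
ipfw -q add 000131 allow udp from any to any 123 out via vtnet0 keep-state

# Allow inbound SSH connections. `limit src-addr 6` caps *concurrent* connections
# per client address; it is not a rate limit, so brute-force protection still
# needs sshd hardening (key-only authentication) and/or blacklistd(8).
ipfw -q add 000211 allow tcp from any to me 22 in via vtnet0 setup limit src-addr 6

# Allow inbound HTTP and HTTPS connections.
# NOTE(review): 3 concurrent connections per client address is below what a
# single browser opens to one site and penalises users behind a shared NAT;
# raise it unless this is deliberate.
ipfw -q add 000221 allow tcp from any to me 80 in via vtnet0 setup limit src-addr 3
ipfw -q add 000222 allow tcp from any to me 443 in via vtnet0 setup limit src-addr 3

# Reject other incoming connections. Add `log` to this rule (and set
# firewall_logging=YES in rc.conf) to see what is being dropped.
# NOTE: `icmp` above matches IPv4 only; if this instance has IPv6, neighbour
# discovery (ipv6-icmp) is dropped here and needs its own allow rule.
ipfw -q add 000999 deny all from any to any in via vtnet0
EOF

# Register the script with rc.d/ipfw and apply it now (see CAUTION above).
sysrc firewall_enable="YES"
sysrc firewall_script="/etc/ipfw.rules"

service ipfw start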

配置时钟同步

配置时区

# Point /etc/localtime at the Asia/Shanghai zone. A symlink follows future
# tzdata updates automatically; the FreeBSD-native alternative is
# `tzsetup Asia/Shanghai`, which copies the file and records the choice in
# /var/db/zoneinfo.
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

配置 NTP

# Enable the base-system ntpd and let it step the clock once at start-up
# (ntpd_sync_on_start runs ntpd with -g, so a large initial offset is not fatal).
# Accurate time matters for TLS certificate validation and log correlation.
sysrc ntpd_enable=YES ntpd_sync_on_start=YES

service ntpd start

更新 / 升级

更新补丁

# Fetch and install the binary security/errata patches for the running release
# in one invocation (freebsd-update accepts several commands at once). Review
# the file list it prints; a kernel patch only takes effect after a reboot.
freebsd-update fetch install

升级版本

# Binary upgrade to a newer release. The first `install` pass only installs the
# new kernel; the second must run after the reboot. freebsd-update may ask for a
# third pass after third-party packages have been rebuilt (`pkg upgrade`).
freebsd-update -r 13.2-RELEASE upgrade
freebsd-update install
# Boot the stock GENERIC kernel once; only relevant if a custom kernel is in use.
nextboot -k GENERIC
# This ends the SSH session; log back in before running the final install.
shutdown -r now
freebsd-update install

安装常用软件

screen

# screen: terminal multiplexer. pkg asks for confirmation; add -y when scripting.
pkg install screen

htop

# htop: interactive process viewer.
pkg install htop

nload

# nload: per-interface bandwidth monitor.
pkg install nload

bash

# bash from packages; the package registers /usr/local/bin/bash in /etc/shells,
# which chsh requires.
pkg install bash

# Set bash as the login shell of the current user (root, if this walkthrough is
# run as root). NOTE(review): a root shell under /usr/local stops working if the
# package is removed or the filesystem holding /usr/local is not mounted, and
# root can then no longer log in. FreeBSD convention is to leave root on /bin/sh
# or /bin/csh and give the toor account or an unprivileged admin user the
# packaged shell instead.
chsh -s /usr/local/bin/bash

Nginx

# Install nginx from packages and register it with rc so it starts at boot.
# The stock configuration listens on TCP/80 only; TLS on 443 has to be
# configured by hand. The ipfw ruleset above admits inbound 80 and 443 (plus
# SSH) and nothing else.
pkg install nginx

sysrc nginx_enable=YES
service nginx start

配置 Python 环境

PIP

# Bootstrap pip from the standard library and upgrade it. The `python` command
# comes from the `python` meta-package (pkg install python), which this page
# does not show. Running pip as root writes into the system site-packages of
# the pkg-managed interpreter; prefer per-project virtual environments instead.
python -m ensurepip --upgrade
python -m pip install --upgrade pip

Virtualenv

# virtualenv is a third-party wheel fetched from PyPI; the stdlib `python -m venv`
# covers the common case with no extra dependency. Pin versions (and use
# `pip install --require-hashes`) for anything that reaches production.
pip install virtualenv