阿里云 ECS 部署 FreeBSD

配置防火墙

1
cat > /etc/ipfw.rules <<EOF
2
#!/bin/sh
3

4
ipfw -q -f flush
5

6
# No restrictions on Loopback Interface
7
ipfw -q add 00001 allow all from any to any via lo0
8

9
ipfw -q add 00009 check-state
10

11
# Deny all inbound traffic from non-routable reserved address spaces
12
ipfw -q add 000011 deny all from 192.168.0.0/16 to any in via vtnet0    # RFC 1918 private IP
13
ipfw -q add 000012 deny all from 172.16.0.0/12 to any in via vtnet0     # RFC 1918 private IP
14
ipfw -q add 000013 deny all from 10.0.0.0/8 to any in via vtnet0        # RFC 1918 private IP
15
ipfw -q add 000014 deny all from 127.0.0.0/8 to any in via vtnet0       # loopback
16
ipfw -q add 000015 deny all from 0.0.0.0/8 to any in via vtnet0         # loopback
17
ipfw -q add 000016 deny all from 169.254.0.0/16 to any in via vtnet0    # DHCP auto-config
18
ipfw -q add 000017 deny all from 192.0.2.0/24 to any in via vtnet0      # reserved for docs
19
ipfw -q add 000018 deny all from 204.152.64.0/23 to any in via vtnet0   # Sun cluster interconnect
20
ipfw -q add 000019 deny all from 224.0.0.0/3 to any in via vtnet0       # Class D & E multicast
21

22
# Deny fragments
23
ipfw -q add 000021 deny all from any to any frag in via vtnet0
24

25
# Deny ACK packets that did not match the dynamic rule table
26
ipfw -q add 000031 deny tcp from any to any established in via vtnet0
27

28
# Allow outbound ping
29
ipfw -q add 000041 allow icmp from any to any out via vtnet0 keep-state
30

31
# Allow access to public DNS
32
ipfw -q add 000111 allow tcp from any to 100.100.2.136 53 out via vtnet0 setup keep-state
33
ipfw -q add 000112 allow udp from any to 100.100.2.136 53 out via vtnet0 keep-state
34
ipfw -q add 000113 allow tcp from any to 100.100.2.138 53 out via vtnet0 setup keep-state
35
ipfw -q add 000114 allow udp from any to 100.100.2.138 53 out via vtnet0 keep-state
36

37
# Allow outbound HTTP and HTTPS connections
38
ipfw -q add 000121 allow tcp from any to any 80 out via vtnet0 setup keep-state
39
ipfw -q add 000122 allow tcp from any to any 443 out via vtnet0 setup keep-state
40

41
# Allow outbound NTP connections
42
ipfw -q add 000131 allow udp from any to any 123 out via vtnet0 keep-state
43

44
# Allow inbound SSH connections
45
ipfw -q add 000211 allow tcp from any to me 22 in via vtnet0 setup limit src-addr 10
46

47
# Allow inbound HTTP and HTTPS connections
48
ipfw -q add 000221 allow tcp from any to me 80 in via vtnet0 setup limit src-addr 20
49
ipfw -q add 000222 allow tcp from any to me 443 in via vtnet0 setup limit src-addr 20
50

51
# Reject other incoming connections
52
ipfw -q add 000999 deny all from any to any in via vtnet0
53
EOF
54

55
sysrc firewall_enable="YES"
56
sysrc firewall_script="/etc/ipfw.rules"
57

58
service ipfw start

配置时钟同步

配置时区

1
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

配置 NTP

1
sysrc ntpd_enable="YES"
2
sysrc ntpd_sync_on_start="YES"
3

4
service ntpd start

安装常用软件

screen

1
pkg install screen

htop

1
pkg install htop

nload

1
pkg install nload

bash

1
pkg install bash
2

3
chsh -s /usr/local/bin/bash

Nginx

1
pkg install nginx
2

3
sysrc nginx_enable="YES"
4

5
service nginx start

配置 Python 环境

PIP

1
mkdir -p ~/.config/pip
2

3
cat > ~/.config/pip/pip.conf <<EOF
4
[global]
5
index-url=http://mirrors.cloud.aliyuncs.com/pypi/simple/
6

7
[install]
8
trusted-host=mirrors.cloud.aliyuncs.com
9
EOF
10

11
python -m ensurepip --upgrade
12
python -m pip install --upgrade pip