配置防火墙
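# Name of the interface facing the public network. Every rule below is bound
# to it with "via"; the original hard-coded vtnet0 thirty times. Set IFACE to
# override (e.g. IFACE=vtnet1); with the default the generated file is the
# same as before.
iface=${IFACE:-vtnet0}
# The delimiter is left unquoted on purpose so ${iface} expands while the file
# is written; the ruleset contains no other shell expansions.
# NOTE(review): the "loopback" label on 0.0.0.0/8 below is kept verbatim, but
# that block is RFC 1122 "this network", not loopback (127.0.0.0/8 is).
# NOTE(review): 100.100.2.136/.138 look like a cloud provider's internal
# resolvers -- confirm they are the ones reachable from this host.
# NOTE(review): rule 000999 only covers inbound; outbound traffic that matches
# no allow rule falls through to ipfw's default rule 65535, which is
# presumably deny on a stock kernel/ipfw.ko -- confirm before relying on it.
cat > /etc/ipfw.rules <<EOF
#!/bin/sh
ipfw -q -f flush
# No restrictions on Loopback Interface
ipfw -q add 00001 allow all from any to any via lo0
ipfw -q add 00009 check-state
# Deny all inbound traffic from non-routable reserved address spaces
ipfw -q add 000011 deny all from 192.168.0.0/16 to any in via ${iface} # RFC 1918 private IP
ipfw -q add 000012 deny all from 172.16.0.0/12 to any in via ${iface} # RFC 1918 private IP
ipfw -q add 000013 deny all from 10.0.0.0/8 to any in via ${iface} # RFC 1918 private IP
ipfw -q add 000014 deny all from 127.0.0.0/8 to any in via ${iface} # loopback
ipfw -q add 000015 deny all from 0.0.0.0/8 to any in via ${iface} # loopback
ipfw -q add 000016 deny all from 169.254.0.0/16 to any in via ${iface} # DHCP auto-config
ipfw -q add 000017 deny all from 192.0.2.0/24 to any in via ${iface} # reserved for docs
ipfw -q add 000018 deny all from 204.152.64.0/23 to any in via ${iface} # Sun cluster interconnect
ipfw -q add 000019 deny all from 224.0.0.0/3 to any in via ${iface} # Class D & E multicast
# Deny fragments
ipfw -q add 000021 deny all from any to any frag in via ${iface}
# Deny ACK packets that did not match the dynamic rule table
ipfw -q add 000031 deny tcp from any to any established in via ${iface}
# Allow outbound ping
ipfw -q add 000041 allow icmp from any to any out via ${iface} keep-state
# Allow access to public DNS
ipfw -q add 000111 allow tcp from any to 100.100.2.136 53 out via ${iface} setup keep-state
ipfw -q add 000112 allow udp from any to 100.100.2.136 53 out via ${iface} keep-state
ipfw -q add 000113 allow tcp from any to 100.100.2.138 53 out via ${iface} setup keep-state
ipfw -q add 000114 allow udp from any to 100.100.2.138 53 out via ${iface} keep-state
# Allow outbound HTTP and HTTPS connections
ipfw -q add 000121 allow tcp from any to any 80 out via ${iface} setup keep-state
ipfw -q add 000122 allow tcp from any to any 443 out via ${iface} setup keep-state
# Allow outbound NTP connections
ipfw -q add 000131 allow udp from any to any 123 out via ${iface} keep-state
# Allow inbound SSH connections
ipfw -q add 000211 allow tcp from any to me 22 in via ${iface} setup limit src-addr 6
# Allow inbound HTTP and HTTPS connections
ipfw -q add 000221 allow tcp from any to me 80 in via ${iface} setup limit src-addr 3
ipfw -q add 000222 allow tcp from any to me 443 in via ${iface} setup limit src-addr 3
# Reject other incoming connections
ipfw -q add 000999 deny all from any to any in via ${iface}
EOF
# Enable the firewall at boot and point rc.d/ipfw at the file above
# (firewall_type is deliberately not set; the rules live in the script).
sysrc firewall_enable="YES"
sysrc firewall_script="/etc/ipfw.rules"
# Loading the ruleset over an SSH session is only safe because rule 000211
# admits port 22; when editing that rule, apply the ruleset from the console.
service ipfw start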
配置时钟同步
配置时区
# Point /etc/localtime at the Asia/Shanghai zone file; -f replaces any
# existing link, -- stops option parsing before the paths.
ln -s -f -- /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
配置 NTP
# Enable ntpd at boot and let it step the clock once on startup; sysrc
# accepts several name=value pairs in one call.
sysrc ntpd_enable=YES ntpd_sync_on_start=YES
# Start the daemon now rather than waiting for the next boot.
service ntpd start
更新 / 升级
更新补丁
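# Fetch and install binary patches for the running release in one invocation:
# freebsd-update processes its commands in order, so "install" is skipped if
# "fetch" bails out, instead of running against nothing as two separate
# commands would. The fetch step pages its output through $PAGER when
# attached to a terminal; set PAGER=cat for unattended runs.
freebsd-update fetch install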
升级版本
# Upgrade to the named release; 13.2-RELEASE is the target this guide was
# written for -- change it to the release you actually want.
freebsd-update -r 13.2-RELEASE upgrade
# First install pass, run before the reboot.
freebsd-update install
# Boot the GENERIC kernel on the next boot only (nextboot does not persist).
nextboot -k GENERIC
# This ends the session; the command below is typed after the host is back up.
shutdown -r now
# Second install pass, run after the reboot; freebsd-update itself reports
# whether a further pass is needed once third-party packages are rebuilt.
freebsd-update install
安装常用软件
screen
htop
nload
bash
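# Install bash from packages (interactive: pkg asks for confirmation).
pkg install bash
# Only switch the login shell once the binary actually exists. The original
# ran chsh unconditionally, so a declined or failed install would point the
# account at a missing shell and lock it out of interactive logins.
if [ -x /usr/local/bin/bash ]; then
  chsh -s /usr/local/bin/bash
else
  printf '%s\n' '/usr/local/bin/bash not found; login shell left unchanged' >&2
fi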
Nginx
# Install nginx from packages (interactive confirmation prompt).
pkg install nginx
# rc.d refuses "start" unless the service is enabled, so enable it first.
sysrc nginx_enable=YES
# Bring the server up now.
service nginx start
配置 Python 环境
PIP
# Bootstrap pip for whichever interpreter "python" resolves to
# (presumably the pkg-installed python3 -- confirm on the host).
python -m ensurepip --upgrade
# Then bring pip itself up to date; -U is the short form of --upgrade.
python -m pip install -U pip
Virtualenv