Skillnad mellan versioner av "Rootmanual:freenas"

Från Lysators datorhandbok, den ultimata referensen.
Hoppa till navigering Hoppa till sök
(add description for enabling pf firewall)
(add description for setting up kerberos)
Rad 35: Rad 35:
   
 
== Kerberos ==
  
== Kerberos ==
  +
  +
'''Before setting up kerberos, ensure that you use HTTPS!'''
   
 
Generate a kerberos keytab on a machine that is inside the kerberos realm for your new machine and export it.
  
Generate a kerberos keytab on a machine that is inside the kerberos realm for your new machine and export it.
  +
  +
Go to "Directory/Kerberos Keytabs" and add the exported keytab (ensure that this is done on a trusted computer).
  +
  +
To enable the kerberos service you need configure it in "Directory/Kerberos Realms":
  +
# Click add kerberos realm
  +
# Advanced
  +
Realm = LYSATOR.LIU.SE
  +
KDC = as-master.lysator.liu.se
  +
Admin Server = as-master.lysator.liu.se
  +
Password Server = as-master.lysator.liu.se
  +
# OK
  +
  +
Done
   
 
== NIS ==
  
== NIS ==

Versionen från 27 januari 2017 kl. 18.31

Useful documentation

After installing FreeNAS the User Guide documentation for the current version is available in the "Guide" tab.

Setting up a FreeNAS box

Go through the installation process. After the install make sure that you have the correct address assigned to the box. If not you could use the console menus to set it or drop to a shell.

Using the shell: 

ifconfig

Lists all the interfaces and note the interface you want to use 

ifconfig <interface> inet <IPv4 address/subnetmask> add

Sets the IPv4 for the interface you want to use 

ifconfig <interface> inet <IPv4 address> -alias

If you by accident set a address to the wrong interface 

route add default <gateway address>

Sets the default gatway 

service nginx restart

Nginx needs to be restarted since it does not serve on the correct address.

Disable the console menu

Go to System/Advanced: 

Enable Console Menu = false

Certficates & syslog server

Make sure that you start by using https, for this you need to have a valid certificate. You could if there for the moment are no signed certificate for the machine, generate a self-signed certificate.

To enable https and set syslog server, go to System/General: 

Certificate = your certificate
Protocol = HTTPS
WebGUI HTTP -> HTTPS redirect = yes
Syslog server = <Logserver with FQDN>

Kerberos

Before setting up kerberos, ensure that you use HTTPS!

Generate a kerberos keytab on a machine that is inside the kerberos realm for your new machine and export it.

Go to "Directory/Kerberos Keytabs" and add the exported keytab (ensure that this is done on a trusted computer).

To enable the kerberos service you need configure it in "Directory/Kerberos Realms":

  1. Click add kerberos realm
  2. Advanced
Realm = LYSATOR.LIU.SE
KDC = as-master.lysator.liu.se
Admin Server = as-master.lysator.liu.se
Password Server = as-master.lysator.liu.se
  1. OK

Done

NIS

Setup NIS settings: Directory/NIS 

NIS domain = lysator
NIS servers = nis.lysator.liu.se,ns-slave.lysator.liu.se
Secure mode = yes
Enable = yes

And save.

NFS

Setup the default nfs server settings: Service/nfs 

Number of Servers = 6
Serve UDP = yes
Enable NFSv4 = yes
support > 16 groups = yes
Log mountd = yes
Log rpc.statd & rpc.lockd = yes

Firewall

Setup pf on the FreeNAS box:

pf is installed by default so all we need to do is create a configuration and enable it.

To enable, open /etc/rc.conf with some editor (vi) and add the following at the end: 

pf_enable="YES"
pf_rules="<absolute path to your pf.conf with rules>"
gateway_enable="YES

pf.conf example: 

#External interface                                                             
ext_if="<interface name of external interface>"                                                                    
table <bruteforce> persist                                                      
set skip on lo0                                                                 
set block-policy return                                                         
scrub in all                                                                    
block in all                                                                    
block out all                                                                   
block quick from <bruteforce>                                                   
#Allow from management HTTP/HTTPS only                                          
pass in on $ext_if proto tcp from <management host> to any port 80 flags S/SA keep state                                                                          
pass in on $ext_if proto tcp from <management host> to any port 443 flags S/SA keep state                                                                         
#Allow internal traffic                                                         
pass in on $ext_if from 130.236.254.0/24 to any keep state                      
pass in on $ext_if from 2001:6b0:17:f0a0::0/64 to any keep state                
#Allow ssh from management only                                                 
block in on $ext_if proto tcp from 130.236.254.0/24 to any port { ssh }         
block in on $ext_if proto tcp from 2001:6b0:17:f0a0::0/64 to any port { ssh }   
pass in on $ext_if proto tcp from <management host> to any port { ssh }           
#Allow traffic out                                                              
pass out on $ext_if from any to any keep state

End with starting the service: 

service pf start
Hämtad från ”https://datorhandbok.lysator.liu.se/index.php?title=Rootmanual:freenas&oldid=5358