commit 6910083da66d719b880069e6a3a21c3ef00677a1 Author: Vinicius Zavam egypcio@googlemail.com Date: Thu Oct 3 17:49:49 2019 +0000
update FreeBSD setup guide for middle/guard relays; - ensure we cover also pkg's bootstrap (for vanila systems w/o any available package); - track the 'latest' branch used by pkg to get more frequent packages updates; - use HTTPS:// on the repository url (needs extra package, ca_root_nss); - cover starting our daemon on port 443, but still as '_tor' non-root user. --- .../technical-setup/guard/freebsd/contents.lr | 104 ++++++++++++++------- 1 file changed, 69 insertions(+), 35 deletions(-)
diff --git a/content/relay-operations/technical-setup/guard/freebsd/contents.lr b/content/relay-operations/technical-setup/guard/freebsd/contents.lr index b442ca8..8744d31 100644 --- a/content/relay-operations/technical-setup/guard/freebsd/contents.lr +++ b/content/relay-operations/technical-setup/guard/freebsd/contents.lr @@ -6,68 +6,102 @@ title: FreeBSD --- body:
-# 1. Enable Automatic Software Updates +# 1. Enable Automatic Updates for Packages
One of the most imported things to keeps your relay secure is to install security updates timely and ideally automatically so you can not forget about it. Follow the instructions to enable [automatic software updates](updates) for your operating system.
-# 2. Install the tor package +# 2. Bootstrap `pkg`
-`pkg install tor ca_root_nss` +This article considers we have already a base installation of FreeBSD running, and only the base system (here, we are running 12.0-RELEASE). That means we do not have any packages installed neither the `pkg` packages manager itself (there's no `sudo` available - we are running commands as root).
-or for alpha releases: +To bootstrap and install `pkg` we should run the following command:
-`pkg install tor-devel ca_root_nss` +``` +pkg bootstrap +pkg update -f +``` + +### 2.1. Recommended Steps to Setup `pkg` + +To follow upstream updates in a "faster way" we recommend changing the 'quarterly' branch used by `pkg` to its 'latest' branch. + +One additional step is to prefer using HTTPS to fetch our packages, and updates - so here we also need an extra package to help us out (ca_root_nss).
-# 3. Put the configuration file `/usr/local/etc/tor/torrc` in place +Installing the `ca_root_nss` package:
``` -#change the nickname "myNiceRelay" to a name that you like -Nickname myNiceRelay -ORPort 9001 -ExitRelay 0 -SocksPort 0 -# Change the email address bellow and be aware that it will be published -ContactInfo tor-operator@your-emailaddress-domain -Log notice syslog +pkg install ca_root_nss ```
-# 4. Ensure that the `random_id` sysctl setting is enabled: +We are keeping the original setting used by `pkg` but setting a new one that will override it, so we set up a new directory and than create a configuration file to override what we need. This configuration file will be `/usr/local/etc/pkg/repos/FreeBSD.conf`. + +Creating the new directory:
``` -echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf -sysctl net.inet.ip.random_id=1 +mkdir -p /usr/local/etc/pkg/repos ```
-# 5. Start the tor daemon and make sure it starts at boot: +This is how the new configuration file `/usr/local/etc/pkg/repos/FreeBSD.conf` must look like:
``` -sysrc tor_enable=YES -service tor start +FreeBSD: { + url: pkg+https://pkg.freebsd.org/$%7BABI%7D/latest +} ```
-### Optional but recommended +After applying all these changes, we update the packages list again and try to check if there's already a new update to apply:
-To get package updates faster after they have been build it is best to switch from the "quarterly" with "latest" repository. +``` +pkg update -f +pkg upgrade -y -f +```
-Create the following folder: +# 3. Install `tor` FreeBSD's Package
-`mkdir -p /usr/local/etc/pkg/repos` +Here we can choose to install the latest stable version, like:
-and create the file `/usr/local/etc/pkg/repos/FreeBSD.conf` with the following content: +``` +pkg install tor +``` + + ... or install an alpha release:
+ +``` +pkg install tor-devel ``` -FreeBSD: { enabled: no }
-FreeBSDlatest: { - url: "pkg+https://pkg.FreeBSD.org/$%7BABI%7D/latest", - mirror_type: "srv", - signature_type: "fingerprints", - fingerprints: "/usr/share/keys/pkg", - enabled: yes -} +# 4. Configure `/usr/local/etc/tor/torrc` + +This is a very simple version of the `torrc` configuration file in order to run a Middle/Guard relay on the Tor network: + +``` +Nickname myBSDRelay # Change your relay's nickname to something you like +ContactInfo your@email # Please write your email address and be aware that it will be published +ORPort 443 # You might want to use/try a different port, should you want to +ExitRelay 0 +SocksPort 0 +Log notice syslog +``` + +# 5. Ensure `net.inet.ip.random_id` is enabled: + +``` +echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf +sysctl net.inet.ip.random_id=1 +``` + +# 6. Start `tor`: + +Here we set `tor` to start at boot time and use the setuid feature, in order to bind to lower ports like 443 (the daemon itself will still run as a regular non-privileged user). + +``` +sysrc tor_setuid=YES +sysrc tor_enable=YES +service tor start ```
-# 6. Final notes +# 7. Final Notes
If you are having troubles setting up your relay, have a look at our [help section](/relay/getting-help/). If your relay is now running, check out the [post-install](/relay/setup/post-install/) notes. --- @@ -79,4 +113,4 @@ section: Middle/Guard relay --- section_id: relay-operations --- -subtitle: How to deploy a middle/Guard relay on FreeBSD +subtitle: How to deploy a Middle/Guard relay on FreeBSD