New User, new server

Jim Ohlstein jim at
Tue Jun 20 15:22:48 UTC 2017


On 06/20/2017 10:33 AM, Peter Ludikovsky wrote:
> Hello,
> I recently acquired a former office tower to replace my old home
> server (Debian 8), itself an even older office tower. As it's my
> primary storage location for images and documents I want something
> stable, and I want to try something besides Linux, so I'm going for
> FreeBSD 11-RELEASE. Which brings a few questions:

Good choice!

> 1) The new machine comes with a 128G SSD, in addition to the 2 4T
> HDDs from the older server. I'd like to set up ZFS root, with a slice
> of the SSD as ZIL and L2ARC, and the root mirrored across the SSD and
> the 2 HDDs. Does this make sense, and if so what would be the ideal
> slice layout? Or should I just use the whole SSD as ZIL/L2ARC?

I wouldn't mirror anything across an SSD and a magnetic drive (or two).
Pick either the SSD or the drives.

ZIL/L2ARC may be overkill on a home system unless it's frequently
accessed by multiple users, but if you insist on having both on one SSD,
make them the only things on the drive, and keep everything else on the
4TB drives. It's best to have ZIL and L2ARC on different, dedicated
devices, but your hardware eliminates that possibility.

> 1.1) Can I start this setup with just the SSD and one HDD, as to keep
> the old server alive until everything is migrated?

It's very easy to add to ZFS if you plan to mirror. You can add a
striped drive, but the results won't be as good as if you create the
zpool as striped.

> 2) Moving data from the old machine. Can I run zfs send/receive to
> get the ZFS on Linux datasets onto FreeBSD, or do I need to (r)sync?

It _should_ work, but rsync will work.

> 3) Firewalling: PF, IPFW, or IPFilter? The machine will be behind an
> ISP provided router, but I'm paranoid enough to want an additional
> firewall on that machine, and one that plays nice with fail2ban at
> that.

Unless you're running services that expect outside connections (say if 
this is a file server), it won't matter. In fact, it really doesn't 
matter anyway. Pick one, learn it, use it. I use PF. I've used the other 
two also. PF includes functionality for port redirection and NAT. I have 
no idea about fail2ban. I use PF tables and the expiretable utility.

> 4) As far as I understand it the host plays gateway for jails. Does
> that mean that any firewalling is done there too? If so, is any
> special configuration required besides enabling IP forwarding? (NAT,
> …)

Yes. PF (at least) applies all rules to all packets. I'd assume the 
others do as well.

> 5) Currently all services on the machine run together. With FreeBSD
> I'd like to jail them. Is there an easy way to convert, or will I be 
> creating jails for the services & shovel the data over as if it's a 
> fresh install?

You'll have to create the jails manually and move your data. The ezjail 
utility, among others, makes this easy. Creating a cloned loopback for 
your jails allows them to communicate with each other while being 
isolated from the outside.

> Any pointers are appreciated. I'm in no hurry (old machine ain't
> dying yet), and I'd rather do it slow & clean than fast & dirty.

Jim Ohlstein
Professional Mailman Hosting
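
An added example, not part of the original post and not FreeBSD project configuration: a pf.conf sketch of the two things the reply mentions, a PF table that collects abusive sources and a cloned loopback carrying the jail addresses. The interface name em0, the 10.0.0.0/24 jail range on lo1, the table name and the rate limits are all assumptions.

```conf
# /etc/pf.conf (added example; names and numbers are assumptions)
# Assumes /etc/rc.conf already contains:
#   pf_enable="YES"
#   cloned_interfaces="lo1"
# and that each jail is given an address from 10.0.0.0/24 on lo1.

ext_if  = "em0"               # assumed external NIC name
jailnet = "10.0.0.0/24"       # assumed jail address range on lo1

# Filled by the overload rule below; "persist" keeps the table
# in place even when it holds no addresses.
table <bruteforce> persist

set skip on lo0               # do not filter the host's own loopback
scrub in all

# Jail addresses are private, so their outbound traffic is
# translated to the host's external address.
nat on $ext_if inet from $jailnet to any -> ($ext_if)

# Default: nothing comes in unless a later rule allows it.
block in log all
pass out quick keep state

# Sources already in the table are dropped before any pass rule.
block in quick on $ext_if from <bruteforce>

# SSH: a source that opens more than 10 simultaneous connections
# or more than 5 new ones in 30 seconds is added to <bruteforce>
# and its existing states are flushed.
pass in on $ext_if inet proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)

# Table entries do not age out on their own. Run the expiretable
# utility from cron, or use pf's built-in equivalent:
#   pfctl -t bruteforce -T expire 86400
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, so a syntax error does not leave the host without a ruleset.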

More information about the freebsd-questions mailing list