New User, new server

Valeri Galtsev galtsev at kicp.uchicago.edu
Tue Jun 20 15:44:38 UTC 2017


On Tue, June 20, 2017 10:22 am, Jim Ohlstein wrote:
> Hello,
>
> On 06/20/2017 10:33 AM, Peter Ludikovsky wrote:
>> Hello,
>>
>> I recently acquired a former office tower to replace my old home
>> server (Debian 8), itself an even older office tower. As it's my
>> primary storage location for images and documents I want something
>> stable, and I want to try something besides Linux, so I'm going for
>> FreeBSD 11-RELEASE. Which brings a few questions:
>
> Good choice!
>
>>
>> 1) The new machine comes with a 128G SSD, in addition to the 2 4T
>> HDDs from the older server. I'd like to set up ZFS root, with a slice
>> of the SSD as ZIL and L2ARC, and the root mirrored across the SSD and
>> the 2 HDDs. Does this make sense, and if so what would be the ideal
>> slice layout? Or should I just use the whole SSD as ZIL/L2ARC?
>
> I wouldn't mirror anything across an SSD and a magnetic drive (or two).
> Pick either the SSD or the drives.
>
> ZIL/L2ARC may be overkill on a home system unless it's frequently
> accessed by multiple users, but if you insist on having both on one SSD,
> make them the only things on the drive, and keep everything else on the
> 4TB drives. It's best to have ZIL and L2ARC on different, dedicated
> devices, but your hardware eliminates that possibility.
>
>>
>> 1.1) Can I start this setup with just the SSD and one HDD, as to keep
>> the old server alive until everything is migrated?
>
> It's very easy to add to ZFS if you plan to mirror. You can add a
> striped drive, but the results won't be as good as if you create the
> zpool as striped.
>
>>
>> 2) Moving data from the old machine. Can I run zfs send/receive to
>> get the ZFS on Linux datasets onto FreeBSD, or do I need to (r)sync?
>
> It _should_ work, but rsync will work.
>
>>
>> 3) Firewalling: PF, IPFW, or IPFilter? The machine will be behind an
>> ISP provided router, but I'm paranoid enough to want an additional
>> firewall on that machine, and one that plays nice with fail2ban at
>> that.
>
> Unless you're running services that expect outside connections (say if
> this is a file server), it won't matter. In fact, it really doesn't
> matter anyway.

I originally used IPFilter, but at some point I switched over to IPFW. The
problem I had with IPFilter was that it has a very small buffer, so on a
busy server you end up with locked-up connections once the buffer gets
filled. To fix that you had to go and edit a couple of lines in the
IPFilter kernel module, and recompile it... and keep doing it with every
kernel update. It is possible that that has changed, but if I were to
start now, I would go with either PF or IPFW (the latter somehow had
virtually no learning curve for a Linux refugee - me).

Valeri

> Pick one, learn it, use it. I use PF. I've used the other
> two also. PF includes functionality for port redirection and NAT. I have
> no idea about fail2ban. I use PF tables and the expiretable utility.
>
>>
>> 4) As far as I understand it the host plays gateway for jails. Does
>> that mean that any firewalling is done there too? If so, is any
>> special configuration required besides enabling IP forwarding? (NAT,
>> …)
>
> Yes. PF (at least) applies all rules to all packets. I'd assume the
> others do as well.
>
>>
>> 5) Currently all services on the machine run together. With FreeBSD
>> I'd like to jail them. Is there an easy way to convert, or will I be
>> creating jails for the services & shovel the data over as if it's a
>> fresh install?
>
> You'll have to create the jails manually and move your data. The ezjail
> utility, among others, makes this easy. Creating a cloned loopback for
> your jails allows them to communicate with each other while being
> isolated from the outside.
>
>>
>> Any pointers are appreciated. I'm in no hurry (old machine ain't
>> dying yet), and I'd rather do it slow & clean than fast & dirty.
>>
>
>
> --
> Jim Ohlstein
> Professional Mailman Hosting
> https://mailman-hosting.com


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
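
Added example, not part of the original thread or any poster's own configuration: a pf.conf sketch combining the pieces discussed above (a PF table aged out by expiretable, NAT and port redirection, and jails on a cloned loopback). The interface names, addresses, the jail and the expiretable path are assumptions.

```conf
# /etc/pf.conf -- constructed example; every name and address is an assumption
ext_if   = "em0"            # assumed external NIC
jail_if  = "lo1"            # cloned loopback (rc.conf: cloned_interfaces="lo1")
jail_net = "10.0.0.0/24"    # assumed private range assigned to the jails
web_jail = "10.0.0.10"      # hypothetical jail running an HTTPS service

# Offending source addresses land here; expiretable ages them out (see below)
table <bruteforce> persist

set skip on lo0
scrub in all

# Translation: jails reach the outside through NAT on the host,
# and inbound 443 on the host is redirected to one jail
nat on $ext_if inet from $jail_net to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $web_jail

# Filtering: default deny inbound, allow outbound statefully
block in all
pass out all keep state

# Anything already in the table is dropped before any pass rule is evaluated
block in quick on $ext_if from <bruteforce>

# SSH to the host: sources that open too many connections are moved
# into <bruteforce> and their existing states are flushed
pass in on $ext_if inet proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, overload <bruteforce> flush global)

# Redirected HTTPS traffic (the filter sees the translated destination)
pass in on $ext_if inet proto tcp to $web_jail port 443 flags S/SA keep state

# Jails may talk to each other over the cloned loopback
pass quick on $jail_if from $jail_net to $jail_net

# root crontab entry (install path assumed): remove table entries older
# than one hour, checked every five minutes
# */5 * * * * /usr/local/sbin/expiretable -t 3600 bruteforce
```

Running pfctl -nf /etc/pf.conf parses the ruleset without loading it, which catches syntax errors before a reload.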

