FreeBSD 11 Development Desktop on Dell XPS13


NGINX - Web Server

Nginx is a fast, feature rich web server with relatively straigth forward configuration. Configure it to serve websites from /data/httpd.

Write the following configuration.

load_module /usr/local/libexec/nginx/;
load_module /usr/local/libexec/nginx/;

worker_processes  1;

events {
	worker_connections  1024;

http {
	include mime.types;
	default_type application/octet-stream;

	sendfile on;
	keepalive_timeout 65;

	server {
		listen 80;
		server_name localhost;

		location ~ /\. {
			deny all;

		location / {
			root /data/httpd/www;
			index index.html index.htm;

		error_page 500 502 503 504  /50x.html;
		location = /50x.html {
			root /usr/local/www/nginx-dist;

PostgreSQL - Database Server

PostgreSQL is a fast, ACID compliant object-relational database with a multitude of advanced features.

Install PostgreSQL. Version 9.6 is the most recent stable release.

Configure PostgreSQL to run with the English locale and UTF-8 encoding in the directory /data/postgres.

With an admin user established and the server shut down you can switch to md5 encrypted passwords. Rewrite the file as shown below.

local   all         all                   md5
host    all         all   md5
host    all         all    ::1/128        md5

Having changed the authentication mechanism restart the server.

CUPS - Common UNIX Printing Service

The common UNIX printing service is an implementation of the Internet Printing Protocol. It provides a number of printing features and is well supported on FreeBSD. Install it as follows.

PF - Firewall

FreeBSD comes with secure defaults, nonetheless add a layer to the security onion and enable the firewall.

Add this basic configuration.

# Define one table to exclude bruteforce attackers.
table <bruteforce> persist

# Skip the loopback interface.
set skip on lo

# Clean inconsistencies in incoming traffic.
scrub in

# Default to blocking incoming traffic.
block in

# Block incoming packets with loopback address.
antispoof quick for {lo0}

# Filter packages from entries in bruteforce table.
block quick from <bruteforce>

# Allow access to ssh but block if more than three attempts are made in 30 seconds.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global)

# Allow access to web server.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 80 keep state
pass in quick on $ext_if proto tcp from any to ($ext_if) port 443 keep state
# Allow all outbound trafic from local net.
pass out on $ext_if to any keep state

Start the firewall on boot.