From: Jim Ohlstein
To: Peter Ludikovsky
Cc: freebsd-questions@freebsd.org
Subject: Re: New User, new server
Date: Tue, 20 Jun 2017 11:22:44 -0400
In-Reply-To: <800e15b2-d7f5-d339-bd77-862e9d0cab5b@ludikovsky.name>

Hello,

On 06/20/2017 10:33 AM, Peter Ludikovsky wrote:
> Hello,
>
> I recently acquired a former office tower to replace my old home
> server (Debian 8), itself an even older office tower. As it's my
> primary storage location for images and documents I want something
> stable, and I want to try something besides Linux, so I'm going for
> FreeBSD 11-RELEASE. Which brings a few questions:

Good choice!

>
> 1) The new machine comes with a 128G SSD, in addition to the 2 4T
> HDDs from the older server. I'd like to set up ZFS root, with a slice
> of the SSD as ZIL and L2ARC, and the root mirrored across the SSD and
> the 2 HDDs. Does this make sense, and if so what would be the ideal
> slice layout? Or should I just use the whole SSD as ZIL/L2ARC?

I wouldn't mirror anything across an SSD and a magnetic drive (or two).
Pick either the SSD or the drives.

ZIL/L2ARC may be overkill on a home system unless it's frequently
accessed by multiple users, but if you insist on having both on one
SSD, make them the only things on the drive, and keep everything else
on the 4TB drives. It's best to have ZIL and L2ARC on different,
dedicated devices, but your hardware eliminates that possibility.

>
> 1.1) Can I start this setup with just the SSD and one HDD, so as to
> keep the old server alive until everything is migrated?

It's very easy to add to ZFS if you plan to mirror. You can add a
striped drive, but the results won't be as good as if you create the
zpool as striped.

>
> 2) Moving data from the old machine. Can I run zfs send/receive to
> get the ZFS on Linux datasets onto FreeBSD, or do I need to (r)sync?

It _should_ work, but rsync will work.

>
> 3) Firewalling: PF, IPFW, or IPFilter? The machine will be behind an
> ISP provided router, but I'm paranoid enough to want an additional
> firewall on that machine, and one that plays nice with fail2ban at
> that.

Unless you're running services that expect outside connections (say if
this is a file server), it won't matter. In fact, it really doesn't
matter anyway. Pick one, learn it, use it. I use PF. I've used the
other two also. PF includes functionality for port redirection and
NAT. I have no idea about fail2ban. I use PF tables and the
expiretable utility.

>
> 4) As far as I understand it the host plays gateway for jails. Does
> that mean that any firewalling is done there too? If so, is any
> special configuration required besides enabling IP forwarding? (NAT,
> …)

Yes. PF (at least) applies all rules to all packets. I'd assume the
others do as well.

>
> 5) Currently all services on the machine run together. With FreeBSD
> I'd like to jail them. Is there an easy way to convert, or will I be
> creating jails for the services & shovel the data over as if it's a
> fresh install?

You'll have to create the jails manually and move your data. The
ezjail utility, among others, makes this easy. Creating a cloned
loopback for your jails allows them to communicate with each other
while being isolated from the outside.

>
> Any pointers are appreciated. I'm in no hurry (old machine ain't
> dying yet), and I'd rather do it slow & clean than fast & dirty.
>

--
Jim Ohlstein
Professional Mailman Hosting
https://mailman-hosting.com
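An added example (not from Jim's message or from anyone on the list) of the arrangement his answers to 3, 4 and 5 describe: PF on the host doing NAT and port redirection for jails that live on a cloned loopback interface, plus a PF table of abusive SSH sources that the expiretable utility ages out. The NIC name em0, the 10.10.0.0/24 jail network, the 10.10.0.10 web jail and the 24h expiry are assumptions for illustration; substitute your own interface and addresses.

```conf
# --- /etc/rc.conf (additions) ---
# Cloned loopback for the jails. ezjail adds each jail's address as an
# alias on lo1 when the jail starts, so only the interface is created here.
cloned_interfaces="lo1"
# gateway_enable sets net.inet.ip.forwarding=1, which NAT for the jails needs.
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

# --- /etc/pf.conf ---
ext_if   = "em0"            # assumed NIC name; check ifconfig
jail_if  = "lo1"
jail_net = "10.10.0.0/24"   # assumed jail network on lo1
web_jail = "10.10.0.10"     # assumed address of the jail serving HTTP

# Sources caught by the SSH overload rule below. "persist" keeps the table
# alive even when no rule references it, so expiretable can manage it.
table <bruteforce> persist

set skip on lo0
scrub in all

# Translation is applied before filtering: jail traffic leaves with the
# host's address, and inbound port 80 is rewritten to the web jail.
nat on $ext_if inet from $jail_net to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web_jail port 80

# Default deny inbound (logged), allow outbound with state.
block in log all
pass out keep state

# Anything from a listed source is dropped before any pass rule is consulted.
block in quick from <bruteforce>

# Jails may talk to each other and to the host over lo1 only; nothing on
# lo1 is reachable from $ext_if unless an rdr rule above sends it there.
pass on $jail_if

# SSH to the host, rate-limited: more than 5 new connections in 30 s, or
# more than 10 concurrent, from one source adds it to <bruteforce> and
# flushes that source's existing states.
pass in on $ext_if inet proto tcp to ($ext_if) port 22 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# rdr has already rewritten the destination, so the filter rule must match
# the jail address, not the external address.
pass in on $ext_if inet proto tcp to $web_jail port 80 flags S/SA keep state

# Age entries out of <bruteforce> after 24 h (port security/expiretable),
# e.g. from root's crontab:
#   */15 * * * * /usr/local/sbin/expiretable -t 24h bruteforce
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -t bruteforce -T show` to see what the overload rule has caught. Because the jail addresses sit on lo1 rather than on the NIC, a jail is only exposed to the outside where an rdr rule and a matching pass rule both exist for it, which is the isolation Jim describes.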