From: "Valeri Galtsev"
To: "Jim Ohlstein"
Cc: "Peter Ludikovsky", freebsd-questions@freebsd.org
Reply-To: galtsev@kicp.uchicago.edu
Date: Tue, 20 Jun 2017 10:44:36 -0500 (CDT)
Subject: Re: New User, new server
Message-ID: <31261.128.135.52.6.1497973476.squirrel@cosmo.uchicago.edu>

On Tue, June 20, 2017 10:22 am, Jim Ohlstein wrote:
> Hello,
>
> On 06/20/2017 10:33 AM, Peter Ludikovsky wrote:
>> Hello,
>>
>> I recently acquired a former office tower to replace my old home
>> server (Debian 8), itself an even older office tower.
>> As it's my
>> primary storage location for images and documents I want something
>> stable, and I want to try something besides Linux, so I'm going for
>> FreeBSD 11-RELEASE. Which brings a few questions:
>
> Good choice!
>
>>
>> 1) The new machine comes with a 128G SSD, in addition to the 2 4T
>> HDDs from the older server. I'd like to set up ZFS root, with a slice
>> of the SSD as ZIL and L2ARC, and the root mirrored across the SSD and
>> the 2 HDDs. Does this make sense, and if so what would be the ideal
>> slice layout? Or should I just use the whole SSD as ZIL/L2ARC?
>
> I wouldn't mirror anything across an SSD and a magnetic drive (or two).
> Pick either the SSD or the drives.
>
> ZIL/L2ARC may be overkill on a home system unless it's frequently
> accessed by multiple users, but if you insist on having both on one SSD,
> make them the only things on the drive, and keep everything else on the
> 4TB drives. It's best to have ZIL and L2ARC on different, dedicated
> devices, but your hardware eliminates that possibility.
>
>>
>> 1.1) Can I start this setup with just the SSD and one HDD, as to keep
>> the old server alive until everything is migrated?
>
> It's very easy to add to ZFS if you plan to mirror. You can add a
> striped drive, but the results won't be as good as if you create the
> zpool as striped.
>
>>
>> 2) Moving data from the old machine. Can I run zfs send/receive to
>> get the ZFS on Linux datasets onto FreeBSD, or do I need to (r)sync?
>
> It _should_ work, but rsync will work.
>
>>
>> 3) Firewalling: PF, IPFW, or IPFilter? The machine will be behind an
>> ISP provided router, but I'm paranoid enough to want an additional
>> firewall on that machine, and one that plays nice with fail2ban at
>> that.
>
> Unless you're running services that expect outside connections (say if
> this is a file server), it won't matter. In fact, it really doesn't
> matter anyway.

I originally used IPFilter, but at some point I switched over to IPFW.
The problem with IPFilter I had was: IPFilter has a very small buffer, so
on a busy server you end up with locked up connections once the buffer
gets filled. To fix that you had to go and edit a couple of lines in the
IPFilter kernel module, and recompile it... and keep doing it with every
kernel update. It is possible that that has changed, but if I were to
start now, I either would go with PF or IPFW (the last somehow virtually
didn't have any learning curve for a Linux refugee - me).

Valeri

> Pick one, learn it, use it. I use PF. I've used the other
> two also. PF includes functionality for port redirection and NAT. I have
> no idea about fail2ban. I use PF tables and the expiretable utility.
>
>>
>> 4) As far as I understand it the host plays gateway for jails. Does
>> that mean that any firewalling is done there too? If so, is any
>> special configuration required besides enabling IP forwarding? (NAT,
>> …)
>
> Yes. PF (at least) applies all rules to all packets. I'd assume the
> others do as well.
>
>>
>> 5) Currently all services on the machine run together. With FreeBSD
>> I'd like to jail them. Is there an easy way to convert, or will I be
>> creating jails for the services & shovel the data over as if it's a
>> fresh install?
>
> You'll have to create the jails manually and move your data. The ezjail
> utility, among others, makes this easy. Creating a cloned loopback for
> your jails allows them to communicate with each other while being
> isolated from the outside.
>
>>
>> Any pointers are appreciated. I'm in no hurry (old machine ain't
>> dying yet), and I'd rather do it slow & clean than fast & dirty.
>>
>
>
> --
> Jim Ohlstein
> Profesional Mailman Hosting
> https://mailman-hosting.com

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
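
The PF points from the quoted answers to questions 3 to 5 (a table of offenders that expires, NAT, jails on a cloned loopback), put together as a pf.conf sketch. This is an added example, not configuration from anyone in the thread; the interface name, subnet, table name and thresholds are assumptions, and it expires table entries with pfctl's built-in expire command rather than the expiretable utility mentioned above.

```conf
# /etc/pf.conf: added illustration; every name and number below is an assumption.
# Assumed /etc/rc.conf: pf_enable="YES" and cloned_interfaces="lo1",
# with the jail addresses taken from 10.0.0.0/24 and aliased onto lo1.

ext_if   = "em0"            # assumed NIC facing the ISP router
jail_net = "10.0.0.0/24"    # assumed jail subnet on the cloned loopback

# Offending sources land here through the overload rule below.
table <bruteforce> persist

set skip on lo0
scrub in all

# Jails have private addresses, so their outbound traffic is translated
# to the host's address on the external interface.
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# Default deny inbound; the host and its jails may open connections outward.
block in all
pass out on $ext_if keep state

# "quick" stops rule evaluation, so the pass rule below never applies
# to a source that is already in the table.
block in quick on $ext_if from <bruteforce>

# SSH to the host: a source exceeding 5 new connections in 30 seconds, or
# 10 concurrent ones, is added to <bruteforce> and its states are flushed.
pass in on $ext_if inet proto tcp to ($ext_if) port ssh flags S/SA \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
    overload <bruteforce> flush global)

# Expire table entries from cron so bans are temporary, e.g. after an hour:
#   pfctl -t bruteforce -T expire 3600
```

Running `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax errors before the rules go live.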