Mainly intended for myself to document my config but this may be useful to others as well. Wherever possible this configuration uses LibreSSL as the OpenSSL library.
System overview
- LAN: 192.2.0.0/24
- Gateway: 192.2.0.254
- Server: 192.2.0.1
Hardware
- Old laptop
- Pentium i5 520M 2.4GHz
- 4GB DDR3 SO-DIMM (8GB upgrade ordered)
- Storage (ZFS)
  - zroot: 120GB SSD Transcend JetDrive 420 (internal 2.5" SATA slot)
  - zbay: 1TB HGST Travelstar 7K1000 2.5" HDD (drive-bay caddy)
  - zesata: 500GB Seagate Momentus 5400.6 2.5" HDD (not yet installed, eSATA-p external)
Intended use
Links will go to more detailed wiki articles.
- DHCP/DNS server
- File-server
  - Backup target for the desktop and laptops
  - Cloud storage server
- Web-server
  - Personal website
  - Family website
  - Freelance website
- Mail-server (OpenSMTPd), including spam classification and virus scanning
Software
- dnsmasq for DHCP and dynamic DNS
- Unbound as validating, caching, recursive DNS resolver
- OpenLDAP as user and authentication backend
- Samba 4.2 as file-server and backup target
- rsync for backups
- OpenVPN for secure internet access from my mobile devices
- Apache 2.4 as web-server
- OpenSMTPd as mail server
- Dovecot as LDA and IMAP server
- AMaVisD as networked scanner daemon
- ClamAV as virus scanner
- SpamAssassin as rule-based spam classifier
- dspam as Bayesian spam classifier
- System management
  - Poudriere for keeping ports up to date
  - ezjail to manage the jails
  - smartmontools to monitor disks
Jails
Anything that can be reached from the internet runs in a jail. The mail scanner was separated into its own jail to provide additional isolation.
- db: Home of the MariaDB server
- http: Home of Apache and the web applications and content
- mail: Home of the MTA and IMAP server
- scan: Home of AMaVisD, ClamAV, SpamAssassin and dspam
- tor: Home of my Tor router
Every jail is firewalled using ipfw.
- tor gets access to the internet only (not the LAN) and is denied anything else
- All jails may reach DNS
- Every other jail gets only the specific access it needs; anything else is denied
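As an added example of that policy (not the rc.firewall from this box), the rule set below expresses the three bullets as ipfw rules. It assumes things the page does not state: the jails sit on a cloned lo1 interface in 10.0.0.0/24 with the addresses given in the script, Unbound listens on the host at 192.2.0.1:53, MariaDB uses its default port 3306, and amavisd uses its default 10024/10025 hand-off ports.

```sh
#!/bin/sh
# Added example of the jail firewall policy above, not the page's own rc.firewall.
# Assumptions (not on the page): jails live on lo1 in 10.0.0.0/24 with the addresses
# below, Unbound listens on the host at 192.2.0.1:53, MariaDB is on 3306 and amavisd
# uses its default 10024 (in) / 10025 (back to the MTA) ports.
LAN="192.2.0.0/24"
HOST="192.2.0.1"
JAIL_NET="10.0.0.0/24"
J_DB=10.0.0.1; J_HTTP=10.0.0.2; J_MAIL=10.0.0.3; J_SCAN=10.0.0.4; J_TOR=10.0.0.5

# Emit the rule set as "add ..." lines; apply_rules feeds them to ipfw.
# ipfw is first-match, so the rule numbers encode the policy order.
jail_rules() {
  cat <<EOF
add 100 allow ip from any to any via lo0
add 150 check-state
# every jail may reach the host resolver, and nothing else on the host
add 200 allow udp from $JAIL_NET to $HOST 53 keep-state
add 201 allow tcp from $JAIL_NET to $HOST 53 setup keep-state
# tor: internet only; the LAN and the other jails are denied before the allow
add 300 deny ip from $J_TOR to $LAN
add 301 deny ip from $J_TOR to $JAIL_NET
add 302 allow ip from $J_TOR to any keep-state
# specific inter-jail paths: web app -> database, MTA <-> scanner
add 400 allow tcp from $J_HTTP to $J_DB 3306 setup keep-state
add 401 allow tcp from $J_MAIL to $J_SCAN 10024 setup keep-state
add 402 allow tcp from $J_SCAN to $J_MAIL 10025 setup keep-state
# services exposed to the LAN and the internet
add 500 allow tcp from any to $J_HTTP 80,443 setup keep-state
add 501 allow tcp from any to $J_MAIL 25,587,993 setup keep-state
# anything else involving a jail is denied and logged
add 900 deny log ip from $JAIL_NET to any
add 901 deny log ip from any to $JAIL_NET
EOF
}

# Apply every non-comment line through ipfw (run as root on the jail host).
apply_rules() {
  jail_rules | while IFS= read -r line; do
    case "$line" in
      ''|\#*) ;;
      *) ipfw -q $line ;;   # word splitting intended: "add 100 allow ..."
    esac
  done
}

# Without an argument just print the rules for review; "apply" loads them.
[ "${1:-}" = "apply" ] && apply_rules || jail_rules
```

The deny-log rules at 900/901 are what make the "anything else is denied" bullet visible in /var/log/security, which is where a misconfigured jail shows up first.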