Posts Tagged ‘pkg’

FreeBSD post install configuration steps to make on fresh FreeBSD install to make ready for server and Desktop use

Saturday, October 28th, 2017

freebsd-post-install-configuration-steps-to-make-on-fresh-install-to-make-ready-for-server-freebsd-logo


1. Update binary packages

First thing to do just like on any new operating system install is to update / patch the server
 

# freebsd-update fetch
# freebsd-update install

 


2. Update FreeBSD port packages

As a FreeBSD administrator you will need ports every now and then so make sure you have them at their latest release for your FBSD release

 

# pkg update
# pkg upgrade

 


3. Install editors and bash

 

# pkg install nano vim joe bash bash_completion

 


4. Install sudo

To be able to run commands without becoming superuser root just like on any Linux you will probably want to have sudo package installed

# pkg install sudo

 

Sudo config file is under /usr/local/etc/sudoers

To edit it with syntax check enabled use visudo

 

# visudo

# sudo pkg update
 

 

If you want a regular account to have root superuser edit / modify and do things permissions

 

# pw groupmod wheel -M your_user_name

 

Then to make the wheel permissions work add to sudoers:

 

%wheel    ALL=(ALL=ALL)    ALL

5. FreeBSD modify personal information for account

 

# chpass your_user_name

To change your account and others to use bash instead of default freebsd csh

 

# csh -s /bin/bash your_user_name

 


7. Set a Static IP address for a FreeBSD server and configure DNS

Edit /etc/rc.local to look something like so

 

#ifconfig_em0="DHCP"
ifconfig_em0="inet 192.168.1.100 netmask 255.255.255.0"
# default gateway
defaultrouter="192.168.1.1"

 

/etc/rc.conf is also the file where you can easily enable / disable freebsd startup scripts

To restart network interafaces just like Debian Linux's /etc/init.d/networking restart type

 

# service netif restart
# service routing restart

 

To set Google DNS in FreeBSD just like in Linux add the IPs with nameserver prefix to /etc/resolv.conf

 

# echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
# echo 'nameserver 8.8.8.8' >> /etc/resolv.conf
# echo 'search your-domain-name' >> /etc/resolv.conf

 

– If you need to change the hostname of the FreeBSD server change in /etc/rc.conf

hostname="your-freebsdhostname"

– To add multiple IP addresses to a network interface on FBSD add line like below to /etc/rc.conf

ifconfig_em0_alias0="192.168.1.5 netmask 255.255.255.255"
ifconfig_em0_alias1="192.168.1.6 netmask 255.255.255.255"

To apply changes and bring up the newly set multiple IPs

# service netif restart


8. Setting up proper timezone

If for some reason the Time zone is improperly set during FreeBSD install, you can later set that with

# tzsetup

9. Set up ntp time server synchronization daemon

# vim /etc/rc.conf

ntpd_enable="YES"
ntpd_sync_on_start="YES"

First command will bring up NTP server at start up and second make it synchroniza with Internet NTP servers, to restart ntp so it set proper time
immediately

# service ntpd start


10. Add additional SWAP space to FreeBSD server after install

– First we need to create the swap file with command and then set up proper permissions for it

# truncate -S 3G /swapf
# chmod 0600 /swapf

– Then to make the swapf being used on boot we need to add it to /etc/fstab

# echo "md99 none swap sw,file=/swapf,late 0 0" >> /etc/fstab

To immediately apply the new added swap to be used by the system run:

# swapon -aqL

To check various things on how swap is configured use

# swapinfo -g


11. Configure Firewall in FreeBSD

# vim /etc/rc.conf

firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

A very basic firewall to add to ipfw.rules file would be something like so:
 

    $IPF 70 allow all from any to any out keep-state
    $IPF 80 allow icmp from any to any
    # open port ftp

    $IPF 110 allow tcp from any to any 21 in
    $IPF 120 allow tcp from any to any 21 out

    # 22 for ssh
    $IPF 130 allow tcp from any to any 22 in
    $IPF 140 allow tcp from any to any 22 out

    # mail port 25

    $IPF 150 allow tcp from any to any 25 in
    $IPF 160 allow tcp from any to any 25 out

    # dns (53) udp and tcp in
    $IPF 170 allow udp from any to any 53 in
    $IPF 175 allow tcp from any to any 53 in

    # dns (53) udp and tcp out
    $IPF 180 allow udp from any to any 53 out
    $IPF 185 allow tcp from any to any 53 out

    # http (80),
    $IPF 200 allow tcp from any to any 80 in
    $IPF 210 allow tcp from any to any 80 out
    # deny and log everything
    $IPF 500 deny log all from any to any

To launch the firewall
 

# service ipfw start


To list current FreeBSD Firewall rules use

# ipfw list

Finally if you need to check your connections to the server just like Linux's netstat you might consider using sockstat comand
 

# sockstat -4 -6

– 4 -6 will list you network connections for ipv4 and ipv6 both tcp and udp

How to downgrade package with apt-get on Debian / Ubuntu / Mint Linux

Thursday, October 19th, 2017

how-to-downgrade-debian-package-to-an-older-version-debian_package-box

 

How can I downgrade a debian package to an older version with apt-get?

Downgrading a package in Debian is not frequently required but sometimes it is a must lets say a package you just upgraded fails to communicate properly to an application, in my case that's Ejabberd server which was working pretty well with Yaxim, Bruno or Xabber Mobile android application clients, unfortunately right after periodic apt-get upgrades I do with apt due to security upgrade of deb package ejabberd=2.1.10-4+deb7u1 to ejabberd=2.1.10-4+deb7u2 it messed up and even though it worked fine with Desktop clients such as Gajim and Pidgin, there was no Android application on my Phone with Android 4.4 which was able to communicate properly with the TLS encrypted Jabber server so my only option was to downgrade back to ejabberd=2.1.10-4+deb7u1.

I looked through duckduckgo.com a short URL is (ddg.gg) but I couldn't find the old deb file to downgrade so I was in a situation …

 Then I duckduck goed (I've recently stopped using Google as Google is collecting too much data and sharing with NSA) and I found following instructions on downgrade

——— 

If you have the version number, or the target release, apt-get supports choosing a particular version or target release. More details can be found on manual page of apt-get. It can also be accessed from terminal by typing man apt-get

sudo apt-get install <package-name>=<package-version-number> OR

sudo apt-get -t=<target release> install <package-name>

is the command to be run. This can be used to down-grade a package to a specific version.

It has been helpfully pointed out in the comments that

    apt-cache showpkg <package-name> – lists all available versions. (h/t Sparhawk)
    apt-mark hold <package-name> "holds" – the package at the current version, preventing automatic upgrades. (h/t Luís de Sousa )


In other words All I had to do is as root superuser is:
 

apt-get install «pkg»=«version»

OR

aptitude install «pkg»=«version»

Where «pkg» is the name of the package, and «version» is the version number.


So I just issued following cmd:

root@pcfreak:~# apt-get install ejabberd=2.1.10-4+deb7u1
Четене на списъците с пакети… Готово
Изграждане на дървото със зависимости       
Четене на информацията за състоянието… Готово
Предложени пакети:
  libunix-syslog-perl
Следните НОВИ пакети ще бъдат инсталирани:
  ejabberd
0 актуализирани, 1 нови инсталирани, 0 за премахване и 3 без промяна.
Необходимо е да се изтеглят 1795 kB архиви.
След тази операция ще бъде използвано 3699 kB допълнително дисково пространство.
Изт:1 http://ftp.uk.debian.org/debian/ wheezy/main ejabberd amd64 2.1.10-4+deb7u1 [1795 kB]


P.S. Sorry for the cyrillic for those who can't read it but it is standard messages that Debian does in package install time.

Analogously you can do it for any other newer package that upgraded, later on to prevent further security updates of the package you will have to put the package on hold, that's as easy as running:
 

root@pcfreak:~# aptitude hold ejabberd
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.

 

FreeBSD 10.0 RELEASE is out pkg_add FreeBSD default package manager to be substituted with pkg

Thursday, January 23rd, 2014

freebsd 10 is out logo pkg add to be removed - freebsd big news pkg_add to be substituted by another package manager

New latest version of FreeBSD 10.0-RELEASE is out this. FBSD 10  is the latest stable release of 10 branch. The biggest change in FBSD 10 is removal of long time used pkg_add and its substitute with the newer and more advanced pkg. For BSD users who don't know pkg  stiill check out handbook on pkgng

Key highlights of FreeBSD 10 as taken from FreeBSD-10.0-RELEASE announcement;
 

  • GCC is no longer installed by default on architectures where clang(1) is the default compiler.

  • Unbound has been imported to the base system as the local caching DNS resolver.

  • BIND has been removed from the base system.

  • make(1) has been replaced with bmake(1), obtained from the NetBSD Project.

  • pkg(7) is now the default package management utility.

  • pkg_add(1), pkg_delete(1), and related tools have been removed.

  • Major enhancements in virtualization, including the addition of bhyve(8), virtio(4), and native paravirtualized drivers providing support for FreeBSD as a guest operating system on Microsoft Hyper-V.

  • TRIM support for Solid State Drives has been added to ZFS.

  • Support for the high-performance LZ4 compression algorithm has been added to ZFS.

    There is a big news for Raspberry Pi lovers as from FreeBSD 10 there is an official support for Raspberry Pi
    Happy new release. Cheers to testers 🙂

How to mount NTFS Windows XP filesystem on FreeBSD, NetBSD, OpenBSD

Friday, May 11th, 2012

Mounting NTFS hdd partitions on FreeBSD logo picture

A friend of mine bring home a Seagate External Hard Disk Drive using USB 3 as a communication media. I needed to attach the hard disk to my FreeBSD router to transfer him some data, the External HDD is formatted to use NTFS as a main file partition and hence to make the file transfers I had to somehow mount the NTFS partition on the HDD.

FreeBSD and other BSDs, just like Linux does not have embedded NTFS file system mount support.
In order to add an external write support for the plugged hdd NTFS I looked in the ports tree:

freebsd# cd /usr/ports
freebsd# make search name='ntfs'
Port: fusefs-ntfs-2010.10.2
Path: /usr/ports/sysutils/fusefs-ntfs
Info: Mount NTFS partitions (read/write) and disk images
Maint: ports@FreeBSD.org
B-deps: fusefs-libs-2.7.4 libiconv-1.13.1_1 libtool-2.4 libublio-20070103 pkg-config-0.25_1
R-deps: fusefs-kmod-0.3.9.p1.20080208_7 fusefs-libs-2.7.4 libiconv-1.13.1_1 libublio-20070103 pkg-config-0.25_1
WWW: http://www.tuxera.com/community/

Port: ntfsprogs-2.0.0_1
Path: /usr/ports/sysutils/ntfsprogs
Info: Utilities and library to manipulate NTFS partitions
Maint: ports@FreeBSD.org
B-deps: fusefs-libs-2.7.4 libiconv-1.13.1_1 libublio-20070103 pkg-config-0.25_1
R-deps: libublio-20070103 pkg-config-0.25_1
WWW: http://www.linux-ntfs.org/
freebs# cd sysutils/fusefs-ntfs/
freebsd# ls
Makefile distinfo files/ pkg-descr pkg-plist
freebsd# cat pkg-descr
The ntfs-3g driver is an open source, freely available read/write NTFS
driver, which provides safe and fast handling of the Windows XP, Windows
Server 2003 and Windows 2000 filesystems. Almost the full POSIX filesystem
functionality is supported, the major exceptions are changing the file
ownerships and the access rights.
WWW: http://www.tuxera.com/community/

Using ntfs-3g I managed to succeed mounting the NTFS on my old PC running FreeBSD ver. 7_2

1. Installing fuserfs-ntfs support on BSD

Before I can use ntfs-3g, to mount the paritition, I had to install fuserfs-ntfs bsd port, with:

freebsd# cd /usr/ports/sysutils/fusefs-ntfs
freebsd# make install clean
.....

I was curious if ntfsprogs provides other utilities to do the ntfs mount but whilst trying to install it I realized it is already installed as a dependency package to fusefs-ntfs.

fusefs-ntfs package provides a number of utilities for creating, mounting, fixing and doing various manipulations with Microsoft NTFS filesystems.

Here is a list of all the executable utilities helpful in NTFS fs management:

freebsd# pkg_info -L fusefs-ntfs\* | grep -E "/bin/|/sbin|README"
/usr/local/bin/lowntfs-3g
/usr/local/bin/ntfs-3g
/usr/local/bin/ntfs-3g.probe
/usr/local/bin/ntfs-3g.secaudit
/usr/local/bin/ntfs-3g.usermap
/usr/local/bin/ntfscat
/usr/local/bin/ntfscluster
/usr/local/bin/ntfscmp
/usr/local/bin/ntfsfix
/usr/local/bin/ntfsinfo
/usr/local/bin/ntfsls
/usr/local/sbin/mkntfs
/usr/local/sbin/ntfsclone
/usr/local/sbin/ntfscp
/usr/local/sbin/ntfslabel
/usr/local/sbin/ntfsresize
/usr/local/sbin/ntfsundelete
/usr/local/share/doc/ntfs-3g/README
/usr/local/share/doc/ntfs-3g/README.FreeBSD

The README and README.FreeBSD are wonderful, reading for those who want to get more in depth knowledge on using the up-listed utilities.

One utility, worthy to mention, I have used in the past is ntfsfix. ntfsfix resolve issues with NTFS partitions which were not unmounted on system shutdown (electricity outage), system hang up etc.

2. Start fusefs (ntfs) and configure it to auto load on system boot

Once fuserfs-ntfs is installed, if its necessery ntfs fs mounts to be permanently supported on the BSD system add fusefs_enable="YES" to /etc/rc.conf(the FreeBSD services auto load conf).

freebsd# echo 'fusefs_enable="YES"' >> /etc/rc.conf

One note to make here is that you need to have also dbus_enable="YES" and hald_enable="YES" in /etc/rc.conf, not having this two in rc.conf will prevent fusefs to start properly. Do a quick grep to make sure this two variables are enabled:

Afterwards fsusefs load up script should be run:

freebsd# /usr/local/etc/rc.d/fusefs start
Starting fusefs.

Another alternative way to load ntfs support on the BSD host is to directly load fuse.ko kernel module:

freebsd# /sbin/kldload fuse.ko

3. Mounting the NTFS partition

In my case, the Seagate hard drive was detected as da0, where the NTFS partition was detected as s1 (da0s1):

freebsd# dmesg|grep -i da0
da0 at umass-sim0 bus 0 target 0 lun 0
da0: Fixed Direct Access SCSI-4 device
da0: 40.000MB/s transfers
da0: 953869MB (1953525164 512 byte sectors: 255H 63S/T 121601C)br />GEOM_LABEL: Label for provider da0s1 is ntfs/Expansion Drive.
GEOM_LABEL: Label for provider da0s1 is ntfs/Expansion Drive.

Therefore further to mount it one can use mount_ntfs (to quickly mount in read only mode) or ntfs-3g for (read / write mode):

If you need to just quickly mount a disk drive to copy some data and umount it with no need for writting to the NTFS partition do;

freebsd# /sbin/mount_ntfs /dev/ad0s1 /mnt/disk

Note that mount_ntfs command is a native BSD command and have nothing to do with ntfs-3g. Therefore using it to mount NTFS is not the same as mounting it via ntfs-3g cmd

freebsd# /usr/local/bin/ntfs-3g -o rw /dev/da0s1 /mnt/disk/

Something, I've noticed while using ntfs-3g is, it fails to properly exit even when the ntfs-3g shell execution is over:

freebsd# ps ax |grep -i ntfs|grep -v grep
18892 ?? Is 0:00.00 /usr/local/bin/ntfs-3g -o rw /dev/da0s1 /mnt/disk/

I dunno if this is some kind of ntfs-3g bug or feature specific to all versions of FreeBSD or it is something local to FBSD 7.2

Thought ntfs-3g, keeps appearing in process list, praise God as of time of writting NTFS support on FreeBSD prooved to be stable.
Read / Write disk operations to the NTFS I tested it with works great. Just about 5 years ago I still remember write mode was still experimental. Now it seems NTFS mounts can be used with no hassle even on production machines.

4. Auto mounting NTFS partition on FreeBSD system boot

There are two approaches towards 'the problem' I can think of.
The better way to auto mount on boot (in my view) is through /etc/fstab use

If /etc/fstab + ntfs-3g is to be used, you will however change the default /sbin/mount_ntfs command to point to /usr/local/bin/ntfs-3g, i.e.:

freebsd# mv /sbin/mount_ntfs /sbin/mount_ntfs.orig
freebsd# ln -s /usr/local/bin/ntfs-3g /sbin/mount_ntfs

Then to mount /dev/da0s1 via /etc/fstab add line:

/dev/ad0s1 /mnt/disk ntfs rw,late 0 0

To not bother with text editor run:

freebsd# echo '/dev/ad0s1 /mnt/disk ntfs rw,late 0 0' >> /etc/fstab

I've red in posts in freebsd forums, there is also a way to use ntfs-3g for mounting partitions, without substituting the original bsd /sbin/mount_ntfs, the exact commands suggested to be used with no need to prior mv /sbin/mount_ntfs to /sbin/mount_ntfs.orig and link it to ntfs is:

/dev/ad0s1 /disk ntfs rw,mountprog=/usr/local/bin/ntfs-3g,late 0 0

For any other NTFS partitions, for instance /dev/ad0s2, /dev/ad2s1 etc. simply change the parititon name and mount points.

The second alternative to adding the NTFS to auto mount is through /etc/rc.local. /etc/rc.local content will be executed very late in system boot. :

echo '/usr/local/bin/ntfs-3g -o rw /dev/da0s1' >> /etc/rc.local

One disadvanage of using /etc/rc.local for mounting the partition is the hanging ntfs-3g in proc list:

freebsd# ps ax |grep -i ntfs|grep -v grep
18892 ?? Is 0:00.00 /usr/local/bin/ntfs-3g -o rw /dev/da0s1 /mnt/disk/

Though, I haven't tested it yet. Using the same methodology should be perfectly working on PC-BSD, DragonFlyBSD, NetBSD and OpenBSD.
I will be glad if someone who runs any of the other BSDs can confirm, following this instructions works fine on these BSDs too.

End of Management Games / Lectures

Wednesday, April 16th, 2008

Today was the last day of the lectures with Joop Vinke. Here is how my day passed. I woke up at 9:00, washed my teeth dressed combed my hair and went to the police station to look for our quarter police officer. I need to renew my personal ID card because it has been expired already for 4 years already. Thanks God everything went smoothly in the police station. After that I went to school we had lectures with Joop Vinke. After the school I went home and played around with my FreeBSD system. I succesfully upgraded gnome 2.20 to 2.22.

Using the binary packages from

http://www.marcuscom.com/tb/packages/7-STABLE-FreeBSD/gnome/. I’m trying to upgrade gnome from source for already almost 3 weeks with portmanager. After all of the required ports rebuilded still gnome wasn’t functioning, so in order to make it working I downloaded packages from http://www.marcuscom.com/tb/packages/7-STABLE-FreeBSD/gnome/ and ran a little loop with

for i in *; do pkg_add -vf $i; done

 

to make all the .tbz files install I did that yesterday night today at the afternoon everything was installed and gnome ran just fine I only had to link few libraries because they were searched on a different places. All works just fine now I only have to rebuild few of my games because they’re now linked to an old libraries. In the evening we went out with Javor for a coffee. As very often we went to the fountain we had a nice talk and then we went to his apartment to watch a film. He recommended a film called 1984 and we watched that. My impression is that this film is totally psychodelic and freaky, but still interesting to see. After I went home I went to see my grandma and now I’m home tired on a few steps of my bed 🙂 I should also mention that today I upgraded clamav on 3 of the servers I maintain. It seems there are few configuration options which changed in the new clamav release (0.93). It was an easy day as a whole if we don’t count my physical infirmity.

END—–

How to install OpenNTPD NTP server to synchronize system clock on FreeBSD for better security

Sunday, February 12th, 2012

FreeBSD, OpenBSD, NetBSD and Linux ntpd alternative server to synchronize server system time

Lately I've been researching on ntpd and wrote a two articles on how to install ntpd on CentOS, Fedora and how to install ntpd on FreeBSD and during my research on ntpd, I've come across OpenNTPD and decided to give it a go on my FreeBSD home router.
OpenBSD project is well known for it is high security standards and historically has passed the test of time for being a extraordinary secure UNIX like free operating system.
OpenBSD is developed in parallel with FreeBSD, however the development model of the two free operating systems are way different.

As a part of the OpenBSD to be independant in its basis of software from other free operating systems like GNU / Linux and FreeBSD. They develop the all around free software realm known OpenSSH. Along with OpenSSH, one interesting project developed for the main purpose of OpenBSD is OpenNTPD.

Here is how openntpd.org describes OpenNTPD:

"a FREE, easy to use implementation of the Network Time Protocol. It provides the ability to sync the local clock to remote NTP servers and can act as NTP server itself, redistributing the local clock."

OpenNTPD's accent just like OpenBSD's accent is security and hence for FreeBSD installs which targets security openntpd might be a good choice. Besides that the so popular classical ntpd has been well known for being historically "insecure", remote exploits for it has been released already at numerous times.

Another reason for someone to choose run openntpd instead of ntpd is its great simplicity. openntpd configuration is super simple.

Here are the steps I followed to have openntpd time server synchronize clock on my system using other public accessible openntpd servers on the internet.

1. Install openntpd through pkg_add -vr openntpd or via ports tree

a) For binar install with pkg_add issue:

freebsd# pkg_add -vr openntpd
...

b) if you prefer to compile it from source

freebsd# cd /usr/ports/net/openntpd
freebsd# make install clean
...

2. Enable OpenNTPD to start on system boot:

freebsd# echo 'openntpd_enable="YES"' >> /etc/rc.conf

3. Create openntpd ntpd.conf configuration file

There is a default sample ntpd.conf configuration which can be straight use as a conf basis:

freebsd# cp -rpf /usr/local/share/examples/openntpd/ntpd.conf /usr/local/etc/ntpd.conf

Default ntpd.conf works just fine without any modifications, if however there is a requirement the openntpd server to listen and accept time synchronization requests from only certain hosts add to conf something like:

listen on 192.168.1.2
listen on 192.168.1.3
listen on 2607:f0d0:3001:0009:0000:0000:0000:0001
listen on 127.0.0.1

This configuration will enable only 192.168.1.2 and 192.168.1.3 IPv4 addresses as well as the IPv6 2607:f0d0:3001:0009:0000:0000:0000:0001 IP to communicate with openntpd.

4. Start OpenNTPD service

freebsd# /usr/local/etc/rc.d/openntpd

5. Verify if openntpd is up and running

freebsd# ps axuww|grep -i ntp
root 31695 0.0 0.1 3188 1060 ?? Ss 11:26PM 0:00.00 ntpd: [priv] (ntpd)
_ntp 31696 0.0 0.1 3188 1140 ?? S 11:26PM 0:00.00 ntpd: ntp engine (ntpd)
_ntp 31697 0.0 0.1 3188 1088 ?? S 11:26PM 0:00.00 ntpd: dns engine (ntpd)
root 31700 0.0 0.1 3336 1192 p2 S+ 11:26PM 0:00.00 grep -i ntp

Its also good idea to check if openntpd has succesfully established connection with its peer remote openntpd time servers. This is necessery to make sure pf / ipfw firewall rules are not preventing connection to remote 123 UDP port:

freebsd# sockstat -4 -p 123
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
_ntp ntpd 31696 4 udp4 83.228.93.76:54555 212.70.148.15:123
_ntp ntpd 31696 6 udp4 83.228.93.76:56666 195.69.120.36:123
_ntp ntpd 31696 8 udp4 83.228.93.76:49976 217.75.140.188:123

By default openntpd is also listening to IPv6 if IPv6 support is enabled in freebsd kernel.

6. Resolve openntpd firewall filtering issues

If there is a pf firewall blocking UDP requests to in/out port 123 within /etc/pf.conf rule like:

block in log on $EXT_NIC proto udp all

Before the blocking rule you will have to add pf rules:

# Ipv4 Open outgoing port TCP 123 (NTP)
pass out on $EXT_NIC proto tcp to any port ntp
# Ipv6 Open outgoing port TCP 123 (NTP)
pass out on $EXT_NIC inet6 proto tcp to any port ntp
# Ipv4 Open outgoing port UDP 123 (NTP)
pass out on $EXT_NIC proto udp to any port ntp
# Ipv6 Open outgoing port UDP 123 (NTP)
pass out on $EXT_NIC inet6 proto udp to any port ntp

where $EXT_NIC is defined to be equal to the external lan NIC interface, for example:
EXT_NIC="ml0"

Afterwards to load the new pf.conf rules firewall has to be flushed and reloaded:

freebsd# /sbin/pfctl -f /etc/pf.conf -d
...
freebsd# /sbin/pfctl -f /etc/pf.conf -e
...

In conclusion openntpd should be more secure than regular ntpd and in many cases is probably a better choice.
Anyhow bear in mind on FreeBSD openntpd is not part of the freebsd world and therefore security updates will not be issued directly by the freebsd dev team, but you will have to regularly update with the latest version provided from the bsd ports to make sure openntpd is 100% secure.

For anyone looking for more precise system clock synchronization and not so focused on security ntpd might be still a better choice. The OpenNTPD's official page states it is designed to reach reasonable time accuracy, but is not after the last microseconds.