Date:      Sat, 8 Jun 2013 02:38:28 +0200
From:      Polytropon <>
To:        Norman Khine <>
Subject:   Re: custom kernel installation
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <>

On Sat, 8 Jun 2013 01:17:35 +0200, Norman Khine wrote:
> thanks for the quick reply

You're welcome.

> On Sat, Jun 8, 2013 at 12:54 AM, Polytropon <> wrote:
> > On Sat, 8 Jun 2013 00:37:02 +0200, Norman Khine wrote:
> > > hello,
> > > i have a dedicated server from OVH and have updated freebsd to 9.1 and want
> > > to enable IPFW in the kernel as this is not enabled.
> >
> > Why not use the module for this? For many years now, you
> > do not need a custom kernel if you want to use IPFW (which
> > _had_ to be compiled into the kernel in the past). Use
> >
> >         # kldload ipfw.ko
> >
> is it a good idea to run this like this, would i have to do some settings, as
> i don't want to be locked out of the system?

Depends on your requirements. The kernel module is just the
"firewall infrastructure", and the ipfw _binary_ will then
control it. So it's probably a good idea to check your firewall
settings (for example in /etc/ipfw.conf) to reflect _exactly_
what you intend (e. g., _not_ disabling SSH).

See "man ipfw" for details on the firewall configuration file.
The system brings several preconfigured profiles. You can find
them in /etc/defaults/rc.conf (the firewall_ settings group,
especially "open" according to /etc/rc.firewall's comment
header, or for example "/etc/ipfw.conf", a file created on
your own). Do not use "closed". :-)

Here's a short example, nothing magic:

	-f flush
	add allow	tcp	from any to any ftp	in recv	xl0
	add allow	tcp	from any to any ssh	in recv	xl0

This is _one_ solution if you wanted to allow SSH and FTP
via the xl0 interface. Depending on what IPFW defaults to
(ALLOW or DENY), a different structure might apply. The
configuration line

	add allow	ip	from any to any

will allow everything.

Dealing with kernel modules _might_ be a security issue if
you define it to be one. For example, if you raise the system
security level, you won't be able to load or unload kernel
modules. In such a situation, only the functionality present
in the kernel at boot time will be available. This of course
requires a custom kernel as explained.

Otherwise it's a good and comfortable idea to load IPFW as
a kernel module. It can then be configured in the same way
as a kernel-based firewall.

> yes i would like to see if i can compile a kernel on an OVH box for freebsd
> i have tried, but there is always something that fails :-( so i wanted to
> use the one by OVH and modify it for my use.

For checking, you should first check if you can compile the
GENERIC kernel that's provided by the OS sources:

	# cd /usr/src
	# make buildkernel KERNCONF=GENERIC

If this works, you could install it and perform a reboot:

	# make installkernel KERNCONF=GENERIC
	# reboot

Then if you have "derived" your own kernel configuration file,
do the same with KERNCONF= and its name.

> > > so i got the 9.1 sources and now in /usr/src/sys/amd64/conf i have a
> > > GENERIC file, but this is too generic, besides i don't have access to the
> > > physical box.
> >
> > This file is what the GENERIC kernel (distributed with the OS)
> > has been generated from. Use it as a template for your own
> > custom kernel.
> >
> well, there was no /usr/src when the system arrived from OVH. i downloaded
> this from the freebsd ftp site. so i will need to update it to suit my system
> and i was just looking for a shortcut.

If you have been using freebsd-update, it defaults to fetching
the OS sources (it's the "src" item in the "Components" list
of /etc/freebsd-update.conf). Your kernel and system sources
_might_ now be more current than the version you're running.
As I mentioned, it's necessary to have world and kernel in
sync. The use of freebsd-update should have properly taken
care of this (e. g., updated world, GENERIC kernel, and the
sources for the whole thing to the current version).

Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
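A worked version of the lock-out concern discussed in this thread, added here as an example; it is not part of the original message and not FreeBSD's, OVH's or the poster's code. It writes the kind of rule file the reply sketches (SSH allowed on the management interface, everything else denied), checks that the SSH allow rule comes before the catch-all deny, and lets `ipfw -n` parse the file without touching the running kernel. The interface name xl0 is carried over from the reply; the function names and the use of a temporary file are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original message or of FreeBSD/OVH.
# Builds an IPFW rule file that keeps SSH reachable on the management
# interface and checks it for the classic lock-out mistake (a catch-all
# deny placed before the SSH allow) before it is handed to ipfw(8).
# Assumed names: interface "xl0" (as in the reply), temp file via mktemp.

# write_rules FILE IFACE: write a small stateful ruleset. Order matters:
# ipfw evaluates rules by number, so the SSH allow must precede the final deny.
write_rules() {
    cat > "$1" <<EOF
-f flush
add allow ip from any to any via lo0
add check-state
add allow tcp from any to me ssh in recv $2 setup keep-state
add allow tcp from me to any out xmit $2 setup keep-state
add allow udp from me to any 53 out xmit $2 keep-state
add deny log ip from any to any
EOF
}

# write_lockout_rules FILE IFACE: the same idea written in the wrong order.
# Whatever the kernel default is, the explicit deny matches first and the
# SSH session that loaded the file is gone.
write_lockout_rules() {
    cat > "$1" <<EOF
-f flush
add deny ip from any to any
add allow tcp from any to me ssh in recv $2
EOF
}

# check_ssh_before_deny FILE: return 0 only if an "add allow ... ssh" (or
# port 22) rule appears before the first catch-all "add deny ... any to any".
# POSIX character classes are avoided so the awk pattern also works with old mawk.
check_ssh_before_deny() {
    awk '
        /^[ \t]*add[ \t]+allow/ && / (ssh|22)([ \t]|$)/ && !ssh  { ssh = NR }
        /^[ \t]*add[ \t]+deny/  && / from any to any/    && !deny { deny = NR }
        END {
            if (!ssh) exit 1                 # no SSH rule at all
            if (deny && deny < ssh) exit 1   # deny wins, session lost
            exit 0
        }' "$1"
}

# syntax_check FILE: "ipfw -n" parses the file without passing anything to
# the kernel (FreeBSD only); on other hosts the check is reported as skipped.
syntax_check() {
    if command -v ipfw >/dev/null 2>&1; then
        ipfw -n "$1"
    else
        echo "ipfw(8) not present here; syntax check skipped" >&2
    fi
}

main() {
    iface="${1:-xl0}"
    rules=$(mktemp) || return 1
    write_rules "$rules" "$iface"
    if check_ssh_before_deny "$rules" && syntax_check "$rules"; then
        echo "$rules: SSH allow precedes catch-all deny; load with: ipfw -q $rules"
    else
        echo "$rules: refusing to load, SSH would be cut off" >&2
    fi
    rm -f "$rules"
}

main "$@"
```

Run it as `sh ipfw-check.sh em0` with the real management interface; it only writes to a temporary file, and loading the ruleset into the kernel stays a separate, deliberate step. Whether the module treats unmatched packets as allowed or denied is controlled by the net.inet.ip.fw.default_to_accept loader tunable (it overrides the IPFIREWALL_DEFAULT_TO_ACCEPT/DENY kernel options), which is what the reply means by "depending on what IPFW defaults to"; with the default deny, the short gap between `-f flush` and the first `add` only stalls an SSH session, whereas a mis-ordered explicit deny as in write_lockout_rules ends it.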
