Date:      Sat, 8 Jun 2013 02:38:28 +0200
From:      Polytropon <freebsd@edvax.de>
To:        Norman Khine <norman@khine.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: custom kernel installation
Message-ID:  <20130608023828.1e1a059b.freebsd@edvax.de>
In-Reply-To: <CAKgQ7ULQkDG70nT8Ak=X1Rgbii_Tw+NsgndvSrT+J=zPcXAOTg@mail.gmail.com>
References:  <CAKgQ7UJL3yYdKPeb+c+=Cz9iBfPi5esH5imKgiYECrK6+g5=Yg@mail.gmail.com> <20130608005444.6741d6cd.freebsd@edvax.de> <CAKgQ7ULQkDG70nT8Ak=X1Rgbii_Tw+NsgndvSrT+J=zPcXAOTg@mail.gmail.com>

On Sat, 8 Jun 2013 01:17:35 +0200, Norman Khine wrote:
> thanks for the quick reply

You're welcome.



> On Sat, Jun 8, 2013 at 12:54 AM, Polytropon <freebsd@edvax.de> wrote:
> 
> > On Sat, 8 Jun 2013 00:37:02 +0200, Norman Khine wrote:
> > > hello,
> > > i have a dedicated server from OVH and have updated freebsd to 9.1 and
> > want
> > > to enable IPFW in the kernel as this is not enabled.
> >
> > Why not use the module for this? For many years now, you
> > do not need a custom kernel if you want to use IPFW (which
> > _had_ to be compiled into the kernel in the past). Use
> >
> >         # kldload ipfw.ko
> >
> 
> is it good idea to run this like this, would i have to do some settings, as
> i don't want to be locked out of the system?

Depends on your requirements. The kernel module is just the
"firewall infrastructure", and the ipfw _binary_ will then
control it. So it's probably a good idea to check your firewall
settings (for example in /etc/ipfw.conf) to reflect _exactly_
what you intend (e. g., _not_ disabling SSH).

See "man ipfw" for details on the firewall configuration file.
The system brings several preconfigured profiles. You can find
them in /etc/defaults/rc.conf (the firewall_ settings group,
especially "open" according to /etc/rc.firewall's comment
header, or for example "/etc/ipfw.conf", a file created on
your own). Do not use "closed". :-)

Here's a short example, nothing magic:

	-f flush
	add allow	tcp	from any to any ftp	in recv	xl0
	add allow	tcp	from any to any ssh	in recv	xl0

This is _one_ solution if you wanted to allow SSH and FTP
via the xl0 interface. Depending on what IPFW defaults to
(ALLOW or DENY), a different structure might apply. The
configuration line

	add allow	ip	from any to any

will allow everything.

Dealing with kernel modules _might_ be a security issue if
you define it to be one. For example, if you raise the system
security level, you won't be able to load or unload kernel
modules. In such a situation, only the functionality present
in the kernel at boot time will be available. This of course
requires a custom kernel as explained.

Otherwise it's a good and comfortable idea to load IPFW as
a kernel module. It can then be configured in the same way
as a kernel-based firewall.



> yes i would like to see if i can compile a kernel on an OVH box for freebsd
> i have tried, but there is always something that fails :-( so i wanted to
> use the one by OVH and modify it for my use.

For checking, you should first check if you can compile the
GENERIC kernel that's provided by the OS sources:

	# cd /usr/src
	# make buildkernel KERNCONF=GENERIC

If this works, you could install it and perform a reboot:

	# make installkernel KERNCONF=GENERIC
	# reboot

Then if you have "derived" your own kernel configuration file,
do the same with KERNCONF= and its name.



> > > so i got the 9.1 sources and now in /usr/src/sys/amd64/conf i have a
> > > GENERIC file, but this is too generic, besides i don't have access to the
> > > physical box.
> >
> > This file is what the GENERIC kernel (distributed with the OS)
> > has been generated from. Use it as a template for your own
> > custom kernel.
> >
> 
> well, there was no /usr/src when the system arrived from OVH i downloaded
> this from freebsd ftp site. so i will need to update it to suit my system
> and i was just looking for a shortcut.

If you have been using freebsd-update, it defaults to fetching
the OS sources (it's the "src" item in the "Components" list
of /etc/freebsd-update.conf). Your kernel and system sources
_might_ now be more current than the version you're running.
As I mentioned, it's necessary to have world and kernel in
sync. The use of freebsd-update should have properly taken
care of this (e. g., updated world, GENERIC kernel, and the
sources for the whole thing to the current version).





-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
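An added example, not code from this thread or from the FreeBSD project: a small POSIX sh check to run before loading a rules file with "ipfw -q /etc/ipfw.conf", which refuses a file whose first deny/drop rule precedes an explicit SSH allow, the lockout case the reply warns about. The function name check_rules, the sample rule sets and the temp-file handling are assumptions and constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Refuse an ipfw rules file that would
# cut off SSH on a remotely administered box: ipfw uses the first matching
# rule, so an SSH allow must precede any deny/drop. Assumes one rule per line
# in the "add [num] <action> <proto> from ... to ... [port] ..." form above.

# check_rules FILE -> exit 0 if SSH is allowed before the first deny/drop,
# else exit 1 and print the reason (heuristic: looks for "ssh"/"22" tokens
# in allow rules, or an "allow ip from any to any" catch-all).
check_rules() {
    awk '
        /^[[:space:]]*(#|$)/ || /^[[:space:]]*-f[[:space:]]+flush/ { next }
        { a = ($2 ~ /^[0-9]+$/) ? 3 : 2 }   # action field (optional rule number)
        $1 == "add" && $a == "allow" {
            if (($(a+1) == "ip" || $(a+1) == "all") && $(a+3) == "any" && $(a+5) == "any")
                ssh_ok = 1
            for (i = a + 1; i <= NF; i++)
                if ($i == "ssh" || $i == "22") ssh_ok = 1
        }
        $1 == "add" && ($a == "deny" || $a == "drop") && !ssh_ok {
            printf "line %d: \"%s\" comes before any SSH allow rule\n", NR, $0
            bad = 1; exit
        }
        END {
            if (bad) exit 1
            if (!ssh_ok) { print "no rule allowing SSH found"; exit 1 }
        }
    ' "$1"
}

# Constructed sample: SSH allowed first, then a catch-all deny (safe order).
GOOD_RULES="$(mktemp)"
cat > "$GOOD_RULES" <<'EOF'
-f flush
add allow tcp from any to any ssh in recv xl0
add allow tcp from any to any ftp in recv xl0
add deny ip from any to any
EOF

# Constructed sample: the catch-all deny sits before the SSH rule (lockout).
BAD_RULES="$(mktemp)"
cat > "$BAD_RULES" <<'EOF'
-f flush
add 100 deny ip from any to any
add 200 allow tcp from any to any ssh in recv xl0
EOF

check_rules "$GOOD_RULES" && echo "good rules: safe to load"
check_rules "$BAD_RULES" || echo "bad rules: refused"
```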


