From owner-freebsd-questions@FreeBSD.ORG Sat Jun 8 17:37:02 2013
From: Norman Khine
To: Polytropon
Cc: freebsd-questions@freebsd.org
Date: Sat, 8 Jun 2013 19:37:01 +0200
Subject: Re: custom kernel installation
In-Reply-To: <20130608023828.1e1a059b.freebsd@edvax.de>
References: <20130608005444.6741d6cd.freebsd@edvax.de> <20130608023828.1e1a059b.freebsd@edvax.de>
List-Id: User questions

Great, I managed to compile and install the custom kernel with IPFW kernel
support as discussed, thanks for your help!

I would like to optimise the kernel to be more specific to my hardware. Here
is a breakdown of what I have:

https://gist.github.com/nkhine/fcbcbe36221dc39491f9

Here is what is left in my kernel; is there anything else I should take out?

https://gist.github.com/nkhine/fcbcbe36221dc39491f9/revisions

Any advice much appreciated.

On Sat, Jun 8, 2013 at 2:38 AM, Polytropon wrote:
> On Sat, 8 Jun 2013 01:17:35 +0200, Norman Khine wrote:
> > Thanks for the quick reply.
>
> You're welcome.
>
> > On Sat, Jun 8, 2013 at 12:54 AM, Polytropon wrote:
> > > On Sat, 8 Jun 2013 00:37:02 +0200, Norman Khine wrote:
> > > > Hello,
> > > > I have a dedicated server from OVH and have updated FreeBSD to 9.1 and
> > > > want to enable IPFW in the kernel as this is not enabled.
> > >
> > > Why not use the module for this? For many years now, you
> > > do not need a custom kernel if you want to use IPFW (which
> > > _had_ to be compiled into the kernel in the past). Use
> > >
> > > # kldload ipfw.ko
> >
> > Is it a good idea to run this like this? Would I have to do some settings,
> > as I don't want to be locked out of the system?
>
> Depends on your requirements. The kernel module is just the
> "firewall infrastructure", and the ipfw _binary_ will then
> control it. So it's probably a good idea to check your firewall
> settings (for example in /etc/ipfw.conf) to reflect _exactly_
> what you intend (e. g., _not_ disabling SSH).
>
> See "man ipfw" for details on the firewall configuration file.
> The system brings several preconfigured profiles. You can find
> them in /etc/defaults/rc.conf (the firewall_ settings group,
> especially "open" according to /etc/rc.firewall's comment
> header, or for example "/etc/ipfw.conf", a file created on
> your own). Do not use "closed". :-)
>
> Here's a short example, nothing magic:
>
> -f flush
> add allow tcp from any to any ftp in recv xl0
> add allow tcp from any to any ssh in recv xl0
>
> This is _one_ solution if you wanted to allow SSH and FTP
> via the xl0 interface. Depending on what IPFW defaults to
> (ALLOW or DENY), a different structure might apply. The
> configuration line
>
> add allow ip from any to any
>
> will allow everything.
>
> Dealing with kernel modules _might_ be a security issue if
> you define it to be one. For example, if you raise the system
> security level, you won't be able to load or unload kernel
> modules. In such a situation, only the functionality present
> in the kernel at boot time will be available. This of course
> requires a custom kernel as explained.
>
> Otherwise it's a good and comfortable idea to load IPFW as
> a kernel module. It can then be configured in the same way
> as a kernel-based firewall.
>
> > Yes, I would like to see if I can compile a kernel on an OVH box for
> > FreeBSD. I have tried, but there is always something that fails :-( so
> > I wanted to use the one by OVH and modify it for my use.
>
> For checking, you should first check if you can compile the
> GENERIC kernel that's provided by the OS sources:
>
> # cd /usr/src
> # make buildkernel KERNCONF=GENERIC
>
> If this works, you could install it and perform a reboot:
>
> # make installkernel KERNCONF=GENERIC
> # reboot
>
> Then if you have "derived" your own kernel configuration file,
> do the same with KERNCONF= and its name.
>
> > > > So I got the 9.1 sources and now in /usr/src/sys/amd64/conf I have a
> > > > GENERIC file, but this is too generic; besides, I don't have access to
> > > > the physical box.
> > >
> > > This file is what the GENERIC kernel (distributed with the OS)
> > > has been generated from. Use it as a template for your own
> > > custom kernel.
> >
> > Well, there was no /usr/src when the system arrived from OVH. I downloaded
> > this from the FreeBSD ftp site, so I will need to update it to suit my
> > system, and I was just looking for a shortcut.
>
> If you have been using freebsd-update, it defaults to fetching
> the OS sources (it's the "src" item in the "Components" list
> of /etc/freebsd-update.conf). Your kernel and system sources
> _might_ now be more current than the version you're running.
> As I mentioned, it's necessary to have world and kernel in
> sync. The use of freebsd-update should have properly taken
> care of this (e. g., updated world, GENERIC kernel, and the
> sources for the whole thing to the current version).
>
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...

--
%>>> "".join( [ {'*':'@','^':'.'}.get(c,None) or chr(97+(ord(c)-83)%26) for c in ",adym,*)&uzq^zqf" ] )
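The thread's central worry is the one Polytropon flags: loading IPFW (module or built in) on a box you only reach over SSH, where the default policy decides whether you are locked out. The script below is an added example written for this editorial pass; it is not code from the mailing list, from FreeBSD's rc.firewall, or from OVH. It assumes a management interface named "em0", a ruleset file at /etc/ipfw.conf, and the rule numbers shown; none of these are in the original mails. The text helpers run on any POSIX sh; apply_ruleset needs FreeBSD's ipfw, kldstat, kldload and sysctl.

```shell
#!/bin/sh
# Added example (not from the thread, rc.firewall or OVH): turn on IPFW on a
# remote box without locking yourself out of SSH.
# Assumptions (mine): management NIC "em0", ruleset file /etc/ipfw.conf,
# selected from /etc/rc.conf with firewall_enable="YES" and
# firewall_type="/etc/ipfw.conf". The ipfw.ko module defaults to DENY unless
# net.inet.ip.fw.default_to_accept=1 is set in /boot/loader.conf, so the
# ruleset below admits SSH explicitly and ends with its own deny.

# Emit a ruleset that admits SSH before an explicit final deny, so the
# outcome does not depend on whether the kernel defaults to accept or deny.
make_ruleset() {
  iface="$1"
  cat <<EOF
-f flush
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to any established
add 300 allow tcp from any to me 22 in recv $iface setup
add 400 allow udp from me to any 53 out xmit $iface
add 410 allow udp from any 53 to me in recv $iface
add 500 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}

# Lint a ruleset on stdin: succeed only if an allow rule for tcp port 22
# (or the service name "ssh") appears before the first deny rule.
ssh_allowed_before_deny() {
  awk '
    /^add/ && /allow/ && /tcp/ && !deny_seen &&
      ($0 ~ /(^| )22( |$)/ || $0 ~ /(^| )ssh( |$)/) { ok = 1 }
    /^add/ && /deny/ { deny_seen = 1 }
    END { exit(ok ? 0 : 1) }
  '
}

# If you build IPFW into the kernel instead ("options IPFIREWALL"), check
# the config before buildkernel: without IPFIREWALL_DEFAULT_TO_ACCEPT the
# kernel's rule 65535 denies everything, including your SSH session, until
# a ruleset that allows it has been loaded at boot.
check_kernconf() {
  conf="$1"
  grep -Eq '^options[[:space:]]+IPFIREWALL([[:space:]]|$)' "$conf" || {
    echo "$conf: no 'options IPFIREWALL'" >&2; return 1; }
  grep -Eq '^options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT' "$conf" ||
    echo "$conf: default-to-deny kernel; the boot-time ruleset must allow SSH" >&2
  return 0
}

# FreeBSD only. Loads the module if needed, refuses a ruleset the lint
# rejects, and arms a dead-man switch: if the new rules kill your session,
# the background job opens the firewall again after 120 s. Once the session
# has survived, kill the saved PID and delete the pid file.
apply_ruleset() {
  file="$1"
  ssh_allowed_before_deny < "$file" || {
    echo "refusing $file: no SSH allow rule before the first deny" >&2; return 1; }
  kldstat -q -m ipfw || kldload ipfw || return 1
  # At securelevel >= 1 kldload/kldunload are refused (Polytropon's point):
  # IPFW then has to be in the kernel or loaded from /boot/loader.conf.
  [ "$(sysctl -n kern.securelevel)" -ge 1 ] &&
    echo "note: securelevel is raised, module set is frozen until reboot" >&2
  echo "default_to_accept: $(sysctl -n net.inet.ip.fw.default_to_accept)"
  ( sleep 120 && ipfw -q -f flush && ipfw -q add 100 allow ip from any to any ) &
  echo $! > /var/run/ipfw-fallback.pid
  ipfw -q "$file"
}

# Stand-alone run: write and lint the ruleset; apply it only on FreeBSD as root.
rules="${TMPDIR:-/tmp}/ipfw.conf.new"
make_ruleset em0 > "$rules"
ssh_allowed_before_deny < "$rules" && echo "$rules admits SSH before the deny"
if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  apply_ruleset "$rules"
fi
```

Two usage notes. First, the lint is deliberately naive (it does not evaluate rule order against addresses or the "established" rule), so it is a guard against the obvious mistake, not a proof that the ruleset is right; read it with "man ipfw" open as Polytropon suggests. Second, for the custom-kernel route on a box with no console, install the new kernel under a second name and boot it once rather than replacing /boot/kernel outright: `make installkernel KERNCONF=MYKERNEL INSTKERNNAME=kernel.test` followed by `nextboot -k kernel.test` and a reboot. If kernel.test fails to come up, the next reset (a remote power cycle from the hosting panel) falls back to the previous /boot/kernel, which is the same protection the dead-man switch gives the firewall rules.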