Subject: Re: Custom kernel for NAT and PF ?
From: Damien Fleuriot
To: Chris Hale
Cc: "Michael B. Eichorn", FreeBSD Questions, krad
Date: Thu, 12 May 2016 12:19:38 +0200

On 12 May 2016 at 09:13, krad wrote:
> Agreed
>
> On 12 May 2016 at 01:30, Michael B. Eichorn wrote:
>
> > On Wed, 2016-05-11 at 15:03 -0500, Chris Hale wrote:
> > > I'm having to rebuild an old freebsd/pf firewall that uses ALTQ and
> > > some NAT directives. Would I need a custom kernel for NAT if I took
> > > out all of the ALTQ references?
> > >
> >
> > The generic kernel is all you need for NAT with pf.
>

While GENERIC works, one can definitely argue in favour of a custom kernel; what does one even need audio for on a server anyways ;)

At the very least, you get shorter compilation times for your upgrade sessions, so that's that...

Chris, if you can be bothered, do go for a custom, lightweight kernel.
Typical use scenarios have you remove support for audio, wifi, bluetooth, usb printers, isa cards...

Find below the configuration file I use on our 10.x production firewalls.
I would not claim it is perfect, but it does the job for us.

Do pay attention to the enabled NICs and storage device controllers, which are tailored to our hardware!
Do also note we have commented out some options, for example UFS_ACL, since we do not use the extended features.

== BEGIN ==
cpu             HAMMER
ident           DAM

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols
makeoptions     WITH_CTF=1              # Run ctfconvert(1) for DTrace support

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         TCP_OFFLOAD             # TCP offload
options         SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
#options        UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         QUOTA                   # Enable disk quotas for UFS
options         MD_ROOT                 # MD is a potential root device
options         NFSCL                   # New Network Filesystem Client
options         NFSD                    # New Network Filesystem Server
options         NFSLOCKD                # Network Lock Manager
#options        NFS_ROOT                # NFS usable as /, requires NFSCL
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_RAID               # Soft RAID functionality.
options         GEOM_LABEL              # Provides labelization
options         COMPAT_FREEBSD32        # Compatible with i386 binaries
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         COMPAT_FREEBSD6         # Compatible with FreeBSD6
options         COMPAT_FREEBSD7         # Compatible with FreeBSD7
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         HWPMC_HOOKS             # Necessary kernel hooks for hwpmc(4)
options         AUDIT                   # Security event auditing
options         CAPABILITY_MODE         # Capsicum capability mode
options         CAPABILITIES            # Capsicum capabilities
options         PROCDESC                # Support for process descriptors
options         MAC                     # TrustedBSD MAC Framework
options         KDTRACE_FRAME           # Ensure frames are compiled in
options         KDTRACE_HOOKS           # Kernel DTrace hooks
options         DDB_CTF                 # Kernel ELF linker loads CTF data
options         INCLUDE_CONFIG_FILE     # Include this file in kernel
options         RACCT                   # Resource accounting framework
options         RACCT_DEFAULT_TO_DISABLED # Set kern.racct.enable=0 by default
options         RCTL                    # Resource limits

# Debugging support.  Always need this:
options         KDB                     # Enable kernel debugger support.
options         KDB_TRACE               # Print a stack trace for a panic.

# Make an SMP-capable kernel by default
options         SMP                     # Symmetric MultiProcessor Kernel

# CPU frequency control
device          cpufreq

# Bus support.
device          acpi
options         ACPI_DMAR
device          pci

# ATA controllers
device          ahci                    # AHCI-compatible SATA controllers
device          ata                     # Legacy ATA/SATA controllers
options         ATA_STATIC_ID           # Static device numbering

# SCSI Controllers
device          mpt                     # LSI-Logic MPT-Fusion
device          mps                     # LSI-Logic MPT-Fusion 2
device          mpr                     # LSI-Logic MPT-Fusion 3

# ATA/SCSI peripherals
device          scbus                   # SCSI bus (required for ATA/SCSI)
device          da                      # Direct Access (disks)
device          pass                    # Passthrough device (direct ATA/SCSI access)

# RAID controllers
device          mfi                     # LSI MegaRAID SAS

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
device          kbdmux                  # keyboard multiplexer
device          vga                     # VGA video card driver
device          splash                  # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc
options         SC_PIXEL_MODE           # add support for the raster text mode

# vt is the new video console driver
device          vt
device          vt_vga
device          vt_efifb

device          agp                     # support several AGP chipsets

# Serial (COM) ports
device          uart                    # Generic UART driver

# PCI Ethernet NICs.
device          em                      # Intel PRO/1000 Gigabit Ethernet Family
device          igb                     # Intel PRO/1000 PCIE Server Gigabit Family
device          ix                      # Intel PRO/10GbE PCIE PF Ethernet
device          ixv                     # Intel PRO/10GbE PCIE VF Ethernet

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          bce                     # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device          bfe                     # Broadcom BCM440x 10/100 Ethernet
device          bge                     # Broadcom BCM570xx Gigabit Ethernet
device          re                      # RealTek 8139C+/8169/8169S/8110S
device          rl                      # RealTek 8129/8139

# Pseudo devices.
device          loop                    # Network loopback
device          random                  # Entropy device
device          padlock_rng             # VIA Padlock RNG
device          rdrand_rng              # Intel Bull Mountain RNG
device          ether                   # Ethernet support
device          vlan                    # 802.1Q VLAN support
device          tun                     # Packet tunnel.
device          md                      # Memory "disks"
device          gif                     # IPv6 and IPv4 tunneling
device          faith                   # IPv6-to-IPv4 relaying (translation)
device          firmware                # firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf                     # Berkeley packet filter

# USB support
options         USB_DEBUG               # enable debug msgs
device          uhci                    # UHCI PCI->USB interface
device          ohci                    # OHCI PCI->USB interface
device          ehci                    # EHCI PCI->USB interface (USB 2.0)
device          xhci                    # XHCI PCI->USB interface (USB 3.0)
device          usb                     # USB Bus (required)
device          ukbd                    # Keyboard

# VirtIO support
device          virtio                  # Generic VirtIO bus (required)
device          virtio_pci              # VirtIO PCI device
device          vtnet                   # VirtIO Ethernet device
device          virtio_blk              # VirtIO Block device
device          virtio_scsi             # VirtIO SCSI device
device          virtio_balloon          # VirtIO Memory Balloon device

# Custom options from hi-media
device          carp                    # Common Address Redundancy Protocol / virtual IPs
device          lagg                    # Link Aggregation / 802.3ad
device          vlan                    # VLAN tagging / 802.1Q
device          pf                      # Packet Filter
device          pflog                   # PF logging
device          pfsync                  # PF state sync

# QoS / queueing / shaping options
options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_PRIQ
options         ALTQ_NOPCC

# ISCSI initiator
device          iscsi_initiator
#options        ISCSI_INITIATOR_DEBUG=9

options         DEVICE_POLLING
== END ==
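Editor's added example, not part of Damien's post or of the FreeBSD tree: before committing a trimmed kernel config like the one above to a production firewall, it is worth linting it the way the thread's question implies (is pf compiled in, is any ALTQ option still enabled, did the trimming drop a security option). The script below parses the config(5) directives used in the file (`options FOO`, `options FOO=bar`, `device foo`, and the `#options FOO` convention for disabled entries), reports duplicated directives (the file above lists `device vlan` twice), and flags which pf devices, ALTQ options and security options are present. The sample config embedded in the block is a constructed, shortened excerpt in the same format, the `ident EXAMPLE` name is hypothetical, and the list of "security options" to look for is this example's own choice.

```python
"""Lint a FreeBSD config(5)-style kernel configuration file.

Added example (not from the mailing-list post). Parses 'options NAME',
'options NAME=value', 'device name' and their '#'-disabled forms, then
reports duplicates, pf/ALTQ status and missing security-related options.
"""
import re
from collections import Counter

# Constructed sample in the same format as the posted config (not the full
# file). The second 'device vlan' line is deliberate so the duplicate check fires.
SAMPLE_CONFIG = """\
cpu      HAMMER
ident    EXAMPLE                 # hypothetical kernel name
options  SCHED_ULE               # ULE scheduler
options  INET                    # InterNETworking
#options UFS_ACL                 # Support for access control lists
options  AUDIT                   # Security event auditing
options  CAPABILITY_MODE         # Capsicum capability mode
options  CAPABILITIES            # Capsicum capabilities
device   vlan                    # 802.1Q VLAN support
device   bpf                     # Berkeley packet filter
device   vlan                    # VLAN tagging / 802.1Q (duplicate)
device   pf                      # Packet Filter
device   pflog                   # PF logging
options  ALTQ
options  ALTQ_CBQ
#options ISCSI_INITIATOR_DEBUG=9
"""

# Keywords we care about; anything else (e.g. 'hints', 'files') is ignored.
LINE_RE = re.compile(r'^(?P<kw>options|device|cpu|ident|makeoptions)\s+(?P<val>\S+)')

# Devices the pf NAT ruleset from the thread depends on, and the options this
# example treats as security-relevant (an editorial choice, not a FreeBSD list).
PF_DEVICES = ('pf', 'pflog')
SECURITY_OPTIONS = ('AUDIT', 'CAPABILITY_MODE', 'CAPABILITIES', 'MAC')


def parse_config(text):
    """Return (enabled, disabled): dicts mapping keyword -> list of names.

    A line whose '#' sits directly before a keyword ('#options UFS_ACL') is
    recorded as disabled; free-form comments are skipped. 'NAME=value' is
    keyed by NAME so 'SCSI_DELAY=5000' and 'SCSI_DELAY' compare equal.
    """
    enabled, disabled = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith('#')
        m = LINE_RE.match(line.lstrip('#').strip())
        if not m:
            continue  # ordinary comment or a directive we do not model
        name = m.group('val').split('=', 1)[0]
        target = disabled if commented else enabled
        target.setdefault(m.group('kw'), []).append(name)
    return enabled, disabled


def duplicates(enabled):
    """Names listed more than once under the same keyword, per keyword."""
    result = {}
    for kw, names in enabled.items():
        dups = sorted(n for n, c in Counter(names).items() if c > 1)
        if dups:
            result[kw] = dups
    return result


def report(text):
    """Summarise the findings a firewall admin would want before 'make buildkernel'."""
    enabled, disabled = parse_config(text)
    opts = set(enabled.get('options', []))
    devs = set(enabled.get('device', []))
    return {
        'duplicates': duplicates(enabled),
        # pf not compiled in is not fatal: GENERIC loads it as the pf module,
        # but a static build is what the posted config chose.
        'pf_missing': [d for d in PF_DEVICES if d not in devs],
        'altq_enabled': sorted(o for o in opts if o.startswith('ALTQ')),
        'security_missing': [o for o in SECURITY_OPTIONS if o not in opts],
        'commented_out': sorted(disabled.get('options', [])),
    }


if __name__ == '__main__':
    import json
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(json.dumps(report(text), indent=2))
```

Run it as `python3 kconf_lint.py /usr/src/sys/amd64/conf/DAM` to lint a real file, or without arguments to see the findings on the constructed sample. On the sample it reports the duplicated `device vlan`, both pf devices present, `ALTQ` and `ALTQ_CBQ` still enabled, `MAC` absent from the enabled options, and `UFS_ACL` plus `ISCSI_INITIATOR_DEBUG` as commented out. Note that `pf_missing` is informational for a GENERIC-style config: GENERIC does not compile pf in statically and relies on the loadable module, which is the point made earlier in the thread.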