From: Grégoire Leroy
To: freebsd-ipfw@freebsd.org
Cc: "Bjoern A. Zeeb", stable@freebsd.org, ipfw@freebsd.org, Ian Smith, Panagiotis Christias
Date: Sun, 12 Feb 2012 15:47:57 +0100
Subject: Re: Reducing the need to compile a custom kernel

> > >> The question is, is this enough? Or asked differently, why are you
> > >> compiling a custom kernel in a production environment (so I rule out
> > >> debug options which are not enabled in GENERIC)? Are there options
> > >> which you add which you can not add as a module (SW_WATCHDOG comes
> > >> to my mind)? If yes, which ones and how important are they for you?
> > >
> > > Hello,
> > >
> > > we are currently using on every server (in order to maintain a single
> > > custom kernel) the following options:
> > >
> > > IPFIREWALL IPFIREWALL_DEFAULT_TO_ACCEPT
> >
> > loadable, tunable there for this

Hi,

On my gateway I use these options with FreeBSD 8.2:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options IPFIREWALL_FORWARD
options DUMMYNET
options HZ=1000

Regards,
Grégoire Leroy