Date: Sat, 8 Jun 2013 02:38:28 +0200
From: Polytropon <freebsd@edvax.de>
To: Norman Khine <norman@khine.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: custom kernel installation
Message-ID: <20130608023828.1e1a059b.freebsd@edvax.de>
In-Reply-To: <CAKgQ7ULQkDG70nT8Ak=X1Rgbii_Tw+NsgndvSrT+J=zPcXAOTg@mail.gmail.com>
References: <CAKgQ7UJL3yYdKPeb+c+=Cz9iBfPi5esH5imKgiYECrK6+g5=Yg@mail.gmail.com> <20130608005444.6741d6cd.freebsd@edvax.de> <CAKgQ7ULQkDG70nT8Ak=X1Rgbii_Tw+NsgndvSrT+J=zPcXAOTg@mail.gmail.com>
On Sat, 8 Jun 2013 01:17:35 +0200, Norman Khine wrote:
> thanks for the quick reply

You're welcome.

> On Sat, Jun 8, 2013 at 12:54 AM, Polytropon <freebsd@edvax.de> wrote:
> >
> > On Sat, 8 Jun 2013 00:37:02 +0200, Norman Khine wrote:
> > > hello,
> > > i have a dedicated server from OVH and have updated freebsd to 9.1 and want
> > > to enable IPFW in the kernel as this is not enabled.
> >
> > Why not use the module for this? For many years now, you
> > do not need a custom kernel if you want to use IPFW (which
> > _had_ to be compiled into the kernel in the past). Use
> >
> > # kldload ipfw.ko
> >
>
> is it good idea to run this like this, would i have to do some settings, as
> i don't want to be locked out of the system?

Depends on your requirements. The kernel module is just the
"firewall infrastructure", and the ipfw _binary_ will then
control it. So it's probably a good idea to check your firewall
settings (for example in /etc/ipfw.conf) to reflect _exactly_
what you intend (e. g., _not_ disabling SSH). See "man ipfw"
for details on the firewall configuration file.

The system brings several preconfigured profiles. You can find
them in /etc/defaults/rc.conf (the firewall_ settings group,
especially "open" according to /etc/rc.firewall's comment
header, or for example "/etc/ipfw.conf", a file created on
your own). Do not use "closed". :-)

Here's a short example, nothing magic:

    -f flush
    add allow tcp from any to any ftp in recv xl0
    add allow tcp from any to any ssh in recv xl0

This is _one_ solution if you wanted to allow SSH and FTP via
the xl0 interface. Depending on what IPFW defaults to (ALLOW
or DENY), a different structure might apply. The configuration line

    add allow ip from any to any

will allow everything.

Dealing with kernel modules _might_ be a security issue if you
define it to be one. For example, if you raise the system
security level, you won't be able to load or unload kernel
modules. In such a situation, only the functionality present
in the kernel at boot time will be available. This of course
requires a custom kernel as explained. Otherwise it's a good
and comfortable idea to load IPFW as a kernel module. It can
then be configured in the same way as a kernel-based firewall.

> yes i would like to see if i can compile a kernel on an OVH box for freebsd
> i have tried, but there is always something that fails :-( so i wanted the
> use the one by OVH and modify it for my use.

For checking, you should first check if you can compile the
GENERIC kernel that's provided by the OS sources:

    # cd /usr/src
    # make buildkernel KERNCONF=GENERIC

If this works, you could install it and perform a reboot:

    # make installkernel KERNCONF=GENERIC
    # reboot

Then if you have "derived" your own kernel configuration file,
do the same with KERNCONF= and its name.

> > > so i got the 9.1 sources and now in /usr/src/sys/amd64/conf i have a
> > > GENERIC file, but this is too generic, besides i don't have access to the
> > > physical box.
> >
> > This file is what the GENERIC kernel (distributed with the OS)
> > has been generated from. Use it as a template for your own
> > custom kernel.
> >
>
> well, there was no /usr/src when the system arrived from OVH i downloaded
> this from freebsd ftp site. so i will need to update it to suit my system
> and i was just looking for a shortcut.

If you have been using freebsd-update, it defaults to fetching
the OS sources (it's the "src" item in the "Components" list
of /etc/freebsd-update.conf). Your kernel and system sources
_might_ now be more current than the version you're running.
As I mentioned, it's necessary to have world and kernel in
sync. The use of freebsd-update should have properly taken
care of this (e. g., updated world, GENERIC kernel, and the
sources for the whole thing to the current version).

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
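The lockout concern raised in the thread (a remote box whose ruleset ends up denying SSH before allowing it) can be checked on the rules file before anything is loaded into the kernel. The following POSIX shell helper is an added example and is not part of the message above or of FreeBSD itself; it only understands the "add allow|deny <proto> from any to any [port] [options]" line shape used in the mail, the sample rules file it builds is constructed for the demonstration, and the function and file names are the author's own. ipfw evaluates rules in order, so it looks for an allow on port ssh/22 (or an allow-all) that appears before any catch-all deny; "ipfw -n" still has to be used for a real syntax check, and ipfw(8) for the semantics.

```shell
#!/bin/sh
# Added example, not from the thread: a text-only sanity check of an ipfw
# rules file, run before "kldload ipfw.ko" / enabling the firewall, so that
# a catch-all deny placed before the SSH allow rule does not lock you out.

# Write a constructed rules file (sample input, not from the mail) and print
# its path. The trailing deny-all covers the case of a kernel that defaults
# to ACCEPT; with a default of DENY it is redundant but harmless.
make_sample_rules() {
    f=$(mktemp /tmp/ipfw.rules.XXXXXX) || return 1
    cat > "$f" <<'EOF'
-f flush
add allow tcp from any to any ftp in recv xl0
add allow tcp from any to any ssh in recv xl0
add deny ip from any to any
EOF
    printf '%s\n' "$f"
}

# Exit 0 if SSH (port "ssh" or 22) or all traffic is allowed before any
# catch-all deny ("deny ip from any to any", or "deny tcp from any to any"
# with no port), exit 1 otherwise. First matching rule wins in ipfw, so the
# order of the lines is exactly what decides whether you stay logged in.
ssh_allowed_before_deny() {
    awk '
        # A rule with no port (only option keywords after "to any") matches
        # the whole protocol, so it matches SSH as well.
        function catchall(p) {
            return (p == "ip" || (p == "tcp" && (NF == 7 || $8 ~ /^(in|out|via|recv|xmit)$/)))
        }
        $1 == "add" && $2 == "allow" && $4 == "from" && $5 == "any" && $6 == "to" && $7 == "any" {
            if (catchall($3) || ($3 == "tcp" && ($8 == "ssh" || $8 == "22"))) allow_seen = 1
        }
        $1 == "add" && $2 == "deny" && $4 == "from" && $5 == "any" && $6 == "to" && $7 == "any" {
            if (!allow_seen && catchall($3)) locked_out = 1
        }
        END { if (allow_seen && !locked_out) exit 0; exit 1 }
    ' "$1"
}

# Stand-alone run: check the constructed file and report the verdict.
rules=$(make_sample_rules)
if ssh_allowed_before_deny "$rules"; then
    echo "OK: SSH is allowed before any catch-all deny in $rules"
else
    echo "WARNING: $rules would block SSH; fix the rule order before loading it" >&2
fi
rm -f "$rules"
```

The check is deliberately narrow: it knows nothing about "me", address ranges, or the firewall_type profiles from /etc/defaults/rc.conf, so a ruleset that passes it can still lock you out through a rule it does not parse. Its value is catching the one ordering mistake that is easiest to make when editing a file by hand on a box you cannot reach via console.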