From: Polytropon <freebsd@edvax.de>
To: Norman Khine
Cc: freebsd-questions@freebsd.org
Subject: Re: custom kernel installation
Date: Sat, 8 Jun 2013 02:38:28 +0200
Message-Id: <20130608023828.1e1a059b.freebsd@edvax.de>
References: <20130608005444.6741d6cd.freebsd@edvax.de>
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)

On Sat, 8 Jun 2013 01:17:35 +0200, Norman Khine wrote:
> thanks for the quick reply

You're welcome.

> On Sat, Jun 8, 2013 at 12:54 AM, Polytropon wrote:
> > On Sat, 8 Jun 2013 00:37:02 +0200, Norman Khine wrote:
> > > hello,
> > > i have a dedicated server from OVH and have updated freebsd to 9.1 and want
> > > to enable IPFW in the kernel as this is not enabled.
> >
> > Why not use the module for this?
> > For many years now, you do not need a custom kernel if you want
> > to use IPFW (which _had_ to be compiled into the kernel in the
> > past). Use
> >
> > # kldload ipfw.ko
>
> is it a good idea to run this like this, would i have to do some settings, as
> i don't want to be locked out of the system?

Depends on your requirements. The kernel module is just the
"firewall infrastructure", and the ipfw _binary_ will then control
it. So it's probably a good idea to check your firewall settings
(for example in /etc/ipfw.conf) to reflect _exactly_ what you
intend (e. g., _not_ disabling SSH). See "man ipfw" for details
on the firewall configuration file.

The system brings several preconfigured profiles. You can find
them in /etc/defaults/rc.conf (the firewall_ settings group,
especially "open" according to /etc/rc.firewall's comment header,
or for example "/etc/ipfw.conf", a file created on your own).
Do not use "closed". :-)

Here's a short example, nothing magic:

	-f flush
	add allow tcp from any to any ftp in recv xl0
	add allow tcp from any to any ssh in recv xl0

This is _one_ solution if you wanted to allow SSH and FTP via
the xl0 interface. Depending on what IPFW defaults to (ALLOW or
DENY), a different structure might apply. The configuration line

	add allow ip from any to any

will allow everything.

Dealing with kernel modules _might_ be a security issue if you
define it to be one. For example, if you raise the system
security level, you won't be able to load or unload kernel
modules. In such a situation, only the functionality present
in the kernel at boot time will be available. This of course
requires a custom kernel as explained. Otherwise it's a good
and comfortable idea to load IPFW as a kernel module. It can
then be configured in the same way as a kernel-based firewall.
> yes i would like to see if i can compile a kernel on an OVH box for freebsd
> i have tried, but there is always something that fails :-( so i wanted to
> use the one by OVH and modify it for my use.

For checking, you should first check if you can compile the
GENERIC kernel that's provided by the OS sources:

	# cd /usr/src
	# make buildkernel KERNCONF=GENERIC

If this works, you could install it and perform a reboot:

	# make installkernel KERNCONF=GENERIC
	# reboot

Then if you have "derived" your own kernel configuration file,
do the same with KERNCONF= and its name.

> > > so i got the 9.1 sources and now in /usr/src/sys/amd64/conf i have a
> > > GENERIC file, but this is too generic, besides i don't have access to the
> > > physical box.
> >
> > This file is what the GENERIC kernel (distributed with the OS)
> > has been generated from. Use it as a template for your own
> > custom kernel.
>
> well, there was no /usr/src when the system arrived from OVH i downloaded
> this from freebsd ftp site. so i will need to update it to suit my system
> and i was just looking for a shortcut.

If you have been using freebsd-update, it defaults to fetching
the OS sources (it's the "src" item in the "Components" list of
/etc/freebsd-update.conf). Your kernel and system sources _might_
now be more current than the version you're running. As I
mentioned, it's necessary to have world and kernel in sync. The
use of freebsd-update should have properly taken care of this
(e. g., updated world, GENERIC kernel, and the sources for the
whole thing to the current version).

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
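Given the lockout worry in the quoted question, here is a pre-flight check for a rule file in the format the reply shows; it is an added example, not code from the thread, and the interface name xl0 and the two sample rule files are constructed input.

```shell
#!/bin/sh
# Added example, not code from the thread: a pre-flight check for an ipfw(8)
# rule file before it is loaded on a remote box, so that a ruleset that never
# allows SSH (or denies it before allowing it) is refused instead of locking
# the operator out. Rules are read top to bottom, as ipfw evaluates them.
# The interface "xl0" and the two rule files below are constructed input.
# ssh_reachable FILE IFACE DEFAULT   (DEFAULT: "accept" or "deny", the
# kernel's default action when no rule matches). Exit 0 if inbound tcp/ssh
# on IFACE would be allowed, 1 if it would be denied.
ssh_reachable() {
    awk -v iface="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]*-f +flush/       { next }   # "-f flush" is not a rule
        {
            r   = tolower($0) " "            # trailing blank eases matching
            ssh = (r ~ / tcp from any to (any|me) (ssh|22) /)
            all = (r ~ / ip from any to any /)
            # rule applies to IFACE if it has no "recv" clause or names it
            here = (r !~ / recv / || r ~ (" recv " iface " "))
            if (!here || !(ssh || all)) next
            if (r ~ /^[ \t]*(add +)?([0-9]+ +)?allow /) { verdict = "allow"; exit }
            if (r ~ /^[ \t]*(add +)?([0-9]+ +)?deny /)  { verdict = "deny";  exit }
        }
        END {
            if (verdict == "") verdict = (def == "accept") ? "allow" : "deny"
            code = (verdict == "allow") ? 0 : 1
            exit code
        }' "$1"
}
# Constructed sample rule files: GOOD allows SSH before the final deny,
# BAD ends in a catch-all deny without ever allowing SSH.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
-f flush
add allow tcp from any to any ftp in recv xl0
add allow tcp from any to any ssh in recv xl0
add deny ip from any to any
EOF
cat > "$BAD" <<'EOF'
-f flush
add allow tcp from any to any ftp in recv xl0
add deny ip from any to any
EOF
for f in "$GOOD" "$BAD"; do
    if ssh_reachable "$f" xl0 deny; then echo "ok: $f keeps SSH reachable"
    else echo "refuse: $f would lock you out of xl0"; fi
done
rm -f "$GOOD" "$BAD"
```

Run it against the real file (for example `ssh_reachable /etc/ipfw.conf xl0 deny`) before handing the file to ipfw; a non-zero exit means the ruleset should not be loaded from an SSH session.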