Date: Sat, 8 Jun 2013 19:37:01 +0200
From: Norman Khine <norman@khine.net>
To: Polytropon <freebsd@edvax.de>
Cc: freebsd-questions@freebsd.org
Subject: Re: custom kernel installation
Message-ID: <CAKgQ7UKr_SVWa%2BpdErrJzgRPDTL=KKoV8RBWD8yP4pJrUQKiDw@mail.gmail.com>
In-Reply-To: <20130608023828.1e1a059b.freebsd@edvax.de>
References: <CAKgQ7UJL3yYdKPeb%2Bc%2B=Cz9iBfPi5esH5imKgiYECrK6%2Bg5=Yg@mail.gmail.com> <20130608005444.6741d6cd.freebsd@edvax.de> <CAKgQ7ULQkDG70nT8Ak=X1Rgbii_Tw%2BNsgndvSrT%2BJ=zPcXAOTg@mail.gmail.com> <20130608023828.1e1a059b.freebsd@edvax.de>

great, i managed to compile and install the custom kernel with IPFW kernel
support as discussed, thanks for your help!

i would like to optimise the kernel to be more specific to my hardware, here
is a breakdown of what i have:

https://gist.github.com/nkhine/fcbcbe36221dc39491f9

here is what is left in my kernel, is there anything else i should take out?

https://gist.github.com/nkhine/fcbcbe36221dc39491f9/revisions

any advice much appreciated

On Sat, Jun 8, 2013 at 2:38 AM, Polytropon <freebsd@edvax.de> wrote:

> On Sat, 8 Jun 2013 01:17:35 +0200, Norman Khine wrote:
> > thanks for the quick reply
>
> You're welcome.
>
> >
> > On Sat, Jun 8, 2013 at 12:54 AM, Polytropon <freebsd@edvax.de> wrote:
> >
> > > On Sat, 8 Jun 2013 00:37:02 +0200, Norman Khine wrote:
> > > > hello,
> > > > i have a dedicated server from OVH and have updated freebsd to 9.1 and want
> > > > to enable IPFW in the kernel as this is not enabled.
> > >
> > > Why not use the module for this? For many years now, you
> > > do not need a custom kernel if you want to use IPFW (which
> > > _had_ to be compiled into the kernel in the past). Use
> > >
> > >     # kldload ipfw.ko
> > >
> >
> > is it a good idea to run this like this, would i have to do some settings, as
> > i don't want to be locked out of the system?
>
> Depends on your requirements. The kernel module is just the
> "firewall infrastructure", and the ipfw _binary_ will then
> control it. So it's probably a good idea to check your firewall
> settings (for example in /etc/ipfw.conf) to reflect _exactly_
> what you intend (e. g., _not_ disabling SSH).
>
> See "man ipfw" for details on the firewall configuration file.
> The system brings several preconfigured profiles. You can find
> them in /etc/defaults/rc.conf (the firewall_ settings group,
> especially "open" according to /etc/rc.firewall's comment
> header, or for example "/etc/ipfw.conf", a file created on
> your own). Do not use "closed". :-)
>
> Here's a short example, nothing magic:
>
>     -f flush
>     add allow tcp from any to any ftp in recv xl0
>     add allow tcp from any to any ssh in recv xl0
>
> This is _one_ solution if you wanted to allow SSH and FTP
> via the xl0 interface. Depending on what IPFW defaults to
> (ALLOW or DENY), a different structure might apply. The
> configuration line
>
>     add allow ip from any to any
>
> will allow everything.
>
> Dealing with kernel modules _might_ be a security issue if
> you define it to be one. For example, if you raise the system
> security level, you won't be able to load or unload kernel
> modules. In such a situation, only the functionality present
> in the kernel at boot time will be available. This of course
> requires a custom kernel as explained.
>
> Otherwise it's a good and comfortable idea to load IPFW as
> a kernel module. It can then be configured in the same way
> as a kernel-based firewall.
>
> >
> > yes i would like to see if i can compile a kernel on an OVH box for freebsd
> > i have tried, but there is always something that fails :-( so i wanted to
> > use the one by OVH and modify it for my use.
>
> For checking, you should first check if you can compile the
> GENERIC kernel that's provided by the OS sources:
>
>     # cd /usr/src
>     # make buildkernel KERNCONF=GENERIC
>
> If this works, you could install it and perform a reboot:
>
>     # make installkernel KERNCONF=GENERIC
>     # reboot
>
> Then if you have "derived" your own kernel configuration file,
> do the same with KERNCONF= and its name.
>
> > > > so i got the 9.1 sources and now in /usr/src/sys/amd64/conf i have a
> > > > GENERIC file, but this is too generic, besides i don't have access to the
> > > > physical box.
> > >
> > > This file is what the GENERIC kernel (distributed with the OS)
> > > has been generated from. Use it as a template for your own
> > > custom kernel.
> > >
> >
> > well, there was no /usr/src when the system arrived from OVH i downloaded
> > this from freebsd ftp site. so i will need to update it to suit my system
> > and i was just looking for a shortcut.
>
> If you have been using freebsd-update, it defaults to fetching
> the OS sources (it's the "src" item in the "Components" list
> of /etc/freebsd-update.conf). Your kernel and system sources
> _might_ now be more current than the version you're running.
> As I mentioned, it's necessary to have world and kernel in
> sync. The use of freebsd-update should have properly taken
> care of this (e. g., updated world, GENERIC kernel, and the
> sources for the whole thing to the current version).
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
>

-- 
%>>> "".join( [ {'*':'@','^':'.'}.get(c,None) or chr(97+(ord(c)-83)%26) for c in ",adym,*)&uzq^zqf" ] )
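
The lockout question in the quoted exchange comes down to two checks that can be made before kldload: whether the security level still permits loading modules, and which rule a new inbound SSH connection would match first. A sketch of both follows, as an added example that is not part of the original message; the function names ssh_verdict and can_kldload are hypothetical, and the rule parsing is a heuristic that assumes the simple rule shape quoted above.

```sh
#!/bin/sh
# Added example: pre-flight lint before loading ipfw on a remote host.
# Heuristic: reads only "add [N] ACTION PROTO from SRC to DST [PORTS] ..."
# lines in file order; addresses, interfaces and port ranges are ignored.

# ssh_verdict FILE DEFAULT -> prints "allow" or "deny" for inbound TCP/22.
# DEFAULT is the action of the final rule 65535 on the target host: "deny"
# unless the kernel was set to default-to-accept.
ssh_verdict() {
    awk -v dflt="$2" '
    $1 != "add" { next }                       # skips "-f flush" and blanks
    {
        i = 2
        if ($i ~ /^[0-9]+$/) i++               # optional rule number
        act = $i; proto = $(i + 1)
        if (act ~ /^(allow|accept|pass|permit)$/) v = "allow"
        else if (act ~ /^(deny|drop)$/) v = "deny"
        else next                              # count, check-state, ...
        if (proto !~ /^(tcp|ip|all)$/) next
        for (j = i + 2; j <= NF; j++) if ($j == "out") next
        for (j = i + 2; j <= NF; j++) if ($j == "to") break
        ports = $(j + 2)                       # token after the destination
        hit = (proto != "tcp") || (ports == "") ||
              (ports ~ /^(in|via|recv|setup|established|keep-state)$/) ||
              (("," ports ",") ~ /,(ssh|22),/)
        if (hit) { print v; found = 1; exit }  # first matching rule wins
    }
    END { if (!found) print dflt }' "$1"
}

# can_kldload LEVEL -> true if kernel modules can still be loaded.
# LEVEL is the value of "sysctl -n kern.securelevel" on the host.
can_kldload() { [ "$1" -le 0 ]; }

# Constructed sample: the ruleset quoted in the message.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
-f flush
add allow tcp from any to any ftp in recv xl0
add allow tcp from any to any ssh in recv xl0
EOF
echo "securelevel -1 permits kldload: $(can_kldload -1 && echo yes || echo no)"
echo "ssh with default deny: $(ssh_verdict "$sample" deny)"
```

A "deny" verdict means the ruleset should be fixed before the module is loaded, since a remote session would not survive to correct it afterwards.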