custom kernel installation

Polytropon freebsd at edvax.de
Sat Jun 8 00:38:20 UTC 2013


On Sat, 8 Jun 2013 01:17:35 +0200, Norman Khine wrote:
> thanks for the quick reply

You're welcome.



> On Sat, Jun 8, 2013 at 12:54 AM, Polytropon <freebsd at edvax.de> wrote:
> 
> > On Sat, 8 Jun 2013 00:37:02 +0200, Norman Khine wrote:
> > > hello,
> > > i have a dedicated server from OVH and have updated freebsd to 9.1 and want
> > > to enable IPFW in the kernel as this is not enabled.
> >
> > Why not use the module for this? For many years now, you
> > do not need a custom kernel if you want to use IPFW (which
> > _had_ to be compiled into the kernel in the past). Use
> >
> >         # kldload ipfw.ko
> >
> 
> is it good idea to run this like this, would i have to do some settings, as
> i don't want to be locked out of the system?

Depends on your requirements. The kernel module is just the
"firewall infrastructure", and the ipfw _binary_ will then
control it. So it's probably a good idea to check your firewall
settings (for example in /etc/ipfw.conf) to reflect _exactly_
what you intend (e. g., _not_ disabling SSH).

See "man ipfw" for details on the firewall configuration file.
The system brings several preconfigured profiles. You can find
them in /etc/defaults/rc.conf (the firewall_ settings group,
especially "open" according to /etc/rc.firewall's comment
header, or for example "/etc/ipfw.conf", a file created on
your own). Do not use "closed". :-)

Here's a short example, nothing magic:

	-f flush
	add allow	tcp	from any to any ftp	in recv	xl0
	add allow	tcp	from any to any ssh	in recv	xl0

This is _one_ solution if you wanted to allow SSH and FTP
via the xl0 interface. Depending on what IPFW defaults to
(ALLOW or DENY), a different structure might apply. The
configuration line

	add allow	ip	from any to any

will allow everything.

Dealing with kernel modules _might_ be a security issue if
you define it to be one. For example, if you raise the system
security level, you won't be able to load or unload kernel
modules. In such a situation, only the functionality present
in the kernel at boot time will be available. This of course
requires a custom kernel as explained.

Otherwise it's a good and comfortable idea to load IPFW as
a kernel module. It can then be configured in the same way
as a kernel-based firewall.



> yes i would like to see if i can compile a kernel on an OVH box for freebsd
> i have tried, but there is always something that fails :-( so i wanted the
> use the one by OVH and modify it for my use.

For checking, you should first check if you can compile the
GENERIC kernel that's provided by the OS sources:

	# cd /usr/src
	# make buildkernel KERNCONF=GENERIC

If this works, you could install it and perform a reboot:

	# make installkernel KERNCONF=GENERIC
	# reboot

Then if you have "derived" your own kernel configuration file,
do the same with KERNCONF= and its name.



> > > so i got the 9.1 sources and now in /usr/src/sys/amd64/conf i have a
> > > GENERIC file, but this is too generic, besides i don't have access to the
> > > physical box.
> >
> > This file is what the GENERIC kernel (distributed with the OS)
> > has been generated from. Use it as a template for your own
> > custom kernel.
> >
> 
> well, there was no /usr/src when the system arrived from OVH i downloaded
> this from freebsd ftp site. so i will need to update it to suit my system
> and i was just looking for a shortcut.

If you have been using freebsd-update, it defaults to fetching
the OS sources (it's the "src" item in the "Components" list
of /etc/freebsd-update.conf). Your kernel and system sources
_might_ now be more current than the version you're running.
As I mentioned, it's necessary to have world and kernel in
sync. The use of freebsd-update should have properly taken
care of this (e. g., updated world, GENERIC kernel, and the
sources for the whole thing to the current version).
-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
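A pre-flight check for the lock-out concern discussed above, added here as an example that is not part of the original message: it reads an ipfw ruleset file in evaluation order and reports whether an inbound SSH allow comes before any rule that would block it, or before the module's usual default rule (deny). The file path and the "add allow/deny proto from X to Y port" rule shape are assumptions taken from the message's example.

```shell
#!/bin/sh
# Added pre-flight check (not from the original message) for an ipfw ruleset
# file such as /etc/ipfw.conf, meant to run before "kldload ipfw.ko" over SSH.
# ipfw walks rules in order and the first match wins; the module's final
# default rule is deny, so a ruleset that never allows inbound SSH, or that
# puts a catch-all deny above the SSH allow, cuts off the remote admin.
# Assumption: rules use the "add allow|deny proto from X to Y [port] ..."
# form shown in the message, listed in evaluation order.

# Usage: check_ssh_allowed /etc/ipfw.conf
# Prints "ok" and returns 0 when an inbound SSH allow is matched first,
# otherwise prints the reason and returns 1.
check_ssh_allowed() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        $1 != "add" { next }                         # "-f flush" and other non-rules
        $2 != "allow" && $2 != "deny" { next }
        $3 != "tcp" && $3 != "ip" && $3 != "all" { next }   # cannot match SSH at all
        {
            for (i = 4; i <= NF; i++) if ($i == "out") next   # outbound-only rule
            port = "any"; cand = ""
            # destination port is the word after "to <host>", unless it is an option
            for (i = 4; i < NF; i++) if ($i == "to") { cand = $(i + 2); break }
            if (cand != "" && cand !~ /^(in|recv|xmit|via|setup|established|keep-state)$/)
                port = cand
            if (port == "any" || port == "ssh" || port == "22") {
                decided = 1
                if ($2 == "allow") { msg = "ok"; status = 0 }
                else { msg = "locked out: \"" $0 "\" blocks SSH first"; status = 1 }
                print msg
                exit status
            }
        }
        END {
            if (!decided) { print "locked out: no rule allows SSH before the default deny"; exit 1 }
            exit status
        }
    ' "$1"
}

# When run as a script, check the file given on the command line.
if [ $# -gt 0 ]; then
    check_ssh_allowed "$1"
fi
```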