custom kernel installation

Sat Jun 8 17:37:02 UTC 2013

great, i managed to compile and install the custom kernel with IPFW kernel
support as discussed, thanks for your help!

i would like to optimise the kernel to be more specific to my hardware,
here is a breakdown of what i have:

https://gist.github.com/nkhine/fcbcbe36221dc39491f9

here is what is left in my kernel, is there anything else i should take out?

https://gist.github.com/nkhine/fcbcbe36221dc39491f9/revisions

any advice much appreciated

On Sat, Jun 8, 2013 at 2:38 AM, Polytropon <freebsd at edvax.de> wrote:

> On Sat, 8 Jun 2013 01:17:35 +0200, Norman Khine wrote:
> > thanks for the quick reply
>
> You're welcome.
>
>
>
> > On Sat, Jun 8, 2013 at 12:54 AM, Polytropon <freebsd at edvax.de> wrote:
> >
> > > On Sat, 8 Jun 2013 00:37:02 +0200, Norman Khine wrote:
> > > > hello,
> > > > i have a dedicated server from OVH and have updated freebsd to 9.1
> and
> > > want
> > > > to enable IPFW in the kernel as this is not enabled.
> > >
> > > Why not use the module for this? For many years now, you
> > > do not need a custom kernel if you want to use IPFW (which
> > > _had_ to be compiled into the kernel in the past). Use
> > >
> > >         # kldload ipfw.ko
> > >
> >
> > is it good idea to run this like this, would i have to do some settings,
> as
> > i don't want to be locked out of the system?
>
> Depends on your requirements. The kernel module is just the
> "firewall infrastructure", and the ipfw _binary_ will then
> control it. So it's probably a good idea to check your firewall
> settings (for example in /etc/ipfw.conf) to reflect _exactly_
> what you intend (e. g., _not_ disabling SSH).
>
> See "man ipfw" for details on the firewall configuration file.
> The system brings several preconfigured profiles. You can find
> them in /etc/defaults/rc.conf (the firewall_ settings group,
> especially "open" according to /etc/rc.firewall's comment
> header, or for example "/etc/ipfw.conf", a file created on
> your own). Do not use "closed". :-)
>
> Here's a short example, nothing magic:
>
>         -f flush
>         add allow       tcp     from any to any ftp     in recv xl0
>         add allow       tcp     from any to any ssh     in recv xl0
>
> This is _one_ solution if you wanted to allow SSH and FTP
> via the xl0 interface. Depending on what IPFW defaults to
> (ALLOW or DENY), a different structure might apply. The
> configuration line
>
>         add allow       ip      from any to any
>
> will allow everything.
>
> Dealing with kernel modules _might_ be a security issue if
> you define it to be one. For example, if you raise the syetem
> security level, you won't be able to load or unload kernel
> modules. In such a situation, only the functionality present
> in the kernel at boot time will be available. This if course
> requires a custom kernel as explained.
>
> Otherwise it's a good and comfortable idea to load IPFW as
> a kernel module. It can then be configured in the same way
> as a kernel-based firewall.
>
>
>
> > yes i would like to see if i can compile a kernel on an OVH box for
> freebsd
> > i have tried, but there is always something that fails :-( so i wanted
> the
> > use the one by OVH and modify it for my use.
>
> For checking, you should first check if you can compile the
> GENERIC kernel that's provided by the OS sources:
>
>         # cd /usr/src
>         # make buildkernel KERNCONF=GENERIC
>
> If this works, you could install it and perform a reboot:
>
>         # make installkernel KERNCONF=GENERIC
>         # reboot
>
> Then if you have "derived" your own kernel configuration file,
> do the same with KERNCONF= and its name.
>
>
>
> > > > so i got the 9.1 sources and now in /usr/src/sys/amd64/conf i have a
> > > > GENERIC file, but this is too generic, besides i don't have access
> to the
> > > > physical box.
> > >
> > > This file is what the GENERIC kernel (distributed with the OS)
> > > has been generated from. Use it as a template for your own
> > > custom kernel.
> > >
> >
> > well, there was no /usr/src when the system arrived from OVH i downloaded
> > this from freebsd ftp site. so i will need to update it to suit my system
> > and i was just looking for a shortcut.
>
> If you have been using freebsd-update, it defaults to fetching
> the OS sources (it's the "src" item in the "Components" list
> of /etc/freebsd-update.conf. Your kernel and system sources
> _might_ now be more current than the version you're running.
> As I mentioned, it's neccessary to have world and kernel in
> sync. The use of freebsd-update should have properly taken
> care of this (e. g., updated world, GENERIC kernel, and the
> sources for the whole thing to the current version).
>
>
>
>
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
>

-- 
%>>> "".join( [ {'*':'@','^':'.'}.get(c,None) or chr(97+(ord(c)-83)%26) for
c in ",adym,*)&uzq^zqf" ] )