Coretanium

The following document describes how to build a custom kernel in FreeBSD.

This tutorial is NOT for upgrading your kernel, if you want to upgrade your kernel please read this tutorial.

1) Make a copy of your GENERIC kernel (never use GENERIC unless you want your changes wasted when you do a cvsup update)
root@machine# cd /usr/src/sys/i386/conf
root@machine# cp GENERIC CUSTOMEKERNEL

2. Edit the CUSTOMKERNEL to configure support for new hardware. Make sure all the required modules are loaded. If a dependancy is missing, your kernel build will fail.

3. Compile and install your new kernel.

root@machine# cd /usr/src
root@machine# make buildkernel KERNCONF=CUSTOMKERNEL
root@machine# make installkernel KERNCONF=CUSTOMKERNEL

4. Reboot and you have a fully customised kernel build.

* If you are running your system in securelevel you will need to make some changes before doing the actual kernel installation! In your /etc/rc.conf set kern_securelevel to kern_securelevel=”-1″ and reboot your machine, then proceed with the install of your custom kernel. After your custom kernel has been installed you can change the values back to whatever your requirements are.

* By doing a “make clean” on every kernel build defeats the purpose of a makefile. There are times when the build should be cleaned up, you can do it by doing a “make clean” or “config -r” to clean up obj. By doing it every time may make your kernel build run twice as long and it’s not necesary!

FreeBSD-STABLE Howto

sync source via cvsup

cp /usr/share/examples/cvsup/stable-supfile /etc

vi /etc/stable-supfile

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html#CVSUP-MIRRORS

cvsup.uk.freebsd.org (sync all source)

cvsup /etc/stable-supfile

cd /usr/src/sys/i386/conf

cp GENERIC KERNEL

cd /usr/src
echo “KERNCONF=FIREWALL” >> /etc/make.conf
make buildworld
make buildkernel
make installkernel

shutdown -r now

The following document describes how to build your own BSD based firewall

1) Copy the GENERIC kernel to YOURKERNEL

root@machine# cd /usr/src/sys/i386/conf
root@machine# cp GENERIC YOURKERNEL

2) Compile the following into the kernel:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT

2) Add the following if your “paranoid”

options TCP_RESTRICT_RST
options TCP_DROP_SYNFIN

3) Edit /etc/rc.conf to add the firewall:

firewall_enable=”YES”
firewall_script=”/etc/fw/fwruleset”
natd_enable=”YES”
natd_interface=”tun0″
natd_flags=”-dynamic”

4) Create your firewall ruleset in /etc/fw/fwruleset

root@machine# mkdir /etc/fw
root@machine# vi fwruleset

sample firewall ruleset
# Define firewall command
fwcmd=”/sbin/ipfw”
# Force flushing of current rules
$fwcmd -f flush
# Divert all packets through tunnel interface
$fwcmd add divert natd all from any to any via tun0
# Allow all data from local interfaces – change to your interface
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via fxp0
# Allow all connections we initiate
$fwcmd add allow tcp from any to any out xmit tun0 setup
# Allow connections that are open to stay open
$fwcmd add allow tcp from any to any via tun0 established
# Allow access to apache and ssh from the internet
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 22 setup
# Sends RESET to all ident packets
$fwcmd add reset log tcp from any to any 113 in recv tun0
# Only allow DNS queries to specified DNS servers
$fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
# Allow them back
$fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
# Allow ICMP
$fwcmd add 65435 allow icmp from any to any
# Deny rest
$fwcmd add 65435 deny log ip from any to any

Reboot your machine and you should have a fully functional firewall!