Re: kernel options for ipv6 firewall
beni wrote:

> and I tried this also (from
> http://www.kame.net/~suz/freebsd-ipv6-config-guide.txt) :
>
>     options IPV6FIREWALL
>     #options IPV6FIREWALL_VERBOSE
>     #options IPV6FIREWALL_VERBOSE_LIMIT=100
>     #options IPV6FIREWALL_DEFAULT_TO_ACCEPT
>
> But all I get is an unknown option error when I do a make buildkernel.

That information is out of date. ipfw now handles both IPv4 and IPv6 without any extra kernel configuration required. All you need to do is write rules that reference IPv6 addresses etc.

> I've added also this to my /etc/rc.conf :
>
>     #IPv6
>     gateway6_enable="YES"
>     ipv6_enable="YES"
>     #ipv6_gateway_enable="YES"
>     #ipv6_router_enable="YES"
>     ipv6_network_interfaces="vr0 tun0"
>     # Enable ip6fw.
>     ipv6_firewall_enable="YES"
>     ipv6_firewall_type="client"
>     # ipv6_firewall_quiet="NO"
>     ipv6_firewall_quiet="YES" # suppress rule display. (By default, it's NO)
>     ipv6_firewall_logging="YES" # enable events logging. (By default, it's NO)
>     ipv6_firewall_flags="" # Flags passed to ip6fw when type is a filename

Take a look at /etc/rc.firewall6 -- that just does for IPv6 what rc.firewall does for IPv4. Your settings above should enable it to work, but you'll need to put the correct network numbers, prefix len and IP address into the rc.firewall6 file. (Not a particularly nice piece of design: configuration information like that shouldn't require you to edit the actual rc script.)

> pf is enabled for ipv4.

pf will also do IPv6 automatically. With pf's really very handy indeed feature of being able to deduce from the interface name the IP numbers / networks to put in the rulesets, you can write rules that operate on IPv4 only:

    pass in on $ext_if inet proto tcp \
        from any to $ext_if port ssh \
        flags S/SA keep state \
        (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

IPv6 only:

    pass in on $ext_if inet6 proto tcp \
        from any to $ext_if port ssh \
        flags S/SA keep state \
        (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

or both:

    pass in on $ext_if proto tcp \
        from any to $ext_if port ssh \
        flags S/SA keep state \
        (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

Although this last is internally transformed into two rules, one for the IPv4 address on the i/f, and the other for the IPv6 address. See 'pfctl -sr' for the generated rules. So on my machine, that becomes:

    pass in on de0 inet6 proto tcp from any to fe80::240:5ff:fea5:8db7 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, src.track 30)
    pass in on de0 inet proto tcp from any to 81.187.76.162 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, src.track 30)

(not that I've yet seen any ssh bruteforce attempts over IPv6)

If you need bandwidth limiting facilities, you can do this with pf as well, but you will have to compile a custom kernel to enable the ALTQ features. It's equivalent to IPFW's dummynet but there are subtle differences in the way it operates that may or may not be a show stopper for you.

> So what option(s) do I need to use a ipv6 firewall in my kernel ?

Same as you need for either pf or ipfw with IPv4 -- in fact, you frequently don't need to modify the GENERIC kernel at all. You can just load ipfw as a kld. Same with pf, unless you need to use altq which still requires some compiled-in stuff in the kernel.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
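The message above notes that a pf rule written without an address family expands into one rule per family in `pfctl -sr`; on a dual-stack host the matching check is that every filtered port appears for both inet and inet6 with the same options. This is an added example, not part of the original message: `parse_rule`, `audit` and the third sample line are constructed for illustration.

```python
import re

# Constructed sample of `pfctl -sr` output: lines 1-2 are the expanded rules
# quoted in the message above, line 3 is a made-up IPv4-only rule (a gap).
SAMPLE = """\
pass in on de0 inet6 proto tcp from any to fe80::240:5ff:fea5:8db7 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, src.track 30)
pass in on de0 inet proto tcp from any to 81.187.76.162 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, src.track 30)
pass in on de0 inet proto tcp from any to 81.187.76.162 port = smtp flags S/SA keep state
"""

def parse_rule(line):
    """Extract the fields needed to pair up IPv4 and IPv6 rules."""
    tok = line.split()
    if len(tok) < 2 or tok[0] not in ("pass", "block"):
        return None
    def after(word, start=0):
        return tok[tok.index(word, start) + 1] if word in tok[start:] else None
    dst = tok.index("to") if "to" in tok else len(tok)
    port = after("port", dst)
    if port == "=":                       # pfctl prints "port = ssh"
        port = tok[tok.index("port", dst) + 2]
    opts = re.search(r"\(([^)]*)\)\s*$", line)
    return {
        "key": (tok[0], tok[1], after("on"), after("proto"), port),
        "af": "inet6" if "inet6" in tok else "inet" if "inet" in tok else None,
        "opts": frozenset(o.strip() for o in opts.group(1).split(",")) if opts else frozenset(),
    }

def audit(ruleset):
    """List port rules that differ between the inet and inet6 families."""
    seen = {}
    for line in ruleset.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["key"][4] is None:
            continue                      # only port-specific rules are compared
        for af in ([rule["af"]] if rule["af"] else ["inet", "inet6"]):
            seen.setdefault(rule["key"], {})[af] = rule["opts"]
    findings = []
    for key in sorted(seen, key=str):
        fams = seen[key]
        for af in ("inet", "inet6"):
            if af not in fams:
                findings.append(("missing-family", af) + key)
        if len(fams) == 2 and fams["inet"] != fams["inet6"]:
            findings.append(("options-differ", None) + key)
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On a live host the input would be the captured output of `pfctl -sr` instead of `SAMPLE`; an `options-differ` finding on the ssh rule would mean the connection-rate limit is enforced for one family only.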
RE: Kernel Options fo a File Server
man tuning?

Cheers,
Lars.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Carey
Posted At: Tuesday, May 22, 2007 1:28 PM
Posted To: FreeBSD-Questions
Conversation: Kernel Options fo a File Server
Subject: Kernel Options fo a File Server

Hello,

What would be the best Kernel options to run a file server?

I will be using an Intel server mother board with one Xeon quad core CPU installed (this mother board has 2 CPU sockets) 2GB RAM and dual 500Gb SATA HDD's

I am thinking of options that would make the kernel efficient as a pure file server.

Thanks,
Ivan

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Kernel Options fo a File Server
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Carey
> Posted At: Tuesday, May 22, 2007 1:28 PM
> Posted To: FreeBSD-Questions
> Conversation: Kernel Options fo a File Server
> Subject: Kernel Options fo a File Server
>
> Hello,
>
> What would be the best Kernel options to run a file server?
>
> I will be using an Intel server mother board with one Xeon quad core CPU installed (this mother board has 2 CPU sockets) 2GB RAM and dual 500Gb SATA HDD's
>
> I am thinking of options that would make the kernel efficient as a pure file server.

On 23/05/07, FreeBSD-Questions [EMAIL PROTECTED] wrote:

> man tuning?
>
> Cheers,
> Lars.

Indeed, not so much kernel options, but filesystem options would likely benefit you the most, especially if you can determine ahead how big your average file size will be.
Re: Kernel Options fo a File Server
From what I heard from most BSD'ers it's not really feasible to re-compile or customize the kernel much these days. If you truly need to compile/optimize the kernel you're already overworking your hardware. With that being said I’m curious myself, I'm always interested in squeezing a little out of my hardware.

Ivan Carey wrote:

> Hello,
>
> What would be the best Kernel options to run a file server?
>
> I will be using an Intel server mother board with one Xeon quad core CPU installed (this mother board has 2 CPU sockets) 2GB RAM and dual 500Gb SATA HDD's
>
> I am thinking of options that would make the kernel efficient as a pure file server.
>
> Thanks,
> Ivan

--
View this message in context: http://www.nabble.com/Kernel-Options-fo-a-File-Server-tf3795709.html#a10771337
Sent from the freebsd-questions mailing list archive at Nabble.com.
Re: Kernel Options fo a File Server
PeterPluta wrote:

> From what I heard from most BSD'ers it's not really feasible to re-compile or customize the kernel much these days. If you truly need to compile/optimize the kernel you're already overworking your hardware. With that being said I’m curious myself, I'm always interested in squeezing a little out of my hardware.
>
> Ivan Carey wrote:
>
> > Hello,
> >
> > What would be the best Kernel options to run a file server?
> >
> > I will be using an Intel server mother board with one Xeon quad core CPU installed (this mother board has 2 CPU sockets) 2GB RAM and dual 500Gb SATA HDD's
> >
> > I am thinking of options that would make the kernel efficient as a pure file server.
> >
> > Thanks,
> > Ivan

First, please don't top post. Thanks.

I typically recompile a kernel for almost every new machine. You can certainly change a great deal of options within the kernel that you otherwise can't do. For instance do a 'make LINT' in /usr/src/sys/i386/conf and grok the LINT file for options. There are tons of tweaks you could do.

If you want to tweak the file server I would look more into tunefs. man tunefs...this will probably be where you will find the most info about getting the most out of your filesystem.

-Tom
Re: Kernel Options fo a File Server
On Wed, May 23, 2007 at 12:42:17PM -0700, PeterPluta wrote:

> Ivan Carey wrote:
>
> > Hello,
> >
> > What would be the best Kernel options to run a file server?
> >
> > I will be using an Intel server mother board with one Xeon quad core CPU installed (this mother board has 2 CPU sockets) 2GB RAM and dual 500Gb SATA HDD's
> >
> > I am thinking of options that would make the kernel efficient as a pure file server.
>
> From what I heard from most BSD'ers it's not really feasible to re-compile or customize the kernel much these days. If you truly need to compile/optimize the kernel you're already overworking your hardware. With that being said I’m curious myself, I'm always interested in squeezing a little out of my hardware.

(Please don't top post.)

Recompiling the kernel and customizing it (i.e. leaving things out that you don't need) are not very hard at all. Things like enabling kernel thread preemption and file system softupdates might help with performance. But in general you could say that removing code for devices and subsystems that aren't used anyway might speed up booting a bit, but will not help much with speeding up daily usage.

The tuning(7) manpage gives lots of tips on getting the best performance out of your system. Note that the kernel occupies only a small section of the material in that page. For instance, for a file server the file system layout is much more important due to higher transfer speeds from the outer edges of the disks.

Roland

--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: Kernel Options fo a File Server
Ivan Carey wrote:

> Hello,
>
> What would be the best Kernel options to run a file server?
>
> I will be using an Intel server mother board with one Xeon quad core CPU installed (this mother board has 2 CPU sockets) 2GB RAM and dual 500Gb SATA HDD's
>
> I am thinking of options that would make the kernel efficient as a pure file server.
>
> Thanks,
> Ivan

Even with a GENERIC kernel you're going to be disk-bound, unless you have them in RAID 0, in which case you'll be network bound. If you are running i386 you can take out 486 and 586 support, that's probably the biggest single improvement you can make, and it's incremental at best.

---
Thanks,
Josh Paetzel
Re: kernel options
Imran Imtiaz wrote:

> where can I find all the customization options of the kernel?

See src/sys/conf/NOTES for platform-independent options and for example src/sys/i386/conf/NOTES for i386-specific options.

Regards
Björn
Re: Kernel options optimal for desktop?
Alexander Polakov wrote:

> Good time of day to all freebsd-questions readers!
>
> I'm using FreeBSD 6.0 for my desktop. I think the GENERIC kernel is not optimal for desktop usage. So can you advise me what options to use for better performance? My hardware is a Pentium 3 [EMAIL PROTECTED] chipset, 512 Mb RAM, ATA100 30 GB HDD, GeForce2 MX400 video.

Read the kernel section of the handbook. Read man tuning and man make.conf, but for a simple beginning, figure out what tasks you want to benchmark (see ls /usr/ports/benchmarks), and get a baseline with the GENERIC kernel.

Then you want to set CPUTYPE, disable the cpu I486_CPU and cpu I586_CPU statements, and maybe disable drivers you don't need, IPv6 (aka options INET6), etc. Be prepared to roll back to a working kernel if you change too much. Benchmark some more, and see whether you find anything interesting.

Be prepared to have someone tell you to run /usr/src/tools/tools/ministat. :-)

--
-Chuck
Re: Kernel Options
bsd hack wrote:

> Hi,
>
> I am working with the Kernel config file to optimize it and also to improve the overall security of the system!

Hi, that's good. I'll try to give you some ideas to start inline below:

> I have the following questions:
>
> (1) There are a few options that are not available in the default kernel... like the IPFIREWALL options(and the like)... I basically need to know all possible options I can add to the kernel config file!

Have a look at /usr/src/sys/i386/conf/NOTES file (assuming your machine architecture is i386, if not look in specific directory):

    # cat /usr/src/sys/i386/conf/NOTES | head
    #
    # NOTES -- Lines that can be cut/pasted into kernel and hints configs.
    #
    # This file contains machine dependent kernel configuration notes.  For
    # machine independent notes, look in /sys/conf/NOTES.

It points you to another file: /usr/src/sys/conf/NOTES. There are options with explanations in both files.

Also check FreeBSD Handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html

> (2) I guess these options can be used to set the kernel variables accessible through the sysctl command. So can I create my own options so that I can set a few kernel variables as and when I build the custom kernel?

Any sysctl variable can be set in /etc/sysctl.conf file which is used before system goes to multi-user state. Many of them can be even changed live. Check man sysctl(8), it will also bring loader.conf(5) to your attention.

> Thank you.
> -HKR

Good luck,

Karol

--
Karol Kwiatkowski
freebsd at orchid dot homeunix dot org
Re: Kernel Options
On 2004-07-28 12:02, bsd hack [EMAIL PROTECTED] wrote:

> I have the following questions:
>
> (1) There are a few options that are not available in the default kernel... like the IPFIREWALL options(and the like)... I basically need to know all possible options I can add to the kernel config file!

Try reading these:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html

> (2) I guess these options can be used to set the kernel variables accessible through the sysctl command. So can I create my own options so that I can set a few kernel variables as and when I build the custom kernel?

I don't think so. Read the Handbook sections I posted above for details.

> (3) and also my aim includes optimizing the kernel... so by enabling only the options I need to I should get a get optimization... is there anything else that can be done?

If security is what concerns you, the Handbook has also this chapter:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html

There are also many online articles that deal with the issue of security on a BSD system. Google will reveal dozens of them, but here's a starting pointer just to get you going:

http://www.onlamp.com/pub/ct/13

Cheers,
Giorgos