
Thread: FreeBSD Kernel ??

  1. #1

    Question FreeBSD Kernel ??

    Well, I'm re-compiling my kernel and was wanting some opinions on good and bad features to use in the kernel;-) Would like it to be a secure server.

    Also, which is better for a web/mail server.
    DNS - Name Server or a Caching Name Server

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Re: FreeBSD Kernel ??

    Originally posted here by phaza7
    Well, I'm re-compiling my kernel and was wanting some opinions on good and bad features to use in the kernel;-) Would like it to be a secure server.

    Also, which is better for a web/mail server.
    DNS - Name Server or a Caching Name Server
    Just use the GENERIC kernel. Unless you have some exotic hardware in your machine.
    Also take a look at man security.

    As for the DNS server: set it up as a caching DNS (forward the requests to the DNS server(s) of your ISP) unless you want to run an authoritative DNS server for your own domains.

    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    119
    Hi,
    Instead of using the GENERIC kernel, comment out things that you don't have (customize the kernel) and try adding firewall support too.


    BlackMask

  4. #4
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    isn't ipf enabled in GENERIC?

    The downside of running a custom kernel is that support/troubleshooting is harder/takes more time, trial/error...

    My personal philosophy is why mess with generic if you don't need to?

    Ammo
    Credit travels up, blame travels down -- The Boss

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    You could create a really small kernel (just enough to get it to boot). Most stuff will get loaded by kldload anyway. This is also where your security risk (kernel-wise) will be. For a really secure kernel, disable loadable kernel modules and compile everything you need statically into the kernel.

    You can also add the following to /etc/rc.conf:
    kern_securelevel_enable="YES"
    kern_securelevel="3"

    see init(8) for more info about security levels.


    Edit: Just took a look at GENERIC from 4.8-STABLE. There is no ipf or ipfilter in there. You will need to enable 1 or the other. See LINT for more info.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Hi,

    - If you wanna use IPFilter options, you need to customise your kernel by adding:
    "options IPFILTER"
    "options IPFILTER_LOG"
    IPFilter uses a default accept stance. If you prefer a default deny stance, you can add the following:
    "options IPFILTER_DEFAULT_BLOCK"
    My FreeBSD's using IPFilter (FreeBSD 5) and IPFW (FreeBSD 4.8)
    These options are not in the GENERIC kernel.
    - I secure my kernel using this command:
    # chflags schg /kernel <<< This would keep anyone from replacing your kernel:"both intruder and you"

    And if you want to unset this flag you need to run securelevel=-1 and do this command:
    # chflags noschg /kernel

    - I set my securelevel to 3
    - I turn off "pseudo-device bpf" << it's used for packet sniffers and for the DHCP client and server. If you don't need any of those, turn this off.

    Cheerss
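
The settings suggested in posts #5 and #6 can be checked mechanically. The script below is an added example, not part of any post in the thread: it audits a kernel config file and an rc.conf for the IPFilter options, the bpf device and the securelevel. Treating `IPFILTER_DEFAULT_BLOCK` and securelevel 3 as required is this example's assumption, and the `MYKERNEL` and `rc.conf` contents are constructed samples.

```shell
#!/bin/sh
# Added example. Audits a kernel config and rc.conf for the thread's suggestions.

# has_line FILE KEYWORD VALUE: succeeds if an uncommented "KEYWORD VALUE" line exists.
has_line() {
    sed 's/#.*//' "$1" | awk -v k="$2" -v v="$3" \
        '$1 == k && $2 == v { found = 1 } END { exit !found }'
}

# rc_value FILE NAME: print the last value assigned to NAME, quotes stripped.
rc_value() {
    awk -F= -v n="$2" '{ sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        $1 == n { v = $2; gsub(/[" \t]/, "", v); val = v }
        END { print val }' "$1"
}

# audit KERNCONF RCCONF: print one finding per line; exit status = number of findings.
audit() {
    kc=$1 rc=$2 n=0
    for opt in IPFILTER IPFILTER_LOG IPFILTER_DEFAULT_BLOCK; do
        has_line "$kc" options "$opt" || { echo "MISSING options $opt"; n=$((n+1)); }
    done
    # "pseudo-device bpf" is the 4.x spelling from the thread; "device bpf" is 5.x.
    if has_line "$kc" pseudo-device bpf || has_line "$kc" device bpf; then
        echo "PRESENT bpf"; n=$((n+1))
    fi
    case $(rc_value "$rc" kern_securelevel_enable) in
        [Yy][Ee][Ss]) ;;
        *) echo "OFF kern_securelevel_enable"; n=$((n+1)) ;;
    esac
    lvl=$(rc_value "$rc" kern_securelevel)
    [ "${lvl:-0}" -ge 3 ] 2>/dev/null || { echo "LOW kern_securelevel=${lvl:-unset}"; n=$((n+1)); }
    return "$n"
}

write_samples() {   # constructed sample files, written into directory $1
    cat > "$1/MYKERNEL" <<'EOF'
options         IPFILTER                #ipfilter support
options         IPFILTER_LOG
#options        IPFILTER_DEFAULT_BLOCK
pseudo-device   bpf                     #Berkeley packet filter
EOF
    printf 'kern_securelevel_enable="YES"\nkern_securelevel="1"\n' > "$1/rc.conf"
}

dir=$(mktemp -d) && write_samples "$dir"
audit "$dir/MYKERNEL" "$dir/rc.conf"; echo "findings: $?"
```

On a real host, pass your own kernel config file and /etc/rc.conf to `audit` instead of the samples.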

  7. #7
    Thanks, not generic, I roll my own.
    Generic doesn't sound secure.

    Thanks for the help.
