# Current kernel configuration



## Dre (Oct 23, 2010)

Is there a file somewhere on my system with my current kernel configuration?

All I want to do is add


```
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
```
to my current system.


----------



## graudeejs (Oct 23, 2010)

`` $ echo "/usr/src/sys/`uname -m`/conf/`uname -i`" `` (by default /usr/src/sys/your_FreeBSD_arch_here/conf/GENERIC) [Available if you have FreeBSD sources]
I suggest you copy it over, then modify it or include it in your new kernel config, set the name in the new file, and add the options you like.

For example: here's my kernel config:
http://aldis.git.bsdroot.lv/desktop/tree/ANTIGENERIC


----------



## SIFE (Oct 23, 2010)

There is a GENERIC file under /usr/src/sys/${arch}/conf/, where ${arch} is i386 or amd64, depending on your CPU type.
You can also see /usr/src/sys/conf/NOTES for adding options to the kernel.

```
cat /usr/src/sys/conf/NOTES | grep IPFIREWALL
```


----------



## Dre (Oct 23, 2010)

I actually found that file earlier but I didn't think it corresponded to my current kernel. I thought that 

```
option IPFIREWALL
```
had to be included for ipfw to work and it's not in there. Yet ipfw works...


----------



## da1 (Oct 23, 2010)

I'm guessing you didn't read how to configure the FreeBSD kernel, did you?


----------



## Dre (Oct 23, 2010)

```
cat /usr/src/sys/conf/NOTES | grep IPFIREWALL
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends
# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
# WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# depends on IPFIREWALL if compiled into the kernel.
# IPFIREWALL_FORWARD enables changing of the packet destination either
# IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options         IPFIREWALL_FORWARD      #packet destination changes
options         IPFIREWALL_NAT          #ipfw kernel nat support
# DUMMYNET enables the "dummynet" bandwidth limiter.  You need IPFIREWALL
```

Does that mean that IPFIREWALL_VERBOSE is already activated in my current kernel then?


----------



## phoenix (Oct 23, 2010)

SIFE said:

> There is a GENERIC file under /usr/src/sys/${arch}/conf/, where ${arch} is i386 or amd64, depending on your CPU type.
> You can also see /usr/src/sys/conf/NOTES for adding options to the kernel.
> 
> ```
> ...
> ```



Don't forget about /usr/src/sys/<arch>/conf/NOTES.  Both files are needed to see all the available options/devices.


----------



## gordon@ (Oct 23, 2010)

If you just want a GENERIC kernel with some tweaks, I would create a config file with something like:

```
include GENERIC

ident MYKERNEL-GENERIC
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
```

That should work for you.


----------



## pelmen (Oct 23, 2010)

For these options a recompile of the kernel is not mandatory


```
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options         IPFIREWALL_NAT          #ipfw kernel nat support
```

The equivalent in /boot/loader.conf:

```
ipfw_load="YES"
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=10
net.inet.ip.fw.default_to_accept=1

libalias_load="YES"
```


----------



## wblock@ (Oct 23, 2010)

Dre said:

> ```
> cat /usr/src/sys/conf/NOTES | grep IPFIREWALL
> ```



UUOC...
`%  grep IPFIREWALL /usr/src/sys/conf/NOTES`

...



> Does that mean that IPFIREWALL_VERBOSE is already activated in my current kernel then?



No, NOTES is a file of notes, examples of what can be in a kernel config file.  killasmurf86 showed how to locate the kernel file in use in post #2.


----------



## Dre (Oct 23, 2010)

wblock said:

> UUOC...
> `%  grep IPFIREWALL /usr/src/sys/conf/NOTES`
> 
> ...




What is it that I don't understand then?

```
grep IPFIREWALL /usr/src/sys/i386/conf/GENERIC
```
returns nothing...
How come ipfw works for me? (haven't been able to get logging to work though)


----------



## wblock@ (Oct 24, 2010)

Dre said:

> What is it that I don't understand then?
> 
> ```
> grep IPFIREWALL /usr/src/sys/i386/conf/GENERIC
> ...
> ```



`% kldstat`

Does that show ipfw.ko?  Then that module is not part of the kernel, but was loaded somehow.  Maybe included in /boot/loader.conf, maybe /etc/rc.d/ipfw auto-loads it.


----------



## Dre (Oct 24, 2010)

wblock said:

> `% kldstat`
> 
> Does that show ipfw.ko?  Then that module is not part of the kernel, but was loaded somehow.  Maybe included in /boot/loader.conf, maybe /etc/rc.d/ipfw auto-loads it.



ipfw appears to be loaded from somewhere else then.


```
kldstat
Id Refs Address    Size     Name
 1   19 0xc0400000 bb5504   kernel
 2    1 0xc0fb6000 13fe8    ipfw.ko
```

I've added

```
ipfw_load="YES"
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=100
net.inet.ip.fw.default_to_accept=1

libalias_load="YES"
```
to /boot/loader.conf

ipfw worked before I added those lines though.

I don't have a /etc/rc.d/ipfw file.



Any way of finding out if the logging functionality of ipfw is activated too? Can it be activated from outside the kernel in a similar way that the ipfw apparently is activated?


----------



## Dre (Oct 24, 2010)

To answer my own question.
Yes, the ipfw logging function can be activated from outside the kernel. (according to http://www.freebsd.org/doc/handbook/firewalls-ipfw.html)

Logging works for me if I put the

```
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
```
in /etc/sysctl.conf instead of in /boot/loader.conf.


----------
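An added example, not part of any post in this thread: a shell sketch of the two checks the thread converges on, namely whether ipfw is compiled into the kernel or loaded as `ipfw.ko`, and whether logging is switched on through the `net.inet.ip.fw.verbose` sysctl. The function names and every `SAMPLE_*` input are constructed for illustration; the kernel config is assumed to be a flat file (`include` lines are not followed).

```shell
#!/bin/sh
# Added example (not from the thread). All SAMPLE_* inputs are constructed.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1   19 0xc0400000 bb5504   kernel
 2    1 0xc0fb6000 13fe8    ipfw.ko'
SAMPLE_KERNCONF='ident   GENERIC
options INET
options SCHED_ULE'
SAMPLE_SYSCTL_CONF='# constructed /etc/sysctl.conf
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5'

# ipfw_origin KLDSTAT_TEXT KERNCONF_TEXT
# Prints "builtin" if the config has an uncommented "options IPFIREWALL",
# "module" if kldstat lists ipfw.ko, otherwise "absent".
# "include" lines in the config are not followed (assumption: flat config).
ipfw_origin() {
    if printf '%s\n' "$2" |
        grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL([[:space:]]|$)'; then
        echo builtin
    elif printf '%s\n' "$1" |
        awk 'NR > 1 && $5 == "ipfw.ko" { found = 1 } END { exit !found }'; then
        echo module
    else
        echo absent
    fi
}

# sysctl_value CONF_TEXT NAME
# Prints the last uncommented value assigned to NAME, or "unset".
sysctl_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { name = $1; gsub(/[ \t]/, "", name) }
        name == key { val = $2; gsub(/[ \t"]/, "", val); seen = 1 }
        END { print (seen ? val : "unset") }'
}

# ipfw_logging CONF_TEXT
# Prints "on limit=N" when net.inet.ip.fw.verbose is 1, otherwise "off".
ipfw_logging() {
    verbose=$(sysctl_value "$1" net.inet.ip.fw.verbose)
    limit=$(sysctl_value "$1" net.inet.ip.fw.verbose_limit)
    if [ "$verbose" = 1 ]; then echo "on limit=$limit"; else echo off; fi
}

ipfw_origin "$SAMPLE_KLDSTAT" "$SAMPLE_KERNCONF"   # module
ipfw_logging "$SAMPLE_SYSCTL_CONF"                 # on limit=5
```

On a FreeBSD host the same functions can be fed live data, for example `ipfw_origin "$(kldstat)" "$(cat /usr/src/sys/i386/conf/GENERIC)"`.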

