Installing FreeBSD 12: setting up SSH access, building the IPF firewall, compiling the kernel
Overview
FreeBSD is an excellent UNIX operating system. This article shows how to build a firewall on FreeBSD and how to compile the kernel. FreeBSD ships with three firewalls, PF, IPF and IPFW, each with its own characteristics; this article uses IPF as the example, covering its configuration files and compiling it into the kernel.
Installing FreeBSD
This installation uses the DVD image; accept the default first entry and press Enter to begin the installation:
Other media: a CD installation needs two discs, and a USB network installation requires a working network connection.
Choose Install to continue.
Accept the default keyboard layout.
Enter a hostname.
Because we will compile the kernel, ports and src are also selected here.
If you prefer to fetch ports and src from the network instead, you can do so after installation: reboot to the command prompt and run portsnap fetch extract to re-download ports and src.
Choose the partitioning method; the default is Auto (UFS).
Confirm that FreeBSD will be installed on da0.
A warning that partitioning will erase the existing data on this disk.
Choose MBR for disks under 2G, otherwise choose GPT.
The recommended partition layout; adjust it manually if necessary.
Commit starts writing to the disk; Back cancels (once you Commit, the existing data on the disk is overwritten).
Installing…
After the files have been installed, set an initial password for root.
Select a network interface to configure.
Whether to configure IPv4.
Choose No to configure it manually, otherwise choose DHCP.
Manual IP configuration; fill in the fields according to your situation. For a gateway firewall, leave the third field, Default Router, empty.
Given the state of the local ISPs, IPv6 does not need to be configured at present.
Configure DNS according to the information provided by your local ISP.
Select a time zone.
Choose according to your location.
Set the date and time.
Choose whether to synchronise the system clock; if you run encryption software such as a VPN, it is best to enable time synchronisation.
Some security options; choose as appropriate.
No users are added for now.
Select Exit to apply the configuration and leave the installer; this takes a few seconds.
There is no need to enter a shell; choose No to continue exiting.
If the optical drive boots first, remember to remove the disc, then press Enter and FreeBSD will reboot.
The boot and login screens after installation.
Log in as root with the password set earlier.
Enabling SSH login
Edit /etc/rc.conf and add:
sshd_enable="YES"
To allow root to log in over SSH (not recommended on a multi-user system), enable or add the following option in /etc/ssh/sshd_config; reboot the system after the change.
PermitRootLogin yes
Configuring the IPF firewall
The firewall is configured before it takes effect because, once the kernel has been compiled and installed, SSH will no longer be reachable; if you are working at the local console this does not matter.
Add the ipf startup entries to /etc/rc.conf. They cover both IPF and NAT: IPF provides the packet filtering and is configured in /etc/ipf.rules; NAT provides address translation, which is what gives the LAN Internet access, and is configured in /etc/ipnat.rules.
Add the following to rc.conf to enable ipf and ipnat:
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dsn"
# ---------------------------------------
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
#----------------------------------------------------------------------
Firewall configuration file /etc/ipf.rules
#=======================================================================================
# 2016/4/21
#
# How IPF matches rules:
# When traffic hits a port, the rules are scanned from top to bottom; once a
# matching rule is found, the remaining rules are not checked, and even if a
# later rule conflicts with it, the rule found first applies.
#=======================================================================================
# Intranet device / lan
# em0="192.168.1.1"
# Internet device /
# em1=""
# tun0="dhcp"
#
# Reload ipf by hand with
# ipf -Fa -f /etc/ipf.rules
#---------------------------------------------------------------------------------------
# The kernel is built with default block, so these two rules are redundant
#block in all
#block out all
# loopback (fully open)
pass in on lo0 all
pass out on lo0 all
# NIC (fully open)
pass in on em0 all
pass out on em0 all
# NIC (fully open)
pass in on em1 all
pass out on em1 all
# PPTP (outbound open, inbound blocked)
pass out on tun0 all
#pass in on tun0 all
# PPTP VPN
#pass out on tun1 all
#pass in on tun1 all
#---------------------------------------------------------------------------------------
#---------------------------------------------------------------------------------------
# loopback
#----------------------------------------------------------------
pass in quick on lo0 proto tcp from any to any flags S keep state
pass out quick on lo0 proto tcp from any to any flags S keep state
pass in quick on lo0 proto udp from any to any keep state
pass out quick on lo0 proto udp from any to any keep state
#----------------------------------------------------------------
pass in quick on lo0 proto icmp all
pass out quick on lo0 proto icmp all
#----------------------------------------------------------------
#---------------------------------------------------------------------------------------
# link to pppoe device
#----------------------------------------------------------------
pass in quick on em1 proto tcp from any to any flags S keep state
pass out quick on em1 proto tcp from any to any flags S keep state
pass in quick on em1 proto udp from any to any keep state
pass out quick on em1 proto udp from any to any keep state
#----------------------------------------------------------------
pass in quick on em1 proto icmp all
pass out quick on em1 proto icmp all
#----------------------------------------------------------------
#---------------------------------------------------------------------------------------
# lan
#----------------------------------------------------------------
pass in quick on em0 proto tcp from any to any flags S keep state
pass out quick on em0 proto tcp from any to any flags S keep state
pass in quick on em0 proto udp from any to any keep state
pass out quick on em0 proto udp from any to any keep state
#----------------------------------------------------------------
pass in quick on em0 proto icmp all
pass out quick on em0 proto icmp all
#----------------------------------------------------------------
#---------------------------------------------------------------------------------------
# tun0 (PPPoE dial-up)
# No restriction on outbound access, but inbound stays blocked
#----------------------------------------------------------------
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
#pass in quick on tun0 proto tcp from any to any flags S keep state
#pass in quick on tun0 proto udp from any to any keep state
#----------------------------------------------------------------
# Allow some ICMP (ping) through in both directions
pass out quick on tun0 proto icmp all
#pass in quick on tun0 proto icmp all
pass in quick on tun0 proto icmp from any to any icmp-type 0
pass in quick on tun0 proto icmp from any to any icmp-type 8
#----------------------------------------------------------------
#----------------------------------------------------------------
# tun0 allow pptp (success)
#----------------------------------------------------------------
#pass out quick on tun0 proto tcp from any to any port = 1723 flags S keep state
#----------------------------------------------------------------
pass out proto gre from any to any keep state
pass in proto gre from any to any keep state
#----------------------------------------------------------------
#----------------------------------------------------------------
# tun0 allow vpn income
#----------------------------------------------------------------
pass in quick on tun0 proto udp from any to any port = 1194 keep state
#----------------------------------------------------------------
#----------------------------------------------------------------
# tun0 allow https income
#----------------------------------------------------------------
pass in quick on tun0 proto tcp from any to any port = 443 keep state
#----------------------------------------------------------------
#---------------------------------------------------------------------------------------
# tun1 (vpn, if present)
#----------------------------------------------------------------
pass in quick on tun1 proto tcp from any to any flags S keep state
pass out quick on tun1 proto tcp from any to any flags S keep state
pass in quick on tun1 proto udp from any to any keep state
pass out quick on tun1 proto udp from any to any keep state
#----------------------------------------------------------------
pass in quick on tun1 proto icmp all
pass out quick on tun1 proto icmp all
#----------------------------------------------------------------
#---------------------------------------------------------------------------------------
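The effect of the rule set above, and the reason this article insists on having the rules in place before the kernel enforces default block, can be checked with a small model of ipf(5) evaluation. The following is an added example written for this article; it is not part of FreeBSD or ipf(8), and Rule, load_rules, evaluate, evaluate_with_prepended and RULES_TEXT are its own names. It models only the syntax used in this file (pass/block, in/out, quick, on, proto, `port = N` as the destination port, `icmp-type N`, `all`), treats every packet as the first packet of a new flow (so `flags S` and `keep state` are not modelled), and applies the actual ipf(5) semantics: rules are scanned top to bottom, the last matching rule wins unless a matching rule carries `quick`, which ends the scan, and with IPFILTER_DEFAULT_BLOCK in the kernel a packet that no rule matches is blocked. Since nearly every rule in this file carries `quick`, the first match decides for them. RULES_TEXT is a subset of the rules above; the sample packets are constructed.

```python
import re

# Added example for this article: a minimal model of ipf(5) rule matching.
# It is NOT ipf(8) and covers only the syntax used in /etc/ipf.rules above.
# Semantics modelled: scan top to bottom; last match wins unless a matching
# rule says 'quick', which ends the scan; unmatched packets get the default
# ('block' when the kernel has IPFILTER_DEFAULT_BLOCK, 'pass' otherwise).


class Rule:
    def __init__(self, line):
        tok = line.split()
        self.text = line
        self.action = tok[0]                      # 'pass' or 'block'
        self.direction = tok[1]                   # 'in' or 'out'
        self.quick = 'quick' in tok
        self.iface = tok[tok.index('on') + 1] if 'on' in tok else None
        self.proto = tok[tok.index('proto') + 1] if 'proto' in tok else None
        m = re.search(r'\bport = (\d+)', line)    # 'to any port = N': destination port
        self.dport = int(m.group(1)) if m else None
        m = re.search(r'\bicmp-type (\d+)', line)
        self.icmp_type = int(m.group(1)) if m else None

    def matches(self, pkt):
        """pkt: dict with dir, iface, proto and optionally dport / icmp_type."""
        if self.direction != pkt['dir']:
            return False
        if self.iface is not None and self.iface != pkt['iface']:
            return False
        if self.proto is not None and self.proto != pkt['proto']:
            return False
        if self.dport is not None and self.dport != pkt.get('dport'):
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.get('icmp_type'):
            return False
        return True


def load_rules(text):
    """Parse rule lines, skipping blanks and '#' comments, keeping file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith('#'):
            rules.append(Rule(line))
    return rules


def evaluate(rules, pkt, default='block'):
    """Return (verdict, index of the deciding rule, or None when the default applied)."""
    verdict, decided_by = default, None
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            verdict, decided_by = rule.action, i
            if rule.quick:          # 'quick' ends the scan; otherwise keep looking
                break
    return verdict, decided_by


# Subset of the /etc/ipf.rules above (em0 = LAN, tun0 = PPPoE uplink).
RULES_TEXT = """
pass in on em0 all
pass out on em0 all
pass out on tun0 all
pass in quick on em0 proto tcp from any to any flags S keep state
pass in quick on em0 proto udp from any to any keep state
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp all
pass in quick on tun0 proto icmp from any to any icmp-type 0
pass in quick on tun0 proto icmp from any to any icmp-type 8
pass in proto gre from any to any keep state
pass in quick on tun0 proto udp from any to any port = 1194 keep state
pass in quick on tun0 proto tcp from any to any port = 443 keep state
"""
RULES = load_rules(RULES_TEXT)


def evaluate_with_prepended(extra_rule, pkt):
    """Re-evaluate pkt with one extra rule placed at the top of the file."""
    return evaluate([Rule(extra_rule)] + RULES, pkt)


if __name__ == '__main__':
    # Constructed packets: what arrives on the uplink versus the LAN side.
    samples = {
        'ssh from Internet (tun0, tcp/22)':    {'dir': 'in', 'iface': 'tun0', 'proto': 'tcp', 'dport': 22},
        'https from Internet (tun0, tcp/443)': {'dir': 'in', 'iface': 'tun0', 'proto': 'tcp', 'dport': 443},
        'ssh from LAN (em0, tcp/22)':          {'dir': 'in', 'iface': 'em0', 'proto': 'tcp', 'dport': 22},
        'ping request from Internet (icmp 8)': {'dir': 'in', 'iface': 'tun0', 'proto': 'icmp', 'icmp_type': 8},
    }
    for name, pkt in samples.items():
        verdict, idx = evaluate(RULES, pkt)
        by = RULES[idx].text if idx is not None else 'default (IPFILTER_DEFAULT_BLOCK)'
        print(f'{name:40s} -> {verdict:5s} by: {by}')
```

Running the block shows inbound SSH on tun0 blocked by the default while the same connection on em0 passes, which is exactly why the rules must be loaded before the default-block kernel goes live. evaluate_with_prepended makes the ordering point concrete: a `block in quick on tun0 all` at the top overrides the later 443 pass rule, whereas the same block without `quick` is overridden by it.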
NAT configuration /etc/ipnat.rules
#-------------------------------------------------------------------
# To reload NAT from the command line, run
# ipnat -CF -f /etc/ipnat.rules
#-------------------------------------------------------------------
# Address translation
# The FTP proxy rules come first: ipnat applies the first matching rule, so
# they would never be reached if placed after the general map rules below.
# FTP access from the LAN
map tun0 192.168.1.0/24 -> 0/32 proxy port 21 ftp/tcp
# FTP access from the gateway itself
map tun0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
# TCP/UDP traffic from the LAN, translated source ports taken from 20000:60000
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
# This one handles all remaining non-FTP traffic from the LAN
map tun0 192.168.1.0/24 -> 0/32
# When dialling out to a remote pptp vpn (port 1723) the gre protocol must be passed
map tun0 0.0.0.0/0 -> 192.168.1.0/24 gre
map tun0 192.168.1.0/24 -> 0.0.0.0/0 gre
#-------------------------------------------------------------------
# Port forwarding; enable when needed
# The matching pass rule must also be added to the firewall configuration ipf.rules
#-------------------------------------------------------------------
rdr tun0 0.0.0.0/0 port 443 -> 192.168.1.100 port 443
#rdr tun0 0.0.0.0/0 port 80 -> 192.168.1.102 port 80
#-------------------------------------------------------------------
Compiling the kernel
A custom kernel build lets you optimise the kernel. The default GENERIC kernel is better suited to development than to production: it enables every driver and carries debug information. Building your own kernel drops drivers you do not need and strips the unneeded debug information, which improves kernel efficiency and reduces memory usage.
Compiling the firewall into the kernel is also more efficient. Pick the kernel configuration template for your CPU. Kernel configurations live under /usr/src/sys: for amd64 (64-bit) CPUs in /usr/src/sys/amd64/conf, for i386 (32-bit) CPUs in /usr/src/sys/i386/conf. Each directory contains a GENERIC file, the generic configuration. Go into the directory for your CPU and copy GENERIC to a new file; the name is up to you.
Copy GENERIC to a file named zero. GENERIC is the default kernel configuration; zero will be the configuration file for the new kernel.
cd /usr/src/sys/amd64/conf
cp GENERIC zero
The new file zero is now present.
Edit zero with vi or ee and append the following IPF firewall options at the end:
options IPFILTER
options IPFILTER_LOG
options IPFILTER_LOOKUP
options IPFILTER_DEFAULT_BLOCK
If you need kernel support for PPPoE, PPTP or a VPN, also add the following options:
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_PPPOE
options NETGRAPH_SOCKET
If you do not need to debug the kernel (that is, you are not doing kernel development), these options can be disabled by prefixing them with # to comment them out:
#makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
#makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support
#options KDB # Enable kernel debugger support.
#options KDB_TRACE # Print a stack trace for a panic.
The ident value in the configuration must also be changed to match the name of the newly copied file.
You can also disable drivers you will not use, for example RAID drivers (rarely needed on a PC) and unused NIC drivers; my configuration is attached at the end of the article.
Once everything is ready, the kernel can be built. If the configuration is wrong, the build will abort at the start or part-way through with an appropriate message.
The full kernel build takes a long time, from roughly 20 minutes to several hours depending on CPU and disk performance.
After the build, and before installing the new kernel, always back up the old kernel. If the new kernel misbehaves, you can then boot the system from the old kernel, fix the configuration and rebuild. The commands below use mv to back up the old kernel; you can keep several backed-up kernels, each in its own directory.
# Change to /usr/src
cd /usr/src
# Build the kernel; KERNCONF names the configuration file
make buildkernel KERNCONF=zero
# Back up the old kernel to the GENERIC directory (you can recover if the new kernel fails to boot; keeping at least one known-good kernel is a good habit)
mv /boot/kernel /boot/GENERIC
# Install the new kernel; KERNCONF names the configuration file
make installkernel KERNCONF=zero
# Reboot the system
reboot
Kernel build complete.
Kernel installed; type reboot to restart the system.
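The mistakes this section warns about (an ident that still reads GENERIC, the IPF options missing, the debug options left active, and the note in the configuration below that XENHVM and xenpci must be added or removed together) can be caught before spending an hour on make buildkernel. The following checker is an added example written for this article, not a FreeBSD tool; parse_kernconf, check_kernconf, check_file and the constructed GOOD and BAD snippets are its own names. It assumes, from the way the options are grouped above, that the NETGRAPH_* options require NETGRAPH.

```python
import os

# Added example for this article (not a FreeBSD tool): lint a config(5) kernel
# configuration file for the mistakes this section warns about, before
# running 'make buildkernel KERNCONF=<name>'.

REQUIRED_IPF = {'IPFILTER', 'IPFILTER_LOG', 'IPFILTER_LOOKUP', 'IPFILTER_DEFAULT_BLOCK'}
DEBUG_OPTS = {'KDB', 'KDB_TRACE'}      # expected to be commented out for production
# (dependent, required) pairs; assumption: the NETGRAPH_* options need NETGRAPH.
OPTION_DEPS = [('NETGRAPH_ETHER', 'NETGRAPH'), ('NETGRAPH_PPPOE', 'NETGRAPH'),
               ('NETGRAPH_SOCKET', 'NETGRAPH')]


def parse_kernconf(text):
    """Return (ident, cpu, active options, active devices, makeoptions).
    Everything after '#' is a comment, so commented-out lines are ignored."""
    ident = cpu = None
    options, devices, makeopts = set(), set(), {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0], parts[1].strip()
        if keyword == 'ident':
            ident = value
        elif keyword == 'cpu':
            cpu = value
        elif keyword == 'options':
            options.add(value.split('=', 1)[0])     # 'SCSI_DELAY=5000' -> 'SCSI_DELAY'
        elif keyword == 'device':
            devices.add(value)
        elif keyword == 'makeoptions':
            key, _, val = value.partition('=')
            makeopts[key] = val
    return ident, cpu, options, devices, makeopts


def check_kernconf(text, config_name):
    """Return a list of problems; an empty list means the config passes these checks."""
    ident, cpu, options, devices, makeopts = parse_kernconf(text)
    problems = []
    if cpu is None:
        problems.append('no cpu line')
    if ident != config_name:
        problems.append(f'ident is {ident!r} but the file is named {config_name!r}')
    for opt in sorted(REQUIRED_IPF - options):
        problems.append(f'missing IPF option {opt}')
    for opt in sorted(DEBUG_OPTS & options):
        problems.append(f'debug option {opt} is still enabled')
    if 'DEBUG' in makeopts:
        problems.append('makeoptions DEBUG still builds debug symbols')
    for dep, req in OPTION_DEPS:
        if dep in options and req not in options:
            problems.append(f'option {dep} needs option {req}')
    # From the configuration's own note: XENHVM and device xenpci go together.
    if ('XENHVM' in options) != ('xenpci' in devices):
        problems.append('XENHVM and device xenpci must be enabled together')
    return problems


def check_file(path):
    """Lint a configuration on disk, e.g. /usr/src/sys/amd64/conf/zero."""
    with open(path) as f:
        return check_kernconf(f.read(), os.path.basename(path))


# Constructed snippets standing in for a real configuration file.
GOOD = """
cpu HAMMER
ident zero
#makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
#options KDB # Enable kernel debugger support.
options SCSI_DELAY=5000
options XENHVM
device xenpci
options IPFILTER
options IPFILTER_LOG
options IPFILTER_LOOKUP
options IPFILTER_DEFAULT_BLOCK
options NETGRAPH
options NETGRAPH_PPPOE
"""

# A copy of GENERIC with only two IPF options appended: ident still says
# GENERIC, KDB and DEBUG are active, and NETGRAPH_PPPOE was added without NETGRAPH.
BAD = """
cpu HAMMER
ident GENERIC
makeoptions DEBUG=-g
options KDB
options IPFILTER
options IPFILTER_DEFAULT_BLOCK
options NETGRAPH_PPPOE
"""

if __name__ == '__main__':
    for name, text in (('GOOD', GOOD), ('BAD', BAD)):
        print(name, check_kernconf(text, 'zero') or 'ok')
```

Run check_file('/usr/src/sys/amd64/conf/zero') on the real file before make buildkernel; an ident mismatch is the first thing it reports, because that is the one mistake the build itself will not stop for.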
The following is the configuration I use, with RAID and some older NICs disabled; re-enable them in the configuration if you need RAID support.
#
# GENERIC -- Generic kernel configuration file for FreeBSD/amd64
#
# For more information on this file, please read the config(5) manual page,
# and/or the handbook section on Kernel Configuration Files:
#
# https://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (https://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: releng/12.0/sys/amd64/conf/GENERIC 339704 2018-10-25 05:18:25Z imp $
cpu HAMMER
ident zero
#makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
#makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support
options SCHED_ULE # ULE scheduler
options NUMA # Non-Uniform Memory Architecture support
options PREEMPTION # Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_OFFLOAD # TCP offload
options TCP_BLACKBOX # Enhanced TCP event logging
options TCP_HHOOK # hhook(9) framework for TCP
options TCP_RFC7413 # TCP Fast Open
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options QUOTA # Enable disk quotas for UFS
options MD_ROOT # MD is a potential root device
options NFSCL # Network Filesystem Client
options NFSD # Network Filesystem Server
options NFSLOCKD # Network Lock Manager
options NFS_ROOT # NFS usable as /, requires NFSCL
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_RAID # Soft RAID functionality.
options GEOM_LABEL # Provides labelization
options EFIRT # EFI Runtime Services support
options COMPAT_FREEBSD32 # Compatible with i386 binaries
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options COMPAT_FREEBSD7 # Compatible with FreeBSD7
options COMPAT_FREEBSD9 # Compatible with FreeBSD9
options COMPAT_FREEBSD10 # Compatible with FreeBSD10
options COMPAT_FREEBSD11 # Compatible with FreeBSD11
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed.
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
options CAPABILITY_MODE # Capsicum capability mode
options CAPABILITIES # Capsicum capabilities
options MAC # TrustedBSD MAC Framework
options KDTRACE_FRAME # Ensure frames are compiled in
options KDTRACE_HOOKS # Kernel DTrace hooks
options DDB_CTF # Kernel ELF linker loads CTF data
options INCLUDE_CONFIG_FILE # Include this file in kernel
options RACCT # Resource accounting framework
options RACCT_DEFAULT_TO_DISABLED # Set kern.racct.enable=0 by default
options RCTL # Resource limits
# Debugging support. Always need this:
#options KDB # Enable kernel debugger support.
#options KDB_TRACE # Print a stack trace for a panic.
# Kernel dump features.
options EKCD # Support for encrypted kernel dumps
options GZIO # gzip-compressed kernel and user dumps
options ZSTDIO # zstd-compressed kernel and user dumps
options NETDUMP # netdump(4) client support
# Make an SMP-capable kernel by default
options SMP # Symmetric MultiProcessor Kernel
options EARLY_AP_STARTUP
# CPU frequency control
device cpufreq
# Bus support.
device acpi
options ACPI_DMAR
device pci
options PCI_HP # PCI-Express native HotPlug
options PCI_IOV # PCI SR-IOV support
# Floppy drives
device fdc
# ATA controllers
device ahci # AHCI-compatible SATA controllers
device ata # Legacy ATA/SATA controllers
device mvs # Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
device siis # SiliconImage SiI3124/SiI3132/SiI3531 SATA
# SCSI Controllers
device ahc # AHA2940 and onboard AIC7xxx devices
device ahd # AHA39320/29320 and onboard AIC79xx devices
device esp # AMD Am53C974 (Tekram DC-390(T))
device hptiop # Highpoint RocketRaid 3xxx series
device isp # Qlogic family
#device ispfw # Firmware for QLogic HBAs- normally a module
device mpt # LSI-Logic MPT-Fusion
device mps # LSI-Logic MPT-Fusion 2
device mpr # LSI-Logic MPT-Fusion 3
#device ncr # NCR/Symbios Logic
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr')
device trm # Tekram DC395U/UW/F DC315U adapters
device isci # Intel C600 SAS controller
device ocs_fc # Emulex FC adapters
# ATA/SCSI peripherals
device scbus # SCSI bus (required for ATA/SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct ATA/SCSI access)
device ses # Enclosure Services (SES and SAF-TE)
#device ctl # CAM Target Layer
# RAID controllers interfaced to the SCSI subsystem
#device amr # AMI MegaRAID
#device arcmsr # Areca SATA II RAID
#device ciss # Compaq Smart RAID 5*
#device dpt # DPT Smartcache III, IV - See NOTES for options
#device hptmv # Highpoint RocketRAID 182x
#device hptnr # Highpoint DC7280, R750
#device hptrr # Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
#device hpt27xx # Highpoint RocketRAID 27xx
#device iir # Intel Integrated RAID
#device ips # IBM (Adaptec) ServeRAID
#device mly # Mylex AcceleRAID/eXtremeRAID
#device twa # 3ware 9000 series PATA/SATA RAID
#device smartpqi # Microsemi smartpqi driver
#device tws # LSI 3ware 9750 SATA+SAS 6Gb/s RAID controller
# RAID controllers
#device aac # Adaptec FSA RAID
#device aacp # SCSI passthrough for aac (requires CAM)
#device aacraid # Adaptec by PMC RAID
#device ida # Compaq Smart RAID
#device mfi # LSI MegaRAID SAS
#device mlx # Mylex DAC960 family
#device mrsas # LSI/Avago MegaRAID SAS/SATA, 6Gb/s and 12Gb/s
#device pmspcv # PMC-Sierra SAS/SATA Controller driver
##XXX pointer/int warnings
##device pst # Promise Supertrak SX6000
#device twe # 3ware ATA RAID
# NVM Express (NVMe) support
device nvme # base NVMe driver
device nvd # expose NVMe namespaces as disks, depends on nvme
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
options VESA # Add support for VESA BIOS Extensions (VBE)
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
options SC_PIXEL_MODE # add support for the raster text mode
# vt is the new video console driver
device vt
device vt_vga
device vt_efifb
device agp # support several AGP chipsets
# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device cbb # cardbus (yenta) bridge
#device pccard # PC Card (16-bit) bus
#device cardbus # CardBus (32-bit) bus
# Serial (COM) ports
device uart # Generic UART driver
# Parallel port
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
device ppi # Parallel port interface device
#device vpo # Requires scbus and da
device puc # Multi I/O cards and multi-channel UARTs
# PCI Ethernet NICs.
device bxe # Broadcom NetXtreme II BCM5771X/BCM578XX 10GbE
device de # DEC/Intel DC21x4x (``Tulip'')
device em # Intel PRO/1000 Gigabit Ethernet Family
device ix # Intel PRO/10GbE PCIE PF Ethernet
device ixv # Intel PRO/10GbE PCIE VF Ethernet
device ixl # Intel 700 Series Physical Function
device iavf # Intel Adaptive Virtual Function
device le # AMD Am7900 LANCE and Am79C9xx PCnet
device ti # Alteon Networks Tigon I/II gigabit Ethernet
device txp # 3Com 3cR990 (``Typhoon'')
device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
#device ae # Attansic/Atheros L2 FastEthernet
#device age # Attansic/Atheros L1 Gigabit Ethernet
#device alc # Atheros AR8131/AR8132 Ethernet
#device ale # Atheros AR8121/AR8113/AR8114 Ethernet
#device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
#device bfe # Broadcom BCM440x 10/100 Ethernet
#device bge # Broadcom BCM570xx Gigabit Ethernet
#device cas # Sun Cassini/Cassini+ and NS DP83065 Saturn
#device dc # DEC/Intel 21143 and various workalikes
#device et # Agere ET1310 10/100/Gigabit Ethernet
#device fxp # Intel EtherExpress PRO/100B (82557, 82558)
#device gem # Sun GEM/Sun ERI/Apple GMAC
#device hme # Sun HME (Happy Meal Ethernet)
#device jme # JMicron JMC250 Gigabit/JMC260 Fast Ethernet
#device lge # Level 1 LXT1001 gigabit Ethernet
#device msk # Marvell/SysKonnect Yukon II Gigabit Ethernet
#device nfe # nVidia nForce MCP on-board Ethernet
#device nge # NatSemi DP83820 gigabit Ethernet
#device pcn # AMD Am79C97x PCI 10/100 (precedence over 'le')
#device re # RealTek 8139C+/8169/8169S/8110S
#device rl # RealTek 8129/8139
#device sf # Adaptec AIC-6915 (``Starfire'')
#device sge # Silicon Integrated Systems SiS190/191
#device sis # Silicon Integrated Systems SiS 900/SiS 7016
#device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
#device ste # Sundance ST201 (D-Link DFE-550TX)
#device stge # Sundance/Tamarack TC9021 gigabit Ethernet
#device tl # Texas Instruments ThunderLAN
#device tx # SMC EtherPower II (83c170 ``EPIC'')
#device vge # VIA VT612x gigabit Ethernet
#device vr # VIA Rhine, Rhine II
#device wb # Winbond W89C840F
#device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# Wireless NIC cards
device wlan # 802.11 support
options IEEE80211_DEBUG # enable debug msgs
options IEEE80211_AMPDU_AGE # age frames in AMPDU reorder q's
options IEEE80211_SUPPORT_MESH # enable 802.11s draft support
device wlan_wep # 802.11 WEP support
device wlan_ccmp # 802.11 CCMP support
device wlan_tkip # 802.11 TKIP support
device wlan_amrr # AMRR transmit rate control algorithm
#device an # Aironet 4500/4800 802.11 wireless NICs.
#device ath # Atheros NICs
#device ath_pci # Atheros pci/cardbus glue
#device ath_hal # pci/cardbus chip support
#options AH_SUPPORT_AR5416 # enable AR5416 tx/rx descriptors
#options AH_AR5416_INTERRUPT_MITIGATION # AR5416 interrupt mitigation
#options ATH_ENABLE_11N # Enable 802.11n support for AR5416 and later
#device ath_rate_sample # SampleRate tx rate control for ath
##device bwi # Broadcom BCM430x/BCM431x wireless NICs.
##device bwn # Broadcom BCM43xx wireless NICs.
#device ipw # Intel 2100 wireless NICs.
#device iwi # Intel 2200BG/2225BG/2915ABG wireless NICs.
#device iwn # Intel 4965/1000/5000/6000 wireless NICs.
#device malo # Marvell Libertas wireless NICs.
#device mwl # Marvell 88W8363 802.11n wireless NICs.
#device ral # Ralink Technology RT2500 wireless NICs.
#device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device wpi # Intel 3945ABG wireless NICs.
# Pseudo devices.
device crypto # core crypto support
device loop # Network loopback
device random # Entropy device
device padlock_rng # VIA Padlock RNG
device rdrand_rng # Intel Bull Mountain RNG
device ether # Ethernet support
device vlan # 802.1Q VLAN support
device tun # Packet tunnel.
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device firmware # firmware assist module
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter
# USB support
options USB_DEBUG # enable debug msgs
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device xhci # XHCI PCI->USB interface (USB 3.0)
device usb # USB Bus (required)
device ukbd # Keyboard
device umass # Disks/Mass storage - Requires scbus and da
# Sound support
device sound # Generic sound driver (required)
device snd_cmi # CMedia CMI8338/CMI8738
device snd_csa # Crystal Semiconductor CS461x/428x
device snd_emu10kx # Creative SoundBlaster Live! and Audigy
device snd_es137x # Ensoniq AudioPCI ES137x
device snd_hda # Intel High Definition Audio
device snd_ich # Intel, NVidia and other ICH AC'97 Audio
device snd_via8233 # VIA VT8233x Audio
# MMC/SD
device mmc # MMC/SD bus
device mmcsd # MMC/SD memory card
device sdhci # Generic PCI SD Host Controller
# VirtIO support
device virtio # Generic VirtIO bus (required)
device virtio_pci # VirtIO PCI device
device vtnet # VirtIO Ethernet device
device virtio_blk # VirtIO Block device
device virtio_scsi # VirtIO SCSI device
device virtio_balloon # VirtIO Memory Balloon device
# HyperV drivers and enhancement support
device hyperv # HyperV drivers
# Xen HVM Guest Optimizations
# NOTE: XENHVM depends on xenpci. They must be added or removed together.
options XENHVM # Xen HVM kernel infrastructure
device xenpci # Xen HVM Hypervisor services driver
# VMware support
device vmx # VMware VMXNET3 Ethernet
# Netmap provides direct access to TX/RX rings on supported NICs
device netmap # netmap(4) support
###################################################################
# IPF KERNEL
###################################################################
options IPFILTER
options IPFILTER_LOG
options IPFILTER_LOOKUP
options IPFILTER_DEFAULT_BLOCK
##############################################
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_PPPOE
options NETGRAPH_SOCKET
###################################################################