
Installing FreeBSD 12: enabling SSH access, building the IPF firewall into the kernel, kernel compilation

程序员文章站 2022-04-24 12:33:58

Contents

Overview

Installing FreeBSD

Enabling SSH login

Configuring the IPF firewall

Compiling the kernel


Overview

FreeBSD is an excellent UNIX operating system. This article describes how to build a firewall on FreeBSD and how to compile the kernel. FreeBSD ships with three firewalls, PF, IPF and IPFW, each with its own characteristics; this article uses IPF as the example, covering both the configuration files and the kernel build.

Installing FreeBSD

This install uses the DVD image. Accept the default first item and press Enter to start the installer.
Other media differ: the CD install needs two discs, and the USB/network install requires a network connection.

Choose Install to continue.

Choose the default keymap.

Enter a hostname.

Because the kernel will be compiled, ports and src are both selected here.
If you would rather download ports and src fresh from the network, that also works: after installation, reboot to the command prompt and run portsnap fetch extract to update ports and src.

Choose the partitioning method; the default is Auto (UFS).

Confirm that FreeBSD is to be installed on da0.

The installer warns that partitioning will erase the existing contents of the disk.

Choose MBR for disks under 2G, otherwise GPT.

The recommended partition layout; adjust it manually if necessary.

Commit starts writing to the disk; Back cancels (once you Commit, the existing data on the disk is overwritten).

Installing...

After the files are installed, set an initial password for root.

Select a network interface to configure.

Whether to configure IPv4.

Choose No for manual configuration, otherwise choose DHCP.

Manual IP configuration: fill in the values for your network. When the machine is to act as a gateway firewall, leave the third field, Default Router, empty.

Given the state of the local ISPs, IPv6 does not need to be configured for now.

Set DNS according to the information provided by your ISP.

Select the time zone.

Choose as appropriate.

Set the date and time.

Choose whether to synchronise the system clock; if you run a VPN or other cryptographic software, it is best to enable time synchronisation.

Some security options; choose as appropriate.

Do not add users for now.

Choose Exit to apply the configuration and leave the installer; this takes a few seconds.

There is no need to enter a shell; choose No to continue exiting.

If the optical drive is first in the boot order, remember to remove the disc, then press Enter and FreeBSD will reboot.

The boot screen and login prompt of the installed system.

Log in as root with the password set earlier.

Enabling SSH login

Edit /etc/rc.conf and add:

sshd_enable="YES"

To allow SSH access as root (not recommended on a multi-user system), enable or add the following option in /etc/ssh/sshd_config; the system needs to be rebooted after the change.

PermitRootLogin yes

Configuring the IPF firewall

The firewall is configured before it is actually in effect because, once the kernel is compiled and installed with default block, anything without a pass rule is dropped and SSH can no longer be reached; if you are working on the local console this does not matter.

Add the ipf startup entries to /etc/rc.conf. They cover both IPF and NAT: IPF provides the packet filtering and is configured in /etc/ipf.rules; NAT handles address translation, which is what lets the LAN reach the Internet, and is configured in /etc/ipnat.rules.

Add the following to rc.conf to enable ipf and ipnat:

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dsn"
# ---------------------------------------
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
#----------------------------------------------------------------------

Firewall configuration file /etc/ipf.rules

#=======================================================================================
# 2016/4/21
#
# How IPF matches rules:
# for a given packet, rules are checked from top to bottom; once a matching rule is
# found, later rules are not checked, even if a later rule conflicts with the current
# one: the rule found first wins.
#=======================================================================================
#	Intranet device / lan
#	em0="192.168.1.1"
#	Internet device /
#	em1=""
#	tun0="dhcp"
#
# Reload the rules by hand with:
# ipf -Fa -f /etc/ipf.rules
#---------------------------------------------------------------------------------------

# The kernel is built with default block, so these two rules are no longer needed
#block in all
#block out all

# Loopback (fully open)
pass in on lo0 all
pass out on lo0 all
# NIC (fully open)
pass in on em0 all
pass out on em0 all
# NIC (fully open)
pass in on em1 all
pass out on em1 all

# PPTP (outbound open, inbound blocked)
pass out on tun0 all
#pass in on tun0 all
# PPTP VPN
#pass out on tun1 all
#pass in on tun1 all
#---------------------------------------------------------------------------------------

#---------------------------------------------------------------------------------------
# loopback
#----------------------------------------------------------------
pass in  quick on lo0 proto tcp from any to any flags S keep state
pass out quick on lo0 proto tcp from any to any flags S keep state
pass in  quick on lo0 proto udp from any to any keep state
pass out quick on lo0 proto udp from any to any keep state
#----------------------------------------------------------------
pass in  quick on lo0 proto icmp all
pass out quick on lo0 proto icmp all
#----------------------------------------------------------------

#---------------------------------------------------------------------------------------
# link to pppoe device
#----------------------------------------------------------------
pass in  quick on em1 proto tcp from any to any flags S keep state
pass out quick on em1 proto tcp from any to any flags S keep state
pass in  quick on em1 proto udp from any to any keep state
pass out quick on em1 proto udp from any to any keep state
#----------------------------------------------------------------
pass in  quick on em1 proto icmp all
pass out quick on em1 proto icmp all
#----------------------------------------------------------------

#---------------------------------------------------------------------------------------
# lan
#----------------------------------------------------------------
pass in  quick on em0 proto tcp from any to any flags S keep state
pass out quick on em0 proto tcp from any to any flags S keep state
pass in  quick on em0 proto udp from any to any keep state
pass out quick on em0 proto udp from any to any keep state
#----------------------------------------------------------------
pass in  quick on em0 proto icmp all
pass out quick on em0 proto icmp all
#----------------------------------------------------------------

#---------------------------------------------------------------------------------------
# tun0 (PPPoE dial-up)
# Outbound access is unrestricted, inbound from outside stays blocked
#----------------------------------------------------------------
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
#pass in  quick on tun0 proto tcp from any to any flags S keep state
#pass in  quick on tun0 proto udp from any to any keep state
#----------------------------------------------------------------
# Allow some ICMP (ping) through in both directions
pass out quick on tun0 proto icmp all
#pass in  quick on tun0 proto icmp all
pass in quick on tun0 proto icmp from any to any icmp-type 0
pass in quick on tun0 proto icmp from any to any icmp-type 8
#----------------------------------------------------------------

#----------------------------------------------------------------
# tun0 allow pptp (success)
#----------------------------------------------------------------
#pass out quick on tun0 proto tcp from any to any port = 1723 flags S keep state
#----------------------------------------------------------------
pass out proto gre from any to any keep state
pass in  proto gre from any to any keep state
#----------------------------------------------------------------

#----------------------------------------------------------------
# tun0 allow vpn income
#----------------------------------------------------------------
pass in quick on tun0 proto udp from any to any port = 1194 keep state
#----------------------------------------------------------------

#----------------------------------------------------------------
# tun0 allow https income
#----------------------------------------------------------------
pass in quick on tun0 proto tcp from any to any port = 443 keep state
#----------------------------------------------------------------

#---------------------------------------------------------------------------------------
# tun1 (VPN, if present)
#----------------------------------------------------------------
pass in  quick on tun1 proto tcp from any to any flags S keep state
pass out quick on tun1 proto tcp from any to any flags S keep state
pass in  quick on tun1 proto udp from any to any keep state
pass out quick on tun1 proto udp from any to any keep state
#----------------------------------------------------------------
pass in quick on tun1 proto icmp all
pass out quick on tun1 proto icmp all
#----------------------------------------------------------------

#---------------------------------------------------------------------------------------
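To see what the tun0 section of the rules file above actually admits, here is an added Python model of ipf rule matching for the rule subset used in that file (example code written for this page, not part of the original post or of IPF itself). It assumes packets are described only by direction, interface, protocol, destination port and ICMP type, and it parses but ignores the flags S and keep state qualifiers.

```python
import re
from collections import namedtuple

# Constructed excerpt: the tun0 (Internet-facing PPPoE) rules from the /etc/ipf.rules above.
TUN0_RULES = """
pass out on tun0 all
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp all
pass in quick on tun0 proto icmp from any to any icmp-type 0
pass in quick on tun0 proto icmp from any to any icmp-type 8
pass in quick on tun0 proto udp from any to any port = 1194 keep state
pass in quick on tun0 proto tcp from any to any port = 443 keep state
"""

# A packet is reduced to the fields these rules test; dport is the destination port.
Packet = namedtuple("Packet", "direction iface proto dport icmp_type", defaults=(None, None))
Rule = namedtuple("Rule", "action direction quick iface proto dport icmp_type")

# Grammar subset: pass|block in|out [quick] [on IF] [proto P] [all | from X to Y]
# [port = N] [flags F] [icmp-type T] [keep state]; flags and keep state are parsed but ignored.
RULE_RE = re.compile(
    r"^(pass|block)\s+(in|out)(\s+quick)?(?:\s+on\s+(\S+))?(?:\s+proto\s+(\S+))?"
    r"(?:\s+all|\s+from\s+\S+\s+to\s+\S+)?(?:\s+port\s*=\s*(\d+))?"
    r"(?:\s+flags\s+\S+)?(?:\s+icmp-type\s+(\d+))?(?:\s+keep\s+state)?\s*$"
)

def parse_rules(text):
    """Parse rule lines, skipping blanks and # comments; reject anything outside the subset."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        act, dirn, quick, iface, proto, port, itype = m.groups()
        rules.append(Rule(act, dirn, quick is not None, iface, proto,
                          int(port) if port else None, int(itype) if itype else None))
    return rules

def matches(rule, pkt):
    """A None field in the rule is a wildcard (no 'on', no 'proto', 'all', no port)."""
    return (rule.direction == pkt.direction and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto) and rule.dport in (None, pkt.dport)
            and rule.icmp_type in (None, pkt.icmp_type))

def decide(rules, pkt, default="block"):
    """ipf semantics: the LAST matching rule wins, except that a matching rule marked
    quick ends evaluation at once. The default mirrors options IPFILTER_DEFAULT_BLOCK."""
    verdict = default
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict

def tun0_policy():
    """Verdicts for a few constructed packets arriving on or leaving via tun0."""
    rules = parse_rules(TUN0_RULES)
    probes = {"ssh in": Packet("in", "tun0", "tcp", dport=22),
              "https in": Packet("in", "tun0", "tcp", dport=443),
              "openvpn in": Packet("in", "tun0", "udp", dport=1194),
              "ping in": Packet("in", "tun0", "icmp", icmp_type=8),
              "unreachable in": Packet("in", "tun0", "icmp", icmp_type=3),
              "web out": Packet("out", "tun0", "tcp", dport=80)}
    return {name: decide(rules, p) for name, p in probes.items()}

def last_match_demo():
    """Without quick, a later block rule overrides an earlier pass; with quick it cannot."""
    pkt = Packet("in", "em0", "tcp", dport=22)
    block_ssh = "block in on em0 proto tcp from any to any port = 22"
    no_quick = parse_rules("pass in on em0 all\n" + block_ssh)
    with_quick = parse_rules("pass in quick on em0 all\n" + block_ssh)
    return decide(no_quick, pkt), decide(with_quick, pkt)
```

Note that ipf(5) walks the whole list and applies the last matching rule unless a matching rule carries quick, which ends evaluation immediately; the file above marks almost every rule quick, which is what makes it behave as the first-match description in its header intends.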

NAT configuration /etc/ipnat.rules

#-------------------------------------------------------------------
# To reload NAT from the command line:
# ipnat -CF -f /etc/ipnat.rules
#-------------------------------------------------------------------

# Address translation
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
# This handles all non-FTP traffic from the LAN
map tun0 192.168.1.0/24 -> 0/32
# FTP access from the LAN
map tun0 192.168.1.0/24 -> 0/32 proxy port 21 ftp/tcp
# FTP access from the gateway itself
map tun0 0.0.0.0/0       -> 0/32 proxy port 21 ftp/tcp

# PPTP VPN (1723) dial-out to a remote site requires the GRE protocol to be passed
map tun0 0.0.0.0/0 -> 192.168.1.0/24 gre
map tun0 192.168.1.0/24 -> 0.0.0.0/0 gre

#-------------------------------------------------------------------
# Port forwarding; enable when needed
# A matching pass rule must also be added to the firewall rules in ipf.rules
#-------------------------------------------------------------------
rdr tun0 0.0.0.0/0 port 443 -> 192.168.1.100 port 443
#rdr tun0 0.0.0.0/0 port 80 -> 192.168.1.102 port 80
#-------------------------------------------------------------------

Compiling the kernel

A custom kernel build can optimise the kernel. The default GENERIC kernel is better suited to development than to production: it enables every driver and carries debugging information. Building your own kernel lets you drop unneeded drivers and strip out the debugging information, improving kernel execution efficiency and reducing memory footprint.

Compiling the firewall into the kernel is more efficient. Choose the kernel configuration template that matches your CPU. Kernel configurations live under /usr/src/sys: for an amd64 (64-bit) CPU in /usr/src/sys/amd64/conf, for an i386 (32-bit) CPU in /usr/src/sys/i386/conf. Each directory contains a GENERIC file, the generic configuration. Change into the directory for your CPU and copy GENERIC to a new file; the name is up to you.


Copy GENERIC to a file named zero; GENERIC is the default kernel configuration file and zero will be the configuration file for the new kernel.

cd /usr/src/sys/amd64/conf
cp GENERIC zero

The new file zero is now present.

Edit zero with vi or ee and append the following IPF firewall options at the end:

options IPFILTER
options IPFILTER_LOG
options IPFILTER_LOOKUP
options IPFILTER_DEFAULT_BLOCK

If kernel support for PPPoE, PPTP, VPN or similar is required, also add the following options to the configuration:

options   NETGRAPH
options   NETGRAPH_ETHER
options   NETGRAPH_PPPOE
options   NETGRAPH_SOCKET

If you do not need to debug the kernel (that is, you are not doing kernel development), these options can be disabled by prefixing them with # to comment them out:

#makeoptions    DEBUG=-g                # Build kernel with gdb(1) debug symbols
#makeoptions    WITH_CTF=1              # Run ctfconvert(1) for DTrace support

#options        KDB                     # Enable kernel debugger support.
#options        KDB_TRACE               # Print a stack trace for a panic.

The ident value in the configuration must also be changed to match the name of the newly copied file.

Unused drivers can also be disabled, for example RAID drivers (usually not needed on a PC) and NIC drivers for hardware you do not have; my configuration is attached at the end of the article.

Once everything is ready, the kernel build can begin. If the configuration is wrong, the build is aborted either at the start or partway through, with an appropriate message.

The whole build takes a long time: depending on CPU and disk performance, anywhere from 20 minutes to several hours.

After the build completes and before installing the new kernel, be sure to back up the old kernel. That way, if the new kernel misbehaves, the system can still be booted from the old kernel so the configuration can be fixed and the kernel rebuilt. The commands below use mv to back up the old kernel; several backups can be kept, each in its own directory.

# change into /usr/src
cd /usr/src

# build the kernel; KERNCONF names the configuration file
make buildkernel KERNCONF=zero

# back up the old kernel to /boot/GENERIC (if the new kernel fails to boot you can still recover; keeping at least one known-good kernel around is a good habit)
mv /boot/kernel /boot/GENERIC

# install the new kernel; KERNCONF names the configuration file
make installkernel KERNCONF=zero

# reboot the system
reboot
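A small pre-build check for the steps above, as an added Python example (written for this page, not part of FreeBSD's config(8) tooling): it parses a kernel config file the way the page edits it and reports a mismatched ident, any of the four IPFILTER options missing, and debug settings left active. The two miniature configs embedded in it are constructed for the example, not real GENERIC files.

```python
# The four IPF options the page appends to the copied GENERIC config.
REQUIRED_OPTIONS = ("IPFILTER", "IPFILTER_LOG", "IPFILTER_LOOKUP", "IPFILTER_DEFAULT_BLOCK")
# Debug settings the page comments out for a production kernel.
DEBUG_SETTINGS = (("makeoptions", "DEBUG=-g"), ("makeoptions", "WITH_CTF=1"),
                  ("options", "KDB"), ("options", "KDB_TRACE"))

def parse_kernconf(text):
    """Return the active (uncommented) directives as (keyword, value) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0], parts[1].strip()))
    return entries

def check_kernconf(text, name):
    """Problems that would make 'make buildkernel KERNCONF=<name>' build something other
    than the kernel the page describes; an empty list means the config is ready."""
    entries = parse_kernconf(text)
    problems = []
    idents = [v for k, v in entries if k == "ident"]
    if idents != [name]:
        problems.append("ident must be %r, found %r" % (name, idents))
    active = {v for k, v in entries if k == "options"}
    for opt in REQUIRED_OPTIONS:
        if opt not in active:
            problems.append("missing: options %s" % opt)
    for kw, val in DEBUG_SETTINGS:
        if (kw, val) in entries:
            problems.append("debug setting still active: %s %s" % (kw, val))
    return problems

# Constructed miniature configs: one prepared as the page describes, one left as copied.
ZERO_CONF = """\
cpu\t\tHAMMER
ident\t\tzero
#makeoptions\tDEBUG=-g\t\t# Build kernel with gdb(1) debug symbols
options \tSCHED_ULE\t\t# ULE scheduler
#options \tKDB\t\t\t# Enable kernel debugger support.
options   IPFILTER
options   IPFILTER_LOG
options   IPFILTER_LOOKUP
options   IPFILTER_DEFAULT_BLOCK
"""
UNEDITED_CONF = """\
cpu\t\tHAMMER
ident\t\tGENERIC
makeoptions\tDEBUG=-g\t\t# Build kernel with gdb(1) debug symbols
options \tKDB\t\t\t# Enable kernel debugger support.
options   IPFILTER
"""
```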

Kernel build complete.

Kernel installation complete; enter reboot to restart the system.

Below is the configuration I use, with RAID and some older NIC drivers disabled. If RAID support is needed, re-enable it in the configuration.

#
# GENERIC -- Generic kernel configuration file for FreeBSD/amd64
#
# For more information on this file, please read the config(5) manual page,
# and/or the handbook section on Kernel Configuration Files:
#
#    https://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (https://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: releng/12.0/sys/amd64/conf/GENERIC 339704 2018-10-25 05:18:25Z imp $

cpu		HAMMER
ident		zero

#makeoptions	DEBUG=-g		# Build kernel with gdb(1) debug symbols
#makeoptions	WITH_CTF=1		# Run ctfconvert(1) for DTrace support

options 	SCHED_ULE		# ULE scheduler
options 	NUMA			# Non-Uniform Memory Architecture support
options 	PREEMPTION		# Enable kernel thread preemption
options 	VIMAGE			# Subsystem virtualization, e.g. VNET
options 	INET			# InterNETworking
options 	INET6			# IPv6 communications protocols
options 	IPSEC			# IP (v4/v6) security
options 	IPSEC_SUPPORT		# Allow kldload of ipsec and tcpmd5
options 	TCP_OFFLOAD		# TCP offload
options 	TCP_BLACKBOX		# Enhanced TCP event logging
options 	TCP_HHOOK		# hhook(9) framework for TCP
options		TCP_RFC7413		# TCP Fast Open
options 	SCTP			# Stream Control Transmission Protocol
options 	FFS			# Berkeley Fast Filesystem
options 	SOFTUPDATES		# Enable FFS soft updates support
options 	UFS_ACL			# Support for access control lists
options 	UFS_DIRHASH		# Improve performance on big directories
options 	UFS_GJOURNAL		# Enable gjournal-based UFS journaling
options 	QUOTA			# Enable disk quotas for UFS
options 	MD_ROOT			# MD is a potential root device
options 	NFSCL			# Network Filesystem Client
options 	NFSD			# Network Filesystem Server
options 	NFSLOCKD		# Network Lock Manager
options 	NFS_ROOT		# NFS usable as /, requires NFSCL
options 	MSDOSFS			# MSDOS Filesystem
options 	CD9660			# ISO 9660 Filesystem
options 	PROCFS			# Process filesystem (requires PSEUDOFS)
options 	PSEUDOFS		# Pseudo-filesystem framework
options 	GEOM_RAID		# Soft RAID functionality.
options 	GEOM_LABEL		# Provides labelization
options 	EFIRT			# EFI Runtime Services support
options 	COMPAT_FREEBSD32	# Compatible with i386 binaries
options 	COMPAT_FREEBSD4		# Compatible with FreeBSD4
options 	COMPAT_FREEBSD5		# Compatible with FreeBSD5
options 	COMPAT_FREEBSD6		# Compatible with FreeBSD6
options 	COMPAT_FREEBSD7		# Compatible with FreeBSD7
options 	COMPAT_FREEBSD9		# Compatible with FreeBSD9
options 	COMPAT_FREEBSD10	# Compatible with FreeBSD10
options 	COMPAT_FREEBSD11	# Compatible with FreeBSD11
options 	SCSI_DELAY=5000		# Delay (in ms) before probing SCSI
options 	KTRACE			# ktrace(1) support
options 	STACK			# stack(9) support
options 	SYSVSHM			# SYSV-style shared memory
options 	SYSVMSG			# SYSV-style message queues
options 	SYSVSEM			# SYSV-style semaphores
options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options 	PRINTF_BUFR_SIZE=128	# Prevent printf output being interspersed.
options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
options 	HWPMC_HOOKS		# Necessary kernel hooks for hwpmc(4)
options 	AUDIT			# Security event auditing
options 	CAPABILITY_MODE		# Capsicum capability mode
options 	CAPABILITIES		# Capsicum capabilities
options 	MAC			# TrustedBSD MAC Framework
options 	KDTRACE_FRAME		# Ensure frames are compiled in
options 	KDTRACE_HOOKS		# Kernel DTrace hooks
options 	DDB_CTF			# Kernel ELF linker loads CTF data
options 	INCLUDE_CONFIG_FILE	# Include this file in kernel
options 	RACCT			# Resource accounting framework
options 	RACCT_DEFAULT_TO_DISABLED # Set kern.racct.enable=0 by default
options 	RCTL			# Resource limits

# Debugging support.  Always need this:
#options 	KDB			# Enable kernel debugger support.
#options 	KDB_TRACE		# Print a stack trace for a panic.

# Kernel dump features.
options 	EKCD			# Support for encrypted kernel dumps
options 	GZIO			# gzip-compressed kernel and user dumps
options 	ZSTDIO			# zstd-compressed kernel and user dumps
options 	NETDUMP			# netdump(4) client support

# Make an SMP-capable kernel by default
options 	SMP			# Symmetric MultiProcessor Kernel
options 	EARLY_AP_STARTUP

# CPU frequency control
device		cpufreq

# Bus support.
device		acpi
options 	ACPI_DMAR
device		pci
options 	PCI_HP			# PCI-Express native HotPlug
options		PCI_IOV			# PCI SR-IOV support

# Floppy drives
device		fdc

# ATA controllers
device		ahci			# AHCI-compatible SATA controllers
device		ata			# Legacy ATA/SATA controllers
device		mvs			# Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
device		siis			# SiliconImage SiI3124/SiI3132/SiI3531 SATA

# SCSI Controllers
device		ahc			# AHA2940 and onboard AIC7xxx devices
device		ahd			# AHA39320/29320 and onboard AIC79xx devices
device		esp			# AMD Am53C974 (Tekram DC-390(T))
device		hptiop			# Highpoint RocketRaid 3xxx series
device		isp			# Qlogic family
#device		ispfw			# Firmware for QLogic HBAs- normally a module
device		mpt			# LSI-Logic MPT-Fusion
device		mps			# LSI-Logic MPT-Fusion 2
device		mpr			# LSI-Logic MPT-Fusion 3
#device		ncr			# NCR/Symbios Logic
device		sym			# NCR/Symbios Logic (newer chipsets + those of `ncr')
device		trm			# Tekram DC395U/UW/F DC315U adapters
device		isci			# Intel C600 SAS controller
device		ocs_fc			# Emulex FC adapters

# ATA/SCSI peripherals
device		scbus			# SCSI bus (required for ATA/SCSI)
device		ch			# SCSI media changers
device		da			# Direct Access (disks)
device		sa			# Sequential Access (tape etc)
device		cd			# CD
device		pass			# Passthrough device (direct ATA/SCSI access)
device		ses			# Enclosure Services (SES and SAF-TE)
#device		ctl			# CAM Target Layer

# RAID controllers interfaced to the SCSI subsystem
#device		amr			# AMI MegaRAID
#device		arcmsr			# Areca SATA II RAID
#device		ciss			# Compaq Smart RAID 5*
#device		dpt			# DPT Smartcache III, IV - See NOTES for options
#device		hptmv			# Highpoint RocketRAID 182x
#device		hptnr			# Highpoint DC7280, R750
#device		hptrr			# Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
#device		hpt27xx			# Highpoint RocketRAID 27xx
#device		iir			# Intel Integrated RAID
#device		ips			# IBM (Adaptec) ServeRAID
#device		mly			# Mylex AcceleRAID/eXtremeRAID
#device		twa			# 3ware 9000 series PATA/SATA RAID
#device		smartpqi		# Microsemi smartpqi driver
#device		tws			# LSI 3ware 9750 SATA+SAS 6Gb/s RAID controller

# RAID controllers
#device		aac			# Adaptec FSA RAID
#device		aacp			# SCSI passthrough for aac (requires CAM)
#device		aacraid			# Adaptec by PMC RAID
#device		ida			# Compaq Smart RAID
#device		mfi			# LSI MegaRAID SAS
#device		mlx			# Mylex DAC960 family
#device		mrsas			# LSI/Avago MegaRAID SAS/SATA, 6Gb/s and 12Gb/s
#device		pmspcv			# PMC-Sierra SAS/SATA Controller driver
##XXX pointer/int warnings
##device		pst			# Promise Supertrak SX6000
#device		twe			# 3ware ATA RAID

# NVM Express (NVMe) support
device		nvme			# base NVMe driver
device		nvd			# expose NVMe namespaces as disks, depends on nvme

# atkbdc0 controls both the keyboard and the PS/2 mouse
device		atkbdc			# AT keyboard controller
device		atkbd			# AT keyboard
device		psm			# PS/2 mouse

device		kbdmux			# keyboard multiplexer

device		vga			# VGA video card driver
options 	VESA			# Add support for VESA BIOS Extensions (VBE)

device		splash			# Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device		sc
options 	SC_PIXEL_MODE		# add support for the raster text mode

# vt is the new video console driver
device		vt
device		vt_vga
device		vt_efifb

device		agp			# support several AGP chipsets

# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device		cbb			# cardbus (yenta) bridge
#device		pccard			# PC Card (16-bit) bus
#device		cardbus			# CardBus (32-bit) bus

# Serial (COM) ports
device		uart			# Generic UART driver

# Parallel port
device		ppc
device		ppbus			# Parallel port bus (required)
device		lpt			# Printer
device		ppi			# Parallel port interface device
#device		vpo			# Requires scbus and da

device		puc			# Multi I/O cards and multi-channel UARTs

# PCI Ethernet NICs.
device		bxe			# Broadcom NetXtreme II BCM5771X/BCM578XX 10GbE
device		de			# DEC/Intel DC21x4x (``Tulip'')
device		em			# Intel PRO/1000 Gigabit Ethernet Family
device		ix			# Intel PRO/10GbE PCIE PF Ethernet
device		ixv			# Intel PRO/10GbE PCIE VF Ethernet
device		ixl			# Intel 700 Series Physical Function
device		iavf			# Intel Adaptive Virtual Function
device		le			# AMD Am7900 LANCE and Am79C9xx PCnet
device		ti			# Alteon Networks Tigon I/II gigabit Ethernet
device		txp			# 3Com 3cR990 (``Typhoon'')
device		vx			# 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device		miibus			# MII bus support
#device		ae			# Attansic/Atheros L2 FastEthernet
#device		age			# Attansic/Atheros L1 Gigabit Ethernet
#device		alc			# Atheros AR8131/AR8132 Ethernet
#device		ale			# Atheros AR8121/AR8113/AR8114 Ethernet
#device		bce			# Broadcom BCM5706/BCM5708 Gigabit Ethernet
#device		bfe			# Broadcom BCM440x 10/100 Ethernet
#device		bge			# Broadcom BCM570xx Gigabit Ethernet
#device		cas			# Sun Cassini/Cassini+ and NS DP83065 Saturn
#device		dc			# DEC/Intel 21143 and various workalikes
#device		et			# Agere ET1310 10/100/Gigabit Ethernet
#device		fxp			# Intel EtherExpress PRO/100B (82557, 82558)
#device		gem			# Sun GEM/Sun ERI/Apple GMAC
#device		hme			# Sun HME (Happy Meal Ethernet)
#device		jme			# JMicron JMC250 Gigabit/JMC260 Fast Ethernet
#device		lge			# Level 1 LXT1001 gigabit Ethernet
#device		msk			# Marvell/SysKonnect Yukon II Gigabit Ethernet
#device		nfe			# nVidia nForce MCP on-board Ethernet
#device		nge			# NatSemi DP83820 gigabit Ethernet
#device		pcn			# AMD Am79C97x PCI 10/100 (precedence over 'le')
#device		re			# RealTek 8139C+/8169/8169S/8110S
#device		rl			# RealTek 8129/8139
#device		sf			# Adaptec AIC-6915 (``Starfire'')
#device		sge			# Silicon Integrated Systems SiS190/191
#device		sis			# Silicon Integrated Systems SiS 900/SiS 7016
#device		sk			# SysKonnect SK-984x & SK-982x gigabit Ethernet
#device		ste			# Sundance ST201 (D-Link DFE-550TX)
#device		stge			# Sundance/Tamarack TC9021 gigabit Ethernet
#device		tl			# Texas Instruments ThunderLAN
#device		tx			# SMC EtherPower II (83c170 ``EPIC'')
#device		vge			# VIA VT612x gigabit Ethernet
#device		vr			# VIA Rhine, Rhine II
#device		wb			# Winbond W89C840F
#device		xl			# 3Com 3c90x (``Boomerang'', ``Cyclone'')

# Wireless NIC cards
device		wlan			# 802.11 support
options 	IEEE80211_DEBUG		# enable debug msgs
options 	IEEE80211_AMPDU_AGE	# age frames in AMPDU reorder q's
options 	IEEE80211_SUPPORT_MESH	# enable 802.11s draft support
device		wlan_wep		# 802.11 WEP support
device		wlan_ccmp		# 802.11 CCMP support
device		wlan_tkip		# 802.11 TKIP support
device		wlan_amrr		# AMRR transmit rate control algorithm
#device		an			# Aironet 4500/4800 802.11 wireless NICs.
#device		ath			# Atheros NICs
#device		ath_pci			# Atheros pci/cardbus glue
#device		ath_hal			# pci/cardbus chip support
#options 	AH_SUPPORT_AR5416	# enable AR5416 tx/rx descriptors
#options 	AH_AR5416_INTERRUPT_MITIGATION # AR5416 interrupt mitigation
#options 	ATH_ENABLE_11N		# Enable 802.11n support for AR5416 and later
#device		ath_rate_sample		# SampleRate tx rate control for ath
##device		bwi			# Broadcom BCM430x/BCM431x wireless NICs.
##device		bwn			# Broadcom BCM43xx wireless NICs.
#device		ipw			# Intel 2100 wireless NICs.
#device		iwi			# Intel 2200BG/2225BG/2915ABG wireless NICs.
#device		iwn			# Intel 4965/1000/5000/6000 wireless NICs.
#device		malo			# Marvell Libertas wireless NICs.
#device		mwl			# Marvell 88W8363 802.11n wireless NICs.
#device		ral			# Ralink Technology RT2500 wireless NICs.
#device		wi			# WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device		wpi			# Intel 3945ABG wireless NICs.

# Pseudo devices.
device		crypto			# core crypto support
device		loop			# Network loopback
device		random			# Entropy device
device		padlock_rng		# VIA Padlock RNG
device		rdrand_rng		# Intel Bull Mountain RNG
device		ether			# Ethernet support
device		vlan			# 802.1Q VLAN support
device		tun			# Packet tunnel.
device		md			# Memory "disks"
device		gif			# IPv6 and IPv4 tunneling
device		firmware		# firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device		bpf			# Berkeley packet filter

# USB support
options 	USB_DEBUG		# enable debug msgs
device		uhci			# UHCI PCI->USB interface
device		ohci			# OHCI PCI->USB interface
device		ehci			# EHCI PCI->USB interface (USB 2.0)
device		xhci			# XHCI PCI->USB interface (USB 3.0)
device		usb			# USB Bus (required)
device		ukbd			# Keyboard
device		umass			# Disks/Mass storage - Requires scbus and da

# Sound support
device		sound			# Generic sound driver (required)
device		snd_cmi			# CMedia CMI8338/CMI8738
device		snd_csa			# Crystal Semiconductor CS461x/428x
device		snd_emu10kx		# Creative SoundBlaster Live! and Audigy
device		snd_es137x		# Ensoniq AudioPCI ES137x
device		snd_hda			# Intel High Definition Audio
device		snd_ich			# Intel, NVidia and other ICH AC'97 Audio
device		snd_via8233		# VIA VT8233x Audio

# MMC/SD
device		mmc			# MMC/SD bus
device		mmcsd			# MMC/SD memory card
device		sdhci			# Generic PCI SD Host Controller

# VirtIO support
device		virtio			# Generic VirtIO bus (required)
device		virtio_pci		# VirtIO PCI device
device		vtnet			# VirtIO Ethernet device
device		virtio_blk		# VirtIO Block device
device		virtio_scsi		# VirtIO SCSI device
device		virtio_balloon		# VirtIO Memory Balloon device

# HyperV drivers and enhancement support
device		hyperv			# HyperV drivers 

# Xen HVM Guest Optimizations
# NOTE: XENHVM depends on xenpci.  They must be added or removed together.
options 	XENHVM			# Xen HVM kernel infrastructure
device		xenpci			# Xen HVM Hypervisor services driver

# VMware support
device		vmx			# VMware VMXNET3 Ethernet

# Netmap provides direct access to TX/RX rings on supported NICs
device		netmap			# netmap(4) support

###################################################################
# IPF KERNEL
###################################################################

options   IPFILTER
options   IPFILTER_LOG
options   IPFILTER_LOOKUP
options   IPFILTER_DEFAULT_BLOCK
##############################################

options   NETGRAPH
options   NETGRAPH_ETHER
options   NETGRAPH_PPPOE
options   NETGRAPH_SOCKET
###################################################################

 
