Contents
Overview
Installing FreeBSD
Enabling SSH login
Configuring the IPF firewall
Building the kernel
Overview
FreeBSD is an excellent UNIX operating system. This article describes how to build a firewall on FreeBSD and how to compile the kernel. FreeBSD ships with three firewalls, PF, IPF and IPFW, each with its own strengths; this article uses IPF as the example, covering both the configuration files and the kernel build.
Installing FreeBSD
This installation uses the DVD image. Accept the default first entry and press Enter to start the installer:
Other media work too: the CD installation needs two discs, and a USB/network installation needs network access.

Choose Install to continue.
Accept the default keymap.
Enter a hostname.
Because the kernel will be compiled later, ports and src are both ticked here.
Alternatively, ports and src can be fetched fresh from the network: after installation, reboot to a command prompt and run portsnap fetch extract to refresh ports and src.
Choose the partitioning method; the default is Auto (UFS).
Confirm that FreeBSD will be installed on da0.
The installer warns that partitioning will erase the existing data on the disk.
Choose MBR for disks under 2G, otherwise choose GPT.
The recommended partition layout; adjust it manually if necessary.
Committing starts writing to the disk; Back cancels (once you Commit, the existing data on the disk is overwritten).
Installing...
After the files are installed, set the initial root password.
Select a network interface to configure.
Whether to configure IPv4.
Choose No to configure it manually, otherwise choose DHCP.
Manual IP settings; fill them in according to your situation. For a gateway firewall, leave the third field, Default Router, empty.
Given the local ISP, IPv6 does not need to be configured for now.
DNS settings; use the values provided by your ISP.
Select the time zone.
Choose as appropriate.
Set the date and time.
Whether to synchronise the system clock; if you run a VPN or other cryptographic software, it is best to enable time synchronisation.
Some security options; choose as appropriate.
Do not add a user for now.
Choose Exit to apply the configuration and leave the installer; this takes a few seconds.
There is no need to enter a shell; choose No to finish exiting.
If the optical drive is first in the boot order, remember to remove the disc, then press Enter; FreeBSD will reboot.
The boot screen and login prompt after installation.
Log in as root with the password set earlier.
Enabling SSH login
Edit /etc/rc.conf and add:
sshd_enable="YES"
To allow root to log in over SSH (not recommended on a multi-user system), edit /etc/ssh/sshd_config and enable or add the option below; reboot after the change.
PermitRootLogin yes
Configuring the IPF firewall
The firewall is configured before it takes effect because once the kernel is compiled and installed, SSH access will be blocked; this does not matter if you are working at the console.
Add the ipf startup entries to /etc/rc.conf. They cover both IPF and NAT: IPF provides the packet filtering and is configured in /etc/ipf.rules; NAT provides address translation, which is what lets the LAN reach the Internet, and is configured in /etc/ipnat.rules.
Add the following to rc.conf to enable ipf and ipnat:
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dsn"
# ---------------------------------------
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
#----------------------------------------------------------------------
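The rc.conf entries above (and the sshd_enable line earlier) are usually appended by hand, which easily leaves duplicate or contradictory lines. As an added example that is not part of the article, the script below applies the same settings idempotently: an existing key is rewritten in place, a missing key is appended, and a second run changes nothing. The rc.conf it edits is a constructed sample file; on the gateway you would pass /etc/rc.conf instead.

```shell
#!/bin/sh
# Added example (not from the article): idempotent rc.conf edits.
# The file below is a constructed sample; use /etc/rc.conf on the gateway.

RC_SAMPLE=$(mktemp)
printf '%s\n' 'hostname="gw"' 'sshd_enable="NO"' > "$RC_SAMPLE"

# set_rc_var FILE KEY VALUE: replace an existing KEY= line or append one.
# (sed -i.bak works on both BSD and GNU sed; values must not contain | or &.)
set_rc_var() {
    if grep -q "^$2=" "$1"; then
        sed -i.bak "s|^$2=.*|$2=\"$3\"|" "$1" && rm -f "$1.bak"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# get_rc_var FILE KEY: value of the last KEY= line, quotes stripped.
get_rc_var() {
    awk -F= -v k="$2" '$1==k { v=$2; gsub(/"/, "", v) } END { print v }' "$1"
}

# count_rc_var FILE KEY: number of lines defining KEY; above 1 is a duplicate.
count_rc_var() { grep -c "^$2=" "$1"; }

# Apply the article's settings: sshd, ipf with ipmon logging, ipnat.
apply_firewall_rc() {
    set_rc_var "$1" sshd_enable YES
    set_rc_var "$1" ipfilter_enable YES
    set_rc_var "$1" ipfilter_rules /etc/ipf.rules
    set_rc_var "$1" ipmon_enable YES
    set_rc_var "$1" ipmon_flags -Dsn
    set_rc_var "$1" ipnat_enable YES
    set_rc_var "$1" ipnat_rules /etc/ipnat.rules
}

apply_firewall_rc "$RC_SAMPLE"
apply_firewall_rc "$RC_SAMPLE"   # second run must leave the file unchanged
cat "$RC_SAMPLE"
```

After both runs the sample contains exactly one sshd_enable line, now set to YES, plus the six ipf/ipnat lines; the pre-existing sshd_enable="NO" was rewritten rather than shadowed by a later duplicate.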
Firewall configuration file /etc/ipf.rules:
#=======================================================================================
# 2016/4/21
#
# How IPF matching works:
# When there is traffic on an interface, the rules are checked from top to bottom;
# once a matching rule is found the remaining rules are not checked, so even if a
# later rule conflicts with the current one, the rule found first applies.
#=======================================================================================
# Intranet device / lan
# em0="192.168.1.1"
# Internet device /
# em1=""
# tun0="dhcp"
#
# Command to reload ipf by hand
# ipf -Fa -f /etc/ipf.rules
#---------------------------------------------------------------------------------------
# The kernel was built to block everything by default, so these two rules have no effect
#block in all
#block out all
# loopback (fully open)
pass in on lo0 all
pass out on lo0 all
# LAN interface (fully open)
pass in on em0 all
pass out on em0 all
# Internet interface (fully open)
pass in on em1 all
pass out on em1 all
# PPTP (outbound open, inbound blocked)
pass out on tun0 all
#pass in on tun0 all
# PPTP VPN
#pass out on tun1 all
#pass in on tun1 all
#---------------------------------------------------------------------------------------
#---------------------------------------------------------------------------------------
# loopback
#----------------------------------------------------------------
pass in quick on lo0 proto tcp from any to any flags S keep state
pass out quick on lo0 proto tcp from any to any flags S keep state
pass in quick on lo0 proto udp from any to any keep state
pass out quick on lo0 proto udp from any to any keep state
#----------------------------------------------------------------
pass in quick on lo0 proto icmp all
pass out quick on lo0 proto icmp all
#----------------------------------------------------------------
#---------------------------------------------------------------------------------------
# link to pppoe device
#----------------------------------------------------------------
pass in quick on em1 proto tcp from any to any flags S keep state
pass out quick on em1 proto tcp from any to any flags S keep state
pass in quick on em1 proto udp from any to any keep state
pass out quick on em1 proto udp from any to any keep state
#----------------------------------------------------------------
pass in quick on em1 proto icmp all
pass out quick on em1 proto icmp all
#----------------------------------------------------------------
#---------------------------------------------------------------------------------------
# lan
#----------------------------------------------------------------
pass in quick on em0 proto tcp from any to any flags S keep state
pass out quick on em0 proto tcp from any to any flags S keep state
pass in quick on em0 proto udp from any to any keep state
pass out quick on em0 proto udp from any to any keep state
#----------------------------------------------------------------
pass in quick on em0 proto icmp all
pass out quick on em0 proto icmp all
#----------------------------------------------------------------
#---------------------------------------------------------------------------------------
# tun0 (PPPoE dial-up)
# Outbound access is unrestricted, inbound stays blocked
#----------------------------------------------------------------
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
#pass in quick on tun0 proto tcp from any to any flags S keep state
#pass in quick on tun0 proto udp from any to any keep state
#----------------------------------------------------------------
# Allow some ICMP (ping) in both directions
pass out quick on tun0 proto icmp all
#pass in quick on tun0 proto icmp all
pass in quick on tun0 proto icmp from any to any icmp-type 0
pass in quick on tun0 proto icmp from any to any icmp-type 8
#----------------------------------------------------------------
#----------------------------------------------------------------
# tun0 allow pptp (success)
#----------------------------------------------------------------
#pass out quick on tun0 proto tcp from any to any port = 1723 flags S keep state
#----------------------------------------------------------------
pass out proto gre from any to any keep state
pass in proto gre from any to any keep state
#----------------------------------------------------------------
#----------------------------------------------------------------
# tun0 allow vpn income
#----------------------------------------------------------------
pass in quick on tun0 proto udp from any to any port = 1194 keep state
#----------------------------------------------------------------
#----------------------------------------------------------------
# tun0 allow https income
#----------------------------------------------------------------
pass in quick on tun0 proto tcp from any to any port = 443 keep state
#----------------------------------------------------------------
#---------------------------------------------------------------------------------------
# tun1 (VPN, if present)
#----------------------------------------------------------------
pass in quick on tun1 proto tcp from any to any flags S keep state
pass out quick on tun1 proto tcp from any to any flags S keep state
pass in quick on tun1 proto udp from any to any keep state
pass out quick on tun1 proto udp from any to any keep state
#----------------------------------------------------------------
pass in quick on tun1 proto icmp all
pass out quick on tun1 proto icmp all
#----------------------------------------------------------------
#---------------------------------------------------------------------------------------
NAT configuration /etc/ipnat.rules:
#-------------------------------------------------------------------
# Command to reload NAT from the command line
# ipnat -CF -f /etc/ipnat.rules
#-------------------------------------------------------------------
# Address translation
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
# This handles all non-FTP traffic from the LAN
map tun0 192.168.1.0/24 -> 0/32
# FTP access from the LAN
map tun0 192.168.1.0/24 -> 0/32 proxy port 21 ftp/tcp
# FTP access from the gateway itself
map tun0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
# GRE must be allowed for PPTP VPN (port 1723) dial-up to a remote site
map tun0 0.0.0.0/0 -> 192.168.1.0/24 gre
map tun0 192.168.1.0/24 -> 0.0.0.0/0 gre
#-------------------------------------------------------------------
# Port forwarding, enable when needed
# The corresponding pass rules must also be added to the firewall's ipf.rules
#-------------------------------------------------------------------
rdr tun0 0.0.0.0/0 port 443 -> 192.168.1.100 port 443
#rdr tun0 0.0.0.0/0 port 80 -> 192.168.1.102 port 80
#-------------------------------------------------------------------
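Two things in the ipf.rules and ipnat.rules files above are worth checking mechanically: which ports are actually opened inbound on the external interface tun0, and whether every rdr forward in ipnat.rules has the matching pass rule that the comment in ipnat.rules asks for. The script below is an added example, not part of the article; it audits the rule files statically (no ipf or ipnat binary needed) using two constructed sample files that mirror the article's tun0 section, with one deliberately unmatched rdr on port 8080. One caveat the article's comment block glosses over: ipf(5) applies the last matching rule unless a rule carries quick, which is why the article's working rules all use quick and why the plain "pass in on ... all" rules are listed separately here.

```shell
#!/bin/sh
# Added example (not from the article): static audit of ipf.rules / ipnat.rules.
# The two files below are constructed samples; point the functions at
# /etc/ipf.rules and /etc/ipnat.rules to audit a real gateway.

SAMPLE_DIR=$(mktemp -d)
IPF_SAMPLE="$SAMPLE_DIR/ipf.rules"
NAT_SAMPLE="$SAMPLE_DIR/ipnat.rules"

cat > "$IPF_SAMPLE" <<'EOF'
# constructed sample
pass in on lo0 all
pass in on em1 all
pass out quick on tun0 proto tcp from any to any flags S keep state
#pass in quick on tun0 proto tcp from any to any flags S keep state
pass in quick on tun0 proto icmp from any to any icmp-type 8
pass in quick on tun0 proto udp from any to any port = 1194 keep state
pass in quick on tun0 proto tcp from any to any port = 443 keep state
EOF

cat > "$NAT_SAMPLE" <<'EOF'
# constructed sample; the 8080 forward has no pass rule on purpose
map tun0 192.168.1.0/24 -> 0/32
rdr tun0 0.0.0.0/0 port 443 -> 192.168.1.100 port 443
rdr tun0 0.0.0.0/0 port 8080 -> 192.168.1.102 port 80
#rdr tun0 0.0.0.0/0 port 80 -> 192.168.1.102 port 80
EOF

# Drop comment lines: commented-out rules must not count as open.
active_rules() { grep -v '^[[:space:]]*#' "$1"; }

# inbound_ports IFACE FILE: ports explicitly opened inbound, as "proto port".
inbound_ports() {
    active_rules "$2" | awk -v ifc="$1" '
        $1=="pass" && $2=="in" && $0 ~ ("on " ifc " ") {
            p=""
            for (i=1; i<=NF; i++) if ($i=="proto") p=$(i+1)
            for (i=1; i<=NF; i++) if ($i=="port" && $(i+1)=="=") print p, $(i+2)
        }'
}

# catch_all_in FILE: interfaces with an unqualified "pass in on <if> all".
# Without quick such a rule only decides traffic no later rule matches,
# but it is still the first thing to know about an interface.
catch_all_in() {
    active_rules "$1" | awk '$1=="pass" && $2=="in" && $3=="on" && $5=="all" {print $4}'
}

# unmatched_rdr IFACE IPF_FILE NAT_FILE: external rdr ports with no matching
# "pass in" rule (an rdr without a protocol keyword means tcp).
unmatched_rdr() {
    iface="$1"; ipf_file="$2"; nat_file="$3"
    opened=$(inbound_ports "$iface" "$ipf_file")
    active_rules "$nat_file" |
    awk -v ifc="$iface" '$1=="rdr" && $2==ifc {
        for (i=1; i<=NF; i++) if ($i=="port") { print $(i+1); break } }' |
    while read -r port; do
        printf '%s\n' "$opened" | grep -q "^tcp ${port}\$" || printf '%s\n' "$port"
    done
}

echo "inbound on tun0:";       inbound_ports tun0 "$IPF_SAMPLE"
echo "catch-all inbound:";     catch_all_in "$IPF_SAMPLE"
echo "rdr without pass rule:"; unmatched_rdr tun0 "$IPF_SAMPLE" "$NAT_SAMPLE"
```

On the sample the audit reports udp 1194 and tcp 443 open inbound on tun0, lo0 and em1 as catch-all interfaces, and 8080 as a forward that ipf would still block; after a real change, ipfstat -io shows the rules the kernel actually loaded, which is the authoritative list.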
Building the kernel
A custom kernel build lets you optimise the kernel. The default GENERIC kernel is better suited to development than to production: it enables every driver and carries debugging information. Building your own kernel lets you drop unneeded drivers and strip the debug information, which improves execution efficiency and reduces memory use.
Compiling the firewall into the kernel is more efficient. Pick the kernel configuration template for the host CPU. Kernel configurations live under /usr/src/sys: for an amd64 (64-bit) CPU they are in /usr/src/sys/amd64/conf, for an i386 (32-bit) CPU in /usr/src/sys/i386/conf. Each directory contains a GENERIC file, the generic configuration. Change into the directory for your CPU and copy GENERIC to a new file; the name is up to you.
Copy GENERIC to a file named zero. GENERIC is the default kernel configuration; zero will be the configuration for the new kernel.
cd /usr/src/sys/amd64/conf
cp GENERIC zero
The new file zero is now present.
Edit zero with vi or ee and append the following IPF firewall options at the end:
options IPFILTER
options IPFILTER_LOG
options IPFILTER_LOOKUP
options IPFILTER_DEFAULT_BLOCK
If you need kernel support for PPPoE, PPTP or VPN, also add the following options:
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_PPPOE
options NETGRAPH_SOCKET
If you do not need to debug the kernel (no kernel development), these options can be disabled by commenting them out with a leading #:
#makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
#makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support
#options KDB # Enable kernel debugger support.
#options KDB_TRACE # Print a stack trace for a panic.
The ident value in the configuration must also be changed to match the name of the newly copied file.
You can also disable drivers you do not use, such as RAID drivers (usually unneeded on a PC) and unused NIC drivers; my configuration is attached at the end of the article.
Once everything is ready, start the kernel build. If the configuration is wrong, the build is aborted at the start or during the run with an appropriate message.
The full kernel build takes a long time: depending on CPU and disk performance, from about 20 minutes to several hours.
After the build, before installing the new kernel, be sure to back up the old one. If the new kernel misbehaves, you can still boot the old kernel, fix the configuration and rebuild. The commands below use mv to back up the old kernel; several backups can be kept, each in its own directory.
# Change into /usr/src
cd /usr/src
# Build the kernel; KERNCONF names the configuration file
make buildkernel KERNCONF=zero
# Back up the old kernel to the GENERIC directory (if the new kernel fails to boot you can recover; keeping at least one known-good kernel is a good habit)
mv /boot/kernel /boot/GENERIC
# Install the new kernel; KERNCONF names the configuration file
make installkernel KERNCONF=zero
# Reboot
reboot
Kernel build finished.
Kernel installed; typing reboot restarts the system.
Below is the configuration I use, with RAID and some older NICs disabled; if you need RAID support, re-enable it in the configuration.
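The build only fails with a useful message once it is already running, and some mistakes (a forgotten ident change, a debug option left on, a missing IPFILTER option) are cheap to catch before spending the build time. As an added example that is not part of the article, the script below runs those three checks over a kernel configuration file; it uses a constructed sample config with all three mistakes present, and would be pointed at /usr/src/sys/amd64/conf/zero for a real build.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks on a custom kernel
# configuration before "make buildkernel". The config below is a constructed
# sample with deliberate problems: ident left as GENERIC, KDB still active,
# IPFILTER_LOOKUP missing.

SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/zero"
cat > "$SAMPLE_CONF" <<'EOF'
cpu           HAMMER
ident         GENERIC
#makeoptions  DEBUG=-g        # Build kernel with gdb(1) debug symbols
options       KDB             # Enable kernel debugger support.
options       SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options       IPFILTER
options       IPFILTER_LOG
options       IPFILTER_DEFAULT_BLOCK
EOF

# Config lines with comments and blank lines stripped, so a commented-out
# option is never mistaken for an active one.
active_lines() { sed -e 's/#.*$//' "$1" | grep -v '^[[:space:]]*$'; }

# check_ident FILE: prints the ident value; returns 1 unless it equals the
# file name, which is the rule the article states.
check_ident() {
    got=$(active_lines "$1" | awk '$1=="ident" { print $2; exit }')
    printf '%s\n' "$got"
    [ "$got" = "$(basename "$1")" ]
}

# has_option FILE NAME: returns 0 when "options NAME" or "options NAME=value"
# is active.
has_option() {
    active_lines "$1" | awk -v o="$2" '
        $1=="options" { split($2, kv, "="); if (kv[1]==o) found=1 }
        END { exit !found }'
}

# preflight FILE: one finding per line; no output means the config passes.
preflight() {
    conf="$1"
    for o in IPFILTER IPFILTER_LOG IPFILTER_LOOKUP IPFILTER_DEFAULT_BLOCK; do
        has_option "$conf" "$o" || printf 'missing %s\n' "$o"
    done
    for o in KDB KDB_TRACE; do
        if has_option "$conf" "$o"; then printf 'debug-on %s\n' "$o"; fi
    done
    check_ident "$conf" >/dev/null || printf 'ident-mismatch %s\n' "$(basename "$conf")"
}

preflight "$SAMPLE_CONF"
```

On the sample the three findings are "missing IPFILTER_LOOKUP", "debug-on KDB" and "ident-mismatch zero"; the commented-out DEBUG makeoption correctly does not count as active. The list of required options is the one the article adds; extend it with NETGRAPH and friends if the PPPoE/PPTP block is also required.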
#
# GENERIC -- Generic kernel configuration file for FreeBSD/amd64
#
# For more information on this file, please read the config(5) manual page,
# and/or the handbook section on Kernel Configuration Files:
#
# https://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (https://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: releng/12.0/sys/amd64/conf/GENERIC 339704 2018-10-25 05:18:25Z imp $
cpu HAMMER
ident zero
#makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
#makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support
options SCHED_ULE # ULE scheduler
options NUMA # Non-Uniform Memory Architecture support
options PREEMPTION # Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_OFFLOAD # TCP offload
options TCP_BLACKBOX # Enhanced TCP event logging
options TCP_HHOOK # hhook(9) framework for TCP
options TCP_RFC7413 # TCP Fast Open
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options QUOTA # Enable disk quotas for UFS
options MD_ROOT # MD is a potential root device
options NFSCL # Network Filesystem Client
options NFSD # Network Filesystem Server
options NFSLOCKD # Network Lock Manager
options NFS_ROOT # NFS usable as /, requires NFSCL
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_RAID # Soft RAID functionality.
options GEOM_LABEL # Provides labelization
options EFIRT # EFI Runtime Services support
options COMPAT_FREEBSD32 # Compatible with i386 binaries
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options COMPAT_FREEBSD7 # Compatible with FreeBSD7
options COMPAT_FREEBSD9 # Compatible with FreeBSD9
options COMPAT_FREEBSD10 # Compatible with FreeBSD10
options COMPAT_FREEBSD11 # Compatible with FreeBSD11
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed.
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
options CAPABILITY_MODE # Capsicum capability mode
options CAPABILITIES # Capsicum capabilities
options MAC # TrustedBSD MAC Framework
options KDTRACE_FRAME # Ensure frames are compiled in
options KDTRACE_HOOKS # Kernel DTrace hooks
options DDB_CTF # Kernel ELF linker loads CTF data
options INCLUDE_CONFIG_FILE # Include this file in kernel
options RACCT # Resource accounting framework
options RACCT_DEFAULT_TO_DISABLED # Set kern.racct.enable=0 by default
options RCTL # Resource limits
# Debugging support. Always need this:
#options KDB # Enable kernel debugger support.
#options KDB_TRACE # Print a stack trace for a panic.
# Kernel dump features.
options EKCD # Support for encrypted kernel dumps
options GZIO # gzip-compressed kernel and user dumps
options ZSTDIO # zstd-compressed kernel and user dumps
options NETDUMP # netdump(4) client support
# Make an SMP-capable kernel by default
options SMP # Symmetric MultiProcessor Kernel
options EARLY_AP_STARTUP
# CPU frequency control
device cpufreq
# Bus support.
device acpi
options ACPI_DMAR
device pci
options PCI_HP # PCI-Express native HotPlug
options PCI_IOV # PCI SR-IOV support
# Floppy drives
device fdc
# ATA controllers
device ahci # AHCI-compatible SATA controllers
device ata # Legacy ATA/SATA controllers
device mvs # Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
device siis # SiliconImage SiI3124/SiI3132/SiI3531 SATA
# SCSI Controllers
device ahc # AHA2940 and onboard AIC7xxx devices
device ahd # AHA39320/29320 and onboard AIC79xx devices
device esp # AMD Am53C974 (Tekram DC-390(T))
device hptiop # Highpoint RocketRaid 3xxx series
device isp # Qlogic family
#device ispfw # Firmware for QLogic HBAs- normally a module
device mpt # LSI-Logic MPT-Fusion
device mps # LSI-Logic MPT-Fusion 2
device mpr # LSI-Logic MPT-Fusion 3
#device ncr # NCR/Symbios Logic
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr')
device trm # Tekram DC395U/UW/F DC315U adapters
device isci # Intel C600 SAS controller
device ocs_fc # Emulex FC adapters
# ATA/SCSI peripherals
device scbus # SCSI bus (required for ATA/SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct ATA/SCSI access)
device ses # Enclosure Services (SES and SAF-TE)
#device ctl # CAM Target Layer
# RAID controllers interfaced to the SCSI subsystem
#device amr # AMI MegaRAID
#device arcmsr # Areca SATA II RAID
#device ciss # Compaq Smart RAID 5*
#device dpt # DPT Smartcache III, IV - See NOTES for options
#device hptmv # Highpoint RocketRAID 182x
#device hptnr # Highpoint DC7280, R750
#device hptrr # Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
#device hpt27xx # Highpoint RocketRAID 27xx
#device iir # Intel Integrated RAID
#device ips # IBM (Adaptec) ServeRAID
#device mly # Mylex AcceleRAID/eXtremeRAID
#device twa # 3ware 9000 series PATA/SATA RAID
#device smartpqi # Microsemi smartpqi driver
#device tws # LSI 3ware 9750 SATA+SAS 6Gb/s RAID controller
# RAID controllers
#device aac # Adaptec FSA RAID
#device aacp # SCSI passthrough for aac (requires CAM)
#device aacraid # Adaptec by PMC RAID
#device ida # Compaq Smart RAID
#device mfi # LSI MegaRAID SAS
#device mlx # Mylex DAC960 family
#device mrsas # LSI/Avago MegaRAID SAS/SATA, 6Gb/s and 12Gb/s
#device pmspcv # PMC-Sierra SAS/SATA Controller driver
##XXX pointer/int warnings
##device pst # Promise Supertrak SX6000
#device twe # 3ware ATA RAID
# NVM Express (NVMe) support
device nvme # base NVMe driver
device nvd # expose NVMe namespaces as disks, depends on nvme
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
options VESA # Add support for VESA BIOS Extensions (VBE)
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
options SC_PIXEL_MODE # add support for the raster text mode
# vt is the new video console driver
device vt
device vt_vga
device vt_efifb
device agp # support several AGP chipsets
# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device cbb # cardbus (yenta) bridge
#device pccard # PC Card (16-bit) bus
#device cardbus # CardBus (32-bit) bus
# Serial (COM) ports
device uart # Generic UART driver
# Parallel port
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
device ppi # Parallel port interface device
#device vpo # Requires scbus and da
device puc # Multi I/O cards and multi-channel UARTs
# PCI Ethernet NICs.
device bxe # Broadcom NetXtreme II BCM5771X/BCM578XX 10GbE
device de # DEC/Intel DC21x4x (``Tulip'')
device em # Intel PRO/1000 Gigabit Ethernet Family
device ix # Intel PRO/10GbE PCIE PF Ethernet
device ixv # Intel PRO/10GbE PCIE VF Ethernet
device ixl # Intel 700 Series Physical Function
device iavf # Intel Adaptive Virtual Function
device le # AMD Am7900 LANCE and Am79C9xx PCnet
device ti # Alteon Networks Tigon I/II gigabit Ethernet
device txp # 3Com 3cR990 (``Typhoon'')
device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
#device ae # Attansic/Atheros L2 FastEthernet
#device age # Attansic/Atheros L1 Gigabit Ethernet
#device alc # Atheros AR8131/AR8132 Ethernet
#device ale # Atheros AR8121/AR8113/AR8114 Ethernet
#device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
#device bfe # Broadcom BCM440x 10/100 Ethernet
#device bge # Broadcom BCM570xx Gigabit Ethernet
#device cas # Sun Cassini/Cassini+ and NS DP83065 Saturn
#device dc # DEC/Intel 21143 and various workalikes
#device et # Agere ET1310 10/100/Gigabit Ethernet
#device fxp # Intel EtherExpress PRO/100B (82557, 82558)
#device gem # Sun GEM/Sun ERI/Apple GMAC
#device hme # Sun HME (Happy Meal Ethernet)
#device jme # JMicron JMC250 Gigabit/JMC260 Fast Ethernet
#device lge # Level 1 LXT1001 gigabit Ethernet
#device msk # Marvell/SysKonnect Yukon II Gigabit Ethernet
#device nfe # nVidia nForce MCP on-board Ethernet
#device nge # NatSemi DP83820 gigabit Ethernet
#device pcn # AMD Am79C97x PCI 10/100 (precedence over 'le')
#device re # RealTek 8139C+/8169/8169S/8110S
#device rl # RealTek 8129/8139
#device sf # Adaptec AIC-6915 (``Starfire'')
#device sge # Silicon Integrated Systems SiS190/191
#device sis # Silicon Integrated Systems SiS 900/SiS 7016
#device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
#device ste # Sundance ST201 (D-Link DFE-550TX)
#device stge # Sundance/Tamarack TC9021 gigabit Ethernet
#device tl # Texas Instruments ThunderLAN
#device tx # SMC EtherPower II (83c170 ``EPIC'')
#device vge # VIA VT612x gigabit Ethernet
#device vr # VIA Rhine, Rhine II
#device wb # Winbond W89C840F
#device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# Wireless NIC cards
device wlan # 802.11 support
options IEEE80211_DEBUG # enable debug msgs
options IEEE80211_AMPDU_AGE # age frames in AMPDU reorder q's
options IEEE80211_SUPPORT_MESH # enable 802.11s draft support
device wlan_wep # 802.11 WEP support
device wlan_ccmp # 802.11 CCMP support
device wlan_tkip # 802.11 TKIP support
device wlan_amrr # AMRR transmit rate control algorithm
#device an # Aironet 4500/4800 802.11 wireless NICs.
#device ath # Atheros NICs
#device ath_pci # Atheros pci/cardbus glue
#device ath_hal # pci/cardbus chip support
#options AH_SUPPORT_AR5416 # enable AR5416 tx/rx descriptors
#options AH_AR5416_INTERRUPT_MITIGATION # AR5416 interrupt mitigation
#options ATH_ENABLE_11N # Enable 802.11n support for AR5416 and later
#device ath_rate_sample # SampleRate tx rate control for ath
##device bwi # Broadcom BCM430x/BCM431x wireless NICs.
##device bwn # Broadcom BCM43xx wireless NICs.
#device ipw # Intel 2100 wireless NICs.
#device iwi # Intel 2200BG/2225BG/2915ABG wireless NICs.
#device iwn # Intel 4965/1000/5000/6000 wireless NICs.
#device malo # Marvell Libertas wireless NICs.
#device mwl # Marvell 88W8363 802.11n wireless NICs.
#device ral # Ralink Technology RT2500 wireless NICs.
#device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device wpi # Intel 3945ABG wireless NICs.
# Pseudo devices.
device crypto # core crypto support
device loop # Network loopback
device random # Entropy device
device padlock_rng # VIA Padlock RNG
device rdrand_rng # Intel Bull Mountain RNG
device ether # Ethernet support
device vlan # 802.1Q VLAN support
device tun # Packet tunnel.
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device firmware # firmware assist module
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter
# USB support
options USB_DEBUG # enable debug msgs
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device xhci # XHCI PCI->USB interface (USB 3.0)
device usb # USB Bus (required)
device ukbd # Keyboard
device umass # Disks/Mass storage - Requires scbus and da
# Sound support
device sound # Generic sound driver (required)
device snd_cmi # CMedia CMI8338/CMI8738
device snd_csa # Crystal Semiconductor CS461x/428x
device snd_emu10kx # Creative SoundBlaster Live! and Audigy
device snd_es137x # Ensoniq AudioPCI ES137x
device snd_hda # Intel High Definition Audio
device snd_ich # Intel, NVidia and other ICH AC'97 Audio
device snd_via8233 # VIA VT8233x Audio
# MMC/SD
device mmc # MMC/SD bus
device mmcsd # MMC/SD memory card
device sdhci # Generic PCI SD Host Controller
# VirtIO support
device virtio # Generic VirtIO bus (required)
device virtio_pci # VirtIO PCI device
device vtnet # VirtIO Ethernet device
device virtio_blk # VirtIO Block device
device virtio_scsi # VirtIO SCSI device
device virtio_balloon # VirtIO Memory Balloon device
# HyperV drivers and enhancement support
device hyperv # HyperV drivers
# Xen HVM Guest Optimizations
# NOTE: XENHVM depends on xenpci. They must be added or removed together.
options XENHVM # Xen HVM kernel infrastructure
device xenpci # Xen HVM Hypervisor services driver
# VMware support
device vmx # VMware VMXNET3 Ethernet
# Netmap provides direct access to TX/RX rings on supported NICs
device netmap # netmap(4) support
###################################################################
# IPF KERNEL
###################################################################
options IPFILTER
options IPFILTER_LOG
options IPFILTER_LOOKUP
options IPFILTER_DEFAULT_BLOCK
##############################################
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_PPPOE
options NETGRAPH_SOCKET
###################################################################
QQ discussion group: 236201801