Installing FreeBSD 12: enabling SSH access, building the IPF firewall into the kernel (kernel compilation)

Contents

Overview

Installing FreeBSD

Enabling SSH login

Configuring the IPF firewall

Compiling the kernel


Overview

FreeBSD is an excellent UNIX operating system. This article describes how to build a firewall on FreeBSD and how to compile the kernel. FreeBSD ships with three firewalls, PF, IPF and IPFW, each with its own characteristics; this article uses IPF as the example, covering both the configuration files and the kernel build.

Installing FreeBSD

This installation uses the DVD image. Accept the default first item and press Enter to start the installer.
Other media differ: the CD installation needs two discs, and a USB/network installation needs network access.

Choose Install to continue.

Choose the default keymap.

Enter a hostname.

The kernel will be compiled later, so both ports and src are checked here.
If you would rather fetch ports and src from the network afterwards, that works too: after the installation, reboot to the command prompt and run portsnap fetch extract to refresh ports and src.

Choose the partitioning method; the default is Auto (UFS).

Confirm installing FreeBSD on da0.

The installer warns that partitioning will erase the existing data on this disk.

Below 2G choose MBR, otherwise choose GPT.

The recommended partition layout; adjust it manually if necessary.

Commit starts writing to the disk; Back cancels (once you Commit, the disk's existing data is overwritten).

Installing…

Once the files are installed, set the initial root password.

Select a network interface to configure.

Whether to configure IPv4.

Choose No for manual configuration, otherwise choose DHCP.

Manual IP configuration: fill in the values for your network. When this machine will be the gateway firewall, leave the third field, Default Router, empty.

Given the ISP situation, IPv6 does not need to be configured for now.

Set DNS according to the information provided by your local ISP.

Select the time zone.

Choose according to your location.

Set the date and time.

Choose whether to synchronise the system clock; if you run a VPN or similar encryption software, it is best to enable time synchronisation.

Some security options; select as appropriate.

Do not add users for now.

Choose Exit to apply the configuration and leave the installer; this takes a few seconds.

There is no need to enter a shell; choose No to continue exiting.

If the optical drive boots first, remember to remove the disc, then press Enter and FreeBSD will reboot.

The boot screen and login prompt of the installed system.

Log in as root with the password just set.

Enabling SSH login

Edit /etc/rc.conf and add:

sshd_enable="YES"

To allow root to log in over SSH (not recommended on a multi-user system), open or add the following option in /etc/ssh/sshd_config; the system must be restarted after the change.

PermitRootLogin yes
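Editing these two files by hand is fine on one box, but a script that applies the same settings to several gateways should be idempotent, and it helps to know which of several conflicting lines actually wins: rc.conf is sourced as a shell script, so the last assignment of a variable is the effective one, whereas sshd(8) uses the first occurrence of each keyword. The POSIX sh helpers below are an added example, not code from the original post; they operate on constructed copies of the two files in a temporary directory, never on the real /etc files.

```sh
#!/bin/sh
# Added example: idempotent rc.conf edits and an sshd_config "effective value" lookup.
# Works against constructed copies in a temp dir, never the real /etc files.

# set_rc_var FILE KEY VALUE: rewrite an existing KEY=... line, or append one,
# so repeated runs never leave duplicate assignments behind.
set_rc_var() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*${key}=" "$file"; then
        tmp="${file}.tmp.$$"
        # sed -i differs between FreeBSD and GNU, so write via a temp file
        sed "s|^[[:space:]]*${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# rc_var FILE KEY: print the effective value. rc.conf is sourced by rc(8),
# so if a key appears more than once the LAST assignment wins.
rc_var() {
    grep -E "^[[:space:]]*${2}=" "$1" | tail -n 1 | sed -E 's/^[^=]*=//; s/^"(.*)"$/\1/'
}

# sshd_option FILE KEYWORD: print the effective value. sshd_config is the
# opposite of rc.conf: the FIRST occurrence of a keyword wins, which is why a
# "PermitRootLogin yes" appended at the end of the file may have no effect.
# Match blocks are not interpreted; the search stops at the first "Match".
sshd_option() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# --- constructed sample files (stand-ins for /etc/rc.conf and /etc/ssh/sshd_config)
WORK=$(mktemp -d)
RC="$WORK/rc.conf"
SSHD="$WORK/sshd_config"
printf 'hostname="gw"\nsshd_enable="NO"\n' > "$RC"
printf '#PermitRootLogin prohibit-password\nPermitRootLogin no\nPermitRootLogin yes\n' > "$SSHD"

set_rc_var "$RC" sshd_enable YES        # existing key: rewritten in place
set_rc_var "$RC" ipfilter_enable YES    # new key: appended
set_rc_var "$RC" sshd_enable YES        # second run: still exactly one line

echo "sshd_enable     -> $(rc_var "$RC" sshd_enable)"
echo "ipfilter_enable -> $(rc_var "$RC" ipfilter_enable)"
echo "PermitRootLogin -> $(sshd_option "$SSHD" PermitRootLogin)   (first occurrence wins)"
```

The sshd_config sample deliberately carries a commented default, a "no" and a trailing "yes": the lookup reports "no", which is what sshd will enforce, so a line appended at the bottom of a stock sshd_config has to be checked against any earlier occurrence of the same keyword.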

Configuring the IPF firewall

The firewall is configured before it takes effect because once the kernel has been built and installed, SSH will no longer be reachable; when working at the local console this does not matter.

Add the ipf startup entries to /etc/rc.conf. They cover both IPF and NAT: IPF provides the packet filtering and is configured in /etc/ipf.rules; NAT provides address translation, which the LAN relies on for Internet access, and is configured in /etc/ipnat.rules.

Add the following to rc.conf to enable ipf and ipnat:

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dsn"
# ---------------------------------------
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
#----------------------------------------------------------------------

Firewall configuration file /etc/ipf.rules

#=======================================================================================
# 2016/4/21
# 
# How IPF evaluates rules:
# rules are checked from top to bottom; a rule carrying "quick" ends the search as soon
# as it matches, so later conflicting rules are ignored and the first quick match wins.
#=======================================================================================
#	Intranet device / lan
#	em0="192.168.1.1"
#	Internet device /
#	em1=""
#	tun0="dhcp"
#
# Reload ipf by hand with:
# ipf -Fa -f /etc/ipf.rules
#---------------------------------------------------------------------------------------

# The kernel is built with IPFILTER_DEFAULT_BLOCK, so everything is denied by default
# and these two rules are redundant
#block in all
#block out all

# loopback (fully open)
pass in on lo0 all
pass out on lo0 all
# NIC (fully open)
pass in on em0 all
pass out on em0 all
# NIC (fully open)
pass in on em1 all
pass out on em1 all

# PPTP (outbound open, inbound blocked)
pass out on tun0 all
#pass in on tun0 all
# PPTP VPN
#pass out on tun1 all
#pass in on tun1 all
#---------------------------------------------------------------------------------------

#---------------------------------------------------------------------------------------
# loopback
#----------------------------------------------------------------
pass in  quick on lo0 proto tcp from any to any flags S keep state
pass out quick on lo0 proto tcp from any to any flags S keep state
pass in  quick on lo0 proto udp from any to any keep state
pass out quick on lo0 proto udp from any to any keep state
#----------------------------------------------------------------
pass in  quick on lo0 proto icmp all
pass out quick on lo0 proto icmp all
#----------------------------------------------------------------

#---------------------------------------------------------------------------------------
# link to pppoe device
#----------------------------------------------------------------
pass in  quick on em1 proto tcp from any to any flags S keep state
pass out quick on em1 proto tcp from any to any flags S keep state
pass in  quick on em1 proto udp from any to any keep state
pass out quick on em1 proto udp from any to any keep state
#----------------------------------------------------------------
pass in  quick on em1 proto icmp all
pass out quick on em1 proto icmp all
#----------------------------------------------------------------

#---------------------------------------------------------------------------------------
# lan
#----------------------------------------------------------------
pass in  quick on em0 proto tcp from any to any flags S keep state
pass out quick on em0 proto tcp from any to any flags S keep state
pass in  quick on em0 proto udp from any to any keep state
pass out quick on em0 proto udp from any to any keep state
#----------------------------------------------------------------
pass in  quick on em0 proto icmp all
pass out quick on em0 proto icmp all
#----------------------------------------------------------------

#---------------------------------------------------------------------------------------
# tun0 (PPPoE dial-up)
# outbound unrestricted, inbound stays blocked
#----------------------------------------------------------------
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
#pass in  quick on tun0 proto tcp from any to any flags S keep state
#pass in  quick on tun0 proto udp from any to any keep state
#----------------------------------------------------------------
# allow some ICMP (ping) through in both directions
pass out quick on tun0 proto icmp all
#pass in  quick on tun0 proto icmp all
pass in quick on tun0 proto icmp from any to any icmp-type 0
pass in quick on tun0 proto icmp from any to any icmp-type 8
#----------------------------------------------------------------

#----------------------------------------------------------------
# tun0 allow pptp (success)
#----------------------------------------------------------------
#pass out quick on tun0 proto tcp from any to any port = 1723 flags S keep state
#----------------------------------------------------------------
pass out proto gre from any to any keep state
pass in  proto gre from any to any keep state
#----------------------------------------------------------------

#----------------------------------------------------------------
# tun0 allow  income
#----------------------------------------------------------------
pass in quick on tun0 proto udp from any to any port = 1194 keep state
#----------------------------------------------------------------

#----------------------------------------------------------------
# tun0 allow https income
#----------------------------------------------------------------
pass in quick on tun0 proto tcp from any to any port = 443 keep state
#----------------------------------------------------------------

#---------------------------------------------------------------------------------------
# tun1 (if present)
#----------------------------------------------------------------
pass in  quick on tun1 proto tcp from any to any flags S keep state
pass out quick on tun1 proto tcp from any to any flags S keep state
pass in  quick on tun1 proto udp from any to any keep state
pass out quick on tun1 proto udp from any to any keep state
#----------------------------------------------------------------
pass in quick on tun1 proto icmp all
pass out quick on tun1 proto icmp all
#----------------------------------------------------------------



#---------------------------------------------------------------------------------------

NAT configuration /etc/ipnat.rules

#-------------------------------------------------------------------
# Reload NAT from the command line with:
# ipnat -CF -f /etc/ipnat.rules
#-------------------------------------------------------------------

# Address translation
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
# This one handles all non-FTP traffic coming from the LAN
map tun0 192.168.1.0/24 -> 0/32
# FTP access from the LAN
map tun0 192.168.1.0/24 -> 0/32 proxy port 21 ftp/tcp
# FTP access from the gateway itself
map tun0 0.0.0.0/0       -> 0/32 proxy port 21 ftp/tcp

# PPTP (port 1723) dial-out to a remote site requires the GRE protocol to be passed
map tun0 0.0.0.0/0 -> 192.168.1.0/24 gre
map tun0 192.168.1.0/24 -> 0.0.0.0/0 gre

#-------------------------------------------------------------------
# Port forwarding, enable when needed
# The matching pass rule must also be added to the ipf.rules firewall configuration
#-------------------------------------------------------------------
rdr tun0 0.0.0.0/0 port 443 -> 192.168.1.100 port 443
#rdr tun0 0.0.0.0/0 port 80 -> 192.168.1.102 port 80
#-------------------------------------------------------------------
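The comment above says every rdr needs a matching pass rule in ipf.rules. A forgotten pass means the forwarded port silently never reaches the inside host, and it is just as useful to know which inbound ports on the external interface are forwarded and which terminate on the gateway itself. The script below cross-checks the two files in both of those ways. It is an added example, not part of the original post: the two files it reads are constructed stand-ins in a temporary directory, not the real /etc/ipnat.rules and /etc/ipf.rules, and it only understands the rule shapes used in this article (rdr <if> <src> port <n> -> <host> port <m>, and pass in [quick] on <if> ... port = <n>).

```sh
#!/bin/sh
# Added example: cross-check /etc/ipnat.rules port forwards against /etc/ipf.rules.
# Only the rule shapes used in this article are parsed:
#   rdr  <if> <src> port <n> -> <host> port <m>
#   pass in [quick] on <if> proto <p> from any to any port = <n> ...
# The files below are constructed stand-ins, not the real /etc files.

# active_rdrs NATFILE: print "<if> <port> <target>" for each uncommented rdr rule
active_rdrs() {
    awk '$1 == "rdr" && $4 == "port" { print $2, $5, $7 ":" $9 }' "$1"
}

# has_pass_in RULES IF PORT: succeed if an uncommented inbound pass rule exists
# on interface IF for destination PORT
has_pass_in() {
    grep -Eq "^[[:space:]]*pass[[:space:]]+in([[:space:]]+quick)?[[:space:]]+on[[:space:]]+$2[[:space:]].*port[[:space:]]*=[[:space:]]*$3([[:space:]]|\$)" "$1"
}

# missing_pass NATFILE RULES: print "<if> <port> <target>" for every rdr whose
# forwarded port is never let in by the filter (such a forward cannot work)
missing_pass() {
    active_rdrs "$1" | while read -r iface port target; do
        has_pass_in "$2" "$iface" "$port" || echo "$iface $port $target"
    done
}

# inbound_ports RULES IF: print the destination ports the filter lets in on IF
inbound_ports() {
    awk -v ifc="$2" '
        $1 == "pass" && $2 == "in" {
            on = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "on" && $(i+1) == ifc) on = 1
                if (on && $i == "port" && $(i+1) == "=") print $(i+2)
            }
        }' "$1"
}

# exposure NATFILE RULES IF: for each inbound port on IF, say whether it is
# forwarded to an inside host or terminates on the gateway itself
exposure() {
    inbound_ports "$2" "$3" | sort -n | uniq | while read -r port; do
        target=$(active_rdrs "$1" | awk -v i="$3" -v p="$port" '$1 == i && $2 == p { print $3 }')
        if [ -n "$target" ]; then
            echo "$port forwarded-to $target"
        else
            echo "$port local-service"
        fi
    done
}

# --- constructed sample files
WORK=$(mktemp -d)
NAT="$WORK/ipnat.rules"
RULES="$WORK/ipf.rules"
cat > "$NAT" <<'EOF'
map tun0 192.168.1.0/24 -> 0/32
rdr tun0 0.0.0.0/0 port 443 -> 192.168.1.100 port 443
rdr tun0 0.0.0.0/0 port 8443 -> 192.168.1.101 port 443
#rdr tun0 0.0.0.0/0 port 80 -> 192.168.1.102 port 80
EOF
cat > "$RULES" <<'EOF'
pass in quick on tun0 proto udp from any to any port = 1194 keep state
pass in quick on tun0 proto tcp from any to any port = 443 keep state
#pass in quick on tun0 proto tcp from any to any port = 80 keep state
EOF

echo "rdr rules with no matching pass in:"
missing_pass "$NAT" "$RULES"          # 8443 is forwarded but never let in
echo "inbound exposure on tun0:"
exposure "$NAT" "$RULES" tun0
```

Run against the real files with NAT=/etc/ipnat.rules and RULES=/etc/ipf.rules after every change to either one; the exposure listing is also a quick way to confirm that nothing beyond the intended ports (here 443 forwarded, 1194 for the VPN on the gateway) is reachable from the PPPoE side.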

Compiling the kernel

A custom kernel build lets you tune the kernel. The default GENERIC kernel is better suited to development than to production: it enables every driver and carries debug information. Building your own kernel lets you drop drivers you don't need and strip the debug information, which improves execution efficiency and reduces memory use.

Compiling the firewall into the kernel is more efficient. Choose the kernel configuration template for the host CPU: kernel configurations live under /usr/src/sys, for amd64 (64-bit) CPUs in /usr/src/sys/amd64/conf and for i386 (32-bit) CPUs in /usr/src/sys/i386/conf. Each directory holds a GENERIC file, the generic configuration. Enter the directory for your CPU and copy GENERIC to a new file with any name you like.

Copy GENERIC to a file named zero. GENERIC is the default kernel configuration file; zero will be the configuration file for the new kernel.

cd /usr/src/sys/amd64/conf
cp GENERIC zero

The new file zero is now visible.

Edit zero with vi or ee and append the following IPF firewall options at the end:

options IPFILTER
options IPFILTER_LOG
options IPFILTER_LOOKUP
options IPFILTER_DEFAULT_BLOCK

If you need kernel support for PPPoE, PPTP, VPN and the like, add these options to the configuration as well:

options   NETGRAPH
options   NETGRAPH_ETHER
options   NETGRAPH_PPPOE
options   NETGRAPH_SOCKET

If you don't need to debug the kernel (no kernel development), disable the following options by putting a # in front of them to comment them out:

#makeoptions    DEBUG=-g                # Build kernel with gdb(1) debug symbols
#makeoptions    WITH_CTF=1              # Run ctfconvert(1) for DTrace support

#options        KDB                     # Enable kernel debugger support.
#options        KDB_TRACE               # Print a stack trace for a panic.

You must also change the ident value in the configuration to match the name of the newly copied file.

You can also disable drivers you don't use, such as RAID drivers (usually unnecessary on a PC) and unused NIC drivers; my configuration is attached at the end of the article.

Once everything is ready, the kernel build can start. If the configuration is wrong, the build is aborted when it starts or while it runs, with an appropriate message.

The whole build takes a long time, from about 20 minutes to several hours depending on CPU and disk performance.

After the build, and before installing the new kernel, be sure to back up the old kernel. Then if the new kernel misbehaves you can still boot the old one, fix the configuration and rebuild. The commands below call mv to back up the old kernel; you can keep several backups, each in its own directory.

# change to /usr/src
cd /usr/src

# build the kernel; KERNCONF names the configuration file
make buildkernel KERNCONF=zero

# back up the old kernel to the GENERIC directory (if the new kernel fails to boot
# you can still recover; keeping at least one known-good kernel is a good habit)
mv /boot/kernel /boot/GENERIC

# install the new kernel; KERNCONF names the configuration file
make installkernel KERNCONF=zero

# reboot the system
reboot
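The sequence above is easy to get wrong in exactly the ways this section warns about: an ident that no longer matches the file name, a forgotten IPFILTER option that leaves the new kernel without the firewall it was built for, or an mv /boot/kernel /boot/GENERIC that overwrites a backup taken on an earlier rebuild. The script below runs those checks before anything is built and only then issues the build, backup and install commands. It is an added example, not from the original post. It assumes the layout used in this article (/usr/src, a config directory such as /usr/src/sys/amd64/conf, a config named zero) and, when DRYRUN=1, prints the privileged commands instead of running them, which is how it is exercised here on a constructed config file.

```sh
#!/bin/sh
# Added example: sanity-check a kernel config before "make buildkernel", then
# build, back up the running kernel and install, refusing to overwrite an
# earlier backup. DRYRUN=1 prints the privileged commands instead of running them.

# check_kernconf CONF_PATH: verify ident matches the file name and that the
# options this article relies on are present (uncommented). Prints each
# problem found and returns 1 if there were any.
check_kernconf() {
    conf="$1"
    name=$(basename "$conf")
    rc=0
    ident=$(awk '$1 == "ident" { print $2; exit }' "$conf")
    if [ "$ident" != "$name" ]; then
        echo "ident is '$ident' but file is '$name'"; rc=1
    fi
    for opt in IPFILTER IPFILTER_LOG IPFILTER_DEFAULT_BLOCK NETGRAPH NETGRAPH_PPPOE; do
        grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|#|\$)" "$conf" \
            || { echo "missing: options $opt"; rc=1; }
    done
    # debug settings the article comments out for a production kernel
    for dbg in "makeoptions DEBUG" "options KDB"; do
        grep -Eq "^[[:space:]]*${dbg%% *}[[:space:]]+${dbg##* }([[:space:]=]|\$)" "$conf" \
            && echo "note: $dbg is still enabled"
    done
    return $rc
}

# run CMD...: execute, or just print the command when DRYRUN=1
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# build_kernel NAME BACKUP_DIR [CONFDIR]: the article's build/backup/install
# sequence, guarded by the config check and by a backup-directory check
build_kernel() {
    kern="$1"; backup="$2"; confdir="${3:-/usr/src/sys/amd64/conf}"
    check_kernconf "$confdir/$kern" || return 1
    # never clobber an earlier backup: a known-good old kernel is the recovery path
    if [ "${DRYRUN:-0}" != "1" ] && [ -e "$backup" ]; then
        echo "backup dir $backup already exists; choose another name"; return 1
    fi
    run make -C /usr/src buildkernel KERNCONF="$kern" || return 1
    run mv /boot/kernel "$backup" || return 1
    run make -C /usr/src installkernel KERNCONF="$kern"
}

# --- constructed sample config (a trimmed stand-in for the real zero file)
WORK=$(mktemp -d)
cat > "$WORK/zero" <<'EOF'
cpu		HAMMER
ident		zero
#makeoptions	DEBUG=-g
options 	IPFILTER
options 	IPFILTER_LOG
options 	IPFILTER_LOOKUP
options 	IPFILTER_DEFAULT_BLOCK
options 	NETGRAPH
options 	NETGRAPH_PPPOE
EOF
# a copy whose ident was not updated after copying GENERIC
sed 's/^ident.*/ident GENERIC/' "$WORK/zero" > "$WORK/bad"

echo "== checking $WORK/zero"; check_kernconf "$WORK/zero" && echo "ok"
echo "== checking $WORK/bad";  check_kernconf "$WORK/bad" || echo "rejected"
echo "== dry run of the build sequence"
DRYRUN=1
build_kernel zero /boot/GENERIC "$WORK"
```

On a real host, run it without DRYRUN and with the default config directory: build_kernel zero /boot/GENERIC. A second rebuild later should be given a fresh backup name (for instance /boot/kernel.zero1), which is what the existence check enforces.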

Kernel build complete.

Kernel installed; enter reboot to restart the system.

Below is the configuration I use, with RAID and some older NICs disabled; if you need RAID support, re-enable it in the configuration.

#
# GENERIC -- Generic kernel configuration file for FreeBSD/amd64
#
# For more information on this file, please read the config(5) manual page,
# and/or the handbook section on Kernel Configuration Files:
#
#    https://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (https://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: releng/12.0/sys/amd64/conf/GENERIC 339704 2018-10-25 05:18:25Z imp $

cpu		HAMMER
ident		zero

#makeoptions	DEBUG=-g		# Build kernel with gdb(1) debug symbols
#makeoptions	WITH_CTF=1		# Run ctfconvert(1) for DTrace support

options 	SCHED_ULE		# ULE scheduler
options 	NUMA			# Non-Uniform Memory Architecture support
options 	PREEMPTION		# Enable kernel thread preemption
options 	VIMAGE			# Subsystem virtualization, e.g. VNET
options 	INET			# InterNETworking
options 	INET6			# IPv6 communications protocols
options 	IPSEC			# IP (v4/v6) security
options 	IPSEC_SUPPORT		# Allow kldload of ipsec and tcpmd5
options 	TCP_OFFLOAD		# TCP offload
options 	TCP_BLACKBOX		# Enhanced TCP event logging
options 	TCP_HHOOK		# hhook(9) framework for TCP
options		TCP_RFC7413		# TCP Fast Open
options 	SCTP			# Stream Control Transmission Protocol
options 	FFS			# Berkeley Fast Filesystem
options 	SOFTUPDATES		# Enable FFS soft updates support
options 	UFS_ACL			# Support for access control lists
options 	UFS_DIRHASH		# Improve performance on big directories
options 	UFS_GJOURNAL		# Enable gjournal-based UFS journaling
options 	QUOTA			# Enable disk quotas for UFS
options 	MD_ROOT			# MD is a potential root device
options 	NFSCL			# Network Filesystem Client
options 	NFSD			# Network Filesystem Server
options 	NFSLOCKD		# Network Lock Manager
options 	NFS_ROOT		# NFS usable as /, requires NFSCL
options 	MSDOSFS			# MSDOS Filesystem
options 	CD9660			# ISO 9660 Filesystem
options 	PROCFS			# Process filesystem (requires PSEUDOFS)
options 	PSEUDOFS		# Pseudo-filesystem framework
options 	GEOM_RAID		# Soft RAID functionality.
options 	GEOM_LABEL		# Provides labelization
options 	EFIRT			# EFI Runtime Services support
options 	COMPAT_FREEBSD32	# Compatible with i386 binaries
options 	COMPAT_FREEBSD4		# Compatible with FreeBSD4
options 	COMPAT_FREEBSD5		# Compatible with FreeBSD5
options 	COMPAT_FREEBSD6		# Compatible with FreeBSD6
options 	COMPAT_FREEBSD7		# Compatible with FreeBSD7
options 	COMPAT_FREEBSD9		# Compatible with FreeBSD9
options 	COMPAT_FREEBSD10	# Compatible with FreeBSD10
options 	COMPAT_FREEBSD11	# Compatible with FreeBSD11
options 	SCSI_DELAY=5000		# Delay (in ms) before probing SCSI
options 	KTRACE			# ktrace(1) support
options 	STACK			# stack(9) support
options 	SYSVSHM			# SYSV-style shared memory
options 	SYSVMSG			# SYSV-style message queues
options 	SYSVSEM			# SYSV-style semaphores
options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options 	PRINTF_BUFR_SIZE=128	# Prevent printf output being interspersed.
options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
options 	HWPMC_HOOKS		# Necessary kernel hooks for hwpmc(4)
options 	AUDIT			# Security event auditing
options 	CAPABILITY_MODE		# Capsicum capability mode
options 	CAPABILITIES		# Capsicum capabilities
options 	MAC			# TrustedBSD MAC Framework
options 	KDTRACE_FRAME		# Ensure frames are compiled in
options 	KDTRACE_HOOKS		# Kernel DTrace hooks
options 	DDB_CTF			# Kernel ELF linker loads CTF data
options 	INCLUDE_CONFIG_FILE	# Include this file in kernel
options 	RACCT			# Resource accounting framework
options 	RACCT_DEFAULT_TO_DISABLED # Set kern.racct.enable=0 by default
options 	RCTL			# Resource limits

# Debugging support.  Always need this:
#options 	KDB			# Enable kernel debugger support.
#options 	KDB_TRACE		# Print a stack trace for a panic.

# Kernel dump features.
options 	EKCD			# Support for encrypted kernel dumps
options 	GZIO			# gzip-compressed kernel and user dumps
options 	ZSTDIO			# zstd-compressed kernel and user dumps
options 	NETDUMP			# netdump(4) client support

# Make an SMP-capable kernel by default
options 	SMP			# Symmetric MultiProcessor Kernel
options 	EARLY_AP_STARTUP

# CPU frequency control
device		cpufreq

# Bus support.
device		acpi
options 	ACPI_DMAR
device		pci
options 	PCI_HP			# PCI-Express native HotPlug
options		PCI_IOV			# PCI SR-IOV support

# Floppy drives
device		fdc

# ATA controllers
device		ahci			# AHCI-compatible SATA controllers
device		ata			# Legacy ATA/SATA controllers
device		mvs			# Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
device		siis			# SiliconImage SiI3124/SiI3132/SiI3531 SATA

# SCSI Controllers
device		ahc			# AHA2940 and onboard AIC7xxx devices
device		ahd			# AHA39320/29320 and onboard AIC79xx devices
device		esp			# AMD Am53C974 (Tekram DC-390(T))
device		hptiop			# Highpoint RocketRaid 3xxx series
device		isp			# Qlogic family
#device		ispfw			# Firmware for QLogic HBAs- normally a module
device		mpt			# LSI-Logic MPT-Fusion
device		mps			# LSI-Logic MPT-Fusion 2
device		mpr			# LSI-Logic MPT-Fusion 3
#device		ncr			# NCR/Symbios Logic
device		sym			# NCR/Symbios Logic (newer chipsets + those of `ncr')
device		trm			# Tekram DC395U/UW/F DC315U adapters
device		isci			# Intel C600 SAS controller
device		ocs_fc			# Emulex FC adapters

# ATA/SCSI peripherals
device		scbus			# SCSI bus (required for ATA/SCSI)
device		ch			# SCSI media changers
device		da			# Direct Access (disks)
device		sa			# Sequential Access (tape etc)
device		cd			# CD
device		pass			# Passthrough device (direct ATA/SCSI access)
device		ses			# Enclosure Services (SES and SAF-TE)
#device		ctl			# CAM Target Layer

# RAID controllers interfaced to the SCSI subsystem
#device		amr			# AMI MegaRAID
#device		arcmsr			# Areca SATA II RAID
#device		ciss			# Compaq Smart RAID 5*
#device		dpt			# DPT Smartcache III, IV - See NOTES for options
#device		hptmv			# Highpoint RocketRAID 182x
#device		hptnr			# Highpoint DC7280, R750
#device		hptrr			# Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
#device		hpt27xx			# Highpoint RocketRAID 27xx
#device		iir			# Intel Integrated RAID
#device		ips			# IBM (Adaptec) ServeRAID
#device		mly			# Mylex AcceleRAID/eXtremeRAID
#device		twa			# 3ware 9000 series PATA/SATA RAID
#device		smartpqi		# Microsemi smartpqi driver
#device		tws			# LSI 3ware 9750 SATA+SAS 6Gb/s RAID controller

# RAID controllers
#device		aac			# Adaptec FSA RAID
#device		aacp			# SCSI passthrough for aac (requires CAM)
#device		aacraid			# Adaptec by PMC RAID
#device		ida			# Compaq Smart RAID
#device		mfi			# LSI MegaRAID SAS
#device		mlx			# Mylex DAC960 family
#device		mrsas			# LSI/Avago MegaRAID SAS/SATA, 6Gb/s and 12Gb/s
#device		pmspcv			# PMC-Sierra SAS/SATA Controller driver
##XXX pointer/int warnings
##device		pst			# Promise Supertrak SX6000
#device		twe			# 3ware ATA RAID

# NVM Express (NVMe) support
device		nvme			# base NVMe driver
device		nvd			# expose NVMe namespaces as disks, depends on nvme

# atkbdc0 controls both the keyboard and the PS/2 mouse
device		atkbdc			# AT keyboard controller
device		atkbd			# AT keyboard
device		psm			# PS/2 mouse

device		kbdmux			# keyboard multiplexer

device		vga			# VGA video card driver
options 	VESA			# Add support for VESA BIOS Extensions (VBE)

device		splash			# Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device		sc
options 	SC_PIXEL_MODE		# add support for the raster text mode

# vt is the new video console driver
device		vt
device		vt_vga
device		vt_efifb

device		agp			# support several AGP chipsets

# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device		cbb			# cardbus (yenta) bridge
#device		pccard			# PC Card (16-bit) bus
#device		cardbus			# CardBus (32-bit) bus

# Serial (COM) ports
device		uart			# Generic UART driver

# Parallel port
device		ppc
device		ppbus			# Parallel port bus (required)
device		lpt			# Printer
device		ppi			# Parallel port interface device
#device		vpo			# Requires scbus and da

device		puc			# Multi I/O cards and multi-channel UARTs

# PCI Ethernet NICs.
device		bxe			# Broadcom NetXtreme II BCM5771X/BCM578XX 10GbE
device		de			# DEC/Intel DC21x4x (``Tulip'')
device		em			# Intel PRO/1000 Gigabit Ethernet Family
device		ix			# Intel PRO/10GbE PCIE PF Ethernet
device		ixv			# Intel PRO/10GbE PCIE VF Ethernet
device		ixl			# Intel 700 Series Physical Function
device		iavf			# Intel Adaptive Virtual Function
device		le			# AMD Am7900 LANCE and Am79C9xx PCnet
device		ti			# Alteon Networks Tigon I/II gigabit Ethernet
device		txp			# 3Com 3cR990 (``Typhoon'')
device		vx			# 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device		miibus			# MII bus support
#device		ae			# Attansic/Atheros L2 FastEthernet
#device		age			# Attansic/Atheros L1 Gigabit Ethernet
#device		alc			# Atheros AR8131/AR8132 Ethernet
#device		ale			# Atheros AR8121/AR8113/AR8114 Ethernet
#device		bce			# Broadcom BCM5706/BCM5708 Gigabit Ethernet
#device		bfe			# Broadcom BCM440x 10/100 Ethernet
#device		bge			# Broadcom BCM570xx Gigabit Ethernet
#device		cas			# Sun Cassini/Cassini+ and NS DP83065 Saturn
#device		dc			# DEC/Intel 21143 and various workalikes
#device		et			# Agere ET1310 10/100/Gigabit Ethernet
#device		fxp			# Intel EtherExpress PRO/100B (82557, 82558)
#device		gem			# Sun GEM/Sun ERI/Apple GMAC
#device		hme			# Sun HME (Happy Meal Ethernet)
#device		jme			# JMicron JMC250 Gigabit/JMC260 Fast Ethernet
#device		lge			# Level 1 LXT1001 gigabit Ethernet
#device		msk			# Marvell/SysKonnect Yukon II Gigabit Ethernet
#device		nfe			# nVidia nForce MCP on-board Ethernet
#device		nge			# NatSemi DP83820 gigabit Ethernet
#device		pcn			# AMD Am79C97x PCI 10/100 (precedence over 'le')
#device		re			# RealTek 8139C+/8169/8169S/8110S
#device		rl			# RealTek 8129/8139
#device		sf			# Adaptec AIC-6915 (``Starfire'')
#device		sge			# Silicon Integrated Systems SiS190/191
#device		sis			# Silicon Integrated Systems SiS 900/SiS 7016
#device		sk			# SysKonnect SK-984x & SK-982x gigabit Ethernet
#device		ste			# Sundance ST201 (D-Link DFE-550TX)
#device		stge			# Sundance/Tamarack TC9021 gigabit Ethernet
#device		tl			# Texas Instruments ThunderLAN
#device		tx			# SMC EtherPower II (83c170 ``EPIC'')
#device		vge			# VIA VT612x gigabit Ethernet
#device		vr			# VIA Rhine, Rhine II
#device		wb			# Winbond W89C840F
#device		xl			# 3Com 3c90x (``Boomerang'', ``Cyclone'')

# Wireless NIC cards
device		wlan			# 802.11 support
options 	IEEE80211_DEBUG		# enable debug msgs
options 	IEEE80211_AMPDU_AGE	# age frames in AMPDU reorder q's
options 	IEEE80211_SUPPORT_MESH	# enable 802.11s draft support
device		wlan_wep		# 802.11 WEP support
device		wlan_ccmp		# 802.11 CCMP support
device		wlan_tkip		# 802.11 TKIP support
device		wlan_amrr		# AMRR transmit rate control algorithm
#device		an			# Aironet 4500/4800 802.11 wireless NICs.
#device		ath			# Atheros NICs
#device		ath_pci			# Atheros pci/cardbus glue
#device		ath_hal			# pci/cardbus chip support
#options 	AH_SUPPORT_AR5416	# enable AR5416 tx/rx descriptors
#options 	AH_AR5416_INTERRUPT_MITIGATION # AR5416 interrupt mitigation
#options 	ATH_ENABLE_11N		# Enable 802.11n support for AR5416 and later
#device		ath_rate_sample		# SampleRate tx rate control for ath
##device		bwi			# Broadcom BCM430x/BCM431x wireless NICs.
##device		bwn			# Broadcom BCM43xx wireless NICs.
#device		ipw			# Intel 2100 wireless NICs.
#device		iwi			# Intel 2200BG/2225BG/2915ABG wireless NICs.
#device		iwn			# Intel 4965/1000/5000/6000 wireless NICs.
#device		malo			# Marvell Libertas wireless NICs.
#device		mwl			# Marvell 88W8363 802.11n wireless NICs.
#device		ral			# Ralink Technology RT2500 wireless NICs.
#device		wi			# WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device		wpi			# Intel 3945ABG wireless NICs.

# Pseudo devices.
device		crypto			# core crypto support
device		loop			# Network loopback
device		random			# Entropy device
device		padlock_rng		# VIA Padlock RNG
device		rdrand_rng		# Intel Bull Mountain RNG
device		ether			# Ethernet support
device		vlan			# 802.1Q VLAN support
device		tun			# Packet tunnel.
device		md			# Memory "disks"
device		gif			# IPv6 and IPv4 tunneling
device		firmware		# firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device		bpf			# Berkeley packet filter

# USB support
options 	USB_DEBUG		# enable debug msgs
device		uhci			# UHCI PCI->USB interface
device		ohci			# OHCI PCI->USB interface
device		ehci			# EHCI PCI->USB interface (USB 2.0)
device		xhci			# XHCI PCI->USB interface (USB 3.0)
device		usb			# USB Bus (required)
device		ukbd			# Keyboard
device		umass			# Disks/Mass storage - Requires scbus and da

# Sound support
device		sound			# Generic sound driver (required)
device		snd_cmi			# CMedia CMI8338/CMI8738
device		snd_csa			# Crystal Semiconductor CS461x/428x
device		snd_emu10kx		# Creative SoundBlaster Live! and Audigy
device		snd_es137x		# Ensoniq AudioPCI ES137x
device		snd_hda			# Intel High Definition Audio
device		snd_ich			# Intel, NVidia and other ICH AC'97 Audio
device		snd_via8233		# VIA VT8233x Audio

# MMC/SD
device		mmc			# MMC/SD bus
device		mmcsd			# MMC/SD memory card
device		sdhci			# Generic PCI SD Host Controller

# VirtIO support
device		virtio			# Generic VirtIO bus (required)
device		virtio_pci		# VirtIO PCI device
device		vtnet			# VirtIO Ethernet device
device		virtio_blk		# VirtIO Block device
device		virtio_scsi		# VirtIO SCSI device
device		virtio_balloon		# VirtIO Memory Balloon device

# HyperV drivers and enhancement support
device		hyperv			# HyperV drivers 

# Xen HVM Guest Optimizations
# NOTE: XENHVM depends on xenpci.  They must be added or removed together.
options 	XENHVM			# Xen HVM kernel infrastructure
device		xenpci			# Xen HVM Hypervisor services driver

# VMware support
device		vmx			# VMware VMXNET3 Ethernet

# Netmap provides direct access to TX/RX rings on supported NICs
device		netmap			# netmap(4) support

###################################################################
# IPF KERNEL
###################################################################

options   IPFILTER
options   IPFILTER_LOG
options   IPFILTER_LOOKUP
options   IPFILTER_DEFAULT_BLOCK
##############################################

options   NETGRAPH
options   NETGRAPH_ETHER
options   NETGRAPH_PPPOE
options   NETGRAPH_SOCKET
###################################################################