pavement

Secure Kernel Source

From FreeBSDwiki
Revision as of 13:16, 6 August 2012 by 173.88.199.104 (Talk)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Secure Kernel Source

The following are things you can do in the kernel source to tighten up security even more. You can prefix statements with # to make it a comment to disable it or delete the statement all together.

Make these changes.

At the top the file is the following statement.

  1. options INET6 # IPv6 communications protocols

Ipv6 is a developmental protocol, if you are not testing this protocol on purpose, it should be disabled.


Followed by Memory disk root option. This allows a operating system to be placed into memory and run. Disable this option.

  1. option MD_Root # MD is a potential Root device


A few lines down are the network filesystem options. Comment these out to disable them.

  1. options NFSCLIENT # Network filesystem Client
  2. options NFSSERVER # Network filesystem Server
  3. options NFSLOCKD # Network Lock Manager
  4. options NFS_ROOT # NFS usable as root device


Comment out the following option because you disabled Ipv6 earlier.

  1. device faith #IPv6-to-IPv4 relaying (translation


Comment out all previous release compatible statements

  1. options COMPAT_FREEBSD4
  2. options COMPAT_FREEBSD5
  3. options COMPAT_FREEBSD6
  4. options COMPAT_FREEBSD7


Add this statement. You should have your IPFILTER or IPFIREWALL (IPFW) enabling statements already in your kernel source. Just to keep all the security options grouped together, place these by them.

options TCP_DROP_SYNFIN # Adds support for ignoring TCP packets

                              # with SYN+FIN. This prevents nmap from
                              # identifying the TCP/IP stack, but
                              # breaks support for RFC1644 extensions
                              # & is not recommended for web servers
                              # behind the firewall.


Add these statements. The comments with this option are from the LINT kernel source word for word. I have an Apache web server running on my gateway/firewall box, and I use this option and can not see anything wrong happening.


options ICMP_BANDLIM # Enables icmp error response bandwidth

                        # limiting. This will help protect from 
                        # D.O.S. packet attacks.

options RANDOM_IP_ID # Causes the ID field in IP packets to be

                        # randomized instead of incremented by 1 with
                        # each packet generated. This closes a minor
                        # information leak which allows remote
                        # observers to determine the rate of packet
                        # generation on the machine by watching the
                        # counter.


options NO_LKM # disable FBSD ability to dynamically load

                        # kernel modules. If you are using the IPFILTER
                        # load module don’t do this 


If you do not have a printer cabled off the parallel port of this PC then disable these options.

  1. Parallel port
  1. device ppc
  2. device ppbus # Parallel port bus (required)
  3. device lpt # Printer
  4. device plip # TCP/IP over parallel
  5. device ppi # Parallel port interface device


If you are not copying this system to other PCs with different hardware, then besides the security benefit you can also reduce the time it takes to compile the kernel by removing all unused device drivers. Review your /var/run/dmesg.boot log messages to see which devices you are really using and only keep those. Comment out all the others. Do not delete the following device; it is used by most NICs but does not show up in dmesg as used.

device miibus # NICs that use MII bus support

Personal tools