In this post I'll describe the changes made to the kernel and some of the Squeeze packages for the Freaky Wall.
The plan is to submit wishlist bugs to the BTS in the hope of having everything needed for this project available in Debian after the Squeeze release, as my feeling is that a freeze is not the right time to push these changes... ;)
I'm giving access here to all the changes made to the source packages, but if anyone wants the binary packages (amd64 only) send me an email and I'll give you the URL of an apt repository that contains all the modified packages (it's the one at work, that contains other modified packages) or, if there is interest, I can put them on people.debian.org.
To be able to build the firewall we need a kFreeBSD kernel with some options that are not compiled into the version distributed with Debian.
To compile the kernel I've followed the procedure described on the following debian-bsd mailing list post:
Basically I've done the following:

apt-get build-dep kfreebsd-8
apt-get source kfreebsd-8
cd kfreebsd-8-8.1
cat >> debian/arch/amd64/amd64.config << EOF
# Add pflog, pfsync, ALTQ and CARP support
# ----------------------------------------
# http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ # Class Based Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
# http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/carp.html
device carp
EOF
vi debian/changelog
dpkg-buildpackage -B -uc

Once the package was built I installed the new kernel package and rebooted the machine.
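As an added example (not part of the original post), the shell function below checks that a kernel config file really has the pf, pflog, pfsync, ALTQ and CARP directives in effect before dpkg-buildpackage is run. The function name missing_pf_directives and the sample config are constructed for illustration; nodevice and nooptions are the config(5) directives that cancel earlier lines.

```sh
#!/bin/sh
# Added example, not from the original post: confirm that a kernel config
# enables every directive the heredoc appends. Helper name is hypothetical.
REQUIRED="device:pf device:pflog device:pfsync device:carp \
options:ALTQ options:ALTQ_CBQ options:ALTQ_RED options:ALTQ_RIO \
options:ALTQ_HFSC options:ALTQ_PRIQ options:ALTQ_NOPCC"

# Print each required directive not in effect in config file $1.
# Exit status 0 when nothing is missing, 1 otherwise. Does not follow include.
missing_pf_directives() {
    awk -v required="$REQUIRED" '
        { sub(/#.*/, "") }                      # strip comments
        $1 == "device" || $1 == "options" {
            name = $2; sub(/=.*/, "", name)     # options may carry =value
            on[$1 ":" name] = 1
        }
        # config(5): a later nodevice/nooptions cancels an earlier line
        $1 == "nodevice"  { delete on["device:" $2] }
        $1 == "nooptions" { delete on["options:" $2] }
        END {
            n = split(required, req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in on)) {
                    sub(/:/, " ", req[i]); print req[i]; bad = 1
                }
            exit bad + 0
        }' "$1"
}

# Constructed sample: pfsync forgotten and ALTQ_NOPCC cancelled further down.
sample=$(mktemp)
cat > "$sample" << 'EOF'
device pf
device pflog
device carp
options ALTQ
options ALTQ_CBQ # Class Based Queuing (CBQ)
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC # Required for SMP build
nooptions ALTQ_NOPCC
EOF
missing_pf_directives "$sample" || echo "kernel config is incomplete" >&2
rm -f "$sample"
```

Run against the real file as missing_pf_directives debian/arch/amd64/amd64.config from the kfreebsd-8-8.1 directory; it prints nothing and returns 0 when every directive is present.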
To be able to use some utilities related to pf I have built patched versions of three packages:
freebsd-utils: I have included ftp-proxy in the package and have added some options to allow the use of additional interface types with
There were a lot of changes needed:
- ftp-proxy Makefiles are missing from the original tarball; I modified the debian/rules, but I build my packages against the original tarball, with the extra files included directly in the package .diff.gz.
- The pflogd daemon needs a _pflogd user and group and a /var/run/_pflogd directory, so I've added the directory and the creation of the user and group to the package post-install.
- The ftp-proxy daemon uses the proxy user when dropping privileges and I've modified the code to make it use the /var/run/ftp-proxy directory for the chroot.
- Some C header files that are not available in -dev packages were missing and I put them in the packages' debian directory. I've created a debian/include directory, moved the original debian/net directory there and added the headers
  debian/include/net/if_lagg.h to add bridging support to
  debian/include/pcap-int.h libpcap private headers to be able to compile the
As I'm not familiar with the way people change code for kFreeBSD, some of the patches are a little bit dirty, but at least things work; besides, I probably should also have included init.d scripts for ftp-proxy, but I have not done it at the package level yet, as what I had was enough to work with the tools.
In the next post I'll describe how I've configured the system, the network interfaces and the different utilities patched and compiled in this post.