OPNsense Forum

English Forums => General Discussion => Topic started by: interfaSys on January 15, 2016, 02:08:19 pm

Title: [SOLVED] Compile ports from source
Post by: interfaSys on January 15, 2016, 02:08:19 pm
Since OPNsense can be simply enabled on top of FreeBSD, does that mean, that I can simply fetch the list of packages and manually compile them using something like portmaster, using my custom make.conf containing security enabled cflags?
Title: Re: Compile ports from source
Post by: franco on January 15, 2016, 04:55:28 pm
The ports tree is fully in sync with FreeBSD, updated once a day most days. On the box, do:

# pkg install git
# cd /usr
# git clone https://github.com/opnsense/ports
# cd /etc
# fetch https://raw.githubusercontent.com/opnsense/tools/master/config/15.7/make.conf

You should keep the make.conf defaults on top of your own modifications to avoid package dependency clashes. (Since you know portmaster, you probably know what to do in this case. :) )

A full list of binary packages directly installed via pkg can be found here:

https://github.com/opnsense/tools/blob/master/config/15.7/ports.conf

If you will share those modifications with us we can discuss and merge them into the standard build. I'm thinking Shawn from the HardenedBSD project would be happy to review as well.
Title: Re: Compile ports from source
Post by: interfaSys on January 17, 2016, 08:25:48 pm
Thanks for that, very useful.

I've noticed that stack protection has been added to some opnsense packages, like Suricata, that would have been the first thing I would have added.

Where are the cflags stored? They're not in the make.conf nor in the makefile.
Title: Re: Compile ports from source
Post by: franco on January 18, 2016, 07:39:08 am
If there's something in there it's what the individual ports configurations already have... It's a bit hidden in the ports tree, generally:

# cd /usr/ports/your/port
# git grep ^CFLAGS

There may be some options that are sneaked in by default by either the individual ports configure stage (suricata is a good example, it doesn't really like CFLAGS overrides and overrides it again) or that are in the ports framework somewhere in:

# cd /usr/ports/Mk
# git grep ^CFLAGS

For FreeBSD, this would be the place to enable flags by default, for us it's probably make.conf since we don't want to diverge too much in the ports tree itself.
Title: Re: [SOLVED] Compile ports from source
Post by: interfaSys on January 18, 2016, 11:28:10 am
Thanks. -fstack-protector is turned on by default.
Title: Re: [SOLVED] Compile ports from source
Post by: interfaSys on January 28, 2016, 12:47:09 am
Just did some tests and Clang in base is too old to be able to use some flags (fstack-protector-strong, -Wl,-z,relro,-z,now).
Is there any reason the project is not using a newer clang? A major FreeBSD branch usually stays for years with an old compiler.
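A quick way to find out which of these hardening flags a given toolchain actually accepts before putting them into make.conf, as an added example that is not from this thread: it compiles and links a trivial program with each flag and reports the result. It assumes a C compiler reachable as $CC (default: cc); the flag list is the one discussed above plus -fPIE/-pie.

```sh
#!/bin/sh
# probe_cflags.sh: report which hardening flags a compiler accepts.
# Added example, not part of the thread. Assumes $CC or cc is a C compiler.

probe_flag() {
  # $1 = compiler, $2 = flag(s); returns 0 if compile+link succeeds.
  # -Werror turns "argument unused" warnings into failures so a flag that
  # is silently ignored is not reported as supported.
  _cc=$1; _flag=$2
  _tmp=$(mktemp -d) || return 2
  printf 'int main(void) { return 0; }\n' > "$_tmp/t.c"
  if "$_cc" -Werror $_flag -o "$_tmp/t" "$_tmp/t.c" >/dev/null 2>&1; then
    rm -rf "$_tmp"
    return 0
  fi
  rm -rf "$_tmp"
  return 1
}

probe_all() {
  # Prints one line per flag: "<flag>: supported|unsupported".
  _cc=${1:-cc}
  for f in -fstack-protector -fstack-protector-strong \
           "-Wl,-z,relro,-z,now" "-fPIE -pie"; do
    if probe_flag "$_cc" "$f"; then
      echo "$f: supported"
    else
      echo "$f: unsupported"
    fi
  done
}

# Usage: CC=clang38 ./probe_cflags.sh   (compiler name is an assumption)
probe_all "${CC:-cc}"
```

Run it once with the base compiler and once with a clang from ports to see which flags each one accepts; only flags reported as supported belong in make.conf for that toolchain.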
Title: Re: [SOLVED] Compile ports from source
Post by: franco on January 28, 2016, 06:13:04 am
We use the base toolchain to not overcomplicate or introduce weirdness we can't get proper support for (base/kernel itself). Also, I don't know of anybody using clang from ports yet. A newer clang can surely be used there, but it needs test coverage, discussion and knowledge that I do not possess. :)
Title: Re: [SOLVED] Compile ports from source
Post by: interfaSys on January 28, 2016, 10:45:18 am
OK. I definitely think base/kernel should use the default compiler, but I'll experiment with clang from ports for ports.