Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
[SOLVED] Compile ports from source
« previous
next »
Print
Pages: [
1
]
Author
Topic: [SOLVED] Compile ports from source (Read 12256 times)
interfaSys
Full Member
Posts: 165
Karma: 13
[SOLVED] Compile ports from source
«
on:
January 15, 2016, 02:08:19 pm »
Since OPNsense can be simply enabled on top of FreeBSD, does that mean, that I can simply fetch the list of packages and manually compile them using something like portmaster, using my custom make.conf containing security enabled cflags?
«
Last Edit: January 18, 2016, 07:39:18 am by franco
»
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: Compile ports from source
«
Reply #1 on:
January 15, 2016, 04:55:28 pm »
The ports tree is fully in sync with FreeBSD, updated once a day most days.. On the box, do:
# pkg install git
# cd /usr
# git clone
https://github.com/opnsense/ports
# cd /etc
# fetch
https://raw.githubusercontent.com/opnsense/tools/master/config/15.7/make.conf
You should keep the make.conf defaults on top of your own modifications to avoid package dependency clashes. (Since you know portmaster, you probably know what to do in this case.
)
A full list of binary packages directly installed via pkg can be found here:
https://github.com/opnsense/tools/blob/master/config/15.7/ports.conf
If you will share those modifications with us we can discuss and merge them into the standard build. I'm thinking Shawn from the HardenedBSD project would be happy to review as well.
Logged
interfaSys
Full Member
Posts: 165
Karma: 13
Re: Compile ports from source
«
Reply #2 on:
January 17, 2016, 08:25:48 pm »
Thanks for that, very useful.
I've noticed that stack protection has been added to some opnsense packages, like Suricata, that would have been the first thing I would have added.
Where are the cflags stored? They're not in the make.conf nor in the makefile.
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: Compile ports from source
«
Reply #3 on:
January 18, 2016, 07:39:08 am »
If there's something in there it's what the individudal ports configurations already have... It's a bit hidden in the ports tree, generally:
# cd /usr/ports/your/port
# git grep ^CFLAGS
There may be some options that are sneaked in by default by either the individual ports configure stage (suricata is a good example, it doesn't really like CFLAGS overrides and overrides it again) or that are in the ports framework somewhere in:
# cd /usr/ports/Mk
# git grep ^CFLAGS
For FreeBSD, this would be the place to enable flags by default, for us it's probably make.conf since we don't want to diverge too much in the ports tree itself.
Logged
interfaSys
Full Member
Posts: 165
Karma: 13
Re: [SOLVED] Compile ports from source
«
Reply #4 on:
January 18, 2016, 11:28:10 am »
Thanks. -fstack-protector is turned on by default.
Logged
interfaSys
Full Member
Posts: 165
Karma: 13
Re: [SOLVED] Compile ports from source
«
Reply #5 on:
January 28, 2016, 12:47:09 am »
Just did some tests and Clang in base is too old to be able to use some flags (fstack-protector-strong, -Wl,-z,relro,-z,now).
Is there any reason the project is not using a newer clang? A major FreeBSD branch usually stays for years with an old compiler.
Logged
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: [SOLVED] Compile ports from source
«
Reply #6 on:
January 28, 2016, 06:13:04 am »
We use the base toolchain to not overcomplicate or introduce weirdness we can't get proper support for (base/kernel itself). Also, I don't know of anybody using clang from ports yet. A newer clang can surely be used there, but it needs test coverage, discussion and knowledge that I do not possess.
Logged
interfaSys
Full Member
Posts: 165
Karma: 13
Re: [SOLVED] Compile ports from source
«
Reply #7 on:
January 28, 2016, 10:45:18 am »
OK. I definitely think base/kernel should use the default compiler, but I'll experiment with clang from ports for ports
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
[SOLVED] Compile ports from source