From: Daniel Pittman
To: freebsd-questions@freebsd.org
Date: Thu, 20 Oct 2005 16:58:48 +1000
Message-ID: <87br1kk72v.fsf@rimspace.net>
Subject: Basic FreeBSD firewall and patching questions.

G'day.

I am quite new with supporting FreeBSD, although well experienced with Unix and Linux in general, so I hope these questions are not too silly.

My first question is about firewalls: I have read the FreeBSD handbook and browsed the ports database, etc., to find out about firewalling. It looks to me like either ipf or ipfilter are equally good, and have about the same capabilities, as well as being provided as part of the base system. Is there any good, technical reason why I should prefer one to the other?
My second question is about updating the firewall rules: under Linux, I use a helper program that loads the firewall rules into the kernel, then waits for me to confirm that it worked. If I don't confirm within 30 seconds it reloads the previous firewall configuration. This makes updating firewall rules remotely much safer,[1] since I can't accidentally lock out my SSH session or anything.

Is there anything under FreeBSD that can provide an equivalent sort of service for me? Nothing in the ports collection looked hopeful. I don't care about any sort of higher level rules language or anything like that, but I would put up with one in return for that level of safety. I really don't want a GUI tool, though.

Finally, I seem to be having a dense day, and don't feel comfortable that I understand all the security monitoring and updating I need to for FreeBSD - especially starting from whatever the hosting company delivered to me.

I have, at the moment, 5.4-RELEASE #0 according to uname. I suspect that means the very first release of 5.4, correct? In which case, I need to update the FreeBSD core. The handbook really isn't clear on this, and previous discussion on this list about the virtues of 'make world' vs patches, etc., didn't really clear things up for me.

So: how can I bring this up to the latest stable release in the 5.4 series?

Once that is done, is there any equivalent to the 'portaudit' tool to check the system and warn me if there are outstanding changes on the release branch?

Thanks,
Daniel

Footnotes:
[1] I work as a consultant, and most of my clients can't (or won't) provide serial console access to their servers for one reason or another. So, firewall manipulation via TCP/IP it is. :/
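The "load new rules, revert unless confirmed within N seconds" helper described in the second question can be built from a few lines of sh on FreeBSD. The script below is an added example, not code from the post or from any FreeBSD tool; the ipfw/ipf command strings in the comments and the rule file names are assumptions, and the demo's apply/revert commands are constructed stubs that only write to a log.

```shell
#!/bin/sh
# apply_with_rollback APPLY_CMD REVERT_CMD TIMEOUT_SECONDS TOKEN_FILE
# Loads a new ruleset, then arms a watchdog that restores the previous one
# unless the admin confirms (by creating TOKEN_FILE) within TIMEOUT seconds.
# APPLY_CMD / REVERT_CMD are shell command strings; for example (file names
# are placeholders for wherever you keep the old and new rules):
#   ipfw:  "ipfw -q -f flush; sh /etc/ipfw.rules.new"  /  "ipfw -q -f flush; sh /etc/ipfw.rules.old"
#   ipf:   "ipf -Fa -f /etc/ipf.rules.new"             /  "ipf -Fa -f /etc/ipf.rules.old"
apply_with_rollback() {
    apply_cmd=$1; revert_cmd=$2; timeout=$3; token=$4
    rm -f "$token"
    # If loading the new rules fails there is nothing to roll back; stop here.
    sh -c "$apply_cmd" || return 1
    # Watchdog subshell. Output goes to /dev/null so it is not tied to the
    # terminal; on a real host start it via nohup(1) or daemon(8) so that a
    # dropped SSH session cannot kill it before it gets to revert.
    (
        sleep "$timeout"
        if [ ! -e "$token" ]; then
            sh -c "$revert_cmd"
        fi
    ) >/dev/null 2>&1 &
    WATCHDOG_PID=$!
}

# confirm TOKEN_FILE: run from the session that is still reachable after the
# new rules took effect; creating the token is all the watchdog looks for.
confirm() {
    touch "$1"
}

# run_demo confirm|ignore: exercises both paths with constructed stub commands
# that only append to a log file, so no real firewall is touched.
# Prints "kept" when the new rules survived and "reverted" when the watchdog
# rolled them back.
run_demo() {
    dir=$(mktemp -d -t fwdemo.XXXXXX); log="$dir/log"; token="$dir/ok"
    apply_with_rollback "echo apply >> $log" "echo revert >> $log" 1 "$token"
    if [ "$1" = confirm ]; then
        confirm "$token"
    fi
    wait "$WATCHDOG_PID"
    if grep -q revert "$log"; then echo reverted; else echo kept; fi
    rm -rf "$dir"
}
```

In real use you would call apply_with_rollback with a 30-second timeout from the SSH session, then, once a fresh connection still works, run confirm on the token file; if the new rules cut you off, the watchdog restores the old ones on its own.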