From: Manolis Kiagias
Date: Sat, 31 Oct 2009 14:08:17 +0200
To: Guy Marcenac
Cc: freebsd-questions@freebsd.org
Subject: Re: best way to install/update software and firewall choice

Guy Marcenac wrote:
> Hi,
>
> I am an old debian user and I am looking at freebsd for security reasons
> * I am very interested in the jail concept
> * I have to relearn iptables syntax each time I want to add a rule

Don't we all :)

>
> I am testing the system in vmware virtual machine.
>
> There is a point I don't fully understand. There are several ways of
> updating the system, from precompiled binaries or by recompiling the
> system and the ports (and using csup, portsnap, portupgrade ...).

To update your base system, you can use freebsd-update. This uses
precompiled binaries and also updates the relevant sources (assuming you
have them installed beforehand and you are using the default
freebsd-update configuration - which is recommended). However, if you are
going to run jails, this advantage is more or less defeated: you will
have to run 'make buildworld' anyway to install the result in the jails.

> I would prefer to use the first way because it is really faster, but
> it seems to me that when I want to update my jails, there is no other
> easy way than recompiling the whole world into my jails.
>

Yes, unless you can somehow run freebsd-update from inside a jail :)
Don't know if this will work though. It will probably fail trying to
patch the kernel. If you use freebsd-update you will only 'make
installworld' for the jails, as the 'host' will be taken care of by
freebsd-update binary patching. You still need the make buildworld step,
so you don't really gain much.

> The other point a bit confusing is that I don't know which firewall to
> use. My first guess would be to use pf, because it exists also on
> openbsd, but it seems that the default would go to ipfw.
>

I am using pf too. It is a matter of preference and features needed. I
suggest you read the Handbook chapter and decide for yourself.