Date: Sat, 31 Oct 2009 12:20:08 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Guy Marcenac <guy@posteurs.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: best way to install/update software and firewall choice
Message-ID: <4AEC2B78.5000909@infracaninophile.co.uk>
In-Reply-To: <4AEC1729.6000307@posteurs.com>
References: <4AEC1729.6000307@posteurs.com>
Guy Marcenac wrote:
> Hi,
>
> I am an old debian user and I am looking at freebsd for security reasons
> * I am very interested in the jail concept
> * I have to relearn iptables syntax each time I want to add a rule
>
> I am testing the system in a vmware virtual machine.
>
> There is a point I don't fully understand. There are several ways of
> updating the system, from precompiled binaries or by recompiling the
> system and the ports (and using csup, portsnap, portupgrade ...).
> I would prefer to use the first way because it is really faster, but it
> seems to me that when I want to update my jails, there is no other easy
> way than recompiling the whole world into my jails.

If you're building world for the base system, then you can install the same
updates into your jails without recompiling everything:

    # cd /usr/src
    # make buildworld
    # make installworld                                      ## the base system
    # mergemaster -Ui
    # make installworld DESTDIR=/jails/jail0.example.com/    ## each different jail
    # mergemaster -D /jails/jail0.example.com -Ui

Alternatively you can nullfs mount /usr/src and /usr/obj into your jails, and
then just log in to the jail and install the built world and run mergemaster
that way. This is assuming that all your jails are intended to run the same OS
version as your base system -- if not, then you are correct: you'll have to
update each one separately.

Similarly, you can nullfs mount the ports tree into your jails. A good approach
is to create a /usr/ports/packages directory and then when installing in the
base, make a package of anything you build. You can then install that package
in the jail without lots of recompilation.
If you're using portupgrade(1), use the -p flag in the base system to cause
packages to be built, and the -P flag in your jails to install any available
packages. This is functionality that is currently missing from portmaster but
portmaster's author is soliciting donations to support himself while he spends
some quality time implementing it.

> The other point a bit confusing is that I don't know which firewall to
> use. My first guess would be to use pf, because it exists also on
> openbsd, but it seems that the default would go to ipfw.

ipfw(8) is the original FreeBSD firewall, whereas pf is an import from OpenBSD
a few major versions back. Featurewise, they have much the same basic
capabilities although for some more advanced stuff like HA you'll need pf.
Personally I very much prefer pf because the config file is much more readable,
and for the very simple reason that ipfw has a nasty tendency to lock you out
of the system while you're trying to update the rules. While it is still
possible to lock yourself out with pf, you have to try really quite hard to do
so.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
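The installworld/DESTDIR procedure from the reply above, as an added example (not code from Matthew's message): a small sh script that pushes an already-built world from the host into each jail root and then runs mergemaster against that root, refusing relative or non-existent roots so a typo cannot install into the host's own /, and supporting a dry run. The variable names SRC, OBJ and DRY_RUN and the function names are assumptions; it assumes buildworld has completed on the host and that every jail runs the host's OS version.

```shell
#!/bin/sh
# Added example, not from the original message: install the host's built world
# into each jail root, then merge that jail's /etc with mergemaster(8).
# Assumes buildworld has already completed in $SRC (objects in $OBJ) and that
# all jails are meant to run the same OS version as the host.

SRC=${SRC:-/usr/src}
OBJ=${OBJ:-/usr/obj}
DRY_RUN=${DRY_RUN:-0}   # set to 1 to print the commands instead of running them

# Run a command, or just echo it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Install the built world into one jail root and merge its configuration.
# Refuses anything that is not an absolute path to an existing directory;
# a bare "/" is rejected too, so the host root is never used by accident.
update_jail() {
    jail=$1
    case "$jail" in
        /?*) ;;
        *) echo "update_jail: '$jail' is not an absolute jail root" >&2; return 1 ;;
    esac
    [ -d "$jail" ] || { echo "update_jail: '$jail' is not a directory" >&2; return 1; }
    # installworld must run from the source tree; the subshell keeps our cwd.
    ( cd "$SRC" && run make installworld DESTDIR="$jail" ) || return 1
    run mergemaster -D "$jail" -Ui
}

# Update every jail root passed as an argument. Fails early if there is no
# object tree, i.e. buildworld has not been run on the host yet.
update_jails() {
    [ -d "$OBJ" ] || { echo "update_jails: $OBJ missing; run buildworld first" >&2; return 1; }
    rc=0
    for j in "$@"; do
        update_jail "$j" || rc=1
    done
    return $rc
}

# Typical use on the host, after buildworld/installworld/mergemaster there:
#   DRY_RUN=1 sh update_jails.sh   (then edit the list below and run for real)
# update_jails /jails/jail0.example.com /jails/jail1.example.com
```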