From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Sat, 31 Oct 2009 12:20:08 +0000
To: Guy Marcenac
Cc: freebsd-questions@freebsd.org
Subject: Re: best way to install/update software and firewall choice
Message-ID: <4AEC2B78.5000909@infracaninophile.co.uk>
In-Reply-To: <4AEC1729.6000307@posteurs.com>
List-Id: User questions

Guy Marcenac wrote:
> Hi,
>
> I am an old debian user and I am looking at freebsd for security reasons
> * I am very interested in the jail concept
> * I have to relearn iptables syntax each time I want to add a rule
>
> I am testing the system in a vmware virtual machine.
>
> There is a point I don't fully understand. There are several ways of
> updating the system, from precompiled binaries or by recompiling the
> system and the ports (and using csup, portsnap, portupgrade ...).
> I would prefer to use the first way because it is really faster, but it
> seems to me that when I want to update my jails, there is no other easy
> way than recompiling the whole world into my jails.

If you're building world for the base system, then you can install the same
updates into your jails without recompiling everything:

# cd /usr/src
# make buildworld
# make installworld                                      ## the base system
# mergemaster -Ui
# make installworld DESTDIR=/jails/jail0.example.com/    ## each different jail
# mergemaster -D /jails/jail0.example.com -Ui

Alternatively you can nullfs mount /usr/src and /usr/obj into your jails,
and then just log in to the jail and install the built world and run
mergemaster that way. This is assuming that all your jails are intended
to run the same OS version as your base system -- if not, then you are
correct: you'll have to update each one separately.

Similarly, you can nullfs mount the ports tree into your jails. A good
approach is to create a /usr/ports/packages directory and then when
installing in the base, make a package of anything you build. You can
then install that package in the jail without lots of recompilation.
If you're using portupgrade(1), use the -p flag in the base system to cause
packages to be built, and the -P flag in your jails to install any available
packages. This is functionality that is currently missing from portmaster
but portmaster's author is soliciting donations to support himself while
he spends some quality time implementing it.

> The other point a bit confusing is that I don't know which firewall to
> use. My first guess would be to use pf, because it exists also on
> openbsd, but it seems that the default would go to ipfw.

ipfw(8) is the original FreeBSD firewall, whereas pf is an import from
OpenBSD a few major versions back. Featurewise, they have much the same
basic capabilities although for some more advanced stuff like HA you'll
need pf. Personally I very much prefer pf because the config file is
much more readable, and for the very simple reason that ipfw has a nasty
tendency to lock you out of the system while you're trying to update the
rules. While it is still possible to lock yourself out with pf, you have
to try really quite hard to do so.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
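A scripted form of the per-jail installworld/mergemaster step from the reply above, added here as an example and not part of the original mail. It assumes 'make buildworld' has already completed in $SRCDIR and that jail roots are passed as arguments; the function names and the MAKE/MERGEMASTER overrides are assumptions of this example, and the root guard is there because an empty DESTDIR makes installworld write over the host instead of the jail.

```shell
#!/bin/sh
# Added example, not from the original mail: install an already-built world
# into each jail root and run mergemaster against it, as the reply describes.
# Assumes 'make buildworld' has already completed in $SRCDIR. MAKE and
# MERGEMASTER are overridable (assumed names) so the logic can be dry-run.

SRCDIR=${SRCDIR:-/usr/src}
MAKE=${MAKE:-make}
MERGEMASTER=${MERGEMASTER:-mergemaster}

# Drop a trailing slash so DESTDIR and 'mergemaster -D' refer to the same path.
normalize_root() {
    printf '%s\n' "${1%/}"
}

# Refuse roots that would make installworld write over the host system:
# empty (what "/" becomes after normalizing), "/", relative, or not a directory.
jail_root_ok() {
    case "$1" in
        ""|/) return 1 ;;
        /*)   ;;
        *)    return 1 ;;
    esac
    [ -d "$1" ]
}

# Install the built world into one jail, then merge its /etc with mergemaster.
update_jail() {
    root=$(normalize_root "$1")
    if ! jail_root_ok "$root"; then
        echo "refusing unsafe jail root: '$1'" >&2
        return 1
    fi
    (cd "$SRCDIR" && $MAKE installworld DESTDIR="$root") || return 1
    $MERGEMASTER -D "$root" -Ui
}

# Update every jail root given on the command line; keep going after a
# failure, but report overall failure so a cron job or operator notices.
update_all_jails() {
    rc=0
    for j in "$@"; do
        update_jail "$j" || rc=1
    done
    return $rc
}

# Usage: sh update_jails.sh /jails/jail0.example.com /jails/jail1.example.com
if [ "$#" -gt 0 ]; then
    update_all_jails "$@"
fi
```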