From: phantomcircuit
Date: Sat, 31 Oct 2009 05:20:03 -0700
To: freebsd-questions@freebsd.org
Subject: Re: best way to install/update software and firewall choice

freebsd-update works fine in a jail so long as you symlink the kernel
file to /dev/null.

Manolis Kiagias wrote:
> Guy Marcenac wrote:
>
>> Hi,
>>
>> I am an old Debian user and I am looking at FreeBSD for security reasons
>> * I am very interested in the jail concept
>> * I have to relearn iptables syntax each time I want to add a rule
>>
>
> Don't we all :)
>
>> I am testing the system in a VMware virtual machine.
>>
>> There is a point I don't fully understand. There are several ways of
>> updating the system, from precompiled binaries or by recompiling the
>> system and the ports (and using csup, portsnap, portupgrade ...).
>>
>
> To update your base system, you can use freebsd-update. This uses
> precompiled binaries and also updates the relevant sources (assuming you
> have them installed beforehand and you are using the default
> freebsd-update configuration - which is recommended). However if you are
> going to run jails, this advantage is more or less defeated: you will have
> to run 'make buildworld' anyway to install the result in the jails.
>
>> I would prefer to use the first way because it is really faster, but
>> it seems to me that when I want to update my jails, there is no other
>> easy way than recompiling the whole world into my jails.
>>
>
> Yes, unless you can somehow run freebsd-update from inside a jail :)
> Don't know if this will work though. It will probably fail trying to
> patch the kernel.
>
> If you use freebsd-update you will only 'make installworld' for the
> jails, as the 'host' will be taken care of by freebsd-update binary
> patching. You still need the make buildworld step, so you don't really
> gain much.
>
>> The other point a bit confusing is that I don't know which firewall to
>> use. My first guess would be to use pf, because it exists also on
>> OpenBSD, but it seems that the default would go to ipfw.
>>
>
> I am using pf too. It is a matter of preference and features needed. I
> suggest you read the Handbook chapter and decide for yourself.