Date: Sun, 28 May 2000 12:12:48 -0400
From: "Crist J. Clark"
To: John Daniels
Cc: freebsd-questions@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: 4.0-RELEASE to 4.0-STABLE upgrade
Message-ID: <20000528121248.C55597@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <20000528035005.32721.qmail@hotmail.com>

On Sat, May 27, 2000 at 11:50:05PM -0400, John Daniels wrote:
> Hi:
>
> I just did an upgrade to STABLE. I just wanted to check what I did was OK.
>
> First, the handbook says to do the following order:
> 1. backup
> 2. CVSup
> 3. check /etc/make.conf and /etc/group
> 4. drop to single-user mode
> 5. remove /usr/obj
> 6. make world (or make buildworld and make installworld)
> 7. update /etc, /dev, (and optionally /stand)
> 8. compile and install a new kernel
> 9. reboot (with fastboot)
>
> ****** WHAT I DID DIFFERENTLY ********
> 1. I used mergemaster for updating /etc.

Good.

> 2. www.freebsddiary.com has description of going from 4.0-RELEASE to STABLE
> and provides a script for doing so. The description and script shows that
> compiling and installing a new kernel (#8 above) comes *AFTER* make world
> (#6 above) - and *BEFORE* updating /etc. Thus, according to them, #8 comes
> before #7 in the above list.

Not a big deal.

> 3. Oops! I removed /usr/obj *AFTER* the make world, not before. I tried to
> redo make world but after a few messages (which seemed unimportant) it told
> me that the proc tables were full. I then compiled and installed a new
> kernel without any noticeable problems.

If you'd never made world before, there probably was nothing in
/usr/obj to delete before you got started.

> 4. NOTE: For me, /etc/make.conf has only one line: "USA_RESIDENT=YES".
> Apparently /etc/defaults/make.conf is what needs to be edited (after being
> copied to /etc.) Since I had not figured this out beforehand, I was unable
> to uncomment out CFLAGS and NOPROFILE as instructed in the Handbook.

Do NOT edit /etc/defaults/make.conf. Instead, put entries like,

  CFLAGS=-O -pipe
  NOPROFILE=true

in /etc/make.conf.

> I have booted into, and am writing to you from, STABLE. Whatever I may have
> done wrong, so far I have not seen any (noticeable) problems.
>
> QUESTION:
> Will my system be OK? Will any of the above cause any problems (especially
> removing /usr/obj before making and installing the kernel)

If you made the kernel after _installing_ the world (after a 'make
world' or 'make installworld'), the presence of /usr/obj makes no
difference.

> FOLLOWUP:
> Now that I have gone through the process of upgrading, I am looking into
> security. What are the easiest, most obvious (as in "duh!, why didn't you
> ...") steps to take to guard security. My setup is very simple: my home PC
> connected to a router with DSL service. I am the only user.
>
> I would like to use this machine as a web server and mail server, but I
> don't have anyone ftp-ing in (but I need to ftp out to retrieve files from
> time to time), logging in remotely, telnet-ing in, etc. Do I just modify
> inet.conf and/or hosts.allow to deny those services? How difficult is it to
> add a firewall like IPfilter?

See,

  http://www.freebsd.org/security.html

For some starting links. First thing, disable (comment out) any
services, like the ones you mention, from inetd.conf. Then send inetd
a SIGHUP to re-read the file. Use hosts.allow for restricting services
to certain hosts, but if you are not using a service at all, best to
turn it off completely.

As for firewalls, setting up the machine to do firewalling is quite
easy... figuring out how to make a useful ruleset is non-trivial.
--
Crist J. Clark                           cjclark@home.com
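
Added example, not part of the original message: a small sh script for the inetd.conf step described in the reply above (list what inetd would still start, comment out the unused services, then SIGHUP inetd). The function names, the sample config and the pid file path /var/run/inetd.pid are assumptions made for illustration; the demo runs only on a temporary file.

```sh
#!/bin/sh
# Added example. The sample inetd.conf is constructed; on a real system the
# file is /etc/inetd.conf. Fields: service socket proto wait user program args.

# Write a constructed sample config to the path given as $1.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system's inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
EOF
}

# Print the name of every service inetd would still start (uncommented entries).
list_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1" | sort -u
}

# Comment out the enabled entries for the services named after the file.
# Output goes to a temp file that is renamed into place, so an error never
# leaves a half-written config behind.
disable_services() {
    conf=$1; shift
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        !/^[ \t]*#/ && NF >= 6 && ($1 in off) { print "#" $0; next }
        { print }
    ' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Send inetd a SIGHUP so it re-reads the file. The pid file path is an
# assumption (override with $1); returns 1 if it cannot be read.
reload_inetd() {
    pidfile=${1:-/var/run/inetd.pid}
    [ -r "$pidfile" ] || return 1
    kill -HUP "$(cat "$pidfile")"
}

# Demo on a temporary copy; nothing under /etc is touched.
demo_conf=$(mktemp)
make_sample "$demo_conf"
echo "enabled before: $(list_enabled "$demo_conf" | tr '\n' ' ')"
disable_services "$demo_conf" ftp telnet finger
echo "enabled after:  $(list_enabled "$demo_conf" | tr '\n' ' ')"
rm -f "$demo_conf"
```

Entries that are already commented out are left alone, so running disable_services twice does not stack "#" characters.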