Date: Thu, 20 Oct 2005 10:21:08 +0200 (CEST)
From: Erik Norgaard <norgaard@math.ku.dk>
To: Daniel Pittman <daniel@rimspace.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Basic FreeBSD firewall and patching questions.
Message-ID: <Pine.LNX.4.64.0510200951350.16151@shannon.math.ku.dk>
In-Reply-To: <87br1kk72v.fsf@rimspace.net>
References: <87br1kk72v.fsf@rimspace.net>
On Thu, 20 Oct 2005, Daniel Pittman wrote:

> It looks to me like either ipf or ipfilter are equally good, and have
> about the same capabilities, as well as being provided as part of the
> base system. Is there any good, technical reason why I should prefer
> one to the other?

ipfilter is simpler, less featured, and may at first be easier to
maintain, but they share much the same syntax. The most significant
thing you don't find in pf is groups. Groups are conceptually like
chains or tables under Linux, so in pf you have to be more careful
keeping things in order.

OTOH, pf has queuing and enables you to set priorities or reserve
bandwidth for certain types of traffic. If you need traffic accounting,
then I have yet to see something that works for pf, while with ipfilter
it's fairly easy.

> My second question is about updating the firewall rules: under Linux,
> I use a helper program that loads the firewall rules into the kernel,
> then waits for me to confirm that it worked.

ipfilter maintains two rulesets, an active and an inactive one, and you
can swap them. So to do that you'd:

  # ipf -FI && ipf -I -f <rulefile> && ipf -S && sleep 60 && ipf -S && ipf -FI

which will flush the inactive ruleset (just to be sure it's empty), load
your rules into it, swap, sleep 60 seconds to let you test that you can
get back in, swap again and flush the inactive ruleset to clear up.

In pf there is no such thing; you will have to keep a backup of the old
ruleset, then:

  # pfctl -n -f <newrules> && pfctl -FA && pfctl -f <newrules> && sleep 60 && pfctl -FA && pfctl -f <oldrules>

The first command just parses the rules. This will catch syntax errors,
but won't catch syntactically correct typos.

Also, with ipfilter you can fairly easily delete a specific rule or
insert a rule at a specific place in the ruleset. With pf this is more
difficult.

> I have, at the moment, 5.4-RELEASE #0 according to uname. I suspect
> that means the very first release of 5.4, correct? In which case, I
> need to update the FreeBSD core.

Yes, 5.4 was released almost a year ago. There have been security
updates in both kernel and userland.

> The handbook really isn't clear on this, and previous discussion on this
> list about the virtues of 'make world' vs patches, etc, didn't really
> clear things up for me.

Well, right now you want to cvsup your src - it's the fastest way to get
everything up to date. I think patching should be done for smaller
updates and security patches. You might try that next time.

> So: how can I bring this up to the latest stable release in the 5.4
> series?

Check the handbook Chp 20. For production servers, in particular if they
are critical like firewalls, you want to go with the stable branch.

> Once that is done, is there any equivalent to the 'portaudit' tool to
> check the system and warn me if there are outstanding changes on the
> release branch?

Security advisories are sent to:

 * FreeBSD-security-notifications@FreeBSD.org
 * FreeBSD-security@FreeBSD.org
 * FreeBSD-announce@FreeBSD.org

Cheers, Erik
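The "load new rules, let the operator confirm, otherwise fall back to the old ruleset" step that Daniel asks about and that the pfctl one-liner above sketches, written out as a small sh function. This is an added example, not code from the original mail or from FreeBSD; it assumes the confirm-file convention and an overridable PFCTL variable (so the control flow can be exercised with a stub).

```shell
#!/bin/sh
# Added example, not from the original mail: load a new pf ruleset, wait
# for the operator to confirm from a fresh login, and otherwise restore
# the old ruleset, following the pfctl sequence from the mail.
# Assumption: PFCTL may be overridden (e.g. with a stub) for testing.
PFCTL="${PFCTL:-pfctl}"

# pf_try_rules NEWRULES OLDRULES CONFIRMFILE TIMEOUT
#   0: new rules kept (CONFIRMFILE appeared within TIMEOUT seconds)
#   1: NEWRULES failed to parse; the running ruleset was not touched
#   2: timeout or load failure; OLDRULES were reloaded
pf_try_rules() {
    new="$1" old="$2" confirm="$3" timeout="$4"
    rm -f "$confirm"   # a stale confirm file must not auto-accept
    # parse only (pfctl -n): catches syntax errors, not "valid" typos
    "$PFCTL" -n -f "$new" || return 1
    "$PFCTL" -FA && "$PFCTL" -f "$new" || {
        "$PFCTL" -FA && "$PFCTL" -f "$old"
        return 2
    }
    # From another session, the operator runs: touch CONFIRMFILE
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    "$PFCTL" -FA && "$PFCTL" -f "$old"   # nobody confirmed: roll back
    return 2
}

# Typical use from the console or the session that may get cut off:
#   pf_try_rules /etc/pf.conf.new /etc/pf.conf /var/run/pf.confirm 60
```

Like the one-liner, `pfctl -FA` flushes states as well as rules, so existing connections are reset on both load and rollback.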