Re: Basic FreeBSD firewall and patching questions.
Daniel Pittman wrote:
> It looks to me like either ipf or ipfilter are equally good, and have about the same capabilities,

While you are getting started and to test rules you could use /etc/hosts.allow also. You may already be familiar with it from other OSs. We used to keep a list of what IPs can ssh into our machines. Biggest drawback: only works with apps that support it.

> I have, at the moment, 5.4-RELEASE #0 according to uname. I suspect that means the very first release of 5.4, correct? In which case, I need to update the FreeBSD core.

You want to use cvsup to update the source.

> So: how can I bring this up to the latest stable release in the 5.4 series?

My advice is to get cvsup installed, get latest source, recompile all. Especially now that you are not in production. Should have all the info, but whatever aspects are not clear you can ask here in the list.

> Once that is done, is there any equivalent to the 'portaudit' tool to check the system and warn me if there are outstanding changes on the release branch?

There are several audit tools in the ports. I am not familiar with any, but until you find one you like you can use mtree. Also for machines that you have physical access to or have remote kvm you could also look at the security profiles. Basically you can set rights such that a number of changes can only be done in single user mode. I have never used it, but I think it could possibly help to make a machine more tamper resistant.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Basic FreeBSD firewall and patching questions.
On Thu, 20 Oct 2005, Foo Ji-Haw wrote:
> Thanks for the brief breakdown on ipf and ipfilter. But what about ipfw? I like the 'auto-swap ruleset' feature, as well as account. Does ipfw do them as well? Thanks.

No idea, never used it and I don't plan to. I'm using pf now, it does what I need although I miss the two mentioned features, and I see no reason to change.

I asked on the openbsd list for the ability to have an inactive ruleset and swap for the very same reasons you want it, and got flamed: "why would you ever want that?", "you can keep a backup in a file", "why wouldn't you want to have 10 or 100 rulesets?", "you can check your ruleset with pfctl -n", "it won't load if there are errors". They didn't get that the check catches only syntactically incorrect errors, not those typos that can lock you out while strictly correct - like 10.0.0.0/2 instead of 10.0.0.0/24. So don't request it. Same thing for groups.

Cheers, Erik
Re: Basic FreeBSD firewall and patching questions.
On Thu, 20 Oct 2005, Daniel Pittman wrote:
> It looks to me like either ipf or ipfilter are equally good, and have about the same capabilities, as well as being provided as part of the base system. Is there any good, technical reason why I should prefer one to the other?

ipfilter is simpler, less featured and may at first be easier to maintain, but they share much the same syntax. The most significant thing you don't find in pf is groups. Groups are conceptually like chains or tables under Linux. So in pf you have to be more careful keeping things in order. OTOH, pf has queuing and enables you to set priorities or reserve bandwidth to certain types of traffic. If you need traffic accounting, then I have yet to see something that works for pf, while with ipfilter it's fairly easy.

> My second question is about updating the firewall rules: under Linux, I use a helper program that loads the firewall rules into the kernel, then waits for me to confirm that it worked.

ipfilter maintains two rulesets, an active and an inactive, and you can swap them. So to do that you'd:

# ipf -FI && ipf -I -f && ipf -S && sleep 60 && ipf -S && ipf -FI

Which will flush the inactive ruleset (just to be sure it's empty), load your rules into it, swap, sleep 60 seconds to let you test you can get back in, swap again and flush the inactive ruleset to clear up.

In pf there is no such thing, you will have to keep a backup of the old ruleset, then:

# pfctl -n -f && pfctl -FA && pfctl -f && sleep 60 && pfctl -FA && pfctl -f

The first command just parses the rules, this will catch syntax errors, but won't catch syntactically correct typos. Also, with ipfilter you can fairly easily delete a specific rule or insert a rule at a specific place in the ruleset. With pf this is more difficult.

> I have, at the moment, 5.4-RELEASE #0 according to uname. I suspect that means the very first release of 5.4, correct? In which case, I need to update the FreeBSD core.

Yes, 5.4 was released almost a year ago. There have been security updates in both kernel and userland.

> The handbook really isn't clear on this, and previous discussion on this list about the virtues of 'make world' vs patches, etc, didn't really clear things up for me.

Well, right now you want to cvsup your src - it's the fastest way to get everything up to date. I think patching should be done for smaller updates and security patches. You might try that next time.

> So: how can I bring this up to the latest stable release in the 5.4 series?

Check the handbook Chp 20. For production servers, in particular if they are critical like firewalls, you want to go with the stable branch.

> Once that is done, is there any equivalent to the 'portaudit' tool to check the system and warn me if there are outstanding changes on the release branch?

Security advisories are sent to:
* [EMAIL PROTECTED]
* FreeBSD-security@FreeBSD.org
* FreeBSD-announce@FreeBSD.org

Cheers, Erik
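The confirm-or-roll-back reload that Daniel asks for, and that Erik emulates above with `sleep 60` and a saved ruleset, written out as an added example for pf (this is not code from the thread). It assumes that the operator confirms by creating a file (for instance `touch /tmp/pf.confirm` from a fresh ssh login), that `pfctl -sr` output can be fed back to `pfctl -f`, and that the load and restore commands are passed in as strings so the logic can be exercised without pf present.

```shell
#!/bin/sh
# Added example, not from the thread. Load a new firewall ruleset, wait for
# the operator to confirm from a new session, and restore the saved ruleset
# if no confirmation arrives in time.
# Assumptions (not from the thread): confirmation = CONFIRM_FILE appears;
# LOAD_CMD/RESTORE_CMD are shell strings so the logic is testable without pf;
# "pfctl -sr" output is accepted back by "pfctl -f".

# safe_reload LOAD_CMD RESTORE_CMD TIMEOUT_SECS CONFIRM_FILE
#   returns 0: new rules loaded and confirmed within TIMEOUT_SECS
#   returns 1: no confirmation, RESTORE_CMD was run
#   returns 2: LOAD_CMD itself failed, previous rules untouched
safe_reload() {
    load_cmd=$1; restore_cmd=$2; timeout=$3; confirm=$4
    rm -f "$confirm"                       # a stale confirmation must not count
    if ! sh -c "$load_cmd"; then
        echo "safe_reload: load failed, previous rules still active" >&2
        return 2
    fi
    i=0
    while [ "$i" -lt "$timeout" ]; do      # poll once per second for the confirm file
        if [ -e "$confirm" ]; then
            rm -f "$confirm"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "safe_reload: no confirmation within ${timeout}s, restoring old rules" >&2
    sh -c "$restore_cmd"
    return 1
}

# pf_safe_reload NEW_RULES_FILE [TIMEOUT_SECS]
# pf-specific wrapper: save the running filter rules, syntax-check the new
# file (which, as Erik notes, cannot catch a /2 typed for /24), then hand
# the load and restore commands to safe_reload.
pf_safe_reload() {
    new=$1; timeout=${2:-60}
    backup=$(mktemp /tmp/pf.rules.XXXXXX) || return 2
    pfctl -sr > "$backup" || return 2      # currently loaded filter rules
    pfctl -nf "$new" || return 2           # parse only, nothing is loaded yet
    safe_reload "pfctl -f '$new'" "pfctl -f '$backup'" "$timeout" /tmp/pf.confirm
}
```

Run `pf_safe_reload /etc/pf.conf.new 60` from the existing session, then `touch /tmp/pf.confirm` from a second login that is opened after the load; if that second login never succeeds, the saved rules come back after the timeout.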
Basic FreeBSD firewall and patching questions.
G'day.

I am quite new with supporting FreeBSD, although well experienced with Unix and Linux in general, so I hope these questions are not too silly.

My first question is about firewalls: I have read the FreeBSD handbook and browsed the ports database, etc, to find out about firewalling. It looks to me like either ipf or ipfilter are equally good, and have about the same capabilities, as well as being provided as part of the base system. Is there any good, technical reason why I should prefer one to the other?

My second question is about updating the firewall rules: under Linux, I use a helper program that loads the firewall rules into the kernel, then waits for me to confirm that it worked. If I don't confirm within 30 seconds it reloads the previous firewall configuration. This makes updating firewall rules remotely much safer,[1] since I can't accidentally lock out my SSH session or anything.

Is there anything under FreeBSD that can provide an equivalent sort of service for me? Nothing in the ports collection looked hopeful. I don't care about any sort of higher level rules language or anything like that, but I would put up with one in return for that level of safety. I really don't want a GUI tool, though.

Finally, I seem to be having a dense day, and don't feel comfortable that I understand all the security monitoring and updating I need to for FreeBSD - especially starting from whatever the hosting company delivered to me.

I have, at the moment, 5.4-RELEASE #0 according to uname. I suspect that means the very first release of 5.4, correct? In which case, I need to update the FreeBSD core. The handbook really isn't clear on this, and previous discussion on this list about the virtues of 'make world' vs patches, etc, didn't really clear things up for me.

So: how can I bring this up to the latest stable release in the 5.4 series?

Once that is done, is there any equivalent to the 'portaudit' tool to check the system and warn me if there are outstanding changes on the release branch?

Thanks, Daniel

Footnotes:
[1] I work as a consultant, and most of my clients can't (or won't) provide serial console access to their servers for one reason or another. So, firewall manipulation via TCP/IP it is. :/