Re: best way to install/update software and firewall choice
Thanks to all

-- 
Guy

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
best way to install/update software and firewall choice
Hi,

I am an old Debian user and I am looking at FreeBSD for security reasons:
* I am very interested in the jail concept
* I have to relearn iptables syntax each time I want to add a rule

I am testing the system in a VMware virtual machine.

There is a point I don't fully understand. There are several ways of updating the system, from precompiled binaries or by recompiling the system and the ports (and using csup, portsnap, portupgrade ...). I would prefer to use the first way because it is really faster, but it seems to me that when I want to update my jails, there is no other easy way than recompiling the whole world into my jails.

The other point that is a bit confusing is that I don't know which firewall to use. My first guess would be to use pf, because it exists also on OpenBSD, but it seems that the default would go to ipfw.

Thanks for supporting a newbie

-- 
Guy
Re: best way to install/update software and firewall choice
Guy Marcenac wrote:
> Hi, I am an old Debian user and I am looking at FreeBSD for security reasons
> * I am very interested in the jail concept
> * I have to relearn iptables syntax each time I want to add a rule

Don't we all :)

> I am testing the system in a VMware virtual machine. There is a point I don't fully understand. There are several ways of updating the system, from precompiled binaries or by recompiling the system and the ports (and using csup, portsnap, portupgrade ...).

To update your base system, you can use freebsd-update. This uses precompiled binaries and also updates the relevant sources (assuming you have them installed beforehand and you are using the default freebsd-update configuration - which is recommended). However, if you are going to run jails, this advantage is more or less defeated: you will have to run 'make buildworld' anyway to install the result in the jails.

> I would prefer to use the first way because it is really faster, but it seems to me that when I want to update my jails, there is no other easy way than recompiling the whole world into my jails.

Yes, unless you can somehow run freebsd-update from inside a jail :) Don't know if this will work though. It will probably fail trying to patch the kernel. If you use freebsd-update you will only 'make installworld' for the jails, as the 'host' will be taken care of by freebsd-update binary patching. You still need the make buildworld step, so you don't really gain much.

> The other point that is a bit confusing is that I don't know which firewall to use. My first guess would be to use pf, because it exists also on OpenBSD, but it seems that the default would go to ipfw.

I am using pf too. It is a matter of preference and features needed. I suggest you read the Handbook chapter and decide for yourself.
Re: best way to install/update software and firewall choice
Guy Marcenac wrote:
> Hi, I am an old Debian user and I am looking at FreeBSD for security reasons
> * I am very interested in the jail concept
> * I have to relearn iptables syntax each time I want to add a rule
> I am testing the system in a VMware virtual machine. There is a point I don't fully understand. There are several ways of updating the system, from precompiled binaries or by recompiling the system and the ports (and using csup, portsnap, portupgrade ...). I would prefer to use the first way because it is really faster, but it seems to me that when I want to update my jails, there is no other easy way than recompiling the whole world into my jails.

If you're building world for the base system, then you can install the same updates into your jails without recompiling everything:

    # cd /usr/src
    # make buildworld
    # make installworld                                      ## the base system
    # mergemaster -Ui
    # make installworld DESTDIR=/jails/jail0.example.com     ## each different jail
    # mergemaster -D /jails/jail0.example.com -Ui

Alternatively you can nullfs mount /usr/src and /usr/obj into your jails, and then just log in to the jail and install the built world and run mergemaster that way. This is assuming that all your jails are intended to run the same OS version as your base system -- if not, then you are correct: you'll have to update each one separately.

Similarly, you can nullfs mount the ports tree into your jails. A good approach is to create a /usr/ports/packages directory and then, when installing in the base, make a package of anything you build. You can then install that package in the jail without lots of recompilation. If you're using portupgrade(1), use the -p flag in the base system to cause packages to be built, and the -P flag in your jails to install any available packages. This is functionality that is currently missing from portmaster, but portmaster's author is soliciting donations to support himself while he spends some quality time implementing it.
> The other point that is a bit confusing is that I don't know which firewall to use. My first guess would be to use pf, because it exists also on OpenBSD, but it seems that the default would go to ipfw.

ipfw(8) is the original FreeBSD firewall, whereas pf is an import from OpenBSD a few major versions back. Feature-wise, they have much the same basic capabilities, although for some more advanced stuff like HA you'll need pf. Personally I very much prefer pf because the config file is much more readable, and for the very simple reason that ipfw has a nasty tendency to lock you out of the system while you're trying to update the rules. While it is still possible to lock yourself out with pf, you have to try really quite hard to do so.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: best way to install/update software and firewall choice
freebsd-update works fine in a jail so long as you symlink the kernel file to /dev/null

Manolis Kiagias wrote:
> [...]
Re: best way to install/update software and firewall choice
On 10/31/09, phantomcircuit phantomcirc...@covertinferno.org wrote:
> freebsd-update works fine in a jail so long as you symlink the kernel file to /dev/null

I've never needed to do that. I run lots of jails and I just run freebsd-update like normal. I don't install the kern sets in the jails though, just base.

    cat base.?? | tar -xzf - -C /jails/jail0.sample
    ## set up /etc/resolv.conf in the jail
    ## run freebsd-update from within the jail
    ## it patches and runs fine.
    ## this is not the documented way to do it, but I haven't yet had problems with it.
    ## world for the jails will take about 128MB of disk space; any services you add are on top of that.
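An added example, not code from any of the posts in this thread: a small sh script that wraps the two jail-update flows discussed above, Matthew's build-once-on-the-host then installworld-with-DESTDIR flow, and the freebsd-update flow, here driven from the host with freebsd-update's -b basedir option instead of from inside each jail. The layout is an assumption, not something the posts state: sources in $SRCDIR (default /usr/src), one directory per jail under $JAILROOT (default /jails), every jail on the same release as the host. DRYRUN=1, the default, prints each command instead of running it so the plan can be read before anything is touched. The part worth keeping even if you script this differently is the jail-root check: make installworld with an empty or relative DESTDIR, or freebsd-update -b /, quietly operates on the host itself.

```shell
#!/bin/sh
# Added example, not from the thread.  Drives the source-based
# (buildworld/installworld DESTDIR) and binary (freebsd-update -b) jail
# update flows from the host.  Assumed layout: $SRCDIR holds the sources,
# $JAILROOT holds one directory per jail, all jails on the host's release.
# DRYRUN=1 (default) prints each command instead of executing it.

: "${SRCDIR:=/usr/src}"
: "${JAILROOT:=/jails}"
: "${DRYRUN:=1}"

run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# installworld with an empty or relative DESTDIR, or DESTDIR=/, installs
# over the host, and freebsd-update -b / does the same.  Accept only an
# absolute, existing directory that is not / and has no "." or ".." parts.
check_jail_root() {
    r=${1%/}                                   # tolerate one trailing slash
    case "$r" in
        ""|/.|*/..|*/../*|*/./*)
            echo "refusing jail root '$1': resolves to or near /" >&2
            return 1 ;;
        /*) [ -d "$r" ] || { echo "no such jail root: '$r'" >&2; return 1; } ;;
        *)  echo "jail root must be absolute: '$1'" >&2; return 1 ;;
    esac
}

# Host side of Matthew's flow: build once, install, merge config files.
update_host() {
    run make -C "$SRCDIR" buildworld
    run make -C "$SRCDIR" installworld
    run mergemaster -Ui
}

# Install the world already built on the host into one jail.
install_into_jail() {
    check_jail_root "$1" || return 1
    jail=${1%/}
    run make -C "$SRCDIR" installworld DESTDIR="$jail"
    run mergemaster -Ui -D "$jail"
}

# Binary update of one jail from the host: -b makes freebsd-update operate
# on the tree at that directory instead of /.  It needs an installed base
# to patch, so bin/sh is used as a cheap marker that one is present.
freebsd_update_jail() {
    check_jail_root "$1" || return 1
    jail=${1%/}
    [ -x "$jail/bin/sh" ] || { echo "no installed base under '$jail'" >&2; return 1; }
    run freebsd-update -b "$jail" fetch install
}

# Apply a per-jail function ($1) to every directory under $JAILROOT.  A
# bad jail root aborts the run, and zero jails is an error too, so a typo
# in $JAILROOT is noticed instead of silently doing nothing.
update_all_jails() {
    n=0
    for d in "$JAILROOT"/*/; do
        [ -d "$d" ] || continue
        "$1" "${d%/}" || return 1
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "no jails under '$JAILROOT'" >&2; return 1; }
}

# Typical sequences (dry-run unless DRYRUN=0 is set):
#   update_host && update_all_jails install_into_jail
#   update_all_jails freebsd_update_jail
```

Source the file and call the functions, reading the dry-run output first; only then rerun with DRYRUN=0. The check rejects "/", "", relative paths, anything containing "." or ".." components, and directories that do not exist, which covers the usual ways a DESTDIR or -b argument ends up pointing at the host.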