On Thu, Jan 09, 2003 at 09:42:35AM -0500, Small, Jim wrote:
> How does everyone maintain their firewalls when patching them? Do you use
> cvs or a manual patch? Or do you compile things on a separate system and do
> binary patch on the firewall?
> It would seem that CVS (tracking -stable) is the best way. The problem with
> this though is you have to put the compiler on the firewall. Ideally you
> want your firewall stripped down. But since you need to compile patches, it
> seems hard to avoid.
I usually have a separate system that tracks -stable and when there is a
patch that will affect the firewall, I create a release[1] and simply
untar the files on the firewall[2] using the proper arguments. Of
course, I take extra care when dealing with etc32.tgz. If there are any
changes to /etc, I make them by hand if there are only a few of them.
Otherwise, I just backup my few local etc files (pf.conf, rc.conf,
rc.local, master.passwd, etc.), untar the new etc32.tgz and restore
back my local files. After rebooting, the firewall will have the
necessary patches installed.
hth.
--
[1] man release(8)
[2] either via a NFS mount or by burning a cd-rw that I will use on
other, offsite systems. Of course, you can also scp/sftp them over
etc.
--
Saad Kadhi
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63 65EB 34F1 DBBF 3559 2A6D]
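The etc32.tgz step described above, written out as an added shell example (not Saad's own script): save the locally customised /etc files he lists, extract the new set with permissions preserved, then put the saved files back. It assumes a root directory argument so the sequence can be rehearsed in a scratch tree; on the firewall that argument would be /.

```shell
#!/bin/sh
# Added example, not from the mail: back up local /etc files, extract the
# etc set, restore the local files. ROOT is a parameter so this can be
# tried in a scratch directory before running it against "/".

# The files the poster names as locally customised.
LOCAL_ETC_FILES="etc/pf.conf etc/rc.conf etc/rc.local etc/master.passwd"

# Copy each listed file that exists under root $1 into backup dir $2.
backup_local_etc() {
    root=$1; store=$2
    mkdir -p "$store"
    for f in $LOCAL_ETC_FILES; do
        [ -f "$root/$f" ] || continue
        mkdir -p "$store/$(dirname "$f")"
        cp -p "$root/$f" "$store/$f"
    done
}

# Extract the set tarball $2 into root $1, preserving permissions (-p),
# which is what the release(8) procedure does for each set.
extract_etc_set() {
    root=$1; tarball=$2
    tar -xzpf "$tarball" -C "$root"
}

# Put the saved local files back over the freshly extracted defaults.
restore_local_etc() {
    root=$1; store=$2
    for f in $LOCAL_ETC_FILES; do
        [ -f "$store/$f" ] || continue
        cp -p "$store/$f" "$root/$f"
    done
}

# Whole sequence; non-zero if the tarball is missing or any step fails.
# Usage: apply_etc_set /scratch/root /path/to/etc32.tgz /scratch/backup
apply_etc_set() {
    root=$1; tarball=$2; store=$3
    [ -f "$tarball" ] || return 1
    backup_local_etc "$root" "$store" &&
    extract_etc_set "$root" "$tarball" &&
    restore_local_etc "$root" "$store"
}
```

Rehearsing against a scratch root first shows exactly which defaults the new set would overwrite before the firewall itself is touched.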