Guy Marcenac wrote:

I am an old debian user and I am looking at freebsd for security reasons
* I am very interested in the jail concept
* I have to relearn iptables syntax each time I want to add a rule

I am testing the system in vmware virtual machine.

There is a point I don't fully understand. There are several ways of updating the system, from precompiled binaries or by recompiling the system and the ports (and using csup, portsnap, portupgrade ...). I would prefer to use the first way because it is really faster, but it seems to me that when I want to update my jails, there is no other easy way than recompiling the whole world into my jails.

If you're building world for the base system, then you can install the same
updates into your jails without recompiling everything:

  # cd /usr/src
  # make buildworld
  # make installworld                        ## the base system
  # mergemaster -Ui
  # make DESTDIR=/jails/   ## each different jail
  # mergemaster -D /jails/ -Ui

Alternatively you can nullfs mount /usr/src and /usr/obj into your jails,
and then just log in to the jail and install the built world and run
mergemaster  that way.  This is assuming that all your jails are intended
to run the same OS version as your base system -- if not, then you are
correct: you'll have to update each one separately.

Similarly, you can nullfs mount the ports tree into you jails.  A good
approach is to create a /usr/ports/packages directory and then when
installing in the base, make a package of anything you build.  You can
then install that package in the jail without lots of recompilation.
If you're using portupgrade(1), use the -p flag in the base system to cause 
packages to be built, and the -P flag in your jails to install any available 
packages.  This is functionality that is currently missing from portmaster
but portmaster's author is soliciting donations to support himself while
he spends some quality time implementing it.

The other point a bit confusing is that I dont know which firewall to use. My first guess would be to use pf, because it exists also on openbsd, but it seems that the default would go to ipfw.

ipfw(8) is the original FreeBSD firewall, whereas pf is an import from
OpenBSD a few major versions back.  Featurewise, they have much the same
basic capabilities although for some more advanced stuff like HA you'll
need pf.

Personally I very much prefer pf because the  config file is much more
readable, and for the very simple reason that ipfw has a nasty tendency
to lock you out of the system while you're trying to update the rules. While it is still possible to lock yourself out with pf, you have to try
really quite hard to do so.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP:     Ramsgate
                                                 Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to