Guy Marcenac wrote:
Hi,

I am an old Debian user and I am looking at FreeBSD for security reasons:

  * I am very interested in the jail concept
  * I have to relearn iptables syntax each time I want to add a rule

I am testing the system in a VMware virtual machine. There is a point I don't fully understand. There are several ways of updating the system, from precompiled binaries or by recompiling the system and the ports (and using csup, portsnap, portupgrade ...). I would prefer to use the first way because it is really faster, but it seems to me that when I want to update my jails, there is no other easy way than recompiling the whole world into my jails.
If you're building world for the base system, then you can install the same updates into your jails without recompiling everything:

    # cd /usr/src
    # make buildworld
    # make installworld                             ## the base system
    # mergemaster -Ui
    # make installworld DESTDIR=/jails/jail0.example.com/   ## each different jail
    # mergemaster -D /jails/jail0.example.com -Ui

Alternatively you can nullfs mount /usr/src and /usr/obj into your jails, and then just log in to the jail and install the built world and run mergemaster that way. This is assuming that all your jails are intended to run the same OS version as your base system -- if not, then you are correct: you'll have to update each one separately.

Similarly, you can nullfs mount the ports tree into your jails. A good approach is to create a /usr/ports/packages directory and then when installing in the base, make a package of anything you build. You can then install that package in the jail without lots of recompilation. If you're using portupgrade(1), use the -p flag in the base system to cause packages to be built, and the -P flag in your jails to install any available packages. This is functionality that is currently missing from portmaster but portmaster's author is soliciting donations to support himself while he spends some quality time implementing it.
The other point a bit confusing is that I don't know which firewall to use. My first guess would be to use pf, because it exists also on OpenBSD, but it seems that the default would go to ipfw.
ipfw(8) is the original FreeBSD firewall, whereas pf is an import from OpenBSD a few major versions back. Featurewise, they have much the same basic capabilities although for some more advanced stuff like HA you'll need pf. Personally I very much prefer pf because the config file is much more readable, and for the very simple reason that ipfw has a nasty tendency to lock you out of the system while you're trying to update the rules. While it is still possible to lock yourself out with pf, you have to try really quite hard to do so.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
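The per-jail installworld/mergemaster step above, generalised to every jail under one directory, as an added example that is not from the thread. It assumes buildworld has already completed on the host, that all jails run the host's release, and that SRC, JAIL_BASE and DRY_RUN are this script's own variable names; the jail-root check refuses paths that would make installworld write to the host.

```shell
#!/bin/sh
# Added example: install an already-built world into every jail root
# under JAIL_BASE and merge each jail's /etc. DRY_RUN=1 prints the
# commands instead of running them (defaults are assumptions, not
# values from the thread).
set -eu

SRC="${SRC:-/usr/src}"
JAIL_BASE="${JAIL_BASE:-/jails}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject roots that are empty, the host root, or not a populated jail;
# an unset DESTDIR would overwrite the host's userland.
check_jail_root() {
    root="$1"
    case "$root" in
        ""|/|/.|//) return 1 ;;
    esac
    [ -d "$root" ] || return 1
    [ -d "$root/etc" ] || return 1   # a populated jail carries an /etc tree
    return 0
}

# Install the built world into one jail and merge its configuration.
update_jail() {
    root="$1"
    check_jail_root "$root" || { echo "skipping $root: not a jail root" >&2; return 1; }
    run make -C "$SRC" installworld DESTDIR="$root"
    run mergemaster -D "$root" -Ui
}

# Update every jail directory found under JAIL_BASE; print how many were done.
update_all_jails() {
    n=0
    for root in "$JAIL_BASE"/*; do
        [ -d "$root" ] || continue
        update_jail "$root" && n=$((n + 1))
    done
    echo "$n"
}
```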