freebsd-update works fine in a jail so long as you symlink the kernel file to /dev/null

Manolis Kiagias wrote:
Guy Marcenac wrote:

I am an old Debian user and I am looking at FreeBSD for security reasons
* I am very interested in the jail concept
* I have to relearn iptables syntax each time I want to add a rule

Don't we all :)

I am testing the system in a VMware virtual machine.

There is a point I don't fully understand. There are several ways of
updating the system, from precompiled binaries or by recompiling the
system and the ports (and using csup, portsnap, portupgrade ...).

To update your base system, you can use freebsd-update. This uses
precompiled binaries and also updates the relevant sources (assuming you
have them installed beforehand and you are using the default
freebsd-update configuration - which is recommended). However if you are
going to run jails, this advantage is more or less defeated: you will have
to run 'make buildworld' anyway to install the result in the jails.

I would prefer to use the first way because it is really faster, but
it seems to me that when I want to update my jails, there is no other
easy way than recompiling the whole world into my jails.

Yes, unless you can somehow run freebsd-update from inside a jail :)
Don't know if this will work though. It will probably fail trying to
patch the kernel.

If you use freebsd-update you will only 'make installworld' for the
jails, as the 'host' will be taken care of by freebsd-update binary
patching.  You still need the make buildworld step, so you don't really
gain much.

The other point a bit confusing is that I don't know which firewall to
use. My first guess would be to use pf, because it exists also on
OpenBSD, but it seems that the default would go to ipfw.

I am using pf too. It is a matter of preference and features needed. I
suggest you read the Handbook chapter and decide for yourself.

_______________________________________________ mailing list
To unsubscribe, send any mail to ""