On Fri, 14 Mar 2003, Adrian Head wrote:

> I've been looking at replacing it with a Gentoo machine for quite a while;
> however, what's stopping me is the fact that to keep things up-to-date you
> either have to have gcc on the firewall! or go the precompiled binary package
> route.
> ...
> My next thought was to have a chrooted environment on the server that would
> allow the base system to be updated where appropriate. The disadvantage is
> that the image couldn't be tested until it is moved to the firewall machine.
>
> Has anyone attempted this before? How have you dealt with the updating of the
> firewall and keeping the system secure and locked down? Has anyone been able
> to automate the process? How is the system tested upon every upgrade? Has
> anyone worked out how to roll-back an upgrade if something happens?
I keep a chroot duplicate of the firewall on another computer and use rsync to keep them in sync. Both systems are Gentoo, but the rsync scripts keep the portage stuff off of the real firewall system.

When I first set it up, the intent was to use the chroot'ed system to build a bootable CD image for the firewall, which would pretty much make it impossible for anybody to do lasting harm to it. I started out using rsync to the firewall instead to test the system, and found it so convenient I never went to CD's. Rsync will tell me if anybody changes anything on the firewall, which is even better than stopping them, from my point of view.

As far as testing it goes, I don't do any real testing, but I don't run any packages on the firewall I haven't already used elsewhere, so that's sort of like testing.

As far as rolling back goes, you can always back up the system before you make changes. If I go to CD's, the backup part is trivial, just don't throw away the old CD.

--
Craig West   Ph: (416) 567-1491 | It's not a bug,
[EMAIL PROTECTED]               | It's a feature...

--
[EMAIL PROTECTED] mailing list
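A script of the kind Craig describes, added here as an illustration and not his own scripts or anything posted in this thread: it pushes a staging chroot to the firewall with rsync, keeps the Portage tree and package database out of the transfer, and, before each push, runs the same rsync as a dry run so that every file that changed on the firewall since the last sync is listed. The chroot path, the firewall host name and the exclude list are assumptions for the example.

```bash
#!/bin/bash
# Added illustration (not Craig's scripts): keep a staging chroot in sync with a
# firewall using rsync, keep Portage off the firewall, and report any files that
# changed on the firewall since the last push.
# The paths, the host name and the exclude list are assumptions for this example.
set -u

STAGE_ROOT="${STAGE_ROOT:-/srv/fw-chroot}"            # hypothetical chroot on the build box
FW_TARGET="${FW_TARGET:-root@fw.example.invalid:/}"   # placeholder firewall target

# Portage trees, build dirs and kernel-managed filesystems that must not be pushed.
# The excludes are anchored at the transfer root because the source ends in "/".
EXCLUDES="/usr/portage /var/db/pkg /var/cache/edb /var/tmp/portage /proc /sys /dev"

# Print the rsync options shared by the push and the drift check, one per line.
# --omit-dir-times keeps directory mtime differences from showing up as drift.
rsync_opts() {
    printf '%s\n' -aH --numeric-ids --omit-dir-times --delete
    for path in $EXCLUDES; do
        printf -- '--exclude=%s\n' "$path"
    done
}

# Dry-run rsync from the staging tree to the target and itemize every difference.
# Returns 0 when the two trees agree on everything outside the excludes, 1 otherwise.
check_drift() {
    src="$1"; dst="$2"
    # shellcheck disable=SC2046  (word-splitting of rsync_opts output is intended)
    changes=$(rsync --dry-run --itemize-changes $(rsync_opts) "$src/" "$dst/" | grep -c . || true)
    if [ "$changes" -eq 0 ]; then
        echo "no drift: $dst matches $src"
        return 0
    fi
    echo "drift: $changes entries differ between $src and $dst:"
    rsync --dry-run --itemize-changes $(rsync_opts) "$src/" "$dst/"
    return 1
}

# Push the staging tree to the target. Anything on the target that is not in the
# staging tree is removed (--delete), except inside the excluded paths, which are
# left untouched on both sides.
sync_tree() {
    src="$1"; dst="$2"
    rsync $(rsync_opts) "$src/" "$dst/"
}

case "${1:-}" in
    check) check_drift "$STAGE_ROOT" "$FW_TARGET" ;;
    push)  sync_tree "$STAGE_ROOT" "$FW_TARGET" && check_drift "$STAGE_ROOT" "$FW_TARGET" ;;
    *)     echo "usage: $0 check|push   (run 'check' before every 'push' to see what changed on the firewall)" ;;
esac
```

Running `check` first and reading the itemized list before `push` is what turns the sync into the change detector Craig mentions: a line for a file under `/etc` or `/sbin` that nobody pushed from the staging chroot is worth investigating before it gets silently overwritten. Because `--delete-excluded` is not used, a stray `/usr/portage` on the firewall is neither created nor removed by the push.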
