Basic FreeBSD firewall and patching questions.

Erik Norgaard norgaard at math.ku.dk
Thu Oct 20 01:21:12 PDT 2005


On Thu, 20 Oct 2005, Daniel Pittman wrote:

> It looks to me like either ipf or ipfilter are equally good, and have
> about the same capabilities, as well as being provided as part of the
> base system.  Is there any good, technical reason why I should prefer
> one to the other?

ipfilter is simpler, less featured and may at first be easier to 
maintain, but they share much the same syntax.

The most significant thing you don't find in pf is groups. Groups 
are conceptually like chains or tables under Linux. So in pf you 
have to be more careful keeping things in order.

OTOH, pf has queuing and enables you to set priorities or reserve 
bandwidth for certain types of traffic.

If you need traffic accounting, then I have yet to see something 
that works for pf, while with ipfilter it's fairly easy.

> My second question is about updating the firewall rules: under Linux,
> I use a helper program that loads the firewall rules into the kernel,
> then waits for me to confirm that it worked.

ipfilter maintains two rulesets, an active and an inactive and you 
can swap them.

So to do that you'd:

# ipf -I -Fa && ipf -I -f <rulefile> && ipf -s && sleep 60 &&
      ipf -s && ipf -I -Fa

Which will flush the inactive ruleset (just to be sure it's 
empty), load your rules into it, swap, sleep 60 seconds to let you 
test you can get back in, swap again and flush the inactive 
ruleset to clear up.

In pf there is no such thing, you will have to keep a backup of 
the old ruleset, then:

# pfctl -n -f <newrules> && pfctl -Fa && pfctl -f <newrules> &&
      sleep 60 && pfctl -Fa && pfctl -f <oldrules>

The first command just parses the rules, this will catch syntax 
errors, but won't catch syntactically correct typos.

Also, with ipfilter you can fairly easily delete a specific rule or 
insert a rule at a specific place in the ruleset. With pf this is 
more difficult.

> I have, at the moment, 5.4-RELEASE #0 according to uname.  I suspect
> that means the very first release of 5.4, correct?  In which case, I
> need to update the FreeBSD core.

Yes, 5.4 was released almost a year ago. There have been security 
updates in both kernel and userland.

> The handbook really isn't clear on this, and previous discussion on this
> list about the virtues of 'make world' vs patches, etc, didn't really
> clear things up for me.

Well, right now you want to cvsup your src - it's the fastest 
way to get everything up to date. I think patching should be done 
for smaller updates and security patches. You might try that next 
time.

> So: how can I bring this up to the latest stable release in the 5.4
> series?

Check the handbook Chp 20. For production servers, in particular 
if they are critical like firewalls, you want to go with the 
stable branch.

> Once that is done, is there any equivalent to the 'portaudit' tool to
> check the system and warn me if there are outstanding changes on the
> release branch?

Security advisories are sent to:

     * FreeBSD-security-notifications at FreeBSD.org
     * FreeBSD-security at FreeBSD.org
     * FreeBSD-announce at FreeBSD.org

Cheers, Erik
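The load-then-revert chains above do both the swap and the rollback unconditionally, so the operator has to interrupt the chain by hand to keep the new rules. The script below is an added example (not from the original mail, and not part of ipfilter or pf) that turns the same idea into the "confirm or roll back" helper the original question asked about: it loads the new ruleset, then polls for a confirmation file that the operator creates from a fresh ssh session; if the file does not appear within TIMEOUT seconds the old ruleset is restored. It covers both firewalls: for pf it reloads a saved copy of the old rules (pfctl -f replaces the whole ruleset in one transaction, so no separate flush is needed and existing states survive); for ipfilter it uses the inactive ruleset and swaps, the way the mail describes. The variable names (PFCTL, IPF, CONFIRM_FILE, TIMEOUT), the confirm-file path and the function names are this example's own choices; the ipf flags (-I for the inactive list, -Fa to flush it, -s to swap) follow ipf(8) as I read it and should be checked against the man page on the box before use.

```shell
#!/bin/sh
# Added example: apply a firewall ruleset with automatic rollback unless the
# operator confirms from a new session. Not code from the original mail.
# Assumptions: PFCTL/IPF point at the real binaries (overridable for testing),
# CONFIRM_FILE is an arbitrary path, TIMEOUT is the grace period in seconds.

PFCTL=${PFCTL:-pfctl}
IPF=${IPF:-ipf}
CONFIRM_FILE=${CONFIRM_FILE:-/var/run/fw.confirm}
TIMEOUT=${TIMEOUT:-60}

# Run this from a NEW login opened after the rules were loaded; its success
# proves the new ruleset still lets you in.
confirm_ruleset() { : > "$CONFIRM_FILE"; }

# Poll for the confirmation file. Returns 0 when it appears within TIMEOUT
# seconds (and removes it), 1 otherwise. One-second steps keep the wait
# responsive instead of a single blind "sleep 60".
wait_for_confirm() {
    i=0
    while [ "$i" -lt "$TIMEOUT" ]; do
        if [ -e "$CONFIRM_FILE" ]; then
            rm -f "$CONFIRM_FILE"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# pf: there is no inactive ruleset, so the caller must keep a copy of the
# old rules (OLD) to reload on rollback. "pfctl -n -f" only parses the file;
# a typo that is valid syntax (wrong port, wrong interface) still gets
# through, which is exactly why the confirmation step exists.
pf_apply() {
    new=$1; old=$2
    rm -f "$CONFIRM_FILE"
    "$PFCTL" -n -f "$new" || { echo "syntax error in $new" >&2; return 2; }
    "$PFCTL" -f "$new"    || { echo "load failed, old rules still active" >&2; return 3; }
    if wait_for_confirm; then
        echo "confirmed: $new stays active"
        return 0
    fi
    echo "no confirmation within ${TIMEOUT}s, reloading $old" >&2
    "$PFCTL" -f "$old"
    return 1
}

# ipfilter: load NEW into the inactive list, swap it in, and on rollback
# swap back and flush the inactive list (which then holds the bad rules).
# On confirmation the inactive list keeps the old rules, so "ipf -s" is
# still available as a one-command manual fallback.
ipf_apply() {
    new=$1
    rm -f "$CONFIRM_FILE"
    "$IPF" -I -Fa && "$IPF" -I -f "$new" || { echo "load into inactive list failed" >&2; return 3; }
    "$IPF" -s
    if wait_for_confirm; then
        echo "confirmed: $new stays active (old rules remain in the inactive list)"
        return 0
    fi
    echo "no confirmation within ${TIMEOUT}s, swapping back" >&2
    "$IPF" -s
    "$IPF" -I -Fa
    return 1
}

# Usage:  fw-apply.sh pf  /etc/pf.conf.new /etc/pf.conf.old
#         fw-apply.sh ipf /etc/ipf.rules.new
#         fw-apply.sh confirm        (from the new session, within TIMEOUT)
case ${1:-} in
    pf)      pf_apply "$2" "$3" ;;
    ipf)     ipf_apply "$2" ;;
    confirm) confirm_ruleset ;;
esac
```

Run the apply step over the existing session, then open a second ssh session and run the confirm step from it; if the second login never gets through, the apply step rolls back by itself when the timer expires. Because the confirmation must come from a separate login, a ruleset that silently blocks ssh cannot confirm itself, which is the gap a plain "sleep 60" chain leaves open.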

