Basic FreeBSD firewall and patching questions.

Daniel Pittman daniel at rimspace.net
Wed Oct 19 23:59:00 PDT 2005


G'day.  I am quite new to supporting FreeBSD, although well
experienced with Unix and Linux in general, so I hope these questions
are not too silly.

My first question is about firewalls: I have read the FreeBSD handbook
and browsed the ports database, etc, to find out about firewalling.

It looks to me like either ipf or ipfilter are equally good, and have
about the same capabilities, as well as being provided as part of the
base system.  Is there any good, technical reason why I should prefer
one to the other?

My second question is about updating the firewall rules: under Linux, 
I use a helper program that loads the firewall rules into the kernel,
then waits for me to confirm that it worked.

If I don't confirm within 30 seconds it reloads the previous firewall
configuration.  This makes updating firewall rules remotely much
safer,[1] since I can't accidentally lock out my SSH session or
anything.

Is there anything under FreeBSD that can provide an equivalent sort of
service for me?  Nothing in the ports collection looked hopeful.

I don't care about any sort of higher level rules language or anything
like that, but I would put up with one in return for that level of
safety.  I really don't want a GUI tool, though.

Finally, I seem to be having a dense day, and don't feel comfortable
that I understand all the security monitoring and updating I need to for
FreeBSD - especially starting from whatever the hosting company
delivered to me.

I have, at the moment, 5.4-RELEASE #0 according to uname.  I suspect
that means the very first release of 5.4, correct?  In which case, I
need to update the FreeBSD core.

The handbook really isn't clear on this, and previous discussion on this
list about the virtues of 'make world' vs patches, etc, didn't really
clear things up for me.

So: how can I bring this up to the latest stable release in the 5.4
series?  

Once that is done, is there any equivalent to the 'portaudit' tool to
check the system and warn me if there are outstanding changes on the
release branch?

Thanks,
        Daniel

Footnotes: 
[1]  I work as a consultant, and most of my clients can't (or won't)
     provide serial console access to their servers for one reason or
     another.  So, firewall manipulation via TCP/IP it is. :/
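The confirm-or-rollback behaviour described in the second question, written out as an added example (not part of the original post and not an existing FreeBSD tool): a POSIX sh wrapper that runs a load command, waits for a typed "yes" on stdin, and otherwise runs a restore command. The ipf command lines in the comments are assumed illustrations; the functions take whatever load and restore commands you pass them.

```sh
#!/bin/sh
# Confirm-or-rollback wrapper for remote firewall updates (added example).
# The two commands are assumptions chosen to match the post; for ipf they
# could be 'ipf -Fa -f /etc/ipf.rules.new' and 'ipf -Fa -f /etc/ipf.rules'.
#
# Usage: apply_or_rollback LOAD_CMD ROLLBACK_CMD [TIMEOUT_SECONDS]
# Exit status: 0 confirmed and kept, 1 not confirmed and rolled back,
#              2 LOAD_CMD failed (previous rules untouched).

# wait_confirm SECS: succeed only if the line "yes" arrives on stdin within SECS.
wait_confirm() {
    secs=$1
    marker=$(mktemp) || return 1
    # A background job in a non-interactive shell gets /dev/null as stdin,
    # so hand the reader a copy of the real stdin on fd 3.
    exec 3<&0
    ( if read -r line && [ "$line" = "yes" ]; then echo yes; else echo no; fi >"$marker" ) <&3 &
    reader=$!
    elapsed=0
    # Poll once a second until the reader has answered or the deadline passes.
    while [ "$elapsed" -lt "$secs" ] && [ ! -s "$marker" ]; do
        sleep 1
        elapsed=$((elapsed + 1))
    done
    kill "$reader" 2>/dev/null || true   # still blocked in read(): deadline hit
    exec 3<&-
    answer=$(cat "$marker")
    rm -f "$marker"
    [ "$answer" = "yes" ]
}

apply_or_rollback() {
    load=$1; rollback=$2; timeout=${3:-30}
    if ! sh -c "$load"; then
        echo "load failed; previous rules still active" >&2
        return 2
    fi
    echo "new rules loaded; type 'yes' within ${timeout}s to keep them" >&2
    if wait_confirm "$timeout"; then
        echo "confirmed, new rules kept" >&2
        return 0
    fi
    echo "no confirmation, restoring previous rules" >&2
    sh -c "$rollback" || echo "WARNING: rollback command failed" >&2
    return 1
}
```

If the new rules cut off the SSH session, no "yes" ever arrives and the restore command runs when the timeout expires, which is the whole point of the helper.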
