Basic FreeBSD firewall and patching questions.

Francisco Reyes lists at
Thu Oct 20 05:21:01 PDT 2005

Daniel Pittman wrote:

>It looks to me like either ipf or ipfilter are equally good, and have
>about the same capabilities,

While you are getting started and to test rules you could use 
/etc/hosts.allow also.
You may already be familiar with it from other OSs.. We use to keep a 
list of what IPs can ssh into our machines. Biggest drawback.. only 
works with apps that support it.

>I have, at the moment, 5.4-RELEASE #0 according to uname.  I suspect
>that means the very first release of 5.4, correct?  In which case, I
>need to update the FreeBSD core.
You want to use cvsup to update the source.

>So: how can I bring this up to the latest stable release in the 5.4
My advice is to get cvsup installed, get latest source, recompile all. 
Specially now that you are not in production. Should have all the info, 
but whatever aspects are not clear you can ask here in the list.

>Once that is done, is there any equivalent to the 'portaudit' tool to
>check the system and warn me if there are outstanding changes on the
>release branch?

There are several audit tools in the ports. I am not familiar with any, 
but until you find one you like you can use mtree.

Also for machines that you have physical access to or have remote kvm 
you could also look at the security profiles. Basically you can set 
rights such that a number of changes can only be done in single user 
mode. I have never used it, but I think it could possibly help to make a 
machine more tamper resistant.

More information about the freebsd-questions mailing list