best way to install/update software and firewall choice

[Manolis Kiagias]

Guy Marcenac wrote:
> Hi,
>
> I am an old debian user and I am looking at freebsd for security reasons
> * I am very interested in the jail concept
> * I have to relearn iptables syntax each time I want to add a rule

Don't we all :)

>
> I am testing the system in vmware virtual machine.
>
> There is a point I don't fully understand. There are several ways of
> updating the system, from precompiled binaries or by recompiling the
> system and the ports (and using csup, portsnap, portupgrade ...).

To update your base system, you can use freebsd-update. This uses
precompiled binaries and also updates the relevant sources (assuming you
have them installed beforehand and you are using the default
freebsd-update configuration - which is recommended). However if you are
going to run jails, this advantage is more less defeated: you will have
to run 'make buildworld' anyway to install the result in the jails.

> I would prefer to use the first way because it is really faster, but
> it seems to me that when I want to update my jails, there is no other
> easy way than recompiling the whole world into my jails.
>
Yes, unless you can somehow run freebsd-update from inside a jail :)
Don't know if this will work though. It will probably fail trying to
patch the kernel.

If you use freebsd-update you will only 'make installworld' for the
jails, as the 'host' will be taken care of by freebsd-update binary
patching.  You still need the make buildworld step, so you don't really
gain much.

> The other point a bit confusing is that I dont know which firewall to
> use. My first guess would be to use pf, because it exists also on
> openbsd, but it seems that the default would go to ipfw.
>

I am using pf too. It is a matter of preference and features needed. I
suggest you read the Handbook chapter and decide for yourself.