From owner-freebsd-questions@FreeBSD.ORG Thu Oct 20 12:21:01 2005
Message-ID: <43578BAB.2010605@stringsutils.com>
Date: Thu, 20 Oct 2005 08:20:59 -0400
From: Francisco Reyes
To: Daniel Pittman
Cc: freebsd-questions@freebsd.org
In-Reply-To: <87br1kk72v.fsf@rimspace.net>
Subject: Re: Basic FreeBSD firewall and patching questions.

Daniel Pittman wrote:
> It looks to me like either ipf or ipfilter are equally good, and have
> about the same capabilities,

While you are getting started and to test rules you could use /etc/hosts.allow also. You may already be familiar with it from other OSes. We used to keep a list of what IPs can ssh into our machines. Biggest drawback: only works with apps that support it.

> I have, at the moment, 5.4-RELEASE #0 according to uname. I suspect
> that means the very first release of 5.4, correct? In which case, I
> need to update the FreeBSD core.

You want to use cvsup to update the source.

> So: how can I bring this up to the latest stable release in the 5.4
> series?

My advice is to get cvsup installed, get the latest source, recompile all. Especially now that you are not in production. Should have all the info, but whatever aspects are not clear you can ask here in the list.

> Once that is done, is there any equivalent to the 'portaudit' tool to
> check the system and warn me if there are outstanding changes on the
> release branch?

There are several audit tools in the ports. I am not familiar with any, but until you find one you like you can use mtree. Also for machines that you have physical access to or have remote KVM you could also look at the security profiles. Basically you can set rights such that a number of changes can only be done in single user mode. I have never used it, but I think it could possibly help to make a machine more tamper resistant.
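An added illustration (not part of the reply above, nor FreeBSD's own libwrap code) of how the /etc/hosts.allow rules mentioned in the reply are evaluated: first matching line wins, so the order of allow and deny lines decides whether an sshd restriction actually takes effect. The rule file and addresses are constructed for the example and the matcher covers only the common client-pattern forms (ALL, single address, trailing-dot prefix, net/mask or CIDR).

```python
import ipaddress

# Constructed example of a FreeBSD-style /etc/hosts.allow using the extended
# tcp_wrappers syntax "daemon_list : client_list : allow|deny". Not a real host's file.
HOSTS_ALLOW = """
# admin LAN and one jump host may reach sshd; everyone else is refused
sshd : 192.168.10.0/255.255.255.0 : allow
sshd : 10.0.0.5 : allow
sshd : ALL : deny
# other wrapped daemons stay open, as in the stock file
ALL : ALL : allow
"""

# Same intent, wrong order: the blanket allow shadows the deny, so it never fires.
SHADOWED = """
sshd : ALL : allow
sshd : 203.0.113.7 : deny
"""

def _client_matches(pattern, ip):
    """Match one client pattern against a dotted-quad address string."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                       # "net/mask" or CIDR form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                # prefix form, e.g. "192.168."
        return ip.startswith(pattern)
    return ip == pattern

def evaluate(rules_text, daemon, ip):
    """Return 'allow' or 'deny' for a (daemon, client) pair; first match wins."""
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        action = fields[2].lower() if len(fields) > 2 else "allow"
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(_client_matches(c, ip) for c in clients):
            return action
    # tcp_wrappers grants access when no line in hosts.allow (or hosts.deny) matches
    return "allow"

if __name__ == "__main__":
    for src in ("192.168.10.44", "10.0.0.5", "203.0.113.7"):
        print(src, evaluate(HOSTS_ALLOW, "sshd", src))
```

Run the evaluator over a candidate file before installing it: a deny line that can never be reached is the classic mistake with first-match rule sets, and remember the reply's caveat that only daemons linked against libwrap consult this file at all.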