Slashdot Mirror

"I've been able to patch boxes running or 4.x for quite a while now, but jumping from 4 to 5, or in this case from 5 to 6 requires a complete reinstall."

It's very hard for me to believe that you've been running FreeBSD servers for years, and don't know that version to version upgrades can be done with minimal pain. Upgrades from one version of FreeBSD to another *do not* require complete reinstalls.

Yes, a 4.x to 5.x upgrade has the potential to be tricky, due to the major changes involved, but upgrading from 5.x to 6.x will not be a nearly as hairy.

Take a look at this email from one of the FreeBSD developers, in response to a question just like yours.

I linked to the FreeBSD Handbook, that is the user documentation. But for more general info about the FreeBSD project you might want to have a look at the FAQ first
http://www.freebsd.org/doc/en_US.ISO8859-1/books/f aq/index.html

I also forgot: this is a very nice place to find competent and informative answers to BSD and Unix related issues
http://bsdforums.org/forums

Btw, one little thing that the forum above has, and IMHO Slashdot is missing *badly*, is the ability to edit comments to add things you forgot (damn it).
--
Requiem for the FUD

If you want to give FreeBSD a spin, wait a few days for 5.4-RELEASE. As to pf, I have written this a few months ago - a quicky about how to set up pf. If you don't need anything complex (like applying different queue algorythms for traffic shaping from different hosts behind the firewall) you just kldload pf, enable it in rc.conf and write a simple rule file like the one a described there :) Also, you don't need natd to do nat like with ipfw/ipfw2, it is as simple as:

# macros, lists
ext_if="vr0" # replace with actual external interface name i.e., dc0
int_if="ed0"
internal_net="192.168.0.1/16"
external_addr="172.17.141.160"

# options
set block-policy drop
set loginterface ed0

# Scrub[1] options [2]
scrub on ed0 all reassemble tcp

#nat
nat on $ext_if from $internal_net to any -> ($ext_if)

pass quick on lo0 all

#default policy
block all

# allow outgoing and return traffic
pass out quick on $ext_if proto tcp all modulate state
pass out quick on $ext_if proto { udp, icmp } all keep state

# filter rule to allow traffic through nat
pass in quick on $int_if from $internal_net to any keep state
pass out quick on $int_if from any to $internal_net keep state

#example for a service - samba (the most complex, a webserver is just a one-liner
pass in on $ext_if proto udp to port { 137, 138 } keep state
pass out on $ext_if proto udp to port { 137, 138 } keep state
pass in on $ext_if proto tcp to port 139 modulate state

• Neither side of the connection is allowed to reduce their IP TTL. This is done to protect against an attacker sending a packet such that it reaches the firewall, affects the held state information for the connection, and expires before reaching the destination host. The TTL of all packets is raised to the highest value seen for the connection.
• Modulate RFC1323 timestamps in TCP packet headers with a random number. This can prevent an observer from deducing the uptime of the host or from guessing how many hosts are behind a NAT gateway. (from pf's faq I linked to on openbsd.org)

--
Being able to read *other people's* source code is a nice thing, not a 'fundamental freedom'.

Checkout bsdforums.org
There are many users there who can help you out.

Yep, this has been mentioned before, either here or at bsd forums
The FreeBSD team dropped the tripple dot format when they branched to 3.0 (and switched from AOUT to ELF binaries).
They still use them from time to time but only for, in my experience, quick bug splatterage. 5.2.1 was released because alot of people found 5.2 increadibly unstable, and the fixes didn't really warrent the label 5.3, the same I beleive is true of 3.5.1.

www.bsdforums.org

Screaming Electron
BSD Hound
BSD Forums
etc.

You could try Google BSD

Yes, maybe it should have been news. Security announcment is on FreeBSD.org and bsdforums as well though - along with a patch :))

Read the announcment + the workaround/fixes here. These guys are fast :))

of what has been reported broken in 5.2 and MFC'd to 5.2.1 can be found here

I just hope I can use my USB mouse with out needing a PS/2 mouse plugged in and my sound works again!

Right, here's a link.

The Slashdot story said, "... are pleased to announce the release of version 1.3.29 of the Apache HTTP Server ("Apache")."

However, that link references only a copy of the release info on a commercial bulletin board, BSDForums.org, that has plenty of advertisements.

The Slashdot story could have said, "... are pleased to announce the release of version 1.3.29 of the Apache HTTP Server ("Apache")", which is the official announcement on the apache.org site.

I've followed OpenBSD long enough to be vaguely familiar with systrace and the custom versions of apache and bind (bind 9 is in 3.3, right?)

As to the KSH comment: I used a version on solaris many years ago, and was entirely unimpressed. I don't know which version it was, though.

Make democracy work. Let your feelings be known!

Click Here to protest the war

Click Here to support the war

There is a thread on BSDForums, where people are discussing the possibility of either creating a script that would automate the creation of a "MiniBSD installation" or possibly creating a new BSD altogether, using the MiniBSD philosophy and FreeBSD base.

There is a thread on BSDForums, where people are discussing the possibility of either creating a script that would automate the creation of a "MiniBSD installation" or possibly creating a new BSD altogether, using the MiniBSD philosophy and FreeBSD base.

Here's a great place: bsdforums

That was the nerdiest thing I've read all week.

But it's no match for these