Upgrading an OpenBSD firewall
Original source: http://www.zmoon.org
Article URL: http://202.100.98.115:8080/blog/ ... d=a_20050122_124923
The firewall has been running OpenBSD all along, but it had never been patched. According to http://www.openbsd.org/errata.html, OpenBSD 3.6 already has 10 patches that need to be applied. The most serious is the newly published 010, which reads:
010: RELIABILITY FIX: January 11, 2005
A bug in the tcp(4) stack allows an invalid argument to be used in calculating the TCP retransmit timeout. By sending packets with specific values in the TCP timestamp option, an attacker can cause a system panic.
It lets a remote attacker panic the system, which is a serious problem, so an upgrade is required. I first downloaded the 10 patches individually, applied each one and then built a kernel, but the build failed, so I had to update src to -stable through cvs and rebuild to upgrade the system.
Upgrade procedure:
The OpenBSD FAQ lists three ways to update a system. The approach tried above was the third one; it failed, so the second method is used here.
There are three ways to update your system with patched code:
Upgrade your system to -current. As all fixes are applied to the -current code base, updating your system to the latest snapshot is a very good way to apply fixed code. However, running -current is not for everyone.
Update your system to -stable. This is done fetching or updating your source tree using the appropriate -stable branch, and recompiling the kernel and userland. Overall, this is probably the easiest way, though it takes longer (as the entire system gets recompiled) and a complete source checkout can take a long time if you have limited bandwidth available.
Patch, compile and install individual impacted files. This is what we will look at here. While this requires less bandwidth and typically less time than an entire cvs(1) checkout/update and compile, this is sometimes the most difficult option, as there is no one universal set of instructions to follow. Sometimes you must patch, recompile and install one application, other times, you might have to recompile entire sections of the tree if the problem is in a library file.
First make sure the system already has the source code in /usr/src/sys, so cvsup only has to fetch the changes rather than the whole tree and finishes faster. Then download and install cvsup. Building cvsup yourself is troublesome, so use the prebuilt package; the version without X11 can be downloaded from ftp://ftp.usa.openbsd.org:21/pub/OpenBSD/3.6/packages/i386/cvsup-16.1g-no_x11.tgz. A firewall generally has no X installed, so the no_x11 package is the one to use.
Log in as root (or su to root) and install the downloaded cvsup package:
#pkg_add cvsup-16.1g-no_x11.tgz
The installed cvsup binary lives in /usr/local/bin/.
Write a supfile with the following contents:
#*default tag=. # OpenBSD current branch
*default tag=OPENBSD_3_6 # OpenBSD 3.6-stable branch
#*default tag=OPENBSD_3_6_BASE # OpenBSD 3.6-release
#*default host=cvsup.uk.OpenBSD.org
*default host=openbsd.csie.nctu.edu.tw
*default prefix=/usr
*default base=/usr
*default release=cvs delete use-rel-suffix compress
#OpenBSD-all # -all: retrieve all below
OpenBSD-src # -src: src/ only
#OpenBSD-www # -www: www/ only
#OpenBSD-ports # -ports: ports/ only
OpenBSD-ports tag=.
#OpenBSD-x11 # -X11: X11/ only
#OpenBSD-xf4 # -XF4: XF4/ only
With this configuration, src is updated to OpenBSD 3.6-stable, while ports is updated to the latest tree: the "OpenBSD-ports tag=." line overrides the default tag with "." (-current). Be aware that mixing a -current ports tree with a -stable base system is not supported by the OpenBSD ports documentation; on a firewall that only needs the kernel fix, drop the ports collection or give it the same OPENBSD_3_6 tag as src.
Run cvsup in the background to sync the source, logging to a file:
#cvsup -g -L 2 /etc/supfile > /root/up.0 &
Watch the sync with tail -f /root/up.0:
Parsing supfile "/etc/supfile"
Connecting to openbsd.csie.nctu.edu.tw
Connected to openbsd.csie.nctu.edu.tw
Server software version: SNAP_16_1h
Negotiating file attribute support
Exchanging collection information
Establishing multiplexed-mode data connection
Running
Updating collection OpenBSD-src/cvs
Edit src/sys/conf/newvers.sh
Add delta 1.64.2.1 2004.11.01.03.36.00 brad
Checkout src/sys/dev/ic/xl.c
..................
..................
..................
Add delta 1.3 2005.01.05.17.54.27 naddy
Checkout ports/x11/xwrits/pkg/PLIST
Edit ports/x11/xzoom/Makefile
Add delta 1.13 2004.12.17.15.03.19 alek
Edit ports/x11/xzoom/distinfo
Add delta 1.2 2005.01.05.17.54.27 naddy
Edit ports/x11/xzoom/pkg/PLIST
Add delta 1.3 2004.09.15.19.26.35 espie
Shutting down connection to server
Finished successfully
Then build a kernel from the new src:
#cd /usr/src/sys/arch/i386/conf
Configure and build with the existing kernel configuration file (here named fw), then install it. Keep a copy of the running kernel first (cp /bsd /bsd.old) so the machine can still be booted if the new kernel fails:
#config fw
#cd ../compile/fw
#make depend
#make
#cp bsd /bsd
#reboot
Note that this rebuilds only the kernel, which is enough for the tcp(4) fix in 010; the -stable method in the FAQ quoted above also calls for rebuilding userland, which matters for errata that touch files outside the kernel tree. Once the system has rebooted, check the kernel version string:
#dmesg | more
OpenBSD 3.6-stable (fw) #0: Sat Jan 22 11:24:00 CST 2005
root@gw.nxedu.local:/sys/arch/i386/compile/fw
Done.
Addendum: using a proxy with cvsup
Here I go through a socks5 proxy.
Download socks5-v1.0r11.tar.gz
#tar xzvf socks5-v1.0r11.tar.gz
#cd socks5-v1.0r11
#./configure
#make
#make install
#cd /usr/local/etc
Create a new socks5 client configuration file:
#vi libsocks5.conf
It contains a single line:
socks5 - - - - 202.*.*.*:1080
#cd ../bin
#./runsocks cvsup -g -L 2 /etc/supfile
That is all that is needed.
Some people online say that cvsup installed from a package cannot use a socks5 proxy, but here it works; perhaps the difference is the system version.
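As an added example (not code from the original post), the script below wraps the sync-and-rebuild procedure described above and also covers the socks5 addendum. It assumes the paths used in the post (/etc/supfile, /root/up.0, /usr/local/bin/runsocks, kernel config fw on i386); the script name upgrade-stable.sh, the USE_SOCKS switch and all function names are assumptions made for this example, and the log used by its selftest is constructed to look like the cvsup output shown earlier, not a real sync. It only starts the kernel build when the cvsup log actually ends in "Finished successfully", keeps the previous kernel as /bsd.old, and warns when the supfile mixes a -current collection into a -stable sync.

```shell
#!/bin/sh
# upgrade-stable.sh: added example wrapping the cvsup sync and kernel rebuild
# from the post. Not code from the original post; paths and the kernel config
# name "fw" are taken from it, USE_SOCKS and the function names are assumptions.
set -u

SUPFILE=${SUPFILE:-/etc/supfile}
SUPLOG=${SUPLOG:-/root/up.0}
KERNCONF=${KERNCONF:-fw}
ARCH=${ARCH:-i386}
USE_SOCKS=${USE_SOCKS:-0}   # 1 = run cvsup under /usr/local/bin/runsocks

# cvsup prints "Finished successfully" as its last line only when the whole
# collection was synced; a refused or killed run leaves a half-updated tree.
cvsup_finished_ok() {
    [ -s "$1" ] || return 1
    tail -n 1 "$1" | grep -q '^Finished successfully$'
}

# Number of files cvsup edited, checked out or deleted ("Add delta" lines are
# per-revision detail, not files). Prints 0 and succeeds when nothing changed.
cvsup_changed_files() {
    grep -c -E '^(Edit|Checkout|Delete) ' "$1" || true
}

# A -stable supfile should not pull a collection from -current: flag any
# uncommented collection line that overrides the default tag with "tag=.".
supfile_mixes_current() {
    grep -q -E '^OpenBSD-[a-z0-9]+[[:space:]]+tag=\.' "$1"
}

run_cvsup() {
    if [ "$USE_SOCKS" = 1 ]; then
        /usr/local/bin/runsocks cvsup -g -L 2 "$SUPFILE" > "$SUPLOG" 2>&1
    else
        cvsup -g -L 2 "$SUPFILE" > "$SUPLOG" 2>&1
    fi
}

build_and_install_kernel() {
    cd /usr/src/sys/arch/"$ARCH"/conf || return 1
    config "$KERNCONF" || return 1
    cd ../compile/"$KERNCONF" || return 1
    make depend || return 1
    make || return 1
    cp /bsd /bsd.old || return 1     # keep a bootable fallback kernel
    cp bsd /bsd
}

upgrade() {
    if [ ! -d /usr/src/sys ]; then
        echo "no /usr/src/sys: install the src tree before syncing" >&2
        return 1
    fi
    if supfile_mixes_current "$SUPFILE"; then
        echo "warning: $SUPFILE pulls a collection from -current (tag=.)" >&2
    fi
    run_cvsup
    if ! cvsup_finished_ok "$SUPLOG"; then
        echo "cvsup did not finish cleanly (see $SUPLOG); not building" >&2
        return 1
    fi
    echo "cvsup changed $(cvsup_changed_files "$SUPLOG") files; building kernel $KERNCONF"
    build_and_install_kernel
}

# Offline check of the log and supfile parsing, using a constructed log
# modelled on the cvsup output in the post (not a real sync).
selftest() {
    dir=$(mktemp -d /tmp/supchk.XXXXXX) || return 1
    printf '%s\n' 'Parsing supfile "/etc/supfile"' 'Running' \
        'Updating collection OpenBSD-src/cvs' 'Edit src/sys/conf/newvers.sh' \
        'Add delta 1.64.2.1 2004.11.01.03.36.00 brad' 'Checkout src/sys/dev/ic/xl.c' \
        'Shutting down connection to server' 'Finished successfully' > "$dir/good.log"
    head -n 7 "$dir/good.log" > "$dir/cut.log"   # run killed before the final line
    printf '%s\n' '*default tag=OPENBSD_3_6' 'OpenBSD-src' 'OpenBSD-ports tag=.' > "$dir/mixed.sup"
    printf '%s\n' '*default tag=OPENBSD_3_6' 'OpenBSD-src' 'OpenBSD-ports' > "$dir/clean.sup"
    ok=0
    cvsup_finished_ok "$dir/good.log" || ok=1
    cvsup_finished_ok "$dir/cut.log" && ok=1
    [ "$(cvsup_changed_files "$dir/good.log")" = 2 ] || ok=1
    supfile_mixes_current "$dir/mixed.sup" || ok=1
    supfile_mixes_current "$dir/clean.sup" && ok=1
    rm -rf "$dir"
    return $ok
}

case "${1:-}" in
    run)      upgrade ;;
    selftest) selftest ;;
esac
```

Run it as "sh upgrade-stable.sh run" (with USE_SOCKS=1 in the environment to go through runsocks, as in the addendum) or "sh upgrade-stable.sh selftest" to exercise the log parsing without touching the network. Like the post, it rebuilds only the kernel; a full -stable update also rebuilds userland.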