
Re: attn: Chuck Yerks

kronic_bsd <kronic_bsd_(_at_)_fastmail_(_dot_)_fm> writes:
> Date: Wed, 6 Aug 2003 02:18:13 -0500
> From: kronic_bsd <kronic_bsd_(_at_)_fastmail_(_dot_)_fm>
> To: misc_(_at_)_openbsd_(_dot_)_org
> Subject: attn: Chuck Yerks
> Did you ever publish "webify" The following:
> http://www.monkey.org/openbsd/archive/misc/0306/msg00035.html
> I am revisiting this "tiny openbsd" idea and was wondering if you had any info about creating small versions for firewalling and routing etc...
> I just installed a test box for openbsd 3.3 "without X" and was wondering what can be safely deleted from the base install? The goal is to have as small a version as possible for firewalling + IPSEC VPN and routing. Going off the latter and previous suggestions as mentioned at the url above, I thought deleting the following might be alright also.
> /usr/include
> /usr/lib or just lib*.a
> /usr/local
> /usr/share  ....except termcap info in misc
> /usr/obj
> /usr/lkm
> /usr/libdata and /usr/libexec
> I am sure there are a bunch of binaries in /bin /sbin /usr/bin /usr/sbin that could be safely deleted, but I am not sure as to the extent of what can and can't be removed here and still have a functional firewall.
> Anyway, I just wanted to see if you had a webpage and maybe this info there.
> thanks,
> Bartholomew simpson

You'll break things if you just delete /usr/lib willy-nilly.

Firewall means so many different things to so many people.

It's hard to buy drives small enough today that spending time
figuring out which files to delete is going to help.

But if you want to go about this more scientifically, you might
try this:
	install and setup systems that do what you want.
	Leave them running for a week.  Reboot a couple times too.
	Now use "find / -atime -6 -print" to identify files that
	were accessed recently.  Save those.  Make sure you include
	/boot - the bootblock code doesn't update atime.

	Now use "find / -ctime +5" to identify
	files not accessed recently.  Remove /boot.  Study the
	rest to decide which you don't need.  Beware; there are
	programs like fsck that you do need even if they aren't
	accessed every boot.  But as you have no doubt divined,
	you probably don't need /usr/lib/lib*.a /usr/obj /usr/include
	on a machine on which you don't intend to compile.

If you really want to (say) fit this on a floppy there is another
formula: look at the install floppy images to see how they're
constructed.  Decide which pieces you don't need because you aren't
installing code, and which pieces you want because you want a "firewall".
Assuming you are just thinking of network stuff this might not be too
much.  Grab the boot floppy build environment from /usr/src/distrib and
go at it to remove what you don't want and add what you do want.  Also
you'll want to build a non-generic kernel - you can remove all the
devices you don't have or don't need which means more floppy to store
other things.  You almost certainly don't need sound support,
for instance (unless you want to harvest ambient white noise from
a microphone for random number logic.)

				-Marcus Watts
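The atime survey the reply describes, written out as a script. This is an added example, not code from either message in the thread: it lists files under a root that were accessed within N days and, separately, files whose last access is older than N days, then filters the second list through an allowlist so that tools the reply singles out as essential-but-rarely-run (fsck, the boot blocks) are never proposed for removal. The allowlist, the `demo_tree` helper and the miniature directory tree it builds are constructed here for the demonstration; the script assumes POSIX find(1) and touch(1) and a filesystem that records atime (on a noatime mount every file would look unused).

```shell
#!/bin/sh
# Added example, not part of the thread: survey a tree by last-access time
# (the find -atime approach from the reply) and propose deletion candidates,
# minus an explicit allowlist of files that must stay even if never read.
# Assumes POSIX find(1)/touch(1) and a filesystem that records atime.

# Paths (relative to the surveyed root) that are never proposed for removal.
# Constructed allowlist for the demo; extend it for a real host.
KEEP_PATHS='sbin/fsck
boot'

# strip_root ROOT: read absolute paths on stdin, print them relative to ROOT.
strip_root() {
    while IFS= read -r f; do
        printf '%s\n' "${f#"$1"/}"
    done
}

# recently_used ROOT DAYS: files accessed within the last DAYS days
# (the reply's "find / -atime -6" step); these are the ones to keep.
recently_used() {
    find "$1" -type f -atime -"$2" -print | sort | strip_root "$1"
}

# candidates_for_removal ROOT DAYS: files whose atime is older than DAYS
# days and that are not on the allowlist. Review this list by hand;
# nothing here deletes anything.
candidates_for_removal() {
    find "$1" -type f -atime +"$2" -print | sort | strip_root "$1" |
    while IFS= read -r rel; do
        if ! printf '%s\n' "$KEEP_PATHS" | grep -qxF -- "$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# demo_tree: build a constructed miniature root in a temp dir and print
# its path (stand-in for a real / after a week of running).
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sbin" "$d/usr/lib" "$d/usr/include"
    for f in sbin/pfctl sbin/fsck usr/lib/libc.a usr/include/stdio.h; do
        : > "$d/$f"
    done
    # Backdate the atime of the files that were never read since install;
    # pfctl keeps its fresh atime, as a firewall's in-use binary would.
    touch -a -t 200001010000 "$d/sbin/fsck" "$d/usr/lib/libc.a" \
        "$d/usr/include/stdio.h"
    printf '%s\n' "$d"
}

# Stand-alone run against the demo tree.
root=$(demo_tree)
echo "recently used (keep):"
recently_used "$root" 6
echo "not accessed in 5 days and not allowlisted (review):"
candidates_for_removal "$root" 5
rm -rf "$root"
```

On the demo tree the first list holds only `sbin/pfctl`; the second holds `usr/include/stdio.h` and `usr/lib/libc.a`, while `sbin/fsck` is held back by the allowlist even though its atime is just as old. Run against a real root, remember the reply's caveat that the boot blocks never update atime, so `boot` belongs on the allowlist regardless of what the survey says.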