Re: recommended partitioning for a obsd firewall

[Chuck Yerkes <chuck+obsd_(_at_)_2004_(_dot_)_snew_(_dot_)_com>]

> On Monday 28 June 2004 12:40, Robert Potts wrote:
> > Can anyone share their opinions on how best to partition a dedicated
> > OpenBSD firewall.  The hardware is a HP Kayak with a 60 gig hard drive
> > and 512 megs of memory and 2 nic cards with pf running.  *All* it will
> > do is be a firewall for a simple private network with 2 windows
> > workstations. I would like to know how to most effectively partition the
> > hard drive.  Any links to a better mailing list for this question (if
> > there is one) or URL's to tutorials addressing partitioning with this
> > purpose in mind are greatly appreciated. Responses directly to my

Keep in mind that this can easily be done with a 500MB drive and
that for a small connection (< 10MB/s, not an OC-48), a 586/200
would be bored most of the time.

Quoting Chad Whitten (cwhitten_(_at_)_nexband_(_dot_)_com):
> i usually just create three partitions on machines like this

> one for /
I have 100MB and it uses ~35MB.

> one for /usr
readonly and mine is ~ 1GB (which gives me room for /usr/local
   tools to go in.  It's using about 400MB on the big machine, 100mb
   on a general purpose soekris (more than firewall) booting from
   a CF and 20MB on a stripped gateway.

If you're compulsive, you could just boot into a ramdisk setup
and never ever touch the disk.  I have doubts about a firewall
needing swap with 1/2 GB of RAM if you're not running stuff on it.

My $200 soekris 4521 runs a little web server, DNS, DHCP and does
home control stuff off a 256MB CF and no swap or writable partitions.
It draws around 8-10 watts and is totally silent.

So keep that in mind as reference.  It firewalls perhaps dozen
machines (generally maybe 4-5 live at tops, with guests and talks
to neighborhood wireless and a cable modem (5mb/s and 3mb/s)).

If you only have 2 windows workstations, then you won't have a
productionable firewall, though - there's no support mechanism,
no test/dev box. You'll want some box where you can build a patch
or test a config out.  That *could* be your "firewall" if you can
accept that it's a development machine that's just behaving as
a firewall most of the time.

> one for swap
512MB would be plenty.

I'll throw in /var and /tmp out of an MFS.  You syslog off the
machine, but having them local can be handy.

If you're clever and make /dev an MFS and populate it just after
singe user mode, you can make / a readonly partition too.  (read
write can happen dynamically, but it keeps daemons from writing to
place you don't want things written and forces admins to think before
writing something.