Re: recommended partitioning for a obsd firewall
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: recommended partitioning for a obsd firewall
- From: Chuck Yerkes <chuck+obsd_(_at_)_2004_(_dot_)_snew_(_dot_)_com>
- Date: Mon, 28 Jun 2004 14:35:02 -0400
> On Monday 28 June 2004 12:40, Robert Potts wrote:
> > Can anyone share their opinions on how best to partition a dedicated
> > OpenBSD firewall. The hardware is an HP Kayak with a 60 gig hard drive
> > and 512 megs of memory and 2 nic cards with pf running. *All* it will
> > do is be a firewall for a simple private network with 2 windows
> > workstations. I would like to know how to most effectively partition the
> > hard drive. Any links to a better mailing list for this question (if
> > there is one) or URLs to tutorials addressing partitioning with this
> > purpose in mind are greatly appreciated. Responses directly to my
Keep in mind that this can easily be done with a 500MB drive and
that for a small connection (< 10MB/s, not an OC-48), a 586/200
would be bored most of the time.
Quoting Chad Whitten (cwhitten_(_at_)_nexband_(_dot_)_com):
> i usually just create three partitions on machines like this
> one for /
I have 100MB and it uses ~35MB.
> one for /usr
readonly, and mine is ~1GB (which gives me room for /usr/local
tools to go in). It's using about 400MB on the big machine, 100MB
on a general purpose soekris (more than firewall) booting from
a CF and 20MB on a stripped gateway.
If you're compulsive, you could just boot into a ramdisk setup
and never ever touch the disk. I have doubts about a firewall
needing swap with 1/2 GB of RAM if you're not running stuff on it.
My $200 soekris 4521 runs a little web server, DNS, DHCP and does
home control stuff off a 256MB CF and no swap or writable partitions.
It draws around 8-10 watts and is totally silent.
So keep that in mind as reference. It firewalls perhaps a dozen
machines (generally maybe 4-5 live at tops, with guests and talks
to neighborhood wireless and a cable modem (5mb/s and 3mb/s)).
If you only have 2 windows workstations, then you won't have a
productionable firewall, though - there's no support mechanism,
no test/dev box. You'll want some box where you can build a patch
or test a config out. That *could* be your "firewall" if you can
accept that it's a development machine that's just behaving as
a firewall most of the time.
> one for swap
512MB would be plenty.
I'll throw in /var and /tmp out of an MFS. You syslog off the
machine, but having them local can be handy.
If you're clever and make /dev an MFS and populate it just after
single user mode, you can make / a readonly partition too. (read
write can happen dynamically, but it keeps daemons from writing to
places you don't want things written and forces admins to think before
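A concrete layout of the scheme sketched in this thread (small read-only / and /usr, a swap partition, /var and /tmp served out of MFS), as an added /etc/fstab example that is not from the original post. The disk name, partition letters, sizes and the /var.skel path are assumptions; the -P populate option is assumed to be available in the system's mount_mfs.

```text
# Constructed /etc/fstab for a dedicated pf firewall on one IDE disk (wd0).
# Partition letters, sizes and the /var.skel path are assumptions; adjust
# them to your own disklabel.
/dev/wd0a  /     ffs   ro,nodev   1 1   # ~100MB root, mounted read-only
/dev/wd0d  /usr  ffs   ro,nodev   1 2   # ~1GB, read-only; room for /usr/local
/dev/wd0b  none  swap  sw         0 0   # 512MB swap, rarely touched with 512MB RAM
# /tmp and /var live in memory-backed MFS and are wiped on every reboot.
# -s is in 512-byte sectors: 131072 = 64MB, 262144 = 128MB.
swap  /tmp  mfs  rw,nodev,nosuid,-s=131072                0 0
# /var is populated at mount time from a skeleton (a directory or tar archive)
# kept on the read-only root, so syslogd, cron, dhcpd etc. find their dirs.
# (-P is assumed to be supported by this mount_mfs.)
swap  /var  mfs  rw,nodev,nosuid,-s=262144,-P=/var.skel   0 0
```

Syslog still goes off-box as the post suggests; the MFS /var only gives local daemons somewhere to write. Making /dev an MFS as well needs the separate populate-after-single-user step the post mentions, which this fstab does not cover.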