19th September 2009
jggimi

Partitioning is for file systems, Tim. A "firewall" doesn't use its filesystem(s) except for configuration and logging, and logging may not need a filesystem at all; syslog may be configured so that output is sent over a network instead of written to /var/log. Of course, the definition of a "firewall" may vary.

---------------------

Why are multiple partitions of a single drive used? Here are some, but not all, very good reasons:
  1. Access controls, for multi-user security (e.g. nodev, nosuid)
  2. External filesystems for data sharing on multibooting systems
  3. Swap space
  4. Permit (perhaps) some operations to continue in the event of a filesystem-full problem caused by abnormal behavior of an application

Because of the way OpenBSD's install scripts work, most newbies over-think partition sizing. But they don't necessarily consider the reasons for partitioning in the first place.

And after they've made initial partition decisions, they often discover they've either made a mistake, due to lack of experience or understanding, or perhaps they made incorrect assumptions. Or, they change their minds about application mix, or other usage requirements they had.

But the result is that many find themselves with partitions that are too large, wasting storage, or too small, and require reconfiguration.

Because of this, I recommend that, when a new system is first configured, a single large partition be used for the OS and its subsystems, and a second partition for swap space. When the new system is finally ready to be placed into production, the admin will have a very good idea what partition sizings to use.

So, as you create your "firewall" -- whatever that means to you -- I recommend you start with a large wd0a/sd0a, and start with a wd0b/sd0b for swap that is twice the size of your firewall's RAM.

Once configuration is complete, you will be able to determine how best to lay out your filesystems.

---------------------------

For 4.6, the install script has an automatic mode for filesystem creation. It will set up a suite of typical filesystems with filesystem sizes based on the size of the OpenBSD MBR partition. Most newbies will use that, I suppose, though they will likely end up eventually needing to reconfigure filesystem structures anyway.
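An added example, not part of jggimi's post: it illustrates reason 1 in the list (nodev, nosuid as per-filesystem access controls) by working out which of those options are actually in force for a path under a single-partition layout and under a split layout. Both fstab samples, the choice of /tmp, /var and /home as restricted filesystems, and the path /home/tim are constructed assumptions; the root filesystem is left unrestricted because it holds /dev.

```python
# Added example: which nodev/nosuid restrictions cover a path in each layout.
import posixpath

# Constructed fstab samples (device names follow the post's sd0a/sd0b usage).
SINGLE = """\
/dev/sd0a / ffs rw 1 1
/dev/sd0b none swap sw 0 0
"""
SPLIT = """\
/dev/sd0a / ffs rw 1 1
/dev/sd0b none swap sw 0 0
/dev/sd0d /tmp ffs rw,nodev,nosuid 1 2
/dev/sd0e /var ffs rw,nodev,nosuid 1 2
/dev/sd0f /home ffs rw,nodev,nosuid 1 2
"""

def parse_fstab(text):
    """Return {mount_point: set(options)}; comments and swap are skipped."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or fields[2] == "swap" or not fields[1].startswith("/"):
            continue
        mounts[posixpath.normpath(fields[1])] = set(fields[3].split(","))
    return mounts

def owning_mount(path, mounts):
    """Longest mount point that contains path, i.e. the filesystem holding it."""
    path = posixpath.normpath(path)
    best = "/"
    for mp in mounts:
        # Match whole path components so /variable is not taken for /var.
        if (path == mp or path.startswith(mp + "/")) and len(mp) > len(best):
            best = mp
    return best

def missing_restrictions(path, mounts, wanted=("nodev", "nosuid")):
    """Options from `wanted` that are NOT in force for path, sorted."""
    opts = mounts.get(owning_mount(path, mounts), set())
    return sorted(set(wanted) - opts)

def report(text, paths=("/tmp", "/var/log", "/home/tim")):
    """Map each (hypothetical) path to the restrictions it lacks."""
    mounts = parse_fstab(text)
    return {p: missing_restrictions(p, mounts) for p in paths}

if __name__ == "__main__":
    for name, text in (("single", SINGLE), ("split", SPLIT)):
        print(name, report(text))
```

With the single large partition every path inherits the options of /, so neither restriction applies anywhere; with the split layout the same paths are covered by the options of their own filesystem.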