
OpenBSD Security Functionally paranoid!

Old 19th September 2009
Timmy66
Port Guard
Join Date: Sep 2008
Posts: 12
partitioning scheme for a firewall?

Hi all,

I'm currently planning on building a new firewall and started to think about the partitioning. What would be the ultimate partitioning scheme for a firewall?
Old 19th September 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,063

Partitioning is for file systems, Tim. A "firewall" doesn't use its filesystem(s) except for configuration and logging, and logging may not need a filesystem at all; syslog may be configured so that output is sent over a network instead of written to /var/log. Of course, the definition of a "firewall" may vary.


Why are multiple partitions of a single drive used? Here are some, but not all, very good reasons:
  1. Access controls, for multi-user security (e.g. nodev, nosuid)
  2. External filesystems for data sharing on multibooting systems
  3. Swap space
  4. Permit (perhaps) some operations to continue in the event of a filesystem-full problem caused by abnormal behavior of an application

Because of the way OpenBSD's install scripts work, most newbies over-think partition sizing. But they don't necessarily consider the reasons for partitioning in the first place.

And after they've made initial partition decisions, they often discover they've either made a mistake, due to lack of experience or understanding, or perhaps they made incorrect assumptions. Or, they change their minds about application mix, or other usage requirements they had.

But the result is that many find themselves with partitions that are too large, wasting storage, or too small, and require reconfiguration.

Because of this, I recommend that, when a new system is first configured, a single large partition be used for the OS and its subsystems, and a second partition for swap space. When the new system is finally ready to be placed into production, the admin will have a very good idea what partition sizings to use.

So, as you create your "firewall" -- whatever that means to you -- I recommend you start with a large wd0a/sd0a, and start with a wd0b/sd0b for swap that is twice the size of your firewall's RAM.

Once configuration is complete, you will be able to determine how best to lay out your filesystems.


For 4.6, the install script has an automatic mode for filesystem creation. It will set up a suite of typical filesystems with filesystem sizes based on the size of the OpenBSD MBR partition. Most newbies will use that, I suppose, though they will likely end up eventually needing to reconfigure filesystem structures anyway.
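One way to carry out the sizing step described in the reply above, once the single-partition system is configured (an added example, not part of the original thread). The function name `suggest_sizes`, the 100% headroom figure, the directory list and the sample figures are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): propose filesystem sizes from usage
# measured on a finished single-partition build.
#
# Input on stdin: `du -sk` style lines, "<KB> <path>".
# The "/" line must be the total for the whole tree; what would remain on
# the root filesystem is that total minus every tree being split off.
# $1 = headroom in percent (assumption: 100, i.e. twice the measured use).
# Output: "<mount point> <size in MB>", rounded up to a whole MB.
suggest_sizes() {
    awk -v h="${1:-100}" '
        function mb(kb) { return int((kb * (100 + h) / 100 + 1023) / 1024) }
        $2 == "/" { total = $1; have_root = 1; next }
        NF >= 2   { used[$2] = $1; split_off += $1; order[++n] = $2 }
        END {
            if (have_root) printf "%s %d\n", "/", mb(total - split_off)
            for (i = 1; i <= n; i++)
                printf "%s %d\n", order[i], mb(used[order[i]])
        }'
}

# Constructed sample figures (KB), not measurements from a real firewall.
SAMPLE_DU='921600 /
614400 /usr
204800 /var
10240 /tmp
1024 /home'

printf '%s\n' "$SAMPLE_DU" | suggest_sizes 100

# On the live system, measure each tree separately so no tree is skipped
# as already counted:
#   for d in / /usr /var /tmp /home; do du -skx "$d"; done | suggest_sizes 100
```

Measure /var only after logs have accumulated for a representative period, or after logging has been moved to a remote syslog host, since that decides how much of /var the firewall needs.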