[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Sizing swap space on an OpenBSD firewall

Posted on 2008-06-18
3
Medium Priority
?
611 Views
Last Modified: 2013-12-09
I'm configuring an OpenBSD (version 4.3) as a dedicated firewall.  I have 1 gig in RAM and a 4 gig compact flash card.  I want to store 31 days worth of logs.  "Building Firewalls with OpenBSD and PF, 2nd ed" says that the swap space should be at least 2x the amount of RAM, which would mean 2 gigs for swap space.  Some other people say that it's being used as a dedicated firewall and it should never use the swap space, so we should allocate as little swap space as possible.

Which side is right (and why)?
0
Comment
Question by:sfjacobs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 2000 total points
ID: 21842507
You can build custom kernel without swap code at all. If you do not add "b" partition on your flash card it will happily work without swap and crash dump ability.

There are two recipes for swap:
If you have one disk it is twice the RAM
If they are many RAM-sized swap on each.
Flash card is unsuitable for swapping as it wears off after some 10000 rewrites.

PF writes logs in tcpdump format, and flash media is not the best for multiple rewrites.

Log sizes greatly depends on what you log. In very worst case assumption (full bandwidth traffic dump) that is more bandwidth than your CF can handle.
PF does not write syslog, so it will be a bit of challenge to get logs to external dedicated magnetic-disk system.

I'd suggest looking into pfflowd or adding an extra disk just for logs.

There is NetBSD with ipf that logs to syslog and can be exported.
Linux has better flash filesystems.
FreeBSD's m0n0wall reincarnation is worth looking at too..
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction Regular patching is part of a system administrator's tasks. However, many patches require that the system be in single-user mode before they can be installed. A cluster patch in particular can take quite a while to apply if the machine…
Why Shell Scripting? Shell scripting is a powerful method of accessing UNIX systems and it is very flexible. Shell scripts are required when we want to execute a sequence of commands in Unix flavored operating systems. “Shell” is the command line i…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question