Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Sizing swap space on an OpenBSD firewall

Posted on 2008-06-18
3
597 Views
Last Modified: 2013-12-09
I'm configuring an OpenBSD (version 4.3) as a dedicated firewall.  I have 1 gig in RAM and a 4 gig compact flash card.  I want to store 31 days worth of logs.  "Building Firewalls with OpenBSD and PF, 2nd ed" says that the swap space should be at least 2x the amount of RAM, which would mean 2 gigs for swap space.  Some other people say that it's being used as a dedicated firewall and it should never use the swap space, so we should allocate as little swap space as possible.

Which side is right (and why)?
0
Comment
Question by:sfjacobs
3 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 21842507
You can build custom kernel without swap code at all. If you do not add "b" partition on your flash card it will happily work without swap and crash dump ability.

There are two recipes for swap:
If you have one disk it is twice the RAM
If they are many RAM-sized swap on each.
Flash card is unsuitable for swapping as it wears off after some 10000 rewrites.

PF writes logs in tcpdump format, and flash media is not the best for multiple rewrites.

Log sizes greatly depends on what you log. In very worst case assumption (full bandwidth traffic dump) that is more bandwidth than your CF can handle.
PF does not write syslog, so it will be a bit of challenge to get logs to external dedicated magnetic-disk system.

I'd suggest looking into pfflowd or adding an extra disk just for logs.

There is NetBSD with ipf that logs to syslog and can be exported.
Linux has better flash filesystems.
FreeBSD's m0n0wall reincarnation is worth looking at too..
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Let's say you need to move the data of a file system from one partition to another. This generally involves dismounting the file system, backing it up to tapes, and restoring it to a new partition. You may also copy the file system from one place to…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question