From: Mike Meyer
Date: Fri, 24 Nov 2000 00:04:36 -0600 (CST)
To: Tim McMillen
Cc: questions@freebsd.org
Subject: Re: partitions and a new install
Message-ID: <14878.1268.383566.580911@guru.mired.org>

Tim McMillen types:
> On Wed, 22 Nov 2000, Nathan Vidican wrote:
> > Peter Brezny wrote:
> > > For a production firewall machine, is it important to create separate
> > > partitions (slices) for different labels.
> > > For example, is it a good idea to put
> > > /
> > > /var
> > > /usr
> > > /home
> > > on separate partitions to help keep the possibility of file system
> > > corruption from taking out more than one of these areas at a time?
> Yes, I really think so. That way if one of them gets hosed you're
> still able to get somewhere.

I don't agree - at least not if we're talking about modern BSD
systems. Other systems I wouldn't trust, because either my experience
indicates their file system code isn't sufficiently crash-resistant,
or because I don't have experience indicating otherwise.

> > Personally, on a firewall machine I try to put them all on one
> > partition, < 100Megs total, and mount it read-only; if at all possible,
> then where do you send your logs?

You need two partitions - / and /var. The logs and queues are on /var.
Home directories for the admin are there as well (/home is a symlink to
/var/home), but they should have almost nothing on them.

I regularly configure network servers that way, but I haven't worked
all the kinks out of the r/o part of the setup. Does anyone have a
How-To for doing r/o root file systems? If you don't, I'd appreciate a
description of the process. In return, I'll turn it into a FAQ entry
for FreeBSD.

> > make the bios write-protect it as well. Makes for easy/quick backup, and
> > by write-protecting it assures better security.
> Yes good point. RO is good. The easy quick backup for multiple
> partitions could still be accomplished with a shell script. But how many
> backups do you need to take for a firewall? It shouldn't change much, so
> once you get a few backups, you're fine.

CD blanks are cheap enough - and the data for a server is small
enough - that you can probably put it all on a new CD on a regular
basis. Making it bootable might be an interesting exercise as well.

> Didn't I see something about an append only filesystem for logs?
> Where even root cannot delete from it? Is that possible on FreeBSD?

That would be a nice idea as well. You might check the other BSD web
sites, and possibly Linux.
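
Added example, not part of Mike Meyer's message or the thread: a small sh check that an fstab matches the two-partition layout described above (/ mounted read-only, /var a separate writable filesystem for logs and queues). The device names in the sample are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# has_opt OPTS NAME: true if NAME is one of the comma-separated mount options
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# audit_fstab FILE: print one finding per line; exit status = number of problems
audit_fstab() {
    problems=0 root_opts="" var_opts=""
    # fstab fields: device, mount point, fs type, options, dump, pass
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$mnt" in
            /)    root_opts=$opts ;;
            /var) var_opts=$opts ;;
        esac
    done < "$1"

    if [ -z "$root_opts" ]; then
        echo "FAIL: no entry for /"; problems=$((problems + 1))
    elif has_opt "$root_opts" ro; then
        echo "OK:   / is mounted read-only"
    else
        echo "FAIL: / is writable ($root_opts)"; problems=$((problems + 1))
    fi

    if [ -z "$var_opts" ]; then
        echo "FAIL: /var is not a separate filesystem, so logs and queues land on /"
        problems=$((problems + 1))
    elif has_opt "$var_opts" ro; then
        echo "FAIL: /var is read-only, nowhere to write logs"; problems=$((problems + 1))
    else
        echo "OK:   /var is separate and writable ($var_opts)"
    fi
    return "$problems"
}

# Constructed sample: device names are placeholders, not from the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Device      Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1b   none        swap    sw       0     0
/dev/ad0s1a   /           ufs     ro       1     1
/dev/ad0s1e   /var        ufs     rw       2     2
EOF
audit_fstab "$sample"
rm -f "$sample"
```

The check reads the fstab only; it does not inspect what is actually mounted on a running system.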