On 2014-02-19, Marko Cupać <marko.cu...@mimar.rs> wrote:
> Hi,
>
> I need to deploy a number of openbsd firewalls based on alix2d13
> hardware. The goal is to separate industrial network from LAN, in order
> to protect unpatched systems on industrial network from potential
> malware on LAN, while providing some level of access (mostly
> low-traffic VNC from LAN to industrial and sql in the opposite
> direction).
>
> The problem is that we have a very unstable power grid, resulting in
> unclean shutdowns of devices. I cannot UPS them all.

Remember you don't need a traditional UPS with an inverter for such a
system, just a simple battery-backup unit. Have you considered something
like these?
http://www.mini-box.com/picoUPS-100-12V-DC-micro-UPS-system-battery-backup-system
http://www.mini-box.com/picoUPS-120-12V-DC-micro-UPS-battery-backup

> How can I configure firewalls so they are resistant to those power
> failures (i.e. do not need fsck)? How should I partition? Which partitions
> should be mounted read-only? Which should be mounted as memory disks? Which
> size should I allocate for memory disks (RAM is a constraint here as I
> have only 256Mb)? Any other advice?
>
> Thank you in advance,

For this type of system, I do one of two things:

1. Run a flashboot- or flashrd-based system running everything from ramdisk.
Note that these are not "straight" OpenBSD; if you have problems with them
which look like they may be OS-related, you will be expected to re-test
under a standard OpenBSD system to make sure the problem isn't specific to
the non-standard installation.

2. Mount filesystems read-only. As well as needing ro flags in fstab,
you'll also need to be aware of the "mount -uw" line in /etc/rc, and
will need to provide memory-based filesystems for /dev and (at least
parts of) /var. I use -P to populate from a "template" directory:

swap /dev mfs rw,nosuid,-s=4096,-i=1024,-P=/dev_src 0 0
swap /var mfs rw,async,nodev,nosuid,-s=32000,-P=/var_src 0 0

I typically use memory buffers for syslog on these systems and disable
file logging; see syslogc(8), syslogd(8) -s option, syslog.conf(5).
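
An added example, not part of the original thread: a small POSIX shell check that reads an fstab on stdin and reports entries that depart from the read-only layout described in the reply above. The `audit_fstab` function, its finding names and both sample fstabs (including the `wd0` device names) are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an fstab(5), read on stdin, against the read-only
# layout from the reply. Finding names are made up for this example.
audit_fstab() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        mp = $2; type = $3; ro = 0; populate = 0
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] == "ro") ro = 1
            if (opt[i] ~ /^-P=/) populate = 1
        }
        # An on-disk filesystem left read-write is what needs fsck after a power cut.
        if (type == "ffs" && !ro) print "rw-on-disk " mp
        if (type == "mfs") {
            mfs[mp] = 1
            # Without -P the memory filesystem starts empty at every boot.
            if (!populate) print "mfs-without-template " mp
        }
    }
    END {
        # The reply puts /dev and /var on memory filesystems.
        if (!("/dev" in mfs)) print "no-mfs /dev"
        if (!("/var" in mfs)) print "no-mfs /var"
    }'
}

# Constructed sample: the layout from the reply plus a read-only root.
sample_good() {
    cat <<'EOF'
/dev/wd0a / ffs ro 1 1
swap /dev mfs rw,nosuid,-s=4096,-i=1024,-P=/dev_src 0 0
swap /var mfs rw,async,nodev,nosuid,-s=32000,-P=/var_src 0 0
EOF
}

# Constructed sample: a default-style layout with an unpopulated /dev mfs.
sample_bad() {
    cat <<'EOF'
/dev/wd0a / ffs rw 1 1
/dev/wd0d /var ffs rw,nodev,nosuid 1 2
swap /dev mfs rw,nosuid,-s=4096,-i=1024 0 0
EOF
}

sample_bad | audit_fstab
```

On a real system it would be run as `audit_fstab < /etc/fstab`; no output means the fstab matches the layout.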
