Thanks for the replies and ideas.

I was introduced to OpenBSD after an acquaintance had their home router 
compromised in 2016, and I started looking into network 
hardening/security. In my research, trying to find the best firewall that 
didn't require purchasing commercial hardware/licensing, I found PF and 
OpenBSD, so I started learning.

My reasoning behind NOT installing the X, Comp and Game sets has little 
to do with saving space, although I am using an 8GB SSD. I learned in my 
research that one of the most fundamental ways to improve network/system 
security is to minimize the attack surface by not installing unneeded 
software. If it isn't installed, any potential vulnerabilities, known or 
not, are irrelevant.

My router is headless. I have never run into an issue where I have 
needed anything from the X sets, I don't compile anything from source, 
so I don't need that, and I certainly don't play games on it, so I don't 
need that either. Therefore it seems like sound logic to not have those 
bits and bytes present on the system, so any 
mis-configurations/bugs/vulnerabilities cannot impact my network security.

I am running a couple of OpenVPN servers which some friends and family 
rely on, using DNSCrypt-Proxy, experimenting with WireGuard, playing 
around with certificates and authentication, and, since I use a variety 
of automation/embedded devices which have dubious or no security of 
their own, I rely on my firewall to prevent them from "phoning home" if 
they come or become compromised. I've slowly built my pf.conf, tables 
and anchors to a point I'm pretty happy with. I have also experimented 
with running OpenBSD with a read-only filesystem as just another layer 
of defense and annoyance for any potential invader, although I'm not 
currently doing so. I'm sure, with my limited although always expanding 
knowledge, that there are still many ways my network could be compromised, 
but I'm doing my best to at least plug the easily filled holes, and 
adding any unused stuff feels like a step backwards.

My router is not unbootable, but I am not sure how secure it is anymore, 
because on boot I get several failures related to being "Out of space", 
and the kernel relink also fails, which I understand is a significant 
part of what makes OpenBSD more secure.

All of my partitions have at least 75% free space, except /usr which 
after the sysupgrade is listed by df as being filled to 104% capacity. 
I'm not even sure how that's possible.

This is just a personal system and if I screw it up no one is harmed 
except me and my users, and anyone else who might be attacked by my 
compromised system I guess, but it took me a long time to get it set up 
this way and I don't particularly look forward to having to rebuild it 
from scratch or how long it will be before I find the time to do so.

That being said, I realize there is plenty I do not know, and as a rule 
I experiment with making changes on a VM and observing the results until 
I feel like I have a solid grasp on what will occur before pushing 
anything to my live system, which sometimes takes months due to life, 
work and family. But reading the sysupgrade manpage, there is nothing 
which even hints that any software which was explicitly rejected during 
the original install will be installed anyway by this tool. In the 
interest of protecting others from the same mistake, I hope that a simple 
sentence explaining that it also installs any previously rejected sets 
could be added there.


It looks like my best chance to be certain I have the router in the 
state I think I do will be to do a fresh install and then use sysupgrade 
using a variation of the script Leo mentioned in his email on 7/9/19:

#!/bin/sh
# Fetch and verify the next release's sets, but do not reboot yet (-n).
sysupgrade -n || exit 1
# Drop the never-installed sets from the staging directory before the
# installer runs on reboot, so the upgrade cannot add them back.
rm -f /home/_sysupgrade/x*
rm -f /home/_sysupgrade/game*
reboot


Thanks again,
Judah

> Marcus MERIGHI writes:
>> please do *not* copy/paste/run this command!
>> something along these lines for the sets you did not want:
>>
>> $ ftp -MVo- $(</etc/installurl)/snapshots/amd64/xserv66.tgz | tar \
>>      tzf - | xargs rm
>>
>> you are aware that it is recommended to run with all sets?
> Despite previous posts requesting assistance with not doing so, I second
> this recommendation to anyone not able to construct that ftp/tar/rm
> command from first principles (and with a clear need to do so).
>
> Patronisation aside, your computer's storage is a lot cheaper than the
> mental effort required to deal with a system that's non-standard but
> only by having a few bits wasted by their _complete lack of use_.
>
>      Filesystem    Used    Mounted on
>
> The system proper is tiny:
>
>      /dev/sd0a     148M    /
>      /dev/sd0e     860M    /usr
>      /dev/sd0h     203M    /usr/X11R6
>      /dev/sd0g    70.9M    /var
>
> The user/development environment is little bigger:
>
>      /dev/sd0i     4.7G    /usr/local
>      /dev/sd0m     1.1G    /usr/obj
>      /dev/sd0l     685M    /usr/ports
>      /dev/sd0j     1.0G    /usr/src
>      /dev/sd0k     688M    /usr/xenocara
>      /dev/sd0n     2.0K    /usr/xobj
>
> Putting part-built binaries and /usr/local aside, that's only
> 1.2GB. 4.7GB is large for /usr/local but that's because this is my
> "throw everything at it" system. Even with this fully-packed system and
> the full source code the total is just a shade over 8GB. Despite space
> earmarked for growth it's difficult to stretch the base system to 16GB.
>
> I don't know about anyone else but I can't even find storage media that
> small any more. I'm all for minimising waste but effort where it's due.
>
> But see also https://twitter.com/rob_pike/status/966896123548872705
>
> Matthew
>
> ps. FWIW where my systems were concerned I was looking at minimising
> waste through repetition of many VMs but there are other, in ways
> better, methods of doing that. Any which involve me thinking about it
> have a priori failed.
>
> pps. Reinstalling is not actually that big a deal. Partition, install
> boot sector, extract sets, install packages and finally site-specific
> files to /etc, /home, /var and possibly /srv or something. The installer
> can be easily configured to do all of this without human interaction
> prior to the first live boot.
>

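An added example that is not part of this thread, and not the script Leo or Marcus posted: it covers the two steps discussed above, pruning unwanted set tarballs from the sysupgrade staging directory before the reboot that runs the installer, and, for a set that has already been installed, removing its files from a root using the set tarball's own listing (the tar/xargs approach Marcus sketched, but removing files first and directories afterwards only when empty, so directories shared with other sets survive and names with whitespace do not break it). The staging directory /home/_sysupgrade and the root / are the assumed defaults; both are parameters so the functions can be exercised on a scratch tree, and the set names used in the check are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): manage OpenBSD sets on a headless
# router. prune_sets drops unwanted set tarballs from the sysupgrade(8)
# staging directory before the reboot that runs the installer;
# remove_installed_set strips an already-installed set from a root using
# the tarball's own file list, the approach Marcus sketched with tar/xargs.
# Assumed defaults: staging dir /home/_sysupgrade and root /. Both are
# parameters so everything below can be run against a scratch tree.

# prune_sets STAGEDIR PREFIX...: delete staged set tarballs whose name
# begins with one of the prefixes (e.g. "x game comp"), leaving the rest.
prune_sets() {
    stage=$1; shift
    for p in "$@"; do
        for f in "$stage/$p"*.tgz; do
            if [ -e "$f" ]; then rm -f "$f"; fi
        done
    done
}

# staged_sets STAGEDIR: print the set tarballs still staged, one per line.
staged_sets() {
    for f in "$1"/*.tgz; do
        if [ -e "$f" ]; then basename "$f"; fi
    done
}

# remove_installed_set ROOT TARBALL: delete every member of the set tarball
# from under ROOT. Regular files and symlinks go first; directories go
# afterwards, deepest first and only if empty, so a directory shared with
# another set (e.g. /usr/bin) is left alone. A plain "tar tzf | xargs rm"
# would try to rm directories and break on names containing whitespace.
remove_installed_set() {
    root=$1; tgz=$2
    list=$(tar tzf "$tgz") || return 1
    # Pass 1: everything that is not a directory (no trailing slash).
    printf '%s\n' "$list" | while IFS= read -r m; do
        m=${m#./}
        case "$m" in
            ""|*/) ;;                       # skip "./" and directories
            *) rm -f "$root/$m" ;;          # removes a symlink itself
        esac
    done
    # Pass 2: directories, longest path first so children precede parents.
    printf '%s\n' "$list" | grep '/$' | awk '{ print length($0), $0 }' |
        sort -rn | cut -d' ' -f2- | while IFS= read -r m; do
        m=${m#./}
        if [ -n "$m" ] && [ -d "$root/$m" ]; then
            rmdir "$root/$m" 2>/dev/null || true   # non-empty: shared, keep
        fi
    done
}

# Live use after "sysupgrade -n" (commented out so the example is safe
# to run as-is):
# prune_sets /home/_sysupgrade x game comp
# staged_sets /home/_sysupgrade        # confirm only wanted sets remain
# reboot
```

Running staged_sets before the reboot is the check worth keeping: it shows exactly which tarballs the installer will find, which is the list the manpage does not spell out.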