Can anyone suggest some reasonable-but-cheap hardware solution for an openbsd firewall "appliance"? I've been using old PCs for years but they are not really cheap when you consider the power consumption.
Soekris hardware is often suggested, but they are not so cheap.
If you want something router-like, PC Engines apu1d and apu1d4 at $124 and $145 USD are good options, as is the older (but slower, i386-only) alix2d3 at $103.
There are also plenty of micro ATX or all-in-one fanless PCs with dual-NICs in a similar price range. Or dual-NIC Intel NUCs, as well (not fanless).
This seems like something that would be great for putting together a secure router. It seems that most router manufacturers that use an open source OS use Linux. I have yet to see an OpenBSD based commercial offering.
This has been the modus operandi of many unix sysadmins for custom router/firewall setups. I did my first setup like this in 1999(?) for a museum office's router/firewall based on FreeBSD:
* standard install, strip down kernel to bare minimum, configure everything
* mount everything read only (/var memory backed)
* set kern.securelevel to 3 (to disallow raw writes to disks, modifications to the firewall or un-/loading of kernel modules)
* ignore the on-site admin when he begs for ssh access (because you of course disabled sshd)
The system was first rebooted in, IIRC, 2004 when I had to change the ppp-config after they changed providers.
Overall costs: about $100 for old hardware and about 1h of my time.
Probably many others, but if you mean store bought consumer devices no idea but would be trivial to abstract away the OBSD complexity and offer secure remote updates if a company wanted. Why they don't, maybe it's cheaper or easier to find GNU/Linux engineers.
I feel like OpenBSD-based Firewall price is ridiculous compared with FreeBSD-based (i.e. pfSense). Honestly, what make OpenBSD-based fw more expensive like that? Or am I missing something?
TL;DR: Resflash has some really useful features for real-world embedded use-cases.
Having done embedded development (industrial packet radios), having an embedded firmward loader and fail-safe ROM are definitely major pluses for less brickable products. The having two versions is a similar approach.
Also handy is a dev board w/ actual hardware watchdog and some industrial NVRAM.
> Resflash exclusively uses read-only and memory-backed filesystems, and because the partitions are only written to during system upgrades (or as otherwise configured), filesystems are not subject to corruption or fsck due to power loss
How do I proceed about configuring Linux this way?
Soekris hardware is often suggested, but they are not so cheap.