As I learned from the Handbook, there are several alternatives (pf, ipfw and ipfilter). After a good round of investigation I decided to invest my time in OpenBSD's pf(4), for two reasons:
- It is what the well-known pfSense firewall runs, so someone has clearly invested a lot in it already. That doesn't say much by itself, but it might be a good indicator.
- Even though it's essentially a fork of OpenBSD's pf, learning it should give me knowledge that carries over, covering both systems.
Ideas for filesystems
As mentioned last time, the Raspberry uses a micro-SD card that I don't want to wear out. After some thinking, and given that I have got quite a number of (expendable) USB flash disks, my /etc/fstab looks like this:
root@simple:~ # more /etc/fstab | column -t
/dev/ufs/rootfs / ufs ro 1 1
/dev/msdosfs/MSDOSBOOT /boot/msdos msdosfs rw,noatime 0 0
tmpfs /tmp tmpfs rw,mode=1777,size=50m 0 0
/etc/pkg /var/db/pkg nullfs rw 0 0
/dev/ufs/rwdisk /mnt/ ufs rw 0 0
/mnt/home /home unionfs rw 0 0
/mnt/etc /etc unionfs rw 0 0
- / is mounted read-only.
- /var is mounted in RAM, but /var/db/pkg must survive reboots; the latter is actually a nullfs mount (basically a --rbind, in Linux terms) pointing to /etc/pkg.
- an external USB drive is labeled rwdisk, and gets mounted on /mnt/.
- by strategically mounting overlays (by means of unionfs), I allow myself to experiment with configuration. As a result, /home and /etc are given by the overlay of the read-only part on / and the read-write part on /mnt/. Writes go to the thumb drive.
Still, this setup has some rough edges. For example, the /etc/pf.conf file (firewall configuration) does not seem to be loaded properly at boot. It is most probably a matter of service startup order.
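Ordering matters for the fstab itself as well: entries are mounted in file order, and the nullfs and unionfs lines take a directory rather than a device as their source, so an early stacked mount binds whatever is at that path before a later mount lands on top. The following checker is an added example, not code from the post; it parses a constructed copy of the fstab above and flags a stacked mount whose source directory sits under a mount point that only appears later in the file (here the /etc/pkg nullfs line, which is bound before the unionfs overlay of /etc).

```python
"""Flag order-dependent stacked mounts (nullfs/unionfs) in an fstab."""

# Constructed copy of the post's fstab, embedded so the check runs offline.
SAMPLE_FSTAB = """\
/dev/ufs/rootfs / ufs ro 1 1
/dev/msdosfs/MSDOSBOOT /boot/msdos msdosfs rw,noatime 0 0
tmpfs /tmp tmpfs rw,mode=1777,size=50m 0 0
/etc/pkg /var/db/pkg nullfs rw 0 0
/dev/ufs/rwdisk /mnt/ ufs rw 0 0
/mnt/home /home unionfs rw 0 0
/mnt/etc /etc unionfs rw 0 0
"""

STACKED = {"nullfs", "unionfs"}  # filesystems whose "device" is a directory


def normalize(path):
    """Strip a trailing slash so '/mnt/' and '/mnt' compare equal."""
    return "/" if path == "/" else path.rstrip("/")


def is_under(path, mountpoint):
    """True if path is mountpoint itself or lies inside it."""
    return mountpoint == "/" or path == mountpoint or path.startswith(mountpoint + "/")


def parse_fstab(text):
    """Return (device, mountpoint, fstype) triples in file order; comments are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            entries.append((fields[0], normalize(fields[1]), fields[2]))
    return entries


def check_order(entries):
    """Warn when a stacked mount's source, or any mount point, sits under a
    mount point that appears later: entries mount in file order, so the earlier
    mount binds whatever is at that path before the later one is mounted."""
    warnings = []
    for i, (src, mnt, fstype) in enumerate(entries):
        later = [m for _, m, _ in entries[i + 1:] if m != "/"]
        if fstype in STACKED:
            shadow = [m for m in later if is_under(normalize(src), m)]
            if shadow:
                warnings.append(f"{fstype} source {src} is under {max(shadow, key=len)}, mounted later")
        parents = [m for m in later if m != mnt and is_under(mnt, m)]
        if parents:
            warnings.append(f"mount point {mnt} is under {max(parents, key=len)}, mounted later")
    return warnings
```

Running check_order(parse_fstab(SAMPLE_FSTAB)) on the table above yields a single warning for the /etc/pkg nullfs line; moving the /mnt/etc unionfs entry above it makes the warning go away.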