[ale] Replacing HD with a CF card for firewall box

Warren Myers volcimaster at gmail.com
Mon May 14 11:26:28 EDT 2007


Have you looked at the FreeBSD-based m0n0wall (http://m0n0.ch/wall)?

On 5/14/07, Chris Woodfield <rekoil at semihuman.com> wrote:
>
> So I'm about to convert my firewall (running a bare-bones Debian
> distro) from a HD over to a CF card connected to an IDE adapter.
> While I've been told that the higher write cycle limitations of
> today's CF cards should allow this to be done with no problems, I
> would like to take steps to limit the write activity to the card.
>
> I've looked at many of the pre-built linux firewall distros designed
> to be booted from LiveCD or flash, but so far every one I've seen has
> some limitation or missing feature that would probably give me
> trouble. I'd much rather just use a "real" linux distro with only the
> barebones packages I need for the box to do its job.
>
> If I'm understanding things properly, the directories where the most
> "ephemeral" write activity takes place are /var and /tmp, both of
> which I could theoretically mount onto a ramdisk. /tmp is obviously
> not an issue, but a couple questions/issues come from the idea of
> putting /var there:
>
> 1. Is there anything in /var that the system needs to be persistent?
> What could/would break if /var was an empty directory every time the
> system boots?
> 2. What about the directory structure - would the system get angry if
> certain directories (/var/run, /var/lock, etc) were not present at
> boot time? Could a solution here be to specify an image file as the
> mount "source" for the ramdisk, or would it be necessary to dd in an
> image file at mount time?
> 3. If the answer to #1 is yes, could another solution be a cron'ed
> rsync of the ramdisk to a directory on the flash, to be rsync'ed in
> the other direction at boot time?
> 4. What about /var/log? Can syslog be set up to not log anything to
> disk and send it all to a remote host, or is it necessary to store
> some logs locally?


Yes, you can forward all syslog info to a different host - make sure it's
listening on port 514, and there's a change you need to make in your
sysklogd configs.

> 5. Are there any side effects, beyond the obvious "brick wall" effect
> when memory runs out, of not having a swapfile on a system that I
> should be aware of?


If you run out of real RAM, you probably have less than 64M in the system. A
firewall/router shouldn't need gobs of memory, so 128 or 256 shouldn't ever
run out.
For that matter, I almost never hit swap when running my desktop installs
unless VMware Server is running and active.

> And are there any other landmines I should know about when it comes
> to setting something like this up?
>
> Thanks,
>
> -Chris
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>



-- 
http://warrenmyers.com
"God may not play dice with the universe, but something strange is going on
with the prime numbers." --Paul Erdős
"It's not possible. We are the type of people who have everything in our
favor going against us." --Ben Jarhvi, Short Circuit 2
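One way to do what Chris describes in questions 2 and 3 (keep /var on a RAM disk, but save its directory skeleton and a few state directories to the CF card and restore them at boot), as an added example that is not part of the original thread. The paths, the PERSIST_DIRS list and the use of GNU `stat -c` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Keeps /var on tmpfs while
# persisting its directory skeleton and selected state on the CF card.
set -e

# Directories under /var whose contents must survive a reboot (assumed list).
# Everything else in /var is treated as ephemeral and recreated empty.
PERSIST_DIRS="lib/dhcp spool/cron/crontabs"

# Record the directory skeleton of $1 (directories only, no file contents)
# as "octal-mode path" lines in $2, which lives on the flash card.
# Run once after the box is set up, and again whenever packages change.
save_var_skeleton() {
    src=$1 list=$2
    mkdir -p "$(dirname "$list")"
    ( cd "$src" && find . -type d | sort |
        while read -r d; do
            printf '%s %s\n' "$(stat -c %a "$d")" "$d"
        done ) > "$list"
}

# Boot time: rebuild the skeleton from list $1 inside the freshly mounted
# tmpfs $2 (modes such as 1777 on /var/tmp are restored), then copy the
# persistent state back in from the flash copy $3.
restore_var() {
    list=$1 dest=$2 persist=$3
    while read -r mode d; do
        mkdir -p "$dest/$d" && chmod "$mode" "$dest/$d"
    done < "$list"
    for d in $PERSIST_DIRS; do
        [ -d "$persist/$d" ] || continue
        mkdir -p "$dest/$d"
        cp -a "$persist/$d/." "$dest/$d/"
    done
}

# From cron and at shutdown: copy persistent state from tmpfs $1 out to the
# flash copy $2. Only the listed directories ever cause writes to the card.
sync_var_to_flash() {
    src=$1 persist=$2
    for d in $PERSIST_DIRS; do
        [ -d "$src/$d" ] || continue
        mkdir -p "$persist/$d"
        cp -a "$src/$d/." "$persist/$d/"
    done
}

# Boot-time usage as root, after an fstab line such as (assumed):
#   tmpfs  /var  tmpfs  size=64m,mode=755  0 0
#   restore_var /flash/var-skeleton.lst /var /flash/var-persist
```

Logs are deliberately not in PERSIST_DIRS; with syslog forwarded to a remote host as Warren describes, /var/log can stay empty on the RAM disk.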