[ale] Replacing HD with a CF card for firewall box
Chris Woodfield
rekoil at semihuman.com
Mon May 14 10:28:32 EDT 2007
So I'm about to convert my firewall (running a bare-bones Debian
distro) from an HD over to a CF card connected to an IDE adapter.
While I've been told that the higher write cycle limitations of
today's CF cards should allow this to be done with no problems, I
would like to take steps to limit the write activity to the card.

I've looked at many of the pre-built Linux firewall distros designed
to be booted from LiveCD or flash, but so far every one I've seen has
some limitation or missing feature that would probably give me
trouble. I'd much rather just use a "real" Linux distro with only the
bare-bones packages I need for the box to do its job.

If I'm understanding things properly, the directories where the most
"ephemeral" write activity takes place are /var and /tmp, both of
which I could theoretically mount onto a ramdisk. /tmp is obviously
not an issue, but a couple of questions/issues come from the idea of
putting /var there:

1. Is there anything in /var that the system needs to be persistent?
What could/would break if /var was an empty directory every time the
system boots?

2. What about the directory structure - would the system get angry if
certain directories (/var/run, /var/lock, etc.) were not present at
boot time? Could a solution here be to specify an image file as the
mount "source" for the ramdisk, or would it be necessary to dd in an
image file at mount time?

3. If the answer to #1 is yes, could another solution be a cron'ed
rsync of the ramdisk to a directory on the flash, to be rsync'ed in
the other direction at boot time?

4. What about /var/log? Can syslog be set up to not log anything to
disk and send it all to a remote host, or is it necessary to store
some logs locally?

5. Are there any side effects, beyond the obvious "brick wall" effect
when memory runs out, of not having a swapfile on a system that I
should be aware of?

And are there any other landmines I should know about when it comes
to setting something like this up?

Thanks,
-Chris
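The restore-at-boot / save-back-from-cron scheme sketched in questions 2 and 3 above, written out as an added POSIX sh example (this is not code from the original post or from Debian). It keeps /var on a tmpfs ramdisk, creates the skeleton directories daemons expect, copies a persisted tree in at boot, and writes the ramdisk back to the card by staging into a sibling directory and renaming, so a power cut mid-copy never leaves a half-written persist tree. The persist path (/persist/var), the tmpfs size, the skeleton list and the exclude list are all assumptions; cp -a is used instead of rsync so the script runs with nothing beyond coreutils (rsync -a --delete would do the same mirroring in one step).

```shell
#!/bin/sh
# Added example (not from the original post): /var on tmpfs, persisted on
# the CF card. Verbs: "boot" (mount + restore) and "save" (cron/shutdown).
# Paths, sizes and the exclude list are assumptions for illustration.

PERSIST=${PERSIST:-/persist/var}   # assumed directory on the CF card
VAR=${VAR:-/var}                   # the tmpfs mount at runtime
TMPFS_SIZE=${TMPFS_SIZE:-64m}

# Directories whose contents must NOT outlive a reboot: stale PID and lock
# files would make daemons believe they are already running. Add "log" here
# if syslog ships everything to a remote host and nothing is needed locally.
EXCLUDE=${EXCLUDE:-"run lock"}

# Daemons expect these to exist even when the persist copy is missing
# (first boot, or a corrupted card). /var/tmp needs the sticky bit like /tmp.
make_var_skeleton() {
    root=$1
    for d in run lock log tmp cache lib spool mail; do
        mkdir -p "$root/$d"
    done
    chmod 1777 "$root/tmp"
}

# Boot: copy the persisted tree into the (empty) ramdisk. cp -a preserves
# owner, mode and mtime, which /var/lib/dpkg, /var/spool and friends rely on.
restore_var() {
    src=$1; dst=$2
    mkdir -p "$dst"
    if [ -d "$src" ]; then
        cp -a "$src/." "$dst/"
    fi
    make_var_skeleton "$dst"
    # Start every excluded directory empty, even if an older persist copy
    # still carried one (e.g. before run/lock were added to EXCLUDE).
    for d in $EXCLUDE; do
        rm -rf "$dst/$d"
        mkdir -p "$dst/$d"
    done
}

# Cron/shutdown: mirror the ramdisk to the card. Stage into "$dst.new",
# then swap with two renames, so "$dst" is always either the old complete
# copy or the new complete copy, never a partial one.
save_var() {
    src=$1; dst=$2
    stage="$dst.new"; old="$dst.old"
    rm -rf "$stage" "$old"
    mkdir -p "$stage"
    cp -a "$src/." "$stage/"
    for d in $EXCLUDE; do
        rm -rf "$stage/$d"
    done
    if [ -d "$dst" ]; then
        mv "$dst" "$old"
    fi
    mv "$stage" "$dst"
    rm -rf "$old"
    # Push the writes out to the card now instead of at the next flush.
    sync 2>/dev/null || true
}

# The ramdisk itself; meaningful only as root at boot, before restore_var.
# An /etc/fstab equivalent would be:
#   tmpfs  /var  tmpfs  defaults,size=64m,mode=0755  0 0
#   tmpfs  /tmp  tmpfs  defaults,nosuid,noexec,size=32m  0 0
mount_var_tmpfs() {
    mount -t tmpfs -o size="$TMPFS_SIZE",mode=0755 tmpfs "$VAR"
}

case ${1:-} in
    boot) mount_var_tmpfs; restore_var "$PERSIST" "$VAR" ;;
    save) save_var "$VAR" "$PERSIST" ;;      # from cron and the shutdown path
    *)    ;;                                  # sourced for its functions: do nothing
esac
```

Run "save" both from cron and from a shutdown script, otherwise whatever changed since the last cron tick (package database updates, mail spool) is lost on a clean reboot. Mounting /tmp with nosuid,noexec as in the fstab comment costs nothing on a firewall and denies a writable, executable scratch area to anything that lands on the box; mounting the CF root with noatime removes the access-time writes that every file read would otherwise generate.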