[ale] Replacing HD with a CF card for firewall box

Chris Woodfield rekoil at semihuman.com
Mon May 14 10:28:32 EDT 2007


So I'm about to convert my firewall (running a bare-bones Debian  
distro) from a HD over to a CF card connected to an IDE adapter.  
While I've been told that the higher write cycle limitations of  
today's CF cards should allow this to be done with no problems, I  
would like to take steps to limit the write activity to the card.

I've looked at many of the pre-built Linux firewall distros designed  
to be booted from LiveCD or flash, but so far every one I've seen has  
some limitation or missing feature that would probably give me  
trouble. I'd much rather just use a "real" Linux distro with only the  
barebones packages I need for the box to do its job.

If I'm understanding things properly, the directories where the most  
"ephemeral" write activity takes place are /var and /tmp, both of  
which I could theoretically mount onto a ramdisk. /tmp is obviously  
not an issue, but a couple of questions/issues come from the idea of  
putting /var there:

1. Is there anything in /var that the system needs to be persistent?  
What could/would break if /var was an empty directory every time the  
system boots?
2. What about the directory structure - would the system get angry if  
certain directories (/var/run, /var/lock, etc) were not present at  
boot time? Could a solution here be to specify an image file as the  
mount "source" for the ramdisk, or would it be necessary to dd in an  
image file at mount time?
3. If the answer to #1 is yes, could another solution be a cron'ed  
rsync of the ramdisk to a directory on the flash, to be rsync'ed in  
the other direction at boot time?
4. What about /var/log? Can syslog be set up to not log anything to  
disk and send it all to a remote host, or is it necessary to store  
some logs locally?
5. Are there any side effects, beyond the obvious "brick wall" effect  
when memory runs out, of not having a swapfile on a system that I  
should be aware of?

And are there any other landmines I should know about when it comes  
to setting something like this up?

Thanks,

-Chris
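One way to do what questions 2 and 3 describe, written as an added example rather than anything from the original post or the Debian project: a POSIX shell script that fills the /var ramdisk from a saved copy on the card at boot, recreates the directory skeleton Debian expects, and copies the non-ephemeral trees back at shutdown or from cron. The /var.persist path, the tmpfs sizes, and the choice of which subdirectories count as ephemeral are assumptions; rsync is used when installed, with cp -a as the fallback.

```shell
# Keep /var on a tmpfs ramdisk and persist only what must survive a reboot.
# Added example, not from the original post. persist = saved copy on the CF
# card (e.g. /var.persist); ramvar = the tmpfs mount point (normally /var).

# fstab entries for the ramdisks; the sizes are assumptions, tune for the box.
print_fstab() {
    echo "tmpfs /var tmpfs nosuid,nodev,size=64m 0 0"
    echo "tmpfs /tmp tmpfs nosuid,nodev,size=32m 0 0"
}

# Recreate the skeleton Debian expects, even if the saved copy is empty.
var_skeleton() {
    ramvar=$1
    for d in cache lib local log mail run spool; do
        mkdir -p "$ramvar/$d"
    done
    # /var/tmp and /var/lock are world-writable with the sticky bit set.
    mkdir -p "$ramvar/tmp" "$ramvar/lock"
    chmod 1777 "$ramvar/tmp" "$ramvar/lock"
}

# Copy a tree: rsync when installed, cp -a otherwise (cp never deletes).
sync_tree() {
    src=$1; dst=$2
    mkdir -p "$dst"
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --delete "$src/" "$dst/"
    else
        cp -a "$src/." "$dst/"
    fi
}

# At boot: populate the ramdisk from the card, then fix up the skeleton.
var_restore() {
    persist=$1; ramvar=$2
    if [ -d "$persist" ]; then sync_tree "$persist" "$ramvar"; fi
    var_skeleton "$ramvar"
}

# At shutdown or from cron: save the ramdisk back, skipping the purely
# ephemeral trees so they never cost the card a write cycle.
var_save() {
    ramvar=$1; persist=$2
    mkdir -p "$persist"
    for d in "$ramvar"/*; do
        [ -d "$d" ] || continue
        case "${d##*/}" in run|lock|tmp|cache) continue ;; esac
        sync_tree "$d" "$persist/${d##*/}"
    done
}
```

Hook var_restore into an early boot script (after the tmpfs is mounted) and var_save into the shutdown sequence and a cron entry; /var/run, /var/lock, /var/tmp and /var/cache are intentionally left on the ramdisk only.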
