> I am looking at having a read only box, it will not use a swap partition. Any recommendations?
Well, I tried two possibilities years ago.
1.) There are SCSI disks with jumpers for "Write Protect", so you have real hardware write-protection.
2.) Have a look at (Open)BSD's "Immutable Flag" feature. (Well, I hope you all love OpenBSD?) ;-) But... don't get nervous while setting up the box...
Regards, Marc Rebischke
On Fri, 2008-05-02 at 19:22 +0200, Marc Rebischke wrote:
> > I am looking at having a read only box, it will not use a swap partition. Any recommendations?
I built a diskless, CD-based firewall some time ago which works fine. Of course you still need some writable directories, i.e. /var/run, /var/lock, /var/lib/dhcpd, /var/named, /tmp, /var/empty/sshd/etc and /var/net-snmp. This can be achieved by using layered filesystems and a ramdisk. If you want to follow that path, I'd recommend using aufs, see http://aufs.sourceforge.net
> Well, I tried two possibilities years ago.
> 1.) There are SCSI disks with jumpers for "Write Protect", so you have real hardware write-protection.
which would work as well as using a CD.
> 2.) Have a look at (Open)BSD's "Immutable Flag" feature. (Well, I hope you all love OpenBSD?) ;-) But... don't get nervous while setting up the box...
There is an immutable flag for ext2/3 (see setfattr(1)), but it can easily be removed once root access is gained, so I'd not recommend it. Host-based intrusion detection systems (integrit, aide, tripwire) can help you discover any manipulations, but I'd go for a CD or write-protected disks to be on the safe side.
Regards, Torsten
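As an added illustration of the layered-filesystem approach Torsten describes (this is example code, not something posted in the thread): a tmpfs ramdisk supplies a writable aufs branch on top of each read-only directory listed above. The ramdisk path /mnt/rw and its size are assumptions; the script prints the mount commands by default and only applies them as root with DRY_RUN=0 on a kernel that has the aufs module.

```shell
#!/bin/sh
# Added example: stack a tmpfs branch over the writable directories of a
# read-only root with aufs. DRY_RUN=1 (default) prints the commands.
set -eu

: "${DRY_RUN:=1}"
# Directories the thread lists as needing to stay writable.
WRITABLE_DIRS="/var/run /var/lock /var/lib/dhcpd /var/named /tmp /var/empty/sshd/etc /var/net-snmp"
# Assumed ramdisk mount point and size (example values).
RAMDISK=/mnt/rw
RAMDISK_SIZE=64m

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One aufs mount per directory: the tmpfs branch is read-write on top,
# the read-only copy from the root medium sits underneath. The branch
# path mirrors the target path so the layout stays easy to inspect.
overlay_dir() {
    dir=$1
    branch="$RAMDISK$dir"
    run mkdir -p "$branch"
    run mount -t aufs -o "br=$branch=rw:$dir=ro" none "$dir"
}

# Mount the ramdisk once (nosuid,nodev so it cannot carry setuid
# binaries or device nodes), then overlay every directory.
setup_overlays() {
    run mount -t tmpfs -o "size=$RAMDISK_SIZE,mode=0755,nosuid,nodev" tmpfs "$RAMDISK"
    for d in $WRITABLE_DIRS; do
        overlay_dir "$d"
    done
}

setup_overlays
```

Anything written into these directories lives only in RAM and disappears on reboot, which is exactly what you want for a firewall booted from a CD or a jumper-protected disk.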