On Fri, 2008-05-02 at 19:22 +0200, Marc Rebischke wrote:
> I am looking at having a read only box, it will not use a swap
> partition.
> Any recommendations?

I built a diskless, CD-based firewall some time ago which works fine. Of course you still need some writable directories, i.e. /var/run, /var/lock, /var/lib/dhcpd, /var/named, /tmp, /var/empty/sshd/etc and /var/net-snmp. This can be achieved by using layered filesystems and a ramdisk. If you want to follow that path, I'd recommend using aufs, see http://aufs.sourceforge.net

> Well, I tried two possibilities years ago..
> 1.) :
> There are SCSI disks with jumpers for
> "Write Protect", so you have a real
> hardware write-protection.

Which would work as well as using a CD.

> 2.) :
> Have a look at (Open)BSD's "Immutable Flag" feature. (Well, I hope you all love
> OpenBSD?) ;-)

But... don't get nervous while setting up the box...

There is an immutable flag for ext2/3 (see setfattr(1)), but it can easily be removed once root access is gained, so I'd not recommend it. Host-based intrusion detection systems (integrit, aide, tripwire) can help you discover any manipulations, but I'd go for a CD or write-protected disks to be on the safe side.

Regards,
Torsten
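The layered-filesystem setup Torsten describes (a tmpfs ramdisk holding a writable aufs branch over each directory that must stay writable on a read-only root), as an added example script that is not part of the thread. It assumes aufs is available in the kernel, the read-only root is already mounted, the ramdisk mount point /mnt/ram, and the aufs branch syntax "br=RW=rw:RO=ro"; the directory list is taken from the mail and should be adjusted to the services actually run.

```shell
#!/bin/sh
# Added example: overlay a tmpfs-backed aufs rw branch on each directory that
# must remain writable on an otherwise read-only (CD-based) root.
# Assumptions: aufs kernel support, read-only root already mounted,
# /mnt/ram as the ramdisk mount point (override with RAMDISK=...).

RAMDISK=${RAMDISK:-/mnt/ram}          # tmpfs that holds all writable layers
RAMDISK_SIZE=${RAMDISK_SIZE:-64m}     # keep it small: it is lost on reboot anyway
# Directories named in the mail; /var/empty/sshd is an assumed spelling.
WRITABLE_DIRS="/var/run /var/lock /var/lib/dhcpd /var/named /tmp /var/empty/sshd /var/net-snmp"

# Build the aufs mount command for one directory: the ramdisk copy is the
# writable top branch, the directory on the read-only root is the bottom branch.
aufs_mount_cmd() {
    dir=$1
    rw="$RAMDISK$dir"
    printf 'mount -t aufs -o br=%s=rw:%s=ro none %s' "$rw" "$dir" "$dir"
}

# Execute a command, or only print it when DRY_RUN=1 (useful for review
# before running as root, and for testing without aufs).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        eval "$*"
    fi
}

setup_writable_layers() {
    # nosuid/nodev: nothing on the ramdisk should ever be a setuid binary or device
    run "mount -t tmpfs -o size=$RAMDISK_SIZE,nosuid,nodev tmpfs $RAMDISK"
    for d in $WRITABLE_DIRS; do
        run "mkdir -p $RAMDISK$d"
        run "$(aufs_mount_cmd "$d")"
    done
}

# Run the real thing only when invoked directly as a script, not when sourced.
if [ "${DRY_RUN:-0}" = 1 ] && [ "$(basename "$0")" != sh ]; then
    setup_writable_layers
fi
```

Run with DRY_RUN=1 first to review the exact mount commands; note that after boot, anything written below the aufs branches lives only in RAM and vanishes on reboot, which is the intended property of the read-only box.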