On Fri, 2008-05-02 at 19:22 +0200, Marc Rebischke wrote:
> I am looking at having a read only box, it will not use a swap
> partition.
> Any recommendations?
I built a diskless, CD-based firewall some time ago which works fine.
Of course you still need some writable directories, i.e.
/var/run, /var/lock, /var/lib/dhcpd, /var/named, /tmp,
/var/empty/sshd/etc and /var/net-snmp. This can be achieved by using
layered filesystems and a ramdisk. If you want to follow that path, I'd
recommend using aufs, see http://aufs.sourceforge.net
> Well, I tried two possibilities years ago...
> 1.) :
> There are SCSI-Disks with jumpers for
> "Write Protect" , so you have a real
> Hardware write-protection.
which would work as well as using a CD.
> 2.) :
> Have a look at (Open)BSD's "Immutable Flag"-Feature. (Well, I hope you all love
> OpenBSD?) ;-) But....don't get nervous while setting up the box...
There is an immutable flag for ext2/3 (see setfattr(1)), but it can
easily be removed once root access is gained, so I'd not recommend it.
Host-based intrusion detection systems (integrit, aide, tripwire) can
help you discover any manipulations, but I'd go for a CD or
write-protected disks to be on the safe side.
Regards,
Torsten
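The host-based integrity check Torsten points to (integrit, aide, tripwire) reduces to a baseline-and-verify pair over the few directories that stay writable on a read-only box. The script below is an added example, not code from the thread or from any of those tools; it assumes POSIX sh plus coreutils (find, sha256sum, sort, diff, awk, mktemp) and file paths without spaces.

```shell
#!/bin/sh
# Added example: a minimal integrity baseline/verify pair for the writable
# branches (tmpfs / aufs rw dirs such as /var/run or /var/lib/dhcpd) that a
# CD-based box still needs. Store the baseline file on the read-only medium
# so a manipulated box cannot quietly rewrite it.

# One "hash  path" line per regular file, sorted by path so two scans can
# be compared line by line. Paths containing spaces are not handled.
scan_dir() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2
}

# Record the baseline. Usage: baseline_dir DIR BASELINE_FILE
baseline_dir() {
    scan_dir "$1" > "$2"
}

# Compare DIR against BASELINE_FILE. Prints one ADDED/REMOVED/MODIFIED line
# per changed file; returns 0 when nothing changed, 1 otherwise.
# Usage: verify_dir DIR BASELINE_FILE
verify_dir() {
    dir=$1; base=$2
    now=$(mktemp) || return 2
    scan_dir "$dir" > "$now"
    if cmp -s "$base" "$now"; then
        rm -f "$now"
        return 0
    fi
    # diff marks baseline-only lines with '<' and current-only lines with
    # '>'; a path present on both sides has a different hash, i.e. modified.
    diff "$base" "$now" | awk '
        /^</ { old[$3] = 1 }
        /^>/ { new[$3] = 1 }
        END {
            for (p in old) print (p in new ? "MODIFIED " : "REMOVED  ") p
            for (p in new) if (!(p in old)) print "ADDED    " p
        }'
    rm -f "$now"
    return 1
}

# Example (assumed paths): baseline_dir /var/run /mnt/cdrom/baseline/var-run
#                          verify_dir   /var/run /mnt/cdrom/baseline/var-run
```

Run verify_dir from cron or at boot against a baseline kept on the CD; any non-zero exit is a change worth looking at.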