Hi,
I'm building a linux firewall for my home lan. I use a 400MHz pc with a
128MB compact flash as hard disk and 32 MB of ram. I installed slack 9 and
it's wrking fine.
I need to do one more thing: I can't properly shutdown the system (I have
nothing attached to the system except for the two network cables and the
power cable). At this time I'm using ext2 (ext3 is not good for a CF flash
with a limited number of writes) and I have /usr mounted as loop and
read-only and /var,/tmp,/home and /root as ramdisks (1024 to 2048kb). All
logs are sent to a syslog server.
Is there some guide or some tips to avoid data corruption when the system
loses power ? I'd like to set every partition read-only (I need only a
subdirectory of the /etc to be writeable (rare event, just to modify the
firewall rules).


thanks in advance

giuliano

Giuliano wrote:
> power cable). At this time I'm using ext2 (ext3 is not good for a CF flash
> with a limited number of writes) and I have /usr mounted as loop and
> read-only and /var,/tmp,/home and /root as ramdisks (1024 to 2048kb). All
> logs are sent to a syslog server.
> Is there some guide or some tips to avoid data corruption when the system
> loses power ? I'd like to set every partition read-only (I need only a
> subdirectory of the /etc to be writeable (rare event, just to modify the
> firewall rules).

You can try to mount that particular directory synchronous (sync), that
way metadata is instantly written instead of cached before writing
(async). I haven't tried it in real-life situations, but that is what I
would try first.

With kind regards,
Daniel de Kok

On Sat, 30 Aug 2003 14:47:07 +0000, Jeremy Gray wrote:

> Giuliano <giulianozorzi@katamail.com> wrote:
>>
>> I need to do one more thing: I can't properly shutdown the system (I
>> have nothing attached to the system except for the two network cables
>> and the power cable).
>
> Run sshd on the lan interface so you can login from another lan machine.
> Or get a serial console.

I'd run SSH as well as using a serial-console. It's a bit redundant
in some respects - sure. However ssh/sftp have some nice GUI frontends,
but networking is not up at the BIOS and `lilo' stages of booting...

But you'd want console access to the `lilo' prompt.
Else you'd not be able to feed a kernel extra parameters -
when you need to fix/test stuff.
(Maybe have one handy with `tftp' or `NFS' root).

Here are the relevent parts of one of my (Slack 8.1) boxen:

root@p233:~# grep -A2 serial /etc/lilo.conf
# Lilo serial console
serial = 0,9600n8
# Kernel serial console
append = "console=ttyS0,9600n8"
root@p233:~# grep -A1 serial /etc/inittab
# Local serial lines:
s1:12345:respawn:/sbin/agetty -i -L -h ttyS0 9600 vt102

It's plugged in to another box using a cat5 UTP cable wired as shown here:
<http://hwb.sunsite.dk/menu_Cable.html>
If you use a 3 wire setup then lose the `-h' flag to `agetty'.
(That would be 2-3 3-2 5-5 (or 7-7 for DB25) BTW).

Someone pointed me at the Weazel cart for serial access to the BIOS - as
normally COTS `pc' clone hardware only supports console on KVM :-(.
I do not have a real need for that at the moment, though someone might:
<http://google.nl/groups?selm=slrnbd12c7.5s5.robert%40home.allyourba ss.org>

The Linux kernel can run it's console on a Centronics (paralell) port as
well - AFAIK `lilo' does not support this however.
(Rendering it not so usefull as of jet IMO).

>> Is there some guide or some tips to avoid data corruption when the
>> system loses power?
>
> Find a CD/floppy based linux

Yes, though one that uses the `initrd' (ramdisk) approach.

> (or the slackware install cd) and look at
> how they layout their systems.

That is the way i went about it:
<http://google.nl/groups?selm=pan.2003.04.28.23.48.26.381582%40deskt op.localdomain&rnum=16>

> The problem is understanding all the
> software that the firewall will run and getting it all to use files in
> one throwaway rw directory, like /tmp.

Have a look at `tmpfs' for that.
<http://lwn.net/2001/1206/a/tmpfs.php3>

Also use a swap "file" inside the ramdisk instad of using a partition on
the phsicall disk - this should save you some more read/writes to disk.
I don't know wat will happen if you omit swap-space at all - so i'd create
a 4 or 8 MB file for it - atleast.

>> I'd like to set every partition read-only (I need only a subdirectory
>> of the /etc to be writeable (rare event, just to modify the firewall
>> rules).
>
> That doesn't mean that /etc needs to be mounted rw. It just means that
> you need to remount it rw, make your changes, and then remount it ro.

I use a litte script for this HTH:

#!/bin/bash
#
# Enable/disable read-only mode on the filesystem.

# Define the PARTition
PART="/usr"

# Remount the filesystem in read-write mode
mount_read_write () {
echo "Remounting ${PART} with read-write enabled."
mount -w -v -o remount "${PART}"
if [ $? -gt 0 ] ; then
echo "Attempt to remount $PART as read-write failed!"
fi
}

# Remount the filesystem in read-only mode
mount_read_only () {
echo "Remounting ${PART} in read-only mode."
mount -r -v -o remount "${PART}"
if [ $? -gt 0 ] ; then
echo "Attempt to remount ${PART} as read-only failed!"
fi
}

# List the current operating status
current_status () {
grep "${PART}" /etc/mtab
if [ $? -ne 0 ]; then
echo "$0: ${PART} not mounted"
fi
}

case "$1" in
'rw')
mount_read_write
;;
'ro')
mount_read_only
;;
'status')
current_status
;;
*)
echo "usage: $0 rw|ro|status"
esac

--
-Menno.

In article <pan.2003.09.01.11.25.25.908105@desktop.local>, Menno Duursma wrote:
> Also use a swap "file" inside the ramdisk instad of using a partition on
> the phsicall disk - this should save you some more read/writes to disk.
> I don't know wat will happen if you omit swap-space at all - so i'd create
> a 4 or 8 MB file for it - atleast.

I don't understand the logic of putting a swap file inside your
ram-disk, unless you just want to say I've got swap. The purpose of
swap is to give your computer some place to put memory it needs to
access again when it runs ot of RAM. Having it put this right back into
RAM is counter-productive to swap's intended use, and I would imagine
dangerous as well. What you suggest reeks of stack overflow errors to
me.

On Tue, 02 Sep 2003 11:22:30 -0500, Alan Hicks wrote:

> In article <pan.2003.09.01.11.25.25.908105@desktop.local>, Menno Duursma wrote:
>> Also use a swap "file" inside the ramdisk instad of using a partition on
>> the phsicall disk - this should save you some more read/writes to disk.
>> I don't know wat will happen if you omit swap-space at all - so i'd create
>> a 4 or 8 MB file for it - atleast.
>
> I don't understand the logic of putting a swap file inside your
> ram-disk, unless you just want to say I've got swap. The purpose of
> swap is to give your computer some place to put memory it needs to
> access again when it runs ot of RAM.

Yes. However i have read odd things happening on boxen with on swap at
all, though maybe patching the kernel to not run `kswapd' fixes that.
<http://groups.google.com/groups?selm=200112220117.fBM1HLM00755%40mysql.sash anet.com&rnum=8>

> Having it put this right back into
> RAM is counter-productive to swap's intended use, and I would imagine
> dangerous as well.

Counter-productive, yes - but you wouldn't want it to swap at all.
Dangerous, i wouldn't think so - the `ramdisk' is allocated statically and
mounted as a normal filesystem. Meaning you can not use that same memory
for program heap or stack anymore.

> What you suggest reeks of stack overflow errors to me.

I wouldn't think so. Maybe odd things will happen if you where to run out
of core memory - idunno.

--
-Menno.