Monday, July 21, 2008

Cheap solid state router using Endian Firewall

I wanted to run Endian Firewall on compact flash, something which is apparently not explicitly supported. I had 1.5GB of RAM, and Endian runs in 512MB with no problem, so I figured I could use tmpfs for /var and /tmp, helping prevent the card from wearing out.

I could not get Endian to install to a USB device, but a $12 CF-IDE adapter allowed me to install it on a 2GB flash card with no problem. It will disable swap automatically. (I also could not get Endian to install on a USB-connected CF card, but I imagine I could get it to boot and run that way once I had installed it over IDE. After you perfect the installation, you can just dd the boot sector and each partition to clone your install onto new media.)

You can either pop the card out after you install, or boot off a Knoppix CD next so that you can make some modifications to your installation. If you are accessing the CF card via USB, mount /dev/sdb3 on /mnt to reach the root directory (/). Once you have the / partition mounted for editing, change the etc/fstab file on the CF card to read something like this:

/dev/hdb1 /boot ext3 nodev,nosuid,noatime 1 2
/dev/hdb3 / ext3 noatime 1 1
/dev/hdb4 /varperm ext3 noatime,mand 1 1
none /var tmpfs noatime,mand 0 0
none /tmp tmpfs defaults 0 0
none /home tmpfs defaults 0 0
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0

Note that I moved /var to /varperm and /home to /homeperm. You can mkdir those directories under your root partition which has been mounted to /mnt.
Next, edit the etc/rc.d/rc.sysinit file. Locate the line which reads

mount -a

Add three lines immediately below it:

######copy stuff to the tmpfs filesystems
/usr/bin/rsync -a /varperm/ /var/
/usr/bin/rsync -a /homeperm/ /home/

I also added a call to /etc/cron.d/syncflash in /etc/rc.d/rc.halt, right after the "Shutting down" line at the top of the file, so that I flush to flash whenever I shut down.

This will get the necessary directories and files from the flash into RAM at boot so that scripts start correctly. That's all which is actually required! You can (and probably should) add a cron job (under /etc/cron.{minutely|hourly|daily}) to periodically rsync stuff from /var to /varperm to keep historical logs. This is in /etc/cron.d/syncflash on my system:

#!/bin/sh
/usr/bin/rsync -a /var/ /varperm/
/usr/bin/rsync -a /home/ /homeperm/

I'd probably exclude the gzipped stuff, myself, but that depends on the amount of space you have. Since tmpfs allocates half your RAM by default, we effectively have a 750MB combined /tmp and /var filesystem. This is plenty, really. We can even enable the proxy and ntop, so long as we set the limits to something reasonable. I may hack it further to keep longer logs on flash and continually flush tmpfs, but what I have works for now.

I think this may be a really good solution for a dedicated router box, maybe using something like a Fit PC. Addendum: Fit PC does not have enough memory for this application. But an old laptop and a PC Card CF reader might do the trick.

I also had to change the options from defaults in the /var line to enable mandatory locks. HAVP would not start without this setting, which kept Squid from working correctly.
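As an added example (not from the original post), here is a more defensive form of the syncflash script described above. It refuses to sync unless the flash partition is actually mounted (so a bad boot does not write the copy into the root filesystem instead of the CF card), skips rotated *.gz logs as the closing paragraph suggests, and includes a small check that the fstab line for /var carries the mand option that HAVP needs. The /var, /varperm, /home and /homeperm paths follow the post; the function names, the SYNCFLASH_RUN switch and the constructed fstab and mount-table samples are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a defensive syncflash.
# Paths /var -> /varperm and /home -> /homeperm follow the post; the helper
# names and the SYNCFLASH_RUN switch are assumptions made for this example.

# fstab_opt_set FSTAB_TEXT MOUNTPOINT OPTION
# Succeeds if the fstab entry for MOUNTPOINT carries OPTION in its
# comma-separated option field (for example "mand" on the tmpfs /var line).
fstab_opt_set() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# is_mounted MOUNTS_TEXT MOUNTPOINT
# Succeeds if MOUNTPOINT appears as a mounted filesystem in MOUNTS_TEXT
# (pass the contents of /proc/mounts on a live system).
is_mounted() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }'
}

# sync_tree SRC DST
# Copies every regular file under SRC to DST, skipping rotated, gzipped
# logs (*.gz) to save room on the card. Uses rsync when present, as the
# post does, and a portable find/cp loop otherwise.
sync_tree() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --exclude='*.gz' "$src/" "$dst/"
    else
        (cd "$src" && find . -type f ! -name '*.gz' -print) | while IFS= read -r f; do
            mkdir -p "$dst/$(dirname "$f")" && cp -p "$src/$f" "$dst/$f"
        done
    fi
}

# count_files DIR: number of regular files below DIR, used to confirm a sync.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Operational entry point, run only when SYNCFLASH_RUN=1 so that sourcing
# this file for the checks above touches nothing on the live system.
if [ "${SYNCFLASH_RUN:-0}" = 1 ]; then
    mounts=$(cat /proc/mounts)
    is_mounted "$mounts" /varperm || { echo "/varperm not mounted, refusing to sync" >&2; exit 1; }
    sync_tree /var /varperm
    sync_tree /home /homeperm
fi
```

Run as `SYNCFLASH_RUN=1 /etc/cron.d/syncflash` from cron and from rc.halt; the boot-time copy in rc.sysinit is the same function in the other direction (`sync_tree /varperm /var`). The mand check is meant for a one-time sanity pass over the CF card's etc/fstab before the first boot: `fstab_opt_set "$(cat /mnt/etc/fstab)" /var mand || echo "missing mand on /var"`.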