On Wed, Sep 07, 2011 at 12:26:15AM +0700, Pandu Poluan wrote:
> So, can anyone recommend me a filesystem that fulfills my following needs:
>
> Scenario: vFirewall (virtual Firewall) that is going to be deployed at
> my IaaS Cloud Provider.
>
> Disk I/O Characteristic: Occasional writes during 'normal' usage,
> once-a-week eix-sync + emerge -avuD
>
> Priority: Stable (i.e., less chance of corruption), least CPU usage.
>
> My Google-Fu seems to indicate either XFS or JFS; what do you think?

Try "thinking outside the box". Do you really need more than extfs2?
That should be the ultimate in low-overhead writing on the device.
Another option is to send the log data out on UDP port 514 to be logged
on another machine. A cute trick is to have /etc/conf.d/net as follows

config_eth0="
192.168.123.2/24 broadcast 192.168.123.255
"
routes_eth0="
default via 192.168.123.254
"

And then send the log data to the broadcast address 192.168.123.255
UDP port 514. Any computer with the same broadcast address can receive
the log data. You can even have multiple computers sending out, and
multiple computers receiving. One of the first things an attacker does
after compromising a machine is to wipe the logs on that machine to
cover his tracks. If the log data goes to multiple different machines,
it will be much more difficult to wipe.

Another strategy, on the paranoid side, is to have the router sending
logs to a machine like 192.168.123.45, and also have a machine on a
totally different IP address (e.g. 10.0.0.1) with its NIC set to
"promiscuous mode", listen for and save the log data.

-- 
Walter Dnes <waltdnes@××××××××.org>
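As an added illustration of the broadcast-syslog idea above (example code, not from the thread or from Gentoo), a small Python sender/receiver pair that formats BSD-syslog (RFC 3164) lines and sends them to the subnet broadcast address on UDP 514. It assumes the 192.168.123.255 broadcast address from the conf.d/net snippet; the host name "vfw" and the sample event text are constructed.

```python
import socket
from datetime import datetime

SYSLOG_PORT = 514
BROADCAST_ADDR = "192.168.123.255"   # assumed: broadcast address from the conf.d/net example
LOCAL0, INFO = 16, 6                 # RFC 3164 facility/severity codes

def build_message(facility, severity, hostname, tag, text, ts=None):
    """Format a BSD-syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG: text."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility/severity out of range")
    ts = ts or datetime.now()
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # day is space-padded per RFC 3164
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {text}"

def parse_message(raw):
    """Split a received line into facility, severity and the text after the PRI."""
    end = raw.find(">")
    if not raw.startswith("<") or end < 2 or not raw[1:end].isdigit():
        raise ValueError("missing or malformed PRI header")
    pri = int(raw[1:end])
    if pri > 191:
        raise ValueError("PRI out of range")
    return {"facility": pri // 8, "severity": pri % 8, "body": raw[end + 1:]}

def make_sender():
    """UDP socket allowed to send to a broadcast address (Linux refuses without SO_BROADCAST)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    return s

def make_receiver(port=SYSLOG_PORT, bind_addr=""):
    """Listener any host on the subnet can run; several receivers can run side by side."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_addr, port))          # binding port 514 needs root or CAP_NET_BIND_SERVICE
    return s

def send_log(sock, message, addr=BROADCAST_ADDR, port=SYSLOG_PORT):
    """Send one syslog line as a single UDP datagram; returns bytes sent."""
    return sock.sendto(message.encode("utf-8"), (addr, port))

if __name__ == "__main__":
    import sys
    if sys.argv[1:] == ["recv"]:
        r = make_receiver()
        while True:
            data, (src, _) = r.recvfrom(2048)
            print(src, parse_message(data.decode("utf-8", "replace")))
    else:
        msg = build_message(LOCAL0, INFO, "vfw", "netfilter", "constructed sample event")
        send_log(make_sender(), msg)
```

Plain UDP syslog carries no integrity protection, so each receiver should record the source address and keep its own append-only copy; the strength of the scheme is the number of independent copies, not the transport.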