| 1 |
On Wed, Sep 07, 2011 at 12:26:15AM +0700, Pandu Poluan wrote |
| 2 |
> So, can anyone recommend me a filesystem that fulfills my following needs: |
| 3 |
> |
| 4 |
> Scenario: vFirewall (virtual Firewall) that is going to be deployed at |
| 5 |
> my IaaS Cloud Provider. |
| 6 |
> |
| 7 |
> Disk I/O Characteristic: Occasional writes during 'normal' usage, |
| 8 |
> once-a-week eix-sync + emerge -avuD |
| 9 |
> |
| 10 |
> Priority: Stable (i.e., less chance of corruption), least CPU usage. |
| 11 |
> |
| 12 |
> My Google-Fu seems to indicate either XFS or JFS; what do you think? |
| 13 |
|
| 14 |
Try "thinking outside the box". Do you really need more than extfs2? |
| 15 |
That should be the ultimate in low-overhead writing on the device. |
| 16 |
Another option is to send the log data out on UDP port 514 to be logged |
| 17 |
on another machine. A cute trick is to have /etc/conf.d/net as follows |
| 18 |
|
| 19 |
config_eth0=" |
| 20 |
192.168.123.2/24 broadcast 192.168.123.255 |
| 21 |
routes_eth0=" |
| 22 |
default via 192.168.123.254 |
| 23 |
|
| 24 |
And then send the log data to the broadcast address 192.168.123.255 |
| 25 |
UDP port 514. Any computer with the same broadcast address can receive |
| 26 |
the log data. You can even have multiple computers sending out, and |
| 27 |
multiple computers receiving. One of the first things an attacker does |
| 28 |
after compromising a machine is to wipe the logs on that machine to |
| 29 |
cover his tracks. If the log data goes to multiple different machines, |
| 30 |
it will be much more difficult to wipe. |
| 31 |
|
| 32 |
Another strategy, on the paranoid side, is to have the router sending |
| 33 |
logs to a machine like 192.168.123.45, and also have a machine on a |
| 34 |
totally different IP address (e.g. 10.0.0.1) with its NIC set to |
| 35 |
"promiscuous mode", listen for and save the log data. |
| 36 |
|
| 37 |
-- |
| 38 |
Walter Dnes <waltdnes@××××××××.org> |
Archives