Here's a brief overview of what I did. If it's not what you are looking for, let me know (or we can take a more detailed discussion off-list).

I don't claim to be an expert in this. I did a lot of Googling/reading, and cobbled together my "strategy" from several sources. Even then, I think I'm going to change it a bit with the next snapshot I load.

I installed the snapshot onto an 8GB CF card mounted as a raw disk in Sun VirtualBox PUEL. I'm sure you could do it all on the Soekris as well, but VirtualBox on my Core i7 workstation is faster than the Soekris :/ I then dd'ed the image to a raw disk file and worked from it to set most everything up, then dd'ed it back to the CF, popped it in the Soekris, and there did the final config and testing.

I have /tmp, /dev, and /var in MFS, and everything else mounted read-only, so that I can unplug the thing with impunity. From what I read that's really the only reason to put things in MFS, because a modern CF card will last years even used as a hard disk, and doing the MFS thing is definitely extra effort. If it's your home router and you are willing to treat it like a "regular" computer, it's easier to just use the CF like any other hard disk and install in the normal manner.

My one big change I'll make is actually having some swap space. I have a very small amount now to support the MFS, but based on discussion on this list in the last month or so there's no reason not to have a normal amount of swap with a 4GB or more CF.

The Soekris makes a fine home firewall, but I'm not sure how it would perform under heavier loads. The VIA vr network interfaces are not known as the most efficient (though there is a PCI slot to add something different if you desire), and I don't know how the Geode CPU would handle a lot of encryption, say, several simultaneous IPSec or ssh users. I'm looking at mini-ITX Atom boards as the basis for a multipurpose, CF-booting platform (firewall, X-terminal, NAS/backup server) I want to use at work. Each machine would do only one thing in that list, but I could keep one spare for all and just swap out CF cards to change their "role". The Atom boards probably don't have much more horsepower than the Soekris, but some have better network interfaces (Intel em), and they can be had with dual video interfaces too.


stan wrote:
On Sun, Nov 08, 2009 at 10:32:07PM -0600, Cor wrote:
I'm running a late-October post-4.6 snapshot on a new Soekris firewall, and noticed something peculiar after setting up the rules per the new pf.conf(5) man page. I had a few lesser-known websites just hang and eventually time out (the "majors" still work fine), but thought little of it until I went to the ISA web site (www.isa.org) to renew my membership there and noticed the same effect.

I need to build a couple of those.

Which methodology are you using to build these?
