My router's partition table looks like:

    32 megs on swap
    92 megs on /

There's ~50 megabytes of immutable (chattr +i) files on the disk, the
rest is space for logs.
If you have a fairly stable router configuration, you may choose to lock it
down by splitting '/' into two partitions: one read-write (/) and one
read-only (/boot, /usr). You can also get creative with RAM disks here
if you don't want even /etc and /dev to be modified on the disk. This has
the nice feature that if your disks or disk controller starts to die, it
has that much less probability of clobbering the disks with misplaced writes
and destroying all your security tools.
I speak from experience--there's nothing like watching a firewall
"forget" to run /etc/rc.d/init.d/firewall-setup when you're miles away
from it and there's not enough of the system running to shut it down
remotely. Fortunately, this system also "forgot" to run the parts of
its configuration that set up IP forwarding, so my network was safe at
the time, but that was pure luck :-/. This is why I put firewalls behind
sacrificial bastion hosts, instead of beside them--it provides another
machine that can be shut down to take a rogue firewall off the net.
-- 
Zygo Blaxell, Linux Engineer, Corel Corporation. zygob@corel.ca (work) or zblaxell@furryterror.org (play).
Opinions above are my own, not Corel's.
Size of 'diff -Nurw [...] winehq corel' as of Thu Jun 3 13:14:00 EDT 1999
Lines/files: In 20094 / 98, Out 17319 / 152, Both 12093 / 142
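A small check for the split layout described above (/ read-write, /boot and /usr read-only), as an added example that is not part of the original post. The mount table is a constructed sample in /proc/mounts format; the device names and the list of mount points expected to be read-only are assumptions.

```shell
#!/bin/sh
# Added example: verify that the mount points the post wants read-only really
# are, so a silent remount to rw (or a missing mount) is noticed before the
# box is miles away.

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# Device names are made up for the example.
SAMPLE_MOUNTS='/dev/hda2 / ext2 rw,errors=remount-ro 0 0
/dev/hda3 /usr ext2 ro 0 0
/dev/hda1 /boot ext2 rw 0 0
none /proc proc rw 0 0'

# Mount points that should be mounted read-only (assumed, following the post).
RO_EXPECTED="/boot /usr"

# check_ro_mounts TABLE
#   Prints one line per expected-read-only mount point that is either not
#   mounted or mounted without the "ro" option. Returns 0 when everything is
#   as expected, 1 otherwise. On a live system pass "$(cat /proc/mounts)".
check_ro_mounts() {
    table=$1
    rc=0
    for mp in $RO_EXPECTED; do
        # Field 2 is the mount point, field 4 the comma-separated options.
        opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }')
        if [ -z "$opts" ]; then
            echo "MISSING: $mp is not mounted"
            rc=1
            continue
        fi
        # Match "ro" as a whole option, not as part of e.g. "errors=remount-ro".
        case ",$opts," in
            *,ro,*) ;;
            *) echo "WRITABLE: $mp mounted with options $opts"; rc=1 ;;
        esac
    done
    return $rc
}

# Run against the constructed sample: /boot is rw, so this reports it.
check_ro_mounts "$SAMPLE_MOUNTS"
```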