On the second day playing with ipfire, I can gladly congratulate the team behind it for a quite simple and intuitive project!
Installation and first setup steps were straightforward and simple (as long as one uses a proper client, that is).
I am however still not convinced of the installer not considering the underlying medium. It creates a useful and logical layout on the hard disk. Alas, not considering the disk itself: Here, on my preferred flash, it created a swap partition (which is crazy). I had earlier discussed the log files as well.
First thing therefore, comment out the swap in /etc/fstab.
Second thing, add into /etc/fstab a mount of /var/log into ramdisk.
Thirdly, move the swap partition to an ext4 partition and mount it to /mnt/archive.
Fourth, logrotate to move the log from the ramdisk to /mnt/archive at comparatively infrequent intervals using fcron.
Works, though not perfectly okay: At boot, it misses some subfolders under /var/log; like rrd and httpd. Obvious: these were created at installation time in /var/log, but can’t pop up on the ramdisk at boot.
I’d love to read comments on this. Is there any serious mistake in my thoughts? Especially, I’d like to hear on clever ideas for the problem of missing subdirs in /var/log at boot.
In principle, like this I ought to be able to go back to a ro attribute (even better: mechanical slider) to all but the /mnt/archive partitions, right? That would make me very happy, security-wise!
Next, I’ll start exploring the actual firewalling features, and I am looking forward to doing so!
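One way to handle the missing /var/log subdirectories at boot, as an added example and not code from the thread or from the IPFire project: record the directory tree of the on-disk /var/log once (name, owner, group, mode) into a skeleton file on the persistent /mnt/archive partition, then replay it onto the empty tmpfs early at boot. The paths in SKELETON and LOGDIR, the fstab line and the 64M size are assumptions; the script needs GNU stat and find (present on IPFire), and the skeleton format assumes no spaces in directory names.

```shell
#!/bin/sh
# Added example, not from the thread or from IPFire. Save the subdirectory
# tree of /var/log to persistent storage and recreate it on the tmpfs at boot,
# so services that expect e.g. /var/log/rrd or /var/log/httpd find them.
# Assumed paths: SKELETON on the /mnt/archive partition, LOGDIR = tmpfs mount.
SKELETON="${SKELETON:-/mnt/archive/var-log.skel}"
LOGDIR="${LOGDIR:-/var/log}"

# Matching /etc/fstab entry (assumed values; size it for your RAM):
#   tmpfs  /var/log  tmpfs  defaults,size=64M,mode=0755  0 0

# Record every subdirectory of "$1" as "relative-path owner group mode" in "$2".
# Run once while /var/log is still on disk, before enabling the tmpfs mount.
save_skeleton() {
    src="$1"; out="$2"
    find "$src" -mindepth 1 -type d | LC_ALL=C sort | while IFS= read -r dir; do
        rel="${dir#"$src/"}"
        printf '%s %s\n' "$rel" "$(stat -c '%U %G %a' "$dir")"
    done > "$out"
}

# Recreate the directories listed in skeleton "$1" under "$2" with the recorded
# ownership and mode. Idempotent: existing directories are left untouched.
# Prints the number of directories it created.
restore_skeleton() {
    skel="$1"; dst="$2"; created=0
    while read -r rel owner group mode; do
        [ -n "$rel" ] || continue
        path="$dst/$rel"
        if [ ! -d "$path" ]; then
            mkdir -p "$path"
            # Only root can hand directories to other users; warn instead of aborting.
            chown "$owner:$group" "$path" 2>/dev/null || echo "warning: could not chown $path" >&2
            chmod "$mode" "$path"
            created=$((created + 1))
        fi
    done < "$skel"
    echo "$created"
}

# List skeleton directories that are absent under "$2"; no output means the
# tmpfs now has every subdirectory the on-disk /var/log had.
missing_dirs() {
    while read -r rel owner group mode; do
        if [ -n "$rel" ] && [ ! -d "$2/$rel" ]; then
            echo "$rel"
        fi
    done < "$1"
    return 0
}

# Usage: "save" once on the installed system, "restore" from an early boot
# script (before syslog, apache and collectd start), "check" to verify.
case "${1:-}" in
    save)    save_skeleton "$LOGDIR" "$SKELETON" ;;
    restore) restore_skeleton "$SKELETON" "$LOGDIR" ;;
    check)   missing_dirs "$SKELETON" "$LOGDIR" ;;
esac
```

Because the skeleton lives on /mnt/archive, it is the only thing that needs to stay writable for this scheme; the restore step itself only writes to the tmpfs, which fits the goal of keeping the rest of the disk read-only.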
Thanks for investigating the system thoroughly.
Some thoughts to your interesting ideas.
My CF system doesn’t use swap. So I think there is a decision on install about this. I didn’t search in the sources on git where this is done and how the decision is made. Maybe this can be improved.
Not all systems can implement a big RAM disk for the logs. It isn’t trivial to decide in a 24/7 system about a good moment for saving to disk, also. Further, the period should be big enough to minimize write operations (which is your main impact), but short enough not to lose too much information in case of unexpected power losses.
Why there are some subfolders of /var/log missing, I have no idea. I never experienced such an issue. Could you just list them?
Setting most of the system to RO isn’t a good idea in practice, IMO. Many of the new or improved features are developed and tested in working systems, especially the modifications to the WUI. So a write inhibit would hinder this process. Two types of systems (production with RO, development with RW) isn’t really efficient. This would mean developers must do two tests (without and with write protection) of the same patch.
Regarding the health of storage media, I remember a process in the days of floppy disks ;). The system we implemented at that time was storing its actual data on a floppy disk. These data were transferred to the main system when a task was finished. Knowing about the limited lifetime of the disks, we implemented a process to transfer the data to a new floppy. This process was started manually at an appropriate time (for the production process) within the period of high probability of health of the floppy.
This process can also be defined for an IPFire system on a medium with a very limited lifetime. Just copy the whole disk to a new one, using dd.
For starters: You want swap space. If your storage isn’t good enough to survive writing onto it, I wouldn’t trust it with any other data either. Modern SSD storage should not at all be impacted in its lifetime by this.
Logs are there for a reason. You want a record of what went wrong in case something goes wrong. Storing log files in memory is not storing them and you will lose everything in case the system crashes.
Thanks for your replies. I have gone further with my experiments, and still like ipfire pretty much. (Maybe with the exception that some try to tell me how to actually configure and use my hardware despite my >20 years on *nix and being a sysadmin … Thanks, but please don’t.)
Okay, I don’t remember ever having decided for swap during install. I think that the user should be given this option at install. The argument given applies to swap space just as well, btw. Out of space is out of space.
With the logs, I had actually planned to cron a script checking for space on /var/log and logrotate to hard disk only once space got filled up. And, of course, before any intentional shutdown.
I wouldn’t trust local logs in any case. More than 10 years ago I had someone taking one of my boxes and removing the logs. Since then I only trust remote logging anyway.
In the longer run, I don’t know yet where I’ll actually apply this box. As the very front end to the ugly outside world, of course one will look at updates, graphs, logs, on a regular basis. A tad further inside, I prefer the method that my mail servers running OpenBSD offered to me: forgetting that I administrated any, except at twice-yearly updates. Same with my earlier deployments of m0n0wall on the inside: on RO flash, and happily forgetting they existed. Except when a new version came out, alas that happened in 2014 for the last time.
Two more items under the original subject. Minor, though still suggested for consideration:
The GUI doesn’t show the firewall time at any prominent place (header, footer). Maybe that’s only me, though it doesn’t give me the best of all feelings not to know the time that machine thinks it had.
The dropdown list ‘Status’ isn’t very logical. ‘System’ and ‘Hardware Graphs’: which belongs where? And ‘Hardware Graphs’ are just ‘Temperature Graphs’ here. Does Hardware not belong to ‘System’?
Plus: any graph pops up with a daily graph. I’d prefer to see hourly graphs by default. And the one showing CPU frequency is totally white without speed-step CPUs.
Some more configurability would be welcome here.
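The space-triggered log archiving described earlier in this thread (a cron job that only moves the RAM-disk logs to /mnt/archive once usage fills up, and unconditionally before an intentional shutdown), as an added example that is not code from the thread or from IPFire. The LOGDIR, ARCHIVE and THRESHOLD values are assumptions; the copy-then-truncate approach mirrors logrotate’s copytruncate so daemons keep their open file handles, which also means the log retention you get is bounded by the RAM-disk size plus the archive interval.

```shell
#!/bin/sh
# Added example, not from the thread or from IPFire. Archive a tmpfs-backed
# /var/log to persistent storage when usage crosses a threshold, or always
# when forced (shutdown hook). Assumed paths and threshold below.
LOGDIR="${LOGDIR:-/var/log}"              # assumed tmpfs mount
ARCHIVE="${ARCHIVE:-/mnt/archive/logs}"   # assumed ext4 partition from the thread
THRESHOLD="${THRESHOLD:-80}"              # percent used that triggers a run

# Percent of the filesystem holding "$1" that is in use (POSIX df -P output).
used_percent() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Copy the current logs into "$2/<stamp>" and print that path. cp -a keeps
# ownership and timestamps; the originals stay in place for the daemons.
archive_logs() {
    src="$1"; dst="$2"; stamp="$3"
    [ -n "$stamp" ] || stamp=$(date +%Y%m%d-%H%M%S)
    target="$dst/$stamp"
    mkdir -p "$target"
    cp -a "$src/." "$target/"
    echo "$target"
}

# Truncate (never delete) regular files under "$1" after a successful copy, so
# syslog and friends keep writing to the same inode; same idea as copytruncate.
truncate_logs() {
    find "$1" -type f -exec sh -c ': > "$1"' _ {} \;
}

# Run the archive when usage reaches THRESHOLD or when "$1" is "force".
# Returns 0 when logs were archived, 1 when nothing needed doing.
maybe_archive() {
    pct=$(used_percent "$LOGDIR")
    if [ "$1" = "force" ] || [ "$pct" -ge "$THRESHOLD" ]; then
        archive_logs "$LOGDIR" "$ARCHIVE" >/dev/null && truncate_logs "$LOGDIR"
        return 0
    fi
    return 1
}

# Usage: from fcron every few minutes -> "maybe_archive"; from a shutdown
# script -> "maybe_archive force". Each run leaves a timestamped directory
# under ARCHIVE, which a remote syslog target should complement, not replace.
case "${1:-}" in
    check) maybe_archive ;;
    force) maybe_archive force ;;
esac
```

The threshold test uses df rather than a file count because what actually breaks a tmpfs is running out of its size limit, at which point every daemon that still writes to /var/log starts failing; archiving at 80 % leaves headroom for the copy itself.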
There is no option in the installer for this. The entire partition layout will be calculated on the fly during installation. You can of course use tools to edit it afterwards.
This is a different thing. I was talking about forensics only.
m0n0wall was a different design from modern operating systems like IPFire.
The entire menu isn’t very logical. We have played around with it a couple of times and moved things and they then don’t fit for other reasons. There are probably a hundred different ways and we went with this one.