I have an anecdote when it comes to disk in a firewall. My good old
trusty sparc64 firewall's disk had died. At first I didn't notice it
because the packets kept flowing but after a while I noticed some
strange behavior so I decided to log in to it and see what was wrong.
Hmmm no login, *sigh* alright I'll go drag a monitor into my computer
closet (not serial attached due to serial cable shortage at the
time). Ha, hundreds of failed reads and writes.
I replaced the sparc64 with my previous firewall box that had been
collecting dust since it retired (pentium pro 200) and packets flowed
again. Fixed up the sparc64 with a brand-spanking-old 4G IDE disk,
installed whatever was current and copied /etc back from backup. The
whole operation didn't take more than 30 mins and I had even less
downtime. All that I lost were logs and a very old disk (hangs on my
wall now).
The moral of the story is that you don't need much disk for a
firewall. Besides you said "no moving parts", RAID by definition
adds more moving parts of the kind that fail most often.
FWIW :-)
On Nov 29, 2005, at 7:44 AM, Bob Beck wrote:
Actually, when I am in a position to use carp and pfsync
I often do not bother with embedded, unless I have power concerns.
If you want embedded buy the comell box suggested earlier, but if
you really have no budget, don't bother with raid or other such
nonsense.
go find two cheap garage-a-tronics or used i386 boxes with two NICs,
rig up carp and pfsync between them, and be done with it.
I love raid, and use it where I have *DATA* that matters.
if it's just systems and gateways, etc, multiple cheap systems
set up with carp between them work better and cheaper than one system
with dual power supplies, raid controller, etc. etc. etc.
-Bob
The biggest reason I was choosing to go embedded is that I wanted a
system that did not have moving parts. This was to hopefully extend the
life of the machine and increase uptime by eliminating the hard drives
and power supplies with moving parts. I am not paying for power so I
can say that I am not concerned about consumption at this point. This
is only due to the fact that $ is finite at the present time and cannot
weigh heavily on the list of importance.
The alternative is to use a dual P3 that we have but I am still
interested in optimum availability. Do I implement RAID 1 with two
drives.....OR does this create more problems than it is worth by
introducing more parts to fail (two drives)? Do I implement a Flash card
reader and install OpenBSD/pf on a compact flash drive? I am not sure
where I should be drawing the line...I mean do I pay attention to drive
redundancy or power redundancy....or even actual firewall redundancy?
What is the most bang for the buck in terms of availability short of a
hot standby firewall configuration?
--
| | | The ASCII Fork Campaign
\|/ against gratuitous use of threads.
|