[Hardware]
CD-Based Routers
It always seemed like a great idea to create a firewall/router that boots from CD-ROM, and now there is a good distro for it. It took a few tries to get right, but the redWall distribution at redwall-firewall.com/tiki-index.php really shines. Even if you don't like CD-based firewalls (if there is something not to like), the inclusion of every version and viewer for Snort, plus a half-dozen other network monitoring systems, postfix, amavis, etc., makes it hard to imagine how you could build it yourself in less time.

Besides the basic configuration of all that software, redWall also does a great job of managing configuration. Having worked with another firewall that didn't do a very good job of collecting its configs, I've been impressed that redWall has never lost a setting on me. You might be wondering how it saves configuration at all: it goes to a floppy disk or a flash memory device. After writing it, you would want to write-protect that device, just in case the machine were to be compromised. With the floppy locked and the CD unwritable by nature, you are left with an impenetrable fortress of security. It can also be configured to automatically email the configuration to you every time you save it, as a backup in case the floppy fails, for instance.

This isn't really a production machine, but when I go to production and have to get a little more paranoid, I'll probably keep a few different configurations around. The first will be the same floppy, just with different passwords: if the machine were compromised, I would swap in the floppy with the new passwords and reset the box. But in case there was a vulnerability on the CD itself, a second backup floppy with only the minimal routing necessary would be the next level of escalation. When your box is getting hacked, you don't have time to think about how you are going to react. It has to be something that is ready to go.

--az, August 22, 2005 01:07 PM
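The setup above rests on two things you can check from the running box: that the config medium really is mounted read-only, and that the config on it still matches the copy that was mailed out when it was saved. The script below is an added example, not redWall's own tooling; the mount point, file names and the `.digest` marker file are assumptions.

```shell
#!/bin/sh
# Added example (not part of redWall): integrity checks for the
# write-protected config medium described in the post. Paths and the
# ".digest" marker file are hypothetical names chosen for this example.

# Return 0 if MOUNTPOINT is listed in MOUNTS_FILE (normally /proc/mounts)
# with the "ro" option, i.e. the kernel itself sees the medium as read-only.
# A physically locked floppy that was mounted "rw" still fails this check.
mount_is_readonly() {
    mounts_file=$1
    mountpoint=$2
    awk -v mp="$mountpoint" '
        $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1
        }
        END { if (found) exit 0; exit 1 }' "$mounts_file"
}

# One digest over every file under CONFIG_DIR in a stable order, so the
# value can be compared against the digest quoted in the mailed-out copy.
# Assumes file names without whitespace (xargs splits on it).
config_digest() {
    ( cd "$1" && find . -type f ! -name .digest | LC_ALL=C sort \
        | xargs sha256sum ) | sha256sum | cut -d' ' -f1
}

# Record the digest next to the saved config; the same value is what you
# would put in the notification mail when the config is written.
record_digest() {
    config_digest "$1" > "$1/.digest"
}

# Return 0 if the config on the medium still matches its recorded digest,
# non-zero if a file was changed, added or removed since it was saved.
verify_config() {
    [ -f "$1/.digest" ] || return 1
    [ "$(config_digest "$1")" = "$(cat "$1/.digest")" ]
}
```

Run `mount_is_readonly /proc/mounts /mnt/config && verify_config /mnt/config` from a boot-time script to refuse a config medium that is writable or has drifted from the mailed copy.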