<!doctype linuxdoc system>

<article>

<title>Sentry Firewall CD HOWTO

<author>Stephen A. Zarkos, <url url="mailto:Obsid@Sentry.net" name="Obsid@Sentry.net">

<date>v1.2, 2002-06-11

<abstract>
This document is an introduction to how the Sentry Firewall CDROM works and
how to get started using the system.
</abstract>

<toc>

<!-- BEGIN SECTION 1.0 -->

<sect> Introduction

<p> This is the long-overdue Sentry Firewall CDROM howto. I hope this
document helps get you started using the Sentry Firewall CD and answers
any questions you might have regarding how the system works. The most
current version of this howto can be obtained at the following URL:
<url url="http://www.SentryFirewall.com/files/howto/">.

If you would like to add anything to this document, or if you have any
questions or comments, please feel free to email me, <url url="mailto:Obsid@Sentry.net?subject=HOWTO"
name="Obsid@Sentry.net">.

<newline>
<sect1> What is the Sentry Firewall CD?

<p> The Sentry Firewall CD is a Linux-based bootable CDROM suitable
for use in a variety of different operating environments. The system is
designed to be configured dynamically via a floppy disk or over a network.
This allows one to configure the system at boot time, even though much of the
actual system is on read-only (CDROM) media.

<newline>
<sect1> Why would I use a CD-based firewall or server?

<p> There are several advantages to using a CDROM-based system in various
security-related environments. The main system is centered around the ramdisk,
a compressed file system image which is loaded into RAM at boot time. Any
changes to the ramdisk image are temporary, and will be undone upon the next
reboot. Furthermore, the ramdisk, kernel, binaries, etc. related to the
operating system are kept on read-only media (CDROM). This means that if the
security of a box running a CDROM-based system is ever compromised, the attacker
can at best own the box until the next reboot. So there is no real threat of
having to go through the tedious task of rebuilding and hardening the system
after a successful attack is discovered.

<newline>
<sect1> I'm a Linux newbie, will the Sentry Firewall CD be a good choice for me?

<p> At the moment, there are at least a couple of variations of the Sentry Firewall CD
that are based on various Linux distributions. You should first choose the Linux
distribution you are most familiar with. More information on the different types can
be found on the web site - <url url="http://www.SentryFirewall.com/">.

<p> Basically, the Sentry Firewall CD is meant to be configured no more easily than
a normal Slackware or Redhat or whatever Linux system. There are no GUIs, no scripts
to do it for you. The idea behind the configuration of the CD is that you are able to
reconfigure the system by replacing the startup scripts and the various system and
configuration files present on the system at boot time. Most of these are simply text
files and shell scripts that you need to edit by hand in order to be configured properly.
There are, however, usually plenty of resources available to assist you in
configuring a specific service or daemon (HOWTOs on linux.org, for example).

<newline>
<sect1> What's with this new branch "sentrycd-RH"? What's the difference between the branches?

<p> First, let me explain briefly how the Sentry Firewall CD works. Basically,
there is the "host" system, a Linux system that is based on one of several Linux distributions.
Then there are the configuration scripts, written in perl, that run after the kernel boots
and help configure the system on the fly. In general, it is possible to create a Sentry
Firewall CD system based on nearly any Linux distribution while only modifying one of the
five perl scripts.

<p> So, to answer your question, "sentrycd-RH" is based on a different Linux distribution
than the original branch "sentrycd". Since I'm a Slackware fan, I used that distribution as
the foundation for the original Sentry Firewall CD (the sentrycd branch). It has always been my
desire to utilize other Linux distributions for this project, which is why I created the sentrycd-RH
branch.

<p> In any case, all the basic functionality is present in both versions. But since different
Linux distributions are configured differently, using different rc files or files in /etc/sysconfig
for example, some of the configuration directives (explained below) will vary between the two branches.

<p> You may be asking yourself, "then what Linux distro is the sentrycd-RH branch based on?" Well,
since I'm not about to violate any current
<url url="http://www.redhat.com/about/corporate/trademark/guidelines.html" name="trademark guidelines">,
I'll leave that as an exercise to the reader. Of course, you can always
<url url="http://www.sentryfirewall.com/#download" name="download"> the ISO and find out for yourself :-)

<newline>
<sect1> Minimum Requirements

<p>
<itemize>
<item> x86 computer with CD-ROM
<item> BIOS that supports the El Torito standard (booting from the CDROM).
<item> 32MB RAM (64MB or more recommended)
<item> Easy access to coffee/tea/soda or equivalent stimulant.
<item> Floppy disk drive (optional)
</itemize>

<newline>
<sect1> Copyrights and Disclaimer

<p> The current copyright and disclaimer can be found on the website:
<url url="http://www.SentryFirewall.com/files/COPYRIGHT">. It applies to the Sentry
Firewall CD, and all the scripts and documentation associated with it.

<!-- END SECTION 1.0 -->

<!-- BEGIN SECTION 2.0 -->

<newline>
<sect> How the CD Works (Overview)

<p> This section is just an overview to explain how the Sentry Firewall CD works,
that is, from the process of loading the kernel to running the Sentry Firewall
CD configuration scripts located on the RAMDisk.

<newline>
<sect1> The Boot Process

<p> Booting from the CDROM is a fairly familiar process. The BIOS execs the
bootloader (Syslinux), which then displays a boot prompt and loads the kernel and
ramdisk into memory. Once the kernel is running, the ramdisk is then mounted as
root (/).

An obvious necessity for deploying CDROM-based systems is the ability to
dynamically configure the system for various environments with different
configurations, which is what a good majority of this project is dedicated to
building. A simple way to do this is to give the user the ability to customize
the startup scripts located in /etc/rc.d before they are actually used, as well
as the ability to customize other important system configuration files.

At boot time, the /etc and /etc/rc.d directories are nearly empty. On a
Slackware system the first rc file to run is /etc/rc.d/rc.S, and it is from
this file that we run the configuration scripts that look for a configuration
file (sentry.conf) and place the proper configuration and system files in /etc
and various subdirectories under /etc. On other Linux systems, such as RedHat,
the configuration scripts would be run from rc.sysinit. If there is no
configuration directive for a specific file, or if a configuration file cannot be
found, then the default system files are used, which are located in /etc/default/*
on the ramdisk.

<newline>
<sect1> ISOLINUX

<p> Early versions of the Sentry Firewall CD utilized the 2.88MB floppy
emulation method, along with either lilo or syslinux to boot the kernel and load
the ramdisk. This method proved very limiting for two reasons: A) the total
size of the compressed ramdisk AND kernel was limited to 2.88MB, and B) it was
quite slow compared to the current method.

The Sentry Firewall CD currently utilizes the isolinux.bin boot record
with no emulation in order to properly boot the CDs. This allows us to use a
much larger ramdisk and offer a choice of several kernels at boot time.

More information about syslinux can be found at <url
url="http://syslinux.zytor.com/" name="syslinux.zytor.com">.

<newline>
<sect1> The CD Configuration Scripts

<p> As previously mentioned, our configuration scripts, which reside in
/etc/rc.d/SENTRY/ on the ramdisk, are generally run from an rc script in /etc/rc.d/.
The first script to run is called 'cd-config.pl', which is essentially the mainline
for the entire program. The other scripts that are used are called 'get_config.pl',
'process_conf.pl', 'do_config.pl' and 'networking.pl'. These scripts were written
specifically for this project, and are essentially the mainstay of the entire
configuration process.

An in-depth review of these scripts is a little beyond the scope of this
document, but is covered a bit in the file called 'DOCUMENTATION' available on
the website (<url url="http://www.SentryFirewall.com/">). The files are written
in perl, and do several important things: read in and parse the configuration
file (sentry.conf), locate and retrieve the important files detailed in the
sentry.conf file, and replace the system default files with the ones the user
has defined in the configuration file.

<!-- END SECTION 2.0 -->

<!-- BEGIN SECTION 3.0 -->

<newline>
<sect> Obtaining the CDROM

<sect1> Downloading

<p> The CDROM is distributed as a gzip or bzip2 compressed iso image, and is
generally between 95-105MB in size. ISO images for the sentrycd-RH branch are
generally much larger, between 150-200MB in size. Available download mirrors
are listed on the websites: <url url="http://www.SentryFirewall.com/"> or
<url url="http://Sentry.Sourceforge.net/">.

<newline>
<sect1> Purchasing

<p> Although the iso image is free to use and distribute, copies of the Sentry
Firewall CD can be mailed to you at a minimal cost. Custom versions of the CD and support
can also be made available and tailored to a specific network configuration.

For more information about these services, please
<url url="mailto:Obsid@Sentry.net" name="email me">.

<newline>
<sect1> Burning the CDROM

<p> This section will attempt a general overview on how to burn the CD iso
image once you have obtained it from one of the mirrors. All the commands
presume you're working in Linux; if not, then I'm afraid you're on your own.

First, let's decompress the iso image: <newline>
<bf>NOTE:</bf> Make sure you have enough disk space; the decompressed iso image can be
somewhere between 250MB and 300MB.

<tscreen><verb>
blah@wherever:~$ gzip -d sentrycd.iso.gz

or

blah@wherever:~$ bzip2 -d sentrycd.iso.bz2
</verb></tscreen>

Verify the integrity of the iso image (compare the output with the checksum
published for the image):
<tscreen><verb>
blah@wherever:~$ md5sum -b sentrycd.iso
</verb></tscreen>

<p> Now, let's try to burn the CD. You'll need the 'cdrecord' utility
available; it can be obtained <url
url="http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/cdrecord.html" name="here">.
You will want to run 'cdrecord -scanbus' in order to find the 'dev' value
required for the following command. You will also need to know the write speed
of your CDRW. Details on how to set this all up are beyond the scope of this
document; please refer to the <url url="http://www.linux.org/docs/ldp/howto/CD-Writing-HOWTO.html" name="CD Writing HOWTO">
for more details.

<tscreen><verb>
blah@wherever:~$ DEV="DEV_LINE_HERE" SPEED="SPEED"
blah@wherever:~$ cdrecord -v -data speed=$SPEED dev=$DEV sentrycd.iso
</verb></tscreen>

That's it, you now have a Sentry Firewall CDROM. By the way, you
may have to be root to do all this.

Keep in mind, if you simply want to look at the ISO image without actually
burning the CD, you can mount the image on a loopback device:

<tscreen><verb>
blah@wherever:~$ mount -o loop ./sentrycd.iso /MOUNT_POINT
</verb></tscreen>

Where &dquot;MOUNT_POINT&dquot; is where you would like the CD mounted. You may
then 'cd' to the MOUNT_POINT directory and poke around; don't forget to 'umount' the
image once you're finished. This assumes you have support in your kernel for
the loopback device. You probably do, but once again, recompiling kernels is
beyond the scope of this document.

<!-- END SECTION 3.0 -->

<!-- BEGIN SECTION 4.0 -->

<newline>
<sect> Using the Sentry Firewall CDROM

<sect1> Introduction

<p> The configuration scripts which are run from /etc/rc.d/rc.S first look for
a configuration file called 'sentry.conf' on a floppy disk which, if present,
will be mounted on /floppy. In order to configure the Linux system for use
in any particular environment, the user must have the ability to replace the
system default files with his/her own copies. The 'sentry.conf' file basically
tells the configuration scripts which files they should replace and where those
files are.

A good example of a sentry.conf file can be found on the Sentry Firewall CD
in the directory /SENTRY/scripts/cd-config/. Configuration floppy disk
images (1.44M) can also be found in /SENTRY/images/ on the CD.

<newline>
<sect1> The sentry.conf file

<p> The main configuration file for the system is called 'sentry.conf'. It will
first be looked for on a floppy disk (/dev/fd0). The file accepts several
configuration directives, many of which will be discussed below.

<newline>

<sect2> Example

<p>
A basic configuration file looks like the following (everything after a '#'
sign is interpreted as a comment):

<verb>
----snip----
## Basic Sentry Firewall CD config file(sentry.conf)

rc.local = /floppy/config1/rc.local
fstab = /floppy/config1/fstab
passwd = /floppy/config1/passwd
shadow = /floppy/config1/shadow

# EOF #
----snip----
</verb>

The syntax is pretty simple: the default 'rc.local' file will be replaced with
the user-defined 'rc.local' file located in the '/floppy/config1/' directory. The same
goes for 'fstab', 'passwd', and the 'shadow' file. But it is important to
remember, the first place the sentry.conf file will be looked for is on
/dev/fd0, which, if found, will be mounted on /floppy. This is why all these
files appear to be located in the /floppy directory; it is simply the mount
point for the floppy disk.

<bf>NOTE:</bf> As of version 1.3.0, a user may now omit the `/floppy'
prefix. So, for example, a line in sentry.conf that says the following:

<verb>
shadow = config1/shadow
</verb>

will be assumed to mean (in most cases) the following:
<verb>
shadow = /floppy/config1/shadow
</verb>
as long as /floppy/config1/shadow exists.

<newline>

Unfortunately, you cannot arbitrarily replace files; for example, the
following will likely not be parsed correctly:
<verb>
foo.conf = /floppy/config1/foo.conf
</verb>

The configuration scripts only recognize a certain number of configuration
files. There are other very easy ways to copy configuration files into their
proper location, however. These methods will be discussed below.

<newline>
<sect1> Network Configuration

<p> As of version 1.0.5, a new syntax for the configuration directives is
recognized: those with an "http://" or "ftp://" prefix. This basically means
that the following syntax is now supported:
<verb>
inetd.conf = ftp://[user:pass@]123.123.123.123/config1/inetd.conf
hosts = http://[user:pass@]123.123.123.123/config1/hosts
</verb>

As of version 1.3.0, "https://", "scp://", and "sftp://" URLs are also supported.
For example:
<verb>
shadow = scp://<user>:<pass>@123.123.123.123/dir/shadow
passwd = sftp://<user>:<pass>@123.123.123.123/dir/passwd
fstab = https://[user:pass@]123.123.123.123/dir/fstab
</verb>

<bf>NOTE:</bf> The username and password fields are required when retrieving files
via scp or sftp. Empty passwords are not permitted.

<newline>

In order to accomplish this, the configuration scripts need to have the
ability to set up an ethernet interface, as well as obtain nameserver
information from the sentry.conf file. The syntax to accomplish this is the
following:
<verb>
device{1..10} = <device>:<driver>:<IP address>[|Gateway_IP]

or..

device{1..10} = <device>:<driver>:dhcp[|Hostname]
</verb>

And to set up a nameserver:
<verb>
nameserver = <IP_ADDRESS>
</verb>

<newline>

Additionally, when retrieving files using "http", "https", or "ftp",
you may also set up a proxy server. The following directives will allow you
to do so (they may not all be required for your setup):
<verb>
http_proxy = http://<hostname>/
ftp_proxy = http://<hostname>/
proxy-user = <PROXY_USER>
proxy-passwd = <PROXY_PASSWORD>
</verb>

Passive FTP may also be required. If so, use the 'passive-ftp' option, ie:
<verb>
passive-ftp = <on|off> ## Default == off
</verb>

<newline>

So, for example, to set up an interface called "eth0", which uses the "tulip"
driver and can obtain its IP address from a DHCP server, we can use the
following line:
<verb>
device1 = eth0:tulip:dhcp
</verb>

<p> As you can see, a total of 10 devices are allowed. Let's say we now want to
set up an interface "eth1" that uses an "rtl8139" chip (the "8139too" driver), and has a static
IP (192.168.1.2) and a default gateway (192.168.1.1):
<verb>
device2 = eth1:8139too:192.168.1.2|192.168.1.1
</verb>

<bf>NOTE:</bf> It is important to keep in mind that whatever devices you set up during the
configuration process will be promptly taken down after the configuration is
complete. This setup is only used so you can retrieve configuration files over
the network, via http and ftp. For more permanent network configuration, please
use the rc.inet1 file.

<newline>
<sect2> Example

<p>
<verb>
----snip----
## Basic Sentry Firewall CD config file to retrieve files via HTTP(s)/FTP/SCP/SFTP.

device1 = eth0:tulip:192.168.1.2|192.168.1.1
nameserver = <MY_DNS_IP>

rc.M = ftp://user:pass@config.sentry.net/node1/rc.M
rc.inet1 = http://user:pass@config.sentry.net/all_nodes/rc.inet1
passwd = scp://user:pass@config.sentry.net/all_nodes/passwd
shadow = sftp://user:pass@config.sentry.net/node1/shadow

# EOF #
----snip----
</verb>

<newline>
<sect1> Other Useful Configuration Directives

<p> Copy file /floppy/someconfig.conf to /etc/someconfig.conf -
<verb>
/floppy/someconfig.conf |= /etc/someconfig.conf

OR, this does the same thing -

/etc/someconfig.conf = /floppy/someconfig.conf

and this is also possible (v1.3.0) -

/etc/someconfig.conf = ftp://<server>/someconfig.conf
</verb>

Make a symlink called /etc/someconfig.conf that points to
/etc/otherconfig.conf -

<verb>
/etc/someconfig.conf => /etc/otherconfig.conf
</verb>

The include directive grabs another sentry.conf file from another
location -
<verb>
include = ftp://user:pass@config.sentry.net/node1/sentry.conf
</verb>

Keep in mind, however, that the include directive is one of the first directives
to be parsed. Any configuration directives parsed from the included sentry.conf
file that conflict with directives in the previously parsed sentry.conf files
will clobber the old ones.

<newline>
<sect1> Putting it all together, managing multiple nodes from a single location.

<p> In order to manage multiple nodes from a single location, you can use a bare
sentry.conf file located on a floppy disk, and then grab files from your ftp or
http servers.

<verb>
----snip----
## Basic Sentry Firewall CD config file.

device1 = eth0:tulip:dhcp
nameserver = <DNS_IP>
include = ftp://user:pass@config.sentry.net/node1/sentry.conf

----snip----
</verb>

The included sentry.conf file will then be parsed, and files replaced via http
or ftp if you like. You can now edit your sentry.conf and configuration files
at a central location.
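<p> As an added example (it is not part of this HOWTO, nor is it the CD's own perl code),
the following Python model of the sentry.conf syntax from this section and from "The sentry.conf
file" above parses the directive forms, applies the v1.3.0 '/floppy' default, decodes 'device'
specs, and merges an included sentry.conf with the clobbering precedence described above.
It assumes a constructed dictionary in place of the ftp retrieval, a made-up server name
(config.example.net) and addresses, and only a subset of the sentrycd directive list.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Subset of the rc/config files the "sentrycd" branch recognizes (see the list in section 5).
SENTRYCD_FILES = {"rc.M", "rc.inet1", "rc.inet2", "rc.local", "rc.firewall", "fstab",
                  "passwd", "shadow", "group", "hosts", "hostname", "inetd.conf"}
URL_PREFIXES = ("http://", "https://", "ftp://", "sftp://", "scp://")
DEVICE_RE = re.compile(r"^device(?:[1-9]|10)$")        # device1 .. device10
LINE_RE = re.compile(r"^(\S+)\s*(\|=|=>|=)\s*(\S+)$")  # key OP value

# address is a dotted IP or the literal "dhcp"; extra is the gateway (static) or hostname (dhcp)
Device = namedtuple("Device", "name driver address extra")

@dataclass
class Config:
    replace: Dict[str, str] = field(default_factory=dict)   # directive -> location
    copy: Dict[str, str] = field(default_factory=dict)      # destination -> source
    symlink: Dict[str, str] = field(default_factory=dict)   # link -> target
    devices: Dict[str, Device] = field(default_factory=dict)
    nameserver: Optional[str] = None
    unknown: List[str] = field(default_factory=list)        # lines the scripts would reject

def normalize_location(loc: str) -> str:
    """v1.3.0: a bare path such as 'config1/shadow' means '/floppy/config1/shadow'."""
    if loc.startswith("/") or loc.startswith(URL_PREFIXES):
        return loc
    return "/floppy/" + loc

def parse_device(value: str) -> Device:
    """<device>:<driver>:<IP>[|gateway]  or  <device>:<driver>:dhcp[|hostname]"""
    parts = value.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"bad device spec: {value!r}")
    name, driver, rest = parts
    address, _, extra = rest.partition("|")
    return Device(name, driver, address, extra or None)

def parse_conf(text: str, supported=SENTRYCD_FILES,
               fetch: Optional[Callable[[str], str]] = None, cfg: Optional[Config] = None) -> Config:
    """Parse one sentry.conf ('#' starts a comment). Included files are fetched with
    `fetch` and parsed on top of this file, so their directives clobber earlier ones."""
    cfg = cfg if cfg is not None else Config()
    includes: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            cfg.unknown.append(line)
            continue
        left, op, right = m.groups()
        if op == "|=":                          # source |= destination
            cfg.copy[right] = normalize_location(left)
        elif op == "=>":                        # link => target
            cfg.symlink[left] = right
        elif left == "include":
            includes.append(normalize_location(right))
        elif DEVICE_RE.match(left):
            cfg.devices[left] = parse_device(right)
        elif left == "nameserver":
            cfg.nameserver = right
        elif left.startswith("/"):              # destination = source (a copy)
            cfg.copy[left] = normalize_location(right)
        elif left in supported:                 # replace a known rc/config file
            cfg.replace[left] = normalize_location(right)
        else:                                   # e.g. 'foo.conf = ...' is not recognized
            cfg.unknown.append(line)
    for loc in includes:
        if fetch is None:
            raise ValueError(f"cannot retrieve included file {loc!r}")
        parse_conf(fetch(loc), supported, fetch, cfg)
    return cfg

# Constructed sample: a bare floppy sentry.conf that pulls the rest from a server.
FLOPPY_CONF = """\
device1 = eth0:tulip:dhcp
nameserver = 192.0.2.53
shadow = config1/shadow                 # /floppy prefix omitted (v1.3.0)
include = ftp://user:pass@config.example.net/node1/sentry.conf
foo.conf = /floppy/config1/foo.conf     # not a supported directive
"""
# Constructed stand-in for the ftp retrieval of the included file (made-up host).
REMOTE_CONFS = {
    "ftp://user:pass@config.example.net/node1/sentry.conf": """\
shadow = sftp://user:pass@config.example.net/node1/shadow
/etc/daemon.conf = scp://user:pass@config.example.net/config/daemon.conf
/floppy/someconfig.conf |= /etc/someconfig.conf
/etc/someconfig.conf => /etc/otherconfig.conf
device2 = eth1:8139too:192.168.1.2|192.168.1.1
""",
}

def example() -> Config:
    # The included 'shadow' line clobbers the one from the floppy.
    return parse_conf(FLOPPY_CONF, fetch=REMOTE_CONFS.__getitem__)
```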
<newline>

<sect1> Example sentry.conf and disk images

<p> An example configuration disk image is available on the CDROM. The disk is
an ext2 formatted disk, and is located in the '/SENTRY/images/' directory on the
CD. There is also a very complete sentry.conf file on the disk which may help
clarify a lot of these directives. Use a command like the following to create
the configuration disk:

<tscreen><verb>
blah@wherever:~$ dd if=/cdrom/SENTRY/images/ext2-144.img of=/dev/fd0
2880+0 records in
2880+0 records out
</verb></tscreen>

The disk images and a sample sentry.conf file can also be found on the website at
the following locations:
<itemize>
<item><bf>sentry.conf</bf> - <url url="http://www.SentryFirewall.com/files/scripts/cd-config/" name="http://www.SentryFirewall.com/files/scripts/cd-config/">
<item><bf>Disk Images</bf> - <url url="http://www.SentryFirewall.com/files/images/" name="http://www.SentryFirewall.com/files/images/">
</itemize>

<!-- END SECTION 4.0 -->

<!-- BEGIN SECTION 5.0 -->

<newline>
<sect> Overview of Available Configuration Directives

<sect1> Replacing rc/config files

<p> To replace a file that is supported by the configuration scripts, you may
use the following syntax:
<verb>
filename_directive = /location/of/filename
</verb>

Where "filename_directive" is one of the directives listed below, and the location
of the file is often '/floppy/filename'. The file location can also be a URL.
The supported prefixes include "http://", "https://", "ftp://", "sftp://", and "scp://".

As previously mentioned, there are at least two Sentry Firewall CD branches with varying
names like "sentrycd" and "sentrycd-RH". The only difference between these branches is
the "host" Linux distribution that is utilized. And since Linux distributions utilize
different files during bootup, the accepted directives for the two branches vary. For example,
a Slackware system utilizes files such as "rc.S" and "rc.M" to boot into single and multi-user
modes. Other Linux distributions, such as Red Hat, utilize different files such as
"rc.sysinit" and various files located in /etc/rc.d/init.d/. Therefore, when running
a sentrycd-RH system, which is not Slackware based, it would be pointless to have a
directive that states the following:
<verb>
rc.M = /floppy/rc.M
</verb>
since a non-Slackware system wouldn't know what to do with a file called "rc.M". In any case, it
is for this reason that the configuration directives vary a bit between branches.

<newline>

Branch: <bf>sentrycd</bf> <newline>
The following rc/config files are currently supported:

<tscreen><verb>
rc.M
rc.netdevice
rc.inet1
rc.inet2
rc.local
rc.modules
rc.firewall
rc.firewall.nat
fstab
passwd
shadow
group
shells
profile
resolv.conf
hosts
ftpusers
hostname
newsyslog.conf
openssl.cnf
syslog.conf
syslog-ng.conf
inetd.conf
modules.conf
proftpd.conf
squid.conf
httpd.conf
smb.conf
snort.conf
pptpd.conf
pppoe.conf
gated.conf
zebra.conf
hosts.equiv
shosts.equiv
ssh_config
sshd_config
ssh_host_key
ssh_host_key.pub
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
ssh_known_hosts
ssh_known_hosts2
</verb></tscreen>

<newline>

Branch: <bf>sentrycd-RH</bf> <newline>
The following rc/config files are currently supported:

<tscreen><verb>
rc.local
rc.news
rc.firewall
rc.firewall.nat
fstab
ftpusers
group
hosts.equiv
hostname
hosts
openssl.cnf
passwd
profile
resolv.conf
shadow
shells
gated.conf
httpd.conf
named.conf
pppoe.conf
proftpd.conf
pptpd.conf
smb.conf
snort.conf
squid.conf
syslog-ng.conf
syslog.conf
xinetd.conf
zebra.conf

sysconf_dir **
xinetd_dir **
</verb></tscreen>

** The "sysconf_dir" and "xinetd_dir" directives are unique to the "sentrycd-RH" branch. Unlike
the other directives, these are used to replace the files located in the /etc/xinetd.d/
and /etc/sysconfig/ directories. The /etc/sysconfig/ directory contains most of the
configuration files used by the init scripts (in /etc/rc.d/init.d/) on systems such as
Red Hat.

Example:
<verb>
sysconf_dir = /floppy/sysconfig
or
sysconf_dir = ftp://123.123.123.123/node1234/sysconfig
</verb>
Please note that "/floppy/sysconfig" and "/node1234/sysconfig" are <it>directories</it>
that contain files you want placed in /etc/sysconfig/. The "xinetd_dir" directive is
used in the same way.

<newline>

<bf>NOTE:</bf> To replace files not supported by the configuration scripts, use the
'|=' file copy directive discussed below.

<newline>
<sect1> 'device' directive support
|
|
|
|
<p> Set up an ethernet device to use during configuration.
|
|
|
|
|
|
|
|
<verb>
|
|
|
|
device[#] = [device_name]:[driver_name]:[IP_Address]<|gateway>
|
|
|
|
device[#] = [device_name]:[driver_name]:dhcp<|hostname>
|
|
|
|
|
|
|
|
NOTE: 1) <hostname> and <gateway> are optional, but sometimes required.
|
|
|
|
2) Most ethernet devices are supported. If you find one that isn't
|
|
|
|
and you think it should be, please let me know.
|
|
|
|
3) "device1" to "device10" are supported.
|
|
|
|
|
|
|
|
Examples:
|
|
|
|
device1 = eth0:tulip:192.168.1.50|192.168.1.1
|
|
|
|
device2 = eth1:via-rhine:dhcp
|
|
|
|
|
|
|
|
</verb>
|
|
|
|
|
|
|
|
|
|
|
|
<newline>
|
|
|
|
<sect1> 'nameserver' directive
|
|
|
|
<p> Set up a nameserver to use during configuration.
|
|
|
|
|
|
|
|
<verb>
|
|
|
|
nameserver = <DNS_IP>
|
|
|
|
</verb>
|
|
|
|
|
|
|
|
|
2002-06-11 21:06:10 +00:00
|
|
|
<newline>
|
|
|
|
<sect1> Proxy Support Directives
|
|
|
|
<p> Set up a proxy for pulling files via http(s), or ftp.
|
|
|
|
<verb>
|
|
|
|
http_proxy = http://<hostname>/
|
|
|
|
ftp_proxy = http://<hostname>/
|
|
|
|
proxy-user = <PROXY_USER>
|
|
|
|
proxy-passwd = <PROXY_PASSWORD>
|
|
|
|
</verb>
|
|
|
|
|
|
|
|
|
|
|
|
<newline>
|
|
|
|
<sect1> Passive FTP Support
|
|
|
|
<p> Use passive ftp instead of active ftp to retrieve files.
|
|
|
|
<verb>
|
|
|
|
passive-ftp = <on|off> ## Default == off
|
|
|
|
</verb>
|
|
|
|
|
|
|
|
|
2002-03-27 13:17:45 +00:00
|
|
|
<newline>
<sect1> 'include' directive
<p> Retrieve and parse another 'sentry.conf' file.

<verb>
include = </location/of/sentry.conf>

Or, with network support -

include = <ftp|http>://[<user>:<pass>@]<SERVER_IP></path/to/sentry.conf>
</verb>

<newline>
<sect1> Copying files (|=)
<p> Copy a file from one location to another.

<verb>
Syntax: source_file |= dest_file, OR
        dest_file = source_file

Example: Copy file /floppy/daemon.conf to /etc/daemon.conf

/floppy/daemon.conf |= /etc/daemon.conf
or
/etc/daemon.conf = /floppy/daemon.conf
or
/etc/daemon.conf = scp://<user>:<pass>@<server>/config/daemon.conf
</verb>
<bf>NOTE:</bf> http(s)/(s)ftp/scp support is only available with Sentry Firewall CD
versions >= 1.3.0.

<newline>
<sect1> Making Symlinks (=>)
<p> Create a symlink.

<verb>
Syntax: link_name => target (the path the symlink points to)

Example:
Make a symlink called /etc/somefile.conf that points to /etc/otherfile.conf

/etc/somefile.conf => /etc/otherfile.conf
</verb>

<newline>
<sect1> 'cdrom' directive
<p> Defines which device the CDROM is. Most of the time the CDROM is detected
and mounted automatically by the /etc/rc.d/rc.cdrom script; setting the device
explicitly makes that step less error-prone.

<verb>
Syntax: cdrom = <DEVICE>

Example:
cdrom = /dev/hdc
</verb>

<newline>
<sect1> 'cron' directive
<p> Replace a user's crontab file (located in /var/spool/cron/crontabs/).

<verb>
Syntax: cron:<USERNAME> = </LOCATION/OF/CRONTAB_FILE>
</verb>

<newline>
<sect1> hostname
<p> Defines the hostname of the local machine. This directive can be used to
either point to a file containing the hostname of the local machine, or to
define the hostname itself.

<verb>
Syntax: hostname = </path/to/file>
or
hostname = MYHOSTNAME
</verb>

<newline>
<sect1> Other sentrycd-RH Specific Directives
<p> Besides the "xinetd_dir" and "sysconf_dir" directives, mentioned above,
there is another directive that is unique to the sentrycd-RH branch.

<newline>
<sect2> Start/Stop a Service or Daemon
<p> This directive gives you the ability to start or stop a service at bootup.
The syntax looks like the following, where service_name is the name of the
init script in /etc/rc.d/init.d/:

<verb>
<service_name>:[start|stop] = <path/to/service_init_file>
</verb>
For example:
<verb>
httpd:stop
or
httpd:start = /floppy/config/httpd
</verb>

In the above example, we are telling the Sentry Firewall CD to either start or stop
the http daemon at bootup. The optional argument "<path/to/service_init_file>" is
usually not necessary, but is used to actually replace the startup script located in
/etc/rc.d/init.d/, in case you ever wanted to do so.

To get a better idea of how this works, please take a look at the sample "sentry.conf"
file located either on the CD or online at
<url url="http://www.SentryFirewall.com/files/scripts/cd-config/sentrycd-rh/sentry.conf"
name="http://www.SentryFirewall.com/files/scripts/cd-config/sentrycd-rh/sentry.conf">
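As an added example for this HOWTO (not the Sentry Firewall CD's own configuration scripts, which live on the CD and behave differently in detail), the shell script below interprets every directive documented in this section, from 'device' through 'service', and applies each one under a staging root instead of the live filesystem. It gives a sentry.conf a dry run: files and symlinks end up under the stage, the network commands a 'device' line implies are written to a script for review, and anything the parser cannot place is logged the way the real scripts log to /var/log/SENTRY_LOG. Everything not spelled out in this section is an assumption of the example: '#' starting a comment, the $SENTRY_STAGE root, dhcpcd as the DHCP client, /etc/HOSTNAME and /etc/resolv.conf as the targets of the hostname and nameserver directives, and the 'settings' and 'net-up.sh' files it writes.

```shell
#!/bin/sh
# Dry-run interpreter for the sentry.conf directives documented above: an
# added example, not the Sentry Firewall CD's own configuration scripts.
# Assumptions not taken from the HOWTO: '#' starts a comment, dhcpcd is the
# DHCP client, /etc/HOSTNAME and /etc/resolv.conf receive hostname/nameserver.
set -u
STAGE="${SENTRY_STAGE:-/tmp/sentry-stage}"   # staging root (assumed name)
SENTRY_UNPARSED=0                             # lines no directive matched
SENTRY_SKIPPED=0                              # network sources, unreadable files

trim()    { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }
log()     { mkdir -p "$STAGE"; printf '%s\n' "$*" >> "$STAGE/SENTRY_LOG"; }
setting() { mkdir -p "$STAGE"; printf '%s=%s\n' "$1" "$2" >> "$STAGE/settings"; }
skip()    { log "$1"; SENTRY_SKIPPED=$((SENTRY_SKIPPED + 1)); }

# copy_file SRC DST: the 'SRC |= DST' and 'DST = SRC' forms. Network sources
# are only logged; the real scripts fetch them (wget/scp, CD >= 1.3.0).
copy_file() {
    case "$1" in *://*) skip "skip: network source $1 -> $2"; return 0;; esac
    if [ ! -r "$1" ]; then skip "error: cannot read $1 (wanted at $2)"; return 0; fi
    mkdir -p "$STAGE$(dirname "$2")" && cp -p "$1" "$STAGE$2" && log "copy: $1 -> $2"
}
# make_link LINK TARGET: the 'LINK => TARGET' form. TARGET is kept verbatim,
# since on the running box the link points into the real filesystem.
make_link() {
    mkdir -p "$STAGE$(dirname "$1")" && rm -f "$STAGE$1" && ln -s "$2" "$STAGE$1" \
        && log "link: $1 -> $2"
}
# device_up SPEC: 'dev:driver:ip|gw' or 'dev:driver:dhcp|hostname' becomes
# the commands the box would run, appended to $STAGE/net-up.sh for review.
device_up() {
    local dev drv addr opt
    dev=${1%%:*}; drv=${1#*:}; drv=${drv%%:*}; addr=${1#*:*:}
    case "$addr" in *\|*) opt=${addr#*|}; addr=${addr%%|*};; *) opt="";; esac
    mkdir -p "$STAGE"
    { printf 'modprobe %s\n' "$drv"
      if [ "$addr" = dhcp ]; then printf 'dhcpcd %s%s\n' "${opt:+-h $opt }" "$dev"
      else printf 'ifconfig %s %s up\n' "$dev" "$addr"
           if [ -n "$opt" ]; then printf 'route add default gw %s %s\n' "$opt" "$dev"; fi
      fi; } >> "$STAGE/net-up.sh"
}
# apply_sentry_conf FILE: parse FILE line by line and stage each directive.
apply_sentry_conf() {
    local conf line n key val
    conf=$1; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=$(trim "${line%%#*}")
        if [ -z "$line" ]; then continue; fi
        case "$line" in
            *"|="*) copy_file "$(trim "${line%%|=*}")" "$(trim "${line#*|=}")"; continue;;
            *"=>"*) make_link "$(trim "${line%%=>*}")" "$(trim "${line#*=>}")"; continue;;
            *=*)    key=$(trim "${line%%=*}"); val=$(trim "${line#*=}");;
            *)      key=$line; val="";;
        esac
        case "$key" in
            device[1-9]|device10) device_up "$val";;
            nameserver) mkdir -p "$STAGE/etc"; printf 'nameserver %s\n' "$val" >> "$STAGE/etc/resolv.conf";;
            hostname)   mkdir -p "$STAGE/etc"
                        if [ -r "$val" ]; then head -n 1 "$val"; else printf '%s\n' "$val"; fi > "$STAGE/etc/HOSTNAME";;
            include)    case "$val" in *://*) skip "skip: network include $val";;
                                       *)     apply_sentry_conf "$val";; esac;;
            cron:*)     copy_file "$val" "/var/spool/cron/crontabs/${key#cron:}";;
            *:start|*:stop)
                        setting "service.${key%%:*}" "${key#*:}"
                        if [ -n "$val" ]; then copy_file "$val" "/etc/rc.d/init.d/${key%%:*}"; fi;;
            http_proxy|ftp_proxy|proxy-user|proxy-passwd|passive-ftp|cdrom|sysconf_dir|xinetd_dir)
                        setting "$key" "$val";;
            /*)         copy_file "$val" "$key";;
            *)          log "$conf:$n: unparsed: $line"; SENTRY_UNPARSED=$((SENTRY_UNPARSED + 1));;
        esac
    done < "$conf"
}
# demo_sentry_conf: stage a constructed sample (not a real floppy) into a fresh STAGE.
demo_sentry_conf() {
    local floppy
    floppy=$(mktemp -d); STAGE=$(mktemp -d); SENTRY_UNPARSED=0; SENTRY_SKIPPED=0
    printf '0 3 * * * /usr/sbin/logrotate\n' > "$floppy/root.cron"
    printf 'some option\n' > "$floppy/daemon.conf"
    printf '%s\n' 'device1 = eth0:tulip:192.168.1.50|192.168.1.1' \
        'device2 = eth1:via-rhine:dhcp|fw1' 'nameserver = 192.168.1.1' > "$floppy/net.conf"
    cat > "$floppy/sentry.conf" <<EOF
include = $floppy/net.conf
hostname = fw1
$floppy/daemon.conf |= /etc/daemon.conf                       ## copy, form 1
/etc/daemon2.conf = $floppy/daemon.conf                       ## copy, form 2
/etc/daemon.conf = scp://user:pass@server/config/daemon.conf  ## CD >= 1.3.0 only
/etc/somefile.conf => /etc/otherfile.conf
cron:root = $floppy/root.cron
httpd:stop
passive-ftp = on
this line is not a directive
EOF
    apply_sentry_conf "$floppy/sentry.conf"
    printf 'staged under %s: %d unparsed, %d skipped\n' "$STAGE" "$SENTRY_UNPARSED" "$SENTRY_SKIPPED"
}
if [ $# -eq 0 ]; then demo_sentry_conf; else for f in "$@"; do apply_sentry_conf "$f"; done; fi
```

Run it with no arguments to stage the constructed sample configuration it contains, or pass the path to your own sentry.conf. Then read SENTRY_LOG under the stage: an 'unparsed' entry is a line the configuration scripts would ignore, and a 'skip' entry is a network source the dry run cannot fetch.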

<!-- END SECTION 5.0 -->

<!-- BEGIN SECTION 6.0 -->

<newline>
<sect> Troubleshooting
<sect1> Booting Problems
<p> Booting problems are generally rare, and usually only occur on old, buggy,
or otherwise non-compliant hardware. They can have a number of causes,
depending upon at what point during the boot process the failure occurs.
The following are possible causes of failure when booting from a CD.

<itemize>
<item> Old or buggy BIOSes that do not fully support the El Torito standard. The system
       may fail to load the isolinux bootloader or the kernel.
<item> Problematic CDROM drives can cause various problems when booting the CD.
       The CD may or may not boot, and will generally have trouble accessing files
       on the CD.
<item> A damaged CD, obviously, can cause a number of problems, with similar symptoms
       to the above.
<item> Insufficient hardware resources. Please see the "Minimum Requirements"
       section of this howto for more information on what is required to boot
       the CD.
<item> In the case of booting the Sentry Firewall CD, old or buggy floppy disk
       drives or damaged floppy disks can also result in serious problems, including
       corruption of the data on the floppy disk. If the configuration scripts cannot
       read and parse the files on the floppy disk, the system cannot configure
       itself properly.
</itemize>

In general, hardware issues cause the majority of problems during the boot process
of the Sentry Firewall CD, and they may not always be easy to diagnose. Generally, the
first step in debugging a boot problem is to try to boot another CD in the
same machine, to rule out a hardware problem, and then to boot
the Sentry Firewall CD in another machine, to rule out damage to the CD.
If neither test turns up a fault, then swap the CDROM drives
between the two machines, if possible, and test again. Then check the
general mailing list (mentioned below) for further assistance.

<newline>
<sect1> Configuration Problems
<p> This section deals with configuration problems with the "sentry.conf" file.
The sentry.conf configuration file, as mentioned in previous sections, tells the
configuration scripts what to do during boot time to configure the running system.
A syntax error in this file can cause a file to be misplaced, or a directive
not to be parsed at all.

Error messages during the boot process of the Sentry Firewall CD can help greatly
in diagnosing syntax and other errors, so watch the CD boot and
write down any error messages that pop up. Also, during bootup a logfile
detailing the configuration process is created at /var/log/SENTRY_LOG. If
you can log in to the system after it has booted, then take a look at this file for
any obvious error messages.

<newline>
<sect1> Frequently Asked Questions
<p> A FAQ is currently being maintained on the Sentry Firewall website; it can be
accessed via the following URL: <url url="http://Sentry.SourceForge.net/files/FAQ">.

<newline>
<sect1> Mailing List
<p> Thanks to <url url="http://www.SourceForge.net/" name="SourceForge.net">, there are mailing
lists available for the Sentry CD. You can look through the archives, or subscribe to the general
mailing list to ask questions or make comments. The following are links for the general
Sentry-Users mailing list. Other mailing lists are listed at
<url url="http://www.SentryFirewall.com/" name="SentryFirewall.com">.

<itemize>
<item> <url url="http://lists.sourceforge.net/lists/listinfo/sentry-users" name="Subscribe to Sentry-Users">
<item> <url url="http://www.geocrawler.com/redir-sf.php3?list=sentry-users" name="Sentry-Users Archives">
</itemize>

<!-- END SECTION 6.0 -->

<!-- BEGIN SECTION 7.0 -->

<newline>
<sect> Building a Custom Sentry CD
<sect1> Introduction
<p> This section will attempt to describe how to create a custom Sentry Firewall
CDROM. Unfortunately, I do not have time to go into every detail. But at
the very least I will try to provide for you an overview of the CD creation
process.

<newline>
<sect1> The development system (How I do it)
<p> My development system consists of two separate Linux installations of the
same distribution, depending on what branch I'm working on. First, I have a
very complete <insert Linux distro here> installation on my main hard
drive (/dev/hda). I then have /dev/hdb1, upon which I have another, bare bones,
installation - this installation generally has no compiling tools or X stuff.

I usually have /dev/hdb1 mounted on /mnt. That's not a critical element,
but I thought I'd mention it since I will refer to /mnt a lot from now on. I
then have a directory called /CD-FW on the /dev/hdb1 installation, that is, if
/dev/hdb1 is mounted on /mnt, then the directory would be called /mnt/CD-FW/.
Throughout this entire process, the installation on /dev/hda is the live running
system, and it is from here that I compile the needed tools, kernels, etc. and
basically run everything.

To make this easy for you, the Sentry Firewall CD ISO is basically an exact
copy of what's in /mnt/CD-FW/ on my hard drive. All I did was use the 'mkisofs'
utility on /mnt/CD-FW.

If you simply want to get started, perhaps try the following steps:
<itemize>
<item> Install a basic Slackware system on some other partition, /dev/hdb1 perhaps.
<item> Reboot into your normal (Linux) system and mount this new partition, let's say on /mnt.
<item> Mount the Sentry CD somewhere, let's say on /mnt2.
<item> <bf>type:</bf> mkdir /mnt/CD-FW
<item> <bf>type:</bf> cp -Rdp /mnt2/* /mnt/CD-FW/
<item> <bf>type:</bf> find /mnt/CD-FW/ -name 'TRANS.TBL' -type f -print | xargs rm -f <newline>
This removes the 'TRANS.TBL' files that mkisofs created when the CD was built with -T.
<item> Unmount /mnt2
<item> Run the following commands (in a script if you like) to update the /mnt/CD-FW/ directory:
<verb>
cp -Rdp /mnt/bin /mnt/CD-FW/
cp -Rdp /mnt/sbin /mnt/CD-FW/
cp -Rdp /mnt/lib /mnt/CD-FW/
cp -Rdp /mnt/usr/bin /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/sbin /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/local/bin /mnt/CD-FW/usr/local/
cp -Rdp /mnt/usr/lib /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/libexec /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/share /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/man /mnt/CD-FW/usr/
</verb>
</itemize>

<bf>NOTE:</bf> The above commands may spit out errors when working with certain
files (ie. hard links). These errors are annoying, but they're not critical at all.

You now have a development system like, or similar to, my own :-)

Now, if you ever want to install an rpm update or a Slackware package update (with
upgradepkg), you can do the following:
<tscreen><verb>
root@mybox:~# cd /mnt; chroot /mnt

root@mybox:/# upgradepkg update.tgz
or
root@mybox:/# rpm --upgrade update.rpm

root@mybox:/# exit
</verb></tscreen>

Then, all I need to do is re-run the script mentioned above, the one that
copies all those files, to update the /mnt/CD-FW directory.
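The copy list above, as a script with the checks a hand-typed run skips. This is an added example for this HOWTO, not one of the MK-CD scripts on the CD, and it assumes the layout described here: the bare-bones install is mounted at a source root (/mnt) and the CD tree is the destination (/mnt/CD-FW), both given on the command line. It refuses a destination that has no isolinux/ directory, reports trees missing from the source, copies with cp -RPp (the POSIX spelling of cp -Rdp, so symlinks stay symlinks and permissions survive), and strips any TRANS.TBL residue afterwards; with no arguments it builds a scratch tree and runs against that.

```shell
#!/bin/sh
# update-cdfw.sh SRC DEST: refresh the CD tree (DEST, e.g. /mnt/CD-FW) from
# the bare-bones install (SRC, e.g. /mnt), following the copy list in the
# HOWTO. Added example, not one of the MK-CD scripts shipped on the CD.
set -u

# The trees from the HOWTO's copy list, relative to SRC; each lands at the
# same relative place under DEST.
CDFW_DIRS="bin sbin lib usr/bin usr/sbin usr/local/bin usr/lib usr/libexec usr/share usr/man"

# update_cdfw SRC DEST: copy the listed trees, then strip the TRANS.TBL files
# that a mkisofs -T build leaves behind. Returns 1 if DEST does not look like
# the CD tree or a listed tree is missing from SRC.
update_cdfw() {
    local src dest d missing
    src=$1; dest=$2; missing=0
    if [ ! -d "$dest/isolinux" ]; then
        printf 'update_cdfw: %s has no isolinux/ directory; not the CD tree?\n' "$dest" >&2
        return 1
    fi
    for d in $CDFW_DIRS; do
        if [ ! -d "$src/$d" ]; then
            printf 'update_cdfw: %s/%s is missing\n' "$src" "$d" >&2
            missing=$((missing + 1)); continue
        fi
        mkdir -p "$dest/$(dirname "$d")"
        # cp -RPp is the POSIX spelling of the HOWTO's cp -Rdp: recurse, keep
        # symlinks as symlinks, preserve mode/owner/timestamps. Complaints
        # about hard links are the harmless errors the HOWTO mentions.
        cp -RPp "$src/$d" "$dest/$(dirname "$d")/" \
            || printf 'update_cdfw: cp reported errors under %s\n' "$d" >&2
    done
    find "$dest" -name TRANS.TBL -type f -exec rm -f {} +
    [ "$missing" -eq 0 ]
}

# count_trans_tbl DEST: how many TRANS.TBL files are left (should be 0).
count_trans_tbl() { find "$1" -name TRANS.TBL -type f | wc -l | tr -d ' '; }

# demo_update_cdfw: exercise update_cdfw on a constructed scratch tree and
# leave its location in DEMO_DEST. Sample data only, nothing from a real CD.
demo_update_cdfw() {
    local src dest d
    src=$(mktemp -d); dest=$(mktemp -d)
    for d in $CDFW_DIRS; do mkdir -p "$src/$d"; done
    printf '#!/bin/sh\necho hello\n' > "$src/bin/hello"; chmod 755 "$src/bin/hello"
    ln -s hello "$src/bin/hi"                    # must survive as a symlink, not a copy
    mkdir -p "$dest/isolinux" "$dest/bin"
    printf 'residue\n' > "$dest/bin/TRANS.TBL"   # as left behind by a mkisofs -T build
    update_cdfw "$src" "$dest"
    DEMO_DEST=$dest
}

if [ $# -eq 2 ]; then update_cdfw "$1" "$2"
else demo_update_cdfw; printf 'scratch CD tree: %s\n' "$DEMO_DEST"; fi
```

Run it as update-cdfw.sh /mnt /mnt/CD-FW after every chroot upgrade; the TRANS.TBL sweep is harmless on a tree that has none.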

<newline>
<sect1> The RAMdisk Image
<p> That's all nifty, but now comes the hard part... making the ramdisk. If you
take a look at the /isolinux directory on the CDROM, you will see a bunch of
files, one of them is called 'initrd.img' - there are several others as well,
such as isolinux.cfg, message.txt, and isolinux.bin. These files are required
by isolinux in order to work properly. Take a look at those files and the
documentation that comes with syslinux to get a better idea of what all that
does. In any case, the 'initrd.img' file is, in fact, the compressed ramdisk
image.

To take a look at the image, do something like the following (the loop mount
needs root):
<tscreen><verb>
blah@wherever:~$ cp /cdrom/isolinux/initrd.img /tmp/initrd.img.gz
blah@wherever:~$ gzip -d /tmp/initrd.img.gz
root@wherever:~# mount -o loop /tmp/initrd.img /MOUNT_POINT
</verb></tscreen>

In a nutshell, I use the file '/SENTRY/scripts/MK-CD/mkrootdsk.sh' to create
the rootdisk. Please read that file and the disclaimer before you decide to
use it. It runs perfectly on my system, but may not run well at all on yours.
It basically attempts to create a rootdisk image to use with the Sentry CD, but
it is very long and may be somewhat difficult to comprehend at times. This is
what happens when I start a project and fail to utilize proper child safety
restraints.

<newline>
<sect1> Making the ISO Image
<p> The next file I use is called 'mkiso.sh'. The script generally just
declares a few variables and runs the 'mkisofs' utility. The command I normally
run looks like the following:

<tscreen><verb>
root@mybox:~# cd /mnt/CD-FW
root@mybox:/mnt/CD-FW# mkisofs -o sentrycd.iso -R -V "Sentry Firewall CD [v1.x.x]" -v \
                       -T -d -D -N \
                       -b isolinux/isolinux.bin \
                       -c isolinux/eltorito.cat \
                       -no-emul-boot -boot-load-size 4 -boot-info-table \
                       -A "Sentry Firewall CD v1.x.x" .
........
</verb></tscreen>

The -b, -c, -no-emul-boot, -boot-load-size 4 and -boot-info-table options are
what make the image bootable via El Torito with isolinux; the -T option is what
produces the 'TRANS.TBL' files that were removed from /mnt/CD-FW above.

And that's it, I burn the CD and test it. For reference, the following
files are available on the CDROM and online at
<url url="http://www.SentryFirewall.com/files/scripts/MK-CD/" name="http://www.SentryFirewall.com/files/scripts/MK-CD/">
<itemize>
<item> /SENTRY/scripts/MK-CD/mkrootdsk.sh (builds the rootdisk)
<item> /SENTRY/scripts/MK-CD/mkiso.sh (builds final ISO image)
<item> /SENTRY/scripts/MK-CD/record-cd.sh (burns the ISO to a CD)
</itemize>

<!-- END SECTION 7.0 -->

</article>