<!doctype linuxdoc system>
<article>
<title>Sentry Firewall CD HOWTO
<author>Stephen A. Zarkos, <url url="mailto:Obsid@Sentry.net" name="Obsid@Sentry.net">
<date>v1.2, 2002-06-11
<abstract>
This document is designed as an introduction on how the Sentry
Firewall CDROM works and how to get started using the system.
</abstract>
<toc>
<!-- BEGIN SECTION 1.0 -->
<sect> Introduction
<p> This is the long-overdue Sentry Firewall CDROM howto. I hope this
document helps get you started using the Sentry Firewall CD and answers
any questions you might have regarding how the system works. The most
current version of this howto can be obtained at the following URL:
<url url="http://www.SentryFirewall.com/files/howto/">.
If you would like to add anything to this document, or if you have any
questions or comments please feel free to email me, <url url="mailto:Obsid@Sentry.net?subject=HOWTO"
name="Obsid@Sentry.net">.
<newline>
<sect1> What is the Sentry Firewall CD?
<p> The Sentry Firewall CD is a Linux-based bootable CDROM suitable
for use in a variety of different operating environments. The system is
designed to be configured dynamically via a floppy disk or over a network.
This allows one to configure the system dynamically, even though much of the actual
system is on read-only (CDROM) media.
<newline>
<sect1> Why would I use a CD-based firewall or server?
<p> There are several advantages of using a CDROM based system in various
security related environments. The main system is centered around the ramdisk;
a compressed file system image which is loaded into RAM at boot time. Any
changes to the ramdisk image are temporary, and will be undone upon the next
reboot. Furthermore, the ramdisk, kernel, binaries, etc, related to the
operating system are kept on read-only media(CDROM). This means that if the
security of a box running a CDROM based system is ever compromised the attacker
can at best own the box until the next reboot. So there is no real threat of
having to go through the tedious task of rebuilding and hardening the system
after a successful attack is discovered.
<newline>
<sect1> I'm a Linux newbie, will the Sentry Firewall CD be a good choice for me?
<p> At the moment, there are at least a couple variations of the Sentry Firewall CD
that are based on various Linux distributions. You should first choose the Linux
distribution you are most familiar with. More information on the different types can
be found on the web site - http://www.SentryFirewall.com/.
<p>Basically, the Sentry Firewall CD is meant to be configured no more easily than
a normal Slackware or Redhat or whatever Linux system. There are no GUIs, no scripts
to do it for you. The idea behind the configuration of the CD is that you are able to
reconfigure the system by replacing the startup scripts and the various system and
configuration files present on the system at boot time. Most of these are simply text
files and shell scripts that you need to edit by hand in order to be configured properly.
There are, however, usually plenty of resources available to assist you in
configuring a specific service or daemon (HOWTOs on linux.org, for example).
<newline>
<sect1> What's with this new branch "sentrycd-RH"? What's the difference between the branches?
<p> First, let me explain briefly about how the Sentry Firewall CD works. Basically,
there is the "host" system, a Linux system that is based on one of several Linux distributions.
Then there are the configuration scripts, written in perl, that run after the kernel boots
and help configure the system on the fly. In general, it is possible to create a Sentry
Firewall CD system based on nearly any Linux distribution while only modifying one of the
five perl scripts.
<p> So, to answer your question, "sentrycd-RH" is based on a different Linux distribution
than the original branch "sentrycd". Since I'm a Slackware fan, I used that distribution as
the foundation for the original Sentry Firewall CD(the sentrycd branch). It has always been my
desire to utilize other Linux distributions for this project, which is why I created the sentrycd-RH
branch.
<p> In any case, all the basic functionality is present in both versions. But since different
Linux distributions are configured differently, using different rc files or files in /etc/sysconfig
for example, some of the configuration directives(explained below) will vary between the two branches.
<p> You may be asking yourself, "then what Linux distro is the sentrycd-RH branch based on?" Well,
since I'm not about to violate any current
<url url="http://www.redhat.com/about/corporate/trademark/guidelines.html" name="trademark guidelines">,
I'll leave that as an exercise to the reader. Of course, you can always
<url url="http://www.sentryfirewall.com/#download" name="download"> the ISO and find out for yourself :-)
<newline>
<sect1> Minimum Requirements
<p>
<itemize>
<item> x86 computer with CD-ROM
<item> BIOS that supports the eltorito standard (booting from the CDROM).
<item> 32MB RAM (64MB or more recommended)
<item> Easy access to coffee/tea/soda or equivalent stimulant.
<item> Floppy disk drive (optional)
</itemize>
<newline>
<sect1> Copyrights and Disclaimer
<p> The current copyright and disclaimer can be found on the website;
<url url="http://www.SentryFirewall.com/files/COPYRIGHT">. It applies to the Sentry
Firewall CD, and all the scripts and documentation associated with it.
<!-- END SECTION 1.0 -->
<!-- BEGIN SECTION 2.0 -->
<newline>
<sect> How the CD Works (Overview)
<p> This section is just an overview to explain how the Sentry Firewall CD works,
that is, from the process of loading the kernel to running the Sentry Firewall
CD configuration scripts located on the RAMDisk.
<newline>
<sect1> The Boot Process
<p> Booting from the CDROM is a fairly familiar process. The BIOS execs the
bootloader(Syslinux) - which then displays a bootprompt and loads the kernel and
ramdisk into memory. Once the kernel is running, the ramdisk is then mounted as
root(/).
An obvious necessity for deploying CDROM based systems is the ability to
dynamically configure the system for various environments with different
configurations, which is what a good majority of this project is dedicated to
building. A simple way to do this is to give the user the ability to customize
the startup scripts located in /etc/rc.d before they are actually used, as well
as the ability to customize other important system configuration files.
At boot time, the /etc and /etc/rc.d directories are nearly empty. On a
Slackware system the first rc file to run is /etc/rc.d/rc.S - and it is from
this file where we run the configuration scripts that look for a configuration
file(sentry.conf), and place the proper configuration and system files in /etc
and various subdirectories under /etc. On other Linux systems, such as RedHat,
the configuration scripts would be run from rc.sysinit. If there is not a
configuration directive for a specific file, or if a configuration file cannot be
found, then the default system files are used - which are located in /etc/default/*
on the ramdisk.
<newline>
<sect1> ISOLINUX
<p> Early versions of the Sentry Firewall CD utilized the 2.88MB floppy
emulation method, along with either lilo or syslinux to boot the kernel and load
the ramdisk. This method proved very limiting for two reasons; A) the total
size of the compressed ramdisk AND kernel was limited to 2.88MB, and B) it was
quite slow compared to the current method.
The Sentry Firewall CD is currently utilizing the isolinux.bin boot record
with no emulation in order to properly boot the CDs. This allows us to use a
much larger ramdisk and offer a choice of several kernels to boot at boot time.
More information about syslinux can be found at <url
url="http://syslinux.zytor.com/" name="syslinux.zytor.com">.
<newline>
<sect1> The CD Configuration Scripts
<p> As previously mentioned, our configuration scripts which reside in
/etc/rc.d/SENTRY/ on the ramdisk are generally run from an rc script in /etc/rc.d/.
The first script to run is called 'cd-config.pl', which is essentially the mainline
for the entire program. The other scripts that are used are called 'get_config.pl',
'process_conf.pl', 'do_config.pl' and 'networking.pl'. These scripts were written
specifically for this project, and are essentially the mainstay of the entire
configuration process.
In depth review of these scripts is a little beyond the scope of this
document, but is covered a bit in the file called 'DOCUMENTATION' available on
the website (<url url="http://www.SentryFirewall.com/">). The files are written
in perl, and do several important things; read in and parse the configuration
file(sentry.conf), locate and retrieve the important files detailed in the
sentry.conf file, and replace the system default files with the ones the user
has defined in the configuration file.
<!-- END SECTION 2.0 -->
<!-- BEGIN SECTION 3.0 -->
<newline>
<sect> Obtaining the CDROM
<sect1> Downloading
<p> The CDROM is distributed as a gzip or bzip2 compressed iso image, and is
generally between 95-105MB in size. ISO images for the sentrycd-RH branch are
generally much larger, between 150-200MB in size. Available download mirrors
are listed on the websites; <url url="http://www.SentryFirewall.com/"> or
<url url="http://Sentry.Sourceforge.net/">.
<newline>
<sect1> Purchasing
<p> Although the iso image is free to use and distribute, copies of the Sentry
Firewall CD can also be mailed to you at a minimal cost. Custom versions of the CD and support
can also be made available and tailored to a specific network configuration.
For more information about these services, please
<url url="mailto:Obsid@Sentry.net" name="email me">.
<newline>
<sect1> Burning the CDROM
<p> This section will attempt a general overview on how to burn the CD iso
image once you have obtained it from one of the mirrors. All the commands
presume you're working in Linux, if not, then I'm afraid you're on your own.
First, let's decompress the iso image: <newline>
<bf>NOTE:</bf> Make sure you have enough disk space, the decompressed iso image can be
somewhere between 250MB and 300MB.
<tscreen><verb>
blah@wherever:&tilde;&dollar; gzip -d sentrycd.iso.gz
or
blah@wherever:&tilde;&dollar; bzip2 -d sentrycd.iso.bz2
</verb></tscreen>
Verify the integrity of the iso image by checking its md5sum:
<tscreen><verb>
blah@wherever:&tilde;&dollar; md5sum -b sentrycd.iso
</verb></tscreen>
<p> Now, let's try to burn the CD. You'll need the 'cdrecord' utility
available, it can be obtained <url
url="http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/cdrecord.html" name="here">.
You will want to run 'cdrecord -scanbus' in order to find the 'dev' value
required for the following command. You will also need to know the write speed
of your CDRW. Details on how to set this all up are beyond the scope of this
document, please refer to the <url url="http://www.linux.org/docs/ldp/howto/CD-Writing-HOWTO.html" name="CD Writing HOWTO">
for more details.
<tscreen><verb>
blah@wherever:&tilde;&dollar; DEV="DEV_LINE_HERE" SPEED="SPEED"
blah@wherever:&tilde;&dollar; cdrecord -v -data speed=$SPEED dev=$DEV sentrycd.iso
</verb></tscreen>
That's it, you now have a Sentry Firewall CDROM. By the way, you
may have to be root to do all this.
Keep in mind, if you simply want to look at the ISO image without actually
burning the CD, you can mount the image on a loopback device;
<tscreen><verb>
blah@wherever:&tilde;&dollar; mount -o loop ./sentrycd.iso /MOUNT_POINT
</verb></tscreen>
Where &dquot;MOUNT_POINT&dquot; is where you would like the CD mounted. You may
then 'cd' to the MOUNT_POINT directory and poke around - don't forget to 'umount' the
image once you're finished. This assumes you have support in your kernel for
the loopback device. You probably do, but once again, recompiling kernels is
beyond the scope of this document.
<!-- END SECTION 3.0 -->
<!-- BEGIN SECTION 4.0 -->
<newline>
<sect> Using the Sentry Firewall CDROM
<sect1> Introduction
<p> The configuration scripts which are run from /etc/rc.d/rc.S first look for
a configuration file called 'sentry.conf' on a floppy disk which, if present,
will be mounted on /floppy. In order to configure the Linux system for use
in any particular environment the user must have the ability to replace the
system default files with his/her own copies. The 'sentry.conf' file basically
tells the configuration scripts which files it should replace and where those
files are.
A good example of a sentry.conf file can be found on the Sentry Firewall CD
in the directory /SENTRY/scripts/cd-config/. Configuration floppy disk
images(1.44M) can also be found in /SENTRY/images/ on the CD.
<newline>
<sect1> The sentry.conf file
<p> The main configuration file for the system is called 'sentry.conf'. It will
first be looked for on a floppy disk(/dev/fd0). The file accepts several
configuration directives, many of which will be discussed below.
<newline>
<sect2> Example
<p>
A basic configuration file looks like the following (everything after a '&num;'
sign is interpreted as a comment):
<verb>
----snip----
&num;&num; Basic Sentry Firewall CD config file(sentry.conf)
rc.local = /floppy/config1/rc.local
fstab = /floppy/config1/fstab
passwd = /floppy/config1/passwd
shadow = /floppy/config1/shadow
&num; EOF &num;
----snip----
</verb>
The syntax is pretty simple, the default 'rc.local' file will be replaced with
the user defined 'rc.local' file located in the '/floppy/config1/' directory. Same
goes for 'fstab', 'passwd', and the 'shadow' file. But it is important to
remember, the first place the sentry.conf file will be looked for is on
/dev/fd0, which if found, will be mounted on /floppy. This is why all these
files appear to be located in the /floppy directory, it is simply the mount
point for the floppy disk.
<bf>NOTE:</bf> As of version 1.3.0, a user may now omit the `/floppy'
prefix. So, for example, a line in sentry.conf that says the following:
<verb>
shadow = config1/shadow
</verb>
will be assumed to mean (in most cases) the following:
<verb>
shadow = /floppy/config1/shadow
</verb>
as long as /floppy/config1/shadow exists.
<newline>
Unfortunately, you cannot arbitrarily replace files, for example the
following will likely not be parsed correctly:
<verb>
foo.conf = /floppy/config1/foo.conf
</verb>
The configuration scripts only recognize a certain number of configuration
files. There are other very easy ways to copy configuration files into their
proper location, however. These methods will be discussed below.
<newline>
<sect1> Network Configuration
<p> As of version 1.0.5, a new syntax for the configuration directives is
recognized: those with an "http://" or "ftp://" prefix. This means
that the following syntax is now supported:
<verb>
inetd.conf = ftp://[user:pass@]123.123.123.123/config1/inetd.conf
hosts = http://[user:pass@]123.123.123.123/config1/hosts
</verb>
As of version 1.3.0, "https://", "scp://", and "sftp://" URLs are also supported.
For example:
<verb>
shadow = scp://&lt;user&gt;:&lt;pass&gt;@123.123.123.123/dir/shadow
passwd = sftp://&lt;user&gt;:&lt;pass&gt;@123.123.123.123/dir/passwd
fstab = https://[user:pass@]123.123.123.123/dir/fstab
</verb>
<bf>NOTE:</bf> The username and password fields are required when retrieving files
via scp or sftp. Empty passwords are not permitted.
<newline>
In order to accomplish this the configuration scripts need to have the
ability to set up an ethernet interface, as well as obtain nameserver
information from the sentry.conf file. The syntax to accomplish this is the
following:
<verb>
device{1..10} = &lt;device&gt;:&lt;driver&gt;:&lt;IP address&gt;[|Gateway_IP]
or..
device{1..10} = &lt;device&gt;:&lt;driver&gt;:dhcp[|Hostname]
</verb>
And to set up a nameserver:
<verb>
nameserver = &lt;IP_ADDRESS&gt;
</verb>
<newline>
Additionally, when retrieving files using "http", "https", or "ftp",
you may also set up a proxy server. The following directives will allow you
to do so (they may not all be required for your setup):
<verb>
http_proxy = http://&lt;hostname&gt;/
ftp_proxy = http://&lt;hostname&gt;/
proxy-user = &lt;PROXY_USER&gt;
proxy-passwd = &lt;PROXY_PASSWORD&gt;
</verb>
Passive FTP may also be required. If so, use the 'passive-ftp' option, i.e.:
<verb>
passive-ftp = &lt;on|off&gt; ## Default == off
</verb>
<newline>
So, for example to set up an interface called "eth0", which uses the "tulip"
driver and can obtain its ip address from a DHCP server, we can use the
following line:
<verb>
device1 = eth0:tulip:dhcp
</verb>
<p> As you can see, a total of 10 devices are allowed. Let's say we now want to
set up an interface "eth1" that uses an "rtl8139" chip, and has a static
IP(192.168.1.2) and a default gateway(192.168.1.1):
<verb>
device2 = eth1:8139too:192.168.1.2|192.168.1.1
</verb>
<bf>NOTE:</bf> It is important to keep in mind that whatever devices you set up during the
configuration process will be promptly taken down after the configuration is
complete. This setup is only used so you can retrieve configuration files over
the network, via http and ftp. For more permanent network configuration, please
use the rc.inet1 file.
<newline>
<sect2> Example
<p>
<verb>
----snip----
&num;&num; Basic Sentry Firewall CD config file to retrieve files via HTTP(s)/FTP/SCP/SFTP.
device1 = eth0:tulip:192.168.1.2|192.168.1.1
nameserver = &lt;MY_DNS_IP&gt;
rc.M = ftp://user:pass@config.sentry.net/node1/rc.M
rc.inet1 = http://user:pass@config.sentry.net/all_nodes/rc.inet1
passwd = scp://user:pass@config.sentry.net/all_nodes/passwd
shadow = sftp://user:pass@config.sentry.net/node1/shadow
&num; EOF &num;
----snip----
</verb>
<newline>
<sect1> Other Useful Configuration Directives
<p> Copy file /floppy/someconfig.conf to /etc/someconfig.conf -
<verb>
/floppy/someconfig.conf |= /etc/someconfig.conf
OR, this does the same thing -
/etc/someconfig.conf = /floppy/someconfig.conf
and this is also possible (v1.3.0) -
/etc/someconfig.conf = ftp://&lt;server&gt;/someconfig.conf
</verb>
Make a symlink called /etc/someconfig.conf that points to
/etc/otherconfig.conf -
<verb>
/etc/someconfig.conf => /etc/otherconfig.conf
</verb>
The include directive grabs another sentry.conf file from another
location -
<verb>
include = ftp://user:pass@config.sentry.net/node1/sentry.conf
</verb>
Keep in mind, however, that the include directive is one of the first directives
to be parsed. Any configuration directives parsed from the included sentry.conf
file that conflict with directives in the previously parsed sentry.conf files
will clobber the old ones.
<newline>
<sect1> Putting it all together, managing multiple nodes from a single location.
<p> In order to manage multiple nodes at a single location, you can use a bare
sentry.conf file located on a floppy disk, and then grab files from your ftp or
http servers.
<verb>
----snip----
&num;&num; Basic Sentry Firewall CD config file.
device1 = eth0:tulip:dhcp
nameserver = &lt;DNS_IP&gt;
include = ftp://user:pass@config.sentry.net/node1/sentry.conf
----snip----
</verb>
The included sentry.conf file will then be parsed, and files replaced via http
or ftp if you like. You can now edit your sentry.conf and configuration files
at a central location.
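<p> The directive syntax described above (file replacement, the relative-path
rule, device and nameserver lines, the '|=' copy and '=>' symlink forms, and
the 'include' clobbering rule) as a small parser. This is an added example
written in Python for this HOWTO; it is not the CD's own perl scripts
(cd-config.pl and friends). The host config.example.net, the 192.0.2.x
addresses, the in-memory SOURCES table standing in for an ftp fetch, and the
"kind:key" naming of the result table are assumptions of the example. The
redact() helper exists because sentry.conf carries user:pass credentials in
clear text, both on the floppy and inside the URLs it fetches; mask them
before logging or printing parsed directives.

```python
# Added example for this HOWTO: a parser for the documented sentry.conf syntax (not the CD's perl).
import re
from dataclasses import dataclass

URL_SCHEMES = ("http://", "https://", "ftp://", "sftp://", "scp://")
FLOPPY = "/floppy"  # mount point of /dev/fd0 while the configuration scripts run
OPTION_KEYS = {"nameserver", "http_proxy", "ftp_proxy", "proxy-user",
               "proxy-passwd", "passive-ftp", "cdrom", "hostname"}
SERVICE_RE = re.compile(r"[\w.-]+:(start|stop)")  # sentrycd-RH 'httpd:stop' form


@dataclass
class Directive:
    kind: str   # replace | copy | symlink | include | device | cron | service | option
    key: str    # what is being set (for copy and symlink: the destination path)
    value: str  # source location, resolved against the floppy mount where applicable


def resolve_location(loc: str) -> str:
    """v1.3.0 rule: a bare relative path means a file under the floppy mount."""
    if loc.startswith(URL_SCHEMES) or loc.startswith("/"):
        return loc
    return f"{FLOPPY}/{loc}"


def redact(loc: str) -> str:
    """Mask 'user:pass@' in URLs; sentry.conf holds credentials in clear text."""
    return re.sub(r"^(\w+://)[^/@]+@", r"\1***:***@", loc)


def parse_device(key: str, value: str) -> dict:
    """device{1..10} = dev:driver:IP[|gateway]  or  dev:driver:dhcp[|hostname]"""
    m = re.fullmatch(r"device(\d+)", key)
    if not m or not 1 <= int(m.group(1)) <= 10:  # device1 .. device10 only
        raise ValueError(f"unsupported device directive {key!r}")
    parts = value.split(":")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"bad device spec {value!r}")
    name, driver, rest = parts
    address, _, extra = rest.partition("|")  # trailing |gateway or |hostname is optional
    return {"index": int(m.group(1)), "name": name, "driver": driver, "address": address,
            ("hostname" if address == "dhcp" else "gateway"): extra or None}


def parse_line(line: str, n: int) -> Directive:
    """Classify one comment-stripped, non-empty sentry.conf line (n = line number)."""
    if "|=" in line:                                    # source |= destination
        src, dst = (s.strip() for s in line.split("|=", 1))
        return Directive("copy", dst, resolve_location(src))
    if "=>" in line:                                    # link => target
        return Directive("symlink", *(s.strip() for s in line.split("=>", 1)))
    if "=" in line:
        key, value = (s.strip() for s in line.split("=", 1))
        if key.startswith("device"):
            parse_device(key, value)                    # validate early, keep raw spec
            return Directive("device", key, value)
        if key == "include":
            return Directive("include", key, resolve_location(value))
        if key in OPTION_KEYS:
            return Directive("option", key, value)
        if key.startswith("cron:"):
            return Directive("cron", key[len("cron:"):], resolve_location(value))
        if SERVICE_RE.fullmatch(key):
            return Directive("service", key, resolve_location(value))
        if key.startswith("/"):                         # dest = source, same as |=
            return Directive("copy", key, resolve_location(value))
        return Directive("replace", key, resolve_location(value))
    if SERVICE_RE.fullmatch(line):                      # bare 'httpd:stop'
        return Directive("service", line, "")
    raise ValueError(f"line {n}: unrecognised directive {line!r}")


def parse_sentry_conf(text: str) -> list:
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())  # '#' starts a comment
    return [parse_line(ln, n) for n, ln in enumerate(lines, 1) if ln]


def load_config(text: str, fetch, depth: int = 0) -> dict:
    """Effective table keyed 'kind:key'; fetch(location) returns an included file's
    text, and included directives clobber conflicting earlier ones, as the HOWTO says."""
    if depth > 4:
        raise RecursionError("sentry.conf include nesting too deep")
    effective, includes = {}, []
    for d in parse_sentry_conf(text):
        if d.kind == "include":
            includes.append(d.value)
        else:
            effective[f"{d.kind}:{d.key}"] = d
    for loc in includes:
        effective.update(load_config(fetch(loc), fetch, depth + 1))
    return effective


# Constructed sample: a bare floppy sentry.conf and the node file it includes.
FLOPPY_CONF = """\
device1 = eth0:tulip:dhcp
nameserver = 192.0.2.53
shadow = config1/shadow    # relative, so /floppy/config1/shadow
include = ftp://user:pass@config.example.net/node1/sentry.conf
"""
NODE1_CONF = """\
shadow = sftp://user:pass@config.example.net/node1/shadow
/floppy/daemon.conf |= /etc/daemon.conf
/etc/somefile.conf => /etc/otherfile.conf
cron:root = config1/crontab.root
"""
SOURCES = {"ftp://user:pass@config.example.net/node1/sentry.conf": NODE1_CONF}


def demo() -> dict:
    cfg = load_config(FLOPPY_CONF, SOURCES.__getitem__)
    print("\n".join(f"{d.kind:8}{d.key:24}{redact(d.value)}" for d in cfg.values()))
    return cfg
```

Calling demo() prints the effective directive table for the sample with the
credentials masked; call load_config() with your own sentry.conf text and a
fetch function that reads included files from wherever you host them. Only
the directive forms documented here are recognized; the parser does not model
which replacement filenames each branch (sentrycd or sentrycd-RH) accepts.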
<newline>
<sect1> Example sentry.conf and disk images
<p> An example configuration disk image is available on the CDROM. The disk is
an ext2 formatted disk, and is located in the '/SENTRY/images/' directory on the
CD. There is also a very complete sentry.conf file on the disk which may help
clarify a lot of these directives. Use a command like the following to create
the configuration disk:
<tscreen><verb>
blah@wherever:&tilde;&dollar; dd if=/cdrom/SENTRY/images/ext2-144.img of=/dev/fd0
2880+0 records in
2880+0 records out
</verb></tscreen>
The disk images and a sample sentry.conf file can also be found on the website at
the following locations:
<itemize>
<item><bf>sentry.conf</bf> - <url url="http://www.SentryFirewall.com/files/scripts/cd-config/" name="http://www.SentryFirewall.com/files/scripts/cd-config/">
<item><bf>Disk Images</bf> - <url url="http://www.SentryFirewall.com/files/images/" name="http://www.SentryFirewall.com/files/images/">
</itemize>
<!-- END SECTION 4.0 -->
<!-- BEGIN SECTION 5.0 -->
<newline>
<sect> Overview of Available Configuration Directives
<sect1> Replacing rc/config files
<p> To replace a file that is supported by the configuration scripts, you may
use the following syntax:
<verb>
filename_directive = /location/of/filename
</verb>
Where "filename_directive" is one of the directives listed below, and the location
of the file is often '/floppy/filename'. The file location can also be a URL.
The supported prefixes include "http://", "https://", "ftp://", "sftp://", and "scp://".
As previously mentioned, there are at least two Sentry Firewall CD branches with varying
names like "sentrycd" and "sentrycd-RH". The only difference between these branches is
the "host" Linux distribution that is utilized. And since Linux distributions utilize
different files during bootup, the accepted directives for the two branches vary. For example,
a Slackware system utilizes files such as "rc.S" and "rc.M" to boot into single and multi-user
modes. Other Linux distributions, such as Red Hat, utilize different files such as
"rc.sysinit" and various files located in /etc/rc.d/init.d/. Therefore, when running
a sentrycd-RH system, which is not Slackware based, it would be pointless to have a
directive that states the following:
<verb>
rc.M = /floppy/rc.M
</verb>
since a non-Slackware system wouldn't know what to do with a file called "rc.M". In any case, it
is for this reason that the configuration directives vary a bit between branches.
<newline>
Branch: <bf>sentrycd</bf> <newline>
The following rc/config files are currently supported:
<tscreen><verb>
rc.M
rc.netdevice
rc.inet1
rc.inet2
rc.local
rc.modules
rc.firewall
rc.firewall.nat
fstab
passwd
shadow
group
shells
profile
resolv.conf
hosts
ftpusers
hostname
newsyslog.conf
openssl.cnf
syslog.conf
syslog-ng.conf
inetd.conf
modules.conf
proftpd.conf
squid.conf
httpd.conf
smb.conf
snort.conf
pptpd.conf
pppoe.conf
gated.conf
zebra.conf
hosts.equiv
shosts.equiv
ssh_config
sshd_config
ssh_host_key
ssh_host_key.pub
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
ssh_known_hosts
ssh_known_hosts2
</verb></tscreen>
<newline>
Branch: <bf>sentrycd-RH</bf> <newline>
The following rc/config files are currently supported:
<tscreen><verb>
rc.local
rc.news
rc.firewall
rc.firewall.nat
fstab
ftpusers
group
hosts.equiv
hostname
hosts
openssl.cnf
passwd
profile
resolv.conf
shadow
shells
gated.conf
httpd.conf
named.conf
pppoe.conf
proftpd.conf
pptpd.conf
smb.conf
snort.conf
squid.conf
syslog-ng.conf
syslog.conf
xinetd.conf
zebra.conf
sysconf_dir **
xinetd_dir **
</verb></tscreen>
** The "sysconf_dir" and "xinetd_dir" are unique to the "sentrycd-RH" branch. Unlike
the other directives, these are used to replace the files located in the /etc/xinetd.d/
and the /etc/sysconfig/ directories. The /etc/sysconfig/ directory contains most of the
configuration files used by the init scripts(in /etc/rc.d/init.d/) on systems such as
Red Hat systems.
Example:
<verb>
sysconf_dir = /floppy/sysconfig
or
sysconf_dir = ftp://123.123.123.123/node1234/sysconfig
</verb>
Please note that "/floppy/sysconfig" and "/node1234/sysconfig" are <it>directories</it>
that contain files you want placed in /etc/sysconfig/. The "xinetd_dir" directive is
used in the same way.
<newline>
<bf>NOTE:</bf> To replace files not supported by the configuration scripts, use the
'|=' file copy directive discussed below.
<newline>
<sect1> 'device' directive support
<p> Set up an ethernet device to use during configuration.
<verb>
device[&num;] = [device_name]:[driver_name]:[IP_Address]&lt;|gateway&gt;
device[&num;] = [device_name]:[driver_name]:dhcp&lt;|hostname&gt;
NOTE: 1) &lt;hostname&gt; and &lt;gateway&gt; are optional, but sometimes required.
2) Most ethernet devices are supported. If you find one that isn't
and you think it should be, please let me know.
3) "device1" to "device10" are supported.
Examples:
device1 = eth0:tulip:192.168.1.50|192.168.1.1
device2 = eth1:via-rhine:dhcp
</verb>
<newline>
<sect1> 'nameserver' directive
<p> Set up a nameserver to use during configuration.
<verb>
nameserver = &lt;DNS_IP&gt;
</verb>
<newline>
<sect1> Proxy Support Directives
<p> Set up a proxy for pulling files via http(s), or ftp.
<verb>
http_proxy = http://&lt;hostname&gt;/
ftp_proxy = http://&lt;hostname&gt;/
proxy-user = &lt;PROXY_USER&gt;
proxy-passwd = &lt;PROXY_PASSWORD&gt;
</verb>
<newline>
<sect1> Passive FTP Support
<p> Use passive ftp instead of active ftp to retrieve files.
<verb>
passive-ftp = &lt;on|off&gt; ## Default == off
</verb>
<newline>
<sect1> 'include' directive
<p> Retrieve and parse another 'sentry.conf' file.
<verb>
include = &lt;/location/of/sentry.conf&gt;
Or, with network support -
include = &lt;ftp|http&gt;://[&lt;user&gt;:&lt;pass&gt;@]&lt;SERVER_IP&gt;&lt;/path/to/sentry.conf&gt;
</verb>
<newline>
<sect1> Copying files (|=)
<p> Copy file from one location to the other.
<verb>
Syntax: source_file |= dest_file, OR
dest_file = source_file
Example: Copy file /floppy/daemon.conf to /etc/daemon.conf
/floppy/daemon.conf |= /etc/daemon.conf
or
/etc/daemon.conf = /floppy/daemon.conf
or
/etc/daemon.conf = scp://&lt;user&gt;:&lt;pass&gt;@&lt;server&gt;/config/daemon.conf
</verb>
<bf>NOTE:</bf> http(s)/(s)ftp/scp support is only available with Sentry Firewall CD
versions >= 1.3.0.
<newline>
<sect1> Making Symlinks (=>)
<p> Create a symlink
<verb>
Syntax: dest_file => source_file(where the symlink points to)
Example:
Make symlink called /etc/somefile.conf that points to /etc/otherfile.conf
/etc/somefile.conf => /etc/otherfile.conf
</verb>
<newline>
<sect1> 'cdrom' directive
<p> Defines which device the CDROM is. Most of the time the CDROM is detected
and mounted using the /etc/rc.d/rc.cdrom script. But this makes the process
less error-prone.
<verb>
Syntax: cdrom = &lt;DEVICE&gt;
Example:
cdrom = /dev/hdc
</verb>
<newline>
<sect1> 'cron' directive
<p> Replace a user's crontab file(located in /var/spool/cron/crontabs/).
<verb>
Syntax: cron:&lt;USERNAME&gt; = &lt;/LOCATION/OF/CRONTAB_FILE&gt;
</verb>
<newline>
<sect1> hostname
<p> Defines the hostname of the local machine. This directive can be used to
either point to a file containing the hostname of the local machine, or to
define the hostname itself.
<verb>
Syntax: hostname = &lt;/path/to/file&gt;
or
hostname = MYHOSTNAME
</verb>
<newline>
<sect1> Other sentrycd-RH Specific Directives
<p> Besides the "xinetd_dir" and "sysconf_dir" directives, mentioned above,
there is another directive that is unique to the sentrycd-RH branch.
<newline>
<sect2> Start/Stop a Service or Daemon
<p> This directive gives you the ability to start or stop a service at bootup.
The syntax looks like the following:
<verb>
service:[start|stop] = &lt;path/to/service_init_file&gt;
</verb>
For example:
<verb>
httpd:stop
or
httpd:start = /floppy/config/httpd
</verb>
In the above example, we are telling the Sentry Firewall CD to either start or stop
the http daemon at bootup. The optional argument "&lt;path/to/service_init_file&gt;" is
usually not necessary, but is used to actually replace the startup script located in
/etc/rc.d/init.d/, in case you ever wanted to do so.
To get a better idea of how this works, please take a look at the sample "sentry.conf"
file located either on the CD or online at
<url url="http://www.SentryFirewall.com/files/scripts/cd-config/sentrycd-rh/sentry.conf"
name="http://www.SentryFirewall.com/files/scripts/cd-config/sentrycd-rh/sentry.conf">
<!-- END SECTION 5.0 -->
<!-- BEGIN SECTION 6.0 -->
<newline>
<sect> Troubleshooting
<sect1> Booting Problems
<p> Booting problems are generally rare, and generally only occur on old and buggy,
or somehow non-compliant hardware. Booting problems can be associated with a number
of problems, depending upon at what point during the boot process the failure occurs.
The following are possible causes of failure when booting from a CD.
<itemize>
<item> Old or buggy BIOSes that do not fully support the eltorito standard. System
may fail to load the isolinux bootloader or the kernel.
<item> Problematic CDROM drives can cause various problems when booting the CD.
CD may or may not boot, and will generally have trouble accessing files
on the CD.
<item> Damaged CD, obviously can cause a number of problems, similar symptoms as
above.
<item> Insufficient hardware resources. Please see the "Minimum Requirements"
section of this howto for more information on what is required to boot
the CD.
<item> In the case of booting the Sentry Firewall CD, old or buggy floppy disk
drives or damaged floppy disks can also result in serious problems, including
corruption of the data on the floppy disk. The inability of the configuration
scripts to read and parse files contained on the floppy disk can seriously inhibit
the capability of the system to configure itself properly.
</itemize>
In general, hardware issues cause the majority of problems during the boot process
of the Sentry Firewall CD, and may not always be easy to diagnose. Generally, the
first step in debugging a general boot problem is to try and boot another CD in the
same machine to attempt to rule out a hardware problem. And then attempt to boot
the Sentry Firewall CD in another machine to attempt to rule out damage to the CD.
If both these tests produce no negative results, then perhaps swap out the CDROM drives
in the two machines, if possible, and do the test again. Then perhaps check out the
general mailing list(mentioned below) for further assistance.
<newline>
<sect1> Configuration Problems
<p> This section deals with configuration problems involving the "sentry.conf" file.
The sentry.conf configuration file, as mentioned in previous sections, tells the
configuration scripts what to do during boot time to configure the running system.
A syntax error in this file can cause a file to be put in the wrong place, or a
directive to not be parsed at all.
Error messages printed while the Sentry Firewall CD boots can help greatly
in diagnosing syntax and other types of errors, so watch the CD boot and
write down any error messages that appear. Also, during bootup a logfile
detailing the configuration process is created at /var/log/SENTRY_LOG. If
you can log in to the system after it has booted, take a look at this file for
any obvious error messages.
<newline>
<sect1> Frequently Asked Questions
<p> A FAQ is currently being maintained on the Sentry Firewall website; it can be
accessed via the following URL: <url url="http://Sentry.SourceForge.net/files/FAQ">.
<newline>
<sect1> Mailing List
<p> Thanks to <url url="http://www.SourceForge.net/" name="SourceForge.net">, there are mailing
lists available for the Sentry CD. You can look through the archives, or subscribe to the general
mailing list to ask questions or make comments. The following are links for the general
Sentry-Users mailing list. Other mailing lists are listed at
<url url="http://www.SentryFirewall.com/" name="SentryFirewall.com">.
<itemize>
<item> <url url="http://lists.sourceforge.net/lists/listinfo/sentry-users" name="Subscribe to Sentry-Users">
<item> <url url="http://www.geocrawler.com/redir-sf.php3?list=sentry-users" name="Sentry-Users Archives">
</itemize>
<!-- END SECTION 6.0 -->
<!-- BEGIN SECTION 7.0 -->
<newline>
<sect> Building a Custom Sentry CD
<sect1> Introduction
<p> This section will attempt to describe how to create a custom Sentry Firewall
CDROM. Unfortunately, I do not have time to go into every detail, but at
the very least I will try to provide an overview of the CD creation
process.
<newline>
<sect1> The development system (how I do it)
<p> My development system consists of two separate Linux installations of the
same distribution, depending on what branch I'm working on. First, I have a
very complete &lt;insert Linux distro here&gt; installation on my main hard
drive (/dev/hda). I then have /dev/hdb1, upon which I have another, bare-bones
installation; this installation generally has no compiling tools or X stuff.
I usually have /dev/hdb1 mounted on /mnt. That's not a critical element,
but I thought I'd mention it since I will refer to /mnt a lot from now on. I
then have a directory called /CD-FW on the /dev/hdb1 installation; that is, if
/dev/hdb1 is mounted on /mnt, then the directory would be called /mnt/CD-FW/.
Throughout this entire process, the installation on /dev/hda is the live running
system, and it is from here that I compile the needed tools, kernels, etc. and
basically run everything.

To make this easy for you, the Sentry Firewall CD ISO is basically an exact
copy of what's in /mnt/CD-FW/ on my hard drive. All I did was use the 'mkisofs'
utility on /mnt/CD-FW.

If you simply want to get started, perhaps try the following steps:
<itemize>
<item> Install a basic Slackware system on some other partition, /dev/hdb1 perhaps.
<item> Reboot into your normal (Linux) system and mount this new partition, let's say on /mnt.
<item> Mount the Sentry CD somewhere, let's say on /mnt2.
<item> <bf>type:</bf> mkdir /mnt/CD-FW
<item> <bf>type:</bf> cp -Rdp /mnt2/* /mnt/CD-FW/
<item> <bf>type:</bf> find /mnt/CD-FW/ -name 'TRANS.TBL' -type f -print | xargs rm -f <newline>
This removes the 'TRANS.TBL' files that are created by mkisofs.
<item> Unmount /mnt2.
<item> Run the following commands (in a script if you like) to update the /mnt/CD-FW/ directory:
<verb>
cp -Rdp /mnt/bin /mnt/CD-FW/
cp -Rdp /mnt/sbin /mnt/CD-FW/
cp -Rdp /mnt/lib /mnt/CD-FW/
cp -Rdp /mnt/usr/bin /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/sbin /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/local/bin /mnt/CD-FW/usr/local/
cp -Rdp /mnt/usr/lib /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/libexec /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/share /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/man /mnt/CD-FW/usr/
</verb>
</itemize>
<bf>NOTE:</bf> The above commands may spit out errors when working with certain
files (i.e. hard links). These errors are annoying, but they're not critical at all.

You now have a development system like, or similar to, my own :-)

Now, if you ever want to install an rpm update or a Slackware package update (with
upgradepkg), you can do the following:
<tscreen><verb>
root@mybox:~# cd /mnt; chroot /mnt
root@mybox:/# upgradepkg update.tgz
or
root@mybox:/# rpm --upgrade update.rpm
root@mybox:/# exit
</verb></tscreen>
Then, all I need to do is re-run the script mentioned above, the one that
copies all those files, to update the /mnt/CD-FW directory.
<newline>
<sect1> The RAMdisk Image
<p> That's all nifty, but now comes the hard part... making the ramdisk. If you
take a look at the /isolinux directory on the CDROM, you will see a bunch of
files, one of them is called 'initrd.img' - there are several others as well,
such as isolinux.cfg, message.txt, and isolinux.bin. These files are required
by isolinux in order to work properly. Take a look at those files and the
documentation that comes with syslinux to get a better idea of what all that
does. In any case, the 'initrd.img' file is, in fact, the compressed ramdisk
image.
To take a look at the image, do something like the following (the loop mount
requires root privileges):
<tscreen><verb>
blah@wherever:~$ cp /cdrom/isolinux/initrd.img /tmp/initrd.img.gz
blah@wherever:~$ gzip -d /tmp/initrd.img.gz
blah@wherever:~$ mount -o loop /tmp/initrd.img /MOUNT_POINT
</verb></tscreen>
In a nutshell, I use the file '/SENTRY/scripts/MK-CD/mkrootdsk.sh' to create
the rootdisk. Please read that file and the disclaimer before you decide to
use it. It runs perfectly on my system, but may not run well at all on yours.
It basically attempts to create a rootdisk image to use with the Sentry CD, but
it is very long and may be somewhat difficult to comprehend at times. This is
what happens when I start a project and fail to utilize proper child safety
restraints.
<newline>
<sect1> Making the ISO Image
<p> The next file I use is called 'mkiso.sh'. The script generally just
declares a few variables and runs the 'mkisofs' utility. The command I normally
run looks like the following:
<tscreen><verb>
root@mybox:~# cd /mnt/CD-FW
root@mybox:/mnt/CD-FW# mkisofs -o sentrycd.iso -R -V "Sentry Firewall CD [v1.x.x]" -v \
-T -d -D -N \
-b isolinux/isolinux.bin \
-c isolinux/eltorito.cat \
-no-emul-boot -boot-load-size 4 -boot-info-table \
-A "Sentry Firewall CD v1.x.x" .
........
</verb></tscreen>
And that's it, I burn the CD and test it. For reference, the following
files are available on the CDROM and online at
<url url="http://www.SentryFirewall.com/files/scripts/MK-CD/" name="http://www.SentryFirewall.com/files/scripts/MK-CD/">:
<itemize>
<item> /SENTRY/scripts/MK-CD/mkrootdsk.sh (builds the rootdisk)
<item> /SENTRY/scripts/MK-CD/mkiso.sh (builds final ISO image)
<item> /SENTRY/scripts/MK-CD/record-cd.sh (burns the ISO to a CD)
</itemize>
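As an added example (not one of the MK-CD scripts listed above, and not code from the Sentry project), the following script sanity-checks the two artifacts those scripts produce before a CD is burned: that initrd.img is really a gzip-compressed filesystem image, and that the ISO carries the El Torito boot record that the -b/-c/-no-emul-boot flags above are supposed to create, which is the first thing a BIOS looks for when booting from CD. It assumes the ramdisk is an ext2 image (the page only says it is compressed and loop-mountable) and the script name check-cd.sh and paths are placeholders.

```shell
#!/bin/sh
# Added example (not one of the Sentry MK-CD scripts): check the ramdisk and
# the ISO before burning.  Assumes the ramdisk is a gzip-compressed ext2
# image (an assumption, not stated by the HOWTO) and that the ISO was built
# with the mkisofs -b/-c/-no-emul-boot flags shown above.
set -eu

# Verify initrd.img is gzip data whose payload carries an ext2 superblock,
# without needing root or a loop device.
check_initrd() {
    img="$1"
    [ -r "$img" ] || { echo "cannot read $img" >&2; return 2; }
    # gzip members start with the bytes 1f 8b
    magic=$(od -An -tx1 -N 2 "$img" | tr -d ' ')
    [ "$magic" = "1f8b" ] || { echo "$img: not gzip-compressed" >&2; return 1; }
    # the ext2 superblock magic 0xEF53 sits little-endian at byte 1080
    fsmagic=$(gzip -dc "$img" | dd bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' ')
    [ "$fsmagic" = "53ef" ] || { echo "$img: payload has no ext2 superblock" >&2; return 1; }
    echo "$img: gzip-compressed ext2 image, $(gzip -dc "$img" | wc -c | tr -d ' ') bytes uncompressed"
}

# Verify the ISO carries an El Torito boot record volume descriptor; a BIOS
# that does not find it never loads isolinux, which looks like a dead CD.
check_eltorito() {
    iso="$1"
    [ -r "$iso" ] || { echo "cannot read $iso" >&2; return 2; }
    off=$((17 * 2048))   # the boot record always lives in sector 17
    # bytes 1-5 must read CD001, bytes 7-38 "EL TORITO SPECIFICATION"
    ident=$(dd if="$iso" bs=1 skip=$((off + 1)) count=5 2>/dev/null | tr -d '\000')
    sysid=$(dd if="$iso" bs=1 skip=$((off + 7)) count=23 2>/dev/null | tr -d '\000')
    if [ "$ident" != "CD001" ] || [ "$sysid" != "EL TORITO SPECIFICATION" ]; then
        echo "$iso: no El Torito boot record (BIOS will not find isolinux)" >&2
        return 1
    fi
    # bytes 0x47-0x4a (offset 71) hold the boot catalog sector as a little-endian u32
    catsec=$(od -An -tu1 -j $((off + 71)) -N 4 "$iso" |
             awk '{ print $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 }')
    echo "$iso: El Torito boot record present, boot catalog at sector $catsec"
}

# Usage: ./check-cd.sh /mnt/CD-FW/isolinux/initrd.img /mnt/CD-FW/sentrycd.iso
if [ "$#" -eq 2 ]; then
    check_initrd "$1"
    check_eltorito "$2"
fi
```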
<!-- END SECTION 7.0 -->
</article>