What's with all these branches(SENTRYCD/SENTRYCD-RH/SENTRYCD-xxx)? What's the difference between the branches?
- So, to answer your question, "sentrycd-RH" is based on a different Linux distribution
-than the original branch "sentrycd". Since I'm a Slackware fan, I used that distribution as
-the foundation for the original Sentry Firewall CD(the sentrycd branch). It has always been my
-desire to utilize other Linux distributions for this project, which is why I created the sentrycd-RH
-branch.
+
First, let me explain briefly how the Sentry Firewall CD works. Basically, there is the
+"host" system, a Linux system that is based on one of several Linux distributions. Then there
+are the configuration scripts, written in perl, that run after the kernel boots and help
+configure the system on the fly. In general, it is possible to create a Sentry Firewall CD
+system based on nearly any Linux distribution while only modifying one of the five perl scripts.
-
In any case, all the basic functionality is present in both versions. But since different
+
So, to answer your question, each Sentry Firewall CD branch utilizes similar configuration
+methods, but are simply based on different Linux distributions. Since I'm a Slackware fan, I used
+that distribution as the foundation for the original Sentry Firewall CD(the "SENTRYCD" branch).
+It has always been my desire to utilize other Linux distributions for this project, which is why
+I created the "SENTRYCD-RH" branche. There will no doubt eventually be other branches and
+variations.
+
+
+Sentry Firewall CD Development Branches:
+
+ - SENTRYCD - Slackware-like Sentry Firewall CD.
+
- SENTRYCD-DEB - Debian-like Sentry Firewall CD. (In Development)
+
- SENTRYCD-RH - RedHat-like Sentry Firewall CD. (Deprecated)
+
+
+
In any case, all the basic functionality is present in each branch. But since different
Linux distributions are configured differently, using different rc files or files in /etc/sysconfig
for example, some of the configuration directives(explained below) will vary between the two branches.
-
You may be asking yourself, "then what Linux distro is the sentrycd-RH branch based on?" Well,
-since I'm not about to violate any current
-,
-I'll leave that as an exercise to the reader. Of course, you can always
- the ISO and find out for yourself :-)
-
Minimum Requirements
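Review bot: the line "In any case, all the basic functionality is present in both versions. But since different" survives as an orphaned fragment between the new "First, let me explain" paragraph and the branch list, while the same sentence restarts below as "present in each branch"; drop the older fragment so the post-patch text does not break mid-sentence. In the same hunk, "SENTRYCD-RH branche" should read "branch", and "will vary between the two branches" no longer matches the three-entry branch list (SENTRYCD, SENTRYCD-DEB, SENTRYCD-RH) added just above it; "between branches" stays correct as branches come and go. Marking SENTRYCD-RH "(Deprecated)" in the list also sits oddly with the preceding sentence that presents it as the current second branch; a word on whether its ISOs and directives are still maintained would help a reader choosing a branch.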
@@ -109,6 +112,7 @@ I'll leave that as an exercise to the reader. Of course, you can always
. It applies to the Sentry
Firewall CD, and all the scripts and documentation associated with it.
+
@@ -186,7 +190,7 @@ has defined in the configuration file.
Downloading
The CDROM is distributed as a gzip or bzip2 compressed iso image, and is
generally between 95-105MB in size. ISO images for the sentyrcd-RH branch are
-generally much larger, between 150-200MB in size. Available download mirrors
+generally much larger, between 150-200MB in size. Available download mirrors
are listed on the websites; or
.
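Review bot: while touching this paragraph, fix "sentyrcd-RH" on the unchanged context line ("ISO images for the sentyrcd-RH branch") to "sentrycd-RH". The changed line "generally much larger, between 150-200MB in size. Available download mirrors" reads identically before and after, so the change is presumably whitespace or markup only; worth confirming it is intentional.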
@@ -205,7 +209,9 @@ For more information about these services, please
Burning the CDROM
This section will attempt a general overview on how to burn the CD iso
image once you have obtained it from one of the mirrors. All the commands
-presume you're working in Linux, if not, then I'm afraid you're on your own.
+presume you're working in Linux. Buring ISO images in Windows is not covered
+in this howto. If you are using windows then check out the
+
First, let's decompress the iso image:
NOTE: Make sure you have enough disk space, the decompressed iso image can be
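Review bot: "Buring ISO images in Windows" should be "Burning", and "If you are using windows" should capitalize "Windows" to match the sentence before it. That sentence also stops at "then check out the" with only an empty added line after it in the hunk, so make sure the intended reference actually made it into the text.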
@@ -239,7 +245,7 @@ blah@wherever:˜$ cdrecord -v -data speed=$SPEED dev=$DEV sentrycd.i
That's it, you now have a Sentry Firewall CDROM. By the way, you
-may have to be root to do all this.
+may have to be 'root' to do all this.
Keep in mind, if you simply want to look at the ISO image without actually
burning the CD, you can mount the image on a loopback device;
@@ -271,7 +277,9 @@ files are.
A good example of a sentry.conf file can be found on the Sentry Firewall CD
in the directory /SENTRY/scripts/cd-config/. Configuration floppy disk
-images(1.44M) can also be found in /SENTRY/images/ on the CD.
+images(1.44M) can also be found in /SENTRY/images/ on the CD. These files are also
+available on the website,
+
The sentry.conf file
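Review bot: the added sentence "These files are also available on the website," ends at a comma with nothing following it in the hunk; either the link text is missing or the sentence needs to be terminated.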
@@ -329,8 +337,9 @@ following will likely not be parsed correctly:
The configuration scripts only recognize a certain number of configuration
-files. There are other very easy ways to copy configuration files into their
-proper location, however. These methods will be discussed below.
+files, so it probably won't know what to do with "foo.conf". There are other
+very easy ways to copy configuration files into their proper location, however.
+These methods will be discussed below.
@@ -410,7 +419,7 @@ IP(192.168.1.2) and a default gateway(192.168.1.1):
NOTE: It is important to keep in mind that whatever devices you set up during the
configuration process will be promptly taken down after the configuration is
complete. This setup is only used so you can retrieve configuration files over
-the network, via http and ftp. For more permanent network configuration, please
+the network, via http(s)/ftp/scp/sftp. For more permanent network configuration, please
use the rc.inet1 file.
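Review bot: the protocol list is spelled "http(s)/ftp/scp/sftp" on the changed line, "HTTP(s)/FTP/SCP/SFTP" in the sample config comment a few lines below, and "HTTP(S)/FTP/SCP/SFTP" later in this patch; pick one spelling. Since this note tells the reader the temporary interface exists only to fetch configuration files, it is also the natural place to say that rc files and firewall scripts fetched over plain http or ftp arrive without any integrity check, and that the newly supported scp/sftp are the options that give one.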
@@ -422,7 +431,7 @@ use the rc.inet1 file.
## Basic Sentry Firewall CD config file to retrieve files via HTTP(s)/FTP/SCP/SFTP.
device1 = eth0:tulip:192.168.1.2|192.168.1.1
-nameserver = <MY_DNS_IP>
+nameserver = 123.123.123.123 ## This should be the IP of your DNS server.
rc.M = ftp://user:pass@config.sentry.net/node1/rc.M
rc.inet1 = http://user:pass@config.sentry.net/all_nodes/rc.inet1
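Review bot: replacing the placeholder "<MY_DNS_IP>" with "123.123.123.123" turns an obviously fill-me-in value into a real, routable address that readers will paste verbatim; keep the angle-bracket placeholder, or use an address from the documentation range (192.0.2.0/24) so a copied config fails visibly instead of sending DNS queries to a stranger. Also confirm the parser accepts a trailing "## ..." comment after a value, since the only other comment in the sample sits on its own line ("## Basic Sentry Firewall CD config file ..."). The unchanged lines "rc.M = ftp://user:pass@config.sentry.net/node1/rc.M" and "rc.inet1 = http://user:pass@..." model credentials embedded in URLs over cleartext protocols; now that sftp:// and scp:// are supported, the sample would be a better template if at least one entry used them.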
@@ -507,18 +516,15 @@ blah@wherever:˜$ dd if=/cdrom/SENTRY/images/ext2-144.img of=/dev/fd
2880+0 records out
-The disk images and a sample sentry.conf file can also be found on the website at
-the following locations:
-
- - sentry.conf -
-
- Disk Images -
-
+The disk images and a sample sentry.conf file can also be found on the website,
+
+
Overview of Available Configuration Directives
Replacing rc/config files
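Review bot: the two separately labelled references removed here ("- sentry.conf -" and "- Disk Images -") are collapsed into one sentence that ends at "on the website," with nothing after the comma in the hunk; make sure both targets remain reachable from the new sentence and that it is terminated.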
@@ -533,7 +539,7 @@ of the file is often '/floppy/filename'. The file location can also be a URL.
The supported prefixed include "http://", "https://", "ftp://", "sftp://", and "scp://".
As previously mentioned, there are at least two Sentry Firewall CD branches with varying
-names like "sentrycd" and "sentrycd-RH". The only difference between these branches is
+names like "SENTRYCD" and "SENTRY-RH". The only difference between these branches is
the "host" Linux distribution that is utilized. And since Linux distributions utilize
different files during bootup, the accepted directives for the two branches vary. For example,
a Slackware system utilizes files such as "rc.S" and "rc.M" to boot into single and multi-user
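Review bot: the new line names the branches "SENTRYCD" and "SENTRY-RH", but the branch list earlier in this patch and the sysconf_dir paragraph below use "SENTRYCD-RH"; use one name throughout. The unchanged context line "The supported prefixed include" should read "prefixes", and since the patch now lists SENTRYCD-DEB as a branch, "at least two Sentry Firewall CD branches" could name it too.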
@@ -544,112 +550,13 @@ directive that states the following:
rc.M = /floppy/rc.M
-Since a non-Slackware system wouldn't know to do with a file called "rc.M". In any case, it
-is for this reason that the configuration directives vary a bit between branches.
+since a non-Slackware system wouldn't know to do with a file called "rc.M". In any case, it
+is for this reason that the configuration directives vary a bit between branches. The
+directives that are available can be found in the sentry.conf file in the SENTRY/scripts/cd-config/
+directory, or on the website.
-Branch: sentrycd
-The following rc/config files are currently supported:
-
-
-rc.M
-rc.netdevice
-rc.inet1
-rc.inet2
-rc.local
-rc.modules
-rc.firewall
-rc.firewall.nat
-fstab
-passwd
-shadow
-group
-shells
-profile
-resolv.conf
-hosts
-ftpusers
-hostname
-newsyslog.conf
-openssl.cnf
-syslog.conf
-syslog-ng.conf
-inetd.conf
-modules.conf
-proftpd.conf
-squid.conf
-httpd.conf
-smb.conf
-snort.conf
-pptpd.conf
-pppoe.conf
-gated.conf
-zebra.conf
-hosts.equiv
-shosts.equiv
-ssh_config
-sshd_config
-ssh_host_key
-ssh_host_key.pub
-ssh_host_dsa_key
-ssh_host_dsa_key.pub
-ssh_host_rsa_key
-ssh_host_rsa_key.pub
-ssh_known_hosts
-ssh_known_hosts2
-
-
-
-Branch: sentrycd-RH
-The following rc/config files are currently supported:
-
-
-rc.local
-rc.news
-rc.firewall
-rc.firewall.nat
-fstab
-ftpusers
-group
-hosts.equiv
-hostname
-hosts
-openssl.cnf
-passwd
-profile
-resolv.conf
-shadow
-shells
-gated.conf
-httpd.conf
-named.conf
-pppoe.conf
-proftpd.conf
-pptpd.conf
-smb.conf
-snort.conf
-squid.conf
-syslog-ng.conf
-syslog.conf
-xinetd.conf
-zebra.conf
-shosts.equiv
-ssh_config
-sshd_config
-ssh_host_key
-ssh_host_key.pub
-ssh_host_dsa_key
-ssh_host_dsa_key.pub
-ssh_host_rsa_key
-ssh_host_rsa_key.pub
-ssh_known_hosts
-ssh_known_hosts2
-
-sysconf_dir **
-xinetd_dir **
-
-
-** The "sysconf_dir" and "xinetd_dir" are unique to the "sentrycd-RH" branch. Unlike
+The "sysconf_dir" and "xinetd_dir" are unique to the "SENTRYCD-RH" branch. Unlike
the other directives, these are used to replace the files located in the /etc/xinetd.d/
and the /etc/sysconfig/ directories. The /etc/sysconfig/ directory contains most of the
configuration files used by the init scripts(in /etc/rc.d/init.d/) on systems such as
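Review bot: removing both per-branch lists of supported rc/config files leaves the HOWTO with no in-document statement of which directives each branch accepts (for example that rc.inet1, rc.inet2 and rc.modules exist only on the Slackware branch while named.conf, xinetd.conf, sysconf_dir and xinetd_dir exist only on the RH branch), and the replacement "can be found in the sentry.conf file in the SENTRY/scripts/cd-config/ directory, or on the website" points at a file the reader must already have. Consider keeping a short per-branch table, or at least the branch-only entries, since the passage immediately below ("The "sysconf_dir" and "xinetd_dir" are unique to the "SENTRYCD-RH" branch") now refers to directives the document never lists. Also "wouldn't know to do with a file called "rc.M"" was carried over from the old line and is still missing "what".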
@@ -805,7 +712,7 @@ define the hostname itself.
- Other sentrycd-RH Specific Directives
+ Other SENTRY-{RH,DEB} Specific Directives
Besides the "xinetd_dir" and "sysconf_dir" directives, mentioned above,
there is another directive that is unique to the sentrycd-RH branch.
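Review bot: the heading now reads "Other SENTRY-{RH,DEB} Specific Directives", but the unchanged body line right under it still says "there is another directive that is unique to the sentrycd-RH branch"; either the body should cover the DEB branch too or the heading should not promise it. Spelling also drifts between "SENTRY-" here and "SENTRYCD-" in the branch list.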
@@ -831,14 +738,158 @@ usually not necessary, but is used to actually replace the startup script locate
To get a better idea of how this works, please take a look at the sample "sentry.conf"
file located either on the CD or online at
-
+
+
+
+ Setting Up a Firewall
+ Starting the Firewall
+
+Ok, so the project is called the Sentry *Firewall* CD. So where's the firewall?
+Well, it's important to note that this system is capable of quite a bit more than your
+standard bootable floppy or CD firewall. In fact it is a pretty complete Linux system
+on a CD, and as with any Linux system the "firewall" is set up using scripts and various
+userland utilities such as ipchains or iptables.
+
+IPChains or IPTables firewall scripts generally take the form of shell scripts
+that are customized by the user and run at boot-time. If you already have a
+ruleset for your firewall simply edit the "rc.firewall" directive in your
+"sentry.conf" file to point to your firewall script on your floppy or on a
+remote HTTP(S)/FTP/SCP/SFTP server as explained above. The firewall will
+then be run at boot time.
+
+
+
+ Using FWBuilder with the Sentry Firewall CD
+
+FWBuilder(http://www.FWBuilder.org/) is a firewall configuration and management
+system. The advantage to this application is that it provides a graphical user
+interface to develop and modify firewall rulesets on various platforms using
+various utilities. The Firewall rulesets that are created with FWBuilder are
+completely compatible with the Sentry Firewall CD, and with just about any Linux
+firewall.
+
+As with most Linux firewalls there are no X11 binaries or libraries on the Sentry
+Firewall CD, so you will need to develop the firewall ruleset on a separate workstation
+using fwbuilder and then upload the ruleset to the various firewalls/routers/nodes
+on the network. The following are the basic steps required to get your new fwbuilder
+ruleset running on the Sentry CD:
+
+
+ - Configure your new firewall to your liking with fwbuilder(duh).
+
- Save your firewall. Choose File->Save As, and choose an appropriate name.
+ The file will normally be saved as "whatever.xml".
+
- Compile the firewall. Choose Rules->Compile. The ruleset will be compiled
+ and turned into a shell script called "whatever.fw".
+
- You will then want to copy "whatever.fw" to your configuration floppy and use
+ the "rc.firewall" configuration directive in your sentry.conf file to point to
+ your new firewall script. The firewall script will be copied to
+ /etc/rc.d/rc.firewall during the configuration process and run at boot-time.
+
+
+
+Please note that it is not necessary to reboot the Sentry Firewall CD every time
+you update your firewall script. You may simply upload the new script to the
+Sentry Firewall and run it. But just make sure that you copy the final draft of
+your script to the configuration floppy so that it will be run at boot-time.
+
+
+
+ Using Webmin with the Sentry Firewall CD
+
+As of version 1.5.0-rc3 Webmin(http://www.webmin.com/) is available on the CD.
+Among many of the other default modules available with webmin - of which not all
+have been fully tested - Webmin includes two modules for generating and managing
+your firewall setup. These modules are located in the "Networking" section of the
+webmin interface. In this section you will see the "Linux Firewall" and "Shorewall
+Firewall" modules, either of which are available for your use.
+
+The addition of Webmin also adds four new configuration directives -
+
+ start_webmin = ## enable|disable webmin. Default == disable.
+ webmin_config = ## Main webmin config(/etc/webmin/config).
+ miniserv.conf = ## Config file for webmin http(s) daemon.
+ miniserv.pem = ## SSL cert for webmin http(s) daemon.
+ ## An SSL cert will be created by rc.webmin if
+ ## one is not specified.
+ miniserv.users = ## Password file used for webmin.
+ ## Default user:pass is sentry:SENTRY.
+ ## NOTE: If this file is not replaced webmin
+ ## will NOT start!
+
+
+
+Note: The modifications made by these web interface tools are, of course, not
+permanent. Any files altered will need to be placed on a floppy or on a remote server and
+declared in your sentry.conf file as explained in previous sections.
+
+
+Many of these web interface tools do not simply generate a firewall script, but rather
+set up a firewall and use the 'iptables-save' and 'iptables-restore' utilities to dump and
+load the firewall. The file created by 'iptables-save' must be loaded using 'iptables-restore',
+it cannot be run like a shell script. By default this file is placed in "/etc/rc.d/rc.firewall.save".
+Once you configure your firewall to your liking you will need to place the rc.firewall.save file on a
+floppy or a remote server and declare its location using the "rc.firewall.save" directive in the
+sentry.conf file. With the sentrycd and sentyrcd-devel branches, the rc.firewall and rc.firewall.save
+files are normally run automatically at boot-time from rc.inet2.
+
+
+As of verions 1.5.0-rc3 the Shorewall(http://www.shorewall.net/) firewall scripts are available on
+the Sentry Firewall CD. Webmin also comes with a module to configure and set up Shorewall, although
+Shorewall can be configured manually as well. Shorewall utilizes a number of configuration files
+located in /etc/shorewall. The sentry.conf file recognizes the "shorewall.conf" configuration directive,
+but if any of the other configuration files in /etc/shorewall need to be replaced you will need to do
+so manually using the "|=" configuration directive.
+
+
+
+ Other Sample Firewall Scripts and Tools
+ Sample firewall scripts can be found in the /SENTRY/scripts/firewall
+directory on the CD. These are just a few firewall scripts I found on the
+Internet and have put here for your convenience. If you do a search on
+
+or
+
+you will probably find several others pretty easily.
+
+
+I have also added "Easy Firewall Generator" (http://easyfwgen.morizot.net/) and
+"IPTables Script Generator" (http://iptables.linux.dk/) to the CD. These are PHP
+scripts that can assist you in creating a ruleset for your Sentry Firewall CD system.
+In order to view these you will need to start the Apache web server on a running Sentry
+Firewall CD system, and then direct your browser to the IP address of your Sentry
+Firewall. The scripts should be available in the "firewall" directory.
+
+
+Please note that these web-based scripts will often generate a script for you, but you
+will still need to take that generated script and place at on a floppy or on a remote
+server and edit the "rc.firewall" directive in the sentry.conf file to point to your
+new script.
+
+
+
+ Links to Other Firewall Resources
+
+
+
+
+
+
+If there are any other resources you think I should add to this section, please email me at
+.
+
+
+
+
+
+
+
Troubleshooting
Booting Problems
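Review bot: the new firewall section introduces the "rc.firewall.save" directive ("declare its location using the "rc.firewall.save" directive") and a "sentyrcd-devel" branch, neither of which appears in the branch list or in any surviving directive list in this patch (the supported-file lists were removed earlier in the same change); add rc.firewall.save to the documented directives, either list the devel branch or drop the reference, and fix the spelling. The Webmin directive block should make the credential story unambiguous: "Default user:pass is sentry:SENTRY" sits two lines above "If this file is not replaced webmin will NOT start!", so say plainly that there is no usable built-in login and that a site-specific miniserv.users must be supplied, which is the right safe default. For the generated miniserv.pem, one sentence noting that the certificate is self-signed and browsers will warn until it is replaced or its fingerprint is verified would save support mail. Smaller items: "As of verions 1.5.0-rc3" should be "version"; "place at on a floppy" should be "place it on a floppy"; "either of which are available" should be "is"; and the "Links to Other Firewall Resources" heading, the "If you do a search on ... or ..." sentence and "email me at ." are each followed only by empty added lines in the hunk, so check that the intended links survived.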
@@ -911,9 +962,9 @@ Sentry-Users mailing list. Other mailing lists are listed at
-
+
-
+
Building a Custom Sentry CD
@@ -941,8 +992,8 @@ system, and it is from here that I compile the needed tools, kernels, etc and
basically run everything.
To make this easy for you, the Sentry Firewall CD ISO is basically an exact
-copy of what's in /mnt/CD-FW/ on my hard drive. All I did was use the 'mkisofs'
-utility on /mnt/CD-FW.
+copy of what's in /mnt/CD-FW/ on my hard drive. I simply use the 'mkisofs'
+utility on /mnt/CD-FW to create the ISO image.
If you simply want to get started, perhaps try the following steps:
@@ -968,7 +1019,7 @@ If you simply want to get started, perhaps try the following steps:
cp -Rdp /mnt/usr/man /mnt/CD-FW/usr/
-
+
NOTE: The above commands may spit out errors when working with certain
files(ie. hard links). These errors are annoying, but they're not critical at all.
@@ -1013,7 +1064,7 @@ the rootdisk. Please read that file and the disclaimer before you decide to
use it. It runs perfectly on my system, but may not run well at all on yours.
It basically attempts to create a rootdisk image to use with the Sentry CD, but
it is very long and may be somewhat difficult to comprehend at times. This is
-what happens when I start a project and fail to utilize proper child safety
+what happens when I start hacking around and fail to utilize proper child safety
restraints.
@@ -1035,8 +1086,8 @@ root@mybox:/mnt/CD-FW# mkisofs -o sentrycd.iso -R -V "Sentry Firewall CD [v1.x.x
And that's it, I burn the CD and test it. For reference, the following
-files are available on the CDROM and online at
-
+files are available on the CDROM and online at
+
- /SENTRY/scripts/MK-CD/mkrootdsk.sh (builds the rootdisk)
- /SENTRY/scripts/MK-CD/mkiso.sh (builds final ISO image)
@@ -1045,10 +1096,10 @@ files are available on the CDROM and online at
-
+
-
+
More About the Sentry Firewall Project
@@ -1071,7 +1122,7 @@ utilize the system in a test or production environment and send me suggestions,
feedback. For those interested in assisting with the enhancement of any of the Sentry Firewall CD
branches, please check out the TODO file located in /SENTRY/docs/TODO on the CD image, or online at
-or
+or
.
I do, on occasion, make the Sentry Firewall CD available for purchase. I also accept donations including hardware,
@@ -1087,7 +1138,7 @@ I began work on the project around April of 2000, probably ruining 200 CD-Rs bef
Sentry Firewall CD. And for the last two years I have been continuing to develop, enhance and maintain the project -
give or take a few months here and there while I took a short hiatus(marriage, education, etc).
-From the beginning, this project has proven to be quite popular, and has received a great deal of support
+From the beginning, this project has proven to be quite popular, and has received a great deal of support
and feedback from its loyal users. This kind of support has proven invaluable, and has kept me motivated
to continue to develop this project. There is nothing I would rather do right now than work on and enhance
this system, however since I do not get paid to develop this project, it is only a part-time endeavor.
@@ -1106,7 +1157,7 @@ Bellevue, WA 98008
Email:
-
+