mirror of https://github.com/tLDP/LDP
updated
This commit is contained in:
parent
2bb56893f9
commit
385c45846c
|
@ -14,6 +14,7 @@
|
|||
<affiliation>
|
||||
<address>
|
||||
<email>saqib@seagate.com</email>
|
||||
<ulink url="http://www.xml-dev.com">Offshore XML/XHTML Development</ulink>
|
||||
</address>
|
||||
</affiliation>
|
||||
</author>
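Review bot: the added ulink to "Offshore XML/XHTML Development" (http://www.xml-dev.com) sits directly inside <address>, where it is neither address data nor part of the affiliation. If it is meant as the author's web presence, wrap it in <otheraddr>, which accepts inline links, or move it to an <authorblurb>; and consider whether a service advertisement belongs in the author block of a HOWTO at all.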
|
||||
|
@ -22,6 +23,15 @@
|
|||
|
||||
<revhistory>
|
||||
|
||||
<revision>
|
||||
<revnumber>v4.0.2</revnumber>
|
||||
<date>2003-08-01</date>
|
||||
<authorinitials>sa</authorinitials>
|
||||
<revremark>
|
||||
Minor updates to the Apache configure cmd line. /dev/random referenced in the SSL section.
|
||||
</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>v4.0.1</revnumber>
|
||||
<date>2003-07-27</date>
|
||||
|
@ -41,24 +51,6 @@
|
|||
</revision>
|
||||
|
||||
|
||||
<revision>
|
||||
<revnumber>v3.4</revnumber>
|
||||
<date>2002-06-29</date>
|
||||
<authorinitials>sa</authorinitials>
|
||||
<revremark>
|
||||
Added the section "How to generate a CSR"
|
||||
</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>v3.3</revnumber>
|
||||
<date>2002-04-14</date>
|
||||
<authorinitials>sa</authorinitials>
|
||||
<revremark>
|
||||
Add the section of DAV server management.
|
||||
</revremark>
|
||||
</revision>
|
||||
|
||||
|
||||
|
||||
</revhistory>
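Review bot: this hunk deletes the v3.4 (2002-06-29, "Added the section 'How to generate a CSR'") and v3.3 (2002-04-14, "Add the section of DAV server management") revision entries outright. A revhistory is meant to be append-only: these entries record when the CSR and DAV sections, which are still in the document, were introduced, so dropping them loses provenance. Keep the older revisions and add only the new v4.0.2 entry at the top.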
|
||||
|
@ -253,7 +245,7 @@ mysql 3256 3237 0 May29 ? 00:06:58 /usr/local/mysql/bin/mysqld --de
|
|||
<command># gzip -d httpd-2.0.46.tar.gz </command>
|
||||
<command># tar -xvf httpd-2.0.46.tar</command>
|
||||
<command># cd httpd-2.0.46</command>
|
||||
<command>#./configure --enable-so --enable-mods-shared="ldap auth-ldap" --with-ldap --with-auth-ldap --with-ldap-lib=/usr/local/iplanet-ldap-sdk.5/ --with-ldap-include=/usr/local/iplanet-ldap-sdk.5/ --with-ssl --enable-ssl --enable-rewrite --enable-dav</command>
|
||||
<command>#./configure --enable-so --with-ssl --enable-ssl --enable-rewrite --enable-dav</command>
|
||||
</screen>
|
||||
<para>Next run the make command</para>
|
||||
<screen><command># make</command>
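Review bot: the replacement configure line drops every LDAP build option (--enable-mods-shared="ldap auth-ldap" --with-ldap --with-auth-ldap and the --with-ldap-lib/--with-ldap-include paths) and now builds only mod_so, mod_ssl, mod_rewrite and mod_dav, yet the index hunks in this same commit retitle the document "Apache based WebDAV Server with LDAP and SSL HOWTO". If LDAP authentication is still covered, say where mod_auth_ldap is now built or enabled; if this is meant as a no-LDAP alternative, present both variants and label them rather than silently replacing one with the other. Minor: "#./configure" is missing the space after the prompt that the other <command> lines have.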
|
||||
|
@ -728,6 +720,12 @@ An optional company name []:
|
|||
|
||||
</screen>
|
||||
|
||||
<note><title>"PRNG not seeded"</title><para>If you do not have <filename>/dev/random</filename> on your system you will get a <emphasis>"PRNG not seeded"</emphasis> error message. In that case you can use the following command:</para>
|
||||
|
||||
<screen><command># /usr/local/ssl/bin/openssl req -rand <emphasis>some_file.ext</emphasis> -new -nodes -keyout private.key -out public.csr </command>
|
||||
</screen>
|
||||
<para>Replace some_file.ext with the name of a existing file on your file system. Any file can be specified. Openssl will use that file to generate the seed</para>
|
||||
</note>
|
||||
<para>
|
||||
At this point you will be asked several questions about your server to generate the Certificate Singning Request</para>
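Review bot: the new note's advice, "Any file can be specified. Openssl will use that file to generate the seed", is a security problem. The private key written by "openssl req -new ... -keyout private.key" is only as unpredictable as the PRNG seed, and an arbitrary existing file (a config file, a log, a system binary) is guessable by anyone who knows the platform, so the resulting key may be weak. Recommend a genuinely random source for -rand instead, for example /dev/urandom where it exists or a file of entropy gathered from a hardware or EGD/prngd source, and state plainly that a predictable seed file undermines the key. Small fixes in the same hunk: "a existing file" should read "an existing file", and the some_file.ext placeholder inside <command> is better marked up as <replaceable> than <emphasis>; the unchanged line that follows also misspells "Singning".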
|
||||
|
||||
|
|
|
@ -628,7 +628,7 @@ secure a Linux installation from intrusion
|
|||
Sentry-Firewall-CD-HOWTO</ULink>,
|
||||
<CiteTitle>Sentry Firewall CD HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>Updated: October 2002</CiteTitle>.
|
||||
<CiteTitle>Updated: August 2003</CiteTitle>.
|
||||
An introduction on how the Sentry Firewall CDROM
|
||||
works and how to get started using the system. </Para>
|
||||
</ListItem>
|
||||
|
|
|
@ -885,9 +885,9 @@ M$Frontpage Server Extensions. </Para>
|
|||
<Para>
|
||||
<ULINK URL="../Apache-WebDAV-LDAP-HOWTO/index.html">
|
||||
Apache-WebDAV-LDAP-HOWTO</ULink>,
|
||||
<CiteTitle>Apache WebDAV and LDAP HOWTO</CiteTitle>
|
||||
<CiteTitle>Apache based WebDAV Server with LDAP and SSL HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>Updated: July 2002</CiteTitle>.
|
||||
<CiteTitle>Updated: August 2003</CiteTitle>.
|
||||
A HOWTO on implementing WebDAV services using Apache - with LDAP for
|
||||
authentication and SSL for ensuring security of the DAV stores. </Para>
|
||||
</ListItem>
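Review bot: the CiteTitle changes to "Apache based WebDAV Server with LDAP and SSL HOWTO" while the link text, the directory and the description ("with LDAP for authentication and SSL") are unchanged, which is internally consistent; but the configure hunk earlier in this commit removes the LDAP build options from the HOWTO's Apache build line. Confirm that the document's own <title> and its LDAP content match the new index title before this entry and the identical one at -260,9 in the other index file are updated.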
|
||||
|
|
|
@ -260,9 +260,9 @@ MS Frontpage Server Extensions. </Para>
|
|||
<Para>
|
||||
<ULINK URL="../Apache-WebDAV-LDAP-HOWTO/index.html">
|
||||
Apache-WebDAV-LDAP-HOWTO</ULink>,
|
||||
<CiteTitle>Apache WebDAV and LDAP HOWTO</CiteTitle>
|
||||
<CiteTitle>Apache based WebDAV Server with LDAP and SSL HOWTO</CiteTitle>
|
||||
</Para><Para>
|
||||
<CiteTitle>Updated: July 2002</CiteTitle>.
|
||||
<CiteTitle>Updated: August 2003</CiteTitle>.
|
||||
A HOWTO on implementing WebDAV services using Apache - with LDAP for
|
||||
authentication and SSL for ensuring security of the DAV stores. </Para>
|
||||
</ListItem>
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
<article>
|
||||
<title>Sentry Firewall CD HOWTO
|
||||
<author>Stephen A. Zarkos, <url url="mailto:Obsid@Sentry.net" name="Obsid@Sentry.net">
|
||||
<date>v1.2.3, 2002-10-22
|
||||
<date>v1.3.1, 2003-08-18
|
||||
|
||||
<abstract>
|
||||
This document is designed as an introduction on how the
|
||||
|
@ -56,41 +56,44 @@ that are based on various Linux distributions. You should first choose the Linu
|
|||
distribution you are most familiar with. More information on the different types can
|
||||
be found on the web site - http://www.SentryFirewall.com/.
|
||||
|
||||
<p>Basically, the Sentry Firewall CD is meant to be configured no more easily than
|
||||
a normal Slackware or Redhat or whatever Linux system. There are no GUIs, no scripts
|
||||
to do it for you. The idea behind the configuration of the CD is that you are able to
|
||||
reconfigure the system by replacing the startup scripts and the various system and
|
||||
configuration files present on the system at boot time. Most of these are simply text
|
||||
files and shell scripts that you need to edit by hand in order to be configured properly.
|
||||
<p> Basically, the Sentry Firewall CD is meant to be configured just like a normal
|
||||
Slackware or Redhat or whatever Linux system. There are no GUIs, no scripts to do it
|
||||
for you. The idea behind the configuration of the CD is that you are able to
|
||||
reconfigure the system by replacing the startup scripts and the various configuration
|
||||
files normally present on the system at boot time. Most of these are simply text
|
||||
files and shell scripts that you need to edit by hand in order configure properly.
|
||||
There are, however, usually plenty of resources available to assist you in
|
||||
configuring a specific service or daemon(HOWTOs on linux.org, for example).
|
||||
|
||||
|
||||
<newline>
|
||||
<sect1> What's with this new branch "sentrycd-RH"? What's the difference between the branches?
|
||||
<p> First, let me explain briefly about how the Sentry Firewall CD works. Basically,
|
||||
there is the "host" system, a Linux system that is based on one of several Linux distributions.
|
||||
Then there are the configuration scripts, written in perl, that run after the kernel boots
|
||||
and help configure the system on the fly. In general, it is possible to create a Sentry
|
||||
Firewall CD system based on nearly any Linux distribution while only modifying one of the
|
||||
five perl scripts.
|
||||
<sect1> What's with all these branches(SENTRYCD/SENTRYCD-RH/SENTRYCD-xxx)? What's the difference between the branches?
|
||||
|
||||
<p> So, to answer your question, "sentrycd-RH" is based on a different Linux distribution
|
||||
than the original branch "sentrycd". Since I'm a Slackware fan, I used that distribution as
|
||||
the foundation for the original Sentry Firewall CD(the sentrycd branch). It has always been my
|
||||
desire to utilize other Linux distributions for this project, which is why I created the sentrycd-RH
|
||||
branch.
|
||||
<p> First, let me explain briefly how the Sentry Firewall CD works. Basically, there is the
|
||||
"host" system, a Linux system that is based on one of several Linux distributions. Then there
|
||||
are the configuration scripts, written in perl, that run after the kernel boots and help
|
||||
configure the system on the fly. In general, it is possible to create a Sentry Firewall CD
|
||||
system based on nearly any Linux distribution while only modifying one of the five perl scripts.
|
||||
|
||||
<p> In any case, all the basic functionality is present in both versions. But since different
|
||||
<p> So, to answer your question, each Sentry Firewall CD branch utilizes similar configuration
|
||||
methods, but are simply based on different Linux distributions. Since I'm a Slackware fan, I used
|
||||
that distribution as the foundation for the original Sentry Firewall CD(the "SENTRYCD" branch).
|
||||
It has always been my desire to utilize other Linux distributions for this project, which is why
|
||||
I created the "SENTRYCD-RH" branche. There will no doubt eventually be other branches and
|
||||
variations.
|
||||
|
||||
<P>
|
||||
<bf>Sentry Firewall CD Development Branches:</bf>
|
||||
<itemize>
|
||||
<item> <bf>SENTRYCD</bf> - Slackware-like Sentry Firewall CD.
|
||||
<item> <bf>SENTRYCD-DEB</bf> - Debian-like Sentry Firewall CD. (In Development)
|
||||
<item> <bf>SENTRYCD-RH</bf> - RedHat-like Sentry Firewall CD. (Deprecated)
|
||||
</itemize>
|
||||
|
||||
<p> In any case, all the basic functionality is present in each branch. But since different
|
||||
Linux distributions are configured differently, using different rc files or files in /etc/sysconfig
|
||||
for example, some of the configuration directives(explained below) will vary between the two branches.
|
||||
|
||||
<p> You may be asking yourself, "then what Linux distro is the sentrycd-RH branch based on?" Well,
|
||||
since I'm not about to violate any current
|
||||
<url url="http://www.redhat.com/about/corporate/trademark/guidelines.html" name="trademark guidlines">,
|
||||
I'll leave that as an exercise to the reader. Of course, you can always
|
||||
<url url="http://www.sentryfirewall.com/#download" name="download"> the ISO and find out for yourself :-)
|
||||
|
||||
|
||||
<newline>
|
||||
<sect1> Minimum Requirements
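Review bot: two typos and one stale count in the rewritten text: "in order configure properly" should be "in order to configure properly", and "the "SENTRYCD-RH" branche" should be "branch". Now that the new list names three branches (SENTRYCD, SENTRYCD-DEB, SENTRYCD-RH), "will vary between the two branches" in the closing paragraph should read "between branches". The list also marks SENTRYCD-RH "(Deprecated)" while the paragraph just above presents it as the branch the author created to use another distribution, and the unchanged paragraph "then what Linux distro is the sentrycd-RH branch based on?" still uses the old lowercase name; align both with the list. "trademark guidlines" in the unchanged context is misspelled as well.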
|
||||
|
@ -109,6 +112,7 @@ I'll leave that as an exercise to the reader. Of course, you can always
|
|||
<url url="http://www.SentryFirewall.com/files/COPYRIGHT">. It applies to the Sentry
|
||||
Firewall CD, and all the scripts and documentation associated with it.
|
||||
|
||||
|
||||
<!-- END SECTION 1.0 -->
|
||||
|
||||
<!-- BEGIN SECTION 2.0 -->
|
||||
|
@ -205,7 +209,9 @@ For more information about these services, please
|
|||
<sect1> Burning the CDROM
|
||||
<p> This section will attempt a general overview on how to burn the CD iso
|
||||
image once you have obtained it from one of the mirrors. All the commands
|
||||
presume you're working in Linux, if not, then I'm afraid you're on your own.
|
||||
presume you're working in Linux. Buring ISO images in Windows is not covered
|
||||
in this howto. If you are using windows then check out the
|
||||
<url url="http://www.e-smith.org/docs/howto/CD_burning_howto.php3" name="CD Burning Howto">
|
||||
|
||||
First, let's decompress the iso image: <newline>
|
||||
<bf>NOTE:</bf> Make sure you have enough disk space, the decompressed iso image can be
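Review bot: in the new Windows sentences, "Buring ISO images" should be "Burning ISO images", "windows" should be capitalised as "Windows", and the sentence that ends with the "CD Burning Howto" link has no terminal period before the "First, let's decompress" paragraph begins.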
|
||||
|
@ -239,7 +245,7 @@ blah@wherever:˜$ cdrecord -v -data speed=$SPEED dev=$DEV sentrycd.i
|
|||
</verb></tscreen>
|
||||
|
||||
That's it, you now have a Sentry Firewall CDROM. By the way, you
|
||||
may have to be root to do all this.
|
||||
may have to be 'root' to do all this.
|
||||
|
||||
Keep in mind, if you simply want to look at the ISO image without actually
|
||||
burning the CD, you can mount the image on a loopback device;
|
||||
|
@ -271,7 +277,9 @@ files are.
|
|||
|
||||
A good example of a sentry.conf file can be found on the Sentry Firewall CD
|
||||
in the directory /SENTRY/scripts/cd-config/. Configuration floppy disk
|
||||
images(1.44M) can also be found in /SENTRY/images/ on the CD.
|
||||
images(1.44M) can also be found in /SENTRY/images/ on the CD. These files are also
|
||||
available on the website, <url url="http://www.SentryFirewall.com/" name="http://www.SentryFirewall.com/">
|
||||
|
||||
|
||||
<newline>
|
||||
<sect1> The sentry.conf file
|
||||
|
@ -329,8 +337,9 @@ following will likely not be parsed correctly:
|
|||
</verb>
|
||||
|
||||
The configuration scripts only recognize a certain number of configuration
|
||||
files. There are other very easy ways to copy configuration files into their
|
||||
proper location, however. These methods will be discussed below.
|
||||
files, so it probably won't know what to do with "foo.conf". There are other
|
||||
very easy ways to copy configuration files into their proper location, however.
|
||||
These methods will be discussed below.
|
||||
|
||||
|
||||
<newline>
|
||||
|
@ -410,7 +419,7 @@ IP(192.168.1.2) and a default gateway(192.168.1.1):
|
|||
<bf>NOTE:</bf> It is important to keep in mind that whatever devices you set up during the
|
||||
configuration process will be promptly taken down after the configuration is
|
||||
complete. This setup is only used so you can retrieve configuration files over
|
||||
the network, via http and ftp. For more permanent network configuration, please
|
||||
the network, via http(s)/ftp/scp/sftp. For more permanent network configuration, please
|
||||
use the rc.inet1 file.
|
||||
|
||||
|
||||
|
@ -422,7 +431,7 @@ use the rc.inet1 file.
|
|||
## Basic Sentry Firewall CD config file to retrieve files via HTTP(s)/FTP/SCP/SFTP.
|
||||
|
||||
device1 = eth0:tulip:192.168.1.2|192.168.1.1
|
||||
nameserver = <MY_DNS_IP>
|
||||
nameserver = 123.123.123.123 ## This should be the IP of your DNS server.
|
||||
|
||||
rc.M = ftp://user:pass@config.sentry.net/node1/rc.M
|
||||
rc.inet1 = http://user:pass@config.sentry.net/all_nodes/rc.inet1
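Review bot: replacing "<MY_DNS_IP>" with 123.123.123.123 trades an obvious placeholder for a real, routable address; use an address from the 192.0.2.0/24 block reserved for documentation, or keep the angle-bracket placeholder, so that a copied sample never queries someone else's host. More important for a sample whose header says "retrieve files via HTTP(s)/FTP/SCP/SFTP": the two unchanged example directives fetch rc.M and rc.inet1 over plain ftp:// and http:// with "user:pass" embedded in the URL. These are boot scripts the CD runs at startup, so cleartext transport lets anyone on the path substitute them, and the credentials are exposed on the wire and to anyone who reads the configuration floppy. The sample should use the https://, scp:// or sftp:// forms the document itself lists and say so in the comment.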
|
||||
|
@ -507,18 +516,15 @@ blah@wherever:˜$ dd if=/cdrom/SENTRY/images/ext2-144.img of=/dev/fd
|
|||
2880+0 records out
|
||||
</verb></tscreen>
|
||||
|
||||
The disk images and a sample sentry.conf file can also be found on the website at
|
||||
the following locations:
|
||||
<itemize>
|
||||
<item><bf>sentry.conf</bf> - <url url="http://www.SentryFirewall.com/files/scripts/cd-config/" name="http://www.SentryFirewall.com/files/scripts/cd-config/">
|
||||
<item><bf>Disk Images</bf> - <url url="http://www.SentryFirewall.com/files/images/" name="http://www.SentryFirewall.com/files/images/">
|
||||
</itemize>
|
||||
The disk images and a sample sentry.conf file can also be found on the website,
|
||||
<url url="http://www.SentryFirewall.com/" name="http://www.SentryFirewall.com/">
|
||||
|
||||
|
||||
<!-- END SECTION 4.0 -->
|
||||
|
||||
<!-- BEGIN SECTION 5.0 -->
|
||||
|
||||
|
||||
<newline>
|
||||
<sect> Overview of Available Configuration Directives
|
||||
<sect1> Replacing rc/config files
|
||||
|
@ -533,7 +539,7 @@ of the file is often '/floppy/filename'. The file location can also be a URL.
|
|||
The supported prefixed include "http://", "https://", "ftp://", "sftp://", and "scp://".
|
||||
|
||||
As previously mentioned, there are at least two Sentry Firewall CD branches with varying
|
||||
names like "sentrycd" and "sentrycd-RH". The only difference between these branches is
|
||||
names like "SENTRYCD" and "SENTRY-RH". The only difference between these branches is
|
||||
the "host" Linux distribution that is utilized. And since Linux distributions utilize
|
||||
different files during bootup, the accepted directives for the two branches vary. For example,
|
||||
a Slackware system utilizes files such as "rc.S" and "rc.M" to boot into single and multi-user
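Review bot: "SENTRY-RH" in the new line should be "SENTRYCD-RH", the name used in the branch list added earlier in this commit; and with SENTRYCD-DEB now listed, "at least two Sentry Firewall CD branches" and "the accepted directives for the two branches vary" read as stale. In the unchanged line above, "The supported prefixed include" should be "The supported prefixes include".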
|
||||
|
@ -544,112 +550,13 @@ directive that states the following:
|
|||
<verb>
|
||||
rc.M = /floppy/rc.M
|
||||
</verb>
|
||||
Since a non-Slackware system wouldn't know to do with a file called "rc.M". In any case, it
|
||||
is for this reason that the configuration directives vary a bit between branches.
|
||||
since a non-Slackware system wouldn't know to do with a file called "rc.M". In any case, it
|
||||
is for this reason that the configuration directives vary a bit between branches. The
|
||||
directives that are available can be found in the sentry.conf file in the SENTRY/scripts/cd-config/
|
||||
directory, or on the website.
|
||||
|
||||
<newline>
|
||||
Branch: <bf>sentrycd</bf> <newline>
|
||||
The following rc/config files are currently supported:
|
||||
|
||||
<tscreen><verb>
|
||||
rc.M
|
||||
rc.netdevice
|
||||
rc.inet1
|
||||
rc.inet2
|
||||
rc.local
|
||||
rc.modules
|
||||
rc.firewall
|
||||
rc.firewall.nat
|
||||
fstab
|
||||
passwd
|
||||
shadow
|
||||
group
|
||||
shells
|
||||
profile
|
||||
resolv.conf
|
||||
hosts
|
||||
ftpusers
|
||||
hostname
|
||||
newsyslog.conf
|
||||
openssl.cnf
|
||||
syslog.conf
|
||||
syslog-ng.conf
|
||||
inetd.conf
|
||||
modules.conf
|
||||
proftpd.conf
|
||||
squid.conf
|
||||
httpd.conf
|
||||
smb.conf
|
||||
snort.conf
|
||||
pptpd.conf
|
||||
pppoe.conf
|
||||
gated.conf
|
||||
zebra.conf
|
||||
hosts.equiv
|
||||
shosts.equiv
|
||||
ssh_config
|
||||
sshd_config
|
||||
ssh_host_key
|
||||
ssh_host_key.pub
|
||||
ssh_host_dsa_key
|
||||
ssh_host_dsa_key.pub
|
||||
ssh_host_rsa_key
|
||||
ssh_host_rsa_key.pub
|
||||
ssh_known_hosts
|
||||
ssh_known_hosts2
|
||||
</verb></tscreen>
|
||||
|
||||
<newline>
|
||||
Branch: <bf>sentrycd-RH</bf> <newline>
|
||||
The following rc/config files are currently supported:
|
||||
|
||||
<tscreen><verb>
|
||||
rc.local
|
||||
rc.news
|
||||
rc.firewall
|
||||
rc.firewall.nat
|
||||
fstab
|
||||
ftpusers
|
||||
group
|
||||
hosts.equiv
|
||||
hostname
|
||||
hosts
|
||||
openssl.cnf
|
||||
passwd
|
||||
profile
|
||||
resolv.conf
|
||||
shadow
|
||||
shells
|
||||
gated.conf
|
||||
httpd.conf
|
||||
named.conf
|
||||
pppoe.conf
|
||||
proftpd.conf
|
||||
pptpd.conf
|
||||
smb.conf
|
||||
snort.conf
|
||||
squid.conf
|
||||
syslog-ng.conf
|
||||
syslog.conf
|
||||
xinetd.conf
|
||||
zebra.conf
|
||||
shosts.equiv
|
||||
ssh_config
|
||||
sshd_config
|
||||
ssh_host_key
|
||||
ssh_host_key.pub
|
||||
ssh_host_dsa_key
|
||||
ssh_host_dsa_key.pub
|
||||
ssh_host_rsa_key
|
||||
ssh_host_rsa_key.pub
|
||||
ssh_known_hosts
|
||||
ssh_known_hosts2
|
||||
|
||||
sysconf_dir **
|
||||
xinetd_dir **
|
||||
</verb></tscreen>
|
||||
|
||||
** The "sysconf_dir" and "xinetd_dir" are unique to the "sentrycd-RH" branch. Unlike
|
||||
The "sysconf_dir" and "xinetd_dir" are unique to the "SENTRYCD-RH" branch. Unlike
|
||||
the other directives, these are used to replace the files located in the /etc/xinetd.d/
|
||||
and the /etc/sysconfig/ directories. The /etc/sysconfig/ directory contains most of the
|
||||
configuration files used by the init scripts(in /etc/rc.d/init.d/) on systems such as
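Review bot: this hunk removes both enumerated lists of supported rc/config files (sentrycd and sentrycd-RH) in favour of a pointer to the sample sentry.conf in SENTRY/scripts/cd-config/. That is a defensible maintenance choice, but the lists were the only place the document showed that passwd, shadow, group and the ssh_host_*key files can be replaced from a floppy or a URL at boot, and the webmin and shorewall directives introduced later in this commit now have no reference list at all; consider keeping a short table of the security-sensitive directives with a note that the sample file is authoritative. Also, "since a non-Slackware system wouldn't know to do with a file called "rc.M"" is missing "what" ("wouldn't know what to do"), in both the old and the rewritten line, and "The "sysconf_dir" and "xinetd_dir" are unique to the "SENTRYCD-RH" branch" conflicts with the heading later in this commit that is renamed to "Other SENTRY-{RH,DEB} Specific Directives".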
|
||||
|
@ -805,7 +712,7 @@ define the hostname itself.
|
|||
|
||||
|
||||
<newline>
|
||||
<sect1> Other sentrycd-RH Specific Directives
|
||||
<sect1> Other SENTRY-{RH,DEB} Specific Directives
|
||||
<p> Besides the "xinetd_dir" and "sysconf_dir" directives, mentioned above,
|
||||
there is another directive that is unique to the sentrycd-RH branch.
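Review bot: the heading now reads "Other SENTRY-{RH,DEB} Specific Directives", but the unchanged paragraph beneath it still says "there is another directive that is unique to the sentrycd-RH branch", and the branch names used elsewhere in this commit are "SENTRYCD-RH" and "SENTRYCD-DEB", not "SENTRY-RH". Either extend the paragraph to cover the DEB branch or keep the heading at RH only, and use the SENTRYCD- prefix consistently.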
|
||||
|
||||
|
@ -831,14 +738,158 @@ usually not necessary, but is used to actually replace the startup script locate
|
|||
|
||||
To get a better idea of how this works, please take a look at the sample "sentry.conf"
|
||||
file located either on the CD or online at
|
||||
<url url="http://www.SentryFirewall.com/files/scripts/cd-config/sentrycd-rh/sentry.conf"
|
||||
name="http://www.SentryFirewall.com/files/scripts/cd-config/sentrycd-rh/sentry.conf">
|
||||
<url url="http://www.sentryfirewall.com/files/sentrycd-rh-devel/scripts/cd-config/sentry.conf"
|
||||
name="http://www.sentryfirewall.com/files/sentrycd-rh-devel/scripts/cd-config/sentry.conf">
|
||||
|
||||
|
||||
<!-- END SECTION 5.0 -->
|
||||
|
||||
|
||||
<!-- BEGIN SECTION 6.0 -->
|
||||
|
||||
<newline>
|
||||
<sect> Setting Up a Firewall
|
||||
<sect1> Starting the Firewall
|
||||
<P>
|
||||
Ok, so the project is called the Sentry *Firewall* CD. So where's the firewall?
|
||||
Well, it's important to note that this system is capable of quite a bit more than your
|
||||
standard bootable floppy or CD firewall. In fact it is a pretty complete Linux system
|
||||
on a CD, and as with any Linux system the "firewall" is set up using scripts and various
|
||||
userland utilities such as ipchains or iptables.
|
||||
|
||||
IPChains or IPTables firewall scripts generally take the form of shell scripts
|
||||
that are customized by the user and run at boot-time. If you already have a
|
||||
ruleset for your firewall simply edit the "rc.firewall" directive in your
|
||||
"sentry.conf" file to point to your firewall script on your floppy or on a
|
||||
remote HTTP(S)/FTP/SCP/SFTP server as explained above. The firewall will
|
||||
then be run at boot time.
|
||||
|
||||
|
||||
<newline>
|
||||
<sect1> Using FWBuilder with the Sentry Firewall CD
|
||||
<p>
|
||||
FWBuilder(http://www.FWBuilder.org/) is a firewall configuration and management
|
||||
system. The advantage to this application is that it provides a graphical user
|
||||
interface to develop and modify firewall rulesets on various platforms using
|
||||
various utilities. The Firewall rulesets that are created with FWBuilder are
|
||||
completely compatible with the Sentry Firewall CD, and with just about any Linux
|
||||
firewall.
|
||||
|
||||
As with most Linux firewalls there are no X11 binaries or libraries on the Sentry
|
||||
Firewall CD, so you will need to develop the firewall ruleset on a separate workstation
|
||||
using fwbuilder and then upload the ruleset to the various firewalls/routers/nodes
|
||||
on the network. The following are the basic steps required to get your new fwbuilder
|
||||
ruleset running on the Sentry CD:
|
||||
|
||||
<itemize>
|
||||
<item> Configure your new firewall to your liking with fwbuilder(duh).
|
||||
<item> Save your firewall. Choose File->Save As, and choose an appropriate name.
|
||||
The file will normally be saved as "whatever.xml".
|
||||
<item> Compile the firewall. Choose Rules->Compile. The ruleset will be compiled
|
||||
and turned into a shell script called "whatever.fw".
|
||||
<item> You will then want to copy "whatever.fw" to your configuration floppy and use
|
||||
the "rc.firewall" configuration directive in your sentry.conf file to point to
|
||||
your new firewall script. The firewall script will be copied to
|
||||
/etc/rc.d/rc.firewall during the configuration process and run at boot-time.
|
||||
</itemize>
|
||||
|
||||
<p>
|
||||
Please note that it is not necessary to reboot the Sentry Firewall CD every time
|
||||
you update your firewall script. You may simply upload the new script to the
|
||||
Sentry Firewall and run it. But just make sure that you copy the final draft of
|
||||
your script to the configuration floppy so that it will be run at boot-time.
|
||||
|
||||
|
||||
<newline>
|
||||
<sect1> Using Webmin with the Sentry Firewall CD
|
||||
<p>
|
||||
As of version 1.5.0-rc3 Webmin(http://www.webmin.com/) is available on the CD.
|
||||
Among many of the other default modules available with webmin - of which not all
|
||||
have been fully tested - Webmin includes two modules for generating and managing
|
||||
your firewall setup. These modules are located in the "Networking" section of the
|
||||
webmin interface. In this section you will see the "Linux Firewall" and "Shorewall
|
||||
Firewall" modules, either of which are available for your use.
|
||||
|
||||
The addition of Webmin also adds four new configuration directives -
|
||||
<verb>
|
||||
start_webmin = <enable | disable> ## enable|disable webmin. Default == disable.
|
||||
webmin_config = <path/to/config> ## Main webmin config(/etc/webmin/config).
|
||||
miniserv.conf = <path/to/miniserv.conf> ## Config file for webmin http(s) daemon.
|
||||
miniserv.pem = <path/to/miniserv.pem> ## SSL cert for webmin http(s) daemon.
|
||||
## An SSL cert will be created by rc.webmin if
|
||||
## one is not specified.
|
||||
miniserv.users = <path/to/miniserv.users> ## Password file used for webmin.
|
||||
## Default user:pass is sentry:SENTRY.
|
||||
## NOTE: If this file is not replaced webmin
|
||||
## will NOT start!
|
||||
</verb>
|
||||
|
||||
<p>
|
||||
<bf>Note:</bf> The modifications made by these web interface tools are, of course, not
|
||||
permanent. Any files altered will need to be placed on a floppy or on a remote server and
|
||||
declared in your sentry.conf file as explained in previous sections.
|
||||
|
||||
<p>
|
||||
Many of these web interface tools do not simply generate a firewall script, but rather
|
||||
set up a firewall and use the 'iptables-save' and 'iptables-restore' utilities to dump and
|
||||
load the firewall. The file created by 'iptables-save' must be loaded using 'iptables-restore',
|
||||
it cannot be run like a shell script. By default this file is placed in "/etc/rc.d/rc.firewall.save".
|
||||
Once you configure your firewall to your liking you will need to place the rc.firewall.save file on a
|
||||
floppy or a remote server and declare its location using the "rc.firewall.save" directive in the
|
||||
sentry.conf file. With the sentrycd and sentyrcd-devel branches, the rc.firewall and rc.firewall.save
|
||||
files are normally run automatically at boot-time from rc.inet2.
|
||||
|
||||
<p>
|
||||
As of verions 1.5.0-rc3 the Shorewall(http://www.shorewall.net/) firewall scripts are available on
|
||||
the Sentry Firewall CD. Webmin also comes with a module to configure and set up Shorewall, although
|
||||
Shorewall can be configured manually as well. Shorewall utilizes a number of configuration files
|
||||
located in /etc/shorewall. The sentry.conf file recognizes the "shorewall.conf" configuration directive,
|
||||
but if any of the other configuration files in /etc/shorewall need to be replaced you will need to do
|
||||
so manually using the "|=" configuration directive.
|
||||
|
||||
|
||||
<newline>
|
||||
<sect1> Other Sample Firewall Scripts and Tools
|
||||
<p> Sample firewall scripts can be found in the /SENTRY/scripts/firewall
|
||||
directory on the CD. These are just a few firewall scripts I found on the
|
||||
Internet and have put here for your convenience. If you do a search on
|
||||
<url url="http://www.google.com/" name="google">
|
||||
or
|
||||
<url url="http://www.freshmeat.net/" name="freshmeat.net">
|
||||
you will probably find several others pretty easily.
|
||||
|
||||
<p>
|
||||
I have also added "Easy Firewall Generator" (http://easyfwgen.morizot.net/) and
|
||||
"IPTables Script Generator" (http://iptables.linux.dk/) to the CD. These are PHP
|
||||
scripts that can assist you in creating a ruleset for your Sentry Firewall CD system.
|
||||
In order to view these you will need to start the Apache web server on a running Sentry
|
||||
Firewall CD system, and then direct your browser to the IP address of your Sentry
|
||||
Firewall. The scripts should be available in the "firewall" directory.
|
||||
|
||||
<p>
|
||||
Please note that these web-based scripts will often generate a script for you, but you
|
||||
will still need to take that generated script and place at on a floppy or on a remote
|
||||
server and edit the "rc.firewall" directive in the sentry.conf file to point to your
|
||||
new script.
|
||||
|
||||
|
||||
<newline>
|
||||
<sect1> Links to Other Firewall Resources
|
||||
<p>
|
||||
<url url="http://www.netfilter.org/documentation/index.html#HOWTO" name="Netfilter HOWTO"><newline>
|
||||
<url url="http://www.netfilter.org/documentation/index.html#FAQ" name="Netfilter FAQ"><newline>
|
||||
<url url="http://www.netfilter.org/documentation/index.html#tutorials" name="Netfilter Tutorials">
|
||||
|
||||
<p>
|
||||
If there are any other resources you think I should add to this section, please email me at
|
||||
<url url="mailto:Obsid@Sentry.net" name="Obsid@Sentry.net">.
|
||||
|
||||
|
||||
<!-- END SECTION 6.0 -->
|
||||
|
||||
|
||||
<!-- BEGIN SECTION 7.0 -->
|
||||
|
||||
<newline>
|
||||
<sect> Troubleshooting
|
||||
<sect1> Booting Problems
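Review bot: the Webmin directive block is the security-relevant part of the new section and needs two clarifications in the prose. First, the miniserv.users comment says the default user:pass is sentry:SENTRY and that webmin will NOT start unless that file is replaced; that is the right safeguard, but it should be stated in the paragraph text as well, with a word on how to produce a replacement file, since a comment inside a <verb> block is easy to miss. Second, "An SSL cert will be created by rc.webmin if one is not specified" on a CD-based system means a fresh, unverifiable certificate on every boot; say that supplying miniserv.pem through the directive is how an administrator gets a stable certificate to check before typing the Webmin password. Typos in the same hunk: "verions 1.5.0-rc3" should be "versions", "sentyrcd-devel" should be "sentrycd-devel", "place at on a floppy" should be "place it on a floppy", and "either of which are available" should be "either of which is available".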
|
||||
|
@ -911,9 +962,9 @@ Sentry-Users mailing list. Other mailing lists are listed at
|
|||
</itemize>
|
||||
|
||||
|
||||
<!-- END SECTION 6.0 -->
|
||||
<!-- END SECTION 7.0 -->
|
||||
|
||||
<!-- BEGIN SECTION 7.0 -->
|
||||
<!-- BEGIN SECTION 8.0 -->
|
||||
|
||||
<newline>
|
||||
<sect> Building a Custom Sentry CD
|
||||
|
@ -941,8 +992,8 @@ system, and it is from here that I compile the needed tools, kernels, etc and
|
|||
basically run everything.
|
||||
|
||||
To make this easy for you, the Sentry Firewall CD ISO is basically an exact
|
||||
copy of what's in /mnt/CD-FW/ on my hard drive. All I did was use the 'mkisofs'
|
||||
utility on /mnt/CD-FW.
|
||||
copy of what's in /mnt/CD-FW/ on my hard drive. I simply use the 'mkisofs'
|
||||
utility on /mnt/CD-FW to create the ISO image.
|
||||
|
||||
If you simply want to get started, perhaps try the following steps:
|
||||
<itemize>
|
||||
|
@ -1013,7 +1064,7 @@ the rootdisk. Please read that file and the disclaimer before you decide to
|
|||
use it. It runs perfectly on my system, but may not run well at all on yours.
|
||||
It basically attempts to create a rootdisk image to use with the Sentry CD, but
|
||||
it is very long and may be somewhat difficult to comprehend at times. This is
|
||||
what happens when I start a project and fail to utilize proper child safety
|
||||
what happens when I start hacking around and fail to utilize proper child safety
|
||||
restraints.
|
||||
|
||||
|
||||
|
@ -1036,7 +1087,7 @@ root@mybox:/mnt/CD-FW# mkisofs -o sentrycd.iso -R -V "Sentry Firewall CD [v1.x.x
|
|||
|
||||
And that's it, I burn the CD and test it. For reference, the following
|
||||
files are available on the CDROM and online at
|
||||
<url url="http://www.SentryFirewall.com/files/scripts/MK-CD/" name="http://www.SentryFirewall.com/files/scripts/MK-CD/">
|
||||
<url url="http://www.SentryFirewall.com/" name="http://www.SentryFirewall.com/">
|
||||
<itemize>
|
||||
<item> /SENTRY/scripts/MK-CD/mkrootdsk.sh (builds the rootdisk)
|
||||
<item> /SENTRY/scripts/MK-CD/mkiso.sh (builds final ISO image)
|
||||
|
@ -1045,10 +1096,10 @@ files are available on the CDROM and online at
|
|||
|
||||
|
||||
|
||||
<!-- END SECTION 7.0 -->
|
||||
<!-- END SECTION 8.0 -->
|
||||
|
||||
|
||||
<!-- BEGIN SECTION 8.0 -->
|
||||
<!-- BEGIN SECTION 9.0 -->
|
||||
|
||||
<newline>
|
||||
<sect> More About the Sentry Firewall Project
|
||||
|
@ -1106,7 +1157,7 @@ Bellevue, WA 98008 <newline>
|
|||
<bf>Email:</bf> <url url="mailto:Obsid@Sentry.net" name="Obsid@Sentry.net">
|
||||
|
||||
|
||||
<!-- END SECTION 8.0 -->
|
||||
<!-- END SECTION 9.0 -->
|
||||
|
||||
|
||||
</article>
|
||||
|
|