Sentry Firewall CD HOWTO
Stephen A. Zarkos, Obsid@Sentry.net <mailto:Obsid@Sen
try.net>
v1.3.1, 2003-08-18
This document is designed as an introduction on how the Sentry Fire
wall CDROM <http://www.SentryFirewall.com/> works and how to get
started using the system.
______________________________________________________________________
Table of Contents
1. Introduction
1.1 What is the Sentry Firewall CD?
1.2 Why would I use a CD-based firewall or server?
1.3 I'm a Linux newbie, will the Sentry Firewall CD be a good choice for me?
1.4 What's with all these branches(SENTRYCD/SENTRYCD-RH/SENTRYCD-xxx)? What's the difference between the branches?
1.5 Minimum Requirements
1.6 Copyrights and Disclaimer
2. How the CD Works (Overview)
2.1 The Boot Process
2.2 ISOLINUX
2.3 The CD Configuration Scripts
3. Obtaining the CDROM
3.1 Downloading
3.2 Purchasing
3.3 Burning the CDROM
4. Using the Sentry Firewall CDROM
4.1 Introduction
4.2 The sentry.conf file
4.2.1 Example
4.3 Network Configuration
4.3.1 Example
4.4 Other Useful Configuration Directives
4.5 Putting it all together, managing multiple nodes from a single location.
4.6 Example sentry.conf and disk images
5. Overview of Available Configuration Directives
5.1 Replacing rc/config files
5.2 'device' directive support
5.3 'nameserver' directive
5.4 Proxy Support Directives
5.5 Passive FTP Support
5.6 'include' directive
5.7 Copying files (|=)
5.8 Making Symlinks (=>)
5.9 'cdrom' directive
5.10 'cron' directive
5.11 hostname
5.12 Other SENTRY-{RH,DEB} Specific Directives
5.12.1 Start/Stop a Service or Daemon
6. Setting Up a Firewall
6.1 Starting the Firewall
6.2 Using FWBuilder with the Sentry Firewall CD
6.3 Using Webmin with the Sentry Firewall CD
6.4 Other Sample Firewall Scripts and Tools
6.5 Links to Other Firewall Resources
7. Troubleshooting
7.1 Booting Problems
7.2 Configuration Problems
7.3 Frequently Asked Questions
7.4 Mailing List
8. Building a Custom Sentry CD
8.1 Introduction
8.2 The development system(How I do it)
8.3 The RAMdisk Image
8.4 Making the ISO Image
9. More About the Sentry Firewall Project
9.1 Goals
9.2 Supporting the Project
9.3 About the Author
9.4 Contacting the Author
______________________________________________________________________
1. Introduction
This is the long-overdue Sentry Firewall CDROM howto. I hope this
document helps get you started using the Sentry Firewall CD and
answers any questions you might have regarding how the system works.
The most current version of this howto can be obtained at the
following URL: <http://www.SentryFirewall.com/files/howto/>.
If you would like to add anything to this document, or if you have any
questions or comments please feel free to email me, Obsid@Sentry.net
<mailto:Obsid@Sentry.net?subject=HOWTO>.
1.1. What is the Sentry Firewall CD?
The Sentry Firewall CD is a Linux-based bootable CDROM suitable for
use in a variety of different operating environments. The system is
designed to be configured dynamically via a floppy disk or over a
network. This allows one to configure the system dynamically, eventho
much of the actual system is on read-only(CDROM) media.
1.2. Why would I use a CD-based firewall or server?
There are several advantages of using a CDROM based system in various
security related environments. The main system is centered around the
ramdisk; a compressed file system image which is loaded into RAM at
boot time. Any changes to the ramdisk image are temporary, and will
be undone upon the next reboot. Furthermore, the ramdisk, kernel,
binaries, etc, related to the operating system are kept on read-only
media(CDROM). This means that if the security of a box running a
CDROM based system is ever compromised the attacker can at best own
the box until the next reboot. So there is no real threat of having
to go through the tedious task of rebuilding and hardening the system
after a successful attack is discovered.
1.3. I'm a Linux newbie, will the Sentry Firewall CD be a good choice
for me?
At the moment, there are at least a couple variations of the Sentry
Firewall CD that are based on various Linux distributions. You should
first choose the Linux distribution you are most familiar with. More
information on the different types can be found on the web site -
http://www.SentryFirewall.com/.
Basically, the Sentry Firewall CD is meant to be configured just like
a normal Slackware or Redhat or whatever Linux system. There are no
GUIs, no scripts to do it for you. The idea behind the configuration
of the CD is that you are able to reconfigure the system by replacing
the startup scripts and the various configuration files normally
present on the system at boot time. Most of these are simply text
files and shell scripts that you need to edit by hand in order
configure properly. There are, however, usually plenty of resources
available to assist you in configuring a specific service or
daemon(HOWTOs on linux.org, for example).
1.4. What's with all these branches(SENTRYCD/SENTRYCD-RH/SENTRYCD-
xxx)? What's the difference between the branches?
First, let me explain briefly how the Sentry Firewall CD works.
Basically, there is the "host" system, a Linux system that is based on
one of several Linux distributions. Then there are the configuration
scripts, written in perl, that run after the kernel boots and help
configure the system on the fly. In general, it is possible to create
a Sentry Firewall CD system based on nearly any Linux distribution
while only modifying one of the five perl scripts.
So, to answer your question, each Sentry Firewall CD branch utilizes
similar configuration methods, but are simply based on different Linux
distributions. Since I'm a Slackware fan, I used that distribution as
the foundation for the original Sentry Firewall CD(the "SENTRYCD"
branch). It has always been my desire to utilize other Linux
distributions for this project, which is why I created the "SENTRYCD-
RH" branche. There will no doubt eventually be other branches and
variations.
Sentry Firewall CD Development Branches:
· SENTRYCD - Slackware-like Sentry Firewall CD.
· SENTRYCD-DEB - Debian-like Sentry Firewall CD. (In Development)
· SENTRYCD-RH - RedHat-like Sentry Firewall CD. (Deprecated)
In any case, all the basic functionality is present in each branch.
But since different Linux distributions are configured differently,
using different rc files or files in /etc/sysconfig for example, some
of the configuration directives(explained below) will vary between the
two branches.
1.5. Minimum Requirements
· x86 computer with CD-ROM
· BIOS that supports the eltorito standard(booting from the cdrom).
· 32MB RAM(64MB or more recommended)
· Easy access to coffee/tea/soda or equivalent stimulant.
· Floppy disk drive(optional)
1.6. Copyrights and Disclaimer
The current copyright and disclaimer can be found on the website;
<http://www.SentryFirewall.com/files/COPYRIGHT>. It applies to the
Sentry Firewall CD, and all the scripts and documentation associated
with it.
2. How the CD Works (Overview)
This section is just an overview to explain how the Sentry Firewall CD
works, that is, from the process of loading the kernel to running the
Sentry Firewall CD configuration scripts located on the RAMDisk.
2.1. The Boot Process
Booting from the CDROM is a fairly familiar process. The BIOS execs
the bootloader(Syslinux) - which then displays a bootprompt and loads
the kernel and ramdisk into memory. Once the kernel is running, the
ramdisk is then mounted as root(/).
An obvious necessity for deploying CDROM based systems is the ability
to dynamically configure the system for various environments with
different configurations, which is what a good majority of this
project is dedicated to building. A simple way to do this is to give
the user the ability to customize the startup scripts located in
/etc/rc.d before they are actually used, as well as the ability to
customize other important system configuration files.
At boot time, the /etc and /etc/rc.d directories are nearly empty. On
a Slackware system the first rc file to run is /etc/rc.d/rc.S - and it
is from this file where we run the configuration scripts that look for
a configuration file(sentry.conf), and place the proper configuration
and system files in /etc and various subdirectories under /etc. On
other Linux systems, such as RedHat, the configuration scripts would
be run from rc.sysinit. If there is not a configuration directive for
a specific file, or if a configuration file cannot be found, then the
default system files are used - which are located in /etc/default/* on
the ramdisk.
2.2. ISOLINUX
Early versions of the Sentry Firewall CD utilized the 2.88MB floppy
emulation method, along with either lilo or syslinux to boot the
kernel and load the ramdisk. This method proved very limiting for two
reasons; A) the total size of the compressed ramdisk AND kernel was
limited to 2.88MB, and B) it was quite slow compared to the current
method.
The Sentry Firewall CD is currently utilizing the isolinux.bin boot
record with no emulation in order to properly boot the CDs. This
allows us to use a much larger ramdisk and offer a choice of several
kernels to boot at boot time.
More information about syslinux can be found at syslinux.zytor.com
<http://syslinux.zytor.com/>.
2.3. The CD Configuration Scripts
As previously mentioned, our configuration scripts which reside in
/etc/rc.d/SENTRY/ on the ramdisk are generally run from an rc script
in /etc/rc.d/. The first script to run is called 'cd-config.pl',
which is essentially the mainline for the entire program. The other
scripts that are used are called 'get_config.pl', specifically for
this project, and are essentially the mainstay of the entire
configuration process.
In depth review of these scripts is a little beyond the scope of this
document, but is covered a bit in the file called 'DOCUMENTATION'
available on the website ( <http://www.SentryFirewall.com/>). The
files are written in perl, and do several important things; read in
and parse the configuration file(sentry.conf), locate and retrieve the
important files detailed in the sentry.conf file, and replace the
system default files with the ones the user has defined in the
configuration file.
3. Obtaining the CDROM
3.1. Downloading
The CDROM is distributed as a gzip or bzip2 compressed iso image, and
is generally between 95-105MB in size. ISO images for the sentyrcd-RH
branch are generally much larger, between 150-200MB in size.
Available download mirrors are listed on the websites;
<http://www.SentryFirewall.com/> or <http://Sentry.Sourceforge.net/>.
3.2. Purchasing
Although the iso image is free to use and distribute, copies of the
Sentry Firewall CD mailed to you at a minimal cost. Custom versions
of the CD and support can also be made available and tailored to a
specific network configuration.
For more information about these services, please email me
<mailto:Obsid@Sentry.net>.
3.3. Burning the CDROM
This section will attempt a general overview on how to burn the CD iso
image once you have obtained it from one of the mirrors. All the
commands presume you're working in Linux. Buring ISO images in
Windows is not covered in this howto. If you are using windows then
check out the CD Burning Howto <http://www.e-
smith.org/docs/howto/CD_burning_howto.php3>
First, let's decompress the iso image:
NOTE: Make sure you have enough disk space, the decompressed iso image
can be somewhere between 250MB and 400MB.
blah@wherever:~$ gzip -d sentrycd.iso.gz
or
blah@wherever:~$ bzip2 -d sentrycd.iso.bz2
Verify the integrity of the iso image,
blah@wherever:~$ md5sum -b sentrycd.iso
Now, let's try to burn the CD. You'll need the 'cdrecord' utility
available, it can be obtained here
<http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/cdrecord.html>.
You will want to run 'cdrecord -scanbus' in order to find the 'dev'
value required for the following command. You will also need to know
the write speed of your CDRW. Details on how to set this all up are
beyond the scope of this document, please refer to the CD Writing
HOWTO <http://www.linux.org/docs/ldp/howto/CD-Writing-HOWTO.html> for
more details.
blah@wherever:~$ DEV="DEV_LINE_HERE" SPEED="SPEED"
blah@wherever:~$ cdrecord -v -data speed=$SPEED dev=$DEV sentrycd.iso
That's it, you now have a Sentry Firewall CDROM. By the way, you may
have to be 'root' to do all this.
Keep in mind, if you simply want to look at the ISO image without
actually burning the CD, you can mount the image on a loopback device;
blah@wherever:~$ mount -o loop ./sentrycd.iso /MOUNT_POINT
Where "MOUNT_POINT" is where you would like the CD mounted. You may
then 'cd' to the MOUNT_POINT directory and poke around - don't forget
to 'umount' the image once you're finished. This assumes you have
support in your kernel for the loopback device. You probably do, but
once again, recompiling kernels is beyond the scope of this document.
4. Using the Sentry Firewall CDROM
4.1. Introduction
The configuration scripts which are run from /etc/rc.d/rc.S first look
for a configuration file called 'sentry.conf' on a floppy disk which,
if present, will be mounted on /floppy. In order to configure the
Linux system for use in any particular environment the user must have
the ability to replace the system default files with his/her own
copies. The 'sentry.conf' file basically tells the configuration
scripts which files it should replace and where those files are.
A good example of a sentry.conf file can be found on the Sentry
Firewall CD in the directory /SENTRY/scripts/cd-config/.
Configuration floppy disk images(1.44M) can also be found in
/SENTRY/images/ on the CD. These files are also available on the
website, http://www.SentryFirewall.com/
<http://www.SentryFirewall.com/>
4.2. The sentry.conf file
The main configuration file for the system is called 'sentry.conf'.
It will first be looked for on a floppy disk(/dev/fd0). The file
accepts several configuration directives, many of which will be
discussed below.
4.2.1. Example
A basic configuration file looks like the following (everything after
a '#' sign is interpreted as a comment):
----snip----
## Basic Sentry Firewall CD config file(sentry.conf)
rc.local = /floppy/config1/rc.local
fstab = /floppy/config1/fstab
passwd = /floppy/config1/passwd
shadow = /floppy/config1/shadow
# EOF #
----snip----
The syntax is pretty simple, the default 'rc.local' file will be
replaced with the user defined 'rc.local' file located in the
'/floppy/config1/' directory. Same goes for 'fstab', 'passwd', and
the 'shadow' file. But it is important to remember, the first place
the sentry.conf file will be looked for is on /dev/fd0, which if
found, will be mounted on /floppy. This is why all these files appear
to be located in the /floppy directory, it is simply the mount point
for the floppy disk.
NOTE: As of version 1.3.0, a user may now omit the `/floppy' prefix.
So, for example a line in sentry.conf that says the following:
shadow = config1/shadow
Will be assumed to mean(in most cases) the following:
fstab = /floppy/config1/shadow
As long as /floppy/config1/shadow exists.
following will likely not be parsed correctly:
foo.conf = /floppy/config1/foo.conf
The configuration scripts only recognize a certain number of
configuration files, so it probably won't know what to do with
"foo.conf". There are other very easy ways to copy configuration
files into their proper location, however. These methods will be
discussed below.
4.3. Network Configuration
As of version 1.0.5, a new syntax for the configuration directives are
recognized; those with an "http://" or "ftp://" prefix. This
basically means that the following syntax is now supported:
inetd.conf = ftp://[user:pass@]123.123.123.123/config1/inetd.conf
hosts = http://[user:pass@]123.123.123.123/config1/hosts
As of version 1.3.0, "https://", "scp://", and "sftp://" URLs are also
supported. For example:
shadow = scp://<user>:<pass>@123.123.123.123/dir/shadow
passwd = sftp://<user>:<pass>@123.123.123.123/dir/passwd
fstab = https://[user:pass@]123.123.123.123/dir/fstab
NOTE: The username and password fields are required when retrieving
files via scp or sftp. Empty passwords are not permitted.
ability to set up an ethernet interface, as well as obtain nameserver
information from the sentry.conf file. The syntax to accomplish this
is the following:
device{1..10} = <device>:<driver>:<IP address>[|Gateway_IP]
or..
device{1..10} = <device>:<driver>:dhcp[|Hostname]
And to set up a nameserver:
nameserver = <IP_ADDRESS>
you may also set up a proxy server. The following directives will
allow you to do so (they may not all be required for your setup):
http_proxy = http://<hostname>/
ftp_proxy = http://<hostname>/
proxy-user = <PROXY_USER>
proxy-passwd = <PROXY_PASSWORD>
Passive FTP may also be required. If so, use the 'passive-ftp'
option, ie:
passive-ftp = <on|off> ## Default == off
driver and can obtain its ip address from a DHCP server, we can use
the following line:
device1 = eth0:tulip:dhcp
As you can see, a total of 10 devices are allowed. Let's say we now
want to set up an interface "eth1" that uses an "rtl8139" chip, and
has a static IP(192.168.1.2) and a default gateway(192.168.1.1):
device2 = eth1:8139too:192.168.1.2|192.168.1.1
NOTE: It is important to keep in mind that whatever devices you set up
during the configuration process will be promptly taken down after the
configuration is complete. This setup is only used so you can
retrieve configuration files over the network, via
http(s)/ftp/scp/sftp. For more permanent network configuration,
please use the rc.inet1 file.
4.3.1. Example
----snip----
## Basic Sentry Firewall CD config file to retrieve files via HTTP(s)/FTP/SCP/SFTP.
device1 = eth0:tulip:192.168.1.2|192.168.1.1
nameserver = 123.123.123.123 ## This should be the IP of your DNS server.
rc.M = ftp://user:pass@config.sentry.net/node1/rc.M
rc.inet1 = http://user:pass@config.sentry.net/all_nodes/rc.inet1
passwd = scp://user:pass@config.sentry.net/all_nodes/passwd
shadow = sftp://user:pass@config.sentry.net/node1/shadow
# EOF #
----snip----
4.4. Other Useful Configuration Directives
Copy file /floppy/someconfig.conf to /etc/someconfig.conf -
/floppy/someconfig.conf |= /etc/someconfig.conf
OR, this does the same thing -
/etc/someconfig.conf = /floppy/someconfig.conf
and this is also possible(v1.3.0) -
/etc/someconfig.conf = ftp://<server>/someconfig.conf
Make a symlink called /etc/someconfig.conf that points to
/etc/otherconfig.conf -
/etc/someconfig.conf => /etc/otherconfig.conf
The include directive. Grabs another sentry.conf file either from
another location -
include = ftp://user:pass@config.sentry.net/node1/sentry.conf
Keep in mind, however, that the include directive is one of the first
directives to be parsed. Any configuration directives parsed from the
included sentry.conf file that conflict with directives in the
previously parsed sentry.conf files will clobber the old ones.
4.5. Putting it all together, managing multiple nodes from a single
location.
In order to manage multiple nodes at a single location, you can use a
bare sentry.conf file located on a floppy disk, and then grab files
from your ftp or http servers.
----snip----
## Basic Sentry Firewall CD config file.
device1 = eth0:tulip:dhcp
nameserver = <DNS_IP>
include = ftp://user:pass@config.sentry.net/node1/sentry.conf
----snip----
The included sentry.conf file will then be parsed, and files replaced
via http or ftp if you like. You can now edit your sentry.conf and
configuration files at a central location.
4.6. Example sentry.conf and disk images
An example configuration disk image is available on the CDROM. The
disk is an ext2 formatted disk, and is located in the
'/SENTRY/images/' directory on the CD. There is also a very complete
sentry.conf file on the disk which may help clarify alot of these
directives. Use a command like the following to create the
configuration disk:
blah@wherever:~$ dd if=/cdrom/SENTRY/images/ext2-144.img of=/dev/fd0
2880+0 records in
2880+0 records out
The disk images and a sample sentry.conf file can also be found on the
website, http://www.SentryFirewall.com/
<http://www.SentryFirewall.com/>
5. Overview of Available Configuration Directives
5.1. Replacing rc/config files
To replace a file that is supported by the configuration scripts, you
may use the following syntax:
filename_directive = /location/of/filename
Where "filename_directive is one of the directives listed below, and
the location of the file is often '/floppy/filename'. The file
location can also be a URL. The supported prefixed include "http://",
"https://", "ftp://", "sftp://", and "scp://".
As previously mentioned, there are at least two Sentry Firewall CD
branches with varying names like "SENTRYCD" and "SENTRY-RH". The only
difference between these branches is the "host" Linux distribution
that is utilized. And since Linux distributions utilize different
files during bootup, the accepted directives for the two branches
vary. For example, a Slackware system utilizes files such as "rc.S"
and "rc.M" to boot into single and multi-user modes. Other Linux
distributions, such as Red Hat, utilize different files such as
"rc.sysinit" and various files located in /etc/rc.d/init.d/.
Therefore, when running a sentrycd-RH system, which is not Slackware
based, it would be pointless to have a directive that states the
following:
rc.M = /floppy/rc.M
since a non-Slackware system wouldn't know to do with a file called
"rc.M". In any case, it is for this reason that the configuration
directives vary a bit between branches. The directives that are
available can be found in the sentry.conf file in the SEN
TRY/scripts/cd-config/ directory, or on the website.
the other directives, these are used to replace the files located in
the /etc/xinetd.d/ and the /etc/sysconfig/ directories. The
/etc/sysconfig/ directory contains most of the configuration files
used by the init scripts(in /etc/rc.d/init.d/) on systems such as Red
Hat systems.
Example:
sysconf_dir = /floppy/sysconfig
or
sysconf_dir = ftp://123.123.123.123/node1234/sysconfig
Please note that "/floppy/sysconfig" and "/node1234/sysconfig" are
directories that contain files you want placed in /etc/sysconfig/.
The "xinetd_dir" directive is used in the same way.
5.2.
Set up an ethernet device to use during configuration.
device[#] = [device_name]:[driver_name]:[IP_Address]<|gateway>
device[#] = [device_name]:[driver_name]:dhcp<|hostname>
NOTE: 1) <hostname> and <gateway> are optional, but sometimes required.
2) Most ethernet devices are supported. If you find one that isn't
and you think it should be, please let me know.
3) "device1" to "device10" are supported.
Examples:
device1 = eth0:tulip:192.168.1.50|192.168.1.1
device2 = eth1:via-rhine:dhcp
5.3.
Set up a nameserver to use during configuration.
nameserver = <DNS_IP>
5.4. Proxy Support Directives
Set up a proxy for pulling files via http(s), or ftp.
http_proxy = http://<hostname>/
ftp_proxy = http://<hostname>/
proxy-user = <PROXY_USER>
proxy-passwd = <PROXY_PASSWORD>
5.5. Passive FTP Support
Use passive ftp instead of active ftp to retrieve files.
passive-ftp = <on|off> ## Default == off
5.6.
Retrieve and parse another 'sentry.conf' file.
include = </location/of/sentry.conf>
Or, with network support -
include = <ftp|http>://[<user>:<pass>@]<SERVER_IP></path/to/sentry.conf>
5.7. Copying files (|=)
Copy file from one location to the other.
Syntax: source_file |= dest_file, OR
dest_file = source_file
Example: Copy file /floppy/daemon.conf to /etc/daemon.conf
/floppy/daemon.conf |= /etc/daemon.conf
or
/etc/daemon.conf = /floppy/daemon.conf
or
/etc/daemon.conf = scp://<user>:<pass>@<server>/config/daemon.conf
NOTE: http(s)/(s)ftp/scp support is only available with Sentry Fire
wall CD versions >= 1.3.0.
5.8. Making Symlinks (=>)
Create a symlink
Syntax: dest_file => source_file(where the symlink points to)
Example:
Make symlink called /etc/somefile.conf that points to /etc/otherfile.conf
/etc/somefile.conf => /etc/otherfile.conf
5.9.
Defines which device the CDROM is. Most of the time the CDROM is
detected and mounted using the /etc/rc.d/rc.cdrom script. But this
makes the process less error-prone.
Syntax: cdrom = <DEVICE>
Example:
cdrom = /dev/hdc
5.10.
Replace a user's crontab file(located in /var/spool/cron/crontabs/).
Syntax: cron:<USERNAME> = </LOCATION/OF/CRONTAB_FILE>
5.11. hostname
Defines the hostname of the local machine. This directive can be used
to either point to a file containing the hostname of the local
machine, or to define the hostname itself.
Syntax: hostname = </path/to/file>
or
hostname = MYHOSTNAME
5.12. Other SENTRY-{RH,DEB} Specific Directives
Besides the "xinetd_dir" and "sysconf_dir" directives, mentioned
above, there is another directive that is unique to the sentrycd-RH
branch.
5.12.1. Start/Stop a Service or Daemon
This directive gives you the ability to start or stop a service at
bootup. The syntax looks like the following:
service:[start|stop] = <path/to/service_init_file>
For example:
httpd:stop
or
httpd:start = /floppy/config/httpd
In the above example, we are telling the Sentry Firewall CD to either
start or stop the http daemon at bootup. The optional argument
"<path/to/service_init_file>" is usually not necessary, but is used to
actually replace the startup script located in /etc/rc.d/init.d/, in
case you ever wanted to do so.
To get a better idea of how this works, please take a look at the
sample "sentry.conf" file located either on the CD or online at
http://www.sentryfirewall.com/files/sentrycd-rh-devel/scripts/cd-
config/sentry.conf <http://www.sentryfirewall.com/files/sentrycd-rh-
devel/scripts/cd-config/sentry.conf>
6. Setting Up a Firewall
6.1. Starting the Firewall
Ok, so the project is called the Sentry *Firewall* CD. So where's the
firewall? Well, it's important to note that this system is capable of
quite a bit more than your standard bootable floppy or CD firewall.
In fact it is a pretty complete Linux system on a CD, and as with any
Linux system the "firewall" is set up using scripts and various
userland utilities such as ipchains or iptables.
IPChains or IPTables firewall scripts generally take the form of shell
scripts that are customized by the user and run at boot-time. If you
already have a ruleset for your firewall simply edit the "rc.firewall"
directive in your "sentry.conf" file to point to your firewall script
on your floppy or on a remote HTTP(S)/FTP/SCP/SFTP server as explained
above. The firewall will then be run at boot time.
6.2. Using FWBuilder with the Sentry Firewall CD
FWBuilder(http://www.FWBuilder.org/) is a firewall configuration and
management system. The advantage to this application is that it
provides a graphical user interface to develop and modify firewall
rulesets on various platforms using various utilities. The Firewall
rulesets that are created with FWBuilder are completely compatible
with the Sentry Firewall CD, and with just about any Linux firewall.
As with most Linux firewalls there are no X11 binaries or libraries on
the Sentry Firewall CD, so you will need to develop the firewall
ruleset on a separate workstation using fwbuilder and then upload the
ruleset to the various firewalls/routers/nodes on the network. The
following are the basic steps required to get your new fwbuilder
ruleset running on the Sentry CD:
· Configure your new firewall to your liking with fwbuilder(duh).
· Save your firewall. Choose File->Save As, and choose an
appropriate name. The file will normally be saved as
"whatever.xml".
· Compile the firewall. Choose Rules->Compile. The ruleset will be
compiled and turned into a shell script called "whatever.fw".
· You will then want to copy "whatever.fw" to your configuration
floppy and use the "rc.firewall" configuration directive in your
sentry.conf file to point to your new firewall script. The
firewall script will be copied to /etc/rc.d/rc.firewall during the
configuration process and run at boot-time.
Please note that it is not necessary to reboot the Sentry Firewall CD
every time you update your firewall script. You may simply upload the
new script to the Sentry Firewall and run it. But just make sure that
you copy the final draft of your script to the configuration floppy so
that it will be run at boot-time.
6.3. Using Webmin with the Sentry Firewall CD
As of version 1.5.0-rc3 Webmin(http://www.webmin.com/) is available on
the CD. Among many of the other default modules available with webmin
- of which not all have been fully tested - Webmin includes two
modules for generating and managing your firewall setup. These
modules are located in the "Networking" section of the webmin
interface. In this section you will see the "Linux Firewall" and
"Shorewall Firewall" modules, either of which are available for your
use.
The addition of Webmin also adds four new configuration directives -
start_webmin = <enable | disable> ## enable|disable webmin. Default == disable.
webmin_config = <path/to/config> ## Main webmin config(/etc/webmin/config).
miniserv.conf = <path/to/miniserv.conf> ## Config file for webmin http(s) daemon.
miniserv.pem = <path/to/miniserv.pem> ## SSL cert for webmin http(s) daemon.
## An SSL cert will be created by rc.webmin if
## one is not specified.
miniserv.users = <path/to/miniserv.users> ## Password file used for webmin.
## Default user:pass is sentry:SENTRY.
## NOTE: If this file is not replaced webmin
## will NOT start!
Note: The modifications made by these web interface tools are, of
course, not permanent. Any files altered will need to be placed on a
floppy or on a remote server and declared in your sentry.conf file as
explained in previous sections.
Many of these web interface tools do not simply generate a firewall
script, but rather set up a firewall and use the 'iptables-save' and
'iptables-restore' utilities to dump and load the firewall. The file
created by 'iptables-save' must be loaded using 'iptables-restore', it
cannot be run like a shell script. By default this file is placed in
"/etc/rc.d/rc.firewall.save". Once you configure your firewall to
your liking you will need to place the rc.firewall.save file on a
floppy or a remote server and declare its location using the
"rc.firewall.save" directive in the sentry.conf file. With the
sentrycd and sentyrcd-devel branches, the rc.firewall and
rc.firewall.save files are normally run automatically at boot-time
from rc.inet2.
As of verions 1.5.0-rc3 the Shorewall(http://www.shorewall.net/)
firewall scripts are available on the Sentry Firewall CD. Webmin also
comes with a module to configure and set up Shorewall, although
Shorewall can be configured manually as well. Shorewall utilizes a
number of configuration files located in /etc/shorewall. The
sentry.conf file recognizes the "shorewall.conf" configuration
directive, but if any of the other configuration files in
/etc/shorewall need to be replaced you will need to do so manually
using the "|=" configuration directive.
6.4. Other Sample Firewall Scripts and Tools
Sample firewall scripts can be found in the /SENTRY/scripts/firewall
directory on the CD. These are just a few firewall scripts I found on
the Internet and have put here for your convenience. If you do a
search on google <http://www.google.com/> or freshmeat.net
<http://www.freshmeat.net/> you will probably find several others
pretty easily.
I have also added "Easy Firewall Generator"
(http://easyfwgen.morizot.net/) and "IPTables Script Generator"
(http://iptables.linux.dk/) to the CD. These are PHP scripts that can
assist you in creating a ruleset for your Sentry Firewall CD system.
In order to view these you will need to start the Apache web server on
a running Sentry Firewall CD system, and then direct your browser to
the IP address of your Sentry Firewall. The scripts should be
available in the "firewall" directory.
Please note that these web-based scripts will often generate a script
for you, but you will still need to take that generated script and
place at on a floppy or on a remote server and edit the "rc.firewall"
directive in the sentry.conf file to point to your new script.
6.5. Links to Other Firewall Resources
Netfilter HOWTO
<http://www.netfilter.org/documentation/index.html#HOWTO>
Netfilter FAQ <http://www.netfilter.org/documentation/index.html#FAQ>
Netfilter Tutorials
<http://www.netfilter.org/documentation/index.html#tutorials>
If there are any other resources you think I should add to this
section, please email me at Obsid@Sentry.net
<mailto:Obsid@Sentry.net>.
7. Troubleshooting
7.1. Booting Problems
Booting problems are generally rare, and generally only occur on old
and buggy, or somehow non-compliant hardware. Booting problems can be
associated with a number of problems, depending upon at what point
during the boot process the failure occurs. The following are
possible causes of failure when booting from a CD.
· Old or buggy BIOSes that do not fully support the eltorito
standard. System may fail to load the isolinux bootloader or the
kernel.
· Problematic CDROM drives can cause various problems when booting
the CD. CD may or may not boot, and will generally have trouble
accessing files on the CD.
· Damaged CD, obviously can cause a number of problems, similar
symptoms as above.
· Insufficient hardware resources. Please see the "Minumum
Requirements" section of this howto for more information on what is
required to boot the CD.
· In the case of booting the Sentry Firewall CD, old or buggy floppy
disk drives or damaged floppy disks can also result in serious
problems, including curruption of the data on the floppy disk. The
inability for the configuration scripts to read and parse files
contained on the floppy disk can seriously inhibit the capability
of the system to configure itself properly.
In general, hardware issues cause the majority of problems during the
boot process of the Sentry Firewall CD, and may not always be easy to
diagnose. Generally, the first step in debugging a general boot
problem is to try and boot another CD in the same machine to attempt
to rule out a hardware problem. And then attempt to boot the Sentry
Firewall CD in another machine to attempt to rule out damage to the
CD. If both these tests produce no negative results, then perhaps
swap out the CDROM drives in the two machines, if possible, and do the
test again. Then perhaps check out the general mailing list(mentioned
below) for further assistance.
7.2. Configuration Problems
This section deals with configuration problems with the "sentry.conf"
file. The sentry.conf configuration file, as mentioned in previous
sections, tells the configuration scripts what to do during boot time
to configure the running system. Syntax errors in the script can
cause a file to be misplaced, or for the directive to not be parsed at
all.
Error messages during the boot process of the Sentry Firewall CD can
help greatly in diagnosing potential syntax or other types of errors.
So watch the CD boot and write down any error messages that may pop
up. Also, during bootup a logfile detailing the configuration process
is created at /var/log/SENTRY_LOG. If you can log in to the system
after it has booted, then take a look at this file for any obvious
error messages.
7.3. Frequently Asked Questions
A FAQ is currently being maintained on the Sentry Firewall website, it
can be accessed via the following URL:
<http://Sentry.SourceForge.net/files/FAQ>.
7.4. Mailing List
Thanks to SourceForge.net <http://www.SourceForge.net/>, there are
mailing lists available for the Sentry CD. You can look through the
archives, or subscribe to the general mailing list to ask questions or
make comments. The following are links for the general Sentry-Users
mailing list. Other mailing lists are listed at SentryFirewall.com
<http://www.SentryFirewall.com/>.
· Subscribe to Sentry-Users
<http://lists.sourceforge.net/lists/listinfo/sentry-users>
· Sentry-Users Archives <http://www.geocrawler.com/redir-
sf.php3?list=sentry-users>
8. Building a Custom Sentry CD
8.1. Introduction
This section will attempt to describe how to create a custom Sentry
Firewall CDROM. Unfortunately, I do not have time to go into every
detail. But at the very least I will try and provide for you an
overview of the CD creation process.
8.2. The development system(How I do it)
My development system consists of two separate Linux installations of
the same distribution, depending on what branch I'm working on. First,
I have a very complete <insert Linux distro here> installation on my
main hard drive(/dev/hda). I then have /dev/hdb1, upon which I have
another, bare bones, installation - this installation generally has no
compiling tools or X stuff.
I usually have /dev/hdb1 mounted on /mnt, that's not a critical
element, but I thought I'd mention it since I will refer to /mnt alot
from now on. I then have a directory called /CD-FW on the /dev/hdb1
installation, that is, if /dev/hdb1 is mounted on /mnt, then the
directory would be called /mnt/CD-FW/. Throughout this entire
process, the installation on /dev/hda is the live running system, and
it is from here that I compile the needed tools, kernels, etc and
basically run everything.
To make this easy for you, the Sentry Firewall CD ISO is basically an
exact copy of what's in /mnt/CD-FW/ on my hard drive. I simply use
the 'mkisofs' utility on /mnt/CD-FW to create the ISO image.
If you simply want to get started, perhaps try the following steps:
· Install a basic slackware system on some other partition, /dev/hdb1
perhaps.
· Reboot into your normal(linux) system and mount this new partition,
let's say on /mnt.
· Mount the Sentry CD somewhere, let's say on /mnt2
· type: mkdir /mnt/CD-FW
· type: cp -Rdp /mnt2/* /mnt/CD-FW/
· type: find /mnt/CD-FW/ -name 'TRANS.TBL' -type f -print | xargs rm
-f
This removes those 'TRANS.TBL' files that are created by mkisofs.
· Unmount /mnt2
· Run the following commands(in a script if you like) to update the
/mnt/CD-FW/ directory:
cp -Rdp /mnt/bin /mnt/CD-FW/
cp -Rdp /mnt/sbin /mnt/CD-FW/
cp -Rdp /mnt/lib /mnt/CD-FW/
cp -Rdp /mnt/usr/bin /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/sbin /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/local/bin /mnt/CD-FW/usr/local/
cp -Rdp /mnt/usr/lib /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/libexec /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/share /mnt/CD-FW/usr/
cp -Rdp /mnt/usr/man /mnt/CD-FW/usr/
NOTE: The above commands may spit out errors when working with certain
files(ie. hard links). These errors are annoying, but they're not
critical at all.
You now have a development system like, or similar to, my own :-)
Now, if you ever want to install an rpm update or a Slackware package
update(with upgradpkg), you can do the following:
root@mybox:~# cd /mnt; chroot /mnt
root@mybox:/# upgradepkg update.tgz
or
root@mybox:/# rpm --upgrade update.rpm
$ exit
Then, all I need to do is re-run the script mentioned above, the one
that copies all those files, to update the /mnt/CD-FW directory.
8.3. The RAMdisk Image
That's all nifty, but now comes the hard part... making the ramdisk.
If you take a look at the /isolinux directory on the CDROM, you will
see a bunch of files, one of them is called 'initrd.img' - there are
several others as well, such as isolinux.cfg, message.txt, and
isolinux.bin. These files are required by isolinux in order to work
properly. Take a look at those files and the documentation that comes
with syslinux to get a better idea of what all that does. In any
case, the 'initrd.img' file is, in fact, the compressed ramdisk image.
To take a look at the image, do something like the following:
blah@wherever:~$ cp /cdrom/isolinux/initrd.img /tmp/initrd.img.gz
blah@wherever:~$ gzip -d /tmp/initrd.img.gz
blah@wherever:~$ mount -o loop /tmp/initrd.img /MOUNT_POINT
In a nutshell, I use the file '/SENTRY/scripts/MK-CD/mkrootdsk.sh' to
create the rootdisk. Please read that file and the disclaimer before
you decide to use it. It runs perfectly on my system, but may not run
well at all on yours. It basically attempts to create a rootdisk
image to use with the Sentry CD, but it is very long and may be
somewhat difficult to comprehend at times. This is what happens when
I start hacking around and fail to utilize proper child safety
restraints.
8.4. Making the ISO Image
The next file I use is called 'mkiso.sh'. The script generally just
declares a few variables and runs the 'mkisofs' utility. The command
I normally run looks like the following:
root@mybox:~# cd /mnt/CD-FW
root@mybox:/mnt/CD-FW# mkisofs -o sentrycd.iso -R -V "Sentry Firewall CD [v1.x.x]" -v \
-T -d -D -N \
-b isolinux/isolinux.bin \
-c isolinux/eltorito.cat \
-no-emul-boot -boot-load-size 4 -boot-info-table \
-A "Sentry Firewall CD v1.x.x" .
........
And that's it, I burn the CD and test it. For reference, the
following files are available on the CDROM and online at
http://www.SentryFirewall.com/ <http://www.SentryFirewall.com/>
· /SENTRY/scripts/MK-CD/mkrootdsk.sh (builds the rootdisk)
· /SENTRY/scripts/MK-CD/mkiso.sh (builds final ISO image)
· /SENTRY/scripts/MK-CD/record-cd.sh (burns the ISO to a CD)
9. More About the Sentry Firewall Project
9.1. Goals
The general goal of this project is mentioned several times within the
documentation. That is simply, to build a bootable CDROM-based system
that can be easily and dynamically configured. In the end, I wanted
the configuration to rival that of any commercial router that utilizes
configuration files(ie. Cisco). I also wanted the system to be
simple, secure, and highly functional in a large number of operating
environments - not just as a firewall. This, of course, has proven to
be a difficult balance to maintain.
At the present time, the basic goals have been fulfilled. However, I
believe there is still a great deal of development that can and needs
to be done in order for the Sentry Firewall to be a truly diverse
Linux distribution.
9.2. Supporting the Project
There are various ways one can support this project. The easiest and
most common way is to simply utilize the system in a test or
production environment and send me suggestions, bugs, or other such
feedback. For those interested in assisting with the enhancement of
any of the Sentry Firewall CD branches, please check out the TODO file
located in /SENTRY/docs/TODO on the CD image, or online at
http://www.SentryFirewall.com/files/sentrycd/docs/TODO
<http://www.SentryFirewall.com/files/sentrycd/docs/TODO> or
http://www.SentryFirewall.com/files/sentrycd-rh/docs/TODO
<http://www.SentryFirewall.com/files/sentrycd-rh/docs/TODO>.
I do, on occasion, make the Sentry Firewall CD available for purchase.
I also accept donations including hardware, software, currency, or
anything else that you feel can help. Revenues from such donations or
CD sales will help support the continued development of the project.
If you are interested in supporting this project please feel free to
contact me at the information provided below, or email me at
Obsid@Sentry.net <mailto:Obsid@Sentry.net>.
9.3. About the Author
The Sentry Firewall project has only ever had a single developer,
Stephen Zarkos(me) of Bellevue, Washington(USA). I began work on the
project around April of 2000, probably ruining 200 CD-Rs before I got
my first stable Sentry Firewall CD. And for the last two years I have
been continuing to develop, enhance and maintain the project - give or
take a few months here and there while I took a short hiatus(marriage,
education, etc).
From the beginning, this project has proven to be quite popular, and
has received a great deal of support and feedback from its loyal
users. This kind of support has proven invaluable, and has kept me
motivated to continue to develop this project. There is nothing I
would rather do right now than work on and enhance this system,
however since I do not get paid to develop this project, it is only a
part-time endeavor. Even so, the positive comments and feedback I
receive has without a doubt made this the most enjoyable project I
have ever been a part of.
9.4. Contacting the Author
Mailing Address:
Sentry Firewall CD Project
C/O Stephen A. Zarkos
P.O. Box 6133
Bellevue, WA 98008
Email: Obsid@Sentry.net <mailto:Obsid@Sentry.net>
