
2. How the CD Works (Overview)

This section gives an overview of how the Sentry Firewall CD works, from loading the kernel to running the Sentry Firewall CD configuration scripts located on the RAMDisk.

2.1 The Boot Process

Booting from the CDROM is a fairly familiar process. The BIOS executes the bootloader (Syslinux), which displays a boot prompt and loads the kernel and ramdisk into memory. Once the kernel is running, the ramdisk is mounted as root (/) and "init" is run, which in turn starts the startup scripts.

As of version 1.5.0-rc11 the Sentry Firewall CD utilizes a tmpfs file system for its root partition. The tmpfs file system, also known as "virtual memory file system" or "shm fs", provides two major advantages:

As a result of this development, the boot sequence of the Sentry Firewall CD has changed to the following (roughly):


Early versions of the Sentry Firewall CD utilized the 2.88MB floppy emulation method, along with either lilo or syslinux, to boot the kernel and load the ramdisk. This method proved very limiting for two reasons: A) the total size of the compressed ramdisk AND kernel was limited to 2.88MB, and B) it was quite slow compared to the current method.

The Sentry Firewall CD currently uses the isolinux.bin boot record with no emulation to boot the CDs properly. This allows us to use a much larger ramdisk and to offer a choice of several kernels at boot time.

More information about syslinux can be found at

2.3 The CD Configuration Scripts

An obvious necessity for deploying CDROM-based systems is the ability to configure the system dynamically for various environments with different configurations, and a good majority of this project is dedicated to building exactly that. A simple way to do this is to give the user the ability to customize the startup scripts and files located in /etc before they are actually used.

At boot time, the "/etc" directory and its subdirectories are nearly empty. On many Linux systems, the first startup script to run is /etc/rc.d/rc.S, /etc/init.d/rcS, /etc/rc.d/rc.sysinit or something similar; the /etc/inittab file is actually responsible for defining this. It is from this startup script that we run the configuration scripts, which look for a configuration file called "sentry.conf" and place the proper configuration and system files in /etc and various subdirectories under /etc.

The sentry.conf file tells the configuration scripts where to go to obtain current copies of files that should be replaced. These files will often be configuration or startup files and will mainly reside in /etc, although they could be placed anywhere on the system the user prefers. If a configuration directive for a specific file is not found in the sentry.conf file, or if a configuration file cannot be found at all, then the default system files, which are located in /etc/default/* on the ramdisk, are used.
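The fallback behaviour described above can be sketched in shell. This is an added example, not the project's own perl scripts: the two-column "target source" directive format and the assumption that the defaults tree mirrors /etc are made up for the illustration, since the real sentry.conf syntax is not shown here.

```shell
#!/bin/sh
# Added illustration, not the project's perl scripts. ASSUMPTIONS: a two-column
# "target source" directive format (the real sentry.conf syntax is not shown on
# this page) and a defaults tree that mirrors /etc (default/hosts -> /etc/hosts).

# lookup_source CONF TARGET: print the configured source for TARGET, if any.
lookup_source() {
    [ -r "$1" ] || return 1              # no configuration file found at all
    while read -r key value; do
        case "$key" in ''|'#'*) continue ;; esac
        if [ "$key" = "$2" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done < "$1"
    return 1                             # no directive for this file
}

# populate_etc DEFAULTS CONF ROOT: fill ROOT/etc, one line of output per file.
populate_etc() {
    defaults=$1; conf=$2; root=$3
    ( cd "$defaults" && find . -type f ) | sed 's|^\./||' | sort |
    while read -r rel; do
        target="/etc/$rel"
        chosen="$defaults/$rel"          # fallback: the ramdisk default
        if src=$(lookup_source "$conf" "$target") && [ -r "$src" ]; then
            chosen=$src                  # directive present and source readable
        fi
        mkdir -p "$(dirname "$root$target")"
        cp "$chosen" "$root$target"
        echo "$target <- $chosen"
    done
}

# demo: constructed sample tree; leaves its location in $d.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/default/rc.d" "$d/media" "$d/root"
    echo 'default hosts'    > "$d/default/hosts"
    echo 'default resolv'   > "$d/default/resolv.conf"
    echo 'default firewall' > "$d/default/rc.d/rc.firewall"
    echo 'site firewall'    > "$d/media/rc.firewall"
    printf '%s\n' '# target source' \
        "/etc/rc.d/rc.firewall $d/media/rc.firewall" \
        "/etc/resolv.conf $d/media/missing" > "$d/sentry.conf"
    populate_etc "$d/default" "$d/sentry.conf" "$d/root"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The `target <- source` lines it prints record which files came from the configuration source and which fell back to the ramdisk defaults, which is useful when checking what a booted system is actually running with.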

As previously mentioned, our configuration scripts are generally run from an init script located in /etc/{rc.d,init.d}/. The first of our configuration scripts to run is called '', which is essentially the mainline for the entire program. The other scripts that are used are called '', '', '' and ''. These scripts were written specifically for this project, and are essentially the mainstay of the entire configuration process.

An in-depth review of these scripts is a little beyond the scope of this document, but they are covered a bit in the Sentry Firewall CD Reference Guide available on the website ( The files are written in perl and are actually responsible for much of the overall configuration of the system. In short, however, they perform the following tasks:
