
5. Setting Up a Firewall

5.1 Starting the Firewall

Ok, so the project is called the Sentry *Firewall* CD. So where's the firewall? Well, it's important to note that this system is capable of quite a bit more than your standard bootable floppy or CD firewall. In fact it is a pretty complete Linux system on a CD, and as with any Linux system the "firewall" is set up using scripts and various userland utilities such as ipchains or iptables.

IPChains or IPTables firewall scripts generally take the form of shell scripts that are customized by the user and run at boot-time. If you already have a ruleset for your firewall simply edit the "rc.firewall" directive in your "sentry.conf" file to point to your firewall script on your floppy or on a remote HTTP(S)/FTP/SCP/SFTP server as explained above. The firewall will then be run at boot time.

It is also important to note that many of the firewall building tools available - including some that are mentioned in later sections - do not simply generate a firewall shell script, but rather set up a running firewall and use the 'iptables-save' and 'iptables-restore' utilities to dump/load the firewall configuration to/from a file. A file created by 'iptables-save' must be loaded using 'iptables-restore'; it cannot simply be executed like a shell script. Therefore if you want to load your firewall from a file that was created by iptables-save, then you may save the file on your configuration floppy and declare its location using the "rc.firewall.save" directive in the sentry.conf file, instead of using the "rc.firewall" directive.
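Because a file produced by iptables-save must go under "rc.firewall.save" while an executable script goes under "rc.firewall", it helps to check which kind of file you are pointing sentry.conf at before booting. The following is an added example (not part of the Sentry Firewall CD or its scripts) that inspects a file's contents and prints the matching directive; the two sample files are constructed here and the floppy path is whatever you pass in.

```shell
#!/bin/sh
# Added example: classify a firewall file as an iptables-save dump or a shell
# script and print the sentry.conf directive that should reference it.

# Prints "save" for an iptables-save dump, "script" for a shell script,
# "unknown" (and returns 1) otherwise.
classify_firewall_file() {
    f="$1"
    [ -r "$f" ] || { echo "unknown"; return 1; }
    # iptables-save output has table headers such as "*filter", chain
    # policy lines such as ":INPUT DROP [0:0]" and ends each table with COMMIT.
    if grep -q '^\*[a-z]*$' "$f" && grep -q '^COMMIT$' "$f"; then
        echo "save"; return 0
    fi
    # A firewall shell script: a shebang, or direct iptables/ipchains calls
    # (the $IPT variable convention is common in hand-written rc.firewall files).
    if head -n 1 "$f" | grep -q '^#!' || \
       grep -Eq '^[[:space:]]*(\$IPT|iptables|ipchains)[[:space:]]' "$f"; then
        echo "script"; return 0
    fi
    echo "unknown"; return 1
}

# Prints the sentry.conf line for the given file path.
sentry_directive() {
    case "$(classify_firewall_file "$1")" in
        save)   echo "rc.firewall.save = $1" ;;
        script) echo "rc.firewall = $1" ;;
        *)      echo "# $1: neither a firewall script nor an iptables-save dump" ;;
    esac
}

# Constructed sample files: a minimal default-deny script and its saved form.
TMP=$(mktemp -d)
cat > "$TMP/rc.firewall" <<'EOF'
#!/bin/sh
IPT=/usr/sbin/iptables
$IPT -P INPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
cat > "$TMP/firewall.save" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
sentry_directive "$TMP/rc.firewall"
sentry_directive "$TMP/firewall.save"
```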


5.2 Using FWBuilder with the Sentry Firewall CD

FWBuilder (http://www.FWBuilder.org/) is a firewall configuration and management system. The advantage of this application is that it provides a graphical user interface to develop and modify firewall rulesets on various platforms using various utilities. The firewall rulesets that are created with FWBuilder are completely compatible with the Sentry Firewall CD, and with just about any Linux firewall.

As with most Linux firewalls there are no X11 binaries or libraries on the Sentry Firewall CD, so you will need to develop the firewall ruleset on a separate workstation using fwbuilder and then upload the ruleset to the various firewalls/routers/nodes on the network. The following are the basic steps required to get your new fwbuilder ruleset running on the Sentry CD:

Please note that it is not necessary to reboot the Sentry Firewall CD every time you update your firewall script. You may simply upload the new script to the Sentry Firewall and run it. But just make sure that you copy the final draft of your script to your configuration floppy so that it will be copied to the ramdisk and run at boot-time.


5.3 Using Webmin with the Sentry Firewall CD

As of version 1.5.0-rc3 Webmin (http://www.webmin.com/) is available on the CD. Among the many default modules that ship with Webmin - not all of which have been fully tested - are two modules for generating and managing your firewall setup. These modules are located in the "Networking" section of the Webmin interface, where you will see the "Linux Firewall" and "Shorewall Firewall" modules; either is available for your use.

The addition of Webmin also adds four new configuration directives for your sentry.conf file -

    start_webmin = <enable | disable>           ## enable|disable webmin.  Default == disable.
    webmin_config = <path/to/config>            ## Main webmin config (/etc/webmin/config).
    miniserv.conf = <path/to/miniserv.conf>     ## Config file for webmin http(s) daemon.
    miniserv.pem = <path/to/miniserv.pem>       ## SSL cert. for webmin http(s) daemon.
                                                ## An SSL cert. will be created by rc.webmin if
                                                ## one is not specified.
    miniserv.users = <path/to/miniserv.users>   ## Password file used for webmin.
                                                ## Default user:pass is sentry:SENTRY.
                                                ## NOTE: If this file is not replaced webmin
                                                ## will NOT start!

Note1: By default the miniserv HTTP daemon listens on port 11111 on the loopback interface. You will need to edit the miniserv.conf file to change this behavior.

Note2: The modifications made by these web interface tools are, of course, not permanent. Any files altered will need to be placed on a floppy or on a remote server and declared in your sentry.conf file as explained in previous sections.

As of version 1.5.0-rc3 the Shorewall (http://www.shorewall.net/) firewall scripts are available on the Sentry Firewall CD. Webmin also comes with a module to configure and set up Shorewall, although Shorewall can be configured manually as well. Shorewall uses a number of configuration files located in "/etc/shorewall". The sentry.conf file recognizes the "shorewall.conf" configuration directive, but if any of the other configuration files in "/etc/shorewall" need to be replaced you will need to do so manually using the "|=" copy directive.


5.4 Other Sample Firewall Scripts and Tools

Sample firewall scripts can be found in the "/SENTRY/scripts/firewall" directory on the CD. These are just a few firewall scripts I found on the Internet and have put here for your convenience. If you do a search on Google or freshmeat.net you will probably find several others pretty easily.

I have also added "Easy Firewall Generator" (http://easyfwgen.morizot.net/) and "IPTables Script Generator" (http://iptables.linux.dk/) to the CD. These are PHP scripts that can assist you in creating a ruleset for your Sentry Firewall CD system. In order to view these you will need to start the Apache web server on a running Sentry Firewall CD system, and then direct your browser to the IP address of your Sentry Firewall. The scripts should be available in the "firewall" directory.

Please note that these web-based tools will often generate a script for you, but you will still need to take that generated script, place it on a floppy or on a remote server, and edit the "rc.firewall" directive in the sentry.conf file to point to your new script.


5.5 Links to Other Firewall Resources

Netfilter HOWTO
Netfilter FAQ
Netfilter Tutorials

If there are any other resources you think I should add to this section, please email me at Obsid@Sentry.net.


