9. Building a Custom Sentry CD

9.1 Introduction

This section will attempt to describe how to create a custom Sentry Firewall CDROM. I may not be able to go into every detail, but at the very least I will try and provide a thorough overview of the CD creation process.

9.2 The development system(How I do it)

My development system consists of two separate Linux installations of the same distribution; Slackware/Redhat/Debian, depending on what branch I'm working on. My environment looks something like the following:

• / (root)
  Contains the running development system. This is often a pretty full featured Linux installation where I can compile and work on stuff. You can install as much, or as little, as you like on this main system.
• /SENTRYCD-DIR
  This directory contains another Linux installation of the same distribution as the main system. This installation generally has far fewer packages installed - no X stuff or compiling tools. Many of the programs and files contained within this system will end up on the Sentry Firewall CD.
• /SENTRYCD-DIR/CD-FW
  This directory contains those files and directories that will become the actual Sentry Firewall CD ISO image. Much of the files in this directory are pulled from the /SENTRYCD-DIR directory, by hand at first, and then later with a script when updates are required.

So the Sentry Firewall CD ISO is basically an exact copy of the contents of the /SENTRYCD-DIR/CD-FW directory. I use the 'mkisofs' utility to create the ISO image. There is also a script available on the CD called mkiso.sh that can assist you in creating a working CD image.

Unfortunately, it is not currently possible to edit an iso9660 image directly. So, if you simply want to modify the contents of the CDROM and create a new image you can try doing the following:

• Mount the Sentry Firewall CD somewhere, let's say on /cdrom.
  For example: mount /dev/scd0 /cdrom
• Make a directory to store the contents of the CDROM.
  For example: mkdir /CD-FW
• Copy the contents of the CDROM to the new directory.
  cp -Rdp /cdrom/* /CD-FW/
• Now we need to remove those 'TRANS.TBL' files, these were created by the mkisofs program when the ISO was created.
  find /CD-FW -name 'TRANS.TBL' -type f -print | xargs rm -f
• Unmount the CDROM.
• You may now customize the contents of the /CD-FW directory. Then use the mkiso.sh script to create a new ISO image. More information on creating an ISO image can be found later on in this chapter.

9.3 The RAMDisk Image

That's all nifty, but now comes the hard part - making the ramdisk. If you take a look at the /isolinux directory on the CDROM, you will see a bunch of files -

• initrd.img - This is the gzip compressed ramdisk image.
• isolinux.bin - This file acts as a boot record for the CD(important).
• isolinux.cfg - This is the configuration file for isolinux.
• message.txt - This contains the message displayed at boot time.

There is also a directory in /isolinux called "kernels". This is where the Linux kernel(s) reside for the Sentry Firewall CD. You can add your own custom kernel(s) or replace the default ones. If you do so you may also need to customize the isolinux.cfg file to declare your new kernels and options. More information about configuring and using isolinux can be found at http://syslinux.zytor.com/.

• Note: Syslinux is a DOS-based bootloader, which means you're stuck with the 8.3 naming scheme when naming your kernel and isolinux configuration files.

To look at and modify the initrd.img image, do something like the following:

blah@wherever:~$ cp /cdrom/isolinux/initrd.img /tmp/initrd.img.gz
blah@wherever:~$ gzip -d /tmp/initrd.img.gz
blah@wherever:~$ mount -o loop /tmp/initrd.img /MOUNT_POINT

You may then cd to /MOUNT_POINT and edit the files on the rootdisk. Once you are finished you can then unmount and gzip the initrd.img file and place it back in the isolinux directory.

mkrootdsk.sh

Although the above method will allow you to customize the rootdisk to your liking, this is not the method I use to create the rootdisk. I use a script called 'mkrootdsk.sh'. This is a bash shell script that formats/mounts the disk image, and then creates or copies the files to the disk image as needed.

If you would like to attempt to use the mkrootdsk.sh script please be sure to read through it first, as it tends to be a bit hacky at times. It runs perfectly on my development system, but may not run well at all on yours. The output from the script should look something like the following:

   Sentry Firewall CD-ROM: mkrootdsk.sh
   Copyright (C) Stephen A. Zarkos, Obsid@Sentry.net
   Ok, let's get to it...

   [+] Creating /root/rootdisk/root... Done.
   [+] Ok, starting to copy stuff to the rootdisk...
   [+] Making directories: root dev proc etc sbin bin lib mnt mnt1 mnt2 mnt3 mnt4 opt 
cdrom floppy tmp    tmp/drivers var initrd... Done.
   [+] Copying /dev files... Done.
   [+] Working in /var... Done.
   [+] Working in /home... Done.
   [+] Working in /bin... Done.
   [+] Working in /sbin... Done.
   [+] Working in /lib... Done.
   [+] Working in /etc... Done.
   [+] Building drivers-2.4.tar.gz(network config support).
       [+] Using /cdrom/lib/modules/2.4.25GENERIC.
   [+] Tar/Gzipping /root/rootdisk/root... Done.
   [+] Zeroing out file: /root/rootdisk/initrd.img... Done.
   [+] Creating ext2 file system on /root/rootdisk/initrd.img... Done.
   [+] Mounting initrd.img on /root/rootdisk/mnt... Done.
   [+] Copying files to rootdisk... Done.

   [+] /root/rootdisk/initrd.img is still mounted, do you want me
       to unmount it? (y/n) y
       [+] Unmounting /root/rootdisk/mnt... Done.
       [+] Gzipping /root/rootdisk/initrd.img... Done.

   Location of new rootdisk --> /root/rootdisk/initrd.img

9.4 Making the ISO Image

I use called 'mkiso.sh' to create the ISO image. The script simply declares a few variables and runs the 'mkisofs' utility. The command I normally run looks like the following:

me@mybox:~# cd /SENTRYCD-DIR/CD-FW
me@mybox:/mnt/CD-FW# mkisofs -o sentrycd.iso -R -V "Sentry Firewall CD [v1.x.x]" -v \
   -T -d -D -N \
   -b isolinux/isolinux.bin \
   -c isolinux/eltorito.cat \
   -no-emul-boot -boot-load-size 4 -boot-info-table \
   -A "Sentry Firewall CD v1.x.x" .
... <lots of output> ...

And that's it, I burn the ISO to a CD and test it. For reference, the following files are available on the CDROM and online at http://www.SentryFirewall.com/

• /SENTRY/scripts/MK-CD/mkrootdsk.sh (builds the rootdisk)
• /SENTRY/scripts/MK-CD/mkiso.sh (builds final ISO image)
• /SENTRY/scripts/MK-CD/record-cd.sh (burns the ISO to a CD)