The Sentry Firewall CD configuration scripts are run shortly after the rootdisk is mounted as root (/). The first objective of these scripts is to look for and parse a configuration file called 'sentry.conf'. The scripts will first try to find the file on a floppy disk, which, if found, will be mounted on "/floppy". If a sentry.conf file is not found in "/floppy", then a default configuration will be used.
In order to configure the Linux system for use in any particular environment the user must have the ability to replace the system default files with his/her own copies. The 'sentry.conf' file basically tells the configuration scripts which files it should replace and where those files are.
The main configuration file for the system is called 'sentry.conf'. The file accepts several configuration directives, many of which will be discussed below. It may also be a good idea to take a look at the default sentry.conf file which is available on the ISO in the "<CDROM>/SENTRY/scripts/cd-config/" directory, on the disk images (discussed later), or on the project website. This file contains all the currently supported directives for the particular branch it was designed for, as well as a bunch of useful comments inline.
The configuration scripts will attempt to mount several devices in their attempt to locate the sentry.conf file.
A basic configuration file looks like the following (everything after a '#' sign is interpreted as a comment):
----snip----
## Basic Sentry Firewall CD config file(sentry.conf)
rc.local = /floppy/config1/rc.local
fstab = /floppy/config1/fstab
passwd = /floppy/config1/passwd
shadow = /floppy/config1/shadow
# EOF #
----snip----
The syntax is pretty simple: the default 'rc.local' file will be replaced with the user-defined 'rc.local' file located in the '/floppy/config1/' directory. The same goes for 'fstab', 'passwd', and the 'shadow' file. It is important to remember that the first place the sentry.conf file will be looked for is on /dev/fd0 or /dev/sda1 (USB device), which, if found, will be mounted on /floppy. This is why all these files appear to be located in the /floppy directory; it is simply the mount point for the floppy disk or the USB device. NOTE: As of version 1.3.0, a user may omit the '/floppy' prefix. So, for example, a line in sentry.conf that says the following:
shadow = config1/shadow
will be assumed to mean (in most cases) the following:
shadow = /floppy/config1/shadow
as long as config1/shadow exists on the configuration floppy.
Unfortunately, you cannot arbitrarily replace files, for example the following will likely not be parsed correctly:
foo.conf = /floppy/config1/foo.conf
The configuration scripts only recognize a certain number of configuration files, so it probably won't know what to do with "foo.conf". There are other very easy ways to copy unknown configuration files into their proper location, however. These methods will be discussed below.
As of version 1.0.5, a new syntax for the configuration directives is recognized: values with an "http://" or "ftp://" prefix. This basically means that the following syntax is now supported:
inetd.conf = ftp://[user:pass@]123.123.123.123/config1/inetd.conf
hosts = http://[user:pass@]123.123.123.123/config1/hosts
As of version 1.3.0, "https://", "scp://", and "sftp://" URLs are also supported. For example:
shadow = scp://<user>:<pass>@123.123.123.123/dir/shadow
passwd = sftp://<user>:<pass>@123.123.123.123/dir/passwd
fstab = https://[user:pass@]123.123.123.123/dir/fstab
NOTE: The username and password fields are required when retrieving files via scp or sftp. Empty passwords are not permitted.
In order to accomplish this, the configuration scripts need to have the ability to set up an ethernet interface, as well as obtain nameserver information from the sentry.conf file. We use the 'device' directive to set up an interface for network configuration support.
Usage: device{1..10} = <device>:<driver>:<IP address>[|Gateway_IP]
OR device{1..10} = <device>:<driver>:dhcp[|Hostname]
And to set up a nameserver:
Usage: nameserver = <IP_ADDRESS>
Additionally, when retrieving files using "http", "https", or "ftp", you may also set up a proxy server. The following directives will allow you to do so (they may not all be required for your setup):
http_proxy = http://<hostname>/
ftp_proxy = http://<hostname>/
proxy-user = <PROXY_USER>
proxy-passwd = <PROXY_PASSWORD>
Passive FTP may also be required. If so, use the 'passive-ftp' option, i.e.:
passive-ftp = <on|off> ## Default == off
For example, to set up an interface called "eth0", which uses the "tulip" driver and can obtain its IP address from a DHCP server, we can use the following line:
device1 = eth0:tulip:dhcp
As you can see, a total of 10 devices are allowed. Let's say we now want to set up an interface "eth1" that uses the "8139too" driver and has a static IP (192.168.1.2) and a default gateway (192.168.1.1):
device2 = eth1:8139too:192.168.1.2|192.168.1.1
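Parsing the two forms of the 'device<n>' directive described above, as an added example that is not part of the original HOWTO or of the CD's own configuration scripts; the field names in the returned dictionary, the IPv4 validation, and the deliberately malformed third sample line are this example's own additions:

```python
import ipaddress

# Added example, not the Sentry Firewall CD's own scripts: parses
#   device<n> = <device>:<driver>:<IP address>[|Gateway_IP]
#   device<n> = <device>:<driver>:dhcp[|Hostname]
# The returned field names and the IPv4 validation are this example's own.

def parse_device(line):
    """Parse one device directive; raise ValueError if it is malformed."""
    key, _, value = (s.strip() for s in line.partition("="))
    if not (key.startswith("device") and key[6:].isdigit() and 1 <= int(key[6:]) <= 10):
        raise ValueError(f"not a device1..device10 directive: {key!r}")
    fields = value.split(":")
    if len(fields) != 3 or not all(fields):
        raise ValueError(f"expected <device>:<driver>:<IP|dhcp>, got {value!r}")
    dev, driver, addr = fields
    addr, _, extra = addr.partition("|")   # '|Gateway_IP' (static) or '|Hostname' (dhcp)
    entry = {"index": int(key[6:]), "device": dev, "driver": driver}
    if addr.lower() == "dhcp":
        entry.update(mode="dhcp", hostname=extra or None)
    else:
        # IPv4Address raises a ValueError subclass on anything that is not an address
        entry.update(mode="static", ip=str(ipaddress.IPv4Address(addr)),
                     gateway=str(ipaddress.IPv4Address(extra)) if extra else None)
    return entry

def check_devices(conf_text):
    """Return (parsed, errors) for every device directive in a sentry.conf text,
    ignoring comments and unrelated directives."""
    parsed, errors = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # everything after '#' is a comment
        if not line.startswith("device"):
            continue
        try:
            parsed.append(parse_device(line))
        except ValueError as exc:
            errors.append(f"{line!r}: {exc}")
    return parsed, errors

# Constructed sample lines: the page's two examples plus one deliberately bad address.
SAMPLE = """device1 = eth0:tulip:dhcp
device2 = eth1:8139too:192.168.1.2|192.168.1.1   # static IP with gateway
device3 = eth2:e100:300.1.1.1                    # constructed: not a valid IPv4
"""
```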
IMPORTANT NOTES:
----snip----
## Basic Sentry Firewall CD config file to retrieve files via HTTP(S)/FTP/SCP/SFTP.
device1 = eth0:tulip:192.168.1.2|192.168.1.1
nameserver = 123.123.123.123 ## This should be the IP of your DNS server.
rc.M = ftp://user:pass@config.sentry.net/node1/rc.M
rc.inet1 = http://user:pass@config.sentry.net/all_nodes/rc.inet1
passwd = scp://user:pass@config.sentry.net/all_nodes/passwd
shadow = sftp://user:pass@config.sentry.net/node1/shadow
# EOF #
----snip----
The particular files you need to replace depends entirely on your needs as well as the Sentry Firewall CD branch you are working with. Please take a look at the sample sentry.conf file for a list of the available configuration directives for each branch.
Here is a short list of files of particular interest:
Generic Directives (not branch-specific):
SENTRYCD Branch
SENTRYCD-DEB Branch
Please keep in mind that the Sentry Firewall CD is capable of performing a great many tasks in a number of operating environments. Ramdisk space permitting, you may replace and customize as many or as few files as you wish to suit your needs.
It is worthwhile to note, however, that "/usr" on the ramdisk is actually a symlink to "/cdrom/usr", and thus is read-only. Therefore, files in /usr cannot be added or replaced using the sentry.conf file. The only way to manipulate the contents of the /usr directory is to rebuild the ISO image, which will be discussed in later sections.
Copy file '/floppy/someconfig.conf' to '/etc/someconfig.conf'
Usage: /floppy/someconfig.conf |= /etc/someconfig.conf
OR, this does the same thing:
/etc/someconfig.conf = /floppy/someconfig.conf
and this is also possible:
ftp://<server>/someconfig.conf |= /etc/someconfig.conf
/etc/someconfig.conf = ftp://<server>/someconfig.conf
Make a symlink called '/etc/someconfig.conf' that points to '/etc/otherconfig.conf'.
Usage: /etc/someconfig.conf => /etc/otherconfig.conf
Note: The 'mkdir' directive is only available with the Sentry Firewall CD versions 1.5.0-rc14 or newer.
Syntax: mkdir <PATH/DIRECTORY>[:MASK]
Make a directory in the specified location with the specified permissions (MASK). MASK is optional and defaults to 0755 (rwxr-xr-x). This directive can be useful if you want to copy files at boot-time to a directory that does not exist on the ramdisk by default.
The 'include' directive grabs another sentry.conf file from another location.
Usage: include = ftp://user:pass@config.sentry.net/node1/sentry.conf
NOTE: Any configuration directives parsed from the new sentry.conf file will clobber any identical directives that were previously declared.
Note: The 'path<#>' directive is only available with the Sentry Firewall CD versions 1.5.0-rc13 or newer.
Path statements tell the configuration scripts where to look for files. These can specify a path on a local or remote system. The variables "path1" to "path10" are allowed.
Syntax: path<#> = <PATH>
path<#> = <URI>
NOTE: <URI> should point to a directory on a remote system, NOT just a file.
Examples:
path1 = /floppy/node1/config/
path2 = scp://user:pass@someserver/node123/config/
path3 = http://user:pass@someserver/node123-backup/config/
etc etc...
You may then use the following syntax when declaring a file within your sentry.conf:
Examples: squid.conf = squid.conf
or /etc/someconf.conf = someconf.conf
The configuration scripts will first look for "squid.conf" or "someconf.conf" in $m_point, which is usually /floppy. If it isn't found, then the system will try path1..path10 in order until "squid.conf" or "someconf.conf" is found. This not only makes for less typing when creating your sentry.conf, but it also allows you to add some redundancy to the configuration process.
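The lookup rules just described (comment stripping, the '=', '|=' and '=>' forms, the optional '/floppy' prefix, path1..path10 tried in order, and later directives clobbering earlier ones), modelled in Python as an added example; this is not the CD's own configuration scripts, and the sample file and the set of "existing" files are constructed for the demonstration:

```python
import posixpath

# Added example (not the project's scripts) of the sentry.conf file-directive rules.
MOUNT_POINT = "/floppy"          # the page's $m_point
URL_PREFIXES = ("http://", "https://", "ftp://", "scp://", "sftp://")
OPERATORS = ("|=", "=>", "=")    # longest first so '|=' and '=>' are not read as '='

def parse_sentry_conf(text):
    """Return (entries, paths): entries maps destination -> (kind, source), a later
    identical destination clobbering an earlier one; paths maps n -> path<n>."""
    entries, paths = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # '#' starts a comment
        op = next((o for o in OPERATORS if o in line), None)
        if op is None:
            continue
        lhs, rhs = (s.strip() for s in line.split(op, 1))
        if op == "|=":                                # '<src> |= <dest>'
            entries[rhs] = ("copy", lhs)
        elif op == "=>":                              # '<link> => <target>'
            entries[lhs] = ("symlink", rhs)
        elif lhs.startswith("path") and lhs[4:].isdigit() and 1 <= int(lhs[4:]) <= 10:
            paths[int(lhs[4:])] = rhs.rstrip("/") + "/"
        else:                                         # '<name or dest> = <src>'
            entries[lhs] = ("copy", rhs)
    return entries, paths

def resolve(source, paths, exists):
    """Absolute paths and URLs are used as given; a relative name is tried under
    MOUNT_POINT first, then path1..path10 in order.  None if nothing exists."""
    if source.startswith("/") or source.startswith(URL_PREFIXES):
        return source if exists(source) else None
    candidates = [posixpath.join(MOUNT_POINT, source)]
    candidates += [paths[n] + source for n in sorted(paths)]
    return next((c for c in candidates if exists(c)), None)

SAMPLE_CONF = """# constructed sample sentry.conf, not a real configuration
path1 = /floppy/node1/config/
path2 = scp://user:pass@someserver/node123/config/
squid.conf = squid.conf
/etc/someconf.conf = someconf.conf
/floppy/someconfig.conf |= /etc/someconfig.conf
/etc/localtime => /usr/share/zoneinfo/GMT
shadow = config1/shadow   # /floppy prefix omitted (allowed since 1.3.0)
"""
SAMPLE_FILES = {"/floppy/config1/shadow", "/floppy/node1/config/squid.conf",   # constructed
    "scp://user:pass@someserver/node123/config/someconf.conf", "/floppy/someconfig.conf"}

def locate_all(text=SAMPLE_CONF, files=SAMPLE_FILES):
    entries, paths = parse_sentry_conf(text)
    return {dest: resolve(src, paths, files.__contains__)
            for dest, (kind, src) in entries.items() if kind == "copy"}
```

locate_all() returns, for each copy destination, where its source was found (None if nowhere), so a configuration floppy can be checked before booting from it.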
The 'cdrom' directive defines which device the CDROM is. Most of the time the CDROM is detected and mounted using the /etc/rc.d/rc.cdrom script, but setting it explicitly makes the process less error-prone.
Usage: cdrom = <DEVICE>
Example: cdrom = /dev/hdc
The 'cron' directive replaces a user's crontab file.
Usage: cron:<USERNAME> = </LOCATION/OF/CRONTAB_FILE>
Where <USERNAME> is a valid username on a running Sentry Firewall system.
The 'hostname' directive defines the hostname of the local machine. This directive can be used to either point to a file containing the hostname of the local machine, or to define the hostname itself.
Usage: hostname = </path/to/file>
or hostname = MYHOSTNAME
Note: The 'add_swap' directive is only available with the Sentry Firewall CD versions 1.5.0-rc11 or newer.
The 'add_swap' directive tells the configuration scripts to add a swap partition at configuration time. If the ":format" option is appended to the variable, then the configuration scripts will also format the partition before activating it.
Warning: An improper setting of this variable could cause serious damage to data.
Usage: add_swap = /dev/hda1
add_swap = /dev/hda1:format
Note: The 'root_size' directive is only available with the Sentry Firewall CD versions 1.5.0-rc11 or newer.
The 'root_size' directive allows one to change the size of root (/) at configuration time (before any other files are copied). By default the root filesystem is around 18MB in size. This option allows you to change the size of the root filesystem if you need more or less space. Also, since root is mounted on a tmpfs filesystem, this area can be swapped out as needed. The suffix g, m, or k is accepted for binary giga, mega and kilo. If no suffix is added, a size in megabytes is presumed.
Usage: root_size = "18M"
The size of the root file system can also be changed after configuration by simply remounting it, i.e. "mount -oremount,size=24M /"
Set the timezone from your sentry.conf file.
Example: /etc/localtime => /usr/share/zoneinfo/GMT
/etc/hardwareclock = hardwareclock
"/etc/hardwareclock" contains a line with either "localtime" or "UTC". Usually for PCs the clock is set to local time, therefore put "localtime" into the file.
There are more than a thousand timezones under "/usr/share/zoneinfo/" to select from. Under Slackware this can also be done interactively with the command "timeconfig".
In order to manage multiple nodes at a single location, you can use a bare sentry.conf file located on a floppy disk, and then grab files from your ftp or http servers.
----snip----
## Basic Sentry Firewall CD config file.
device1 = eth0:tulip:dhcp
nameserver = <DNS_IP>
include = ftp://user:pass@config.sentry.net/node1/sentry.conf
----snip----
The included sentry.conf file will then be parsed, and files replaced via http or ftp if you like. You can now edit your sentry.conf and configuration files at a central server instead of on each individual floppy.
An example configuration disk image is available on the CDROM. The disk is an ext2 formatted disk, and is located in the "/SENTRY/images/" directory on the CD. Use a command like the following to create the configuration disk:
blah@wherever:~$ dd if=/cdrom/SENTRY/images/ext2-144.img of=/dev/fd0
2880+0 records in
2880+0 records out
The disk images and a sample sentry.conf file can also be found on the website, http://www.SentryFirewall.com/
Once you have booted into your new Sentry Firewall system and have configured it to your needs, you will need to create a configuration floppy with a sentry.conf file and the files you will want to replace at boot time. One way to do this is to utilize the sample disk image (see above) to create a disk image, copy the altered files, and edit the sample sentry.conf file by hand. This is not as cumbersome a task as one might think, and can give you a great amount of control over how the system is configured.
Another option is to utilize the /sbin/mkconfig script on the Sentry Firewall system. This is a perl script that uses a dialog(1) based gui that can assist you in identifying the changed files in /etc, create a sentry.conf file, and copy the changed files to a floppy disk or floppy disk image. Simply run "/sbin/mkconfig" and follow the prompts. This software is still considered BETA, and its functionality is highly subject to change. Please send any patches/bugs to Obsid@Sentry.net.
NOTE: The 'mkconfig' script has only recently become somewhat stable, as of version 0.3-BETA that is included with the Sentry Firewall CD version 1.5.0-rc11. Older versions of the mkconfig script (prior to 0.3-BETA) were not nearly as functional and should probably not be used.