This section provides a general overview of the directives that are supported by all the Sentry Firewall CD branches. Since the "host" distribution varies with each branch, the configuration and initialization files used by each branch will vary. The branch-specific directives will be covered in later sections.
To replace a file that is supported by the configuration scripts, you may use the following syntax:
filename_directive = /location/of/filename
Where "filename_directive" is one of the directives supported by the configuration scripts. The file location can be a file on a floppy disk (i.e. /floppy/config/filename) or a URI. The supported URI prefixes are "http://", "https://", "ftp://", "sftp://" and "scp://". For example:
snort.conf = /floppy/snort.conf
<or>
snort.conf = scp://user:pass@<server>/config/snort.conf
Note that a password written into a URI sits in cleartext in sentry.conf (and on the floppy it is read from), and that files pulled over http:// or ftp:// travel unencrypted.
The current 'sentry.conf' file for each branch is available in the "/SENTRY/scripts/cd-config/" directory on the ISO, or on the website. The default sentry.conf file for each branch should contain all the directives currently supported.
To replace files not supported by the configuration scripts, use the '|=' file copy directive.
Syntax:
source_file |= dest_file
<or>
dest_file = source_file
Example: Copy file /floppy/daemon.conf to /etc/daemon.conf
/floppy/daemon.conf |= /etc/daemon.conf
<or>
/etc/daemon.conf = /floppy/daemon.conf
<or>
/etc/daemon.conf = scp://<user>:<pass>@<server>/config/daemon.conf
<or>
scp://<user>:<pass>@<server>/config/daemon.conf |= /etc/daemon.conf
To create a symlink, use the '=>' directive.
Syntax: dest_file => source_file (dest_file is the symlink to create; source_file is the file it points to)
Example:
## Make symlink called /etc/somefile.conf that points to /etc/otherfile.conf
/etc/somefile.conf => /etc/otherfile.conf
Note: The 'mkdir' directive is only available with the Sentry Firewall CD versions 1.5.0-rc14 or newer.
Syntax: mkdir <PATH/DIRECTORY>[:MASK]
Make a directory in the specified location with the specified permissions (MASK). MASK is optional and defaults to 0755 (rwxr-xr-x). This directive is useful if you want to copy files at boot time into a directory that does not exist on the ramdisk by default.
Set up an ethernet device to use during configuration. This device will only be used during configuration to grab files via http(s)/ftp/sftp/scp and is taken down after configuration is complete.
Syntax:
device[1..10] = [device_name]:[driver_name]:[IP_Address]<|gateway>
device[1..10] = [device_name]:[driver_name]:dhcp<|hostname>
NOTES:
1) <hostname> and <gateway> are optional, but sometimes required.
2) Only one <gateway> can be declared; that is, you cannot set up more than one default gateway.
3) Devices set up with the 'device[1..10]' directive are TEMPORARY and are taken down after the configuration process is complete. See rc.inet1{.conf} for a permanent network setup.
4) Please see the file /SENTRY/scripts/cd-config/networking.pl for the list of supported devices. Most 10/100BaseT ethernet devices should be supported.
Examples:
device1 = eth0:tulip:192.168.1.50|192.168.1.1
device2 = eth1:via-rhine:dhcp
Set up a nameserver to use during configuration.
Syntax: nameserver = <DNS_IP>
Set up a proxy for pulling files via http(s), or ftp.
Syntax:
http_proxy = http://<hostname>/
ftp_proxy = http://<hostname>/
proxy-user = <PROXY_USER>
proxy-passwd = <PROXY_PASSWORD>
Use passive ftp instead of active ftp to retrieve files via ftp.
Syntax: passive-ftp = <on|off> ## Default == off
Retrieve and parse another 'sentry.conf' file.
Syntax: include = </location/of/sentry.conf>
Or, with network support:
include = <ftp|http>://[<user>:<pass>@]<SERVER_IP></path/to/sentry.conf>
Note: The 'path<#>' directive is only available with the Sentry Firewall CD versions 1.5.0-rc13 or newer.
Path statements tell the configuration scripts where to look for files. These can specify a path on a local or remote system. The variables "path1" to "path10" are allowed.
Syntax:
path<#> = <PATH>
path<#> = <URI>
NOTE: <URI> should point to a directory on a remote system, NOT just a file.
Examples:
path1 = /floppy/node1/config/
path2 = scp://user:pass@someserver/node123/config/
path3 = http://user:pass@someserver/node123-backup/config/
etc etc...
You may then use the following syntax when declaring a file within your sentry.conf:
Examples:
squid.conf = squid.conf
<or>
/etc/someconf.conf = someconf.conf
The configuration scripts will first look for "squid.conf" or "someconf.conf" in $m_point, which is usually /floppy. If it isn't found, then the system will try path1..path10 in order until "squid.conf" or "someconf.conf" is found. This not only makes for less typing when creating your sentry.conf, but it also allows you to add some redundancy to the configuration process.
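The following is an added example, not code from the Sentry Firewall CD's own configuration scripts: a small Python parser for the directive forms described above ('directive = source', 'src |= dest', 'link => target', 'mkdir path[:MASK]') that also implements the $m_point then path1..path10 lookup order for bare filenames, and flags sources that embed a password or use a cleartext transport. The sample sentry.conf, the host and node names in it, and the set of "existing" files are constructed for the example; SUPPORTED_SCHEMES is taken from the list earlier on this page.

```python
"""Added example: parser for the sentry.conf directive forms described above,
with the $m_point -> path1..path10 lookup order for bare filenames.
Not the Sentry Firewall CD's own scripts; the sample config, the host names
and the set of 'existing' files below are constructed."""
import re
from urllib.parse import urlsplit

SUPPORTED_SCHEMES = ("http", "https", "ftp", "sftp", "scp")   # from the text above
CLEARTEXT_SCHEMES = ("http", "ftp")

# Constructed sample sentry.conf (hypothetical hosts, paths and node names).
SAMPLE_CONF = """\
## config-time network, torn down after configuration
device1 = eth0:tulip:192.168.1.50|192.168.1.1
nameserver = 192.168.1.1
path1 = /floppy/node1/config/
path2 = scp://user:pass@someserver/node123/config/
path3 = http://someserver/node123-backup/config/
mkdir /etc/daemon.d:0750
snort.conf = snort.conf
/etc/daemon.conf = daemon.conf
/floppy/other.conf |= /etc/other.conf
/etc/somefile.conf => /etc/otherfile.conf
hostname = fw1
"""


def is_uri(value):
    """True for the remote forms the configuration scripts accept."""
    return "://" in value and value.split("://", 1)[0] in SUPPORTED_SCHEMES


def parse_line(line):
    """Return a tuple describing one directive, or None for blank/comment lines.
    Operators are tested longest-first so '|=' and '=>' are not mistaken for '='."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = re.match(r"^mkdir\s+(\S+?)(?::([0-7]{3,4}))?$", line)
    if m:                                    # MASK is optional and defaults to 0755
        return ("mkdir", m.group(1), int(m.group(2) or "0755", 8))
    for op, kind in (("|=", "copy"), ("=>", "symlink"), ("=", "set")):
        if op in line:
            lhs, rhs = (s.strip() for s in line.split(op, 1))
            return (kind, lhs, rhs)          # copy: (src, dest); symlink: (link, target); set: (name, value)
    raise ValueError("unrecognised directive: " + line)


def parse_conf(text):
    """Parse every line; pull path1..path10 out into an ordered search path."""
    directives, paths = [], {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        m = re.match(r"^path(\d+)$", parsed[1]) if parsed[0] == "set" else None
        if m and 1 <= int(m.group(1)) <= 10:
            paths[int(m.group(1))] = parsed[2]
        else:
            directives.append(parsed)
    return directives, [paths[n] for n in sorted(paths)]


def resolve(name, search_path, exists, m_point="/floppy"):
    """Bare filename: try $m_point first, then path1..path10 in order.
    Absolute paths and URIs are used as written. `exists` stands in for the
    local stat or the remote fetch succeeding."""
    if name.startswith("/") or is_uri(name):
        return name
    for base in [m_point] + list(search_path):
        candidate = base.rstrip("/") + "/" + name
        if exists(candidate):
            return candidate
    return None                              # found nowhere: the copy would fail at boot


def lint_source(src):
    """Warnings worth seeing before booting from a config: a password kept in
    cleartext inside sentry.conf, or a file pulled over a cleartext transport."""
    warnings = []
    if is_uri(src):
        parts = urlsplit(src)
        if parts.username or parts.password:
            warnings.append("credentials embedded in " + src)
        if parts.scheme in CLEARTEXT_SCHEMES:
            warnings.append("cleartext fetch: " + src)
    return warnings


if __name__ == "__main__":
    directives, search_path = parse_conf(SAMPLE_CONF)
    # Constructed stand-in for "which candidate files actually exist".
    present = {"/floppy/snort.conf",
               "scp://user:pass@someserver/node123/config/daemon.conf"}
    for kind, lhs, rhs in directives:
        if kind == "set" and not lhs.startswith(("device", "hostname", "nameserver")):
            src = resolve(rhs, search_path, present.__contains__)
            print(kind, lhs, "<-", src, lint_source(src or ""))
    for p in search_path:
        print("path:", p, lint_source(p))
```

Running the block shows snort.conf satisfied from $m_point while daemon.conf falls through to path2, with the embedded scp password reported alongside it; the same lint on path3 reports the cleartext http fetch.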
Defines which device the CDROM is. If not declared the configuration scripts will still try to probe for and mount the CD. But declaring this is much easier/faster/safer.
Syntax: cdrom = <DEVICE>
Example: cdrom = /dev/hdc
Replace a user's crontab file.
Syntax: cron:<USERNAME> = </LOCATION/OF/CRONTAB_FILE>
Defines the hostname of the local machine. This directive can be used to either point to a file containing the hostname of the local machine, or to simply define the hostname itself.
Syntax: hostname = </path/to/file> <or> hostname = MYHOSTNAME
Note: The 'add_swap' directive is only available with the Sentry Firewall CD versions 1.5.0-rc11 or newer.
The 'add_swap' directive tells the configuration scripts to activate a swap partition at configuration time. If the ":format" option is appended to the value, the configuration scripts will also format the partition (mkswap) before activating it.
Warning: pointing this directive, and especially ":format", at the wrong partition will destroy the data on it.
Usage:
add_swap = /dev/hda1
add_swap = /dev/hda1:format
Note: The 'root_size' directive is only available with the Sentry Firewall CD versions 1.5.0-rc11 or newer.
The 'root_size' directive allows one to change the size of root (/) at configuration time, before any other files are copied. By default the root filesystem is around 18MB in size. This option lets you change that size if you need more or less space. Also, since root is mounted on a tmpfs filesystem, this area can be swapped out as needed. The suffixes k, m and g are accepted for binary kilo-, mega- and gigabytes. If no suffix is given, a size in megabytes is assumed.
Usage: root_size = "18M"
The size of the root file system can also be changed after configuration by simply remounting it, ie "mount -oremount,size=24M /"