This section is designed as a technical outline of the configuration
scripts built for the Sentry Firewall CD. These configuration scripts are responsible
for finding and parsing the sentry.conf file and the directives contained
therein.
As of version 1.5.0-rc14 there are six configuration scripts overall on the system.
These are kept in the "/etc/rc.d/SENTRY/" or the "/etc/init.d/SENTRY/" directory on the
rootdisk. They are also available on the CD in the "<CDROM>/SENTRY/scripts/cd-config/"
directory or online. The configuration scripts are called `cd-config.pl', `do_config.pl',
`file_functions.pl', `get_config.pl', `networking.pl', and `process_conf.pl'. The details
of these files are outlined below.
cd-config.pl is the first Perl script to run. It is usually called from the rc.S or rcS
file, depending on the branch. This file contains the following:
- Mainline
Starts by calling 'get_config()', then 'process_conf()' to process the
config file and place the directives into the global %prefs hash. Then
calls 'do_config()' to start the configuration process.
- Input: STDIN (yes|no), not always used.
- Returns: Nothing.
- do_log()
Takes as input a single string that will be written to a
logfile($logfile). $logfile is '/var/log/SENTRY_LOG' by default.
- Input: $_[0] = string to print to log file.
- Returns: 0 == fail, 1 == success.
get_config.pl contains the following:
- get_config()
This function attempts to mount /dev/fd0 on /floppy, and if that fails
it tries mounting /dev/hda1 on /mnt. If one of these succeeds it then
looks for a configuration file (sentry.conf) and puts that in a global
array called @conf.
- Input: $_[0] = name of configuration file.
- Returns: 0 == fail, 1 == success.
- do_command()
This function accepts as input a string that will be passed to the system to run as
a command, and a timeout (in seconds). It then attempts to run the
command and aborts the operation once "$timeout" has expired, to avoid
blocking the boot. If a timeout value is not passed to the function, "$timeout" is
set to 10 seconds. Because of some of the oddities of this function, it may
mangle "$_". If calling do_command() from a loop, use temporary
variables instead of relying on $_.
- Input: $_[0] = Command to run, $_[1] = timeout(seconds).
- Returns: 0 == fail, 1 == success, 2 == attempt timed out.
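The timeout behaviour described for do_command(), as an added example that is not the Sentry Firewall CD's own code: the command runs in a child process placed in its own process group, an alarm bounds the wait, and when the alarm fires the whole group is signalled and reaped so a hung command cannot block the boot. The do_log() stand-in, the exit status 127 for a failed exec and the commands in the demonstration are assumptions made for this example. Only lexical variables are used, so the caller's $_ is left untouched.

```perl
#!/usr/bin/perl
# Added example: a do_command()-style runner with a timeout.
# Not the Sentry Firewall CD's own code; do_log() below is a stand-in.
use strict;
use warnings;
use POSIX ();

# Stand-in for the scripts' do_log(): writes to STDERR instead of /var/log/SENTRY_LOG.
sub do_log {
    my ($msg) = @_;
    print STDERR "$msg\n";
    return 1;
}

# Runs $cmd via /bin/sh, waiting at most $timeout seconds (default 10).
# Returns 0 == fail, 1 == success, 2 == attempt timed out.
sub do_command {
    my ($cmd, $timeout) = @_;
    $timeout = 10 unless defined $timeout && $timeout > 0;

    my $pid = fork();
    unless (defined $pid) {
        do_log("do_command: fork failed: $!");
        return 0;
    }
    if ($pid == 0) {
        # Child: become a process-group leader so the parent can later
        # signal the shell and everything it spawned in one go.
        setpgrp(0, 0);
        exec '/bin/sh', '-c', $cmd;
        POSIX::_exit(127);          # exec failed (127 follows the shell's convention)
    }

    # Parent: wait for the child, but let SIGALRM break out of waitpid().
    my $status;
    my $ok = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        waitpid($pid, 0);
        $status = $?;
        alarm 0;
        1;
    };
    alarm 0;                         # never leave an alarm pending for the caller

    if (!$ok) {
        # Timed out: terminate the child's whole process group (and the
        # child itself, in case it had not yet called setpgrp), then reap it.
        kill 'TERM', -$pid;
        kill 'TERM', $pid;
        select(undef, undef, undef, 0.5);
        kill 'KILL', -$pid;
        kill 'KILL', $pid;
        waitpid($pid, 0);
        do_log("do_command: '$cmd' timed out after ${timeout}s");
        return 2;
    }
    if ($status != 0) {
        do_log(sprintf "do_command: '%s' failed (exit %d)", $cmd, $status >> 8);
        return 0;
    }
    return 1;
}

# Demonstration with constructed commands when the script is run directly.
unless (caller) {
    print "true       -> ", do_command('true'),        "\n";
    print "false      -> ", do_command('false'),       "\n";
    print "sleep 5 /1 -> ", do_command('sleep 5', 1),  "\n";
}
```

The third call returns 2 rather than leaving the boot waiting on the sleeping child; the first two return 1 and 0, matching the contract listed above.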
process_conf.pl contains the following:
- process_conf()
This function parses the global array "@conf" and places it into
global hash %prefs. It will also implement the "=>" and "|="
directives.
- Input: Nothing.
- Returns: 0 == fail, 1 == success
- do_include()
This function will attempt to retrieve the file specified in the "include"
configuration directive and append it to "@conf". It will then call
'process_conf()' to parse the file. This process will
continue until there are no more 'include' directives to parse.
- Input: Nothing.
- Returns: 0 == fail, 1 == success
In general, do_config.pl is the only configuration script you would need to modify
if you would like to create a Sentry Firewall CD for any Linux distribution.
This file contains the following:
- do_config()
Parses configuration contained in @conf. Copies files specified in the
configuration file and makes necessary symlinks in /etc. There are also
a number of special configuration directives handled in this function
such as `nameserver', `cdrom', `start_webmin', `add_swap', `root_size', etc.
%etc_vars replaces @etc_vars, @ssh_vars, and %specdir used in
earlier versions of the configuration scripts. This hash contains all
the files that are supported within sentry.conf, as well as their locations.
For example, configuration directive `squid.conf' has a value of `/etc/squid'.
Adding a new element to this list effectively adds a new directive that can be
used within sentry.conf.
- Input: Nothing.
- Returns: 0 == fail, 1 == success
- mount_cdrom()
This function will attempt to mount the Sentry Firewall CD on /cdrom.
Uses either what was defined with the "cdrom" directive in sentry.conf,
or the information from `dmesg`. This was dealt with in rc.cdrom in
older versions of the Sentry Firewall CD.
- Input: Nothing.
- Returns: 0 == fail, 1 == success
- fix_modules()
This function copies or symlinks the contents of
"/cdrom/lib/modules/$kversion" to "/lib/modules/$kversion" unless the
filename is 'TRANS.TBL'. 'TRANS.TBL' files are created when the ISO
image is made and generally cause annoying errors with depmod.
- Input: Nothing.
- Returns: 0 == fail, 1 == success
- recurse_dirs()
This function recurses through /etc/default and fills @dirs with
directory names. This can be an expensive operation, but it is useful
when we start making symlinks from /etc/{dir} to /etc/default/{dir}.
- Input: $_[0] = Base path to start recursion.
$_[1] = Base directory to start recursion.
- Returns: Nothing.
- add_swap()
This function initializes and adds a swap partition based on the
'add_swap' directive in the sentry.conf file.
- Input: Nothing
- Returns: 0 == fail, 1 == success
- root_size()
This function remounts root to change its size based on the
'root_size' directive in the sentry.conf file.
- Input: Nothing
- Returns: 0 == fail, 1 == success
- nameserver()
This function contains a block of code that was previously
contained within do_config(), and was moved to its own function
to make do_config() a bit easier to read. $prefs{'nameserver'} should
contain an IP address for a DNS server which is written to /etc/resolv.conf.
This directive is used primarily for network configuration support.
- Input: Nothing
- Returns: 0 == fail, 1 == success
- no_shadow()
no_shadow() contains a block of code that was previously contained
within do_config(), and was moved to its own function to make
do_config() a bit easier to read. This function deals specifically
with $prefs{'shadow'}. If the `shadow' directive is not declared
within sentry.conf, or if the file is not readable, then
`/etc/ssh/sshd_config' and `/etc/inetd.conf' are replaced with a
more strict default - essentially making it impossible to log in
remotely with a default password.
- Input: Nothing
- Returns: 0 == fail, 1 == success
- start_webmin()
This function reads $prefs{'start_webmin'} to determine if it
should allow webmin to start at boot time via rc.webmin.
start_webmin() also checks to make sure the `miniserv.users' file
was declared and is readable. If it is not readable, webmin will
not be allowed to start, regardless of the value of $prefs{'start_webmin'}.
Webmin can, of course, still be started manually later on.
- Input: Nothing
- Returns: 0 == fail, 1 == success
- merge_fstab()
This function contains the block of code that was previously
contained within do_config(), and was moved to its own function
to make do_config() a bit easier to read. Actually, it was
originally called fix_fstab(), and then renamed and mostly
rewritten as merge_fstab(). This function basically just checks
the user-defined fstab file and makes sure it has at least the
entries that are contained in `/etc/default/fstab'.
- Input: Nothing
- Returns: 0 == fail, 1 == success
- merge_passwd()
This function deals with the `shadow', `passwd', and `group'
directives to make sure the user-defined files contain at least
those that are contained within the system default.
- Input: $_[0] = `shadow', `passwd', or `group'.
- Returns: 0 == fail, 1 == success
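The "at least the default entries" rule that merge_fstab() and merge_passwd() are described as enforcing, as an added example in Perl that is not the project's own code. merge_entries() and its two wrappers are hypothetical names: passwd/shadow/group lines are keyed on the first colon-separated field, fstab lines on the mount point, every user-supplied line is kept unchanged (so a user's root entry or a read-only /data mount is never overwritten by the default), and only default entries whose key the user file lacks are appended. The file contents in the demonstration are constructed.

```perl
#!/usr/bin/perl
# Added example: merge system-default entries into a user-supplied
# passwd/shadow/group or fstab file. Not the Sentry Firewall CD's own code.
use strict;
use warnings;

# Key of one entry, or undef for comments and blank lines.
# $sep is a regex splitting the fields, $field the 0-based key column.
sub entry_key {
    my ($line, $sep, $field) = @_;
    return undef if $line =~ /^\s*(?:#|$)/;
    (my $trimmed = $line) =~ s/^\s+//;
    my @fields = split $sep, $trimmed;
    return $fields[$field];
}

# Returns the merged list of lines: the user's lines first and untouched,
# then every default line whose key does not already appear in the user file.
sub merge_entries {
    my ($user, $default, $sep, $field) = @_;
    my %seen;
    my @merged;
    for my $line (@$user) {
        my $k = entry_key($line, $sep, $field);
        $seen{$k} = 1 if defined $k;
        push @merged, $line;
    }
    for my $line (@$default) {
        my $k = entry_key($line, $sep, $field);
        next unless defined $k;       # never copy comments from the default file
        next if $seen{$k}++;          # the user's version wins; skip duplicates
        push @merged, $line;
    }
    return @merged;
}

# Wrappers matching the two directive families described on the page.
sub merge_passwd_lines { my ($u, $d) = @_; return merge_entries($u, $d, qr/:/,   0) }
sub merge_fstab_lines  { my ($u, $d) = @_; return merge_entries($u, $d, qr/\s+/, 1) }

unless (caller) {
    # Constructed sample: the user's passwd lacks the system 'nobody' account
    # and defines root with a non-default shell, which must be preserved.
    my @user_passwd = (
        'root:x:0:0:root:/root:/bin/zsh',
        'admin:x:1000:1000::/home/admin:/bin/bash',
    );
    my @default_passwd = (
        '# system defaults',
        'root:x:0:0:root:/root:/bin/bash',
        'nobody:x:99:99:nobody:/:/bin/false',
    );
    print "$_\n" for merge_passwd_lines(\@user_passwd, \@default_passwd);

    # Constructed sample fstab: the user supplies a /data mount but not /proc.
    my @user_fstab    = ('/dev/hda2  /data  ext2  ro  0 2');
    my @default_fstab = ('proc  /proc  proc  defaults  0 0',
                         '/dev/hda2  /data  ext2  defaults  0 2');
    print "$_\n" for merge_fstab_lines(\@user_fstab, \@default_fstab);
}
```

Keying on the account name rather than on the whole line is what makes the merge safe for shadow: the user's password hashes are never compared against or replaced by the default file's, and only genuinely missing system accounts are added.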
file_functions.pl contains a number of general functions that are used throughout the
other configuration scripts. Most of the functions are related to working with files
and directories. Some of these were contained in do_config.pl in earlier versions
of the CD.
- create_dir()
This function creates a specified directory. create_dir() is mainly
utilized with the `mkdir' directive.
- Input: $_[0] = <PATH/DIRECTORY>[:MASK].
- Returns: 0 == fail, 1 == success.
- vrfy_file()
vrfy_file() takes in one variable; a hash key name($var). This function
verifies the existence of a file. If the path/filename exists as stated
in the sentry.conf file, then the function returns 1. Otherwise vrfy_file()
tries to find the file using the $m_point path and then passes $var onto
locate_file() to try and locate the file using the $path{1..10} variables.
- Input: $_[0] = hash key name($var).
- Returns: 0 == fail, 1 == success, 2 == syntax or misc. error.
- locate_file()
locate_file() takes in one variable; a hash key name($var). This function
attempts to locate the file using the $path{1..10} variables declared in
sentry.conf.
- Input: $_[0] = hash key name($var).
- Returns: 0 == fail, 1 == success.
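The lookup order described for vrfy_file() and locate_file(), as an added example that is not the Sentry Firewall CD's own code: the path exactly as written in sentry.conf is tried first, then the same name under the mount point $m_point, then under each of the path{1..10} directories in turn. The function name, the $exists callback (which stands in for a filesystem test so the demonstration can run against a constructed set of files) and the sample paths and directives are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example: resolve a file named in sentry.conf in the order
# described for vrfy_file()/locate_file(). Not the Sentry Firewall CD's code.
use strict;
use warnings;

# $prefs is the parsed sentry.conf (%prefs), $m_point where the config medium
# is mounted, $exists a callback returning true if a path is present.
# Returns the first candidate that exists, or undef if none does.
sub locate_file {
    my ($name, $prefs, $m_point, $exists) = @_;
    (my $rel = $name) =~ s{^/+}{};        # relative form for joining onto a directory
    my @candidates = ($name, "$m_point/$rel");
    for my $n (1 .. 10) {
        my $dir = $prefs->{"path$n"};
        next unless defined $dir && length $dir;
        push @candidates, "$dir/$rel";
    }
    for my $cand (@candidates) {
        return $cand if $exists->($cand);
    }
    return undef;
}

unless (caller) {
    # Constructed stand-in for the filesystem: only these paths "exist".
    my %present = map { $_ => 1 } (
        '/floppy/etc/hosts',
        '/etc/default/sentry/rc.firewall',
    );
    my $exists = sub { exists $present{ $_[0] } };

    # Constructed directives: one search path declared, the rest absent.
    my %prefs = ('path1' => '/etc/default/sentry');

    for my $name ('etc/hosts', 'rc.firewall', '/etc/does-not-exist') {
        my $found = locate_file($name, \%prefs, '/floppy', $exists);
        printf "%-22s -> %s\n", $name, defined $found ? $found : '(not found)';
    }
}
```

Because the literal path is tried before any search directory, an absolute path in sentry.conf always refers to the running system, while a relative name can resolve to the floppy or to a path{n} directory; the order is what decides which copy of an identically named file wins.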
- retr_file_net()
Attempts to retrieve the file if the destination looks like an http(s)/(s)ftp/scp
URI. Currently, only the `NOERR' option is supported, which prevents
retr_file_net() from logging errors.
- Input: $_[0] = URI/FILENAME to retrieve.
$_[1] = Options.
- Returns: 0 == fail, 1 == success.
- vrfy_path()
Ensures that the directory containing the passed file exists. This function is often called
before attempting to copy a file.
- Input: $_[0] = PATH/FILENAME
- Returns: 0 == success.
- pcopy()
Copies $src to $trg and creates target directory if needed. Options that
can be passed to this function include `PERM', `LINK', `RECURS' which simply
translate to the `-p', `-dp', and `-Rdp' options that are passed to `/bin/cp'.
The default behavior is to pass no options to `/bin/cp'.
- Input: $_[0] = source file.
$_[1] = destination file.
$_[2] = options.
- Returns: 0 == fail, 1 == success.
- do_log()
Takes as input a single string that will be written to a
logfile($logfile). $logfile is '/var/log/SENTRY_LOG' by default.
- Input: $_[0] = string to print to log file.
- Returns: 0 == fail, 1 == success.
networking.pl contains the following:
- networking()
This function utilizes the "device{1..10}" configuration directive to
set up or take down an ethernet interface and set up a default gateway
if necessary.
- Input: $_[0] = 1|NET_UP or 2|NET_DOWN, set up or take
down networking.
- Returns: 0 == fail, 1 == success, 2 == failed to initialize
device or assign an IP address.
- retr_file()
This function attempts to retrieve a file via http(s)/ftp/scp/sftp
using wget or scp/sftp.
- Input: $_[0] = Filename to retrieve, $_[1] = Location of file(URI).
- Returns: Returns 0 on failure, otherwise returns
the local path/filename of the retrieved file.
- mk_batch()
Function to create a batch file for use with sftp. Since sftp doesn't have
a recursive -r option, we need to create a batch file to tell sftp to
manually grab the stuff in the subdirectories under /etc/sysconfig.
This is only used when dealing with the sysconf_dir directive, which
is not valid in the "sentrycd" branch, but useful in other branches such
as "sentrycd-rh" and may be useful in other Sentry Firewall based Linux
distributions.
- Input: $_[0] = Remote path from where files should be retrieved.
- Returns: 0 == fail, 1 == success
- remove_mods()
This function uses 'rmmod' to remove any previously loaded ethernet driver
modules for network configuration. Uses the hash "%depend" to remove the
module and its dependencies in the proper order.
- Input: $_[0] = Name of ethernet driver to remove.
- Returns: 0 == fail, 1 == success
- load_mods()
This function uses 'modprobe' to load ethernet driver modules for network
configuration support. Uses the hash "%depend" to load the module and its
dependencies in the proper order.
- Input: $_[0] = Name of ethernet driver to load.
- Returns: 0 == fail, 1 == success
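The %depend-driven ordering that load_mods() and remove_mods() are described as using, as an added example that is not networking.pl's own code. The contents of %depend here are a constructed sample, and so that the block runs offline the two functions return the modprobe/rmmod command lines in order instead of executing them (a 0 for an unknown driver, following the 0 == fail convention above). Dependencies are emitted before the module that needs them on load, and the sequence is reversed on removal, since rmmod refuses to unload a module that another loaded module still uses.

```perl
#!/usr/bin/perl
# Added example: dependency ordering for loading and removing ethernet
# driver modules from a %depend hash, as described for networking.pl.
# Not the Sentry Firewall CD's own code; the table below is constructed.
use strict;
use warnings;

# module => [ modules that must be loaded before it ]   (constructed sample)
my %depend = (
    '8139too' => ['mii', 'crc32'],
    'e100'    => ['mii'],
    'mii'     => [],
    'crc32'   => [],
);

# Depth-first walk: each dependency is listed before the module that needs
# it, and %seen keeps a shared dependency (mii) from appearing twice and
# stops the walk from looping if the table were ever cyclic.
sub load_order {
    my ($mod, $seen) = @_;
    $seen ||= {};
    return () if $seen->{$mod}++;
    my @order;
    for my $dep (@{ $depend{$mod} || [] }) {
        push @order, load_order($dep, $seen);
    }
    push @order, $mod;
    return @order;
}

# Returns 0 for a driver not in %depend, otherwise a reference to the
# ordered list of modprobe command lines.
sub load_mods {
    my ($driver) = @_;
    return 0 unless exists $depend{$driver};
    return [ map { "modprobe $_" } load_order($driver) ];
}

# Same contract as load_mods(), but rmmod in reverse dependency order.
sub remove_mods {
    my ($driver) = @_;
    return 0 unless exists $depend{$driver};
    return [ map { "rmmod $_" } reverse load_order($driver) ];
}

unless (caller) {
    for my $driver ('8139too', 'e100', 'bogus') {
        my $cmds = load_mods($driver);
        print "load $driver: ", ($cmds ? join('; ', @$cmds) : 'unknown driver'), "\n";
    }
    print "remove 8139too: ", join('; ', @{ remove_mods('8139too') }), "\n";
}
```

Returning the command list rather than running it also makes the ordering easy to check at boot-script development time before any module is actually touched.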