4. Using the Sentry Firewall CDROM
4.1 Introduction
The configuration scripts, which are run from /etc/rc.d/rc.S, first look for a configuration file called 'sentry.conf' on a floppy disk which, if present, is mounted on /floppy. To configure the Linux system for any particular environment the user must be able to replace the system default files with his/her own copies. The 'sentry.conf' file tells the configuration scripts which files to replace and where the replacement copies are.
A good example of a sentry.conf file can be found on the Sentry Firewall CD in the directory /SENTRY/scripts/cd-config/. Configuration floppy disk images (1.44M) can also be found in /SENTRY/images/ on the CD. These files are also available on the website, http://www.SentryFirewall.com/
4.2 The sentry.conf file
The main configuration file for the system is called 'sentry.conf'. It is first looked for on a floppy disk (/dev/fd0). The file accepts several configuration directives, many of which are discussed below.
Example
A basic configuration file looks like the following (everything after a '#' sign is interpreted as a comment):
----snip----
## Basic Sentry Firewall CD config file (sentry.conf)
rc.local = /floppy/config1/rc.local
fstab = /floppy/config1/fstab
passwd = /floppy/config1/passwd
shadow = /floppy/config1/shadow
# EOF #
----snip----
The syntax is simple: the default 'rc.local' file is replaced with the user-defined 'rc.local' file located in the '/floppy/config1/' directory, and the same goes for 'fstab', 'passwd', and the 'shadow' file. Remember that the first place sentry.conf is looked for is on /dev/fd0, which, if found, is mounted on /floppy. This is why all these files appear to be located under /floppy: it is simply the mount point for the floppy disk.
NOTE: As of version 1.3.0, a user may omit the `/floppy' prefix. So, for example, a line in sentry.conf that says:
shadow = config1/shadow
will be taken (in most cases) to mean:
shadow = /floppy/config1/shadow
as long as /floppy/config1/shadow exists.
Unfortunately, you cannot arbitrarily replace files; for example, the following will likely not be parsed correctly:
foo.conf = /floppy/config1/foo.conf
The configuration scripts only recognize a fixed set of configuration file names, so they will not know what to do with "foo.conf". There are other very easy ways to copy configuration files into their proper location, however; these are discussed below.
4.3 Network Configuration
As of version 1.0.5, a new syntax for the configuration directives is recognized: values with an "http://" or "ftp://" prefix. This means that the following syntax is now supported:
inetd.conf = ftp://[user:pass@]123.123.123.123/config1/inetd.conf
hosts = http://[user:pass@]123.123.123.123/config1/hosts
As of version 1.3.0, "https://", "scp://", and "sftp://" URLs are also supported. For example:
shadow = scp://<user>:<pass>@123.123.123.123/dir/shadow
passwd = sftp://<user>:<pass>@123.123.123.123/dir/passwd
fstab = https://[user:pass@]123.123.123.123/dir/fstab
NOTE: The username and password fields are required when retrieving files via scp or sftp. Empty passwords are not permitted.
In order to accomplish this the configuration scripts need to be able to set up an ethernet interface, as well as obtain nameserver information from the sentry.conf file. The syntax to accomplish this is the following:
device{1..10} = <device>:<driver>:<IP address>[|Gateway_IP]
or
device{1..10} = <device>:<driver>:dhcp[|Hostname]
And to set up a nameserver:
nameserver = <IP_ADDRESS>
Additionally, when retrieving files using "http", "https", or "ftp", you may also set up a proxy server. The following directives allow you to do so (they may not all be required for your setup):
http_proxy = http://<hostname>/
ftp_proxy = http://<hostname>/
proxy-user = <PROXY_USER>
proxy-passwd = <PROXY_PASSWORD>
Passive FTP may also be required. If so, use the 'passive-ftp' option, ie:
passive-ftp = <on|off> ## Default == off
So, for example, to set up an interface called "eth0", which uses the "tulip" driver and obtains its IP address from a DHCP server, we can use the following line:
device1 = eth0:tulip:dhcp
As you can see, a total of 10 devices are allowed. Let's say we now want to set up an interface "eth1" that uses an "rtl8139" chip (the "8139too" driver), and has a static IP (192.168.1.2) and a default gateway (192.168.1.1):
device2 = eth1:8139too:192.168.1.2|192.168.1.1
NOTE: It is important to keep in mind that whatever devices you set up during the configuration process will be promptly taken down after the configuration is complete. This setup is only used so you can retrieve configuration files over the network, via http(s)/ftp/scp/sftp. For more permanent network configuration, please use the rc.inet1 file. Keep in mind as well that anything fetched over plain http or ftp (an included sentry.conf, or a file such as shadow) travels over the network in the clear, where it can be read or altered before it reaches the node, and that any user:pass written into a URL is stored unencrypted on the floppy. Use https, scp or sftp for files that contain secrets, and keep the configuration floppy physically secure.
Example
----snip----
## Basic Sentry Firewall CD config file to retrieve files via HTTP(s)/FTP/SCP/SFTP.
device1 = eth0:tulip:192.168.1.2|192.168.1.1
nameserver = 123.123.123.123 ## This should be the IP of your DNS server.
rc.M = ftp://user:pass@config.sentry.net/node1/rc.M
rc.inet1 = http://user:pass@config.sentry.net/all_nodes/rc.inet1
passwd = scp://user:pass@config.sentry.net/all_nodes/passwd
shadow = sftp://user:pass@config.sentry.net/node1/shadow
# EOF #
----snip----
4.4 Other Useful Configuration Directives
Copy file /floppy/someconfig.conf to /etc/someconfig.conf -
/floppy/someconfig.conf |= /etc/someconfig.conf
OR, this does the same thing -
/etc/someconfig.conf = /floppy/someconfig.conf
and this is also possible (v1.3.0) -
/etc/someconfig.conf = ftp://<server>/someconfig.conf
Make a symlink called /etc/someconfig.conf that points to /etc/otherconfig.conf -
/etc/someconfig.conf => /etc/otherconfig.conf
The include directive. Grabs and parses another sentry.conf file, either from elsewhere on the floppy or from a remote location -
include = ftp://user:pass@config.sentry.net/node1/sentry.conf
Keep in mind, however, that the include directive is one of the first directives to be parsed. Any directive in the included sentry.conf file that conflicts with a directive in a previously parsed sentry.conf file clobbers the old one.
4.5 Putting it all together, managing multiple nodes from a single location.
In order to manage multiple nodes from a single location, you can use a bare sentry.conf file on a floppy disk that only brings up the network, and then grab everything else from your ftp or http servers.
----snip----
## Basic Sentry Firewall CD config file.
device1 = eth0:tulip:dhcp
nameserver = <DNS_IP>
include = ftp://user:pass@config.sentry.net/node1/sentry.conf
----snip----
The included sentry.conf file will then be parsed, and files replaced via http or ftp if you like. You can now edit your sentry.conf and configuration files at a central location.
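To check a sentry.conf before booting a node from it, the following parser and linter models the directive syntax described in sections 4.2 through 4.5: 'name = value', 'src |= dst', 'link => target', the device{1..10} specs, the nameserver and proxy options, include, and the v1.3.0 rule that a bare relative path means /floppy/<path>. This is an added example written for this page, not code from the Sentry Firewall CD (its real parsing is done by the shell scripts run from rc.S). Assumptions: KNOWN_FILES holds only the file names this chapter mentions (the real scripts have their own fixed list); an include is applied at the point where it appears, so its directives clobber anything parsed earlier; the sample floppy config and the "remote" sentry.conf it includes are constructed, and the fetch is a dictionary lookup standing in for the ftp download.

```python
"""Offline parser and linter for Sentry Firewall CD 'sentry.conf' files.

Added example, not the Sentry Firewall CD's own code.  KNOWN_FILES is an
assumption (only names this chapter mentions); the include semantics
(applied in place, later directives clobber earlier ones) are modelled on
the chapter's description.
"""
import re
from urllib.parse import urlsplit

KNOWN_FILES = {"rc.local", "rc.M", "rc.inet1", "fstab", "passwd", "shadow", "inetd.conf", "hosts"}
NET_OPTS = {"nameserver", "http_proxy", "ftp_proxy", "proxy-user", "proxy-passwd", "passive-ftp"}
SENSITIVE = {"shadow", "passwd"}     # files whose contents are secrets
CLEARTEXT = {"http", "ftp"}          # transports with neither confidentiality nor integrity
URL_RE = re.compile(r"^(https?|ftp|scp|sftp)://", re.I)


def resolve_path(value):
    """A value that is neither a URL nor an absolute path is taken relative to /floppy (v1.3.0)."""
    if URL_RE.match(value) or value.startswith("/"):
        return value
    return "/floppy/" + value


def parse_device(spec):
    """<dev>:<driver>:<ip>[|gateway]  or  <dev>:<driver>:dhcp[|hostname]"""
    dev, driver, rest = spec.split(":", 2)
    addr, _, extra = rest.partition("|")
    if addr.lower() == "dhcp":
        return {"device": dev, "driver": driver, "dhcp": True, "hostname": extra or None}
    return {"device": dev, "driver": driver, "dhcp": False, "ip": addr, "gateway": extra or None}


def parse_conf(text, fetch=None, cfg=None):
    """Parse sentry.conf text into cfg; fetch(url) returns the body of an included file."""
    if cfg is None:
        cfg = {"files": {}, "copies": [], "links": [], "devices": {}, "net": {}, "includes": [], "warnings": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # everything after '#' is a comment
        if not line:
            continue
        if "|=" in line:                                # src |= dst: copy any file into place
            src, dst = (p.strip() for p in line.split("|=", 1))
            cfg["copies"].append((resolve_path(src), dst))
        elif "=>" in line:                              # link => target: make a symlink
            link, target = (p.strip() for p in line.split("=>", 1))
            cfg["links"].append((link, target))
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "include":                        # parsed in place: its lines clobber earlier ones
                if fetch is None:
                    raise ValueError("include needs a fetcher: " + value)
                cfg["includes"].append(value)
                parse_conf(fetch(value), fetch, cfg)
            elif re.fullmatch(r"device(10|[1-9])", key):
                cfg["devices"][key] = parse_device(value)
            elif key in NET_OPTS:
                cfg["net"][key] = value
            elif key.startswith("/"):                   # /etc/x = src is the same as src |= /etc/x
                cfg["copies"].append((resolve_path(value), key))
            elif key in KNOWN_FILES:
                cfg["files"][key] = resolve_path(value)
            else:                                       # e.g. foo.conf: not a recognized name
                cfg["warnings"].append("unknown directive '%s' will be ignored" % key)
        else:
            cfg["warnings"].append("unparseable line: %r" % raw)
    return cfg


def lint(cfg):
    """What a reviewer would question before booting a node from this floppy."""
    notes = []
    targets = list(cfg["files"].items()) + [("include", u) for u in cfg["includes"]]
    for name, src in targets:
        if not URL_RE.match(src):
            continue
        u = urlsplit(src)
        if u.scheme.lower() in CLEARTEXT and (name in SENSITIVE or name == "include"):
            notes.append("%s: fetched over cleartext %s, so it can be read or replaced in transit" % (name, u.scheme))
        if u.password:
            notes.append("%s: password embedded in the URL sits unencrypted on the floppy" % name)
    return notes


# Constructed sample floppy config, and a stand-in for the ftp server it includes from.
SAMPLE_FLOPPY = """\
## Constructed sample, not a shipped sentry.conf.
device1 = eth0:tulip:dhcp
device2 = eth1:8139too:192.168.1.2|192.168.1.1
nameserver = 192.168.1.1
passive-ftp = on
shadow = config1/shadow                  # relative: means /floppy/config1/shadow
/floppy/someconfig.conf |= /etc/someconfig.conf
/etc/someconfig.conf => /etc/otherconfig.conf
foo.conf = /floppy/config1/foo.conf
include = ftp://user:pass@config.sentry.net/node1/sentry.conf
"""
REMOTE = {"ftp://user:pass@config.sentry.net/node1/sentry.conf": """\
rc.M = ftp://user:pass@config.sentry.net/node1/rc.M
shadow = http://user:pass@config.sentry.net/node1/shadow
"""}

if __name__ == "__main__":
    result = parse_conf(SAMPLE_FLOPPY, fetch=REMOTE.__getitem__)
    print(result["files"])          # shadow now points at the http URL from the include
    for note in lint(result):
        print("WARNING:", note)
```

Run as a script, it shows the included file's shadow line overriding the floppy's own, the unrecognised foo.conf directive being dropped, and the linter flagging the shadow file and the include itself as fetched over cleartext transports with passwords embedded in their URLs.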
4.6 Example sentry.conf and disk images
An example configuration disk image is available on the CDROM. The disk is an ext2 formatted disk, and the image is located in the '/SENTRY/images/' directory on the CD. There is also a very complete sentry.conf file on the disk which may help clarify a lot of these directives. Use a command like the following to create the configuration disk (check that the 'of=' device really is the floppy drive before running it, since dd will overwrite whatever device you name):
blah@wherever:~$ dd if=/cdrom/SENTRY/images/ext2-144.img of=/dev/fd0
2880+0 records in
2880+0 records out
The disk images and a sample sentry.conf file can also be found on the website, http://www.SentryFirewall.com/