Sentry Firewall CD HOWTO: Using the Sentry Firewall CDROM

4. Using the Sentry Firewall CDROM

4.1 Introduction

The configuration scripts, which are run from /etc/rc.d/rc.S, first look for a configuration file called 'sentry.conf' on a floppy disk; if the disk is present it is mounted on /floppy. To configure the Linux system for a particular environment the user must be able to replace the system default files with his or her own copies. The 'sentry.conf' file tells the configuration scripts which files to replace and where the replacements are.

A good example of a sentry.conf file can be found on the Sentry Firewall CD in the directory /SENTRY/scripts/cd-config/. Configuration floppy disk images (1.44M) can also be found in /SENTRY/images/ on the CD.


4.2 The sentry.conf file

The main configuration file for the system is called 'sentry.conf'. The scripts look for it first on a floppy disk (/dev/fd0). The file accepts several configuration directives, many of which are discussed below.


Example

A basic configuration file looks like the following (everything after a '#' sign is interpreted as a comment):

----snip----
## Basic Sentry Firewall CD config file(sentry.conf)

rc.M = /floppy/config1/rc.M
rc.inet1 = /floppy/config1/rc.inet1

passwd = /floppy/config1/passwd
shadow = /floppy/config1/shadow

# EOF #
----snip----

The syntax is simple: the default 'rc.M' file is replaced with the user-defined 'rc.M' file located in the '/floppy/config1/' directory, and the same goes for 'rc.inet1', 'passwd' and the 'shadow' file. It is important to remember that the first place the sentry.conf file is looked for is /dev/fd0, which, if found, is mounted on /floppy. This is why all of these files appear to be located under /floppy: it is simply the mount point for the floppy disk.

Unfortunately, you cannot replace arbitrary files this way; for example, the following will not be parsed correctly:

     foo.conf = /floppy/config1/foo.conf

The configuration scripts only recognize a fixed set of file names. There are other very easy ways to replace files that are not supported by default, however; these are discussed below.


4.3 Network Configuration

As of version 1.0.5, a new syntax for configuration directives is recognized: values with an "http://" or "ftp://" prefix. This means that the following syntax is now supported:

     inetd.conf = ftp://user:pass@123.123.123.123/config1/inetd.conf

To accomplish this the configuration scripts need to be able to set up an ethernet interface and to obtain nameserver information from the sentry.conf file. The syntax for this is the following:

     device{1..10} = <device>:<driver>:<IP address>[|Gateway_IP]

     or..

     device{1..10} = <device>:<driver>:dhcp[|Hostname]

And to set up a nameserver:

     nameserver = <IP_ADDRESS>

So, for example, to set up an interface called "eth0" which uses the "tulip" driver and obtains its IP address from a DHCP server, we can use the following line:

     device1 = eth0:tulip:dhcp

As you can see, a total of 10 devices are allowed. Let's say we now want to set up an interface "eth1" that uses an "rtl8139" chip (the "8139too" driver), and has a static IP (192.168.1.2) and a default gateway (192.168.1.1):

     device2 = eth1:8139too:192.168.1.2|192.168.1.1

NOTE: It is important to keep in mind that whatever devices you set up during the configuration process will be promptly taken down after the configuration is complete. This setup is only used so you can retrieve configuration files over the network, via http and ftp. For a permanent network configuration, please use the rc.inet1 file. Note also that plain http and ftp transfers carry both the user:pass credentials from the URL and the retrieved files (including 'shadow') in cleartext, with no integrity check, so fetch them only over a network you trust.


Example

----snip----
## Basic Sentry Firewall CD config file to retrieve files via http or ftp.

device1 = eth0:tulip:192.168.1.2|192.168.1.1
nameserver = <MY_DNS_IP>

rc.M = ftp://user:pass@config.sentry.net/node1/rc.M
rc.inet1 = http://user:pass@config.sentry.net/all_nodes/rc.inet1

passwd = http://user:pass@config.sentry.net/all_nodes/passwd
shadow = ftp://user:pass@config.sentry.net/node1/shadow

# EOF #
----snip----


4.4 Other Useful Configuration Directives

Copy file /floppy/someconfig.conf to /etc/someconfig.conf -

     /floppy/someconfig.conf |= /etc/someconfig.conf

     OR, this does the same thing.

     /etc/someconfig.conf = /floppy/someconfig.conf

Make a symlink called /etc/someconfig.conf that points to /etc/otherconfig.conf -


     /etc/someconfig.conf => /etc/otherconfig.conf

The include directive grabs another sentry.conf file from another location -


     include = ftp://user:pass@config.sentry.net/node1/sentry.conf

Keep in mind, however, that the include directive is one of the first directives to be parsed, and any directive from the included sentry.conf file that conflicts with a directive in the previously parsed sentry.conf files clobbers the old one.


4.5 Putting it all together, managing multiple nodes from a single location.

To manage multiple nodes from a single location, you can use a bare sentry.conf file located on a floppy disk and then grab the remaining files from your ftp or http servers.

----snip----
## Basic Sentry Firewall CD config file.

device1 = eth0:tulip:dhcp
nameserver = <DNS_IP>
include = ftp://user:pass@config.sentry.net/node1/sentry.conf

----snip----

The included sentry.conf file will then be parsed, and files replaced via http or ftp if you like. You can now edit your sentry.conf and configuration files at a central location.
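The directives from sections 4.2 through 4.5 (file replacement, device and nameserver lines, the copy and symlink forms, and include with its clobbering rule) can be checked before booting a node. The following dry-run parser is an added example, not the CD's own rc.S scripts; the set of recognized file names, the 192.0.2.53 nameserver, and the remote file contents are assumptions constructed for the example, and includes are resolved from an in-memory table so nothing is fetched over the network. It also reports the two things a reviewer would flag in such a file: passwords embedded in URLs, and files fetched over cleartext transports.

```python
# Dry-run parser for a Sentry Firewall CD sentry.conf. Added example, not the
# CD's own rc.S scripts; includes are resolved from an in-memory table, not FTP.
import re
from urllib.parse import urlsplit

# Bare names accepted on the left-hand side. Assumption: taken from the names
# this HOWTO uses; the real configuration scripts recognise more.
KNOWN_FILES = {"rc.M", "rc.inet1", "inetd.conf", "passwd", "shadow"}
DEVICE_RE = re.compile(r"^device(?:[1-9]|10)$")              # device1 .. device10
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_device(value):
    """Split '<dev>:<driver>:<IP>[|gateway]' or '<dev>:<driver>:dhcp[|hostname]'."""
    dev, driver, addr = value.split(":")                     # ValueError if malformed
    addr, _, extra = addr.partition("|")
    if addr == "dhcp":
        return {"device": dev, "driver": driver, "dhcp": True, "hostname": extra or None}
    if not IPV4_RE.match(addr) or (extra and not IPV4_RE.match(extra)):
        raise ValueError("bad IP address in %r" % value)
    return {"device": dev, "driver": driver, "dhcp": False, "ip": addr, "gateway": extra or None}


def classify(line):
    """Return (kind, key, source) for one directive, or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()                     # '#' starts a comment
    if not line:
        return None
    for op, kind in (("|=", "copy"), ("=>", "symlink")):     # 'src |= /dst', '/link => target'
        if op in line:
            left, right = (s.strip() for s in line.split(op, 1))
            return (kind, right, left) if op == "|=" else (kind, left, right)
    key, value = (s.strip() for s in line.split("=", 1))     # ValueError if no '='
    if key == "nameserver" and not IPV4_RE.match(value):
        raise ValueError("nameserver needs an IP address, got %r" % value)
    if key in ("include", "nameserver"):
        return key, key, value
    if DEVICE_RE.match(key):
        return "device", key, parse_device(value)
    if key.startswith("/"):                                  # '/etc/x = /floppy/x' also copies
        return "copy", key, value
    return ("replace" if key in KNOWN_FILES else "unsupported"), key, value


def review(kind, key, source):
    """Notes a security reviewer would attach to one directive."""
    notes = []
    if kind == "unsupported":
        notes.append("%s: not a recognised name; use '/path = src' or 'src |= /path'" % key)
    if isinstance(source, str) and source.startswith(("http://", "ftp://")):
        u = urlsplit(source)
        if u.password:
            notes.append("%s: password for %s is stored in sentry.conf" % (key, u.hostname))
        notes.append("%s: fetched over cleartext %s with no integrity check" % (key, u.scheme))
    return notes


def load_conf(text, fetch, _seen=None):
    """Parse sentry.conf into {key: (kind, source)}; included directives clobber local ones."""
    seen = set() if _seen is None else _seen
    local, includes, notes = {}, [], []
    for raw in text.splitlines():
        parsed = classify(raw)
        if parsed is None:
            continue
        kind, key, source = parsed
        notes.extend(review(kind, key, source))
        if kind == "include":
            includes.append(source)
        else:
            local[key] = (kind, source)
    merged = dict(local)
    for url in includes:
        if url in seen:                                      # guard against include loops
            raise ValueError("include loop at %s" % url)
        seen.add(url)
        inc, inc_notes = load_conf(fetch(url), fetch, seen)
        merged.update(inc)                                   # included file wins on conflicts
        notes.extend(inc_notes)
    return merged, notes


# Constructed sample: the bare floppy sentry.conf of section 4.5 plus a local
# rc.M line that the included file overrides. Addresses are assumed.
FLOPPY_CONF = """\
## Basic Sentry Firewall CD config file.
device1 = eth0:tulip:dhcp
nameserver = 192.0.2.53
rc.M = /floppy/config1/rc.M
include = ftp://user:pass@config.sentry.net/node1/sentry.conf
"""

# Constructed stand-in for what the FTP server would return for the include.
REMOTE = {
    "ftp://user:pass@config.sentry.net/node1/sentry.conf": """\
rc.M = ftp://user:pass@config.sentry.net/node1/rc.M
rc.inet1 = http://user:pass@config.sentry.net/all_nodes/rc.inet1
shadow = ftp://user:pass@config.sentry.net/node1/shadow
/floppy/hosts.allow |= /etc/hosts.allow
/etc/localtime => /usr/share/zoneinfo/UTC
foo.conf = /floppy/config1/foo.conf
""",
}


def example():
    """Merged configuration and review notes for the constructed sample."""
    return load_conf(FLOPPY_CONF, REMOTE.__getitem__)
```

Running example() shows the local 'rc.M' entry replaced by the one from the included file, the unsupported 'foo.conf' line flagged, and one note per remote URL about the embedded password and the cleartext transport; a real deployment would call load_conf() with a fetch callable that actually retrieves the URL.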


4.6 Example sentry.conf and disk images

An example configuration disk image is available on the CDROM. The disk is an ext2 formatted disk, and the image is located in the '/SENTRY/images/' directory on the CD. There is also a very complete sentry.conf file on the disk which may help clarify a lot of these directives. Use a command like the following to create the configuration disk, then mount it (mount /dev/fd0 /floppy) and confirm that sentry.conf is present before booting from the CD:

blah@wherever:~$ dd if=/cdrom/SENTRY/images/ext2-144.img of=/dev/fd0
2880+0 records in
2880+0 records out


