Whole document tree

Whole document tree

Sentry Firewall CD HOWTO: Building a Custom Sentry CD Next Previous Contents

6. Building a Custom Sentry CD

6.1 Introduction

This section will attempt to describe how to create a custom Sentry Firewall CDROM. Unfortunately, I do not have to time to go into every detail. But at the very least I will try and provide for you an overview of the CD creation process.

6.2 The development system(How I do it)

My development system consists of 2 separate Slackware installations. First, I have a very complete Slackware installation on my main hard drive(/dev/hda). I then have /dev/hdb1, upon which I have another, bare bones, Slackware installation. This installation generally has no compiling tools or X stuff. I usually have /dev/hdb1 mounted on /mnt, that's not a critical element, but I thought I'd mention it since I will refer to /mnt alot from now on. I then have a folder called /CD-FW on the /dev/hdb1 installation. Throughout this entire process, the Slackware installation on /dev/hda is the live running system, and it is from here that I compile the needed tools, kernels, etc and basically run everything.

I begin by copying nearly all the files from /mnt to /mnt/CD-FW in order to produce what will be the next Sentry Firewall CD. For example, I have a script that does something like the following:

        ## This usually spits out alot of errors, usually crap about
        ## hard links and such, but they are all ignorable.

        cp -Rdp /mnt/bin /mnt/CD-FW/
        cp -Rdp /mnt/sbin /mnt/CD-FW/
        cp -Rdp /mnt/lib /mnt/CD-FW/
        cp -Rdp /mnt/usr/bin /mnt/CD-FW/usr/
        cp -Rdp /mnt/usr/sbin /mnt/CD-FW/usr/
        cp -Rdp /mnt/usr/local/bin /mnt/CD-FW/usr/local/
        cp -Rdp /mnt/usr/lib /mnt/CD-FW/usr/
        cp -Rdp /mnt/usr/libexec /mnt/CD-FW/usr/
        cp -Rdp /mnt/usr/share /mnt/CD-FW/usr/
        cp -Rdp /mnt/usr/man /mnt/CD-FW/usr/

I then need to create alot of other folders and files in /mnt/CD-FW in order to get a fairly complete system. Things in /mnt/CD-FW/var for instance will often have to be created by hand in order to avoid copying alot of crap I don't need. Notice, however, that I don't copy any /dev files, since these files will be on the ramdisk(when I get around to creating it).

Ok, so now we have /mnt/CD-FW. To make this easy for you, this is essentially the exact same thing that's present on the Sentry Firewall CDROM. All I did was use the 'mkisofs' utility on /mnt/CD-FW. So the stuff on the CD is actually a copy of what's in the /mnt/CD-FW directory on my hard drive.

Having a separate, but unused Slackware system on /dev/hdb1 makes it easy for me to install and upgrade packages as I need them. For example, if I want to use the upgradepkg utility to upgrade a package I get from ftp.slackware.com, I can simply do something like the following:

root@mybox:~# cp /tmp/zlib.tar.gz /mnt
root@mybox:~# cd /mnt; chroot /mnt
root@mybox:/# upgradepkg zlib.tar.gz; exit

Then, all I need to do is re-run the script mentioned above, the one that copies all those files, to update the /mnt/CD-FW directory.

6.3 The RAMdisk Image

That's all nifty, but now comes the hard part... making the ramdisk. If you take a look at the /isolinux directory on the CDROM, you will see a bunch of files, one of them is called 'initrd.img' - there are several others as well, such as isolinux.cfg, message.txt, and isolinux.bin. These files are required by isolinux in order to work properly. Take a look at those files and the documentation that comes with syslinux to get a better idea of what all that does. In any case, the 'initrd.img' file is, in fact, the compressed ramdisk image.

To take a look at the image, do something like the following:

blah@wherever:~$ cp /cdrom/isolinux/initrd.img /tmp/initrd.img.gz
blah@wherever:~$ gzip -d /tmp/initrd.img.gz
blah@wherever:~$ mount -o loop /tmp/initrd.img /MOUNT_POINT

In a nutshell, I use the file '/SENTRY/scripts/MK-CD/mkrootdsk.sh' to create the rootdisk. Please read that file and the disclaimer before you decide to use it. It runs perfectly on my system, but may not run well at all on yours. It basically attempts to create a rootdisk image to use with the Sentry CD, but it is very long and may be somewhat difficult to comprehend at times. This is what happens when I start a project and fail to utilize proper child safety restraints.

6.4 Making the ISO Image

The next file I use is called 'mkiso.sh'. The script generally just declares a few variables and runs the 'mkisofs' utility. The command I normally run looks like the following:

root@mybox:~# cd /mnt/CD-FW
root@mybox:/mnt/CD-FW# mkisofs -o sentrycd.iso -R -V "Sentry Firewall CD [v1.2.0]" -v \
   -T -d -D -N \
   -b isolinux/isolinux.bin \
   -c isolinux/eltorito.cat \
   -no-emul-boot -boot-load-size 4 -boot-info-table \
   -A "Sentry Firewall v1.2.0 (Slackware 8.0)"

And that's it, I burn the CD and test it. For reference, the following files are available on the CDROM:

  • /SENTRY/scripts/MK-CD/mkrootdsk.sh (builds the rootdisk)
  • /SENTRY/scripts/MK-CD/mkiso.sh (builds final ISO image)
  • /SENTRY/scripts/MK-CD/record-cd.sh (burns the ISO to a CD)

Next Previous Contents