Author: Paul Virijevich
The hardware requirements for SFCD are minimal: a 486 or better processor, a BIOS that can boot from a CD-ROM, and a minimum of 32MB RAM, with 64MB recommended if you plan to run a firewall/router/DNS server. If your box meets those stringent requirements, head over to the SFCD Web site, download the latest ISO image, and burn the ISO file to a CD.
With SFCD, you have the option of using your own custom configuration files, including files common to all Linux systems (like resolv.conf and hostname) as well as SFCD’s init scripts. If the concept of custom init scripts scares you, relax. SFCD is based on Slackware, a distribution known for the simplicity of its init scripts.
The key to setting up SFCD is the file sentry.conf. SFCD reads sentry.conf to learn where the custom configuration files are located. For a complete list of files that you can customize, take a look at the sample sentry.conf included on the CD in the directory SENTRY/scripts/cd-config. It may be a good idea to check out this file even before burning the CD. To do so, mount the ISO image with:
mount -o loop -t iso9660 <iso-image> <mount-point>
Creating a customized configuration diskette is the easiest way to quickly set up your own configuration files. Customizing these files is not as difficult as it might appear. There are two ways to easily create your own diskette. The first is to use the sample diskette image included on the CD. You can copy this image to a floppy after booting the CD or mounting the ISO image with:
dd if=SENTRY/images/ext2-144.img of=/dev/fd0
You can then modify the contents of the diskette to suit your environment.
The second way to create a diskette is to boot the CD without your own version of sentry.conf. You can then edit the configuration files, and the saved versions will be stored in RAM. To save them to a diskette, use the
SFCD does not require configuration files to be stored on a diskette. Sentry.conf itself may be stored on a floppy, hard drive, or USB drive; SFCD searches for sentry.conf on those devices in that order. All other configuration files can be accessed from a network resource via HTTP, HTTPS, FTP, SFTP, or SCP. Passwords are required for SFTP and SCP. The ability to store and modify these files from a network resource comes in particularly handy when physical access to the firewall is inconvenient.
An example entry in sentry.conf that retrieves resolv.conf using SCP would look like:
resolv.conf = scp://username:password@192.168.1.1/configdirectory/resolv.conf
You can also use a password-protected HTTP directory — just specify the username and password as in the above example.
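As an added example (not part of the original article or of SFCD itself), the following Python script audits sentry.conf entries of the form shown above and flags remote entries that use cleartext HTTP or FTP or that embed a password in the URL. The sample entries, the fwuser account and the treatment of # lines as comments are constructed assumptions.

```python
from urllib.parse import urlsplit

# Transports the article lists for fetching remote configuration files.
CLEARTEXT = {"http", "ftp"}          # no encryption or integrity protection
ENCRYPTED = {"https", "sftp", "scp"}

# Constructed sample. The "name = URL" layout follows the article's
# resolv.conf entry; '#' comment lines and the key names are assumptions.
SAMPLE = """\
# constructed sentry.conf sample
resolv.conf = scp://fwuser:s3cret@192.168.1.1/configdirectory/resolv.conf
rc.firewall = ftp://fwuser:s3cret@192.168.1.1/configdirectory/rc.firewall
hostname = https://192.168.1.1/configdirectory/hostname
"""


def audit(text):
    """Return (line_no, name, finding) tuples for risky remote entries."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = (part.strip() for part in line.partition("="))
        url = urlsplit(value)
        scheme = url.scheme.lower()
        if scheme not in CLEARTEXT | ENCRYPTED:
            continue  # local path or a setting that is not a URL
        if scheme in CLEARTEXT:
            # Firewall rules fetched this way can be read or altered in transit.
            findings.append((line_no, name, "cleartext-transport"))
        if url.password:
            # Anyone who can read the floppy or USB drive learns this password.
            findings.append((line_no, name, "embedded-password"))
    return findings


if __name__ == "__main__":
    for line_no, name, finding in audit(SAMPLE):
        print(f"line {line_no}: {name}: {finding}")
```
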
But where’s the firewall?
Right about now you’re probably wondering where the firewall is. SFCD loads its firewall from the file rc.firewall. If you already have an existing iptables firewall script, just copy and paste it into this file.
If you need to set up a firewall from scratch, SFCD provides some tools to get you up and running. A number of sample firewall scripts are provided in the directory
Webmin is also included on SFCD but not enabled by default. To enable it, modify the start webmin parameter in sentry.conf to enable. Then use the Linux Firewall or Shorewall Firewall modules to generate your script.
SFCD also contains many popular networking programs, such as Apache, Bind, Nmap, Sendmail, Squid, and Snort. You can specify the location of the configuration files for these programs in sentry.conf. They can be stored on a network resource just like SFCD’s own configuration files.
A final interesting feature of SFCD is the ability to create your own custom CD. How difficult is it to do this? That depends on whether you just want to use your own configuration files or whether you want to use a custom kernel as well.
Creating a CD with the same functionality as SFCD with custom configuration files is easy. Just copy the entire CD to a directory on your hard drive and edit the files of your choosing. Then edit the script SENTRY/scripts/MK-CD/mkiso.sh and change the root_dir parameter to match the directory that you copied the CD to. Now run the script to create a custom sentry.iso file. Burn it to a disc and enjoy your own customized firewall CD.
To use a custom kernel, you need to modify the RAMDISK image located in the isolinux directory. Modifying the RAMDISK adds a layer of complexity to creating a custom CD, but it provides for the ultimate in customization. You can either mount and modify the file initrd.img.gz, or you can use the mkrootdisk.sh script located in the MK-CD directory. If you decide to go this route, be sure to get all the details from the RAMDISK section of the FAQ.
As you can see, SFCD is more than just a firewall on CD. It is a customizable distribution that you can tailor to your exact needs.