Sentry CD – a fresh look at the firewall

If you suddenly have a desire to build a firewall based on Linux, then it is not necessary to contact large distributions, which do not include a nail file. If you are not afraid of manual work and strive to gain full control over your system, then you should get acquainted with Sentry Firewall CD (SFCD).

He lives at . This is a flexibly configurable bootable CD that demonstrates, so to speak, a minimalistic approach to building a firewall.

The SFCD system requirements are also minimal: a processor from the 486, a BIOS with the ability to boot from a compact, 32 megabytes of RAM (64MB if you plan to run a firewall/router/DNS server). If your match meets these truly brutal requirements, feel free to go to the SFCD website, download a fresher ISO and drive it to CD.

You have the opportunity to use both your own configuration files for Sentry Firewall CD (including the usual resolve.conf and hostname for Linux systems) and the initialization scripts of SFCD itself. If the concept of specific scripts doesn’t inspire you, relax – Sentry Firewall CD is based on Slackware, known for its boot-simple scripts.

The key SFCD file for operation is sentry.conf. By reading this file, SFCD gets information about the location of other configuration files. A complete list of these files can be found in the example sfcd.conf, which is located on CD in the SENTRY/scripts/cd-config directory. It would be even better to look at this file before burning the disc. To do this, mount the ISO image:

mount -o loop -t iso9660

The easiest way to quickly get your own configuration files during installation is to take care of creating a configuration floppy disk in advance.

There are two ways to create such a floppy disk. The first is to use the image that is on the CD. You can use it to create a floppy disk after you boot from the disk or mount the ISO with the command

Now you can edit the contents of the floppy disk based on the specifics of your environment. Editing Sentry Firewall CD configs is not such a complicated thing as it may seem at first glance.

The second way is to simply boot from the CD and edit the configuration files. The saved versions will be in RAM. To burn them to a floppy disk, use the included SFCD program /sbin/mkconfig. This utility is a wizard that will give step-by-step instructions on how to create your own sentry.conf file.

No one forces you to store configuration files on a floppy disk. Flash drive, hard drive, etc. – anything will do. SFCD will search for sentry.conf in the following order: FDD – HDD – USB. All other configuration files can be taken from the network via HTTP, HTTPS, FTP, SFTP or SCP. Passwords will be required for SFTP and SCP. The ability to download configuration files over the network will be very useful if physical access to the firewall is difficult.

Here is an example of an sfcd.conf entry that calls resolv.conf using SCP:

It is allowed to use a password-protected HTTP directory – just specify the username and password.

so where is the firewall?

You are probably wondering: when will the author deign to tell you about the promised firewall? Sentry Firewall CD loads its own firewall using the rc.firewall file. If you already have a working firewall based on iptables, then you can simply copy the contents of its script to the named file.

If you plan to set up a firewall from scratch, then some built-in Sentry CD tools will help you in this noble deed. In the /SENTRY/scripts/firewall directory, you can find a good selection of ready-made scripts for different occasions. In fact, these are ordinary iptables scripts that you can edit based on your own realities. In addition, the CD contains script generators written in PHP.

The SFCD also includes Webmin, which is deactivated by default. If you set the start webmin enable value in the sentry.conf file, then you can generate scripts using the Linux Firewall or Shorewall Firewall modules.

Sentry CD contains a lot of popular network programs, including apache, bind, nmap, sendmail, squid and snort. The location of their configuration files is registered in sentry.conf. Like the SFCD files themselves, they can also be stored on an accessible network resource. Another interesting feature of Sentry Firewall CD is the ability to create your own CDs.

It is not difficult to make a CD with SFCD functionality and your own configuration files. Just copy the entire CD to a directory on your hard drive and edit the files for which you deem it necessary. Then make edits to the script SENTRY/scripts/MK-CD/ and change the path in the root_dir parameter to the one leading to your directory where you copied the CD. Now run the script to create your own file sentry.iso . Write down the blank and enjoy the result.

If you want to use a different kernel, then you will need to change the RAMDISK image, which is located in the isolinux directory. Modification of RAMDISK complicates the process of creating your own CD, but the possibilities for adapting the product to your needs in this case become simply limitless. You can mount and edit the file initrd.img.gz or use the script located in the MK-CD directory . If you decide to play with the kernel in this way, first be sure to read the RAMDISK section in the FAQ.

As you can see, Sentry Firewall CD is not just a firewall on CD. This is a flexible distribution that you can customize to your individual needs.