

Sentry Firewall CD TM   [ www.SentryFirewall.com | Sentry.SourceForge.net ]
CDROM-Based Firewall/Server/IDS(Intrusion Detection System)

Frequently Asked Questions:

GENERAL

USAGE

BUG RELATED



GENERAL

Q: What is the Sentry Firewall CD?

A: The Sentry Firewall CD is a Linux-based bootable CDROM suitable for use in a variety of different operating environments. The system is designed to be configured via a floppy disk or over a network. This allows one to configure the system dynamically, even though much of the actual system is on read-only media.

Q: Why use a CD-ROM based system?

A: There are several advantages to using a CDROM-based system in various security-related environments. The main system is centered around the ramdisk, a compressed file system image which is loaded at boot time. Any changes to the ramdisk image are temporary, and will be undone upon the next reboot. Furthermore, the ramdisk, kernel, binaries, etc., related to the operating system are kept on read-only media (CDROM). This means that if the security of a machine running a CDROM-based system is ever compromised, the attacker can at best maintain control of the machine until the next reboot. So there is no real threat of having to go through the tedious task of rebuilding and hardening the system after a successful attack is discovered. The bug can be fixed, and a new ISO and CD made with relative ease.

Q: What's with all these branches (SENTRYCD/SENTRYCD-RH/SENTRYCD-xxx)?

A: First, let me explain briefly about how the Sentry Firewall CD works. Basically, there is the "host" system, a Linux system that is based on one of several Linux distributions. Then there are the configuration scripts, written in perl, that run after the kernel boots and help configure the system on the fly. In general, it is possible to create a Sentry Firewall CD system based on nearly any Linux distribution while only modifying one of the five perl scripts.

So, to answer your question, each Sentry Firewall CD branch utilizes similar configuration methods, but each is simply based on a different Linux distribution. Since I'm a Slackware fan, I used that distribution as the foundation for the original Sentry Firewall CD (the "SENTRYCD" branch). It has always been my desire to utilize other Linux distributions for this project, which is why I created the "SENTRYCD-RH" branch. There will no doubt eventually be other branches and variations.

Current Sentry Firewall CD Branches:

Q: I'm a Linux newbie, will the Sentry Firewall CD be a good choice for me?

A: At the moment, there are at least a couple of variations of the Sentry Firewall CD that are based on various Linux distributions. You should first choose the Linux distribution you are most familiar with. More information on the different types can be found on the web site, www.SentryFirewall.com.

Basically, the Sentry Firewall CD is meant to be configured just like a normal Slackware or Redhat or whatever Linux system. There are no GUIs, no scripts to do it for you. The idea behind the configuration of the CD is that you are able to reconfigure the system by replacing the startup scripts and the various configuration files normally present on the system at boot time. Most of these are simply text files and shell scripts that you need to edit by hand in order to configure properly. There are, however, usually plenty of resources available to assist you in configuring a specific service or daemon (HOWTOs on linux.org, for example).

Q: What kind of things can the Sentry Firewall CD do?

A: Tons of things!
The Sentry Firewall CD is capable of operating in a large number of environments and performing a large number of tasks, such as advanced routing, queuing, firewalling, NATing, and bridging (+firewalling), as well as acting as a server or intrusion detection system. Please try it out. If you find that the CD is lacking something you need, I may be able to add it for you.
Email me with your feedback and I'll do my best to help out.

Q: Why not add this/that to the cdrom?

A: If you have any feedback or suggestions for the Sentry Firewall CD-ROM please send them to Obsid@Sentry.net.

Q: Is there a mailing list for this project?

A: Yes, please visit http://lists.sourceforge.net/lists/listinfo/sentry-users



USAGE


Q: Are there any default accounts that I can use to login the first time?

A: You can log into a system running the Sentry Firewall CD with one of two default accounts. The first account is an unprivileged user named "sentry" with a default password of "SENTRY". The other is user "root" with a default password of "sentry".

Note: If the system is in the default state you will only be able to log in locally.

Q: I cannot ssh or telnet to the firewall, I thought I saw sshd start at bootup?

A: From the README file:

     "As of version 1.0.5, if the user does not replace the /etc/shadow file with his/her
     own copy, the configuration scripts will refuse to utilize the user's inetd.conf and
     sshd_config files. If the user did declare these they will be copied to inetd.conf.user
     and sshd_config.user. Instead, the script will display a warning and symlink these two
     configuration files to more restrictive files located in /etc/default and /etc/default/ssh.
     Sorry if this catches folks by surprise or irritates people in any way, but I think these
     simple steps are useful to prevent an 'insecure by default' configuration for the CD-ROM."
  
So you probably didn't replace /etc/shadow. The fact is that sshd is actually running, but only listening on the loopback interface. See the /etc/ssh/sshd_config file.
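The answer above says sshd is running but bound to loopback only, which is why a remote ssh attempt fails. The following is an added example, not part of the Sentry Firewall CD or its scripts: a small sh script that reads an sshd_config, lists its ListenAddress values (falling back to OpenSSH's 0.0.0.0 default when none is set) and reports whether the daemon is reachable from anywhere but the local machine. The three sample config files it builds are constructed placeholders, not the CD's real /etc/default/ssh or /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the Sentry Firewall CD: read an sshd_config and
# say whether sshd is restricted to loopback. OpenSSH binds every address when
# no ListenAddress directive is present, so "no directive" means "open".

# Print the ListenAddress values of the sshd_config given as $1, one per line,
# falling back to 0.0.0.0 (OpenSSH's default) when the file sets none.
# Commented-out directives ("#ListenAddress ...") are ignored.
sshd_listen_addrs() {
    addrs=$(sed -n 's/^[[:space:]]*ListenAddress[[:space:]]\{1,\}//p' "$1" |
            sed 's/[[:space:]]*$//')
    if [ -z "$addrs" ]; then
        echo "0.0.0.0"
    else
        echo "$addrs"
    fi
}

# Exit 0 when every ListenAddress is loopback (127.x.x.x or ::1, with or
# without a :port suffix), 1 when any address would accept remote clients.
sshd_loopback_only() {
    for a in $(sshd_listen_addrs "$1"); do
        case "$a" in
            127.*|::1|\[::1\]*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample configs (placeholders, not the CD's real files).
WORK=$(mktemp -d)
SAMPLE_RESTRICTED="$WORK/sshd_config.restricted"   # loopback only
SAMPLE_OPEN="$WORK/sshd_config.open"               # also bound to a LAN address
SAMPLE_NOLISTEN="$WORK/sshd_config.nolisten"       # no directive at all

cat > "$SAMPLE_RESTRICTED" <<'EOF'
# constructed: the kind of restrictive config the FAQ says gets symlinked in
Port 22
ListenAddress 127.0.0.1
#ListenAddress 0.0.0.0
EOF

cat > "$SAMPLE_OPEN" <<'EOF'
# constructed: a user-supplied sshd_config that also listens on the LAN side
Port 22
ListenAddress 127.0.0.1
ListenAddress 192.0.2.1
EOF

cat > "$SAMPLE_NOLISTEN" <<'EOF'
# constructed: nothing set, so sshd uses its 0.0.0.0 default
Port 22
EOF

# Human-readable verdict for one config file.
report() {
    if sshd_loopback_only "$1"; then
        echo "$1: loopback only; remote ssh will be refused"
    else
        echo "$1: reachable on $(sshd_listen_addrs "$1" | tr '\n' ' ')"
    fi
}

report "$SAMPLE_RESTRICTED"
report "$SAMPLE_OPEN"
report "$SAMPLE_NOLISTEN"
# On a running CD: report /etc/ssh/sshd_config
```

On the CD itself, running `report /etc/ssh/sshd_config` against the symlinked-in file tells you in one line whether the restrictive default is still in effect; once you have supplied your own /etc/shadow and sshd_config, run it again to confirm the addresses you intended to expose are the only ones listed.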

Q: Can I use FWBuilder (http://www.fwbuilder.org/) with the Sentry Firewall CD?

A: Yes, you can. There is detailed information in the HOWTO to assist you in using FWBuilder.

Q: Apache/Squid dies with an error about my hostname.

A: Apache and Squid may die with a message similar to "Unable to resolve fully qualified hostname..." Apache and Squid need to be able to resolve the hostname of the machine they are running on. The hostname of the machine is set with the hostname command, and can be declared using the "hostname" directive in the sentry.conf file. The easiest way to solve this is to put an entry in the /etc/hosts file that assigns an IP address to the hostname of the machine. If you have control of your DNS servers then you can also set up a DNS record to do the same thing. You would then need to edit the resolv.conf file and add the IP address of your DNS server.

Note: If you end up editing either /etc/hosts or /etc/resolv.conf don't forget to add them to your floppy and declare their location using their corresponding entries in the sentry.conf file.
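The /etc/hosts fix described above is easy to get wrong by hand (a duplicate or partially matching name, a mapping that already exists). Here is an added example, not part of the Sentry Firewall CD, that checks whether a name resolves through a hosts file and appends an "IP hostname" line only when it does not. The hosts file, hostname ("sentry.example") and address (192.0.2.1) are constructed placeholders; on a real system you would pass /etc/hosts, "$(hostname)" and the interface address you want the name bound to.

```shell
#!/bin/sh
# Added example, not part of the Sentry Firewall CD: give the machine's
# hostname an /etc/hosts entry without clobbering what is already there.
# Works on a copy first; point it at /etc/hosts only once you are happy.

# Print the address mapped to NAME ($2) in hosts file $1, or nothing.
# Comments are stripped first; NAME must match a whole field, not a substring.
hosts_ip() {
    sed 's/#.*//' "$1" |
        awk -v n="$2" '{ for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# Exit 0 if NAME ($2) resolves through hosts file $1.
hosts_resolves() {
    [ -n "$(hosts_ip "$1" "$2")" ]
}

# Append "IP NAME" to hosts file $1 unless NAME already resolves there.
# Running it twice is safe: the second call reports the existing mapping.
ensure_hosts_entry() {
    file=$1 ip=$2 name=$3
    if hosts_resolves "$file" "$name"; then
        echo "$name already maps to $(hosts_ip "$file" "$name") in $file"
    else
        printf '%s\t%s\n' "$ip" "$name" >> "$file"
        echo "added $ip $name to $file"
    fi
}

# Constructed sample hosts file (a placeholder, not the CD's own /etc/hosts).
WORK=$(mktemp -d)
SAMPLE_HOSTS="$WORK/hosts"
cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed sample
127.0.0.1   localhost
EOF

# Constructed values; on a real system use "$(hostname)" and the interface IP
# you want the name bound to.
FW_NAME="sentry.example"
FW_IP="192.0.2.1"

ensure_hosts_entry "$SAMPLE_HOSTS" "$FW_IP" "$FW_NAME"   # adds the line
ensure_hosts_entry "$SAMPLE_HOSTS" "$FW_IP" "$FW_NAME"   # second run is a no-op
```

After editing the real /etc/hosts this way, `hosts_resolves /etc/hosts "$(hostname)"` is a quick pre-flight check before starting Apache or Squid, and, as the note above says, the edited file still has to go onto the floppy and be declared in sentry.conf or it will be gone at the next boot.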

Q: Is it possible to disable kernel module (un)loading for security purposes?

A: Yes. As of version 1.5.0-rc3 the GENERIC kernel on the CD includes the ability for one to disable any further kernel module loading or unloading until the next reboot. Use the following command to disable kernel module loading: "echo off > /proc/modules".

Note: Given the modular nature of the Sentry Firewall kernel, please be sure to test this option thoroughly before deploying it on a production system.

Q: How do I "patch" the ISO image to update to the latest release?

A: There is a section in the Sentry Firewall CD HOWTO that explains how to use the xdelta utility to update the ISO image.

Q: Is it possible to increase the size of the root(/) partition?

A: Yes. With the Sentry Firewall CD version 1.5.0-rc11 or newer, you can resize the ramdisk at configuration time with the 'root_size' configuration directive in your sentry.conf. Please see the HOWTO for more information.

NOTE: You may also resize the ramdisk after configuration by simply remounting root (/), i.e., "mount -oremount,size=24M /"

Q: What is this "mkconfig" script?

A: The /sbin/mkconfig script is a perl script with a dialog(1)-based GUI that can assist you in identifying the changed files in /etc, creating a sentry.conf file, and copying the changed files to a floppy disk or floppy disk image. Simply run "/sbin/mkconfig" and follow the prompts. This software is still considered BETA, and its functionality is highly subject to change. Please send any patches/bugs to Obsid@Sentry.net.

NOTE: The 'mkconfig' script has only recently become somewhat stable, as of version 0.3-BETA, which is included with the Sentry Firewall CD version 1.5.0-rc11. Older versions of the mkconfig script (prior to 0.3-BETA) were not nearly as functional and should probably not be used.


BUG RELATED

Q: The mkrootdsk.sh script spits out errors when attempting to build a rootdisk, why?

A: A number of problems may occur when running this script. To begin with, make sure the variables have been set properly at the top of the script. Also, in order to use a lot of the variables by default, the Sentry Firewall CD-ROM should probably be mounted on /cdrom. The mailing list is a great place to ask questions regarding these scripts, or any other aspect of the Sentry Firewall.

It is also important to understand that these scripts tend to be kinda hackish, and were not designed with user friendliness as their primary goal. They were designed to be used by developers who would like to build and test their own Sentry Firewall systems. They work well in general, but they still may require a bit of customization to work properly in your development environment. And, as always, please read the disclaimer.

Q: I get an error at boot time about a problem mounting the CDROM, but when I log in the CDROM appears to be mounted properly.

A: If there's a problem mounting the CDROM at boot time, you will see the following error on the screen and in the /var/log/SENTRY_LOG file:

     ERROR: CRITICAL - Unable to locate and mount a Sentry Firewall CDROM.  Will try to proceed anyway.
  
If the CDROM is never mounted at boot time, then the configuration process will likely fail - leaving the Sentry Firewall system in an unconfigured state. An error like this would indicate a hardware failure or possibly just a damaged CDROM. This situation is uncommon.

On the other hand, there have been instances where this error appears on the screen, but the configuration completes properly and the system usually appears to function normally. In these instances the CDROM appears to have been mounted properly at boot time despite the error displayed.

The cause of this error is usually a flakey or failing CDROM drive. Those who encounter this situation should inspect the /var/log/syslog file on the Sentry Firewall system. Errors associated with this issue usually look something like the following:
     hdc: DMA interrupt recovery
     hdc: lost interrupt
     hdc: status timeout: status=0xd0 { Busy }
     hdc: status timeout: error=0x00
     hdc: drive not ready for command
     hdc: ATAPI reset complete
  
Basically, what often occurs is the CDROM does get mounted properly, but because of this error the "mount" command returns something other than success - so an error will be displayed. In this case, this error is not considered fatal and the system will probably boot and operate normally. To prevent further troubles, however, I would suggest replacing the CDROM drive and then testing further.
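To tell the harmless case (drive hiccup, CD still mounted) from a genuinely failing drive, it helps to count how often the messages listed above appear. The script below is an added example, not part of the Sentry Firewall CD: it counts, per IDE device, the syslog lines matching the error strings quoted in this answer, and flags the device once they cross a threshold. The syslog excerpt is constructed (hostname "sentry", timestamps and the non-error lines are made up) in the format of /var/log/syslog on the CD; the threshold of three is an assumption, not a figure from the FAQ.

```shell
#!/bin/sh
# Added example, not part of the Sentry Firewall CD: count the IDE/ATAPI error
# lines the FAQ associates with a flaky CDROM drive, per device, so a boot-time
# mount error can be traced to the drive rather than to the CD image.

# Print how many lines in syslog file $1 report one of the known drive errors
# for device $2 (hdc on the CD's typical layout). grep -c prints 0 and exits 1
# when nothing matches, so the "|| true" keeps that from looking like failure.
cdrom_error_count() {
    grep -c -E "$2: (DMA interrupt recovery|lost interrupt|status timeout|drive not ready for command|ATAPI reset complete)" "$1" || true
}

# Exit 0 when device $2 logged at least $3 such errors (default 3, an assumed
# threshold) in syslog file $1.
drive_looks_flaky() {
    threshold=${3:-3}
    [ "$(cdrom_error_count "$1" "$2")" -ge "$threshold" ]
}

# Constructed syslog excerpt in the shape the FAQ shows (hostname "sentry",
# timestamps and the non-error lines are made up).
WORK=$(mktemp -d)
SAMPLE_SYSLOG="$WORK/syslog"
cat > "$SAMPLE_SYSLOG" <<'EOF'
Jan  5 09:10:01 sentry kernel: hda: ATA DISK drive
Jan  5 09:10:01 sentry kernel: hdc: ATAPI CD/DVD-ROM drive
Jan  5 09:10:07 sentry kernel: hdc: DMA interrupt recovery
Jan  5 09:10:07 sentry kernel: hdc: lost interrupt
Jan  5 09:10:12 sentry kernel: hdc: status timeout: status=0xd0 { Busy }
Jan  5 09:10:12 sentry kernel: hdc: status timeout: error=0x00
Jan  5 09:10:12 sentry kernel: hdc: drive not ready for command
Jan  5 09:10:13 sentry kernel: hdc: ATAPI reset complete
Jan  5 09:10:20 sentry syslogd: restart
EOF

# Summarise each device; in the sample only hdc has logged drive errors.
for dev in hda hdc; do
    n=$(cdrom_error_count "$SAMPLE_SYSLOG" "$dev")
    if drive_looks_flaky "$SAMPLE_SYSLOG" "$dev"; then
        echo "$dev: $n drive errors; suspect the drive before the CD image"
    else
        echo "$dev: $n drive errors"
    fi
done
# On the CD: cdrom_error_count /var/log/syslog hdc
```

Run against /var/log/syslog on the CD, a count that keeps climbing across boots is the signal described above that the drive, not the ISO, is the thing to replace.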

Q: Where to send bugs, suggestions, problems?

A: You may send email to me, Obsid@Sentry.net, or subscribe to the "sentry-users" mailing list, http://lists.sourceforge.net/lists/listinfo/sentry-users






Sentry Firewall CD
Copyright © 2001-2004. All rights reserved.