FreeBSD Firewall
Creating a bootable FreeBSD CD-ROM
The following output was generated from a
script
designed to copy user configurations into an image
directory and then create a bootable ISO image
for burning onto CD-ROM.
Script Output
<![CDATA[
Script started on Wed Mar 20 08:33:41 2002
root@ultana:/build> ls
4.5-RELEASE/ mkfirewall.sh* mkimage.txt zamaz/
root@ultana:/build> ls zamaz
bind-conf.tar ipnat.rules rc.conf
boot.catalog kernel* rc.early
boot.flp loader.rc tar-exclude
dhcpd.conf mkisofs-1.14.tgz*
ipf.rules namedb/
root@ultana:/build> ./mkfirewall.sh
Creating bootable CD-ROM image
Localized configuration path /build/zamaz
FreeBSD source tree path /build/4.5-RELEASE
Generated ISO image source tree path /build/zamaz-image
Creating image directory
/build/zamaz-image
Copying FreeBSD source from /build/4.5-RELEASE to /build/zamaz-image
Installing localized config files
/build/zamaz/rc.early -> /build/zamaz-image/etc/rc.early
/build/zamaz/rc.conf -> /build/zamaz-image/etc/rc.conf
/build/zamaz/ipnat.rules -> /build/zamaz-image/etc/ipnat.rules
/build/zamaz/ipf.rules -> /build/zamaz-image/etc/ipf.rules
Installing /build/zamaz/namedb to /build/zamaz-image/etc
/build/zamaz/namedb -> /build/zamaz-image/etc/namedb
/build/zamaz/namedb/named.SOA -> /build/zamaz-image/etc/namedb/named.SOA
/build/zamaz/namedb/db.127.0.0 -> /build/zamaz-image/etc/namedb/db.127.0.0
/build/zamaz/namedb/db.63.225.106 -> /build/zamaz-image/etc/namedb/db.63.225.106
/build/zamaz/namedb/db.63.225.106.rev -> /build/zamaz-image/etc/namedb/db.63.225.106.rev
/build/zamaz/namedb/db.zamaz.com -> /build/zamaz-image/etc/namedb/db.zamaz.com
/build/zamaz/namedb/named.conf -> /build/zamaz-image/etc/namedb/named.conf
Clearing /etc/fstab
Creating static etc directory /build/zamaz-image/conf/default
/build/zamaz-image/conf
/build/zamaz-image/conf/default
Copying /build/zamaz-image/etc to /build/zamaz-image/conf/default
Removing /build/zamaz-image/kernel.GENERIC
/build/zamaz-image/kernel.GENERIC
Creating /var
/build/zamaz-image/var
Installing boot images
/build/zamaz/boot.flp -> /build/zamaz-image/boot.flp
/build/zamaz/boot.catalog -> /build/zamaz-image/boot.catalog
Opening /build/zamaz-image/boot.flp
/dev/vn0: flags now=00000001
/dev/vn0: 0 bytes on /build/zamaz-image/boot.flp
/dev/vn0: flags now=00000001
Installing compressed kernel into /build/zamaz-image/boot.flp
Installing boot configuration files into /build/zamaz-image/boot.flp
/build/zamaz/loader.rc -> /mnt/boot/loader.rc
/build/zamaz-image/boot/boot0 -> /mnt/boot/boot0
/build/zamaz-image/boot/loader.4th -> /mnt/boot/loader.4th
Removing mfsroot.gz (sysinstall loader) from /build/zamaz-image/boot.flp
/mnt/mfsroot.gz
Closing /build/zamaz-image/boot.flp
Creating ISO image
Warning: creating filesystem that does not conform to ISO-9660.
Using MAIL000.;1 for zamaz-image/usr/bin/Mail (mail)
Using CC000.;1 for zamaz-image/usr/bin/CC (cc)
Using POD000 for zamaz-image/usr/libdata/perl/5.00503/pod (Pod)
Using GMT_0000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+0 (GMT-0)
Using GMT_1000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+1 (GMT-1)
Using GMT_2000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+2 (GMT-2)
Using GMT_3000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+3 (GMT-3)
Using GMT_4000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+4 (GMT-4)
Using GMT_5000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+5 (GMT-5)
Using GMT_6000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+6 (GMT-6)
Using GMT_7000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+7 (GMT-7)
Using GMT_8000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+8 (GMT-8)
Using GMT_9000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+9 (GMT-9)
Using GMT_10000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+10 (GMT-10)
Using GMT_11000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+11 (GMT-11)
Using GMT_12000.;1 for zamaz-image/usr/share/zoneinfo/Etc/GMT+12 (GMT-12)
Size of boot image is 5760 sectors -> Emulating a 2.88 meg floppy
10.25% done, estimate finish Wed Mar 20 08:38:04 2002
20.53% done, estimate finish Wed Mar 20 08:38:14 2002
30.78% done, estimate finish Wed Mar 20 08:38:17 2002
41.02% done, estimate finish Wed Mar 20 08:38:21 2002
51.27% done, estimate finish Wed Mar 20 08:38:18 2002
61.52% done, estimate finish Wed Mar 20 08:38:24 2002
71.78% done, estimate finish Wed Mar 20 08:38:24 2002
82.03% done, estimate finish Wed Mar 20 08:38:21 2002
92.28% done, estimate finish Wed Mar 20 08:38:27 2002
Total translation table size: 2048
Total rockridge attributes bytes: 689050
Total directory bytes: 2064384
Path table size(bytes): 11170
Max brk space used 49c000
48768 extents written (95 Mb)
Created ISO image zamaz.iso
root@ultana:/build> ls
4.5-RELEASE/ mkimage.txt zamaz-image/
mkfirewall.sh* zamaz/ zamaz.iso
root@ultana:/build> ls 4.5-RELEASE
.cshrc dev/ lib/ modules/ sys@
.profile etc/ libdata/ proc/ tmp/
COPYRIGHT include/ libexec/ root/ usr/
bin/ info/ man/ sbin/ var/
boot/ kernel.GENERIC* mnt/ share/
root@ultana:/build> ls zamaz-image
.cshrc boot.flp lib/ proc/ usr/
.profile conf/ libdata/ root/ var/
COPYRIGHT dev/ libexec/ sbin/
bin/ etc/ man/ share/
boot/ include/ mnt/ sys@
boot.catalog info/ modules/ tmp/
root@ultana:/build>
root@ultana:/build> cat ./mkfirewall.sh
#!/bin/sh
##############################################################################
#
# This script generates a bootable ISO image named ${LOCAL_NAME}.iso
# for burning to CD-ROM. It copies site-specific configuration information
# from the specified directory into the image working directory before the
# ISO image itself is created. It also handles the process of making the
# ISO image bootable.
#
#
# READ THIS SECTION BEFORE RUNNING THIS SCRIPT.
#
#
# User configurable settings:
#
# LOCAL_SRC - FreeBSD source tree directory name
# LOCAL_NAME - Machine/network name
# IMAGE_NAME - Localized temp working directory name based upon LOCAL_NAME
# IMAGE_ROOT - Build directory containing IMAGE_SRC, IMAGE_DST, IMAGE_CFG
#
# LOCAL_SRC contains the FreeBSD source tree installed from sysinstall
# and will be used as the 'master' to create new localized trees to be
# burned as ISO images to CD-ROM.
# LOCAL_NAME is the directory name, usually of the machine or network
# for which this CD-ROM is being created where the site specific
# configuration is stored. For example if a machine named 'firewall' is
# being setup as a bootable CD-ROM all of it's /etc/rc.* scripts will be
# placed here. Prior to running this script the user must create and
# populate this directory.
# IMAGE_NAME is the working directory containing the ISO image source.
# Machine specific configuration files copied from LOCAL_NAME will end
# put being placed here before the ISO image is created.
# IMAGE_NAME is created and populated by this script.
# IMAGE_ROOT is where LOCAL_SRC, LOCAL_NAME, and IMAGE_NAME reside.
#
# These are generally NOT user configurable:
# IMAGE_CFG, IMAGE_SRC, IMAGE_DST
#
# Examples:
# LOCAL_SRC = 4.5-RELEASE
# LOCAL_NAME = firewall
# IMAGE_NAME = firewall-image
# IMAGE_ROOT = /build
# IMAGE_CFG = /build/firewall
# IMAGE_SRC = /build/4.5-RELEASE
# IMAGE_DST = /build/firewall-image
#
#
# The following steps are REQUIRED before running this script.
#
# mkisofs is required to create an ISO image, install it from /usr/ports
#
# The kernel of the machine this script is running on must have been
# compiled with the following option enabled:
# pseudo-device vn # Vnode driver (turns a file into a device)
#
# After rebuilding the kernel reboot.
#
# Build the bootable CD-ROM kernel with the MFS and NULLFS options.
# Do not run 'make install', instead copy the new kernel into your
# IMAGE_CFG directory.
# MFS, NULLFS are the only requirements for booting from CD-ROM.
# The other options are for IPSec and IPFilter (ipf & ipnat) support.
# options CD9660 #ISO 9660 Filesystem
# options CD9660_ROOT #CD-ROM usable as root, CD9660 required
# options ROOTDEVNAME=\"cd9660:acd0c\"
# options MFS # Memory File System
# options NULLFS # nullfs to map /var/tmp to /tmp
# options IPFILTER #ipfilter support
# options IPFILTER_LOG #ipfilter logging
# options IPFILTER_DEFAULT_BLOCK #block all packets by default
# options IPSEC #IP security
# options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
#
# Retrieve the following files from the FreeBSD distribution CD and place
# them into the IMAGE_CFG directory:
# /dist/floppies/boot.flp
# /dist/floppies/boot.catalog
# Example:
# $ mount_cd9660 -r /dev/acd0c /dist
# $ cp /dist/floppies/boot.flp $IMAGE_CFG
# $ cp /dist/floppies/boot.catalog $IMAGE_CFG
# $ umount /dist
#
# In the IMAGE_CFG directory create a file named 'loader.rc' containing:
# echo \007\007
# autoboot 0
#
# (This prevents sysinstall from running at boot time, and will boot without
# prompting for a kernel)
#
# In the IMAGE_CFG directory create a file named 'tar-exclude' containing:
# usr/games
# usr/include
# usr/obj
# usr/ports
# usr/share/man
# usr/src
# var
#
# (This prevents the copy from IMAGE_SRC to IMAGE_DST from copying the
# above unnecessary directories)
#
# Copy IMAGE_SRC/etc/rc.diskless1 to the IMAGE_CFG directory renaming it to
# be rc.early (this has the effect of using /etc/rc to setup /var and
# /etc in a very similiar (if not exact) manner to how it is done in
# the BOOTP scenario).
#
# Add any other config files to the IMAGE_CFG directory as required for
# your distribution
#
# For example IMAGE_CFG contains the following files before this script
# is invoked.
# boot.catalog
# boot.flp
# ipf.rules
# ipnat.rules
# loader.rc
# rc.conf
# rc.early
# tar-exclude
#
# Now run this script. You should end up with an ISO image ready for
# burning onto CD-ROM.
#
##############################################################################
##############################################################################
# Site specific user-configurable configuration
##############################################################################
#
# LOCAL_SRC - FreeBSD source tree directory name
# LOCAL_NAME - Machine/network name
# IMAGE_NAME - Localized temp working directory name based upon LOCAL_NAME
# IMAGE_ROOT - Build directory containing IMAGE_SRC, IMAGE_DST, IMAGE_CFG
#
LOCAL_SRC="4.5-RELEASE"
LOCAL_NAME="zamaz"
IMAGE_NAME="$LOCAL_NAME-image"
IMAGE_ROOT="/build"
##############################################################################
# Should not need to change anything below this line
##############################################################################
#
# IMAGE_CFG - Localized configuration path (to be installed into IMAGE_DST)
# IMAGE_SRC - FreeBSD source tree path
# IMAGE_DST - Generated ISO image source tree path
#
IMAGE_CFG="$IMAGE_ROOT/$LOCAL_NAME"
IMAGE_SRC="$IMAGE_ROOT/$LOCAL_SRC"
IMAGE_DST="$IMAGE_ROOT/$IMAGE_NAME"
echo ""
echo "Creating bootable CD-ROM image"
echo " Localized configuration path $IMAGE_CFG"
echo " FreeBSD source tree path $IMAGE_SRC"
echo " Generated ISO image source tree path $IMAGE_DST"
echo ""
# Create the image directory and populate it with a clean distribution tree
if [ ! -d $IMAGE_DST ]; then
echo "Creating image directory"
mkdir -v -p $IMAGE_DST
echo ""
echo "Copying FreeBSD source from $IMAGE_SRC to $IMAGE_DST"
tar -X $IMAGE_CFG/tar-exclude -cf - -C $IMAGE_SRC . | tar xpf - -C $IMAGE_DST
else
echo "Preserving image directory $IMAGE_DST"
fi
echo ""
# Copy localized /etc configuration files to the new image
echo "Installing localized config files"
cp -v $IMAGE_CFG/rc.* $IMAGE_DST/etc
cp -v $IMAGE_CFG/*.rules $IMAGE_DST/etc
echo ""
echo "Installing $IMAGE_CFG/namedb to $IMAGE_DST/etc"
cp -R -p -v $IMAGE_CFG/namedb $IMAGE_DST/etc
echo ""
# Create an empty /etc/fstab so filesystems are not mounted on boot
echo "Clearing /etc/fstab"
rm -f $IMAGE_DST/etc/fstab
touch $IMAGE_DST/etc/fstab
echo ""
# Create static /etc source in /conf/default/etc
# rc.diskless1 will overwrite /etc/* with /conf/default/etc/* on boot
STATIC_ETC="$IMAGE_DST/conf/default"
if [ ! -d $IMAGE_DST/$STATIC_ETC ]; then
echo "Creating static etc directory $STATIC_ETC"
mkdir -v -p $STATIC_ETC
echo ""
echo "Copying $IMAGE_DST/etc to $STATIC_ETC"
cp -R -p $IMAGE_DST/etc $STATIC_ETC
else
echo "Preserving default etc directory $STATIC_ETC"
fi
echo ""
# Remove unused /kernel.GENERIC from the new image
echo "Removing $IMAGE_DST/kernel.GENERIC"
rm -v $IMAGE_DST/kernel.GENERIC
echo ""
# Create a mount point for /etc/mtree/BSD.var.dist to unpack to
# after /var is mounted as a memory filesystem
echo "Creating /var"
mkdir -v $IMAGE_DST/var
chmod 755 $IMAGE_DST/var
chown root:wheel $IMAGE_DST/var
echo ""
# Copy boot.flp and boot.catalog to / on the new image
echo "Installing boot images"
cp -v $IMAGE_CFG/boot.flp $IMAGE_DST
cp -v $IMAGE_CFG/boot.catalog $IMAGE_DST
echo ""
# Mount boot.flp and install a new kernel and boot configuation
echo "Opening $IMAGE_DST/boot.flp"
vnconfig -v -s labels -c vn0 $IMAGE_DST/boot.flp
mount /dev/vn0 /mnt
echo ""
# Copy a gzipped kernel into boot.flp
echo "Installing compressed kernel into $IMAGE_DST/boot.flp"
if [ ! -f $IMAGE_CFG/kernel ]; then
echo ""
echo "Copy custom compiled CD-ROM kernel to $IMAGE_DST"
exit 1
else
cat $IMAGE_CFG/kernel | gzip -9 > /mnt/kernel.gz
fi
echo ""
# Copy a new loader configuration into boot.flp
echo "Installing boot configuration files into $IMAGE_DST/boot.flp"
cp -v $IMAGE_CFG/loader.rc /mnt/boot/loader.rc
cp -v $IMAGE_DST/boot/boot0 /mnt/boot
cp -v $IMAGE_DST/boot/loader.4th /mnt/boot
echo ""
# Remove mfsroot.gz to prevent /stand/sysinstall from running at boot time
echo "Removing mfsroot.gz (sysinstall loader) from $IMAGE_DST/boot.flp"
rm -v /mnt/mfsroot.gz
echo ""
# Done modifying boot.flp, close it
echo "Closing $IMAGE_DST/boot.flp"
umount /mnt
vnconfig -u vn0
echo ""
# Create the ISO image itself
echo "Creating ISO image"
mkisofs -l -r -L -o ${LOCAL_NAME}.iso -b boot.flp -c boot.catalog $IMAGE_NAME
echo ""
echo ""
echo "Created ISO image ${LOCAL_NAME}.iso"
echo ""
root@ultana:/build> ls
4.5-RELEASE/ mkimage.txt zamaz-image/
mkfirewall.sh* zamaz/ zamaz.iso
root@ultana:/build> exit
Script done on Wed Mar 20 08:41:46 2002
</PLAINTEXT>
<!-- These are bonus tags, provided at no extra charge, for users of special browsers -->
</BODY>
</HTML>
]]></plaintext></body>