SunScreen EFS Release 3.0 Reference Manual

More Details About Creating New Services

In most cases, the predefined SunScreen EFS 3.0 services provide all of the service definitions needed to create the rules. However, your particular environment may require a new Single Service of its own. A new single service can be defined easily using the list of protocol (state) engines provided.

A brief description of other services you may need to add or to modify for your environment follows:

IP Packets

SunScreen EFS 3.0 can filter IP packets by IP protocol type alone. This is useful in special situations such as passing non-TCP/UDP protocols or when data are being encrypted.

To pass IP packets by protocol type, you need to define a new service using either the ip, ip tunnel, ip mobile, or ip fwd state engine. Specify the protocol of the packets you wish to pass. Note that protocol is always specified in decimal notation. If you specify "*" for the protocol, this means to pass all IP packets regardless of protocol type.

There are several predefined services included, such as skip (IP protocols 79 and 57), ip tunnel, ip mobile, and ip fwd.


Caution -

Using one of the above state engines, especially with the protocol specified as "*" (any protocol), is very dangerous: the screen passes every packet of the matching protocol type without any per-connection state or port inspection. Use them only in special cases, or where the data are part of an encrypted tunnel.



Note -

The predefined IP services do not pass broadcast traffic. If you wish to pass broadcast traffic, you must define a new service or add broadcast to the predefined service.
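The following is an added example, not code from the SunScreen manual or product. It models an ip-engine service as nothing more than a set of decimal IP protocol numbers (or "*"), parses the IPv4 header of a raw packet to obtain the protocol field, and shows why the wildcard passes TCP and everything else. The service names other than skip, the addresses and every packet are constructed for illustration; only the limited-broadcast address is modelled for the broadcast check.

```python
# Added example (not SunScreen code): a model of an "ip" state-engine service
# that passes IPv4 packets by protocol number alone. The service names other
# than "skip", the addresses and every packet below are constructed.
import struct

# An ip-engine service is a set of decimal IP protocol numbers, or "*" for any.
SERVICES = {
    "skip": {57, 79},          # the protocol numbers the manual lists for skip
    "gre-only": {47},          # hypothetical service: GRE is IP protocol 47
    "ip-any": "*",             # the wildcard the manual's caution is about
}

LIMITED_BROADCAST = "255.255.255.255"
IPV4_HDR = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options


def build_ipv4(proto, src, dst, payload=b""):
    """Build a minimal IPv4 header plus payload (constructed test input)."""
    src_b = bytes(map(int, src.split(".")))
    dst_b = bytes(map(int, dst.split(".")))
    total_len = 20 + len(payload)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total_len, 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (proto, src, dst) from an IPv4 header; reject malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("inconsistent length fields")
    return proto, ".".join(map(str, src)), ".".join(map(str, dst))


def decide(service, pkt, pass_broadcast=False):
    """Apply one ip-engine service to a raw packet and return "accept" or "drop".

    Broadcast is dropped unless the service was defined with broadcast
    enabled, matching the manual's note that the predefined IP services do
    not pass broadcast traffic. Anything that fails to parse is dropped.
    """
    try:
        proto, _src, dst = parse_ipv4(pkt)
    except ValueError:
        return "drop"
    if dst == LIMITED_BROADCAST and not pass_broadcast:
        return "drop"
    allowed = SERVICES[service]
    if allowed == "*" or proto in allowed:
        return "accept"
    return "drop"


if __name__ == "__main__":
    for svc, proto in (("skip", 57), ("skip", 6), ("ip-any", 6)):
        pkt = build_ipv4(proto, "10.1.1.5", "192.0.2.10")
        print(f"{svc:8s} IP protocol {proto:3d}: {decide(svc, pkt)}")
```

Note how "ip-any" accepts protocol 6 (TCP): with the wildcard the screen no longer knows or cares what is inside the packet, which is the reason for the caution above.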


ICMP Packets

SunScreen EFS 3.0 provides predefined services for screening ICMP packets including ping.

These services are built upon the icmp state engine and allow ICMP ping request-and-response exchange to occur between a Source and Destination system. Use the predefined service ping if you want to provide ping access.

The icmp state engine can also be used to create other services to pass ICMP messages of a specific type. Most of the common ICMP packets have entries in the predefined services.

  Example:

    Service         Source     Destination    Action
    ping            Inside     Outside        accept
    icmp-unreach    Outside    Inside         accept

The above rules allow Inside machines to ping Outside machines, but not vice versa. They also allow ICMP unreachable packets to be sent from Outside machines to Inside machines. Note that the ping service allows packets in two directions (ping-request packets from Source to Destination and ping-response packets from Destination to Source), while the icmp-unreach service only allows packets to flow in one direction (from Source to Destination).
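The following is an added example, not code from the manual or the product. It models the direction handling just described: "ping" passes an echo request (ICMP type 8) from Source to Destination and the echo reply (type 0) back, while "icmp-unreach" passes destination-unreachable (type 3) in one direction only. The Inside and Outside address ranges are constructed, and the choice to admit a reply only after a matching request has been seen is this model's assumption about what the icmp state engine tracks.

```python
# Added example (not SunScreen code): a model of the direction handling of
# icmp-engine services. Address groups and packets are constructed; pairing a
# reply with a previously seen request is an assumption of this model.
import ipaddress

ECHO_REPLY, UNREACH, ECHO_REQUEST = 0, 3, 8

# Per service: ICMP types passed Source->Destination ("forward"), and the
# types passed back Destination->Source in answer to a forward packet.
ICMP_SERVICES = {
    "ping":         {"forward": {ECHO_REQUEST}, "reverse": {ECHO_REPLY}},
    "icmp-unreach": {"forward": {UNREACH},      "reverse": set()},
}

# Constructed address groups standing in for the manual's Inside and Outside.
GROUPS = {
    "Inside":  ipaddress.ip_network("10.0.0.0/8"),
    "Outside": ipaddress.ip_network("192.0.2.0/24"),
}

# The two rules from the manual's table: (service, source, destination, action).
RULES = [
    ("ping",         "Inside",  "Outside", "accept"),
    ("icmp-unreach", "Outside", "Inside",  "accept"),
]


def in_group(addr, name):
    return ipaddress.ip_address(addr) in GROUPS[name]


class IcmpEngine:
    def __init__(self, rules):
        self.rules = [r for r in rules if r[3] == "accept"]
        self.pending = set()   # outstanding echo requests: (src, dst, id, seq)

    def packet(self, src, dst, icmp_type, ident=0, seq=0):
        """Return "accept" or "drop" for one ICMP packet."""
        for service, s_grp, d_grp, _action in self.rules:
            spec = ICMP_SERVICES[service]
            # Forward direction: Source group -> Destination group.
            if in_group(src, s_grp) and in_group(dst, d_grp) \
                    and icmp_type in spec["forward"]:
                if icmp_type == ECHO_REQUEST:
                    self.pending.add((src, dst, ident, seq))
                return "accept"
            # Reverse direction: only the types the service pairs with a
            # forward packet, and only if that forward packet was seen.
            if in_group(src, d_grp) and in_group(dst, s_grp) \
                    and icmp_type in spec["reverse"]:
                key = (dst, src, ident, seq)
                if key in self.pending:
                    self.pending.discard(key)
                    return "accept"
        return "drop"


if __name__ == "__main__":
    engine = IcmpEngine(RULES)
    print("echo request  Inside->Outside:", engine.packet("10.1.2.3", "192.0.2.7", ECHO_REQUEST, 1, 1))
    print("echo reply    Outside->Inside:", engine.packet("192.0.2.7", "10.1.2.3", ECHO_REPLY, 1, 1))
    print("echo request  Outside->Inside:", engine.packet("192.0.2.7", "10.1.2.3", ECHO_REQUEST, 5, 1))
    print("unreachable   Outside->Inside:", engine.packet("192.0.2.7", "10.1.2.3", UNREACH))
    print("unreachable   Inside->Outside:", engine.packet("10.1.2.3", "192.0.2.7", UNREACH))
```

The one-way icmp-unreach rule has an empty reverse set, so nothing flows from Inside to Outside under it; the ping rule's reverse set is what lets the reply through, and only for a request that actually went out.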

TCP Services

SunScreen EFS 3.0 screens TCP services by TCP destination port. Most common TCP services have been predefined in the services entries supplied with SunScreen EFS 3.0.

If you need to define a new TCP service, define a new service entry specifying the tcp filter state engine. Specify the well-known destination TCP port(s) of the service you wish to pass. If you specify "*" for the port, this means to pass all TCP services regardless of port. Note that some services, such as FTP and RSH, cannot be passed in this way: they are not simple TCP protocols, because they open additional connections in the reverse direction. They must be specified as separate services if you wish to pass them.

The TCP state engine times out unused and silent connections. Currently, this time-out is set to five hours after the last packet on an established connection. Since some systems keep retransmitting on a terminated TCP connection until they receive some sort of error, you might wish to enable sending ICMP rejects for illegal TCP packets (packets that belong to no live connection and open no permitted one), especially on your internal interfaces.

  Example:

    Service    Source    Destination    Action
    telnet     Inside    Outside        normal

The above rule allows telnet connections to be made from Inside machines to Outside machines.
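The following is an added example, not code from the manual or the product. It models a tcp state engine holding connection state for the telnet rule above: a SYN from Inside opens a connection, packets in either direction refresh it, and a connection silent for five hours is forgotten, after which a late segment is either dropped or, with rejects enabled, answered with an error so the sender stops retransmitting. Group addresses, the packet timeline and the "reject" return value are constructed for the example.

```python
# Added example (not SunScreen code): a model of a tcp state engine with the
# five-hour idle timeout and the optional reject for illegal segments. Group
# addresses, the telnet rule and the packet timeline are constructed.
import ipaddress

IDLE_TIMEOUT = 5 * 60 * 60          # seconds, the figure the manual gives

GROUPS = {
    "Inside":  ipaddress.ip_network("10.0.0.0/8"),
    "Outside": ipaddress.ip_network("192.0.2.0/24"),
}
TCP_SERVICES = {"telnet": {23}, "tcp-any": "*"}    # destination ports, or "*"
RULES = [("telnet", "Inside", "Outside", "accept")]


class TcpEngine:
    def __init__(self, rules, send_rejects=False):
        self.rules = rules
        self.send_rejects = send_rejects
        self.conns = {}     # (src, sport, dst, dport) -> time of last packet

    def _new_allowed(self, src, dst, dport):
        """Does some rule permit a new connection src -> dst:dport?"""
        for service, s_grp, d_grp, action in self.rules:
            ports = TCP_SERVICES[service]
            if action == "accept" \
                    and ipaddress.ip_address(src) in GROUPS[s_grp] \
                    and ipaddress.ip_address(dst) in GROUPS[d_grp] \
                    and (ports == "*" or dport in ports):
                return True
        return False

    def packet(self, now, src, sport, dst, dport, flags):
        """Decide one segment seen at time `now`: "accept", "drop" or "reject"."""
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        for key in (fwd, rev):
            last = self.conns.get(key)
            if last is None:
                continue
            if now - last > IDLE_TIMEOUT:
                del self.conns[key]          # silent connection has timed out
                continue
            self.conns[key] = now            # any packet refreshes the timer
            return "accept"
        # Only a SYN without ACK may open a connection, and only via a rule.
        if "S" in flags and "A" not in flags and self._new_allowed(src, dst, dport):
            self.conns[fwd] = now
            return "accept"
        # Illegal segment: silently drop, or answer with an error so the peer
        # stops retransmitting (the ICMP reject option the manual mentions).
        return "reject" if self.send_rejects else "drop"


if __name__ == "__main__":
    engine = TcpEngine(RULES, send_rejects=True)
    timeline = [
        (0,      "10.0.0.5", 40000, "192.0.2.9", 23,    "S"),
        (1,      "192.0.2.9", 23,   "10.0.0.5",  40000, "SA"),
        (2,      "10.0.0.5", 40000, "192.0.2.9", 23,    "A"),
        (18003,  "10.0.0.5", 40000, "192.0.2.9", 23,    "PA"),   # 5h+1s later
        (18004,  "192.0.2.9", 50000, "10.0.0.5", 23,    "S"),    # Outside-initiated
    ]
    for t, *seg in timeline:
        print(f"t={t:6d} {seg[0]}:{seg[1]} -> {seg[2]}:{seg[3]} [{seg[4]}]: "
              f"{engine.packet(t, *seg)}")
```

With send_rejects left at False the late segment at t=18003 is simply discarded, which is the case where a peer that never sees an error may keep retransmitting.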

UDP Protocols

SunScreen EFS 3.0 contains several state engines to handle UDP protocols. They are:

With all of the UDP engines, you define a new service entry specifying the well-known destination UDP port. Specifying port "*" passes all UDP traffic.

NTP Traffic

SunScreen EFS 3.0 contains a state engine to handle the NTP protocol. The source and destination UDP port numbers are fixed at port 123. To screen NTP traffic, use the predefined service ntp.

Broadcast NTP is not supported.

Archie Traffic

SunScreen EFS 3.0 contains a service definition to handle the Archie UDP protocol. To screen Archie traffic, use the predefined service archie.

RPC Traffic

SunScreen EFS 3.0 contains a state engine to handle the RPC protocols. This can safely screen RPC protocols as long as they use the portmapper and do not use dynamic RPC program values.

If you need to define a new RPC service, define a new service entry using both the rpc_udp and pmap_udp state engines. You specify the well-known RPC program of the RPC service you wish to pass. If you specify "*" for the RPC program, this means it passes all RPC services regardless of program.

Several well-known RPC services such as NFS and NIS have been defined to include all the RPC and non-RPC protocols that these systems require.

Some NFS clients use the lock manager. Since a lock manager makes connections in both directions (to the NFS server and from the NFS server), you may need to use the "nlm" service when you allow NFS access.

  Example:

    Service    Source    Destination    Action
    nfs        Inside    DMZ            accept
    nlm        DMZ       Inside         accept

Broadcast port mapping (NIS) is not supported for encrypted connections.
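The following is an added example, not code from the manual or the product. It models how the pmap_udp and rpc_udp engines described above can work together: pmap_udp watches PMAPPROC_GETPORT calls to the portmapper (UDP port 111), lets through only calls for RPC programs the service names, and learns the server port from the matching reply; rpc_udp then passes UDP only to ports learned that way. The message layout follows ONC RPC and portmapper version 2 (RFC 1057, RFC 1833); the program numbers grouped under "nfs", the addresses, and the pinhole logic are this example's assumptions about how the two engines cooperate. A program that registers under a dynamic (unknown) program number never matches, so no port is ever opened for it, which is the limitation the text above describes.

```python
# Added example (not SunScreen code): a model of pmap_udp learning ports from
# portmapper GETPORT exchanges and rpc_udp honouring only those ports. Program
# sets, addresses and the cooperation between the engines are assumptions.
import struct

PMAP_PORT, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 111, 100000, 2, 3
CALL, REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0
IPPROTO_UDP = 17

# Well-known program numbers: 100003 is nfs and 100005 is mountd.
RPC_SERVICES = {
    "nfs": {100003, 100005},
    "rpc-any": "*",
}


def getport_call(xid, prog, vers, prot=IPPROTO_UDP):
    """Build a PMAPPROC_GETPORT call with AUTH_NULL cred and verf (constructed)."""
    hdr = struct.pack("!IIIIII", xid, CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack("!IIII", 0, 0, 0, 0)      # cred flavor/len, verf flavor/len
    return hdr + auth + struct.pack("!IIII", prog, vers, prot, 0)


def getport_reply(xid, port):
    """Build the accepted reply to a GETPORT call carrying `port` (constructed)."""
    return struct.pack("!IIIIIII", xid, REPLY, MSG_ACCEPTED, 0, 0, SUCCESS, port)


class RpcEngines:
    """pmap_udp watches port 111 and records pinholes; rpc_udp consults them."""

    def __init__(self, service):
        self.allowed = RPC_SERVICES[service]
        self.pending = {}       # (client, server, xid) -> (prog, vers)
        self.pinholes = set()   # (server, port) learned from accepted replies

    def _prog_ok(self, prog):
        return self.allowed == "*" or prog in self.allowed

    def udp(self, src, sport, dst, dport, payload):
        """Decide one UDP datagram: "accept" or "drop"."""
        if dport == PMAP_PORT:
            return self._pmap_call(src, dst, payload)
        if sport == PMAP_PORT:
            return self._pmap_reply(dst, src, payload)
        # rpc_udp: only ports learned for an allowed program are open.
        return "accept" if (dst, dport) in self.pinholes else "drop"

    def _pmap_call(self, client, server, payload):
        if len(payload) < 24:
            return "drop"
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!IIIIII", payload[:24])
        if (mtype, rpcvers, prog, vers, proc) != (CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
            return "drop"        # only GETPORT to the portmapper is modelled
        off = 24                 # skip cred and verf: flavor, length, padded body
        for _ in range(2):
            if len(payload) < off + 8:
                return "drop"
            _flavor, length = struct.unpack("!II", payload[off:off + 8])
            off += 8 + ((length + 3) & ~3)
        if len(payload) < off + 16:
            return "drop"
        t_prog, t_vers, t_prot, _port = struct.unpack("!IIII", payload[off:off + 16])
        if t_prot != IPPROTO_UDP or not self._prog_ok(t_prog):
            return "drop"        # unknown or dynamic program: learn nothing
        self.pending[(client, server, xid)] = (t_prog, t_vers)
        return "accept"

    def _pmap_reply(self, client, server, payload):
        if len(payload) < 20:
            return "drop"
        xid, mtype, stat, _flavor, vlen = struct.unpack("!IIIII", payload[:20])
        key = (client, server, xid)
        if key not in self.pending or mtype != REPLY or stat != MSG_ACCEPTED:
            return "drop"        # unsolicited or malformed reply
        off = 20 + ((vlen + 3) & ~3)
        if len(payload) < off + 8:
            return "drop"
        astat, port = struct.unpack("!II", payload[off:off + 8])
        self.pending.pop(key)
        if astat == SUCCESS and 0 < port < 65536:   # port 0: not registered
            self.pinholes.add((server, port))
        return "accept"


if __name__ == "__main__":
    eng = RpcEngines("nfs")
    client, server = "10.0.0.5", "172.16.0.2"     # constructed Inside and DMZ hosts
    print("GETPORT nfs   :", eng.udp(client, 700, server, 111, getport_call(0x1234, 100003, 3)))
    print("reply 2049    :", eng.udp(server, 111, client, 700, getport_reply(0x1234, 2049)))
    print("udp to 2049   :", eng.udp(client, 701, server, 2049, b"\x00" * 8))
    print("udp to 2050   :", eng.udp(client, 701, server, 2050, b"\x00" * 8))
    print("GETPORT 300000:", eng.udp(client, 702, server, 111, getport_call(0x1235, 300000, 1)))
```

Because the wildcard "*" service passes every GETPORT call, it also opens a pinhole for whatever port the reply names, so it carries the same kind of risk as the "*" protocol in the IP section.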