SunScreen EFS Release 3.0 Reference Manual

Routing and Stealth Modes

SunScreen EFS 3.0 supports two interface modes: routing mode and stealth mode.

Routing Mode

Routing-mode interfaces have IP addresses and perform IP routing. Routing mode requires that you connect each interface to a different network, each with its own network number.

All proxies are accessed through the Transmission Control Protocol (TCP), so the Screen must terminate TCP connections on an interface that has an IP address. Proxies therefore run only on systems configured in routing mode.

Stealth Mode

Stealth mode offers optional hardening of the OS, which removes packages and files from the Solaris operating system that SunScreen EFS 3.0 does not use. Stealth mode requires the Screen to partition a single network.

A stealth-mode firewall partitions an existing network and consequently does not require you to subnet that network. Stealth-mode interfaces have no IP addresses; they perform MAC-layer bridging instead of IP routing.

In stealth mode, SunScreen EFS 3.0 is similar to the SunScreen SPF-200 product; however, it differs from it in the following ways:

If you configure a network interface (that is, an /etc/hostname.interface_name file exists for it) and later set that interface to stealth mode, the Screen hangs when the configuration is activated. If this happens, you must reboot the Screen in single-user mode, remove the /etc/hostname.interface_name file (which unconfigures that interface), and reboot the Screen again.

If you accidentally misconfigure the system in this way, the following procedure restores proper operation:

  1. Type Control-C a few times during the boot to interrupt the hang and drop the machine into single-user mode.

  2. After typing your root password, remount the root partition read-write and list the hostname interface files in /etc:


    # mount -o remount /
    # ls /etc/hostname*
    /etc/hostname.hme0  /etc/hostname.qfe2
    

The qfe2 interface is the admin interface in this example; its file, /etc/hostname.qfe2, must stay.


Note -

Do not disturb the admin interface's file (/etc/hostname.qfe2 here). After the cleanup it must be the only hostname interface file left in the /etc directory.


As the listing shows, the problem is the presence of an hme0 interface file, /etc/hostname.hme0, for an interface that is set to stealth mode.

  3. Rename (or remove) the problem hostname interface file:


    # mv /etc/hostname.hme0 /etc/hostname.hme0.old
    

  4. Reboot the machine. The console transcript below shows the whole recovery on a Sun Ultra 5/10, from the interrupted boot through the reboot:


    Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 270MHz), No Keyboard
    OpenBoot 3.11, 128 MB memory installed, Serial #10411258.
    Ethernet address 8:0:20:9e:dc:fa, Host ID: 809edcfa.

    Rebooting with command: boot
    Boot device: disk:a  File and args: kadb
    kadb: kernel/sparcv9/unix
    Size: 314284+93248+121472 Bytes
    /platform/sun4u/kernel/sparcv9/unix loaded - 0xca000 bytes used
    SunOS Release 5.7 Version Generic 64-bit [UNIX(R) System V Release 4.0]
    Copyright (c) 1983-1998, Sun Microsystems, Inc.
    plumbing SunScreen network interfaces:^C
    INIT: Cannot create /var/adm/utmp or /var/adm/utmpx
    INIT: failed write of utmpx entry:"  "
    INIT: failed write of utmpx entry:"  "
    INIT: SINGLE USER MODE

    Type Ctrl-d to proceed with normal startup, (or give root password for
    system maintenance):
    Entering System Maintenance Mode

    May  5 17:10:04 su: 'su root' succeeded for root on /dev/syscon
    Sun Microsystems Inc.   SunOS 5.7       Generic October 1998
    # mount -o remount /
    # ls /etc/hostname*
    /etc/hostname.hme0  /etc/hostname.qfe2
    # mv /etc/hostname.hme0 /etc/hostname.hme0.old
    # ls /etc/hostname*
    /etc/hostname.hme0.old  /etc/hostname.qfe2
    # reboot
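The recovery above is done by hand, and the one thing that must not happen is renaming the admin interface's file along with the problem file. The following shell script is an added example, not part of the SunScreen EFS manual or the product: it packages the same steps as functions, adds a preflight check to run before activating a stealth-mode configuration (so the hang is avoided rather than recovered from), and refuses to rename anything if the named admin interface has no hostname file. It is written for the Bourne /sbin/sh you get at the single-user prompt on Solaris (backticks and expr rather than $(( ))). The interface names qfe2/hme0, the script name recover.sh and the directory argument are assumptions; the directory parameter exists so the logic can be rehearsed on a scratch copy before it is pointed at /etc.

```shell
#!/bin/sh
# Added example (not from the SunScreen manual). Helpers for the stealth-mode
# recovery: a preflight check and the single-user-mode cleanup, with the admin
# interface protected. Bourne-shell compatible. Interface names and the
# directory argument are assumptions; normally DIR is /etc.

# check_stealth_interfaces DIR IF...
# Prints the names of interfaces that still have a DIR/hostname.IF file
# although you intend to run them in stealth mode. Returns 1 if any exist,
# 0 if it is safe to activate the stealth configuration.
check_stealth_interfaces() {
    dir=$1
    shift
    bad=0
    for ifname in "$@"; do
        if [ -f "$dir/hostname.$ifname" ]; then
            echo "$ifname"
            bad=1
        fi
    done
    return $bad
}

# unplumb_stealth_interfaces DIR ADMIN_IF
# Renames every DIR/hostname.* file except the admin interface's to *.old,
# which is what the manual's mv does by hand. Prints the number renamed.
# Refuses (exit 2) if the admin interface file is missing, so a typo in the
# admin interface name cannot leave the Screen with no configured interface.
unplumb_stealth_interfaces() {
    dir=$1
    admin=$2
    if [ ! -f "$dir/hostname.$admin" ]; then
        echo "no $dir/hostname.$admin: check the admin interface name" 1>&2
        return 2
    fi
    count=0
    for f in "$dir"/hostname.*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.old) continue ;;                   # left over from an earlier pass
            "$dir/hostname.$admin") continue ;;  # never touch the admin interface
        esac
        mv "$f" "$f.old" || return 1
        count=`expr $count + 1`
    done
    echo "$count"
    return 0
}

# count_live_hostname_files DIR
# Number of hostname.* files that would still be plumbed at boot. After a
# successful recovery this must be exactly 1 (the admin interface).
count_live_hostname_files() {
    dir=$1
    count=0
    for f in "$dir"/hostname.*; do
        [ -f "$f" ] || continue
        case "$f" in *.old) continue ;; esac
        count=`expr $count + 1`
    done
    echo "$count"
}

# On the real Screen, at the single-user "#" prompt (assumed file name):
#   mount -o remount /
#   . ./recover.sh
#   unplumb_stealth_interfaces /etc qfe2 && reboot
# On a running Screen, before activating a stealth configuration that will
# use hme0 and hme1:
#   check_stealth_interfaces /etc hme0 hme1 && echo "ok to activate"
```

Run the preflight check on every Screen before activation; it prints the offending interface names and exits non-zero, which is far cheaper than a console session in single-user mode. The recovery function is idempotent: a second pass finds only *.old files and the admin file and renames nothing.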