SunScreen EFS Release 3.0 Reference Manual

Standard Services

SunScreen EFS 3.0 is shipped with a number of predefined network services. The following table lists the services in SunScreen EFS 3.0, along with the state engine and discriminator (port, RPC program number, or type) for each service. Parameters (state engine modifiers, such as timeouts) and BROADCAST are indicated where applicable.

Service information is stored in the common object registry. See the "add service" command in the configuration editor.

| Service | State Engine (forward filtering) | Discriminator | State Engine (reverse filtering) | Discriminator |
|---|---|---|---|---|
| echo | tcp | port 7 | | |
| discard | tcp | port 9 | | |
| systat | tcp | port 11 | | |
| daytime | tcp | port 13 | | |
| quote | tcp | port 17 | | |
| chargen | tcp | port 19 | | |
| ftp | ftp | port 21 | | |
| telnet | tcp | port 23 | | |
| smtp | tcp | port 25 | | |
| time | tcp | port 37 | | |
| whois | tcp | port 43 | | |
| nicname | tcp | port 43 | | |
| dns | tcp | port 53 | | |
| | dns | port 53 | | |
| tftp | udp | port 69; parameters (60 -1 7) | | |
| gopher | tcp | port 70 | | |
| finger | tcp | port 79 | | |
| www | tcp | port 80 | | |
| pop | tcp | ports 109-110 | | |
| auth | tcp | port 113 | | |
| ntp | udp | port 123 | | |
| nntp | tcp | port 119 | | |
| snmp | tcp | port 161 | | |
| | udp | port 161 | | |
| snmp traps | udp_datagram | port 162 | | |
| rlogin | tcp | port 513 | | |
| rsh | rsh | port 514 | | |
| syslog | udp_datagram | port 514 | | |
| printer | tcp | port 515 | | |
| rip | udp_datagram | port 520; port 520 (BROADCAST) | | |
| sqlnet | sqlnet | port 1521 | | |
| archie | udp | port 1525; parameters (360 -1 0) | | |
| certificate discovery | udp | port 1640; parameters (60 1 1) | | |
| remote administration | tcp | ports 3852-3853 | | |
| SecurID PIN | tcp | port 3855 | | |
| HA administration | tcp | port 3856 | | |
| HA heartbeat | ping | port 8 | | |
| HA | tcp | port 3856 | | |
| securid | udp | port 5500 | | |
| securidprop | tcp | port 5510 | | |
| real audio | realaudio | port 7070 | | |
| traceroute | udp_datagram | ports 33430-34000 | icmp | type 11 |
| | | | icmp | type 3 |
| icmp echo-reply | icmp | type 0 | | |
| icmp unreach | icmp | type 3 | | |
| icmp quench | icmp | type 4 | | |
| icmp redirect | icmp | type 5 | | |
| icmp echo-request | icmp | type 8 | | |
| router announcement | icmp | type 9; type 9 (BROADCAST) | | |
| router solicitation | icmp | type 10; type 10 (BROADCAST) | | |
| icmp exceeded | icmp | type 11 | | |
| icmp params | icmp | type 12 | | |
| icmp info | icmp | types 13 14 15 16 17 18 | | |
| ping | ping | port 8 | | |
| router discovery | icmp | type 10; type 10 (BROADCAST) | icmp | type 9; type 9 (BROADCAST) |
| rstat | rpc_udp | prgm no. 100001 | | |
| | pmap_udp | prgm no. 100001 | | |
| rusers | rpc_udp | prgm no. 100002 | | |
| | pmap_udp | prgm no. 100002 | | |
| nfs prog | pmap_udp | prgm no. 100003 | | |
| | udp | port 2049 | | |
| | tcp | port 2049 | | |
| nfs readonly prog | pmap_udp | prgm no. 100003 | | |
| | nfsro | port 2049 | | |
| ypserv | nis | port 100004 | | |
| | pmap_nis | prgm no. 100004 | | |
| | pmap_nis | prgm no. 100004 (BROADCAST) | | |
| mountd | rpc_udp | prgm no. 100005 | | |
| | pmap_udp | prgm no. 100005 | | |
| ypbind | rpc_udp | prgm no. 100007 | | |
| | pmap_udp | prgm no. 100007 | | |
| wall | rpc_udp | prgm no. 100008 | | |
| | pmap_udp | prgm no. 100008 | | |
| yppasswd | rpc_udp | prgm no. 100009 | | |
| | pmap_udp | prgm no. 100009 | | |
| rquota | rpc_udp | prgm no. 100011 | | |
| | pmap_udp | prgm no. 100011 | | |
| spray | rpc_udp | prgm no. 100012 | | |
| | pmap_udp | prgm no. 100012 | | |
| rex | rpc_udp | prgm no. 100017 | | |
| | pmap_udp | prgm no. 100017 | | |
| klm | rpc_udp | prgm no. 100020 | | |
| | pmap_udp | prgm no. 100020 | | |
| nlm | rpc_udp | prgm no. 100021 | rpc_udp | prgm no. 100021 |
| | pmap_udp | prgm no. 100021 | pmap_udp | prgm no. 100021 |
| status | rpc_udp | prgm no. 100024 | | |
| | pmap_udp | prgm no. 100024 | | |
| ypupdate | rpc_udp | prgm no. 100028 | | |
| | pmap_udp | prgm no. 100028 | | |
| nfs acl | rpc_udp | prgm no. 100227 | | |
| | pmap_udp | prgm no. 100227 | | |
| ospf | ip | type 89 (BROADCAST) | | |
| skip | iptunnel | type 57; type 79 | | |
| icmp all | icmp | | | |
| | | * (BROADCAST) | | |
| ip all | ip | | | |
| ip mobile | ipmobile | | | |
| ip tunnel | iptunnel | | | |
| ip forward | ipfwd | | | |
| udp all | udpall | | | |
| tcp all | tcpall | ports 0-3850; ports 3854-65535 | | |
| rpc all | rpc_udp | | | |
| rpc tcp all | rpc_tcp | | | |
| pmap udp all | pmap_udp | * (BROADCAST) | | |
| pmap tcp all | pmap_tcp | | | |
| X11 | tcp | ports 6000-6063 | | |
| pcnfsd | pmap_tcp | prgm no. 150001 | | |
| | pmap_udp | prgm no. 150001 | | |
| | rpc_tcp | prgm no. 150001 | | |
| | rpc_udp | prgm no. 150001 | | |
| automount | pmap_tcp | prgm no. 300019 | | |
| | pmap_udp | prgm no. 300019 | | |
| | rpc_tcp | prgm no. 300019 | | |
| | rpc_udp | prgm no. 300019 | | |
| ypxfrd | pmap_tcp | prgm no. 100069 | | |
| | pmap_udp | prgm no. 100069 | | |
| | rpc_tcp | prgm no. 100069 | | |
| | rpc_udp | prgm no. 100069 | | |
| exec | tcp | prgm no. 512 | | |
| wais | tcp | port 210 | | |
| uucp | tcp | port 540 | | |
| irc | tcp | port 6670 | | |
| | tcp | port 6680 | | |
| VDOLive | tcp | port 7000 | udp | port 32649 |
| | tcp | port 7010 | | |
| CU See Me | udp_datagram | ports 7648-7652 | | |
| Vosaic | tcp | port 1235 | udp_datagram | ports 61801-61820 |
| | | | udp_datagram | ports 20000-20020 |
| StreamWorks | udp_datagram | port 1558 | udp_datagram | port 1558 |
| CoolTalk | tcp | ports 6499-6500 | udp_datagram | port 13000 |
| | udp_datagram | port 13000 | | |
| Backweb | udp | port 370; parameters (60 0 3) | | |
| radius | udp | port 1645 | | |
| ssl | tcp | port 443 | | |
| who | udp_datagram | port 513 (BROADCAST) | | |
| netstat | tcp | port 15 | | |
| biff | udp_datagram | port 512 (BROADCAST) | | |
| bootp | udp | port 67 (BROADCAST); parameters (60 0 3) | | |
| kerberos | udp | port 88 | | |
| ntp-tcp | tcp | port 123 | | |
| netbios name | udp | port 137 | | |
| netbios datagram | udp_datagram | port 138 | | |
| netbios session | tcp | port 139 | | |
| lpd | tcp | port 2766 | | |
| echo-udp | udp | port 7 | | |
| discard-udp | udp | port 9 | | |
| time-udp | udp | port 37 | | |
| daytime-udp | udp | port 13 | | |
| tcp-high-ports | tcp | ports 1024-65535 | | |
| udp-high-ports | udp | ports 1024-65535 | | |

ftp Service

The File Transfer Protocol (FTP) is used to copy files from one system to another. FTP is designed to work between hosts using different file structures and character sets.

SunScreen EFS 3.0 contains an ftp state engine to screen the FTP data connection. You specify the number for the FTP control port; the number for the FTP data port is one less than the FTP control port number. The predefined FTP service definition, ftp, uses the standard FTP control port number (21) and data connection port number (20).

FTP control connections time out after a period of inactivity. The FTP server typically closes the connection before this inactivity timeout occurs; however, if the timeout period elapses, the quit command can take 60 seconds or more to complete. During this time, FTP packets may be logged.

The ftp service supports both PASV and standard FTP connections. By default, the ftp service verifies that the FTP data port is 20 for standard FTP connections. To communicate with FTP servers that do not use port 20 for the data port, modify the ftp service definition to set its three parameters to: 600 600 1. The first parameter is the control session timeout (600 seconds). The second parameter is the data session timeout (600 seconds). The third parameter is a flag; a value of 1 specifies that the system will not verify that the FTP data port is 20.

Note that this does not affect PASV FTP sessions, because they never use port 20 for the data connection.
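As an added illustration (not code from this manual or from SunScreen), the following Python models how the ftp state engine described above treats one session: the parameter string from the service table is parsed into its three values, a standard-mode data connection is checked against the control port minus one unless the third parameter is 1, a PASV data connection is never checked, and idle time at or beyond the control timeout ends the session. The event names and the `screen_ftp_session` helper are this example's own invention.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FtpService:
    control_port: int = 21        # predefined ftp service: control port 21, data port 20
    control_timeout: int = 600    # parameter 1: idle seconds before the control session expires
    data_timeout: int = 600       # parameter 2: idle seconds before a data session expires
    verify_data_port: bool = True # parameter 3 set to 1 turns this verification off

    @property
    def data_port(self):
        return self.control_port - 1   # the data port is always one less than the control port

def parse_ftp_parameters(text, control_port=21):
    # Build a service from the "parameters" string used in the service table, e.g. "600 600 1"
    ctl, data, flag = (int(x) for x in text.split())
    if flag not in (0, 1):
        raise ValueError("third ftp parameter must be 0 or 1")
    return FtpService(control_port, ctl, data, verify_data_port=(flag == 0))

def screen_ftp_session(svc, events):
    """Decide each event of one FTP session as the ftp engine is described:
    standard-mode data connections come from the server's data port and are
    verified unless disabled, PASV data connections go to a server-announced
    port and are never verified, and idle time at or beyond the control
    timeout ends the session so later data connections are dropped."""
    decisions, control_alive = [], True
    for kind, arg in events:
        if not control_alive:
            decisions.append("drop: control session expired")
        elif kind == "idle":                 # arg = seconds without control traffic
            control_alive = arg < svc.control_timeout
            decisions.append("ok" if control_alive else "timeout")
        elif kind == "active_data":          # arg = server's source port for the data connection
            ok = not svc.verify_data_port or arg == svc.data_port
            decisions.append("allow" if ok else f"deny: data port {arg} != {svc.data_port}")
        elif kind == "pasv_data":            # arg = port the server announced in its PASV reply
            decisions.append("allow")
        else:
            raise ValueError(f"unknown event {kind}")
    return decisions
```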

traceroute Service

The traceroute service entry assumes that the UDP ports being used for traceroute are in the range of 33430-34000. If implementations of traceroute at your site use other ports, modify the port range as appropriate.

ip Services

The ip all service is provided for backward compatibility with previous SunScreen products. You can achieve better performance by using either the ip forward (for IP traffic in one direction) or the ip tunnel (for IP traffic in both directions) services instead. For example:


(old way using ip all)
"ip all" host1 host2 allow
"ip all" host2 host1 allow

(new way using ip tunnel)
"ip tunnel" host1 host2 allow

The ip mobile service is provided for use with mobile, remote clients. Like the ip tunnel service, ip mobile passes all IP traffic between a pair of addresses. Unlike the ip tunnel service, however, a rule specifying ip mobile forces the first connection to be made from the mobile client (a system with one of the addresses in Source Address).

Generally, ip mobile is used for SKIP-encrypted connections with the SKIP identity providing the authentication and access control. For example:

"ip mobile" Internet Mailhost SKIP-VERSION2

SunScreen EFS 3.0 can filter IP packets by IP protocol type alone. This is useful in special situations such as passing non-TCP/UDP protocols or when data are being encrypted.

If you want a Screen to pass IP packets by protocol type, you define a new service using either the ip, ip tunnel, ip mobile, or ip fwd state engine. Specify the protocol of the packets you wish to pass in decimal notation. If you specify "*" for the protocol, the service will pass all IP packets regardless of protocol type.

There are several predefined services included, such as skip (IP protocols 79 and 57), ip tunnel, ip mobile, and ip fwd.


Caution -

Using one of the state engines with a protocol specification of "*" (any protocol) can be dangerous, since any traffic would be allowable. State engines should only be used in special cases or if the data are part of an encrypted tunnel.


Note that the predefined IP services do not pass broadcast traffic. If you want to pass broadcast traffic, you must define a new service or add broadcast to the predefined service.

VDOLive Service

The VDOLive service definition requires that the VDOLive clients be set to use a fixed port, which is port 32649 by default. You can modify the service definitions so that VDOLive will use another port.

CoolTalk Service

The CoolTalk service definition allows calls to be initiated but does not allow calls to be received. To receive calls, define a second rule with the addresses reversed. For example:


CoolTalk joe sam allow
CoolTalk sam joe allow

nfs readonly Service

The nfs readonly service allows read-only access to the NFSv3.0 file system. Read-related functions, such as lookup, read, and access, are allowed. Functions that are not read-related, such as rename and write, are blocked; such traffic is not permitted to pass under an nfs readonly rule.

smtp (Electronic Mail) Service

Simple Mail Transfer Protocol (SMTP) is used to send electronic mail between two message transfer agents using TCP. SunScreen EFS 3.0 includes a predefined service definition, smtp, to send and receive SMTP mail on TCP port 25.

www (World-Wide-Web Access) Service

The World Wide Web provides a graphical user interface that lets users browse a global network of services and documents. SunScreen EFS 3.0 contains a predefined service definition for WWW that passes TCP connections on port 80.

Not all WWW services on the Internet use port 80; many reside on ports with other numbers, such as 8000 or 8080. If you only allow outbound WWW access under the www service entry, users will not be able to connect to all WWW resources. To compensate, you can define a new TCP service that enumerates additional nonstandard WWW ports you want to allow, or you can allow TCP access to all ports outbound using the default service.


Caution -

Do not use the tcp all service to enable inbound www access to your public Web servers. This opens up a large security hole and allows outside users access to any TCP service on your machines. Instead, since you know which port your Web server uses (generally 80), you should use a more restrictive service rule, such as the www service definition.


dns Service

DNS traffic consists of both UDP and TCP traffic. SunScreen EFS 3.0 includes a state engine to handle the UDP DNS protocol. TCP DNS is handled through the normal TCP state engine. To screen DNS traffic, use the predefined dns service.

rip Service

The Routing Information Protocol (RIP) is a dynamic routing protocol commonly used by Internet routers. RIP messages are carried in UDP datagrams. SunScreen EFS 3.0 includes a predefined service (rip) for passing RIP packets using the udp_datagram state engine with broadcast enabled. This means that a rule allows RIP packets (including broadcasts) from source to destination.

It is usually sufficient to enable RIP in the default rule that passes RIP from the routers to all other addresses. This lets SunScreen EFS 3.0 send and receive RIP packets without restriction. If you want to restrict RIP traffic, do not enable RIP using the default access rules; instead, define rules for RIP based on your security policy.


| Service | Source | Destination | Action |
|---|---|---|---|
| route | routers | * | allow |
| route | * | routers | allow |

sqlnet Services

SunScreen EFS 3.0 contains an sqlnet state engine to screen the Oracle SQL*Net protocol. SQL*Net is Oracle's remote data access protocol that enables client-server and server-server communications across networks.

An Oracle client connects to the server using the port address of the listener, which is normally defined as TCP port 1521 during Oracle installation. The sqlnet service is defined as using TCP port 1521. If Oracle is installed using a different port for the listener, you can modify the service definition for the sqlnet service accordingly.

SQL*Net connections are established in two ways. In the first, an Oracle client connects to the listener on TCP port 1521, and the connection is established with the listener process itself. In the second, used with Oracle multi-threaded servers and pre-spawned server processes, the client connects to the listener on TCP port 1521, the listener issues a redirect message back to the client containing an IP address and port number, and the client then connects to that redirected IP address and port.

SunScreen EFS 3.0 supports both types of SQL*Net connections.

realaudio Services

SunScreen EFS 3.0 contains a service definition to handle RealAudio(TM) sessions. To screen RealAudio traffic, use the realaudio service.

icmp Services

SunScreen EFS 3.0 includes predefined services for screening ICMP packets such as ping. These services use the icmp state engine and allow ICMP ping request-and-response exchanges between a Source and Destination system. Use the predefined service ping if you want to provide ping access.

You can use the icmp state engine to create other services to pass ICMP messages of a specific type. Most of the common ICMP packets have entries in the predefined services, as shown in the following table:


| Service | Source | Destination | Action |
|---|---|---|---|
| ping | Inside | Outside | allow |
| icmp-unreach | Outside | Inside | allow |

The above rules allow Inside machines to ping Outside machines, but block Outside machines from sending ping messages to Inside machines. They also allow ICMP unreachable packets to be sent from Outside machines to Inside machines. Note that the ping service allows packets in two directions (ping-request packets from Source to Destination and ping-response packets from Destination to Source), while the icmp-unreach service only allows packets to flow in one direction (from Source to Destination).

TCP Services

SunScreen EFS 3.0 screens TCP services by destination port numbers. Most common TCP services are already defined in the service entries supplied with SunScreen EFS 3.0.

If you need to define a new TCP service, define a new service entry specifying the tcp filter state machine. Specify the destination TCP port or ports of the service you wish to pass. If you specify "*" for the port, the service will pass all TCP services regardless of port. Note that some services, such as FTP and RSH, cannot be passed in this way since they are not simple TCP protocols; they make additional connections in the reverse direction. These services must be specified as separate services if you wish to pass them.

The tcp state engine times out unused and silent connections five hours after a connection has been established. Since some systems repeatedly retransmit until they receive an error about a terminated TCP connection, you should configure a rule using the tcp service to send an ICMP rejection message, especially on your internal interfaces.

For example, the following rule allows telnet connections to be made from Inside machines to Outside machines.


| Service | Source | Destination | Action |
|---|---|---|---|
| telnet | Inside | Outside | allow |

UDP Services

SunScreen EFS 3.0 contains several state engines to handle UDP protocols:

For all UDP engines, you define a new service entry specifying the well-known destination UDP port. Specifying port "*" passes all UDP traffic.

ntp Service

SunScreen EFS 3.0 contains a state engine to handle the NTP protocol. The source and destination UDP port numbers are fixed at port 123. To screen NTP traffic, use the ntp service. Broadcast NTP is not supported.

archie Service

SunScreen EFS 3.0 contains a service definition to handle the Archie UDP protocol. To screen Archie traffic, use the archie service.

rpc Service

SunScreen EFS 3.0 contains a state engine to handle the RPC protocols. This can safely screen RPC protocols, as long as they use the portmapper and do not use dynamic RPC program values.

To define a new RPC service, add a new service entry using both the rpc_udp and pmap_udp state engines. You specify the well-known RPC program of the RPC service you wish to pass. If you specify "*" for the RPC program, the service entry passes all RPC services, regardless of program.

Several well-known RPC services, such as NFS and NIS, have been defined to include all the RPC and non-RPC protocols that these systems require.

Some NFS clients use the lock manager. Since a lock manager makes connections in both directions (to the NFS server and from the NFS server), you may need to add an nlm rule in the reverse direction when you allow NFS access.


| Service | Source | Destination | Action |
|---|---|---|---|
| nfs | Inside | DMZ | allow |
| nlm | DMZ | Inside | allow |

Broadcast port mapping (NIS) is not supported for encrypted connections.
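The following Python is an added example, not SunScreen code, serving both the icmp rule table (ping versus icmp-unreach) and the nfs/nlm rule table in the rpc section: a toy model of forward and reverse filtering in which a rule matches its forward discriminator from Source to Destination, an engine modelled as stateful (ping and rpc_udp, an assumption of this example) lets the matching reply pass in the reverse direction on that state, and a one-way engine such as icmp for icmp-unreach does not. The service subset, the address-group names and the `Screen.filter` helper are this example's own; `nlm_demo` shows why the nlm rule from DMZ to Inside is needed.

```python
from collections import namedtuple
from dataclasses import dataclass, field
# ICMP types and RPC program numbers as listed in the service table
ECHO_REPLY, UNREACH, ECHO_REQUEST = 0, 3, 8
NFS_PROG, NLM_PROG = 100003, 100021
ANY = "*"

@dataclass(frozen=True)
class Service:
    engine: str
    forward: frozenset                # discriminators accepted Source -> Destination
    reverse: frozenset = frozenset()  # accepted Destination -> Source on an existing state
    stateful: bool = False            # a forward match records state so replies can pass

# Assumed subset of the predefined services: ping and rpc_udp modelled as stateful, icmp as one-way
SERVICES = {
    "ping":         Service("icmp", frozenset({ECHO_REQUEST}), frozenset({ECHO_REPLY}), True),
    "icmp-unreach": Service("icmp", frozenset({UNREACH})),
    "nfs":          Service("rpc_udp", frozenset({NFS_PROG}), frozenset({ANY}), True),
    "nlm":          Service("rpc_udp", frozenset({NLM_PROG}), frozenset({ANY}), True),
}
# proto = state engine family; src/dst = address-group names; value = icmp type or RPC program
Packet = namedtuple("Packet", "proto src dst value")

@dataclass
class Screen:
    rules: list                          # (service, Source, Destination) allow rules, in order
    state: set = field(default_factory=set)

    def filter(self, pkt):
        for name, src, dst in self.rules:
            svc = SERVICES[name]
            if svc.engine != pkt.proto:
                continue
            if (pkt.src, pkt.dst) == (src, dst) and pkt.value in svc.forward:
                if svc.stateful:
                    self.state.add((name, src, dst))
                return "allow"
            reply_ok = ANY in svc.reverse or pkt.value in svc.reverse
            if (pkt.src, pkt.dst) == (dst, src) and (name, src, dst) in self.state and reply_ok:
                return "allow"
        return "deny"

def icmp_demo():  # the icmp rule table: ping Inside -> Outside, icmp-unreach Outside -> Inside
    s = Screen([("ping", "Inside", "Outside"), ("icmp-unreach", "Outside", "Inside")])
    return [s.filter(Packet("icmp", "Inside", "Outside", ECHO_REQUEST)),  # allow
            s.filter(Packet("icmp", "Outside", "Inside", ECHO_REPLY)),    # allow: reply on state
            s.filter(Packet("icmp", "Outside", "Inside", ECHO_REQUEST)),  # deny: wrong direction
            s.filter(Packet("icmp", "Outside", "Inside", UNREACH)),       # allow
            s.filter(Packet("icmp", "Inside", "Outside", UNREACH))]       # deny: one-way service

def nlm_demo(with_nlm_rule):  # the rpc rule table: DMZ-initiated lock-manager call
    rules = [("nfs", "Inside", "DMZ")] + ([("nlm", "DMZ", "Inside")] if with_nlm_rule else [])
    return Screen(rules).filter(Packet("rpc_udp", "DMZ", "Inside", NLM_PROG))
```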