Standard Services
SunScreen EFS 3.0 is shipped with a number of predefined network services. The following table lists the services in SunScreen EFS 3.0, along with the state engine and discriminator (port, RPC program number, or type) for each service. Parameters (state engine modifiers, such as timeouts) and BROADCAST are indicated where applicable.
Service information is stored in the common object registry. See "add service" command in the configuration editor.
|
Service |
State Engine (forward filtering) |
Discriminator |
State Engine (reverse filtering) |
Discriminator |
|---|---|---|---|---|
|
echo |
tcp |
port 7 |
|
|
|
discard |
tcp |
port 9 |
|
|
|
systat |
tcp |
port 11 |
|
|
|
daytime |
tcp |
port 13 |
|
|
|
quote |
tcp |
port 17 |
|
|
|
chargen |
tcp |
port 19 |
|
|
|
ftp |
ftp |
port 21 |
|
|
|
telnet |
tcp |
port 23 |
|
|
|
smtp |
tcp |
port 25 |
|
|
|
time |
tcp |
port 37 |
|
|
|
whois |
tcp |
port 43 |
|
|
|
nicname |
tcp |
port 43 |
|
|
|
dns |
tcp |
port 53 |
|
|
|
|
dns |
port 53 |
|
|
|
tftp |
udp |
port 69 parameters (60 -1 7) |
|
|
|
gopher |
tcp |
port 70 |
|
|
|
finger |
tcp |
port 79 |
|
|
|
www |
tcp |
port 80 |
|
|
|
pop |
tcp |
ports 109-110 |
|
|
|
auth |
tcp |
port 113 |
|
|
|
ntp |
udp |
port 123 |
|
|
|
nntp |
tcp |
port 119 |
|
|
|
snmp |
tcp |
port 161 |
|
|
|
|
udp |
port 161 |
|
|
|
snmp traps |
udp_datagram |
port 162 |
|
|
|
rlogin |
tcp |
port 513 |
|
|
|
rsh |
rsh |
port 514 |
|
|
|
syslog |
udp_datagram |
port 514 |
|
|
|
printer |
tcp |
port 515 |
|
|
|
rip |
udp_datagram |
port 520 port 520 (BROADCAST) |
|
|
|
sqlnet |
sqlnet |
port 1521 |
|
|
|
archie |
udp |
port 1525 parameters (360 -1 0) |
|
|
|
certificate discovery |
udp |
port 1640 parameters (60 1 1) |
|
|
|
remote administration |
tcp |
ports 3852-3853 |
|
|
|
SecurID PIN |
tcp |
port 3855 |
|
|
|
HA administration |
tcp |
port 3856 |
|
|
|
HA heartbeat |
ping |
port 8 |
|
|
|
HA |
tcp |
port 3856 |
|
|
|
securid |
udp |
port 5500 |
|
|
|
securidprop |
tcp |
port 5510 |
|
|
|
real audio |
realaudio |
port 7070 |
|
|
|
traceroute |
udp_datagram |
ports 33430-34000 |
|
|
|
|
|
|
icmp |
type 11 |
|
|
|
|
icmp |
type 3 |
|
icmp echo-reply |
icmp |
type 0 |
|
|
|
icmp unreach |
icmp |
type 3 |
|
|
|
icmp quench |
icmp |
type 4 |
|
|
|
icmp redirect |
icmp |
type 5 |
|
|
|
icmp echo-request |
icmp |
type 8 |
|
|
|
router announcement |
icmp |
type 9 type 9 (BROADCAST) |
|
|
|
router solicitation |
icmp |
type 10 type 10 (BROADCAST) |
|
|
|
icmp exceeded |
icmp |
type 11 |
|
|
|
icmp params |
icmp |
type 12 |
|
|
|
icmp info |
icmp |
types 13 14 15 16 17 18 |
|
|
|
Servic |
State Engine (forward filtering |
Discriminato |
State Engine (reverse filtering |
Discriinator |
|---|---|---|---|---|
|
ping |
ping |
port 8 |
|
|
|
router discovery |
icmp |
type 10 |
|
|
|
|
|
type 10 (BROADCAST) |
icmp |
type 9 type 9 (BROADCAST) |
|
rstat |
rpc_udp |
prgm no. 100001 |
|
|
|
|
pmap_udp |
prgm no. 100001 |
|
|
|
rusers |
rpc_udp |
prgm no. 100002 |
|
|
|
|
pmap_udp |
prgm no. 100002 |
|
|
|
nfs prog |
pmap_udp |
prgm no. 100003 |
|
|
|
|
udp |
port 2049 |
|
|
|
|
tcp |
port 2049 |
|
|
|
nfs readonly prog |
pmap_udp |
prgm no. 100003 |
|
|
|
|
nfsro |
port 2049 |
|
|
|
ypserv |
nis |
port 100004 |
|
|
|
|
pmap_nis |
prgm no. 100004 |
|
|
|
|
pmap_nis |
prgm no. 100004 (BROADCAST) |
|
|
|
mountd |
rpc_udp |
prgm no. 100005 |
|
|
|
|
pmap_udp |
prgm no. 100005 |
|
|
|
ypbind |
rpc_udp |
prgm no. 100007 |
|
|
|
|
pmap_udp |
prgm no. 100007 |
|
|
|
wall |
rpc_udp |
prgm no. 100008 |
|
|
|
|
pmap_udp |
prgm no. 100008 |
|
|
|
yppasswd |
rpc_udp |
prgm no. 100009 |
|
|
|
|
pmap_udp |
prgm no. 100009 |
|
|
|
rquota |
rpc_udp |
prgm no. 100011 |
|
|
|
|
pmap_udp |
prgm no. 100011 |
|
|
|
spray |
rpc_udp |
prgm no. 100012 |
|
|
|
|
pmap_udp |
prgm no. 100012 |
|
|
|
rex |
rpc_udp |
prgm no. 100017 |
|
|
|
|
pmap_udp |
prgm no. 100017 |
|
|
|
klm |
rpc_udp |
prgm no. 100020 |
|
|
|
|
pmap_udp |
prgm no. 100020 |
|
|
|
nlm |
rpc_udp |
prgm no. 100021 |
|
|
|
|
pmap_udp |
prgm no. 100021 |
|
|
|
|
|
|
rpc_udp |
prgm no. 100021 |
|
|
|
|
pmap_udp |
prgm no. 100021 |
|
status |
rpc_udp |
prgm no. 100024 |
|
|
|
|
pmap_udp |
prgm no. 100024 |
|
|
|
ypupdate |
rpc_udp |
prgm no. 100028 |
|
|
|
|
pmap_udp |
prgm no. 100028 |
|
|
|
nfs acl |
rpc_udp |
prgm no. 100227 |
|
|
|
|
pmap_udp |
prgm no. 100227 |
|
|
|
ospf |
ip |
type 89 (BROADCAST) |
|
|
|
skip |
iptunnel |
type 57 |
|
|
|
|
|
type 79 |
|
|
|
icmp all |
icmp |
* |
|
|
|
|
|
* (BROADCAST) |
|
|
|
ip all |
ip |
* |
|
|
|
ip mobile |
ipmobile |
* |
|
|
|
ip tunnel3 |
iptunnel |
* |
|
|
|
ip forward |
ipfwd |
* |
|
|
|
udp all |
udpall |
* |
|
|
|
tcp all |
tcpall |
ports 0-3850 |
|
|
|
|
|
ports 3854-65535 |
|
|
|
rpc all |
rpc_udp |
* |
|
|
|
Service |
State Engine (forward filtering) |
Discriminator |
State Engine (reverse filtering) |
Discriminator |
|---|---|---|---|---|
|
rpc tcp all |
rpc_tcp |
* |
|
|
|
pmap udp all |
pmap_udp |
* (BROADCAST) |
|
|
|
pmap tcp all |
pmap_tcp |
* |
|
|
|
X11 |
tcp |
ports 6000-6063 |
|
|
|
pcnfsd |
pmap_tcp pmap_udp rpc_tcp rpc_udp |
prgm no. 150001 prgm no. 150001 prgm no. 150001 prgm no. 150001 |
|
|
|
automount |
pmap_tcp pmap_udp rpc_tcp rpc_udp |
prgm no. 300019 prgm no. 300019 prgm no. 300019 prgm no. 300019 |
|
|
|
ypxfrd |
pmap_tcp |
prgm no. 100069 |
|
|
|
|
pmap_udp |
prgm no. 100069 |
|
|
|
|
rpc_tcp |
prgm no. 100069 |
|
|
|
|
rpc_udp |
prgm no. 100069 |
|
|
|
exec |
tcp |
prgm no. 512 |
|
|
|
wais |
tcp |
port 210 |
|
|
|
uucp |
tcp |
port 540 |
|
|
|
irc |
tcp |
port 6670 |
|
|
|
|
tcp |
port 6680 |
|
|
|
VDOLive |
tcp tcp |
port 7000 port 7010 |
|
|
|
|
|
|
udp |
port 32649 |
|
CU See Me |
udp_datagram |
ports 7648-7652 |
|
|
|
Vosaic |
tcp |
port 1235 |
|
|
|
|
|
|
udp_datagram udp_datagram |
ports 61801-61820 ports 20000-20020 |
|
StreamWorks |
udp_datagram |
port 1558 |
|
|
|
|
|
|
udp_datagram |
port 1558 |
|
CoolTalk |
tcp udp_datagram |
ports 6499-6500 port 13000 |
udp_datagram |
port 13000 |
|
Backweb |
udp |
port 370 parameters (60 0 3) |
|
; |
|
radius |
udp |
port 1645 |
|
|
|
ssl |
tcp |
port 443 |
|
|
|
who |
udp_datagram |
port 513 (BROADCAST) |
|
|
|
netstat |
tcp |
Port 15 |
|
|
|
biff |
udp_datagram |
port 512 (BROADCAST) |
|
|
|
bootp |
udp |
port 67 (BROADCAST) parameters (60 0 3) |
|
|
|
kerberos |
udp |
port 88 |
|
|
|
ntp-tcp |
tco |
port 123 |
|
|
|
netbios name |
udp |
port 137 |
|
|
|
netbios datagram |
udp_datagram |
port 138 |
|
|
|
netbios session |
tcp |
port 139 |
|
|
|
lpd |
tcp |
port 2766 |
|
|
|
echo-udp |
udp |
port 7 |
|
|
|
discard-udp |
udp |
port 9 |
|
|
|
time-udp |
udp |
port 37 |
|
|
|
daytime-udp |
udp |
port 13 |
|
|
|
tcp-high-ports |
tcp |
ports 1024-65535 |
|
|
|
udp-high-ports |
udp |
ports 1024-65535 |
|
|
ftp Service
The File Transfer Protocol (FTP) is used to copy files from one system to another. FTP is designed to work between hosts using different file structures and character sets.
SunScreen EFS 3.0 contains an ftp state engine to screen the FTP data connection. You specify the number for the FTP control port; the number for the FTP data port is one less than the FTP control port number. The predefined FTP service definition, ftp, uses the standard FTP control port number (21) and data connection port number (20).
FTP control connections time out after a period of inactivity. The FTP server typically closes the connect before this inactivity timeout occurs; however, if the timeout period elapses, the quit command can take 60 seconds or more to complete. During this time, FTP packets may be logged.
The ftp service supports both PASV and standard FTP connections. By default, ftp service verifies that the FTP data port is 20 for standard FTP connections. To communicate with FTP servers that do not use port 20 for the data port, modify the ftp service definition to set its three parameters to: 600 600 1. The first parameter is the control session timeout (600 seconds). The second parameter is the data session timeout (600 seconds). The third parameter is a flag; a value of 1 specifies that the system will not verify that the FTP data port is 20.
Note that this does not affect PASV FTP sessions, because they never use port 20 for the data connection.
traceroute Service
The traceroute service entry assumes that the UDP ports being used for traceroute are in the range of 33430-34000. If implementations of traceroute at your site use other ports, modify the port range as appropriate.
ip Services
The ip all service is provided for backward compatibility with previous SunScreen products. You can achieve better performance by using either the ip forward (for IP traffic in one direction) or the ip tunnel (for IP traffic in both directions) services instead. For example:
(old way using ip all) "ip all" host1 host2 allow "ip all" host2 host1 allow (new way using ip tunnel) "ip tunnel" host1 host2 allow |
The ip mobile service is provided for use with mobile, remote clients. Like the ip tunnel service, ip mobile passes all IP traffic between a pair of addresses. Unlike the ip tunnel service, however, a rule specifying ip mobile forces the first connection to be made from the mobile client (a system with one of the addresses in Source Address).
Generally, ip mobile is used for SKIP-encrypted connections with the SKIP identity providing the authentication and access control. For example:
"ip mobile" Internet Mailhost SKIP-VERSION2 |
SunScreen EFS 3.0 can filter IP packets by IP protocol type alone. This is useful in special situations such as passing non-TCP/UDP protocols or when data are being encrypted.
If you want a Screen to pass IP packets by protocol type, you define a new service using either the ip, ip tunnel, ip mobile, or ip fwd state engine. Specify the protocol of the packets you wish to pass in decimal notation. If you specify "*" for the protocol, the service will pass all IP packets regardless of protocol type.
There are several predefined services included, such as skip (IP protocols 79 and 57), ip tunnel, ip mobile, and ip fwd
Caution - Using one of the state engines with a protocol specification of "*" (any protocol), can be dangerous, since any traffic would be allowable. State engines should only be used in special cases or if the data are part of an encrypted tunnel.
Note that the predefined IP services do not pass broadcast traffic. If you want to pass broadcast traffic, you must define a new service or add broadcast to the predefined service.
VDOLive Service
The VDOLive service definition requires that the VDOLive clients be set to use a fixed port, which is port 32649 by default. You can modify the service definitions so that VDOLive will use another port.
CoolTalk Service
The CoolTalk service definition allows calls to be initiated but does not allow calls to be received. To receive calls, define a second rule with the addresses reversed. For example:
CoolTalk joe sam allow CoolTalk sam joe allow |
nfs readonly Service
The nfs readonly service allows read-only access to the NFSv3.0 file system. Read-related functions, such as lookup, read, and access, are allowed. Functions that are not read-related, such as rename and write, are blocked; traffic is not permitted to pass under the nfs readonly rule.
smtp (Electronic Mail) Service
Simple Mail Transfer Protocol (SMTP) is used to send electronic mail between two message transfer agents using TCP. SunScreen EFS 3.0 includes a predefined service definition, smtp, to send and receive SMTP mail on TCP port 25.
www (World-Wide-Web Access) Service
The World Wide Web provides a graphical user interface that lets users browse a global network of services and documents. SunScreen EFS 3.0 contains a predefined service definition for WWW that passes TCP connections on port 80.
Not all WWW services on the Internet use port 80; many reside on ports with other numbers, such as 8000 or 8080. If you only allow outbound WWW access under the www service entry, users will not be able to connect to all WWW resources. To compensate, you can define a new TCP service that enumerates additional nonstandard WWW ports you want to allow, or you can allow TCP access to all ports outbound using the default service.
Caution - Do not use the tcp all service to enable inbound www access to your public Web servers. This opens up a large security hole and allows outside users access to any TCP service on your machines. Instead, since you know which port your Web server uses (generally 80), you should use a more restrictive service rule, such as the www service definition.
dns Service
DNS traffic consists of both UDP and TCP traffic. SunScreen EFS 3.0 includes a state engine to handle the UDP DNS protocol. TCP DNS is handled through the normal TCP state engine. To screen DNS traffic, use the predefined dns service.
rip Service
The Routing Information Protocol (RIP) is a dynamic routing protocol commonly used by Internet routers. RIP messages are carried in UDP datagrams. SunScreen EFS 3.0 includes a predefined service (rip) for passing RIP packets using the udp-datagram state engine with broadcast enabled. This means that a rule allows RIP packets (including broadcasts) from source to destination.
It is usually sufficient to enable RIP in the default rule that passes RIP from the routers to all other addresses. This lets the SunScreen EFS 3.0 send and receive RIP packets without restriction. If you want to restrict RIP traffic, do not enable RIP using the default access rules; instead, define rules for RIP based on your security policy.
Service Source Destination Action route routers* allow route * routersallow |
sqlnet Services
SunScreen EFS 3.0 contains an sqlnet state engine to screen Oracle SQL*Net protocol. SQL*Net is Oracle's remote data access protocol that enables client-server and server-server communications across networks.
An Oracle client connects to the server using the port address of the listener, which is normally defined as TCP port 1521 during Oracle installation. sqlnet service is defined as using TCP port 1521. If Oracle is installed using a different port for the listener, you can modify the service definition for sqlnet service accordingly.
SQL*Net connections are established in two ways. An Oracle client connects to the listener using TCP port 1521, and the connection is established with the listener process. With Oracle multi-threaded servers and pre-spawned server processes, the client connects to the listener on TCP port 1521. The listener issues a redirect message back to the client containing an IP address and port number, and the client connects to this redirected IP address and port.
SunScreen EFS 3.0 supports both types of SQL*Net connections.
realaudio Services
SunScreen EFS 3.0 contains a service definition to handle RealAudio(TM) sessions. To screen RealAudio traffic, use the realaudio service.
icmp Services
SunScreen EFS 3.0 includes predefined services for screening ICMP packets such as ping. These services use the icmp state engine and allow ICMP ping request-and-response exchanges between a Source and Destination system. Use the predefined service ping if you want to provide ping access.
You can use the icmp state engine to create other services to pass ICMP messages of a specific type. Most of the common ICMP packets have entries in the predefined services, as shown in the following table:
Service Source Destination Action ping Inside Outside allow icmp-unreachOutside Inside allow |
The above rules allow Inside machines to ping Outside machines, but block Outside machines from sending ping messages to Inside machines. It also allows ICMP unreachable packets to be sent from Outside machines to Inside machines. Note that the ping service allows packets in two directions (ping-request packets from Source to Destination and ping-response packets from Destination to Source), while the icmp-unreach service only allows packets to flow in one direction (from Source to Destination).
TCP Services
SunScreen EFS 3.0 screens TCP services by destination port numbers. Most common TCP services are already defined in the service entries supplied with SunScreen EFS 3.0.
If you need to define a new TCP service, define a new service entry specifying the tcp filter state machine. Specify the destination TCP port or ports of the service you wish to pass. If you specify "*" for the port, the service will pass all TCP services regardless of port. Note that some services, such as FTP and RSH, cannot be passed in this way since they are not simple TCP protocols; they make additional connections made in the reverse direction. These services must be specified as separate services if you wish to pass them.
The tcp state engine times out unused and silent connections five hours after a connection has been established. Since some systems repeatedly retransmit until they receive an error about a terminated TCP connection, you should configure a rule using the tcp service to send an ICMP rejection message, especially on your internal interfaces.
For example, the following rule allows telnet connections to be made from Inside machines to Outside machines.
Service Source Destination Action telnetInside Outside allow |
UDP Services
SunScreen EFS 3.0 contains several state engines to handle UDP protocols:
-
udp - provides stateful UDP packet filtering. Allows a single request-and-response exchange between source and destination. State entries time out in 20 seconds if no response is received.
-
udpall - Identical to udp. It is useful for avoiding conflicts while defining service groups containing many services.
-
udp_datagram - Passes UDP packets from source to destination. You can specify that broadcast packets should be passed.
-
udp_stateless - Allows UDP packets to be sent between source and destination. The UDP Port(s) field specifies the list of destination UDP ports that are allowed. The source UDP port must be a unreserved port. Note that this is a two-way exchange of UDP packets. Because some services use unreserved port numbers, use of this state engine can open up security holes. Its use is not recommended.
For all UDP engines, you define a new service entry specifying the well-known destination, UDP port. Specifying port "*" passes all UDP traffic.
ntp Service
SunScreen EFS 3.0 contains a state engine to handle the NTP protocol. The source and destination UDP ports numbers are fixed at port 123. To screen NTP traffic, use the ntp service. Broadcast NTP is not supported.
archie Service
SunScreen EFS 3.0 contains a service definition to handle the Archie UDP protocol. To screen Archie traffic, use the archie service.
rpc Service
SunScreen EFS 3.0 contains a state engine to handle the RPC protocols. This can safely screen RPC protocols, as long as they use the portmapper and do not use dynamic RPC program values.
To define a new RPC service, add a new service entry using both the rpc_udp and pmap_udp state engines. You specify the well-known RPC program of the RPC service you wish to pass. If you specify "*" for the RPC program, the service entry passes all RPC services, regardless of program.
Several well-known RPC services, such as NFS and NIS, have been defined to include all the RPC and non-RPC protocols that these systems require.
Some NFS clients use the lock manager. Since a lock manager makes connections in both directions (to NFS server and from NFS server) you may need to use the nlm service when you allow NFS access.
Service Source Destination Action nfsInside DMZ allow nlmDMZ Inside allow |
Broadcast port mapping (NIS) is not supported for encrypted connections.
- © 2010, Oracle Corporation and/or its affiliates