SunScreen EFS 3.0 includes a number of state engines, which act as a protocol checker for services. For example, the ftp state engine checks port numbers when the ftp service is being used.
You cannot define new state engines, and you should not change which state engine is used by a predefined service. However, if you define a new service, you must specify the state engine the newly defined service will use.
State engines have the following characteristics:
Connection management - Each state engine understands the connection management of a particular protocol or set of protocols. State engines can be general, such as the tcp state engine, which allows a simple TCP connection, or specific, such as the ftp state engine, which understands the FTP protocol and parses FTP PORT and PASV commands.
Precedence level - Each state engine has a precedence level. A service with multiple state engines (that is, a service group) is internally ordered by state engine. This order is given by the order in the ss_stateengine default list.
Discriminator value - Each state engine has a discriminator value. This value is used to bind the state engine to a particular service. Examples are a port number for TCP and UDP services, an RPC program number for RPC services, or an icmp type for ICMP services.
Parameters - Each state engine has a set of parameters. These parameters have a default value that can be overridden when the service is defined to modify the behavior of the state engine.
The dns state engine is used for UDP DNS sessions. It looks inside the DNS responses and verifies that they have the same DNS ID as the request. The predefined service dns uses this state engine and is normally the only service to use this state engine. Note that since the DNS service also uses the TCP protocol, the predefined service dns also has a second entry using the tcp state engine.
The discriminator for the dns state engine is the UDP port number of the DNS service. This is normally 53.
The dns state engine has one parameter:
Response timeout in seconds - Specifies the time to wait for DNS responses. Default is 60 seconds.
The ftp state engine is used for FTP sessions. This state engine understands the control protocol used by FTP sessions including parsing PORT commands. It supports both traditional and PASV modes. The ftp service is typically the only service that uses this state engine.
The discriminator for the ftp state engine is the port number of the control connection, which is normally 21. The port number of the data session is always one less than the control connection unless this is overridden by the parameters below.
The ftp state engine has the following parameters:
Lifetime of idle control session in seconds - Specifies the lifetime of an idle control session. (Default = 600 seconds)
Lifetime of idle data session in seconds - Specifies the lifetime of an idle data session. (Default = 600 seconds)
Flag value - A set of bits. If bit 0x01 is set, non-PASV data sessions are allowed to originate from a port other than one less than the control port. This is sometimes needed to communicate with FTP servers that implement the FTP protocol incorrectly so that they do not have to run the data connection as root. (Default = 0)
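The following is an added illustration, not SunScreen code, of the checks the ftp state engine description implies: a PORT command or a 227 PASV reply on the control session announces a data connection, and a non-PASV data session is admitted only from control port - 1 unless flag bit 0x01 is set. The class and function names are hypothetical, and the model additionally assumes the announced address must belong to the control session's own endpoints.

```python
import re
# Flag bit from the ftp state engine parameters: allow non-PASV data
# sessions from a server port other than (control port - 1).
FLAG_ANY_DATA_SOURCE_PORT = 0x01
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 PASV reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

class FtpControlTracker:
    """Hypothetical model of one FTP control session and its allowed data connections."""
    def __init__(self, client_ip, server_ip, control_port=21, flags=0):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.control_port, self.flags = control_port, flags
        self.pending = []  # (src_ip, src_port or None, dst_ip, dst_port)

    def on_command(self, line):
        """Client -> server: PORT announces where the server will connect;
        the server must use control_port - 1 unless bit 0x01 is set."""
        if line.upper().startswith("PORT "):
            hp = parse_hostport(line)
            # assumption: the announced address must be the client's own
            if hp is None or hp[0] != self.client_ip:
                return False
            src_port = None if self.flags & FLAG_ANY_DATA_SOURCE_PORT else self.control_port - 1
            self.pending.append((self.server_ip, src_port, hp[0], hp[1]))
        return True

    def on_reply(self, line):
        """Server -> client: a 227 reply names the PASV port the client will open."""
        if line.startswith("227"):
            hp = parse_hostport(line)
            if hp is None or hp[0] != self.server_ip:
                return False
            self.pending.append((self.client_ip, None, hp[0], hp[1]))
        return True

    def allow_data(self, src_ip, src_port, dst_ip, dst_port):
        """Admit a data connection only if the control session announced it."""
        for entry in self.pending:
            if (entry[0], entry[2], entry[3]) == (src_ip, dst_ip, dst_port) and entry[1] in (None, src_port):
                self.pending.remove(entry)  # each announcement is used once
                return True
        return False
```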
The icmp state engine is used for ICMP protocols. It allows one-direction ICMP traffic to flow.
The discriminator for the icmp state engine is the ICMP type of the packet.
The icmp state engine has no parameters.
The ip state engine is a stateless filter that passes uni-directional IP traffic of a particular IP type. The data can only flow in the forward direction (From to To address). This state engine is supplied to provide backwards compatibility with the ip state engine in the SunScreen SPF-100. New service definitions should use either the ipfwd, iptunnel, or ipmobile state engines.
The discriminator for the ip state engine is the IP packet type.
The ip state engine has no parameters.
The ipfwd state engine allows uni-directional IP traffic of a certain IP type. The data can only flow in the forward direction (From to To address).
The discriminator for the ipfwd state engine is the IP packet type.
The ipfwd state engine has the following parameters:
Cache timeout in seconds - Specifies the amount of time before the system forgets about IP traffic between a pair of hosts. Default is 60 seconds.
Flag value - Must be 1.
The ipmobile state engine allows bidirectional IP traffic of a certain IP type. The first connection must be initiated by the From address in the rule. Subsequent connections can be initiated from either side as long as the cache entry has not timed out.
The discriminator for the ipmobile state engine is the IP packet type.
The ipmobile state engine has the following parameters:
Cache timeout in seconds - Specifies the amount of time before the system forgets about IP traffic between a pair of hosts. Default is 3600 seconds (1 hour).
Flag value - Must be 0 (zero).
The iptunnel state engine allows bidirectional IP traffic of a certain IP type. Either side of the connection can initiate connections.
The discriminator for the iptunnel state engine is the IP packet type.
The iptunnel state engine has the following parameters:
Cache timeout in seconds - Specifies the amount of time before the system forgets about IP traffic between a pair of hosts. Default is 60 seconds.
Flag value - Must be 0 (zero).
The nis state engine is used to define services that are NIS UDP sessions. The predefined service ypserv uses the nis state engine and is normally the only service definition that uses this state engine.
The discriminator for this state engine is the RPC program number of the service. This is normally 100004, the RPC program number for NIS.
The nis state engine has the following parameters:
Response timeout in seconds - Specifies the time to wait for NIS responses. A value of -1 specifies that the state engine waits forever. (Default = 60 seconds)
Number of expected responses per request - Typically 1, since an NIS server sends only a single response to a request. (Default = 1)
Flag value - If this value is set to 2, then the system accepts NIS responses from a different port than the NIS request port. This case occurs when an NIS server is responding to name lookups it is mapping to DNS entries. (Default = 2)
The ping state engine is used for an ICMP ping exchange. It allows ping requests in the forward direction and ping responses in the reverse direction.
The discriminator of the ping state engine is the ICMP type of the request packet. This is normally set to 8 to match that of an ICMP echo request packet.
The ping state engine has one parameter:
Response timeout in seconds - Specifies the amount of time to wait for ICMP echo responses. Default is 10 seconds.
The pmap_nis state engine is used for the portmap protocol used by NIS services. It monitors NIS portmap requests and responses and builds a table of host/port to NIS service mappings. The ypserv service is typically the only service definition that uses the pmap_nis state engine.
The discriminator for the pmap_nis state engine is the RPC program number of the service. This is normally 100004, the RPC program number for NIS.
The pmap_nis state engine has the following parameters:
Response timeout in seconds - Specifies the time to wait for NIS portmap responses. (Default = 60 seconds)
Lifetime of NIS portmap mapping entries in seconds - A value of -1 specifies an infinite lifetime. Since NIS clients cache portmap information indefinitely at boot time, this value is normally set to -1. (Default = -1)
The pmap_tcp state engine is used for the TCP portmap protocol used by TCP RPC services. It monitors the TCP portmap requests and responses and builds a table of hosts and ports to RPC service mappings. Normally, a service definition for a TCP RPC service requires both a pmap_tcp and an rpc_tcp state engine entry. The discriminator for the pmap_tcp state engine is the RPC program number of the service.
The pmap_tcp state engine has the following parameters:
Response timeout in seconds - Specifies the time to wait for portmap responses. (Default = 60 seconds)
Lifetime of portmap mapping entries in seconds - A value of -1 specifies an infinite lifetime. (Default = 3600 seconds)
The pmap_udp state engine is used for the UDP portmap protocol used by UDP RPC services. It monitors the UDP portmap requests and responses and builds a table of hosts and ports to RPC service mappings. Normally, a service definition for a UDP RPC service requires both a pmap_udp and an rpc_udp state engine entry. The discriminator for the pmap_udp state engine is the RPC program number of the service.
The pmap_udp state engine has the following parameters:
Response timeout in seconds - Specifies the time to wait for portmap responses. (Default = 60 seconds)
Lifetime of portmap mapping entries in seconds - A value of -1 specifies an infinite lifetime. (Default = 3600 seconds or 1 hour)
The realaudio state engine is used for RealAudio(TM) sessions. This state engine understands the control protocol used by these sessions including enabling the UDP ports used for the audio traffic. The realaudio service is typically the only service that uses this state engine. The discriminator for the realaudio state engine is the port number of the TCP control connection, which is normally 7070.
The realaudio state engine has one parameter:
Lifetime of an idle control session in seconds - Specifies the lifetime of an idle control session. (Default = 3600 seconds)
The rpc_tcp state engine is used for RPC protocols that use the TCP protocol. Normally, a service definition for such a protocol requires both an rpc_tcp and pmap_tcp state engine entry. The discriminator for the rpc_tcp state engine is the RPC program number for the service.
The rpc_tcp state engine has one parameter:
Idle session lifetime in seconds - Specifies the lifetime of an idle TCP RPC session. (Default = 86400 seconds or 24 hours)
The rpc_udp state engine is used for RPC protocols that use the UDP protocol. Normally, a service definition for such a protocol requires both an rpc_udp and pmap_udp state engine entry. The discriminator for the rpc_udp state engine is the RPC program number for the service.
The rpc_udp state engine has the following parameters:
Response timeout in seconds - Specifies the time to wait for RPC responses. A value of -1 specifies to wait forever. (Default = 60 seconds)
Number of expected responses per request - Default is 1.
Flag value - Specifies whether RPC responses must come from the same host or port that the RPC request specified. If the 0x01 bit is set, RPC responses from a different host than the request are allowed. If the 0x02 bit is set, RPC responses from a different port than the request port are allowed. (Default = 0)
The rsh state engine is used for remote shell (rsh) sessions. This state engine understands the control protocol used by these sessions, including the enabling of the TCP connection used for stderr messages. The rsh service is typically the only service that uses this state engine. The discriminator for the rsh state engine is the port number of the RSH server. This is normally 514.
The rsh state engine has one parameter:
Lifetime of idle session in seconds - Specifies the lifetime of an idle session. (Default = 86400 seconds or 24 hours)
The sqlnet state engine is used for Oracle SQL*Net sessions.
It understands the network protocol used by SQL*Net, including redirected sessions (see sqlnet Service). The sqlnet service is typically the only service using the sqlnet state engine. Its discriminator is the port number of the Oracle listener, which is normally TCP port 1521.
The tcp state engine is used for TCP sessions. This state engine allows simple TCP connections. It cannot handle protocols, such as FTP or RSH, that have more complicated connection management protocols, especially if they open connections in the reverse direction. In those cases, the appropriate, more specific state engine should be used.
The discriminator for the tcp state engine is the port number of the TCP service.
The tcp state engine has one parameter:
Lifetime of idle connection in seconds - Specifies the lifetime of an idle connection. (Default = 86400 seconds or 24 hours)
The tcpall state engine is used for TCP service definitions that specify a large range of ports such as the predefined service tcp all. Since it has a lower precedence than tcp, ftp, rsh, or realaudio, it does not override any of those services. Normally, this state engine is only used for the predefined service tcp all.
The discriminator for the tcpall state engine is the port number of the TCP service.
The tcpall state engine has the following parameter:
Lifetime of idle connection in seconds - Specifies the lifetime of an idle connection. (Default = 86400 seconds or 24 hours)
The udp state engine is used for UDP services. It allows one or more responses to a UDP request. The requests are validated to make sure they come from the correct address and port and are sent to the correct address and port. The response source address and port checking can be modified using the parameters below.
The discriminator for the udp state engine is the port number of the UDP service.
The udp state engine has the following parameters:
Response timeout in seconds - Specifies the amount of time to wait for UDP responses. A value of -1 specifies an infinite response timeout. (Default = 60 seconds)
Number of responses per request - Specifies the number of expected responses for each request. If the number of responses specified is 0, any number of responses can be received and the session terminates only after an idle period in which no responses have been received. Never specify both a response timeout of -1 and 0 for the number of responses per request, because such a session would never terminate.
Flag value - Specifies valid sources for UDP responses.
If bit 0x01 is set, the UDP response can come from a different host than the request, which is useful for UDP services on multihomed servers that respond using a different address.
If bit 0x02 is set, the UDP response can come from a different port than the request.
If both bit 0x02 and bit 0x04 are set, then responses can come from a different port than the request, and subsequent requests can also use that new port. This is useful for handling TFTP servers that switch ports mid-session.
The udpall state engine is used for UDP services where a large number of ports are specified. It has a lower precedence than the dns and udp state engines and does not override services defined with those state engines. It allows one or more responses to a UDP request. The requests are validated to make sure they come from the correct address and port and are sent to the correct address and port. The response source address and port checking can be modified using the parameters below.
The discriminator for the udpall state engine is the port number of the UDP service.
The udpall state engine has the following parameters:
Response timeout in seconds - Specifies the amount of time to wait for UDP responses. A value of -1 specifies an infinite response timeout. (Default = 60 seconds)
Number of responses per request - Specifies the number of expected responses for each request. If the number of responses specified is 0, any number of responses can be received and the session terminates only after an idle period in which no responses have been received. Never specify both a response timeout of -1 and 0 for the number of responses per request, because such a session would never terminate.
Flag value - Specifies valid sources for UDP responses.
If bit 0x01 is set, the UDP response can come from a different host than the request, which is useful for UDP services on multihomed servers that respond using a different address.
If bit 0x02 is set, the UDP response can come from a different port than the request.
If both bit 0x02 and bit 0x04 are set, then responses can come from a different port than the request, and subsequent requests can also use that new port. This is useful for handling TFTP servers that switch ports mid-session.
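The following is an added model, not SunScreen code, of the response validation described for the udp and udpall state engines above: a response is admitted only if it is addressed back to the requesting client and comes from the request's destination host and port, with each check relaxed by flag bits 0x01 and 0x02, bit 0x04 letting later requests follow a TFTP-style port switch, and the response count and timeout parameters bounding the session. The class and field names are hypothetical, and the caveat about combining a -1 timeout with 0 expected responses is enforced at construction.

```python
from dataclasses import dataclass

# Flag bits as described for the udp and udpall state engines.
FLAG_OTHER_HOST = 0x01   # response may come from a different host
FLAG_OTHER_PORT = 0x02   # response may come from a different port
FLAG_FOLLOW_PORT = 0x04  # with 0x02: later requests may use the new port

@dataclass
class UdpSession:
    """Hypothetical model of one tracked UDP exchange (not SunScreen code)."""
    client: tuple            # (addr, port) that sent the request
    server: tuple            # (addr, port) the request was sent to
    flags: int = 0
    expected: int = 1        # responses per request; 0 = any number
    timeout: int = 60        # seconds; -1 = wait forever
    seen: int = 0
    last_activity: float = 0.0

    def __post_init__(self):
        # The manual's caveat: an infinite timeout with an unlimited
        # response count describes a session that can never terminate.
        if self.timeout == -1 and self.expected == 0:
            raise ValueError("timeout -1 with 0 responses never expires")

    def expired(self, now):
        return self.timeout != -1 and now - self.last_activity > self.timeout

    def accept_request(self, src, dst, now):
        """A follow-up request must keep using the tracked endpoints."""
        if self.expired(now) or src != self.client or dst != self.server:
            return False
        self.seen, self.last_activity = 0, now
        return True

    def accept_response(self, src, dst, now):
        """Check the response source against the request, relaxed by flags."""
        if self.expired(now) or dst != self.client:
            return False
        if src[0] != self.server[0] and not self.flags & FLAG_OTHER_HOST:
            return False
        if src[1] != self.server[1] and not self.flags & FLAG_OTHER_PORT:
            return False
        if self.expected and self.seen >= self.expected:
            return False  # more responses than the service expects
        if self.flags & FLAG_OTHER_PORT and self.flags & FLAG_FOLLOW_PORT:
            self.server = (self.server[0], src[1])  # TFTP-style port switch
        self.seen += 1
        self.last_activity = now
        return True
```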
The udp_datagram state engine is used for one-way UDP protocols. It allows UDP packets to pass in the forward direction only. It is used for services that send UDP packets in one direction, such as syslog.
The discriminator for the udp_datagram state engine is the port number of the UDP service.
The udp_datagram state engine has no parameters.
The udp_stateless state engine is used for stateless UDP session filtering. This engine is included for backwards compatibility with older SunScreen products, but has been replaced in most cases with stateful UDP filtering. Note that since it is stateless UDP packet filtering, services defined using this engine cannot safely validate that the responses go to the same port as the request.
The discriminator for the udp_stateless state engine is the port number of the UDP service.
The udp_stateless state engine has no parameters.