SunScreen EFS 3.0 screens TCP services by destination port numbers. Most common TCP services are already defined in the service entries supplied with SunScreen EFS 3.0.
If you need to define a new TCP service, define a new service entry specifying the tcp filter state machine. Specify the destination TCP port or ports of the service you wish to pass. If you specify "*" for the port, the service will pass all TCP services regardless of port. Note that some services, such as FTP and RSH, cannot be passed in this way since they are not simple TCP protocols; they make additional connections in the reverse direction. These services must be specified as separate services if you wish to pass them.
The tcp state engine times out unused and silent connections five hours after a connection has been established. Since some systems repeatedly retransmit until they receive an error about a terminated TCP connection, you should configure a rule using the tcp service to send an ICMP rejection message, especially on your internal interfaces.
For example, the following rule allows telnet connections to be made from Inside machines to Outside machines.
Service   Source   Destination   Action
telnet    Inside   Outside       allow
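The following is an added illustration, not SunScreen code: a small model of the port-based stateful filtering described above, with the telnet rule from the table, a trailing tcp "*" rule that sends an ICMP rejection, and the five-hour idle timeout. The addresses, the address-group names "Inside" and "Outside", and the assumption that an allow rule only admits a new (SYN) connection are constructed for the example.

```python
# Constructed model of the port-based stateful TCP filter described above (not SunScreen code).
from dataclasses import dataclass, field
from typing import Optional

IDLE_TIMEOUT = 5 * 3600  # silent connections are forgotten after five hours
@dataclass(frozen=True)
class Rule:
    ports: Optional[frozenset]  # None stands for "*": any destination TCP port
    src: str                    # address group names, e.g. "Inside"
    dst: str
    action: str                 # "allow", "reject" (send ICMP rejection) or "drop"
def service(*ports):
    """Port set for a tcp service entry; service("*") matches every port."""
    return None if ports == ("*",) else frozenset(ports)
@dataclass
class TcpStateEngine:
    rules: list
    zones: dict                                 # ip -> address group name
    table: dict = field(default_factory=dict)   # (src, sport, dst, dport) -> last seen

    def _lookup(self, src_ip, dst_ip, dport, syn):
        # First match wins. Assumption: an allow rule only admits a new connection (SYN);
        # stateless later segments fall through, so a trailing reject rule can answer them.
        for r in self.rules:
            if r.action == "allow" and not syn:
                continue
            if (r.ports is None or dport in r.ports) and \
               self.zones.get(src_ip) == r.src and self.zones.get(dst_ip) == r.dst:
                return r.action
        return "drop"  # no rule matched: silently discarded

    def packet(self, now, src_ip, sport, dst_ip, dport, syn=False):
        key = (src_ip, sport, dst_ip, dport)
        last = self.table.get(key)
        if last is not None and now - last < IDLE_TIMEOUT:
            self.table[key] = now  # established and still active: pass it
            return "allow"
        self.table.pop(key, None)  # idle for five hours: state is gone
        action = self._lookup(src_ip, dst_ip, dport, syn)
        if action == "allow":
            self.table[key] = now  # new connection admitted by a rule
        return action

def demo(with_reject=True):
    # Telnet from Inside to Outside, then a retransmission after six idle hours.
    rules = [Rule(service(23), "Inside", "Outside", "allow")]  # the telnet rule above
    if with_reject:
        rules.append(Rule(service("*"), "Inside", "Outside", "reject"))  # tcp: ICMP rejection
    engine = TcpStateEngine(rules, {"10.0.0.5": "Inside", "192.0.2.10": "Outside"})
    pkt = lambda t, syn=False: engine.packet(t, "10.0.0.5", 40000, "192.0.2.10", 23, syn)
    return pkt(0, syn=True), pkt(3600), pkt(3600 + 6 * 3600)  # ("allow", "allow", "reject")
```

Without the reject rule, `demo(False)` ends in "drop": the stale retransmission is discarded silently and the sending host keeps retrying, which is the situation the ICMP rejection rule is meant to avoid.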