SunScreen EFS 3.0 screens TCP services by TCP destination port. Most common TCP services have been predefined in the service entries supplied with SunScreen EFS 3.0.
If you need to define a new TCP service, define a new service entry specifying the tcp filter state machine. Specify the well-known destination TCP port(s) of the service you wish to pass. Specifying "*" for the port passes all TCP services regardless of port. Note that some services, such as FTP and RSH, cannot be passed in this way: they are not simple TCP protocols, because they make additional connections in the reverse direction. They must be specified as separate services if you wish to pass them.
The TCP state engine times out unused and silent connections. Currently, this time-out is set to five hours after a connection has been established. Since some systems repeatedly retransmit until receiving some sort of error on terminated TCP connections, you might wish to enable sending ICMP rejects on illegal TCP connections, especially on your internal interfaces.
The above rule allows telnet connections to be made from Inside machines to Outside machines.
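The following sketch is an added example, not SunScreen code or configuration. It models a destination-port TCP filter with a connection table to show why a reverse-direction connection (active-mode FTP data) is not covered by a simple port rule, and what happens to a packet on a connection the state engine has already timed out. The class and function names, the addresses, and the treatment of the five-hour limit as an idle time-out are assumptions made for illustration.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 5 * 60 * 60  # five hours, the time-out stated above (seconds)


@dataclass
class TcpScreen:
    """Toy destination-port TCP filter with a connection table (assumed model)."""
    allowed_ports: set            # destination ports passed; {"*"} passes all
    reject_illegal: bool = False  # answer illegal packets with an ICMP reject
    table: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> last seen

    def handle(self, now, src, sport, dst, dport, syn=False):
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        # Expire connections that have been silent longer than the time-out.
        for k in [k for k, seen in self.table.items() if now - seen > IDLE_TIMEOUT]:
            del self.table[k]
        # Packets in either direction of a tracked connection pass.
        for k in (key, reverse):
            if k in self.table:
                self.table[k] = now
                return "pass"
        # A new connection passes only if its destination port is allowed.
        if syn and ("*" in self.allowed_ports or dport in self.allowed_ports):
            self.table[key] = now
            return "pass"
        return "icmp-reject" if self.reject_illegal else "drop"


def demo():
    """Run constructed packets through the filter and return the verdicts."""
    fw = TcpScreen(allowed_ports={21, 23}, reject_illegal=True)
    client, server = "10.0.0.5", "192.0.2.10"   # constructed addresses
    return [
        # FTP control connection: client -> server port 21, and the reply.
        fw.handle(0, client, 40000, server, 21, syn=True),
        fw.handle(1, server, 21, client, 40000),
        # Active-mode FTP data connection arrives in the reverse direction.
        fw.handle(2, server, 20, client, 40001, syn=True),
        # Telnet session goes silent for more than five hours, then resumes.
        fw.handle(10, client, 40002, server, 23, syn=True),
        fw.handle(10 + IDLE_TIMEOUT + 1, client, 40002, server, 23),
    ]


if __name__ == "__main__":
    print(demo())
```

With `reject_illegal` left off, the last packet is silently dropped, which is the case where a peer keeps retransmitting on a connection the screen no longer tracks.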