SunScreen 3.1 Installation Guide

Firewall Operation Modes

You typically install SunScreen in either routing mode (where the Screen performs routing as well as firewall functions) or stealth mode (where no IP interfaces are exposed to the public or private network). You can also set up your Screen to operate in a "mixed mode," where the interfaces protecting you from the outside network are stealth and the interfaces to your internal network are routing. This configuration is not covered in this manual, but you can find an example configuration in the SunScreen Configuration Examples manual.

Routing Mode

Typically, you operate the Screen in routing mode if you need a machine to act as both a router and a firewall. Another reason to choose routing mode is if you want to use proxies with the firewall. In this mode, you need at least two exposed IP interfaces, and the Screen is a hop visible to traceroute and other network utilities. In routing mode, your firewall is visible and you have a slightly greater exposure to attack than when operating in stealth mode.

Be aware of the following considerations when operating in routing mode:

Stealth Mode

You can operate SunScreen in stealth mode if you do not need routing functions, or if you want to reduce the possibilities for attack. In stealth mode, SunScreen acts much like a bridge: no IP interfaces are exposed to the public or private network, and packets are transparently filtered by the Screen. While operating in this mode, the Screen cannot be attacked through any means other than a denial-of-service attack, and cannot be seen or detected through traceroute or similar network tools.

Be aware of the following considerations when operating in stealth mode: