Appendix B Command-Line Reference
This appendix describes the command line user interface for SunScreen and the options available for each command.
The top-level programs that you run directly from a UNIX shell prompt or shell script are available if the /opt/SUNWicg/SunScreen/bin directory is included in your $PATH.
Other sections in this appendix describe the commands of the two major SunScreen subsystems that interpret commands: the ssadm subcommands and the configuration editor. There is also a section on unstable commands that are obsolete or otherwise not guaranteed to exist in future releases of this product.
The following sections describe:
-
The command line?
-
UNIX (shell) commands
-
ssadm command
-
Unsupported commands
-
Configuration editor
-
Network monitoring and maintenance
Note -If you are familiar with the UNIX shell and SunScreen concepts and terms the command line is appropriate. If you are new to SunScreen, use the administration graphical user interface (GUI) to enter network settings.
What Is the Command Line?
All the functionality of SunScreen that is available through the administration GUI is also available through a command. Administering your Screens through the command line is useful if you do not want to use the browser or if you want to edit something quickly.
You can obtain access to a Screen using the command line from its own keyboard when the Screen is administered locally. You have superuser (root) access. You can gain access to a Screen using the command line from an Administration Station, when the Screen is administered remotely and requires that you use SKIP encryption and an administration user name and password.
You maintain user-controlled data--such as common objects like address and policy entries like rules and NAT --using the edit subcommand of ssadm.
When using the configuration editor, you must save any changes before quitting.
You invoke the configuration editor with the edit command, which is a subcommand of ssadm, and the name of your policy, such as Initial. Once it is running, the prompt becomes: edit>.
For a locally administered Screen, type:
# ssadm edit policy_name |
For a remotely administered Screen, type:
# ssadm -r Screen_name edit policy_name |
UNIX (shell) Commands
The following UNIX (shell) commands are available at your shell prompt when /opt/SUNWicg/SunScreen/bin is included in your $PATH.
-
ss_install
-
ssadm
-
ss_client
Note -Command equivalents used for the skiptool GUI can be found in the SunScreen SKIP 1.5.1 User's Guide.
TABLE B-1 lists the SunScreen UNIX (shell) commands and their descriptions. Many of these commands duplicate administration GUI functions, while others provide a context for other commands.
Table B-1 Summary of Screen EFS 3.0 UNIX (shell) Commands|
UNIX Command |
Description |
|---|---|
|
ss_install |
Runs the text-based utility for creating the Initial SunScreen configuration. When combined with pkgadd, it is equivalent to using the installation-wizard graphical user interface. |
|
ss_client |
Provides communication between an Administration Station and a Screen that is running an earlier SunScreen firewall product release. ss_client is provided only for the purpose of remotely administering such products using the SunScreen system as a remote Administration Station. |
|
ssadm |
The primary command-line tool for SunScreen administration. ssadm subcommands perform various operations such as editing and activating a SunScreen configuration, and examining the status of a Screen. |
ss_install Command
ss_install is a text-based command-line utility that runs during SunScreen installation to create an initial configuration. ss_install, combined with pkgadd, is the command-line equivalent to the installation-wizard graphical user interface on the CD-ROM.
ss_install interactively queries you with various configuration options, creates a configuration, stores it under the policy name Initial, and activates it.
After ss_install is complete, the Screen is ready to be administered using the administration GUI or the command-line configuration editor and other tools.
ssadm Command
ssadm is the primary command-line tool for SunScreen administration. ssadm has a number of subcommands that perform various operations such as editing and activating a configuration, and examining the status of a Screen.
The UNIX command ssadm provides character-set translation between embedded strings and the local character set of the Solaris system on which it runs.
ssadm runs directly on a locally administered Screen, or indirectly from a remote Administration Station that is using SunScreen SKIP to encrypt IP network communications passing between them. See the SunScreen SKIP User's Guide for more information regarding SKIP encryption.
Usage:
ssadm [-b] [-n] subcommand [parameters...]
ssadm [-b] [-n] -r remotehost [-F ticketfile] subcommand [parameters...]
TABLE B-2 describes the options for this command.
Table B-2 Options for ssadm Command|
Options |
Description |
|---|---|
|
-b |
Produces binary data (instead of text) in standard input and output. |
|
-n |
Does not read any input from standard input. |
|
-r remotehost |
Provides access to a remote Screen using an address or a hostname remotehost. |
|
-F ticketfile |
Use authorization ticket stored in ticketfile. |
The -b option is normally not needed because the commands that process binary data automatically enable the binary mode. For example, ssadm backup, ssadm restore, ssadm log, ssadm logdump, and ssadm patch handle binary data even if -b is not specified.
The available ssadm subcommands are each described in the ssadm subcommand section of this document.
When ssadm is executed locally on the Screen (that is, without the -r option) no login or authentication is required, but you must be superuser to have any effect.
When ssadm is used with the -r option to access a remote Screen, login authentication is required. You must use the ssadm login command to get a ticket that is used by subsequent invocations of ssadm to allow access to the remote Screen. Normally, the ticket is stored in a ticketfile, the name of which can be specified using the -F option, or through the SSADM_TICKET_FILE environment variable. See the ssadm login command for information about ticket files and remote administration using ssadm.
Executing an ssadm Command From a Local Screen
You can configure a local Screen by typing the commands listed in this appendix using the Screen's keyboard. For example, to activate a policy Initial, you would type:
# ssadm activate Initial |
where ssadm is the command you want to execute, activate is the name of the ssadm subcommand, and Initial is the name of the policy you want to activate.
The ssadm command resides in the /opt/SUNWicg/SunScreen/bin directory. Include this directory in your directory search path to have access to the commands on the local Screen.
Executing an ssadm -r Command on a Remote Administration Station
You can configure a Screen from a remote Administration Station by preceding the commands listed in this appendix with ssadm -r and the name of the Screen you want to administer. For example, to activate the policy Initial on a remote Screen called SunScreen1, you would type:
# ssadm -r SunScreen1 activate Initial |
where ssadm -r indicates that you want to execute a command on a remote Screen called SunScreen1, activate is the name of the ssadm subcommand, and Initial is the name of the policy you want to activate.
Note -
A local ssadm command can be turned into a remote ssadm command by adding -r remote_screen_name immediately after ssadm.
When ssadm is used with the -r option to access a remote Screen, the name of the ticketfile can be specified using the -F option, or through the SSADM_TICKET_FILE environment.
ssadm Subcommands
The following commands, which can be used as the subcommand argument to the ssadm command, are described in this section.
-
activate
-
active
-
algorithm
-
backup
-
debug_level
-
edit
-
ha
-
lock
-
log
-
logdump
-
login
-
logout
-
logstats
-
patch
-
policy
-
product
-
restore
-
sys_info
-
traffic_stats
ssadm Subcommand Summary
TABLE B-3 lists the SunScreen ssadm subcommands and their descriptions. Many ssadm subcommands duplicate the functions of the administration graphical user interface, while others provide a context for other subcommands.
Table B-3 Summary of SunScreen ssadm Subcommands|
ssadm Subcommand |
Description |
|---|---|
|
activate |
Activates a Screen policy. |
|
active |
Lists information about the currently active policy. |
|
algorithm |
Lists algorithms supported by SKIP. |
|
backup |
Writes a SunScreen backup file to standard output. |
|
debug_level |
Sets or clears the level of debugging output generated by a Screen. |
|
edit |
Runs the SunScreen configuration editor. See "Configuration Editor". |
|
ha |
Configures the features of a high availability (HA) Screen. |
|
lock |
Examines or removes the protection lock that the configuration editor places on a policy file. |
|
log |
Maintains the Screen log file. |
|
logdump |
Filters or displays log records, as retrieved by ssadm log get. |
|
login |
Authenticates a user for administrative access through ssadm to a Screen from a remote Administration Station. |
|
logmacro |
Expands a SunScreen logmacro object. |
|
logout |
Terminates the session created by ssadm login. |
|
logstats |
Prints information about the SunScreen log. |
|
patch |
Installs patch, as needed. |
|
policy |
Creates, deletes, lists and renames Screen policies. |
|
product |
Prints single line of descriptive SunScreen use. |
|
restore |
Reads a backup file from standard input. |
|
sys_info |
Prints a description of running SunScreen software. |
|
traffic_stats |
Reports summary information about the traffic flowing through the SunScreen, classified by interface. |
activate Subcommand
ssadm activate causes the Screen to begin "executing" a particular configuration that is formed when the named policy is combined with the common objects. After activation, the configuration controls the behavior of packet filtering, encryption and decryption, proxies, logging, and administrative access.
Syntax:
ssadm activate [-n] [-l] policy
TABLE B-4 describes the options for this command.
Table B-4 Options for activate Subcommand|
Options |
Description |
|---|---|
|
-n |
Does not actually make the configuration active, just verifies that it is valid. |
|
-l |
Does not send the configuration to other Screens in the centralized management group, only activates it on the local Screen. |
The named policy is combined with the common objects to form a configuration.
Note -
If you omit the policy argument, ssadm activate reads a configuration file from standard input. Since the format of a configuration file is undocumented and private to the SunScreen internal software, using ssadm activate in this way is not supported.
active Subcommand
ssadm active prints out a description of the configuration that is currently being executed by the Screen. When run with the -x option, the actual configuration file is extracted from the running system and can be saved for later examination.
Usage:
ssadm active
ssadm active -x policy
Without the -x option, ssadm active describes the active configuration with two lines of text. The first line lists the name of the Screen on which the configuration was originally stored, the name of the internal database in which it was stored (this name is always default), and the name of the policy, including its version number. The second line lists the date and time when the configuration was activated, and the user (either a UNIX user or SunScreen administration authorized user) who caused it to be activated.
For example:
# ssadm active Active configuration: greatwall default Initial.3 Activated by admin on 03/09/1999 02:58:36 PM PST |
In this example, the Screen is currently running a configuration that came from the Screen named greatwall (which might be the current Screen or, if the Screen is a member of a centralized management group, the primary Screen of the centralized administration group). The configuration includes version 3 of the policy Initial.
With the -x option, ssadm active saves the active configuration into the named policy that can be examined using the edit command. The named policy must not already exist; ssadm active creates the policy. The saved policy contains a full set of common objects in addition to the policy rules. The -x option is different from a normal policy that contains only policy rules and is meant to be combined with the currently defined common objects.
Note -
If the -x option is specified and the policy argument is omitted, ssadm active writes a configuration file to standard output. Since the format of a configuration file is undocumented and private to the SunScreen internal software, using ssadm active in this way is not supported.
algorithm Subcommand
ssadm algorithm lists the SKIP algorithms that are available for a specified algorithm type.
Usage:
ssadm algorithm type [skipversion]
where type must be one of "key", "data", "mac", or "compression". skipversion, if supplied, must be either "SKIP_VERSION_1" or "SKIP_VERSION_2".
backup Subcommand
ssadm backup writes a Screen backup file to standard output.
Usage:
ssadm backup [-v] > file
The backup file contains the complete configuration of SKIP, plus all currently defined common objects, policies, and, if the -v option is specified, all of the saved versions of the policies.
The backup file can be restored at a later time using the ssadm restore command.
Caution - SECURITY WARNING. The file created by ssadm backup contains sensitive information (SKIP secret keys) that must be stored and disposed of appropriately to protect the integrity of the Screen.
debug_level Subcommand
ssadm debug_level controls the output of internal debugging information from the SunScreen kernel.
Usage:
ssadm debug_level [newlevel]
ssadm debug_level ?
With no arguments, ssadm debug_level prints out the current debug level in hexadecimal. With the newlevel argument, ssadm debug_level sets the debug level to newlevel. With the question mark argument (may need to be quoted in the UNIX shell) ssadm debug_level prints out a list of bit values and their meanings.
The debugging information, when enabled, is written through the kernel message mechanism and typically ends up on the system console or the kernel message logs. The format of the messages is not documented and is only used by Sun support personnel.
edit Subcommand
ssadm edit runs the SunScreen configuration editor.
Usage:
ssadm edit policy
ssadm edit policy < file
ssadm edit policy -c commandstring
See "Configuration Editor" for information regarding commands supported by ssadm edit. The configuration editor can be used in any of three modes: interactive, batch, or "-c" mode. In interactive mode, the editor prints a prompt (edit>) before each command is read from your terminal. In batch mode, the editor silently reads commands from standard input. Commands are read until the editor receives end-of-file or a quit command.
If ssadm edit is run on an interactive terminal and its input and output are not redirected; it automatically enters interactive mode. If standard input is a pipe or a file, the configuration editor runs in batch mode.
If ssadm edit is run with the -c option, it executes the commandstring and then exits without reading any other commands. commandstring must be a single argument to the program, so in the UNIX shell it usually has to be quoted with single or double quotes.
ha Subcommand
ssadm ha performs operations on a Screen in a high availability (HA) cluster.
Usage:
ssadm ha function parameters...
TABLE B-5 describes the function parameters for this command.
Table B-5 Function Parameters for ha Subcommand|
Functions |
Descriptions |
|---|---|
|
status |
Displays status of the HA cluster. |
|
active_mode |
Puts the Screen in active mode. |
|
passive_mode |
Puts the Screen in passive mode. |
|
init_primary interface |
Turns a standalone (non-HA) Screen into an HA primary Screen, thereby creating a new HA cluster containing one Screen. interface is the interface to be used for the HA heartbeat and synchronization. primaryIP is the IP address (on the HA network) of the primary machine in the cluster. |
|
init_secondary interface primaryIP |
Turns a standalone (non-HA) Screen into an HA secondary screen ready to join an existing HA cluster. Where interface is used for the HA heartbeat and synchronization, and primaryIP is the IP address (on the HA network) of the primary machine in the cluster. |
|
add_secondary secondaryIP |
Adds an initialized HA secondary Screen (see init_secondary above) into an existing HA cluster. This command is executed on the primary Screen in the HA cluster. secondaryIP is the IP address (on the HA network) of the secondary machine to be added. |
lock Subcommand
ssadm lock manipulates the lock that protects a policy from simultaneous modification by multiple administrators.
Usage:
ssadm lock -w policy
ssadm lock -c policy
ssadm lock -w prints a line of text describing the status of the lock.
ssadm lock -c forcibly breaks the lock and attempts to terminate (with a SIGHUP signal) the previous holder of the lock.
For example:
# ssadm lock -w Initial Lock held by admin@198.41.0.6 process id:8977 # ssadm lock -c Initial # ssadm lock -w Initial Lock available |
log Subcommand
ssadm log retrieves and clears the SunScreen log.
Usage:
ssadm log get filter_args...
ssadm log get_and_clear filter_args...
ssadm log clear
logdump Subcommand
ssadm logdump is used to filter or display log records, as retrieved by ssadm log get.
Usage:
ssadm logdump parameters...
login Subcommand
ssadm login authenticates a user for administrative access through ssadm to a Screen from a remote Administration Station.
Usage:
ssadm -r remotehost login username password
ssadm login creates a session on the remote Screen and provides a ticket that allows subsequent invocations of the ssadm command to access the remote Screen without using a password.
ssadm login is only available with the -r remotehost option.
The ticket is written to standard output. If a ticketfile is specified using the -F option to ssadm or the SSADM_TICKET_FILE environment variable, then ssadm login automatically stores the ticket in ticketfile in addition to writing it to standard output.
For example:
# SSADM_TICKET_FILE=$HOME/.ssadmticket # export SSADM_TICKET_FILE # touch $SSADM_TICKET_FILE # chmod go= $SSADM_TICKET_FILE # chmod go= $SSADM_TICKET_FILE # ssadm -r greatwall login admin password WRITE access <E23B344150C702EC> # ssadm -r greatwall activate Initial Configuration activated successfully on greatwall. # ssadm -r greatwall active Active configuration: greatwall default Initial.3 Activated by admin on 03/09/1999 02:58:36 PM PST # ssadm -r greatwall logout |
The above example is for sh or ksh; other shells may require different commands. ssadm login is only available with the -r remotehost option.
When using the ssadm login command on multiuser Administration Stations, any other user can snoop the admin user and password using ps, then (because SKIP is enabled from that host) access the Screen as that user.
Do not have a general-use Solaris system act as a remote Administration Station. Additionally, never use the ssadm login command on a Solaris system while other users are logged in
Caution - Screen administration is discouraged from non-Solaris platforms. Serious security holes with other operating systems can readily be exploited to compromise the network security infrastructure.
See the ssadm-login(1M) man page for more information on the login command.
logout Subcommand
ssadm logout terminates the session created by ssadm login.
Usage:
ssadm -r remotehost logout
ssadm logout is only available with the -r remotehost option.
logmacro Subcommand
ssadm logmacro expands a SunScreen logmacro object.
Usage:
ssadm logmacro expand macroname
logmacro add macrokey macrovalue
logmacro delete macrokey
logmacro print[,sortopt] [ macrokey ]
logmacro names[,sortopt]
where macrokey is of the form [ SYS=scrnname ] NAME=name macrovalue is of the form VALUE=macrobody sortopt is one of asc, desc, iasc
(For example, desc specifies a plaintext description string desc to be associated with the object.
logstats Subcommand
ssadm logstats prints information about the SunScreen log.
Usage:
ssadm logstats
patch Subcommand
ssadm patch installs a patch, as needed.
Usage:
For stealth-mode Screens from Remote Administration Stations, use:
ssadm [-r screen_name] patch Install [NOREBOOT] < patch.tar.Z
ssadm [-r screen_name] patch Backout [NOREBOOT] patchID
On routing-mode Screens, the standard Solaris patchadd and patchrm commands can be used.
If a SunScreen software patch is needed, detailed instructions are provided with the patch.
policy Subcommand
ssadm policy creates, deletes, renames, or lists the defined policies.
Usage:
ssadm policy -a policies...
ssadm policy -c oldname newname
ssadm policy -d [-v] policies...
ssadm policy -l [-v] [policies...]
ssadm policy -r oldname newname
TABLE B-6 describes the options for this command.
Table B-6 Options for policy Subcommand|
Options |
Description |
|---|---|
|
-a |
Creates policies with the specified names. The newly created policies contain no rules and references the currently defined common objects. |
|
-c |
Creates a policy named newname as a copy of the existing policy named oldname. |
|
-d |
Deletes the named policies. The specified policies can be either generic policy names, such as Initial, or specific versions, such as "Initial.3". When a generic policy name is specified and the -v option is specified, ssadm policy -d deletes all of the versions of the policy. When a specific version is specified, only that version is deleted. |
|
-l |
Lists the named policies (or all policies available if no policies are given). The -v option also lists all of the saved versions of the policies. |
|
-r |
Renames the existing policy oldname to newname. |
product Subcommand
ssadm product prints out a single line of text describing the SunScreen product in use.
Usage:
ssadm product
restore Subcommand
ssadm restore reads a backup file from standard input. The backup file must have been created using the backup command.
Usage:
ssadm restore < file
spf2efs Subcommand
ssadm spf2efs converts a set of configuration data saved from a SunScreen SPF-2000 Screen into SunScreen format.
Usage:
ssadm spf2efs < file
sys_info Subcommand
ssadm sys_info prints a description of the running SunScreen software.
Usage:
ssadm sys_info
For example:
# ssadm sys_info Product: SunScreen System Boot Time: 03/15/1999 03:51 PST SunScreen Boot Time: Mon Mar 13 03:51:56 PST 200 Version: Release 3.1, March 10 2000(v0310991418) |
traffic_stats Subcommand
ssadm traffic_stats reports summary information about the traffic flowing through the Screen, classified by interface.
Usage:
ssadm traffic_stats [interfaces...]
Unsupported Commands
Commands listed in this section are only used for abnormal maintenance or customer support functions, or as a temporary work around to limitations of the current software.
These commands are "unstable," which means that they may not be provided in future SunScreen product releases, or in versions for other operating systems.
ssadm lib/screeninfo Command
ssadm lib/statetables -f Command
ssadm lib/support Command
ssadm SKIP Commands
ssadm lib/screeninfo Command
ssadm lib/screeninfo runs in sequence several of the functions of the ssadm lib/support command, printing out a large set of information about the Screen and its current configuration.
Usage:
ssadm lib/screeninfo
The output of this command can be redirected to a file and may be requested by Sun's Support services if you encounter problems with your Screen.
ssadm lib/statetables -f Command
ssadm lib/statetables -f causes the Screen to flush (discard) all of its connection state information. This causes all previously active connections through the Screen to be effectively disconnected.
This command is often useful after activating a modified policy that disallows some traffic that was previously allowed. Without running ssadm lib/statetables -f, you allow any previously existing connections to remain active even if the new policy does not allow them. By running ssadm lib/statetables -f, you cause all previously existing connections to be disconnected and the active policy will apply to any subsequent connections.
ssadm lib/support Command
ssadm lib/support provides various diagnostic and status information that can be useful when requesting customer support for the SunScreen product.
Usage:
ssadm lib/support function parameters...
This information may be requested by Enterprise Services if you encounter problems with your Screen.
Note -
If you have any support issues, call your authorized service provider. For further information about support, use the following URL to contact Sun's Support services: http://www.sun.com/service/support/index.html.
The major functions are shown in TABLE B-7
Table B-7 Support Command Functions|
Functions |
Description |
|---|---|
|
config |
Bring over configuration files for the active policy |
|
date |
Set and get current time/date (SET DATE WITH CAUTION!) |
|
disks |
Check disk space (df -k) |
|
eeprom |
Check eeprom settings |
|
findcore |
Check if a core file exists |
|
help |
Prints a listing of functions available for this command |
|
last |
Check boot history (last) |
|
packages |
Check pkginfo and patch history |
|
procs |
Check processes (ps -elf) |
|
skip |
Check contents of /etc/skip/ directory |
|
stats |
Check the kernel networking statistics (netstat -k) |
|
streams |
Check the STREAMS statistics (netstat -m) |
|
versions |
Bring over version information on major SunScreen components |
ss_client Command
ss_client is equivalent to the command of the same name provided with earlier SunScreen firewall products, such as SunScreen EFS, Release 2.0, or SunScreen SPF-200. ss_client is provided only for the purpose of remotely administering such products using the SunScreen system as a remote Administration Station.
Usage: ss_client hostname command
For information on how to use ss_client to administer an earlier SunScreen firewall product, see the documentation for that product.
ssadm SKIP Commands
ssadm lib/skipca
ssadm lib/skipd_restart
ssadm lib/skipdb
ssadm lib/skiplocal
ssadm lib/skipstat
These commands provide access to the command-line administration tools of the SunScreen SKIP software. They are primarily useful when a Screen is not physically accessible or does not allow logging in over the network and you want to configure SKIP using the ssadm command with the -r option from a remote Administration Station.
See the corresponding commands in the SunScreen SKIP 1.5.1 User's Guide for information on the parameters.
Configuration Editor
The configuration editor is the primary command-line tool for creating and manipulating the objects that control the operation of a Screen.
Configuration Editor Data Model
TABLE B-8 lists the data types that compose the Data Model as maintained by the configuration editor (ssadm edit) and the ssadm policy command.
Table B-8 Configuration Editor Object Type Name Summary|
Object Type Name |
Storage |
Access Method |
Description |
|---|---|---|---|
|
address |
common |
named |
Describe addresses of network elements |
|
screen |
common |
named |
Describe Screen objects and their relationships |
|
state engine |
common (read only) |
named |
Describe filtering capabilities of packet filter engine. |
|
service |
common |
named |
Define network services that can be filtered |
|
interface |
common |
named |
Describe network interfaces of a Screen. |
|
certificate |
common |
named |
Refer to certificate used for SKIP connections |
|
time |
common |
named |
Define time intervals for time-dependent rules |
|
authuser |
external |
named |
Describe users for administration and/or proxy access |
|
proxyuser |
external |
named |
Describe users for proxy access |
|
jar_hash |
external |
named |
Describe Java archive hash (for HTTP proxy applet filtering) |
|
jar_sig |
external |
named |
Describe Java archive signature (for HTTP proxy applet filtering) |
|
logmacro |
external |
named |
Define macro files |
|
mail_relay |
external |
named |
Describe mail relays (for SMTP proxy mail filtering) |
|
mail_spam |
external |
named |
Describe spam domains (for SMTP proxy mail filtering) |
|
policy |
policy list |
named |
Provide multiple, named polices for storing different configurations |
|
filter rule |
policy |
ordered |
Describe network traffic flow policy |
|
nat rule |
policy |
ordered |
Describe NAT translations |
|
local access rule |
policy |
ordered |
Describe who can access the Screen for local administration and what they can do. |
|
remote access rule |
policy |
ordered |
Describe who can access the Screen for remote administration and what they can do. |
|
VPN gateway |
policy |
ordered |
Describe how VPN hosts are protected behind certificates and tunnels |
|
VPN |
policy |
ordered |
Virtual object representing a collection of VPN gateways |
Object types marked as having common storage in the table are normally stored in the common objects registry that is not part of any particular policy. These objects are used by all policies, so changes to the common objects can affect the behavior of multiple policies. To edit the common objects, it is necessary to specify a policy name when starting the configuration editor even if you are not modifying any policy objects.
Object types marked as having policy storage in the table are stored as part of a policy. Policy objects often refer to common objects and, therefore, can have different meaning depending on the value of common objects. For example, a policy can contain a rule object that allows address A to communicate with address B. The address objects A and B are defined in the common objects.
Object types marked as having external storage in the table are almost equivalent to common objects, but they are stored in a separate database that is not affected by the quit, reload, or save commands. Changes to these objects are always immediate, and persist even if the save command is not used.
Object types marked as having policy list storage in the table represents the names of the policies themselves. Minimal capabilities are provided by the configuration editor to manage the policy. A policy currently being edited can be saved or cloned (or portions of it) into a new policy. Other policy requests, such as add, delete, and rename are provided by the ssadm policy command.
Configuration Editor Commands
The ssadm edit commands are used when running the configuration editor, which is responsible for maintaining the SunScreen configuration database.
TABLE B-9 lists the SunScreen configuration editor ssadm edit subcommands and their descriptions. Many subcommands duplicate administration GUI functions, while others provide a context for other subcommands.
Table B-9 SunScreen Configuration Editor ssadm edit Subcommand Summary|
edit Subcommand |
Description |
|---|---|
|
add |
Create or redefine an entry. |
|
add_member |
Add member to an Address, Certificate, or Service group. |
|
authuser |
Manipulate the list of authorized users. |
|
del[ete] |
Delete the specified entry of the given TYPE. |
|
del[ete]_member |
Delete member from an Address, Certificate, or Service group. |
|
insert |
Insert a new object of one of the ordered (indexed) types in a specified position in the corresponding list. |
|
jar_hash |
Manipulate the list of JAR hashes used by the HTTP proxy. |
|
jar_sig |
Manipulate the list of JAR signatures used by the HTTP proxy. |
|
list |
Display all data for all entries or a specific entry of a given TYPE. |
|
list_name |
Display the set of unique basenames and subtype of all of a given TYPE. |
|
load |
Load a policy into the configuration editor. |
|
lock |
Lock the Registry and policy in anticipation of performing edits. |
|
lock_status |
Return the status of the lock relative to this editor. |
|
mail_relay |
Manipulate the list of mail relays used by the SMTP proxy. |
|
mail_spam |
Manipulate the list of spam domains used by the SMTP proxy. |
|
move |
Move an indexed entry from its current location in the ordered list to the new location. |
|
proxyuser |
Manipulate the list of proxy users. |
|
refer |
Determine if a named object of a given TYPE is referred to in the Registry or the current policy. |
|
referlist |
Display a list of all entries in the Registry or the current policy that refer to a specified named-object of a given TYPE. |
|
reload |
Discard any and all edits, if made, and reload the data into the editor from the database. |
|
rename |
Rename a specified named-object of a given TYPE. |
|
renamereference |
Rename all references to a specified named-object of a given TYPE. |
|
replace |
Replace an object at a specified index. |
|
save |
Save all current edits to the Registry and policy. |
|
saveas |
Saves the data currently in the editor under new name. |
|
search |
Search the Registry for objects that match specified criteria. |
|
vars |
Manipulates variables used for RADIUS configuration. |
|
verify |
Takes no arguments and verifies the currently loaded policy. |
|
quit |
Cause the editor to terminate if there are no unsaved changes. |
|
QUIT |
Cause the editor to terminate even if there are unsaved changes. |
In the following command descriptions, when the name of an object of a particular TYPE is required, it is indicated by name_TYPE. If an index is needed, it is indicated by #. A keyword that was required in previous SunScreen releases but is now optional, is indicated by KEYWORD.
add Subcommand
Creates or redefines an entry.
Usage:
add TYPE parameters...
If a named-type is specified and an entry with that name already exists, it is replaced with the new entry. If it does not exist, one is created with the new name. All of the following have a similar request of add_nocheck, which does not perform consistency checking.
add address Subcommand
add address "name_ADDRESS" <HOST> #.#.#.#
add address "name_ADDRESS" <RANGE> #.#.#.# #.#.#.#
add address "name_ADDRESS" <GROUP> { "name_ADDRESS" ... } { "name_ADDRESS" ... }
The following fields are optional and can be specified in any order after the address keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
Note -
The addresses * and localhost are reserved and cannot be edited.
add screen Subcommand
add screen "name_SCREEN"
The following fields are optional and can be specified in any order after the screen keyword:
MASTER "name_SCREEN"
HA_PRIMARY
HA_SECONDARY
TIMEOUT #
SNMP #.#.#.# ... (list can be empty; not output if empty list)
SNMP_TIMER # (if SNMP is set)
CDP {"on" if present, "off" otherwise}
RIP {"on" if present, "off" otherwise}
DNS {"on" if present, "off" otherwise}
NIS {"on" if present, "off" otherwise}
LOGSIZE # {default is 100 MBytes if not present}
STEALTH_NET #.#.#.# #.#.#.# {Network and Netmask for stealth type Interfaces}
HA_IP #.#.#.# (required if HA_PRIMARY is set)
HA_ETHER xx:xx:xx:xx:xx:xx (required if HA_PRIMARY is set)
COMMENT "comment string"
If the Screen is to be a part of an HA cluster, and administered remotely, then the following fields must be specified as well. They can be specified in any order after the screen keyword:
ADMIN_IP #.#.#.# or name_ADDRESS
ADMIN_CERTIFICATE "name_CERTIFICATE"
KEY "name_KEY_ALGORITHM"
DATA "name_DATA_ALGORITHM"
MAC "name_MAC_ALGORITHM"
COMPRESSION "name_COMPRESSION_ALGORITHM"
TUNNEL "name_ADDRESS"
The screen * is reserved and cannot be edited.
add service Subcommand
add service "name_SERVICE" <SINGLE> filter ...
add service "name_SERVICE" GROUP "name_SERVICE" ...
For SINGLE services, a list of Filters follows the SINGLE keyword. The list must not be empty. Each Discriminator list also must not be empty. A Filter is of the form:
FORWARD "name_STATEENGINE" discriminator ...
REVERSE "name_STATEENGINE" discriminator ...
An individual discriminator is as follows:
PORT #
PORT #-# (Note, no space is allowed before or after the - character)
BROADCAST #
BROADCAST #-#
An optional parameter for discriminators, which appears immediately after the number or range it modifies, is:
PARAMETERS space-separated list of #
For GROUP services, a space-separated list of "name_SERVICE" entries follows the GROUP keyword.
The following fields are optional and can be specified in any order after the service keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
add interface Subcommand
add interface "name_INTERFACE" type "name_ADDRESS"
type must be one of ADMIN, DISABLED, ROUTING, HA, or STEALTH.
The following fields are optional for stealth interface types and can be specified in any order after the interface keyword. Up to 5 ROUTERs per stealth interface can be specified. More can be specified, but only 5 (no guarantee in which order) are used by the system.
ROUTER #.#.#.#
The following fields are optional for all interface types and can be specified in any order after the "interface" keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
The following fields are optional for all interface types except DISABLED and can be specified in any order after the interface keyword.
LOG NONE {default if no LOG is specified}
LOG SUMMARY LOG DETAILED
ICMP NONE
ICMP NET_UNREACHABLE
ICMP HOST_UNREACHABLE
ICMP PORT_UNREACHABLE
ICMP NET_FORBIDDEN
ICMP HOST_FORBIDDEN
SNMP {"on" if present, "off" otherwise}
add certificate Subcommand
add certificate "name_CERTIFICATE" SINGLE NSID # MKID "#"
add certificate "name_CERTIFICATE" GROUP "name_CERTIFICATE" ...
For GROUP certificates, a space-separated list of name_CERTIFICATE entries follows the GROUP keyword.
The following fields are optional for SINGLE entries and may be specified in any order after the certificate keyword:
G #
P #
KEY_LENGTH #
LOCAL "name_SCREEN"
The following fields are optional and can be specified in any order after the "certificate" keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
add time Subcommand
add time "name_TIME"
The following fields are optional and can be specified in any order after the time keyword:
EVERYDAY
SUNDAY
MONDAY
TUESDAY
WEDNESDAY
THURSDAY
FRIDAY
SATURDAY
SCREEN "name_SCREEN"
COMMENT "comment string"
The time object * cannot be modified.
Following any of the *DAY keywords can be a time of day specification in the form {timespec ...} . timespec is a time range in the form:
Start Hour:Start Minute Stop Hour:Stop Minute
Examples are: { 1:00 2:30 } and { 1:00 2:30 4:00 6:00 }. Twenty-four-hour time format is used, so the valid times are 0:00 (starting at midnight) through 24:00 (ending at midnight).
add rule Subcommand
add rule "name_SERVICE" name_ADDRESS
Appends the rule to the end of the list of rules in the policy. insert rule should be used to position a new rule into an existing policy.
The following fields are optional and can be specified in any order after the rule keyword:
ALLOW {default if no ACTION specified}
DENY
LOG NONE {also LOG_NONE, default if no LOG is specified}
LOG SUMMARY {also LOG_SUMMARY}
LOG DETAILED {also LOG_DETAILED}
LOG SESSION {also LOG_SESSION, only valid for ALLOW rules, will be error for DENY}
SNMP {"on" if present, "off" otherwise}
USER "name_USER" {only used if PROXY_FTP or PROXY_Telnet set below }
TIME "name_TIME"
SCREEN "name_SCREEN"
COMMENT "comment string"
The following combo-field is optional and only valid in a rule that has ALLOW specified. It can be specified anywhere after the rule keyword:
SKIP_VERSION_1 "name_CERTIFICATE" "name_CERTIFICATE" "name_KEY_ALGORITHM" "name_DATA_ALGORITHM"
SKIP_VERSION_2 "name_CERTIFICATE" "name_CERTIFICATE" "name_KEY_ALGORITHM" "name_DATA_ALGORITHM" "name_MAC_ALGORITHM" "name_COMPRESSION_ALGORITHM"
The following fields are optional and only valid within a SKIP_VERSION_1 or SKIP_VERSION_2 combo-field. They can be specified in any order after the SKIP_VERSION_# keyword:
SOURCE_TUNNEL "name_ADDRESS"
DESTINATION_TUNNEL "name_ADDRESS"
The following field is optional and only valid in a rule that has DENY specified. It can be specified anywhere after the rule keyword:
ICMP NONE {also ICMP_NONE, default if nothing is specified}
ICMP NET_UNREACHABLE {also ICMP_NET_UNREACHABLE}
ICMP HOST_UNREACHABLE {also ICMP_HOST_UNREACHABLE}
ICMP PORT_UNREACHABLE {also ICMP_PORT_UNREACHABLE}
ICMP NET_FORBIDDEN {also ICMP_NET_FORBIDDEN}
ICMP HOST_FORBIDDEN {also ICMP_HOST_FORBIDDEN}
The following field is optional and only valid in a rule that has ALLOW specified and NO SKIP information. It can be specified anywhere after the rule keyword:
VPN "name_VPN"
The following fields are optional and only valid in a rule that has not specified any SKIP information and no VPN. They can be specified anywhere after the rule keyword. Only one of them can be specified in a given rule.
PROXY_FTP
PROXY_HTTP
PROXY_SMTP
PROXY_Telnet
The following fields are optional and only valid in a rule that has specified PROXY_FTP. They can be specified anywhere after the PROXY_FTP keyword:
FTP_GET
NO_FTP_GET {default if FTP_GET not specified}
FTP_PUT
NO_FTP_PUT (default if FTP_PUT not specified}
FTP_CHDIR
NO_FTP_CHDIR {default if FTP_CHDIR not specified}
FTP_MKDIR
NO_FTP_MKDIR {default if FTP_MKDIR not specified}
FTP_RENAME
NO_FTP_RENAME {default if FTP_RENAME not specified}
FTP_REMOVE_DIR
NO_FTP_REMOVE_DIR {default if FTP_REMOVE_DIR not specified}
FTP_DELETE
NO_FTP_DELETE {default if FTP_DELETE not specified}
The following fields are optional and only valid in a rule that has specified PROXY_HTTP. They can be specified anywhere after the PROXY_HTTP keyword:
COOKIES
NO_COOKIES {default if COOKIES not specified}
ACTIVE_X
NO_ACTIVE_X {default if ACTIVE_X not specified}
SSL
NO_SSL {default if SSL not specified}
JAVA_SIGNATURE
JAVA_HASH
JAVA_SIGNATURE_HASH
JAVA
NO_JAVA {default if no other JAVA setting is specified}
The following fields are optional and only valid in a rule that has specified PROXY_SMTP. They can be specified anywhere after the PROXY_SMTP keyword: RELAY
NO_RELAY {default if RELAY not specified}
add nat Subcommand
add nat STATIC "name_ADDRESS" "name_ADDRESS" "name_ADDRESS" "name_ADDRESS"
add nat DYNAMIC "name_ADDRESS" "name_ADDRESS" "name_ADDRESS" "name_ADDRESS"
The following fields are optional and can be specified in any order after the nat keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
add accesslocal Subcommand
add accesslocal USER "name_USER"
The following fields are optional and can be specified in any order after the accesslocal keyword:
SCREEN "name_SCREEN"
COMMENT "comment string"
add accessremote Subcommand
add accessremote USER "name_USER" "name_ADDRESS" SKIP_VERSION_1 "name_CERTIFICATE" "name_KEY_ALGORITHM" "name_DATA_ALGORITHM"
add accessremote USER "name_USER" "name_ADDRESS" SKIP_VERSION_2 "name_CERTIFICATE" "name_KEY_ALGORITHM" "name_DATA_ALGORITHM" "name_MAC_ALGORITHM" "name_COMPRESSION_ALGORITHM"
The following field is optional for accessremote entries. It can be specified in any order after the accessremote keyword:
TUNNEL "name_ADDRESS" { if the remote machine is using tunneling }
The following fields are optional and can be specified in any order after the accesslocal/accessremote keyword:
PERMISSION ALL
PERMISSION WRITE
PERMISSION READ
PERMISSION STATUS
PERMISSION NONE { default if no PERMISSION is specified }
SCREEN "name_SCREEN"
COMMENT "comment string"
add vpngateway Subcommand
add vpngateway "name_VPN" "name_ADDRESS" SKIP "name_CERTIFICATE"
The following fields are required and can be specified in any order after the vpngateway keyword:
KEY "name_KEY_ALGORITHM"
DATA "name_DATA_ALGORITHM"
MAC "name_MAC_ALGORITHM"
COMPRESSION "name_COMPRESSION_ALGORITHM"
The following fields are optional and can be specified in any order after the "vpngateway" keyword:
TUNNEL "name_ADDRESS"
COMMENT "comment string"
add_member Subcommand
Adds a member to a group or list.
Usage:
add_member address "name_ADDRESS" "name_ADDRESS"* { add to include list }
add_member address "name_ADDRESS" EXCLUDE "name_ADDRESS"* { add to exclude list }
add_member service "name_SERVICE" "name_SERVICE"*
add_member certificate "name_CERTIFICATE" "name_CERTIFICATE"*
Note -
* denotes that multiple space-separated names can be specified in a single request.
The following field may be necessary to uniquely identify an entry. If so, it can be specified after the TYPE keyword:
SCREEN "name_SCREEN"
authuser Subcommand
Manipulates the list of authorized users.
Usage:
authuser add name parameters...
authuser delete name
authuser print
delete Subcommand
Deletes the specified entry of the given TYPE.
Usage:
del[ete] address "name_ADDRESS"
*del[ete] screen "name_SUNSCREEN"
del[ete] service "name_SERVICE"
del[ete] interface "name_INTERFACE"
del[ete] certificate "name_CERTIFICATE"
del[ete] time "name_TIME"
*del[ete] rule #
*del[ete] nat #
*del[ete] accesslocal #
*del[ete] accessremote #
*del[ete] vpngateway #
The following field may be necessary to uniquely identify an entry. If so it can be specified after the TYPE keyword, except for the entries preceded by an * above:
SCREEN "name_SCREEN"
delete_member Subcommand
Deletes a member from a group or list.
Usage:
del[ete]_member address "name_ADDRESS" "name_ADDRESS"* { from include list }
del[ete]_member address "name_ADDRESS" EXCLUDE "name_ADDRESS"* { from exclude list }
del[ete]_member service "name_SERVICE" "name_SERVICE"*
del[ete]_member certificate "name_CERTIFICATE" "name_CERTIFICATE"*
Note -
* denotes that multiple space-separated names can be specified in a single request.
The following field may be necessary to uniquely identify an entry. If so it can be specified after the TYPE keyword:
SCREEN "name_SCREEN"
insert Subcommand
Inserts a new object of one of the ordered (indexed) types in a specified position in the corresponding list.
Usage:
insert rule # parameters...
insert nat # parameters...
insert accesslocal # parameters...
insert accessremote # parameters...
insert vpngateway # parameters...
Index indicates the position the new entry holds in the list after it is inserted. The same syntax used for add is used for insert, with the index coming immediately after the TYPE keyword.
jar_hash Subcommand
Manipulates the list of JAR hashes used by the HTTP proxy.
Usage:
jar_hash add name hash
jar_hash delete name
jar_hash rename oldname newname
jar_hash list
jar_hash list_names
TABLE B-10 describes the functions for this command.
Table B-10 Functions for jar_hash Subcommand|
Functions |
Description |
|---|---|
|
add |
Adds an entry to the jar_hash database. |
|
del |
Deletes an entry from the jar_hash database. |
|
list |
Lists the entries in the jar_hash database. |
|
list_names |
Lists the names of the entries in the jar_hash database. |
|
rename |
Rename an entry in the jar_hash database. |
jar_sig Subcommand
Manipulates the list of JAR signatures used by the HTTP proxy.
Usage:
jar_sig add name sig-hash
jar_sig delete name
jar_sig rename oldname newname
jar_sig list
jar_sig list_names
TABLE B-11 describes the functions for this command.
Table B-11 Functions for jar_sig Subcommand|
Functions |
Description |
|---|---|
|
add |
Adds an entry to the jar_sig database. |
|
del |
Deletes an entry from the jar_sig database. |
|
list |
Lists the entries in the jar_sig database. |
|
list_names |
Lists the names of the entries in the jar_sig database. |
|
rename |
Renames an entry in the jar_sig database. |
list Subcommand
Displays all data for all entries or a specific entry of a given TYPE. The format of the output is the same as the syntax of the corresponding Add TYPE request.
Usage:
*list address
list address "name_ADDRESS"
*list screen
*list screen "name_SCREEN"
*list service
list service "name_SERVICE"
*list stateengine
*list stateengine "name_STATEENGINE"
*list interface
list interface "name_INTERFACE"
*list certificate
list certificate "name_CERTIFICATE"
*list time
list time "name_TIME"
*list rule
*list rule #
*list nat
*list nat #
*list accesslocal
*list accesslocal #
*list accessremote
*list accessremote #
*list vpngateway
*list vpngateway #
The following field is optional and can be specified after the TYPE keyword in any of the above requests except those that are preceded by an * .
SCREEN "name_SCREEN"
If no SCREEN option is present, only entries not associated with a specific SCREEN are listed. If the SCREEN option value is * , then all entries that otherwise match are displayed. Requests that do not specify a name always display all entries of the given type.
list_name Subcommand
Displays the set of unique basenames and subtype of all of a given TYPE. These are the values that can be used when another object refers to an object of the specified TYPE.
Usage:
list_name TYPE
TYPE can be any of address, screen, service, state engine, interface, certificate, time, or vpn.
load Subcommand
Loads a policy into the configuration editor.
Usage:
load "name_POLICY"
Any edits to the current policy must be saved or discarded before this operation will succeed.
lock Subcommand
ssadm lock manipulates the lock that protects a policy from simultaneous modification by multiple administrators.
Usage:
ssadm lock -w policy
ssadm lock -c policy
ssadm lock -w prints a line of text describing the status of the lock.
ssadm lock -c forcibly breaks the lock and attempts to terminate (with a SIGHUP signal) the previous holder of the lock.
For example:
# ssadm lock -w Initial Lock held by admin@198.41.0.6 process id:8977 # ssadm lock -c Initial # ssadm lock -w Initial Lock available |
lock_status Subcommand
Returns the status of the Lock relative to this editor. If this editor holds a lock, the type of lock is returned. If it does not hold a lock, another process acquired a WRITE lock, in which case, if that WRITE lock is still in effect, information about that WRITER is presented. If that WRITE lock is no longer in effect, then Lock available is returned.
Usage:
lock_status
search Subcommand
Searches the Registry for objects that match specified criteria.
Usage:
search TYPE [SCREEN "name_SCREEN"] [ SUBTYPE subtype ] <EXACT> Substring...
TYPE can be any of address, screen, service, stateengine, interface, certificate, or time. SUBTYPE values depend upon the TYPE being searched according to TABLE B-12.
Table B-12 Search TYPE|
TYPE |
SUBTYPE |
|---|---|
|
address |
HOST, RANGE, GROUP |
|
certificate |
SINGLE, GROUP |
|
interface |
ADMIN, DISABLED, ROUTING, HA, STEALTH |
|
screen |
|
|
service |
SINGLE, GROUP |
|
stateengine |
|
|
time |
|
The EXACT keyword requires a substring be specified and will on match entries whose name is an exact match.
move Subcommand
Moves an indexed entry from its current location in the ordered list to the new location.
Usage:
move rule # #
move nat # #
move accesslocal # #
move accessremote # #
move vpngateway # #
replace Subcommand
Replaces an object at a specified index.
Usage:
replace rule # parameters...
replace nat # parameters...
replace accesslocal # parameters...
replace accessremote # parameters...
replace vpngateway # parameters...
replace is similar to insert, except it replaces the entry at the specified index. It is shorthand for an insert n / del n+1 pair of requests. The same syntax used for add is used for replace, with the index coming immediately after the TYPE keyword.
refer Subcommand
Determines if a named objects of a given TYPE is referred to in the common data or the current policy.
Usage:
refer address "name_ADDRESS"
refer screen "name_SCREEN"
refer service "name_SERVICE"
refer stateengine "name_STATEENGINE"
refer certificate "name_CERTIFICATE"
refer time "name_TIME"
refer vpn "name_VPN"
referlist Subcommand
Displays a list of all entries in the common objects and/or the current policy that refer to a specified named-object of a given TYPE.
Usage:
referlist address "name_ADDRESS"
referlist screen "name_SCREEN"
referlist screen "name_SCREEN"
referlist service "name_SERVICE"
referlist stateengine "name_STATEENGINE"
referlist certificate "name_CERTIFICATE"
referlist time "name_TIME"
referlist vpn "name_VPN"
rename Subcommand
Renames a specified named-object of a given TYPE.
Usage:
rename address "name_ADDRESS" "name_ADDRESS"
*rename screen "name_SCREEN" "name_SCREEN"
rename service "name_SERVICE" "name_SERVICE"
rename interface "name_INTERFACE" "name_INTERFACE"
rename certificate "name_CERTIFICATE" "name_CERTIFICATE"
rename time "name_TIME" "name_TIME"
The following field may be necessary to uniquely identify an entry. If so it can be specified after the TYPE keyword except for the entries preceded by an * above:
SCREEN "name_SCREEN"
If an entry already exists with the new name, it is replaced by this operation.
renamereference Subcommand
Renames all references to a specified named-object of a given TYPE.
Usage:
renamereference address "name_ADDRESS" "name_ADDRESS"
renamereference screen "name_SCREEN" "name_SCREEN"
renamereference service "name_SERVICE" "name_SERVICE"
renamereference certificate "name_CERTIFICATE" "name_CERTIFICATE"
renamereference time "name_TIME" "name_TIME"
renamereference vpn "name_VPN" "name_VPN"
save Subcommand
Saves any current edits. It also creates a new version of the policy.
Usage:
save
save "name_POLICY"
If a name is specified, then the current policy is written to the new name, but the old policy remains the policy in the editor.
saveas Subcommand
Saves the data currently in the editor under a new name.
Usage:
saveas
saveas policy "name_POLICY"
saveas policy "name_POLICY" registry Registry
saveas policy "name_POLICY" registry "name_POLICY"
saveas policy registry Registry
These are the only supported legal requests. The first saves the current policy data under the new name with a reference to the current common objects. The second saves the policy data under the new name and overwrites the current common objects with whatever is currently in the editor. This may affect other policies and should be done with caution. The third saves the contents of the editor, policy objects and common objects, into a single self-contained policy file of the specified name. The last saves the common objects currently in the editor as the current common objects and may impact other policies and should be done with caution.
reload Subcommand
Discards any and all edits (if any were made) and reloads the data into the editor from the database. If another process has performed edits and saved them since the current editor process loaded its data, and the current editor process wants to perform edits, it must perform a reload first, to reacquire its read lock and ensure that no saved edits are lost.
Usage:
reload
verify Subcommand
Takes no arguments and verifies the currently loaded policy.
Usage:
verify
mail_relay Subcommand
Manipulates the list of mail relays used by the SMTP proxy.
Usage:
mail_relay parameters
mail_spam Subcommand
Manipulates the list of spam domains used by the SMTP proxy.
Usage:
mail_spam add domain-string
mail_spam del domain-string
mail_spam list
proxyuser Subcommand
Manipulates the list of proxy users.
Usage:
proxyuser add name parameters...
proxyuser delete name
proxyuser print
vars Subcommand
Manipulates variables used for RADIUS configuration.
Usage:
vars add variables
quit Subcommand
Causes the editor to terminate if there are no unsaved changes.
Usage:
quit
When the editor is used interactively, typing quit twice consecutively causes the editor to terminate even if there are unsaved changes.
QUIT Subcommand
QUIT (typed in upper case) causes the editor to terminate even if there are unsaved changes.
Usage:
QUIT
Network Monitoring and Maintenance
The following describes how to monitor and maintain your SunScreen.
Using the ssadm logdump Command
ssadm logdump is based on the Solaris snoop program and has similar characteristics. In addition to the packet information available with snoop, ssadm logdump also adds additional information such as the interface on which the packet was received and the reason that the packet was logged.
For details on the ssadm logdump command, refer to the ssadm-logdump man page.
To run ssadm logdump and display packets in the log.
# ssadm logdump -i logfile |
Where log_file is a log file that is downloaded from the Screen.
Using the ssadm debug_level Command
If you have access to the console on your SunScreen (through a serial line or directly connected CRT), you can use the ssadm debug_level command to control the printing of command debugging information from the SunScreen kernel.
If you type ssadm debug_level with no arguments, it displays the current debug-level mask. By default, this mask is 1, which means it only reports significant errors.
If you specify a hex number as an argument for ssadm debug_level, it sets the kernel debugging mask to that level. To get a list of debugging bit choices type:
# ssadm debug_level ? |
You select a ssadm debug_level mask by setting all of the debugging bits in which you are interested.
Probably the most useful of the ssadm debug_level debugging bit is DEFAULT_DROP. For example, if you type:
# ssadm debug_level 1001 |
any packets being dropped by SunScreen because they do not match any rule are reported. This is a quick way to see if the SunScreen is passing packets that you expect it to pass. You can also achieve this same result by setting the default action on the interface to LOG_SUMMARY or LOG_DETAIL and examine the logs.
Another useful debugging bit to set is STATE_CHANGE. This causes the kernel to report any additions or deletions from its internal state tables.
Some of the debugging bits produce a very large amount of output on a production Screen and should be used with caution. An example is ACTION, which reports execution of any PFL action.
Gathering Information From Your System to Report Support Issues
If you have any support issues, call your authorized service provider. For further information about support, use the following URL to contact Enterprise Services: http://www.sun.com/service/support/index.html.
It is helpful to first gather information describing your configuration. This information can be collected by saving the output of the following SunScreen support command. You invoke these commands for information that is useful in troubleshooting through the ssadm lib/support command.
The support command has the form: ssadm [ -r Screen_Name ] lib/support function parameters...
- © 2010, Oracle Corporation and/or its affiliates