SunScreen is shipped with a number of predefined network services. TABLE C-1 lists the services in SunScreen, along with the state engine and discriminator (port, RPC program number, or type) for each service. Parameters (state engine modifiers, such as time-outs) and BROADCAST are indicated where applicable.
Table C-1 SunScreen Services
Service | State Engine (forward filtering) | Discriminator | State Engine (reverse filtering) | Discriminator |
---|---|---|---|---|
echo | tcp | port 7 | | |
discard | tcp | port 9 | | |
systat | tcp | port 11 | | |
daytime | tcp | port 13 | | |
quote | tcp | port 17 | | |
chargen | tcp | port 19 | | |
ftp | ftp | port 21 | | |
telnet | tcp | port 23 | | |
smtp | tcp | port 25 | | |
time | tcp | port 37 | | |
whois | tcp | port 43 | | |
nicname | tcp | port 43 | | |
dns | tcp | port 53 | | |
| dns | port 53 | | |
tftp | udp | port 69, parameters (60 -1 7) | | |
gopher | tcp | port 70 | | |
finger | tcp | port 79 | | |
www | tcp | port 80 | | |
pop | tcp | ports 109-110 | | |
auth | tcp | port 113 | | |
ntp | udp | port 123 | | |
nntp | tcp | port 119 | | |
snmp | tcp | port 161 | | |
| udp | port 161 | | |
snmp traps | udp_datagram | port 162 | | |
rlogin | tcp | port 513 | | |
rsh | rsh | port 514 | | |
syslog | udp_datagram | port 514 | | |
printer | tcp | port 515 | | |
rip | udp_datagram | port 520; port 520 (BROADCAST) | | |
sqlnet | sqlnet | port 1521 | | |
archie | udp | port 1525, parameters (360 -1 0) | | |
certificate discovery | udp | port 1640, parameters (60 1 1) | | |
remote administration | tcp | ports 3852-3853 | | |
SecurID PIN | tcp | port 3855 | | |
HA administration | tcp | port 3856 | | |
HA heartbeat | ping | port 8 | | |
HA | tcp | port 3856 | | |
securid | udp | port 5500 | | |
securidprop | tcp | port 5510 | | |
real audio | realaudio | port 7070 | | |
traceroute | udp_datagram | ports 33430-34000 | icmp | type 11 |
| | | icmp | type 3 |
icmp echo-reply | icmp | type 0 | | |
icmp unreach | icmp | type 3 | | |
icmp quench | icmp | type 4 | | |
icmp redirect | icmp | type 5 | | |
icmp echo-request | icmp | type 8 | | |
router announcement | icmp | type 9; type 9 (BROADCAST) | | |
router solicitation | icmp | type 10; type 10 (BROADCAST) | | |
icmp exceeded | icmp | type 11 | | |
icmp params | icmp | type 12 | | |
icmp info | icmp | types 13 14 15 16 17 18 | | |
ping | ping | port 8 | | |
router discovery | icmp | type 10; type 10 (BROADCAST) | icmp | type 9; type 9 (BROADCAST) |
rstat | rpc_udp | program no. 100001 | | |
| pmap_udp | program no. 100001 | | |
rusers | rpc_udp | program no. 100002 | | |
| pmap_udp | program no. 100002 | | |
nfs prog | pmap_udp | program no. 100003 | | |
| udp | port 2049 | | |
| tcp | port 2049 | | |
nfs readonly prog | pmap_udp | program no. 100003 | | |
| nfsro | port 2049 | | |
ypserv | nis | program no. 100004 | | |
| pmap_nis | program no. 100004 | | |
| pmap_nis | program no. 100004 (BROADCAST) | | |
mountd | rpc_udp | program no. 100005 | | |
| pmap_udp | program no. 100005 | | |
ypbind | rpc_udp | program no. 100007 | | |
| pmap_udp | program no. 100007 | | |
wall | rpc_udp | program no. 100008 | | |
| pmap_udp | program no. 100008 | | |
yppasswd | rpc_udp | program no. 100009 | | |
| pmap_udp | program no. 100009 | | |
rquota | rpc_udp | program no. 100011 | | |
| pmap_udp | program no. 100011 | | |
spray | rpc_udp | program no. 100012 | | |
| pmap_udp | program no. 100012 | | |
rex | rpc_udp | program no. 100017 | | |
| pmap_udp | program no. 100017 | | |
klm | rpc_udp | program no. 100020 | | |
| pmap_udp | program no. 100020 | | |
nlm | rpc_udp | program no. 100021 | rpc_udp | program no. 100021 |
| pmap_udp | program no. 100021 | pmap_udp | program no. 100021 |
status | rpc_udp | program no. 100024 | | |
| pmap_udp | program no. 100024 | | |
ypupdate | rpc_udp | program no. 100028 | | |
| pmap_udp | program no. 100028 | | |
nfs acl | rpc_udp | program no. 100227 | | |
| pmap_udp | program no. 100227 | | |
ospf | ip | type 89 (BROADCAST) | | |
skip | iptunnel | type 57 | | |
| | type 79 | | |
icmp all | icmp | * | | |
| | * (BROADCAST) | | |
ip all | ip | * | | |
ip mobile | ipmobile | * | | |
ip tunnel | iptunnel | * | | |
ip forward | ipfwd | * | | |
udp all | udpall | * | | |
tcp all | tcpall | ports 0-3850 | | |
| | ports 3854-65535 | | |
rpc all | rpc_udp | * | | |
rpc tcp all | rpc_tcp | * | | |
pmap udp all | pmap_udp | * (BROADCAST) | | |
pmap tcp all | pmap_tcp | * | | |
X11 | tcp | ports 6000-6063 | | |
pcnfsd | pmap_tcp | program no. 150001 | | |
| pmap_udp | program no. 150001 | | |
| rpc_tcp | program no. 150001 | | |
| rpc_udp | program no. 150001 | | |
automount | pmap_tcp | program no. 300019 | | |
| pmap_udp | program no. 300019 | | |
| rpc_tcp | program no. 300019 | | |
| rpc_udp | program no. 300019 | | |
ypxfrd | pmap_tcp | program no. 100069 | | |
| pmap_udp | program no. 100069 | | |
| rpc_tcp | program no. 100069 | | |
| rpc_udp | program no. 100069 | | |
exec | tcp | port 512 | | |
wais | tcp | port 210 | | |
uucp | tcp | port 540 | | |
irc | tcp | port 6670 | | |
| tcp | port 6680 | | |
VDOLive | tcp | port 7000 | udp | port 32649 |
| tcp | port 7010 | | |
CU See Me | udp_datagram | ports 7648-7652 | | |
Vosaic | tcp | port 1235 | udp_datagram | ports 61801-61820 |
| | | udp_datagram | ports 20000-20020 |
StreamWorks | udp_datagram | port 1558 | udp_datagram | port 1558 |
CoolTalk | tcp | ports 6499-6500 | udp_datagram | port 13000 |
| udp_datagram | port 13000 | | |
Backweb | udp | port 370, parameters (60 0 3) | | |
radius | udp | port 1645 | | |
ssl | tcp | port 443 | | |
who | udp_datagram | port 513 (BROADCAST) | | |
netstat | tcp | port 15 | | |
biff | udp_datagram | port 512 (BROADCAST) | | |
bootp | udp | port 67 (BROADCAST), parameters (60 0 3) | | |
kerberos | udp | port 88 | | |
ntp-tcp | tcp | port 123 | | |
netbios name | udp | port 137 | | |
netbios datagram | udp_datagram | port 138 | | |
netbios session | tcp | port 139 | | |
lpd | tcp | port 2766 | | |
echo-udp | udp | port 7 | | |
discard-udp | udp | port 9 | | |
time-udp | udp | port 37 | | |
daytime-udp | udp | port 13 | | |
tcp-high-ports | tcp | ports 1024-65535 | | |
udp-high-ports | udp | ports 1024-65535 | | |
esp | iptunnel | IP protocol 50 | | |
ah | iptunnel | IP protocol 51 | | |
isakmp | udp | port 500 | | |
ipv6 tunnel | iptunnel | IP protocol 41 | | |
Service information is stored in the common object registry. See "add service Subcommand" in Appendix B, Command-Line Reference.
The File Transfer Protocol (FTP) is used to copy files from one system to another. FTP is designed to work between hosts using different file structures and character sets.
SunScreen contains an ftp state engine to screen the FTP data connection. You specify the number for the FTP control port; the number for the FTP data port is one less than the FTP control port number. The predefined FTP service definition, ftp, uses the standard FTP control port number (21) and data connection port number (20).
FTP control connections time out after a period of inactivity. The FTP server typically closes the connection before this inactivity timeout occurs; however, if the timeout period elapses, the quit command can take 60 seconds or more to complete. During this time, FTP packets may be logged.
The ftp service supports both PASV and standard FTP connections. By default, ftp service verifies that the FTP data port is 20 for standard FTP connections. To communicate with FTP servers that do not use port 20 for the data port, modify the ftp service definition to set its three parameters to: 600 600 1. The first parameter is the control session timeout (600 seconds). The second parameter is the data session timeout (600 seconds). The third parameter is a flag; a value of 1 specifies that the system will not verify that the FTP data port is 20.
Note that this does not affect PASV FTP sessions, because they never use port 20 for the data connection.
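The following Python model of the ftp state engine's data-connection check is an added example, not SunScreen code. It derives the expected data connection from the PORT command (active mode) or the 227 reply (PASV mode), applies the data port = control port - 1 rule and the third parameter exactly as described above, and adds one check the page does not mention (the address announced in PORT must be the control client's own). The Conn and FtpService names, the function names and the constructed control session are assumptions.

```python
import re
from typing import NamedTuple, Tuple


class Conn(NamedTuple):
    """One TCP connection: (source host, source port, destination host, destination port)."""
    src: str
    sport: int
    dst: str
    dport: int


class FtpService(NamedTuple):
    """Hypothetical model of an ftp service definition: the control port plus the
    three parameters the page describes (control timeout, data timeout, and the
    flag that disables the data-port check)."""
    control_port: int = 21
    control_timeout: int = 600
    data_timeout: int = 600
    no_data_port_check: int = 0

    @property
    def data_port(self) -> int:
        # The page's rule: the data port is one less than the control port.
        return self.control_port - 1


PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _host_port(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT commands and 227 replies."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def data_conn_allowed(svc: FtpService, control: Conn, line: str,
                      from_client: bool, cand: Conn) -> Tuple[bool, str]:
    """Decide whether data connection `cand` may open, given the control
    connection `control` and the last control-channel line that could have
    announced a data connection (`from_client` says which side sent it)."""
    if from_client:
        m = PORT_RE.match(line)
        if not m:
            return False, "no PORT command seen on the control channel"
        host, port = _host_port(m.groups())
        # Extra check, not described on the page: the announced address must be
        # the control client's own. This also defeats FTP bounce attacks.
        if host != control.src:
            return False, "PORT names an address other than the client"
        # Active mode: the server opens from its data port to the PORT target.
        if cand.src != control.dst or (cand.dst, cand.dport) != (host, port):
            return False, "data connection endpoints do not match PORT"
        if not svc.no_data_port_check and cand.sport != svc.data_port:
            return False, f"server data port {cand.sport} is not {svc.data_port}"
        return True, "active-mode data connection"
    m = PASV_RE.match(line)
    if not m:
        return False, "no 227 reply seen on the control channel"
    host, port = _host_port(m.groups())
    if host != control.dst:
        return False, "227 names an address other than the server"
    # Passive mode: the client opens to the announced port. The data-port flag
    # never applies here, because PASV never uses control port - 1.
    if cand.src != control.src or (cand.dst, cand.dport) != (host, port):
        return False, "data connection endpoints do not match 227 reply"
    return True, "passive-mode data connection"


# Constructed sample control session (not a capture from the page).
CONTROL = Conn("10.0.0.5", 40000, "192.0.2.10", 21)
PORT_CMD = "PORT 10,0,0,5,156,65"                             # 156*256+65 = 40001
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"  # 195*256+80 = 50000

if __name__ == "__main__":
    active = Conn("192.0.2.10", 20, "10.0.0.5", 40001)
    print(data_conn_allowed(FtpService(), CONTROL, PORT_CMD, True, active))
    odd = active._replace(sport=2020)   # server not using port 20
    print(data_conn_allowed(FtpService(), CONTROL, PORT_CMD, True, odd))
    print(data_conn_allowed(FtpService(no_data_port_check=1), CONTROL, PORT_CMD, True, odd))
```

Setting the third parameter to 1 (the `600 600 1` case above) only relaxes the server-side source-port check for active mode; the endpoints announced in PORT are still enforced, and PASV sessions are unaffected either way.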
The traceroute service entry assumes that the UDP ports being used for traceroute are in the range of 33430-34000. If implementations of traceroute at your site use other ports, modify the port range as appropriate.
The ip all service is provided for backward compatibility with previous SunScreen products. You can achieve better performance by using either the ip forward (for IP traffic in one direction) or the ip tunnel (for IP traffic in both directions) services instead.
Example of the old way using ip all:
"ip all" host1 host2 allow
"ip all" host2 host1 allow
Example of the new way using ip tunnel:
"ip tunnel" host1 host2 allow
The ip mobile service is provided for use with mobile, remote clients. Like the ip tunnel service, ip mobile passes all IP traffic between a pair of addresses. Unlike the ip tunnel service, however, a rule specifying ip mobile forces the first connection to be made from the mobile client (a system with one of the addresses in Source Address).
Generally, ip mobile is used for SKIP-encrypted connections with the SKIP identity providing the authentication and access control. For example:
"ip mobile" Internet Mailhost SKIP-VERSION2
SunScreen can filter IP packets by IP protocol type alone. This is useful in special situations such as passing non-TCP/UDP protocols or when data are being encrypted.
If you want a Screen to pass IP packets by protocol type, you define a new service using either the ip, ip tunnel, ip mobile, or ip fwd state engine. Specify the protocol of the packets you wish to pass in decimal notation. If you specify * for the protocol, the service will pass all IP packets regardless of protocol type.
There are several predefined services included, such as skip (IP protocols 79 and 57), ip tunnel, ip mobile, and ip fwd.
Using one of these state engines with a protocol specification of * (any protocol) is dangerous, since it passes any traffic at all. Use them only in special cases or when the data are carried inside an encrypted tunnel.
The predefined IP services do not pass broadcast traffic. If you want to pass broadcast traffic, you must define a new service or add broadcast to the predefined service.
The VDOLive service definition requires that the VDOLive clients be set to use a fixed port, which is port 32649 by default. You can modify the service definitions so that VDOLive will use another port.
The CoolTalk service definition allows calls to be initiated but does not allow calls to be received. To receive calls, define a second rule with the addresses reversed. For example:
CoolTalk joe sam allow
CoolTalk sam joe allow
The nfs readonly service allows read-only access to the NFSv3.0 file system. Read-related functions, such as lookup, read, and access, are allowed. Functions that are not read-related, such as rename and write, are blocked; traffic is not permitted to pass under the nfs readonly rule.
Simple Mail Transfer Protocol (SMTP) is used to send electronic mail between two message transfer agents using TCP. SunScreen includes a predefined service definition, smtp, to send and receive SMTP mail on TCP port 25.
The World Wide Web provides a graphical user interface that enables users to browse a global network of services and documents. SunScreen contains a predefined service definition for WWW that passes TCP connections on port 80.
Not all WWW services on the Internet use port 80; many reside on ports with other numbers, such as 8000 or 8080. If you only allow outbound WWW access under the www service entry, users will not be able to connect to all WWW resources. To compensate, you can define a new TCP service that enumerates additional nonstandard WWW ports you want to allow, or you can allow TCP access to all ports outbound using the default service.
Do not use the tcp all service to enable inbound www access to your public Web servers. This opens up a large security hole and allows outside users access to any TCP service on your machines. Instead, since you know which port your Web server uses (generally 80), you should use a more restrictive service rule, such as the www service definition.
DNS traffic consists of both UDP and TCP traffic. SunScreen includes a state engine to handle the UDP DNS protocol. TCP DNS is handled through the normal TCP state engine. To screen DNS traffic, use the predefined dns service.
The Routing Information Protocol (RIP) is a dynamic routing protocol commonly used by Internet routers. RIP messages are carried in UDP datagrams. SunScreen includes a predefined service (rip) for passing RIP packets using the udp_datagram state engine with broadcast enabled. This means that a rule allows RIP packets (including broadcasts) from source to destination.
It is usually sufficient to enable RIP in the default rules that pass RIP between the routers and all other addresses. This lets the Screen send and receive RIP packets without restriction. If you want to restrict RIP traffic, do not enable RIP using the default access rules; instead, define rules for RIP based on your security policy. For example:
Service | Source | Destination | Action |
---|---|---|---|
rip | routers | * | allow |
rip | * | routers | allow |
SunScreen contains an sqlnet state engine to screen Oracle SQL*Net protocol. SQL*Net is Oracle's remote data access protocol that enables client-server and server-server communications across networks.
An Oracle client connects to the server using the port address of the listener, which is normally defined as TCP port 1521 during Oracle installation. sqlnet service is defined as using TCP port 1521. If Oracle is installed using a different port for the listener, you can modify the service definition for sqlnet service accordingly.
SQL*Net connections are established in two ways. An Oracle client connects to the listener using TCP port 1521, and the connection is established with the listener process. With Oracle multithreaded servers and prespawned server processes, the client connects to the listener on TCP port 1521. The listener issues a redirect message back to the client containing an IP address and port number, and the client connects to this redirected IP address and port.
SunScreen supports both types of SQL*Net connections.
SunScreen contains a service definition to handle RealAudio sessions. To screen RealAudio traffic, use the realaudio service.
SunScreen includes predefined services for screening ICMP packets such as ping. These services use the icmp state engine and allow ICMP ping request-and-response exchanges between a Source and Destination system. Use the predefined service ping if you want to provide ping access.
You can use the icmp state engine to create other services to pass ICMP messages of a specific type. Most of the common ICMP packets have entries in the predefined services, as shown in the following table:
Service | Source | Destination | Action |
---|---|---|---|
ping | Inside | Outside | allow |
icmp unreach | Outside | Inside | allow |
The above rules allow Inside machines to ping Outside machines, but block Outside machines from pinging Inside machines. They also allow ICMP unreachable packets to be sent from Outside machines to Inside machines. Note that the ping service allows packets in two directions (ping-request packets from Source to Destination and ping-response packets from Destination to Source), while the icmp unreach service only allows packets to flow in one direction (from Source to Destination).
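The rule semantics described on this page (ip tunnel passing both directions while ip forward passes one, ip mobile requiring the first packet from the mobile client, CoolTalk needing a reversed rule to receive calls, and ping being two-way while icmp unreach is one-way) can be made concrete with a small evaluator. The following Python is an added example, not SunScreen code; the Packet, Service and Screen names, the address groups, and the reduction of each service to a forward matcher plus an optional reverse matcher are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp", "udp", or "ip" for anything else
    icmp_type: int = -1
    dport: int = 0


Match = Callable[[Packet], bool]


@dataclass
class Service:
    """How a service treats the two directions of a rule."""
    forward: Match                      # packets Source -> Destination
    reverse: Optional[Match] = None     # Destination -> Source; None = one-way
    reverse_needs_state: bool = False   # ping: a reply needs a prior request
    first_from_src: bool = False        # ip mobile: Source must speak first


def icmp(t: int) -> Match:
    return lambda p: p.proto == "icmp" and p.icmp_type == t


def tcp_ports(*ports: int) -> Match:
    return lambda p: p.proto == "tcp" and p.dport in ports


def udp_port(port: int) -> Match:
    return lambda p: p.proto == "udp" and p.dport == port


def any_ip(p: Packet) -> bool:
    return True


# Direction semantics from the text; port numbers from Table C-1.
SERVICES: Dict[str, Service] = {
    "ping": Service(icmp(8), icmp(0), reverse_needs_state=True),
    "icmp unreach": Service(icmp(3)),
    "ip tunnel": Service(any_ip, any_ip),
    "ip forward": Service(any_ip),
    "ip mobile": Service(any_ip, any_ip, first_from_src=True),
    "CoolTalk": Service(lambda p: tcp_ports(6499, 6500)(p) or udp_port(13000)(p),
                        udp_port(13000)),
}

# Constructed address groups (assumed; the page only names the groups).
GROUPS: Dict[str, List[ipaddress.IPv4Network]] = {
    "Inside": [ipaddress.ip_network("10.0.0.0/8")],
    "Outside": [ipaddress.ip_network("203.0.113.0/24")],
    "host1": [ipaddress.ip_network("10.1.1.1/32")],
    "host2": [ipaddress.ip_network("203.0.113.2/32")],
    "joe": [ipaddress.ip_network("10.2.2.2/32")],
    "sam": [ipaddress.ip_network("203.0.113.3/32")],
}


def in_group(addr: str, group: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in GROUPS[group])


Rule = Tuple[str, str, str, str]   # (service, Source, Destination, action)


class Screen:
    """First-matching-rule evaluator with default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Tuple[str, str, str]] = set()   # (service, src, dst) seen forward

    def filter(self, p: Packet) -> str:
        for svc_name, src_grp, dst_grp, action in self.rules:
            svc = SERVICES[svc_name]
            if in_group(p.src, src_grp) and in_group(p.dst, dst_grp) and svc.forward(p):
                if action == "allow":
                    self.flows.add((svc_name, p.src, p.dst))
                return action
            if svc.reverse is None:
                continue                        # one-way service: no reverse match
            if in_group(p.src, dst_grp) and in_group(p.dst, src_grp) and svc.reverse(p):
                needs_flow = svc.reverse_needs_state or svc.first_from_src
                if needs_flow and (svc_name, p.dst, p.src) not in self.flows:
                    continue                    # no forward traffic yet; try later rules
                return action
        return "deny"
```

With the two rules from the table above, an echo reply from Outside is accepted only after the matching request left Inside, an unsolicited echo request from Outside is dropped, and a single "CoolTalk joe sam allow" rule lets joe call sam but not the reverse until the mirrored rule is added.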
IPsec Encapsulating Security Payload (esp) uses IP protocol 50 and is used for traffic that has been encrypted or authenticated using IPsec.
IPsec Authentication Header (ah) uses IP protocol 51 and is used for traffic that has been authenticated using IPsec.
The isakmp service carries the Internet Security Association and Key Management Protocol (UDP port 500), which IKE uses for key negotiation between security peers.
The ipv6 tunnel service uses IP protocol 41 and carries IPv6 packets encapsulated in IPv4 across an IPv4 network such as the Internet.
IPsec is a service group that comprises the three packet types (esp, ah, and isakmp) used in IPsec secure communication.
SunScreen screens TCP services by destination port numbers. Most common TCP services are already defined in the service entries supplied with SunScreen.
If you need to define a new TCP service, create a service entry that uses the tcp state engine and specify the destination TCP port or ports you wish to pass. If you specify * for the port, the service passes all TCP traffic regardless of port. Note that some services, such as FTP and RSH, cannot be passed in this way. They are not simple TCP protocols: they open additional connections in the reverse direction. Use their dedicated state engines (ftp, rsh) if you wish to pass them.
The tcp state engine times out unused and silent connections five hours after a connection has been established. Since some systems repeatedly retransmit until they receive an error about a terminated TCP connection, you should configure a rule using the tcp service to send an ICMP rejection message, especially on your internal interfaces.
For example, the following rule allows telnet connections to be made from Inside machines to Outside machines.
Service | Source | Destination | Action |
---|---|---|---|
telnet | Inside | Outside | allow |
SunScreen contains several state engines to handle UDP protocols:
udp - Provides stateful UDP packet filtering. Allows a single request-and-response exchange between source and destination. State entries time out in 20 seconds if no response is received.
udpall - Identical to udp. It is useful for avoiding conflicts while defining service groups containing many services.
udp_datagram - Passes UDP packets from source to destination. You can specify that broadcast packets should be passed.
udp_stateless - Allows UDP packets to be sent between source and destination. The UDP Port(s) field specifies the list of destination UDP ports that are allowed. The source UDP port must be an unreserved port. Note that this is a two-way exchange of UDP packets with no state kept. Because some services listen on unreserved port numbers, use of this state engine can open security holes; its use is not recommended.
For all UDP engines, you define a new service entry specifying the well-known destination UDP port. Specifying port * passes all UDP traffic.
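The difference between the UDP engines is easiest to see in a simulation. The Python below is an added example, not SunScreen code; the UdpRule class, the "client"/"server" address names and the datagrams are constructed for illustration, while the 20-second timeout and single-exchange behaviour of udp, the one-way and broadcast behaviour of udp_datagram, and the unreserved-port rule of udp_stateless follow the descriptions above. The last cases show the hole the page warns about: under udp_stateless, an unsolicited datagram from port 53 to an unreserved port such as 2049 is accepted, while the udp engine drops it.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

UDP_TIMEOUT = 20.0   # seconds: the udp engine's request-without-reply timeout
UNRESERVED = 1024    # ports >= 1024 are "unreserved"


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    broadcast: bool = False


Flow = Tuple[str, int, str, int]   # (src, sport, dst, dport)


class UdpRule:
    """One allow rule: Source `src` -> Destination `dst` on `dports`, screened by
    the named engine ('udp', 'udpall', 'udp_datagram' or 'udp_stateless')."""

    def __init__(self, engine: str, src: str, dst: str, dports: Iterable[int],
                 broadcast: bool = False):
        self.engine, self.src, self.dst = engine, src, dst
        self.dports, self.broadcast = set(dports), broadcast
        self.pending: Dict[Flow, float] = {}   # udp engine: requests awaiting one reply

    def _expire(self, now: float) -> None:
        for flow, t in list(self.pending.items()):
            if now - t > UDP_TIMEOUT:
                del self.pending[flow]

    def filter(self, d: Datagram, now: float) -> bool:
        self._expire(now)
        if d.broadcast:   # only udp_datagram with BROADCAST set passes these
            return (self.engine == "udp_datagram" and self.broadcast
                    and d.src == self.src and d.dport in self.dports)
        forward = d.src == self.src and d.dst == self.dst
        reverse = d.src == self.dst and d.dst == self.src
        if self.engine in ("udp", "udpall"):
            if forward and d.dport in self.dports:
                self.pending[(d.src, d.sport, d.dst, d.dport)] = now
                return True
            if reverse:
                request = (d.dst, d.dport, d.src, d.sport)
                if request in self.pending:   # exactly one reply per request
                    del self.pending[request]
                    return True
            return False
        if self.engine == "udp_datagram":
            return forward and d.dport in self.dports
        if self.engine == "udp_stateless":
            # Two-way by port numbers alone: nothing remembers what was asked.
            if forward:
                return d.dport in self.dports and d.sport >= UNRESERVED
            return reverse and d.sport in self.dports and d.dport >= UNRESERVED
        raise ValueError(f"unknown engine {self.engine}")
```

A udp rule for port 53 therefore admits one reply per query and nothing else; a udp_stateless rule for the same port admits any datagram a DNS server (or anything spoofing its address and port 53) sends to any internal port above 1023, which is where NFS, X11 and most RPC services live.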
SunScreen contains a state engine to handle the NTP protocol. The source and destination UDP ports numbers are fixed at port 123. To screen NTP traffic, use the ntp service. Broadcast NTP is not supported.
SunScreen contains a service definition to handle the Archie UDP protocol. To screen Archie traffic, use the archie service.
SunScreen contains a state engine to handle RPC protocols. It can safely screen RPC protocols as long as they register with the portmapper and do not use dynamic RPC program numbers.
To define a new RPC service, add a new service entry using both the rpc_udp and pmap_udp state engines, and specify the well-known RPC program number of the service you wish to pass. If you specify * for the RPC program, the service entry passes all RPC services, regardless of program number.
Several well-known RPC services, such as NFS and NIS, have been defined to include all the RPC and non-RPC protocols that these systems require.
Some NFS clients use the lock manager. Since a lock manager makes connections in both directions (to NFS server and from NFS server) you may need to use the nlm service when you allow NFS access.
Service | Source | Destination | Action |
---|---|---|---|
nfs | Inside | DMZ | allow |
nlm | DMZ | Inside | allow |
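How pmap_udp and rpc_udp cooperate, and why a program number is what the screen keys on, is shown by the following Python model, an added example and not SunScreen code. It builds and parses RPC v2 messages (AUTH_NULL credentials, XDR encoding, and the portmapper's GETPORT procedure as specified in RFC 1057) with struct, learns the port the portmapper announces for an allowed program, and then admits rpc_udp calls to that port only for that program. The RpcScreen class, its method names and the sample messages are assumptions; replies on the learned ports are left to the rpc_udp engine's own state and not modelled.

```python
import struct
from typing import Dict, Iterable, Tuple

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
PMAP_PORT = 111
MSG_CALL, MSG_REPLY = 0, 1
IPPROTO_UDP = 17


def rpc_call(xid: int, prog: int, vers: int, proc: int, args: bytes = b"") -> bytes:
    """RPC v2 CALL with AUTH_NULL credential and verifier (flavor 0, length 0)."""
    return struct.pack(">6I", xid, MSG_CALL, 2, prog, vers, proc) \
        + struct.pack(">4I", 0, 0, 0, 0) + args


def getport_call(xid: int, prog: int, vers: int, proto: int) -> bytes:
    """PMAPPROC_GETPORT: ask the portmapper where (prog, vers, proto) listens."""
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT,
                    struct.pack(">4I", prog, vers, proto, 0))


def getport_reply(xid: int, port: int) -> bytes:
    """MSG_ACCEPTED / SUCCESS reply with an AUTH_NULL verifier and the port."""
    return struct.pack(">6I", xid, MSG_REPLY, 0, 0, 0, 0) + struct.pack(">I", port)


def parse_call(data: bytes) -> Tuple[int, int, int, int, bytes]:
    """Return (xid, prog, vers, proc, args); raise on anything but an RPC v2 call."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", data, 0)
    if mtype != MSG_CALL or rpcvers != 2:
        raise ValueError("not an RPC v2 call")
    off = 24
    for _ in range(2):                        # skip credential and verifier
        _flavor, length = struct.unpack_from(">2I", data, off)
        off += 8 + ((length + 3) & ~3)        # opaque body is padded to 4 bytes
    return xid, prog, vers, proc, data[off:]


def parse_accepted_reply(data: bytes) -> Tuple[int, bytes]:
    """Return (xid, results) for a MSG_ACCEPTED / SUCCESS reply."""
    xid, mtype, reply_stat, _vflavor, vlen = struct.unpack_from(">5I", data, 0)
    if mtype != MSG_REPLY or reply_stat != 0:
        raise ValueError("not an accepted reply")
    off = 20 + ((vlen + 3) & ~3)
    (accept_stat,) = struct.unpack_from(">I", data, off)
    if accept_stat != 0:
        raise ValueError("call was not successful")
    return xid, data[off + 4:]


class RpcScreen:
    """pmap_udp plus rpc_udp screening for a set of RPC program numbers."""

    def __init__(self, programs: Iterable[int]):
        self.programs = set(programs)
        self.asked: Dict[int, Tuple[int, int]] = {}      # xid -> (prog, proto)
        self.learned: Dict[Tuple[int, int], int] = {}    # (port, proto) -> prog

    def to_server(self, dport: int, payload: bytes) -> bool:
        """Datagram from Source to Destination port `dport`."""
        try:
            xid, prog, _vers, proc, args = parse_call(payload)
        except (ValueError, struct.error):
            return False
        if dport == PMAP_PORT:                            # pmap_udp engine
            if prog != PMAP_PROG or proc != PMAPPROC_GETPORT or len(args) < 16:
                return False
            want_prog, _want_vers, proto, _port = struct.unpack_from(">4I", args, 0)
            if want_prog not in self.programs:
                return False                              # program not in the rule
            self.asked[xid] = (want_prog, proto)
            return True
        # rpc_udp engine: only to a port the portmapper announced for this program.
        return prog in self.programs and self.learned.get((dport, IPPROTO_UDP)) == prog

    def from_server(self, sport: int, payload: bytes) -> bool:
        """Portmapper reply from Destination port `sport` back to Source."""
        if sport != PMAP_PORT:
            return False
        try:
            xid, result = parse_accepted_reply(payload)
        except (ValueError, struct.error):
            return False
        if xid not in self.asked or len(result) < 4:
            return False                                  # reply nobody asked for
        prog, proto = self.asked.pop(xid)
        (port,) = struct.unpack_from(">I", result, 0)
        if port:                                          # 0 means "not registered"
            self.learned[(port, proto)] = prog
        return True
```

The model makes the page's caveat visible: a program that is never registered with the portmapper, or one whose number is assigned dynamically, never produces a GETPORT exchange the screen can learn from, so its calls are dropped even though the rule names the right service.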
Broadcast port mapping (NIS) is not supported for encrypted connections.