IP Packets
SunScreen can filter IP packets by IP protocol type alone. This is useful in special situations such as passing non-TCP/UDP protocols or when data are being encrypted.
To pass IP packets by protocol type, you need to define a new service using either the ip, ip tunnel, ip mobile, or ip fwd state engine. Specify the protocol of the packets you wish to pass. Note that protocol is always specified in decimal notation. If you specify * for the protocol, this means to pass all IP packets regardless of protocol type.
There are several predefined services included, such as skip (IP protocols 79 and 57), ip tunnel, ip mobile, and ip fwd.
Caution - Using one of the above state engines, especially with protocol specified as * (any protocol), is very dangerous. They should only be used in special cases or if the data are part of an encrypted tunnel.
The predefined IP services do not pass broadcast traffic. If you wish to pass broadcast traffic, you must define a new service or add broadcast to the predefined service.
|
Service |
Source |
Destination |
Action |
|---|---|---|---|
|
ping |
Inside |
Outside |
accept |
|
icmp-unreach |
Outside |
Inside |
accept |
The above rules allow Inside machines to ping Outside machines, but not vice versa. It also allows ICMP unreachable packets to be sent from Outside machines to Inside machines. Note that the ping service allows packets in two directions (ping-request packets from Source to Destination and ping-response packets from Destination to Source) while the icmp-unreach service only allows packets to flow in one direction (from Source to Destination).
- © 2010, Oracle Corporation and/or its affiliates