SunScreen 3.1 Reference Manual

Interface

The interface common object defines interfaces and specifies the actions a Screen should take when a packet that is received on that interface is rejected.

FIGURE 5-27 shows the Interface Definition dialog box.

Figure 5-27 Interface Definition Dialog Box

TABLE 5-27 describes the controls for the Interface Definition dialog box.

Table 5-27 Controls for the Interface Definition Dialog Box

Control / Description

Interface
    Specifies the interface.

Type
    Specifies the type of interface. The options are:

      • ROUTING

      • ADMIN

      • DISABLED

      • HA

      • STEALTH

Screen
    Specifies the Screen on which this interface physically resides. If you are using centralized management, you must complete this field.

Address Group
    Specifies the source IP addresses for this interface.

Logging
    Specifies how much of a packet is recorded in the log when a packet received on the interface does not match any rule. The options are:

      • NONE - Do not log packets.

      • SUMMARY - Record the first 40 bytes of the packet in the log.

      • DETAIL - Record the complete packet in the log.

    If a packet matches a rule, it is disposed of according to the action for the rule it matches.

SNMP Alerts
    Specifies whether the Screen should issue an SNMP alert message when a packet received on the interface does not match any rule. The options are:

      • SNMP_NONE - Do not send an SNMP alert message. (This is the default.)

      • SNMP - Send an SNMP alert message when a packet received on this interface is rejected.

    If a packet matches a rule, it is disposed of according to the action for the rule it matches.

ICMP Action
    Identifies the ICMP rejection message that is issued if a packet received on the interface is rejected. In most cases, the Screen rejects packets by sending an ICMP Destination Unreachable packet with the reject code set as specified in the ICMP action on the interface.

    The one exception is the PORT_UNREACHABLE ICMP action. In this case, the Screen rejects TCP packets by sending a TCP RESET packet and other packets by sending an ICMP Destination Unreachable (Port Unreachable) message.

    The options for the actions are:

      • NONE

      • NET_UNREACHABLE

      • HOST_UNREACHABLE

      • PORT_UNREACHABLE

      • NET_FORBIDDEN

      • HOST_FORBIDDEN

    If a packet matches a rule, it is disposed of according to the action for the rule it matches.

Comment
    (Optional) Provides a descriptive note about the Interface object.

Router IP Address
    (Optional) Specifies the router's IP address when the type of interface is STEALTH. This allows packets that have had their destination address changed, for example by NAT or tunnelling, to be sent to a router. You can specify as many as five router IP addresses. If you have stealth interfaces, define the router that does the routing for the subnet for at least one of them.

OK Button
    Stores the new or changed information and makes the Save Changes command button active.

Cancel Button
    Cancels any new or changed information.

Help Button
    Calls up the page of online help for this common object.
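The Logging, SNMP Alerts and ICMP Action controls above together decide what the Screen does with a packet that arrives on an interface and matches no rule. The following Python model is an added example written for this page; it is not SunScreen code. It assumes a hypothetical interface name (hme0), constructed packets, and a mapping of the action names to the standard ICMP Destination Unreachable codes from RFC 792 and RFC 1812; the manual names the actions but does not give the numeric codes. It also mirrors the dialog's fixed choice lists so that a misspelled option cannot be stored.

```python
# Added example (not SunScreen code): a small model of how the Interface
# object's Logging, SNMP Alerts and ICMP Action settings decide what happens
# to a packet that arrives on the interface and matches no rule.
from dataclasses import dataclass
from typing import Optional

INTERFACE_TYPES = {"ROUTING", "ADMIN", "DISABLED", "HA", "STEALTH"}
LOGGING_OPTIONS = {"NONE", "SUMMARY", "DETAIL"}
SNMP_OPTIONS = {"SNMP_NONE", "SNMP"}
ICMP_ACTIONS = {"NONE", "NET_UNREACHABLE", "HOST_UNREACHABLE",
                "PORT_UNREACHABLE", "NET_FORBIDDEN", "HOST_FORBIDDEN"}

# ICMP Destination Unreachable is ICMP type 3; the codes below are the
# standard ones from RFC 792 / RFC 1812.  That SunScreen uses exactly this
# mapping is an assumption of this example; the manual does not list codes.
ICMP_UNREACHABLE_CODES = {
    "NET_UNREACHABLE": 0,
    "HOST_UNREACHABLE": 1,
    "PORT_UNREACHABLE": 3,
    "NET_FORBIDDEN": 9,    # network administratively prohibited
    "HOST_FORBIDDEN": 10,  # host administratively prohibited
}
SUMMARY_BYTES = 40  # SUMMARY logging keeps the first 40 bytes of the packet


@dataclass
class Interface:
    """The fields of the Interface Definition dialog that matter here."""
    name: str
    type: str = "ROUTING"
    logging: str = "NONE"
    snmp_alerts: str = "SNMP_NONE"   # the manual's stated default
    icmp_action: str = "NONE"

    def __post_init__(self):
        # Reject values outside the dialog's fixed choice lists, so a
        # misspelled action such as "HOST_FORBBIDEN" cannot be stored.
        for label, value, allowed in (
            ("Type", self.type, INTERFACE_TYPES),
            ("Logging", self.logging, LOGGING_OPTIONS),
            ("SNMP Alerts", self.snmp_alerts, SNMP_OPTIONS),
            ("ICMP Action", self.icmp_action, ICMP_ACTIONS),
        ):
            if value not in allowed:
                raise ValueError(f"{label}: {value!r} not in {sorted(allowed)}")


@dataclass
class Packet:
    protocol: str   # "TCP", "UDP", "ICMP", ...
    data: bytes     # the raw packet bytes (constructed for the example)


@dataclass
class Disposition:
    logged: Optional[bytes]     # None, the first 40 bytes, or the whole packet
    snmp_alert: bool
    reject_with: Optional[str]  # None (silent drop), "TCP RST" or "ICMP type 3 code N"


def reject_response(icmp_action: str, protocol: str) -> Optional[str]:
    """Return the rejection message the Screen sends for a rejected packet."""
    if icmp_action == "NONE":
        return None
    # The one exception in the manual: PORT_UNREACHABLE answers TCP with a
    # TCP RST; every other case gets an ICMP Destination Unreachable.
    if icmp_action == "PORT_UNREACHABLE" and protocol == "TCP":
        return "TCP RST"
    return f"ICMP type 3 code {ICMP_UNREACHABLE_CODES[icmp_action]}"


def dispose_unmatched(iface: Interface, pkt: Packet) -> Disposition:
    """Apply the interface's settings to a packet that matched no rule."""
    if iface.logging == "SUMMARY":
        logged = pkt.data[:SUMMARY_BYTES]
    elif iface.logging == "DETAIL":
        logged = pkt.data
    else:
        logged = None
    return Disposition(
        logged=logged,
        snmp_alert=(iface.snmp_alerts == "SNMP"),
        reject_with=reject_response(iface.icmp_action, pkt.protocol),
    )


if __name__ == "__main__":
    # Constructed sample: a hypothetical interface and two 100-byte packets.
    hme0 = Interface("hme0", logging="SUMMARY", snmp_alerts="SNMP",
                     icmp_action="PORT_UNREACHABLE")
    tcp = Packet("TCP", bytes(range(100)))
    udp = Packet("UDP", bytes(range(100)))
    print(dispose_unmatched(hme0, tcp))   # 40 bytes logged, alert, TCP RST
    print(dispose_unmatched(hme0, udp))   # 40 bytes logged, alert, ICMP type 3 code 3
```

Two points the model makes visible: SUMMARY logging keeps only the first 40 bytes, which covers the IP and transport headers but little or no payload, so DETAIL is the setting to choose when the payload of rejected traffic must be preserved for investigation; and with PORT_UNREACHABLE the rejection a sender sees differs by protocol (a TCP RST for TCP, an ICMP code 3 for everything else), which matters when correlating what remote hosts observe with what the Screen logged.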