Choose a policy in the Policies List page.
Click the Edit button.
The Policy Rules page appears.
To display the controls on a tab, click the tab header. The following table describes the tabs that are available from the Policy Rules panel.
Table 3-2 Policy Rules Panel Tabs

| Tab | Description |
|---|---|
| Packet Filtering | Shows the packet filtering rule or rules. |
| Administration Access | Defines access rules for local administration and for remote Administration Stations, through the administration GUI or the command line (see Chapter 10, Using the Command Line Interface). |
| NAT (Network Address Translation) | Maps private network addresses to public network addresses. |
| VPN (Virtual Private Network) | Lists each VPN definition: name, address, certificate, issued-certificate (key) algorithm, data algorithm, MAC algorithm, tunnel address, and description. |
Execute the steps in "To Modify Rules".
In the packet filtering table, click on the cell that contains the object you want to view or edit.
The dialog box for the chosen object appears.
Clicking a cell in the packet filtering table does not open a popup menu; instead, a pulldown list appears from which you can select another value.
Execute the steps in "To Modify Rules".
Select the rule to edit.
Click the Edit button.
The Rule Definition dialog box for the selected policy appears.
Edit each field by clicking the down arrow to display the list.
You can add a new address, range of addresses, or list of addresses for both the Source and Destination addresses.
The Rule Definition dialog box contains the following fields.

| Field | Description |
|---|---|
| Index | Assigns a number to a rule. When you edit or add a rule, this field defaults to a number one greater than the last rule, which places the rule at the bottom of the list. If you type a lower number, the new rule is inserted at that position and the rules that follow it are renumbered. |
| Screen | (Optional) Specifies the Screen to which the rule applies. Select a specific Screen name here if you use centralized management and want a rule to apply to one Screen only. |
| Service | Identifies the network service or service group to which this rule applies. |
| Source Address | The value to which the source address of a packet is compared. If an asterisk (*) appears, any source address meets the criteria of the rule. |
| Destination Address | The value to which the destination address of a packet is compared to determine whether the rule applies. If an asterisk (*) appears, any destination address meets the criteria of the rule. |
| Action | Displays the action for the rule and permits setting the logging behavior. The options are ALLOW, DENY, ENCRYPT, and VPN. |
| Time | Specifies the time object that restricts when the rule applies. If an asterisk (*) appears, the rule applies at all times. |
| Description | (Optional) Provides a brief description of the packet filtering rule. |
Click the OK button in the Rule Definition dialog box when you have finished editing the rule.
(Optional) Click the Verify Policy button at the top of the Policy Rules page to ensure that you have created a valid policy.
Click the Save Changes button to be sure the changes are saved.
Each Save creates a version.
If the Rule Definition dialog box cannot detect any issued-certificate (key) encryption algorithms for a filtering rule, it may display the following error message:
An error occurred in detecting the Encryption algorithms. Please check if skipd process is running.
If this occurs, restart the SKIP daemon (skipd) with the skipd_restart command. See the "Configuration Editor Reference" in SunScreen 3.2 Administrator's Overview for more information on the skipd_restart command.
Execute the steps in "To Modify Rules".
Click the Add New Rule button in the Policy Rules area.
The Rule Definition dialog box for the selected policy appears.
Edit each field by clicking the down arrow to display the list.
Click the OK button in the Rule Definition dialog box when you have finished editing the rule.
(Optional) Click the Verify Policy button at the top of the Policy Rules page to ensure that you have created a valid policy.
Execute the steps in "To Modify Rules".
Select the policy rule to be moved.
Click the Move button.
The Move Rule dialog box appears.
Type the number of the rule that you want to move in the From Rule Index field.
Type the number of the position to which you want to move the rule in the To Rule Index field.
Click the OK button.
The rules reorder themselves to reflect the change you made. You must move each rule whose position you want to change.
(Optional) Click the Verify Policy button at the top of the Policy Rules page to ensure that you have created a valid policy.
Edits do not change the behavior of the Screen, or of established connections that already have state entries, until you activate the policy.
Do not delete all of the packet filtering rules; doing so can lock you out of the Screen entirely.
Execute the steps in "To Modify Rules".
Select the rule you want to delete from the table in the Packet Filtering area.
Click the Delete button.
The Delete Rule dialog box appears.
Click the Yes button.
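The index, move, delete, save and activate steps above describe an ordered rule table whose position semantics are easy to get wrong in practice. The following model, an added illustration and not SunScreen code, reproduces those semantics so you can reason about them before touching a live policy: 1-based index insertion with renumbering, move by From/To index, a refusal to empty the table (the lockout warning), a working copy that is separate from the active copy until activation, and a verify step that reports rules shadowed by an earlier, broader rule. It assumes that the Screen evaluates rules in index order and acts on the first match, and that a packet matching no rule is denied; the class and function names and the sample rules are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = "*"  # the asterisk in the Rule Definition dialog: any value matches


@dataclass(frozen=True)
class Rule:
    service: str
    source: str
    destination: str
    action: str                   # ALLOW, DENY, ENCRYPT or VPN
    time: str = ANY               # time object name, or * for all times
    screen: Optional[str] = None  # None: rule applies to every Screen
    description: str = ""

    def matches(self, service, source, destination, time=ANY, screen=None):
        def ok(pattern, value):
            return pattern == ANY or pattern == value
        return (ok(self.service, service) and ok(self.source, source)
                and ok(self.destination, destination) and ok(self.time, time)
                and (self.screen is None or self.screen == screen))

    def shadows(self, other):
        """True if every packet 'other' could match is already caught by self."""
        def covers(pattern, value):
            return pattern == ANY or pattern == value
        return (covers(self.service, other.service)
                and covers(self.source, other.source)
                and covers(self.destination, other.destination)
                and covers(self.time, other.time)
                and (self.screen is None or self.screen == other.screen))


class LastRuleError(Exception):
    """Raised instead of emptying the packet filtering table (lockout guard)."""


class Policy:
    def __init__(self, rules: List[Rule]):
        self.working = list(rules)   # what the Policy Rules page edits
        self.active = list(rules)    # what the Screen currently enforces
        self.versions = []           # one snapshot per Save Changes

    def add(self, rule: Rule, index: Optional[int] = None) -> int:
        """Append (default: last+1) or insert at a 1-based index; later rules renumber."""
        if index is None:
            index = len(self.working) + 1
        if not 1 <= index <= len(self.working) + 1:
            raise IndexError(index)
        self.working.insert(index - 1, rule)
        return index

    def move(self, from_index: int, to_index: int) -> None:
        """Move Rule dialog: take the rule at From Rule Index, place it at To Rule Index."""
        rule = self.working.pop(from_index - 1)
        self.working.insert(to_index - 1, rule)

    def delete(self, index: int) -> None:
        if len(self.working) == 1:
            raise LastRuleError("deleting the last rule would lock out all access")
        del self.working[index - 1]

    def save(self) -> int:
        """Each Save creates a version; returns the new version number."""
        self.versions.append(tuple(self.working))
        return len(self.versions)

    def activate(self) -> None:
        """Only now do edits reach the Screen."""
        self.active = list(self.working)

    def verify(self) -> List[str]:
        """Report rules that can never match because an earlier rule covers them."""
        problems = []
        for j, later in enumerate(self.working, start=1):
            for i, earlier in enumerate(self.working[: j - 1], start=1):
                if earlier.shadows(later):
                    problems.append(f"rule {j} is shadowed by rule {i}")
                    break
        return problems

    def decide(self, service, source, destination, time=ANY, screen=None) -> str:
        """First-match evaluation against the ACTIVE rules; no match -> DENY (assumed default)."""
        for rule in self.active:
            if rule.matches(service, source, destination, time, screen):
                return rule.action
        return "DENY"


if __name__ == "__main__":
    # Constructed sample policy: allow SMTP to the mail host, deny everything else.
    p = Policy([Rule("smtp", ANY, "mailhost", "ALLOW"),
                Rule(ANY, ANY, ANY, "DENY", description="cleanup rule")])
    p.add(Rule("http", "corp-net", ANY, "ALLOW"), index=2)
    print("before activate:", p.decide("http", "corp-net", "www"))
    p.activate()
    print("after activate: ", p.decide("http", "corp-net", "www"))
    p.move(3, 1)                     # cleanup DENY moved to the top
    print("verify:", p.verify())
```

Running the sample shows the two mistakes the page warns about: the new HTTP rule has no effect until `activate()`, and moving the cleanup DENY to index 1 makes every later rule unreachable, which `verify()` flags before you save or activate.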