SunScreen 3.2 Administration Guide

Writing and Editing Policy Rules for Proxies

Policy Rules are strictly ordered; they take effect in the order in which they are listed. You may either define policy rules in the order in which you want them to take effect or rearrange them after they are defined.

Basic Steps for Writing Policy Rules for Proxies
  1. Choose the policy Initial in the Policies List page.

  2. Click the Edit button.

    The Policy Rules page appears.

  3. Select the Packet Filtering tab in the Policy Rules area.

    Proxies are defined in the Packet Filtering page.

  4. Click the Add New Rule button in the Packet Filtering area.

    The Rule Definition dialog box for that policy is displayed.


    In the Rule Definition dialog box, the Rule Index field is filled with the next available rule index.

  5. (Optional) If a rule is valid only for a particular Screen, select that Screen only in the Common Objects area.

    The default is for the rule to be valid for all Screens.

  6. In the Services box in the panel, select one of the services that are valid for proxies, for example:

    • ftp

    • www

    • smtp

    • telnet

  7. Select the source and destination addresses that you want for the Source Address and Destination Address fields.

    Be sure you have already defined these addresses on the Policy Rules page. A proxy rule should name the specific hosts or networks it is meant to serve rather than the broadest address object available.

  8. For a proxy rule, select ALLOW or DENY in the Action field.

    These are the only valid actions for proxies; the Encrypt and VPN actions do not apply to proxies.

    When you select ALLOW, a new dialog box appears with these fields:

    • LOG

    • SNMP

    • PROXY

    When you select DENY, a new dialog box appears with these fields:

    • LOG

    • SNMP

    • ICMP Reject

    • PROXY

To Write Policy Rules for the Proxies
  1. Execute the steps in "Basic Steps for Writing Policy Rules for Proxies".

  2. Select the information that you want to put into the LOG and SNMP fields, then choose the proxy from the Proxy list.

    There are five items in the Proxy list:

    • NONE

    • PROXY_HTTP

    • PROXY_FTP

    • PROXY_SMTP

    • PROXY_Telnet

  3. Select the name of the proxy service for which you are writing this policy rule for the Service field.

    If you plan to use proxies, you must select the appropriate proxy service:

    Table 6-2 Proxies and Services

    Choose This Service    For This Proxy
    ftp                    PROXY_FTP
    www                    PROXY_HTTP
    smtp                   PROXY_SMTP
    telnet                 PROXY_TELNET

    Each choice requires slightly different steps, which are listed below under the four proxy types.

To Define PROXY_FTP
  1. Execute the steps in "Basic Steps for Writing Policy Rules for Proxies".

  2. Select PROXY_FTP from the Proxy list.

    The Rule Definition dialog box for PROXY_FTP appears, and eight fields appear below the Proxy field:

    • GET

    • PUT

    • CHDIR

    • MKDIR

    • RENAME

    • REMOVE

    • DELETE

    • Proxy User

  3. Select an action for each command field (GET, PUT, CHDIR, MKDIR, RENAME, REMOVE, and DELETE) or accept the default values. Each field either allows (Allow) or disallows (Deny) that FTP command through the proxy, so set to Deny any command the users of this rule do not need (for example, PUT on a rule meant only for downloads).

  4. Select the name of a defined proxy user in the Proxy User field.

  5. Click the OK button in the dialog box.

  6. Click the Save Changes button.
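The following is an added example, not code from the SunScreen guide or product. It shows what the per-command fields of a PROXY_FTP rule amount to on the wire: each Allow/Deny setting governs the FTP control-channel verbs behind it, evaluated here over a constructed client session under a download-only policy. The verb-to-field mapping (in particular that REMOVE covers RMD and DELETE covers DELE), the fail-closed treatment of unknown verbs, and the policy values are assumptions for illustration.

```python
"""Added example, not part of the SunScreen guide: maps the PROXY_FTP rule's
GET/PUT/CHDIR/MKDIR/RENAME/REMOVE/DELETE fields onto FTP control-channel verbs
and evaluates a constructed session against a download-only policy. The
verb-to-field mapping and the fail-closed defaults are assumptions."""

# Assumed mapping from RFC 959 control-channel verbs to the rule's fields.
VERB_TO_FIELD = {
    "RETR": "GET",
    "STOR": "PUT",
    "STOU": "PUT",
    "APPE": "PUT",       # append is still an upload
    "CWD": "CHDIR",
    "CDUP": "CHDIR",
    "MKD": "MKDIR",
    "RNFR": "RENAME",    # a rename is the pair RNFR then RNTO
    "RNTO": "RENAME",
    "RMD": "REMOVE",     # assumption: REMOVE means remove directory
    "DELE": "DELETE",    # assumption: DELETE means delete file
}

# Session-management verbs the proxy passes regardless of the rule fields.
SESSION_VERBS = {"USER", "PASS", "SYST", "TYPE", "PWD", "LIST", "NLST",
                 "PASV", "PORT", "NOOP", "QUIT"}

RULE_FIELDS = ("GET", "PUT", "CHDIR", "MKDIR", "RENAME", "REMOVE", "DELETE")


def make_policy(**settings):
    """Build a policy dict; every field not given explicitly is Deny (fail closed)."""
    policy = {field: "Deny" for field in RULE_FIELDS}
    for field, action in settings.items():
        if field not in RULE_FIELDS or action not in ("Allow", "Deny"):
            raise ValueError(f"bad setting {field}={action}")
        policy[field] = action
    return policy


def filter_session(policy, client_lines):
    """Return (line, verdict) per client command.

    "Allow" means forward to the server; "Deny" means answer the client with
    a 5xx and forward nothing. Unknown verbs are denied, and an RNTO that
    does not follow an allowed RNFR is denied as a protocol violation.
    """
    results = []
    rename_pending = False
    for line in client_lines:
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        if verb in SESSION_VERBS:
            verdict = "Allow"
        elif verb == "RNTO" and not rename_pending:
            verdict = "Deny"
        else:
            field = VERB_TO_FIELD.get(verb)
            verdict = policy[field] if field else "Deny"
        rename_pending = (verb == "RNFR" and verdict == "Allow")
        results.append((line, verdict))
    return results


# Constructed sample session: anonymous login, browse, download, then
# attempts to upload, rename, delete and run a SITE command.
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS guest@example.test",
    "CWD /pub",
    "RETR README",
    "STOR dropper.exe",
    "RNFR README",
    "RNTO README.old",
    "DELE README",
    "SITE CHMOD 777 README",
    "QUIT",
]

DOWNLOAD_ONLY = make_policy(GET="Allow", CHDIR="Allow")


def main():
    for line, verdict in filter_session(DOWNLOAD_ONLY, SAMPLE_SESSION):
        print(f"{verdict:5}  {line}")


if __name__ == "__main__":
    main()
```

Under the download-only policy the login, directory change and RETR pass, while STOR, the RNFR/RNTO pair, DELE and the unmapped SITE command are refused. The two points a practitioner should carry back to the rule are that an unlisted verb must fail closed rather than slip through, and that RENAME is a two-command sequence, so the filter has to refuse RNFR itself and not only RNTO.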

To Define PROXY_HTTP
  1. Execute the steps in "Basic Steps for Writing Policy Rules for Proxies".

  2. Select PROXY_HTTP from the Proxy list; clicking that name puts it into the Proxy field.

    Five fields then appear below the Proxy field:

    • Cookies

    • ActiveX

    • Java

    • SSL

    • Proxy User

  3. Set the action for each item.

    1. For Cookies, ActiveX, and SSL, choose an action or accept the default under Proxy Details. You can either allow (Allow) or disallow (Deny) the use of cookies, ActiveX, or SSL based on the settings you choose for each field.

    2. For the Java field, choose among the following under Proxy Details:

      • Allow all Java

      • Block all Java

      • Allow Java with signed Jars, with the signature in the Jar Signature database

      • Allow Java, with the Jar hash in the Jar Hash database

      • Allow both signed Jar signature and Jar Hash


        Note -

        If you select Jar Signature or Jar Hash, they must be defined in the Common Objects area of the Policy Rules page.


  4. (Optional) Select a proxy user or group to be allowed through the proxy.

  5. Click the OK button in the dialog box.

  6. Click the Save Changes button.
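The following is an added example, not code from the SunScreen guide or product. It walks the five Java settings of a PROXY_HTTP rule over three constructed Jars (one unsigned, one signed by a known signer, one signed by an unknown signer) to show which Jar each setting lets through. The database formats are assumptions: the Jar Hash database is modelled as an allowlist of SHA-256 digests of whole Jar files, the Jar Signature database as an allowlist of SHA-256 digests of the Jar's signature block files, and the page's "Allow both" setting is read as accepting a Jar that passes either check.

```python
"""Added example, not part of the SunScreen guide: evaluates the five Java
settings of a PROXY_HTTP rule against in-memory Jars. The hash algorithm,
both database layouts and the mode names are assumptions for illustration."""
import hashlib
import io
import zipfile

MODES = ("allow_all", "block_all", "signed_jar", "jar_hash", "signed_or_hash")


def build_jar(entries):
    """Constructed sample Jar with fixed timestamps so its digest is stable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(2001, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


def jar_hash(jar_bytes):
    """Key into the assumed Jar Hash database: digest of the whole file."""
    return hashlib.sha256(jar_bytes).hexdigest()


def signature_ids(jar_bytes):
    """Keys into the assumed Jar Signature database: one digest per complete
    signature, i.e. a META-INF/x.SF paired with META-INF/x.RSA, .DSA or .EC.
    An .SF without its block, or a block without its manifest, yields nothing."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifests = {n[:-3] for n in names
                     if n.startswith("META-INF/") and n.endswith(".SF")}
        ids = set()
        for n in names:
            stem, _, ext = n.rpartition(".")
            if n.startswith("META-INF/") and ext in ("RSA", "DSA", "EC") and stem in manifests:
                ids.add(hashlib.sha256(zf.read(n)).hexdigest())
    return ids


def java_allowed(mode, jar_bytes, sig_db, hash_db):
    """Decide whether the proxy passes this Jar under the given Java setting."""
    if mode == "allow_all":
        return True
    if mode == "block_all":
        return False
    by_hash = jar_hash(jar_bytes) in hash_db
    by_sig = bool(signature_ids(jar_bytes) & sig_db)
    if mode == "signed_jar":
        return by_sig
    if mode == "jar_hash":
        return by_hash
    if mode == "signed_or_hash":   # the page's "allow both": either check may pass
        return by_sig or by_hash
    raise ValueError(f"unknown Java setting {mode!r}")


# Constructed sample Jars. The signature block bytes are placeholders: real
# ones are PKCS#7 structures, but only their digest matters for this lookup.
UNSIGNED_JAR = build_jar({"Applet.class": b"\xca\xfe\xba\xbe unsigned"})
TRUSTED_BLOCK = b"placeholder PKCS#7 block from the trusted signer"
SIGNED_JAR = build_jar({
    "Applet.class": b"\xca\xfe\xba\xbe signed",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/SIGNER.SF": b"Signature-Version: 1.0\n",
    "META-INF/SIGNER.RSA": TRUSTED_BLOCK,
})
RESIGNED_JAR = build_jar({  # same layout, but signed by someone not in the database
    "Applet.class": b"\xca\xfe\xba\xbe resigned",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/OTHER.SF": b"Signature-Version: 1.0\n",
    "META-INF/OTHER.RSA": b"placeholder PKCS#7 block from an unknown signer",
})

SIG_DB = {hashlib.sha256(TRUSTED_BLOCK).hexdigest()}
HASH_DB = {jar_hash(UNSIGNED_JAR)}


def main():
    for mode in MODES:
        row = [java_allowed(mode, j, SIG_DB, HASH_DB)
               for j in (UNSIGNED_JAR, SIGNED_JAR, RESIGNED_JAR)]
        print(f"{mode:15} unsigned={row[0]} signed={row[1]} resigned={row[2]}")


if __name__ == "__main__":
    main()
```

The result to notice is that "signed" on its own is not a decision: the RESIGNED_JAR is structurally signed yet is refused under signed_jar because its signer is not in the database, which is exactly why the Note above requires the Jar Signature or Jar Hash entries to exist in the Common Objects area before those settings do anything useful. This model only checks that a known signature block is present; a real proxy must also verify the PKCS#7 signature over the .SF file and the .SF digests over the Jar entries, otherwise an attacker can keep the trusted block and replace the classes.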

To Define PROXY_SMTP
  1. Execute the steps in "Basic Steps for Writing Policy Rules for Proxies".

  2. Select PROXY_SMTP as the proxy.

    The Relay field appears below the Proxy field in the dialog box.


    Note -

    For more information on relay control, see "SMTP Proxy" in SunScreen 3.2 Administrator's Overview.


  3. Determine whether you want to allow relaying of mail messages through the proxy in the Proxy Details area.

  4. If you want to allow all relaying, select the RELAY: ALLOW setting.

  5. If you want to restrict the relaying, define the local domain name for the Screen or create a list of valid relay (domain) targets as described in the following two substeps, and select the RELAY: RESTRICT setting.

    1. Define the Local Domain Name

      Create or edit the /etc/defaultdomain file to contain the domain suffix for the Screen.


      Note -

      For this default domain to become active, you must either shut down and reboot the Screen or run the following command. Note the backquotes, which substitute the contents of the file; with ordinary single quotes the literal text cat /etc/defaultdomain would become the domain name. Running domainname with no argument afterwards prints the current setting so you can confirm it.


      # domainname `cat /etc/defaultdomain`



    2. Create a List of Valid Relay Targets

      Use the mail_relay feature of the ssadm command to create a list of valid relay (domain) targets (see "SMTP Proxy" in SunScreen 3.2 Administrator's Overview).


      Note -

      The destination address in this rule should be the address of the SMTP server or servers that will spool and/or deliver email after it is restricted and filtered by the screen.


  6. Click the OK button in the dialog box.

  7. Click the Save Changes button.
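The following is an added example, not code from the SunScreen guide or product. Once RELAY: RESTRICT is in place, the check a practitioner wants is an SMTP session from outside the local domain that confirms two things at once: a local recipient is still accepted, and a recipient in a foreign domain is refused at RCPT TO. The exchange below is driven through a small connection interface so it runs against a real Screen or, offline, against a constructed transcript; the hostnames, addresses and reply texts are constructed and the proxy's actual wording may differ.

```python
"""Added example, not part of the SunScreen guide: after switching a PROXY_SMTP
rule to RELAY: RESTRICT, confirm from outside the local domain that the proxy
still accepts a local recipient but refuses an external one. Hostnames,
addresses and reply texts are constructed; the proxy's real replies may differ."""
import socket
import sys


class ScriptedConn:
    """Stand-in for the proxy: canned reply lines in order, records what was sent."""

    def __init__(self, reply_lines):
        self._replies = list(reply_lines)
        self.sent = []

    def sendall(self, data):
        self.sent.append(data.decode("ascii"))

    def readline(self):
        return self._replies.pop(0) if self._replies else ""


class SocketConn:
    """Real TCP connection to the Screen's SMTP proxy."""

    def __init__(self, host, port=25, timeout=15):
        self._sock = socket.create_connection((host, port), timeout)
        self._file = self._sock.makefile("r", encoding="ascii", errors="replace")

    def sendall(self, data):
        self._sock.sendall(data)

    def readline(self):
        return self._file.readline()


def read_reply(conn):
    """Read one SMTP reply, multi-line ('250-...') included; return (code, lines)."""
    lines = []
    while True:
        line = conn.readline()
        if not line:
            raise ConnectionError("connection closed by peer")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            return int(lines[-1][:3]), lines


def command(conn, text):
    conn.sendall((text + "\r\n").encode("ascii"))
    return read_reply(conn)


def relay_check(conn, helo_name, mail_from, local_rcpt, external_rcpt):
    """Probe both RCPT TO outcomes. DATA is never sent, so nothing is delivered."""
    code, banner = read_reply(conn)
    if code != 220:
        raise RuntimeError(f"unexpected banner: {banner}")
    for text in (f"HELO {helo_name}", f"MAIL FROM:<{mail_from}>"):
        code, lines = command(conn, text)
        if code != 250:
            raise RuntimeError(f"{text!r} refused: {lines}")
    local_code, _ = command(conn, f"RCPT TO:<{local_rcpt}>")
    external_code, _ = command(conn, f"RCPT TO:<{external_rcpt}>")
    command(conn, "RSET")
    command(conn, "QUIT")
    if external_code in (250, 251):
        verdict = "OPEN RELAY"          # a foreign recipient was accepted
    elif local_code in (250, 251):
        verdict = "RESTRICTED"          # local delivery works, relaying refused
    else:
        verdict = "REJECTS LOCAL MAIL"  # local domain or relay list misconfigured
    return {"local_code": local_code, "external_code": external_code, "verdict": verdict}


# Constructed transcripts: a correctly restricted proxy, and one that relays.
RESTRICTED_REPLIES = [
    "220-screen.example.test SMTP proxy\r\n",
    "220 ready\r\n",
    "250 screen.example.test\r\n",
    "250 2.1.0 sender ok\r\n",
    "250 2.1.5 recipient ok\r\n",
    "550 5.7.1 relaying denied\r\n",
    "250 2.0.0 reset\r\n",
    "221 2.0.0 bye\r\n",
]
OPEN_REPLIES = RESTRICTED_REPLIES[:5] + ["250 2.1.5 recipient ok\r\n"] + RESTRICTED_REPLIES[6:]

PROBE = dict(helo_name="probe.outside.test", mail_from="probe@outside.test",
             local_rcpt="postmaster@example.test", external_rcpt="someone@elsewhere.test")


def main(argv):
    # With a host argument, probe that Screen; without one, replay the transcript.
    conn = SocketConn(argv[1]) if len(argv) == 2 else ScriptedConn(RESTRICTED_REPLIES)
    print(relay_check(conn, **PROBE))


if __name__ == "__main__":
    main(sys.argv)
```

Run it from a host that is not in the Screen's local domain or relay list, since a probe from inside says nothing about relaying. A 250 to the external RCPT TO is the definitive sign that the proxy is relaying; a 5xx there with a 250 for the local recipient is the state RELAY: RESTRICT is meant to produce; a 5xx for both usually means /etc/defaultdomain was not activated or the ssadm mail_relay list does not contain the domain the proxy is supposed to deliver for.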

To Define PROXY_Telnet
  1. Execute the steps in "Basic Steps for Writing Policy Rules for Proxies".

  2. Select PROXY_Telnet as the proxy.

    The Proxy Users field appears below the Proxy field on the right side of the Rule Definition dialog box.

  3. Select the proxy user or group that is allowed through the proxy.

  4. Click the OK button in the dialog box.

  5. Click the Save Changes button.