SunScreen 3.2 Administration Guide

Working With Policy Rules

Policy rules are ordered: the Screen evaluates them in the order in which they are listed, so the position of a rule determines its effect. You can define rules in the order in which you want them to take effect, or you can reorder them after you have defined them. Rule numbers are positions in the current list, not fixed identifiers, so a move or a deletion renumbers the rules that follow it.

To Create a Packet Filtering Rule
  1. Type the following to add a new rule at the end of a policy with the attributes listed below:


    edit> add Rule ping * * ALLOW SKIP_VERSION_2 cert-1 cert-2 
    DES-CBC RC2-40 MD5 NONE LOG SUMMARY
    

    Service: ping

    Source Address: *

    Destination Address: *

    Action: ALLOW

    Encryption: SKIP Version 2 (SKIP_VERSION_2)

    Encryption Details:

    • Source Certificate is cert-1

    • Destination Certificate is cert-2

    • Key algorithm is DES-CBC

    • Data algorithm is RC2-40

    • MAC algorithm is MD5

    • Compression is NONE (this is the only possible value at present)

    Action Details: LOG SUMMARY


    Note -

    All other options take their default values unless you specify them (for example, SNMP is off).


  2. Type the following to add a new rule at a particular position, for example, 1 to add it at the beginning of the policy:


    edit> insert Rule 1 ping * * ALLOW SKIP_VERSION_2 cert-1 cert-2 
    DES-CBC RC2-40 MD5 NONE LOG SUMMARY
    


Note -

When you add a filtering rule, the editor queries the SKIP daemon for the available certificate (key) encryption algorithms. If that query fails, it may display the following error message:

An error occurred in detecting the Encryption algorithms. 
Please check if skipd process is running.

If this occurs, restart the skipd process with the skipd_restart command and then enter the rule again.


To Reorder the Rules
  1. Use the list subcommand to produce an ordered list of rules for the policy:


    edit> list rule
    

    An ordered list of policy rules is displayed, as shown in this example.


    1 "www" "*" "*" ALLOW 
    2 "finger" "*" "*" ALLOW
    3 "ftp" "*" "localhost" USER "admin"
    ALLOW LOG DETAIL PROXY_FTP 
    FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE 
    4 "daytime" "localhost" "*" ALLOW 
    5 "telnet" "*" "*" ALLOW
    6 "echo" "localhost" "*" ALLOW 

  2. Use the move subcommand to move a policy rule to a new position, for example, from fourth to fifth position:


    edit> move rule 4 5
    

    The list of policy rules now shows the change in the order of the rules.


    1 "www" "*" "*" ALLOW 
    2 "finger" "*" "*" ALLOW
    3 "ftp" "*" "localhost" USER "admin"
    ALLOW LOG DETAIL PROXY_FTP 
    FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE 
    4 "telnet" "*" "*" ALLOW
    5 "daytime" "localhost" "*" ALLOW 
    6 "echo" "localhost" "*" ALLOW 

To Delete a Rule
  1. Use the del subcommand to delete policy rule 5:


    edit> del rule 5
    

  2. Generate the ordered list of policy rules:


    edit> list rule
    

    The new list of policy rules reflects the deletion of rule 5; the former rule 6 now occupies the fifth position. Because rule numbers are positions in the list, run list rule again before you refer to a rule by number in a later subcommand, otherwise you may move, delete, or replace the wrong rule.


    1 "www" "*" "*" ALLOW 
    2 "finger" "*" "*" ALLOW
    3 "ftp" "*" "localhost" USER "admin"
    ALLOW LOG DETAIL PROXY_FTP 
    FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE 
    4 "telnet" "*" "*" ALLOW
    5 "echo" "localhost" "*" ALLOW 

To Edit Any Part of a Rule

You can edit a component or the components of a policy rule by using the following procedure. The example shows how to modify the action.

  1. List all the rules in the policy:


    edit> list rule
    

    An ordered list of policy rules is displayed.


    1 "www" "*" "*" ALLOW 
    2 "finger" "*" "*" ALLOW
    3 "ftp" "*" "localhost" USER "admin"
    ALLOW LOG DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE 
    4 "telnet" "*" "*" ALLOW
    5 "echo" "localhost" "*" ALLOW 

  2. Use the replace subcommand to edit the policy. For example, to change the action of policy rule 4 from ALLOW to DENY, supply the complete rule with the action changed; the replacement overwrites rule 4 in place rather than adding a new rule:


    edit> replace rule 4 telnet * * DENY LOG DETAIL
    

  3. List the rules for the policy:


    edit> list rule
    

    The list of policy rules is displayed; the rule with the new values has replaced the old rule at position 4.


    1 "www" "*" "*" ALLOW 
    2 "finger" "*" "*" ALLOW
    3 "ftp" "*" "localhost" USER "admin"
    ALLOW LOG DETAIL PROXY_FTP 
    FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE 
    4 "telnet" "*" "*"  DENY LOG DETAIL
    5 "echo" "localhost" "*" ALLOW 

    The changes take effect when you activate the policy whose rules you have edited.
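The following Python model is an added example, not SunScreen code or output from the ssadm editor. It reproduces the five edit> subcommands used in this section (add, insert, move, del, replace) over the six-rule listing shown above, with 1-based positions as in `move rule 4 5`, and adds a first-match lookup so that you can see two things the listings alone do not show: why the order of two overlapping rules decides the verdict, and why `del rule 5` removes a different rule before and after the move. The assumption that traffic matching no rule is denied, the host names, and the 10.0.0.5 address are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One packet-filtering rule: service, source, destination, action, options."""
    service: str
    src: str
    dst: str
    action: str                                         # "ALLOW" or "DENY"
    options: List[str] = field(default_factory=list)    # e.g. ["LOG", "DETAIL"]

    def matches(self, service: str, src: str, dst: str) -> bool:
        # "*" is the wildcard used in the guide's rule listings.
        return all(pat == "*" or pat == val
                   for pat, val in ((self.service, service),
                                    (self.src, src),
                                    (self.dst, dst)))

    def __str__(self) -> str:
        text = f'"{self.service}" "{self.src}" "{self.dst}" {self.action}'
        return text + (" " + " ".join(self.options) if self.options else "")


class Policy:
    """Ordered rule list with the edit> subcommands used in this section.
    Positions are 1-based, exactly as in 'move rule 4 5' and 'del rule 5'."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> int:                   # edit> add Rule ...
        self.rules.append(rule)
        return len(self.rules)

    def insert(self, pos: int, rule: Rule) -> None:     # edit> insert Rule <pos> ...
        self.rules.insert(pos - 1, rule)

    def move(self, frm: int, to: int) -> None:          # edit> move rule <from> <to>
        rule = self.rules.pop(frm - 1)
        self.rules.insert(to - 1, rule)

    def delete(self, pos: int) -> Rule:                 # edit> del rule <pos>
        return self.rules.pop(pos - 1)

    def replace(self, pos: int, rule: Rule) -> None:    # edit> replace rule <pos> ...
        self.rules[pos - 1] = rule

    def listing(self) -> List[str]:                     # edit> list rule
        return [f"{i} {r}" for i, r in enumerate(self.rules, 1)]

    def lookup(self, service: str, src: str, dst: str) -> Tuple[Optional[int], str]:
        """First matching rule wins. (None, "DENY") encodes the assumption,
        made for this example, that traffic matching no rule is dropped."""
        for i, rule in enumerate(self.rules, 1):
            if rule.matches(service, src, dst):
                return i, rule.action
        return None, "DENY"


def page_policy() -> Policy:
    """The six-rule listing shown under 'To Reorder the Rules'."""
    p = Policy()
    p.add(Rule("www", "*", "*", "ALLOW"))
    p.add(Rule("finger", "*", "*", "ALLOW"))
    p.add(Rule("ftp", "*", "localhost", "ALLOW",
               ["LOG", "DETAIL", "PROXY_FTP", "FTP_GET", "FTP_CHDIR",
                "FTP_RENAME", "FTP_DELETE"]))
    p.add(Rule("daytime", "localhost", "*", "ALLOW"))
    p.add(Rule("telnet", "*", "*", "ALLOW"))
    p.add(Rule("echo", "localhost", "*", "ALLOW"))
    return p


def apply_page_edits(p: Policy) -> Policy:
    """The edits performed in this section, in the order the guide gives them."""
    p.move(4, 5)       # daytime drops below telnet
    p.delete(5)        # now removes daytime; before the move it would remove telnet
    p.replace(4, Rule("telnet", "*", "*", "DENY", ["LOG", "DETAIL"]))
    return p


def ordering_demo() -> Tuple[str, str]:
    """Same two overlapping rules in two orders: the first match decides."""
    deny = Rule("telnet", "10.0.0.5", "*", "DENY")     # constructed address
    allow = Rule("telnet", "*", "*", "ALLOW")
    deny_first, allow_first = Policy(), Policy()
    deny_first.add(deny); deny_first.add(allow)        # specific deny is reachable
    allow_first.add(allow); allow_first.add(deny)      # deny is shadowed by the allow
    return (deny_first.lookup("telnet", "10.0.0.5", "mail")[1],
            allow_first.lookup("telnet", "10.0.0.5", "mail")[1])


if __name__ == "__main__":
    policy = apply_page_edits(page_policy())
    print("\n".join(policy.listing()))
    print("telnet host-a -> host-b:", policy.lookup("telnet", "host-a", "host-b"))
    print("deny first / allow first:", ordering_demo())
```

Running the block prints the five-rule listing that ends this section, a lookup for telnet that hits rule 4 with DENY, and the pair ("DENY", "ALLOW") showing that the same deny rule is effective only when it is listed before the broader allow; the shadowed order is the case to check for after every insert or move.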

Modifying Access Rules for GUI Local Administration

To Add an Access Rule for GUI Local Administration

    Use the add subcommand with the accesslocal argument to add an administrative access rule for local administration.

    For example:


    edit> add accesslocal USER admin3 PERMISSION ALL
    

To Edit an Access Rule for GUI Local Administration
  1. List the administrative access rules for local administration:


    edit> list AccessLocal
    

    By default, an admin user is created during installation.

    The following approximates the output that is displayed:


    1 USER "admin" PERMISSION ALL
    2 USER "admin3" PERMISSION ALL

  2. Use the replace subcommand to replace an administrative access rule with a new value for a particular user for local administration:


    edit> replace AccessLocal 2 USER "admin3" PERMISSION STATUS
    

To Delete an Access Rule for GUI Local Administration

Note -

Do not delete all the administrative access rules.


    Use the del subcommand to delete the administrative access rule for local administration.

    For example, to delete rule 2, type:


    edit> del AccessLocal 2
    

Modifying Access Rules for Remote Administration

To Add an Access Rule for Remote Administration

    Use the add subcommand with the accessremote argument to add an administrative access rule for remote administration:


    edit> add accessremote USER admin3 * SKIP_VERSION_2 admin-group
    DES-CBC DES-CBC MD5 NONE
    

    This administrative access rule allows the access level ALL for the admin3 user at a remote Administration Station on the Internet to use the GUI and the command line to administer the Screen.


    Note -

    Make a note of the encryption parameters if you change them, because they have to match the encryption parameters on the remote Administration Station.


To Edit an Access Rule for Remote Administration
  1. List the administrative access rules for remote administration, for example:


    edit> list accessremote
    

    The following approximates the output that is displayed:


    1 USER "admin" "*" SKIP_VERSION_2 "admin-group" "DES-CBC" 
    "DES-CBC" "NONE" "NONE" PERMISSION
    ALL
    2 USER "admin3" "*" SKIP_VERSION_2 "admin-group" "DES-CBC" 
    "DES-CBC" "NONE" "NONE" PERMISSION
    ALL


    Note -

    Make a note of the encryption parameters if you change them, because they have to match the encryption parameters on the remote Administration Station.


  2. Use the replace subcommand to replace an administrative access rule for remote administration with new values for a particular user, for example, STATUS for the access level:


    edit> replace accessremote USER admin3 * SKIP_VERSION_2 admin-group
    DES-CBC DES-CBC NONE NONE PERMISSION STATUS
    

    This administrative access rule changes the access level for admin3 at a remote Administration Station on the Internet to STATUS.

To Delete an Access Rule for Remote Administration

Note -

Do not delete all the administrative access rules.


    Use the del subcommand to delete an administrative access rule for remote administration:


    edit> del accessremote 2
    

    Where 2 is the number, in the ordered list of rules, of the rule that you want to delete. List the rules first, because the numbers shift after every deletion.