State Engines

SunScreen includes a number of state engines that act as protocol verifiers for services. For example, the ftp state engine checks port numbers when the ftp service is being used.

You cannot define new state engines, and you should not change which state engine is used by a predefined service. However, if you define a new service, you must specify the state engine the newly defined service will use.

Characteristics of State Engines

State engines have the following characteristics:

• Connection management - Each state engine understands the connection management of a particular protocol or set of protocols. State engines can be general, such as the tcp state engine (which allows a simple TCP connection) or specific, such as the ftp state engine (which understands the FTP protocol and parses FTP PORT and PASV commands).

• Precedence level - Each state engine has a precedence level. A service with multiple state engines (that is, a service group) is internally ordered by state engine. This order is given by the order in the ss_stateengine default list.

• Discriminator value - Each state engine has a discriminator value. This value is used to bind the state engine to a particular service. Examples are a port number for TCP and UDP services, an RPC program number for RPC services, or an icmp type for ICMP services.

• Parameters - Each state engine has a set of parameters. These parameters have a default value that can be overridden when the service is defined to modify the behavior of the state engine.

dns State Engine

The dns state engine is used for UDP DNS sessions. It looks inside the DNS responses and verifies that they have the same DNS ID as the request. The predefined service dns uses this state engine and is normally the only service to use it. Because the DNS service also uses the TCP protocol, the predefined service dns also has a second entry using the tcp state engine.

The discriminator for the dns state engine is the UDP port number of the DNS service. This is normally 53.

The dns state engine has two parameters:

• Response timeout in seconds - Specifies the time to wait for DNS responses. Default is 60 seconds. This can be changed (to 120 seconds, for example) in the configuration editor as follows:

  edit> add service "dns" SINGLE FORWARD "tcp" PORT 53 FORWARD "dns" PORT 53 PARAMETERS 120

• Packet count - the number of response packets the state engine will allow for each outgoing packet. The default is 1; it is recommended that this not be changed.

ether State Engine

SunScreen in stealth mode can pass non-IP Ethernet frames between its interfaces. It cannot filter the frames on their content, but can pass (or drop) frames based on the frame "type." It can also determine which interfaces the frames are allowed to and from.

To pass non-IP traffic you need to define a new service entry using the ether state engine, specifying the type of protocol you wish to pass. The discriminator for the ether state engine is the frame type number in decimal.

The location of the value that you specify in the type field within the Ethernet packet depends on the Ethernet frame type. The following four Novell frame type designations, described below, are in common use:

• Ethernet II -- Common name: Ethernet

• Ethernet 802.3 -- Common name: "Raw" 802.3

• Ethernet 802.2 -- Common name: 802.3

• Ethernet SNAP -- Common name: 802.3/SNAP or 802.3/802.2/SNAP

Ethernet II -- Common name: Ethernet

Ethernet II is the most common frame type and is used for TCP/IP as well as many other protocols. Ethernet type 0x8137 is used by IPX.

Destination Address	SourceAddress	Ethernet Type	Network ProtocolPacket
6 bytes0-5	6 bytes6-11	2 bytes12-13	up to 1500 bytes14-1513

Ethernet 802.3 -- Common name: "Raw" 802.3

Ethernet 802.3 has no protocol ID and can only carry IPX packets. It is distinguishable from Ethernet_802.2 only because the first 2 bytes of all IPX packets carried on Ethernet 802.3 must be all ones, which makes no sense in Ethernet 802.2. "Raw" 802.3 was the default frame type for NetWare software until NetWare v4.0 was released.

Destination Address	SourceAddress	Length	IPX Packet
6 bytes0-5	6 bytes6-11	2 bytes12-13	up to 1500 bytes14-1513; 0xFF 0xFF are the first two bytes

Ethernet 802.2 -- Common name: 802.3

Note that the 802.2 header is implied by the 802.3 standard. Ethernet 802.2 is also known as: 802.3/802.2, to distinguish it from "raw" 802.3. It is used for OSI packets on 802.3 networks. Ethernet 802.2 is the default frame type for the NetWare v4.0 release. Values in parentheses in the table below are the values used by IPX.

Destination Address	SourceAddress	Length	DSAP(E0)	SSAP(E0)	Control(03)	Network Packet
6 bytes0-5	6 bytes6-11	2 bytes12-13	1 byte14	1 byte15	1 byte16	up to 1497 bytes17-1513

Ethernet SNAP -- Common name: 802.3/SNAP or 802.3/802.2/SNAP

Ethernet SNAP is an extension to 802.2, indicated by SAP value of hex AA. Ethernet SNAP is used by AppleTalk and is allmost never used for IPX. Values in parentheses in the table below are the values used by IPX.

Dest. Addr.	SourceAddr.	Length	DSAP0xAA	SSAP0xAA	Control0x03	SNAP Header(0,0,0,81,37)	Network Packet
6 bytes0-5	6 bytes6-11	2 bytes12-13	1 byte14	1 byte15	1 byte16	5 bytes17-21	up to 1492 b22-1513

How SunScreen Checks the type Field

SunScreen checks the type field as follows:

• For Ethernet II packets, the type field specifies the value of the Ethernet type field located as offset 12 from the beginning of the packet. Any packet that has its Ethernet type field set to a value greater than 1526 is considered an Ethernet II packet. The range of applicable values for type is 1527 through 65536.

• For other Ethernet packets, the values of the DSAP and SSAP are examined, located at offsets 14 and 15 from the beginning of the packet. If the DSAP and SSAP are both 0xAA, the packet is assumed to be an Ethernet SNAP packet. For SNAP packets, the type field specifies the value of Ethernet type field located in the SNAP header at offset 20 from the beginning of the packet. The range of type values is 0 through 65536

• If the DSAP and SSAP are not 0xAA, the type field specifies the value of the DSAP field, located at offset 14. The range of type values is 0 to 169 and 171 to 255; 170 (0xAA) is not allowed.

Example: Passing IPX Packets Between Host A and Host C

Imagine you want to pass IPX packets between HOST A and HOST C in the figure below:

Figure C-1 Ether State Engine: Passing IPX Packets [NEW GFX NEEDED]

You have decided that the frame types used by these systems are 33079 & 33080 (hex 0x8137 and 0x8138).

1. Create and save new services using the ether state engine for each of these frame types. Create a service group (call it "ipx," for example) containing both of these services.

   ---

   Note -

   The ether state engine takes a decimal value for type.

   ---

2. Pick an IP host on the qe2 interface and an IP host on the qe1 interface and create an address list called "qe1andqe2."

   If you have defined interface objects for qe1 and qe2 (which you should do for anti-spoofing) these could be combined into a list called "qe1andqe2."

3. Define a rule:

   Service: ipxSource: qe1andqe2Destination: qe1andqe2Action: normal

   This rule passes all frames with the specified types between the qe1 and qe2 interfaces. That is, a frame from any host on the network attached to qe2 (Host B, for example) will get passed to the network attached to qe1, if the type matches.

   Note that there is no logging with the ether state engine, even if LOG_DETAIL is in the rule--because all SunScreen logging starts at the IP layer and there is no IP layer here.

ftp State Engine

The ftp state engine is used for FTP sessions. This state engine understands the control protocol used by FTP sessions including parsing PORT commands. It supports both traditional and PASV modes. The ftp service is typically the only service that uses this state engine.

The discriminator for the ftp state engine is the port number of the control connection, which is normally 21. The port number of the data session is always one less than the control connection unless this is overridden by the parameters below.

The ftp state engine has the following parameters:

• Lifetime of idle control session in seconds - Specifies the lifetime of an idle control session (default = 600 seconds)

• Lifetime of idle data session in seconds -Specifies the lifetime of an idle data session (default = 600 seconds)

• Flag value - Flag value is a set of bits. If bit 0x01 is set, non PASV data sessions are allowed to originate from a port other than one less than the control port. This feature is sometimes needed to communicate with FTP servers that incorrectly implement the FTP protocol so they do not need to run the data connection as root (default = 0).

icmp State Engine

The icmp state engine is used for ICMP protocols. It allows one-direction ICMP traffic to flow.

The discriminator for the icmp state engine is the ICMP type of the packet.

The icmp state engine has no parameters.

ip State Engine

The ip state engine is a stateless filter that passes unidirectional IP traffic of a particular IP type. The data can only flow in the forward direction (Source to Destination address) This state engine is supplied to provide backwards compatibility with the ip state engine in the SunScreen SPF-100. New service definitions should use either the ipfwd, iptunnel, or ipmobile state engines.

The discriminator for the ip state engine is the IP packet type.

The ip state engine has no parameters.

ipfwd State Engine

The ipfwd state engine allows unidirectional IP traffic of a certain IP type. The data can only flow in the forward direction (Source to Destination address)

The discriminator for the ipfwd state engine is the IP packet type.

The ipfwd state engine has the following parameters:

• Cache timeout in seconds - Specifies the amount of time before the system forgets about IP traffic between a pair of hosts (default is 60 seconds)

• Flag value - Must be 1

ipmobile State Engine

The ipmobile state engine allows bidirectional IP traffic of a certain IP type. The first connection must be initiated by the From address in the rule. Subsequent connections can be initiated from either side as long as the cache entry has not timed out.

The discriminator for the ipmobile state engine is the IP packet type.

The ipmobile state engine has the following parameters:

• Cache timeout in seconds - Specifies the amount of time before the system forgets about IP traffic between a pair of hosts (default is 3600 seconds or 1 hour).

• Flag value - Must be 0 (zero)

iptunnel State Engine

The iptunnel state engine allows bidirectional IP traffic of a certain IP type. Either side of the connection can initiate connections.

The discriminator for the iptunnel state engine is the IP packet type.

The iptunnel state engine has the following parameters:

• Cache timeout in seconds - Specifies the amount of time before the system forgets about IP traffic between a pair of hosts (default is 60 seconds)

• Flag value - Must be 0 (zero)

nis State Engine

The nis state engine is used to define services that are NIS UDP sessions. The predefined service ypserv uses the nis state engine and is normally the only service definition that uses this state engine.

The discriminator for this state engine is the RPC program number of the service. Normally, this is always 100004, the RPC program number for NIS.

The nis state engine has the following parameters:

• Response timeout in seconds - Specifies the time to wait for NIS responses. -1 specifies the state engine will wait forever (default = 60 seconds).

• Number of expected responses per request - Typically 1, because an NIS server sends only a single response to a request (default = 1).

• Flag value - If this value is set to 2, then the system accepts NIS responses from a different port than the NIS request port. This case occurs when an NIS server is responding to name lookups that is mapping to DNS entries (default = 2).

ntp State Engine

SunScreen contains a state engine to handle the NTP protocol. The source and destination UDP ports numbers are fixed at port 123. To screen NTP traffic, use the ntp service. Broadcast NTP is not supported.

ping State Engine

The ping state engine is used for an ICMP ping exchange. It allows ping requests in the forward direction and ping responses in the reverse direction.

The discriminator of the ping state engine is the ICMP type of the request packet. This is normally set to 8 to match that of an ICMP echo request packet.

The ping state engine has one parameter:

• Response timeout in seconds - Specifies the amount of time to wait for ICMP echo responses (default is 10 seconds).

pmap_nis State Engine

The pmap_nis state engine is used for the portmap protocol used by NIS services. It monitors NIS portmap requests and responses and builds a table of host/port to NIS service mappings. The ypserv service is typically the only service definition that uses the pmap_nis state engine.

The discriminator for the pmap_nis state engine is the RPC program number of the service. This is always 100004, which is the RPC program number for NIS.

The pmap_nis state engine has the following parameters:

• Response timeout in seconds - Specifies the time to wait for NIS portmap responses (default = 60 seconds)

• Lifetime of NIS portmap mapping entries in seconds - -1 specifies an infinite lifetime. Because NIS clients cache portmap information indefinitely at boot time, this value is normally set to -1 (default = -1).

pmap_tcp State Engine

The pmap_tcp state engine is used for the TCP portmap protocol used by TCP RPC services. It monitors the TCP portmap requests and responses and builds a table of hosts and ports to RPC service mappings. Normally, a service definition for a TCP RPC service requires both a pmap_tcp and a rcp_tcp state engine entry. The discriminator for the pmap_tcp state engine is the RPC program number of the service.

The pmap_tcp state engine has the following parameters:

• Response timeout in seconds - Specifies the time to wait for portmap responses. (Default = 60 seconds)

• Lifetime of portmap mapping entries in seconds - -1 specifies an infinite lifetime (default = 3600 seconds).

pmap_udp State Engine

The pmap_udp state engine is used for the UDP portmap protocol used by UDP services. It monitors the UDP portmap requests and responses and builds a table of hosts and ports to RPC service mappings. Normally, a service definition for a UDP RPC service requires both a pmap_udp and a rpc_udp state engine entry. The discriminator for the pmap_udp state engine is the RPC program number of the service.

The pmap_udp state engine has the following parameters:

• Response timeout in seconds - This parameter specifies the time to wait for portmap responses (default = 60 seconds)

• Lifetime of portmap mapping entries in seconds - -1 specifies an infinite lifetime (default = 3600 seconds or 1 hour)

realaudio State Engine

The realaudio state engine is used for RealAudio sessions. This state engine understands the control protocol used by these sessions including enabling the UDP ports used for the audio traffic. The realaudio service is typically the only service that uses this state engine. The discriminator for the realaudio state engine is the port number of the TCP control connection, which is normally 7070.

The realaudio state engine has one parameter:

• Lifetime of an idle control session in seconds - Specifies the lifetime of an idle control session (default = 3600 seconds)

rpc_tcp State Engine

The rpc_tcp state engine is used for RPC protocols that use the TCP protocol. Normally, a service definition for such a protocol requires both an rpc_tcp and pmap_tcp state engine entry. The discriminator for the rpc_tcp state engine is the RPC program number for the service.

The rpc_tcp state engine has one parameter:

• Idle session lifetime in seconds - Specifies the lifetime of an idle TCP RCP session in seconds (default = 86400 seconds or 24 hours)

rpc_udp State Engine

The rpc_udp state engine is used for RPC protocols that use the UDP protocol. Normally, a service definition for such a protocol requires both an rpc_udp and pmap_udp state engine entry. The discriminator for the rpc_udp state engine is the RPC program number for the service.

The rpc_udp state engine has the following parameters:

• Response timeout in seconds - Specifies the time to wait for RPC responses. -1 specifies to wait forever (default = 60 seconds)

• Number of expected responses per request (default is 1)

• Flag value - Specifies whether RPC responses must come from the same host or port that the RPC request specified. If the 0x01 bit is set, RPC responses from a different host than the request are allowed. If the 0x02 bit is set, RPC responses from a different port than the request port are allowed (default = 0)

rsh State Engine

The rsh state engine is used for remote shell (rsh) sessions. This state engine understands the control protocol used by these sessions, including the enabling of the TCP connection used for stderr messages. The rsh service is typically the only service that uses this state engine. The discriminator for the rsh state engine is the port number of the RSH server. This is normally 514.

The rsh state engine has one parameter:

• Lifetime of idle session in seconds - Specifies the lifetime of an idle session (default = 86400 seconds or 24 hours)

sqlnet State Engine

The sqlnet state engine is used for Oracle SQL*Net sessions.

It understands the network protocol used by SQL*Net, including redirected sessions (see "sqlnet Service"). The sqlnet service is typically the only service using the sqlnet state engine. Its discriminator is the port number of the Oracle listener, which is normally TCP port 1521.

The sqlnet service is typically the only service using this state engine.

tcp State Engine

The tcp state engine is used for TCP sessions. This state engine allows simple TCP connections. It cannot handle protocols such as FTP or RSH that have more complicated connection management protocols, especially if they open connections in the reverse direction. In those cases, the appropriate, more specific state engine should be used.

The discriminator for the tcp state engine is the port number of the TCP service.

The tcp state engine has one parameter:

• Lifetime of idle connection in seconds - Specifies the lifetime of an idle connection (default = 86400 seconds or 24 hours)

tcp_keepalive State Engine

The tcp_keepalive state engine is for use with protocols that spend long periods in an idle mode (telnet, for example). This state engine prevents the statetable entry from timing out if no packets are sent for a long time. Some SunScreen services (telnet, rlogin, ssh, X11) use tcp_keepalive by default. tcp_keepalive should be used for any TCP-based service that by its nature can include long periods of idle time.

tcp_keepalive causes the Screen to emit a "fake" keepalive packet to the session's source host, claiming to have been sent by the session's destination host. The keepalive packet is sent a few minutes before the Screen normally would drop the session. If the source host is still alive, it responds with an ACK, which causes the Screen to rejuvenate the session lifetime. The ACK is forwarded to the destination host, which responds if it is still alive. If either host has reset or timed out its end of the connection, it will respond with an RST, which causes the Screen to discard the session.

The tcp_keepalive state engine definition specifies that the first keepalive probe be sent 15 minutes before the session expires. If there is no response, multiple probes are sent, rapidly at first, then slowing: 900, 880, 860, 820, 740, 580, and 260 seconds before the session expires.

---

Caution -

If you use this state engine for a service, it could lead to a connection being left open through the firewall for an extended period of time. Imagine, for example, someone telnets through the firewall, leaves the connection sitting at a prompt, and then goes on vacation for two weeks. Keepalive probes will continue to be successfully sent and the connection will stay open for two weeks.

It is up to the security administrator of the site to determine if use of this state engine is appropriate. Use of this state engine coupled with an inactivity timeout on login sessions would prevent such a situation from occurring and would make the firewall much more transparent to users, as there would be no "hung" sessions. Careful consideration should be given to the tradeoff between risk and convenience.

---

The tcp_keepalive state engine has two parameters:

• Lifetime of idle connection in seconds - Specifies the lifetime of an idle connection (default = 86400 seconds or 24 hours)

• Number of seconds before timeout that keepalive probes start

tcpall State Engine

The tcpall state engine is used for TCP service definitions that specify a large range of ports such as the predefined service tcp all. because it has a lower precedence than tcp, ftp, rsh, or realaudio, it does not override any of those services. Normally, this state engine is only used for the predefined service tcp all.

The discriminator for the tcpall state engine is the port number of the TCP service.

The tcpall state engine has the following parameter:

• Lifetime of idle connection in seconds - Specifies the lifetime of an idle connection (default = 86400 seconds or 24 hours)

udp State Engine

The udp state engine is used for UDP services. It allows one or more responses to a UDP request. The requests are validated to make sure they come from the correct address and port and are sent to the correct address and port. The response source address and port checking can be modified using the parameters below.

The discriminator for the udp state engine is the port number of the UDP service.

The udp state engine has the following parameters:

• Response timeout in seconds - Specifies the amount of time to wait for UDP responses. -1 specifies an infinite response timeout. (Default = 60 seconds).

• Number of responses per request - Specifies the number of expected responses for each request. If the number of response specified is 0, any number of responses can be received and the session terminates only after an idle period when no responses have been received. Never specify both a response time of -1 and 0 for the number of responses per request.

• Flag value - Specifies valid sources for UDP responses.

  • If bit 0x01 is set, the UDP response can come from a different host than the request, which is useful for UDP services on multihomed servers that respond using a different address.

  • If bit 0x02 is set, the UDP response can come from a different port than the request.

  • If both bit 0x02 and bit 0x04 are set, then requests can come from a different port than the request, and subsequent requests can also use that new port. This is useful for handling TFTP servers that sometimes switch ports in mid-session.

udpall State Engine

The udpall state engine is used for UDP services where a large number of ports are specified. It has a lower precedence than the dns and udp state engines and does not override services defined with those state engines. It allows one or more responses to a UDP request. The requests are validated to make sure they come from the correct address and port and are sent to the correct address and port. The response source address and port checking can be modified using the parameters below.

The discriminator for the udpall state engine is the port number of the UDP service.

The udpall state engine has the following parameters:

• Response timeout in seconds - Specifies the amount of time to wait for UDP responses. -1 specifies an infinite response timeout (default = 60 seconds).

• Number of responses per request - Specifies the number of expected responses for each request. If the number of response specified is 0, any number of responses can be received and the session terminates only after an idle period when no responses have been received. Never specify both a response time of -1 and 0 for the number of responses per request.

• Flag value - Specifies valid sources for UDP responses.

  • If bit 0x01 is set, the UDP response can come from a different host than the request, which is useful for UDP services on multihomed servers that respond using a different address.

  • If bit 0x02 is set, the UDP response can come from a different port than the request.

  • If both bit 0x02 and bit 0x04 are set, then requests can come from a different port than the request, and subsequent requests can also use that new port. This is useful for handling TFTP servers that sometimes switch ports in mid-session.

udp_datagram State Engine

The udp_datagram state engine is used for one-way UDP protocols. It allows UDP packets to pass in the forward direction only. It is used for services that send UDP packets in one direction, such as syslog.

The discriminator for the udp_datagram state engine is the port number of the UDP service.

The udp_datagram state engine has no parameters.

udp_stateless State Engine

The udp_stateless state engine is used for stateless UDP session filtering. This engine is included for backwards compatibility with older SunScreen products. It has been replaced in most cases with stateful UDP filtering. Because this engine is stateless UDP packet filtering, services defined using it cannot safely validate that the responses go to the same port as the request.

The discriminator for the udp_stateless state engine is the port number of the UDP service.

The udp_stateless state engine has no parameters.