SunScreen 3.2 Administrator's Overview

add rule

add rule "name_SERVICE" "name_ADDRESS" "name_ADDRESS"

Appends the rule to the end of the policy's rule list; the first address is the source and the second the destination. Because rules are evaluated in order, use insert rule instead when a new rule must be positioned at a particular point within an existing policy.

The following fields are optional and can be specified in any order after the rule keyword:

ALLOW {default if no ACTION specified}

DENY

LOG NONE {also LOG_NONE, default if no LOG is specified}

LOG SUMMARY {also LOG_SUMMARY}

LOG DETAIL {also LOG_DETAIL}

LOG SESSION {also LOG_SESSION; only valid for ALLOW rules, an error for DENY}

SNMP {"on" if present, "off" otherwise}

USER "name_USER" {required if PROXY_FTP or PROXY_Telnet is set (see below); optional if PROXY_HTTP is set; otherwise not allowed}

TIME "name_TIME"

SCREEN "name_SCREEN"

COMMENT "comment string"

At most one of the following combo-fields may be given, and only in a rule that has ALLOW specified. It can be specified anywhere after the rule keyword:

SKIP_VERSION_1 "name_CERTIFICATE" "name_CERTIFICATE" "name_KEY_ALGORITHM" "name_DATA_ALGORITHM"

SKIP_VERSION_2 "name_CERTIFICATE" "name_CERTIFICATE" "name_KEY_ALGORITHM" "name_DATA_ALGORITHM" "name_MAC_ALGORITHM" "name_COMPRESSION_ALGORITHM"

IPSEC SYMMETRIC AH(ah_spi_value, "name_AUTHENTICATION_ALGORITHM", "name_KEY")

IPSEC SYMMETRIC AH(ah_spi_value, "name_AUTHENTICATION_ALGORITHM", "name_KEY") ESP( esp_spi_value, "name_ENCRYPTION_ALGORITHM", "name_KEY")

IPSEC SYMMETRIC ESP(esp_spi_value, "name_ENCRYPTION_ALGORITHM", "name_KEY", "name_AUTHENTICATION_ALGORITHM", "name_KEY")

IPSEC FORWARD AH(ah_spi_value, "name_AUTHENTICATION_ALGORITHM", "name_KEY") ESP( esp_spi_value, "name_ENCRYPTION_ALGORITHM", "name_KEY") REVERSE AH(ah_spi_value, "name_AUTHENTICATION_ALGORITHM", "name_KEY") ESP( esp_spi_value, "name_ENCRYPTION_ALGORITHM", "name_KEY")

IPSEC IKE( "name_ENCRYPTION_ALGORITHM", "name_AUTHENTICATION_ALGORITHM", OAKLEY_GROUP, "name_AUTHENTICATION_METHOD", "name_CERTIFICATE", "name_CERTIFICATE")

IPSEC IKE( "name_ENCRYPTION_ALGORITHM", "name_AUTHENTICATION_ALGORITHM", OAKLEY_GROUP, PRE-SHARED, "name_KEY")

The first three IPSEC SYMMETRIC forms (those with SPI values) specify manual keying with the same keys used in both directions. The FORWARD/REVERSE form is also manually keyed but asymmetric: AH and ESP are specified separately for each direction. The last two IPSEC forms use Internet Key Exchange (IKE); the first of them authenticates with certificates, the last with a pre-shared key. For either IKE form, exactly one of the following three data security parameter options (phase 2 transforms) must also be specified. It may be given after the IPSEC keyword:

AH( "name_AUTHENTICATION_ALGORITHM" )

AH( "name_AUTHENTICATION_ALGORITHM" ) ESP( "name_ENCRYPTION_ALGORITHM" )

ESP( "name_ENCRYPTION_ALGORITHM", "name_AUTHENTICATION_ALGORITHM" )

The following fields are optional and only valid within a SKIP_VERSION_1, SKIP_VERSION_2, or IPSEC combo-field. They can be specified in any order after the combo-field:

SOURCE_TUNNEL "name_ADDRESS"

DESTINATION_TUNNEL "name_ADDRESS"

One or both of the following fields must be specified in conjunction with either IPsec manual keying or IKE pre-shared keying. They indicate to the SunScreen compiler the (encryption) role being played by a given Screen. They can be specified in any order after the IPSEC combo-field. Tip: when in doubt, completely specify both Screen roles:

SOURCE_SCREEN name_SCREEN

DESTINATION_SCREEN name_SCREEN

For IKE with certified keying material, the Screen roles are determined automatically, by determining which certificate (source or destination) is local to the Screen for which a policy is being compiled. If both source and destination certificates are (or contain) local entities, the *_SCREEN option may be used to disambiguate roles.

The following field is optional and only valid in a rule that has DENY specified. It can be specified anywhere after the rule keyword:

ICMP NONE {also ICMP_NONE, default if nothing is specified}

ICMP NET_UNREACHABLE {also ICMP_NET_UNREACHABLE}

ICMP HOST_UNREACHABLE {also ICMP_HOST_UNREACHABLE}

ICMP PORT_UNREACHABLE {also ICMP_PORT_UNREACHABLE}

ICMP NET_FORBIDDEN {also ICMP_NET_FORBIDDEN}

ICMP HOST_FORBIDDEN {also ICMP_HOST_FORBIDDEN}

The following field is optional and only valid in a rule that has ALLOW specified and no SKIP, IKE, IPsec, or proxy information. It can be specified anywhere after the rule keyword:

VPN "name_VPN"

The following fields are optional and only valid in a rule that specifies no SKIP, IKE, or IPsec information and no VPN. They can be specified anywhere after the rule keyword. Only one of them can be specified in a given rule.

PROXY_FTP

PROXY_HTTP

PROXY_SMTP

PROXY_Telnet

The following fields are optional and only valid in a rule that has specified PROXY_FTP. They can be specified anywhere after the PROXY_FTP keyword:

FTP_GET

NO_FTP_GET {default if FTP_GET not specified}

FTP_PUT

NO_FTP_PUT {default if FTP_PUT not specified}

FTP_CHDIR

NO_FTP_CHDIR {default if FTP_CHDIR not specified}

FTP_MKDIR

NO_FTP_MKDIR {default if FTP_MKDIR not specified}

FTP_RENAME

NO_FTP_RENAME {default if FTP_RENAME not specified}

FTP_REMOVE_DIR

NO_FTP_REMOVE_DIR {default if FTP_REMOVE_DIR not specified}

FTP_DELETE

NO_FTP_DELETE {default if FTP_DELETE not specified}

FTP_ALL {same as FTP_GET FTP_PUT FTP_CHDIR FTP_MKDIR FTP_RENAME FTP_REMOVE_DIR FTP_DELETE}

NO_FTP_ALL {default if no FTP options are present}

The following fields are optional and only valid in a rule that has specified PROXY_HTTP. They can be specified anywhere after the PROXY_HTTP keyword:

COOKIES

NO_COOKIES {default if COOKIES not specified}

ACTIVE_X

NO_ACTIVE_X {default if ACTIVE_X not specified}

SSL

NO_SSL {default if SSL not specified}

JAVA_SIGNATURE

JAVA_HASH

JAVA_SIGNATURE_HASH

JAVA

NO_JAVA {default if no other JAVA setting is specified}

HTTP_ALL {same as ACTIVE_X COOKIES JAVA SSL}

NO_HTTP_ALL {default if no HTTP options are present}

The following fields are optional and only valid in a rule that has specified PROXY_SMTP. They can be specified anywhere after the PROXY_SMTP keyword:

RELAY

NO_RELAY {default if RELAY not specified}
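The compatibility constraints above (LOG SESSION only on ALLOW, ICMP responses only on DENY, USER required for the FTP and Telnet proxies, VPN and proxies exclusive of each other and of SKIP/IPsec, proxy options tied to their proxy, and the *_SCREEN roles required for manual-key and pre-shared IKE rules) are easy to violate when a policy is generated by script rather than typed. The following linter is an added example, not SunScreen code: it tokenizes add rule lines and reports which of this section's constraints each one breaks, so a generated policy can be checked before it is pasted into ssadm edit. The object and algorithm names in the sample rules ("ftp", "inside", "screen_a", "3des", and so on) are constructed placeholders, not names the page defines.

```python
"""Pre-flight lint for SunScreen 3.2 ``add rule`` lines.

Added example, not SunScreen code: it encodes the field-compatibility rules
listed in this section so a generated policy can be checked before it is
pasted into ``ssadm edit``.  Object and algorithm names in the sample rules
("ftp", "inside", "screen_a", "3des", ...) are constructed, not from the page.
"""
import re

TOKEN = re.compile(r'"[^"]*"|[A-Za-z][A-Za-z0-9_\-]*|\d+|[(),]')
CRYPTO = {"SKIP_VERSION_1", "SKIP_VERSION_2", "IPSEC"}  # combo-fields, ALLOW only
PROXIES = {"PROXY_FTP", "PROXY_HTTP", "PROXY_SMTP", "PROXY_Telnet"}
LOG_OPTS = {"NONE", "SUMMARY", "DETAIL", "SESSION"}
ICMP_OPTS = {"NONE", "NET_UNREACHABLE", "HOST_UNREACHABLE", "PORT_UNREACHABLE",
             "NET_FORBIDDEN", "HOST_FORBIDDEN"}
FTP_OPTS = {p + "FTP_" + o for p in ("", "NO_") for o in
            ("GET", "PUT", "CHDIR", "MKDIR", "RENAME", "REMOVE_DIR", "DELETE", "ALL")}
HTTP_OPTS = {"COOKIES", "NO_COOKIES", "ACTIVE_X", "NO_ACTIVE_X", "SSL", "NO_SSL", "JAVA",
             "NO_JAVA", "JAVA_SIGNATURE", "JAVA_HASH", "JAVA_SIGNATURE_HASH",
             "HTTP_ALL", "NO_HTTP_ALL"}
SMTP_OPTS = {"RELAY", "NO_RELAY"}
ENDPOINTS = {"SOURCE_TUNNEL", "DESTINATION_TUNNEL", "SOURCE_SCREEN", "DESTINATION_SCREEN"}


def tokenize(line):
    # Split a rule line; fold 'LOG SESSION' / 'ICMP NET_FORBIDDEN' into the one-word aliases.
    toks, out, i = TOKEN.findall(line), [], 0
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if (t == "LOG" and nxt in LOG_OPTS) or (t == "ICMP" and nxt in ICMP_OPTS):
            out.append(t + "_" + nxt)
            i += 2
        else:
            out.append(t)
            i += 1
    return out


def validate_rule(line):
    """Return the constraint violations for one rule line; [] means it passes."""
    toks = tokenize(line)
    if toks[:2] != ["add", "rule"] or len(toks) < 5 or not all(t.startswith('"') for t in toks[2:5]):
        return ['rule must start: add rule "service" "source_address" "destination_address"']
    kw = set(toks[5:])                                    # every field after the addresses
    action = "DENY" if "DENY" in kw else "ALLOW"          # ALLOW is the default action
    crypto, proxies = kw & CRYPTO, kw & PROXIES
    icmp = any(k.startswith("ICMP_") for k in kw)
    ike = "IPSEC" in kw and "IKE" in kw
    checks = [
        ("LOG_SESSION" in kw and action == "DENY", "LOG SESSION is only valid for ALLOW rules"),
        (icmp and action == "ALLOW", "ICMP response options are only valid for DENY rules"),
        (crypto and action == "DENY", "SKIP/IPSEC combo-fields are only valid with ALLOW"),
        (len(crypto) > 1, "only one SKIP/IPSEC combo-field per rule"),
        (len(proxies) > 1, "only one PROXY_* field per rule"),
        (proxies and crypto, "a proxy rule cannot carry SKIP/IKE/IPsec information"),
        ("VPN" in kw and (action == "DENY" or crypto or proxies),
         "VPN requires ALLOW and no SKIP/IKE/IPsec/proxy fields"),
        ("USER" in kw and not proxies & {"PROXY_FTP", "PROXY_Telnet", "PROXY_HTTP"},
         "USER is only allowed with PROXY_FTP, PROXY_Telnet or PROXY_HTTP"),
        ("USER" not in kw and proxies & {"PROXY_FTP", "PROXY_Telnet"},
         "USER is required for PROXY_FTP and PROXY_Telnet"),
        (kw & ENDPOINTS and not crypto, "*_TUNNEL and *_SCREEN fields need a SKIP or IPSEC combo-field"),
        (ike and not kw & {"AH", "ESP"}, "IKE forms need a phase 2 transform: AH, AH+ESP or ESP"),
        ("IPSEC" in kw and (not ike or "PRE-SHARED" in kw)
         and not kw & {"SOURCE_SCREEN", "DESTINATION_SCREEN"},
         "manual-key and IKE pre-shared rules need SOURCE_SCREEN and/or DESTINATION_SCREEN"),
    ]
    problems = [msg for cond, msg in checks if cond]
    # Proxy-specific options are only valid together with their own PROXY_* field.
    for opts, owner in ((FTP_OPTS, "PROXY_FTP"), (HTTP_OPTS, "PROXY_HTTP"), (SMTP_OPTS, "PROXY_SMTP")):
        stray = kw & opts
        if stray and owner not in kw:
            problems.append(" ".join(sorted(stray)) + " only valid with " + owner)
    return problems


# Constructed sample rules, one per field group on this page; each should pass.
SAMPLE_RULES = [
    'add rule "ftp" "inside" "outside" ALLOW LOG SESSION COMMENT "outbound ftp"',
    'add rule "telnet" "outside" "inside" DENY LOG DETAIL ICMP HOST_FORBIDDEN SNMP',
    'add rule "smtp" "inside" "partner" ALLOW IPSEC IKE("3des", "sha1", 2, PRE-SHARED, "psk1") '
    'ESP("3des", "sha1") SOURCE_TUNNEL "screen_a" DESTINATION_TUNNEL "screen_b" '
    'SOURCE_SCREEN screen_a DESTINATION_SCREEN screen_b',
    'add rule "ftp" "inside" "outside" ALLOW PROXY_FTP USER "ftpusers" FTP_GET FTP_CHDIR',
    'add rule "http" "inside" "outside" ALLOW PROXY_HTTP COOKIES SSL NO_ACTIVE_X JAVA_SIGNATURE',
    'add rule "smtp" "outside" "mailhost" ALLOW LOG SUMMARY PROXY_SMTP NO_RELAY',
]
# Constructed rules that each break a constraint from the page; each should fail.
BAD_RULES = [
    'add rule "ftp" "inside" "outside" DENY LOG SESSION',
    'add rule "http" "inside" "outside" ALLOW ICMP PORT_UNREACHABLE',
    'add rule "ftp" "inside" "outside" ALLOW PROXY_FTP FTP_ALL',
    'add rule "http" "inside" "outside" ALLOW PROXY_HTTP VPN "corp"',
    'add rule "telnet" "inside" "outside" ALLOW USER "staff"',
    'add rule "smtp" "a" "b" ALLOW IPSEC IKE("3des", "sha1", 2, PRE-SHARED, "k")',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES + BAD_RULES:
        problems = validate_rule(rule)
        print(("OK  " if not problems else "BAD ") + rule)
        for p in problems:
            print("      - " + p)
```

The checker is deliberately keyword-based: it does not parse the AH/ESP/IKE argument lists or confirm that the quoted names exist as policy objects, which the SunScreen compiler does when the policy is compiled. Its value is catching the cross-field mistakes listed in this section early, in a form that can run against a whole generated policy file one line at a time.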