SunScreen in stealth mode can pass non-IP Ethernet frames between its interfaces. It cannot filter these frames on their content, but it can pass (or drop) them based on the frame "type," and it can control which interfaces the frames are allowed to enter and leave.
To pass non-IP traffic you need to define a new service entry using the ether state engine, specifying the type of protocol you wish to pass. The discriminator for the ether state engine is the frame type number in decimal.
The location of the value that you specify in the type field within the Ethernet packet depends on the Ethernet frame type. The following four Novell frame type designations, described below, are in common use:
Ethernet II -- Common name: Ethernet
Ethernet 802.3 -- Common name: "Raw" 802.3
Ethernet 802.2 -- Common name: 802.3
Ethernet SNAP -- Common name: 802.3/SNAP or 802.3/802.2/SNAP
Ethernet II is the most common frame type and is used for TCP/IP as well as many other protocols. Ethernet type 0x8137 is used by IPX.
| Destination Address | Source Address | Ethernet Type | Network Protocol Packet |
|---|---|---|---|
| 6 bytes (offsets 0-5) | 6 bytes (offsets 6-11) | 2 bytes (offsets 12-13) | up to 1500 bytes (offsets 14-1513) |
Ethernet 802.3 has no protocol ID and can only carry IPX packets. It is distinguishable from Ethernet 802.2 only because the first 2 bytes of every IPX packet carried on Ethernet 802.3 must be all ones, a value that makes no sense in Ethernet 802.2. "Raw" 802.3 was the default frame type for NetWare software until NetWare v4.0 was released.
| Destination Address | Source Address | Length | IPX Packet |
|---|---|---|---|
| 6 bytes (offsets 0-5) | 6 bytes (offsets 6-11) | 2 bytes (offsets 12-13) | up to 1500 bytes (offsets 14-1513); the first two bytes are 0xFF 0xFF |
Note that the 802.2 header is implied by the 802.3 standard. Ethernet 802.2 is also known as 802.3/802.2, to distinguish it from "raw" 802.3. It is used for OSI packets on 802.3 networks and is the default frame type for the NetWare v4.0 release. Values in parentheses in the table below are the values used by IPX.
| Destination Address | Source Address | Length | DSAP (E0) | SSAP (E0) | Control (03) | Network Packet |
|---|---|---|---|---|---|---|
| 6 bytes (offsets 0-5) | 6 bytes (offsets 6-11) | 2 bytes (offsets 12-13) | 1 byte (offset 14) | 1 byte (offset 15) | 1 byte (offset 16) | up to 1497 bytes (offsets 17-1513) |
Ethernet SNAP is an extension to 802.2, indicated by a SAP value of 0xAA. Ethernet SNAP is used by AppleTalk and is almost never used for IPX. Values in parentheses in the table below are the values used by IPX.
| Destination Address | Source Address | Length | DSAP (0xAA) | SSAP (0xAA) | Control (0x03) | SNAP Header (00 00 00 81 37) | Network Packet |
|---|---|---|---|---|---|---|---|
| 6 bytes (offsets 0-5) | 6 bytes (offsets 6-11) | 2 bytes (offsets 12-13) | 1 byte (offset 14) | 1 byte (offset 15) | 1 byte (offset 16) | 5 bytes (offsets 17-21) | up to 1492 bytes (offsets 22-1513) |
SunScreen checks the type field as follows:
For Ethernet II packets, the type field specifies the value of the Ethernet type field, located at offset 12 from the beginning of the packet. Any packet whose Ethernet type field is set to a value greater than 1526 is considered an Ethernet II packet. The range of applicable values for type is 1527 through 65536.
For other Ethernet packets, the values of the DSAP and SSAP are examined; they are located at offsets 14 and 15 from the beginning of the packet. If the DSAP and SSAP are both 0xAA, the packet is assumed to be an Ethernet SNAP packet. For SNAP packets, the type field specifies the value of the Ethernet type field located in the SNAP header at offset 20 from the beginning of the packet. The range of type values is 0 through 65536.
If the DSAP and SSAP are not 0xAA, the type field specifies the value of the DSAP field, located at offset 14. The range of type values is 0 to 169 and 171 to 255; 170 (0xAA) is not allowed.
Imagine you want to pass IPX packets between HOST A and HOST C in the figure below:
You have determined that the frame types used by these systems are 33079 and 33080 (0x8137 and 0x8138 in hex).
Create and save new services using the ether state engine for each of these frame types. Create a service group (call it "ipx," for example) containing both of these services.
The ether state engine takes a decimal value for type.
Pick an IP host on the qe2 interface and an IP host on the qe1 interface and create an address list called "qe1andqe2."
If you have defined interface objects for qe1 and qe2 (which you should do for anti-spoofing) these could be combined into a list called "qe1andqe2."
Define a rule:
Service: ipx
Source: qe1andqe2
Destination: qe1andqe2
Action: normal
This rule passes all frames with the specified types between the qe1 and qe2 interfaces. That is, a frame from any host on the network attached to qe2 (Host B, for example) will get passed to the network attached to qe1, if the type matches.
Note that there is no logging with the ether state engine, even if LOG_DETAIL is in the rule, because all SunScreen logging starts at the IP layer and there is no IP layer here.
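The following Python example is added here to show how the type-check rules above (Ethernet II, SNAP, and DSAP-based classification) would be applied to the four frame layouts, and how a service group such as the "ipx" group of types 33079 and 33080 matches or misses each one. It is not SunScreen code; the frame bytes, MAC addresses and function names are constructed for illustration, and the 1526 threshold is the value the text states.

```python
import struct

# Field offsets taken from the frame-layout tables on this page.
TYPE_OR_LENGTH_OFFSET = 12   # 2-byte Ethernet type (Ethernet II) or length (802.3)
DSAP_OFFSET = 14
SSAP_OFFSET = 15
SNAP_TYPE_OFFSET = 20        # last 2 bytes of the 5-byte SNAP header (offsets 17-21)
SNAP_SAP = 0xAA

# Threshold as stated in the text: a type/length value greater than 1526 means Ethernet II.
ETHERNET_II_THRESHOLD = 1526


def classify_frame(frame: bytes):
    """Return (frame_kind, discriminator) for an Ethernet frame.

    frame_kind is 'ethernet_ii', 'snap', 'raw_802.3' or '802.2' (names chosen here);
    discriminator is the decimal value the ether state engine compares against a
    service's type field, taken from the field the text names for that kind of frame.
    """
    if len(frame) < 14:
        raise ValueError("truncated frame: no complete Ethernet header")
    (type_or_length,) = struct.unpack_from("!H", frame, TYPE_OR_LENGTH_OFFSET)
    if type_or_length > ETHERNET_II_THRESHOLD:
        return "ethernet_ii", type_or_length
    if len(frame) < 16:
        raise ValueError("truncated 802.3 frame: DSAP/SSAP missing")
    dsap, ssap = frame[DSAP_OFFSET], frame[SSAP_OFFSET]
    if dsap == SNAP_SAP and ssap == SNAP_SAP:
        if len(frame) < 22:
            raise ValueError("truncated SNAP frame: SNAP header missing")
        (snap_type,) = struct.unpack_from("!H", frame, SNAP_TYPE_OFFSET)
        return "snap", snap_type
    # Not SNAP: the DSAP byte is the discriminator. A "raw" 802.3 IPX frame has no
    # LLC header, so its first two payload bytes (0xFF 0xFF) occupy the DSAP/SSAP
    # positions and the discriminator the engine sees is 255.
    kind = "raw_802.3" if (dsap, ssap) == (0xFF, 0xFF) else "802.2"
    return kind, dsap


def rule_passes(frame: bytes, service_group: set) -> bool:
    """True if the frame's discriminator matches one of the service types in the group."""
    _, discriminator = classify_frame(frame)
    return discriminator in service_group


# --- constructed sample frames (not captured traffic) ---
DST = bytes.fromhex("000000000001")        # constructed MAC addresses
SRC = bytes.fromhex("000000000002")
IPX_PAYLOAD = b"\xff\xff" + b"\x00" * 28   # constructed: IPX packet starting with 0xFFFF


def _header(type_or_length: int) -> bytes:
    return DST + SRC + struct.pack("!H", type_or_length)


ETHERNET_II_IPX = _header(0x8137) + IPX_PAYLOAD
RAW_8023_IPX = _header(len(IPX_PAYLOAD)) + IPX_PAYLOAD
LLC_8022_IPX = _header(3 + len(IPX_PAYLOAD)) + bytes([0xE0, 0xE0, 0x03]) + IPX_PAYLOAD
SNAP_IPX = (_header(8 + len(IPX_PAYLOAD)) + bytes([0xAA, 0xAA, 0x03])
            + bytes.fromhex("0000008137") + IPX_PAYLOAD)

# The "ipx" service group from the text: ether services with types 33079 and 33080.
IPX_SERVICE_GROUP = {33079, 33080}

if __name__ == "__main__":
    samples = [("Ethernet II", ETHERNET_II_IPX), ("raw 802.3", RAW_8023_IPX),
               ("802.2", LLC_8022_IPX), ("SNAP", SNAP_IPX)]
    for name, frame in samples:
        kind, disc = classify_frame(frame)
        print(f"{name:12s} -> {kind:12s} type={disc:5d} "
              f"passes ipx rule: {rule_passes(frame, IPX_SERVICE_GROUP)}")
```

Running it shows that only the Ethernet II and SNAP frames carry discriminator 33079 and are passed by the "ipx" group; by the rules stated above, the raw 802.3 and 802.2 IPX frames present discriminators 255 and 224 and would need their own ether services to be passed. Since a frame whose type matches is forwarded without any content inspection and without logging, keep the service group limited to the frame types the hosts actually use.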