Service Group

A service group comprises a collection of single services and/or other groups of services. You can group network services together to apply a single rule to multiple network services. "SunScreen Network Service Groups" in Appendix C, Services and State Engines, shows the predefined service groups in SunScreen and the services each includes. Note that not every service is included in a service group.

The predefined common service group, for example, contains the following services: tcp, all, udp all, syslog, dns, rpc all, nfs, prog, icmp all, rip, ftp, rsh, real audio, pmap, udp all, pmap, and tcp all. You can create additional service groups using any combination of the individual network services. A useful group to define might be an "internet services group," consisting of public services such as FTP, email, and WWW.

State engines that you use in describing services come in distinct classes and each class has subclasses. The subclasses form an order for choosing state engines when a rule includes a service group. Table 4-1 below shows state engines in order of preference--the greater the class/subclass number, the higher the preference. If you have a rule that uses a group of state engines, the one with the higher preference is matched.

A state engine that is followed by an asterisk(*) may conflict with another state engine because another state engine is in the same class and subclass.

Table 4-1 State Engine Class and Subclass

State Engine Name	Class	Subclass
nfsro	11	0
nis	10	0
pmap_nis	9	0
pmap_udp	8	0
pmtp_tcp	7	0
realaudio*	4	1
rpc_tcp	6	0
rpc_udp	5	0
rsh*	4	1
sqlnet*	4	1
ftp*	4	1
tcpall	4	0
dns*	3	2
ntp*	3	2
udp_stateless*	3	1
udp_datagram*	3	1
udp*	3	1
udpall	3	0
ping	2	1
icmp	2	0
ipmobile	1	3
iptunnel	1	2
ipfwd	1	1
ip	1	0
ether	0	0

A given service that you have defined manually to contain multiple state engines or in a service group that includes multiple services, can only contain a single state engine in a particular class or subclass for a particular port.