SunScreen 3.2 Administrator's Overview

Policy Rule Matching

The rule compilation process interposes each proxy in the middle of the rules that reference it. In proxy rules, as in other Screen rules, you refer to the originating client and the destination (or backend) server address objects, not to the Screen itself.


Note -

The Screen rule compilation process actually produces two subrules for each proxy-use rule: one that allows the client access to the proxy server program, and one that allows the proxy server program access to the backend servers. These subrules are hidden. They use the same kernel-based stateful filtering mechanism as the other rules on the Screen. The proxies themselves use the original proxy-use rules for their own, more detailed, access control.


In addition to stateful packet filtering within the Screen kernel, each proxy performs additional rule processing to control access. This additional checking enforces end-to-end (client-to-server) address and service matching, as well as user authentication and command restriction.

The general flow of tests that each proxy applies to an access request is described below:

  1. For FTP, Telnet, and (optionally) HTTP proxies: Has the user been properly authenticated?


    Note -

    User authentication occurs only once, regardless of the number of rules configured. Authentication is based upon the user identity and accompanying passwords (if any) supplied by interaction with the client host. See Chapter 9, Authentication.


  2. For each rule configured for a particular proxy:

     a. Is the requested service port one that is handled by the proxy? (The proxy only receives connection requests for the ports on which it has been configured to listen.)

     b. Is the address of the client contained in the set of source addresses for the policy rule?

     c. Is the address of the backend server (if applicable) contained in the set of destination addresses for the policy rule?

     d. For HTTP URL references with specific port numbers: Is the target service port allowed by the proxy?

     e. For FTP, Telnet, and (optionally) HTTP proxies: Is the authenticated user a member of the GROUP proxy user specified in the rule?

As with other Screen rules, the rules are tested in the order in which they appear within the policy. The first rule that matches all tested criteria takes effect for the incoming request for a proxy-provided service. If no rule matches all (applicable) criteria, the requested access is denied.
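The matching flow above, together with the two hidden subrules the compiler derives from each proxy-use rule, as an added Python model. This is illustrative code written for this page, not SunScreen's own implementation: the proxy names, listen ports, address objects, users, GROUP memberships and the rule that HTTP authenticates only when a rule names a GROUP are all assumptions, as are the dictionary shapes used for the compiled subrules. It shows one-time authentication before any rule is consulted, ordered first-match evaluation where every applicable criterion must hold, and default deny when nothing matches.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed model of the proxy rule-matching flow; not SunScreen code.
# All names, ports, addresses, users and groups below are assumptions.

# Ports each proxy is configured to listen on (assumed values).
PROXY_LISTEN_PORTS = {"ftp": {21}, "telnet": {23}, "http": {8080}}
# FTP and Telnet always authenticate; HTTP only when a rule names a GROUP (assumption).
ALWAYS_AUTH = {"ftp", "telnet"}
# Target ports the HTTP proxy accepts in URL references with an explicit port (assumed).
HTTP_URL_PORTS = {80, 443, 8080}
# Proxy user GROUP objects and their members (assumed).
GROUPS = {"admins": {"alice"}, "staff": {"alice", "bob"}}


@dataclass(frozen=True)
class ProxyRule:
    proxy: str                   # which proxy the rule references
    src: tuple[str, ...]         # originating client address objects (CIDR)
    dst: tuple[str, ...]         # backend server address objects (CIDR)
    group: str | None = None     # GROUP the authenticated user must belong to


@dataclass(frozen=True)
class Request:
    proxy: str
    client: str
    backend: str
    port: int                    # port the client connected to on the Screen
    user: str | None = None
    authenticated: bool = False
    url_port: int | None = None  # explicit port in an HTTP URL reference, if any


def in_any(addr: str, nets: tuple[str, ...]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def rule_matches(rule: ProxyRule, req: Request) -> bool:
    """Every applicable criterion (a-e) must hold for the rule to match."""
    if rule.proxy != req.proxy:
        return False
    if req.port not in PROXY_LISTEN_PORTS[req.proxy]:            # a: listen port
        return False
    if not in_any(req.client, rule.src):                         # b: source set
        return False
    if not in_any(req.backend, rule.dst):                        # c: destination set
        return False
    if req.proxy == "http" and req.url_port is not None \
            and req.url_port not in HTTP_URL_PORTS:              # d: URL port
        return False
    if rule.group is not None and req.user not in GROUPS.get(rule.group, set()):
        return False                                             # e: GROUP membership
    return True


def decide(policy: list[ProxyRule], req: Request) -> tuple[bool, int | None]:
    """First rule (in policy order) matching all criteria wins; otherwise deny."""
    # Step 1: authentication is checked once, before any rule is consulted.
    needs_auth = req.proxy in ALWAYS_AUTH or any(
        r.group is not None for r in policy if r.proxy == req.proxy)
    if needs_auth and not req.authenticated:
        return False, None
    # Step 2: walk the rules in order; the first full match takes effect.
    for i, rule in enumerate(policy):
        if rule_matches(rule, req):
            return True, i
    return False, None          # nothing matched every applicable test: deny


def compile_subrules(rule: ProxyRule, screen_addr: str) -> tuple[dict, dict]:
    """The two hidden kernel subrules derived from one proxy-use rule:
    client -> proxy program on the Screen, and proxy program -> backend servers.
    The dictionary layout is an assumption made for this illustration."""
    return (
        {"service": rule.proxy, "from": rule.src, "to": (screen_addr,)},
        {"service": rule.proxy, "from": (screen_addr,), "to": rule.dst},
    )


# Constructed sample policy: an overlapping admin rule placed before a broader staff rule.
POLICY = [
    ProxyRule("ftp", ("10.0.0.0/24",), ("192.0.2.0/24",), group="admins"),
    ProxyRule("ftp", ("10.0.0.0/16",), ("192.0.2.0/24",), group="staff"),
    ProxyRule("http", ("10.0.0.0/16",), ("0.0.0.0/0",)),
]

if __name__ == "__main__":
    alice = Request("ftp", "10.0.0.5", "192.0.2.7", 21, user="alice", authenticated=True)
    bob = Request("ftp", "10.0.0.5", "192.0.2.7", 21, user="bob", authenticated=True)
    print(decide(POLICY, alice), decide(POLICY, bob))   # first match differs by GROUP
    print(compile_subrules(POLICY[0], "10.0.0.1"))
```

Because evaluation is first-match, swapping the two FTP rules would make alice match the broader staff rule instead of the admin rule; ordering is part of the policy's meaning, not just its presentation.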