SunScreen 3.2 Administrator's Overview

TCP Services

SunScreen screens TCP services by destination port numbers. Most common TCP services are already defined in the service entries supplied with SunScreen.

To define a new TCP service, define a new service entry specifying the tcp filter state system. Specify the destination TCP port or ports of the service you wish to pass. If you specify * for the port, the service will pass all TCP services regardless of port. Note that some services, such as FTP and RSH, cannot be passed in this way. They are not simple TCP protocols. They make additional connections in the reverse direction. These services must be specified as separate services if you wish to pass them.

The tcp state engine times out unused and silent connections five hours after a connection has been established. Once the state entry is gone, some systems keep retransmitting on the stale connection until they receive an error telling them the TCP connection has been terminated. To have SunScreen send such a system an ICMP rejection message instead of silently dropping the retransmissions, configure a rule using the tcp service, especially on your internal interfaces.

For example, the following rule allows telnet connections to be made from Inside systems to Outside systems.

Service    Source    Destination    Action
telnet     Inside    Outside        allow
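The following Python model is an added illustration and is not code from the SunScreen documentation or product. It simulates the behaviour this section describes: a service matches by destination TCP port (with * meaning any port), an established connection passes traffic in both directions, a silent connection is forgotten after five hours, and a reverse-direction connection such as FTP data is not covered by a simple tcp service. It assumes first-match rule ordering and uses a "reject" action to stand for the ICMP rejection; the host and address-group names are constructed.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 5 * 3600  # the tcp state engine drops silent connections after five hours

@dataclass(frozen=True)
class Rule:
    ports: frozenset   # destination ports of the service; {"*"} means any TCP port
    src: str           # source address group, e.g. "Inside"
    dst: str           # destination address group, e.g. "Outside"
    action: str        # "allow", or "reject" (models sending an ICMP rejection)

@dataclass
class TcpFilter:
    rules: list                                   # first matching rule wins (assumption)
    zone_of: dict                                 # host -> address group name (constructed)
    state: dict = field(default_factory=dict)     # (src, sport, dst, dport) -> last seen

    def _expire(self, now):
        for conn, seen in list(self.state.items()):
            if now - seen > IDLE_TIMEOUT:
                del self.state[conn]

    def packet(self, now, shost, sport, dhost, dport):
        self._expire(now)
        fwd, rev = (shost, sport, dhost, dport), (dhost, dport, shost, sport)
        for conn in (fwd, rev):                   # an established connection passes both ways
            if conn in self.state:
                self.state[conn] = now
                return "pass"
        for r in self.rules:                      # otherwise match a rule by destination port
            if (r.src == self.zone_of[shost] and r.dst == self.zone_of[dhost]
                    and ("*" in r.ports or dport in r.ports)):
                if r.action == "allow":
                    self.state[fwd] = now         # new connection: create state
                    return "pass"
                return r.action
        return "drop"                             # no state and no rule: silent drop

def scenario():
    fw = TcpFilter(
        rules=[Rule(frozenset({23}), "Inside", "Outside", "allow"),      # telnet
               Rule(frozenset({21}), "Inside", "Outside", "allow"),      # ftp control port only
               Rule(frozenset({"*"}), "Outside", "Inside", "reject")],   # tcp service, port *
        zone_of={"pc": "Inside", "srv": "Outside"})
    return [
        fw.packet(0, "pc", 40000, "srv", 23),                      # telnet opens: pass
        fw.packet(10, "srv", 23, "pc", 40000),                     # reply on same connection: pass
        fw.packet(20, "srv", 23, "pc", 40001),                     # unsolicited from Outside: reject
        fw.packet(30, "pc", 40002, "srv", 21),                     # ftp control: pass
        fw.packet(40, "srv", 20, "pc", 40003),                     # ftp data, reverse direction: reject
        fw.packet(10 + IDLE_TIMEOUT + 1, "srv", 23, "pc", 40000),  # retransmit after 5h idle: reject
    ]
```

The last packet shows why the section recommends a tcp-service rule on internal interfaces: without the port-* reject rule it would fall through to a silent "drop" and the sender would keep retransmitting.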