SunScreen 3.2 Administrator's Overview

ip Services

The ip all service is provided for backward compatibility with previous SunScreen products. You can achieve better performance by using either the ip forward (for IP traffic in one direction) or the ip tunnel (for IP traffic in both directions) services instead.

Example of the old method using ip all:

    "ip all" host1 host2 allow
    "ip all" host2 host1 allow

Example of the new method using ip tunnel:

    "ip tunnel" host1 host2 allow

The ip mobile service is provided for use with mobile, remote clients. Like the ip tunnel service, ip mobile passes all IP traffic between a pair of addresses. Unlike the ip tunnel service, however, a rule specifying ip mobile forces the first connection to be made from the mobile client (a system with one of the addresses in Source Address).

Generally, ip mobile is used for SKIP-encrypted connections with the SKIP identity providing the authentication and access control. For example:

    "ip mobile" Internet Mailhost SKIP-VERSION2

SunScreen can filter IP packets by IP protocol type alone. This is useful in special situations such as passing non-TCP/UDP protocols or when data are being encrypted.

If you want a Screen to pass IP packets by protocol type, you define a new service using either the ip, ip tunnel, ip mobile, or ip fwd state engine. Specify the protocol of the packets you wish to pass in decimal notation. If you specify * for the protocol, the service will pass all IP packets regardless of protocol type.

There are several predefined services included, such as skip (IP protocols 79 and 57), ip tunnel, ip mobile, and ip fwd.


Caution -

Using one of the state engines with a protocol specification of * (any protocol) can be dangerous, because any traffic would be allowed. State engines should be used only in special cases or when the data are part of an encrypted tunnel.
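The following is an added illustration, not SunScreen code: a small Python model of the rule semantics described above (ip forward passes one direction, ip tunnel both, ip mobile both but only after the mobile client has opened the first connection, and a service's protocol field selects which IP protocol numbers a rule admits). The engine names, the Packet and Rule classes, the default-deny result when no rule matches, and the treatment of "first connection" as the first packet seen from the mobile client are all assumptions of this model. Its purpose is to make the caution concrete: count_protocols_allowed shows that a service defined with protocol * admits every one of the 256 IP protocol numbers, whereas a service pinned to one protocol admits exactly one.

```python
# Added illustration of the SunScreen rule semantics described in this page.
# NOT SunScreen's own code; engine names, classes and the default-deny result
# are assumptions made for the model.
from dataclasses import dataclass, field

ANY = "*"  # protocol wildcard, as in the "*" protocol specification above


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int  # IP protocol number in decimal (6 = TCP, 57 and 79 = SKIP)


@dataclass
class Rule:
    engine: str  # assumed names: "ip_forward", "ip_tunnel" or "ip_mobile"
    proto: object  # an int, or ANY for "*"
    src: str  # Source Address of the rule
    dst: str  # Destination Address of the rule
    action: str = "allow"


@dataclass
class Screen:
    rules: list
    # (src, dst) pairs for which a mobile client has already made the first connection
    mobile_sessions: set = field(default_factory=set)

    @staticmethod
    def _proto_match(rule, pkt):
        return rule.proto == ANY or rule.proto == pkt.proto

    def decide(self, pkt):
        """Return the action of the first matching rule, or "deny" (assumed default)."""
        for r in self.rules:
            if not self._proto_match(r, pkt):
                continue
            forward = (pkt.src, pkt.dst) == (r.src, r.dst)
            reverse = (pkt.src, pkt.dst) == (r.dst, r.src)
            if r.engine == "ip_forward" and forward:
                return r.action  # one direction only
            if r.engine == "ip_tunnel" and (forward or reverse):
                return r.action  # both directions
            if r.engine == "ip_mobile":
                if forward:
                    # first connection must come from the mobile client (rule source)
                    self.mobile_sessions.add((r.src, r.dst))
                    return r.action
                if reverse and (r.src, r.dst) in self.mobile_sessions:
                    return r.action
        return "deny"


def count_protocols_allowed(rule):
    """How many of the 256 IP protocol numbers a single rule admits in its forward direction."""
    screen = Screen([rule])
    return sum(
        1 for p in range(256)
        if screen.decide(Packet(rule.src, rule.dst, p)) == "allow"
    )


if __name__ == "__main__":
    wildcard = Rule("ip_tunnel", ANY, "host1", "host2")
    skip_only = Rule("ip_tunnel", 57, "host1", "host2")
    print("protocols admitted by '*':", count_protocols_allowed(wildcard))
    print("protocols admitted by 57:", count_protocols_allowed(skip_only))
```

Running the block prints 256 for the wildcard rule and 1 for the rule pinned to protocol 57, which is the practical content of the caution: a * service is only as safe as whatever encrypted tunnel or special case it is reserved for.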


The predefined IP services do not pass broadcast traffic. To pass broadcast traffic, you must define a new service or add broadcast to the predefined service.