SunScreen command-line reference

This is a quick page for people who want or need to administer a SunScreen firewall from the command line rather than through the slow, buggy Java interface. SunScreen (Lite version) ships with the Solaris 8 media these days, so everyone has it available. It's on CD 2 of 2, under Products/EA/

It's up to you to set it up initially. That's not difficult: running the installer does pretty much everything you need. Just don't pick the "permissive" option when it asks how secure you want the firewall to start; begin with the restrictive choice and add ALLOW rules for the traffic you actually need.

This page only addresses filtering. It does not address NAT control on the command line, at this time.

Preparation

The first thing you will want to do is adjust your PATH and MANPATH appropriately:
PATH=$PATH:/opt/SUNWicg/SunScreen/bin
MANPATH=$MANPATH:/opt/SUNWicg/SunScreen/man
You should now be able to run "man ssadm", which will walk you through everything covered here if you read enough of the sub-pages. This page serves as a quick reference.


Firewall policies

A 'policy' is a named set of filtering rules. You can have different policies for different occasions. For example, if you need to switch to pure "outbound-only" access on a regular basis, you can have a policy called "outboundonly". You can then enable that policy with the command
# ssadm activate outboundonly
To check which policy is currently active, use
# ssadm active
Your main interface to SunScreen will be the policy editor, entered with a single command:
# ssadm edit policyname

This will put you into a special command-line tool for adjusting policies.


In the policy "editor"

Once you are at the edit> prompt, the commands you will use most are "list" and "add", shown below. Edits are made to the named policy and do not touch the running filter: save them in the editor and then re-run "ssadm activate policyname" before expecting packets to be treated differently. Sample output from listing the rules:

edit> list rules
1 "common" "localhost" "*" ALLOW COMMENT firewall access out
2 "ssh" "iprb0.net" "mybox_iprb0" ALLOW

The format for rule table output is predictable:

Rule  Service   Source       Dest           Action  Comment
1     "common"  "localhost"  "*"            ALLOW   COMMENT "firewall access out"
2     "ssh"     "iprb0.net"  "mybox_iprb0"  ALLOW

Everything after the action is optional: logging modifiers (see "More fun with rules") come first, then COMMENT and the comment text.

You can also use the "list" command to get more details on any object, as long as you preface it with the object type.

edit> list service www    
"www" SINGLE FORWARD "tcp" PORT 80

edit> list address iprb0.net
"iprb0.net" RANGE 10.1.1.0 10.1.1.255

edit> list address mybox_iprb0
"mybox_iprb0" GROUP { } { }

Note that the "iprb0.net" address object was created automatically: at install time SunScreen sets up a NIC object and a network object for each interface it finds. mybox_iprb0 refers to the ethernet adapter on mybox, and iprb0.net refers to the network range for that adapter.

Note that if you change the netmask of a network adapter on a SunScreen box, you may have to adjust the corresponding network object(s) in the SunScreen config by hand. The NIC object, however, is special: it carries no address of its own, and SunScreen adjusts it to whatever address the NIC currently has. Similarly, "localhost" is a SunScreen address object standing for the screen (the firewall host) itself; it is NOT the 'localhost' entry in /etc/hosts. That is why rule 1 above lets the firewall's own traffic out.

For this auto-addressing to work properly, it is therefore best to give every network address on the SunScreen box its own physical NIC, since the NIC object tracks one adapter's address rather than every address configured on it.


Address GROUPS

One of the advantages of SunScreen over ipfilter is that you can define an address group and then write rules against the group, instead of repeating the same rule for every host.
Practical example:

edit> add address "web1" 10.1.1.5
edit> add address "web2" 10.1.1.10
edit> add address "web3" 10.1.1.25
edit> add address "webservers" { web1 web2 web3 }
edit> list address webservers
"webservers" GROUP { "web1" "web2" "web3" } { }

The first pair of braces is the group's include list; the second, empty here, is its exclude list.

edit> add rule "www" "*" "webservers" ALLOW COMMENT "our webservers"
edit> list rules
1 "common" "localhost" "*" ALLOW
2 "ssh" "iprb0.net" "mybox_iprb0" ALLOW
3 "www" "*" "webservers" ALLOW COMMENT "our webservers"
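The group example above is the kind of thing you end up repeating for every server farm, so here is an added example (my script, not part of the original page or of SunScreen) that generates the editor commands for one address object per host, the group, and the www rule, then feeds them to ssadm. It assumes that "ssadm edit" accepts its editor commands on standard input, as its line-oriented prompt suggests; if your version does not, paste the generated lines at the edit> prompt instead. The host list, the policy name "Initial" and the "save"/"quit" editor commands are assumptions for the example; the final "ssadm activate" is what makes a saved policy change take effect.

```shell
#!/bin/sh
# Added example, not from the original page: generate and apply the
# "add address"/"add rule" commands for a group of web servers.
# ASSUMPTIONS: ssadm edit reads editor commands from stdin; the policy is
# called "Initial" (override with POLICY=...); host names/addresses are made up.

POLICY="${POLICY:-Initial}"
SSADM=/opt/SUNWicg/SunScreen/bin/ssadm

# gen_webserver_cmds GROUPNAME name:addr [name:addr ...]
# Prints the edit> commands: one address object per host, the group, the
# www ALLOW rule, then save and quit.
gen_webserver_cmds() {
    group="$1"; shift
    members=""
    for pair in "$@"; do
        name="${pair%%:*}"          # part before the colon: object name
        addr="${pair#*:}"           # part after the colon: IP address
        printf 'add address "%s" %s\n' "$name" "$addr"
        members="$members $name"
    done
    # Same shape as the page's example: { include list } { exclude list }
    printf 'add address "%s" {%s } { }\n' "$group" "$members"
    printf 'add rule "www" "*" "%s" ALLOW COMMENT "%s, generated"\n' "$group" "$group"
    printf 'save\nquit\n'
}

# Build the command batch, then either send it to ssadm (and activate the
# policy so the new rule is actually loaded) or, when ssadm is not installed
# or DRYRUN=1 is set, just print it for review.
cmds="$(gen_webserver_cmds webservers web1:10.1.1.5 web2:10.1.1.10 web3:10.1.1.25)"
if [ -x "$SSADM" ] && [ "${DRYRUN:-0}" != 1 ]; then
    printf '%s\n' "$cmds" | "$SSADM" edit "$POLICY" && "$SSADM" activate "$POLICY"
else
    printf '%s\n' "$cmds"
fi
```

Run it with DRYRUN=1 first and read the batch: every line it prints is exactly what you would otherwise type at the edit> prompt, so a mistake in the host list is caught before the policy is touched.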


More fun with rules

There are, of course, many more things you can do in a rule than just 'ALLOW'. You can also 'DENY'.

Additionally, whether you choose to ALLOW or DENY a packet, you can log the fact that it arrived at your firewall. Packets that match no rule at all are simply dropped, so an explicit DENY rule with LOG is how you get a record of attempts you would otherwise never see.


edit> add rule telnet "*" "*" DENY LOG SUMMARY COMMENT "simple log check"
edit> add rule rlogin "*" "*" DENY LOG DETAIL COMMENT "log rlogin in detail"
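Once a policy has more than a handful of rules it is worth checking the "list rules" table for the mistakes the DENY/LOG discussion implies: ALLOW rules open from "*" to "*", ALLOW rules that expose the screen itself to anywhere, and DENY rules without LOG that drop traffic silently. The following is an added example (my awk-in-sh audit, not part of the original page or of SunScreen). The sample rule table is constructed: rules 1 to 3 are the page's own, 4 to 7 were made up to trigger findings. The names of the screen's own address objects are an assumption; set SCREEN_OBJS to your NIC object names.

```shell
#!/bin/sh
# Added example, not from the original page: audit the output of
# "edit> list rules" for wide-open ALLOWs, ALLOWs to the screen itself
# from anywhere, and DENYs that do not log.
# ASSUMPTION: the screen's own objects are "localhost" and "mybox_iprb0".

SCREEN_OBJS="${SCREEN_OBJS:-localhost mybox_iprb0}"

# audit_rules: reads rule-table lines on stdin, prints one finding per line.
# Fields are split on blanks, so object names containing spaces are not
# handled; lines that do not start with a rule number (prompts, blanks) are skipped.
audit_rules() {
    awk -v screen="$SCREEN_OBJS" '
    function dequote(x) { gsub(/"/, "", x); return x }
    BEGIN { n = split(screen, s, " "); for (i = 1; i <= n; i++) isscreen[s[i]] = 1 }
    NF < 5 || $1 !~ /^[0-9]+$/ { next }
    {
        num = $1; svc = $2; src = $3; dst = $4; act = $5
        # Modifiers sit between the action and COMMENT; LOG is the one we care about.
        logged = 0
        for (i = 6; i <= NF && $i != "COMMENT"; i++) if ($i == "LOG") logged = 1
        if (act == "ALLOW" && src == "\"*\"" && dst == "\"*\"")
            printf "WIDE-OPEN  rule %s: %s allowed from anywhere to anywhere\n", num, svc
        if (act == "ALLOW" && src == "\"*\"" && isscreen[dequote(dst)])
            printf "EXPOSED    rule %s: %s to the screen itself (%s) from anywhere\n", num, svc, dst
        if (act == "DENY" && !logged)
            printf "SILENT     rule %s: %s denied without LOG, attempts will not be recorded\n", num, svc
    }
    '
}

# Constructed sample of "list rules" output (not captured from a real screen).
sample_rules() {
    cat <<'EOF'
edit> list rules
1 "common" "localhost" "*" ALLOW COMMENT firewall access out
2 "ssh" "iprb0.net" "mybox_iprb0" ALLOW
3 "www" "*" "webservers" ALLOW COMMENT "our webservers"
4 "telnet" "*" "*" DENY LOG SUMMARY COMMENT "simple log check"
5 "rlogin" "*" "*" DENY COMMENT "dropped silently"
6 "common" "*" "*" ALLOW COMMENT "far too broad"
7 "ssh" "*" "mybox_iprb0" ALLOW COMMENT "ssh to the screen from anywhere"
EOF
}

# Expected: rule 5 SILENT, rule 6 WIDE-OPEN, rule 7 EXPOSED; rule 4 is fine.
sample_rules | audit_rules
```

To run it against a live policy, save the "list rules" output to a file (or, if your ssadm edit reads commands from stdin, pipe "echo 'list rules' | ssadm edit Initial" into audit_rules) and treat every WIDE-OPEN or EXPOSED line as something to justify or delete.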


Cleaning up your server

Once you are confident with the command line, you can kill the memory-hogging Java server-side configuration daemon, which also removes a listening service from the firewall host. One way of doing this is to edit /etc/init.d/sunscreen and make the following changes:
  1. Comment out the efshttpd line, since you won't need it any more.
  2. Add $SS_LIBDIR/ssadmserver stop as the last thing in the 'start' section.
For Solaris 9 you will instead have to edit /usr/lib/sunscreen/lib/ss_boot so it does not start that stuff: comment out the run_httpd and ssadmserver lines there.

I personally am more comfortable with editing init.d startup scripts, while leaving core package files untouched, which is why I recommend the first approach for Solaris 8.

Alternatively, copy ss_boot to a new file, like ss_slimboot, edit the copy, and adjust /etc/init.d/sunscreen to call the alternative script.

Final notes

Sun has a "Blueprint" doc on how to set up SunScreen. It covers everything from setup to administration of the box from the command line, in more detail. It is 24 pages, PDF format.


Author: Philip Brown Site: http://www.bolthole.com/solaris/