Some notes on Solaris 9's Sunscreen IP filtering package

I spent today reading up on Sunscreen, the Solaris 9 bundled IP filtering system. It's been interesting, partly because Sunscreen's built around a different packet matching model than I'm used to, and uses a great deal of different terminology (for example, what I think of as 'transparent bridging' is called 'stealth mode').

Sunscreen doesn't actually match packets as such. Instead you define 'services', for which you specify some combination of destination and/or source ports (called 'forward' and 'reverse' ports in Sunscreen terminology), and a 'state engine' that knows enough about that service's protocol. State engines range from things like ip and tcp up through nfsro (read only NFS traffic, which actively filters out NFS write actions).

This is a significantly different way of thinking about all of this for me, and Sun's documentation doesn't do a good job of explaining the actual guts of the model. In general I'm not happy with the documentation; too much of it is pictures of dialogs, the pieces are confusingly named (eg, the Administrator's Overview book in official Sun documentation is the core technical documentation), and typos in documentation that is at least four years old do not thrill me. (This is petty, but quality does matter because it creates confidence that your documentation is actually accurate.)

Helpful decoding tips that I have gathered so far:

• a great deal of configuration information is found in /etc/sunscreen/.active, especially in the Configuration file. You aren't supposed to edit it by hand, but you can at least look at it. Apparently renaming this directory to something else and rebooting will totally turn off Sunscreen.
• 'ifconfig hme0 modlist' will include efs if Sunscreen is installed. (Or substitute an appropriate physical interface.)
• contrary to what some documentation still says, you don't need a custom $MANPATH or $PATH in Solaris 9; all of the manpages and programs are in standard places now.
• many state engines take 'parameters' that influence their behavior above and beyond just matching packets. This is only really covered in Appendix C of the Administrator's Overview, which also has the only really good detailed discussion of state engines themselves.

• it's depressing how slowly the Java GUI interface runs in Netscape 4 on an Ultra 10. (It wasn't even displaying locally; I had it forwarded over ssh to my workstation.)

• the documentation talks about a harden_os script that you can run. This actually works from /usr/lib/sunscreen/admin/jass; the Finish subdirectory has the scripts that do things, and the Driver subdirectory has the frameworks that determine which scripts get run.

I'm not sure I'd trust harden_os, but certainly the scripts can be mined for ideas of prudent things to do (or what it takes to activate various features).

The alternative to Suncreen is Darren Reed's IPfilter (the FAQ site has pointers to prebuilt Solaris 9 packages), which Sun themselves liked enough to adopt wholesale in Solaris 10. The prepackaged versions are only for IPfilter 3.x instead of the current 4.x series (and building my own will be a moderate pain), but I have to say it's tempting.

(I usually like to use the vendor's supplied packages. Usually.)