Some notes on Solaris 9's Sunscreen IP filtering package
I spent today reading up on Sunscreen, the Solaris 9 bundled IP filtering system. It's been interesting, partly because Sunscreen's built around a different packet matching model than I'm used to, and uses a great deal of different terminology (for example, what I think of as 'transparent bridging' is called 'stealth mode').
Sunscreen doesn't actually match packets as such. Instead you define 'services', for which you specify some combination of destination and/or source ports (called 'forward' and 'reverse' ports in Sunscreen terminology), and a 'state engine' that knows enough about that service's protocol. State engines range from things like 'tcp' up through 'nfsro' (read-only NFS traffic, which actively filters out NFS write actions).
This is a significantly different way of thinking about all of this for me, and Sun's documentation doesn't do a good job of explaining the actual guts of the model. In general I'm not happy with the documentation; too much of it is pictures of dialogs, the pieces are confusingly named (e.g., the Administrator's Overview book in the official Sun documentation is the core technical documentation), and typos in documentation that is at least four years old do not thrill me. (This is petty, but quality does matter because it creates confidence that your documentation is actually accurate.)
Helpful decoding tips that I have gathered so far:
- a great deal of configuration information is found in /etc/sunscreen/.active, especially in the Configuration file. You aren't supposed to edit it by hand, but you can at least look at it. Apparently renaming this directory to something else and rebooting will totally turn off Sunscreen.
- 'ifconfig hme0 modlist' will include efs if Sunscreen is installed. (Or substitute an appropriate physical interface.)
- contrary to what some documentation still says, you don't need to adjust your $PATH in Solaris 9; all of the manpages and programs are in standard places now.
- many state engines take 'parameters' that influence their behavior
above and beyond just matching packets. This is only really covered
in Appendix C of the Administrator's Overview, which also has the
only really good detailed discussion of state engines themselves.
- it's depressing how slowly the Java GUI interface runs in Netscape 4
on an Ultra 10. (It wasn't even displaying locally; I had it
forwarded over ssh to my workstation.)
- the documentation talks about a harden_os script that you can run. This actually works from
Finish subdirectory has the scripts that do things, and the Driver subdirectory has the frameworks that determine which scripts get run. I'm not sure I'd trust harden_os, but certainly the scripts can be mined for ideas of prudent things to do (or what it takes to activate
The alternative to Sunscreen is Darren Reed's IPfilter (the FAQ site has pointers to prebuilt Solaris 9 packages), which Sun themselves liked enough to adopt wholesale in Solaris 10. The prepackaged versions are only for IPfilter 3.x instead of the current 4.x series (and building my own will be a moderate pain), but I have to say it's tempting.
(I usually like to use the vendor's supplied packages. Usually.)