SunScreen 2.0 problems

From: Daniel Baldoni (dbaldoni@iinet.net.au)
Date: Tue Apr 02 2002 - 22:53:59 EST


G'day folks,

I have a client who has the misfortune of running SunScreen 2.0 (under
Solaris 2.6) - a configuration I've not seen in over 3 years. Until now, the
setup has basically worked for them but now they require some changes. Their
network setup is (as you might expect):

                    +-----+           +-----+
       LAN <--->hme0| SUN |hme1 <---->|Cisco| a.b.c.f <---> ISP
  (192.168.1.0)     +-----+           +-----+

The hme0 interface on the SUN is 192.168.1.1, the hme1 is a.b.c.246, the
router is a.b.c.245.

Until now, the client has never had any "through" services working (i.e. no
pings, telnets, anything) from LAN workstations (which is what they wanted).
Now, however, they have a piece of custom software which needs to talk to a
remote service on a tcp high port (6080). Here are the steps I went through
to try and get it working:

        1. Defined the service as:
                ss_service default add <svc> SINGLE { { tcp { { 6080 } } } }
        2. Defined the remote address:
                ss_address default add <addr> HOST w.x.y.z "<comment>"
        3. Added a rule:
                ss_rule default <config> add <svc> <add1> <addr> ALLOW \(
                        LOG_SUMMARY SNMP_NONE \)
            <add1> was already defined as their local LAN network (i.e.
            192.168.1.0)
        4. Compiled and activated the new policy:
                ss_compile_and_activate default <config>

The result was a series of "Denied or no pass rule" entries in the log
whenever we tried to establish a connection. A rule allowing the same service
from the firewall to the remote server works flawlessly.

I believe my first mistake was in not adding NAT to the equation. As
the connection is "direct" between the workstations and the big bad Internet,
RFC1918 addresses are a no-no. So, I tried adding a NAT rule dynamically
allocating a.b.c.244 to the internal LAN with appropriate changes to the
<add1> value in the rule at step 2 above. The result of this was "Logged
passed packet" entries in the log, but apparently broadcast packets coming
back from the remote server being blocked (they used the appropriate source
and destination ports but with a destination address of 255.255.255.255).

For the life of me, I can't see what's wrong with the current setup. Has
anybody out there got any serious experience with SunScreen 2.0? If so, can
you please shed some light on what I may have missed and/or misconfigured?

Any help would be much appreciated - thanks for your time. Ciao.

-- 
-------------------------------------------------------+---------------------
Daniel Baldoni BAppSc, PGradDipCompSci                 |  Technical Director
require 'std/disclaimer.pl'                            |  LcdS Pty. Ltd.
-------------------------------------------------------+  856B Canning Hwy
Phone/FAX:  +61-8-9364-8171                            |  Applecross
Mobile:     041-888-9794                               |  WA 6153
URL:        http://www.lcds.com.au/                    |  Australia
-------------------------------------------------------+---------------------
"Any time there's something so ridiculous that no rational systems programmer
 would even consider trying it, they send for me."; paraphrased from "King Of
 The Murgos" by David Eddings.  (I'm not good, just crazy)
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
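The NAT and state lookup the post describes, as an added illustration (not SunScreen code and not from the original message): a toy stateful filter with the single ALLOW rule (LAN -> remote host, tcp 6080) and dynamic NAT to a.b.c.244, showing that a reply addressed to 255.255.255.255 matches no state entry and is dropped, while a reply to the NAT address is passed and translated back to the LAN workstation. The addresses w.x.y.z and a.b.c.244 are the post's own placeholders; the LAN host and source port are constructed.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")  # <add1> in the post
REMOTE = "w.x.y.z"                             # <addr>, placeholder from the post
NAT_ADDR = "a.b.c.244"                         # dynamic NAT address from the post
SVC_PORT = 6080                                # <svc>: tcp high port 6080

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    """Toy stateful filter: one ALLOW rule LAN -> REMOTE:6080 plus dynamic NAT."""

    def __init__(self):
        # (nat_src, sport, dst, dport) -> original LAN source address
        self.state = {}

    def outbound(self, pkt):
        # Rule check: source in the LAN network, destination the defined service.
        try:
            in_lan = ipaddress.ip_address(pkt.src) in LAN
        except ValueError:
            in_lan = False
        if not in_lan or pkt.dst != REMOTE or pkt.dport != SVC_PORT:
            return ("DENIED", pkt)  # "Denied or no pass rule"
        # Dynamic NAT: rewrite the RFC1918 source and remember the mapping.
        self.state[(NAT_ADDR, pkt.sport, pkt.dst, pkt.dport)] = pkt.src
        return ("PASSED", Packet(NAT_ADDR, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        # A reply is only accepted if it lands on the NAT address recorded in state.
        orig = self.state.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return ("DENIED", pkt)  # no state: e.g. dst 255.255.255.255
        return ("PASSED", Packet(pkt.src, pkt.sport, orig, pkt.dport))

def run_scenario():
    """Constructed workstation 192.168.1.10, source port 40000."""
    fw = Firewall()
    out = fw.outbound(Packet("192.168.1.10", 40000, REMOTE, SVC_PORT))
    good = fw.inbound(Packet(REMOTE, SVC_PORT, NAT_ADDR, 40000))
    bcast = fw.inbound(Packet(REMOTE, SVC_PORT, "255.255.255.255", 40000))
    return {"outbound": out[0], "reply_to_nat": good[0], "reply_to_bcast": bcast[0]}

if __name__ == "__main__":
    print(run_scenario())
```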


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:24:10 EDT