SunScreen Logs and Not Blocking Broadcasts

From: Crist Clark (crist.clark@globalstar.com)
Date: Tue Mar 01 2005 - 19:05:56 EST


I've got SunScreen 3.2 installed on a Solaris 9 system and configured
(the SUMMARY for that is pending while I see if this actually works).
But it doesn't seem to be working. The logs are not helping me.

Here's a peek at my very simple ruleset,

   edit> list rule
   1 "*" "harbor-internal" "*" ALLOW LOG SUMMARY COMMENT "open internal interface out"
   2 "*" "*" "harbor-internal" ALLOW LOG SUMMARY COMMENT "open internal interface in"
   3 "backup-out" "harbor-backup" "backup-net" ALLOW LOG SUMMARY COMMENT "out to backup clients"
   4 "netbackup-in" "backup-net" "harbor-backup" ALLOW LOG SUMMARY COMMENT "in from backup clients"
   5 "*" "*" "*" DENY LOG SUMMARY COMMENT "log drops"
   edit> list address
   "backup-net" RANGE 10.16.18.0/24 COMMENT "backup network"
   "harbor-backup" HOST 10.16.18.1 COMMENT "harbor backup-net interface"
   "harbor-internal" HOST 10.16.17.141 COMMENT "harbor GOCC interface"
   "harbor_hme0" GROUP { } { }
   "hme0.net" RANGE 10.16.17.128 - 10.16.17.191
   edit>

This should allow everything in and out of the "internal" interface,
hme0, that is sent to or from the internal IP address. However, this
does not seem to work.

Here's a glance at the logs,

   4 hme0 (pass) 26.93106 10.16.17.46 -> 10.16.17.191 UDP D=9002 S=9002 LEN=287
   5 hme0 (pass) 26.94462 10.16.17.46 -> 10.16.17.191 UDP D=9002 S=9002 LEN=342
   6 hme0 (pass) 27.34981 10.16.17.46 -> 10.16.17.191 UDP D=9002 S=9002 LEN=32
   7 hme0 (pass) 27.48981 10.16.17.46 -> 10.16.17.191 UDP D=9002 S=9002 LEN=287
   8 hme0 (pass) 27.90958 10.16.17.46 -> 10.16.17.191 UDP D=9002 S=9002 LEN=32
   9 hme0 (pass) 27.93024 10.16.17.46 -> 10.16.17.191 UDP D=9002 S=9002 LEN=287
  10 hme0 (pass) 27.94366 10.16.17.46 -> 10.16.17.191 UDP D=9002 S=9002 LEN=342
  11 hme0 (pass) 27.95025 10.16.17.46 -> 10.16.17.191 UDP D=9002 S=9002 LEN=341

Why are these being passed? They do not match any pass rule. Is there
really no way to figure out which rule triggered a log entry? The rule
number does not appear in the verbose output either. It would be helpful
in figuring out what is going on if I knew which rule the system thought
those matched.

-- 
Crist J. Clark                               crist.clark@globalstar.com
Globalstar Communications                                (408) 933-4387
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
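One way to check a ruleset against log output like the above is to replay the logged packets through the rule list and compare the replayed verdict with the logged one. The script below is an added example, not part of the original post and not SunScreen code. It transcribes the post's "list rule" and "list address" output; the service definitions for "backup-out" and "netbackup-in" are not shown in the post, so they are placeholders that match nothing, and the script assumes ordered first-match evaluation. It also flags whether a destination is the broadcast address of the "hme0.net" range (10.16.17.128 - 10.16.17.191), since 10.16.17.191 is exactly that address.

```python
"""Replay a SunScreen-style ruleset over its log lines and flag mismatches.

Added example (not SunScreen code). Rules and addresses are transcribed from
the post; everything marked ASSUMPTION or PLACEHOLDER is not from the post.
"""
import ipaddress
import re

# Address book transcribed from "list address". "harbor_hme0" is an empty
# GROUP in the post and therefore matches nothing.
ADDRESSES = {
    "backup-net": [ipaddress.ip_network("10.16.18.0/24")],
    "harbor-backup": [ipaddress.ip_network("10.16.18.1/32")],
    "harbor-internal": [ipaddress.ip_network("10.16.17.141/32")],
    "harbor_hme0": [],
    "hme0.net": list(ipaddress.summarize_address_range(
        ipaddress.ip_address("10.16.17.128"),
        ipaddress.ip_address("10.16.17.191"))),   # collapses to 10.16.17.128/26
}

# Service table. None means wildcard. The two named services are not defined
# in the post, so they are PLACEHOLDERS here and match no (proto, port).
SERVICES = {
    "*": None,
    "backup-out": set(),      # PLACEHOLDER: definition not in the post
    "netbackup-in": set(),    # PLACEHOLDER: definition not in the post
}

# Rules transcribed from "list rule": (service, source, destination, action).
RULES = [
    ("*", "harbor-internal", "*", "ALLOW"),
    ("*", "*", "harbor-internal", "ALLOW"),
    ("backup-out", "harbor-backup", "backup-net", "ALLOW"),
    ("netbackup-in", "backup-net", "harbor-backup", "ALLOW"),
    ("*", "*", "*", "DENY"),
]

# Matches the log format shown in the post (UDP lines with D=, S=, LEN=).
LOG_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<iface>\S+)\s+\((?P<verdict>\w+)\)\s+(?P<ts>[\d.]+)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s+LEN=(?P<length>\d+)"
)


def parse_log_line(line):
    """Parse one log line into a dict; raise on lines this regex does not cover."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    pkt = m.groupdict()
    for key in ("seq", "dport", "sport", "length"):
        pkt[key] = int(pkt[key])
    pkt["ts"] = float(pkt["ts"])
    return pkt


def addr_matches(name, ip):
    """True if ip falls in the named address object ('*' matches anything)."""
    if name == "*":
        return True
    return any(ipaddress.ip_address(ip) in net for net in ADDRESSES[name])


def service_matches(name, proto, dport):
    ports = SERVICES[name]
    return ports is None or (proto, dport) in ports


def first_match(pkt):
    """Return (rule_number, action) for the first matching rule, 1-based as in
    'list rule'. ASSUMPTION: ordered first-match evaluation."""
    for n, (svc, src, dst, action) in enumerate(RULES, start=1):
        if (service_matches(svc, pkt["proto"], pkt["dport"])
                and addr_matches(src, pkt["src"])
                and addr_matches(dst, pkt["dst"])):
            return n, action
    return None, None


def is_subnet_broadcast(ip, name="hme0.net"):
    """True if ip is the broadcast address of the named range."""
    addr = ipaddress.ip_address(ip)
    return any(addr == net.broadcast_address for net in ADDRESSES[name])


def audit(lines):
    """For each log line, compare the logged verdict with the replayed one."""
    results = []
    for line in lines:
        pkt = parse_log_line(line)
        n, action = first_match(pkt)
        results.append({
            "seq": pkt["seq"],
            "logged": pkt["verdict"],
            "replayed_rule": n,
            "replayed_action": action,
            "mismatch": (pkt["verdict"] == "pass") != (action == "ALLOW"),
            "dst_is_broadcast": is_subnet_broadcast(pkt["dst"]),
        })
    return results


# Two lines copied from the post's log excerpt.
SAMPLE_LOG = [
    "   4 hme0 (pass) 26.93106 10.16.17.46 -> 10.16.17.191 UDP D=9002 S=9002 LEN=287",
    "   5 hme0 (pass) 26.94462 10.16.17.46 -> 10.16.17.191 UDP D=9002 S=9002 LEN=342",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

Run against the post's two sample lines, the replay lands every packet on rule 5 (DENY) while the log says "pass", so each row is reported as a mismatch, and the destination is flagged as the broadcast address of "hme0.net". That narrows the question to how the firewall treats traffic to the interface's broadcast address rather than to an error in the address objects.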


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:30:14 EDT