Using Sunscreen as a host firewall
These are some notes on installing SunScreen Lite for Solaris 8. For Solaris 9, here are instructions for installing and configuration SunScreen on Solaris 9. For Solaris 9, you may still want to look at the configuration examples near the end of this page, but otherwise you probably won't find this page useful. Solaris 10 has its own firewall software, which generally is easier to use than Sunscreen. See Solaris 10 at Rutgers for an introduction to the Solaris 10 firewall software.
I assume you want to use it as a host-based firewall. That is, I assume your goal is just to protect the machine it's install on. It's pretty easy to set up for that. It can do a lot more. For information on that, you'll need to read the manuals yourself. A copy for download, and documentation, is available on http://www.sun.com/software/security.
Note that this only works for Solaris 8 (and presumably later versions). These notes apply to Solaris 8, with differences for Solaris 9 noted. They haven't been checked for Solaris 10.
You'll need to look at the installation manual fairly carefully. In the administration manual, you'll need the sections on changing your password and working with the configuration editor. As far as configuration, you'll probably just need the section on creating objects and creating/editing rules.
- There are instructions in the manual on how to install using both a
GUI and command line. The command line instructions mostly work,
except that the list of package numbers used is slightly wrong. It
ends in 21, whereas there are only 20 packages. Use 20 instead of 21.
While you can install just fine using the command line, I wouldn't
want to try to administer it without the GUI.
- I had to remove the Sun web server that came with Sol 8. It was
version 1. Sunscreen wanted to install version 2, but couldn't
upgrade. It placed an error message in the log file telling me what
packages to remove.
- Some files couldn't be accessed because I used Gnu tar to untar the
.tar.gz distribution file. This produced error messages in the
detailed log file, but the GUI installer claimed the install had
succeeded, even though in fact it had not. If I hadn't looked at
the detailed logs, I wouldn't have known what was going on until
the thing failed mysteriously.
gunzip <file | /usr/bin/tar xf -or some similar command. To verify that you have untar'ed the distribution properly, look at the directory. It should look like this:
3.1_install_lite.pdf TS/ sparc/ Copyright installer* README javaplugins/
If it has a bunch of .class and .html files in it, your installation WILL fail. Try again with /usr/bin/tar.
- If something goes wrong and you need to reinstall, you must remove
all 3 Sunscreen packages at least (SUNWicgSA, SUNWicgSM, SUNWicgSS),
as pkgadd won't reinstall these if there are existing copies. Once
having removed them, you must rm -rf /etc/opt/SUNWicg. This is where
the config files are. Uninstall doesn't get rid of it, and if the
configurations weren't properly initialized, reinstalling won't help,
because the setup process will see that old config files exist and
use them, even though they are wrong.
- You'll need to reboot after the software is installed.
- Once the thing is up, point your browser to http://localhost:3852.
You'll need a browser with the version of Java that they supply.
The installation instructures tell you how to set that up.
- The GUI is sensitive to your window manager. Under twm the box
used to create new rules isn't big enough, and there's no way to get
out of it. CDE's window manager works fine.
- Make sure you change the administrative password. The instructions
are in the manual. It's far from obvious how to do it. As far as I
know, it can only be done using the GUI.
- The manuals give you instructions for all sorts of odd
configurations. It's not obvious at first glance that by default it
sets itself up as a host-based firewall. So basically you just do a
default install and you've got what you need. All you should need to
do is (1) change the admin password, and (2) create whatever rules you
are going to need.
Creating rules is fairly straightforward. However they don't give any useful examples, so it can take a while to get the hang of it. In the policies section, here's how my rules look:
rule screen service source destination 1 * common localhost * ALLOW 2 * common special localhost ALLOW 3 * incoming OK * localhost ALLOW 4 * * * * REJECT
Rules are interpreted in order. So this says
allow anything outgoing"localhost" means the local host, not just 127.0.0.1, but also its local IP addresses. "Common" is more or less "everything reasonable", but see below.
allow anything incoming from my special host(s)
allow a controlled list of services from anywhere
reject everything else
Rules can only refer to "objects". There are predefined objects for common protocols and groups of protocols, and for the local host and subnet. If you need to mention anything else you have to create an object for it. These rules use two objects I created:
special: This is a host that I want to be able to have access to everything on my machine. I created it as a single address, but you might use a range of addresses or a group. incoming OK: This is a group of services (i.e. protocols) that I want to allow from everywhere. In my case telnet, ftp and www.
Note that a protocol is more than just a port number. It's a state machine that handles the protocol properly. So the FTP service includes the machinery needed to allow the incoming data channels. They have defined services for just about anything you would want, including many of the RPC-based services. I strongly recommend using their definition if there is one. Also, to allow anything I'd use "common". This is their catch-all group. You can also use something like "any TCP." However if you do that, you lose the special handling for protocols like FTP.
When editing the configuration, you'll be asked to choose which
configuration to edit. Unless you've done something, there will be
two: "currently active", and "Initial". You want to edit Initial.
On the page where you make changes, once you have things the way you
like them, do "save changes". That will bring up a box asking whether
you want to install the changes. Presumably you do. It will do some
validity checking, and then install the changes. At that point they
take effect. There's another button that just does the validity
checks ("verify policy"). It brings up the same box asking whether
you want to install the changes. However I've found that the changes
don't always take effect when done from the verify command.
You want to use the save command to make them take effect.
- Make sure you know how to save your configuration, in case you
mess up. The GUI is supposed to let you create a backup file, but
I couldn't make it work. I used the command line
/opt/SUNWicg/SunScreen/bin/ssadm backup >FILENAME
For more information, contact
Last updated: Tuesday, 13-Jun-2006 11:27:53 EDT
© 2006 Rutgers, The State University of New Jersey. All rights reserved.