Using Sunscreen as a host firewall

These are some notes on installing SunScreen Lite for Solaris 8. For Solaris 9, here are instructions for installing and configuration SunScreen on Solaris 9. For Solaris 9, you may still want to look at the configuration examples near the end of this page, but otherwise you probably won't find this page useful. Solaris 10 has its own firewall software, which generally is easier to use than Sunscreen. See Solaris 10 at Rutgers for an introduction to the Solaris 10 firewall software.

I assume you want to use it as a host-based firewall. That is, I assume your goal is just to protect the machine it's install on. It's pretty easy to set up for that. It can do a lot more. For information on that, you'll need to read the manuals yourself. A copy for download, and documentation, is available on http://www.sun.com/software/security.

Note that this only works for Solaris 8 (and presumably later versions). These notes apply to Solaris 8, with differences for Solaris 9 noted. They haven't been checked for Solaris 10.

You'll need to look at the installation manual fairly carefully. In the administration manual, you'll need the sections on changing your password and working with the configuration editor. As far as configuration, you'll probably just need the section on creating objects and creating/editing rules.

• There are instructions in the manual on how to install using both a GUI and command line. The command line instructions mostly work, except that the list of package numbers used is slightly wrong. It ends in 21, whereas there are only 20 packages. Use 20 instead of 21. While you can install just fine using the command line, I wouldn't want to try to administer it without the GUI.

• I had to remove the Sun web server that came with Sol 8. It was version 1. Sunscreen wanted to install version 2, but couldn't upgrade. It placed an error message in the log file telling me what packages to remove.

• Some files couldn't be accessed because I used Gnu tar to untar the .tar.gz distribution file. This produced error messages in the detailed log file, but the GUI installer claimed the install had succeeded, even though in fact it had not. If I hadn't looked at the detailed logs, I wouldn't have known what was going on until the thing failed mysteriously.

  gunzip <file | /usr/bin/tar xf -

  or some similar command. To verify that you have untar'ed the distribution properly, look at the directory. It should look like this:

  3.1_install_lite.pdf	TS/	sparc/
  Copyright	installer*
  README	javaplugins/

  If it has a bunch of .class and .html files in it, your installation WILL fail. Try again with /usr/bin/tar.

• If something goes wrong and you need to reinstall, you must remove all 3 Sunscreen packages at least (SUNWicgSA, SUNWicgSM, SUNWicgSS), as pkgadd won't reinstall these if there are existing copies. Once having removed them, you must rm -rf /etc/opt/SUNWicg. This is where the config files are. Uninstall doesn't get rid of it, and if the configurations weren't properly initialized, reinstalling won't help, because the setup process will see that old config files exist and use them, even though they are wrong.

• You'll need to reboot after the software is installed.

• Once the thing is up, point your browser to http://localhost:3852. You'll need a browser with the version of Java that they supply. The installation instructures tell you how to set that up.

• The GUI is sensitive to your window manager. Under twm the box used to create new rules isn't big enough, and there's no way to get out of it. CDE's window manager works fine.

• Make sure you change the administrative password. The instructions are in the manual. It's far from obvious how to do it. As far as I know, it can only be done using the GUI.

• The manuals give you instructions for all sorts of odd configurations. It's not obvious at first glance that by default it sets itself up as a host-based firewall. So basically you just do a default install and you've got what you need. All you should need to do is (1) change the admin password, and (2) create whatever rules you are going to need.

  Creating rules is fairly straightforward. However they don't give any useful examples, so it can take a while to get the hang of it. In the policies section, here's how my rules look:

  rule	screen	service	source	destination
  1	*	common	localhost	*	ALLOW
  2	*	common	special	localhost	ALLOW
  3	*	incoming OK	*	localhost	ALLOW
  4	*	*	*	*	REJECT

  Rules are interpreted in order. So this says

  allow anything outgoing
  allow anything incoming from my special host(s)
  allow a controlled list of services from anywhere
  reject everything else
  

  "localhost" means the local host, not just 127.0.0.1, but also its local IP addresses. "Common" is more or less "everything reasonable", but see below.

  Rules can only refer to "objects". There are predefined objects for common protocols and groups of protocols, and for the local host and subnet. If you need to mention anything else you have to create an object for it. These rules use two objects I created:

  special:	This is a host that I want to be able to have access to everything on my machine. I created it as a single address, but you might use a range of addresses or a group.
  incoming OK:	This is a group of services (i.e. protocols) that I want to allow from everywhere. In my case telnet, ftp and www.

  Note that a protocol is more than just a port number. It's a state machine that handles the protocol properly. So the FTP service includes the machinery needed to allow the incoming data channels. They have defined services for just about anything you would want, including many of the RPC-based services. I strongly recommend using their definition if there is one. Also, to allow anything I'd use "common". This is their catch-all group. You can also use something like "any TCP." However if you do that, you lose the special handling for protocols like FTP.

• When editing the configuration, you'll be asked to choose which configuration to edit. Unless you've done something, there will be two: "currently active", and "Initial". You want to edit Initial. On the page where you make changes, once you have things the way you like them, do "save changes". That will bring up a box asking whether you want to install the changes. Presumably you do. It will do some validity checking, and then install the changes. At that point they take effect. There's another button that just does the validity checks ("verify policy"). It brings up the same box asking whether you want to install the changes. However I've found that the changes don't always take effect when done from the verify command. You want to use the save command to make them take effect.

• Make sure you know how to save your configuration, in case you mess up. The GUI is supposed to let you create a backup file, but I couldn't make it work. I used the command line

  /opt/SUNWicg/SunScreen/bin/ssadm backup >FILENAME