Sunscreen 3.2 / Stateful UDP


I'm running Sunscreen 3.2 (routing mode) on Solaris 9 with only one
public IP address (using hme0). I've got a local network
192.168.1.0/27 (using znb0). I also have one DMZ,
192.168.1.224/27 (using znb1). Since Sunscreen doesn't support
port forwarding, I've statically NAT'd the external IP to the DMZ host
and have two packet filter rules that allow SMTP in/out for that
host. Currently the internal net is being NAT'd using Dynamic mode on the
Screen. This works fine and all TCP traffic is tracked via the state table.
But UDP is not. For example, I have a Cisco VPN client machine on the
internal net, and when using UDP for encapsulation of ESP packets none
of the returning UDP packets are passed back to the Cisco VPN host (using
a hub and sniffer in front of the Screen's hme0 interface). Although both
'ssadm lib/statetables' and 'ssadm lib/nattables' have the communication
properly listed, nothing is even logged as being passed or dropped on the hme0
interface. Detailed logging is enabled for everything except broadcast and
NetBIOS-type traffic. If I switch the Cisco VPN client to use TCP for ESP
encapsulation, everything works. I tried other UDP communications like
NTP, but no luck. The only UDP that works is DNS. Anyone have similar
experiences with Sunscreen? Maybe know the cause here and/or even a
solution?

Thanks in advance.

Techniq, 10/11/2003 9:02:34 PM
comp.sys.sun.admin
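To make the stateful-UDP behaviour in the question concrete, here is an added example (not SunScreen's own code) that models a dynamic-NAT screen keeping a UDP state table and replays the VPN client's outbound packet against three possible replies: a matching one, one from a different server port, and one arriving after the idle timeout. The addresses, the 40000+ public port range, the 60 s timeout and port 4500 for ESP-in-UDP are assumptions, not values from the post.

```python
"""Model of a dynamic-NAT screen that tracks UDP in a state table (added
example, not SunScreen code). Constructed values: 203.0.113.10 stands in for
hme0's public IP, 192.168.1.5 is a client on 192.168.1.0/27, 198.51.100.20
is the VPN server, and port 4500 is assumed for ESP-in-UDP."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # placeholder for the screen's hme0 address

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class DynamicNat:
    idle_timeout: float = 60.0  # UDP has no FIN, so state can only age out
    next_port: int = 40000      # next public source port to hand out
    nat: dict = field(default_factory=dict)    # (src,sport,dst,dport) -> pub port
    state: dict = field(default_factory=dict)  # (peer,pport,pubport) -> (src,sport,last)

    def outbound(self, p: Pkt, now: float) -> Pkt:
        # Internal -> hme0: allocate (or reuse) a mapping and record UDP state.
        key = (p.src, p.sport, p.dst, p.dport)
        pub = self.nat.get(key)
        if pub is None:
            pub, self.next_port = self.next_port, self.next_port + 1
            self.nat[key] = pub
        self.state[(p.dst, p.dport, pub)] = (p.src, p.sport, now)
        return Pkt(PUBLIC_IP, pub, p.dst, p.dport)

    def inbound(self, p: Pkt, now: float):
        # hme0 -> internal: pass only if a live state entry matches the reply.
        key = (p.src, p.sport, p.dport)
        ent = self.state.get(key)
        if ent is None:
            return None  # no pseudo-connection for this peer/port: dropped
        src, sport, last = ent
        if now - last > self.idle_timeout:
            del self.state[key]  # idle entry aged out: dropped
            return None
        self.state[key] = (src, sport, now)
        return Pkt(p.src, p.sport, src, sport)

def vpn_reply_verdicts() -> list:
    """Replay the post's scenario: client sends ESP-in-UDP, server answers."""
    screen, client, server = DynamicNat(), "192.168.1.5", "198.51.100.20"
    out = screen.outbound(Pkt(client, 4500, server, 4500), now=0.0)
    good = screen.inbound(Pkt(server, 4500, PUBLIC_IP, out.sport), now=1.0)
    wrong_port = screen.inbound(Pkt(server, 10000, PUBLIC_IP, out.sport), now=2.0)
    late = screen.inbound(Pkt(server, 4500, PUBLIC_IP, out.sport), now=200.0)
    return [good, wrong_port, late]
```

Only the first reply is translated back to 192.168.1.5:4500; the other two are dropped with no state match, which is the kind of silent drop the sniffer in front of hme0 would show.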
