
Sample SunScreen Software Configuration File

The following sample illustrates the SunScreen 3.1 software configuration we used to test the recommendations and processes covered in this article.

CODE EXAMPLE 1 Master SunScreen Software Configuration File

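# Master SunScreen configuration file (used on ssp_a only)
#
# Every address and service name referenced by a rule must be defined in
# this file or be a SunScreen built-in. "ssh", "syslog" and "ping" are not
# defined here and are presumably built-ins -- confirm against the
# installed service list before loading.
#
# SSP host network interface definitions (one address object per interface)
add address "ssp_a-hme0" HOST 192.168.151.113
add address "ssp_a-qfe0" HOST 192.168.152.113
add address "ssp_a-qfe1" HOST 192.168.153.113
add address "ssp_a-qfe2" HOST 192.168.154.113
add address "ssp_a-qfe3" HOST 192.168.96.121
add address "ssp_b-hme0" HOST 192.168.151.114
add address "ssp_b-qfe0" HOST 192.168.152.114
add address "ssp_b-qfe1" HOST 192.168.153.114
add address "ssp_b-qfe2" HOST 192.168.154.114
add address "ssp_b-qfe3" HOST 192.168.96.115
add address "cb0" HOST 192.168.151.123
add address "cb1" HOST 192.168.152.123
# UE10000 domain host definitions
add address "domain_a" HOST 192.168.153.115
add address "domain_b" HOST 192.168.154.115
# group definitions
add address "all-domains" GROUP { "domain_a" "domain_b" }
add address "all-cbs" GROUP { "cb0" "cb1" }
add address "all-ssp_a-cbs" GROUP { "ssp_a-hme0" "ssp_a-qfe0" }
add address "all-ssp_a-domains" GROUP { "ssp_a-qfe1" "ssp_a-qfe2" }
# Renamed from "all_ssp_b-cbs" so the name follows the same all-<host>-<net>
# pattern as the ssp_a groups; rules 3-4 below reference this name.
add address "all-ssp_b-cbs" GROUP { "ssp_b-hme0" "ssp_b-qfe0" }
# All interfaces of ssp_a, referenced by rules 10-11 (the rules previously
# named an address "ssp_a" that was never defined). Membership is built
# from the interface definitions above -- confirm this is the intended scope.
add address "ssp_a" GROUP { "ssp_a-hme0" "ssp_a-qfe0" "ssp_a-qfe1" "ssp_a-qfe2" "ssp_a-qfe3" }
# Service definitions. Each COMMENT string is kept on a single line; a line
# break inside a quoted string does not parse.
add service "cmd-term" GROUP "ssh" COMMENT "Command Terminal Services"
# NOTE: "cb-ssp" is not referenced by any rule below -- rules 1-2 use the
# broader "ip all". Either drop this definition or use it in rules 1-2 if
# TCP/UDP-only between SSP and CB is the intent.
add service "cb-ssp" GROUP "tcp all" "udp all" COMMENT "service for tcp/udp traffic between SSP and CB"
add service "netcon" SINGLE FORWARD "tcp" PORT 442 COMMENT "service for tcp port 442: cvc_hostd"
add service "rpc-ssp" GROUP "pmap tcp all" "pmap udp all" "rpc all" "rpc tcp all" COMMENT "RPC calls between SSP and domain for AP and DR"
#-- Rule 1-2 allows all traffic between ssp_a and the CBs
add rule "ip all" "all-ssp_a-cbs" "all-cbs" ALLOW
add rule "ip all" "all-cbs" "all-ssp_a-cbs" ALLOW
#-- Rule 3-4 allows all traffic between the two SSPs over both CB networks
#   (service name quoted as in rules 1-2; both address groups are defined above)
add rule "ip all" "all-ssp_a-cbs" "all-ssp_b-cbs" ALLOW
add rule "ip all" "all-ssp_b-cbs" "all-ssp_a-cbs" ALLOW
#-- Rule 5-6 allows rpc and portmapper traffic between the domains and ssp_a
add rule "rpc-ssp" "all-domains" "all-ssp_a-domains" ALLOW
add rule "rpc-ssp" "all-ssp_a-domains" "all-domains" ALLOW
#-- Rule 7 allows netcon (tcp port 442, cvc_hostd) from ssp_a to the domains
add rule "netcon" "all-ssp_a-domains" "all-domains" ALLOW
#-- Rule 8 allows syslog from the domains to ssp_a
add rule "syslog" "all-domains" "all-ssp_a-domains" ALLOW
#-- Rule 9 allows ssh to the ssp_a administrative interface from ANY source (*);
#   narrow the source to the administrative hosts or network where the
#   management topology permits
add rule "cmd-term" * "ssp_a-qfe3" ALLOW
#-- Rule 10-11 allows ssp_a to ping any system and the domains to ping ssp_a
add rule "ping" "ssp_a" * ALLOW
add rule "ping" "all-domains" "ssp_a" ALLOW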
