Greetings list members,
I am reasonably new to SunScreen, however I am highly experienced in
a number of other commercial firewall products.
I have come to both like and hate SunScreen, and would like some input as to
how to deal with the points I don't like.
There are two things that I dislike about the product, and several things
that I really appreciate.
1) Does anyone know of a GUI other than the Java thing?
[While this GUI is fully functional, it is really pretty limited when
dealing with large or complex rulesets. The columns are not resizable, nor
are the rules searchable. I am often finding that I have to fight the GUI
into doing something approximately like what I wanted it to....]
(That said, I do appreciate how difficult it can be to write a GUI, and I
think it has succeeded 90-95% of the way.)
2) Is there a way of viewing the logs in real-time (not a 5 second refresh,
but the logdump preferably)?
[Having provided technical support for firewall solutions across the length
and breadth of Australia for the last 6 years, I have come to really
appreciate the power of real-time logging in the fault resolution cycle. (As
things stand with SunScreen, I would rather (and do) snoop the interfaces
than try and get "ssadm log get | ssadm logdump -i -" to give me output in
any reasonable timeframe.)]
I regularly sit in front of firewalls with 2 snoop sessions (to see the
interfaces), a tty logviewer (to see the firewall processes), and a tail -f
or two of /var/log/... so that I can tell the client that the problem is
"Not the firewall, your router is pooched, sir."
I have been unable to find a way of viewing the logs in real-time, and this
is starting to annoy me :-(
On the good side, I have found sunscreen to be (arguably) the strongest
firewall product I have yet dealt with. To all of my tests so far, it has
done exactly what the ruleset said it would, and there was not a bunch of
easily recognisable services open regardless of what I said I wanted :-)
The logging and packet response options also far outweigh that available
from the two market leaders.
For these two reasons, I am very impressed; however, "I want a new GUI
please". I have resorted to munging the CLI (as you can see in the code
below) in order to do relatively simple, but recursive, tasks.
Regards,
Crispin Harris
Senior Security Consultant, Sydney
========
Well,
having finally decided that I was fed-up with the Java interface to
sunscreen, I decided I had better spend a bit of time with the CLI.
Unfortunately, the CLI is almost as annoying as the GUI. Fortunately, it
_IS_POSSIBLE_ to script some things.
My primary task:
rename the system from "firewallss" to "penfold".
This means:
1) Changing the name in /etc/hostname.hme0
2) Changing the name in /etc/opt/SUNWicg/SunScreen/name
3) Changing the name as reported by "uname -n"
4) Changing all references to "firewallss" in all objects of type: 'rule',
'address', 'interface', 'service', 'time', 'authuser', 'nat', 'accesslocal',
'accessremote'.
There does not appear to be an easy way of performing this change. What I
finally managed to do was:
(PART 1, creating new identical objects)
List all objects of the required type
ssadm edit <ACTIVE> -c "list <TYPE>"
search for lines needing changing
grep <search>
parse to replace the difficult references (so we can create new, identical,
objects)
(Group these two commands or otherwise, all is in vain, because ssadm will
exit without saving!!!!)
(sed -e 's/SCREEN "<search>/add <TYPE> SCREEN "<new_value>/' ;
echo save )
pass back into ssadm
ssadm edit <ACTIVE>
(PART 2, deleting the now unnecessary objects)
List all objects of the required type
ssadm edit <ACTIVE> -c "list <TYPE>"
search for lines needing changing
grep <search>
parse to replace the difficult references (so we can create new, identical,
objects)
(the "\^M" allows you to avoid the "(sed ...; echo)" shown above).
awk '{print "del address", $1, $2, $3}\
END {print "save"}'
Finally we need to pass this back into ssadm again:
ssadm edit <ACTIVE>
What I actually ended up with was:
( for I in address service
  do
    # create an identical object on the new screen; double quotes so $I expands
    ssadm edit Active -c "list $I" | grep "firewallss" | ( sed -e "s/SCREEN \"firewallss/add $I SCREEN \"penfold/" ; echo save ) | ssadm edit Active
    # emit the matching del commands; they are collected and saved once, below
    ssadm edit Active -c "list $I" | grep "firewallss" | awk -v T="$I" '{print "del", T, $1, $2, $3}'
  done
  echo save ) | ssadm edit Active
(I then later improved it to:
for I in address service
do
  # -v passes the object type into nawk; "nawk T=$I '...'" would treat T=$I as the program
  ssadm edit Active -c "list $I" | grep firewallss | nawk -v T="$I" '{print "del",
  T, $1, $2, $3; $2="\"penfold\""; print "add", T, $0}; END {print "save"}' |
  ssadm edit Active
done
Regards,
Crispin Harris
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
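An added example, not code from Crispin's post: the same list-filter-rewrite-save pipeline, but as a shell function that takes the object type and the old and new screen names as parameters, matches the screen field exactly instead of grepping for a substring, and can be dry-run on sample output before anything is piped back into "ssadm edit Active". It assumes, as the posted nawk one-liner does, that "list TYPE" prints one object per line with the quoted object name in field 1 and the quoted screen name in field 2; that layout and the sample objects below are constructed for the example and are not confirmed by the post.

```shell
#!/bin/sh
# Added example, not code from the original post. It generates the
# "del"/"add"/"save" lines that the poster's nawk one-liner builds, but as a
# reusable function that can be checked on sample input before anything is
# fed back into "ssadm edit Active".
#
# Assumption (not confirmed by the post): "ssadm edit Active -c 'list TYPE'"
# prints one object per line with the quoted object name in field 1 and the
# quoted screen name in field 2, which is how the poster's nawk treats $1/$2.

# rename_cmds TYPE OLD NEW  < list-output
# For every object whose screen field is exactly "OLD", emit a del for the
# old object and an add for an identical object on screen "NEW"; finish with
# one "save". Emits nothing when no object matched, so an empty run does not
# push a pointless "save" into ssadm.
rename_cmds() {
    awk -v T="$1" -v OLD="\"$2\"" -v NEW="\"$3\"" '
        # exact match on the screen field only: a plain grep for the old
        # name would also hit objects merely named like it, e.g.
        # "firewallss-dmz", and would rewrite or delete those too
        $2 == OLD {
            print "del", T, $1, $2, $3
            $2 = NEW
            print "add", T, $0
            n++
        }
        END { if (n) print "save" }'
}

# Constructed sample "list address" output for a dry run (hypothetical
# objects and addresses; one is deliberately named after the old screen).
SAMPLE_LIST='"dmz-host" "firewallss" HOST 192.0.2.10
"web-srv" "firewallss" HOST 192.0.2.20
"firewallss-dmz" "other" HOST 198.51.100.5'

# Dry run: show what would be sent to ssadm for the address type.
demo() {
    printf '%s\n' "$SAMPLE_LIST" | rename_cmds address firewallss penfold
}

demo

# Live use on the screen (commented out: ssadm only exists on the firewall).
# Review the dry-run output first; the del lines are irreversible once saved.
# for I in address service
# do
#     ssadm edit Active -c "list $I" | rename_cmds "$I" firewallss penfold | ssadm edit Active
# done
```

The dry run prints five lines for the sample: a del and an add for each of the two objects on "firewallss", then a single "save"; the object merely named "firewallss-dmz" is left alone, which a bare "grep firewallss" would not have done.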