[Summary]: sunscreen command line syntax

From: Chris Hoogendyk <hoogendyk_at_bio.umass.edu>
Date: Thu May 12 2005 - 12:15:58 EDT
# ssadm edit Initial
edit> add address "name" GROUP {"add1"} {"add2"}

The first set of braces is addresses to be included.

The second set of braces is addresses to be excluded.

Armed with that information, I searched the online documentation for 
exclude and found an explanation in the section on certificates in which 
it said, "this is just like for addresses". However, where it talked 
about addresses, it said nothing. I had skipped over the section on 
certificates, because I'm not doing remote admin or anything else that 
requires connections to be encrypted by the firewall.

On the second question, sunscreen should recognize an IP change if I do 
a "ssadm activate". If I explicitly defined the address, then I will 
first need to change that and then do the activate.

Thanks to the 2 who replied:
   Sir Clark Frazier Hale I <xlark@sdf.lonestar.org>
   Roy Culley <rgc@admin.swisscom-mobile.ch>

My original and their replies follow.



---------------

Chris Hoogendyk

-
    O__  ---- Systems Administrator
   c/ /'_ --- Biology Department
  (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst

<hoogendyk@bio.umass.edu>

---------------




---------------- My Original Message ----------------

Subject: sunscreen command line syntax
Date: Wed, 11 May 2005 17:11:50 -0400
From: Chris Hoogendyk <hoogendyk@bio.umass.edu>
To: Sun Managers List <sunmanagers@sunmanagers.org>

I've spent a couple of days reading through sunscreen documentation
online, playing with "ssadm edit ...", skimming through various
people's tutorials and guides, ...

I can't help thinking that the documentation never got user tested by
someone who didn't already know it. So, although this sounds elementary,
I just haven't been able to find an explanation of the two sets of curly
braces in the following:


# ssadm edit Initial
edit> add address "name" GROUP { } { }

   or

edit> list addresses
"eri0.net" RANGE 192.168.54.0 - 192.168.55.255
"server7_eri0" GROUP { } { }


with the GROUP form of address there always seems to be two sets of
braces at the end. Sometimes there are values in the left one, sometimes
in the right one, sometimes both, sometimes neither.

neither the man pages (e.g. "man ssadm-edit") nor the online
documentation (even appendix b of the admin overview that addresses the
command line interface) explain what the significance of these are,
whether there is a difference between the first and second, or why I
would need an empty set. It leaves me feeling edgy about jumping in and
activating a firewall on an active server, even though I feel I
understand most of it and am otherwise comfortable with the command line
interface.


---------------


Also, I have a server that I had sunscreen running on, then I changed
the server's name and ip address and put it into production. I had to
turn sunscreen off, because it broke my ssh connections after the
identity change and I couldn't find where to change the identity within
sunscreen -- or is the name irrelevant, and all I need to do is change
the address? I just did a "/etc/init.d/sunscreen stop". Next reboot,
I'll have to do it again if I haven't fixed it.




---------------

Chris Hoogendyk

-
    O__  ---- Systems Administrator
   c/ /'_ --- Biology Department
  (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst

<hoogendyk@bio.umass.edu>

---------------
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers






---------------- First Reply to My Message ----------------

Subject: Re: sunscreen command line syntax
Date: Wed, 11 May 2005 22:12:53 -0400
From: Sir Clark Frazier Hale I <xlark@sdf.lonestar.org>
Organization: Clayton SuperComputing Centre
To: Chris Hoogendyk <hoogendyk@bio.umass.edu>
References: <42827516.4050109@bio.umass.edu>

Hello,

I'm doing this off the top of my head, so you'll have to double verify.

 > edit> list addresses
 > "eri0.net" RANGE 192.168.54.0 - 192.168.55.255
 > "server7_eri0" GROUP { } { }
 >
 >
 > with the GROUP form of address there always seems to be two sets
 > of braces at the end. Sometimes there are values in the left one,
 > sometimes in the right one, sometimes both, sometimes neither.

I think the first bracket is hosts included and the second bracket is
hosts denied.

Take this for example,

add address theInternet { * } { myNetwork }

This defines the object theInternet as everything except what is
contained in myNetwork.

This statement is incredibly useful in the case where one has a dynamic
IP address.

add address self Host 10.0.0.1
add address selfPublic group { "localhost" } { self }

Given that I only have two IP addresses on this box, this assigns to
selfPublic my dynamically acquired address (localhost is a special
object, not 127.0.0.1).

 > also, I have a server that I had sunscreen running on, then I
 > changed the server's name and ip address and put it into production.
 > I had to turn sunscreen off, because it broke my ssh connections
 > after the identity change and I couldn't find where to change the
 > identity within sunscreen -- or is the name irrelevant, and all I
 > need to do is change the address? I just did a
 > "/etc/init.d/sunscreen stop". Next reboot, I'll have to do it again
 > if I haven't fixed it.

IP Address and hostname shouldn't matter unless you have rules that
specifically reference the IP address.  In other words, if you created
an address object which is the host's old IP address, it needs to be
changed to its new one.

If that's all sorted, then what _should_ work is running "ssadm activate
Initial" replacing Initial with whatever your policy name is.

I've found that if I don't run ssadm activate... after an IP address
change then SunScreen won't recognize the change and fail.

HTH,

Clark

-- 
Sir Clark Frazier Hale I
xlark@sdf.lonestar.org
For the Snark WAS a bojum, you see.
SDF Public Access UNIX System - http://sdf.lonestar.org
Clayton SuperComputing Centre - http://cscc.homeunix.net






---------------- Second Reply to My Message ----------------

Subject: Re: sunscreen command line syntax
Date: Thu, 12 May 2005 09:31:18 +0200
From: Roy Culley <rgc@admin.swisscom-mobile.ch>
To: Chris Hoogendyk <hoogendyk@bio.umass.edu>

Hi Chris,

 > So, although this sounds elementary,  I just haven't been able to
 > find an explanation of the two sets of curly  braces in the
 > following:
 >
 > # ssadm edit Initial
 > edit> add address "name" GROUP { } { }

The first set of curly braces are for addresses you want in the group
and the second are for those you want excluded. Say you have a subnet
defined as a RANGE address and want to have a group comprised of
that subnet but excluding a host within that subnet:

     add address grp_name GROUP { subnet_range } { exclude_this_host }

You can have multiple entries within each pair of braces:

     add address grp_name GROUP { addr1 addr2 } { addr3 addr4 addr5 }

I only use the CLI when administering Sunscreens as the GUI is just
slow and IMHO horrible.

Regards,
Roy
Received on Thu May 12 12:22:37 2005
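As an added example (not from this thread or from SunScreen itself) covering the GROUP semantics Clark and Roy describe above: a small Python resolver that parses the "list addresses" line format shown in the thread and expands a GROUP to the addresses it actually matches (first braces included, second braces excluded, nested groups allowed), so the effect of an exclude can be checked before "ssadm activate". The listing, names and addresses below are constructed for the example; Clark's "{ * }" include-everything wildcard is not handled.

```python
import ipaddress
import re

# Constructed sample in the "list addresses" format seen in the thread (made-up names/IPs).
SAMPLE_LISTING = '''
"eri0.net" RANGE 192.168.54.0 - 192.168.55.255
"server7_eri0" HOST 192.168.54.7
"backup" HOST 192.168.55.250
"lan_no_backup" GROUP { "eri0.net" } { "backup" }
"lan_clients" GROUP { "lan_no_backup" } { "server7_eri0" }
'''

LINE_RE = re.compile(r'^"(?P<name>[^"]+)"\s+(?P<kind>\w+)\s+(?P<rest>.*)$')
BRACES_RE = re.compile(r'\{([^}]*)\}')

def parse_listing(text):
    """Return {name: (kind, payload)} for the HOST, RANGE and GROUP lines."""
    objects = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised address line: {line!r}")
        name, kind, rest = m["name"], m["kind"].upper(), m["rest"]
        if kind == "HOST":
            objects[name] = (kind, ipaddress.IPv4Address(rest.strip()))
        elif kind == "RANGE":
            objects[name] = (kind, tuple(ipaddress.IPv4Address(p.strip()) for p in rest.split("-")))
        elif kind == "GROUP":
            sets = BRACES_RE.findall(rest)
            if len(sets) != 2:
                raise ValueError(f"GROUP needs an include and an exclude set: {line!r}")
            # first braces = included members, second braces = excluded members
            objects[name] = (kind, tuple(s.replace('"', '').split() for s in sets))
        else:
            raise ValueError(f"unsupported address kind: {kind}")
    return objects

def resolve(name, objects, _stack=()):
    """Expand an address object to the set of IPv4Address values it matches."""
    if name in _stack:  # a GROUP that (indirectly) lists itself would never terminate
        raise ValueError("cycle in GROUP definitions: " + " -> ".join(_stack + (name,)))
    kind, payload = objects[name]
    if kind == "HOST":
        return {payload}
    if kind == "RANGE":
        return {ipaddress.IPv4Address(i) for i in range(int(payload[0]), int(payload[1]) + 1)}
    include, exclude = payload  # GROUP: union of the first set minus union of the second
    stack = _stack + (name,)
    members = set().union(*(resolve(m, objects, stack) for m in include))
    return members - set().union(*(resolve(m, objects, stack) for m in exclude))
```

Feed it the saved output of "list addresses" and compare the expanded sets before and after an edit to see exactly which hosts an exclude removes.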

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:46 EST