SUMMARY: SunScreen 3.1 Lite interfaces

From: Peter Ondruska <>
Date: Fri Nov 23 2001 - 05:50:07 EST

Sorry for the very long delay, but I was trying to test this myself before 
posting the summary. Due to lack of time I gave up (maybe later).

Original question was:

SunScreen 3.1 Lite documentation mentions differences between the "full" and 
"Lite" versions. Among others, the Lite version works only with 2 interfaces. 
Does it mean:
a. iprb0 and iprb1 are the interfaces? (so I can use iprb0:0 and iprb0:1 for 
internal addresses and iprb1 for external) or:
b. iprb0:0 and iprb1:0 are the interfaces?
Which one, (a.) or (b.), is true?

And the answers from you fellows did not shed more light on this. Therefore 
I decided I had to test this myself.

Ismaeel Abdur-Rasheed:
In answer to your specific question, 'interface' is defined as an IP address 
(as firewall rules are IP based), and overloading IP addresses on a single 
NIC would constitute additional 'interfaces'.

Aaron Kramer:
SunScreen doesn't have any understanding of virtual interfaces, so the 
SunScreen Lite limitation is on 2 physical interfaces. You can have as many 
virtual interfaces on those 2 physical interfaces as you want, so (a.).
Also, the Lite version only allows you to have 2 interfaces enabled *in the 
SunScreen configuration*. Since virtual interfaces are not enabled in the 
SunScreen config, you could protect both physical interfaces in this 
example. All rules applied to a physical interface are also applied to the 
virtual one, so define your rules and "valid addresses" for each interface.

SunScreen does understand virtual interfaces (and will also use the IP 
addresses associated with virtual interfaces when calculating the value of 
"localhost"); it's just that you do not need to plumb SunScreen onto the virtual 
interfaces. Only the physical interface needs to have SunScreen configured 
on it, then the associated virtual interfaces will additionally be 

Thanks to those who responded.
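As an added check, not part of the original thread or of SunScreen itself, the script below groups Solaris logical interfaces (iprb0:1, iprb0:2) under their physical NIC and counts only the physical NICs against the two-interface limit the responses describe. The `ifconfig -a` sample is constructed, and the function and constant names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample of Solaris `ifconfig -a` output: two physical NICs
# (iprb0, iprb1) with two extra logical interfaces plumbed on iprb0.
SAMPLE_IFCONFIG = """\
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
iprb0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
iprb0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.2.1 netmask ffffff00 broadcast 192.168.2.255
iprb0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.3.1 netmask ffffff00 broadcast 192.168.3.255
iprb1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 203.0.113.10 netmask ffffff00 broadcast 203.0.113.255
"""

# "iprb0:" is the physical NIC, "iprb0:1:" is a logical unit on it.
HEADER_RE = re.compile(r"^(?P<name>[a-z]+\d+)(?::(?P<unit>\d+))?: flags=")
INET_RE = re.compile(r"^\s+inet (?P<addr>\d+\.\d+\.\d+\.\d+) ")


def group_interfaces(text, skip_loopback=True):
    """Return {physical_nic: [(logical_name, ipv4), ...]} in ifconfig order."""
    nics = OrderedDict()
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            phys, unit = m.group("name"), m.group("unit")
            if skip_loopback and phys.startswith("lo"):
                current = None  # ignore lo0; it is not a firewall interface
                continue
            current = (phys, phys if unit is None else f"{phys}:{unit}")
            nics.setdefault(phys, [])
            continue
        m = INET_RE.match(line)
        if m and current:
            nics[current[0]].append((current[1], m.group("addr")))
    return nics


def check_lite_limit(text, limit=2):
    """Count physical NICs against the limit; logical units do not count."""
    nics = group_interfaces(text)
    return {"physical": list(nics), "within_limit": len(nics) <= limit,
            "addresses": {p: [a for _, a in v] for p, v in nics.items()}}
```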


Received on Fri Nov 23 04:52:18 2001