
Use of Zones for routing

  • Laurent Blume
    Message 1 of 7, Mar 1, 2004
      Hi guys,

      As I'm almost finished rebuilding my home firewall that crashed last week, I've
      begun wondering about what I'll be able to do when I live upgrade to Solaris
      Express.

      Since this machine is not only a fw/router, but also a small file server (samba
      and NFS), DNS server, proxy, and some other things, my question is:

      is it possible to create a zone that would do the firewalling/routing?

      That would allow having a minimal amount of daemons in the "exposed" zone (i.e.,
      no Samba, no NFS there, though of course they are already only available on the
      inside interface).

      Another zone would only have the local network interface up, and the needed
      services running.

      Does that sound like a good idea? Is it possible at all?

      Laurent
      --
      A hundred thousand lemmings can't be wrong!
    • palowoda
      Message 2 of 7, Mar 1, 2004
        --- In solarisx86@yahoogroups.com, Laurent Blume <laurent@e...> wrote:
        > Hi guys,
        >
        > As I'm almost finished rebuilding my home firewall that crashed last
        > week, I've begun wondering about what I'll be able to do when I live
        > upgrade to Solaris Express.
        >
        > Since this machine is not only a fw/router, but also a small file
        > server (samba and NFS), DNS server, proxy, and some other things, my
        > question is:
        >
        > is it possible to create a zone that would do the firewalling/routing?
        >
        > That would allow having a minimal amount of daemons in the "exposed"
        > zone (i.e., no Samba, no NFS there, though of course they are already
        > only available on the inside interface).
        >
        > Another zone would only have the local network interface up, and the
        > needed services running.
        >
        > Does that sound like a good idea? Is it possible at all?
        >

        Heck, a live upgrade to Solaris Express might mean a complete
        replacement. If you're going to do Solaris Express I would
        suggest an 'initial install' at this point.

        As for firewall/routing in a zone, some internal discussions
        have taken place about using IPfilter within a zone but
        nothing conclusive at this point. It's rather an interesting
        topic if the root zone has control over routing and what levels
        of ipqos. You do have multiple machines to experiment with
        Solaris Express releases and the normal Solaris 9 releases, right?

        ---Bob
      • John Weekley
        Message 3 of 7, Mar 1, 2004
          palowoda wrote:
          > --- In solarisx86@yahoogroups.com, Laurent Blume <laurent@e...> wrote:
          >> Hi guys,
          >>
          >> As I'm almost finished rebuilding my home firewall that crashed last
          >> week, I've begun wondering about what I'll be able to do when I live
          >> upgrade to Solaris Express.
          >>
          >> Since this machine is not only a fw/router, but also a small file
          >> server (samba and NFS), DNS server, proxy, and some other things, my
          >> question is:
          >>
          >> is it possible to create a zone that would do the firewalling/routing?
          >>
          >> That would allow having a minimal amount of daemons in the "exposed"
          >> zone (i.e., no Samba, no NFS there, though of course they are already
          >> only available on the inside interface).
          >>
          >> Another zone would only have the local network interface up, and the
          >> needed services running.
          >>
          >> Does that sound like a good idea? Is it possible at all?
          >
          > Heck, a live upgrade to Solaris Express might mean a complete
          > replacement. If you're going to do Solaris Express I would
          > suggest an 'initial install' at this point.
          >
          > As for firewall/routing in a zone, some internal discussions
          > have taken place about using IPfilter within a zone but
          > nothing conclusive at this point. It's rather an interesting
          > topic if the root zone has control over routing and what levels
          > of ipqos. You do have multiple machines to experiment with
          > Solaris Express releases and the normal Solaris 9 releases, right?
          >
          > ---Bob

          As far as I remember, IPFilter doesn't support virtual network
          interfaces, which is what zones appear to use. This may have changed
          with the 4.x versions of IPFilter that Sexpress use.


          John Weekley
        • Alan DuBoff
          Message 4 of 7, Mar 1, 2004
            On Monday 01 March 2004 05:03, Laurent Blume wrote:
            > is it possible to create a zone that would do the firewalling/routing?

            Laurent,

            I forwarded your message to the Zones team, and they should provide you with
            some type of response shortly.

            --

            Alan DuBoff
            Software Orchestration, Inc.
            GPG: 1024D/B7A9EBEE 5E00 57CD 5336 5E0B 288B 4126 0D49 0D99 B7A9 EBEE
          • Alan DuBoff
            Message 5 of 7, Mar 1, 2004
              On Monday 01 March 2004 05:03, Laurent Blume wrote:
              > is it possible to create a zone that would do the firewalling/routing?

              Here's the response I got back:

              --

              Alan DuBoff
              Software Orchestration, Inc.
              GPG: 1024D/B7A9EBEE 5E00 57CD 5336 5E0B 288B 4126 0D49 0D99 B7A9 EBEE

              ---------- Forwarded Message ----------

              Subject: Re: Fwd: [solarisx86] Use of Zones for routing
              Date: Monday 01 March 2004 10:03 am
              From: James Carlson
              To: Alan DuBoff

              Alan DuBoff writes:
              > is it possible to create a zone that would do the firewalling/routing?

              Only if that zone happens to be the global zone.

              Firewalling and routing are things that are handled in the global zone
              alone. In particular, there's no way for any non-global zone to
              "route" anything.

              --
              James Carlson, IP Systems Group
              Sun Microsystems / 1 Network Drive 71.234W Vox +1 781 442 2084
              MS UBUR02-212 / Burlington MA 01803-2757 42.497N Fax +1 781 442 1677

              -------------------------------------------------------
            • Laurent Blume
              Message 6 of 7, Mar 1, 2004
                Alan DuBoff wrote:
                > Here's the response I got back:

                Thanks for the information, Alan.

                Maybe in Solaris 11?
                :-)

                Anyway, I'm sure I'll find some way to play with Zones.

                Laurent
                --
                A hundred thousand lemmings can't be wrong!
              • David.Comay@Eng.Sun.COM
                Message 7 of 7, Mar 1, 2004
                  > As far as I remember, IPFilter doesn't support virtual network
                  > interfaces, which is what zones appear to use. This may have changed
                  > with the 4.x versions of IPFilter that Sexpress use.

                  Does IP Filter support the ability to firewall based on IP address? If
                  that's the case, then you should be able to configure IP Filter from
                  *within* the global zone for a particular zone(s).

                  What IP Filter definitely won't allow at the moment is filtering the
                  traffic that takes place on the loopback "device" which is what's used
                  for inter-zone communication. That means that you cannot set up a
                  firewall between zones on the same system but you should be able to set
                  up firewalls between the outside world and a particular zone by setting
                  it up from within the global zone.

                  dsc
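A ruleset of the kind David Comay's reply describes, added here as an illustration and not taken from the thread: IP Filter rules kept in the global zone that admit only the intended services to a shared-IP zone's address on the inside interface and make it unreachable from the outside. The interface names, addresses, ports and the config path are assumptions; the final commented rule marks the loopback case the reply says IP Filter cannot cover.

```conf
# Constructed example, not from the thread: IP Filter rules loaded in the
# global zone to protect one shared-IP non-global zone, as David Comay's
# reply describes. Assumed: outside interface hme0, inside interface hme1,
# the "services" zone (samba, NFS, DNS) at 192.168.1.20 on the inside LAN
# 192.168.1.0/24. NAT for the outside interface (ipnat.conf) is not shown.
# Load (path assumed):  ipf -Fa -f /etc/ipf/ipf.conf    Verify:  ipfstat -io

# Outside interface: the zone is never reachable from there. First-match
# ("quick") order puts this drop ahead of anything more permissive.
block in log quick on hme0 from any to 192.168.1.20/32

# Inside interface: only the services the zone is meant to offer.
# DNS
pass in quick on hme1 proto udp from 192.168.1.0/24 to 192.168.1.20/32 port = 53 keep state
pass in quick on hme1 proto tcp from 192.168.1.0/24 to 192.168.1.20/32 port = 53 flags S keep state
# SMB: NetBIOS session service and direct-hosted SMB
pass in quick on hme1 proto tcp from 192.168.1.0/24 to 192.168.1.20/32 port = 139 flags S keep state
pass in quick on hme1 proto tcp from 192.168.1.0/24 to 192.168.1.20/32 port = 445 flags S keep state
# NFS: rpcbind and nfsd (lockd/statd omitted for brevity)
pass in quick on hme1 proto tcp/udp from 192.168.1.0/24 to 192.168.1.20/32 port = 111 keep state
pass in quick on hme1 proto tcp/udp from 192.168.1.0/24 to 192.168.1.20/32 port = 2049 keep state
# Anything else addressed to the zone, whether from the LAN or with a
# spoofed source, is dropped and logged.
block in log quick on hme1 from any to 192.168.1.20/32

# The zone may open outbound connections (DNS forwarding, package updates);
# the state entries admit the replies without a matching "pass in" rule.
pass out quick on hme1 from 192.168.1.20/32 to any keep state
pass out quick on hme0 from 192.168.1.20/32 to any keep state

# Not covered by any rule here: traffic between this zone and the global
# zone, or another zone on the same host, travels over the loopback, which
# the reply above says IP Filter does not filter. A rule like the following
# would therefore not isolate zones from each other:
# block in log quick on lo0 from 192.168.1.20/32 to any
```

Because the filtering is keyed on the zone's address rather than on the zone itself, the rules belong to the global zone's ruleset and a zone administrator cannot change them from inside the zone.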