I have come up with a workaround that I thought I would share.

The following ifconfig options will configure an interface on the global
zone without allowing traffic to the global zone, and allow ipfilter to
work on the local zones. This is the best option I could come up with.

Bring up the interface with the nolocal and noxmit options on the global
zone:

ifconfig ce1 plumb
ifconfig ce1 -local -xmit up

This produces the following:

ce1: flags=201030843<UP,BROADCAST,RUNNING,MULTICAST,NOXMIT,NOLOCAL,IPv4,CoS> mtu 1500 index 3
        inet subnet 0.0.0.0/8 netmask ff000000

Yet the interface for the local zone is configured correctly.

Now ipfilter will work on this interface.

My hope is that this will help someone else before a true fix is found.

Thanks
<mike>

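As an added example (not part of the original post), the procedure above as a shell script, plus a check that the interface really ended up in the state the post shows: UP with NOXMIT and NOLOCAL set, and no IPv4 address other than 0.0.0.0 in the global zone. The interface name ce1 is the poster's; the sample ifconfig output is constructed from the post rather than captured from a live system, and the plumb function assumes Solaris 10 ifconfig(1M).

```shell
#!/bin/sh
# Added example; not code from the original thread.

# Parse one ifconfig(1M) status block (passed as a string) and return 0 only
# if the interface is UP with NOXMIT and NOLOCAL set and carries no real
# IPv4 address. Anything else is a misconfiguration for this workaround.
check_noxmit_nolocal() {
    out=$1
    # Pull the comma-separated flag names out of "flags=NNN<A,B,C>".
    flags=$(printf '%s\n' "$out" | sed -n 's/.*flags=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' | head -n 1)
    [ -n "$flags" ] || return 1
    for want in UP NOXMIT NOLOCAL; do
        case ",$flags," in
            *,"$want",*) ;;
            *) return 1 ;;
        esac
    done
    # Any inet address other than 0.0.0.0 means the global zone got a local
    # address after all, which is exactly what the workaround avoids.
    addr=$(printf '%s\n' "$out" | sed -n 's/.*inet \(subnet \)*\([0-9][0-9.]*\).*/\2/p' | head -n 1)
    case "$addr" in
        ""|0.0.0.0) return 0 ;;
        *) return 1 ;;
    esac
}

# Bring up interface $1 in the global zone the way the post describes, then
# verify the result. Requires Solaris ifconfig(1M); hypothetical helper name.
plumb_filter_only_iface() {
    ifconfig "$1" plumb && ifconfig "$1" -local -xmit up \
        && check_noxmit_nolocal "$(ifconfig "$1")"
}

# Constructed sample output, modelled on the post (not captured live).
GOOD_SAMPLE='ce1: flags=201030843<UP,BROADCAST,RUNNING,MULTICAST,NOXMIT,NOLOCAL,IPv4,CoS> mtu 1500 index 3
        inet subnet 0.0.0.0/8 netmask ff000000'

# Constructed: the same interface after someone assigned it an address in the
# global zone and cleared the flags, i.e. the state the workaround must catch.
BAD_SAMPLE='ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.5 netmask ffffff00 broadcast 192.168.1.255'

if check_noxmit_nolocal "$GOOD_SAMPLE"; then echo "ce1: filter-only state OK"; fi
if ! check_noxmit_nolocal "$BAD_SAMPLE"; then echo "ce1: has a global-zone address, not filter-only"; fi
```

The check only reads ifconfig output, so it can be run after boot (for example from the script that loads the ipf rules) to refuse to continue if the global-zone interface has quietly picked up an address.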

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Demarco
Sent: Monday, July 25, 2005 7:43 AM
To: Chris Ross; Darren Reed
Cc: [EMAIL PROTECTED]; [email protected]
Subject: RE: Solaris 10 and ipfilter

Yes Chris, exactly. The interface that is plumbed but not assigned an
address on the global zone will not give an error from IPfilter but will
not filter the traffic for the zones that have addresses configured on
them.

        I am not looking to filter traffic between zones, just to use the
global zone configuration of IPfilter to filter traffic on the local
zones.



-----Original Message-----
From: Chris Ross [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 22, 2005 5:50 PM
To: Darren Reed
Cc: Mike Demarco; [EMAIL PROTECTED];
[email protected]
Subject: Re: Solaris 10 and ipfilter

Darren Reed wrote:
> See:
>
> http://blogs.sun.com/roller/page/avalon?entry=using_ipfilter_between_zones_for

   I think you're looking at a different aspect of the problem than Mike
was, Darren.

   Correct me if I'm wrong, Mike, but I think he just wants the ability
to protect the zones (via their wholly owned interfaces, that are
configured at the zone level, not globally) from the outside world.
I don't think he was trying to protect them from each other.

   I read his message to mean that because ipf was coming up in the
global zone, it wasn't able to understand/filter properly on the
interfaces that were assigned no address in the global zone, but
assigned an address in the "local" zones...

                         - Chris

