Darren Reed wrote:
FWIW, this version is zone-friendly for Solaris/OpenSolaris,
unlike 4.1.*.




I have several installations where I have done a two-level firewall arrangement using Ipfilter, where an external-facing host runs a web server/FTP/mail/NAT, etc., connected via crossover to another host running Ipfilter that functions as the internal mail/DNS/Web/NFS/CIFS server, etc. With the cost of computing power going down, and electricity going up, it would be nice to put these two layers of security onto one system. My original thought was to run the external host in an xVM environment. I would think this would provide the most separation possible on a single box. But I am also wondering if a zone would provide the same isolation? This would save the overhead of running xVM and maintaining two separate copies of an OS (which of course has advantages as well).

So, how do others feel about the isolation of zones in OpenSolaris? Are they strong enough? If I were to dedicate an interface to a zone to communicate with the big Internet, could I use Ipfilter to firewall that, then use Ipfilter again to isolate between a local and a global zone?

Is it possible to create a virtual network between a global and a local zone and firewall it?

Thanks for any comments...

