James,

Thanks for the reply.  More details below.

James Carlson wrote:
> Glenn Brunette writes:
>> Can someone please explain to me what I am doing wrong here?  If I
>> specify a specific host address (for e1000g0 or disable IP Filter) I
>> can SSH out of the global zone, but if I use the default host address
>> specification 0/32, I can't.
> 
> "0/32" means "all packets that have IP address exactly equal to zero."
> 
> That's not the same as "0/0", which means "any IP address", and which
> should be equivalent to the keyword "any" in ipf.conf.
> 
>      There is a special case for the hostname any, which is taken
>      to be 0.0.0.0/0 (mask syntax is discussed below) and matches
>      all IP addresses. Only the presence of any has an implied
>      mask. In all other situations, a hostname must be accompanied
>      by a mask. It is possible to give any a hostmask, but in the
>      context of this language, it would accomplish nothing.
> 
>> pass out log quick from 0.0.0.0/32 to any keep state keep frags
> 
> Not clear what you're trying to do here.  Except for a couple of
> initial DHCP messages, we don't send much that has the source address
> set exactly to 0.0.0.0.

First, I think I am confusing IPnat and IPF syntax which may be
part of my problem.  Changing my entry from 0.0.0.0/32 to any
certainly works.  Let me explain a bit more:

1. Global Zone

    - has two IP addresses:
         * public address obtained via DHCP (e1000g0)
         * private (crossbow) address (192.168.0.254)

2. Web Zone

    - has 1 private address 192.168.0.100

3. Memcached Zone

    - has 1 private address 192.168.0.101

4. DB (MySQL) Zone

    - has 1 private address 192.168.0.102

All of the private addresses are associated with a single etherstub.

Ultimately, this is what I would like:

1. Global zone is unrestricted in communicating with public network.
2. Public network can connect to the global zone (for SSH only).
3. Public network (via NAT) connects to the web zone for HTTP/S.
4. Memcached and DB zones can only communicate on the private net.

The configuration in my last message does this.  The only thing
that I had wanted to do was tighten the IPF rule associated with
#1 above (for the Global Zone).  Since this is a DHCP-issued
address, I would like a keyword to use that will be substituted
(like 0/32 is in ipnat.conf).

Any suggestions would be appreciated.  I just hate having "any"
entries if I can find a way of tightening things up such that
only those that have a need will be permitted.

g
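As an added illustration (not part of this message or any reply in the thread), here is one ipf.conf/ipnat.conf pair for the global zone that expresses the four goals above with the addresses given in the mail. It assumes the public NIC is e1000g0 and that the global zone's VNIC on the etherstub is named vnic0 (a placeholder; the mail does not name it); the outbound rule for goal 1 keeps "any" as its source because the DHCP address is not known in advance.

```conf
# /etc/ipf/ipf.conf (global zone). Default deny, then explicit "quick" passes.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

# Goal 1: global zone unrestricted outbound on the public network.
pass out quick on e1000g0 proto tcp from any to any flags S keep state keep frags
pass out quick on e1000g0 proto udp from any to any keep state keep frags
pass out quick on e1000g0 proto icmp from any to any keep state

# Goal 2: public network may reach the global zone on SSH only.
pass in quick on e1000g0 proto tcp from any to any port = 22 flags S keep state

# Goal 3: HTTP/S to the web zone. The rdr rules in ipnat.conf rewrite the
# destination before the packet is filtered, so match on 192.168.0.100 here.
pass in quick on e1000g0 proto tcp from any to 192.168.0.100 port = 80 flags S keep state
pass in quick on e1000g0 proto tcp from any to 192.168.0.100 port = 443 flags S keep state

# Goal 4: only the web zone may be routed out through the global zone.
# Memcached (.101) and DB (.102) may only talk to the global zone's private
# address; anything else arriving on vnic0 falls through to "block in log all".
# (vnic0 is an assumed name for the global zone's etherstub VNIC.)
pass in quick on vnic0 from 192.168.0.100 to any keep state
pass in quick on vnic0 from 192.168.0.0/24 to 192.168.0.254 keep state
pass out quick on vnic0 all

# /etc/ipf/ipnat.conf (global zone). Only the web zone is translated;
# "0/32" on the right-hand side means "the address currently on e1000g0".
map e1000g0 192.168.0.100/32 -> 0/32 portmap tcp/udp 10000:60000
map e1000g0 192.168.0.100/32 -> 0/32
rdr e1000g0 0.0.0.0/0 port 80 -> 192.168.0.100 port 80 tcp
rdr e1000g0 0.0.0.0/0 port 443 -> 192.168.0.100 port 443 tcp
```

Because the memcached and DB zones are never listed in a map rule and have no pass rule on vnic0 except toward 192.168.0.254, any attempt by them to leave the private network shows up in the ipmon log as a blocked packet, which is the check to run after loading the rules.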

_______________________________________________
networking-discuss mailing list