Glenn Brunette wrote:

> Can someone please explain to me what I am doing wrong here. If I
> specify a specific host address (for e1000g0 or disable IP Filter) I
> can SSH out of the global zone, but if I use the default host address
> specification 0/32, I can't. The configuration that I am working on
> is based upon this diagram (if you are interested):
>
> http://www.flickr.com/photos/gbrunett/3237220412/
>
> Any feedback would be appreciated!
>
> Thanks in advance,
> Glenn
>
> ************************************************************
> *** Here are the interfaces:
> ************************************************************
>
> isc...@isc-model-1:~$ ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>         inet 127.0.0.1 netmask ff000000
> e1000g0: flags=201104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,CoS> mtu 1500 index 2
>         inet 192.168.2.6 netmask ffffff00 broadcast 192.168.2.255
> global_int_0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 9000 index 3
>         inet 192.168.0.254 netmask ffffff00 broadcast 192.168.0.255
> lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
>         inet6 ::1/128
>
> ************************************************************
> *** Here is the IPF configuration:
> ************************************************************
>
> #
> # ipf.conf
> #
> # IP Filter rules to be loaded during startup
> #
> # See ipf(4) manpage for more information on
> # IP Filter rules syntax.
>
> #
> # Allow the global zone to initiate any outbound communications (for now)
> #
> pass out log quick from 0.0.0.0/32 to any keep state keep frags
>
> #
> # Allow DHCP for the global zone.
> #
> pass in log quick proto udp from any port = 67 to any port = 68 keep state
>
> #
> # Allow world to communicate with web zone for TCP 80/443
> #
> pass in log quick proto tcp from any to 0/32 port = 80 keep state
> pass in log quick proto tcp from any to 0/32 port = 443 keep state
With ipnat, 0/32 refers to the primary address on that NIC. For IPv4, in ipf.conf you can achieve that with:

    pass in log first quick on e1000g0 proto tcp from any to e1000g0/32 port = 80 keep state

...unless you want to log _every_ packet of the web session, I suspect that you really just want the first packet that creates the session.

Darren

_______________________________________________
networking-discuss mailing list
[email protected]
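As an added illustration of the two points in Darren's reply (not code from the thread or from IP Filter itself), the small linter below scans an ipf.conf-style rule set for a `from`/`to` address of `0/32` or `0.0.0.0/32`, which in ipf.conf matches only the literal host 0.0.0.0 rather than the NIC's primary address, and for `log` without `first` on a `keep state` rule. The sample rule set is constructed, modelled on the one quoted above; the suggested replacement `<ifname>/32` is taken from the reply.

```python
import re

# Constructed sample, modelled on the ipf.conf quoted in the thread (not the original file).
SAMPLE_IPF_CONF = """\
# Allow the global zone to initiate any outbound communications (for now)
pass out log quick from 0.0.0.0/32 to any keep state keep frags
# Allow DHCP for the global zone.
pass in log quick proto udp from any port = 67 to any port = 68 keep state
# Allow world to communicate with web zone for TCP 80/443
pass in log quick proto tcp from any to 0/32 port = 80 keep state
pass in log first quick on e1000g0 proto tcp from any to e1000g0/32 port = 443 keep state
"""

# Address spellings that ipf.conf reads as the literal host 0.0.0.0, not "this NIC's address".
LITERAL_ZERO = {"0/32", "0.0.0.0/32", "0.0.0.0"}

def lint_rule(line):
    """Return a list of findings for one ipf rule line (empty list = nothing flagged)."""
    toks = line.split()
    findings = []
    # 'from X' / 'to Y': 0/32 here is the literal host 0.0.0.0 in ipf.conf,
    # unlike ipnat.conf where 0/32 means the primary address of the NIC.
    for kw in ("from", "to"):
        if kw in toks:
            addr = toks[toks.index(kw) + 1]
            if addr in LITERAL_ZERO:
                findings.append(f"'{kw} {addr}' matches only the literal 0.0.0.0; use '{kw} <ifname>/32'")
    # 'log' without 'first' on a keep-state rule logs every packet of the session.
    if "log" in toks and "keep" in toks and toks[toks.index("log") + 1] != "first":
        findings.append("'log' on a 'keep state' rule without 'first' logs every packet of the session")
    return findings

def lint_conf(text):
    """Lint every rule line; returns {line_no: [findings]} for lines that have findings."""
    out = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        found = lint_rule(line)
        if found:
            out[n] = found
    return out

if __name__ == "__main__":
    for n, found in lint_conf(SAMPLE_IPF_CONF).items():
        for f in found:
            print(f"line {n}: {f}")
```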
