Re: [zones-discuss] ipfilter in local zones

2007-10-05 Thread Dan Gubber
Here's my feedback.

We are running a fair number of Solaris containers, across a series of 
supported subnets. As of the Solaris 10 R3 release ( release 11/06 ) it was not 
possible to use ipfilter for the loopback packets between zones.

With R4 ( Release 08/07 ) you now can by having the first non-commented line in 
the ipf.conf file on the global zone as follows:

set intercept_loopback true;

Also, I need to clarify a definition so to speak. The difference between 
trunking and tagging can be a bit misleading, especially if you're old school 
like myself having done this job now for coming on 30 years.

The term trunking, in the old days, meant the extension of the physical network 
to the server in question, ie, no defined VLAN on the switch ports. SUN's use 
of trunking actually defines the method of device aggregation for HA network 
connectivity. Last I looked, dladm is the utility to define device aggregation.

Tagging defines a "virtual NIC" on the Solaris server, which passes a VID to a 
"tagged" port on your network switch determining which VLAN the packet is to be 
sent on.

A quick config can be achieved with something like

ifconfig e1000g1001 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255 plumb
ifconfig e1000g1001 up
ifconfig e1000g2001 10.0.2.1 netmask 255.255.255.0 broadcast 10.0.2.255 plumb
ifconfig e1000g2001 up

or you can create /etc/hostname.e1000g1001 and /etc/hostname.e1000g2001
with the associated addresses in them.
 
The new ability to set the zone's ip-type to exclusive does in fact create a 
much better security model as far as looped back packets on the same global 
zone is concerned, but as mentioned, at a cost. Even if the physical NIC is set 
as a tagged NIC ( ie a VNIC ), it can only be used by a single Solaris 
container. This obviously can become problematic if you are deploying a larger 
number of containers on a single global zone.

I have tested isolation capabilities at the global zone layer using a series of 
rules in the global zone's ipf.conf with very good results. Entries similar to

block in quick proto tcp/udp from x.x.1.0/24 to x.x.2.0/24 keep state
block out dup-to e1000g1002 quick proto tcp/udp from x.x.1.0/24 to x.x.2.0/24 keep state

will achieve isolation between subnets and/or containers at least on the same 
global zone, and if an infrastructure firewall is in place as well, the 
duplicate packet will be forced out the NIC/VNIC defined.

Other options like "route add   -interface -reject" can 
also be used at the global zone, but this command would have to be initiated 
after zoneA and zoneB are already booted so that the global zone's IP stack has 
record of the IP addresses in use. This also would require a series of entries 
to add the "rejection" for any combination of activity based on the local zones 
installed.

As for the raw use of VNICs, it works great. Our environment currently 
supports 8 VLANs on each global zone, and we are able to dynamically add new 
ones when required.

Regards,
Dan G
 
 
This message posted from opensolaris.org
___
zones-discuss mailing list
zones-discuss@opensolaris.org


Re: [zones-discuss] ipfilter in local zones

2007-06-07 Thread James Carlson
Jason Bradfield writes:
> > set intercept_loopback true;
> I tried this... This doesn't allow non global zones to maintain their 
> own ipf.conf and run ipfilter.

I think that'd be fairly complex and a pretty serious security problem
if we allowed it.

For shared-stack zones, there's only one TCP/IP stack.  If we allowed
ipfilter to be configured inside the zone, then the user of the
non-global zone could do all sorts of nefarious things -- such as
redirecting packets out other interfaces, dropping packets intended
for other zones, and creating rewriting or NAT rules to impersonate
someone else.

What you have inside the zone is really an address, not a physical
interface.  It's not a separate machine -- it's a machine with shared
resources that relies on an independently managed infrastructure.  If
you want a separate machine, with its own kernel and own resources, I
think the right answer is to go with some VM-like solution, such as
Xen, LDOMS, Domains, or VMware.

> All this allows is filtering between zones the global zones ipf rules..

Yes; that's what the loopback intercept is for.

-- 
James Carlson, Solaris Networking  <[EMAIL PROTECTED]>
Sun Microsystems / 1 Network Drive 71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677


Re: [zones-discuss] ipfilter in local zones

2007-06-06 Thread Jason Bradfield

Jeff Victor wrote:

Jerry Jelinek wrote:

Jason Bradfield wrote:
I have read in several blogs that ipfilter(within a non global zone) 
has been possible since early this year.. Then when I looked at our 
zone and the ipf.conf and the ipfilter smf were available then I 
thought I could use it..My stupid assumption.


I have only just realized this only works if the non global zone has 
exclusive access to the NIC, which was introduced as exclusive IP 
instances... I see this rather pointless in most situations as there 
are usually far fewer NICs on a server than the number of zones you 
will want to create


Jason,

The information you found about using ipfilter within a zone is correct.
To reiterate, you do need to use the new exclusive IP stack with the 
zone
in order to do this. 


pfhooks won't help here?


From http://opensolaris.org/os/community/networking/files/pfhooks-2006-05-10.pdf

Background

"...with the aim of facilitating packet filtering between zones."

4.2.5. Changes in IPFilter

To bring IPFilter into line with this project, we need to replace all of 
the private interfaces it was using from the pfil module. These changes do 
not result in any loss or change of functionality in IPFilter. IPFilter 
will use the physical-in (input) and physical-out (output) filter taps for 
controlling packet flow into and out of a computer running Solaris. To 
enable filtering of loopback traffic it is necessary to tell IPFilter this 
in its configuration file. This setting must be placed before other command 
line. The syntax of this line is:


set intercept_loopback true;
I tried this... This doesn't allow non global zones to maintain their 
own ipf.conf and run ipfilter.

All this allows is filtering between zones the global zones ipf rules..




-- 
Jeff VICTOR  Sun Microsystems  jeff.victor @ sun.com
OS Ambassador  Sr. Technical Specialist
Solaris 10 Zones FAQ: http://www.opensolaris.org/os/community/zones/faq
-- 


Re: [zones-discuss] ipfilter in local zones

2007-06-06 Thread Jeff Victor

Jerry Jelinek wrote:

Jason Bradfield wrote:
I have read in several blogs that ipfilter(within a non global zone) 
has been possible since early this year.. Then when I looked at our 
zone and the ipf.conf and the ipfilter smf were available then I 
thought I could use it..My stupid assumption.


I have only just realized this only works if the non global zone has 
exclusive access to the NIC, which was introduced as exclusive IP 
instances... I see this rather pointless in most situations as there 
are usually far fewer NICs on a server than the number of zones you will 
want to create


Jason,

The information you found about using ipfilter within a zone is correct.
To reiterate, you do need to use the new exclusive IP stack with the zone
in order to do this. 


pfhooks won't help here?


From http://opensolaris.org/os/community/networking/files/pfhooks-2006-05-10.pdf

Background

"...with the aim of facilitating packet filtering between zones."

4.2.5. Changes in IPFilter

To bring IPFilter into line with this project, we need to replace all of the 
private interfaces it was using from the pfil module. These changes do not 
result in any loss or change of functionality in IPFilter. IPFilter will use 
the physical-in (input) and physical-out (output) filter taps for controlling 
packet flow into and out of a computer running Solaris. To enable filtering of 
loopback traffic it is necessary to tell IPFilter this in its configuration 
file. This setting must be placed before other command line. The syntax of 
this line is:


set intercept_loopback true;



--
Jeff VICTOR  Sun Microsystemsjeff.victor @ sun.com
OS AmbassadorSr. Technical Specialist
Solaris 10 Zones FAQ:http://www.opensolaris.org/os/community/zones/faq
--


Re: [zones-discuss] ipfilter in local zones

2007-06-06 Thread James Carlson
Jason Bradfield writes:
> I think we have decided to leave this for nowIt will be our clients 
> that will be using the non-global zones..
> Is there a way to manage this from within the global zone.. without 
> exclusive IP stacks..
> ie in the global zone can I specify ipf rules for the non-global zones..

Sure.  Ipf rules specified for the global zone apply to all 'regular'
(non-exclusive) non-global zones as well.

The rules themselves don't have a way to filter based on Zone ID or
name, but you can still filter based on address.

-- 
James Carlson, Solaris Networking  <[EMAIL PROTECTED]>
Sun Microsystems / 1 Network Drive 71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677


Re: [zones-discuss] ipfilter in local zones

2007-06-06 Thread Jason Bradfield

Jerry Jelinek wrote:

Jason Bradfield wrote:
I have done some more reading around and found the following.. can 
you please confirm this..


I have read in several blogs that ipfilter(within a non global zone) 
has been possible since early this year.. Then when I looked at our 
zone and the ipf.conf and the ipfilter smf were available then I 
thought I could use it..My stupid assumption.


I have only just realized this only works if the non global zone has 
exclusive access to the NIC, which was introduced as exclusive IP 
instances... I see this rather pointless in most situations as there 
are usually far fewer NICs on a server than the number of zones you 
will want to create..


Here comes vnics.. According to the following link, I should be able 
to create a vnic for my zones and then ipfilters should work...
http://www.opensolaris.org/os/project/crossbow/CrossbowBeta/FeaturesOverview/ 



I just gave it a quick go and failed as my version of dladm does not 
have a create-vnic option...
Anyway I am looking into this now.. I see a list of pre-req bfu 
scripts and archives that I will need to install.. they should have 
what I need...

If I have any probs I'll post to the crossbow discuss.

Has anyone used vnics in a zone yet.. if so how was your 
experience??.. Are you using ipfilters? are there any performance 
issues?? if this works we will be going live in production with it 
soon...My fingers are crossed.


Jason,

The information you found about using ipfilter within a zone is correct.
To reiterate, you do need to use the new exclusive IP stack with the zone
in order to do this.  Currently you need to dedicate a NIC to the zone
when using an exclusive stack.  As you found, VNICs will address this
limitation.  However, the VNIC code has not yet integrated into opensolaris
although that project is under development.  I am not sure what the state
is of the crossbow project BFU archives you found.  You just need to be
aware that those are still project development bits and might not be synced
up with the latest code integrated into opensolaris and might still have the
usual sorts of bugs that code under development has.  Until the VNIC support is
integrated you will either have to dedicate a physical NIC to any zone that needs
to use an exclusive IP stack or use the development bits you found.  I'm not
sure how stable those development bits would be for going live in production.
The crossbow discuss alias is definitely the place to get more info about that.


Jerry

Thanks Jerry,

I think we have decided to leave this for now. It will be our clients 
that will be using the non-global zones..
Is there a way to manage this from within the global zone.. without 
exclusive IP stacks..

ie in the global zone can I specify ipf rules for the non-global zones..






Re: [zones-discuss] ipfilter in local zones

2007-06-06 Thread Jerry Jelinek

Jason Bradfield wrote:
I have done some more reading around and found the following.. can you 
please confirm this..


I have read in several blogs that ipfilter(within a non global zone) has 
been possible since early this year.. Then when I looked at our zone and 
the ipf.conf and the ipfilter smf were available then I thought I could 
use it..My stupid assumption.


I have only just realized this only works if the non global zone has 
exclusive access to the NIC, which was introduced as exclusive IP 
instances... I see this rather pointless in most situations as there are 
usually far fewer NICs on a server than the number of zones you will want 
to create..


Here comes vnics.. According to the following link, I should be able to 
create a vnic for my zones and then ipfilters should work...
http://www.opensolaris.org/os/project/crossbow/CrossbowBeta/FeaturesOverview/ 



I just gave it a quick go and failed as my version of dladm does not 
have a create-vnic option...
Anyway I am looking into this now.. I see a list of pre-req bfu scripts 
and archives that I will need to install.. they should have what I need...

If I have any probs I'll post to the crossbow discuss.

Has anyone used vnics in a zone yet.. if so how was your experience??.. 
Are you using ipfilters? are there any performance issues?? if this 
works we will be going live in production with it soon...My fingers are 
crossed.


Jason,

The information you found about using ipfilter within a zone is correct.
To reiterate, you do need to use the new exclusive IP stack with the zone
in order to do this.  Currently you need to dedicate a NIC to the zone
when using an exclusive stack.  As you found, VNICs will address this
limitation.  However, the VNIC code has not yet integrated into opensolaris
although that project is under development.  I am not sure what the state
is of the crossbow project BFU archives you found.  You just need to be
aware that those are still project development bits and might not be synced
up with the latest code integrated into opensolaris and might still have the
usual sorts of bugs that code under development has.  Until the VNIC support is
integrated you will either have to dedicate a physical NIC to any zone that needs
to use an exclusive IP stack or use the development bits you found.  I'm not
sure how stable those development bits would be for going live in production.
The crossbow discuss alias is definitely the place to get more info about that.

Jerry


Re: [zones-discuss] ipfilter in local zones

2007-06-06 Thread Jason Bradfield
I have done some more reading around and found the following.. can you 
please confirm this..


I have read in several blogs that ipfilter(within a non global zone) has 
been possible since early this year.. Then when I looked at our zone and 
the ipf.conf and the ipfilter smf were available then I thought I could 
use it..My stupid assumption.


I have only just realized this only works if the non global zone has 
exclusive access to the NIC, which was introduced as exclusive IP 
instances... I see this rather pointless in most situations as there are 
usually far fewer NICs on a server than the number of zones you will want 
to create..


Here comes vnics.. According to the following link, I should be able to 
create a vnic for my zones and then ipfilters should work...

http://www.opensolaris.org/os/project/crossbow/CrossbowBeta/FeaturesOverview/

I just gave it a quick go and failed as my version of dladm does not 
have a create-vnic option...
Anyway I am looking into this now.. I see a list of pre-req bfu scripts 
and archives that I will need to install.. they should have what I need...

If I have any probs I'll post to the crossbow discuss.

Has anyone used vnics in a zone yet.. if so how was your experience??.. 
Are you using ipfilters? are there any performance issues?? if this 
works we will be going live in production with it soon...My fingers are 
crossed.


Thanks.
Jason Bradfield

Seng-Quee.Liang wrote:


Only global zone, as ipfilter naturally needs manipulation of the NIC, 
which (hardware manipulation) is not allowed from within the 
non-global zone.


HTH,
/SQ


Jason Bradfield wrote:

Can anyone let me know if this is possible yet...
Or only from global zone..

Thanks.

Jason Bradfield wrote:

Hi,

I'm trying to get ipfilters working within a local zone on build 
snv_62.


I'm getting the following when trying to start the ipfilter service

bash-3.00# cat /var/svc/log/network-ipfilter:default.log
[ Jun  5 15:33:08 Enabled. ]
[ Jun  5 15:33:09 Executing start method ("/lib/svc/method/ipfilter 
start") ]

open device: No such file or directory
SIOCFRENB: Bad file number
open device: No such file or directory
User/kernel version check failed
/lib/svc/method/ipfilter: load of /etc/ipf/ipf.conf into alternate 
set failed

Not switching config due to load error.
[ Jun  5 15:33:09 Method "start" exited with status 96 ]


Also I get the following:
bash-3.00#
bash-3.00# ifconfig -a
lo0:3: flags=2001000849 
mtu 8232 index 1

   inet 127.0.0.1 netmask ff00
e1000g0:3: flags=201000843 
mtu 1500 index 2

   inet xxx.xxx.xxx.xxx netmask ff00 broadcast xxx.xxx.xxx.xxx


bash-3.00# ifconfig e1000g0:3 modlist
ifconfig: open: /dev/ip: No such file or directory


bash-3.00# ifconfig e1000g0 modlist
ifconfig: status: SIOCGLIFFLAGS: e1000g0: no such interface


I have also added the following to the global zone's /etc/ipf.conf
set intercept_loopback true;

Has this been implemented yet??
Any ideas on how to get this to work??

Thanks,
Jason Bradfield.










Re: [zones-discuss] ipfilter in local zones

2007-06-06 Thread Jason Bradfield

Can anyone let me know if this is possible yet...
Or only from global zone..

Thanks.

Jason Bradfield wrote:

Hi,

I'm trying to get ipfilters working within a local zone on build snv_62.

I'm getting the following when trying to start the ipfilter service

bash-3.00# cat /var/svc/log/network-ipfilter:default.log
[ Jun  5 15:33:08 Enabled. ]
[ Jun  5 15:33:09 Executing start method ("/lib/svc/method/ipfilter 
start") ]

open device: No such file or directory
SIOCFRENB: Bad file number
open device: No such file or directory
User/kernel version check failed
/lib/svc/method/ipfilter: load of /etc/ipf/ipf.conf into alternate set 
failed

Not switching config due to load error.
[ Jun  5 15:33:09 Method "start" exited with status 96 ]


Also I get the following:
bash-3.00#
bash-3.00# ifconfig -a
lo0:3: flags=2001000849 
mtu 8232 index 1

   inet 127.0.0.1 netmask ff00
e1000g0:3: flags=201000843 
mtu 1500 index 2

   inet xxx.xxx.xxx.xxx netmask ff00 broadcast xxx.xxx.xxx.xxx


bash-3.00# ifconfig e1000g0:3 modlist
ifconfig: open: /dev/ip: No such file or directory


bash-3.00# ifconfig e1000g0 modlist
ifconfig: status: SIOCGLIFFLAGS: e1000g0: no such interface


I have also added the following to the global zone's /etc/ipf.conf
set intercept_loopback true;

Has this been implemented yet??
Any ideas on how to get this to work??

Thanks,
Jason Bradfield.





