Hi Elton,

In what follows, I will assume raven is a TX host, and deepthought an unlabeled host; tell me if it is not the case.

Elton wrote:
> I have also configured port 22 as an MLP for both private and shared
> (section 4 and 5 of tnzonecfg).

AFAIK, for non-global zones, you should only update the 4th field: as non-global zones do not master shared addresses, the 5th field is of no use for them. So if I understood correctly and you update the unclass zone definition, you should only need to add it in the 4th field.

> I can now ssh as a user in the unclass zone from deepthought to raven.

This is probably because raven being an unlabeled host, it is seen as admin_low if you did not modify the tnrhdb default match template, or any other label under which it matches its IP. As sshd is now on an MLP, it accepts deepthought's connection whatever label it is matching.

> However, I can not ssh from raven as a user in the unclass zone to
> deepthought. I do not get a password prompt at all. I send a SYN from
> raven and I immediately get a RST from deepthought.

When you try to connect to deepthought from a raven zone, the default label under which deepthought is seen cannot be bypassed. If deepthought is seen as admin_low, you should only be able to connect to it from the global zone. If it is seen as unclass, only from the unclass zone, etc. If you wish to have deepthought reachable from your unclass zone, then you need to have it matching an unclass pattern in your tnrhdb.

HTH,
Bruno.
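The two points above (put the MLP in the 4th tnzonecfg field only for a non-global zone, and make the remote host match the right tnrhdb template) can be checked with a small script. This is an added example, not code from the thread or from Solaris Trusted Extensions: it assumes the five-field tnzonecfg layout `zone:label:flags:zone_mlps:shared_mlps` with `;`-separated `port/proto` entries, a tnrhdb layout of `address[/prefix]:template` resolved by most-specific prefix, and all sample lines, addresses and the template name `unclass_template` are constructed.

```python
"""Check tnzonecfg MLP placement and tnrhdb template lookup.

Added example, not part of the original mailing-list thread. File layouts
and sample data are assumptions/constructed, see comments.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ZoneEntry:
    # Assumed tnzonecfg layout: zone:label:flags:zone_mlps:shared_mlps
    name: str
    label: str
    flags: str
    zone_mlps: list
    shared_mlps: list


def parse_mlps(text):
    """Split a ';'-separated MLP field, dropping empty items."""
    return [m for m in text.split(";") if m]


def parse_zone_line(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != 5:
        raise ValueError("expected 5 colon-separated fields: %r" % line)
    name, label, flags, zone_mlp, shared_mlp = parts
    return ZoneEntry(name, label, flags, parse_mlps(zone_mlp), parse_mlps(shared_mlp))


def format_zone_line(entry):
    return ":".join([entry.name, entry.label, entry.flags,
                     ";".join(entry.zone_mlps), ";".join(entry.shared_mlps)])


def add_zone_mlp(lines, zone, mlp):
    """Add `mlp` to the 4th (zone-specific) field of `zone`; idempotent."""
    out = []
    for line in lines:
        entry = parse_zone_line(line)
        if entry.name == zone and mlp not in entry.zone_mlps:
            entry.zone_mlps.append(mlp)
        out.append(format_zone_line(entry))
    return out


def check_zone_entry(entry):
    """Warn when a non-global zone carries shared-address MLPs (5th field),
    which Bruno notes is of no use since such zones do not master shared addresses."""
    warnings = []
    if entry.name != "global" and entry.shared_mlps:
        warnings.append("%s: shared MLPs %s set on a non-global zone"
                        % (entry.name, entry.shared_mlps))
    return warnings


def lookup_template(tnrhdb_lines, ip):
    """Return the tnrhdb template for `ip` using most-specific prefix match.
    Assumes 'address[/prefix]:template' lines; IPv4 only; a bare address is /32."""
    addr = ipaddress.ip_address(ip)
    best = None
    for line in tnrhdb_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, template = line.rsplit(":", 1)
        net = ipaddress.ip_network(host if "/" in host else host + "/32", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, template)
    return best[1] if best else None


# Constructed sample data (not from the thread).
TNZONECFG = [
    "global:ADMIN_LOW:1:1023-65535/tcp;1023-65535/udp:6000-6003/tcp",
    "unclass:PUBLIC:0::",
]
TNRHDB = [
    "# constructed sample; 0.0.0.0/0 is the catch-all default template",
    "0.0.0.0/0:admin_low",
    "192.168.1.0/24:cipso",
    "192.168.1.20:unclass_template",  # hypothetical entry for deepthought
]

if __name__ == "__main__":
    for line in add_zone_mlp(TNZONECFG, "unclass", "22/tcp"):
        print(line, check_zone_entry(parse_zone_line(line)))
    for ip in ("192.168.1.20", "192.168.1.21", "10.0.0.1"):
        print(ip, "->", lookup_template(TNRHDB, ip))
```

Run as a script it prints the updated tnzonecfg lines with any warnings, then which template each sample address would match; a host that resolves to `admin_low` is only reachable from the global zone, as described above.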