Howdy Chris!
It is my understanding that since there is only one TCP/IP stack you can
only run ipfilter in the global zone. That said, there is an OpenSolaris
project to look at virtualizing the network stack to make it possible to
route traffic so that you could use ipfilter in a future release of
Solaris 10. Also, it is my understanding that all zones on the same
physical box route network traffic locally, so network traffic never
leaves the box.
Thanks!
Wences
Christine Tran wrote:
I'm reading this section from the ipf how-to:
"The rdr function is applied to packets that enter the firewall on the
specified interface. When a packet comes in that matches a rdr rule,
its destination address is then rewritten, it is pushed into ipf for
filtering, and should it successfully run the gauntlet of filter
rules, it is then sent to the unix routing code. Since this packet is
still inbound on the same interface that it will need to leave the
system on to reach a host, *the system gets confused*. Reflectors
don't work. Neither does specifying the address of the interface the
packet just came in on. Always remember that rdr destinations must
exit out of the firewall host on a different interface."
Does this mean I can't have my global zone redirect to a non-global
zone living on the same box? Because I'm really using the loopback
interface and not leaving the system on any physical interface? This
applies whether my global and non-global zone share one interface, or
have unique interfaces? I would like some clarification if Darren is
around? Thanks!
CT
_______________________________________________
zones-discuss mailing list
[email protected]