Howdy Chris!

It is my understanding that since there is only one TCP/IP stack, you can only run ipfilter in the global zone. That said, there is an OpenSolaris project looking at virtualizing the network stack to make it possible to route traffic so that you could use ipfilter in a future release of Solaris 10. Also, it is my understanding that all zones on the same physical box route network traffic locally, so network traffic never leaves the box.

Christine Tran wrote:

I'm reading this section from the ipf how-to:

"The rdr function is applied to packets that enter the firewall on the specified interface. When a packet comes in that matches a rdr rule, its destination address is then rewritten, it is pushed into ipf for filtering, and should it successfully run the gauntlet of filter rules, it is then sent to the unix routing code. Since this packet is still inbound on the same interface that it will need to leave the system on to reach a host, *the system gets confused*. Reflectors don't work. Neither does specifying the address of the interface the packet just came in on. Always remember that rdr destinations must exit out of the firewall host on a different interface."

Does this mean I can't have my global zone redirect to a non-global zone living on the same box, because I'm really using the loopback interface and not leaving the system on any physical interface? Does this apply whether my global and non-global zone share one interface or have unique interfaces? I would like some clarification if Darren is around. Thanks!


zones-discuss mailing list