Hi Christine,

After Mike D supplied me with some more details, I was able to use 'rdr' to redirect traffic as he suggested. Here is what I did:

1) Enable ipfilter
   Comment out the appropriate line in /etc/ipf/pfil.ap.
   svcadm enable network/ipfilter
   svcadm enable network/pfil

2) Add a NAT rule to /etc/ipf/ipnat.conf and run:
   ipnat -f <filename>

   My ipnat.conf file just had this:

   rdr e1000g0 port 23 -> port 23 tcp/udp

   where is the global zone, and ...102 is the Container. This
   forwarded all inbound telnet connections to the Containers.

   The tcp/udp field probably isn't necessary.

If it doesn't work, test these:
   * ifconfig e1000g0 modlist
     The output should include the pfil module.

   * ipnat -l
     The output should include the rdr rule you inserted earlier.

   * Make sure pfild is running.

Christine Tran wrote:
Here's the link to ipf-howto for Jeff.

Mike Ditto wrote:

Christine Tran wrote:

Does this mean I can't have my global zone redirect to a non-global zone living on the same box? Because I'm really using the loopback interface and not leaving the system on any physical interface? This applies whether my global and non-global zone share one interface, or have unique interfaces? I would like some clarification if Darren is around? Thanks!


It should be possible to use rdr to redirect inbound traffic to another
zone (IP address) on the same machine.  This isn't mentioned in the ipf
how-to because without zones, there is generally no reason to do this.

Basically, when you use rdr, the inbound packet is modified before the
IP stack sees it, so it will be correctly delivered to the modified
destination if that destination is on the local machine or reachable
through some interface other than the one on which the packet arrived.

Customer was swearing up and down that he cannot use rdr to direct traffic onto a web server running inside a zone on a box that is also acting as a router and accepting inbound traffic. I don't know how much of this is a misconfiguration (he says he can redirect to another physical box, but not onto a zone on the same box). I was going to write to Darren directly but thought the list could benefit from the discussion.

The use for this, and I'm guessing here, might be something like, I have widgetco.com with several autonomous subdivisions. I can't all have my zones called widgetco (so that all my customers can access via http://widgetco.com) so I have one big server that accepts and redirects to different zones and then the webserver there does URL rewrites.

zones-discuss mailing list

Jeff VICTOR              Sun Microsystems            jeff.victor @ sun.com
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ:    http://www.opensolaris.org/os/community/zones/faq
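
The three checks from the "If it doesn't work" list above, as a script. This is an added example, not part of the original mail. The sample command output is constructed, the 192.0.2.x addresses are documentation placeholders rather than the addresses used in the thread, and using pgrep to look for pfild is an assumption.

```shell
#!/bin/sh
# Constructed sample output, used to exercise the parsers offline.
SAMPLE_MODLIST='0 arp
1 ip
2 pfil
3 e1000g'
SAMPLE_IPNAT='List of active MAP/Redirect filters:
rdr e1000g0 192.0.2.1/32 port 23 -> 192.0.2.102 port 23 tcp/udp

List of active sessions:'

# has_pfil: reads "ifconfig <if> modlist" output on stdin and
# succeeds only if the pfil STREAMS module is listed.
has_pfil() {
    awk '$2 == "pfil" { found = 1 } END { exit !found }'
}

# has_rdr IFACE PORT: reads "ipnat -l" output on stdin and succeeds
# only if an active rdr rule names that interface and port.
has_rdr() {
    awk -v ifc="$1" -v port="$2" '
        $1 == "rdr" && $2 == ifc {
            for (i = 3; i < NF; i++)
                if ($i == "port" && $(i + 1) == port) found = 1
        }
        END { exit !found }'
}

# check_redirect IFACE PORT: runs all three checks on the live system
# and reports each one that fails.
check_redirect() {
    rc=0
    ifconfig "$1" modlist | has_pfil ||
        { echo "pfil is not in the module list for $1"; rc=1; }
    ipnat -l | has_rdr "$1" "$2" ||
        { echo "no active rdr rule for $1 port $2"; rc=1; }
    pgrep -x pfild >/dev/null ||
        { echo "pfild is not running"; rc=1; }
    return $rc
}

# Run the live checks only when given an interface and a port,
# e.g. "sh check.sh e1000g0 23".
if [ $# -eq 2 ]; then
    check_redirect "$1" "$2"
fi
```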