Jan Hendrik Mangold writes:
> I create several zones using a physical network interface (ce1) that
> isn't actually physically connected.

Packets probably flow best when the physical interface is connected. What's the goal in leaving it unconnected?

> I don't want the zones to be able to talk amongst themselves, but
> still be able to access the outside world. For the sake of simple
> web browsing I setup squid in the GZ and configure mozilla to use
> 192.168.x.254:8080 in the NGZ.

By default, if there's a route that makes another zone's IP address reachable, then those zones can talk via internal loopback. This usually means that if they can communicate with the outside world, then they can talk to each other.

To prevent that, you can set up '-reject' or '-blackhole' routes.

> In case I do want to access another class C subnet, how do I setup
> the default routes? Lets say I do want to connect from a NGZ zone in
> the 192.168.1.x network to a 192.168.2.x network?

If they're on separate subnets, you'll need one set of routes per zone, all configured in the global zone. (That "set" for each could consist of a single default route.)

> No dice, because these IPs are non routable? Can I setup ipf on the
> GZ to do this?

No ... IP Filter currently does not intercept traffic flowing locally between zones.

-- 
James Carlson, KISS Network                    <[EMAIL PROTECTED]>
Sun Microsystems / 1 Network Drive         71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677

_______________________________________________
zones-discuss mailing list
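The route setup Carlson describes, as an added example that is not part of the thread and not Sun's code: a small sh script that generates the global-zone route commands (one -reject or -blackhole host route per zone address so zones sharing the IP stack cannot reach each other over loopback, plus one default route per zone subnet, all in the global zone) and applies them only when asked. The zone addresses and routers are constructed; using 127.0.0.1 as the gateway on the reject/blackhole routes is an assumption, so confirm the exact form against route(1M) on your release.

```shell
#!/bin/sh
# Added example (not from the zones-discuss thread): emit and optionally apply
# the global-zone routes that keep shared-IP zones from talking to each other
# while each zone subnet keeps its own default route.
#
# Constructed values, not from the post: three zone addresses on two subnets
# and one router per subnet. The loopback gateway on the isolation routes is
# an assumption; check route(1M) on your release.
ZONE_IPS="192.168.1.10 192.168.1.11 192.168.2.10"
ZONE_ROUTERS="192.168.1.1 192.168.2.1"

# MODE picks the route(1M) modifier: -reject (sender gets ICMP unreachable)
# or -blackhole (packets are silently dropped). Both are named in the thread.
MODE=${MODE:-reject}

# isolation_routes MODE IP...: one host route per zone address carrying the
# chosen modifier. Without it, a zone that can route to another zone's address
# reaches it over internal loopback, and IP Filter never sees that traffic.
isolation_routes() {
    mode=$1; shift
    for ip in "$@"; do
        printf 'route add -host %s 127.0.0.1 -%s\n' "$ip" "$mode"
    done
}

# default_routes GW...: one default route per zone subnet. All of them live in
# the global zone, since non-global zones do not manage their own routing.
default_routes() {
    for gw in "$@"; do
        printf 'route add default %s\n' "$gw"
    done
}

# apply_routes: build the full command list; print it when DRY_RUN is set,
# otherwise run each command (needs root in the global zone) and show the
# resulting table so the new entries can be checked with netstat -rn.
apply_routes() {
    cmds=$( { isolation_routes "$MODE" $ZONE_IPS; default_routes $ZONE_ROUTERS; } )
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$cmds"
        return 0
    fi
    printf '%s\n' "$cmds" | while read -r cmd; do
        $cmd || exit 1
    done || return 1
    netstat -rn
}

# Usage: "sh isolate-zones.sh dry-run" to review, "sh isolate-zones.sh apply"
# to install the routes. No argument does nothing, so the functions can be
# sourced and called individually.
case ${1:-} in
    apply)   apply_routes ;;
    dry-run) DRY_RUN=1; apply_routes ;;
esac
```

Because a shared-IP stack has one routing table, every entry added here is seen by the global zone as well as the non-global zones; after applying, confirm that any service in the global zone the zones depend on (the squid proxy in the thread, for instance) can still answer them, and that `netstat -rn` shows the reject or blackhole entries you expect.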
