Jason Bradfield writes:
> > set intercept_loopback true;
> I tried this... This doesn't allow non-global zones to maintain their
> own ipf.conf and run ipfilter.
I think that'd be fairly complex and a pretty serious security problem if we allowed it. For shared-stack zones, there's only one TCP/IP stack. If we allowed ipfilter to be configured inside the zone, then the user of the non-global zone could do all sorts of nefarious things -- such as redirecting packets out other interfaces, dropping packets intended for other zones, and creating rewriting or NAT rules to impersonate someone else.

What you have inside the zone is really an address, not a physical interface. It's not a separate machine -- it's a machine with shared resources that relies on an independently managed infrastructure. If you want a separate machine, with its own kernel and own resources, I think the right answer is to go with some VM-like solution, such as Xen, LDOMs, Domains, or VMware.

> All this allows is filtering between zones with the global zone's ipf rules..

Yes; that's what the loopback intercept is for.

-- 
James Carlson, Solaris Networking <[EMAIL PROTECTED]>
Sun Microsystems / 1 Network Drive         71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
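As an added illustration (not part of the thread), this is the kind of global-zone /etc/ipf/ipf.conf fragment the loopback intercept makes possible: inter-zone traffic on a shared stack is filtered centrally by the global zone, so no non-global zone needs (or gets) its own ipfilter. The zone addresses are constructed TEST-NET values, and matching inter-zone traffic on lo0 is an assumption about the loopback path.

```conf
# Added example, not from the mailing-list post. Global-zone ipf.conf.
# Shared-stack zones talk to each other over the loopback path of the
# single TCP/IP stack; this switch makes ipfilter see that traffic.
set intercept_loopback true;

# Constructed addresses for two non-global zones (TEST-NET-1):
#   web zone  192.0.2.10
#   db zone   192.0.2.20

# Default for inter-zone traffic: deny and log, so any new cross-zone
# flow shows up in ipmon output instead of silently succeeding.
block in log quick on lo0 all

# Allow only the one flow the design calls for: web zone to the
# database port of the db zone, with state so replies are matched.
pass in quick on lo0 proto tcp from 192.0.2.10 to 192.0.2.20 port = 5432 flags S keep state

# Everything else between the zones (ssh, nfs, the db reaching back
# into web, ...) is still caught by the block rule above. Only the
# global zone can edit this file, which is the property the reply
# is describing: the zones hold addresses, not their own firewalls.
```

Reload with `ipf -Fa -f /etc/ipf/ipf.conf` from the global zone and confirm with `ipfstat -io` that the lo0 rules are loaded; the log line from the block rule is what a defender watches for when a zone starts talking to a neighbour it should not.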