Jason Bradfield writes:
> > set intercept_loopback true;
> I tried this... This doesn't allow non global zones to maintain their 
> own ipf.conf and run ipfilter.

I think that'd be fairly complex and a pretty serious security problem
if we allowed it.

For shared-stack zones, there's only one TCP/IP stack.  If we allowed
ipfilter to be configured inside the zone, then the user of the
non-global zone could do all sorts of nefarious things -- such as
redirecting packets out other interfaces, dropping packets intended
for other zones, and creating rewriting or NAT rules to impersonate
someone else.

What you have inside the zone is really an address, not a physical
interface.  It's not a separate machine -- it's a machine with shared
resources that relies on an independently managed infrastructure.  If
you want a separate machine, with its own kernel and own resources, I
think the right answer is to go with some VM-like solution, such as
Xen, LDOMS, Domains, or VMware.

> All this allows is filtering between zones the global zones ipf rules..

Yes; that's what the loopback intercept is for.

-- 
James Carlson, Solaris Networking              <[EMAIL PROTECTED]>
Sun Microsystems / 1 Network Drive         71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org

Reply via email to