Hello Zones experts,

We are attempting to create a new data center architecture that favors virtualization with zones. Previously, if we wanted to have zones from different security contexts (front-end, back-end, internet, etc.), they had to be in different physical machines (or LDOMs). Now that we have the ability (ok, as of s10u4, but we have been busy) to use ipfilter between zones on the same host, we believe there may be enough separation to have zones in different security contexts on the same global zone.
I would like to get people's feedback on what they would think of creating the ability to have ipfilter rules, that would normally be located in ipf.conf in the global zone, inside the zonecfg. When the zone is brought "online" it could pipe the rules into "ipf -f -" or something. I am thinking the zonecfg seems like a good place to store them because when I want to "move" a zone from one machine to another, I would prefer the firewall came along with the zone.

We have discussed using vnic interfaces (Crossbow?), but I don't believe that's integrated yet. Besides, we don't really trust the application administrator (zone administrator) with the firewall, so we'd like to keep its configuration in the global zone, which I assume would still work even with vnics.

QUESTION: If we put the firewall (ipf.conf) inside the zone and use a private IP instance, can they put a "pass out quick on vnic0 keep state" rule and thereby have the ability to connect to any other zone on the same machine? I know that rule in the global zone makes it that way, but maybe IP stack instances fix that?

~tommy

_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
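The following script is an added example for the shared-IP-stack case the post describes; it is not code from the post, from Solaris, or from IP Filter. It keeps the per-zone policy in the global zone (where the zone administrator cannot edit it) as a small table and regenerates the global-zone ipf rule set from it, so moving a zone to another host means carrying its table row. The table format (zone, address, security context, inbound spec) is invented here, and the zone names, addresses and ports are constructed. Two things are real IP Filter facilities: `set intercept_loopback true;`, which makes the global-zone filter see zone-to-zone traffic that crosses lo0 on a shared stack, and `ipf -f -`, which reads rules from standard input. The generator emits explicit inter-zone pass rules first, then quick block rules for every other zone pair, and only then the blanket stateful `pass out`; that ordering is the point, because, as the post observes, a blanket `pass out quick ... keep state` placed in the global zone on its own lets a zone reach any neighbour. Exclusive-IP zones are out of scope for this script: each such stack is filtered by its own ipf instance, which these rules do not touch.

```shell
#!/bin/sh
# Added example (not from the zones-discuss post or from Solaris):
# generate the global-zone IP Filter policy for shared-stack zones
# from a policy table kept in the global zone.
#
# Assumptions: the table layout below is invented for this example;
# zone names, addresses and ports are constructed. Only load_rules
# touches the real ipf binary, and nothing here calls it automatically.

# Constructed policy table: ZONE ADDRESS CONTEXT INBOUND
# INBOUND is a comma list of PORT/SRC, where SRC is a context name
# (only zones in that context may connect) or "any" (off-host clients).
ZONE_TABLE='
web1  10.0.1.11  frontend  80/any,443/any
app1  10.0.2.21  backend   8080/frontend
db1   10.0.3.31  backend   5432/backend
'

# build_rules TABLE: print an ipf.conf rule set for the table on stdout.
build_rules() {
    printf '%s\n' "$1" | awk '
    # remember every zone so a context name can be resolved to addresses
    NF == 4 && $1 !~ /^#/ { n++; zone[n] = $1; ip[n] = $2; ctx[n] = $3; spec[n] = $4 }
    END {
        print "# generated by build_rules: global-zone policy for shared-stack zones"
        # zone-to-zone traffic on a shared stack crosses lo0; without this
        # line the global-zone filter never sees it
        print "set intercept_loopback true;"
        print "block in log all"
        print "block out log all"
        # 1. explicit inter-zone flows: one pass rule on each side of lo0
        #    (out from the client zone, in to the server zone), plus
        #    inbound-from-anywhere rules for "any" services
        for (d = 1; d <= n; d++) {
            m = split(spec[d], specs, ",")
            for (i = 1; i <= m; i++) {
                split(specs[i], pair, "/"); port = pair[1]; src = pair[2]
                if (src == "any") {
                    printf "pass in quick proto tcp from any to %s port = %s flags S keep state\n", ip[d], port
                    continue
                }
                for (s = 1; s <= n; s++) {
                    if (s == d || ctx[s] != src) continue
                    printf "pass out quick proto tcp from %s to %s port = %s flags S keep state\n", ip[s], ip[d], port
                    printf "pass in quick proto tcp from %s to %s port = %s flags S keep state\n", ip[s], ip[d], port
                }
            }
        }
        # 2. every other flow between zones on this host is denied here,
        #    so the blanket pass-out in step 3 cannot reach a neighbour
        for (s = 1; s <= n; s++)
            for (d = 1; d <= n; d++)
                if (s != d) printf "block out quick from %s to %s\n", ip[s], ip[d]
        # 3. off-host outbound is allowed and stateful
        for (s = 1; s <= n; s++)
            printf "pass out quick from %s to any keep state\n", ip[s]
    }'
}

# load_rules: flush the global-zone filter and load the generated set.
# Run as root in the global zone of a Solaris host with IP Filter enabled
# (svcadm enable network/ipfilter). Never invoked automatically.
load_rules() {
    build_rules "$ZONE_TABLE" | ipf -Fa -f -
}

# Stand-alone run: show the rule set that would be loaded.
build_rules "$ZONE_TABLE"
```

Run it as-is to inspect the generated policy, or call `load_rules` from the global zone to apply it; the `keep state` on the inter-zone pass rules lets the server zone's replies return past the per-pair block rules, since state-table matches are checked before the rule list.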