On Fri, Nov 7, 2008 at 12:13 PM, Tommy McNeely <[EMAIL PROTECTED]> wrote:

> Hello Zones experts,
>
> We are attempting to create a new data center architecture that favors
> virtualization with zones. Previously, if we wanted to have zones from
> different security contexts (front-end, back-end, internet, etc.), they
> had to be in different physical machines (or LDOMS). Now that we have
> the ability (ok, as of s10u4, but we have been busy) to use ipfilter
> between zones on the same host, we believe there may be enough
> separation to have zones in different security contexts on the same
> global zone.
>
> I would like to get people's feedback on what they would think of
> creating the ability to have ipfilter rules, that would normally be
> located in ipf.conf in the global zone, inside the zonecfg. When the
> zone is brought "online" it could pipe the rules into "ipf -f -" or
> something. I am thinking the zonecfg seems like a good place to store
> them because when I want to "move" a zone from one machine to another,
> I would prefer the firewall came along with the zone.
>
> We have discussed using vnic interfaces (crossbow?), but I don't
> believe that's integrated yet? Besides, we don't really trust the
> application administrator (zone administrator) with the firewall, so
> we'd like to keep its configuration in the global zone, which I assume
> would still work even with VNICs.
>
> QUESTION: If we put the firewall (ipf.conf) inside the zone and use a
> private IP instance, can they put a "pass out quick on vnic0 keep
> state" and have the ability to connect to any other zone on the
> same machine? I know that rule in the global zone makes it that way,
> but maybe IP stack instances fix that?
Crossbow is not a feature in S10. You mentioned the use of S10U4 above. In that context, the simple answer to your question is "no, because VNICs don't exist."

--JeffV

_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
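One way to implement what Tommy proposes above (per-zone ipfilter rules that live in the zone's configuration and are loaded from the global zone, not from inside the zone) is to store each rule as a zonecfg `attr` resource and feed them to `ipf -f -` when the zone is booted. This is an added example, not code from the thread or from Solaris; `zonecfg ... info attr` and `ipf -f -` are real commands, but the `ipf_` attribute naming convention, the `extract_rules`/`load_zone_rules` helpers, the zone name `web01` and the sample `zonecfg` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Rules are kept in the zone's own
# zonecfg as attr resources so they move with the zone; only the global
# zone can edit zonecfg, so the zone administrator cannot change them.
#
# Storing a rule (run once per rule, in the global zone; assumed convention:
# attr names start with "ipf_" and sort in the order the rules should apply):
#   zonecfg -z web01 'add attr; set name=ipf_10; set type=string; \
#       set value="pass out quick on e1000g0 keep state"; end'

# extract_rules: read `zonecfg -z ZONE info attr` output on stdin and print
# the rule text of every attr whose name starts with ipf_, in name order.
extract_rules() {
    awk -F': ' '
        /^[ \t]*name:/ { name = $2 }
        /^[ \t]*value:/ && name ~ /^ipf_/ {
            rule = $0
            sub(/^[ \t]*value: /, "", rule)
            gsub(/^"|"$/, "", rule)      # zonecfg may print string values quoted
            print name "\t" rule
        }' | sort | cut -f2-
}

# load_zone_rules ZONE: pull the rules out of zonecfg and hand them to
# ipfilter in the global zone (ipf -f - reads rules from stdin).
load_zone_rules() {
    zonecfg -z "$1" info attr | extract_rules | ipf -f -
}

# Sample `zonecfg -z web01 info attr` output, constructed for this example.
# Note the rules are deliberately stored out of order and one attr is not a rule.
SAMPLE='attr:
	name: ipf_20
	type: string
	value: "block in quick on e1000g0 from any to 10.0.0.0/8"
attr:
	name: ipf_10
	type: string
	value: "pass out quick on e1000g0 keep state"
attr:
	name: comment
	type: string
	value: "front-end web zone"'

# Dry run against the sample (no zonecfg or ipf needed):
#   printf '%s\n' "$SAMPLE" | extract_rules
```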