> Hi,
> I am putting 2 applications that talk to each other on two non-global
> zones of type exclusive-ip.  I do this for one reason only, that is to
> be able to observe traffic between the two applications for
> troubleshooting if and when things go wrong.  Unfortunately, this will
> run afoul of security guidelines, which says one should not be able to
> observe anything from the outside.  Encryption is just not in the
> picture right now.  I'm trying to think of a way to make traffic
> observable from the global zone only, and obscured to everyone else
> outside the box.  I thought of not cabling the interfaces and turning
> off ip_restrict_interzone_loopback, but that just backs me right into
> the corner of not being able to snoop anything on the lo0 channel. I
> don't have anything here that I can use, do I?  Just making sure.

Bad form here, to follow up my own post, but, how feasible would it be
to flap ip_restrict_interzone_loopback off and on, off for production
and on for diagnostic?  I'm reading comments lines 560 - 570 of

zones-discuss mailing list

Reply via email to