> Hi,
>
> I am putting 2 applications that talk to each other on two non-global
> zones of type exclusive-ip.  I do this for one reason only, that is to
> be able to observe traffic between the two applications for
> troubleshooting if and when things go wrong.  Unfortunately, this will
> run afoul of security guidelines, which say one should not be able to
> observe anything from the outside.  Encryption is just not in the
> picture right now.  I'm trying to think of a way to make traffic
> observable from the global zone only, and obscured to everyone else
> outside the box.  I thought of not cabling the interfaces and turning
> off ip_restrict_interzone_loopback, but that just backs me right into
> the corner of not being able to snoop anything on the lo0 channel. I
> don't have anything here that I can use, do I?  Just making sure.
>

Bad form here, to follow up my own post, but how feasible would it be
to flap ip_restrict_interzone_loopback off and on: off for production
and on for diagnostics?  I'm reading the comments at lines 560 - 570 of
http://cvs.opensolaris.org/source/xref/netvirt/usr/src/uts/common/inet/ip/ip.c

CT
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org