Instead of snooping the traffic, why not do it through DTrace? That should meet your security requirements nicely.
fpsm

On Tue, Dec 16, 2008 at 11:59 AM, Christine Tran <christine.t...@gmail.com> wrote:
> Hi,
>
> I am putting 2 applications that talk to each other on two non-global
> zones of type exclusive-ip. I do this for one reason only, that is to
> be able to observe traffic between the two applications for
> troubleshooting if and when things go wrong. Unfortunately, this will
> run afoul of security guidelines, which say one should not be able to
> observe anything from the outside. Encryption is just not in the
> picture right now. I'm trying to think of a way to make traffic
> observable from the global zone only, and obscured to everyone else
> outside the box. I thought of not cabling the interfaces and turning
> off ip_restrict_interzone_loopback, but that just backs me right into
> the corner of not being able to snoop anything on the lo0 channel. I
> don't have anything here that I can use, do I? Just making sure.
>
> CT
> _______________________________________________
> zones-discuss mailing list
> firstname.lastname@example.org