Instead of snooping the traffic, why not do it through DTrace? That
should meet your security requirements nicely.


On Tue, Dec 16, 2008 at 11:59 AM, Christine Tran wrote:
> Hi,
> I am putting 2 applications that talk to each other on two non-global
> zones of type exclusive-ip.  I do this for one reason only, that is to
> be able to observe traffic between the two applications for
> troubleshooting if and when things go wrong.  Unfortunately, this will
> run afoul of security guidelines, which say one should not be able to
> observe anything from the outside.  Encryption is just not in the
> picture right now.  I'm trying to think of a way to make traffic
> observable from the global zone only, and obscured to everyone else
> outside the box.  I thought of not cabling the interfaces and turning
> off ip_restrict_interzone_loopback, but that just backs me right into
> the corner of not being able to snoop anything on the lo0 channel. I
> don't have anything here that I can use, do I?  Just making sure.
> CT
> _______________________________________________
> zones-discuss mailing list