Steffen Weiberle wrote:

That helps. So you are trying to do the following?:

   cable modem
      nic1 (, vnic1 (, vnic2 (,
    |                  vnic3 (
---bastion host----------
host1 host2 host3 host(n)
(all on

where dns, mail, and webserver would be using vnic[123]?

yes, exactly what I was thinking. My research indicates that moving each service into its own zone could enhance overall system security.

If so, I take it their default router is


Getting to/from them from may be tricky, as they are really only outbound facing, and I doubt your firewall knows to send things back to if the destination is

I'm not sure if I understand what you mean by this...

Because each zone only knows about it's own subnet it may not be able to find the other subnet???

I gotta think about this is this is what you are really doing--not sure that using zones vs. discrete systems on the subnet would really behave differently (the nice thing about exclusive IP instances is that it really is very close to separate hardware at that level).

I would rather not have to add separate systems but instead spend the money on a duplicate system and another Internet feed. I could then set up some kind of fail over or load balancing system.

Shared IP Instances might introduce other routing issues, but they may not apply here.


Your comments are much appreciated

 Robert W Hartzell
bear at
zones-discuss mailing list

Reply via email to