Steffen Weiberle wrote:


That helps. So you are trying to do the following?:

   cable modem
    |
    |
   firewall(10.0.0.1)
    |
    |
      nic1 (10.0.0.2), vnic1 (10.0.0.3), vnic2 (10.0.0.4),
    |                  vnic3 (10.0.0.5)
---bastion host----------
      nic2(192.168.0.100)
    |
    |
     switch
    |
    |
host1 host2 host3 host(n)
(all on 192.168.0.0/24)

where dns, mail, and webserver would be using vnic[123]?

Yes, exactly what I was thinking. My research indicates that moving each service into its own zone could enhance overall system security.

If so, I take it their default router is 10.0.0.1.

Correct.

Getting to/from them from 192.168.0.0/24 may be tricky, as they are really only outbound facing, and I doubt your firewall knows to send things back to 10.0.0.2 if the destination is 192.168.0.0.

I'm not sure if I understand what you mean by this...

Because each zone only knows about its own subnet it may not be able to find the other subnet???

I gotta think about this if this is what you are really doing--not sure that using zones vs. discrete systems on the 10.0.0.0 subnet would really behave differently (the nice thing about exclusive IP instances is that it really is very close to separate hardware at that level).

I would rather not have to add separate systems but instead spend the money on a duplicate system and another Internet feed. I could then set up some kind of fail over or load balancing system.

Shared IP Instances might introduce other routing issues, but they may not apply here.

Steffen

Your comments are much appreciated.

--
 Robert W Hartzell
bear at rwhartzell.net
  RwHartzell.Net
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
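The asymmetric-routing problem Steffen raises (a zone's replies go to its default router 10.0.0.1, which has no reason to send 192.168.0.0/24 traffic back to 10.0.0.2), traced hop by hop as an added example. This is not code from the thread or from OpenSolaris; the per-node routing tables, the host1 address 192.168.0.10, the zone name `dns-zone` and the `INTERNET` sentinel are constructed assumptions that follow the diagram above. The two fixes it compares are the two obvious static routes: one inside the zone pointing 192.168.0.0/24 at the bastion's 10.0.0.2, or the same route on the firewall.

```python
"""Trace a packet through the bastion/zone layout with longest-prefix-match forwarding."""
import ipaddress

# Constructed topology following the thread's diagram (assumed addresses).
ADDRS = {
    "firewall": ["10.0.0.1"],
    "bastion":  ["10.0.0.2", "192.168.0.100"],  # nic1 + nic2 in the global zone
    "dns-zone": ["10.0.0.3"],                   # vnic1, exclusive-IP zone
    "host1":    ["192.168.0.10"],               # assumed LAN host
}

# prefix -> next hop; None means directly connected.  The firewall table is an
# assumption: a consumer firewall knows only its LAN and a default route out.
ROUTES = {
    "firewall": {"10.0.0.0/24": None, "0.0.0.0/0": "INTERNET"},
    "bastion":  {"10.0.0.0/24": None, "192.168.0.0/24": None, "0.0.0.0/0": "10.0.0.1"},
    "dns-zone": {"10.0.0.0/24": None, "0.0.0.0/0": "10.0.0.1"},
    "host1":    {"192.168.0.0/24": None, "0.0.0.0/0": "192.168.0.100"},
}


def lookup(table, dst):
    """Longest-prefix match: returns (network, next_hop) or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def owner(ip):
    """Node that holds the given address, or None."""
    for node, addrs in ADDRS.items():
        if ip in addrs:
            return node
    return None


def trace(src, dst, routes=ROUTES, max_hops=8):
    """Follow a packet from node `src` to address `dst`.  Returns the nodes
    visited, ending in DELIVERED, INTERNET (left via the cable modem) or NO-ROUTE."""
    path, node = [src], src
    for _ in range(max_hops):
        hit = lookup(routes[node], dst)
        if hit is None:
            return path + ["NO-ROUTE"]
        _, next_hop = hit
        if next_hop is None:                     # directly connected subnet
            target = owner(dst)
            return path + [target, "DELIVERED"] if target else path + ["NO-ROUTE"]
        if next_hop == "INTERNET":               # firewall's default: gone upstream
            return path + ["INTERNET"]
        node = owner(next_hop)
        if node is None:
            return path + ["NO-ROUTE"]
        path.append(node)
    return path + ["LOOP"]


def with_static_route(routes, node, prefix, next_hop):
    """Copy of the tables with one extra static route on `node`
    (what a `route add <prefix> <next_hop>` on that node would do)."""
    fixed = {n: dict(t) for n, t in routes.items()}
    fixed[node][prefix] = next_hop
    return fixed


if __name__ == "__main__":
    print("LAN -> zone :", trace("host1", "10.0.0.3"))
    print("zone reply  :", trace("dns-zone", "192.168.0.10"))
    in_zone = with_static_route(ROUTES, "dns-zone", "192.168.0.0/24", "10.0.0.2")
    print("zone route  :", trace("dns-zone", "192.168.0.10", in_zone))
    on_fw = with_static_route(ROUTES, "firewall", "192.168.0.0/24", "10.0.0.2")
    print("fw route    :", trace("dns-zone", "192.168.0.10", on_fw))
```

The forward direction works (host1's default is the bastion, which is directly on 10.0.0.0/24), but the reply leaves the zone toward 10.0.0.1 and exits to the Internet, so the connection never completes. Either static route makes the bastion forward between nic1 and nic2; that forwarding path is exactly what a packet filter on the bastion should police, since it is the only way the LAN and the exposed zones talk to each other.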
