That helps. So you are trying to do the following?

   cable modem
      nic1 (, vnic1 (, vnic2 (,
    |                  vnic3 (
---bastion host----------
host1 host2 host3 host(n)
(all on

where dns, mail, and webserver would be using vnic[123]?

Yes, exactly what I was thinking. My research indicates that moving each service into its own zone could enhance overall system security.

If so, I take it their default router is


Getting to/from them from may be tricky, as they are really only outbound facing, and I doubt your firewall knows to send things back to if the destination is

I'm not sure if I understand what you mean by this...

I am not sure who is the consumer of your dns, mail, and web services. If only from the internet, or from the global zone, the above configuration should work.

If you want your 'clients' (host1, host2, etc.) to also access those services, I don't think the configuration will work, due to general routing (or lack of it).

Because each zone only knows about its own subnet it may not be able to find the other subnet???

Because the zones only have one default router, the firewall, and it knows only of routing/forwarding to the Internet. As I think about this, a static route to in exclusive IP Instance zones (not supported in shared IP Instances) may allow that.

zone-dns# route add 1

I gotta think about this if this is what you are really doing--not sure that using zones vs. discrete systems on the subnet would really behave differently (the nice thing about exclusive IP instances is that it really is very close to separate hardware at that level).

I would rather not have to add separate systems but instead spend the money on a duplicate system and another Internet feed. I could then set up some kind of fail over or load balancing system.

I was using that as a relative routing design only. I don't think separate systems will make a difference here, if they are single-homed as the zones are.


You have given me much to think about ;). I'm going to set up a test system this weekend and see what I can screw up... If I can find a reasonable solution for this I will ping the list and post a howto on my wiki.

Again, thanks for helping out.

