We're doing a similar thing, with many zones, each on its own vnic. After a
lot of late-night experimentation, we've got a first model working. All zones
are in a subnet different to our 'normal' internal machines...
Our first experiment has been to add additional granularity of control by using
Crossbow - excellent! - and features of IPFilter - to direct only specific
ports to specific zones. We found we had to kill the nwam service, using
We're then using NAT redirection to get traffic on specific ports into our
'ZoneWorld', where subnet '50' is the subnet in which the ZoneMachine lives,
and all zones are in subnet '0'. All are exclusive-ip zones. In our config
below, rge0 is the physical interface; address ...50.100 is the
externally-facing address; the only 'way out' for all the zones.
Following is a snippet of a working /etc/ipf/ipnat.conf file, sending all web
traffic to a discrete zone:
rdr rge0 192.168.50.100/32 port 80 -> 192.168.0.200
rdr rge0 192.168.50.100/32 port 443 -> 192.168.0.200
A lot of good notes on these forums, and elsewhere - thanks, all! - but with
varying levels of 'version accuracy'. Your mileage may vary.
We found the Crossbow Community Group Testing Server recipe most helpful:
(differing from this recipe, though, we have not needed to populate
/etc/defaultrouter in each zone).
Have fun! Lou
This message posted from opensolaris.org
zones-discuss mailing list
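An added example, not from the post above: a small audit of the `rdr` lines in an ipnat.conf like the one Lou shows, checking that each redirect enters through the single external address, lands inside the zone subnet, and that no interface/port pair is redirected twice. The sample configuration, the bad lines in it, and the subnet values are constructed for this example; the parser only understands the `rdr IF ADDR/MASK port N -> TARGET` form used in the post.

```python
import ipaddress
import re

# Constructed sample modelled on the two rules in the post, plus two
# deliberate mistakes (a duplicate port 80 rule and a target outside
# the zone subnet) for the audit to catch.
SAMPLE_IPNAT_CONF = """\
# web traffic to the web zone
rdr rge0 192.168.50.100/32 port 80 -> 192.168.0.200
rdr rge0 192.168.50.100/32 port 443 -> 192.168.0.200
# constructed mistakes
rdr rge0 192.168.50.100/32 port 80 -> 192.168.0.201
rdr rge0 192.168.50.100/32 port 22 -> 192.168.50.5
"""

# Only the simple rdr form from the post; 'proto' and target ports are not parsed.
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<port>\d+)\s*->\s*(?P<dst>\S+)"
)

def parse_rdr_rules(text):
    """Return one dict per rdr rule; comments and blank lines are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        m = RDR_RE.match(line) if line else None
        if m:
            rules.append({"line": lineno, "iface": m["iface"], "ext": m["ext"],
                          "port": int(m["port"]), "dst": m["dst"]})
    return rules

def audit_rdr_rules(text, external_addr, zone_subnet):
    """Flag rules whose external address is not the intended entry point,
    whose target is outside the zone subnet, or whose (iface, port) pair
    was already redirected by an earlier rule (ipnat uses the first match)."""
    subnet = ipaddress.ip_network(zone_subnet)
    findings, seen = [], {}
    for r in parse_rdr_rules(text):
        if ipaddress.ip_interface(r["ext"]).ip != ipaddress.ip_address(external_addr):
            findings.append((r["line"], "external address mismatch"))
        if ipaddress.ip_address(r["dst"]) not in subnet:
            findings.append((r["line"], "target outside zone subnet"))
        key = (r["iface"], r["port"])
        if key in seen:
            findings.append((r["line"], f"port {r['port']} already redirected at line {seen[key]}"))
        else:
            seen[key] = r["line"]
    return findings

if __name__ == "__main__":
    for line, problem in audit_rdr_rules(SAMPLE_IPNAT_CONF, "192.168.50.100", "192.168.0.0/24"):
        print(f"line {line}: {problem}")
```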