We're doing a similar thing, with many zones, each on its own vnic.  After a 
lot of late-night experimentation, we've got a first model working.  All zones 
are in a subnet different to our 'normal' internal machines... 

Our first experiment has been to add additional granularity of control by using 
Crossbow - excellent! - and features of IPFilter - to direct only specific 
ports to specific zones.  We found we had to kill the nwam service, using 
network/physical only.

We're then using NAT redirection to get traffic on specific ports into our 
'ZoneWorld', where subnet '50' is the subnet in which the ZoneMachine lives, 
and all zones are in subnet '0'.  All are exclusive-ip zones.  In our config 
below, rge0 is the physical interface; address ...50.100 is the 
externally-facing address; the only 'way out' for all the zones.

Following is a snippet of a working /etc/ipf/ipnat.conf file, sending all web 
traffic to a discrete zone:

rdr     rge0       port 80         ->   
port 80
rdr     rge0       port 443        ->   
port 443

A lot of good notes on these forums, and elsewhere - thanks, all! - but with 
varying levels of 'version accuracy'.  Your mileage may vary.

We found the Crossbow Community Group Testing Server recipe most helpful:
# http://hub.opensolaris.org/bin/view/Community+Group+testing/crossbow

(differing from this recipe, though, we have not needed to populate 
/etc/defaultrouter in each zone).

Have fun!     Lou
This message posted from opensolaris.org
zones-discuss mailing list

Reply via email to