Assuming you're using the shared IP stack (default), it is sufficient
for the global zone interface(s) to be plumbed so that the non-global
zones can use logical instances of the interface(s). So setting the GZ
interfaces as "down" will prevent network access to/from the global zone.
--Glenn
Jordan Vaughan wrote:
Is there a way to disable all remote connections to the GZ? In other
words, couldn't you use a firewall to reject connections on all ports
to the GZ? That would effectively deny remote access to the GZ
without having to disable any network interfaces.
Of course, disabling the GZ's interface(s) is preferable (it's
simpler), but I'm not sure if it's possible. I haven't tried it.
Jordan
On 09/29/10 10:33 AM, Orvar Korvar wrote:
OK, so it is impossible to shut down the Internet connection to the global
zone and surf only from the local zones. If I want to surf from the
local zones, the global zone's NIC must be activated. I suspect a
hacker will attack the global zone, instead of the local zone that I
surf from.
Are there any other ways to increase security instead of my original
plan (shutting down the global zone and surfing from local zones)? I am
afraid the global zone will be attacked...
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
--
ORACLE ®
Glenn Faden | Senior Principal Software Engineer
Phone: +1 650 786 4003 | Mobile: +1 415 637 8181
Oracle Solaris Security, Solaris Core OS Technology Engineering