This is a discussion on SUMMARY: Solaris 10 and ipfilter within the IPFilter forums, part of the System Security and Security Related category.
I have come up with a workaround that I thought I would share.

The following ifconfig options will configure an interface on the Global zone without allowing traffic to the global zone and allow ipfilter to work on the local zones. This is the best option I could come up with.

Bring up the interface with nolocal and noxmit options on the global zone:

    ifconfig ce1 plumb
    ifconfig ce1 -local -xmit up

This produces the following:

    ce1: flags=201030843<UP,BROADCAST,RUNNING,MULTICAST,NOXMIT,NOLOCAL,IPv4,CoS> mtu 1500 index 3
            inet subnet 0.0.0.0/8 netmask ff000000

Yet the interface for the local zone is configured correctly. Now ipfilter will work on this interface.

Hope is that this will help someone else before a true fix is found.

Thanks
<mike>

-----Original Message-----
From: owner-ipfilter@coombs.anu.edu.au [mailto:owner-ipfilter@coombs.anu.edu.au] On Behalf Of Mike Demarco
Sent: Monday, July 25, 2005 7:43 AM
To: Chris Ross; Darren Reed
Cc: sunmanagers@sunmanagers.org; ipfilter@coombs.anu.edu.au
Subject: RE: Solaris 10 and ipfilter

Yes Chris, exactly. The interface that is plumbed but not assigned an address on the global zone will not give an error from IPfilter but will not filter the traffic for the zones that have addresses configured on them. I am not looking to filter traffic between zones, just to use the global zone configuration of IPfilter to filter traffic on the local zones.

-----Original Message-----
From: Chris Ross [mailto:cross+ipfilter@distal.com]
Sent: Friday, July 22, 2005 5:50 PM
To: Darren Reed
Cc: Mike Demarco; sunmanagers@sunmanagers.org; ipfilter@coombs.anu.edu.au
Subject: Re: Solaris 10 and ipfilter

Darren Reed wrote:
> See:
> http://blogs.sun.com/roller/page/ava...er_between_zones_for

I think you're looking at a different aspect of the problem than Mike was, Darren. Correct me if I'm wrong, Mike, but I think he just wants the ability to protect the zones (via their wholly owned interfaces, that are configured in the zone level, not globally) from the outside world. I don't think he was trying to protect them from each other. I read his message to mean that because ipf was coming up in the global zone, it wasn't able to understand/filter properly on the interfaces that were assigned no address in the global zone, but assigned an address in the "local" zones...

- Chris
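The script below is an added example and is not code from the thread or from the IPFilter project. It reproduces Mike's workaround (plumb the global-zone interface with -local -xmit) and adds the check a practitioner would want before trusting ipfilter rules on that interface: the ifconfig report must show UP together with both NOLOCAL and NOXMIT, and the global zone must hold no real address (inet 0.0.0.0), since Mike reports that a plainly plumbed, address-less interface gives no error but is silently not filtered. The interface name ce1 comes from the thread; the ipf.conf path, the IPF_CONF/IFACE variable names and the sample ifconfig outputs are assumptions or constructed for the example. Only the Solaris-specific functions call the real ifconfig and ipf; the check itself runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original thread. Reproduces Mike's workaround
# (plumb a global-zone interface with -local -xmit) and adds the check a
# practitioner would run before trusting ipfilter rules on it: the interface
# must be UP, carry both NOLOCAL and NOXMIT, and hold no real global-zone
# address. ce1 is from the thread; the rule-file path, the variable names
# and the sample outputs below are assumptions / constructed.

IFACE="${IFACE:-ce1}"
IPF_CONF="${IPF_CONF:-/etc/ipf/ipf.conf}"   # assumed location of the ipf rules

# The workaround itself. Solaris-only: runs the real ifconfig. Not run here.
plumb_noxmit_nolocal() {
    ifconfig "$1" plumb || return 1
    ifconfig "$1" -local -xmit up
}

# Read one 'ifconfig <if>' report on stdin. Succeed (0) only if the flag
# list contains UP, NOLOCAL and NOXMIT and the inet address is 0.0.0.0;
# otherwise print why to stderr and return 1.
check_global_iface() {
    report=$(cat)
    # Flag list between < and >; spaces are stripped so a line-wrapped
    # "NOX MIT" (as it appears in the mail archive) still parses as NOXMIT.
    flags=$(printf '%s\n' "$report" \
        | sed -n 's/.*flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p' | tr -d ' ')
    # Address token after "inet", skipping the "subnet" word that the
    # NOLOCAL form prints, and dropping any /prefix length.
    addr=$(printf '%s\n' "$report" \
        | awk '$1 == "inet" { a = $2; if (a == "subnet") a = $3; sub(/\/.*/, "", a); print a; exit }')
    for need in UP NOLOCAL NOXMIT; do
        case ",$flags," in
            *,"$need",*) ;;
            *) echo "check_global_iface: $need missing from <$flags>" >&2; return 1 ;;
        esac
    done
    if [ "$addr" != "0.0.0.0" ]; then
        echo "check_global_iface: global zone still owns address '$addr'" >&2
        return 1
    fi
    return 0
}

# Full procedure on a real Solaris 10 host: plumb, verify, then reload the
# ipf rules so they apply to the now-usable interface. Not run here.
apply_workaround() {
    plumb_noxmit_nolocal "$IFACE" || return 1
    ifconfig "$IFACE" | check_global_iface || return 1
    ipf -Fa -f "$IPF_CONF"
}

# Constructed samples: the first is the output quoted in the thread, the
# second is a plainly plumbed interface with no address (the case Mike
# reports ipfilter silently does not filter).
SAMPLE_OK='ce1: flags=201030843<UP,BROADCAST,RUNNING,MULTICAST,NOXMIT,NOLOCAL,IPv4,CoS> mtu 1500 index 3
        inet subnet 0.0.0.0/8 netmask ff000000'
SAMPLE_PLAIN='ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 0.0.0.0 netmask 0'

printf '%s\n' "$SAMPLE_OK" | check_global_iface && echo "$IFACE: ready for ipf rules"
printf '%s\n' "$SAMPLE_PLAIN" | check_global_iface || echo "$IFACE: NOT usable by ipf yet"
```

On a live host the whole sequence is `apply_workaround`; the piece worth keeping in a boot-time script is `ifconfig ce1 | check_global_iface`, which fails loudly on exactly the configuration the thread describes as failing silently (interface plumbed, no address, no NOLOCAL/NOXMIT).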