IP filter between shared IP zones on a system – Sun Microsystems SOLARIS 10 User Manual
Page 89
Version 3.1-en
Solaris 10 Container Guide - 3.1 5. Cookbooks
Effective: 30/11/2009
5.2.4. Change network configuration from shared IP instance to exclusive IP instance
[dd] Up to Solaris 10 11/06, configured zones run with shared IP instances. With the introduction
of Solaris 10 8/07, it is possible to run zones with their own IP stack. Such a zone needs a different
configuration: ip-type is set to exclusive, and the zone needs a physical interface or a tagged
VLAN interface assigned to it. In this example, a VLAN with VLAN ID 1 on interface bge0 (which
appears as interface bge1000) is assigned to the zone. The device entry is created automatically by
the global zone when the zone is started up. The IP address is assigned to the interface by the
zone itself.
global# zonecfg -z zone1
zonecfg:zone1> info net
net:
address: 192.168.2.1/24
physical: bge0
zonecfg:zone1> info ip-type
ip-type: shared
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> verify
net: address cannot be specified for an exclusive IP type
zone1: Invalid argument
zonecfg:zone1> remove net physical=bge0
zonecfg:zone1> add net
zonecfg:zone1:net> set physical=bge1000
zonecfg:zone1:net> end
zonecfg:zone1> info net
net:
address not specified
physical: bge1000
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit
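The conversion shown above, as an added shell example that is not part of the Container Guide: it computes the Solaris VLAN interface name from driver, instance and VLAN ID (the interface number is VLAN ID * 1000 + instance, which is why VLAN 1 on bge0 is bge1000) and writes the zonecfg steps as a non-interactive command file that can be applied with zonecfg -z zone1 -f. The zone name zone1, the driver bge and the output file are taken from or assumed for this example; the commands are ordered so that the shared-IP net resource, which carries an address, is removed before ip-type changes, so verify does not fail as it did in the interactive session.

```sh
#!/bin/sh
# Added example, not part of the Container Guide. Builds a zonecfg command
# file that switches a zone from shared to exclusive IP on a tagged VLAN.

# Solaris VLAN interface naming: <driver><vlan_id * 1000 + instance>.
# vlan_ifname bge 0 1  ->  bge1000   (VLAN 1 on bge0, as in the guide)
vlan_ifname() {
    drv="$1"; inst="$2"; vid="$3"
    printf '%s%d\n' "$drv" $(( $vid * 1000 + $inst ))
}

# Emit the zonecfg commands in the order that passes 'verify': the shared-IP
# net resource (which carries an address) is removed before ip-type changes.
# Arguments: old physical interface, new (VLAN) interface.
exclusive_ip_cmds() {
    old_if="$1"; new_if="$2"
    printf 'remove net physical=%s\n' "$old_if"
    printf 'set ip-type=exclusive\n'
    printf 'add net\n'
    printf 'set physical=%s\n' "$new_if"
    printf 'end\n'
    printf 'verify\n'
    printf 'commit\n'
}

# Demo with the guide's values: zone1, bge0 -> VLAN 1 on bge0 (bge1000).
# Save the output to a file (assumed path /tmp/zone1-exclusive.cmd) and
# apply it in the global zone with:  zonecfg -z zone1 -f /tmp/zone1-exclusive.cmd
# The VLAN device entry is created when the zone is next booted.
newif=$(vlan_ifname bge 0 1)
echo "# zonecfg command file for zone1 (new interface: $newif)"
exclusive_ip_cmds bge0 "$newif"
```

The address is deliberately left out of the new net resource: as the interactive session shows, zonecfg rejects an address on a net resource once ip-type is exclusive, because the zone configures its own address from inside.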
5.2.5. IP filter between shared IP zones on a system
[dd] IP Filter can be used to filter network packets between shared IP zones. To do so, IP Filter is
configured and started in the global zone, and it then filters the data traffic between the zones
according to the rules.
It should be noted that data traffic between shared IP zones does not leave the TCP/IP stack of the
system. For this traffic to be seen by IP Filter as well, the line
set intercept_loopback true; must be present in the IP Filter configuration; without it, rules
between shared IP zones are never matched.
The following example blocks the entire data traffic between two zones (zone keetonga:
192.168.1.210; zone haitoda: 192.168.1.200).
global# cd /etc/ipf
global# more ipf.conf
set intercept_loopback true;
block in from 192.168.1.210/32 to 192.168.1.200/32
block out from 192.168.1.210/32 to 192.168.1.200/32
block in from 192.168.1.200/32 to 192.168.1.210/32
block out from 192.168.1.200/32 to 192.168.1.210/32
global# svcadm enable ipfilter
The following example shows how ssh connections from zone keetonga to zone haitoda are filtered
after an existing IP Filter configuration has been changed and reloaded.
global# more ipf.conf
set intercept_loopback true;
block in proto tcp from 192.168.1.210/32 to 192.168.1.200/32 port = ssh
global# ipf -F a -f /etc/ipf/ipf.conf
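The two configurations in this section, as an added shell example that is not part of the Container Guide: it generates the four-rule block set between two shared IP zones and the single-service ssh rule, and checks an ipf.conf for the set intercept_loopback true; line before it is reloaded, since a configuration without that line is accepted by ipf but never matches zone-to-zone traffic. The zone addresses are the guide's (keetonga 192.168.1.210, haitoda 192.168.1.200); the temporary file path is an assumption.

```sh
#!/bin/sh
# Added example, not part of the Container Guide: generate ipf rules between
# two shared-IP zones and check a configuration for the intercept_loopback
# setting those rules depend on.

# Four rules blocking all traffic in both directions between two zone addresses.
block_between() {
    a="$1"; b="$2"
    printf 'block in from %s/32 to %s/32\n' "$a" "$b"
    printf 'block out from %s/32 to %s/32\n' "$a" "$b"
    printf 'block in from %s/32 to %s/32\n' "$b" "$a"
    printf 'block out from %s/32 to %s/32\n' "$b" "$a"
}

# One-directional rule for a single TCP service, as in the guide's ssh example.
# Arguments: source address, destination address, port number or service name.
block_tcp_port() {
    printf 'block in proto tcp from %s/32 to %s/32 port = %s\n' "$1" "$2" "$3"
}

# Read an ipf.conf on stdin; return 0 if intercept_loopback is set to true
# (comments stripped first), 1 otherwise. Without it, traffic between
# shared-IP zones never leaves the local stack and bypasses every rule above.
has_intercept_loopback() {
    sed 's/#.*//' | grep -Eq '^[[:space:]]*set[[:space:]]+intercept_loopback[[:space:]]+true[[:space:]]*;'
}

# Complete configuration for two zones: the loopback setting, then the rules.
make_ipf_conf() {
    echo 'set intercept_loopback true;'
    block_between "$1" "$2"
}

# Check a configuration file before reloading it in the global zone with
# the guide's command:  ipf -F a -f /etc/ipf/ipf.conf
check_and_show() {
    conf="$1"
    if has_intercept_loopback < "$conf"; then
        echo "OK: $conf intercepts loopback traffic; zone-to-zone rules will apply"
        return 0
    fi
    echo "WARNING: $conf lacks 'set intercept_loopback true;'; zone-to-zone rules will not match" >&2
    return 1
}

# Demo: write the guide's two-zone configuration to a temporary file
# (constructed here, not a system file) and check it.
tmp=$(mktemp) || exit 1
make_ipf_conf 192.168.1.210 192.168.1.200 > "$tmp"
cat "$tmp"
check_and_show "$tmp"
rm -f "$tmp"
```

The check only covers the one setting the section singles out; it does not parse the rest of the rule syntax, so a full configuration should still be tested with ipf itself before it is loaded.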