Zones: Different subnets securely

Guys (repost from the wrong forum),

with Solaris 10 and Zones, is it possible to lock a zone to a particular physical network interface? Is it possible that only that zone (and not the root zone) has access to that particular interface?

I'm wondering about the suitability of Solaris 10 on a v210/v240 class system that has 4 ethernet ports, and how from a security perspective it might be possible to safely attach this system to different subnets, some maybe on the DMZ, doing web service things like apache and sendmail and whatnot.

Thoughts?

-jason

By heavyj at 2007-11-26 0:45:29
# 1

It is possible to do this, for example if you want to dedicate bge1 to a zone:

a) don't configure a global zone address on bge1, leave it configured as 0.0.0.0

b) set ip_strict_dst_multihoming to 1 using ndd(1M)

c) if you want to prevent zones from talking to each other, you may need to add special routes; see http://docs.sun.com/app/docs/doc/817-1592/6mhahuos1?a=view for more details.

Feel free to follow up on the Zones forum: http://forum.sun.com/forum.jspa?forumID=226

Blaise

blaises at 2007-7-5 19:40:53
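To put steps a) and b) of the reply above into something you can keep in a file, here is an added example (my own, not Blaise's or Sun's) of a Bourne-shell script that emits the zonecfg command file for a shared-IP zone with its own NIC, prints the global-zone commands the reply asks for, and then checks the two conditions a practitioner would want to verify afterwards: that the global zone has no address on the dedicated interface, and that ip_strict_dst_multihoming reads 1. The zone name `dmzweb`, the interface `bge1`, the address `192.0.2.50/24` and the sample `ifconfig -a` text are all constructed placeholders. Nothing in the script changes a live system; it only prints the commands, so it can be run on any POSIX shell to see what would be applied.

```shell
#!/bin/sh
# Added example, not from the forum thread. Zone name, interface and
# addresses are constructed placeholders; adjust before use on a real box.

# Emit a zonecfg(1M) command file that hands one physical interface to a
# shared-IP zone. The global zone still owns the NIC in this model, which
# is why the reply insists the global zone leaves it at 0.0.0.0.
zone_net_config() {
    zone=$1; iface=$2; addr=$3
    cat <<EOF
create
set zonepath=/zones/$zone
set autoboot=true
add net
set physical=$iface
set address=$addr
end
verify
commit
EOF
}

# Global-zone commands matching steps a) and b) of the reply. An empty
# /etc/hostname.<iface> file plumbs the NIC at boot with no address
# (assumption based on Solaris 10 behaviour); ndd settings are not kept
# across reboots, so the ndd line also belongs in an rc script.
global_zone_hardening() {
    iface=$1
    printf '%s\n' \
        "touch /etc/hostname.$iface" \
        "ifconfig $iface plumb" \
        "ndd -set /dev/ip ip_strict_dst_multihoming 1"
}

# Check 1: the global zone carries no address on the dedicated NIC.
# Args: interface name, text of 'ifconfig -a'. Succeeds (exit 0) only if
# the interface's own inet line shows 0.0.0.0.
iface_unaddressed() {
    iface=$1; ifconfig_out=$2
    printf '%s\n' "$ifconfig_out" | awk -v ifc="$iface" '
        $1 == ifc ":"            { inif = 1; next }
        inif && $1 == "inet"     { found = 1; ok = ($2 == "0.0.0.0"); exit }
        /^[a-z]/                 { inif = 0 }
        END                      { exit !(found && ok) }'
}

# Check 2: strict destination multihoming is enabled.
# Arg: the value printed by 'ndd /dev/ip ip_strict_dst_multihoming'.
strict_multihoming_on() {
    [ "$1" = "1" ]
}

# Constructed sample of 'ifconfig -a' on the global zone after step a):
# bge0 is the management address, bge1 is plumbed but unaddressed.
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
bge1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 0.0.0.0 netmask 0'

# Demonstration: print what would be applied, then run the two checks
# against the constructed sample data.
echo "# zonecfg -z dmzweb -f <this file>"
zone_net_config dmzweb bge1 192.0.2.50/24
echo "# global zone:"
global_zone_hardening bge1
if iface_unaddressed bge1 "$SAMPLE_IFCONFIG"; then
    echo "ok: bge1 has no global-zone address"
else
    echo "FAIL: bge1 is addressed in the global zone"
fi
if strict_multihoming_on 1; then
    echo "ok: ip_strict_dst_multihoming=1"
fi
```

On a real system the checks would take their input from `ifconfig -a` and `ndd /dev/ip ip_strict_dst_multihoming` instead of the sample string; the emitted zonecfg file is applied with `zonecfg -z dmzweb -f file`. Note this only covers the reply's steps a) and b); step c), the inter-zone routing restriction, still needs the routes described in the linked document.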