Solaris 10 Container Guide - Version 3.1-en - 5. Cookbooks

Effective: 30/11/2009

5.2.4. Change network configuration from shared IP instance to exclusive IP instance

Up to Solaris 10 11/06, configured zones run with shared IP instances. With the introduction of Solaris 10 8/07, a zone can run with its own IP stack. Such a zone needs a different configuration, in which ip-type is set to exclusive and a physical interface or a tagged VLAN interface is assigned to the zone. In this example, a VLAN with VLAN-ID 1 on interface bge0 is assigned to the zone. The device entry is created automatically by the global zone when the zone is started up. The IP address is assigned to the interface by the zone itself.

global# zonecfg -z zone1
zonecfg:zone1> info net
net:
        address: 192.168.2.1/24
        physical: bge0
zonecfg:zone1> info ip-type
ip-type: shared
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> verify
net: address cannot be specified for an exclusive IP type
zone1: Invalid argument
zonecfg:zone1> remove net physical=bge0
zonecfg:zone1> add net
zonecfg:zone1:net> set physical=bge1000
zonecfg:zone1:net> end
zonecfg:zone1> info net
net:
        address not specified
        physical: bge1000
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit

5.2.5. IP filter between shared IP zones on a system

IP filter can be used to filter network packets between shared IP zones. To do so, IP filter is configured and started in the global zone and filters the data traffic between the zones according to its rules.

It should be noted that data traffic between shared IP zones does not leave the TCP/IP stack of the system. For this data traffic also to be considered by the IP filter, the line

set intercept_loopback true;

must be set in the IP filter configuration.

The following example filters the entire data traffic between two zones (zone keetonga: 192.168.1.210; zone haitoda: 192.168.1.200).

global# cd /etc/ipf
global# more ipf.conf
set intercept_loopback true;
block in from 192.168.1.210/32 to 192.168.1.200/32
block out from 192.168.1.210/32 to 192.168.1.200/32
block in from 192.168.1.200/32 to 192.168.1.210/32
block out from 192.168.1.200/32 to 192.168.1.210/32
global# svcadm enable ipfilter

The following example shows how ssh connections from zone keetonga to zone haitoda are filtered after an existing IP filter configuration has been changed and reloaded.

global# more ipf.conf
set intercept_loopback true;
block in proto tcp from 192.168.1.210/32 to 192.168.1.200/32 port = ssh
global# ipf -F a -f /etc/ipf/ipf.conf
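Because a forgotten intercept_loopback line or a missing return-direction rule fails silently (the inter-zone traffic simply passes), a pre-load check of ipf.conf is useful in the global zone. The following shell script is an added example, not part of the Solaris 10 Container Guide; the function name check_ipf_conf and the three sample configurations are constructed for this illustration and mirror the keetonga/haitoda rule set above.

```shell
# Added example (not from the Solaris 10 Container Guide): sanity-check an
# ipf.conf in the global zone before enabling or reloading it. Without
# "set intercept_loopback true;" the rules never see traffic between shared
# IP zones, because that traffic never leaves the system's TCP/IP stack.
# Usage: check_ipf_conf FILE ZONE_A_IP ZONE_B_IP
# Returns 0 when interception is on and traffic is blocked "in" and "out" in
# both directions between the two zone addresses, 1 otherwise.
check_ipf_conf() {
    conf=$1; rc=0
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+intercept_loopback[[:space:]]+true[[:space:]]*;' "$conf"; then
        echo "$conf: missing 'set intercept_loopback true;' (inter-zone traffic not filtered)" >&2
        rc=1
    fi
    for pair in "$2 $3" "$3 $2"; do
        set -- $pair            # $1 = source zone, $2 = destination zone
        src=$(printf '%s' "$1" | sed 's/\./\\./g')   # match the dots literally
        dst=$(printf '%s' "$2" | sed 's/\./\\./g')
        for dir in in out; do
            if ! grep -Eq "^[[:space:]]*block[[:space:]]+$dir[[:space:]].*from[[:space:]]+$src(/32)?[[:space:]]+to[[:space:]]+$dst(/32)?([[:space:]]|$)" "$conf"; then
                echo "$conf: no 'block $dir' rule from $1 to $2" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample configurations (not real files from any system).
sample_dir=$(mktemp -d "${TMPDIR:-/tmp}/ipfcheck.XXXXXX")
cat > "$sample_dir/ipf_good.conf" <<'EOF'
set intercept_loopback true;
block in from 192.168.1.210/32 to 192.168.1.200/32
block out from 192.168.1.210/32 to 192.168.1.200/32
block in from 192.168.1.200/32 to 192.168.1.210/32
block out from 192.168.1.200/32 to 192.168.1.210/32
EOF
# Same rules, but the loopback interception line was forgotten.
sed '/intercept_loopback/d' "$sample_dir/ipf_good.conf" > "$sample_dir/ipf_nolo.conf"
# Interception on, but the haitoda -> keetonga direction is missing.
sed '/^block.*from 192\.168\.1\.200/d' "$sample_dir/ipf_good.conf" > "$sample_dir/ipf_oneway.conf"

for f in ipf_good.conf ipf_nolo.conf ipf_oneway.conf; do
    if check_ipf_conf "$sample_dir/$f" 192.168.1.210 192.168.1.200; then
        echo "$f: OK, safe to load with 'ipf -F a -f $sample_dir/$f'"
    else
        echo "$f: do NOT load, fix the configuration first"
    fi
done
```

Only the complete configuration passes; the other two report what is missing on stderr and return 1, so the check can gate a `svcadm enable ipfilter` or `ipf -F a -f` step in a script.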
