Re: Networking, Zones, & Firewall Question w/ Solaris 10+



*Assume:*
- Solaris 10 or OpenSolaris
- Three physical network adapters (bge0, e1000g0, & e1000g1)

Sure the router works fine, but that is not the point of this exercise. The
ultimate goal is to learn more about networking and Solaris while securely
setting up Solaris for internet/LAN connectivity on one box.

Then I'd suggest leaving the router as it is and start by becoming more
familiar with Solaris. If you wish security then the first thing to accomplish
is becoming more familiar with the OS.

Is it possible to set up Solaris so that one zone is created and dedicated to
the WAN (bge0) and that all outgoing traffic from global zone LAN NICs
(e1000g0 & e1000g1) routes to the ISP through the WAN zone?

That, and it's not feasible either. I suggest you check the Sun website and perhaps
the opensolaris website on the topic of zones. It's a virtual machine, but one
running on the same kernel and limited in some ways, like control over the
routing table.

Am I totally missing something by even suggesting this setup?

Yes, some basic understanding of zones.

First ask yourself why you'd want zones. Just because you can might not give
you the results you want. IMO a better approach would be using a zone to run
specific network services which are exposed to the Internet so that in a case
of an attack or worse you can limit the damage.

Does a much better/simpler method exist, given the background goals, that
I've overlooked?

Too many to even begin mentioning them all.

First keep on using the router until you're more familiar with Solaris.
Personally I'd dump stuff on the global zone first, then see what might be
suitable to run in a zone.

Oh, and I absolutely wouldn't try and use opensolaris ('Solaris Express') for a
gateway/firewall. Even though it's not that unstable, it's still but a snapshot of
the upcoming release, one which doesn't get any security updates (unless
of course you get a support contract from Sun).

So stick to the plain 1/6 release.

--
Groetjes, Peter

..\\ PGP/GPG key: http://www.catslair.org/pubkey.asc
.
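As an added illustration of the containment approach Peter describes (a non-global zone that hosts only the Internet-exposed service, so a compromise of that service is confined to the zone), here is a zonecfg(1M) command script wrapped in a small sh script. This is example code written for this page, not Peter's or Sun's; the zone name `webzone`, the zonepath `/zones/webzone`, the shared-IP address `192.0.2.10` and the choice of `bge0` as the zone's interface are constructed assumptions. It uses the default shared-IP zone type, which exists on every Solaris 10 release; on Solaris 10 8/07 or later `set ip-type=exclusive` would give the zone its own IP stack on that NIC instead.

```shell
#!/bin/sh
# Added example: confine an Internet-exposed service to its own Solaris 10 zone.
# Assumed values (not from the thread): zone "webzone", zonepath /zones/webzone,
# address 192.0.2.10/24 (documentation range, constructed), NIC bge0 from the
# thread's adapter list. Run as root on the global zone.

ZONE=webzone
ZONEPATH=/zones/webzone
ZONE_NIC=bge0
ZONE_ADDR=192.0.2.10/24   # constructed placeholder, replace with a real address

# Emit the zonecfg(1M) command script. Kept in a function so the result can be
# inspected (or tested) before anything is handed to zonecfg.
zonecfg_script() {
    cat <<EOF
create -b
set zonepath=$ZONEPATH
set autoboot=true
add net
set physical=$ZONE_NIC
set address=$ZONE_ADDR
end
verify
commit
EOF
}

# Only touch the system when zonecfg is actually present and we are root;
# otherwise just show what would be configured.
if [ "$(id -u)" -eq 0 ] && command -v zonecfg >/dev/null 2>&1; then
    tmp=$(mktemp /tmp/zonecfg.XXXXXX) || exit 1
    zonecfg_script > "$tmp"
    zonecfg -z "$ZONE" -f "$tmp"          # create the zone configuration
    rm -f "$tmp"
    zoneadm -z "$ZONE" install            # populate the zonepath
    zoneadm -z "$ZONE" boot               # bring the zone up
    # After boot: zlogin -C webzone, then install only the exposed service there.
else
    echo "zonecfg not available here; the command script would be:" >&2
    zonecfg_script
fi
```

`create -b` starts from a blank configuration (no inherited package directories), so the zone's filesystem is entirely its own; the service inside it sees only its own address on `bge0` and cannot alter the global zone's routing table, which is exactly the limitation Peter points out and, for this use, the property you want.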