The UNIX and Linux Forums  

#1  06-10-2009, stdout
building solaris-based router-firewall project

Hi guys,

It's been a while since my last visit here; I could not keep up the pace in this ever-changing industry.

I'm just doing my home research under VMware to make a Solaris-based router-firewall using zones, doing a lot of reading about zones and reviewing Solaris zone functionality.

And now I'm a bit stuck interpreting ip-type=shared and ip-type=exclusive for the non-global zone. I mean, can't I just have that NIC belong to a non-global zone without it being plumbed in the global zone?

I'm sorry for this long question, but I'll make it short: has anyone done this before?

My scenario is:
a stripped-down SXCE using 3 NICs, so that it will be a 3-legged firewall:
global zone = LAN interface, NIC#1,
WAN, NIC#2,
DMZ, NIC#3.
And I'd also like to have some kind of tunnel interface between zones, so that traffic entering WAN from LAN doesn't have to go out through the NIC?

So, is there any possibility of doing this setup?

Any constructive input would be very much appreciated.

Thank you.

-----Post Update-----

Addition:

On my current setup, under the global zone, I have 3 NICs, and each one has a logical interface for a non-global zone, so:

lo0 127/8
lo0.1 WAN 127/8
lo0.2 DMZ 127/8
pcn0 global 192.168.10.1/24
pcn1.0 global 0/8
pcn1.1 WAN 10.0.0.1/24
pcn2.0 global 0/8
pcn2.1 DMZ 172.16.0.1/24

So all these interfaces are IP shared.

What I mean is: can I just have pcn1 belong to WAN and pcn2 to DMZ without using the global zone as host?

Thanks

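Letting pcn1 and pcn2 belong to the WAN and DMZ zones without the global zone plumbing them is exactly what ip-type=exclusive does. The script below is an added example, not code from the original post: it prints the zonecfg(1M) input for an exclusive-IP zone next to the shared-IP form the poster currently has, using the poster's zone names, NICs and addresses. The zonepath /zones/<zone>, autoboot=true and the in-zone /etc/hostname.<nic> file are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): zonecfg(1M) input for the
# 3-legged layout, comparing ip-type=exclusive with the shared-IP form.
# Zone names, NICs and addresses are the poster's; zonepath, autoboot and
# the in-zone hostname file are assumptions of this example.

# Exclusive-IP zone that owns one physical NIC outright. Note there is no
# "set address": the zone has its own IP instance and plumbs the NIC itself,
# so the global zone never configures pcnN or a pcnN:1 logical interface.
zonecfg_exclusive() {
    zone=$1 nic=$2
    printf 'create\n'
    printf 'set zonepath=/zones/%s\n' "$zone"
    printf 'set autoboot=true\n'
    printf 'set ip-type=exclusive\n'
    printf 'add net\n'
    printf 'set physical=%s\n' "$nic"
    printf 'end\n'
    printf 'commit\n'
}

# Shared-IP form (what the poster has now): the address is part of the zone
# configuration and the global zone plumbs pcnN:1 on the zone's behalf.
zonecfg_shared() {
    zone=$1 nic=$2 addr=$3
    printf 'create\n'
    printf 'set zonepath=/zones/%s\n' "$zone"
    printf 'set autoboot=true\n'
    printf 'set ip-type=shared\n'
    printf 'add net\n'
    printf 'set physical=%s\n' "$nic"
    printf 'set address=%s\n' "$addr"
    printf 'end\n'
    printf 'commit\n'
}

# In an exclusive-IP zone the address is configured from inside the zone,
# as on a standalone host: /etc/hostname.<nic> under the zone root holds the
# ifconfig arguments, here addr/prefixlen.
zone_hostname_file() {
    printf '%s\n' "$1"
}

# Emit the two non-global zones of the layout: WAN on pcn1, DMZ on pcn2.
# The global zone keeps pcn0 (LAN) as an ordinary interface of its own.
emit_layout() {
    for spec in "wan pcn1 10.0.0.1/24" "dmz pcn2 172.16.0.1/24"; do
        set -- $spec
        printf '### zonecfg -z %s -f %s.cfg, where %s.cfg contains:\n' "$1" "$1" "$1"
        zonecfg_exclusive "$1" "$2"
        printf '### /zones/%s/root/etc/hostname.%s (after zoneadm -z %s install):\n' "$1" "$2" "$1"
        zone_hostname_file "$3"
    done
}

emit_layout
```

Two caveats a practitioner will want before trying this on the b115 VMware guest. First, the documented prerequisite for ip-type=exclusive is a GLDv3 NIC driver (dladm show-link lists the data links); whether the VMware pcn driver qualifies on that build is not something this example can settle. Second, an exclusive-IP zone is a separate IP instance: the global zone does not forward for it, and IP Filter for that zone runs inside the zone. Putting WAN and DMZ in exclusive-IP zones therefore gives three independent hosts, not one router, unless the zones also get a link between them; on builds with Crossbow integrated (snv_105 and later) a VNIC from dladm create-vnic can stand in for the physical NIC in "set physical=". The single-stack shared-IP layout the poster already has is the one in which all three legs are routed and filtered in the global zone.
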
#2  06-21-2009, TonyFullerMalv (Forum Advisor; Malvern, Worcs. U.K.)
A firewall should really be installed on dedicated hardware, so I won't address the issues with zones (I have never tried what is being asked). Depending on the volume of traffic you are expecting and the complexity of your firewall rules, you do not need terribly up-to-date hardware, e.g. a workstation such as a Blade 150. Solaris 10 comes with IP Filter, so you don't have to buy any firewall software.

Take a look at:
Firewalling on Solaris 10 (Sonia Hamilton, sonia@snowfrog.net)
Basic iptables Configuration (spiralbound.net)
http://www.homepage.montana.edu/~uni...laris_ipf.html
http://docs.sun.com/app/docs/doc/816-4554/eupsq?a=view

HTH
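
Since IP Filter ships with Solaris 10 and SXCE, here is what a first rule set for the poster's three legs might look like. This is an added example, not code from the post or from any of the linked pages: it prints an ipf.conf for a default-deny 3-legged firewall on a single IP stack (the poster's shared-IP layout, in which the global zone owns pcn0, pcn1 and pcn2) and then runs a small policy check over the generated rules. The interface names and subnets are the poster's; the DMZ web host 172.16.0.10 and the services allowed are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): an IP Filter ipf.conf for the
# 3-legged layout of post #1 on a single IP stack (the poster's shared-IP
# setup, where the global zone owns all three NICs), plus a policy check over
# the generated rules. Interfaces and subnets are the poster's; the DMZ web
# host and the services allowed are assumptions of this example.

LAN_IF=pcn0 LAN_NET=192.168.10.0/24
WAN_IF=pcn1
DMZ_IF=pcn2 DMZ_NET=172.16.0.0/24
DMZ_WEB=172.16.0.10   # assumed DMZ web server

# Print a default-deny rule set. IP Filter evaluates rules top to bottom and
# the last match wins unless a rule says "quick", so the two catch-all blocks
# go first and every specific decision below them is "quick".
ipf_conf() {
    cat <<EOF
# Default deny, logged, in both directions.
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing on the WAN leg: inside or loopback sources never arrive here.
block in log quick on $WAN_IF from $LAN_NET to any
block in log quick on $WAN_IF from $DMZ_NET to any
block in log quick on $WAN_IF from 127.0.0.0/8 to any

# LAN may initiate anything; "keep state" lets the replies back in on
# whichever leg they return through, so no reverse rules are needed.
pass in quick on $LAN_IF proto tcp/udp from $LAN_NET to any keep state
pass in quick on $LAN_IF proto icmp from $LAN_NET to any keep state

# Internet may reach only the DMZ web service, and only with a fresh SYN.
pass in quick on $WAN_IF proto tcp from any to $DMZ_WEB port = 80 flags S keep state
pass in quick on $WAN_IF proto tcp from any to $DMZ_WEB port = 443 flags S keep state

# DMZ hosts must never initiate towards the LAN, but may reach the Internet.
block in log quick on $DMZ_IF from $DMZ_NET to $LAN_NET
pass in quick on $DMZ_IF proto tcp/udp from $DMZ_NET to any keep state

# Traffic the firewall itself originates.
pass out quick proto tcp/udp from any to any keep state
pass out quick proto icmp from any to any keep state
EOF
}

# Policy check, run before loading: every "pass in" on a real leg must keep
# state (so no pass relies on a matching reverse rule), and every inside
# network must be anti-spoofed on the WAN leg. Returns 0 when both hold.
lint_rules() {
    rules=$(ipf_conf)
    stateless=$(printf '%s\n' "$rules" |
        awk '/^pass in/ && !/ on lo0 / && !/keep state/ { n++ } END { print n + 0 }')
    [ "$stateless" -eq 0 ] || return 1
    for net in $LAN_NET $DMZ_NET; do
        printf '%s\n' "$rules" | grep -q "^block in .*on $WAN_IF from $net to any" || return 1
    done
    return 0
}

# Number of rules (non-comment, non-blank lines) in the generated file.
rule_count() {
    ipf_conf | grep -c '^[a-z]'
}

lint_rules && ipf_conf
```

On Solaris 10 the output goes into /etc/ipf/ipf.conf and is activated with svcadm enable network/ipfilter (ipf -Fa -f /etc/ipf/ipf.conf reloads it); Solaris 10 releases older than 8/07 still use the pfil STREAMS module and also need the three interfaces listed in /etc/ipf/pfil.ap. Two zone-related points matter for this thread: with shared-IP zones, IP Filter is configured in the global zone only, and traffic between zones on the same stack travels over loopback and is not filtered unless "set intercept_loopback true;" precedes the rules in ipf.conf; with exclusive-IP zones, each zone runs and configures its own IP Filter.
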
#3  06-21-2009, stdout
Hi Tony,

Thank you for the reply, btw.

OK, first of all, I would like to put this discussion forward as an inspiration for how to build something different. In this case, as I said previously, I'd like to dig deeper into my Unix and Solaris knowledge by starting a home project to build a Solaris zone-based firewall (using IP Filter, of course), so I'm trying to do it on some commodity hardware at first.

And second, I'd like to get in-depth with a firewalling system that works with virtual systems and virtual routers, and this is where the Solaris zones part comes into play. *I think*

I talked to a Sun Microsystems engineer two days ago; a pretty constructive and inspiring discussion, especially some links he gave me to achieve my goal.

Currently I have done about 70% of my home project, which consists of:
1. building a stripped-down Solaris system with zones
2. putting some routing protocols on it *if applicable*
3. putting a firewall (IP Filter) on those zones *if applicable*
4. putting it in a real environment

Being at 70% is good progress, since I really had a hard time configuring some logical interfaces until I managed to make them work. But now I'm a bit stuck constructing dynamic routing under those zones, because *IMHO* Quagga *seems* not to play nice under b115; but that is only my current situation, I'm still working it out. Still plenty to read and to try.

I do like iptables and other proprietary FW systems as well, but this Solaris zone thing has *something* I'd like to get in-depth with; a very interesting feature.

So, do you have any other ideas for me to consider? Do you want to join my home project? It's fun, really.

#4  07-30-2009, gch
Quote (stdout):
"And I'd also like to have some kind of tunnel interface between zones, so that traffic entering WAN from LAN doesn't have to go out through the NIC?"

This would violate security and defeat the advantage of zones.
You may look at this article, which deals with some of your issues:
cr:zones [Cyber Renaissance]
#5  07-30-2009, jlliagre (Forum Advisor; Paris)
It looks like you'll be highly interested in the Crossbow project, which goes far further than the exclusive-IP feature.

Project Crossbow
http://www.opensolaris.com/use/ProjectCrossbow.pdf