building solaris-based enterprise router-firewall project

stdout · #1 (**permalink**) 06-10-2009

hi guys,

its been a while since my last visit here,
could not keep up the pace on this ever changing industry

i'd just doing my home research under vmware to make a solaris-based router-firewall using zones - doing a lot of reading about zones & review solaris zone functionality.

and now, i'm a bit stuck interpreting these ip-type=shared and ip-type=exclusive under the non-global zone. i mean, cant i just have that NIC belongs to a non-global zone without being plumbed under the global-zone?

i'm sorry for this long question, but i'll make it short - does anyone has done this before?

my scenario is :
a stripped down SXCE using 3-NICs - so that it will be a 3-legs firewall :
global-zone=LAN interface, NIC#1,
WAN, NIC#2
DMZ, NIC#3
and, i also like to have somekind of tunnel interface between zones - so that the traffic entering WAN from LAN doesnt have to go out from the NIC?

so, is there any possibilities to do this setup?

any constructive input would be very appreciated.

thank you.

-----Post Update-----

addition :

on my current setup - under the global zone, i have 3 NICs - and each one having subinterface for the non-global zone, so

lo0 127/8
lo0.1 WAN 127/8
lo0.2 DMZ 127/8
pcn0 global 192.168.10.1/24
pcn1.0 global 0/8
pcn1.1 WAN 10.0.0.1/24
pcn2.0 global 0/8
pcn2.1 DMZ 172.16.0.1/24

so, all this interface are ip shared.

what i mean is that : can i just have that pcn1 belongs to WAN, pcn2 to DMZ without using the global zone as host?

thanks

TonyFullerMalv · #2 (**permalink**) 06-21-2009

A firewall should really be installed on some dedicated hardware, so I won't address the issues with Zones (have never tried what is being asked); depending on the volume of traffic you are expecting and the complexity of your firewall rules you do not need terribly up to date hardware, e.g. a workstation such a Blade 150. Solaris 10 comes with ipfilter so you don't have to buy any Firewall software.

Take a look at: Firewalling on Solaris 10 sonia hamilton – life on the digital bikepath – sonia@snowfrog.net, Basic iptables Configuration|spiralbound.net,
http://www.homepage.montana.edu/~uni...laris_ipf.html and http://docs.sun.com/app/docs/doc/816-4554/eupsq?a=view.

HTH

stdout · #3 (**permalink**) 06-21-2009

hi tony,

thank you for the reply btw

ok, firstable - i would like nor prefer to put this discussion as an inspiration how to build something different, in this case - as i said previously - i like to dig more deeper my unix and solaris knowledge by starting a home project to build a solaris zone-based firewall (using ipfilter of course) - so, i try to do it under some commodity hardware at first.

and, the second - i like to get in-depth with firewalling system which is to work with virtual system and virtual router - and this is where the solaris zones part comes into play. *i think*

i have talked to a Sun Microsystems engineer two days ago, pretty constructive discussion and inspiring one, especially some links that he gave me to achieve my goal.

currently, i have done about 70% of my home project which consist of :
1. to build a stripped down solaris system with zones
2. to put some routing protocols *if applicable*
3. to put some firewall (ipfilter) on those zones *if applicable*
4. put it on real environment

being 70% is a good progress since i really finding hard times to configure some logical interface until i manage to make them work. but now i'm a bit stuck in constructing dynamic routing under those zones because *IMHO* quagga *seems* dont play nice under b115 - but, that is only my current situation - still work it out though. still has plenty to read and to try.

i do like iptables, and other proprietary FW systems as well, but - this solaris zone thing has *something* which i like to get in-depth, very interesting feature

so, do you have any other idea for me to consider? do you want to join my home project? its fun really

gch · #4 (**permalink**) 07-30-2009

Quote:

and, i also like to have somekind of tunnel interface between zones - so that the traffic entering WAN from LAN doesnt have to go out from the NIC?

This would violate security and defeat the advantage of zones.
You may look at this article that deals with some of your issues:
cr:zones [Cyber Renaissance]

jlliagre · #5 (**permalink**) 07-30-2009

It looks you'll be highly interested in the crossbow project, which go far further than the exclusive IP feature.

Project Crossbow
http://www.opensolaris.com/use/ProjectCrossbow.pdf

More UNIX and Linux Forum Topics You Might Find Helpful
Thread	Thread Starter	Forum	Replies	Last Post
Help needed in IPTables firewall/router setup - Linux	chandan_m	Security	1	11-06-2008 10:56 PM
Using iChat with a firewall or NAT router	iBot	OS X Support RSS	0	10-13-2008 10:20 PM
Protect your network with pfSense firewall/router	iBot	UNIX and Linux RSS News	0	10-03-2008 04:30 AM
Building project using MAKE	abhinavsinha	UNIX for Dummies Questions & Answers	0	05-28-2008 02:38 AM
Building Event-Driven Architecture with an Enterprise Service Bus	iBot	Oracle Updates (RSS)	0	04-06-2008 05:10 AM

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread:


	Powered by