Friday September 22, 2006
Dave's Bit Bucket
Dave Walker's jottings - mostly pertaining to security

Blocking inter-zone network traffic

If I have a Solaris 10 box configured with multiple zones, then each zone on the box is by default able to communicate with any other zone on the box, provided that it has a route. Currently, ipfilter isn't able to mediate such inter-zone traffic, as the ipfilter module resides below (i.e. "further out towards the physical interface from the OS") the module in the IP stack which handles packet routing; thus, a packet from one zone heads down the stack and gets routed to the other zone before it gets to where ipfilter lives. We know about this, and we're working on it.

However, there are two ways of mediating inter-zone traffic on the same box which do work. The first of these involves a little twist on routing, and the second involves tcp_wrappers:

1. If I want to completely block all traffic between zone A and zone B, then in the global zone I can do:

    # route add <addr of zone A> <addr of zone B> -interface -reject

2. If the service I want to filter traffic for is compatible with tcp_wrappers (find this out either from the service docs, or use ldd to check whether the binary is linked against libwrap.so.1), then I can turn wrapping on like this if the service has an SMF profile or is started by inetd, and then add the other zones' addresses to my /etc/hosts.deny as normal. tcp_wrappers functionality is implemented further up the stack than routing, so mediating inter-zone traffic with tcp_wrappers also works.

(2006-09-22 10:20:08.0)
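The two workarounds above, applied to a whole set of zones rather than a single pair, as an added example that is not code from the original post. It generates the global-zone commands and the /etc/hosts.deny line for review instead of running anything against the system. The zone names and addresses are a constructed sample; issuing the reject route in both directions for each pair is this script's choice (the post shows one command per pair), and the ldd check simply greps for libwrap.so as the post suggests.

```shell
#!/bin/sh
# Added example, not from the original post. Builds (but does not run)
# the global-zone commands for the two inter-zone traffic workarounds:
#   1. a -reject route between each pair of zone addresses
#   2. a /etc/hosts.deny line for a tcp_wrappers-aware service
# Assumption: zones are listed as "name:addr" pairs in $ZONES.

# Constructed sample: three shared-IP zones on one Solaris 10 host.
ZONES="zoneA:192.168.10.11 zoneB:192.168.10.12 zoneC:192.168.10.13"

zone_addr() {
  # zone_addr NAME -> prints the address recorded for NAME in $ZONES
  for z in $ZONES; do
    case "$z" in "$1":*) echo "${z#*:}"; return 0 ;; esac
  done
  return 1
}

reject_route() {
  # reject_route SRC_ADDR DST_ADDR -> the route command from the post
  echo "route add $1 $2 -interface -reject"
}

block_pair() {
  # block_pair ZONE1 ZONE2 -> reject routes in both directions.
  # Emitting both directions is an assumption of this script; the post
  # shows a single command per pair.
  a=$(zone_addr "$1") || return 1
  b=$(zone_addr "$2") || return 1
  reject_route "$a" "$b"
  reject_route "$b" "$a"
}

isolate_all() {
  # isolate_all -> block every unordered pair of zones in $ZONES once
  set -- $ZONES
  while [ $# -gt 1 ]; do
    first=$1; shift
    for other in "$@"; do
      block_pair "${first%%:*}" "${other%%:*}"
    done
  done
}

uses_libwrap() {
  # uses_libwrap PATH -> 0 if the binary is dynamically linked against
  # libwrap.so (tcp_wrappers applies), 1 if not, 2 if ldd is unavailable
  command -v ldd >/dev/null 2>&1 || return 2
  ldd "$1" 2>/dev/null | grep -q 'libwrap\.so' && return 0
  return 1
}

hosts_deny_entry() {
  # hosts_deny_entry SERVICE ZONE -> a hosts.deny line ("daemon: clients")
  # denying every other zone's address for SERVICE running in ZONE
  svc=$1; me=$2; list=""
  for z in $ZONES; do
    [ "${z%%:*}" = "$me" ] && continue
    list="$list ${z#*:}"
  done
  echo "$svc:$list"
}

# Usage: print the commands to review, then apply them as root in the
# global zone (routes) or append to /etc/hosts.deny in the service's zone.
isolate_all
hosts_deny_entry sshd zoneA
```

For three zones the script prints six reject routes (two per pair) and a line such as `sshd: 192.168.10.12 192.168.10.13` for zone A. Nothing is applied automatically, so the output can be checked against the intended isolation policy before any route or hosts.deny entry is added.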