Hi all,

I have installed an OI zone under an oi_151a host to provide DNS caching services. All works OK now, except network isolation. Running snoop in the non-global zone I can see all the traffic of all the networks the global zone connects to. For example:

root@oizone01:~# snoop -r
Using device dmzlan0 (promiscuous mode)
172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 Seq=2855015487 Len=80 Win=64436 Options=<nop,nop,tstamp 2572129 48037595>
172.25.50.30 -> 172.25.80.5 TCP D=22 S=57770 Ack=2855015567 Seq=522318657 Len=0 Win=598 Options=<nop,nop,tstamp 48037601 2572129>
172.25.50.14 -> 239.192.33.21 UDP D=5405 S=5404 LEN=90
10.0.0.0 -> 224.0.0.1 IGMP v3 membership query
10.7.1.2 -> 172.25.50.10 DNS C 10.230.203.192.in-addr.arpa. Internet PTR ?
172.25.80.5 -> 224.0.0.22 IGMP v3 membership report
10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 Seq=2855015567 Len=560 Win=64436 Options=<nop,nop,tstamp 2572229 48037601>
172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 Seq=2855016127 Len=160 Win=64436 Options=<nop,nop,tstamp 2572229 48037601>
172.25.50.30 -> 172.25.80.5 TCP D=22 S=57770 Ack=2855016127 Seq=522318657 Len=0 Win=644 Options=<nop,nop,tstamp 48038597 2572229>
172.25.50.30 -> 172.25.80.5 TCP D=22 S=57770 Ack=2855016287 Seq=522318657 Len=0 Win=689 Options=<nop,nop,tstamp 48038597 2572229>
10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 Seq=2855016287 Len=592 Win=64436 Options=<nop,nop,tstamp 2572329 48038597>
172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 Seq=2855016879 Len=208 Win=64436 Options=<nop,nop,tstamp 2572329 48038597>
172.25.50.30 -> 172.25.80.5 TCP D=22 S=57770 Ack=2855016879 Seq=522318657 Len=0 Win=734 Options=<nop,nop,tstamp 48039596 2572329>
172.25.50.30 -> 172.25.80.5 TCP D=22 S=57770 Ack=2855017087 Seq=522318657 Len=0 Win=779 Options=<nop,nop,tstamp 48039596 2572329>
172.25.50.14 -> 239.192.33.21 UDP D=5405 S=5404 LEN=90
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Push Ack=3561090956 Seq=3412835876 Len=314 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561090956 Len=0 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Push Ack=3412836190 Seq=3561090956 Len=202 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561091158 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561092618 Len=1460 Win=65535
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Ack=3561092618 Seq=3412836190 Len=0 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561094078 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561095538 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561096998 Len=1460 Win=65535
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Ack=3561095538 Seq=3412836190 Len=0 Win=64915
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561098458 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561099918 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561101378 Len=1460 Win=65535
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Ack=3561095538 Seq=3412836190 Len=0 Win=64915
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Ack=3561098458 Seq=3412836190 Len=0 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561102838 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561104298 Len=1460 Win=65535
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561105758 Len=1460 Win=65535
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Ack=3561099918 Seq=3412836190 Len=0 Win=65535
172.25.50.29 -> 10.7.1.2 TCP D=18190 S=1307 Ack=3561102838 Seq=3412836190 Len=0 Win=62615
10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 Seq=3561107218 Len=1460 Win=65535

The OI zone is on the 172.25.80.0/29 network. But why is this zone seeing traffic for networks like 10.7.1.0/30 or 172.25.50.0/27? How can I deploy real network isolation for zones?

Zone config is:

root@oihost:~# zonecfg -z dnssrvdmz info
zonename: dnssrvdmz
zonepath: /zones/dnssrvdmz
brand: ipkg
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
net:
        address not specified
        allowed-address not specified
        physical: dmzlan0
        defrouter not specified

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com
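The post shows two artefacts an administrator can collect to assess a zone's isolation: the zone's `zonecfg info` dump and a `snoop` capture taken inside the zone. The script below is an added example, not code from the original post or from OpenIndiana; it parses both, copes with captures whose packets have been run together on one line (as in the post), and reports the subnets the zone observes without being a member of them, plus a missing `allowed-address` in the net resource. The sample inputs are constructed to mirror the shapes in the post; the /24 summarisation width and the rule "a flow with neither endpoint on the zone's subnet is foreign" are assumptions of the example. The check only reports; whether the fix is VLAN tagging, a dedicated link or switch-side isolation is an operational decision it does not make.

```python
"""Audit an exclusive-IP zone's network isolation from a zonecfg dump and a
snoop capture.  Constructed sample inputs are embedded so it runs offline."""
import ipaddress
import re

# Constructed sample: zonecfg output in the layout zonecfg(1M) prints (not real config).
SAMPLE_ZONECFG = """\
zonename: dnssrvdmz
zonepath: /zones/dnssrvdmz
brand: ipkg
ip-type: exclusive
net:
        address not specified
        allowed-address not specified
        physical: dmzlan0
        defrouter not specified
"""

# Constructed sample: a few snoop -r lines.  The second line carries two packets
# run together, as happens when a capture is pasted into mail.
SAMPLE_SNOOP = """\
Using device dmzlan0 (promiscuous mode)
172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=1 Seq=2 Len=80 Win=64436 172.25.50.30 -> 172.25.80.5 TCP D=22 S=57770 Ack=3 Seq=4 Len=0 Win=598
172.25.50.14 -> 239.192.33.21 UDP D=5405 S=5404 LEN=90
    10.0.0.0 -> 224.0.0.1    IGMP v3 membership query
10.7.1.2 -> 172.25.50.10 DNS C 10.230.203.192.in-addr.arpa. Internet PTR ?
"""

# "src -> dst" pairs; findall picks up every packet even when several share a line.
PAIR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(\d{1,3}(?:\.\d{1,3}){3})")
DEVICE_RE = re.compile(r"^Using device (\S+) \((promiscuous mode)\)")


def parse_zonecfg(text):
    """Return ip-type plus the net resource's physical link and allowed-address."""
    info = {"ip-type": None, "physical": None, "allowed-address": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip-type:"):
            info["ip-type"] = line.split(":", 1)[1].strip()
        elif line.startswith("physical:"):
            info["physical"] = line.split(":", 1)[1].strip()
        elif line.startswith("allowed-address"):
            # zonecfg prints "allowed-address not specified" or "allowed-address: <ip>"
            rest = line[len("allowed-address"):].strip()
            info["allowed-address"] = None if rest.startswith("not specified") else rest.lstrip(":").strip()
    return info


def promiscuous_device(snoop_text):
    """Name of the capture device if snoop reported promiscuous mode, else None."""
    for line in snoop_text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            return m.group(1)
    return None


def flows(snoop_text):
    """Yield (src, dst) address pairs from a snoop -r capture."""
    for line in snoop_text.splitlines():
        for src, dst in PAIR_RE.findall(line):
            yield ipaddress.ip_address(src), ipaddress.ip_address(dst)


def foreign_subnets(snoop_text, zone_prefix, mask=24):
    """Networks (summarised to /mask, an assumed width) that appear in flows where
    neither endpoint is on the zone's own subnet.  Multicast destinations are
    skipped: they are group addresses, not hosts on another segment."""
    zone_net = ipaddress.ip_network(zone_prefix)
    seen = set()
    for src, dst in flows(snoop_text):
        if src in zone_net or dst in zone_net:
            continue  # traffic to or from the zone's segment is expected
        for addr in (src, dst):
            if addr.is_multicast:
                continue
            seen.add(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return sorted(seen, key=lambda n: int(n.network_address))


def audit(zonecfg_text, snoop_text, zone_prefix):
    """Return a list of human-readable findings; empty means nothing to report."""
    findings = []
    cfg = parse_zonecfg(zonecfg_text)
    if cfg["ip-type"] == "exclusive" and cfg["allowed-address"] is None:
        findings.append(f"net resource on {cfg['physical']}: no allowed-address, "
                        "so the zone may configure any IP on the link")
    dev = promiscuous_device(snoop_text)
    if dev:
        findings.append(f"capture device {dev} was opened in promiscuous mode")
    foreign = foreign_subnets(snoop_text, zone_prefix)
    if foreign:
        findings.append("zone observes unicast traffic of subnets it is not on: "
                        + ", ".join(str(n) for n in foreign))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ZONECFG, SAMPLE_SNOOP, "172.25.80.0/29"):
        print("FINDING:", f)
```

Run against a real capture, replace the constructed samples with the output of `zonecfg -z <zone> info` and a saved `snoop -r` session; the only per-site input is the zone's own prefix.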

_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss