[OpenIndiana-discuss] Isolating networks for zones

carlopmart carlopmart at gmail.com
Sat Oct 29 21:30:48 UTC 2011 

Hi all,

  I have installed oi zone under a oi_151a host to provide dns caching 
services. All works ok now, except network isolation. Running snoop on 
non-global zone I can see all traffic of all networks where global zone 
connects. For example:

root at oizone01:~# snoop -r
Using device dmzlan0 (promiscuous mode)
  172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 
Seq=2855015487 Len=80 Win=64436 Options=<nop,nop,tstamp 2572129 48037595>
172.25.50.30 -> 172.25.80.5  TCP D=22 S=57770 Ack=2855015567 
Seq=522318657 Len=0 Win=598 Options=<nop,nop,tstamp 48037601 2572129>
172.25.50.14 -> 239.192.33.21 UDP D=5405 S=5404 LEN=90
     10.0.0.0 -> 224.0.0.1    IGMP v3 membership query
     10.7.1.2 -> 172.25.50.10 DNS C 10.230.203.192.in-addr.arpa. 
Internet PTR ?
  172.25.80.5 -> 224.0.0.22   IGMP v3 membership report
     10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
     10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
  172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 
Seq=2855015567 Len=560 Win=64436 Options=<nop,nop,tstamp 2572229 48037601>
  172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 
Seq=2855016127 Len=160 Win=64436 Options=<nop,nop,tstamp 2572229 48037601>
172.25.50.30 -> 172.25.80.5  TCP D=22 S=57770 Ack=2855016127 
Seq=522318657 Len=0 Win=644 Options=<nop,nop,tstamp 48038597 2572229>
172.25.50.30 -> 172.25.80.5  TCP D=22 S=57770 Ack=2855016287 
Seq=522318657 Len=0 Win=689 Options=<nop,nop,tstamp 48038597 2572229>
     10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
     10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
     10.7.1.2 -> 239.192.31.23 UDP D=5405 S=5149 LEN=126
  172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 
Seq=2855016287 Len=592 Win=64436 Options=<nop,nop,tstamp 2572329 48038597>
  172.25.80.5 -> 172.25.50.30 TCP D=57770 S=22 Push Ack=522318657 
Seq=2855016879 Len=208 Win=64436 Options=<nop,nop,tstamp 2572329 48038597>
172.25.50.30 -> 172.25.80.5  TCP D=22 S=57770 Ack=2855016879 
Seq=522318657 Len=0 Win=734 Options=<nop,nop,tstamp 48039596 2572329>
172.25.50.30 -> 172.25.80.5  TCP D=22 S=57770 Ack=2855017087 
Seq=522318657 Len=0 Win=779 Options=<nop,nop,tstamp 48039596 2572329>
172.25.50.14 -> 239.192.33.21 UDP D=5405 S=5404 LEN=90
172.25.50.29 -> 10.7.1.2     TCP D=18190 S=1307 Push Ack=3561090956 
Seq=3412835876 Len=314 Win=65535
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561090956 Len=0 Win=65535
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Push Ack=3412836190 
Seq=3561090956 Len=202 Win=65535
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561091158 Len=1460 Win=65535
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561092618 Len=1460 Win=65535
172.25.50.29 -> 10.7.1.2     TCP D=18190 S=1307 Ack=3561092618 
Seq=3412836190 Len=0 Win=65535
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561094078 Len=1460 Win=65535
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561095538 Len=1460 Win=65535
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561096998 Len=1460 Win=65535
172.25.50.29 -> 10.7.1.2     TCP D=18190 S=1307 Ack=3561095538 
Seq=3412836190 Len=0 Win=64915
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561098458 Len=1460 Win=65535
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561099918 Len=1460 Win=65535
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561101378 Len=1460 Win=65535
172.25.50.29 -> 10.7.1.2     TCP D=18190 S=1307 Ack=3561095538 
Seq=3412836190 Len=0 Win=64915
172.25.50.29 -> 10.7.1.2     TCP D=18190 S=1307 Ack=3561098458 
Seq=3412836190 Len=0 Win=65535
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561102838 Len=1460 Win=65535
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561104298 Len=1460 Win=65535
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561105758 Len=1460 Win=65535
172.25.50.29 -> 10.7.1.2     TCP D=18190 S=1307 Ack=3561099918 
Seq=3412836190 Len=0 Win=65535
172.25.50.29 -> 10.7.1.2     TCP D=18190 S=1307 Ack=3561102838 
Seq=3412836190 Len=0 Win=62615
     10.7.1.2 -> 172.25.50.29 TCP D=1307 S=18190 Ack=3412836190 
Seq=3561107218 Len=1460 Win=65535

  OI zone is on 172.25.80.0/29 network. But, why this zone is seeing 
traffic for networks like 10.7.1.0/30 or 172.25.50.0/27?? How can I 
deploy a real network isolation for zones??

Zone config is:

root at oihost:~# zonecfg -z dnssrvdmz info
zonename: dnssrvdmz
zonepath: /zones/dnssrvdmz
brand: ipkg
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
net:
	address not specified
	allowed-address not specified
	physical: dmzlan0
	defrouter not specified

Thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com

More information about the OpenIndiana-discuss mailing list