Nevada, Solaris 10 Update 4 - IPFilter and Zones
By avalon on Jul 02, 2007
Back in "Using IPFilter between zones for firewalling", I mentioned that our project to enable IPFilter between zones had been approved. This project was made a part of OpenSolaris (or Nevada) late last year, and in "Packet Filtering Hooks integrated into Solaris Nevada", I mentioned that the project had been successful. But the missing ingredient: how do I use this?
Out of the box, if you start using IPFilter with Solaris Zones (using shared stack instances), you won't be able to intercept those pesky packets that are going directly from zone to zone. There's a hidden button that you need to push in ipf.conf called intercept_loopback.
How is this button used? At the top of your ipf.conf file, you need to have a line like this:
set intercept_loopback true;
Note the ";" at the end of the line. Similarly, to disable it, replacing "true" with "false" is sufficient.
NOTE that, as the name of the setting implies, all loopback traffic will now be intercepted, including ordinary loopback (lo0, 127.0.0.1) traffic and not just the packets passing between zones, so you may need to be more careful about what you block vs. what you pass.
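As an added example (not from the original post), here is a small ipf.conf fragment that puts the setting to use on a host with two shared-IP-stack zones. The zone addresses 192.0.2.10 and 192.0.2.20, the zone names and the permitted port are constructed assumptions, not taken from the post.

```conf
# Added example ipf.conf fragment (not from the original post).
# Assumed layout: zone "web" at 192.0.2.10, zone "db" at 192.0.2.20,
# both in the shared IP stack of the global zone.
set intercept_loopback true;

# Once intercept_loopback is on, real loopback traffic (127/8) is filtered
# too, so pass it explicitly before any block rule can swallow it.
pass in quick from 127.0.0.0/8 to 127.0.0.0/8
pass out quick from 127.0.0.0/8 to 127.0.0.0/8

# Zone-to-zone policy: let "web" open TCP 3306 to "db", and log and drop
# everything else that travels between the two zones. Without
# intercept_loopback these packets never reach IPFilter at all.
pass in quick proto tcp from 192.0.2.10 to 192.0.2.20 port = 3306 flags S keep state
block in log quick from 192.0.2.10 to 192.0.2.20
block in log quick from 192.0.2.20 to 192.0.2.10

# Traffic to and from the outside world is left alone in this fragment.
pass in all
pass out all
```

Load it with "ipf -Fa -f /etc/ipf/ipf.conf" and confirm the rules with "ipfstat -io"; a blocked zone-to-zone connection then shows up in the ipmon log rather than silently succeeding.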