I would like to set up a zone to be a router - and nothing else - in a virtual network that is using crossbow on OpenSolaris 2009.06. I am trying to create a list of all of the necessary commands.

Assume that:
* the zone will have two VNICs: one going to the outside world via a NIC, and one going to an internal switch to which other zones are connected
* the zone and its VNICs have been created
* I want to disable all unnecessary services to harden the router-zone

What commands do I need in the zone to persistently enable routing? So far I have:

router-zone# svcadm enable svc:/network/ipv4-forwarding

Also, what services can I disable?

TIA,
--JeffV
On 10/15/09 15:25, Jeff Victor wrote:
> I would like to set up a zone to be a router - and nothing else - in a
> virtual network that is using crossbow on OpenSolaris 2009.06. I am
> trying to create a list of all of the necessary commands.
>
> Assume that:
> * the zone will have two VNICs: one going to the outside world via a
> NIC, and one going to an internal switch to which other zones are
> connected
> * the zone and its VNICs have been created
> * I want to disable all unnecessary services to harden the router-zone
>
> What commands do I need in the zone to persistently enable routing? So
> far I have:
>
> router-zone# svcadm enable svc:/network/ipv4-forwarding
>
> Also, what services can I disable?

try netservices limited inside the zone to disable all network services, except sshd.

Kais

> TIA,
> --JeffV
>
> _______________________________________________
> crossbow-discuss mailing list
> crossbow-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/crossbow-discuss
Jeff,

I typically also disable:
  autofs
  name-service-cache

cron might be possible to disable, but I wouldn't do that.

If you really want to minimize you also could disable
  inetd
  rpc/bind
  ssh
But then you are only able to login into your zone with zlogin. But that might be enough for a router.

Detlef

Kais Belgaied wrote on 16.10.09 05:28:
> On 10/15/09 15:25, Jeff Victor wrote:
>> I would like to set up a zone to be a router - and nothing else - in a
>> virtual network that is using crossbow on OpenSolaris 2009.06. I am
>> trying to create a list of all of the necessary commands.
>>
>> Assume that:
>> * the zone will have two VNICs: one going to the outside world via a
>> NIC, and one going to an internal switch to which other zones are
>> connected
>> * the zone and its VNICs have been created
>> * I want to disable all unnecessary services to harden the router-zone
>>
>> What commands do I need in the zone to persistently enable routing? So
>> far I have:
>>
>> router-zone# svcadm enable svc:/network/ipv4-forwarding
>>
>> Also, what services can I disable?
>
> try netservices limited inside the zone to disable all network services,
> except sshd.
>
> Kais
>
>> TIA,
>> --JeffV

--
Sent from my OpenSolaris Laptop
---
Detlef Drewanz
Senior Systems Engineer
Sun Microsystems GmbH
Phone: (+49 30) 747096 856
Komturstrasse 18a
mailto:detlef.drewanz at sun.com
D-12099 Berlin
http://blogs.sun.com/solarium
---
Registered office: Sonnenallee 1, D-85551 Kirchheim-Heimstetten
Munich District Court: HRB 161028
Managing Directors: Thomas Schroeder, Wolfgang Engels, Wolf Frenkel
Chairman of the Supervisory Board: Martin Haering
On 10/15/09 18:25, Jeff Victor wrote:
> I would like to set up a zone to be a router - and nothing else - in a
> virtual network that is using crossbow on OpenSolaris 2009.06. I am
> trying to create a list of all of the necessary commands.
>
> Assume that:
> * the zone will have two VNICs: one going to the outside world via a
> NIC, and one going to an internal switch to which other zones are connected
> * the zone and its VNICs have been created
> * I want to disable all unnecessary services to harden the router-zone
>
> What commands do I need in the zone to persistently enable routing? So
> far I have:
>
> router-zone# svcadm enable svc:/network/ipv4-forwarding

you should also ifconfig() your interface to route

cat /etc/hostname.mynet1
myaddress1 router up

cat /etc/hostname.mynet2
myaddress2 router up

I don't enable the forwarding service on my router.

(note, S10 10/09 not OpenSolaris, however, this stuff is the same, AFAIK)

steffensrouter# ifconfig -a4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        inet 129.154.53.130 netmask ffffff00 broadcast 129.154.53.255
        ether 0:e:c:c0:6b:c4
e1000g1:1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        inet 129.154.53.129 netmask ffffff00 broadcast 129.154.53.255
e1000g1:2: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        inet 192.168.200.129 netmask ffffff00 broadcast 192.168.200.255
nge0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
        inet 10.1.14.130 netmask ffffffc0 broadcast 10.1.14.191
        ether 0:17:31:46:d8:be
nge0:1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
        inet 10.1.14.129 netmask ffffffc0 broadcast 10.1.14.191

Yes, I have two 'routers' between the 10.1.14.128/26 and 129.154.53.0/24 network, as I collapsed two systems into one.

I do have a default router on the 129.154.53.0/24 network.

steffensrouter# svcs *route*
STATE          STIME    FMRI
disabled       Oct_07   svc:/network/routing/route:default
steffensrouter# svcs *forward*
STATE          STIME    FMRI
disabled       Oct_07   svc:/network/ipv4-forwarding:default
disabled       Oct_07   svc:/network/ipv6-forwarding:default
steffensrouter#

> Also, what services can I disable?
>
> TIA,
> --JeffV
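As an added example (not from the thread, and not an OpenSolaris tool): a small POSIX shell audit that checks a router zone against the two things the replies above ask for, the ROUTER flag on every non-loopback interface in `ifconfig -a4` output (the listing Steffen shows), and the set of services still online after `netservices limited` plus the extra `svcadm disable` calls Detlef lists. The `ifconfig` and `svcs -a` output embedded here is constructed for the example, and the allow-list of FMRIs is my own assumption about a minimal router zone (forwarding, loopback and physical network setup, ssh for remote admin, the restarter); adjust it per site and feed the real command output in on stdin.

```shell
#!/bin/sh
# Router-zone hardening audit: parse `ifconfig -a4` and `svcs -a` output and
# report what deviates from the expected state. Nothing here changes the
# system; it only prints findings and the svcadm commands that would fix them.

# Assumed minimal set of services a router zone keeps online (example allow-list,
# not an official OpenSolaris profile). Space-separated so awk can split it.
ALLOWED_FMRIS='svc:/network/ipv4-forwarding:default
svc:/network/ssh:default
svc:/network/physical:default
svc:/network/loopback:default
svc:/system/svc/restarter:default'

# Constructed sample ifconfig -a4 output in the format seen in the thread.
# vnic1 was plumbed without "router" in its /etc/hostname.vnic1, so it lacks ROUTER.
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
vnic0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        inet 192.168.200.1 netmask ffffff00 broadcast 192.168.200.255
vnic1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.0.0.1 netmask ffffff00 broadcast 10.0.0.255'

# Constructed sample svcs -a output: two services a router zone does not need
# are still online; rpc/bind and inetd are already disabled.
SAMPLE_SVCS='STATE          STIME    FMRI
online         Oct_15   svc:/network/ipv4-forwarding:default
online         Oct_15   svc:/network/ssh:default
online         Oct_15   svc:/network/physical:default
online         Oct_15   svc:/network/loopback:default
online         Oct_15   svc:/system/svc/restarter:default
online         Oct_15   svc:/system/filesystem/autofs:default
online         Oct_15   svc:/system/name-service-cache:default
disabled       Oct_15   svc:/network/rpc/bind:default
disabled       Oct_15   svc:/network/inetd:default'

# Print each non-loopback (logical) interface whose flag list lacks ROUTER.
# Reads ifconfig -a4 output on stdin. Header lines look like
# "name: flags=NNN<FLAG,FLAG,...> mtu N index N"; address lines are indented.
interfaces_without_router_flag() {
    awk '/^[A-Za-z0-9_]+(:[0-9]+)?: flags=/ {
            name = $1
            sub(/:$/, "", name)
            if (name == "lo0") next
            if ($2 !~ /[<,]ROUTER[,>]/) print name
         }'
}

# Print FMRIs that are online but not in $ALLOWED_FMRIS.
# Reads svcs -a output on stdin (columns: STATE STIME FMRI).
unexpected_online_services() {
    awk -v allowed="$ALLOWED_FMRIS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "online" && !($3 in ok) { print $3 }'
}

# Run the audit over the constructed samples and print remediation hints.
# On a real zone: ifconfig -a4 | interfaces_without_router_flag, etc.
echo "Interfaces missing ROUTER (add 'router' to /etc/hostname.<if> and re-plumb):"
printf '%s\n' "$SAMPLE_IFCONFIG" | interfaces_without_router_flag
echo "Online services outside the allow-list (review, then run):"
printf '%s\n' "$SAMPLE_SVCS" | unexpected_online_services | sed 's/^/  svcadm disable /'
```

The ROUTER check matters because, as Steffen's listing shows, the interface flag is what marks an interface as forwarding; a zone where the forwarding service is enabled but a VNIC was plumbed without `router` in its hostname file will silently not route on that leg. The service check is deliberately an allow-list rather than a deny-list: anything online that you did not explicitly expect is a finding, which is the right posture for a box whose only job is to forward packets.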