Trusted Extensions Configuration and Administration (Oracle Solaris 11.1 Information Library)
Static routes enable labeled packets to reach their destination through labeled and unlabeled gateways. MLPs enable an application to use one entry point to reach all zones.
Before You Begin
You must be in the Security Administrator role in the global zone.
You have added each destination host, network, and gateway to a security template. For details, see How to Add a Host to a Security Template and How to Add a Range of Hosts to a Security Template.
# txzonemgr &
If the zone has more than one IP address, choose the entry with the desired interface.
Note - To remove or modify the default router, remove the entry, re-create the IP entry, and then add the router. If the zone has only one IP address, you must remove the IP instance to remove the entry.
Example 16-17 Using the route Command to Set the Default Route for the Global Zone
In this example, the administrator uses the route command to create a default route for the global zone.
# route add default 192.168.113.1 -static
You can add private and shared MLPs to labeled zones and the global zone.
This procedure is used when an application that runs in a labeled zone requires a multilevel port (MLP) to communicate with the zone. In this procedure, a web proxy communicates with the zone.
Before You Begin
You must be in the root role in the global zone. The system must have at least two IP addresses, and the labeled zone must be halted.
## /etc/hosts file
...
proxy-host-name IP-address
web-service-host-name IP-address
For example, configure the public zone to recognize packets that are explicitly labeled PUBLIC. For this configuration, the security template is named webprox.
# tncfg -t webprox
tncfg:public> set name=webprox
tncfg:public> set host_type=cipso
tncfg:public> set min_label=public
tncfg:public> set max_label=public
tncfg:public> add host=mywebproxy.oracle.com    (host name associated with public zone)
tncfg:public> add host=10.1.2.3/16              (IP address of public zone)
tncfg:public> exit
For example, the web proxy service might communicate with the PUBLIC zone over port 8080/tcp.
# tncfg -z public add mlp_shared=8080/tcp
# tncfg -z public add mlp_private=8080/tcp
# zoneadm -z zone-name boot
To add routes, perform How to Add Default Routes.
Example 16-18 Configuring an MLP by Using the txzonemgr GUI
The administrator configures the web proxy service by opening the Labeled Zone Manager.
# txzonemgr &
The administrator double-clicks the PUBLIC zone, then double-clicks Configure Multilevel Ports. Then the administrator selects and double-clicks the Private interfaces line. The selection changes to an entry field similar to the following:
The administrator starts the web proxy entry with a semicolon separator.
After completing the private entry, the administrator types the web proxy into the Shared interfaces field.
A popup message indicates that the multilevel ports for the public zone will be active at the next boot of the zone.
Example 16-19 Configuring a Private Multilevel Port for NFSv3 Over udp
In this example, the administrator enables NFSv3 read-down mounts over udp. The administrator has the option of using the tncfg command.
# tncfg -z global add mlp_private=2049/udp
The txzonemgr GUI provides another way to define the MLP.
In the Labeled Zone Manager, the administrator double-clicks the global zone, then double-clicks Configure Multilevel Ports. In the MLP menu, the administrator selects and double-clicks the Private interfaces line and adds the port/protocol.
A popup message indicates that the multilevel ports for the global zone will be active at the next boot.
Example 16-20 Displaying Multilevel Ports on a System
In this example, a system is configured with several labeled zones. All zones share the same IP address. Some zones are also configured with zone-specific addresses. In this configuration, the TCP port for web browsing, port 8080, is an MLP on a shared interface in the public zone. The administrator has also set up telnet, TCP port 23, to be an MLP in the public zone. Because these two MLPs are on a shared interface, no other zone, including the global zone, can receive packets on the shared interface on ports 8080 and 23.
In addition, the TCP port for ssh, port 22, is a per-zone MLP in the public zone. The public zone's ssh service can receive any packets on its zone-specific address within the address's label range.
The following command shows the MLPs for the public zone:
$ tninfo -m public
private: 22/tcp
shared: 23/tcp;8080/tcp
The following command shows the MLPs for the global zone. Note that ports 23 and 8080 cannot be MLPs in the global zone because the global zone shares the same address with the public zone:
$ tninfo -m global
private: 111/tcp;111/udp;514/tcp;515/tcp;631/tcp;2049/tcp;
6000-6003/tcp;38672/tcp;60770/tcp;
shared: 6000-6003/tcp
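As an added example (not part of the Oracle documentation), the following Python parses `tninfo -m` listings like the ones above, expands port ranges, and flags any shared-interface MLP that more than one zone claims, since only one zone can receive a given port on the shared address. The sample output is constructed to mirror the listings above, including the wrapped continuation line of the global zone.

```python
import re
from collections import defaultdict

# Constructed sample of `tninfo -m <zone>` output for two zones, modelled on
# the listings above; not captured from a real system.
SAMPLE_TNINFO = {
    "public": "private: 22/tcp\nshared: 23/tcp;8080/tcp\n",
    "global": ("private: 111/tcp;111/udp;514/tcp;515/tcp;631/tcp;2049/tcp;\n"
               "6000-6003/tcp;38672/tcp;60770/tcp;\n"
               "shared: 6000-6003/tcp\n"),
}

_ENTRY = re.compile(r"^(\d+)(?:-(\d+))?/(tcp|udp)$")

def expand(entry):
    """Expand one MLP entry such as '6000-6003/tcp' into (port, proto) pairs."""
    m = _ENTRY.match(entry.strip())
    if not m:
        raise ValueError("unexpected MLP entry: %r" % entry)
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    return {(p, m.group(3)) for p in range(lo, hi + 1)}

def parse_tninfo(text):
    """Parse tninfo -m output into {'private': set, 'shared': set}; a line with
    no 'private:'/'shared:' prefix continues the previous list (wrapped output)."""
    mlps = {"private": set(), "shared": set()}
    current = None
    for line in text.splitlines():
        head, sep, rest = line.partition(":")
        if sep and head.strip() in mlps:
            current, entries = head.strip(), rest
        else:
            entries = line
        if current is None:
            continue
        for entry in entries.split(";"):
            if entry.strip():
                mlps[current] |= expand(entry)
    return mlps

def shared_mlp_conflicts(outputs):
    """Map each shared MLP (port, proto) claimed by more than one zone to the
    sorted zone names; such overlaps cannot coexist on the shared address."""
    owners = defaultdict(set)
    for zone, text in outputs.items():
        for key in parse_tninfo(text)["shared"]:
            owners[key].add(zone)
    return {k: sorted(z) for k, z in owners.items() if len(z) > 1}
```

Feed it the real `tninfo -m zone` output for every zone on the system to audit the MLP layout after running `tncfg`.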