Wednesday, January 8, 2014

Global zone L2 & L3 protection

L2 (layer 2) and L3 (layer 3) refer to MAC and IP addresses respectively.
This works the same way as L2 & L3 protection for non-global zones (NGZ).

By default no protection is set for the global zone (GZ).
Note that ip-nospoof only takes effect if the allowed-ips property is also set.

$ dladm show-linkprop -p allowed-ips,protection net0
LINK  PROPERTY     PERM VALUE          DEFAULT  POSSIBLE
net0  allowed-ips  rw   --             --       --
net0  protection   rw   --             --       mac-nospoof,
                                                restricted,
                                                ip-nospoof,
                                                dhcp-nospoof


In general both should be set to improve security.

# dladm set-linkprop -p allowed-ips=192.168.0.100 net0
# dladm set-linkprop -p protection=mac-nospoof,ip-nospoof net0

$ dladm show-linkprop -p allowed-ips,protection net0
LINK  PROPERTY     PERM VALUE          DEFAULT  POSSIBLE
net0  allowed-ips  rw   192.168.0.100  --       --
net0  protection   rw   mac-nospoof,   --       mac-nospoof,
                        ip-nospoof              restricted,
                                                ip-nospoof,
                                                dhcp-nospoof
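Checking one link by hand is fine, but on a host with several datalinks it is easy to leave one unprotected or to set ip-nospoof without allowed-ips. The script below is an added example (not part of the original post) that audits every link at once. It reads dladm's parseable output (`-c -o link,property,value`) and reports, per link, whether protection is missing, incomplete (ip-nospoof without allowed-ips) or partial (no ip-nospoof). The sample input is constructed here and assumes one `LINK:PROPERTY:VALUE` record per line with `--` for an unset value; the `ip-nospoof` check only tests whether that keyword appears in the protection list.

```shell
#!/bin/sh
# Added example: audit dladm link-protection settings from parseable output.
# Constructed sample in the shape of
#   dladm show-linkprop -c -o link,property,value -p allowed-ips,protection
# Assumption: one LINK:PROPERTY:VALUE record per line, "--" when unset.
SAMPLE='net0:allowed-ips:192.168.0.100
net0:protection:mac-nospoof,ip-nospoof
net1:allowed-ips:--
net1:protection:mac-nospoof
net2:allowed-ips:--
net2:protection:--
net3:allowed-ips:--
net3:protection:mac-nospoof,ip-nospoof'

# audit_links: read LINK:PROPERTY:VALUE records on stdin, print "LINK VERDICT"
# per link, sorted by link name. Verdicts:
#   UNPROTECTED  protection is unset
#   INCOMPLETE   ip-nospoof is set but allowed-ips is not (ip-nospoof is inert)
#   PARTIAL      protection set but without ip-nospoof
#   OK           ip-nospoof and allowed-ips are both set
audit_links() {
  awk -F: '
    $2 == "allowed-ips" { ips[$1] = $3; links[$1] = 1 }
    $2 == "protection"  { prot[$1] = $3; links[$1] = 1 }
    END {
      for (l in links) {
        p = (l in prot) ? prot[l] : "--"
        a = (l in ips)  ? ips[l]  : "--"
        if (p == "--")                     v = "UNPROTECTED"
        else if (index(p, "ip-nospoof") == 0) v = "PARTIAL"
        else if (a == "--")                v = "INCOMPLETE"
        else                               v = "OK"
        print l, v
      }
    }' | sort
}

# verdict_for LINK: verdict for a single link in the constructed sample.
verdict_for() {
  printf '%s\n' "$SAMPLE" | audit_links | awk -v l="$1" '$1 == l { print $2 }'
}

# On a real host the sample would be replaced by:
#   dladm show-linkprop -c -o link,property,value -p allowed-ips,protection | audit_links
printf '%s\n' "$SAMPLE" | audit_links
```

Any link not reported as OK is a candidate for the two `dladm set-linkprop` commands shown above; INCOMPLETE is the case the note about ip-nospoof warns against, since the property is set but has no IP list to enforce.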