-
oninoshiko
looking at
omnios.org/makingof/nginxconfig.html there's a acme fetch config, but I'm not seeing an obvious acme client in either core or ooce. I'm probably just overlooking something, but is there one I'm missing?
-
ptribble
There appears to be something called acmefetch in ooce
-
ptribble
(Although I've always used dehydrated myself.)
-
oninoshiko
-.- not sure how I missed that. Thank you.
-
szilard
Hi.
-
szilard
I am looking for some (handholding) guide to set-up a router zone.
-
szilard
My background: this is my first omnios install, I use it as a NAS, no SMB, just SSH, and some programs accessible via web running in various zones.
-
szilard
Currently every zone has its own vnic with an exclusive IP. All vnics are connected to the global zone nic
-
szilard
I'd like to implement some firewall rules, but I don't know how to secure my various branded zones.
-
szilard
I assume in the current situation I'm supposed to install firewall rules in every zone.
-
andyf
In that situation yes. You can create firewall rules which are managed by the global zone, and therefore the zone doesn't see them and can't override them, or you can create rules within the zone, or even a combination of both.
-
szilard
Compared to this a router/firewall zone sounds compelling.
-
andyf
That's fair, and it's what I have on some of my servers.
-
szilard
Am I supposed to create an illumos zone with one vnic derived from the GZ NIC, and an additional nic as connector for the zones, right?
-
andyf
Yes. The second NIC would be connected to an etherstub (effectively a virtual switch).
-
andyf
Then you connect the other zones to that etherstub
-
szilard
OK, so far clear.
-
szilard
Question: right now all zones have an exclusive IP, so from outside they look like standalone computers on my LAN. Can I keep this with the router/firewall zone?
-
andyf
Usually you'd run a private network (RFC1918 or similar) on the etherstub. You can set up 1:1 NAT entries on the router zone though, and use proxy ARP to advertise the external addresses to the local network.
-
szilard
huh, this sentence contains way too many unknown words for me.
-
andyf
Ok, well you would run a different network range on the etherstub - something private like 192.168.111.0/24.
-
szilard
I see.
-
andyf
Then you would need to set up static network address translation (1:1 NAT) between external LAN and etherstub IPs.
-
andyf
And the last piece is that the router zone needs to respond to ARP requests on the external LAN when people are looking up where to send traffic for one of the external addresses.
-
szilard
Right now, to make my life easier, I use 10.0.0.x IPs in my LAN, .1 is my router and .10 is the NAS, from here every zone gets an IP each divisible by 10 (20,30,40...)
-
andyf
To do what you want you would run something different like 10.0.1.x on the virtual internal LAN and create mappings between 10.0.0.20 and 10.0.1.20 etc.
-
szilard
Considering that each zone provides services on a different port, I could use a shared IP for the zones. Am I right that then every zone would get the same IP as the NAS itself?
-
andyf
Yes. You can easily provide outbound access from the zones (if necessary), all hiding behind the NAS IP address.
-
andyf
And inbound rules for different ports on the NAS address mapping through to different hosts on the internal network.
-
szilard
I see. I think I need to think about my priorities.
-
andyf
I have to head off for a while but will be around later.
-
szilard
thx, have a great day!
-
m1ari
szilard: if you just want to manage all the firewall rules in one place, is there anything you don't like about managing the rules in the GZ?
-
m1ari
just in case you missed the line: 8:08 <@andyf> In that situation yes. You can create firewall rules which are managed by the global zone, and therefore the zone doesn't see them and can't override them, or you can create rules within the zone, or even a combination of both.
-
szilard
m1ari: I wasn't aware I can do that in the GZ.
-
szilard
I have found the ipf config files using the command: svccfg -s ipfilter:default listprop | grep file
-
szilard
Which one am I supposed to use to secure my zones?
-
szilard
I use IPv4 in the LAN.
-
m1ari
from memory /etc/ipf/ipf.conf
-
szilard
Do you happen to have any example how to cover zones with exclusive IP in the GZ firewall rules?
-
m1ari
I don't think I've ever done a zone based config manually - I just remember it being an option back when I tried SmartOS many years ago
-
m1ari
ipf(8) has /usr/share/ipfilter/examples/
-
m1ari
Contains numerous IP Filter examples.
-
m1ari
I don't know if any of those are useful
-
szilard
super, great! Thanks for the hint!
-
megaTherion
how was it with linked zones, if I do pkg update in the root zone will the other packages in the linked zone be updated too?
-
szilard
megaTherion: use "pkg update -r -v "
-
szilard
-r means recursive
-
megaTherion
szilard: nice, thanks :)
-
szilard
in case you are using a pkgsrc zone you have to make sure to run "pkgin -y upgrade" in those zones
-
patrikr
szilard: I don't have a router zone set up on this server I'm using as an example, but I do have an etherstub that all the zones connect to and then the GZ does the routing/forwarding. I have a rule "pass in quick from 10.222.27.0/24 to any" to allow the zones to reach the outside, and then if I have a service I want public I add something like "pass in quick proto tcp/udp from any to 10.222.27.11 port = 64738 keep state keep frags"
-
patrikr
with a matching rule in ipnat.conf to properly forward. If you use a router zone it's not much different, except you apply those rules in that zone instead of the GZ
-
szilard
patrikr: thank you!
-
patrikr
no worries
-
patrikr
though for my home NAS I haven't bothered with a virtual network, I just use the 2nd nic for all of them and let my router handle the rest