/usr/sadm/bin/smtnzonecfg subcommand [auth_args] -- [subcommand_args]
The smtnzonecfg command adds, modifies, deletes, and lists entries in the tnzonecfg database.
smtnzonecfg subcommands are:
The smtnzonecfg authentication arguments, auth_args, are derived from the smc argument set and are the same regardless of which subcommand you use. The smtnzonecfg command requires the Solaris Management Console to be initialized for the command to succeed (see smc(1M)). After rebooting the Solaris Management Console server, the first smc connection can time out, so you might need to retry the command.
The subcommand-specific options, subcommand_args, must be preceded by the -- option.
The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all optional. If no auth_args are specified, certain defaults will be assumed and the user can be prompted for additional information, such as a password for authentication purposes. These letter options can also be specified by their equivalent option words preceded by a double dash. For example, you can use either -D or --domain.
-D | --domain domain
If you do not specify this option, the Solaris Management Console assumes the file default domain on whatever server you choose to manage, meaning that changes are local to the server. Toolboxes can change the domain on a tool-by-tool basis. This option specifies the domain for all other tools.
-H | --hostname host_name:port
-l | --rolepassword role_password
-p | --password password
-r | --rolename role_name
-u | --username user_name
Descriptions and other argument options that contain white spaces must be enclosed in double quotes.
/usr/sbin/zoneadm list -c
ICMP packets that are received on the global zone IP address are accepted based on the label range of the global zone's security template if the global zone's policymatch field is set to 1. When this field is set to 0 for a zone, the zone will not respond to an ICMP echo request from a host with a different label.
This subcommand argument is optional. If not specified, it will have a default value of 0.
An MLP is used to provide multilevel service in the global zone as well as in non-global zones. As an example of how a non-global zone can use an MLP, consider setting up two labeled zones, internal and public. The internal zone can access company networks; the public zone can access public internet but not the company's internal networks. For safe browsing, when a user in the internal zone wants to browse the Internet, the internal zone browser forwards the URL to the public zone, and the web content is then displayed in a public zone web browser. That way, if the download in public zone compromises the web browser, it cannot affect the company's internal network. To set this up, TCP port 8080 in the public zone is an MLP (8080/tcp), and the security template for the public zone has a label range from PUBLIC to INTERNAL.
A shared IP address can reduce the total number of IP addresses that are needed on the system, especially when configuring a large number of zones. Unlike the case of the zone-specific IP address, when MLPs are declared on shared IP addresses, only the global zone can receive the incoming network traffic that is destined for the MLP.
-n zonename -l label [-x policymatch=policy-match-level \ -x mlpzone=port/protocol;.... | \ -x mlpshared=port/protocol;.... ] -h
-n zonename [-l label] [-x policymatch=policy-match-level \ -x mlpzone=port/protocol;.... |\ -x mlpshared=port/protocol;.... ] -h
-n zonename | -h
-n zonename | -h
Example 1 Adding a New Entry to the Zone Configuration Database
The admin role creates a new zone entry, public, with a label of public, a policy match level of 1, and a shared MLP port and protocol of 666 and TCP. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smtnzonecfg add -- -n public -l public \ -x policymatch=1 -x mlpshared=666/tcp
Example 2 Modifying an Entry in the Zone Configuration Database
The admin role changes the public entry in the tnzonecfg database to needtoknow. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smtnzonecfg modify -- -n public -l needtoknow
Example 3 Listing the Zone Configuration Database
The admin role lists the entries in the tnzonecfg database. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smtnzonecfg list --
The following exit values are returned:
The following files are used by the smtnzonecfg command:
See attributes(5) for descriptions of the following attributes:
The functionality described on this manual page is available only if the system is configured with Trusted Extensions.