[zorp] Zorp and Traffic Control

Balazs Scheidler zorp@lists.balabit.hu
Tue, 20 May 2003 19:41:11 +0200


On Tue, May 20, 2003 at 11:16:36AM -0400, Philippe Lucas wrote:
> My instances.conf :
> 
> zorp_http   --autobind-ip '192.168.100.135'    --verbose=5 --policy 
> /etc/zorp/policy.py
> 
> I don't think you completely understood my request:
> 
> The system works fine. The client receives data from the server through 
> the proxy zorp. The client doesn't see zorp in the packets (source IP) 
> but the server does see zorp. I'd like zorp to be completely transparent.

Hm. You might need to remove the apostrophes around the IP address (as the
line above is not interpreted by the shell).

> 
> My Logs :
> 
> May 20 06:01:40 bridge zorp_http[9677]: (noname/nosession): Verbosity 
> level: 5
> May 20 06:01:41 bridge zorp_http[9677]: zorp version 2.0.2 starting up
> May 20 06:01:41 bridge zorp_http[9677]: (noname/nosession): 
> Zone(site-net): outbound service=intra_http
> May 20 06:01:41 bridge zorp_http[9677]: (noname/nosession): Zone(local): 
> inbound service=*
> May 20 06:01:41 bridge zorp_http[9677]: (noname/nosession): 
> Zone(internet): inbound service=*
> May 20 06:01:45 bridge zorp_http[9677]: (zorp@site/intra_http): Starting 
> service; name='intra_http'
> May 20 06:01:45 bridge zorp_http[9677]: (zorp@site/intra_http:0): 
> Starting proxy instance; client_fd='16', 
> client_address='AF_INET(192.168.100.199:2092)', 
> client_zone='Zone(site-net, 192.168.100.0/24)', 
> client_local='AF_INET(192.168.0.251:80)'
> May 20 06:01:45 bridge zorp_http[9677]: (zorp@site/intra_http:0/http): 
> Proxy starting; class='IntraHttp', module='http'
> May 20 06:01:45 bridge zorp_http[9683]: (zorp@site/intra_http:0/http): 
> Server connection established; server_fd='17', 
> server_address='AF_INET(192.168.0.251:80)', server_zone='Zone(internet, 
> 0.0.0.0/0)', server_local='AF_INET(192.168.0.134:42488)'


Hmm. The log snippet above shows that a client was connected from
192.168.100.199:2092, with a destination address 192.168.0.251:80 and Zorp
wanted to connect to the same server using the local address
192.168.0.134:42488. This means that it did not even try to use the forged
address...

Please try using ForgeClientSourceNAT as SNAT instead of the forge_addr
parameter, like:

def zorp_http():
	Service("intra_http", HttpProxy, router=TransparentRouter(),
		snat=ForgeClientSourceNAT())
	....

(ForgeClientSourceNAT was the previous way to specify address forging)

If this does work, then there's some problem in forge_addr; if it doesn't,
I'd suspect some problems with the --autobind-ip arguments.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
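
Added example, not part of the original message and not Zorp's own code: the log check described in the reply, automated. It pairs each session's "Starting proxy instance" line with its "Server connection established" line and reports whether server_local carries the client's IP. The function name and the second sample session are assumptions made for illustration.

```python
import re

# Session id such as "zorp@site/intra_http:0", optionally followed by "/http".
SESSION_RE = re.compile(r"\((?P<sid>[^()\s/]+/[^()\s/]+:\d+)(?:/[^()\s]*)?\):")
# key='AF_INET(ip:port)' pairs as they appear in the log lines quoted above.
ADDR_RE = re.compile(r"(?P<key>\w+)='AF_INET\((?P<ip>[\d.]+):\d+\)'")


def check_forging(lines):
    """Map session id -> (client_ip, server_local_ip, forged)."""
    clients, results = {}, {}
    for line in lines:
        m = SESSION_RE.search(line)
        if not m:
            continue  # start-up messages such as (noname/nosession)
        sid = m.group("sid")
        addrs = {a.group("key"): a.group("ip") for a in ADDR_RE.finditer(line)}
        if "client_address" in addrs:
            clients[sid] = addrs["client_address"]
        if "server_local" in addrs and sid in clients:
            local = addrs["server_local"]
            # Forging is in effect only if the server-side socket is bound
            # to the client's own IP rather than to the firewall's address.
            results[sid] = (clients[sid], local, local == clients[sid])
    return results


# Constructed sample: session 0 is the pair of lines from the log above
# (unwrapped); session 1 is invented to show the forged case.
SAMPLE_LOG = [
    "May 20 06:01:41 bridge zorp_http[9677]: (noname/nosession): Zone(local): inbound service=*",
    "May 20 06:01:45 bridge zorp_http[9677]: (zorp@site/intra_http:0): Starting proxy instance; client_fd='16', client_address='AF_INET(192.168.100.199:2092)', client_zone='Zone(site-net, 192.168.100.0/24)', client_local='AF_INET(192.168.0.251:80)'",
    "May 20 06:01:45 bridge zorp_http[9683]: (zorp@site/intra_http:0/http): Server connection established; server_fd='17', server_address='AF_INET(192.168.0.251:80)', server_zone='Zone(internet, 0.0.0.0/0)', server_local='AF_INET(192.168.0.134:42488)'",
    "May 20 06:05:10 bridge zorp_http[9677]: (zorp@site/intra_http:1): Starting proxy instance; client_fd='18', client_address='AF_INET(192.168.100.199:2093)', client_zone='Zone(site-net, 192.168.100.0/24)', client_local='AF_INET(192.168.0.251:80)'",
    "May 20 06:05:10 bridge zorp_http[9690]: (zorp@site/intra_http:1/http): Server connection established; server_fd='19', server_address='AF_INET(192.168.0.251:80)', server_zone='Zone(internet, 0.0.0.0/0)', server_local='AF_INET(192.168.100.199:2093)'",
]

if __name__ == "__main__":
    for sid, (client, local, forged) in check_forging(SAMPLE_LOG).items():
        print(f"{sid}: client={client} server_local={local} forged={forged}")
```
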