<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.28.3">
</HEAD>
<BODY>
On h, 2012-02-27 at 23:03 -0500, David Yerger wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
Trying to migrate from zorp GPL 3.1.15 to 3.9.3, following the guide at
<A HREF="http://siposg.blogs.balabit.com/2012/01/howto-install-zorp-3-9-2-on-debi">http://siposg.blogs.balabit.com/2012/01/howto-install-zorp-3-9-2-on-debi</A>
an-squeeze/ mostly, with the virtual machine as an example for rc.local
and /etc/iptables/rules.
1. Is kzorp supported on Zorp GPL now?
</PRE>
</BLOCKQUOTE>
Yes, it is (in 3.9.x). NDimension dispatcher works only with KZorp.<BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<PRE>
2. My reverse proxy doesn't seem to be passing traffic. Don't see
anything in the logs except accounting info, even after cranking the
verbosity up. When I test my policy.py with with kzorp -e, having
(among other things)
</PRE>
</BLOCKQUOTE>
<BR>
Does the client target the external address of the firewall or the real address of the server?<BR>
Is the 'eth1' the external interface of the firewall?<BR>
<BR>
Regards,<BR>
Szilárd<BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<PRE>
InetZone("intra", "<internal network>/16",
outbound_services=[],
inbound_services=["INhttp", etc.])
InetZone("local", "127.0.0.0/8",
inbound_services=["*"],
outbound_services=[])
InetZone("inter", "0.0.0.0/0",
inbound_services=[],
outbound_services=["INhttp", etc.])
InetZone(name="server",
addr=["<internal address>/32", ],
inbound_services=["*"],
outbound_services=["*"],
admin_parent="intra"
)
def Zhttp():
Service(name="INhttp",
proxy_class=INhttp,
router=DirectedRouter(SockAddrInet("<internal address>",
80)
)
)
#Listener(SockAddrInet("<external address>", 50080), "INhttp")
NDimensionDispatcher(bindto=DBSockAddr(SockAddrInet('<external
address>', 50080), ZD_PROTO_TCP), transparent=TRUE,
rules=(
{
'iface' : "eth1",
'proto' : socket.IPPROTO_TCP,
'dst_port' : 80,
'src_zone' : ('inter', ),
'dst_zone' : ('server', ),
'service' : 'INhttp'
}
)
)
class INhttp(HttpProxy):
def config(self):
HttpProxy.config(self)
I get
# kzorp -e tcp <outside client IP> 5000 <external interface> 50080
<external interface>
Evaluating ... on eth1
Client zone: inter
Server zone: inter
Service: not found
Dispatcher: not found
# kzorp -e tcp <outside client IP> 5000 <external interface> 80
<external interface>
Evaluating ... on eth1
Client zone: inter
Server zone: inter
Service: not found
Dispatcher: not found
But when I try one of my services having the old Listener syntax I get
# kzorp -e tcp <outside client IP> 5000 <external interface> 443
<external interface>
Evaluating ... on eth1
Client zone: inter
Server zone: inter
Service: not found
Dispatcher: not found
But:
root@owa:/etc/zorp# kzorp -e tcp <outside client IP> 5000 <external
address> 50443 eth1
evaluating <outside client IP>:5000 -> <external address>:50443 on eth1
Client zone: inter
Server zone: inter
Service: INhttps
Dispatcher: SA(proto=1,addr=AF_INET(<external address>:50443))
Not sure of the Server zone is right. Shouldn't it be 'server' or
'intra'?
Also, it seems like kzorp can't find the service and dispatcher unless
A. You give it the proxy port not the outside port?
B. It wants the old Listener syntax?
If I try to connect to the proxy port (:50080), I get in the logs
...Transparent listener connected directly, dropping connection;
Which is reasonable enough. Seems like it would work if kzorp was
feeding it properly. So what did I do wrong?
Thanks
David
_______________________________________________
zorp mailing list
<A HREF="mailto:zorp@lists.balabit.hu">zorp@lists.balabit.hu</A>
<A HREF="https://lists.balabit.hu/mailman/listinfo/zorp">https://lists.balabit.hu/mailman/listinfo/zorp</A>
</PRE>
</BLOCKQUOTE>
<BR>
<BR>
</BODY>
</HTML>