############################################################################
##
## Copyright (c) 2000, 2001 BalaBit IT Ltd, Budapest, Hungary
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
##
## $Id: policy.py.sample,v 1.10.2.2.4.2 2001/11/08 11:20:48 bazsi Exp $
##
############################################################################

#
# sample firewall policy with transparent access to FTP, HTTP and CVS protocols.
# For FTP and HTTP we use application level gateways, for CVS we use a plug.
# (as long as no CVS protocol proxy is available)
#

from Zorp.Core import *
from Zorp.Http import *
from Zorp.Plug import *
from Zorp.Ftp import *
from Zorp.Matcher import *

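Zorp.firewall_name = 'zorp@site'

# Zone definitions.  Each InetZone(...) call below is an independent
# statement (the stray trailing commas that turned them into one-element
# tuples have been dropped; they had no effect at runtime).
#
# "site-net" covers 0.0.0.0/0 and therefore overlaps both "local" and
# "internet".  NOTE(review): this only behaves as intended if zone lookup
# picks the most specific matching prefix -- confirm against the Zorp
# zone implementation; otherwise every address resolves to "site-net".
InetZone("site-net", "0.0.0.0/0",
         # list of allowed outbound services, '*' matches anything.
         # "intra_cvs" is listed here but no service of that name is
         # created in init() below, so the entry is currently inert.
         outbound_services=["intra_http", "intra_ftp", "intra_cvs"],

         # list of allowed inbound services, '*' matches anything
         inbound_services=[])

InetZone("local", "127.0.0.0/8",
         inbound_services=["*"],
         outbound_services=[])

# "VEDETT/HALO" is not a valid address/mask: it is a placeholder for the
# protected network and must be replaced before this policy is deployed.
InetZone("internet", "VEDETT/HALO",
         inbound_services=["*"],
         outbound_services=[])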

# 
# Here's a proxy event handler definition. We are deriving from a
# simple plug proxy, which is blindly copying in both directions.
#
# Instances of this class represent a "plug proxy". For a complete
# documentation for the features and available attributes of plug see the
# file /doc/modules/plug.txt
#

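class IntraHttp(HttpProxy):
        """Transparent HTTP proxy that logs the URL of every GET request.

        Only the GET method is routed through filterURL (registered in
        config); every other method keeps HttpProxy's default handling.
        NOTE(review): a second ``class IntraHttp`` later in this file
        rebinds the name, so ``Service("intra_http", IntraHttp, ...)`` in
        init() uses that later definition, not this one.

        Indentation has been normalised to spaces: the original mixed
        tabs and spaces, which relied on 8-column tab expansion and is a
        TabError under Python 3.
        """

        def config(self):
                """Apply the base configuration, then register the GET hook."""
                HttpProxy.config(self)
                self.transparent_mode = TRUE
                # HTTP_REQ_POLICY hands each GET request to filterURL, whose
                # return value decides whether the request goes through.
                self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)

        def filterURL(self, method, url, version):
                """Log the requested URL and accept the request.

                Return Z_REJECT here to reject this request, change
                self.request_url to redirect to another URL, or change
                connection_mode to HTTP_CONNECTION_CLOSE to force kept-alive
                connections to close.
                """
                # url is client-supplied.  NOTE(review): confirm log() neutralises
                # control characters / newlines before the line reaches the log,
                # so a request cannot forge additional log entries.
                log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url))
                return HTTP_REQ_ACCEPT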

class IntraHttp(HttpProxyURIFilter):
        """Transparent HTTP proxy with a file-driven URL filter.

        This is the last ``IntraHttp`` binding in the module, so it is the
        class init() registers for the "intra_http" service.  URLs are
        checked by ``matcher``; judging by the file names, http.deny holds
        the patterns to block and http.ignore the patterns to exempt --
        NOTE(review): confirm the exact semantics in the HttpProxyURIFilter /
        RegexpFileMatcher documentation.  Whoever can edit these two files
        controls the filter, so keep them writable by the administrator only.
        """

        matcher = RegexpFileMatcher('/usr/local/zorp/etc/zorp/http.deny',
                                    '/usr/local/zorp/etc/zorp/http.ignore')


class IntraFtp(FtpProxy):
        """Transparent FTP application-level gateway with default settings."""

        def config(self):
                """Apply the FtpProxy defaults and switch on transparent mode."""
                FtpProxy.config(self)
                # Transparent mode: clients are redirected here by the packet
                # filter rather than addressing the proxy explicitly.
                self.transparent_mode = TRUE

#
# name is passed to the Zorp instance with the --as command line option;
# you can use it to start different services for different names.
# In this simple policy we ignore it.
#
def init(name):
        """Create the services and bind their listeners.

        ``name`` is the value of Zorp's ``--as`` command line option; it could
        be used to start different services for different instance names, but
        this simple policy ignores it.
        """
        # Services are created first, then the listeners that refer to them
        # by name -- the same order as before.
        proxies = (("intra_http", IntraHttp), ("intra_ftp", IntraFtp))
        for service_name, proxy_class in proxies:
                Service(service_name, proxy_class, router=TransparentRouter())

        # "TUZFALIP" is not a valid host address; it stands in for the
        # firewall's own address and must be replaced before deployment.
        # The packet filter has to redirect client connections to these
        # ports, and it must also shield the transparent listeners from
        # direct access: connecting straight to a transparent listener makes
        # Zorp reconnect to itself.
        ports = (("intra_http", 50080), ("intra_ftp", 50021))
        for service_name, port in ports:
                Listener(SockAddrInet("TUZFALIP", port), service_name)


