[zorp-hu] 0.7.11-1 konfig

Hello! A zonak ertelmes felosztasan meg el kell gondolkoznom :) Megprobaltam elinditani ezzel a konfiggal, de nem sikerult :( A hibauzenet: zorp-plug[16594]: File "/etc/zorp/policy-plug.py", line 29 zorp-plug[16594]: inbound_services[], zorp-plug[16594]: ^ zorp-plug[16594]: SyntaxError: invalid syntax zorp-plug[16592]: (noname/nosession): Error opening policy file /etc/zorp/policy-plug.py Lathatoan nem szereti az ures inbound_services[] (es az outbound-ot se!) reszeket. Tovabbment, ha ezt irtam [""]. Akkor eddig jutott: zorp-plug[16655]: Verbosity level: 3 zorp-plug[16657]: SyntaxError: non-keyword arg after keyword arg (line 49) zorp-plug[16655]: (noname/nosession): Error opening policy file /etc/zorp/policy-plug.py (Ez a web_mail zona outbound sora.) Es ezen mar nem tudtam atleptetni. Tehat el sem indult :( Jojjon a konfig: # A tuzfal belso halo feloli laba: 192.168.0.250 eth2 # A tuzfal DMZ feloli laba: 192.168.1.1 eth1 # A tuzfal internet feloli laba: 100.100.100.100 eth0 from Zorp.Zorp import * from Zorp import Zorp from Zorp.Zone import InetZone from Zorp.Service import Service from Zorp.SockAddr import SockAddrInet from Zorp.Chainer import TransparentChainer, DirectedChainer, \ InbandChainer, FailoverChainer from Zorp.Plug import PlugProxy from Zorp import Http from Zorp.Http import HttpProxy from Zorp.Ftp import FtpProxyAllow, FtpProxyMinimal from Zorp.Listener import Listener Zorp.firewall_name = 'zorp1@teszt.hu' #---------------------------------------------------------# #-----------------------ZONAK-----------------------------# #---------------------------------------------------------# # A zonak ertelmes felosztasan meg el kell gondolkoznom :) # Sajnos ebbol a verziobol kimaradt az umbrella :) Zorp.zones = \ [ InetZone("full", "192.168.0.0/24", None, inbound_services[""], outbound_services["bd_http"]), InetZone("levelezes", ["192.168.0.2", "192.168.0.3", "192.168.0.4"], None, inbound_services[""], outbound_services["bd_pop"]), InetZone("sshdmz", ["192.168.0.2"], None, admin_parent="full", inbound_services[""], outbound_services["bd_ssh"]), InetZone("sshki", ["192.168.0.1"], None, admin_parent="sshdmz", inbound_services[""], outbound_services["bi_ssh", "bi_pop"]), InetZone("web_mail", ["192.168.0.5", "192.168.0.6"], None, admin_parent="levelezes", inbound_services[""], outbound_services["bi_http", "bi_ftp"]), InetZone("DMZ", "192.168.1.0", "255.255.255.0", None, inbound_services["bd_http", "bd_ssh", "bd_pop", "id_http", "id_pop"], outbound_services[""]), InetZone("local", "127.0.0.0", "255.0.0.0", None, inbound_services=["*"], outbound_services=[""]), InetZone("internet", "0.0.0.0", "0.0.0.0", None, inbound_services["bi_http", "bi_ftp", "bi_pop", "bi_ssh"], outbound_services["id_http", "id_pop"]) ] #---------------------------------------------------------# #------------------CLASS-OK-------------------------------# #---------------------------------------------------------# # A belso halorol az internet elerese http-n keresztul class BIHttp(Http.HttpProxy): def config(self): HttpProxy.config(self) self.transparent_mode = TRUE # Errol kaphatnek egy kis infot? self.request["GET"] = (Http.HTTP_POLICY, self.filterURL) # Errol is jo lenne egy kis info :) def filterURL(self, method, url, version): log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url)) # A belso halorol az internet elerese ftp-n keresztul class BIFtp(FtpProxyAllow): def config(self): FtpProxy.config(self) self.transparent_mode = TRUE # A belso halorol az internet elerese pop3-mon keresztul class BIPop(PlugProxy): def config(self): pass # A belso halorol a DMZ elerese pop3-mon keresztul class BDPop(PlugProxy): def config(self): pass # Az internetrol a DMZ elerese pop3-mon keresztul class IDPop(PlugProxy): def config(self): pass # A belso halorol a DMZ elerese http-n keresztul class BDHttp(HttpProxy): def config(self): self.transparent_mode = 1 # A belso halorol a DMZ elerese ssh-n keresztul class BDSsh(PlugProxy): def config(self): pass # A belso halorol az internet elerese ssh-n keresztul class BISsh(PlugProxy): def config(self): pass # Az internetrol a DMZ elerese http-n keresztul class IDHttp(HttpProxy): def config(self): self.transparent_mode = 1 #---------------------------------------------------------# #----------------INIT-EK----------------------------------# #---------------------------------------------------------# def init(name): debug(0, "Policy init, name=%s" % name) Service("bi_http", InbandChainer(), BIHttp) Service("bi_ftp", TransparentChainer(), BIFtp) Service("bi_pop", TransparentChainer(), BIPop) Service("bd_pop", TransparentChainer(), BDPop) Service("bd_http", TransparentChainer(), BDHttp) Service("bd_ssh", TransparentChainer(), BDSsh) Service("bi_ssh", TransparentChainer(), BISsh) # A 192.168.1.2 cimen a 80-as porton van a www szerver Service("id_http", DirectedChainer(SockAddrInet("192.168.1.2", 80), IDHttp)) # A 192.168.1.2 cimen a 110-es porton van a pop3 szerver Service("id_pop", DirectedChainer(SockAddrInet("192.168.1.2", 110), IDPop)) #---------------------------------------------------------# #----------------LISTENER-EK------------------------------# #---------------------------------------------------------# # ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 80 -j REDIRECT 3128 Listener(SockAddrInet("192.168.0.250", 3128), "bi_http") # Ha kesz lesz a proxy-szerver: # ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 80 -j REDIRECT 3128 # Ekkor a proxyn nem kell semmit beallitani. # Kulon zonat kell definialni a proxy miatt. # ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 21 -j REDIRECT 2021 # ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 1024: -j REDIRECT 0 Listener(SockAddrInet("192.168.0.250", 2021), "bi_ftp") # Ha kesz lesz a proxy-szerver: # ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 21 -j REDIRECT 2021 # ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 1024: -j REDIRECT 0 # Kulon zonat kell definialni a proxy miatt. # ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 110 -j REDIRECT 2110 Listener(SockAddrInet("192.168.0.250", 2110), "bi_pop") # ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.3 110 -j REDIRECT 3110 Listener(SockAddrInet("192.168.0.250", 3110), "bd_pop") # Ugye ide ertelmetlen ipchains REDIRECT-et tenni? Listener(SockAddrInet("100.100.100.100", 110), "id_pop") # A 192.168.1.2 80-as portjan figyel a www-szerver. # ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.2 80 -j REDIRECT 3080 Listener(SockAddrInet("192.168.0.250", 3080), "bd_http") # Ha ez is csak a proxy-n keresztul mehet, akkor nem kell az ipchains. # ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.0/24 22 -j REDIRECT 3022 Listener(SockAddrInet("192.168.0.250", 3022), "bd_ssh") # ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 22 -j REDIRECT 4022 Listener(SockAddrInet("192.168.0.250", 4022), "bi_ssh") # Ugye ide ertelmetlen ipchains REDIRECT-et tenni? Listener(SockAddrInet("100.100.100.100", 80), "id_http") -- Udvozlettel Zsiga