On Thu, Feb 05, 2009 at 08:00:15AM +0100, Kosa Attila wrote:
> Etch, and the zorp that ships with it. On startup it writes the following to the log:
>
> Feb 5 00:50:18 fw zorp_https[32493]: (Log thread): /usr/lib/python2.4/whrandom.py:38: DeprecationWarning: the whrandom module is deprecated; please use the random module
> Feb 5 00:50:18 fw zorp_https[32493]: (Log thread): DeprecationWarning)
>
> This is still an open question, although if it works anyway it would not bother me that much...
>
> I managed to apply the downloadable patches to the 2.6.22.9 kernel. The iptables_tproxy module loads with the tproxy_any=1 option:
>
> IP_TPROXY: Transparent proxy table initialized, version 4.0.6
> IP_TPROXY: Copyright (c) 2002-2008 BalaBit IT Ltd.
> IP_TPROXY: tproxy_any = '1'
>
> Two iptables rules as an example:
>
> -A PRintra -p tcp -s PROXYSERVER --sport 1024: --dport 80 -j TPROXY --on-port 50080
> -A PRintra -p tcp -s PROXYSERVER --sport 1024: --dport 443 -j TPROXY --on-port 60443
>
> The first rule makes the http proxy start; the second one does nothing, not even with a plug proxy. If I write a plain redirect rule instead (plus another one on the input chain), then the plug proxy does start (and so does https), but it still does not work: it throws all kinds of (irrelevant and mostly meaningless) error messages.
This has been resolved: another rule was dropping the packets. There is another problem, though. A plug proxy listens on the external leg and is supposed to hand the ssh connections over to the machine in the DMZ. At debug level 10 it writes this much:

Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/nosession): Incoming connection; protocol='1', remote='AF_INET(y.y.y.y:35856)', local='AF_INET(x.x.x.x:22)', dest='AF_INET(x.x.x.x:22)'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/nosession): Setting socket ToS value; fd='17', tos='0'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh): Starting service; name='ssh'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh): Connection accepted; client_address='AF_INET(y.y.y.y:35856)'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0): Starting proxy instance; client_fd='17', client_address='AF_INET(y.y.y.y:35856)', client_zone='Zone(internet, 0.0.0.0/0)', client_local='AF_INET(x.x.x.x:22)', client_protocol='TCP'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Proxy starting; class='IDSsh', module='plug'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/nosession): Module successfully loaded; module='plug', file='/usr/lib/zorp/libplug.so'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu): Accept count; accepts='1'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): thread starting;
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): calling __pre_config__() event;
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): calling config() event;
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): calling __post_config__() event;
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Config dump, attribute value; name='secondary_sessions', value='10'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Config dump, attribute value; name='copy_to_client', value='1'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Config dump, attribute value; name='timeout', value='600000'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Config dump, attribute value; name='secondary_mask', value='15'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Config dump, attribute value; name='packet_stats_interval_time', value='0'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Config dump, attribute value; name='packet_stats_interval_packet', value='0'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Config dump, attribute value; name='buffer_size', value='1500'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Config dump, attribute value; name='copy_to_server', value='1'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Config dump, attribute value; name='shutdown_soft', value='0'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): calling __pre_startup__() event;
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): calling startup() event;
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): calling __post_startup__() event;
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Connecting to remote host; protocol='1', local='AF_INET(y.y.y.y:0)', remote='AF_INET(192.168.2.253:22)'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): bind() failed; error='Cannot assign requested address'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Error binding socket; local='AF_INET(y.y.y.y:0)', error='Cannot assign requested address'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Server connection failure; server_address='AF_INET(192.168.2.253:22)', server_zone='Zone(DMZ, 192.168.2.0/24)', server_local='AF_INET(y.y.y.y:0)', server_protocol='TCP'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): calling __pre_shutdown__() event;
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): calling shutdown() event;
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): calling __post_shutdown__() event;
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): calling __destroy__() event;
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Proxy destroy; class='IDSsh', module='plug'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0): Ending proxy instance;
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug/client): Shutdown channel; fd='17', mode='2'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug/client): Closing channel; fd='17'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug/client): accounting info; type='stream', duration='0', sent='0', received='0'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): thread exiting;

The config is just this:

    from Zorp.Core import *
    from Zorp.Plug import *

    Zorp.firewall_name = 'zorp@xxx.hu'

    InetZone("DMZ", "192.168.2.0/24", inbound_services=["id_ssh"], outbound_services=[])
    InetZone("internet", "0.0.0.0/0", inbound_services=[], outbound_services=["id_ssh"])

    class IDSsh(PlugProxy):
        pass

    Service("id_ssh", IDSsh, DirectedRouter(SockAddrInet("192.168.2.253", 22), forge_addr = TRUE))
    Listener(SockAddrInet("x.x.x.x", 50022), "id_ssh")

The matching iptables rule is the following:

-A PRinter -p tcp --sport 1024: --dport 22 -j TPROXY --on-port 50022

According to google, the last time I had a problem like this the tproxy and zorp versions did not get along with each other. Is it possible that this is the problem now as well? If I install version 3.1.15 (which can be downloaded from your website), will the problem go away?

-- 
Regards,
Zsiga
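The bind() failure in the log above, as an added example that is not part of the original thread or of Zorp itself: a Python script (Python being the language Zorp policies are written in) that parses Zorp 3.x debug lines in the format quoted above, follows each proxy session by its session id, and flags sessions where the server-side socket was bound to the client's own address, which is what forge_addr = TRUE asks for, and that bind failed. A bind to an address that is not configured on the host fails with EADDRNOTAVAIL ("Cannot assign requested address") unless the kernel's tproxy non-local bind support is in effect for that socket, so this pattern is the thing to look for when forge_addr stops working after a kernel or tproxy change. The log lines the script parses are constructed to match the thread's format: x.x.x.x and y.y.y.y are the same placeholders as in the post, and the second session (with a bind to the firewall's own address) is made up for contrast.

```python
import re

# Constructed sample, modelled on the Zorp 3.x debug output quoted in the thread.
# x.x.x.x = the firewall's own external address, y.y.y.y = the remote client.
# Session 1 (server-side bind to the firewall's own address) is invented for contrast.
SAMPLE_LOG = """\
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/nosession): Incoming connection; protocol='1', remote='AF_INET(y.y.y.y:35856)', local='AF_INET(x.x.x.x:22)', dest='AF_INET(x.x.x.x:22)'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0): Starting proxy instance; client_fd='17', client_address='AF_INET(y.y.y.y:35856)', client_zone='Zone(internet, 0.0.0.0/0)', client_local='AF_INET(x.x.x.x:22)', client_protocol='TCP'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Connecting to remote host; protocol='1', local='AF_INET(y.y.y.y:0)', remote='AF_INET(192.168.2.253:22)'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): bind() failed; error='Cannot assign requested address'
Feb 5 10:10:41 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:0/plug): Server connection failure; server_address='AF_INET(192.168.2.253:22)', server_zone='Zone(DMZ, 192.168.2.0/24)', server_local='AF_INET(y.y.y.y:0)', server_protocol='TCP'
Feb 5 10:12:03 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:1): Starting proxy instance; client_fd='18', client_address='AF_INET(y.y.y.y:35901)', client_zone='Zone(internet, 0.0.0.0/0)', client_local='AF_INET(x.x.x.x:22)', client_protocol='TCP'
Feb 5 10:12:03 fw zorp[3491]: (zorp@zorp@xxx.hu/ssh:1/plug): Connecting to remote host; protocol='1', local='AF_INET(x.x.x.x:0)', remote='AF_INET(192.168.2.253:22)'
"""

# "(instance/service:session[/proxy...]): Message; key='value', key='value'"
LINE_RE = re.compile(
    r"\((?P<instance>[^/\s)]+)/(?P<service>[^:/)]+):(?P<sid>\d+)(?:/[^)]*)?\): "
    r"(?P<msg>[^;]+);(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)='([^']*)'")
ADDR_RE = re.compile(r"AF_INET\((?P<ip>[^:)]+):(?P<port>\d+)\)")


def parse_line(line):
    """Return {'sid', 'msg', key: value, ...} for a session-scoped line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # '/nosession' and service-level lines carry no session id
    ev = dict(KV_RE.findall(m.group("rest")))
    ev.update(sid=int(m.group("sid")), msg=m.group("msg").strip())
    return ev


def addr_ip(text):
    """'AF_INET(1.2.3.4:22)' -> '1.2.3.4' (None if the field is not an AF_INET address)."""
    m = ADDR_RE.match(text or "")
    return m.group("ip") if m else None


def analyse(log_text, firewall_ips):
    """Follow every proxy session and record what the server-side socket tried to bind to."""
    sessions = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = sessions.setdefault(ev["sid"], {"client": None, "local": None, "server": None,
                                            "bind_failed": False, "error": None})
        if ev["msg"] == "Starting proxy instance":
            s["client"] = addr_ip(ev.get("client_address"))
        elif ev["msg"] == "Connecting to remote host":
            s["local"] = addr_ip(ev.get("local"))   # source address Zorp tries to bind
            s["server"] = addr_ip(ev.get("remote"))
        elif ev["msg"] == "bind() failed":
            s["bind_failed"] = True
            s["error"] = ev.get("error")
    for s in sessions.values():
        # forge_addr=TRUE shows up as the server-side bind using the client's own IP,
        # i.e. an address that is not configured on the firewall itself.
        s["forged_source"] = (s["local"] is not None and s["local"] == s["client"]
                              and s["local"] not in firewall_ips)
    return sessions


def findings(sessions):
    """One human-readable line per session whose forged-source bind failed."""
    out = []
    for sid, s in sorted(sessions.items()):
        if s["bind_failed"] and s["forged_source"]:
            out.append(f"session {sid}: bind() to forged client address {s['local']} failed "
                       f"({s['error']}) while connecting to {s['server']}; the kernel "
                       f"refused a non-local bind, which forge_addr depends on")
    return out


if __name__ == "__main__":
    for line in findings(analyse(SAMPLE_LOG, {"x.x.x.x"})):
        print(line)
```

Run it against a real /var/log/messages with the firewall's own addresses passed as `firewall_ips`; a session that binds to one of those addresses and still fails is a different problem (a port clash or a routing issue) and is deliberately not reported here.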