Hello! I still have to think about a sensible division of the zones :) I tried to start it with this config, but it did not work :( The error message:

zorp-plug[16594]:   File "/etc/zorp/policy-plug.py", line 29
zorp-plug[16594]:     inbound_services[],
zorp-plug[16594]:                      ^
zorp-plug[16594]: SyntaxError: invalid syntax
zorp-plug[16592]: (noname/nosession): Error opening policy file /etc/zorp/policy-plug.py

Apparently it does not like the empty inbound_services[] parts (nor the outbound ones!). It got further when I wrote [""]. Then it got this far:

zorp-plug[16655]: Verbosity level: 3
zorp-plug[16657]: SyntaxError: non-keyword arg after keyword arg (line 49)
zorp-plug[16655]: (noname/nosession): Error opening policy file /etc/zorp/policy-plug.py

(That is the outbound line of the web_mail zone.) And I could not get past this one. So it did not start at all :( Here comes the config:

# The firewall's leg toward the internal network: 192.168.0.250 eth2
# The firewall's leg toward the DMZ: 192.168.1.1 eth1
# The firewall's leg toward the internet: 100.100.100.100 eth0

from Zorp.Zorp import *
from Zorp import Zorp
from Zorp.Zone import InetZone
from Zorp.Service import Service
from Zorp.SockAddr import SockAddrInet
from Zorp.Chainer import TransparentChainer, DirectedChainer, \
                         InbandChainer, FailoverChainer
from Zorp.Plug import PlugProxy
from Zorp import Http
from Zorp.Http import HttpProxy
from Zorp.Ftp import FtpProxyAllow, FtpProxyMinimal
from Zorp.Listener import Listener

Zorp.firewall_name = 'zorp1@teszt.hu'

#---------------------------------------------------------#
#-----------------------ZONES-----------------------------#
#---------------------------------------------------------#

# I still have to think about a sensible division of the zones :)
# Unfortunately umbrella was left out of this version :)

Zorp.zones = \
[
    InetZone("full", "192.168.0.0/24", None,
             inbound_services[""],
             outbound_services["bd_http"]),
    InetZone("levelezes", ["192.168.0.2", "192.168.0.3", "192.168.0.4"], None,
             inbound_services[""],
             outbound_services["bd_pop"]),
    InetZone("sshdmz", ["192.168.0.2"], None, admin_parent="full",
             inbound_services[""],
             outbound_services["bd_ssh"]),
    InetZone("sshki", ["192.168.0.1"], None, admin_parent="sshdmz",
             inbound_services[""],
             outbound_services["bi_ssh", "bi_pop"]),
    InetZone("web_mail", ["192.168.0.5", "192.168.0.6"], None, admin_parent="levelezes",
             inbound_services[""],
             outbound_services["bi_http", "bi_ftp"]),
    InetZone("DMZ", "192.168.1.0", "255.255.255.0", None,
             inbound_services["bd_http", "bd_ssh", "bd_pop", "id_http", "id_pop"],
             outbound_services[""]),
    InetZone("local", "127.0.0.0", "255.0.0.0", None,
             inbound_services=["*"],
             outbound_services=[""]),
    InetZone("internet", "0.0.0.0", "0.0.0.0", None,
             inbound_services["bi_http", "bi_ftp", "bi_pop", "bi_ssh"],
             outbound_services["id_http", "id_pop"])
]

#---------------------------------------------------------#
#------------------CLASSES--------------------------------#
#---------------------------------------------------------#

# Access from the internal network to the internet over http
class BIHttp(Http.HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.transparent_mode = TRUE
        # Could I get a bit of info on this?
        self.request["GET"] = (Http.HTTP_POLICY, self.filterURL)

    # A bit of info on this would be nice too :)
    def filterURL(self, method, url, version):
        log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url))

# Access from the internal network to the internet over ftp
class BIFtp(FtpProxyAllow):
    def config(self):
        FtpProxyAllow.config(self)
        self.transparent_mode = TRUE

# Access from the internal network to the internet over pop3
class BIPop(PlugProxy):
    def config(self):
        pass

# Access from the internal network to the DMZ over pop3
class BDPop(PlugProxy):
    def config(self):
        pass

# Access from the internet to the DMZ over pop3
class IDPop(PlugProxy):
    def config(self):
        pass

# Access from the internal network to the DMZ over http
class BDHttp(HttpProxy):
    def config(self):
        self.transparent_mode = 1

# Access from the internal network to the DMZ over ssh
class BDSsh(PlugProxy):
    def config(self):
        pass

# Access from the internal network to the internet over ssh
class BISsh(PlugProxy):
    def config(self):
        pass

# Access from the internet to the DMZ over http
class IDHttp(HttpProxy):
    def config(self):
        self.transparent_mode = 1

#---------------------------------------------------------#
#----------------INITS------------------------------------#
#---------------------------------------------------------#

def init(name):
    debug(0, "Policy init, name=%s" % name)
    Service("bi_http", InbandChainer(), BIHttp)
    Service("bi_ftp", TransparentChainer(), BIFtp)
    Service("bi_pop", TransparentChainer(), BIPop)
    Service("bd_pop", TransparentChainer(), BDPop)
    Service("bd_http", TransparentChainer(), BDHttp)
    Service("bd_ssh", TransparentChainer(), BDSsh)
    Service("bi_ssh", TransparentChainer(), BISsh)
    # The www server is at 192.168.1.2 on port 80
    Service("id_http", DirectedChainer(SockAddrInet("192.168.1.2", 80)), IDHttp)
    # The pop3 server is at 192.168.1.2 on port 110
    Service("id_pop", DirectedChainer(SockAddrInet("192.168.1.2", 110)), IDPop)

#---------------------------------------------------------#
#----------------LISTENERS--------------------------------#
#---------------------------------------------------------#

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 80 -j REDIRECT 3128
Listener(SockAddrInet("192.168.0.250", 3128), "bi_http")
# Once the proxy server is ready:
# ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 80 -j REDIRECT 3128
# Then nothing needs to be configured on the proxy.
# A separate zone has to be defined because of the proxy.

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 21 -j REDIRECT 2021
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 1024: -j REDIRECT 0
Listener(SockAddrInet("192.168.0.250", 2021), "bi_ftp")
# Once the proxy server is ready:
# ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 21 -j REDIRECT 2021
# ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 1024: -j REDIRECT 0
# A separate zone has to be defined because of the proxy.

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 110 -j REDIRECT 2110
Listener(SockAddrInet("192.168.0.250", 2110), "bi_pop")

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.3 110 -j REDIRECT 3110
Listener(SockAddrInet("192.168.0.250", 3110), "bd_pop")

# It makes no sense to put an ipchains REDIRECT here, right?
Listener(SockAddrInet("100.100.100.100", 110), "id_pop")

# The www server listens on port 80 of 192.168.1.2.
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.2 80 -j REDIRECT 3080
Listener(SockAddrInet("192.168.0.250", 3080), "bd_http")
# If this too may only go through the proxy, the ipchains rule is not needed.

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.0/24 22 -j REDIRECT 3022
Listener(SockAddrInet("192.168.0.250", 3022), "bd_ssh")

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 22 -j REDIRECT 4022
Listener(SockAddrInet("192.168.0.250", 4022), "bi_ssh")

# It makes no sense to put an ipchains REDIRECT here, right?
Listener(SockAddrInet("100.100.100.100", 80), "id_http")

--
Regards,
Zsiga
Hi! The zone description for 0.7.x:

Zorp.zones = \
[

this above is not needed. A leftover from 0.6. I did not look at the content of the rest, I only fixed the syntax errors.

InetZone("full", "192.168.0.0/24",
         inbound_services=[""],
         outbound_services=["bd_http"]),
InetZone("levelezes", ["192.168.0.2", "192.168.0.3", "192.168.0.4"],
         inbound_services=[""],
         outbound_services=["bd_pop"]),
InetZone("sshdmz", ["192.168.0.2"], admin_parent="full",
         inbound_services=[""],
         outbound_services=["bd_ssh"]),
InetZone("sshki", ["192.168.0.1"], admin_parent="sshdmz",
         inbound_services=[""],
         outbound_services=["bi_ssh", "bi_pop"]),
InetZone("web_mail", ["192.168.0.5", "192.168.0.6"], admin_parent="levelezes",
         inbound_services=[""],
         outbound_services=["bi_http", "bi_ftp"]),
InetZone("DMZ", "192.168.1.0/24",
         inbound_services=["bd_http", "bd_ssh", "bd_pop", "id_http", "id_pop"],
         outbound_services=[""]),
InetZone("local", "127.0.0.0/8",
         inbound_services=["*"],
         outbound_services=[""]),
InetZone("internet", "0.0.0.0/0",
         inbound_services=["bi_http", "bi_ftp", "bi_pop", "bi_ssh"],
         outbound_services=["id_http", "id_pop"])

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
On Fri, Jan 12, 2001 at 03:42:34PM +0100, Balazs Scheidler wrote:
Zorp.zones = \
[

this above is not needed. A leftover from 0.6.

It is present in the policy.py.sample file shipped with 0.7.11-1 (in the /etc/zorp directory) :)

I did not look at the content of the rest, I only fixed the syntax errors.

InetZone("full", "192.168.0.0/24", inbound_services=[""],
                                                    ^^^^

Colleague Gyorko wrote that "" is not needed here. Who is right? :) He did not say, though, that the None is not needed.

--
Regards,
Zsiga
Zorp.zones = \
[

this above is not needed. A leftover from 0.6.

It is present in the policy.py.sample file shipped with 0.7.11-1 (in the /etc/zorp directory) :)

hmm.... mine no longer has it :) by the way, there are a few examples in doc/examples; those were created more recently than policy.py.sample.

I did not look at the content of the rest, I only fixed the syntax errors.

InetZone("full", "192.168.0.0/24", inbound_services=[""],
                                                    ^^^^

Colleague Gyorko wrote that "" is not needed here. Who is right? :) He did not say, though, that the None is not needed.

Colleague Gyorko was right about the "". The None is still not needed, though.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
On Fri, Jan 12, 2001 at 03:42:34PM +0100, Balazs Scheidler wrote:
The zone description for 0.7.x:

Zorp.zones = \
[

this above is not needed. A leftover from 0.6.

I commented out the above (and the closing ] too), started it, and this shows up in the syslog:

zorp-plug[17683]: Verbosity level: 3
zorp-plug[17685]:   File "/etc/zorp/policy-plug.py", line 28
zorp-plug[17685]:     InetZone("full", "192.168.0.0/24",
zorp-plug[17685]:     ^
zorp-plug[17685]: SyntaxError: invalid syntax
zorp-plug[17683]: (noname/nosession): Error opening policy file /etc/zorp/policy-plug.py

Any ideas?

--
Regards,
Zsiga
I commented out the above (and the closing ] too), started it, and this shows up in the syslog:

zorp-plug[17683]: Verbosity level: 3
zorp-plug[17685]:   File "/etc/zorp/policy-plug.py", line 28
zorp-plug[17685]:     InetZone("full", "192.168.0.0/24",
zorp-plug[17685]:     ^
zorp-plug[17685]: SyntaxError: invalid syntax
zorp-plug[17683]: (noname/nosession): Error opening policy file /etc/zorp/policy-plug.py

Move the InetZone to the start of the line. (Python marks the start of a block with indentation.)

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
On Fri, Jan 12, 2001 at 04:04:32PM +0100, Balazs Scheidler wrote:
Move the InetZone to the start of the line. (Python marks the start of a block with indentation.)

That surprised me a little. But I moved it out, started it, and should I tell you? :)

zorp-plug[17802]: Verbosity level: 3
zorp-plug[17804]: Traceback (innermost last):
zorp-plug[17804]:   File "/etc/zorp/policy-plug.py", line 39, in ?
zorp-plug[17804]:     outbound_services=["bd_ssh"]),
zorp-plug[17804]:   File "/usr/share/zorp/pylib/Zorp/Zone.py", line 543, in __init__
zorp-plug[17804]:     Zone.__init__(self, name, addr, inbound_services, outbound_services, admin_parent, umbrella, InetDomain)
zorp-plug[17804]:   File "/usr/share/zorp/pylib/Zorp/Zone.py", line 422, in __init__
zorp-plug[17804]:     Zone("%s-#%u" % (name, i), addr[i], admin_parent=self.name, domain=domain)
zorp-plug[17804]:   File "/usr/share/zorp/pylib/Zorp/Zone.py", line 428, in __init__
zorp-plug[17804]:     self.setAddrRelatives()
zorp-plug[17804]:   File "/usr/share/zorp/pylib/Zorp/Zone.py", line 471, in setAddrRelatives
zorp-plug[17804]:     raise NotImplementedError
zorp-plug[17804]: NotImplementedError
zorp-plug[17802]: (noname/nosession): Error opening policy file /etc/zorp/policy-plug.py

--
Regards,
Zsiga
Move the InetZone to the start of the line. (Python marks the start of a block with indentation.)

That surprised me a little. But I moved it out, started it, and should I tell you? :)

zorp-plug[17802]: Verbosity level: 3
zorp-plug[17804]: Traceback (innermost last):
zorp-plug[17804]:   File "/etc/zorp/policy-plug.py", line 39, in ?
zorp-plug[17804]:     outbound_services=["bd_ssh"]),
zorp-plug[17804]:   File "/usr/share/zorp/pylib/Zorp/Zone.py", line 543, in __init__
zorp-plug[17804]:     Zone.__init__(self, name, addr, inbound_services, outbound_services, admin_parent, umbrella, InetDomain)
zorp-plug[17804]:   File "/usr/share/zorp/pylib/Zorp/Zone.py", line 422, in __init__
zorp-plug[17804]:     Zone("%s-#%u" % (name, i), addr[i], admin_parent=self.name, domain=domain)
zorp-plug[17804]:   File "/usr/share/zorp/pylib/Zorp/Zone.py", line 428, in __init__
zorp-plug[17804]:     self.setAddrRelatives()
zorp-plug[17804]:   File "/usr/share/zorp/pylib/Zorp/Zone.py", line 471, in setAddrRelatives
zorp-plug[17804]:     raise NotImplementedError
zorp-plug[17804]: NotImplementedError
zorp-plug[17802]: (noname/nosession): Error opening policy file /etc/zorp/policy-plug.py

Two zones have the same address range.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
On Fri, Jan 12, 2001 at 04:14:46PM +0100, Balazs Scheidler wrote:
Two zones have the same address range.

Please take a look at the full config and tell me which one, because I have several guesses: the full zone is 192.168.0.0/24. The levelezes zone also contains 192.168.0.2. The sshdmz zone contains 192.168.0.2, and its admin_parent is the full zone. Which one does it not like? Then the problem I outlined in one of my earlier mails has come up right away: "it would be nice, because I would only have to enter every machine in one place and could derive the other rights from that."

--
Regards,
Zsiga
InetZone("levelezes", ["192.168.0.2", "192.168.0.3", "192.168.0.4"], inbound_services=[""], outbound_services=["bd_pop"]),
InetZone("sshdmz", ["192.168.0.2"], admin_parent="full", inbound_services=[""], outbound_services=["bd_ssh"]),
Here is the problem. Take 192.168.0.2 out of the zone above, and enable the bd_pop service in the one below.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
On Fri, Jan 12, 2001 at 04:18:17PM +0100, Balazs Scheidler wrote:
Here is the problem. Take 192.168.0.2 out of the zone above, and enable the bd_pop service in the one below.

I took it out:

zorp-plug[17890]: Verbosity level: 3
zorp-plug[17892]: Traceback (innermost last):
zorp-plug[17892]:   File "/etc/zorp/policy-plug.py", line 53, in ?
zorp-plug[17892]:     outbound_services=[]),
zorp-plug[17892]: TypeError: keyword parameter redefined
zorp-plug[17890]: (noname/nosession): Error opening policy file /etc/zorp/policy-plug.py

This is the DMZ zone's outbound.

--
Regards,
Zsiga
Hi, send the newer policy you are editing now, or at least the DMZ zone declaration.

This is the DMZ zone's outbound.

--
Györkő Zoltán
BalaBit IT Biztonságtechnikai Kft.
tel/fax: (36-1)-217-14-98
1092 Bp. Köztelek u. 4/b
http://www.balabit.hu
On Fri, Jan 12, 2001 at 04:38:45PM +0100, Gyorko Zoltan wrote:
send the newer policy you are editing now, or at least the DMZ zone declaration.

# The firewall's leg toward the internal network: 192.168.0.250 eth2
# The firewall's leg toward the DMZ: 192.168.1.1 eth1
# The firewall's leg toward the internet: 100.100.100.100 eth0

from Zorp.Zorp import *
from Zorp import Zorp
from Zorp.Zone import InetZone
from Zorp.Service import Service
from Zorp.SockAddr import SockAddrInet
from Zorp.Chainer import TransparentChainer, DirectedChainer, \
                         InbandChainer, FailoverChainer
from Zorp.Plug import PlugProxy
from Zorp import Http
from Zorp.Http import HttpProxy
from Zorp.Ftp import FtpProxyAllow, FtpProxyMinimal
from Zorp.Listener import Listener

Zorp.firewall_name = 'zorp1@teszt.hu'

#---------------------------------------------------------#
#-----------------------ZONES-----------------------------#
#---------------------------------------------------------#

# I still have to think about a sensible division of the zones :)
# Unfortunately umbrella was left out of this version :)

#Zorp.zones = \
#[
InetZone("full", "192.168.0.0/24",
         inbound_services=[],
         outbound_services=["bd_http"]),
InetZone("levelezes", ["192.168.0.3", "192.168.0.4"],
         inbound_services=[],
         outbound_services=["bd_pop"]),
InetZone("sshdmz", ["192.168.0.2"], admin_parent="full",
         inbound_services=[],
         outbound_services=["bd_ssh", "bd_pop"]),
InetZone("sshki", ["192.168.0.1"], admin_parent="sshdmz",
         inbound_services=[],
         outbound_services=["bi_ssh", "bi_pop"]),
InetZone("web_mail", ["192.168.0.5", "192.168.0.6"], admin_parent="levelezes",
         inbound_services=[],
         outbound_services=["bi_http", "bi_ftp"]),
InetZone("DMZ", "192.168.1.0", "255.255.255.0",
         inbound_services=["bd_http", "bd_ssh", "bd_pop", "id_http", "id_pop"],
         outbound_services=[]),
InetZone("local", "127.0.0.0", "255.0.0.0",
         inbound_services=["*"],
         outbound_services=[]),
InetZone("internet", "0.0.0.0", "0.0.0.0",
         inbound_services=["bi_http", "bi_ftp", "bi_pop", "bi_ssh"],
         outbound_services=["id_http", "id_pop"])
#]

#---------------------------------------------------------#
#------------------CLASSES--------------------------------#
#---------------------------------------------------------#

# Access from the internal network to the internet over http
class BIHttp(Http.HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.transparent_mode = TRUE
        # Could I get a bit of info on this?
        self.request["GET"] = (Http.HTTP_POLICY, self.filterURL)

    # A bit of info on this would be nice too :)
    def filterURL(self, method, url, version):
        log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url))

# Access from the internal network to the internet over ftp
class BIFtp(FtpProxyAllow):
    def config(self):
        FtpProxyAllow.config(self)
        self.transparent_mode = TRUE

# Access from the internal network to the internet over pop3
class BIPop(PlugProxy):
    def config(self):
        pass

# Access from the internal network to the DMZ over pop3
class BDPop(PlugProxy):
    def config(self):
        pass

# Access from the internet to the DMZ over pop3
class IDPop(PlugProxy):
    def config(self):
        pass

# Access from the internal network to the DMZ over http
class BDHttp(HttpProxy):
    def config(self):
        self.transparent_mode = 1

# Access from the internal network to the DMZ over ssh
class BDSsh(PlugProxy):
    def config(self):
        pass

# Access from the internal network to the internet over ssh
class BISsh(PlugProxy):
    def config(self):
        pass

# Access from the internet to the DMZ over http
class IDHttp(HttpProxy):
    def config(self):
        self.transparent_mode = 1

#---------------------------------------------------------#
#----------------INITS------------------------------------#
#---------------------------------------------------------#

def init(name):
    debug(0, "Policy init, name=%s" % name)
    Service("bi_http", InbandChainer(), BIHttp)
    Service("bi_ftp", TransparentChainer(), BIFtp)
    Service("bi_pop", TransparentChainer(), BIPop)
    Service("bd_pop", TransparentChainer(), BDPop)
    Service("bd_http", TransparentChainer(), BDHttp)
    Service("bd_ssh", TransparentChainer(), BDSsh)
    Service("bi_ssh", TransparentChainer(), BISsh)
    # The www server is at 192.168.1.2 on port 80
    Service("id_http", DirectedChainer(SockAddrInet("192.168.1.2", 80)), IDHttp)
    # The pop3 server is at 192.168.1.2 on port 110
    Service("id_pop", DirectedChainer(SockAddrInet("192.168.1.2", 110)), IDPop)

#---------------------------------------------------------#
#----------------LISTENERS--------------------------------#
#---------------------------------------------------------#

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 80 -j REDIRECT 3128
Listener(SockAddrInet("192.168.0.250", 3128), "bi_http")
# Once the proxy server is ready:
# ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 80 -j REDIRECT 3128
# Then nothing needs to be configured on the proxy.
# A separate zone has to be defined because of the proxy.

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 21 -j REDIRECT 2021
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 1024: -j REDIRECT 0
Listener(SockAddrInet("192.168.0.250", 2021), "bi_ftp")
# Once the proxy server is ready:
# ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 21 -j REDIRECT 2021
# ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 1024: -j REDIRECT 0
# A separate zone has to be defined because of the proxy.

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 110 -j REDIRECT 2110
Listener(SockAddrInet("192.168.0.250", 2110), "bi_pop")

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.3 110 -j REDIRECT 3110
Listener(SockAddrInet("192.168.0.250", 3110), "bd_pop")

# It makes no sense to put an ipchains REDIRECT here, right?
Listener(SockAddrInet("100.100.100.100", 110), "id_pop")

# The www server listens on port 80 of 192.168.1.2.
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.2 80 -j REDIRECT 3080
Listener(SockAddrInet("192.168.0.250", 3080), "bd_http")
# If this too may only go through the proxy, the ipchains rule is not needed.

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.0/24 22 -j REDIRECT 3022
Listener(SockAddrInet("192.168.0.250", 3022), "bd_ssh")

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 22 -j REDIRECT 4022
Listener(SockAddrInet("192.168.0.250", 4022), "bi_ssh")

# It makes no sense to put an ipchains REDIRECT here, right?
Listener(SockAddrInet("100.100.100.100", 80), "id_http")

--
Regards,
Zsiga
InetZone("web_mail", ["192.168.0.5", "192.168.0.6"], admin_parent="levelezes", inbound_services=[], outbound_services=["bi_http", "bi_ftp"]),
Here you still listed IPs, fine so far.
InetZone("DMZ", "192.168.1.0", "255.255.255.0", inbound_services=["bd_http", "bd_ssh", "bd_pop", "id_http", "id_pop"], outbound_services=[]),
Here, however, you are not listing IPs as the zone but a range, so the netmask must not be listed either; the correct form (as in full) is: 192.168.1.0/24
InetZone("local", "127.0.0.0", "255.0.0.0", inbound_services=["*"], outbound_services=[]),
And this one, of course, is 127.0.0.0/8

--
Györkő Zoltán
BalaBit IT Biztonságtechnikai Kft.
tel/fax: (36-1)-217-14-98
1092 Bp. Köztelek u. 4/b
http://www.balabit.hu
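As an added example (not code from this thread or from Zorp itself), a stand-alone checker for the two zone mistakes diagnosed above: the same host address declared in two zones (Bazsi's finding) and a netmask passed as a separate argument instead of a CIDR range (Gyorko's finding). It takes plain (name, addresses, admin_parent) tuples as a stand-in for the InetZone calls, relies on Python's ipaddress module, and the two sample zone lists are constructed from the configs posted in the thread.

```python
import ipaddress

# Stand-in for the InetZone declarations: (name, address spec, admin_parent).
# The spec is a CIDR string, a list of host IPs, or an (addr, mask) tuple,
# the last being the form the thread shows 0.7.x rejecting.


def normalize_addr(spec):
    """Fold a zone address spec into a list of ip_network objects."""
    if isinstance(spec, tuple):               # ("192.168.1.0", "255.255.255.0")
        addr, mask = spec
        return [ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)]
    if isinstance(spec, str):                 # "192.168.0.0/24"
        return [ipaddress.ip_network(spec, strict=False)]
    return [ipaddress.ip_network(host) for host in spec]   # ["192.168.0.2", ...]


def check_zones(zones):
    """Return a list of problem strings; an empty list means the layout passes.

    Covers what the thread tripped over:
      * the same address or network declared in two zones (the
        NotImplementedError raised from setAddrRelatives);
      * a range written as (addr, mask) instead of CIDR (the
        "keyword parameter redefined" TypeError);
      * an admin_parent that names no declared zone.
    A host zone nested inside a larger network (sshdmz inside full) is fine.
    """
    problems = []
    names = set(name for name, _, _ in zones)
    seen = {}                     # ip_network -> zone that declared it first
    for name, spec, parent in zones:
        if isinstance(spec, tuple):
            net = normalize_addr(spec)[0]
            problems.append("%s: give the range as %s, not (addr, mask)" % (name, net))
        if parent is not None and parent not in names:
            problems.append("%s: admin_parent %r is not a zone" % (name, parent))
        for net in normalize_addr(spec):
            if net in seen:
                problems.append("%s and %s both contain %s" % (seen[net], name, net))
            else:
                seen[net] = name
    return problems


# Constructed from the thread: the zone list that failed to load ...
ZONES_BEFORE = [
    ("full", "192.168.0.0/24", None),
    ("levelezes", ["192.168.0.2", "192.168.0.3", "192.168.0.4"], None),
    ("sshdmz", ["192.168.0.2"], "full"),
    ("DMZ", ("192.168.1.0", "255.255.255.0"), None),
    ("local", ("127.0.0.0", "255.0.0.0"), None),
]
# ... and the same layout with the corrections from the replies applied.
ZONES_AFTER = [
    ("full", "192.168.0.0/24", None),
    ("levelezes", ["192.168.0.3", "192.168.0.4"], None),
    ("sshdmz", ["192.168.0.2"], "full"),
    ("DMZ", "192.168.1.0/24", None),
    ("local", "127.0.0.0/8", None),
]

if __name__ == "__main__":
    for label, zones in (("before", ZONES_BEFORE), ("after", ZONES_AFTER)):
        print(label, check_zones(zones) or "ok")
```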
On Fri, Jan 12, 2001 at 04:52:58PM +0100, Gyorko Zoltan wrote:
InetZone("DMZ", "192.168.1.0", "255.255.255.0", inbound_services=["bd_http", "bd_ssh", "bd_pop", "id_http", "id_pop"], outbound_services=[]),
Here, however, you are not listing IPs as the zone but a range, so the netmask must not be listed either

I fixed it (together with the internet zone: 0.0.0.0/0):

zorp-plug[4861]: Verbosity level: 3
zorp-plug[4863]: Traceback (innermost last):
zorp-plug[4863]:   File "/etc/zorp/policy-plug.py", line 153, in ?
zorp-plug[4863]:     Listener(SockAddrInet("192.168.0.250", 3128), "bi_http")
zorp-plug[4863]:   File "/usr/share/zorp/pylib/Zorp/Listener.py", line 76, in __init__
zorp-plug[4863]:     raise ServiceException, "Service %s not found" % (service,)
zorp-plug[4863]: Service: Service bi_http not found
zorp-plug[4861]: (noname/nosession): Error opening policy file /etc/zorp/policy-plug.py

Is its only remaining problem that the ipchains redirects are not set up yet? If that is really it, what is the customary (correct, recommended by you) way (and order) of setting up the ipchains rules?

I hid a couple of questions in the config :) could you answer them? I'll highlight them:

class BIHttp(Http.HttpProxy):
        # Could I get a bit of info on this?
        self.request["GET"] = (Http.HTTP_POLICY, self.filterURL)

    # A bit of info on this would be nice too :)
    def filterURL(self, method, url, version):
        log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url))

This one is responsible for pop3 access to the mail server from the internet.

# It makes no sense to put an ipchains REDIRECT here, right?
Listener(SockAddrInet("100.100.100.100", 110), "id_pop")

This one is responsible for www access to the www server from the internet.

# It makes no sense to put an ipchains REDIRECT here, right?
Listener(SockAddrInet("100.100.100.100", 80), "id_http")

--
Regards,
Zsiga
participants (3): Balazs Scheidler, Gyorko Zoltan, Kosa Attila