Hello! A konfigot a zorp-gateway-v3.3FR1-tutorial-ssl-en.pdf nevu - altalatok javasolt - dokumentaciobol vettem: from Zorp.Core import * from Zorp.Pssl import * from Zorp.Http import * InetZone("intranet", "192.168.2.0/24", inbound_services=[], outbound_services=["intra_Keybridge_HTTPS_inter"]) InetZone("internet", "0.0.0.0/0", inbound_services=["intra_Keybridge_HTTPS_inter"], outbound_services=[]) class StrongHttpsProxy(HttpProxy): def config(self): HttpProxy.config(self) self.ssl.client_keypair_files=("/etc/ssl/certs/fw.akarmi.hu.crt", "/etc/ssl/private/fw.akarmi.hu.key") self.ssl.client_verify_type=SSL_VERIFY_NONE self.ssl.client_connection_security = SSL_FORCE_SSL self.ssl.server_connection_security = SSL_FORCE_SSL self.ssl.server_cagroup_directories=("/etc/zorp/ca.crt", "/etc/zorp/crls/") self.ssl.server_ssl_method=SSL_METHOD_ALL self.ssl.server_disable_proto_sslv2=TRUE self.ssl.server_ssl_cipher=SSL_CIPHERS_HIGH self.ssl.server_verify_type=SSL_VERIFY_REQUIRED_UNTRUSTED class KeybrideStrongHttpsProxy(StrongHttpsProxy): def config(self): StrongPsslProxy.config(self) self.handshake_seq=PSSL_HSO_SERVER_CLIENT self.client_keypair_generate=TRUE self.ssl.key_generator=X509KeyBridge(key_file="/etc/zorp/keybridging_cert/fwca.key", key_passphrase="jelszo", cache_directory="/var/lib/zorp/ssl-bridge", trusted_ca_files=("/etc/zorp/certs/trust.crt", "/etc/zorp/certs/trust.key.nopass"), untrusted_ca_files=("/etc/zorp/certs/untrust.crt", "/etc/zorp/certs/untrust.key.nopass")) def ssl_keybridge() : Service(name="intra_Keybridge_HTTPS_inter", proxy_class=KeybrideStrongHttpsProxy, router=TransparentRouter(overrideable=FALSE, forge_addr=TRUE)) Dispatcher(bindto=SockAddrInet('192.168.2.254', 50443), service="intra_Keybridge_HTTPS_inter", transparent=TRUE, threaded=FALSE, backlog=255) A /etc/zorp/instances.conf fajl tartalma: ssl_keybridge --verbose=5 --threads=100 --policy /etc/zorp/policy.py --autobind-ip 192.168.200.254 # zorpctl start Starting Zorp Firewall Suite: 
/usr/share/zorp/pylib/Zorp/Pssl.py:525: DeprecationWarning: the sets module is deprecated from sets import ImmutableSet Traceback (most recent call last): File "/usr/share/zorp/pylib/Zorp/Zorp.py", line 485, in init func() File "/etc/zorp/policy.py", line 38, in ssl_keybridge Dispatcher(bindto=SockAddrInet('192.168.2.254', 50443), service="intra_Keybridge_HTTPS_inter", transparent=TRUE, threaded=FALSE, backlog=255) File "/usr/share/zorp/pylib/Zorp/Dispatch.py", line 388, in __init__ AbstractDispatch.__init__(self, Zorp.firewall_name, bindto, **kw) File "/usr/share/zorp/pylib/Zorp/Dispatch.py", line 224, in __init__ if bindto.protocol == ZD_PROTO_AUTO: AttributeError: No such attribute ssl_keybridge! The following errors occurred so far: Zorp instance startup failed, instance='ssl_keybridge', rc='512' # zorpctl version Zorp 3.9.0 Revision: ssh+git://coroner@git.balabit//var/scm/git/zorp/zorp-core--mainline--4.0#master#fcb59dd06e0805ce995b8d94cc8c12096e385365 Compile-Date: Apr 13 2011 09:11:19 Config-Date: 2011/04/13 Trace: off Debug: off IPOptions: off IPFilter-Tproxy: off Netfilter-Tproxy: on Linux22-Tproxy: off libzorpll 3.9.0.1 Revision: Compile-Date: Apr 12 2011 14:36:53 Trace: off MemTrace: off Caps: on Debug: off StackDump: off -- Udvozlettel Zsiga
On Wed, Apr 13, 2011 at 11:41:52AM +0200, Kosa Attila wrote:
Dispatcher(bindto=SockAddrInet('192.168.2.254', 50443), service="intra_Keybridge_HTTPS_inter", transparent=TRUE, threaded=FALSE, backlog=255)
Ezt a sort kicsereltem erre: Dispatcher(bindto=DBIface(protocol=ZD_PROTO_TCP, iface="eth1", ip="192.168.2.254", port=60443), service="intra_Keybridge_HTTPS_inter", transparent=TRUE, threaded=FALSE, backlog=255) Igy mar legalabb elindul. De mukodni tovabbra sem mukodik... A log: Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.debug(0): (nosession): Starting up; verbose_level='5', version='3.9.0', startup_id='1302698576' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.debug(5): (nosession): Outbound service; zone='intranet', service='intra_Keybridge_HTTPS_inter' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.debug(5): (nosession): Inbound service; zone='internet', service='intra_Keybridge_HTTPS_inter' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.info(4): (nosession): Interface added; if_index='1', if_name='lo', if_flags='73' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.info(4): (nosession): Interface added; if_index='2', if_name='eth0', if_flags='4163' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.info(4): (nosession): Interface added; if_index='3', if_name='eth1', if_flags='4163' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.info(4): (nosession): Address added to interface; if_name='lo', if_addr='127.0.0.1' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.info(4): (nosession): Address added to interface; if_name='eth0', if_addr='192.168.100.140' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.info(4): (nosession): Address added to interface; if_name='eth1', if_addr='192.168.2.254' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.debug(4): (dsp/dispatch:0): Adding dynamic interface address; addr='AF_INET(192.168.2.254:60443)', dispatch='IFACE(proto=1,iface=eth1,ip=192.168.2.254,port=60443,family=2)' Apr 13 14:43:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.accounting(4): (szig/conn:0/stream): accounting 
info; type='ZStreamFD', duration='0', sent='11', received='37' Apr 13 14:43:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.accounting(4): (szig/conn:0/stream): accounting info; type='ZStreamBuf', duration='0', sent='0', received='0' Apr 13 14:43:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.accounting(4): (szig/conn:0/stream): accounting info; type='ZStreamLine', duration='0', sent='11', received='36' Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.session(5): (svc/intra_Keybridge_HTTPS_inter): Starting service; name='intra_Keybridge_HTTPS_inter' Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:0): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.2.1:1259)', client_zone='Zone(intranet, 192.168.2.0/24)', client_local='AF_INET(62.112.211.40:443)', client_protocol='TCP' Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy starting; class='KeybrideStrongHttpsProxy', proxy='http' Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.stderr(3): (stderr): Traceback (most recent call last):#012 Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.stderr(3): (stderr): File "/etc/zorp/policy.py", line 29, in config#012 Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy ending; class='KeybrideStrongHttpsProxy', module='http' Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.session(4): (svc/intra_Keybridge_HTTPS_inter:0): Ending proxy instance; Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/client): accounting info; type='ZStreamFD', duration='0', sent='0', received='0' Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.stderr(3): (stderr): StrongPsslProxy.config(self)#012 Apr 13 14:44:07 squeeze-zorp39gpl 
zorp/zorp_https[13689]: core.stderr(3): (stderr): NameError: global name 'StrongPsslProxy' is not defined#012 Ok, nincs definialva a StrongPsslProxy. Mondtam mar, hogy remek a doksi? :) Jo, tudom, hogy az nem a gpl-es verziohoz keszult, de konkretan erre hivatkoztatok... A gpl-eshez hol van az a doksi, amibol mukodo megoldast lehet varazsolni? -- Udvozlettel Zsiga
possible typo? class='KeybrideStrongHttpsProxy' -- end.re
-----Original Message----- From: zorp-hu-bounces@lists.balabit.hu [mailto:zorp-hu- bounces@lists.balabit.hu] On Behalf Of Kosa Attila Sent: Wednesday, April 13, 2011 2:53 PM To: zorp-hu@lists.balabit.hu Subject: Re: [zorp-hu] 3.9 ssl keybridge nem indul
On Wed, Apr 13, 2011 at 11:41:52AM +0200, Kosa Attila wrote:
Dispatcher(bindto=SockAddrInet('192.168.2.254', 50443),
service="intra_Keybridge_HTTPS_inter", transparent=TRUE, threaded=FALSE, backlog=255)
Ezt a sort kicsereltem erre:
Dispatcher(bindto=DBIface(protocol=ZD_PROTO_TCP, iface="eth1", ip="192.168.2.254", port=60443), service="intra_Keybridge_HTTPS_inter", transparent=TRUE, threaded=FALSE, backlog=255)
Igy mar legalabb elindul. De mukodni tovabbra sem mukodik...
A log:
Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy ending; class='KeybrideStrongHttpsProxy', module='http'
Ok, nincs definialva a StrongPsslProxy. Mondtam mar, hogy remek a doksi? :) Jo, tudom, hogy az nem a gpl-es verziohoz keszult, de konkretan erre hivatkoztatok... A gpl-eshez hol van az a doksi, amibol mukodo megoldast lehet varazsolni?
-- Udvozlettel Zsiga _______________________________________________ zorp-hu mailing list zorp-hu@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/zorp-hu
On Wed, Apr 13, 2011 at 03:00:33PM +0200, Szabó Endre Zoltán wrote:
possible typo?
class='KeybrideStrongHttpsProxy'
Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy ending; class='KeybrideStrongHttpsProxy', module='http'
Mind a ket helyen elgepeltem, ugyhogy nem szamit :) Kijavitottam KeybridgeStrongHttpsProxy-ra, de semmit nem valtoztatott a helyzeten. -- Udvozlettel Zsiga
ez a StrongPsslProxy valami szarmaztatott osztaly akar lenni? zorp-3.9.0 % fgrep StrongPsslProxy -r * || echo \;\( ;( -- end.re
-----Original Message----- From: zorp-hu-bounces@lists.balabit.hu [mailto:zorp-hu- bounces@lists.balabit.hu] On Behalf Of Kosa Attila Sent: Wednesday, April 13, 2011 2:53 PM To: zorp-hu@lists.balabit.hu Subject: Re: [zorp-hu] 3.9 ssl keybridge nem indul
On Wed, Apr 13, 2011 at 11:41:52AM +0200, Kosa Attila wrote:
Dispatcher(bindto=SockAddrInet('192.168.2.254', 50443),
service="intra_Keybridge_HTTPS_inter", transparent=TRUE, threaded=FALSE, backlog=255)
Ezt a sort kicsereltem erre:
Dispatcher(bindto=DBIface(protocol=ZD_PROTO_TCP, iface="eth1", ip="192.168.2.254", port=60443), service="intra_Keybridge_HTTPS_inter", transparent=TRUE, threaded=FALSE, backlog=255)
Igy mar legalabb elindul. De mukodni tovabbra sem mukodik...
A log:
Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.debug(0): (nosession): Starting up; verbose_level='5', version='3.9.0', startup_id='1302698576' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.debug(5): (nosession): Outbound service; zone='intranet', service='intra_Keybridge_HTTPS_inter' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.debug(5): (nosession): Inbound service; zone='internet', service='intra_Keybridge_HTTPS_inter' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.info(4): (nosession): Interface added; if_index='1', if_name='lo', if_flags='73' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.info(4): (nosession): Interface added; if_index='2', if_name='eth0', if_flags='4163' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.info(4): (nosession): Interface added; if_index='3', if_name='eth1', if_flags='4163' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.info(4): (nosession): Address added to interface; if_name='lo', if_addr='127.0.0.1' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.info(4): (nosession): Address added to interface; if_name='eth0', if_addr='192.168.100.140' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.info(4): (nosession): Address added to interface; if_name='eth1', if_addr='192.168.2.254' Apr 13 14:42:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.debug(4): (dsp/dispatch:0): Adding dynamic interface address; addr='AF_INET(192.168.2.254:60443)', dispatch='IFACE(proto=1,iface=eth1,ip=192.168.2.254,port=60443,family=2 )' Apr 13 14:43:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.accounting(4): (szig/conn:0/stream): accounting info; type='ZStreamFD', duration='0', sent='11', received='37' Apr 13 14:43:56 squeeze-zorp39gpl zorp/zorp_https[13689]: core.accounting(4): (szig/conn:0/stream): accounting info; type='ZStreamBuf', duration='0', sent='0', received='0' Apr 13 14:43:56 squeeze-zorp39gpl 
zorp/zorp_https[13689]: core.accounting(4): (szig/conn:0/stream): accounting info; type='ZStreamLine', duration='0', sent='11', received='36' Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.session(5): (svc/intra_Keybridge_HTTPS_inter): Starting service; name='intra_Keybridge_HTTPS_inter' Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:0): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.2.1:1259)', client_zone='Zone(intranet, 192.168.2.0/24)', client_local='AF_INET(62.112.211.40:443)', client_protocol='TCP' Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy starting; class='KeybrideStrongHttpsProxy', proxy='http' Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.stderr(3): (stderr): Traceback (most recent call last):#012 Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.stderr(3): (stderr): File "/etc/zorp/policy.py", line 29, in config#012 Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy ending; class='KeybrideStrongHttpsProxy', module='http' Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.session(4): (svc/intra_Keybridge_HTTPS_inter:0): Ending proxy instance; Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/client): accounting info; type='ZStreamFD', duration='0', sent='0', received='0' Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.stderr(3): (stderr): StrongPsslProxy.config(self)#012 Apr 13 14:44:07 squeeze-zorp39gpl zorp/zorp_https[13689]: core.stderr(3): (stderr): NameError: global name 'StrongPsslProxy' is not defined#012
Ok, nincs definialva a StrongPsslProxy. Mondtam mar, hogy remek a doksi? :) Jo, tudom, hogy az nem a gpl-es verziohoz keszult, de konkretan erre hivatkoztatok... A gpl-eshez hol van az a doksi, amibol mukodo megoldast lehet varazsolni?
-- Udvozlettel Zsiga _______________________________________________ zorp-hu mailing list zorp-hu@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/zorp-hu
On Wed, Apr 13, 2011 at 03:23:09PM +0200, Szabó Endre Zoltán wrote:
ez a StrongPsslProxy valami szarmaztatott osztaly akar lenni?
zorp-3.9.0 % fgrep StrongPsslProxy -r * || echo \;\( ;(
A fizetos zorp-ban van ilyen "eloregyartott" osztaly, erre hivatkozik a doksi, amit ajanlottak. Most azon probalkozom, hogy osszebogarasszak egy olyat, ami ahhoz hasonlit, es hajlando mukodni :) -- Udvozlettel Zsiga
Fizetos sem nyero latszolag. # find / -name \*.py | xargs fgrep -H StrongPsslProxy || echo \;\( ;( -- end.re
-----Original Message----- From: zorp-hu-bounces@lists.balabit.hu [mailto:zorp-hu- bounces@lists.balabit.hu] On Behalf Of Kosa Attila Sent: Wednesday, April 13, 2011 3:28 PM To: Magyar nyelvu Zorp levelezesi lista. Subject: Re: [zorp-hu] 3.9 ssl keybridge nem indul
On Wed, Apr 13, 2011 at 03:23:09PM +0200, Szabó Endre Zoltán wrote:
ez a StrongPsslProxy valami szarmaztatott osztaly akar lenni?
zorp-3.9.0 % fgrep StrongPsslProxy -r * || echo \;\( ;(
A fizetos zorp-ban van ilyen "eloregyartott" osztaly, erre hivatkozik a doksi, amit ajanlottak. Most azon probalkozom, hogy osszebogarasszak egy olyat, ami ahhoz hasonlit, es hajlando mukodni :)
-- Udvozlettel Zsiga _______________________________________________ zorp-hu mailing list zorp-hu@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/zorp-hu
On Wed, Apr 13, 2011 at 03:31:55PM +0200, Szabó Endre Zoltán wrote:
Fizetos sem nyero latszolag.
# find / -name \*.py | xargs fgrep -H StrongPsslProxy || echo \;\( ;(
Ott megis mukodik. A .py fajlokban en sem talaltam, termeszetesen ott is megneztem, hatha kevesebbet kell dolgoznom :) -- Udvozlettel Zsiga
Hm hat en nem tudok ilyen proxyt kivalasztani. Biztos nem kezimunka es policy.py-ban van csak? -- end.re
-----Original Message----- From: zorp-hu-bounces@lists.balabit.hu [mailto:zorp-hu- bounces@lists.balabit.hu] On Behalf Of Kosa Attila Sent: Wednesday, April 13, 2011 3:39 PM To: Magyar nyelvu Zorp levelezesi lista. Subject: Re: [zorp-hu] 3.9 ssl keybridge nem indul
On Wed, Apr 13, 2011 at 03:31:55PM +0200, Szabó Endre Zoltán wrote:
Fizetos sem nyero latszolag.
# find / -name \*.py | xargs fgrep -H StrongPsslProxy || echo \;\( ;(
Ott megis mukodik. A .py fajlokban en sem talaltam, termeszetesen ott is megneztem, hatha kevesebbet kell dolgoznom :)
-- Udvozlettel Zsiga _______________________________________________ zorp-hu mailing list zorp-hu@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/zorp-hu
On Wed, Apr 13, 2011 at 03:43:51PM +0200, Szabó Endre Zoltán wrote:
Hm hat en nem tudok ilyen proxyt kivalasztani. Biztos nem kezimunka es policy.py-ban van csak?
Nekem ott van ilyen, de a doksi is emliti: "Navigate to the Proxies tab of the Zorp ZMC component and select the SSL/TLS proxy to be used (e.g.: StrongPsslProxy, or derive a new one)." De a sajatomat hiaba probaltam "atemelni", ugyanugy elszallt az alabbi uzenettel. Ha kiszedem a StrongPsslProxy-t, akkor pedig azert obegat a logba, hogy nincs definialva az X509KeyBridge: Apr 13 15:45:59 squeeze-zorp39gpl zorp/zorp_https[13889]: core.session(5): (svc/intra_Keybridge_HTTPS_inter): Starting service; name='intra_Keybridge_HTTPS_inter' Apr 13 15:45:59 squeeze-zorp39gpl zorp/zorp_https[13889]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:0): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.2.1:1290)', client_zone='Zone(intranet, 192.168.2.0/24)', client_local='AF_INET(62.112.211.40:443)', client_protocol='TCP' Apr 13 15:45:59 squeeze-zorp39gpl zorp/zorp_https[13889]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy starting; class='KeybridgeStrongHttpsProxy', proxy='http' Apr 13 15:45:59 squeeze-zorp39gpl zorp/zorp_https[13889]: core.stderr(3): (stderr): Traceback (most recent call last):#012 Apr 13 15:45:59 squeeze-zorp39gpl zorp/zorp_https[13889]: core.stderr(3): (stderr): File "/etc/zorp/policy.py", line 29, in config#012 Apr 13 15:45:59 squeeze-zorp39gpl zorp/zorp_https[13889]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy ending; class='KeybridgeStrongHttpsProxy', module='http' Apr 13 15:45:59 squeeze-zorp39gpl zorp/zorp_https[13889]: core.session(4): (svc/intra_Keybridge_HTTPS_inter:0): Ending proxy instance; Apr 13 15:45:59 squeeze-zorp39gpl zorp/zorp_https[13889]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/client): accounting info; type='ZStreamFD', duration='0', sent='0', received='0' Apr 13 15:45:59 squeeze-zorp39gpl zorp/zorp_https[13889]: core.stderr(3): (stderr): self.ssl.key_generator=X509KeyBridge(key_file="/etc/zorp/keybridging_cert/fwca.key", key_passphrase="12345678", 
cache_directory="/var/lib/zorp/ssl-bridge", trusted_ca_files=("/etc/zorp/certs/trust.crt", "/etc/zorp/certs/trust.key.nopass"), untrusted_ca_files=("/etc/zorp/certs/untrust.crt", "/etc/zorp/certs/untrust.key.nopass"))#012 Apr 13 15:45:59 squeeze-zorp39gpl zorp/zorp_https[13889]: core.stderr(3): (stderr): NameError: global name 'X509KeyBridge' is not defined#012 Szoval valaki elarulhatna, hogy akkor hogyan is kell keybridge-es ssl-t osszerakni, mert az ajanlott doksi alapjan nem akarodzik sikerulni... -- Udvozlettel Zsiga
On Wed, Apr 13, 2011 at 03:52:08PM +0200, Kosa Attila wrote:
Ha kiszedem a StrongPsslProxy-t, akkor pedig azert obegat a logba, hogy nincs definialva az X509KeyBridge:
Apr 13 15:45:59 squeeze-zorp39gpl zorp/zorp_https[13889]: core.stderr(3): (stderr): NameError: global name 'X509KeyBridge' is not defined#012
Miutan leirtam a fentieket, beugrott valami, es megneztem a /usr/share/zorp/pylib/Zorp konyvtarat, es mit ad Isten, van egy Keybridge.py fajl :) Importaltam, es maris mas a hibauzenet :) Rossz konyvtarat adtam meg neki, ahova generalta volna a kulcsokat. Azt is javitottam, es ezt kaptam a logba: Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter): Starting service; name='intra_Keybridge_HTTPS_inter' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:0): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.2.1:1296)', client_zone='Zone(intranet, 192.168.2.0/24)', client_local='AF_INET(62.112.211.40:443)', client_protocol='TCP' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy starting; class='KeybridgeStrongHttpsProxy', proxy='http' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.error(3): (svc/intra_Keybridge_HTTPS_inter:0/http/client): Error while fetching line; error='Invalid line, embedded NUL character found, buffer=[#026#003#001]' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/client): accounting info; type='ZStreamLine', duration='0', sent='0', received='49' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy ending; class='KeybridgeStrongHttpsProxy', module='http' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(4): (svc/intra_Keybridge_HTTPS_inter:0): Ending proxy instance; Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/client): accounting info; type='ZStreamFD', duration='0', sent='0', received='77' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter): 
Starting service; name='intra_Keybridge_HTTPS_inter' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:1): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.2.1:1297)', client_zone='Zone(intranet, 192.168.2.0/24)', client_local='AF_INET(62.112.211.40:443)', client_protocol='TCP' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:1/http): Proxy starting; class='KeybridgeStrongHttpsProxy', proxy='http' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.error(3): (svc/intra_Keybridge_HTTPS_inter:1/http/client): Error while fetching line; error='Invalid line, embedded NUL character found, buffer=[#026#003]' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:1/http/client): accounting info; type='ZStreamLine', duration='0', sent='0', received='20' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:1/http): Proxy ending; class='KeybridgeStrongHttpsProxy', module='http' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(4): (svc/intra_Keybridge_HTTPS_inter:1): Ending proxy instance; Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:1/http/client): accounting info; type='ZStreamFD', duration='0', sent='0', received='72' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter): Starting service; name='intra_Keybridge_HTTPS_inter' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:2): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.2.1:1298)', client_zone='Zone(intranet, 192.168.2.0/24)', client_local='AF_INET(62.112.211.40:443)', client_protocol='TCP' Apr 13 15:56:07 squeeze-zorp39gpl 
zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:2/http): Proxy starting; class='KeybridgeStrongHttpsProxy', proxy='http' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:2/http/client): accounting info; type='ZStreamLine', duration='0', sent='0', received='0' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:2/http): Proxy ending; class='KeybridgeStrongHttpsProxy', module='http' Apr 13 15:56:07 squeeze-zorp39gpl zorp/zorp_https[13959]: core.session(4): (svc/intra_Keybridge_HTTPS_inter:2): Ending proxy instance; A konfig most igy nez ki: from Zorp.Core import * from Zorp.Pssl import * from Zorp.Http import * from Zorp.Keybridge import * InetZone("intranet", "192.168.2.0/24", inbound_services=[], outbound_services=["intra_Keybridge_HTTPS_inter"]) InetZone("internet", "0.0.0.0/0", inbound_services=["intra_Keybridge_HTTPS_inter"], outbound_services=[]) class StrongHttpsProxy(HttpProxy): def config(self): HttpProxy.config(self) self.ssl.client_keypair_files=("/etc/ssl/certs/fw.akarmi.hu.crt", "/etc/ssl/private/fw.akarmi.hu.key.nopass") self.ssl.client_verify_type=SSL_VERIFY_NONE self.ssl.client_connection_security = SSL_FORCE_SSL self.ssl.server_connection_security = SSL_FORCE_SSL self.ssl.server_cagroup_directories=("/etc/zorp/ca.crt", "/etc/zorp/crls/") self.ssl.server_ssl_method=SSL_METHOD_ALL self.ssl.server_disable_proto_sslv2=TRUE self.ssl.server_ssl_cipher=SSL_CIPHERS_HIGH self.ssl.server_verify_type=SSL_VERIFY_REQUIRED_UNTRUSTED class KeybridgeStrongHttpsProxy(StrongHttpsProxy): def config(self): self.ssl.key_generator=X509KeyBridge(key_file="/etc/zorp/keybridging_cert/fwca.key", key_passphrase="jelszo", cache_directory="/var/lib/zorp/keybridge-cache", trusted_ca_files=("/etc/zorp/certs/trust.crt", "/etc/zorp/certs/trust.key.nopass"), untrusted_ca_files=("/etc/zorp/certs/untrust.crt", 
"/etc/zorp/certs/untrust.key.nopass")) self.ssl.handshake_seq=PSSL_HSO_SERVER_CLIENT self.ssl.client_keypair_generate=TRUE def zorp_https() : Service(name="intra_Keybridge_HTTPS_inter", proxy_class=KeybridgeStrongHttpsProxy, router=TransparentRouter(overrideable=FALSE, forge_addr=TRUE)) Dispatcher(bindto=DBIface(protocol=ZD_PROTO_TCP, iface="eth1", ip="192.168.2.254", port=60443), service="intra_Keybridge_HTTPS_inter", transparent=TRUE, threaded=FALSE, backlog=255) -- Udvozlettel Zsiga
Sziasztok, On 04/13/2011 11:41 AM, Kosa Attila wrote:
A konfigot a zorp-gateway-v3.3FR1-tutorial-ssl-en.pdf nevu - altalatok javasolt - dokumentaciobol vettem:
from Zorp.Core import * from Zorp.Pssl import * from Zorp.Http import *
# Zone definitions.  By the parameter names, the service may only be
# started from "intranet" (outbound_services) and may only terminate in
# "internet" (inbound_services).
InetZone("intranet", "192.168.2.0/24", inbound_services=[], outbound_services=["intra_Keybridge_HTTPS_inter"])
# 0.0.0.0/0 also covers 192.168.2.0/24, so the more specific zone has to
# win for LAN clients to be classified as intranet.  The session logs in
# this thread (client_zone='Zone(intranet, 192.168.2.0/24)') show it does.
InetZone("internet", "0.0.0.0/0", inbound_services=["intra_Keybridge_HTTPS_inter"], outbound_services=[])
class StrongHttpsProxy(HttpProxy):
    """HttpProxy variant that forces TLS towards both the client and the server.

    The values are copied from the zorp-gateway tutorial quoted in this
    thread; the NOTE(review) comments mark settings worth re-checking before
    relying on them.

    NOTE(review): Zorp echoes the failing policy.py source line to
    core.stderr (see the tracebacks in this thread), so a literal secret such
    as the key_passphrase handed to X509KeyBridge in the subclass ends up in
    syslog.  Keep such values out of the policy source.
    """

    def config(self):
        # Parent defaults first; everything below overrides them.  A subclass
        # config() that skips its parent call (as the thread's later
        # KeybridgeStrongHttpsProxy did) never sets SSL_FORCE_SSL, so the
        # plain HTTP reader receives the raw TLS ClientHello -- the
        # "embedded NUL character found, buffer=[#026#003#001]" log entry is
        # octal for the 0x16 0x03 0x01 TLS record header.
        HttpProxy.config(self)
        # Certificate and private key presented on the client-facing side
        # (by attribute name).
        self.ssl.client_keypair_files=("/etc/ssl/certs/fw.akarmi.hu.crt", "/etc/ssl/private/fw.akarmi.hu.key")
        # No client certificate is requested (by the constant's name).
        self.ssl.client_verify_type=SSL_VERIFY_NONE
        # TLS is mandatory on both legs (by the constant's name).
        self.ssl.client_connection_security = SSL_FORCE_SSL
        self.ssl.server_connection_security = SSL_FORCE_SSL
        # NOTE(review): the attribute is named *_directories but the first
        # element is a file path (ca.crt) -- confirm what the API expects.
        self.ssl.server_cagroup_directories=("/etc/zorp/ca.crt", "/etc/zorp/crls/")
        # Any protocol version may be negotiated with the server except SSLv2;
        # nothing on these lines disables SSLv3.
        self.ssl.server_ssl_method=SSL_METHOD_ALL
        self.ssl.server_disable_proto_sslv2=TRUE
        self.ssl.server_ssl_cipher=SSL_CIPHERS_HIGH
        # NOTE(review): by its name this requires a server certificate but
        # also accepts one that does not chain to the CA group above, which
        # weakens server authentication -- confirm this is intended.
        self.ssl.server_verify_type=SSL_VERIFY_REQUIRED_UNTRUSTED
class KeybrideStrongHttpsProxy(StrongHttpsProxy): def config(self): StrongPsslProxy.config(self)
A fentit javitsd ki 'StrongHttpsProxy.config(self)'-re. Vegulis itt arrol van szo, hogy a szulo osztaly config metodusat hivja meg, szoval a szulo osztaly nevet kell odairni a .config(self) ele.
self.handshake_seq=PSSL_HSO_SERVER_CLIENT self.client_keypair_generate=TRUE self.ssl.key_generator=X509KeyBridge(key_file="/etc/zorp/keybridging_cert/fwca.key", key_passphrase="jelszo", cache_directory="/var/lib/zorp/ssl-bridge", trusted_ca_files=("/etc/zorp/certs/trust.crt", "/etc/zorp/certs/trust.key.nopass"), untrusted_ca_files=("/etc/zorp/certs/untrust.crt", "/etc/zorp/certs/untrust.key.nopass"))
def ssl_keybridge() : Service(name="intra_Keybridge_HTTPS_inter", proxy_class=KeybrideStrongHttpsProxy, router=TransparentRouter(overrideable=FALSE, forge_addr=TRUE))
Dispatcher(bindto=SockAddrInet('192.168.2.254', 50443), service="intra_Keybridge_HTTPS_inter", transparent=TRUE, threaded=FALSE, backlog=255)
-- KOVACS Krisztian
On Wed, Apr 13, 2011 at 03:51:30PM +0200, KOVACS Krisztian wrote:
class KeybrideStrongHttpsProxy(StrongHttpsProxy): def config(self): StrongPsslProxy.config(self)
A fentit javitsd ki 'StrongHttpsProxy.config(self)'-re.
Vegulis itt arrol van szo, hogy a szulo osztaly config metodusat hivja meg, szoval a szulo osztaly nevet kell odairni a .config(self) ele.
Az elozo levelemben kuldtem egy teljes konfigot. Most abba beleirtam a fenti javaslatodat, de tovabbra sem mukodik. A logban ez van: Apr 13 16:01:59 squeeze-zorp39gpl zorp/zorp_https[14032]: core.debug(4): (dsp/dispatch:0): Adding dynamic interface address; addr='AF_INET(192.168.2.254:60443)', dispatch='IFACE(proto=1,iface=eth1,ip=192.168.2.254,port=60443,family=2)' Apr 13 16:02:35 squeeze-zorp39gpl zorp/zorp_https[14032]: core.session(5): (svc/intra_Keybridge_HTTPS_inter): Starting service; name='intra_Keybridge_HTTPS_inter' Apr 13 16:02:35 squeeze-zorp39gpl zorp/zorp_https[14032]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:0): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.2.1:1302)', client_zone='Zone(intranet, 192.168.2.0/24)', client_local='AF_INET(195.228.112.250:443)', client_protocol='TCP' Apr 13 16:02:35 squeeze-zorp39gpl zorp/zorp_https[14032]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy starting; class='KeybridgeStrongHttpsProxy', proxy='http' Apr 13 16:02:56 squeeze-zorp39gpl zorp/zorp_https[14032]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http): accounting info; type='ZStreamFD', duration='0', sent='0', received='0' Apr 13 16:02:56 squeeze-zorp39gpl zorp/zorp_https[14032]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:0/http): Server connection failure; server_address='AF_INET(195.228.112.250:443)', server_zone='Zone(internet, 0.0.0.0/0)', server_local='None', server_protocol='TCP' Apr 13 16:02:56 squeeze-zorp39gpl zorp/zorp_https[14032]: core.error(3): (svc/intra_Keybridge_HTTPS_inter:0/http): Server connection failed to establish, giving up; Apr 13 16:02:56 squeeze-zorp39gpl zorp/zorp_https[14032]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/client): accounting info; type='ZStreamSsl', duration='21', sent='0', received='0' Apr 13 16:02:56 squeeze-zorp39gpl zorp/zorp_https[14032]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy ending; 
class='KeybridgeStrongHttpsProxy', module='http' Apr 13 16:02:56 squeeze-zorp39gpl zorp/zorp_https[14032]: core.session(4): (svc/intra_Keybridge_HTTPS_inter:0): Ending proxy instance; Az otpbankot probaltam elerni, es tutira elerheto, mert egy masik (nem virtualis) geprol megneztem kozben. -- Udvozlettel Zsiga
Sziasztok, On 04/13/2011 04:06 PM, Kosa Attila wrote:
On Wed, Apr 13, 2011 at 03:51:30PM +0200, KOVACS Krisztian wrote:
class KeybrideStrongHttpsProxy(StrongHttpsProxy):
    def config(self):
        StrongPsslProxy.config(self)
A fentit javitsd ki 'StrongHttpsProxy.config(self)'-re.
Vegulis itt arrol van szo, hogy a szulo osztaly config metodusat hivja meg, szoval a szulo osztaly nevet kell odairni a .config(self) ele.
Az elozo levelemben kuldtem egy teljes konfigot. Most abba beleirtam a fenti javaslatodat, de tovabbra sem mukodik. A logban ez van:
Apr 13 16:01:59 squeeze-zorp39gpl zorp/zorp_https[14032]: core.debug(4): (dsp/dispatch:0): Adding dynamic interface address; addr='AF_INET(192.168.2.254:60443)', dispatch='IFACE(proto=1,iface=eth1,ip=192.168.2.254,port=60443,family=2)'
Apr 13 16:02:35 squeeze-zorp39gpl zorp/zorp_https[14032]: core.session(5): (svc/intra_Keybridge_HTTPS_inter): Starting service; name='intra_Keybridge_HTTPS_inter'
Apr 13 16:02:35 squeeze-zorp39gpl zorp/zorp_https[14032]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:0): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.2.1:1302)', client_zone='Zone(intranet, 192.168.2.0/24)', client_local='AF_INET(195.228.112.250:443)', client_protocol='TCP'
Apr 13 16:02:35 squeeze-zorp39gpl zorp/zorp_https[14032]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy starting; class='KeybridgeStrongHttpsProxy', proxy='http'
Apr 13 16:02:56 squeeze-zorp39gpl zorp/zorp_https[14032]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http): accounting info; type='ZStreamFD', duration='0', sent='0', received='0'
Apr 13 16:02:56 squeeze-zorp39gpl zorp/zorp_https[14032]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:0/http): Server connection failure; server_address='AF_INET(195.228.112.250:443)', server_zone='Zone(internet, 0.0.0.0/0)', server_local='None', server_protocol='TCP'
Apr 13 16:02:56 squeeze-zorp39gpl zorp/zorp_https[14032]: core.error(3): (svc/intra_Keybridge_HTTPS_inter:0/http): Server connection failed to establish, giving up;
Apr 13 16:02:56 squeeze-zorp39gpl zorp/zorp_https[14032]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/client): accounting info; type='ZStreamSsl', duration='21', sent='0', received='0'
Apr 13 16:02:56 squeeze-zorp39gpl zorp/zorp_https[14032]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy ending; class='KeybridgeStrongHttpsProxy', module='http'
Apr 13 16:02:56 squeeze-zorp39gpl zorp/zorp_https[14032]: core.session(4): (svc/intra_Keybridge_HTTPS_inter:0): Ending proxy instance;
Az otpbankot probaltam elerni, es tutira elerheto, mert egy masik (nem virtualis) geprol megneztem kozben.
Valtozik a helyzet, ha a forge_addr-ot kikapcsolod erre a service-re? (A logbol az latszik, hogy a Zorp nem tudott kapcsolodni. Meg kellene nezned egy tcpdump-ot, hogy mi tortenik pontosan.) -- KOVACS Krisztian
On Wed, Apr 13, 2011 at 04:21:02PM +0200, KOVACS Krisztian wrote:
Valtozik a helyzet, ha a forge_addr-ot kikapcsolod erre a service-re? (A logbol az latszik, hogy a Zorp nem tudott kapcsolodni. Meg kellene nezned egy tcpdump-ot, hogy mi tortenik pontosan.)
Valtozik, igy mar kimegy, es generalodik is tanusitvany. Viszont a klienshez nem jut el semmi.
Apr 14 09:49:04 squeeze-zorp39gpl zorp/zorp_https[15299]: core.session(5): (svc/intra_Keybridge_HTTPS_inter): Starting service; name='intra_Keybridge_HTTPS_inter'
Apr 14 09:49:04 squeeze-zorp39gpl zorp/zorp_https[15299]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:0): Starting proxy instance; client_fd='20', client_address='AF_INET(192.168.2.1:1398)', client_zone='Zone(intranet, 192.168.2.0/24)', client_local='AF_INET(195.228.112.250:443)', client_protocol='TCP'
Apr 14 09:49:04 squeeze-zorp39gpl zorp/zorp_https[15299]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy starting; class='KeybridgeStrongHttpsProxy', proxy='http'
Apr 14 09:49:04 squeeze-zorp39gpl zorp/zorp_https[15299]: core.session(3): (svc/intra_Keybridge_HTTPS_inter:0/http): Server connection established; server_fd='24', server_address='AF_INET(195.228.112.250:443)', server_zone='Zone(internet, 0.0.0.0/0)', server_local='AF_INET(192.168.100.140:44708)', server_protocol='TCP'
Apr 14 09:49:04 squeeze-zorp39gpl zorp/zorp_https[15299]: core.debug(4): (svc/intra_Keybridge_HTTPS_inter:0/http): Identified peer; side='server', peer='/1.3.6.1.4.1.311.60.2.1.3=HU/businessCategory=V1.0, Clause 5.(b)/serialNumber=CG 01-10-041585/C=HU/postalCode=1051/ST=Budapest/L=Budapest/street=Nador utca 16./O=OTP Bank Nyrt./OU=ITUIG/CN=www.otpbank.hu', issuer='/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA', serial='1CA1232D46C148CACE9D67EA4AA4D58D', version='2'
Apr 14 09:49:04 squeeze-zorp39gpl zorp/zorp_https[15299]: core.debug(4): (svc/intra_Keybridge_HTTPS_inter:0/http): Generating key for the client; trusted='1'
Apr 14 09:49:04 squeeze-zorp39gpl zorp/zorp_https[15299]: core.debug(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Loading cached certificate; file='/var/lib/zorp/keybridge-cache/trusted-1e5e384ebb1630a2e0d7137de2b33fbe.crt'
Apr 14 09:49:04 squeeze-zorp39gpl zorp/zorp_https[15299]: core.debug(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Cached certificate ok, reusing; file='/var/lib/zorp/keybridge-cache/trusted-1e5e384ebb1630a2e0d7137de2b33fbe.crt'
Apr 14 09:49:04 squeeze-zorp39gpl zorp/zorp_https[15299]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/client): accounting info; type='ZStreamSsl', duration='0', sent='0', received='0'
Apr 14 09:49:04 squeeze-zorp39gpl zorp/zorp_https[15299]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/client): accounting info; type='ZStreamLine', duration='0', sent='0', received='0'
Apr 14 09:49:05 squeeze-zorp39gpl zorp/zorp_https[15299]: core.error(1): (svc/intra_Keybridge_HTTPS_inter:0/http/server): Stream read failed; stream='ZStreamFD', reason='Channel read timed out'
Apr 14 09:49:05 squeeze-zorp39gpl zorp/zorp_https[15299]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/server): accounting info; type='ZStreamSsl', duration='1', sent='0', received='0'
Apr 14 09:49:05 squeeze-zorp39gpl zorp/zorp_https[15299]: core.session(5): (svc/intra_Keybridge_HTTPS_inter:0/http): Proxy ending; class='KeybridgeStrongHttpsProxy', module='http'
Apr 14 09:49:05 squeeze-zorp39gpl zorp/zorp_https[15299]: core.accounting(4): (svc/intra_Keybridge_HTTPS_inter:0/http/server): accounting info; type='ZStreamFD', duration='1', sent='438', received='4631'
Apr 14 09:49:05 squeeze-zorp39gpl zorp/zorp_https[15299]: core.session(4): (svc/intra_Keybridge_HTTPS_inter:0): Ending proxy instance;
Sima http oldal bejon, tehat a halozat mukodik. Azonban az latszik, hogy a bongeszo mar dobja, hogy nem elerheto az oldal, es a logban csak ezutan jelennek meg a zorp uzenetei. Ugyanakkor a tcpdump-ban az latszik, hogy jonnek-mennek a csomagok a kliens es a tuzfal kozott. Ennel jobban meg nem melyultem el a tcpdump elemzeseben eddig. -- Udvozlettel Zsiga
On Thu, Apr 14, 2011 at 10:11:11AM +0200, Kosa Attila wrote:
Sima http oldal bejon, tehat a halozat mukodik. Azonban az latszik, hogy a bongeszo mar dobja, hogy nem elerheto az oldal, es a logban csak ezutan jelennek meg a zorp uzenetei. Ugyanakkor a tcpdump-ban az latszik, hogy jonnek-mennek a csomagok a kliens es a tuzfal kozott. Ennel jobban meg nem melyultem el a tcpdump elemzeseben eddig.
Na, most elmelyultem :) Es jelentem, mukodik! Az Internet Explorer szivatott meg. Ugyanis mukodik a konfig, csak az IE nem szolt egy szot sem, hogy gond van a tanusitvannyal, hanem lecsapta a kapcsolatot. Ellenorzendo megneztem Firefox-szal, az szolt, hogy nem ismeri a tanusitvanyt. Megetettem vele (es az IE-vel is) a trust.crt fajlt, azonnal mukodott mindket bongeszovel az otpbank. (Ez azert kell, mert a keybridge nem az eredeti szerver-tanusitvanyt adja tovabb a kliensnek, hanem a tuzfal sajat CA-javal - a trust.crt-hez tartozo kulccsal - alairt ujat general, igy a bongeszonek ezt a CA-t kell ismernie.) Koszi a segitseget mindenkinek! Es hogy meglegyen a komplett konfig, ami mukodik:

from Zorp.Core import *
from Zorp.Pssl import *
from Zorp.Http import *
from Zorp.Keybridge import *

InetZone("intranet", "192.168.2.0/24",
         inbound_services=[],
         outbound_services=["intra_Keybridge_HTTPS_inter"])
InetZone("internet", "0.0.0.0/0",
         inbound_services=["intra_Keybridge_HTTPS_inter"],
         outbound_services=[])

class StrongHttpsProxy(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.ssl.client_keypair_files=("/etc/ssl/certs/fw.akarmi.hu.crt", "/etc/ssl/private/fw.akarmi.hu.key.nopass")
        self.ssl.client_verify_type=SSL_VERIFY_NONE
        self.ssl.client_connection_security = SSL_FORCE_SSL
        self.ssl.server_connection_security = SSL_FORCE_SSL
        self.ssl.server_cagroup_directories=("/etc/zorp/ca.crt", "/etc/zorp/crls/")
        self.ssl.server_ssl_method=SSL_METHOD_ALL
        self.ssl.server_disable_proto_sslv2=TRUE
        self.ssl.server_ssl_cipher=SSL_CIPHERS_HIGH
        self.ssl.server_verify_type=SSL_VERIFY_REQUIRED_UNTRUSTED

class KeybridgeStrongHttpsProxy(StrongHttpsProxy):
    def config(self):
        StrongHttpsProxy.config(self)
        self.ssl.key_generator=X509KeyBridge(key_file="/etc/zorp/keybridging_cert/fwca.key",
                                             key_passphrase="12345678",
                                             cache_directory="/var/lib/zorp/keybridge-cache",
                                             trusted_ca_files=("/etc/zorp/certs/trust.crt", "/etc/zorp/certs/trust.key.nopass"),
                                             untrusted_ca_files=("/etc/zorp/certs/untrust.crt", "/etc/zorp/certs/untrust.key.nopass"))
        self.ssl.handshake_seq=PSSL_HSO_SERVER_CLIENT
        self.ssl.client_keypair_generate=TRUE

def zorp_https() :
    Service(name="intra_Keybridge_HTTPS_inter",
            proxy_class=KeybridgeStrongHttpsProxy,
            router=TransparentRouter(overrideable=FALSE, forge_addr=FALSE))
    Dispatcher(bindto=DBIface(protocol=ZD_PROTO_TCP, iface="eth1", ip="192.168.2.254", port=60443),
               service="intra_Keybridge_HTTPS_inter",
               transparent=TRUE, threaded=FALSE, backlog=255)

Meg kellettek ezek a parancsok:
/sbin/ip route add local 0.0.0.0/0 dev lo table 100
/sbin/ip rule add fwmark 1 lookup 100
/sbin/ip route flush cache

A csomagszuro tartalma:
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DIVERT -
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
-A PREROUTING -i IFintra -p tcp -s INTRANET --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 60080 --on-ip 192.168.2.254
-A PREROUTING -i IFintra -p tcp -s INTRANET --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 60443 --on-ip 192.168.2.254
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOintra -
:LOinter -
:icmpk -
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j icmpk
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i IFintra -j LOintra
-A INPUT -i IFinter -j LOinter
-A INPUT -j LOG --log-prefix "INPUT DROP: "
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A FORWARD -j DROP
-A LOintra -p tcp --dport 53 -j ACCEPT
-A LOintra -p udp --dport 53 -j ACCEPT
-A LOintra -p tcp --dport ZORPKIFELE -j ACCEPT
-A LOintra -j LOG --log-prefix "LOintra DROP: "
-A LOintra -j DROP
-A LOinter -p tcp --dport 22 -j ACCEPT
-A LOinter -j LOG --log-prefix "LOinter DROP: "
-A LOinter -j DROP
-A icmpk -p icmp --icmp-type destination-unreachable -j ACCEPT
-A icmpk -p icmp --icmp-type time-exceeded -j ACCEPT
-A icmpk -p icmp --icmp-type parameter-problem -j ACCEPT
-A icmpk -p icmp --icmp-type source-quench -j ACCEPT
-A icmpk -p icmp --icmp-type echo-request -j ACCEPT
-A icmpk -p icmp --icmp-type echo-reply -j ACCEPT
-A icmpk -j LOG --log-prefix "Icmpk DROP: "
-A icmpk -j DROP
COMMIT

Egy dolog nem egeszen vilagos a mukodesben, a ZORPKIFELE valtozot tartalmazo szabaly. Ebbe ugyanis fel kell vennem az osszes portot, amit a zorpon keresztul akarok engedni (a fenti peldaban a 443-at), kulonben a LOintra agon eldobasra kerulnek a csomagok, nem jutnak el a zorp-hoz. Hogy kellene ezt "elegansabban" megoldani? -- Udvozlettel Zsiga
Sziasztok, Klassz, koszonjuk. :) Jol ertesultem, hogy a GPL-es Zorpbol el fog tunni a keybridging feature? udv, -- end.re
-----Original Message----- From: zorp-hu-bounces@lists.balabit.hu [mailto:zorp-hu- bounces@lists.balabit.hu] On Behalf Of Kosa Attila Sent: Thursday, April 14, 2011 12:43 PM To: Magyar nyelvu Zorp levelezesi lista. Subject: Re: [zorp-hu] 3.9 ssl keybridge nem indul - megoldas
Egy dolog nem egeszen vilagos a mukodesben, a ZORPKIFELE valtozot tartalmazo szabaly. Ebbe ugyanis fel kell vennem az osszes portot, amit a zorpon keresztul akarok engedni (a fenti peldaban a 443-at), kulonben a LOintra agon eldobasra kerulnek a csomagok, nem jutnak el a zorp-hoz. Hogy kellene ezt "elegansabban" megoldani?
On Thu, Apr 14, 2011 at 12:54:49PM +0200, Szabó Endre Zoltán wrote:
Jol ertesultem, hogy a GPL-es Zorpbol el fog tunni a keybridging feature?
Mivel tudtommal most kerult bele a 3.9-be, nem tunik tul valoszinunek, de majd megmondjak a fejlesztok. -- Udvozlettel Zsiga
On cs, 2011-04-14 at 12:54 +0200, Szabó Endre Zoltán wrote:
Sziasztok,
Klassz, koszonjuk. :) Jol ertesultem, hogy a GPL-es Zorpbol el fog tunni a keybridging feature?
Két kérdés is felmerül ezzel kapcsoltban. Az egyik inkább csak költői, hogy kitől sikerült ilyen információt beszerezni. A másik, hogy egy GPL-es szoftver esetén, hogy lehetne egy feature-t "eltűntetni", hiszen az ahhoz tartozó forrás már GPL licenc alatt adott. Gyakorlatban persze ki lehetne venni az upstream verzióból, hogy aztán a BalaBittól függetlenül kelljen azt minden release-kor visszatenni, de ilyen irányú tervekről én nem tudok. Üdv, Pfeiffer Szilárd
Sziasztok, On 04/14/2011 12:43 PM, Kosa Attila wrote:
A csomagszuro tartalma:
[...]
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOintra -
:LOinter -
:icmpk -
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j icmpk
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i IFintra -j LOintra
-A INPUT -i IFinter -j LOinter
-A INPUT -j LOG --log-prefix "INPUT DROP: "
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A FORWARD -j DROP
-A LOintra -p tcp --dport 53 -j ACCEPT
-A LOintra -p udp --dport 53 -j ACCEPT
-A LOintra -p tcp --dport ZORPKIFELE -j ACCEPT
-A LOintra -j LOG --log-prefix "LOintra DROP: "
-A LOintra -j DROP
-A LOinter -p tcp --dport 22 -j ACCEPT
-A LOinter -j LOG --log-prefix "LOinter DROP: "
-A LOinter -j DROP
-A icmpk -p icmp --icmp-type destination-unreachable -j ACCEPT
-A icmpk -p icmp --icmp-type time-exceeded -j ACCEPT
-A icmpk -p icmp --icmp-type parameter-problem -j ACCEPT
-A icmpk -p icmp --icmp-type source-quench -j ACCEPT
-A icmpk -p icmp --icmp-type echo-request -j ACCEPT
-A icmpk -p icmp --icmp-type echo-reply -j ACCEPT
-A icmpk -j LOG --log-prefix "Icmpk DROP: "
-A icmpk -j DROP
COMMIT
Egy dolog nem egeszen vilagos a mukodesben, a ZORPKIFELE valtozot tartalmazo szabaly. Ebbe ugyanis fel kell vennem az osszes portot, amit a zorpon keresztul akarok engedni (a fenti peldaban a 443-at), kulonben a LOintra agon eldobasra kerulnek a csomagok, nem jutnak el a zorp-hoz. Hogy kellene ezt "elegansabban" megoldani?
Meg tudod ugy oldani, hogy beteszel egy olyan szabalyt, ami minden olyan csomagot elfogad, amit a mangle tablaban divertaltal (azaz a Zorp-hoz fog kerulni): Azaz mondjuk a "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" szabaly utan beteszel valami ilyesmit: -A INPUT -m mark --mark 0x1/0x1 -j ACCEPT Termeszetesen itt sem kotelezo a 0x1 erteket hasznalni (peldaul ha mas dolgokra is hasznalsz markot egy bonyolultabb csomagszuro rulesetben). Arra kell csak figyelni, hogy a DIVERT chain-en, a TPROXY targetnel, a policy routing rule hozzaadasanal es itt, a mark ellenorzesenel is ugyanaz a mark ertek (bit) legyen beallitva illetve ellenorizve. -- KOVACS Krisztian
On Fri, Apr 15, 2011 at 09:04:07AM +0200, KOVACS Krisztian wrote:
On 04/14/2011 12:43 PM, Kosa Attila wrote:
Egy dolog nem egeszen vilagos a mukodesben, a ZORPKIFELE valtozot tartalmazo szabaly. Ebbe ugyanis fel kell vennem az osszes portot, amit a zorpon keresztul akarok engedni (a fenti peldaban a 443-at), kulonben a LOintra agon eldobasra kerulnek a csomagok, nem jutnak el a zorp-hoz. Hogy kellene ezt "elegansabban" megoldani?
Meg tudod ugy oldani, hogy beteszel egy olyan szabalyt, ami minden olyan csomagot elfogad, amit a mangle tablaban divertaltal (azaz a Zorp-hoz fog kerulni):
Azaz mondjuk a "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" szabaly utan beteszel valami ilyesmit:
-A INPUT -m mark --mark 0x1/0x1 -j ACCEPT
Ez eszembe juthatott volna :) Koszi, termeszetesen mukodik. -- Udvozlettel Zsiga