On Fri, 2004-10-22 at 21:33, Phil Moors wrote:
I'm seeing 'import site failed' messages in the log when using zorpctl to start an instance. I only have one version of python installed (2.2.3). The zorp python lib seems to be found okay and the instance does start.
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Starting up; verbose_level='100', version='2.1.8'
Oct 22 15:09:10 fw1 intra[6793]: (Log thread): thread starting;
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): System dependant init; sysdep_tproxy='1'
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Start to listen; fd='11'
Oct 22 15:09:10 fw1 intra[6796]: (conntrack/thread): thread starting;
Oct 22 15:09:10 fw1 intra[6791]: zorp version 2.1.8 starting up
Oct 22 15:09:10 fw1 intra[6793]: (Log thread): 'import site' failed; use -v for traceback
Oct 22 15:09:10 fw1 intra[6793]: (Log thread): 'import site' failed; use -v for traceback
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Zone(intra): outbound service=intra_HTTP
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Zone(dmz): inbound service=intra_HTTP
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Zone(inter): inbound service=intra_HTTP
Oct 22 15:09:10 fw1 intra[6791]: (intra@zorp): Dispatcher on address; proto='1', local='AF_INET(192.168.115.45:50080)', prio='100'
Oct 22 15:09:10 fw1 intra[6791]: (intra@zorp/nosession): Start to listen; fd='14'
site is an internal Python module that Python always tries to import when you start the interpreter. It should be somewhere on your PYTHONPATH. If you don't have one, you can create an empty site.py in /etc/zorp.
When I send an http request out, I get the 'There was a problem connecting to the host you specified' message returned. This is a very simple policy (further below). The log reports 'Inbound service not permitted'. When setting an outbound policy, is the return connection automatically allowed?
Yes, as Zorp is a proxy based firewall, you only have one (the initiating) direction. Inbound service not permitted means that the service was not permitted into the zone where the server resides. Looking at your policy and the logfile you sent me, it looks like Zorp has some problems autodetecting your tproxy setup (sysdep_tproxy value is 1), as it sees the listener address as the original destination address:
Oct 22 15:29:38 fw2 priv[8970]: (priv@zorp/intra_HTTP:0): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.115.49:36435)', client_zone='Zone(priv, 192.168.0.0/16)', client_local='AF_INET(192.168.115.9:50080)'
                                                                                                                                                                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Probably it cannot bind to the autobind-IP you specified, which probably means that you don't have the dummy interface configured. client_local is the transparent destination if everything is OK. The rest is a consequence, the server address (as Zorp knows it) is 192.168.115.9, which is in Zone 'priv', where you don't permit the HTTP service.

-- 
Bazsi
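The symptom Bazsi points at (client_local equal to the instance's own listener address instead of the real destination) can be checked mechanically against the Zorp log. The script below is an added example, not code from the thread or from Zorp; the sample lines are constructed for it, modelled on the lines quoted above (the dispatcher line for the priv instance and the healthy destination 10.0.0.5:80 are assumed, not taken from the thread).

```python
import re

# Constructed sample log, modelled on the thread above: a dispatcher line for the
# 'priv' instance, a session whose client_local equals that listener (the broken
# tproxy case Bazsi describes) and a healthy session whose client_local is the
# real destination (10.0.0.5:80 is an assumed address).
SAMPLE_LOG = """\
Oct 22 15:29:30 fw2 priv[8970]: (priv@zorp): Dispatcher on address; proto='1', local='AF_INET(192.168.115.9:50080)', prio='100'
Oct 22 15:29:38 fw2 priv[8970]: (priv@zorp/intra_HTTP:0): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.115.49:36435)', client_zone='Zone(priv, 192.168.0.0/16)', client_local='AF_INET(192.168.115.9:50080)'
Oct 22 15:30:02 fw2 priv[8970]: (priv@zorp/intra_HTTP:1): Starting proxy instance; client_fd='16', client_address='AF_INET(192.168.115.49:36440)', client_zone='Zone(priv, 192.168.0.0/16)', client_local='AF_INET(10.0.0.5:80)'
"""

# "(instance@zorp): Dispatcher on address; ... local='AF_INET(ip:port)'"
DISPATCHER_RE = re.compile(
    r"\((?P<instance>\w+)@zorp\): Dispatcher on address; "
    r".*local='AF_INET\((?P<addr>[\d.]+:\d+)\)'")
# "(instance@zorp/session): Starting proxy instance; ... client_local='AF_INET(ip:port)'"
SESSION_RE = re.compile(
    r"\((?P<instance>\w+)@zorp/(?P<session>[^)]+)\): Starting proxy instance; "
    r".*client_local='AF_INET\((?P<local>[\d.]+:\d+)\)'")


def find_non_transparent_sessions(log_text):
    """Return the ids of sessions whose client_local is one of that instance's
    own listener addresses, i.e. the connection reached the proxy directly and
    was not transparently redirected, so Zorp will treat the listener address
    as the server and look the service up in the wrong zone."""
    listeners = {}  # instance name -> set of 'ip:port' listener addresses
    flagged = []
    for line in log_text.splitlines():
        m = DISPATCHER_RE.search(line)
        if m:
            listeners.setdefault(m['instance'], set()).add(m['addr'])
            continue
        m = SESSION_RE.search(line)
        if m and m['local'] in listeners.get(m['instance'], set()):
            flagged.append(m['session'])
    return flagged


if __name__ == "__main__":
    for session in find_non_transparent_sessions(SAMPLE_LOG):
        print("tproxy redirection not working for session", session)
```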