I'm seeing 'import site failed' messages in the log when using zorpctl to start an instance. I only have one version of python installed (2.2.3). The zorp python lib seems to be found okay and the instance does start.

Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Starting up; verbose_level='100', version='2.1.8'
Oct 22 15:09:10 fw1 intra[6793]: (Log thread): thread starting;
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): System dependant init; sysdep_tproxy='1'
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Start to listen; fd='11'
Oct 22 15:09:10 fw1 intra[6796]: (conntrack/thread): thread starting;
Oct 22 15:09:10 fw1 intra[6791]: zorp version 2.1.8 starting up
Oct 22 15:09:10 fw1 intra[6793]: (Log thread): 'import site' failed; use -v for traceback
Oct 22 15:09:10 fw1 intra[6793]: (Log thread): 'import site' failed; use -v for traceback
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Zone(intra): outbound service=intra_HTTP
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Zone(dmz): inbound service=intra_HTTP
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Zone(inter): inbound service=intra_HTTP
Oct 22 15:09:10 fw1 intra[6791]: (intra@zorp): Dispatcher on address; proto='1', local='AF_INET(192.168.115.45:50080)', prio='100'
Oct 22 15:09:10 fw1 intra[6791]: (intra@zorp/nosession): Start to listen; fd='14'

When I send an http request out, I get the 'There was a problem connecting to the host you specified' message returned. This is a very simple policy (further below). The log reports 'Inbound service not permitted'. When setting an outbound policy, is the return connection automatically allowed?

Oct 22 15:29:38 fw2 priv[8970]: (priv@zorp/intra_HTTP:0): Starting proxy instance; client_fd='15', client_address='AF_INET(192.168.115.49:36435)', client_zone='Zone(priv, 192.168.0.0/16)', client_local='AF_INET(192.168.115.9:50080)'
Oct 22 15:29:38 fw2 priv[9002]: (priv@zorp/intra_HTTP:0): Inbound service not permitted; service='intra_HTTP', zone='Zone(priv, 192.168.0.0/16)'
Oct 22 15:29:38 fw2 priv[9002]: (priv@zorp/intra_HTTP:0/http): DAC policy violation; info='None'

For fun, I added inbound_services(["*"]) to the zone and got the following repeated in the logs. Indeed, there were a lot of processes running on the system.

Oct 22 15:24:26 fw2 priv[8739]: (priv@zorp/intra_HTTP:98): Starting proxy instance; client_fd='407', client_address='AF_INET(192.168.115.9:33167)', client_zone='Zone(priv, 192.168.0.0/16)', client_local='AF_INET(192.168.115.9:50080)'
Oct 22 15:24:26 fw2 priv[8739]: (priv@zorp/nosession): Too many running threads, waiting for one to become free; num_threads='100', max_threads='100'
Oct 22 15:24:26 fw2 priv[8869]: (priv@zorp/intra_HTTP:97/http): Server connection established; server_fd='406', server_address='AF_INET(192.168.115.9:50080)', server_zone='Zone(priv, 192.168.0.0/16)', server_local='AF_INET(192.168.115.9:33167)'

Policy.py

from Zorp.Core import *
from Zorp.Http import *

# Zone definitions
InetZone('priv', '192.168.0.0/16', outbound_services=['intra_HTTP'])
InetZone('dmz', '172.17.1.0/24', inbound_services=[])
InetZone('public', '0.0.0.0/0', inbound_services=["*"])

# Instance 'priv': HTTP proxy service and its listener
def priv():
    Service('intra_HTTP', HttpProxy)
    Listener(SockAddrInet('192.168.115.9', 50080), 'intra_HTTP')

def dmz():
    pass

def public():
    pass

instances.conf

priv -v3 -p /usr/local/etc/zorp/policy.py --autobind-ip 1.2.3.4
public -v3 -p /usr/local/etc/zorp/policy.py --autobind-ip 1.2.3.4
dmz -v3 -p /usr/local/etc/zorp/policy.py --autobind-ip 1.2.3.4

Thanks,
Phil
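
Added example, not part of the original post and not Zorp code: a small log check that flags proxy sessions whose server_address is the same address the instance listens on (client_local), the pattern visible in the lines around the 'Too many running threads' message above. The function names are hypothetical and the line layout is assumed from the log lines quoted in the post.

```python
import re

# "<syslog prefix>]: (<session>): <message>; key='value', ..."
LINE_RE = re.compile(r"\]: \((?P<session>[^)]*)\): (?P<msg>[^;]*);(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)='([^']*)'")

# Lines 1-3 are copied from the post; line 4 is constructed for contrast.
SAMPLE_LOG = [
    "Oct 22 15:24:26 fw2 priv[8739]: (priv@zorp/intra_HTTP:98): Starting proxy instance; "
    "client_fd='407', client_address='AF_INET(192.168.115.9:33167)', "
    "client_zone='Zone(priv, 192.168.0.0/16)', client_local='AF_INET(192.168.115.9:50080)'",
    "Oct 22 15:24:26 fw2 priv[8739]: (priv@zorp/nosession): Too many running threads, "
    "waiting for one to become free; num_threads='100', max_threads='100'",
    "Oct 22 15:24:26 fw2 priv[8869]: (priv@zorp/intra_HTTP:97/http): Server connection "
    "established; server_fd='406', server_address='AF_INET(192.168.115.9:50080)', "
    "server_zone='Zone(priv, 192.168.0.0/16)', server_local='AF_INET(192.168.115.9:33167)'",
    "Oct 22 15:24:27 fw2 priv[8870]: (priv@zorp/intra_HTTP:99/http): Server connection "
    "established; server_fd='408', server_address='AF_INET(192.0.2.10:80)', "
    "server_zone='Zone(public, 0.0.0.0/0)', server_local='AF_INET(192.168.115.9:33168)'",
]

def parse_line(line):
    """Split one log line into session, message and key='value' fields."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"session": m.group("session"), "msg": m.group("msg").strip(),
            "fields": dict(FIELD_RE.findall(m.group("rest")))}

def find_self_connections(lines):
    """Return (session, server_address, session_it_spawned) for every session
    whose server side connects to an address the proxy itself listens on."""
    events = [e for e in map(parse_line, lines) if e]
    starts = [e for e in events if e["msg"] == "Starting proxy instance"]
    listeners = {e["fields"].get("client_local") for e in starts}
    listeners.discard(None)
    # Map each accepted client address to the session that accepted it.
    by_client = {e["fields"].get("client_address"): e["session"] for e in starts}
    hits = []
    for e in events:
        f = e["fields"]
        if e["msg"] == "Server connection established" and f.get("server_address") in listeners:
            hits.append((e["session"], f["server_address"], by_client.get(f.get("server_local"))))
    return hits

if __name__ == "__main__":
    for session, addr, spawned in find_self_connections(SAMPLE_LOG):
        print(f"{session} connected to its own listener {addr}; accepted as {spawned}")
```

On the lines from the post, session 97's outgoing connection is the client connection of session 98, so each session opens the next until max_threads is reached.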