Trying to migrate from zorp GPL 3.1.15 to 3.9.3, following the guide at
http://siposg.blogs.balabit.com/2012/01/howto-install-zorp-3-9-2-on-debian-squeeze/
mostly, with the virtual machine as an example for rc.local and /etc/iptables/rules.

1. Is kzorp supported on Zorp GPL now?

2. My reverse proxy doesn't seem to be passing traffic. Don't see anything in the logs except accounting info, even after cranking the verbosity up. When I test my policy.py with kzorp -e, having (among other things)

    InetZone("intra", "<internal network>/16",
             outbound_services=[],
             inbound_services=["INhttp", etc.])
    InetZone("local", "127.0.0.0/8",
             inbound_services=["*"],
             outbound_services=[])
    InetZone("inter", "0.0.0.0/0",
             inbound_services=[],
             outbound_services=["INhttp", etc.])
    InetZone(name="server", addr=["<internal address>/32", ],
             inbound_services=["*"],
             outbound_services=["*"],
             admin_parent="intra")

    def Zhttp():
        Service(name="INhttp", proxy_class=INhttp,
                router=DirectedRouter(SockAddrInet("<internal address>", 80)))
        #Listener(SockAddrInet("<external address>", 50080), "INhttp")
        NDimensionDispatcher(bindto=DBSockAddr(SockAddrInet('<external address>', 50080), ZD_PROTO_TCP),
                             transparent=TRUE,
                             rules=(
                                 { 'iface'    : "eth1",
                                   'proto'    : socket.IPPROTO_TCP,
                                   'dst_port' : 80,
                                   'src_zone' : ('inter', ),
                                   'dst_zone' : ('server', ),
                                   'service'  : 'INhttp' }
                             ))

    class INhttp(HttpProxy):
        def config(self):
            HttpProxy.config(self)

I get

    # kzorp -e tcp <outside client IP> 5000 <external interface> 50080 <external interface>
    Evaluating ... on eth1
    Client zone: inter
    Server zone: inter
    Service: not found
    Dispatcher: not found

    # kzorp -e tcp <outside client IP> 5000 <external interface> 80 <external interface>
    Evaluating ... on eth1
    Client zone: inter
    Server zone: inter
    Service: not found
    Dispatcher: not found

But when I try one of my services having the old Listener syntax I get

    # kzorp -e tcp <outside client IP> 5000 <external interface> 443 <external interface>
    Evaluating ... on eth1
    Client zone: inter
    Server zone: inter
    Service: not found
    Dispatcher: not found

But:

    root@owa:/etc/zorp# kzorp -e tcp <outside client IP> 5000 <external address> 50443 eth1
    evaluating <outside client IP>:5000 -> <external address>:50443 on eth1
    Client zone: inter
    Server zone: inter
    Service: INhttps
    Dispatcher: SA(proto=1,addr=AF_INET(<external address>:50443))

Not sure if the Server zone is right. Shouldn't it be 'server' or 'intra'?

Also, it seems like kzorp can't find the service and dispatcher unless

A. You give it the proxy port, not the outside port?
B. It wants the old Listener syntax?

If I try to connect to the proxy port (:50080), I get in the logs

    ...Transparent listener connected directly, dropping connection;

Which is reasonable enough. Seems like it would work if kzorp was feeding it properly. So what did I do wrong?

Thanks
David
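As an added illustration (this is not code from the post, from Zorp or from kzorp), here is a small Python model of what `kzorp -e` computes for the policy quoted above: each zone is looked up by longest prefix on the packet's own source and destination address, and the NDimensionDispatcher rule is then matched dimension by dimension. The addresses are constructed RFC 5737 / RFC 1918 values standing in for the post's placeholders; that a rule's zone tuple also matches administrative children (admin_parent) and that a dimension absent from a rule matches anything are assumptions of the model, not verified kzorp behaviour. Run as posted, the rule's 'dst_port': 80 rejects the :50080 probe and its 'dst_zone': ('server',) rejects the :80 probe, because the destination the client targets is the firewall's external address, which resolves to the 0.0.0.0/0 zone 'inter' exactly as the "Server zone: inter" lines above report. A variant rule keyed on 'inter' is included for contrast.

```python
"""Toy model of the zone lookup and rule matching behind `kzorp -e`.

Added example, not Zorp/kzorp code. All addresses are constructed
stand-ins for the placeholders in the post.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class Zone:
    name: str
    networks: tuple
    admin_parent: Optional[str] = None


# Constructed values: <internal network>/16, <internal address>/32, 127.0.0.0/8, 0.0.0.0/0
ZONES = (
    Zone("intra", ("10.1.0.0/16",)),
    Zone("local", ("127.0.0.0/8",)),
    Zone("inter", ("0.0.0.0/0",)),
    Zone("server", ("10.1.0.80/32",), admin_parent="intra"),
)
ZONE_BY_NAME = {z.name: z for z in ZONES}

EXTERNAL_ADDR = "192.0.2.10"      # constructed: firewall's external address on eth1
INTERNAL_ADDR = "10.1.0.80"       # constructed: the real web server behind the firewall
OUTSIDE_CLIENT = "198.51.100.77"  # constructed: an Internet client


def lookup_zone(addr: str) -> Optional[str]:
    """Most specific (longest prefix) zone containing addr; None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for zone in ZONES:
        for cidr in zone.networks:
            net = ipaddress.ip_network(cidr)
            if ip in net and net.prefixlen > best_len:
                best, best_len = zone.name, net.prefixlen
    return best


def zone_in(zone_name: Optional[str], wanted) -> bool:
    """Assumption of this model: a rule's zone tuple matches the zone itself
    or any of its administrative ancestors (admin_parent chain)."""
    cur = zone_name
    while cur is not None:
        if cur in wanted:
            return True
        cur = ZONE_BY_NAME[cur].admin_parent
    return False


# The rule as it appears in the post: dst_zone keyed on the internal server's zone.
RULE_AS_POSTED = {
    "iface": "eth1",
    "proto": socket.IPPROTO_TCP,
    "dst_port": 80,
    "src_zone": ("inter",),
    "dst_zone": ("server",),
    "service": "INhttp",
}
# Contrast variant (not from the post): keyed on the zone the packet's
# destination, i.e. the firewall's external address, actually resolves to.
RULE_DST_INTER = dict(RULE_AS_POSTED, dst_zone=("inter",))


def evaluate(rules, proto, src, src_port, dst, dst_port, iface):
    """Mimic `kzorp -e PROTO SRC SPORT DST DPORT IFACE`: zones come from the
    packet's own addresses; rules are tried in order and a dimension that a
    rule does not mention matches anything (model assumption)."""
    client_zone = lookup_zone(src)
    server_zone = lookup_zone(dst)
    checks = {
        "iface": lambda want: want == iface,
        "proto": lambda want: want == proto,
        "dst_port": lambda want: want == dst_port,
        "src_port": lambda want: want == src_port,
        "src_zone": lambda want: zone_in(client_zone, want),
        "dst_zone": lambda want: zone_in(server_zone, want),
    }
    service = None
    for rule in rules:
        if all(checks[dim](want) for dim, want in rule.items() if dim != "service"):
            service = rule["service"]
            break
    return {"client_zone": client_zone, "server_zone": server_zone, "service": service}


def report(result, src, src_port, dst, dst_port, iface):
    """Render a result in the same shape as the kzorp -e output quoted above."""
    return (f"evaluating {src}:{src_port} -> {dst}:{dst_port} on {iface}\n"
            f"Client zone: {result['client_zone']}\n"
            f"Server zone: {result['server_zone']}\n"
            f"Service: {result['service'] or 'not found'}")


if __name__ == "__main__":
    tcp = socket.IPPROTO_TCP
    for dport in (50080, 80):  # the two probes against the NDimensionDispatcher in the post
        r = evaluate((RULE_AS_POSTED,), tcp, OUTSIDE_CLIENT, 5000, EXTERNAL_ADDR, dport, "eth1")
        print(report(r, OUTSIDE_CLIENT, 5000, EXTERNAL_ADDR, dport, "eth1"), "\n")
    r = evaluate((RULE_DST_INTER,), tcp, OUTSIDE_CLIENT, 5000, EXTERNAL_ADDR, 80, "eth1")
    print(report(r, OUTSIDE_CLIENT, 5000, EXTERNAL_ADDR, 80, "eth1"))
```

The model only reproduces the printed lookup; it does not model the kernel diverting a matched flow to the dispatcher's bindto socket, which is the step that makes the "Dispatcher:" line appear in real kzorp output.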
On Mon, 2012-02-27 at 23:03 -0500, David Yerger wrote:
Trying to migrate from zorp GPL 3.1.15 to 3.9.3, following the guide at http://siposg.blogs.balabit.com/2012/01/howto-install-zorp-3-9-2-on-debian-squeeze/ mostly, with the virtual machine as an example for rc.local and /etc/iptables/rules.
1. Is kzorp supported on Zorp GPL now?
Yes, it is (in 3.9.x). NDimension dispatcher works only with KZorp.
2. My reverse proxy doesn't seem to be passing traffic. Don't see anything in the logs except accounting info, even after cranking the verbosity up. When I test my policy.py with kzorp -e, having (among other things)
Does the client target the external address of the firewall or the real address of the server? Is the 'eth1' the external interface of the firewall?

Regards,
Szilárd
_______________________________________________
zorp mailing list
zorp@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/zorp
1. Is kzorp supported on Zorp GPL now?

Yes, it is (in 3.9.x).

Cool! Thanks

NDimension dispatcher works only with KZorp.

OK

My reverse proxy doesn't seem to be passing traffic. Don't see anything in the logs except accounting info, even after cranking the verbosity up. <snip>

Does the client target the external address of the firewall or the real address of the server?

External address of the firewall.

Is the 'eth1' the external interface of the firewall?

Yes.

Thanks again
David
I think I recognized my problem: having used the old TPROXY method, I was used to pointing my Listener to a fake port (that TPROXY redirects to). I'm thinking that's no longer necessary with kzorp; one can just specify the real port to listen to with Dispatcher or whatever. Am I right?

Seems that it's working now. Thanks for your help!

David Yerger
participants (2)
- David Yerger
- Szilárd Pfeiffer