[zorp-hu] URL filtering and regular expressions
KUN Arpad
kharpeet@kirowski.com
Thu, 13 Dec 2001 10:04:54 +0100
Hi,
I don't really (that is, for now really don't) get Python, and beyond the base config, no matter how I pasted new rule(s) into it and tried to indent them correctly, it always died with a syntax error on startup, even the example itself. I must have overlooked something, but I haven't figured out the trick yet. This is where I got stuck, unfortunately, although I don't think what this is about is a difficult thing. :)
I'm attaching an earlier mail of mine.
All the best,
KharpeeT
--------------------------------------------------------------------
Zorp is running, and the basic functions work.
I read through share/zorp/pylib/Zorp/Http.py to see what functions it is capable of, and I found examples too. True, these differed from the ones I read in the Zorp reference guide. I suppose a few things have changed since then.
I would like to use Zorp for transparent filtering in front of a few web servers, and there are one or two things I haven't managed so far.
My problem is that the new examples given didn't really want to work (specifically the URL filtering). My question is: what could cause this? (details below)
The other thing I'd be interested in is whether it is possible to filter based on regular expressions? E.g. I'd like to add a few rules for HTTP GETs, but Python is still rather bewildering to me for now. Could you give one or two examples of how these could be defined one under another?
I imagine it something like this (it may well be wrong, of course, but maybe it's understandable :) ):
import re

if re.match(r"^.*\/etc\/passwd.*$", url):
    return HTTP_REQ_ACCEPT
self.error_info = 'Content denied by policy.'
return HTTP_REQ_REJECT

if url == "http://www.ungabunga.hu":
    return HTTP_REQ_ACCEPT
self.error_info = 'Content denied by policy2.'
return HTTP_REQ_REJECT
-----
Here is the current config, for which it dumps this error message into syslog:
---------- log ----------
zorp-http[25450]: zorp version 1.4.0rc13 going down.
zorp-http[25452]: (zorp/nosession): File "/usr/local/zorp/etc/zorp/policy.py", line 83
zorp-http[25452]: (zorp/nosession): if (url == "http://www.balabit.hu")
zorp-http[25452]: (zorp/nosession): ^
zorp-http[25452]: (zorp/nosession): SyntaxError: invalid syntax
----------
My broken config is attached, because it falls apart in the mail, unfortunately.
Attachment: policy.py
############################################################################
##
## Copyright (c) 2000, 2001 BalaBit IT Ltd, Budapest, Hungary
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
##
## $Id: policy.py.sample,v 1.10.2.2.4.2 2001/11/08 11:20:48 bazsi Exp $
##
############################################################################
#
# sample firewall policy with transparent access to FTP, HTTP and CVS protocols.
# For FTP and HTTP we use application level gateways, for CVS we use a plug.
# (as long as CVS protocol proxy is not available)
#
# firewall internal network: 192.168.1.0/24
# firewall internal interface: 192.168.1.1
# firewall external interface: 193.225.235.6
#
from Zorp.Core import *
from Zorp.Http import *
from Zorp.Plug import *
from Zorp.Ftp import *
Zorp.firewall_name = 'zorp@site'
InetZone("site-net", "0.0.0.0/0",
         # list of allowed outbound services, '*' matches anything
         outbound_services=["intra_http", "intra_ftp"],
         # list of allowed inbound services, '*' matches anything
         inbound_services=[]),
InetZone("local", "127.0.0.0/8",
         inbound_services=["*"],
         outbound_services=[]),
InetZone("internet", "VEDETT/HALO",
         inbound_services=["*"],
         outbound_services=[])

#
# Here's a proxy event handler definition. We are deriving from a
# simple plug proxy, which is blindly copying in both directions.
#
# Instances of this class represent a "plug proxy". For a complete
# documentation for the features and available attributes of plug see the
# file /doc/modules/plug.txt
#

#
# Let's define a transparent http proxy, which rewrites the user_agent
# header to something different.
#
class IntraHttp(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.transparent_mode = TRUE
        # self.request_header["User-Agent"] = (HTTP_HDR_CHANGE_VALUE, "Lynx/2.8.3rel.1")
        self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)

    def filterURL(self, method, url, version):
        # this is the line the SyntaxError in the log points at: the condition has no ':' after it
        if (url == "http://www.balabit.hu")
            return HTTP_REQ_ACCEPT
        self.error_info = 'Content denied by policy.'
        return HTTP_REQ_REJECT
        # return Z_REJECT here to reject this request
        # change self.request_url to redirect to another url
        # change connection_mode to HTTP_CONNECTION_CLOSE to force kept-alive connections to close
        log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url))
        return HTTP_REQ_ACCEPT

class IntraFtp(FtpProxy):
    def config(self):
        FtpProxy.config(self)
        self.transparent_mode = TRUE

#
# name is passed to the Zorp instance with the --as command line option
# you can use it to start different services for different names
# In this simple policy we ignore it.
#
def init(name):
    # create services
    Service("intra_http", IntraHttp, router=TransparentRouter())
    Service("intra_ftp", IntraFtp, router=TransparentRouter())

    # bind services to listeners
    # you'll need the packet filter redirect these connections, and
    # to protect transparent listeners, since if you connect to
    # a transparent listener directly, Zorp reconnects to itself.
    Listener(SockAddrInet("FIREWALL", 50080), "intra_http")
    Listener(SockAddrInet("FIREWALL", 50021), "intra_ftp")
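The following is an added, stand-alone example (not from the mail above, nor Zorp's own code) of how the regex-based GET policy sketched in the mail can be written as a rule table with a default-deny fallback. It cannot import Zorp, so HTTP_REQ_ACCEPT / HTTP_REQ_REJECT are opaque stand-in constants and UrlPolicy only models the error_info attribute that the hook touches; in a real policy.py the filterURL() method goes on the HttpProxy subclass and is registered with self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL), as the attached config already does. The host names are the sample values from the mail; treating the /etc/passwd pattern as a deny rule (rather than the accept in the sketch) is this example's choice. Two points the sketch does not show: a plain == against a regex string never matches, so the pattern has to be compiled and searched, and the URL is percent-decoded before matching so an encoded path is judged the same way as a plain one.

```python
import re
from urllib.parse import unquote

# Stand-ins for the verdict constants a real policy.py imports from Zorp.Http
# (assumption: their concrete values are a Zorp implementation detail).
HTTP_REQ_ACCEPT = "HTTP_REQ_ACCEPT"
HTTP_REQ_REJECT = "HTTP_REQ_REJECT"


def normalize_url(url):
    """Percent-decode the URL so that %2Fetc%2Fpasswd and /etc/passwd are
    compared in the same form before any pattern is applied."""
    return unquote(url)


# Rule table, evaluated top to bottom, first match wins.  Deny rules sit
# above allow rules so that an allowed host cannot be used to reach a denied
# path.  Patterns are applied with re.search(), so anchor with ^ and $ when
# a prefix or exact match is meant.  Hosts are constructed sample values.
URL_RULES = [
    (re.compile(r"/etc/passwd"),                     HTTP_REQ_REJECT, "Content denied by policy."),
    (re.compile(r"^http://www\.balabit\.hu(/|$)"),   HTTP_REQ_ACCEPT, None),
    (re.compile(r"^http://www\.ungabunga\.hu(/|$)"), HTTP_REQ_ACCEPT, None),
]

# Whatever no rule matched is rejected: default deny.
DEFAULT_VERDICT = (HTTP_REQ_REJECT, "Content denied by policy2.")


def decide_url(url, rules=URL_RULES, default=DEFAULT_VERDICT):
    """Return (verdict, reason) for one request URL; reason is None on accept."""
    candidate = normalize_url(url)
    for pattern, verdict, reason in rules:
        if pattern.search(candidate):
            return verdict, reason
    return default


class UrlPolicy:
    """Stand-in for the IntraHttp(HttpProxy) class of the attached policy.py.

    Only error_info is modelled.  In Zorp the same filterURL() method is
    defined on the HttpProxy subclass and hooked up in config() with
    self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL).
    """

    def __init__(self):
        self.error_info = None

    def filterURL(self, method, url, version):
        # Same signature as the GET policy hook in the attached config.
        verdict, reason = decide_url(url)
        if verdict == HTTP_REQ_REJECT:
            self.error_info = reason
        return verdict


if __name__ == "__main__":
    # Constructed sample requests: a permitted host, a look-alike host,
    # a traversal to a denied path, and the same path percent-encoded.
    for sample in (
        "http://www.balabit.hu/",
        "http://www.balabit.hu.example.net/",
        "http://www.balabit.hu/cgi-bin/../../etc/passwd",
        "http://www.balabit.hu/%2Fetc%2Fpasswd",
    ):
        policy = UrlPolicy()
        verdict = policy.filterURL("GET", sample, "1.0")
        print("%-48s %-16s %s" % (sample, verdict, policy.error_info or ""))
```

Rule order matters: because the deny pattern is checked first, a request to an allowed host whose path reaches /etc/passwd is still rejected, and because nothing falls through to an accept, a host that merely starts with an allowed name (www.balabit.hu.example.net) gets the default rejection.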