[zorp-hu] 0.7.11-1 konfig

Kosa Attila atkosa@shinwa.hu
Fri, 12 Jan 2001 16:47:32 +0100 

On Fri, Jan 12, 2001 at 04:38:45PM +0100, Gyorko Zoltan wrote:
> kuldd el az ujabb policy-t amit most editalsz, vagy legalabb a DMZ zona
> deklaraciojat.

# A tuzfal belso halo feloli laba: 192.168.0.250 eth2
# A tuzfal DMZ feloli laba: 192.168.1.1	eth1
# A tuzfal internet feloli laba: 100.100.100.100 eth0

from Zorp.Zorp import *
from Zorp import Zorp
from Zorp.Zone import InetZone
from Zorp.Service import Service
from Zorp.SockAddr import SockAddrInet
from Zorp.Chainer import TransparentChainer, DirectedChainer, \
			 InbandChainer, FailoverChainer
from Zorp.Plug import PlugProxy
from Zorp import Http
from Zorp.Http import HttpProxy
from Zorp.Ftp import FtpProxyAllow, FtpProxyMinimal
from Zorp.Listener import Listener

Zorp.firewall_name = 'zorp1@teszt.hu'

#---------------------------------------------------------#
#-----------------------ZONAK-----------------------------#
#---------------------------------------------------------#
# A zonak ertelmes felosztasan meg el kell gondolkoznom :)
# Sajnos ebbol a verziobol kimaradt az umbrella :)

#Zorp.zones = \
#[
InetZone("full", "192.168.0.0/24",
    inbound_services=[],
    outbound_services=["bd_http"]),

InetZone("levelezes", ["192.168.0.3", "192.168.0.4"],
    inbound_services=[],
    outbound_services=["bd_pop"]),

InetZone("sshdmz", ["192.168.0.2"],
    admin_parent="full",
    inbound_services=[],
    outbound_services=["bd_ssh", "bd_pop"]),

InetZone("sshki", ["192.168.0.1"],
    admin_parent="sshdmz",
    inbound_services=[],
    outbound_services=["bi_ssh", "bi_pop"]),

InetZone("web_mail", ["192.168.0.5", "192.168.0.6"],
    admin_parent="levelezes",
    inbound_services=[],
    outbound_services=["bi_http", "bi_ftp"]),

InetZone("DMZ", "192.168.1.0", "255.255.255.0",
    inbound_services=["bd_http", "bd_ssh", "bd_pop", "id_http", "id_pop"],
    outbound_services=[]),

InetZone("local", "127.0.0.0", "255.0.0.0",
    inbound_services=["*"],
    outbound_services=[]),

InetZone("internet", "0.0.0.0", "0.0.0.0",
    inbound_services=["bi_http", "bi_ftp", "bi_pop", "bi_ssh"],
    outbound_services=["id_http", "id_pop"])
#]

#---------------------------------------------------------#
#------------------CLASS-OK-------------------------------#
#---------------------------------------------------------#

# A belso halorol az internet elerese http-n keresztul
class BIHttp(Http.HttpProxy):
    def config(self):
	HttpProxy.config(self)
	self.transparent_mode = TRUE
	# Errol kaphatnek egy kis infot?
	self.request["GET"] = (Http.HTTP_POLICY, self.filterURL)

    # Errol is jo lenne egy kis info :)
    def filterURL(self, method, url, version):
	log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url))

# A belso halorol az internet elerese ftp-n keresztul
class BIFtp(FtpProxyAllow):
    def config(self):
	FtpProxy.config(self)
	self.transparent_mode = TRUE

# A belso halorol az internet elerese pop3-mon keresztul
class BIPop(PlugProxy):
    def config(self):
	pass

# A belso halorol a DMZ elerese pop3-mon keresztul
class BDPop(PlugProxy):
    def config(self):
	pass

# Az internetrol a DMZ elerese pop3-mon keresztul
class IDPop(PlugProxy):
    def config(self):
	pass

# A belso halorol a DMZ elerese http-n keresztul
class BDHttp(HttpProxy):
    def config(self):
	self.transparent_mode = 1

# A belso halorol a DMZ elerese ssh-n keresztul
class BDSsh(PlugProxy):
    def config(self):
	pass

# A belso halorol az internet elerese ssh-n keresztul
class BISsh(PlugProxy):
    def config(self):
	pass

# Az internetrol a DMZ elerese http-n keresztul
class IDHttp(HttpProxy):
    def config(self):
	self.transparent_mode = 1

#---------------------------------------------------------#
#----------------INIT-EK----------------------------------#
#---------------------------------------------------------#

def init(name):
    debug(0, "Policy init, name=%s" % name)

    Service("bi_http", InbandChainer(), BIHttp)

    Service("bi_ftp", TransparentChainer(), BIFtp)

    Service("bi_pop", TransparentChainer(), BIPop)

    Service("bd_pop", TransparentChainer(), BDPop)

    Service("bd_http", TransparentChainer(), BDHttp)

    Service("bd_ssh", TransparentChainer(), BDSsh)

    Service("bi_ssh", TransparentChainer(), BISsh)

# A 192.168.1.2 cimen a 80-as porton van a www szerver
    Service("id_http", DirectedChainer(SockAddrInet("192.168.1.2", 80), IDHttp))

# A 192.168.1.2 cimen a 110-es porton van a pop3 szerver
    Service("id_pop", DirectedChainer(SockAddrInet("192.168.1.2", 110), IDPop))

#---------------------------------------------------------#
#----------------LISTENER-EK------------------------------#
#---------------------------------------------------------#

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 80 -j REDIRECT 3128
Listener(SockAddrInet("192.168.0.250", 3128), "bi_http")
# Ha kesz lesz a proxy-szerver:
# ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 80 -j REDIRECT 3128
# Ekkor a proxyn nem kell semmit beallitani.
# Kulon zonat kell definialni a proxy miatt.

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 21 -j REDIRECT 2021
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 1024: -j REDIRECT 0
Listener(SockAddrInet("192.168.0.250", 2021), "bi_ftp")
# Ha kesz lesz a proxy-szerver:
# ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 21 -j REDIRECT 2021
# ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 1024: -j REDIRECT 0
# Kulon zonat kell definialni a proxy miatt.

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 110 -j REDIRECT 2110
Listener(SockAddrInet("192.168.0.250", 2110), "bi_pop")

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.3 110 -j REDIRECT 3110
Listener(SockAddrInet("192.168.0.250", 3110), "bd_pop")

# Ugye ide ertelmetlen ipchains REDIRECT-et tenni?
Listener(SockAddrInet("100.100.100.100", 110), "id_pop")

# A 192.168.1.2 80-as portjan figyel a www-szerver.
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.2 80 -j REDIRECT 3080
Listener(SockAddrInet("192.168.0.250", 3080), "bd_http")
# Ha ez is csak a proxy-n keresztul mehet, akkor nem kell az ipchains.

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.0/24 22 -j REDIRECT 3022
Listener(SockAddrInet("192.168.0.250", 3022), "bd_ssh")

# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 22 -j REDIRECT 4022
Listener(SockAddrInet("192.168.0.250", 4022), "bi_ssh")

# Ugye ide ertelmetlen ipchains REDIRECT-et tenni?
Listener(SockAddrInet("100.100.100.100", 80), "id_http")

--
		Udvozlettel
				Zsiga