[zorp-hu] 0.7.11-1 konfig
Kosa Attila
atkosa@shinwa.hu
Fri, 12 Jan 2001 16:47:32 +0100
On Fri, Jan 12, 2001 at 04:38:45PM +0100, Gyorko Zoltan wrote:
> kuldd el az ujabb policy-t amit most editalsz, vagy legalabb a DMZ zona
> deklaraciojat.
# A tuzfal belso halo feloli laba: 192.168.0.250 eth2
# A tuzfal DMZ feloli laba: 192.168.1.1 eth1
# A tuzfal internet feloli laba: 100.100.100.100 eth0
from Zorp.Zorp import *
from Zorp import Zorp
from Zorp.Zone import InetZone
from Zorp.Service import Service
from Zorp.SockAddr import SockAddrInet
from Zorp.Chainer import TransparentChainer, DirectedChainer, \
InbandChainer, FailoverChainer
from Zorp.Plug import PlugProxy
from Zorp import Http
from Zorp.Http import HttpProxy
from Zorp.Ftp import FtpProxyAllow, FtpProxyMinimal
from Zorp.Listener import Listener
Zorp.firewall_name = 'zorp1@teszt.hu'
#---------------------------------------------------------#
#-----------------------ZONAK-----------------------------#
#---------------------------------------------------------#
# A zonak ertelmes felosztasan meg el kell gondolkoznom :)
# Sajnos ebbol a verziobol kimaradt az umbrella :)
#Zorp.zones = \
#[
InetZone("full", "192.168.0.0/24",
inbound_services=[],
outbound_services=["bd_http"]),
InetZone("levelezes", ["192.168.0.3", "192.168.0.4"],
inbound_services=[],
outbound_services=["bd_pop"]),
InetZone("sshdmz", ["192.168.0.2"],
admin_parent="full",
inbound_services=[],
outbound_services=["bd_ssh", "bd_pop"]),
InetZone("sshki", ["192.168.0.1"],
admin_parent="sshdmz",
inbound_services=[],
outbound_services=["bi_ssh", "bi_pop"]),
InetZone("web_mail", ["192.168.0.5", "192.168.0.6"],
admin_parent="levelezes",
inbound_services=[],
outbound_services=["bi_http", "bi_ftp"]),
InetZone("DMZ", "192.168.1.0", "255.255.255.0",
inbound_services=["bd_http", "bd_ssh", "bd_pop", "id_http", "id_pop"],
outbound_services=[]),
InetZone("local", "127.0.0.0", "255.0.0.0",
inbound_services=["*"],
outbound_services=[]),
InetZone("internet", "0.0.0.0", "0.0.0.0",
inbound_services=["bi_http", "bi_ftp", "bi_pop", "bi_ssh"],
outbound_services=["id_http", "id_pop"])
#]
#---------------------------------------------------------#
#------------------CLASS-OK-------------------------------#
#---------------------------------------------------------#
# A belso halorol az internet elerese http-n keresztul
class BIHttp(Http.HttpProxy):
def config(self):
HttpProxy.config(self)
self.transparent_mode = TRUE
# Errol kaphatnek egy kis infot?
self.request["GET"] = (Http.HTTP_POLICY, self.filterURL)
# Errol is jo lenne egy kis info :)
def filterURL(self, method, url, version):
log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url))
# A belso halorol az internet elerese ftp-n keresztul
class BIFtp(FtpProxyAllow):
def config(self):
FtpProxy.config(self)
self.transparent_mode = TRUE
# A belso halorol az internet elerese pop3-mon keresztul
class BIPop(PlugProxy):
def config(self):
pass
# A belso halorol a DMZ elerese pop3-mon keresztul
class BDPop(PlugProxy):
def config(self):
pass
# Az internetrol a DMZ elerese pop3-mon keresztul
class IDPop(PlugProxy):
def config(self):
pass
# A belso halorol a DMZ elerese http-n keresztul
class BDHttp(HttpProxy):
def config(self):
self.transparent_mode = 1
# A belso halorol a DMZ elerese ssh-n keresztul
class BDSsh(PlugProxy):
def config(self):
pass
# A belso halorol az internet elerese ssh-n keresztul
class BISsh(PlugProxy):
def config(self):
pass
# Az internetrol a DMZ elerese http-n keresztul
class IDHttp(HttpProxy):
def config(self):
self.transparent_mode = 1
#---------------------------------------------------------#
#----------------INIT-EK----------------------------------#
#---------------------------------------------------------#
def init(name):
debug(0, "Policy init, name=%s" % name)
Service("bi_http", InbandChainer(), BIHttp)
Service("bi_ftp", TransparentChainer(), BIFtp)
Service("bi_pop", TransparentChainer(), BIPop)
Service("bd_pop", TransparentChainer(), BDPop)
Service("bd_http", TransparentChainer(), BDHttp)
Service("bd_ssh", TransparentChainer(), BDSsh)
Service("bi_ssh", TransparentChainer(), BISsh)
# A 192.168.1.2 cimen a 80-as porton van a www szerver
Service("id_http", DirectedChainer(SockAddrInet("192.168.1.2", 80), IDHttp))
# A 192.168.1.2 cimen a 110-es porton van a pop3 szerver
Service("id_pop", DirectedChainer(SockAddrInet("192.168.1.2", 110), IDPop))
#---------------------------------------------------------#
#----------------LISTENER-EK------------------------------#
#---------------------------------------------------------#
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 80 -j REDIRECT 3128
Listener(SockAddrInet("192.168.0.250", 3128), "bi_http")
# Ha kesz lesz a proxy-szerver:
# ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 80 -j REDIRECT 3128
# Ekkor a proxyn nem kell semmit beallitani.
# Kulon zonat kell definialni a proxy miatt.
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 21 -j REDIRECT 2021
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 1024: -j REDIRECT 0
Listener(SockAddrInet("192.168.0.250", 2021), "bi_ftp")
# Ha kesz lesz a proxy-szerver:
# ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 21 -j REDIRECT 2021
# ipchains -A input -i eth2 -s proxy.ip.cim.e -d 0/0 1024: -j REDIRECT 0
# Kulon zonat kell definialni a proxy miatt.
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 110 -j REDIRECT 2110
Listener(SockAddrInet("192.168.0.250", 2110), "bi_pop")
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.3 110 -j REDIRECT 3110
Listener(SockAddrInet("192.168.0.250", 3110), "bd_pop")
# Ugye ide ertelmetlen ipchains REDIRECT-et tenni?
Listener(SockAddrInet("100.100.100.100", 110), "id_pop")
# A 192.168.1.2 80-as portjan figyel a www-szerver.
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.2 80 -j REDIRECT 3080
Listener(SockAddrInet("192.168.0.250", 3080), "bd_http")
# Ha ez is csak a proxy-n keresztul mehet, akkor nem kell az ipchains.
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 192.168.1.0/24 22 -j REDIRECT 3022
Listener(SockAddrInet("192.168.0.250", 3022), "bd_ssh")
# ipchains -A input -i eth2 -s 192.168.0.0/24 -d 0/0 22 -j REDIRECT 4022
Listener(SockAddrInet("192.168.0.250", 4022), "bi_ssh")
# Ugye ide ertelmetlen ipchains REDIRECT-et tenni?
Listener(SockAddrInet("100.100.100.100", 80), "id_http")
--
Udvozlettel
Zsiga