[zorp-hu] URL filtering + RegexpFileMatcher
KUN Arpad
kharpeet@kirowski.com
04 Jan 2002 14:09:01 +0100
Hi all,

I have a small problem with the regexp matcher.
Bazsi recommended using this:

> class MyHttp(HttpProxyURIFilter):
>     matcher=RegexpFileMatcher('/etc/zorp/http.deny', '/etc/zorp/http.ignore')
>
> * everything listed in http.deny is blocked by the proxy (regexp)
> * everything in http.ignore is an exception, so if something accidentally
>   matches http.deny, we can filter it out with this

The matcher seems to work, because whichever URIs I list in http.deny and
then try to push through Zorp, it serves policyviolation.html.

However, for every other URI that matches none of the expressions in
http.deny, I get invalidurl.html saying "Badly formated url: /index.html"
(for example). The same happens even if I put it (e.g. index.html) into the
http.ignore file.

My policy.py is probably wrong, but I couldn't find where the mistake is.
(Attached, so it doesn't get mangled.)

Thanks in advance,
KharpeeT
--
system administrator
kirowski
1075 Budapest, Karoly korut 9.
www.kirowski.com | tel: +36 1 4112200 | fax: +36 1 4112299
Attachment: policy.py
############################################################################
##
## Copyright (c) 2000, 2001 BalaBit IT Ltd, Budapest, Hungary
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
##
## $Id: policy.py.sample,v 1.10.2.2.4.2 2001/11/08 11:20:48 bazsi Exp $
##
############################################################################
#
# sample firewall policy with transparent access to FTP, HTTP and CVS protocols.
# For FTP and HTTP we use application level gateways, for CVS we use a plug.
# (as long as CVS protocol proxy is not available)
#

from Zorp.Core import *
from Zorp.Http import *
from Zorp.Plug import *
from Zorp.Ftp import *
from Zorp.Matcher import *

Zorp.firewall_name = 'zorp@site'

InetZone("site-net", "0.0.0.0/0",
    # list of allowed outbound services, '*' matches anything
    outbound_services=["intra_http", "intra_ftp", "intra_cvs"],

    # list of allowed inbound services, '*' matches anything
    inbound_services=[]),

InetZone("local", "127.0.0.0/8",
    inbound_services=["*"],
    outbound_services=[]),

# "VEDETT/HALO" is the poster's placeholder for the protected network address
InetZone("internet", "VEDETT/HALO",
    inbound_services=["*"],
    outbound_services=[])

#
# Here's a proxy event handler definition. We are deriving from a
# simple plug proxy, which is blindly copying in both directions.
#
# Instances of this class represent a "plug proxy". For a complete
# documentation for the features and available attributes of plug see the
# file /doc/modules/plug.txt
#
class IntraHttp(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.transparent_mode = TRUE
        self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)

    def filterURL(self, method, url, version):
        # return Z_REJECT here to reject this request
        # change self.request_url to redirect to another url
        # change connection_mode to HTTP_CONNECTION_CLOSE to force kept-alive connections to close
        log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url))
        return HTTP_REQ_ACCEPT

# NOTE: this second definition of IntraHttp replaces the HttpProxy-based class
# above in the module namespace; only this one is bound to the service in init().
class IntraHttp(HttpProxyURIFilter):
    matcher=RegexpFileMatcher('/usr/local/zorp/etc/zorp/http.deny', '/usr/local/zorp/etc/zorp/http.ignore')

class IntraFtp(FtpProxy):
    def config(self):
        FtpProxy.config(self)
        self.transparent_mode = TRUE

#
# name is passed to the Zorp instance with the --as command line option
# you can use it to start different services for different names
# In this simple policy we ignore it.
#
def init(name):

    # create services
    Service("intra_http", IntraHttp, router=TransparentRouter())
    Service("intra_ftp", IntraFtp, router=TransparentRouter())

    # bind services to listeners
    # you'll need the packet filter redirect these connections, and
    # to protect transparent listeners, since if you connect to
    # a transparent listener directly, Zorp reconnects to itself.
    # "TUZFALIP" is the poster's placeholder for the firewall's own IP address
    Listener(SockAddrInet("TUZFALIP", 50080), "intra_http")
    Listener(SockAddrInet("TUZFALIP", 50021), "intra_ftp")
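The deny/ignore semantics Bazsi describes in the quoted part of the post (a URL is blocked when it matches an entry of http.deny, unless an entry of http.ignore also matches; anything matching neither list passes) can be modelled in plain Python. The block below is an added illustration written for this page; it is not the poster's code and not Zorp's own RegexpFileMatcher implementation. The two pattern lists are constructed inline and stand in for the http.deny and http.ignore files. It also shows the check a practitioner wants to run before deploying such lists: an unanchored entry like `banner` matches any URL that merely contains that substring, so every entry should be tested against URLs that are expected to pass as well as against those that should be blocked.

```python
import re

# Constructed sample lists; they stand in for the http.deny / http.ignore files
# mentioned in the post and are not taken from the poster's setup.
DENY_TEXT = r"""
# one regular expression per line; blank lines and '#' comments are skipped
\.exe$
banner
^http://ads\.example\.net/
"""

IGNORE_TEXT = r"""
# exceptions: a URL matching one of these is let through even if it matches http.deny
^http://intranet\.example\.com/
"""


def load_patterns(text):
    """Compile one regular expression per non-empty, non-comment line."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def first_match(patterns, url):
    """Return the source of the first pattern that matches anywhere in url, or None."""
    for pat in patterns:
        if pat.search(url):
            return pat.pattern
    return None


def classify(url, deny, ignore):
    """Decide a URL the way the post describes the two lists.

    deny hit and no ignore hit -> ("deny", matching deny entry)
    deny hit and ignore hit    -> ("ignore", matching ignore entry)
    no deny hit                -> ("accept", None); the lists never yield an
                                  'invalid URL' verdict, that comes from elsewhere
    """
    hit = first_match(deny, url)
    if hit is None:
        return ("accept", None)
    exc = first_match(ignore, url)
    if exc is not None:
        return ("ignore", exc)
    return ("deny", hit)


DENY = load_patterns(DENY_TEXT)
IGNORE = load_patterns(IGNORE_TEXT)

if __name__ == "__main__":
    # Constructed sample URLs exercising each verdict, including the
    # unanchored 'banner' entry accidentally catching a harmless page.
    for u in ["http://www.example.com/index.html",
              "http://www.example.com/setup.exe",
              "http://intranet.example.com/tools/setup.exe",
              "http://www.example.com/urbanner.html"]:
        print(u, "->", classify(u, DENY, IGNORE))
```

In this model `/index.html` is simply accepted because no deny entry matches it, which is the behaviour the post expected; an "invalid URL" response therefore has to originate from the URL parsing stage of the proxy rather than from the matcher lists. The last sample URL shows why deny entries should be anchored (for example `^http://[^/]*banner` or a full host expression) if the intent is to block a specific site rather than every path containing the word.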