[zorp-hu] zorp gpl default policy hole?

Gabor Halasz zorp-hu@lists.balabit.hu
Tue, 02 Nov 2004 14:14:16 +0100


Kerekes Gyula wrote:
>
> InetZone("Wan", "0.0.0.0/0",
>         inbound_services=[""],
>         outbound_services=["Http_S"])
>
> InetZone("Dmz", "192.168.1.0/24",
>         inbound_services=["Http_S"],
>         outbound_services=[])
>
> This way the Http_S service can only go to 192.168.1.0/24 addresses (that is,
> into the Dmz zone).
>

I had already tried this once, but it was still useful, because I figured out
the cure :) The catch: some well-meaning soul mistyped the specification, the
dmz zone definition is wrong (only the http traffic is routed to another net,
to make it harder to notice); with a 23-bit mask it works.

Thanks.

As a lesson learned: error messages like these are somewhat misleading:

Nov  2 14:05:29 firewall fromWan[28899]: (fromWan@zorp@firewall.domain.hu/Http_S:0/http): Proxy starting; class='Http_C', module='http'
Nov  2 14:05:29 firewall fromWan[28906]: (fromWan@zorp@firewall.domain.hu/Http_S:0/http): Accounting; command='GET', url='http://www.domain.hu/'
Nov  2 14:05:29 firewall fromWan[28906]: (fromWan@zorp@firewall.domain.hu/Http_S:0): Inbound service not permitted; service='Http_S', zone='Zone(Wan, 0.0.0.0/0)'
Nov  2 14:05:29 firewall fromWan[28906]: (fromWan@zorp@firewall.domain.hu/Http_S:0/http): DAC policy violation; info='None'
Nov  2 14:05:29 firewall fromWan[28899]: (fromWan@zorp@firewall.domain.hu/Http_S:0/http): Proxy ending; class='Http_C', module='http'

I understand why it logs this; it just does little to help solve the problem.


-- 
Gabor HALASZ <halasz.g@freemail.hu>
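An added example (my own code, not Zorp's and not from the thread) that models the zone lookup behind the log above: with the Dmz defined as 192.168.1.0/24, a server outside that prefix falls into the 0.0.0.0/0 Wan zone, whose inbound list does not contain Http_S, so the check fails with exactly the "Inbound service not permitted ... Zone(Wan, 0.0.0.0/0)" reason; with the /23 it passes. The client and server addresses are constructed; the zone definitions are the ones quoted in the thread.

```python
import ipaddress

# Added example, not Zorp's own code: a minimal model of zones with
# inbound/outbound service lists, enough to reproduce the thread's
# "Inbound service not permitted; ... zone='Zone(Wan, 0.0.0.0/0)'" outcome.

class InetZone:
    def __init__(self, name, network, inbound_services=(), outbound_services=()):
        self.name = name
        # strict=False lets "192.168.1.0/23" be written as in the thread
        # (it normalises to 192.168.0.0/23).
        self.network = ipaddress.ip_network(network, strict=False)
        self.inbound_services = set(inbound_services)
        self.outbound_services = set(outbound_services)

    def __str__(self):
        return f"Zone({self.name}, {self.network})"

def find_zone(zones, address):
    """Most specific (longest prefix) zone containing the address, or None."""
    addr = ipaddress.ip_address(address)
    matches = [z for z in zones if addr in z.network]
    return max(matches, key=lambda z: z.network.prefixlen) if matches else None

def check_service(zones, service, client_ip, server_ip):
    """Return (allowed, reason): the client's zone must list the service as
    outbound and the server's zone must list it as inbound."""
    src = find_zone(zones, client_ip)
    dst = find_zone(zones, server_ip)
    if src is None or service not in src.outbound_services:
        return False, f"Outbound service not permitted; service='{service}', zone='{src}'"
    if dst is None or service not in dst.inbound_services:
        return False, f"Inbound service not permitted; service='{service}', zone='{dst}'"
    return True, f"permitted; {src} -> {dst}"

def policy(dmz_network):
    """The two zones quoted in the thread; only the Dmz prefix varies."""
    return [
        InetZone("Wan", "0.0.0.0/0", inbound_services=[""], outbound_services=["Http_S"]),
        InetZone("Dmz", dmz_network, inbound_services=["Http_S"], outbound_services=[]),
    ]

if __name__ == "__main__":
    web_server = "192.168.0.10"  # constructed: inside the /23 but outside 192.168.1.0/24
    client = "198.51.100.7"      # constructed: an arbitrary Wan address
    for mask in ("192.168.1.0/24", "192.168.1.0/23"):
        allowed, reason = check_service(policy(mask), "Http_S", client, web_server)
        print(f"Dmz={mask}: {reason}")
```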