[zorp-hu] zorp 3.3.6 + libzorpll 3.3.0.12 + Debian 6.0 again

Nyika Csaba csabany at freemail.hu
Wed, 9 Mar 2011, 09:24:19 CET


Hi all!

I wanted to try the setup above - freely following Barina Tamas - but I got stuck.
I installed the packages, then I too ran into the Python error, which the patch published by Kovacs Krisztian solved.
So zorp does start and the transparent http proxy works great, but I can't get anywhere with https.
My configs are the following:

ip + iptables:

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket --dport 433 -j DIVERT
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j TPROXY --on-port 50443 --on-ip 172.16.16.1 --tproxy-mark 0x1/0x1
iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A DIVERT -j ACCEPT


policy.py

from Zorp.Core import *
from Zorp.Http import *
from Zorp.Pssl import *

# defining the intranet zone, we only allow http connection from this zone
InetZone("intranet", "172.16.16.0/24",
         outbound_services=["intra_https"],
         inbound_services=[])

# the internet zone, we do not allow any connection from this zone (coming "out" from this zone,
# that's why outbound_services is empty)
InetZone("internet", "0.0.0.0/0",
         inbound_services=["*"],
         outbound_services=[])


class MyHttpsProxy(HttpProxy):
    def config(self):
        HttpProxy.config(self)

        # client (browser) side: accept any client, force SSL on the connection
        self.ssl.client_verify_type = SSL_VERIFY_NONE
        self.ssl.client_connection_security = SSL_FORCE_SSL
        # server side: force SSL, verify the server certificate against ca.d
        self.ssl.server_connection_security = SSL_FORCE_SSL
        self.ssl.server_ca_directory = '/etc/zorp/ca.d/'
        self.ssl.server_ssl_method = SSL_METHOD_ALL

        self.ssl.server_verify_type = SSL_VERIFY_REQUIRED_UNTRUSTED
        self.ssl.server_disable_proto_sslv2 = TRUE
        self.ssl.server_ssl_cipher = SSL_CIPHERS_HIGH
        # certificate/key presented to the client
        self.ssl.client_key_file = '/etc/zorp/https/server.key'
        self.ssl.client_cert_file = '/etc/zorp/https/server.crt'

        self.stack_proxy = HttpProxy

def zorp_https():
    Service("intra_https", proxy_class=MyHttpsProxy,
            router=TransparentRouter(overrideable=FALSE, forge_addr=TRUE))
    Listener(bindto=SockAddrInet("172.16.16.1", 50443), service="intra_https",
             transparent=TRUE, threaded=FALSE, backlog=255)


log output:

Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.debug(0): (nosession): Starting up; verbose_level='5', version='3.3.6', startup_id='1299657285'
Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.debug(5): (nosession): Outbound service; zone='intranet', service='intra_http'
Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.debug(5): (nosession): Outbound service; zone='intranet', service='intra_https'
Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.debug(5): (nosession): Inbound service; zone='internet', service='*'
Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.info(4): (nosession): Interface added; if_index='1', if_name='lo', if_flags='73'
Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.info(4): (nosession): Interface added; if_index='2', if_name='eth0', if_flags='4098'
Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.info(4): (nosession): Interface added; if_index='3', if_name='eth1', if_flags='4098'
Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.info(4): (nosession): Interface added; if_index='4', if_name='eth2', if_flags='4098'
Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.info(4): (nosession): Interface added; if_index='5', if_name='eth3', if_flags='4163'
Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.info(4): (nosession): Interface added; if_index='6', if_name='eth4', if_flags='4163'
Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.info(4): (nosession): Address added to interface; if_name='lo', if_addr='127.0.0.1'
Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.info(4): (nosession): Address added to interface; if_name='eth3', if_addr='10.10.67.1'
Mar  9 08:54:45 firewallnew zorp/zorp_https[8165]: core.info(4): (nosession): Address added to interface; if_name='eth4', if_addr='172.16.16.1'
Mar  9 08:55:37 firewallnew zorp/zorp_https[8165]: core.info(4): (nosession): Interface info updated; if_index='6', if_name='eth4', if_flags='0x1043', if_group='0x0'
Mar  9 08:55:44 firewallnew zorp/zorp_https[8165]: core.accounting(4): (szig/conn:0/stream): accounting info; type='ZStreamFD', duration='0', sent='11', received='37'
Mar  9 08:55:44 firewallnew zorp/zorp_https[8165]: core.accounting(4): (szig/conn:0/stream): accounting info; type='ZStreamBuf', duration='0', sent='0', received='0'
Mar  9 08:55:44 firewallnew zorp/zorp_https[8165]: core.accounting(4): (szig/conn:0/stream): accounting info; type='ZStreamLine', duration='0', sent='11', received='36'

If anyone has a tip, I'd be grateful!

Thanks, Nyika Csaba
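An added consistency check over the TPROXY rules and the Zorp Listener above (example code written for this page, not from the post or from Zorp): it parses the TPROXY rule, the `-m socket` DIVERT rule and the Listener's bind address, and reports a TPROXY destination port that no socket-match rule covers, or an --on-ip/--on-port pair with no Listener bound to it. The sample input is a constructed copy of the rules and Listener line from the post.

```python
import re

# Constructed sample input: the mangle rules and the Listener from the post.
MANGLE_RULES = """
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket --dport 433 -j DIVERT
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j TPROXY --on-port 50443 --on-ip 172.16.16.1 --tproxy-mark 0x1/0x1
iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A DIVERT -j ACCEPT
"""
POLICY = """
Listener(bindto=SockAddrInet("172.16.16.1",50443), service="intra_https", transparent=TRUE, threaded=FALSE, backlog=255)
"""

TPROXY_RE = re.compile(r"--dport (\d+) .*-j TPROXY --on-port (\d+) --on-ip (\S+)")
SOCKET_RE = re.compile(r"-m socket(?: --dport (\d+))?")
LISTENER_RE = re.compile(r'SockAddrInet\("([^"]+)",\s*(\d+)\)')


def parse_tproxy(rules):
    """Return (dport, on_ip, on_port) for every TPROXY rule in the rule text."""
    return [(int(d), ip, int(p)) for d, p, ip in TPROXY_RE.findall(rules)]


def parse_socket_ports(rules):
    """Destination ports covered by '-m socket' rules; None means every port."""
    return {int(p) if p else None for p in SOCKET_RE.findall(rules)}


def parse_listeners(policy):
    """(ip, port) pairs that the policy binds a Listener to."""
    return {(ip, int(port)) for ip, port in LISTENER_RE.findall(policy)}


def check(rules, policy):
    """Return a list of mismatches between the iptables rules and the policy."""
    problems = []
    socket_ports = parse_socket_ports(rules)
    listeners = parse_listeners(policy)
    for dport, on_ip, on_port in parse_tproxy(rules):
        # packets of already-diverted sockets are only marked if a socket match covers the port
        if None not in socket_ports and dport not in socket_ports:
            problems.append("no '-m socket' rule covers dport %d" % dport)
        # TPROXY redirects to on_ip:on_port, so something must listen there
        if (on_ip, on_port) not in listeners:
            problems.append("no Listener bound to %s:%d" % (on_ip, on_port))
    return problems
```

On the posted rules the check flags the 433/443 mismatch of the socket-match rule; the Listener and the --on-ip/--on-port pair agree.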




More information about the zorp-hu mailing list