From chrishuff@home.com Fri, 6 Jul 2001 19:13:11 -0700
Date: Fri, 6 Jul 2001 19:13:11 -0700
From: Chris H chrishuff@home.com
Subject: [zorp] Hi... Installing on OpenBSD 2.7
Hello:
I'm installing zorp on openbsd. Any requests (or hints;) other than the freebsd tips in a prior posting?
http://lists.balabit.hu/pipermail/zorp/2001-May/000066.html
I'll post info (dmesg, etc...) after.
--CH
From bazsi@balabit.hu Fri, 6 Jul 2001 09:21:37 +0200
Date: Fri, 6 Jul 2001 09:21:37 +0200
From: Balazs Scheidler bazsi@balabit.hu
Subject: [zorp] Hi... Installing on OpenBSD 2.7
On Fri, Jul 06, 2001 at 07:13:11PM -0700, Chris H wrote:
> Hello:
>
> I'm installing zorp on openbsd. Any requests (or hints;) other than the freebsd tips in a prior posting?
> http://lists.balabit.hu/pipermail/zorp/2001-May/000066.html
>
> I'll post info (dmesg, etc...) after.
As ipfilter is available, there should be no other compilation problems.
However, source address spoofing (when the firewall spoofs the address of the
original client) won't work.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From bazsi@balabit.hu Wed, 18 Jul 2001 13:03:30 +0200
Date: Wed, 18 Jul 2001 13:03:30 +0200
From: Balazs Scheidler bazsi@balabit.hu
Subject: [zorp] Re: Supported OS' for Zorp firewall
On Wed, Jul 18, 2001 at 11:03:35AM +0200, Andreas Pauley wrote:
> Hi,
> I would like to know on what Operating Systems will Zorp run.
> Are FreeBSD and OpenBSD supported?
0.9.1 was successfully compiled under FreeBSD; however, only TCP-based
proxying works: forging TCP source addresses and UDP connection tracking
don't.
The core of Zorp is quite platform independent, but some features require
platform dependent functions, which are either not implemented under *BSD,
or we don't know how they can be used.
Works:
* redirection via ipfw or ipfilter; Zorp finds the original destination
(requires the --enable-ipfilter configure option)
Doesn't work:
* setting the outgoing source IP address of TCP connections (required when
you want to send real client IPs to a server in your protected zone)
* intercepting connections without a REDIRECT rule (used by the FTP proxy when
the data channel is established)
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From bazsi@balabit.hu Wed, 18 Jul 2001 10:30:26 +0200
Date: Wed, 18 Jul 2001 10:30:26 +0200
From: Balazs Scheidler bazsi@balabit.hu
Subject: [zorp] Re: query abort zorp firewall suite?
On Wed, Jul 18, 2001 at 09:52:57AM +0800, Wang Huayong wrote:
> Dear sir or madam,
> Sorry to disturb you. I am very interested in your product Zorp
> firewall suite. I want to know if it can be installed on Linux. I met
> trouble when compiling the src on Linux. Thank you for your help.
Zorp was developed under Debian GNU/Linux and compiling it requires a couple
of packages:
python-1.5.2
python-dev 1.5.2
python-extclass 1.2
libcap 1.10 (available from our web site)
libglib 1.3.1 (available from our web site)
openssl 0.9.5 or later
libssl095 and libssl095-dev
If you have installed all of these and still can't compile zorp, the error
message would be useful.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
From endre.wagner@dataware.debis.hu Thu, 26 Jul 2001 16:12:10 +0200
Date: Thu, 26 Jul 2001 16:12:10 +0200
From: endre.wagner@dataware.debis.hu endre.wagner@dataware.debis.hu
Subject: [zorp] Zorp IDS functionality?
Hello!
I have a little question.
Is it possible to lock out an IP address from the communication for a
while, if Zorp detects that some error is repeated in the communication?
(For example: there is a web server in the DMZ. The "bad guy" tries some evil URL,
and for the first x times the web server says some error, before the "bad
guy" finds a hole. Zorp detects the "error" answers from the web server and
closes the communication with the "bad guy"'s IP address for a "configurable
time", if x > "a configurable parameter".)
So, I think it is possible with Zorp, but I have very limited Python
programming skill. So could anybody write an example policy.py???
Edge
From bazsi@balabit.hu Thu, 26 Jul 2001 18:07:17 +0200
Date: Thu, 26 Jul 2001 18:07:17 +0200
From: Balazs Scheidler bazsi@balabit.hu
Subject: [zorp] Zorp IDS functionality
> Hello!
>
> I have a little question.
>
> Is it possible to lock out an IP address from the communication for a
> while, if Zorp detects that some error is repeated in the communication?
> (For example: there is a web server in the DMZ. The "bad guy" tries some evil URL,
> and for the first x times the web server says some error, before the "bad
> guy" finds a hole. Zorp detects the "error" answers from the web server and
> closes the communication with the "bad guy"'s IP address for a "configurable
> time", if x > "a configurable parameter".)
>
> So, I think it is possible with Zorp, but I have very limited Python
> programming skill. So could anybody write an example policy.py???
Of course it is possible ;) First of all you must define who a bad guy is:
someone posting requests frequently with non-200 return codes (the OK return
code in HTTP), or someone posting suspicious filenames (containing
/etc/passwd for example). Once this is defined, you have to hook into
the appropriate events.
Afterwards you will need a hash table containing bad guys. The index will be
the IP address, and the value is the number of times that given IP address
did something bad.
Each suspicious event increments this value, and once it reaches a
threshold, further requests should be denied. An additional control should
be added to decrement this threshold, for example by 1% each minute.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
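As an added example (not Zorp code, and not the project's policy.py API), the counting-and-decay scheme from the reply above written as a standalone Python class that a policy's request/response hooks could call; the threshold value, the 1%-per-minute decay and the sample IPs are assumptions, and the `now` timestamp is passed in explicitly so the logic can be exercised offline.

```python
import time

# Added illustration, not Zorp's own API: the "bad guy" hash table from the
# reply. Keyed by client IP; each suspicious event adds one point; the score
# decays by DECAY_PER_MINUTE (the suggested 1% per minute); while the score is
# at or above THRESHOLD, requests from that IP are denied.
THRESHOLD = 10                           # assumed value, configurable
DECAY_PER_MINUTE = 0.01                  # 1% forgiven each minute
SUSPICIOUS_PATTERNS = ("/etc/passwd",)   # suspicious filename named in the reply

class BadGuyTable:
    def __init__(self, threshold=THRESHOLD, decay=DECAY_PER_MINUTE):
        self.threshold = threshold
        self.decay = decay
        self.scores = {}  # ip -> (score, timestamp of last update)

    def _score(self, ip, now):
        """Current score for ip with the time-based decay applied."""
        score, last = self.scores.get(ip, (0.0, now))
        minutes = max(0.0, (now - last) / 60.0)
        return score * (1.0 - self.decay) ** minutes

    def record(self, ip, now=None):
        """Register one suspicious event for ip; returns the new score."""
        now = time.time() if now is None else now
        score = self._score(ip, now) + 1.0
        self.scores[ip] = (score, now)
        return score

    def is_denied(self, ip, now=None):
        now = time.time() if now is None else now
        return self._score(ip, now) >= self.threshold

def is_suspicious(url, status_code):
    """The two heuristics from the reply: non-200 answer or a suspicious path."""
    return status_code != 200 or any(p in url for p in SUSPICIOUS_PATTERNS)

def process_request(table, ip, url, status_code, now=None):
    """Deny while ip is locked out; otherwise count the event and allow."""
    now = time.time() if now is None else now
    if table.is_denied(ip, now):
        return "deny"
    if is_suspicious(url, status_code):
        table.record(ip, now)
    return "allow"
```

In a real policy the table would be consulted from the proxy's request and response event handlers, and stale entries should be purged periodically so the dictionary cannot grow without bound under a scan from many addresses.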