[zorp] Re: Desperately needs your help(Listener Syntax Error)

Balazs Scheidler bazsi@balabit.hu
Fri, 29 Jun 2001 21:35:30 +0200


Hello,

I'm Cc:-ing this message to the zorp mailing list as well.

On Tue, Jun 26, 2001 at 02:38:42PM +0000, sameer multani wrote:
> 
> I want to configure zorp to connect to my ftp server 192.168.91.14 in DMZ 
> from internet m/c 202.60.30.2
> 
> My firewall internet interface is 202.60.30.1
> My firewall DMZ interface is 192.168.91.23
> 
> When i use DirectedChainer it gives me error at Listener(..) function.
> While if i replace it with TransparentChainer it gives no error.
> Zorp Ftp Proxy starts and asks for the authentication and after entering the 
> username and password in logs it says
> 
> dropped line USER sameer and stops Ftp Proxy.
> 
> My Linux box has no ftp server running.
> 
> Can you tell me where am i going wrong?


I cleaned up your policy.py file (removed comments remaining from the sample
policy). I marked my changes.

#
# sample firewall policy with transparent access to FTP, HTTP and CVS
# protocols.
# For FTP and HTTP we use application level gateways, for CVS we use a plug.
# (as long as CVS protocol proxy is not available)
#
# firewall internal network: 192.168.91.0/24
# firewall internal interface: 192.168.91.23
# firewall external interface: 202.60.30.1

from Zorp.Zorp import *
from Zorp import Zorp
from Zorp.Zone import InetZone
from Zorp.Service import Service
from Zorp.SockAddr import SockAddrInet
from Zorp.Chainer import TransparentChainer, DirectedChainer, InbandChainer, FailoverChainer
from Zorp.Plug import PlugProxy
from Zorp import Http
from Zorp.Http import HttpProxy
from Zorp.Ftp import FtpProxyAllow, FtpProxyMinimal, FtpProxy
from Zorp.Listener import Listener

Zorp.firewall_name = 'sameer@firewall'

# the service names listed for a zone must match the names given to
# Service() below ("itodftp" / "dtoiftp", without the underscore)
InetZone("dmz", "192.168.91.0/24",
    inbound_services=["itodftp"],
    outbound_services=["dtoiftp"])

InetZone("internet", "0.0.0.0/0",
    inbound_services=["*"],
    outbound_services=["*"])

class dtoi_ftp(FtpProxyAllow):

    def config(self):
        FtpProxyAllow.config(self)
        #self.transparent_mode = TRUE
        # the following two lines are not needed
        # for zorp later than 0.8.x,
        # ip addresses are automatically determined
        #self.fw_server_data.ip_s = "202.60.30.1"
        #self.fw_client_data.ip_s = "192.168.91.23"


class itod_ftp(FtpProxyAllow):

    def config(self):
        FtpProxyAllow.config(self)
        #self.transparent_mode = FALSE
        # I commented these out, just like the previous ones
        #self.fw_server_data.ip_s = "192.168.91.23"
        #self.fw_client_data.ip_s = "202.60.30.1"

# although def init() can still be used, the recommended way is
# to use def _instance_name(), so I changed the definition below
# zorp is the default instance name.

def zorp():
    # create services

    # this assignment is not needed, again a change between
    # 0.6.x and 0.8.x, services are simply identified by their
    # name.

    # dtoiftp = \
    Service("dtoiftp", TransparentChainer(), dtoi_ftp)

    # itodftp = \
    # note the closing parenthesis after the SockAddrInet(...) argument of
    # DirectedChainer(): without it Python only reports a syntax error on
    # the Listener line below
    Service("itodftp", DirectedChainer(SockAddrInet("192.168.91.14", 21)), itod_ftp)

    #Service("itodftp", TransparentChainer(), itod_ftp)

    Listener(SockAddrInet("202.60.30.1", 21), "itodftp")
    Listener(SockAddrInet("192.168.91.23", 21), "dtoiftp")


--- end of policy ---

This policy file should work now. If you have a problem (an error message
for example), please send me the traceback (it is sent to the syslog).

Zorp can work both in transparent and in non-transparent mode. Your proxies
are configured in transparent_mode (the default setting), and you are
listening on port 21.

If you want transparent mode (when you simply connect to the ftp server from
the client, without first having to connect to the proxy), you should listen
on a port other than 21, and redirect traffic going through your firewall to
your local listener using ipchains.

For example:

we listen on port 50021:
        Listener(SockAddrInet("192.168.91.23", 50021), "dtoiftp")

and we use this ipchains rule to redirect traffic:

	ipchains -A input -i <DMZ interface> -p tcp -s 192.168.91.0/24 ! -d 192.168.91.23 21 -j REDIRECT 50021

(similarly in the other direction)

For this to work, you'll have to enable IP forwarding in your kernel (and
place a default DENY in your FORWARD chain). Other suggested IP stack settings:

rp_filter off (substitute with appropriate ipchains rules)
ip_dynaddr off
ip_forward on
tcp_keepalive_*  set to a short timeout, and small number of probes

You might need to increase the number of file descriptors, and number of
processes in your kernel, otherwise you might run out of them quite quickly.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
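An added example, not code from Zorp or from this reply: a small consistency check that parses a policy.py with Python's ast module (so Zorp need not be installed) and reports service names that InetZone() or Listener() reference but no Service() defines, plus listeners on port 21, which per the advice above only fit a non-transparent proxy. The embedded policy fragment is constructed for the check, and the Zorp call shapes it assumes are the ones used in the policy above.

```python
import ast

# Constructed sample policy (not the poster's file): one zone refers to a
# service name that no Service() defines, and a transparent-mode listener
# sits on port 21, the two things the reply above tells the poster to check.
SAMPLE_POLICY = '''
InetZone("dmz", "192.168.91.0/24",
    inbound_services=["itod_ftp"], outbound_services=["dtoiftp"])
InetZone("internet", "0.0.0.0/0", inbound_services=["*"], outbound_services=["*"])
def zorp():
    Service("dtoiftp", TransparentChainer(), dtoi_ftp)
    Service("itodftp", DirectedChainer(SockAddrInet("192.168.91.14", 21)), itod_ftp)
    Listener(SockAddrInet("202.60.30.1", 21), "itodftp")
    Listener(SockAddrInet("192.168.91.23", 50021), "dtoi_ftp")
'''
def _callee(node):
    # name of the called function, for plain Name and Attribute callees
    return getattr(node.func, "id", None) or getattr(node.func, "attr", None)
def check_policy(src):
    """Cross-check the service names used by InetZone() and Listener()
    against the Service() definitions; return a list of problem strings."""
    services, zone_refs, listeners = set(), [], []
    for node in ast.walk(ast.parse(src)):   # parse only, nothing is executed
        if not isinstance(node, ast.Call):
            continue
        name = _callee(node)
        if name == "Service" and node.args:
            services.add(ast.literal_eval(node.args[0]))
        elif name == "InetZone" and node.args:
            zone = ast.literal_eval(node.args[0])
            for kw in node.keywords:
                if kw.arg in ("inbound_services", "outbound_services"):
                    zone_refs.extend((zone, kw.arg, s) for s in ast.literal_eval(kw.value))
        elif name == "Listener" and len(node.args) == 2:
            addr, port = node.args[0], None
            if isinstance(addr, ast.Call) and len(addr.args) > 1:
                port = ast.literal_eval(addr.args[1])   # SockAddrInet(ip, port)
            listeners.append((port, ast.literal_eval(node.args[1])))
    problems = []
    for zone, direction, svc in zone_refs:
        if svc != "*" and svc not in services:
            problems.append("zone %s %s: unknown service %r" % (zone, direction, svc))
    for port, svc in listeners:
        if svc not in services:
            problems.append("Listener for unknown service %r" % svc)
        if port == 21:
            problems.append("Listener for %r on port 21: transparent mode needs "
                            "another port plus an ipchains REDIRECT" % svc)
    return problems
```

Running check_policy(SAMPLE_POLICY) flags the misspelled "itod_ftp" zone reference, the "dtoi_ftp" listener reference and the port-21 listener; a policy whose names all line up and whose listeners avoid port 21 yields an empty list.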