[zorp] zorp & debian sid

Alexandru Hartmann alex@nimic.net
Mon, 25 Nov 2002 15:09:03 +0100


Hi,

thanks for the prompt response, i'll look into it. 

On Monday 25 November 2002 10:29, Balazs Scheidler wrote:
> Hi,
>
> On Sat, Nov 23, 2002 at 12:14:27PM +0100, Alexandru Hartmann wrote:
> > i just installed zorp on a debian sid box, did some configuration and
> > tried to fire it up:
> > - -------------------------
> > # /etc/init.d/zorp start
> > Warning: The number of file descriptors is 1024. You might want to
> > increase this.
> > /usr/sbin/zorpctl: line 100: [: unlimited: integer expression expected
> > Starting Zorp Firewall Suite: zorp
> > - --------------------------
> >
> > should i really increase that ?
>
> It depends on the number of parallel sessions you want to be able to serve
> on your firewall...
>
> Each session needs at least two fds (one for the client side, one for the
> server side), but some of the proxies need even more.
>
> > and here is the output of syslog:
> > - ---------------------------
> > Nov 23 11:53:35 xxxxxxx zorp[4575]: (noname/nosession): Verbosity level: 3
> > Nov 23 11:53:35 xxxxxxx zorp[4577]: (Log thread): thread starting;
> > Nov 23 11:53:35 xxxxxxx zorp[4575]: (noname/nosession): System dependant init; sysdep_tproxy='1'
> > Nov 23 11:53:35 xxxxxxx zorp[4575]: (noname/nosession): Changing process
> > capabilities; caps='= cap_net_bind_service+ep cap_net_admin+p'
> > Nov 23 11:53:35 xxxxxxx zorp[4575]: (noname/nosession): Changing process
> > capabilities; caps='= cap_net_bind_service,cap_net_admin+ep'
> > Nov 23 11:53:35 xxxxxxx zorp[4575]: (noname/nosession): bind() failed;
> > error='No such file or directory'
> > Nov 23 11:53:35 xxxxxxx zorp[4575]: (noname/nosession): Resetting process
> > capabilities; caps='= cap_net_bind_service,cap_net_admin+p'
> > Nov 23 11:53:35 xxxxxxx zorp[4580]: (conntrack/thread): thread starting;
> > Nov 23 11:53:35 xxxxxxx zorp[4575]: zorp version 2.0pre25 starting up
> > Nov 23 11:53:35 xxxxxxx zorp[4577]: (Log thread): Traceback (most recent
> > call last):
> > Nov 23 11:53:35 xxxxxxx zorp[4575]: (zorp/nosession): Error opening
> > policy file /etc/zorp/policy.py
> > Nov 23 11:53:35 xxxxxxx zorp[4577]: (Log thread):   File
> > "/etc/zorp/policy.py", line 25, in ?
> > Nov 23 11:53:35 xxxxxxx zorp[4575]: zorp version 2.0pre25 going down.
> > Nov 23 11:53:35 xxxxxxx zorp[4577]: (Log thread):     from Zorp.Chainer import TransparentChainer, DirectedChainer, InbandChainer, FailoverChainer
> > Nov 23 11:53:35 xxxxxxx zorp[4577]: (Log thread): ImportError: cannot import name TransparentChainer
> > - -----------------------------
> >
> > it seems to me that i'm missing some modules. the file
> > /etc/zorp/policy.py is there :
> > total 24
> > - -rw-r--r--    1 root     root          652 Nov 23 11:31 instances.conf
> > - -rw-r--r--    1 root     root          618 Nov 21 11:03 instances.conf.sample
> > - -rw-r--r--    1 root     root         4947 Nov 23 11:53 policy.py
> > - -rw-r--r--    1 root     root         4987 Nov 21 11:03 policy.py.sample
> > could it be that i'm missing some modules ? the truth is
> > that i don't have any TransparentChainer.py nor DirectedChainer.py in
> > /usr/share/zorp. does anybody have some hints for me ?
>
> The policy.py.sample file is completely out of date. Here's an updated
> policy.py.sample, this one actually starts on my box here.
>
> ############################################################################
> ##
> ## Copyright (c) 2000-2001 BalaBit IT Ltd, Budapest, Hungary
> ## All rights reserved.
> ##
> ## $Id: policy.py.sample,v 1.13 2001/02/12 12:09:53 bazsi Exp $
> ##
> ############################################################################
>
> #
> # sample firewall policy with transparent access to FTP, HTTP and CVS
> # protocols. For FTP and HTTP we use application level gateways, for CVS we
> # use a plug (as long as a CVS protocol proxy is not available).
> #
> # firewall internal network: 192.168.1.0/24
> # firewall internal interface: 192.168.1.1
> # firewall external interface: 193.225.235.6
> #
>
> from Zorp.Core import *
> from Zorp.Plug import *
> from Zorp.Http import *
> from Zorp.Ftp import *
>
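> Zorp.firewall_name = 'zorp@site'
>
> # Zone definitions. As the comments in the sample put it, outbound_services
> # is the list of services allowed out of the zone and inbound_services the
> # list of services allowed into it; '*' matches anything.
> # NOTE(review): the "internet" zone below covers 0.0.0.0/0 and accepts '*'
> # inbound, so the only thing limiting what leaves site-net is its own
> # outbound_services list -- keep that list tight in a deployed policy.
> # (The original sample ended the first two calls with a stray trailing
> # comma, which silently turned the three calls into one tuple expression;
> # the zones were still created, but the commas are dropped here.)
> InetZone("site-net", "192.168.1.0/24",
>          # list of allowed outbound services, '*' matches anything
>          outbound_services=["intra_http", "intra_ftp", "intra_cvs"],
>
>          # list of allowed inbound services, '*' matches anything
>          inbound_services=[])
>
> InetZone("local", "127.0.0.0/8",
>          inbound_services=["*"],
>          outbound_services=[])
>
> InetZone("internet", "0.0.0.0/0",
>          inbound_services=["*"],
>          outbound_services=[])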
>
> #
> # Here's a proxy event handler definition. We are deriving from a
> # simple plug proxy, which is blindly copying in both directions.
> #
> # Instances of this class represent a "plug proxy". For a complete
> # documentation for the features and available attributes of plug see the
> # file /doc/modules/plug.txt
> #
>
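> class IntraCvs(PlugProxy):
>     """Plug proxy for the CVS service.
>
>     Copies data in both directions without inspecting it and logs traffic
>     statistics every packet_stats_interval packets (see packetStats).
>     """
>
>     def config(self):
>         """The config event is sent in configuration state; some attributes
>         can only be set here."""
>         # Run the base class configuration first, as the HTTP and FTP
>         # proxies in this policy do (the original sample skipped this).
>         PlugProxy.config(self)
>
>         # uncommenting this would make this plug one-way only (server->client)
>         # self.copy_to_server = FALSE
>         # same, but client->server copying would only be performed
>         # self.copy_to_client = FALSE
>
>         # packetStats is invoked after this many packets
>         self.packet_stats_interval = 100
>
>     def startUp(self):
>         """startUp is called after configuration, but before any data
>         is transferred."""
>         # nothing to do yet
>         pass
>
>     def shutDown(self):
>         """Called just before terminating the proxy."""
>         pass
>
>     def packetStats(self, client_bytes, client_pkt, server_bytes, server_pkt):
>         """Plug sends this event after self.packet_stats_interval packets
>         have been transferred.
>
>         Logs both directions at 'plug.debug' level 3 and returns 1 (the value
>         the original sample returned; presumably "keep going" -- confirm
>         against the plug documentation).
>         """
>         # report traffic information; bandwidth_to_client/_server are
>         # attributes supplied by the plug proxy, not set in this policy
>         proxyLog(self, 'plug.debug', 3, "server->client: packet=%d, bytes=%d, bandwidth=%f" % (client_pkt, client_bytes, self.bandwidth_to_client))
>         proxyLog(self, 'plug.debug', 3, "client->server: packet=%d, bytes=%d, bandwidth=%f" % (server_pkt, server_bytes, self.bandwidth_to_server))
>         return 1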
>
>
> #
> # Let's define a transparent http proxy, which rewrites the user_agent
> # header to something different.
> #
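> class IntraHttp(HttpProxy):
>     """Transparent HTTP proxy that rewrites the User-Agent request header
>     and routes GET requests through the filterURL policy callback."""
>
>     def config(self):
>         """Configure the proxy; runs HttpProxy's own config first."""
>         HttpProxy.config(self)
>         self.transparent_mode = TRUE
>         # replace whatever User-Agent the client sent with a fixed value
>         self.request_headers["User-Agent"] = (HTTP_HDR_CHANGE_VALUE, "Lynx/2.8.3rel.1")
>         # only GET is routed through filterURL; other methods keep whatever
>         # request policy HttpProxy applies by default
>         self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)
>         # self.parent_proxy = "proxy.site.net"
>         # self.parent_proxy_port = 3128
>         # self.timeout = 60000
>         # self.max_keepalive_requests = 10
>
>     def filterURL(self, method, url, version):
>         """Request policy callback for GET: log the request and accept it.
>
>         Return HTTP_REQ_REJECT here to reject the request; change
>         self.request_url to redirect to another URL; set connection_mode to
>         HTTP_CONNECTION_CLOSE to force kept-alive connections to close.
>         """
>         # NOTE(review): the complete URL goes to syslog at level 3, so any
>         # query string (which may carry session tokens or credentials) is
>         # written to the log as well; consider logging only host/path.
>         log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url))
>         # The original sample fell off the end here (returned None); state
>         # the accept verdict explicitly so the decision is visible.
>         # NOTE(review): confirm HTTP_REQ_ACCEPT is the verdict your Zorp
>         # version expects from an HTTP_REQ_POLICY callback.
>         return HTTP_REQ_ACCEPT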
>
> class IntraFtp(FtpProxy):
>     """FTP proxy with the stock FtpProxy configuration and no
>     policy-specific settings."""
>
>     def config(self):
>         """Delegate to FtpProxy's configuration unchanged."""
>         FtpProxy.config(self)
>
> #
> # name is passed to the Zorp instance with the --as command line option
> # you can use it to start different services for different names
> # In this simple policy we ignore it.
> #
> def init(name):
> 	"""Policy entry point called by Zorp.
>
> 	'name' is the instance name given with the --as option; this simple
> 	policy ignores it and always sets up the same services and listeners.
> 	"""
>
> 	# create services: each Service ties a service name used in the zone
> 	# lists above to the proxy class that handles it
> 	Service("intra_cvs", IntraCvs)
> 	Service("intra_http", IntraHttp)
> 	Service("intra_ftp", IntraFtp)
>
> 	# bind services to listeners
> 	# you'll need the packet filter to redirect these connections, and
> 	# to protect transparent listeners, since if you connect to
> 	# a transparent listener directly, Zorp reconnects to itself.
> 	# NOTE(review): the listeners bind to 192.168.1.1, the internal
> 	# interface address given in the header, so they are not bound on the
> 	# external address; blocking direct access to these ports is still the
> 	# packet filter's job, as the comment above says.
> 	Listener(SockAddrInet("192.168.1.1", 50080), "intra_http")
> 	Listener(SockAddrInet("192.168.1.1", 50021), "intra_ftp")
> 	Listener(SockAddrInet("192.168.1.1", 52401), "intra_cvs")