[zorp] zorp on a bridge

Balazs Scheidler zorp@lists.balabit.hu
Mon, 31 Mar 2003 11:24:23 +0200


On Mon, Mar 31, 2003 at 10:44:15AM +0200, Robert Penz wrote:
> On Saturday 29 March 2003 17:58, Tito Flagella wrote:
> > I had the same error due to the lack of the /var/run/zorp directory.
> created that directory and I didn't get those error messages anymore, thx.
> 
> > At least with my configuration zorp needed to do a UDP socket there.
> not really a socket but
> 
> debian:/var/run/zorp# l
> total 0
> srwxr-xr-x    1 root     root            0 Mar 31 10:38 zorpctl.extern
> srwxr-xr-x    1 root     root            0 Mar 31 10:38 zorpctl.intern
> 
> not very secure

These sockets are placeholders for IPC communication between Zorp and local
processes. For now they are not really used, the only possibility is to
query the running threads in a given instance.

The file permissions on the directory /var/run/zorp should be more
restrictive (e.g. 700); however, I'm adding a bug ticket to fix the file
permissions as well.


> 
> > > intern -v3 -p /etc/zorp/policy.py --autobind-ip autobind='1.1.1.1'
> > > extern -v3 -p /etc/zorp/policy.py --autobind-ip autobind='1.1.1.2'
> > Are you sure about the autobind syntax? We are using "-B 1.1.1.1", from
> > the usage info it would seem that you should use "--autobind-ip 1.1.1.1"
> I know also of the -B stuff, I can also take that one ;-)
> 
> > We are now using one of the server's ip, and I didn't observe any
> > difference from using a dummy interface.
> my problem is that a bridge has only one ip on all interfaces, and I believe I
> can only bind one instance to an ip.

No, the dummy IP can be shared among instances.

The dummy address is basically used for redirection to the local IP stack.
When Zorp wants to initiate a connection from a foreign IP address it binds
to the dummy interface and registers a NAT mapping between the local address
and the foreign address. So the only requirement is that autobind-ip is local
and definitely not 127.0.0.1.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
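A small audit script for the /var/run/zorp permission point raised in the thread above, added here as an example (it is not Zorp project code); it assumes GNU stat(1) on Linux and takes the directory to check as an argument.

```shell
#!/bin/sh
# Audit a Zorp runtime socket directory (default /var/run/zorp): the
# directory should be owner-only (0700) and none of the zorpctl.* unix
# sockets inside it should be group- or world-accessible.
# Added example, not part of Zorp; assumes GNU coreutils stat(1).
# Returns 0 if everything is restrictive, 1 on findings, 2 if dir is missing.

zorp_socket_dir_audit() {
    dir=${1:-/var/run/zorp}
    rc=0
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }

    # The directory itself should be mode 700 (as suggested in the thread).
    mode=$(stat -c '%a' "$dir")
    case "$mode" in
        *700) ;;
        *) echo "directory $dir has mode $mode, expected 700" >&2; rc=1 ;;
    esac

    # Every entry (e.g. zorpctl.extern, zorpctl.intern) must have zero
    # group and other bits; the srwxr-xr-x listing above would fail this.
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue
        emode=$(stat -c '%a' "$entry")
        case "$emode" in
            *00) ;;
            *) echo "$entry has mode $emode (group/other access)" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```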