[zorp] Python and Policy

Phil Moors zorp@lists.balabit.hu
Fri, 22 Oct 2004 15:33:03 -0400


I'm seeing 'import site failed' messages in the log when using zorpctl
to start an instance. I only have one version of python installed
(2.2.3). The zorp python lib seems to be found okay and the instance does
start.

Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Starting up;
verbose_level='100', version='2.1.8'
Oct 22 15:09:10 fw1 intra[6793]: (Log thread): thread starting;
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): System dependant
init; sysdep_tproxy='1'
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Start to listen;
fd='11'
Oct 22 15:09:10 fw1 intra[6796]: (conntrack/thread): thread starting;
Oct 22 15:09:10 fw1 intra[6791]: zorp version 2.1.8 starting up
Oct 22 15:09:10 fw1 intra[6793]: (Log thread): 'import site' failed; use
-v for traceback
Oct 22 15:09:10 fw1 intra[6793]: (Log thread): 'import site' failed; use
-v for traceback
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Zone(intra):
outbound service=intra_HTTP
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Zone(dmz): inbound
service=intra_HTTP
Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Zone(inter):
inbound service=intra_HTTP
Oct 22 15:09:10 fw1 intra[6791]: (intra@zorp): Dispatcher on address;
proto='1', local='AF_INET(192.168.115.45:50080)', prio='100'
Oct 22 15:09:10 fw1 intra[6791]: (intra@zorp/nosession): Start to
listen; fd='14'

When I send an http request out, I get the 'There was a problem
connecting to the host you specified' message returned. This is a very
simple policy (further below). The log reports 'Inbound service not
permitted'. When setting an outbound policy, is the return connection
automatically allowed?

Oct 22 15:29:38 fw2 priv[8970]: (priv@zorp/intra_HTTP:0): Starting proxy
instance; client_fd='15',
client_address='AF_INET(192.168.115.49:36435)', client_zone='Zone(priv,
192.168.0.0/16)', client_local='AF_INET(192.168.115.9:50080)'
Oct 22 15:29:38 fw2 priv[9002]: (priv@zorp/intra_HTTP:0): Inbound
service not permitted; service='intra_HTTP', zone='Zone(priv,
192.168.0.0/16)'
Oct 22 15:29:38 fw2 priv[9002]: (priv@zorp/intra_HTTP:0/http): DAC
policy violation; info='None'

For fun, I added inbound_services(["*"]) to the zone and got the
following repeated in the logs. Indeed, there were a lot of processes
running on the system.

Oct 22 15:24:26 fw2 priv[8739]: (priv@zorp/intra_HTTP:98): Starting
proxy instance; client_fd='407',
client_address='AF_INET(192.168.115.9:33167)', client_zone='Zone(priv,
192.168.0.0/16)', client_local='AF_INET(192.168.115.9:50080)'
Oct 22 15:24:26 fw2 priv[8739]: (priv@zorp/nosession): Too many running
threads, waiting for one to become free; num_threads='100',
max_threads='100'
Oct 22 15:24:26 fw2 priv[8869]: (priv@zorp/intra_HTTP:97/http): Server
connection established; server_fd='406',
server_address='AF_INET(192.168.115.9:50080)', server_zone='Zone(priv,
192.168.0.0/16)', server_local='AF_INET(192.168.115.9:33167)'

Policy.py
from Zorp.Core import *
from Zorp.Http import *

# Zone access lists: outbound_services = services that clients located in
# the zone may start; inbound_services = services whose server side may be
# located in the zone.
InetZone('priv', '192.168.0.0/16',
         outbound_services=['intra_HTTP'])
# dmz permits nothing inbound and lists no outbound services.
InetZone('dmz', '172.17.1.0/24',
         inbound_services=[])
# public is the catch-all (0.0.0.0/0) and accepts any service inbound.
InetZone('public', '0.0.0.0/0',
         inbound_services=["*"])

def priv():
    # HTTP proxy service, accepting clients on the priv-side address.
    Service('intra_HTTP', HttpProxy)
    Listener(SockAddrInet('192.168.115.9', 50080), 'intra_HTTP')

def dmz():
    pass

def public():
    pass

instances.conf
priv -v3 -p /usr/local/etc/zorp/policy.py --autobind-ip 1.2.3.4
public -v3 -p /usr/local/etc/zorp/policy.py --autobind-ip 1.2.3.4
dmz -v3 -p /usr/local/etc/zorp/policy.py --autobind-ip 1.2.3.4

Thanks,
Phil
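The following is an added example, not part of the post above and not Zorp's own code: a small stand-alone model of the two zone checks a session goes through, with the three zones from the posted policy.py. It assumes the usual Zorp semantics that the client's zone must list the service in outbound_services and the server's zone must list it in inbound_services, and that the most specific (longest prefix) zone containing an address wins. The sample sessions, the 172.17.1.10 and 198.51.100.7 addresses, and the "dmz allowed" variant of the zones are constructed for illustration.

```python
import ipaddress


class InetZone:
    """Minimal model (not Zorp's own class) of an InetZone.

    outbound_services: services that clients located in this zone may start.
    inbound_services:  services whose server side may be located in this zone.
    "*" stands for any service, as in the posted policy.
    """

    def __init__(self, name, cidr, inbound_services=(), outbound_services=()):
        self.name = name
        self.network = ipaddress.ip_network(cidr)
        self.inbound = set(inbound_services)
        self.outbound = set(outbound_services)

    def permits(self, direction, service):
        allowed = self.inbound if direction == "inbound" else self.outbound
        return "*" in allowed or service in allowed


def find_zone(zones, ip):
    """Most specific zone containing ip (longest prefix wins), or None."""
    addr = ipaddress.ip_address(ip)
    matches = [z for z in zones if addr in z.network]
    if not matches:
        return None
    return max(matches, key=lambda z: z.network.prefixlen)


def check_session(zones, service, client_ip, server_ip):
    """Evaluate both zone checks for one session; returns (permitted, reason).

    The client's zone must allow the service outbound AND the server's zone
    must allow it inbound; an outbound grant on the client side says nothing
    about the server side.
    """
    client_zone = find_zone(zones, client_ip)
    if client_zone is None or not client_zone.permits("outbound", service):
        return False, "Outbound service not permitted; service=%r, zone=%r" % (
            service, client_zone.name if client_zone else None)
    server_zone = find_zone(zones, server_ip)
    if server_zone is None or not server_zone.permits("inbound", service):
        return False, "Inbound service not permitted; service=%r, zone=%r" % (
            service, server_zone.name if server_zone else None)
    return True, "permitted; client_zone=%r, server_zone=%r" % (
        client_zone.name, server_zone.name)


# Zones exactly as in the posted policy.py.
POSTED_ZONES = [
    InetZone("priv", "192.168.0.0/16", outbound_services=["intra_HTTP"]),
    InetZone("dmz", "172.17.1.0/24", inbound_services=[]),
    InetZone("public", "0.0.0.0/0", inbound_services=["*"]),
]

# Assumed variant (not from the post): dmz also permits intra_HTTP inbound.
DMZ_ALLOWED_ZONES = [
    InetZone("priv", "192.168.0.0/16", outbound_services=["intra_HTTP"]),
    InetZone("dmz", "172.17.1.0/24", inbound_services=["intra_HTTP"]),
    InetZone("public", "0.0.0.0/0", inbound_services=["*"]),
]

# Constructed sample sessions (client, server). 192.168.115.49 and
# 192.168.115.9 are the addresses from the posted log; the rest are made up.
SAMPLE_SESSIONS = [
    ("192.168.115.49", "192.168.115.9"),   # priv -> priv, as in the log
    ("192.168.115.49", "172.17.1.10"),     # priv -> dmz
    ("192.168.115.49", "198.51.100.7"),    # priv -> public
    ("172.17.1.10", "198.51.100.7"),       # dmz -> public (dmz lists no outbound)
]


def evaluate(zones, sessions=SAMPLE_SESSIONS, service="intra_HTTP"):
    """Run every sample session through check_session.
    Returns a list of (client, server, permitted, reason) tuples."""
    return [(c, s) + check_session(zones, service, c, s) for c, s in sessions]


if __name__ == "__main__":
    for label, zones in (("posted", POSTED_ZONES), ("dmz allowed", DMZ_ALLOWED_ZONES)):
        print("== %s policy ==" % label)
        for client, server, ok, reason in evaluate(zones):
            print("%-16s -> %-16s %s" % (client, server, reason))
```

With the posted zones, the first session reproduces the log's "Inbound service not permitted; service='intra_HTTP', zone='priv'": the server address 192.168.115.9 falls into priv, which lists nothing inbound. Note that in the posted log that server address is the listener's own address (server_address equals client_local), so the check fires on the proxy's connection back to itself.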