[zorp] Python and Policy

Balazs Scheidler zorp@lists.balabit.hu
Sun, 24 Oct 2004 11:00:37 +0200 

On Fri, 2004-10-22 at 21:33, Phil Moors wrote:
> I'm seeing 'import site failed' messages in the log when using zorpctl
> to start an instance. I only have one version of python installed
> (2.2.3). The zorp python lib seem to be found okay and the instance does
> start. 
> 
> Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Starting up;
> verbose_level='100', version='2.1.8'
> Oct 22 15:09:10 fw1 intra[6793]: (Log thread): thread starting;
> Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): System dependant
> init; sysdep_tproxy='1'
> Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Start to listen;
> fd='11'
> Oct 22 15:09:10 fw1 intra[6796]: (conntrack/thread): thread starting;
> Oct 22 15:09:10 fw1 intra[6791]: zorp version 2.1.8 starting up
> Oct 22 15:09:10 fw1 intra[6793]: (Log thread): 'import site' failed; use
> -v for traceback
> Oct 22 15:09:10 fw1 intra[6793]: (Log thread): 'import site' failed; use
> -v for traceback
> Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Zone(intra):
> outbound service=intra_HTTP
> Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Zone(dmz): inbound
> service=intra_HTTP
> Oct 22 15:09:10 fw1 intra[6791]: (noname/nosession): Zone(inter):
> inbound service=intra_HTTP
> Oct 22 15:09:10 fw1 intra[6791]: (intra@zorp): Dispatcher on address;
> proto='1', local='AF_INET(192.168.115.45:50080)', prio='100'
> Oct 22 15:09:10 fw1 intra[6791]: (intra@zorp/nosession): Start to
> listen; fd='14'

site is an internal Python module, that it always tries to import when
you start the Python interpreter. It should be somewhere on your
PYTHONPATH. If you don't have one, you can create an empty site.py in
/etc/zorp.

> 
> When I send an http request out, I get the, 'There was a problem
> connecting to the host you specified' message returned. This is a very
> simple policy (further below). The log reports, 'Inbound service not
> permitted'. When setting an outbound policy, is the return connection
> automatically allowed?

Yes, as Zorp is a proxy based firewall, you only have one (the
initiating) direction.

Inbound service not permitted means that the service was not permitted
into the zone where the server resides.

Looking at your policy and the logfile you sent me, it looks like Zorp
has some problems autodetecting your tproxy setup (sysdep_tproxy value
is 1), as it sees the listener address as the original destination
address:

> 
> Oct 22 15:29:38 fw2 priv[8970]: (priv@zorp/intra_HTTP:0): Starting proxy
> instance; client_fd='15',
> client_address='AF_INET(192.168.115.49:36435)', client_zone='Zone(priv,
> 192.168.0.0/16)', client_local='AF_INET(192.168.115.9:50080)'

				^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Probably it cannot bind to the autobind-IP you specified, which probably
means that you don't have the dummy interface configured.

client_local is the transparent destination if everything is OK. The
rest is a consequence, the server address (as Zorp knows it) is
192.168.115.9, which is in Zone 'priv', where you don't permit the HTTP
service.


-- 
Bazsi