[zorp] kzorp -e help

Szilárd Pfeiffer szilard.pfeiffer at balabit.com
Tue Feb 28 17:18:42 CET 2012


On Mon, 2012-02-27 at 23:03 -0500, David Yerger wrote: 

> Trying to migrate from zorp GPL 3.1.15 to 3.9.3, following the guide at
> http://siposg.blogs.balabit.com/2012/01/howto-install-zorp-3-9-2-on-debi
> an-squeeze/ mostly, with the virtual machine as an example for rc.local
> and /etc/iptables/rules.
> 
> 1. Is kzorp supported on Zorp GPL now?

Yes, it is (in 3.9.x). NDimension dispatcher works only with KZorp.


> 
> 2. My reverse proxy doesn't seem to be passing traffic.  Don't see
> anything in the logs except accounting info, even after cranking the
> verbosity up.  When I test my policy.py with kzorp -e, having
> (among other things)


Does the client target the external address of the firewall or the real
address of the server?
Is 'eth1' the external interface of the firewall?

Regards,
Szilárd


> 
> InetZone("intra", "<internal network>/16",
>         outbound_services=[],
>         inbound_services=["INhttp", etc.])
> 
> InetZone("local", "127.0.0.0/8",
>         inbound_services=["*"],
>         outbound_services=[])
> 
> InetZone("inter", "0.0.0.0/0",
>         inbound_services=[],
>         outbound_services=["INhttp", etc.])
> 
> InetZone(name="server",
>         addr=["<internal address>/32", ],
>         inbound_services=["*"],
>         outbound_services=["*"],
>         admin_parent="intra"
>         )
> 
> 
> def Zhttp():
>         Service(name="INhttp",
>                 proxy_class=INhttp,
>                 router=DirectedRouter(SockAddrInet("<internal address>", 80))
>         )
>         #Listener(SockAddrInet("<external address>", 50080), "INhttp")
>         NDimensionDispatcher(bindto=DBSockAddr(SockAddrInet('<external address>', 50080), ZD_PROTO_TCP), transparent=TRUE,
>                 rules=(
>                         {
>                         'iface'    : "eth1",
>                         'proto'    : socket.IPPROTO_TCP,
>                         'dst_port' : 80,
>                         'src_zone' : ('inter', ),
>                         'dst_zone' : ('server', ),
>                         'service'  : 'INhttp'
>                         }
>                 )
>         )
> class INhttp(HttpProxy):
>         def config(self):
>                 HttpProxy.config(self)
> 
> I get
> 
> # kzorp -e tcp <outside client IP> 5000 <external interface> 50080
> <external interface> 
> Evaluating ... on eth1
> Client zone: inter
> Server zone: inter
> Service: not found
> Dispatcher: not found
> 
> # kzorp -e tcp <outside client IP> 5000 <external interface> 80
> <external interface> 
> Evaluating ... on eth1
> Client zone: inter
> Server zone: inter
> Service: not found
> Dispatcher: not found
> 
> But when I try one of my services having the old Listener syntax I get
> 
> # kzorp -e tcp <outside client IP> 5000 <external interface> 443
> <external interface> 
> Evaluating ... on eth1
> Client zone: inter
> Server zone: inter
> Service: not found
> Dispatcher: not found
> 
> But:
> 
> root at owa:/etc/zorp# kzorp -e tcp <outside client IP> 5000 <external
> address> 50443 eth1
> evaluating <outside client IP>:5000 -> <external address>:50443 on eth1
> Client zone: inter
> Server zone: inter
> Service: INhttps
> Dispatcher: SA(proto=1,addr=AF_INET(<external address>:50443))
> 
> Not sure if the Server zone is right.  Shouldn't it be 'server' or
> 'intra'?
> 
> Also, it seems like kzorp can't find the service and dispatcher unless 
> 
> A. You give it the proxy port not the outside port?
> B. It wants the old Listener syntax?
> 
> If I try to connect to the proxy port (:50080), I get in the logs
> 
> ...Transparent listener connected directly, dropping connection;
> 
> Which is reasonable enough.  Seems like it would work if kzorp was
> feeding it properly.  So what did I do wrong?
> 
> Thanks
> 
> David 
> _______________________________________________
> zorp mailing list
> zorp at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/zorp
> 



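The question in the reply above (does the client target the firewall's external address or the real server?) is the crux of the quoted kzorp -e output: the dispatcher rule is keyed on dst_zone 'server', which is the internal address /32, while every test in the quoted mail used the firewall's <external address> as destination, and that address falls only into 'inter' (0.0.0.0/0). The toy model below is an added illustration, not kzorp's or Zorp's own code; it reproduces the zone lookup and the five-dimension rule match with the quoted policy's zones and rule, using constructed RFC 5737/1918 sample addresses in place of the placeholders. Longest-prefix zone selection and admin_parent inheritance in zone matching are assumptions of this model, not claims about kzorp's internals.

```python
import ipaddress
import socket
from dataclasses import dataclass


@dataclass
class Zone:
    """Zone as in the quoted policy.py: a name, its networks and an admin parent."""
    name: str
    networks: list
    admin_parent: str = None


# Constructed sample values standing in for the placeholders in the quoted mail.
EXTERNAL_ADDR = "203.0.113.5"    # firewall's external (eth1) address
SERVER_ADDR = "10.0.1.10"        # the real web server behind the firewall
CLIENT_ADDR = "198.51.100.77"    # an outside client

ZONES = [
    Zone("intra", [ipaddress.ip_network("10.0.0.0/16")]),
    Zone("local", [ipaddress.ip_network("127.0.0.0/8")]),
    Zone("inter", [ipaddress.ip_network("0.0.0.0/0")]),
    Zone("server", [ipaddress.ip_network(SERVER_ADDR + "/32")], admin_parent="intra"),
]
ZONES_BY_NAME = {z.name: z for z in ZONES}

# The single rule from the quoted NDimensionDispatcher, minus the Zorp objects.
RULES = [
    {
        "iface": "eth1",
        "proto": socket.IPPROTO_TCP,
        "dst_port": 80,
        "src_zone": ("inter",),
        "dst_zone": ("server",),
        "service": "INhttp",
    },
]


def lookup_zone(addr):
    """Return the most specific (longest prefix) zone containing addr, or None.
    Longest-prefix selection is an assumption of this model."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for zone in ZONES:
        for net in zone.networks:
            if ip in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best


def zone_matches(zone, wanted):
    """A zone dimension matches if the zone itself or one of its admin
    ancestors is listed (inheritance via admin_parent is an assumption here)."""
    while zone is not None:
        if zone.name in wanted:
            return True
        zone = ZONES_BY_NAME.get(zone.admin_parent)
    return False


def evaluate(proto, src, sport, dst, dport, iface):
    """Mimic `kzorp -e <proto> <src> <sport> <dst> <dport> <iface>`:
    classify both endpoints into zones, then find the first rule whose
    specified dimensions all hold for this flow."""
    proto_num = {"tcp": socket.IPPROTO_TCP, "udp": socket.IPPROTO_UDP}[proto]
    src_zone = lookup_zone(src)
    dst_zone = lookup_zone(dst)
    result = {
        "client_zone": src_zone.name if src_zone else None,
        "server_zone": dst_zone.name if dst_zone else None,
        "service": None,
    }
    for rule in RULES:
        # A dimension absent from the rule is a wildcard.
        if rule.get("iface", iface) != iface:
            continue
        if rule.get("proto", proto_num) != proto_num:
            continue
        if rule.get("dst_port", dport) != dport:
            continue
        if "src_zone" in rule and not zone_matches(src_zone, rule["src_zone"]):
            continue
        if "dst_zone" in rule and not zone_matches(dst_zone, rule["dst_zone"]):
            continue
        result["service"] = rule["service"]
        break
    return result


if __name__ == "__main__":
    # Destination = firewall's external address: server zone 'inter', no rule hit.
    print(evaluate("tcp", CLIENT_ADDR, 5000, EXTERNAL_ADDR, 80, "eth1"))
    # Destination = the real server (what a transparent client actually dials).
    print(evaluate("tcp", CLIENT_ADDR, 5000, SERVER_ADDR, 80, "eth1"))
```

Run as is, the first evaluation ends with server zone 'inter' and no service, matching the "Service: not found" lines quoted above; the second, with the server's own address as destination on port 80, lands in zone 'server' and picks INhttp. The proxy's bind port (50080) never appears in the rule, so testing against it cannot match either.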

