Creating an example policy

In this section we define a sample policy for a fictitious company. The company has the following network infrastructure:

The leased lines are connected to the external interface of our firewall; the intranet and the DMZ are each connected to the firewall on a dedicated interface of their own.

FIXME: figure

Basis of access control: Zones

You need to describe your firewall's environment by defining the zones that surround it.

Example 3-6. Zone definition

from Zorp.Core import *

# Address ranges are given in CIDR notation; "*" in a service list matches every service.
InetZone('intranet', '192.168.1.0/24',
         inbound_services=["*"],
         outbound_services=["*"])

InetZone('DMZ', '192.168.0.0/24',
         inbound_services=["*"],
         outbound_services=["*"])

# 0.0.0.0/0 covers every address, so this zone catches everything that is
# not already matched by the more specific intranet and DMZ zones.
InetZone('internet', '0.0.0.0/0',
         inbound_services=["*"],
         outbound_services=["*"])

In the example above we defined three zones: intranet, covering 192.168.1.0/24; DMZ, covering 192.168.0.0/24; and internet, covering 0.0.0.0/0 (every remaining address).

For now we allow all inbound and outbound services by using an asterisk (an asterisk matches every service). To allow only specific services, list them by their full service names instead. Note that a zone with "*" in both lists places no restriction at all on which services may be used to or from it, so the asterisks should be replaced once the real services are known.

Providing an init() function

init() is called by the Zorp core after the policy file has been parsed. This function is responsible for setting up services and starting listeners.

The init() function receives a single argument, name, containing the name of the running instance (set with the --as command line option, or by zorpctl).

If you don't provide an init() function yourself, the default one is used: it calls the function named after the instance. So if you run an instance named intra_http without providing init(), the function intra_http() is called and is expected to initialize that instance correctly. If no such function exists, an exception is raised.

If you run several instances from the same policy file, it is recommended to rely on the default init() function provided by Zorp, so that each instance runs only the initialization function that carries its own name.

Defining a service

A service is something Zorp provides to clients: when a connection is accepted, an instance of the service is started for it.

Example 3-7. Creating a service

def init(name):
    # Service(service name, chainer, proxy class)
    Service("intra_http",
            InbandChainer(),
            HttpProxy)

The service definition above creates a service whose ID is intra_http, which uses an InbandChainer and launches an HttpProxy for each accepted connection. InbandChainer takes the destination address from the proxied protocol itself (for HTTP, the server named in the request) rather than from the original connection.

Setting up a Listener

A listener is responsible for listening on a given address and starting a service when a connection is accepted.

Example 3-8. Setting up a Listener

# bind to the intranet interface; "intra_http" names the service started for each connection
Listener(SockAddrInet('192.168.1.1', 50080), "intra_http")

The example above sets up a Listener that listens on 192.168.1.1:50080 and starts our intra_http service when a connection is accepted.
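The zones of Example 3-6, the service of Example 3-7 and the listener of Example 3-8 together decide whether a connection is served. The following model, added here as an illustration and not Zorp's own code, re-creates those names in plain Python so the checks can be exercised without a firewall. Two behaviours are assumptions rather than statements from this page: an address belongs to the zone with the longest matching prefix, and a service may start only if the client's zone lists it (or "*") under outbound_services and the server's zone lists it (or "*") under inbound_services. The server addresses and the second service dmz_http are constructed for the example.

```python
"""
Zone access control from Examples 3-6 to 3-8, modelled in plain Python.

Added illustration, not Zorp's own implementation. Assumptions (not stated
on the page): most specific zone wins for an address, and a service runs
only if the client zone permits it outbound and the server zone inbound.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    network: ipaddress.IPv4Network
    inbound_services: frozenset
    outbound_services: frozenset


def make_zone(name, cidr, inbound_services=(), outbound_services=()):
    """Mirror of the InetZone(...) call; "*" in a list matches every service."""
    return Zone(name, ipaddress.ip_network(cidr),
                frozenset(inbound_services), frozenset(outbound_services))


def permits(service_list, service):
    return "*" in service_list or service in service_list


def lookup_zone(zones, address):
    """Most specific zone wins (assumption): 192.168.1.0/24 beats 0.0.0.0/0."""
    addr = ipaddress.ip_address(address)
    matches = [z for z in zones if addr in z.network]
    if not matches:
        return None
    return max(matches, key=lambda z: z.network.prefixlen)


def service_allowed(zones, service, client_ip, server_ip):
    """Return (allowed, reason) for client_ip -> server_ip through service."""
    client_zone = lookup_zone(zones, client_ip)
    server_zone = lookup_zone(zones, server_ip)
    if client_zone is None or server_zone is None:
        return False, "address outside every zone"
    if not permits(client_zone.outbound_services, service):
        return False, "%s is not an outbound service of %s" % (service, client_zone.name)
    if not permits(server_zone.inbound_services, service):
        return False, "%s is not an inbound service of %s" % (service, server_zone.name)
    return True, "%s -> %s" % (client_zone.name, server_zone.name)


# Listener table from Example 3-8: (bind address, port) -> service name.
LISTENERS = {("192.168.1.1", 50080): "intra_http"}


def dispatch(zones, listeners, bind_addr, bind_port, client_ip, server_ip):
    """Find the service a listener would start, then apply the zone checks."""
    service = listeners.get((bind_addr, bind_port))
    if service is None:
        return False, "no listener on %s:%d" % (bind_addr, bind_port)
    return service_allowed(zones, service, client_ip, server_ip)


# Example 3-6 as written: "*" everywhere, so the zones constrain nothing.
PERMISSIVE_ZONES = [
    make_zone("intranet", "192.168.1.0/24", ["*"], ["*"]),
    make_zone("DMZ", "192.168.0.0/24", ["*"], ["*"]),
    make_zone("internet", "0.0.0.0/0", ["*"], ["*"]),
]

# Tightened zones using full service names. dmz_http is a hypothetical
# second service for intranet -> DMZ web traffic, not defined on the page.
TIGHT_ZONES = [
    make_zone("intranet", "192.168.1.0/24", [], ["intra_http", "dmz_http"]),
    make_zone("DMZ", "192.168.0.0/24", ["dmz_http"], []),
    make_zone("internet", "0.0.0.0/0", ["intra_http"], []),
]

if __name__ == "__main__":
    # Constructed addresses; 203.0.113.0/24 is documentation address space.
    for zones, label in ((PERMISSIVE_ZONES, "permissive"), (TIGHT_ZONES, "tight")):
        for client, server in (("192.168.1.42", "203.0.113.5"),
                               ("192.168.0.10", "203.0.113.5"),
                               ("192.168.1.42", "192.168.0.10")):
            ok, why = dispatch(zones, LISTENERS, "192.168.1.1", 50080, client, server)
            print("%-10s %s -> %s: %s (%s)" % (label, client, server, ok, why))
```

With the permissive zones every combination is accepted. With the tightened zones a DMZ host can no longer start intra_http, and an intranet client that names a DMZ server in its HTTP request (the destination an InbandChainer would follow) is refused because intra_http is not an inbound service of the DMZ zone; only dmz_http reaches the DMZ.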

Customizing proxies

You can extend the functionality of a given proxy by deriving a custom proxy class from the original proxy class and overriding its config() method.

Example 3-9. Customizing proxy classes

from Zorp.Http import *

class MyHttp(HttpProxy):

    def config(self):
        # take the default HttpProxy settings first, then adjust them
        HttpProxy.config(self)
        # non-transparent mode: clients must be configured to use the proxy explicitly
        self.transparent_mode = FALSE
        # add PUT to the set of permitted request methods
        self.request["PUT"] = (HTTP_PASS,)

The example above creates a new proxy class named MyHttp, derived from HttpProxy and overriding its config() method. The override first calls HttpProxy.config() to keep the default settings and then changes two of them. To use the customized proxy, pass MyHttp instead of HttpProxy as the proxy class when defining a service.