Appendix A. Example policy

from Zorp.Zorp import *
from Zorp import Zorp
from Zorp.Zone import InetZone
from Zorp.Service import Service
from Zorp.SockAddr import SockAddrInet
from Zorp.Chainer import TransparentChainer, DirectedChainer, \
                         InbandChainer, FailoverChainer
from Zorp.Plug import PlugProxy
from Zorp import Http
from Zorp.Http import HttpProxy
from Zorp.Ftp import FtpProxyAllow
from Zorp.Listener import Listener

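# Identifier assigned to this firewall instance.
Zorp.firewall_name = 'fw@fiktiv'

# Zone definitions. Each zone lists the services that may be started from it
# (outbound_services) and the services that may be started towards it
# (inbound_services). Service names below follow a <source><destination>
# prefix: B = intranet, D = DMZ, I = internet (e.g. "BDSsh" is listed as
# outbound for the intranet and inbound for the DMZ).

# Intranet: may reach the internet and the DMZ; the empty inbound list means
# no service is allowed to be initiated towards the intranet.
InetZone('intranet', '192.168.1.0/24',
        outbound_services=["BIHttp", "BIFtp", "BIPop",
                           "BDHttp", "BDFtp", "BDSsh"],
        inbound_services=[])

# DMZ: reachable from the intranet (HTTP, FTP, SSH) and from the internet
# (HTTP, FTP only); may itself start HTTP and FTP towards the internet.
InetZone('DMZ', '192.168.0.0/24',
        outbound_services=["DIHttp", "DIFtp"],
        inbound_services=["BDHttp", "BDFtp", "BDSsh",
                          "IDHttp", "IDFtp"])

# Internet: catch-all 0.0.0.0/0 zone. From here only the two DMZ-facing
# services may be started.
InetZone('internet', '0.0.0.0/0',
        outbound_services=["IDHttp", "IDFtp"],
        inbound_services=["BIHttp", "BIFtp", "BIPop",
                          "DIHttp", "DIFtp"])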


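class BIHttp(Http.HttpProxy):
    """HTTP proxy for intranet -> internet traffic.

    Runs in non-transparent mode, drops POST requests and overwrites the
    User-Agent header so the client software is not disclosed upstream.
    """

    def config(self):
        """Apply the base HTTP configuration, then the local restrictions."""
        HttpProxy.config(self)
        self.transparent_mode = 0
        # NOTE(review): the parentheses do not create a tuple here; confirm
        # that a bare constant is the form this request table expects.
        self.request["POST"] = (Http.HTTP_DROP)
        # Replace whatever User-Agent the client sent with a fixed value.
        self.request_headers["User-Agent"] = \
            [Http.HTTP_CHANGE_VALUE, "Lynx/2.8.3rel.1"]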


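class BIFtp(FtpProxyAllow):
    """FTP proxy for intranet -> internet traffic."""

    def config(self):
        """Apply the base FTP configuration and set the firewall addresses."""
        # Call the direct base class: FtpProxy is not among the names this
        # file imports explicitly, and going through FtpProxyAllow keeps
        # whatever that class configures from being skipped.
        FtpProxyAllow.config(self)
        # Firewall addresses on the server side and on the client side;
        # these are the addresses the listeners bind to on the internet
        # and intranet interfaces respectively.
        self.fw_server_data.ip_s = "10.9.8.7"
        self.fw_client_data.ip_s = "192.168.1.1"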

class BIPop(PlugProxy):
    """Plug proxy carrying POP traffic from the intranet to the internet.

    PlugProxy relays the byte stream without analysing the protocol, so
    this service provides no POP-level filtering.
    """

    def config(self):
        """Keep the PlugProxy defaults; nothing is customised."""

class BDHttp(HttpProxy):
    """HTTP proxy for intranet -> DMZ traffic, run in transparent mode."""

    def config(self):
        """Apply the base HTTP configuration, then enable transparent mode."""
        # Base configuration first, so the override below is not reset by it.
        HttpProxy.config(self)
        self.transparent_mode = 1

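class BDFtp(FtpProxyAllow):
    """FTP proxy for intranet -> DMZ traffic."""

    def config(self):
        """Apply the base FTP configuration and set the firewall addresses."""
        # Call the direct base class: FtpProxy is not among the names this
        # file imports explicitly, and going through FtpProxyAllow keeps
        # whatever that class configures from being skipped.
        FtpProxyAllow.config(self)
        # Server side faces the DMZ, client side faces the intranet.
        self.fw_server_data.ip_s = "192.168.0.1"
        self.fw_client_data.ip_s = "192.168.1.1"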

class BDSsh(PlugProxy):
    """Plug proxy carrying SSH traffic from the intranet to the DMZ.

    PlugProxy relays the byte stream without analysing the protocol; access
    control for this service rests on the zone lists and the listener.
    """

    def config(self):
        """Keep the PlugProxy defaults; nothing is customised."""

class IDHttp(HttpProxy):
    """HTTP proxy for internet -> DMZ traffic, run in non-transparent mode."""

    def config(self):
        """Apply the base HTTP configuration, then disable transparent mode."""
        # Base configuration first, so the override below is not reset by it.
        HttpProxy.config(self)
        self.transparent_mode = 0
        
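class IDFtp(FtpProxyAllow):
    """FTP proxy for internet -> DMZ traffic, limited to anonymous logins."""

    def config(self):
        """Apply the base FTP configuration and set the firewall addresses."""
        # Call the direct base class: FtpProxy is not among the names this
        # file imports explicitly, and going through FtpProxyAllow keeps
        # whatever that class configures from being skipped.
        FtpProxyAllow.config(self)
        # Server side faces the DMZ, client side faces the internet.
        self.fw_server_data.ip_s = "192.168.0.1"
        self.fw_client_data.ip_s = "10.9.8.7"

    def user(self, dir, uname):
        """Decide whether the FTP user name *uname* may log in.

        Only the two conventional anonymous account names are accepted, so
        named accounts on the DMZ server cannot be used from the internet.
        The comparison is exact and case-sensitive. *dir* is not consulted.

        Returns Z_ACCEPT for "ftp" or "anonymous", Z_REJECT otherwise.
        """
        if uname in ("ftp", "anonymous"):
            return Z_ACCEPT
        # Default deny: anything that is not explicitly listed is refused.
        return Z_REJECT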

class DIHttp(PlugProxy):
    """Plug proxy carrying HTTP traffic from the DMZ to the internet.

    PlugProxy relays the byte stream without analysing the protocol, so
    unlike the HttpProxy-based services in this policy, no request or
    header filtering is applied to DMZ-originated HTTP.
    NOTE(review): confirm that uninspected outbound HTTP from the DMZ is
    intended.
    """

    def config(self):
        """Keep the PlugProxy defaults; nothing is customised."""

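class DIFtp(FtpProxyAllow):
    """FTP proxy for DMZ -> internet traffic."""

    def config(self):
        """Apply the base FTP configuration and set the firewall addresses."""
        # Call the direct base class: FtpProxy is not among the names this
        # file imports explicitly, and going through FtpProxyAllow keeps
        # whatever that class configures from being skipped.
        FtpProxyAllow.config(self)
        # Client side faces the DMZ, server side faces the internet.
        self.fw_client_data.ip_s = "192.168.0.1"
        self.fw_server_data.ip_s = "10.9.8.7"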

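def init(name):
    """Create the services of this policy and bind them to listeners.

    Each Service ties a service name (the same string used in the zone
    definitions) to a chainer, which selects the server-side destination,
    and to the proxy class that handles the connection. Each Listener then
    binds one service to a firewall address and port.

    *name* is accepted for the caller's benefit and is not used here.
    """

    # --- intranet -> internet -------------------------------------------
    # Non-transparent HTTP proxy: the destination comes from the request
    # itself (in-band), not from the original packet destination.
    BIHttp_service = Service("BIHttp", InbandChainer(), BIHttp)
    BIFtp_service = Service("BIFtp", TransparentChainer(), BIFtp)
    BIPop_service = Service("BIPop", TransparentChainer(), BIPop)

    # --- intranet -> DMZ ------------------------------------------------
    BDHttp_service = Service("BDHttp", TransparentChainer(), BDHttp)
    BDFtp_service = Service("BDFtp", TransparentChainer(), BDFtp)
    BDSsh_service = Service("BDSsh", TransparentChainer(), BDSsh)

    # --- internet -> DMZ ------------------------------------------------
    # Directed chainers pin the destination to one fixed DMZ server, so an
    # internet client cannot choose which internal host it reaches.
    IDHttp_service = Service("IDHttp",
                             DirectedChainer(SockAddrInet("192.168.0.2", 80)),
                             IDHttp)
    IDFtp_service = Service("IDFtp",
                            DirectedChainer(SockAddrInet("192.168.0.3", 21)),
                            IDFtp)

    # --- DMZ -> internet ------------------------------------------------
    DIHttp_service = Service("DIHttp", TransparentChainer(), DIHttp)
    DIFtp_service = Service("DIFtp", TransparentChainer(), DIFtp)

    # Listeners on the intranet-side address.
    Listener(SockAddrInet("192.168.1.1", 3128), BIHttp_service)
    Listener(SockAddrInet("192.168.1.1", 2021), BIFtp_service)
    Listener(SockAddrInet("192.168.1.1", 2110), BIPop_service)
    Listener(SockAddrInet("192.168.1.1", 3080), BDHttp_service)
    Listener(SockAddrInet("192.168.1.1", 3021), BDFtp_service)
    Listener(SockAddrInet("192.168.1.1", 3022), BDSsh_service)
    # Listeners on the internet-side address (published DMZ services).
    Listener(SockAddrInet("10.9.8.7", 80), IDHttp_service)
    Listener(SockAddrInet("10.9.8.7", 21), IDFtp_service)
    # Listeners on the DMZ-side address.
    Listener(SockAddrInet("192.168.0.1", 80), DIHttp_service)
    Listener(SockAddrInet("192.168.0.1", 21), DIFtp_service)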