In this section we define a sample policy for a fictitious company. The company has the following network infrastructure:
- an intranet with non-routable IP addresses (192.168.1.0/24)
- a DMZ with non-routable IP addresses, providing HTTP and FTP service to outside hosts (192.168.0.0/24)
- Internet access over a leased line, with the external IP address 10.9.8.7 (I know it's also non-routable; it's just for the sake of the example)
FIXME: figure
You'll need to describe your firewall's environment by defining the zones that surround your firewall.
Example 3-6. Zone definition
    InetZone('intranet', '192.168.1.0/24', inbound_services=["*"], outbound_services=["*"])
    InetZone('DMZ', '192.168.0.0/24', inbound_services=["*"], outbound_services=["*"])
    InetZone('internet', '0.0.0.0/0', inbound_services=["*"], outbound_services=["*"])
For now we allow all inbound and outbound services using the asterisk (an asterisk matches all services); if you want to allow only specific services, you need to list them by their full names.
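To show what these zone lists actually decide, here is an added stand-alone model (not Zorp's own code) of the zone lookup and the per-zone service check: a connection is accepted only if the service is in the client zone's outbound_services and in the server zone's inbound_services, with "*" matching every service. The tightened DMZ/internet lists and the service names dmz_http and dmz_ftp are constructed for this example; the longest-prefix zone lookup is this model's assumption.

```python
import ipaddress


class Zone:
    """Model of an InetZone: a network plus the services allowed in and out."""

    def __init__(self, name, network, inbound_services=(), outbound_services=()):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.inbound = set(inbound_services)
        self.outbound = set(outbound_services)

    @staticmethod
    def permits(allowed, service):
        # "*" matches all services; otherwise the full service name must be listed
        return "*" in allowed or service in allowed


# Constructed example: same networks as Example 3-6, but only the DMZ
# services may enter the DMZ and nothing may be initiated from it.
ZONES = [
    Zone("intranet", "192.168.1.0/24", inbound_services=["*"], outbound_services=["*"]),
    Zone("DMZ", "192.168.0.0/24", inbound_services=["dmz_http", "dmz_ftp"], outbound_services=[]),
    Zone("internet", "0.0.0.0/0", inbound_services=["*"], outbound_services=["dmz_http", "dmz_ftp"]),
]


def find_zone(addr):
    """Return the most specific zone containing addr; 0.0.0.0/0 acts as the fallback."""
    ip = ipaddress.ip_address(addr)
    matches = [z for z in ZONES if ip in z.network]
    if not matches:
        return None
    return max(matches, key=lambda z: z.network.prefixlen)


def connection_allowed(client_addr, server_addr, service):
    """True only if the client zone lets the service out and the server zone lets it in."""
    client_zone = find_zone(client_addr)
    server_zone = find_zone(server_addr)
    if client_zone is None or server_zone is None:
        return False  # an address outside every zone is denied
    return (Zone.permits(client_zone.outbound, service)
            and Zone.permits(server_zone.inbound, service))
```

With the all-asterisk lists from Example 3-6 every call would return True, which is why narrowing the lists per zone is the first thing to do once the policy works.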
init() is called by the Zorp core after the policy file has been parsed. It is the responsibility of this function to set up services and start listeners.
This init function receives a single argument, name, containing the name of this instance (which can be set with the --as command line argument or using zorpctl).
If you don't provide an init function yourself, the default one is used, which tries to call the function named after the instance. So if you have an instance named intra_http and don't provide an init() function, the function intra_http() is called and is expected to correctly initialize the instance. If this function is not found, an exception is raised.
If you run several instances using the same policy file, it is suggested that you use the default init function provided by Zorp.
A service is something Zorp provides to clients. When a connection is accepted, a service instance is started.
Example 3-7. Creating a service
    def init():
        # the service is started by the Listener below whenever a connection is accepted
        Service("intra_http", InbandChainer(), HttpProxy)
A listener is responsible for listening on the given address and starting a service when a connection is accepted.
Example 3-8. Setting up a Listener
    Listener(SockAddrInet('192.168.1.1', 50080), "intra_http")
You can extend the functionality of a given proxy by creating a custom proxy class derived from the original proxy class.
Example 3-9. Customizing proxy classes
    class MyHttp(HttpProxy):
        def config(self):
            # keep the parent's defaults, then override the settings we need
            HttpProxy.config(self)
            self.transparent_mode = FALSE
            self.request["PUT"] = (HTTP_PASS,)