10.10. PNS configuration

The networking configuration of the firewall, which covers IP addresses, hostnames, and resolver settings, rarely changes. The daily administration of the firewall, however, frequently requires changes to the actual ruleset. For more information on this process, see section Creating PNS Policies.

Basically, the process can be divided into the following two main parts.

  1. Configuring the necessary service definition(s).

  2. Creating the matching packet filter ruleset, that is, generating a skeleton.

The latter procedure, manipulating the packet filter, is detailed in section Packet filter, above. This section shows how to edit a service definition locally.

The key configuration files are stored in the /etc/zorp directory. The following files play the most important roles in the configuration.

  • policy.py

    containing complete service definitions

  • instances.conf

    listing the instances used in the firewall together with their parameters

Tip

In the default installation of PNS there are two commented sample files, policy.py.sample and instances.conf.sample, that can help you get started with configuration.

To learn command-line policy management, it is a good idea to first use MC to generate test policies graphically and then to inspect the generated policy files through a terminal connection.

For background information on the possible contents of these files, see Chapter 6, Managing network traffic with PNS.

The configuration of PNS is based on the Python programming language: the configuration file (policy.py) is itself a Python module. This does not mean, however, that you have to learn Python; knowing the syntax of the language and a few semantic elements is sufficient. Though the configuration file may not look like a complete Python module, it is important to know that it is parsed as one, so the following syntactical requirements of Python apply:

Indentation is significant: it marks the beginning and the extent of a block, as curly braces ('{}') do in C/C++/C#/Java. This means that the indentation within a given block must be consistent. The example below shows correct syntax first, followed by incorrect syntax.

Correct:

if self.request_url == 'http://www.balasys.hu/':
  print ('debug message')
  return HTTP_REQ_ACCEPT
return HTTP_REQ_REJECT

Incorrect:

if self.request_url == 'http://www.balasys.hu/':
   print ('debug message')
  return HTTP_REQ_ACCEPT
return HTTP_REQ_REJECT

Getting used to correct indentation is probably the most important Python task for a beginner, especially if you have not done any C or C-like programming before. Indentation is the only way to separate blocks of code in Python, since there are no Begin and End statements or curly braces. Otherwise, the language itself is quite simple and easy to learn. Note that Python is case-sensitive.
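Because policy.py is parsed as a real Python module, an indentation mistake like the one above stops the whole policy from loading. As an added example (not part of the PNS documentation or of Zorp itself), the script below compiles a policy source without executing it and reports the first syntax or indentation error with its line number; the two fragments from above are embedded, wrapped in an assumed HttpProxy subclass and method name so that they form a complete module.

```python
import ast

# Constructed from the indentation example above. The class and method names
# (MyHttp, filterURL) are assumptions used only to make the fragments parse.
CORRECT_POLICY = """\
class MyHttp(HttpProxy):
    def filterURL(self, method, url, version):
        if self.request_url == 'http://www.balasys.hu/':
            print('debug message')
            return HTTP_REQ_ACCEPT
        return HTTP_REQ_REJECT
"""

# Same fragment with the inconsistent indentation shown in the incorrect example:
# the return statement is dedented to a level no enclosing block uses.
INCORRECT_POLICY = """\
class MyHttp(HttpProxy):
    def filterURL(self, method, url, version):
        if self.request_url == 'http://www.balasys.hu/':
             print('debug message')
            return HTTP_REQ_ACCEPT
        return HTTP_REQ_REJECT
"""


def check_policy_source(source, filename="policy.py"):
    """Parse a policy module without running it.

    Returns (True, None) when the source is valid Python, otherwise
    (False, message) naming the file, line and error type of the first
    problem. IndentationError and TabError are subclasses of SyntaxError,
    so inconsistent indentation is caught here as well. Names such as
    HttpProxy or HTTP_REQ_ACCEPT are not resolved by ast.parse, so no Zorp
    modules are needed for this check.
    """
    try:
        ast.parse(source, filename=filename)
    except SyntaxError as exc:
        return False, f"{filename}:{exc.lineno}: {type(exc).__name__}: {exc.msg}"
    return True, None


def check_policy_file(path):
    """Convenience wrapper: check an on-disk policy file, e.g. /etc/zorp/policy.py."""
    with open(path, encoding="utf-8") as fh:
        return check_policy_source(fh.read(), filename=path)


if __name__ == "__main__":
    for label, src in (("correct", CORRECT_POLICY), ("incorrect", INCORRECT_POLICY)):
        ok, msg = check_policy_source(src)
        print(f"{label}: {'OK' if ok else msg}")
```

Running the check before reloading an instance turns a failed policy load into a precise error message pointing at the offending line.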

For more information on Python, see Appendix C, Further readings.