5.18. Module Zone

This module defines the Zone class.

Zones are the basis of access control in Zorp. A zone consists of a set of IP addresses, address ranges, or subnet. For example, a zone can contain an IPv4 or IPv6 subnet.

Zones are organized into a hierarchy created by the Zorp administrator. Child zones inherit the security attributes (set of permitted services etc.) from their parents. The administrative hierarchy often reflects the organization of the company, with zones assigned to the different departments.

When Zorp has to determine which zone a client belongs to, it selects the most specific zone containing the searched IP address. If an IP address belongs to two different zones, the most specific zone is selected.

Note

In earlier Zorp versions, zones had an option to stop child zones from inheriting parameters (umbrella zones). Starting from Zorp 3 F5, use DenyServices to achieve similar functionality.

Example 5.45. Finding IP networks

Suppose there are three zones configured: Zone_A containing the 10.0.0.0/8 network, Zone_B containing the 10.0.0.0/16 network, and Zone_C containing the 10.0.0.25 IP address. Searching for the 10.0.44.0 network returns Zone_B, because that is the most specific zone matching the searched IP address. Similarly, searching for 10.0.0.25 returns only Zone_C.

This approach is used in the service definitions as well: when a client sends a connection request, Zorp looks for the most specific zone containing the IP address of the client. Suppose that the clients in Zone_A are allowed to use HTTP. If a client with IP 10.0.0.50 (thus belonging to Zone_B) can only use HTTP if Zone_B is the child of Zone_A, or if a service definition explicitly permits Zone_B to use HTTP.

Example 5.46. Zone examples

The following example defines a simple zone hierarchy. The following zones are defined:

  • internet: This zone contains every possible IP addresses, if an IP address does not belong to another zone, than it belongs to the internet zone.

  • office: This zone contains the 192.168.1.0/32 and 192.168.2.0/32 networks.

  • management: This zone is separated from the office zone, because it contans an independent subnet 192.168.3.0/32 . But from the Zorp administrator's view, it is the child zone of the office zone, meaning that it can use (and accept) the same services as the office zone.

  • DMZ: This is a separate zone.

Zone('internet', ['0.0.0.0/0', '::0/0'])
Zone('office', ['192.168.1.0/32', '192.168.2.0/32'])
Zone('management', ['192.168.3.0/32'])
Zone('DMZ', ['10.50.0.0/32'])