10.10.1.1. Procedure – Edit the Policy.py file
Set the import statements.
The default-installed
policy.py.sample
file starts with the import statements:

from PNS.Core import *
from PNS.Plug import *
from PNS.Http import *
from PNS.Ftp import *

These statements import one or more required (Python) front-end modules into the configuration. PNS.Core is essential; the other three imports are included because the sample file references these three proxy classes.
Tip: A good way of learning policy.py is to create firewall policies in MC and then look at the resulting configuration files.
Provide the name of the firewall and the zone definitions, along with the access control defined for them, that is, the allowed outbound and inbound services.
Zone("site-net", ["192.168.1.0/24"])
Configure the classes used in service definitions.
These class definitions can be simple, in essence only naming the proxy class to derive from, like the IntraFtp class in the sample file:

class IntraFtp(FtpProxy):
    def config(self):
        FtpProxy.config(self)
Or, they can be rather complex, customizing the derived proxy class with attributes, as in the case of the IntraHttp class in the sample file:
# Let's define a transparent http proxy, which rewrites the
# user_agent header to something different.
#
class IntraHttp(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.transparent_mode = TRUE
        self.request_headers["User-Agent"] = (HTTP_HDR_CHANGE_VALUE, "Lynx/2.8.3rel.1")
        self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)
        # self.parent_proxy = "proxy.site.net"
        # self.parent_proxy_port = 3128
        # self.timeout = 60000
        # self.max_keepalive_requests = 10

    def filterURL(self, method, url, version):
        # return HTTP_REQ_REJECT here to reject this request
        # change self.request_url to redirect to another url
        # change connection_mode to HTTP_CONNECTION_CLOSE to
        # force kept-alive connections to close
        log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url))
        # a policy callback must return a verdict; accept the request unchanged
        return HTTP_REQ_ACCEPT
Define the instances to be used.
Besides its name, the most important characteristic of an instance is the list of services it provides. Therefore, define services within the instances:
# PNS_http instance
def PNS_http():
    # create services
    Service(name='intra_http', router=TransparentRouter(), chainer=ConnectChainer(),
            proxy_class=IntraHttp, max_instances=0, max_sessions=0,
            keepalive=V_KEEPALIVE_NONE)
    Service(name='intra_ftp', router=TransparentRouter(), chainer=ConnectChainer(),
            proxy_class=IntraFtp, max_instances=0, max_sessions=0,
            keepalive=V_KEEPALIVE_NONE)
    # firewall rules starting the services; service= must match the Service name above
    Rule(proto=6, dst_port=80, service='intra_http')
    Rule(proto=6, dst_port=21, service='intra_ftp')
Still within the instance definition code block, with correct indentation, specify the firewall rules that will start these services.
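The procedure above relies on three names agreeing: the proxy class named in Service(proxy_class=...), the Service name, and the service string given to Rule(). A rule that names a service which does not exist leaves the traffic it matches without a working service. The following added example (not part of the PNS documentation or the product's own code) is a stand-alone static check that parses a policy.py with Python's ast module, so it needs no PNS modules, and reports Rule entries that reference undefined services, Service entries whose proxy_class is not a class defined in the file, and services no rule ever starts. The embedded policy text is constructed for this example and deliberately contains one mismatched rule.

```python
"""Static consistency check for a PNS policy.py (added example, not PNS code).

Parses the policy with the ast module, so the PNS.* modules need not be
installed, and cross-checks Service/Rule/proxy_class names per instance.
"""
import ast

# Constructed sample policy (assumption: same structure as the sample file on
# this page; the Rule for port 80 intentionally names the class, not the service).
SAMPLE_POLICY = '''
from PNS.Core import *
from PNS.Plug import *
from PNS.Http import *
from PNS.Ftp import *

Zone("site-net", ["192.168.1.0/24"])

class IntraFtp(FtpProxy):
    def config(self):
        FtpProxy.config(self)

class IntraHttp(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.transparent_mode = TRUE

def PNS_http():
    Service(name='intra_http', router=TransparentRouter(), chainer=ConnectChainer(),
            proxy_class=IntraHttp, max_instances=0, max_sessions=0,
            keepalive=V_KEEPALIVE_NONE)
    Service(name='intra_ftp', router=TransparentRouter(), chainer=ConnectChainer(),
            proxy_class=IntraFtp, max_instances=0, max_sessions=0,
            keepalive=V_KEEPALIVE_NONE)
    Rule(proto=6, dst_port=80, service='IntraHttp')
    Rule(proto=6, dst_port=21, service='intra_ftp')
'''


def _keyword(call, name):
    """Return the AST node of keyword argument `name` of a Call, or None."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def check_policy(source):
    """Return a dict describing name mismatches found in the policy text.

    dangling_rules  : (instance, service) pairs where a Rule names a Service
                      that is not defined in the same instance function
    unknown_proxies : proxy_class identifiers that are not classes in the file
    unused_services : (instance, service) pairs never referenced by a Rule
    """
    tree = ast.parse(source)
    classes = {n.name for n in ast.walk(tree) if isinstance(n, ast.ClassDef)}
    problems = {"dangling_rules": [], "unknown_proxies": [], "unused_services": []}

    # Each top-level function is an instance definition (e.g. def PNS_http()).
    for func in tree.body:
        if not isinstance(func, ast.FunctionDef):
            continue
        services, rules = set(), set()
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
                continue
            if node.func.id == "Service":
                name = _keyword(node, "name")
                if isinstance(name, ast.Constant):
                    services.add(name.value)
                proxy = _keyword(node, "proxy_class")
                if isinstance(proxy, ast.Name) and proxy.id not in classes:
                    problems["unknown_proxies"].append(proxy.id)
            elif node.func.id == "Rule":
                svc = _keyword(node, "service")
                if isinstance(svc, ast.Constant):
                    rules.add(svc.value)
        for svc in sorted(rules - services):
            problems["dangling_rules"].append((func.name, svc))
        for svc in sorted(services - rules):
            problems["unused_services"].append((func.name, svc))
    return problems


if __name__ == "__main__":
    for kind, items in check_policy(SAMPLE_POLICY).items():
        print(kind, items)
```

Run it against a real policy.py by reading the file into check_policy() before loading the configuration; the check is purely syntactic, so it also catches the mismatch when the PNS runtime is not available on the machine doing the review.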
© 2021 BalaSys IT Security.
Send your comments to support@balasys.hu