In Zorp, packet filtering is handled by the kzorp kernel module, so packet filtering services are handled entirely at the kernel level. When Zorp starts, it sends all information about the traffic permitted to pass the gateway (that is, the list of configured services, zones, firewall rules, and so on) to the kzorp module.
Application-level services (also called proxy services) are handled on two levels:
The kzorp kernel module receives and accepts the connections.
All other functionality is performed by Zorp in the userspace.
For both service types, the kzorp kernel module makes the client-side access control (DAC) decision. Both service types can be configured from a uniform interface using ZMC.
Handling packet filtering in the kernel has the following important consequences:
Packet filtering rules can match on zones as well, not only on IP addresses.
Network Address Translation (NAT) is also available in the kernel, so NAT can be applied to packet filtering services as well. However, not every type of NatPolicy can be used with packet filtering services. For details, see Section 6.7.5, NAT policies.
The tproxy table of the iptables utility, which earlier Zorp versions used to perform transparent proxying, is empty: Zorp does not use it, but it remains available if rules need to be added manually.
Published on May 30, 2024
© BalaSys IT Ltd.