The networking configuration of the firewall, which involves IP addresses, hostnames, and resolver configuration, rarely changes. However, the daily administration of the firewall often requires changing the actual ruleset. For more information on this process, see section Creating Zorp Policies.
Basically, the process can be divided into the following two main parts:

1. Configuring the necessary service definition(s).
2. Creating the matching packet filter ruleset, that is, generating a skeleton.

The latter packet filter manipulation procedure is detailed in Section 10.9, Packet filter. This section shows how to edit a service definition locally.
The key configuration files needed are stored in the /etc/zorp directory. The following files play the most important roles in the configuration.

- policy.py: containing complete service definitions
- instances.conf: listing the instances used in the firewall together with their parameters

Tip |
---|
In the default installation of Zorp there are two commented sample files. To learn command-line policy management, it is advised to first use ZMC to graphically generate test policies and then to check the generated policy files through a terminal connection. |
For background information on the possible contents of these files, see Chapter 6, Managing network traffic with Zorp.
The configuration of Zorp is based on the Python programming language. The configuration file (policy.py) is a Python module in itself. This does not mean, however, that proficiency in Python is required: knowing the syntax of the language and a few semantic elements is sufficient. Though the configuration file may not seem like a complete Python module, it is important to know that it is parsed as one. The following syntactical requirements of Python apply:
Indentation is important as it marks the beginning of a block, similar to what curly braces ('{}') do in C/C++/C#/Java. This means that the way a block is indented must be consistent throughout that block. The example below shows correct syntax first, followed by incorrect syntax.
Correct:

```python
if self.request_url == 'http://www.balasys.hu/':
    print ('debug message')
    return HTTP_REQ_ACCEPT
return HTTP_REQ_REJECT
```

Incorrect:

```python
if self.request_url == 'http://www.balasys.hu/':
    print ('debug message')
      return HTTP_REQ_ACCEPT
return HTTP_REQ_REJECT
```

Getting used to correct indentation is probably the most important Python task for a beginner, especially without any C or C-like programming experience. Indentation in Python is the only way to separate blocks of code, since there are no Begin and End statements or curly braces. Otherwise, the language itself is quite simple and easy to learn. Note that Python is case-sensitive.
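Because policy.py is parsed as a Python module, an indentation mistake can be caught before the edited policy is put into use. The following is an added example, not part of the Zorp documentation or tooling: it compiles a policy text without executing it. The class and method names in the constructed samples are hypothetical, and it assumes the check is run with the same Python version that Zorp uses.

```python
import sys

# Constructed samples: the snippet from this page wrapped in a hypothetical
# class and method so that 'return' is legal. Only one line's indentation differs.
GOOD_POLICY = '''\
class SampleProxy:
    def check_request(self):
        if self.request_url == 'http://www.balasys.hu/':
            print('debug message')
            return HTTP_REQ_ACCEPT
        return HTTP_REQ_REJECT
'''

BAD_POLICY = GOOD_POLICY.replace(
    "            return HTTP_REQ_ACCEPT",
    "              return HTTP_REQ_ACCEPT",
)


def check_policy_syntax(source, filename="policy.py"):
    """Compile the text as a Python module without executing it.

    Returns None if it parses, otherwise (error_type, line_number, message).
    """
    try:
        compile(source, filename, "exec")
    except SyntaxError as exc:  # IndentationError and TabError are subclasses
        return (type(exc).__name__, exc.lineno, exc.msg)
    return None


def main(argv):
    if len(argv) > 1:  # check the file given on the command line
        with open(argv[1], encoding="utf-8") as handle:
            targets = [(argv[1], handle.read())]
    else:  # no argument: run the two constructed samples
        targets = [("good sample", GOOD_POLICY), ("bad sample", BAD_POLICY)]
    failed = False
    for name, text in targets:
        result = check_policy_syntax(text, name)
        failed |= result is not None
        print(name, "OK" if result is None else "FAILED: %s at line %s: %s" % result)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check only covers syntax: undefined names such as a misspelled constant are not detected, because the module is never executed.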
For more information on Python, see Appendix C, Further readings.
Published on May 30, 2024
© BalaSys IT Ltd.