10.10.1.1. Procedure – Edit the Policy.py file

  1. Set the import statements.

    The default-installed policy.py.sample file starts with the import statements:

    from Zorp.Core import *
    from Zorp.Plug import *
    from Zorp.Http import *
    from Zorp.Ftp import *

    These statements import the (Python) front-end modules that the configuration needs. Zorp.Core is always required; the other three are imported here only because the sample file references the Plug, Http and Ftp proxy classes.

    Tip

    A good way of learning policy.py is to create firewall policies in ZMC and then look at the resulting configuration files.

  2. Provide the name of the firewall, then the zone definitions together with the access control defined for them, that is, the allowed outbound and inbound services.

    Zone("site-net", ["192.168.1.0/24"])

  3. Configure the classes used in service definitions.

    These class definitions can be simple, in essence only naming the proxy class to be derived from, like the IntraFtp class in the sample file:

    class IntraFtp(FtpProxy):
      def config(self):
        FtpProxy.config(self)

    Or they can be rather complex, customizing the derived proxy class through its attributes, as in the case of the IntraHttp class in the sample file:

    # Let's define a transparent http proxy, which rewrites the
    # user_agent header to something different.
    #
    class IntraHttp(HttpProxy):
      def config(self):
        HttpProxy.config(self)
        self.transparent_mode = TRUE
        self.request_headers["User-Agent"] = (HTTP_HDR_CHANGE_VALUE, "Lynx/2.8.3rel.1")
        # every GET request is handed to the filterURL callback below
        self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)
        # self.parent_proxy = "proxy.site.net"
        # self.parent_proxy_port = 3128
        # self.timeout = 60000
        # self.max_keepalive_requests = 10

      def filterURL(self, method, url, version):
        # return HTTP_REQ_REJECT here to reject this request
        # change self.request_url to redirect to another url
        # change connection_mode to HTTP_CONNECTION_CLOSE to
        # force kept-alive connections to close
        log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url))
        # the callback must return a verdict; accept the request unchanged
        return HTTP_REQ_ACCEPT

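A request-policy callback that actually makes a decision, filling in what the sample's filterURL only describes in comments (reject, or rewrite the target and accept). This is an added example, not code from the Zorp sample policy.py: the FilteredHttp class, the host lists and the rewrite target are constructed, and HTTP_REQ_ACCEPT is assumed to be the accept verdict that pairs with the HTTP_REQ_REJECT the sample mentions.

```python
from urllib.parse import urlsplit

try:
    from Zorp.Http import HttpProxy, HTTP_REQ_ACCEPT, HTTP_REQ_REJECT, HTTP_REQ_POLICY
except ImportError:
    # Stand-in values so the decision logic can be exercised outside a running
    # Zorp; inside policy.py the real constants come from Zorp.Http.
    HTTP_REQ_ACCEPT, HTTP_REQ_REJECT, HTTP_REQ_POLICY = "accept", "reject", "policy"

    class HttpProxy(object):
        def config(self):
            self.request = {}

# Constructed policy data: hosts clients may reach, and hosts whose requests
# are rewritten to a replacement server before being accepted.
ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}
REWRITE_HOST = {"old.example.com": "www.example.com"}


def decide_request(method, url):
    """Return (verdict, rewritten_url); rewritten_url is None unless the
    request is accepted with a different target than the client asked for."""
    if method not in ("GET", "HEAD"):
        return HTTP_REQ_REJECT, None           # only methods we understand
    parts = urlsplit(url)
    host = parts.hostname or ""                # urlsplit lowercases the host
    if host in REWRITE_HOST:
        return HTTP_REQ_ACCEPT, parts._replace(netloc=REWRITE_HOST[host]).geturl()
    if host in ALLOWED_HOSTS:
        return HTTP_REQ_ACCEPT, None
    return HTTP_REQ_REJECT, None               # default deny


class FilteredHttp(HttpProxy):
    """Hypothetical proxy class in the style of the sample's IntraHttp."""
    def config(self):
        HttpProxy.config(self)
        # Route GET and HEAD through the callback, as the sample does for GET.
        self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)
        self.request["HEAD"] = (HTTP_REQ_POLICY, self.filterURL)

    def filterURL(self, method, url, version):
        verdict, new_url = decide_request(method, url)
        if new_url is not None:
            self.request_url = new_url         # redirect before accepting
        return verdict
```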
  4. Define the instances to be used.

    Besides its name, the most important characteristic of an instance is the list of services it provides, so the services are defined inside the instance's function:

    # zorp_http instance
    def zorp_http():
      # create services
      Service(name='intra_http', router=TransparentRouter(), chainer=ConnectChainer(), proxy_class=IntraHttp, max_instances=0, max_sessions=0, keepalive=Z_KEEPALIVE_NONE)
      Service(name='intra_ftp', router=TransparentRouter(), chainer=ConnectChainer(), proxy_class=IntraFtp, max_instances=0, max_sessions=0, keepalive=Z_KEEPALIVE_NONE)
      # rules refer to services by the name= given above, not by the proxy class
      Rule(proto=6,          # TCP
        dst_port=80,
        service='intra_http'
        )
      Rule(proto=6,
        dst_port=21,
        service='intra_ftp'
        )

    Still within the instance definition code block, with correct indentation, specify the firewall rules (the Rule() calls) that start these services.