6.2.4. Using hostnames in zones

Starting with Zorp 5.0, you can directly use hostnames in zones. During startup, Zorp automatically resolves these hostnames to /32 IP addresses, and updates them periodically to follow any changes in the IP addresses related to the hostname. When using hostnames in zones, note the following considerations and warnings:

  • Ensure that your Domain Name Server (DNS) is reliable and continuously available. If you cannot depend on your DNS to resolve the hostnames, do not use hostnames in zones.

  • Do not use zones that include hostnames to deny access, that is, do not use such zones in DenyServices. If Zorp cannot resolve a hostname, it omits the hostname from the zone. If the zone contains only a single hostname (because you want to use it to restrict access to a specific site), the zone will be empty and will never match any connection. If you have a firewall rule that is more permissive than the DenyService that uses the zone with the hostname, this more permissive rule takes effect, permitting traffic you want to block. (For example, you create a rule that permits HTTP traffic to the Internet, and a DenyService to block HTTP traffic to the example.com hostname. If Zorp cannot resolve the example.com hostname, then the broader, more permissive rule will permit traffic to the example.com site.)

  • In addition to maintaining zone address information in kzorp kernel modules, kzorp also enables the filtering and blocking of so-called 'bogus', possibly illegitimate, IP addresses.

    The filtering of DNS-based zone IP addresses is now enabled by default in the configuration. By default, the filtering level is set to the recommended value, 3. The levels indicate the following filtering:

    Filtering level   Filtering
    0                 No filtering takes place.
    1                 Filtering of invalid host addresses takes place: unspecified addresses (0.0.0.0/32, ::/128).
    2                 Filtering loopback address ranges takes place (127.0.0.0/8, ::1/128).
    3                 Filtering of private address ranges (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, fc00::/7), link-local address ranges (169.254.0.0/16, fe80::/10) and multicast ranges (224.0.0.0/4, ff00::/8) takes place.

    Table 6.1. Filtering levels

    Note that although the kzorpd configuration options could previously be changed only via the command line interface, it is now also possible to change the kzorpd configuration file with a text editor.

    If you need a filtering level other than the recommended value, change it in the kzorpd configuration file with a text editor.

    For details, see the kzorpd and the kzorpd configuration file manual pages in Appendix C, Zorp manual pages in Zorp Professional 7 Reference Guide.

  • If the hostname is resolved to an IP address that is explicitly used in another zone, then Zorp will use the rule with the explicit IP address. For example, you have a zone that includes the example.com hostname, another zone that includes the 192.168.100.1/32 IP address, and you have two different rules that use these zones (Rule_1 uses the hostname, Rule_2 the explicit IP address). If the example.com hostname is resolved to the 192.168.100.1 IP address, Zorp will use Rule_2 instead of Rule_1.

  • If more than one hostname is resolved to the same IP address, Zorp ignores that IP address, because it is associated with multiple hostnames. Consequently, it is not possible to use a hostname in a zone if the server uses name-based virtual hosting.

  • Zones are global in Zorp, and apply to all firewalls of the site, so carefully consider every modification of a zone, and its possible side-effects.
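
A small model of the behaviour described in the list above, as an added example that is not Zorp or kzorpd code: it applies the Table 6.1 ranges and the shared-address rule to already-resolved addresses and reports the hostname zones that end up empty, which is the case that makes a DenyService ineffective. The function names and sample hostnames are constructed; it assumes that a filtered address is dropped from the zone and that level N also applies the filters of the lower levels.

```python
import ipaddress
from collections import Counter

# Ranges from Table 6.1, keyed by the filtering level that lists them.
RANGES = {
    1: ["0.0.0.0/32", "::/128"],
    2: ["127.0.0.0/8", "::1/128"],
    3: ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "fc00::/7",
        "169.254.0.0/16", "fe80::/10", "224.0.0.0/4", "ff00::/8"],
}
NETS = {lvl: [ipaddress.ip_network(n) for n in nets] for lvl, nets in RANGES.items()}

def bogus_level(addr):
    """Lowest Table 6.1 level whose ranges contain addr, or None."""
    ip = ipaddress.ip_address(addr)
    for lvl in sorted(NETS):
        if any(ip in net for net in NETS[lvl]):
            return lvl
    return None

def effective_zones(resolved, level=3):
    """Model what remains in each hostname zone after filtering.

    resolved: {hostname: [addresses]}; an unresolvable hostname maps to [].
    Assumption: level N also applies the filters listed for lower levels.
    Returns (zones, empty): kept addresses per hostname, and the hostnames
    whose zone ends up empty and can no longer match any connection.
    """
    kept = {}
    for host, addrs in resolved.items():
        kept[host] = {a for a in addrs
                      if bogus_level(a) is None or bogus_level(a) > level}
    # An address returned for more than one hostname is ignored.
    seen = Counter(a for addrs in kept.values() for a in addrs)
    zones = {h: sorted(a for a in addrs if seen[a] == 1)
             for h, addrs in kept.items()}
    empty = sorted(h for h, addrs in zones.items() if not addrs)
    return zones, empty

# Constructed sample data standing in for DNS answers.
SAMPLE = {
    "blocked.example.com": ["10.1.2.3"],        # private address
    "a.example.com": ["203.0.113.10"],          # shares an address with b
    "b.example.com": ["203.0.113.10", "203.0.113.11"],
    "down.example.com": [],                     # resolution failed
}

if __name__ == "__main__":
    zones, empty = effective_zones(SAMPLE)
    for host in sorted(zones):
        print(host, zones[host] or "EMPTY: never matches")
```

Any hostname reported as empty is one that should not be relied on in a DenyService, for the reason given in the second list item.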