6.4. Zorp services

Services define the traffic that can pass through the firewall. A service is not a software component but a group of parameters that describe what kind of traffic Zorp should accept and how to handle the accepted traffic. The service specifies how thoroughly the traffic is analyzed (packet filter or application level), the protocol of the traffic (for example, HTTP, FTP, and so on), whether the traffic is TLS-encrypted (and the related security settings, such as the accepted certificates), the NAT policies applied to the connections, and many other parameters.

Packet-filter services forward the incoming packets using the kzorp kernel module. Application-level services create two separate connections on the two sides of Zorp (client–Zorp and Zorp–server) and analyze the traffic on the protocol level, so the client never has a direct connection to the server. Only application-level services can perform content filtering, authentication, and other advanced features.

Note

To allow IPSec traffic to pass Zorp, you must add packet filtering rules manually. See Procedure 16.3.4, Forwarding IPSec traffic on the packet level for details.

The following types of services are available in Zorp:

  • Service: Inspects the traffic on the application level using proxies. For the highest available security, use application-level inspection whenever possible. For details, see Procedure 6.4.1, Creating a new service.

  • PFService: Inspects the traffic only on the packet level. Use packet-level filtering to transfer very large amounts of UDP traffic (for example, streaming audio or video). Note that a packet-filter service cannot perform content filtering or authentication. For details, see Procedure 6.4.2, Creating a new packet filtering Service (PFService).

  • DenyService: Makes a service unavailable for any reason (for example, because accessing it is prohibited in certain zones). DenyService replaces the umbrella zones of earlier Zorp versions. For details, see Procedure 6.4.3, Creating a new DenyService.

  • DetectorService: Attempts to determine the protocol used in the connection from the traffic itself, and then starts the specified service. Currently it can detect HTTP, SSH, and SSL traffic. For HTTPS connections, it can also select a service based on the certificate of the server. For details, see Procedure 6.4.4, Creating a new DetectorService.

Services are managed from the Services tab of the Zorp ZMC component. The left side of the tab displays the configured services, while the right side shows the parameters of the selected service. Use this tab to delete unwanted services, modify existing ones, or create new ones.