Copyright © 1996-2024 Balasys IT Zrt. (Private Limited Company)
Copyright © 2024 Balasys IT Zrt. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Balasys.
This documentation and the product it describes are considered protected by copyright according to the applicable laws.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
Linux™ is a registered trademark of Linus Torvalds.
Windows™ 10 is a registered trademark of Microsoft Corporation.
The Balasys™ name and the Balasys™ logo are registered trademarks of Balasys IT Zrt.
The Zorp™ name and the Zorp™ logo are registered trademarks of Balasys IT Zrt.
AMD Ryzen™ and AMD EPYC™ are registered trademarks of Advanced Micro Devices, Inc.
Intel® Core™ and Intel® Xeon™ are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.
All other product names mentioned herein are the trademarks of their respective owners.
DISCLAIMER
Balasys is not responsible for any third-party websites mentioned in this document. Balasys does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Balasys will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.
May 30, 2024
Table of Contents
- Preface
- 1. How Zorp works
- 2. Configuring Zorp proxies
- 3. The Zorp SSL framework
- 4. Proxies
- 4.1. General information on the proxy modules
- 4.2. Attribute values
- 4.3. Examples
- 4.4. Module AnyPy
- 4.5. Module Finger
- 4.6. Module Ftp
- 4.7. Module Http
- 4.7.1. The HTTP protocol
- 4.7.2. Proxy behavior
- 4.7.3. Related standards
- 4.7.4. Classes in the Http module
- 4.7.5. Class AbstractHttpProxy
- 4.7.6. Class HttpProxy
- 4.7.7. Class HttpProxyNonTransparent
- 4.7.8. Class HttpProxyURIFilter
- 4.7.9. Class HttpProxyURIFilterNonTransparent
- 4.7.10. Class HttpProxyURLCategoryFilter
- 4.7.11. Class HttpWebdavProxy
- 4.7.12. Class NontransHttpWebdavProxy
- 4.8. Module Plug
- 4.9. Module Pop3
- 4.10. Module Smtp
- 4.11. Module Telnet
- 4.12. Module Whois
- 4.13. Module Imap
- 4.14. Module Ldap
- 4.14.1. The LDAP protocol
- 4.14.2. Proxy behavior
- 4.14.3. Configuring policies for LDAP requests
- 4.14.4. Simple Authentication and Security Layer (SASL) on LDAP messages
- 4.14.5. Related standards
- 4.14.6. Classes in the Ldap module
- 4.14.7. Class AbstractLdapProxy
- 4.14.8. Class LdapProxy
- 4.14.9. Class LdapProxyRO
- 4.15. Module Lp
- 4.16. Module Mime
- 4.17. Module MSRpc
- 4.18. Module Nntp
- 4.19. Module Radius
- 4.20. Module Rdp
- 4.21. Module Rsh
- 4.22. Module Sip
- 4.23. Module Socks
- 4.24. Module SQLNet
- 4.25. Module Ssh
- 4.26. Module TFtp
- 4.27. Module Vnc
- 5. Core
- 5.1. Module Auth
- 5.1.1. Authentication and authorization basics
- 5.1.2. Authentication and authorization in Zorp
- 5.1.3. Classes in the Auth module
- 5.1.4. Class AbstractAuthentication
- 5.1.5. Class AbstractAuthorization
- 5.1.6. Class AuthCache
- 5.1.7. Class AuthenticationPolicy
- 5.1.8. Class AuthorizationPolicy
- 5.1.9. Class BasicAccessList
- 5.1.10. Class InbandAuthentication
- 5.1.11. Class NEyesAuthorization
- 5.1.12. Class PairAuthorization
- 5.1.13. Class PermitGroup
- 5.1.14. Class PermitTime
- 5.1.15. Class PermitUser
- 5.1.16. Class SatyrAuthentication
- 5.1.17. Class ServerAuthentication
- 5.1.18. Class ZAAuthentication
- 5.2. Module AuthDB
- 5.3. Module Chainer
- 5.3.1. Selecting the network protocol
- 5.3.2. Classes in the Chainer module
- 5.3.3. Class AbstractChainer
- 5.3.4. Class AvailabilityChainer
- 5.3.5. Class ConnectChainer
- 5.3.6. Class FailoverChainer
- 5.3.7. Class MultiTargetChainer
- 5.3.8. Class RoundRobinAvailabilityChainer
- 5.3.9. Class RoundRobinChainer
- 5.3.10. Class SideStackChainer
- 5.3.11. Class StateBasedChainer
- 5.4. Module Detector
- 5.5. Module Encryption
- 5.5.1. SSL parameter constants
- 5.5.2. Classes in the Encryption module
- 5.5.3. Class AbstractVerifier
- 5.5.4. Class Certificate
- 5.5.5. Class CertificateCA
- 5.5.6. Class ClientCertificateVerifier
- 5.5.7. Class ClientNoneVerifier
- 5.5.8. Class ClientOnlyEncryption
- 5.5.9. Class ClientOnlyStartTLSEncryption
- 5.5.10. Class ClientSSLOptions
- 5.5.11. Class DHParam
- 5.5.12. Class DynamicCertificate
- 5.5.13. Class DynamicServerEncryption
- 5.5.14. Class EncryptionPolicy
- 5.5.15. Class FakeStartTLSEncryption
- 5.5.16. Class ForwardStartTLSEncryption
- 5.5.17. Class PrivateKey
- 5.5.18. Class SNIBasedCertificate
- 5.5.19. Class SSLOptions
- 5.5.20. Class ServerCertificateVerifier
- 5.5.21. Class ServerNoneVerifier
- 5.5.22. Class ServerOnlyEncryption
- 5.5.23. Class ServerSSLOptions
- 5.5.24. Class StaticCertificate
- 5.5.25. Class TwoSidedEncryption
- 5.6. Module Keybridge
- 5.7. Module Matcher
- 5.8. Module NAT
- 5.9. Module Notification
- 5.10. Module Proxy
- 5.11. Module Resolver
- 5.12. Module Router
- 5.13. Module Rule
- 5.14. Module Service
- 5.15. Module Session
- 5.16. Module SockAddr
- 5.17. Module Stack
- 5.18. Module Zone
- 5.19. Module Zorp
- 6. Core-internal
- A. Additional proxy information
- B. Global options of Zorp
- C. Zorp manual pages
- zas — Zorp Authentication Server
- zas.cfg zas(8) configuration file.
- zcv — Zorp Content Vectoring Server
- zcv.cfg zcv(8) configuration file format
- zms — Zorp Management Server engine
- zms.conf Configuration file format for the Zorp Management Server (zms(8)).
- zms-integrity — ZMS Database Integrity Checker
- instances.conf zorp(8) instances database
- policy.py zorp(8) policy file.
- zorp — Zorp Firewall Suite
- zorpctl — Start and stop zorp instances.
- zorpctl.conf zorpctl(8) configuration file.
- kzorpd — KZorp daemon
- kzorpd.conf kzorpd(8) configuration file
- zavupdate — Updates the databases of the various AntiVirus engines.
- zavupdate.options zavupdate(8) configuration files.
- zqc — Zorp Quarantine Checker
- D. Zorp Professional End-User License Agreement
- D.1. 1. SUBJECT OF THE LICENSE CONTRACT
- D.2. 2. DEFINITIONS
- D.3. 3. LICENSE GRANTS AND RESTRICTIONS
- D.4. 4. SUBSIDIARIES
- D.5. 5. INTELLECTUAL PROPERTY RIGHTS
- D.6. 6. TRADE MARKS
- D.7. 7. NEGLIGENT INFRINGEMENT
- D.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION
- D.9. 9. LICENSE FEE
- D.10. 10. WARRANTIES
- D.11. 11. DISCLAIMER OF WARRANTIES
- D.12. 12. LIMITATION OF LIABILITY
- D.13. 13. DURATION AND TERMINATION
- D.14. 14. AMENDMENTS
- D.15. 15. WAIVER
- D.16. 16. SEVERABILITY
- D.17. 17. NOTICES
- D.18. 18. MISCELLANEOUS
- E. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License
- Index of Proxy attributes
- Index of Core attributes
- Index of all attributes
List of Examples
- 2.1. Customizing FTP commands
- 2.2. Using the POLICY action
- 2.3. Default and explicit actions
- 2.4. Customizing response codes
- 2.5. Example PlugProxy allowing secondary sessions
- 2.6. HTTP proxy stacked into an HTTPS connection
- 2.7. Program stacking in HTTP
- 3.1. Accepting invalid certificates
- 3.2. Disabling specific TLS protocols
- 3.3. Configuring FTPS support
- 4.1. Controlling the number of max hops
- 4.2. FTP protocol sample
- 4.3. Customizing FTP to allow only anonymous sessions
- 4.4. Configuring FTPS support
- 4.5. Example HTTP transaction
- 4.6. Proxy style HTTP query
- 4.7. Data tunneling with connect method
- 4.8. Implementing URL filtering in the HTTP proxy
- 4.9. 404 response filtering in HTTP
- 4.10. Header filtering in HTTP
- 4.11. URL redirection in HTTP proxy
- 4.12. Redirecting HTTP to HTTPS
- 4.13. Using parent proxies in HTTP
- 4.14. URL filtering HTTP proxy
- 4.15. POP3 protocol sample
- 4.16. Example for allowing only APOP authentication in POP3
- 4.17. Example for converting simple USER/PASS authentication to APOP in POP3
- 4.18. Rewriting the banner in POP3
- 4.19. SMTP protocol sample
- 4.20. Example for disabling the Telnet X Display Location option
- 4.21. Rewriting the DISPLAY environment variable
- 4.22. Example WhoisProxy logging all whois requests
- 4.23. IMAP protocol sample
- 4.24. Rewriting IMAP capability response
- 4.25. Changing the greeting string in IMAP
- 4.26. IMAP arguments in use
- 4.27. Example Ldap entry
- 4.28. Example of the commands usage
- 4.29. Example mail header containing MIME message
- 4.30. Example PNG format picture attachment
- 4.31. Example multipart message
- 4.32. Example usage of MimeProxy module, denying applications
- 4.33. Customising RPC to allow connection to service "11223344-5566-7788-99aa-bbccddeeff00"
- 4.34. Example NNTP connection
- 4.35. Example for filtering accessible newsgroups
- 4.36. Example for defining policies for responses in NNTP
- 4.37. Example RadiusProxy config
- 4.38. Disabling RDP5 protocol by force-reverting it to RDP4
- 4.39. Disabling channel RDPDR
- 4.40. Enabling custom channels
- 4.41. Dynamically change username and server address
- 4.42. Strict Rsh proxy denying root user access and logging the issued Rsh commands
- 4.43. Disabling video traffic in SIP
- 4.44. SOCKS and HTTP traffic
- 4.45. Enabling and disabling SSH channels
- 4.46. Enabling only SFTP connections
- 4.47. Restricting local forwarding
- 4.48. Modifying the keypair used in public-key authentication
- 5.1. A simple authentication policy
- 5.2. Caching authentication decisions
- 5.3. A simple authorization policy
- 5.4. BasicAccessList example
- 5.5. A simple PairAuthorization policy
- 5.6. A simple PermitGroup policy
- 5.7. PermitTime example
- 5.8. A simple PermitUser policy
- 5.9. Outband authentication example
- 5.10. A sample authentication provider
- 5.11. A DirectedRouter using AvailabilityChainer
- 5.12. A sample ConnectChainer
- 5.13. A DirectedRouter using FailoverChainer
- 5.14. A DirectedRouter using RoundRobinAvailabilityChainer
- 5.15. A DirectedRouter using RoundRobinChainer
- 5.16. CertDetector example
- 5.17. HttpDetector example
- 5.18. SNIDetector example
- 5.19. SshDetector example
- 5.20. Loading a certificate
- 5.21. Loading DH parameters
- 5.22. Loading a private key
- 5.23. Whitelisting e-mail recipients
- 5.24. DNSMatcher example
- 5.25. RegexpFileMatcher example
- 5.26. RegexpMatcher example
- 5.27. SmtpInvalidMatcher example
- 5.28. WindowsUpdateMatcher example
- 5.29. GeneralNat example
- 5.30. Using Natpolicies
- 5.31. A simple DNSResolver policy
- 5.32. A simple HashResolver policy
- 5.33. DirectedRouter example
- 5.34. InbandRouter example
- 5.35. TransparentRouter example
- 5.36. Sample rule definitions
- 5.37. Tagging rules
- 5.38. A simple DenyService
- 5.39. PFService example
- 5.40. Service example
- 5.41. SockAddrInet example
- 5.42. SockAddrInet example
- 5.43. SockAddrInetHostname example
- 5.44. SockAddrUnix example
- 5.45. A simple StackingProvider class
- 5.46. Using a StackingProvider in an FTP proxy
- 5.47. Finding IP networks
- 5.48. Zone examples
- 5.49. Determining the zone of an IP address
- 6.1. CSZoneDispatcher example
- 6.2. Dispatcher example
- A.1. An example for the SQL*Net connection string
List of Procedures
- 1.1. Zorp startup and initialization
- 1.2.1. Handling packet filtering services
- 1.2.2. Handling application-level services
- 1.3. Proxy startup and the server-side connection
- 3.1.1. The SSL handshake
- 3.2.4.1. Enabling SSL-encryption in the connection
- 3.2.8. Configuring keybridging
- B.1. Setting global options of Zorp
Published on May 30, 2024
© BalaSys IT Ltd.
Send your comments to support@balasys.hu