Refactor layout

README.md

@@ -0,0 +1,23 @@
+Zorp examples
+-------------
+
+These folders contain various configuration examples for Zorp proxy firewall.
+
+You just have to replace the /etc/zorp directory's content with one of the examples and start the instance.
+
+Transparent HTTP proxy
+----------------------
+```bash
+    sudo zorpctl stop zorp_instance
+    sudo mv /etc/zorp /etc/zorp.backup
+    sudo ln -s /home/user/zorp-examples/transparent_http /etc/zorp
+    sudo zorpctl start zorp_instance
+```
+Transparent FTP proxy with virus scanning
+----------------------------------------
+```bash
+    sudo zorpctl stop zorp_instance
+    sudo mv /etc/zorp /etc/zorp.backup
+    sudo ln -s /home/user/zorp-examples/transparent_ftp_clamav /etc/zorp
+    sudo zorpctl start stack_instance
+```

audit_transparent_services/instances.conf

@@ -0,0 +1,19 @@
+############################################################################
+# -*- coding: UTF-8 -*-
+#
+# Copyright (c) 2011 BalaBit IT Ltd, Budapest, Hungary
+# Copyright (c) 2011 Szilárd Pfeiffer <szilard.pfeiffer@balabit.com>
+#
+# Authors: Szilárd Pfeiffer <szilard.pfeiffer@balabit.com>
+#
+# Permission is granted to copy, distribute and/or modify this document
+# under the terms of the GNU Free Documentation License, Version 1.3
+# or any later version published by the Free Software Foundation;
+# with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
+# A copy of the license is included in the section entitled "GNU
+# Free Documentation License".
+#
+############################################################################
+
+#instance  arguments
+audit_instance --verbose=3 --logspec 'http.accounting:4,ftp.request:6,ftp.response:6,pop3.request:7,pop3.response:7,smtp.request:7,smtp.response:7' --policy /etc/zorp/policy.py

audit_transparent_services/policy.py

@@ -0,0 +1,73 @@
+#
+# Authors: Szilárd Pfeiffer <szilard.pfeiffer@balabit.com>
+#          Tibor Balázs <tibor.balazs@balabit.com>
+#
+# Permission is granted to copy, distribute and/or modify this document
+# under the terms of the GNU Free Documentation License, Version 1.3
+# or any later version published by the Free Software Foundation;
+# with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
+# A copy of the license is included in the section entitled "GNU
+# Free Documentation License".
+#
+############################################################################
+
+from Zorp.Core import *
+
+from Zorp.Ftp import *
+from Zorp.Http import *
+from Zorp.Pop3 import *
+from Zorp.Smtp import *
+
+
+Zone(name="clients",
+     addr = ["172.16.10.0/23", ],
+    )
+
+Zone(name="servers",
+     addr = ["172.16.20.0/23", ],
+    )
+
+Zone(name="servers.audit",
+         addrs = ["172.16.21.1/32", ],
+         admin_parent = "servers"
+        )
+
+
+def audit_instance():
+    Service(name="service_ftp_transparent_audit",
+        proxy_class = FtpProxy,
+        router = TransparentRouter()
+    )
+    Service(name="service_http_transparent_audit",
+        proxy_class = HttpProxy,
+        router = TransparentRouter()
+    )
+    Service(name="service_pop3_transparent_audit",
+        proxy_class = Pop3Proxy,
+        router = TransparentRouter()
+    )
+    Service(name="service_smtp_transparent_audit",
+        proxy_class = SmtpProxy,
+        router = TransparentRouter()
+    )
+
+    Rule(service='service_ftp_transparent_audit',
+         dst_port = 21,
+         src_zone = ('clients', ),
+         dst_zone = ('servers.audit', )
+    )
+    Rule(service='service_http_transparent_audit',
+         dst_port = 80,
+         src_zone = ('clients', ),
+         dst_zone = ('servers.audit', )
+    )
+    Rule(service='service_pop3_transparent_audit',
+         dst_port = 110,
+         src_zone = ('clients', ),
+         dst_zone = ('servers.audit', )
+    )
+    Rule(service='service_smtp_transparent_audit',
+         dst_port = 25,
+         src_zone = ('clients', ),
+         dst_zone = ('servers.audit', )
+    )

audit_transparent_services/zones.py

@@ -0,0 +1,13 @@
+Zone(name="clients",
+     addr = ["172.16.10.0/23", ],
+    )
+
+Zone(name="servers",
+     addr = ["172.16.20.0/23", ],
+    )
+
+Zone(name="servers.audit",
+         addrs = ["172.16.21.1/32", ],
+         admin_parent = "servers"
+        )
+

audit_transparent_services/zorpctl.conf

@@ -0,0 +1,75 @@
+############################################################################
+# -*- coding: UTF-8 -*-
+#
+# Copyright (c) 2011 BalaBit IT Ltd, Budapest, Hungary
+# Copyright (c) 2011 Szilárd Pfeiffer <szilard.pfeiffer@balabit.com>
+#
+# Authors: Szilárd Pfeiffer <szilard.pfeiffer@balabit.com>
+#
+# Permission is granted to copy, distribute and/or modify this document
+# under the terms of the GNU Free Documentation License, Version 1.3
+# or any later version published by the Free Software Foundation;
+# with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
+# A copy of the license is included in the section entitled "GNU
+# Free Documentation License".
+#
+############################################################################
+
+#
+# This file is sourced by zorpctl and contains default settings
+# for various parameters.
+#
+[root]
+# specifies whether --auto-restart is default
+AUTO_RESTART=1
+
+# wait a starting process to report back for this amount of time, assume the
+# startup failed if it exceeds this time.
+START_WAIT_TIMEOUT=10
+
+# The interval (in seconds) to check a stopping Zorp instance at, second
+# fractions are allowed.
+STOP_CHECK_DELAY=0.1
+
+# The number of seconds to wait for a stopping Zorp instance
+STOP_CHECK_TIMEOUT=5
+
+# The minimal process limit
+PROCESS_LIMIT_MIN=256
+
+# The extra processes to allocate limit for.
+PROCESS_LIMIT_RESERVE=64
+
+# automatically append this string to each Zorp command line, this was
+# renamed in Zorp 3.0.3, but the original APPEND_ARGS option still works.
+ZORP_APPEND_ARGS=""
+
+# arguments appended to the zorpctl instance specific options, such as
+# --enable-core
+ZORPCTL_APPEND_ARGS=""
+
+# whether to check /etc/zorp permissions
+CHECK_PERMS="1"
+#CONFIG_DIR=/etc/zorp
+#CONFIG_DIR_OWNER=root
+#CONFIG_DIR_GROUP=zorp
+#CONFIG_DIR_MODE=0750
+
+# directory where Zorp stores its pidfiles
+#PIDFILE_DIR=/var/run/zorp
+
+# set pidfile directory ownership according to the settings below (umask is
+# applied).
+# DO not modify this, unless you know what you are doing.
+PIDFILE_DIR_OWNER=zorp
+PIDFILE_DIR_GROUP=zorp
+PIDFILE_DIR_MODE=0770
+
+# Deprecated options, these options should not be used anymore and trigger a
+# warning in zorpctl if they are used.
+
+#PROCESS_LIMIT_THRESHOLD
+#AUTO_RESTART_TIME_THRESHOLD
+#AUTO_RESTART_MAX_COUNT
+#START_CHECK_TIMEOUT
+#AUTO_RESTART_DELAY

cloud_encryption/Cypher.py

@@ -0,0 +1,60 @@
+class BaseCypher(object):
+    def __init__(self, magic=""):
+        self.magic = magic
+        self.magic_len = len(magic)
+
+    def encrypt(self, plaintext):
+        cyphertext = self.magic + self._encrypt(plaintext)
+        return cyphertext
+
+    def _encrypt(self, plaintext):
+        raise NotImplementedError
+
+    def decrypt(self, cyphertext):
+        if self.magic_len > 0 and len(cyphertext) < self.magic_len:
+            raise IndexError
+        plaintext = self._decrypt(cyphertext[self.magic_len:])
+        return plaintext
+
+    def _decrypt(self, cyphertext):
+        raise NotImplementedError
+
+class NoCypher(BaseCypher):
+    def __init__(self, magic=""):
+        super(NoCypher, self).__init__(magic)
+
+    def _encrypt(self, plaintext):
+        return plaintext
+
+    def _decrypt(self, cyphertext):
+        return cyphertext
+
+
+class Base64Cypher(BaseCypher):
+    base64 = __import__('base64')
+
+    def __init__(self, magic=""):
+        super(Base64Cypher, self).__init__(magic)
+
+    def _encrypt(self, plaintext):
+        return Base64Cypher.base64.b64encode(plaintext)
+
+    def _decrypt(self, cyphertext):
+        return Base64Cypher.base64.b64decode(cyphertext)
+
+
+class RSAKeyCypher(BaseCypher):
+    m2c = __import__('M2Crypto')
+    base64 = __import__('base64')
+
+    def __init__(self, key_file, magic=""):
+        super(RSAKeyCypher, self).__init__(magic)
+        self.key = RSAKeyCypher.m2c.RSA.load_key(key_file)
+
+    def _encrypt(self, plaintext):
+        secret = self.key.public_encrypt(plaintext, RSAKeyCypher.m2c.RSA.pkcs1_oaep_padding)
+        return RSAKeyCypher.base64.b64encode(secret)
+
+    def _decrypt(self, cyphertext):
+        secret = RSAKeyCypher.base64.b64decode(cyphertext)
+        return self.key.private_decrypt(secret, RSAKeyCypher.m2c.RSA.pkcs1_oaep_padding).replace('\0','')

cloud_encryption/instances.conf

@@ -0,0 +1,19 @@
+############################################################################
+# -*- coding: UTF-8 -*-
+#
+# Copyright (c) 2011 BalaBit IT Ltd, Budapest, Hungary
+# Copyright (c) 2011 Szilárd Pfeiffer <szilard.pfeiffer@balabit.com>
+#
+# Authors: Szilárd Pfeiffer <szilard.pfeiffer@balabit.com>
+#
+# Permission is granted to copy, distribute and/or modify this document
+# under the terms of the GNU Free Documentation License, Version 1.3
+# or any later version published by the Free Software Foundation;
+# with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
+# A copy of the license is included in the section entitled "GNU
+# Free Documentation License".
+#
+############################################################################
+
+#instance  arguments
+cloud_encryption_instance --verbose=6 --policy /etc/zorp/policy.py