Zorp Professional 6 Reference Guide

This documentation and the product it describes are considered protected by copyright according to the applicable laws.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

The BalaBit™ name and the BalaBit™ logo are registered trademarks of BalaBit IT Security Ltd.

The BalaBit Shell Control Box™ name and the BalaBit Shell Control Box™ logo are registered trademarks of BalaBit.

Hadoop™ and the Hadoop elephant logo are trademarks of the Apache Software Foundation.

Linux™ is a registered trademark of Linus Torvalds.

The syslog-ng™ name and the syslog-ng™ logo are registered trademarks of BalaBit.

Windows™ 95, 98, ME, 2000, XP, Server 2003, Vista, Server 2008, 7, 8, and Server 2013 are registered trademarks of Microsoft Corporation.

The Zorp™ name and the Zorp™ logo are registered trademarks of BalaBit.

All other product names mentioned herein are the trademarks of their respective owners.

DISCLAIMER

BalaBit is not responsible for any third-party Web sites mentioned in this document. BalaBit does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaBit will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.

April 17, 2015


Table of Contents

Preface
1. Summary of contents
2. Terminology
3. Target audience and prerequisites
4. Products covered in this guide
5. Typographical conventions
6. Contact and support information
6.1. Sales contact
6.2. Support contact
6.3. Training
7. About this document
7.1. Feedback
1. How Zorp works
1.1. Zorp startup and initialization
1.2. Handling incoming connections
1.2.1. Handling packet-filtering services
1.2.2. Handling application-level services
1.3. Proxy startup and the server-side connection
2. Configuring Zorp proxies
2.1. Policies for requests and responses
2.1.1. Default actions
2.1.2. Response codes
2.2. Secondary sessions
2.3. Embedded protocol analysis
2.3.1. Proxy stacking
2.3.2. Program stacking
3. The Zorp SSL framework
3.1. The SSL and TLS protocols
3.1.1. The SSL handshake
3.2. Handling TLS and SSL connections in Zorp
3.2.1. Behavior of the SSL framework
3.2.2. Session reuse in SSL and TLS connections
3.2.3. Understanding Encryption policies
3.2.4. Configuring Encryption policies
3.2.5. Certificate verification options
3.2.6. Protocol-level SSL settings
3.2.7. Enabling STARTTLS
3.2.8. Configuring keybridging
3.3. Related standards
3.4. Encryption options reference
3.5. X.509 Certificates
3.5.1. X.509 Certificate Names
3.5.2. X.509 Certificate Revocation List
3.5.3. X.509 Certificate hash
3.5.4. X.509 CRL hash
4. Proxies
4.1. General information on the proxy modules
4.2. Attribute values
4.3. Examples
4.4. Module AnyPy
4.4.1. Related standards
4.4.2. Classes in the AnyPy module
4.4.3. Class AbstractAnyPyProxy
4.4.4. Class AnyPyProxy
4.5. Module Finger
4.5.1. The Finger protocol
4.5.2. Proxy behavior
4.5.3. Related standards
4.5.4. Classes in the Finger module
4.5.5. Class AbstractFingerProxy
4.5.6. Class FingerProxy
4.6. Module Ftp
4.6.1. The FTP protocol
4.6.2. Proxy behavior
4.6.3. Related standards
4.6.4. Classes in the Ftp module
4.6.5. Class AbstractFtpProxy
4.6.6. Class FtpProxy
4.6.7. Class FtpProxyAnonRO
4.6.8. Class FtpProxyAnonRW
4.6.9. Class FtpProxyRO
4.6.10. Class FtpProxyRW
4.7. Module Http
4.7.1. The HTTP protocol
4.7.2. Proxy behavior
4.7.3. Related standards
4.7.4. Classes in the Http module
4.7.5. Class AbstractHttpProxy
4.7.6. Class HttpProxy
4.7.7. Class HttpProxyNonTransparent
4.7.8. Class HttpProxyURIFilter
4.7.9. Class HttpProxyURIFilterNonTransparent
4.7.10. Class HttpWebdavProxy
4.7.11. Class NontransHttpWebdavProxy
4.8. Module Imap
4.8.1. The IMAP protocol
4.8.2. Proxy behavior
4.8.3. Related standards
4.8.4. Classes in the Imap module
4.8.5. Class AbstractImapProxy
4.8.6. Class ImapProxy
4.8.7. Class ImapProxyStrict
4.9. Module Ldap
4.9.1. The LDAP protocol
4.9.2. Proxy behavior
4.9.3. Configuring policies for LDAP requests
4.9.4. Simple Authentication and Security Layer (SASL) on LDAP messages
4.9.5. Related standards
4.9.6. Classes in the Ldap module
4.9.7. Class AbstractLdapProxy
4.9.8. Class LdapProxy
4.9.9. Class LdapProxyRO
4.10. Module Lp
4.10.1. The LPD protocol
4.10.2. Proxy behavior
4.10.3. Related standards
4.10.4. Classes in the Lp module
4.10.5. Class AbstractLpProxy
4.10.6. Class LpProxy
4.11. Module Mime
4.11.1. The MIME protocol
4.11.2. Proxy behavior
4.11.3. Related standards
4.11.4. Classes in the Mime module
4.11.5. Class AbstractMimeProxy
4.11.6. Class MimeProxy
4.12. Module MSRpc
4.12.1. The RPC protocol
4.12.2. Proxy behavior
4.12.3. Classes in the MSRpc module
4.12.4. Class AbstractMSRpcProxy
4.12.5. Class MSRpcProxy
4.13. Module Nntp
4.13.1. The NNTP Protocol
4.13.2. Proxy behavior
4.13.3. Related standards
4.13.4. Classes in the Nntp module
4.13.5. Class AbstractNntpProxy
4.13.6. Class NntpProxy
4.13.7. Class NntpProxyGroupFilter
4.13.8. Class NntpProxyRO
4.13.9. Class NntpProxyStrict
4.14. Module Plug
4.14.1. Proxy behavior
4.14.2. Related standards
4.14.3. Classes in the Plug module
4.14.4. Class AbstractPlugProxy
4.14.5. Class PlugProxy
4.15. Module Pop3
4.15.1. The POP3 protocol
4.15.2. Proxy behavior
4.15.3. Related standards
4.15.4. Classes in the Pop3 module
4.15.5. Class AbstractPop3Proxy
4.15.6. Class Pop3Proxy
4.16. Module Radius
4.16.1. The RADIUS protocol
4.16.2. Proxy behavior
4.16.3. Related standards
4.16.4. Classes in the Radius module
4.16.5. Class AbstractRadiusProxy
4.16.6. Class RadiusProxy
4.16.7. Class RadiusProxyStrict
4.17. Module Rdp
4.17.1. The Remote Desktop Protocol protocol
4.17.2. Proxy behavior
4.17.3. Classes in the Rdp module
4.17.4. Class AbstractRdpProxy
4.17.5. Class Rdp4FallbackProxy
4.17.6. Class Rdp4Proxy
4.17.7. Class Rdp5Proxy
4.17.8. Class Rdp5ProxyStrict
4.17.9. Class RdpProxy
4.18. Module Rsh
4.18.1. The RSH protocol
4.18.2. Proxy behavior
4.18.3. Related standards
4.18.4. Classes in the Rsh module
4.18.5. Class AbstractRshProxy
4.18.6. Class RshProxy
4.19. Module Sip
4.19.1. The SIP protocol
4.19.2. Related standards
4.19.3. Classes in the Sip module
4.19.4. Class AbstractSipProxy
4.19.5. Class SipProxy
4.20. Module Smtp
4.20.1. The SMTP protocol
4.20.2. Proxy behavior
4.20.3. Related standards
4.20.4. Classes in the Smtp module
4.20.5. Class AbstractSmtpProxy
4.20.6. Class SmtpProxy
4.21. Module Socks
4.21.1. The SOCKS protocol
4.21.2. Proxy behaviour
4.21.3. Related standards
4.21.4. Classes in the Socks module
4.21.5. Class AbstractSocksProxy
4.21.6. Class SocksProxy
4.22. Module SQLNet
4.22.1. The SQL*Net protocol
4.22.2. Proxy behavior
4.22.3. Related standards
4.22.4. Classes in the SQLNet module
4.22.5. Class AbstractSQLNetProxy
4.22.6. Class SQLNetProxy
4.23. Module Ssh
4.23.1. The Secure Shell protocol
4.23.2. Proxy behavior
4.23.3. Related standards
4.23.4. Classes in the Ssh module
4.23.5. Class AbstractSshProxy
4.23.6. Class SshProxy
4.23.7. Class SshSFtpProxy
4.23.8. Class SshScpProxy
4.24. Module Telnet
4.24.1. The Telnet protocol
4.24.2. Proxy behavior
4.24.3. Related standards
4.24.4. Classes in the Telnet module
4.24.5. Class AbstractTelnetProxy
4.24.6. Class TelnetProxy
4.24.7. Class TelnetProxyStrict
4.25. Module TFtp
4.25.1. The TFtp protocol
4.25.2. Proxy behavior
4.25.3. Related standards
4.25.4. Classes in the TFtp module
4.25.5. Class AbstractTFtpProxy
4.25.6. Class TFtpProxy
4.26. Module Vnc
4.26.1. Classes in the Vnc module
4.26.2. Class AbstractVncProxy
4.26.3. Class VncProxy
4.27. Module Whois
4.27.1. The Whois protocol
4.27.2. Proxy behavior
4.27.3. Related standards
4.27.4. Classes in the Whois module
4.27.5. Class AbstractWhoisProxy
4.27.6. Class WhoisProxy
4.28. Module X11
4.28.1. The X11 protocol
4.28.2. Proxy behavior
4.28.3. Classes in the X11 module
4.28.4. Class AbstractX11Proxy
4.28.5. Class X11Proxy
4.29. Module Xmlsec
4.29.1. The SOAP protocol
4.29.2. Proxy behaviour
4.29.3. Classes in the Xmlsec module
4.29.4. Class AbstractXmlsecProxy
4.29.5. Class XmlsecProxy
5. Core
5.1. Module Auth
5.1.1. Authentication and authorization basics
5.1.2. Authentication and authorization in Zorp
5.1.3. Classes in the Auth module
5.1.4. Class AbstractAuthentication
5.1.5. Class AbstractAuthorization
5.1.6. Class AuthCache
5.1.7. Class AuthenticationPolicy
5.1.8. Class AuthorizationPolicy
5.1.9. Class BasicAccessList
5.1.10. Class InbandAuthentication
5.1.11. Class NEyesAuthorization
5.1.12. Class PairAuthorization
5.1.13. Class PermitGroup
5.1.14. Class PermitTime
5.1.15. Class PermitUser
5.1.16. Class SatyrAuthentication
5.1.17. Class ServerAuthentication
5.1.18. Class ZAAuthentication
5.2. Module AuthDB
5.2.1. Classes in the AuthDB module
5.2.2. Class AbstractAuthenticationBackend
5.2.3. Class AuthenticationProvider
5.2.4. Class ZAS2AuthenticationBackend
5.3. Module Chainer
5.3.1. Selecting the network protocol
5.3.2. Classes in the Chainer module
5.3.3. Class AbstractChainer
5.3.4. Class ConnectChainer
5.3.5. Class FailoverChainer
5.3.6. Class MultiTargetChainer
5.3.7. Class RoundRobinChainer
5.3.8. Class SideStackChainer
5.3.9. Class StateBasedChainer
5.4. Module Config.py
5.5. Module Detector
5.5.1. Classes in the Detector module
5.5.2. Class AbstractDetector
5.5.3. Class CertDetector
5.5.4. Class DetectorPolicy
5.5.5. Class HttpDetector
5.5.6. Class SshDetector
5.6. Module Encryption
5.6.1. SSL parameter constants
5.6.2. Classes in the Encryption module
5.6.3. Class AbstractVerifier
5.6.4. Class Certificate
5.6.5. Class ClientCertificateVerifier
5.6.6. Class ClientOnlyEncryption
5.6.7. Class ClientOnlyStartTLSEncryption
5.6.8. Class ClientSSLOptions
5.6.9. Class DynamicCertificate
5.6.10. Class EncryptionPolicy
5.6.11. Class FakeStartTLSEncryption
5.6.12. Class ForwardStartTLSEncryption
5.6.13. Class PrivateKey
5.6.14. Class SNIBasedCertificate
5.6.15. Class SSLOptions
5.6.16. Class ServerCertificateVerifier
5.6.17. Class ServerOnlyEncryption
5.6.18. Class ServerSSLOptions
5.6.19. Class StaticCertificate
5.6.20. Class TwoSidedEncryption
5.7. Module Keybridge
5.7.1. Classes in the Keybridge module
5.7.2. Class X509KeyBridge
5.8. Module Matcher
5.8.1. Classes in the Matcher module
5.8.2. Class AbstractMatcher
5.8.3. Class CombineMatcher
5.8.4. Class DNSMatcher
5.8.5. Class MatcherPolicy
5.8.6. Class RegexpFileMatcher
5.8.7. Class RegexpMatcher
5.8.8. Class SmtpInvalidRecipientMatcher
5.8.9. Class WindowsUpdateMatcher
5.9. Module NAT
5.9.1. Classes in the NAT module
5.9.2. Class AbstractNAT
5.9.3. Class BalanceNAT
5.9.4. Class GeneralNAT
5.9.5. Class HashNAT
5.9.6. Class NAT46
5.9.7. Class NAT64
5.9.8. Class NATPolicy
5.9.9. Class OneToOneMultiNAT
5.9.10. Class OneToOneNAT
5.9.11. Class RandomNAT
5.9.12. Class StaticNAT
5.10. Module Notification
5.10.1. Classes in the Notification module
5.10.2. Class AbstractNotificationMethod
5.10.3. Class EmailNotificationMethod
5.10.4. Class NotificationPolicy
5.11. Module Proxy
5.11.1. Functions in module Proxy
5.11.2. Classes in the Proxy module
5.11.3. Functions
5.11.4. Class Proxy
5.12. Module Resolver
5.12.1. Classes in the Resolver module
5.12.2. Class AbstractResolver
5.12.3. Class DNSResolver
5.12.4. Class HashResolver
5.12.5. Class ResolverPolicy
5.13. Module Router
5.13.1. The source address used in the server-side connection
5.13.2. Classes in the Router module
5.13.3. Class AbstractRouter
5.13.4. Class DirectedRouter
5.13.5. Class InbandRouter
5.13.6. Class TransparentRouter
5.14. Module Rule
5.14.1. Evaluating firewall rules
5.14.2. Sample rules
5.14.3. Adding metadata to rules: tags and description
5.14.4. Classes in the Rule module
5.14.5. Class PortRange
5.14.6. Class Rule
5.15. Module Service
5.15.1. Naming services
5.15.2. Classes in the Service module
5.15.3. Class AbstractService
5.15.4. Class DenyService
5.15.5. Class PFService
5.15.6. Class Service
5.16. Module Session
5.16.1. Classes in the Session module
5.16.2. Class StackedSession
5.17. Module SockAddr
5.17.1. Classes in the SockAddr module
5.17.2. Class SockAddrInet
5.17.3. Class SockAddrInet6
5.17.4. Class SockAddrInetHostname
5.17.5. Class SockAddrInetRange
5.17.6. Class SockAddrUnix
5.18. Module Stack
5.18.1. Classes in the Stack module
5.18.2. Class AbstractStackingBackend
5.18.3. Class RemoteStackingBackend
5.18.4. Class StackingProvider
5.19. Module Zone
5.19.1. Classes in the Zone module
5.19.2. Class Zone
5.20. Module Zorp
5.20.1. Functions in module Zorp
5.20.2. Functions
6. Core-internal
6.1. Module Cache
6.2. Module Core
6.3. Module Dispatch
6.3.1. Zone-based service selection
6.3.2. Classes in the Dispatch module
6.3.3. Class CSZoneDispatcher
6.3.4. Class Dispatcher
6.4. Module Globals
6.5. Module Stream
6.5.1. Classes in the Stream module
6.5.2. Class Stream
A. Additional proxy information
A.1. NNTP appendix
A.2. RADIUS appendix
A.3. SQL*Net appendix
A.4. TELNET appendix
B. Global options of Zorp
B.1. Setting global options of Zorp
blob
audit
options
C. Zorp manual pages
zas — Zorp Authentication Server
zas.cfg — zas(8) configuration file.
zcv — Zorp Content Vectoring Server
zcv.cfg — zcv(8) configuration file format.
zms — Zorp Management Server engine
zms.conf — Configuration file format for the Zorp Management Server (zms(8)).
zms-integrity — ZMS Database Integrity Checker
instances.conf — zorp(8) instances database.
policy.py — zorp(8) policy file.
zorp — Zorp Firewall Suite
zorpctl — Start and stop zorp instances.
zorpctl.conf — zorpctl(8) configuration file.
zavupdate — Updates the various AntiVirus engines' databases.
zavupdate.options — zavupdate(8) configuration files.
zqc — Zorp Quarantine Checker
D. Zorp Application Level Gateway End-User License Agreement
D.1. 1. SUBJECT OF THE LICENSE CONTRACT
D.2. 2. DEFINITIONS
D.3. 3. LICENSE GRANTS AND RESTRICTIONS
D.4. 4. SUBSIDIARIES
D.5. 5. INTELLECTUAL PROPERTY RIGHTS
D.6. 6. TRADE MARKS
D.7. 7. NEGLIGENT INFRINGEMENT
D.8. 8. INTELLECTUAL PROPERTY INDEMNIFICATION
D.9. 9. LICENSE FEE
D.10. 10. WARRANTIES
D.11. 11. DISCLAIMER OF WARRANTIES
D.12. 12. LIMITATION OF LIABILITY
D.13. 13. DURATION AND TERMINATION
D.14. 14. AMENDMENTS
D.15. 15. WAIVER
D.16. 16. SEVERABILITY
D.17. 17. NOTICES
D.18. 18. MISCELLANEOUS
E. Creative Commons Attribution Non-commercial No Derivatives (by-nc-nd) License
Index of Proxy attributes
Index of Core attributes
Index of all attributes

List of Examples

2.1. Customizing FTP commands
2.2. Using the POLICY action
2.3. Default and explicit actions
2.4. Customizing response codes
2.5. Example PlugProxy allowing secondary sessions
2.6. HTTP proxy stacked into an HTTPS connection
2.7. Program stacking in HTTP
3.1. Accepting invalid certificates
3.2. Disabling specific SSL/TLS protocols
3.3. Configuring FTPS support
4.1. Controlling the number of max hops
4.2. FTP protocol sample
4.3. Customizing FTP to allow only anonymous sessions
4.4. Configuring FTPS support
4.5. Example HTTP transaction
4.6. Proxy style HTTP query
4.7. Data tunneling with connect method
4.8. Implementing URL filtering in the HTTP proxy
4.9. 404 response filtering in HTTP
4.10. Header filtering in HTTP
4.11. URL redirection in HTTP proxy
4.12. Redirecting HTTP to HTTPS
4.13. Using parent proxies in HTTP
4.14. URL-filtering example
4.15. URL filtering HTTP proxy
4.16. IMAP protocol sample
4.17. Rewriting IMAP capability response
4.18. Changing the greeting string in IMAP
4.19. IMAP arguments in use
4.20. Example Ldap entry
4.21. Example of the commands usage
4.22. Example mail header containing MIME message
4.23. Example PNG format picture attachment
4.24. Example multipart message
4.25. Example usage of MimeProxy module, denying applications
4.26. Customising RPC to allow connection to service "11223344-5566-7788-99aa-bbccddeeff00"
4.27. Example NNTP connection
4.28. Example for filtering accessible newsgroups
4.29. Example for defining policies for responses in NNTP
4.30. POP3 protocol sample
4.31. Example for allowing only APOP authentication in POP3
4.32. Example for converting simple USER/PASS authentication to APOP in POP3
4.33. Rewriting the banner in POP3
4.34. Example RadiusProxy config
4.35. Disabling RDP5 protocol by force-reverting it to RDP4
4.36. Disabling channel RDPDR
4.37. Enabling custom channels
4.38. Dynamically change username and server address
4.39. Strict Rsh proxy denying root user access and logging the issued Rsh commands
4.40. Disabling video traffic in SIP
4.41. SMTP protocol sample
4.42. SOCKS and HTTP traffic
4.43. Enabling and disabling SSH channels
4.44. Enabling only SFTP connections
4.45. Restricting local forwarding
4.46. Modifying the keypair used in public-key authentication
4.47. Example for disabling the Telnet X Display Location option
4.48. Rewriting the DISPLAY environment variable
4.49. Example WhoisProxy logging all whois requests
4.50. Stacking Xmlsec into an HTTP proxy
4.51. Custom SOAP validation
5.1. A simple authentication policy
5.2. Caching authentication decisions
5.3. A simple authorization policy
5.4. BasicAccessList example
5.5. A simple PairAuthorization policy
5.6. A simple PermitGroup policy
5.7. PermitTime example
5.8. A simple PermitUser policy
5.9. Outband authentication example
5.10. A sample authentication provider
5.11. A sample ConnectChainer
5.12. A DirectedRouter using FailoverChainer
5.13. A DirectedRouter using RoundRobinChainer
5.14. CertDetector example
5.15. HttpDetector example
5.16. SshDetector example
5.17. Loading a certificate
5.18. Loading a private key
5.19. Whitelisting e-mail recipients
5.20. DNSMatcher example
5.21. RegexpFileMatcher example
5.22. RegexpMatcher example
5.23. SmtpInvalidMatcher example
5.24. WindowsUpdateMatcher example
5.25. GeneralNat example
5.26. Using Natpolicies
5.27. A simple DNSResolver policy
5.28. A simple HashResolver policy
5.29. DirectedRouter example
5.30. InbandRouter example
5.31. TransparentRouter example
5.32. Sample rule definitions
5.33. Tagging rules
5.34. A simple DenyService
5.35. PFService example
5.36. Service example
5.37. SockAddrInet example
5.38. SockAddrInet example
5.39. SockAddrInetHostname example
5.40. SockAddrUnix example
5.41. A simple StackingProvider class
5.42. Using a StackingProvider in an FTP proxy
5.43. Finding IP networks
5.44. Zone examples
5.45. Determining the zone of an IP address
6.1. CSZoneDispatcher example
6.2. Dispatcher example
A.1. An example for the SQL*Net connection string