Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Fetching contributors…
Cannot retrieve contributors at this time
118 lines (87 sloc) 5.1 KB
What is Zorp?
Zorp as you probably know by now is a proxy firewall suite featuring several
native application level gateways for different protocols. This document
serves as an introduction for you to gasp the ideas behind Zorp.
1. What is a packet filter?
Packet filters just as their name suggest filters network traffic by
packets. For each individual packet a decision is made whether it is allowed
or rejected. Packet filters make their decisions based on packet headers,
without checking packet payload.
Since common services (like HTTP or FTP) have an assigned port number,
access of different services can be controlled by enabling some ports and
disallowing others.
The problem with this approach is that it is possible to run a service on a
port number different from its assigned number. For example you could run a
POP3 server on port 80, which is usually assigned to HTTP services.
Another problem is that the transmitted information flow is processed in
packets. There were several IP stack vulnerabilities (mainly DoS attacks)
which were exploitable with incorrectly formatted IP frames. Simple packet
filters do not protect against these attacks.
2. What is NAT (Network Address Translation)?
NAT is a technique commonly used in packet filters to change the source
and/or the destination addresses of forwarded packets.
A common scenario is when you have a protected subnet behind a firewall
using one of the reserved IP address ranges ( and NAT-ing
this address range to the outside world as if it was a single IP address
(this is commonly called masquerading).
The problem is that once a connection is established from inside, each
packet in the reverse direction is automatically forwarded provided that
it is sent to the appropriate port on the outside interface. Given that the
range of ports which masquerading uses is quite small, one can easily send
packets to all ports in that range, some of them will be forwarded to
internal hosts.
The linux kernel doesn't check by default whether a packet to be
demasqueraded was sent from the correct address.
3. What is an application level gateway?
Application level gateways (or proxies for short) - unlike simple packet
filters - process the information flow at the application level. This means
that while packet filters do not touch nor interpret packet payload, an
application level gateway implements a specific application protocol (HTTP,
FTP or POP3 for instance), and checks whether the dataflow conforms to that
given protocol. You cannot send POP3 requests in a HTTP proxy, the proxy
will try to interpret POP3 requests as HTTP protocol elements, and since the
two protocol differ, the request will fail.
Since most security vulnerabilities are exploited with protocol inconforming
requests, these - if the application level gateways are well written - can
be filtered by these gateways.
Application level gateways can bounds-check a given protocol element (check
for too long filenames) or look for invalid patterns (filter all filenames
containing '../' to prevent dot-dot bug exploits).
Since proxies process protocols at this level, they provide higher security
in most cases.
4. What is the architecture of a Zorp based firewall?
Zorp uses both application level gateways and packet filter. However packet
filter is only used as an aid, no packet forwarding is done.
IPChains filters packets as they enter the system, and denies all unneeded
Zorp application proxies are listening on the appropriate interfaces.
IPChains is the glue with its REDIRECT target, which intercepts connections
and redirects them to the listening proxy.
The proxy accepts the connection and acts in the name of the client to
initiate further connections to the server. Of course packet filtering is
done on the server side too.
5. What is this Python thing in Zorp?
In addition to providing well written proxies in Zorp, we didn't want to
limit you to the settings we wanted to implement. Everything is scriptable,
you can define your hooks to modify proxy behaviour. These little scriptlets
are written in Python.
Additionally Python is used as a glue between different Zorp components, so
high level abstractions are implemented in Python. For instance the whole
access control can easily be replaced with your own. We are currently using
a simple discretionary access control, but we want to implement
alternatives, like a TCSEC class B/CC LSPP mandatory access control.
The configuration and the firewall policy itself is written in Python too,
however we made everything possible to make it look like an ordinary
configuration file.
6. What are Zorp instances?
Just as any program, you can be launched more than once at the same time.
Each instance can have its own configuration and parameters. It is advisable
to split your Zorp services to instances.
Each Zorp instance is capable of using all protocol proxies, they are stored
in and loaded from shared objects.
Jump to Line
Something went wrong with that request. Please try again.