We intend to use the firewall as a proxy server, like a Squid web cache.
The solution is simple, because Zorp ships a proxy class that handles the traffic at the proxy level. In this case the clients connect to Zorp itself, which acts as a proxy server: it lets the traffic flow according to the rules, but talks to the clients “in the proxy language”, that is, the clients explicitly address the proxy and name the target server inside the HTTP request.
```python
from Zorp.Core import *   # Service, Rule and InbandRouter live here (usual policy.py preamble)
from Zorp.Http import *

def default_instance():
    Service(name="service_http_nontransparent_inband",              # <2>
            proxy_class=HttpProxyNonTransparent,                     # <3>
            router=InbandRouter(forge_port=TRUE, forge_addr=TRUE)    # <4>
            )
    Rule(service='service_http_nontransparent_inband',              # <1>
         dst_port=3128,
         dst_subnet=('172.16.10.254', ),
         src_zone=('clients', )
         )
```
- Creates a rule which matches only when the traffic comes from the clients zone and targets the IP address 172.16.10.254 on port 3128; that address belongs to the client-side interface of the firewall.
- Creates the service the rule refers to; it works like a proxy server.
- It uses the predefined HttpProxyNonTransparent class, because this proxy class, unlike the HttpProxy used in the transparent-proxy code snippet, handles the traffic as a proxy server: it expects proxy-style requests that name the target server.
- In this case the address of the HTTP server that the client wants to connect to comes from the application-layer traffic (the request line) and not from the network layer, so the default router, TransparentRouter, cannot be used: it routes the traffic to the address the client originally targeted, but in a non-transparent service the client targets the proxy server (here, the firewall) itself. Setting InbandRouter as the router handles this situation for both the HTTP and FTP protocols. With forge_addr and forge_port enabled, the connection towards the real server is made with the client's original source address and port, so the servers see the client's address rather than the firewall's; return traffic must therefore be routed back through the firewall.
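To make concrete what “comes from the application-layer traffic” means, here is an added Python example (not Zorp code and not part of the original page) that parses the three HTTP request-target forms a proxy can receive and models the two-stage decision of the policy above: the Rule matches on network-layer data, the inband router then takes the real destination from the request line. The sample requests, the RULE dictionary and the function names are constructed for this illustration; rejecting origin-form requests is this model's choice, not a statement about how HttpProxyNonTransparent behaves.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic). The first two are what a
# browser sends when it is configured to use 172.16.10.254:3128 as its proxy;
# the third is what a transparently intercepted client sends.
ABSOLUTE_FORM = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n\r\n")
CONNECT_FORM = (b"CONNECT mail.example.com:443 HTTP/1.1\r\n"
                b"Host: mail.example.com:443\r\n\r\n")
ORIGIN_FORM = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n")

DEFAULT_PORTS = {"http": 80, "https": 443}

# Hypothetical mirror of the Rule() in the policy: the network-layer match keys.
RULE = {"src_zone": "clients", "dst_addr": "172.16.10.254", "dst_port": 3128}


def inband_destination(request):
    """Extract (host, port) from the request line, the way an inband router
    derives the real server from application-layer data.

    Returns None for an origin-form request ("GET /path"), which carries no
    destination in the request line; raises ValueError for malformed lines.
    """
    request_line = request.split(b"\r\n", 1)[0].decode("ascii")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts

    if method == "CONNECT":
        # authority-form (RFC 7230 section 5.3.3): host:port, port is mandatory
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port: %r" % target)
        return host, int(port)

    if target.startswith("/"):
        return None  # origin-form: a client that is not talking proxy language

    # absolute-form (RFC 7230 section 5.3.2): scheme://host[:port]/path
    url = urlsplit(target)
    if url.scheme not in DEFAULT_PORTS or not url.hostname:
        raise ValueError("unsupported absolute-form target: %r" % target)
    return url.hostname, url.port or DEFAULT_PORTS[url.scheme]


def route_connection(src_zone, dst_addr, dst_port, request):
    """Model of the two-stage decision: the Rule selects the service on
    network-layer data, then the inband router picks the server to connect
    to from the request. An illustration, not Zorp's own logic."""
    if (src_zone, dst_addr, dst_port) != (RULE["src_zone"], RULE["dst_addr"], RULE["dst_port"]):
        return ("no-match", None)
    dest = inband_destination(request)
    if dest is None:
        # No inband destination: a non-transparent service has nowhere to
        # forward this, so the model rejects instead of guessing a server.
        return ("reject", None)
    return ("accept", dest)


if __name__ == "__main__":
    for name, req in (("absolute", ABSOLUTE_FORM), ("connect", CONNECT_FORM), ("origin", ORIGIN_FORM)):
        print(name, route_connection("clients", "172.16.10.254", 3128, req))
    print("wrong zone", route_connection("servers", "172.16.10.254", 3128, ABSOLUTE_FORM))
```

Run it directly to see the decision for each constructed request. The point for the policy: in the transparent case (origin-form) the destination can only come from the network layer, which is exactly why the non-transparent service needs InbandRouter instead of the default router.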
Now the IP address 172.16.10.254 and port 3128 can be set as the HTTP proxy in the web browsers.