Access Control

Use case

It is a general use case that we want to grant a user access to an FTP server on the Internet so they can download anything, while at the same time preventing them from uploading anything.

Solution

The application-level solution to the problem is to accept the read-only commands of the FTP protocol, but drop the commands used to write to the server (for example: PUT). As this is a common need, Zorp provides a predefined proxy for it, so the system administrator does not have to do anything to implement read-only FTP access, only use that proxy.

from Zorp.Core import *   # Service and Rule definitions
from Zorp.Ftp import *    # FtpProxy and the predefined read-only FtpProxyRO

Service(name="service_ftp_transparent", # <1>
        proxy_class=FtpProxyRO            # read-only FTP proxy
)

Rule(service='service_ftp_transparent', # <2>
     dst_port=21,                       # standard FTP control port
     src_zone=('clients', ),            # only clients coming from this zone
     dst_zone=('servers', )             # only servers located in this zone
)
  1. The service uses the predefined FtpProxyRO, which analyzes the traffic: when we issue a read-only command, it is sent successfully to the server; when we issue a write command, an error message is sent to the client, but nothing is sent to the server, as Zorp rejects it.
  2. Creates a rule that matches the FTP traffic, as the destination port in the rule is the standard port of the FTP servers (21).
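To make the behaviour described above concrete, here is an added, stand-alone Python model of the read-only policy (illustrative code, not Zorp's own implementation of FtpProxyRO): the command lists, the deny-by-default handling of unknown commands and the "500" reply text are assumptions of the model.

```python
# Added, stand-alone model of the read-only FTP policy that FtpProxyRO
# enforces; this is illustrative Python, not Zorp's own implementation.
# The command lists and the 500 reply text are assumptions of the model.

# Commands needed to log in, navigate, set up data connections and download.
READ_ONLY = {
    "USER", "PASS", "QUIT", "NOOP", "SYST", "FEAT", "OPTS", "HELP", "STAT",
    "PWD", "CWD", "CDUP", "TYPE", "MODE", "STRU", "REST", "ABOR",
    "PASV", "EPSV", "PORT", "EPRT",
    "LIST", "NLST", "MLSD", "MLST", "SIZE", "MDTM", "RETR",
}
# Commands that create, change or remove data on the server.
WRITE = {"STOR", "STOU", "APPE", "DELE", "RMD", "MKD", "RNFR", "RNTO", "ALLO", "SITE"}

def parse_command(line):
    """Split a raw control-channel line into (VERB, argument); verbs are case-insensitive."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    return verb.upper(), arg

def decide(line):
    """Return ('accept', None) or ('reject', reason) for one command line."""
    verb, _ = parse_command(line)
    if verb in READ_ONLY:
        return "accept", None
    if verb in WRITE:
        return "reject", "write command"
    # Deny by default: anything the policy does not know is never forwarded.
    return "reject", "unknown command"

def filter_session(lines):
    """Simulate the proxy: accepted commands reach the server, rejected ones
    only produce an error reply toward the client."""
    to_server, to_client = [], []
    for line in lines:
        verdict, reason = decide(line)
        if verdict == "accept":
            to_server.append(line)
        else:
            verb, _ = parse_command(line)
            to_client.append("500 %s rejected by policy: %s" % (verb, reason))
    return to_server, to_client

# Constructed client session: a download followed by several write attempts.
SESSION = [
    "USER anonymous", "PASS guest@example", "PWD", "CWD pub", "TYPE I",
    "PASV", "LIST", "RETR README", "STOR upload.bin", "dele README",
    "MKD incoming", "RNFR README", "XYZZY", "QUIT",
]

if __name__ == "__main__":
    forwarded, errors = filter_session(SESSION)
    print("forwarded to server:", forwarded)
    print("errors to client:", errors)
```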

Result

Any kind of read-only operation works successfully, but an error message is displayed on the client side when it tries to perform a write operation on the server.

The configuration file snippet above grants read-only access to the servers in the zone servers for the users who come from the zone clients. Without the src_zone and dst_zone filters the rule would grant access to any server for any user.
