
Zorp – Open source proxy firewall with deep protocol analysis - dedalus
http://balasys.github.io/zorp/about/
======
Havoc
Anyone running something like this in a home scenario?

I kinda thought about it but the 50-100 bucks expenditure just for curiosity
seems a bit heavy

~~~
Operyl
Zorp GPL is free/open source, so unless you're looking for some of the closed
source features in Zorp Professional you should be able to tinker pretty
heavily.

------
sgt
First sentence mentions deep packet analysis for protocols like HTTP. But
that's not really relevant anymore is it? Most modern websites will
automatically redirect HTTP to HTTPS and then you can't apply deep packet
analysis anymore. I can see some other fairly nice features here but not
really enough to make me switch.

~~~
amanzi
I guess it's terminating the HTTPS traffic and then proxying on to the
respective server.

~~~
tgragnato
Yes, TLS offloading is there

[https://github.com/Balasys/zorp/blob/master/lib/proxyssl.cc](https://github.com/Balasys/zorp/blob/master/lib/proxyssl.cc)
[https://github.com/Balasys/zorp/blob/master/lib/pyx509.cc](https://github.com/Balasys/zorp/blob/master/lib/pyx509.cc)

It's able to inspect and relay the connection as well as passing it to another
proxy

[https://github.com/Balasys/zorp/blob/master/lib/proxystack.c...](https://github.com/Balasys/zorp/blob/master/lib/proxystack.cc)

------
ausjke
how is this different from squid proxy?

~~~
tgragnato
Squid is mainly a web caching proxy. Zorp is a next generation firewall.

The architecture is modular, and you can write plug-ins that analyse the
structure of communications beyond packet headers: the content is inspected.
The open source version includes out of the box support for inspecting HTTP,
FTP, SMTP, POP3, Finger, Whois, Telnet (+TLS). But you can write plugins that
couple the engine with anything, from an IDS such as Snort, Bro or Suricata,
to something like nDPI or AssemblyLine.

[https://www.ntop.org/products/deep-packet-inspection/ndpi/](https://www.ntop.org/products/deep-packet-inspection/ndpi/)
[https://bitbucket.org/cse-assemblyline/assemblyline](https://bitbucket.org/cse-assemblyline/assemblyline)

Based on the results of the analysis, you can choose to apply firewall rules.
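
An added example, not code from the thread or from the Zorp project: a `policy.py` in the style of Zorp's Python policy language, showing the pattern described above of inspecting the HTTP request content and only then applying a rule. It assumes the Zorp GPL policy API names (`Zone`, `Service`, `Rule`, `TransparentRouter`, `HttpProxy`, `HTTP_REQ_POLICY`/`HTTP_REQ_ACCEPT`/`HTTP_REQ_REJECT`, `request_url_host`); the stand-ins in the `except` branch exist only so the decision logic can be run without Zorp installed.

```python
from urllib.parse import urlsplit

try:
    from Zorp.Core import *   # real engine: Zone, Service, Rule, routers (assumed API)
    from Zorp.Http import *   # HttpProxy and the HTTP_REQ_* verdict constants
except ImportError:
    # Stand-ins (constructed, values arbitrary) so this file imports offline.
    HTTP_REQ_ACCEPT, HTTP_REQ_REJECT, HTTP_REQ_POLICY = "accept", "reject", "policy"

    class HttpProxy:
        def __init__(self):
            self.request = {}

        def config(self):
            pass

# Hosts the proxy may relay to (constructed sample data).
ALLOWED_HOSTS = {"intranet.example", "updates.example"}
# Verbs the proxy forwards at all; anything else is rejected.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

def decide_request(method, url, host_header=None):
    """Application-layer verdict on one HTTP request.
    url is absolute for a forward proxy, or a bare path in transparent mode,
    in which case the Host header names the destination."""
    if method not in ALLOWED_METHODS:
        return HTTP_REQ_REJECT
    parts = urlsplit(url)
    host = parts.hostname or (host_header or "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        return HTTP_REQ_REJECT
    if parts.path.startswith("/admin/"):   # a content rule, not a port rule
        return HTTP_REQ_REJECT
    return HTTP_REQ_ACCEPT

class IntraHttp(HttpProxy):
    """HttpProxy subclass: Zorp calls filter_request once per request."""
    def config(self):
        HttpProxy.config(self)
        for verb in ("GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT"):
            self.request[verb] = (HTTP_REQ_POLICY, self.filter_request)

    def filter_request(self, method, url, version):
        # request_url_host is filled in by Zorp's HTTP parser (assumed attribute name).
        return decide_request(method, url, getattr(self, "request_url_host", None))

def zorp_instance():
    # Glue: which traffic reaches the proxy and what the proxy is (assumed Zorp API).
    Zone(name="intranet", addrs=["192.168.0.0/16"])
    Service(name="intra_http", proxy_class=IntraHttp, router=TransparentRouter())
    Rule(src_zone="intranet", dst_port=80, service="intra_http")
```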

~~~
ausjke
squid also has redirectors and c-icap filters etc. Firewall-wise it uses the
OS (e.g. iptables), so it's more than a proxy, but it does not do packet-level
firewalling as it depends on iptables.

looks like zorp is an all-in-one solution, hope I have time to play with it
soon

------
nwmcsween
So why not sample via netfilter and eBPF to filter?

------
frankzander
In short: It's censorship software.

~~~
unethical_ban
If I agree with you: Yep it sure is, and that's perfectly ethical for personal
and corporate use. To businesses, they have a responsibility to filter what
goes in and out of their network, in the interest of their customers and
themselves.

If I don't agree with you: Do you think IP/port based firewalls are
censorship? That any kind of cyber-border security is an affront to rights? If
not, then how do you govern access as a private organization when everything
is tcp/443 on AWS? Gotta know what it's going to.

