Linux Software & Blog
- BFD Rules for Asterisk | Sean Siegel
- New Instalation Kloxo guide | www.prandah.com
- Real customer service is more than a catchy marketing phrase
- Locking Down Your Linux Server with APF + BFD | Snipe.Net | MKfmn | Matthew M. Kaufman
- Kloxo Installation Guide | blog netforall
- Securing cPanel After Install « Recon Hosting Docs
- Protection against (D)DoS attacks with iptables – Administrator’s Blog
- Protecting your server from brute-force attacks with APF and BFD | blog.codelime.net
- Best Hide Ip Programs | Hide My IP Free
- Kloxo Installation Guide : Free Tutorials
- Suddenly My hosting Sites Not loading!!!
- 5 Open Source Security Options that Cost Nothing
- Kloxo Installation Guide
- Kloxo Control Panel Installation Guide | HostBuddy
- Securing and Monitoring a Virtual Private Server – Admins Goodies
- IP tables – changes not persisting – Admins Goodies
- Anonymous
- At Pages » 5 Open Source Security Options that Cost Nothing
- 5 Open Source Security Options that Cost Nothing | Web Hosting Fan
- 5 Free Open Source Security Tools | Web Hosting Review
- 5 Free Open Source Security Tools – Seven 24 Host | Seven 24 Host
- 5 Free Open Source Security Tools « Transcom Hu
- 5 Free Open Source Security Tools | Reseller Web Hosting, Reseller Web Host
- 5 Free Open Source Security Tools | Web Host Summit
- 5 Free Open Source Security Tools by www.thehostingnews.com | tools
- 5 Free Open Source Security Tools « dotz.co
- Use APF to firewall your Asterisk based VoIP » ITOPS Tech Blog
- ITOPS Tech Blog : protect your VoIP investment
- APF: a powerful firewall component for Linux | Linux system architecture – Linux system operations handbook
- LazyScripter Consulting > cPanel > How to change your SSH Port
- Kloxo / CentOS
- bfd script for Kerio Connect | apocalypticfail.com
- Securing and Monitoring a Virtual Private Server Drija
- How to Install BFD (Brute Force Detection)
- DDoS Protection and Mitigation | Moh Lab.
- Unix Blather » Blog Archive » Tracing malicious scripts on poorly configured gnu/linux servers.
- Kloxo Installation Guide | Video – Tutorial
- Iptables based firewall script | HostGator Coupons Code
- Installing (Advanced Firewall Policy) APF Firewall « Afraid.ws
- Installing Advanced Policy Firewall
- Use APF to manage your firewall | TechRepublic
- Introducing APF Firewall For Ubuntu, But You Can Use This On Many Other Linux Flavors « Essayboard
- Configuring pptpd with apf | Wang Jun's Blog
- APF: a powerful firewall component for Linux | Wang Jun's Blog
- Advanced Policy Firewall by R-FX Networks | lucid_transition
- Block port 445 in linux | HostGator Coupons Code
- Securing your Linux Server using APF/BFD « MISDivision(tm) Blog
- How to Install Advanced Policy Firewall (APF) on WHM/cPanel Server | Webmaster Resources
- How to install CSF firewall on centos linux | SecureCentos.com
- DaboBlog – By David Hernández (Dabo), Cyberculture | GNU/Linux | Mac OS X | Opinion |
- IP tables – changes not persisting Drija
- DDoS Protection and Mitigation
- How to use FQDN in firewall rules for GNU/Linux? | Drija
- Bob Hubbard, Online » Blog Archive » Computer Corner : Computer Viruses, Update 2010 by Bob Hubbard
- Configure a firewall in cPanel | HOSTING CPANEL
- The Next Generation VoIP » Installing APF and BFD
- How to Install APF (Advanced Policy Firewall ) firewall | comcities.com
- Security Recommendations for every Administrator « My VPS Box
- Adding a PREROUTING or POSTROUTING rule to the apf firewall | SMsoft – IT and surroundings
- Comparing VPS Hosting and Shared Hosting « FAQPAL Blog
- Advanced Policy Firewall (for cPanel) « kieranbarnes
- Protect Your Server with APF Firewall
- Wonderful email from ovh | HostGator Coupon Code
- Locking down and securing SSH access to your server | SysadminSpot.com, SysAdmins, Server Administrators and IT Consultants
- Linux Software Firewalls | SysadminSpot.com, SysAdmins, Server Administrators and IT Consultants
- Allow, Deny and Remove with Advanced Policy Firewall (APF) | SysadminSpot.com, SysAdmins, Server Administrators and IT Consultants
- apf: command not found | SysadminSpot.com, SysAdmins, Server Administrators and IT Consultants
- Cpanel & Firewalls – cPanel Forums
- Protect a Linux server against brute-force and denial-of-service attacks. | Command Line
- v-nessa.net » Post Archive » 10 Excellent Open Source Alternatives
- (D)DoS Deflate | Rui Cruz
- How to install APF (Advanced Policy Firewall) « My Blog
- How To Install And Configure Advanced Policy Firewall (APF) On CentOS 5.3 | All Free For You
- Securing FTP Access on a cPanel Server :: The cPanel Admin

about 1 week ago
On some servers where their DNS is shaky at start up, APF basically locks up the machine because there appears to be no time out.
Can you please put in some logic that tests to see if DNS is working the way APF needs it to start, and then skip starting (sending an email out notifying it did not start)?
about 2 weeks ago
Using APF 9.7, when I use -r to restart I get these errors (DDOS and BFD are installed):
apf(6891): {trust} deny all to/from /usr/local/ddos/ddos.sh
iptables v1.3.5: invalid mask `ddos.sh' specified
apf(19641): {trust} deny all to/from /usr/local/sbin/bfd
iptables v1.3.5: invalid mask `bfd' specified
I’ll buy you a couple of beers if you can help me fix this.
Thanks
about 2 weeks ago
It looks like you have some invalid entries in the APF deny file; I would recommend clearing out the file /etc/apf/deny_hosts.rules. The file should only contain IP/host entries or commented lines prefixed with #.
rm -f /etc/apf/deny_hosts.rules
(apf will recreate it)
about 2 weeks ago
Do I have to disable the CentOS firewall before installing APF?
Thanks for the answer
about 2 weeks ago
No, APF will take over from the CentOS firewall for you.
about 1 month ago
Where are the old versions of all your projects? Sometimes the new versions just don't work and you need the exact old versions.
Like the syntax changes you made to the current version of APF make iptables shit itself.
about 1 month ago
Are there any errors that you are seeing specifically? Please let me know and I will look into it promptly to correct it.
As for older versions of APF, I have put together a path where all previous versions can be downloaded:
http://www.rfxn.com/downloads/old/apf/
I hope this helps, thank you for your continued use of APF.
about 1 month ago
Just thought I’d mention a couple of the external blocklists are significantly out of date:
The Project Honey Pot blocklist (rfxn.com/downloads/php_list) doesn’t appear to have been updated in some time and most of the IPs I double checked haven’t seen any malicious activity in the last 3 months.
The DShield list (feeds.dshield.org/top10-2.txt) also appears to be very out of date – it has a timestamp of 1st June 2011, despite no obvious indications on their website.
They have a newer top 100 list, but they recommend using a 20 subnet blocklist instead (http://feeds.dshield.org/block.txt).
The Spamhaus list is still up to date and the reserved networks appear to be mostly correct as well (maybe a couple of entries missing).
about 2 months ago
Good day, Ryan:
On some servers where their DNS is shaky at start up, APF basically locks up the machine because there appears to be no time out.
Can you please put in some logic that tests to see if DNS is working the way APF needs it to start, and then skip starting (sending an email out notifying it did not start)?
Thank you.
about 2 months ago
The current version of APF doesn’t like Ubuntu’s new kernel. Is there anything I can adjust in the configs to allow it to start?
apf(32091): {glob} activating firewall
apf(32131): {glob} kernel version not equal to 2.4.x or 2.6.x, aborting.
apf(32091): {glob} firewall initalized
uname -a
Linux xxxxxx 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
about 2 months ago
What about this error:
apf(22428): {rab} force set RAB disabled, kernel module ipt_recent not found.
On recent CentOS installations the module used is xt_recent, not ipt_recent.
about 2 months ago
You can do that by editing
/etc/apf/allow_hosts.rules
add in there something like:
tcp:in:d=3306:s=192.168.0.0/24
to allow incoming TCP traffic with source 192.168.0.0/24 and destination port 3306.
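As an added example (not APF's own code and not from any comment here), a small shell linter for the entries that go into /etc/apf/allow_hosts.rules and /etc/apf/deny_hosts.rules. It addresses both the "invalid mask" errors reported above, where file paths such as /usr/local/sbin/bfd had ended up in deny_hosts.rules, and the advanced tcp:in:d=PORT:s=IP syntax used in the reply just above. The grammar it accepts (IPv4 host, IPv4/CIDR, dotted hostname, proto:flow:[sd]=port:[sd]=ip[/mask] with an optional underscore port range, trailing # comment) and the way it maps an advanced rule onto iptables arguments are my reading of the syntax shown on this page, not a copy of APF's parser.

```sh
#!/bin/sh
# Added example, not APF code. Lint /etc/apf/{allow,deny}_hosts.rules
# entries and show how an advanced rule maps onto iptables arguments.
# Accepted forms (assumed from the syntax used on this page):
#   1.2.3.4                          IPv4 host
#   1.2.3.0/24                       IPv4 network in CIDR form
#   mail.example.com                 hostname (iptables resolves it at load time)
#   tcp:in:d=3306:s=192.168.0.0/24   proto:flow:[sd]=port:[sd]=ip[/mask]
# Blank lines and lines starting with # are ignored; a trailing "# comment"
# is allowed because apf -a/-d store their optional comment that way.
# APF has no IPv6 support, so IPv6 literals are rejected on purpose.

IPV4_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'
HOST_RE='[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+'
ADV_RE='^(tcp|udp):(in|out):[sd]=[0-9]+(_[0-9]+)?:[sd]=[^:]+$'

# ipv4_ok ADDR[/MASK]: four octets in 0-255, mask (if present) in 0-32
ipv4_ok() {
    addr=${1%%/*}
    mask=${1#*/}
    [ "$mask" = "$1" ] && mask=32              # no "/" at all
    printf '%s\n' "$addr" | grep -Eq "^$IPV4_RE$" || return 1
    case $mask in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# apf_entry_ok LINE: 0 if LINE is acceptable in a *_hosts.rules file
apf_entry_ok() {
    e=$(printf '%s\n' "$1" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -z "$e" ] && return 0                     # blank or comment-only line
    if printf '%s\n' "$e" | grep -Eq "$ADV_RE"; then
        ipv4_ok "${e##*=}" && return 0          # the ip[/mask] after the last "="
        return 1
    fi
    if printf '%s\n' "$e" | grep -Eq "^$IPV4_RE(/[0-9]+)?$"; then
        ipv4_ok "$e" && return 0                # looks like IPv4: octets/mask decide
        return 1
    fi
    printf '%s\n' "$e" | grep -Eq "^$HOST_RE$" && return 0
    return 1                                    # paths, stray words, IPv6, garbage
}

# apf_rule_to_iptables RULE TARGET: print (do not run) the iptables command
# an advanced rule corresponds to, e.g.
#   tcp:in:d=3306:s=192.168.0.0/24 ACCEPT
#   -> iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 3306 -j ACCEPT
apf_rule_to_iptables() {
    oldifs=$IFS; IFS=:
    set -- $1 "$2"
    IFS=$oldifs
    proto=$1; flow=$2; portspec=$3; ipspec=$4; target=$5
    case $flow in out) chain=OUTPUT ;; *) chain=INPUT ;; esac
    case $portspec in s=*) pflag=--sport ;; *) pflag=--dport ;; esac
    case $ipspec in s=*) iflag=-s ;; *) iflag=-d ;; esac
    port=$(printf '%s' "${portspec#*=}" | tr _ :)   # 6000_7000 -> 6000:7000
    printf 'iptables -A %s -p %s %s %s %s %s -j %s\n' \
        "$chain" "$proto" "$iflag" "${ipspec#*=}" "$pflag" "$port" "$target"
}

# apf_lint_rules FILE: print "FILE:LINE: entry" for each bad line; 0 if none
apf_lint_rules() {
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        apf_entry_ok "$line" || { bad=$((bad + 1)); echo "$1:$n: $line"; }
    done < "$1"
    [ "$bad" -eq 0 ]
}
```

Run apf_lint_rules /etc/apf/deny_hosts.rules before apf -r; a nonzero exit plus the printed FILE:LINE entries tells you which lines to remove without throwing the whole file away. apf_rule_to_iptables only prints the translation for reading a rule; it never executes iptables.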
about 2 months ago
I couldn’t find anything in the docs or the changelog regarding IPv6 support, save for a one year old comment that promised it to be implemented in the “near future”. So what’s the current status of IPv6 support?
about 2 months ago
Great firewall!! Best I've seen so far. But there is one tiny thing I wish for. I run Debian Squeeze, and when looking into the apache2 access.log I often see IPs trying to get files like PHPMYADMIN. Then I wish I could block that IP, a kind of conditional blocking.
Otherwise I'm satisfied. Many thanks.
about 2 months ago
I have a question on upgrading APF from a previous (any) version to the latest:
Is it OK to install on top of the installed version while the firewall is running, or should we uninstall the previous one first?
Thank you
about 3 months ago
Hi,
I use your script with Debian Squeeze..
Recently, I have:
root@xxx:~# apf -d 91.86.84.61
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
apf(15440): (trust) added deny all to/from xx.xx.xx.xx
Why?
My kernel is 2.6.38.2
Thanks for the answer
about 3 months ago
Found a server having very bad performance on "high" latency links (~80ms RTT, gbit US-EU resulting in max 7mbit…)
The poor performance was caused by
"echo 0 > /proc/sys/net/ipv4/tcp_window_scaling"
(part of SYSCTL_TCP)
Is there a specific reason to keep it disabled?
Re-enabling window_scaling allowed me to reach the expected 500mbit+ on the exact same link :/
about 3 months ago
I have the same problem as evcz.
SYSCTL_TCP="1" results in "tcp_window_scaling=0", which leads to much poorer server performance!
about 3 months ago
This issue has been fixed in the production release of APF; I have removed tcp_window_scaling from the SYSCTL_TCP function. To enable window scaling again, run:
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
The use of window scaling is a double-edged sword, and though years ago it posed some security implications along with standards issues, that is no longer the case today; its usage, being enabled by default on most distro releases now, warrants removing the disabling of it from APF.
about 4 months ago
So for a reason that I don't understand, it ran apf -u 160, which deletes rules that match 160 in /etc/apf/allow_hosts.rules and /etc/apf/deny_hosts.rules.
about 4 months ago
It's related to DDoS Deflate;
it's using the command apf -u ip_address to unban IPs!!
What it does is delete/remove the host from [glob]*_hosts.rules and immediately remove the rule from the firewall.
about 4 months ago
Hi,
thanks for your great tools,
and I have some problems, as I have two NICs to the internet to different ISPs. I want apf to work on both of them;
how can I do that?
My config is:
# Untrusted Network interface(s); all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interfaces. Only one interface is accepted for each value.
#IFACE_IN="eth1"
#IFACE_OUT="eth1"
IFACE_IN="eth2"
IFACE_OUT="eth2"
IFACE_IN="eth1"
IFACE_OUT="eth1"
about 4 months ago
How can I filter access to port 3306 and allow only internal "C-class" access?
Thanks
Barry
about 2 months ago
Replying to comments on this page does not work (white page).
Anyhow, thanks for the update without the disabling of window scaling.
about 4 months ago
Great tool. Any plans to allow filtering on multiple interfaces like CSF? I am aware of the ability to specify different in and out interfaces as well as the trusted interface. However what I am looking for is the ability to filter 2 incoming interfaces for example.
about 5 months ago
Is there maybe a Polish translation of this? Unfortunately, I don't know English…
about 6 months ago
Hi, thanks so much to share with me here. Really a good discussion is provided by you here. Keep up such good posts!
about 6 months ago
Hello again
I forgot to add what I saw in a bug report:
“internals/reserved.networks contains networks like 187.0.0.0/8 and many others that have been allocated by IANA and are now legitimate IP4 addresses”
More details in Debian bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627157
Regards
about 6 months ago
Hello,
First I want to thank you for this beautiful and easy firewall software.
Issue #1:
I have noticed that global trust rules cannot contain the IP of the machines downloading the rules, or else the machine will go crazy and open itself to every connection.
This is strange to me; I think one interesting use of global trust is to have a set of machines downloading a single trust allow file containing their own IPs so they can communicate freely with each other.
Wouldn't it be great if the downloading apf just ignored the line with its own IP and respected the other lines?
Issue #2:
The SET_REFRESH option is useless (tested on Debian 5 and 6), because the cron daemon will ignore scripts in /etc/cron.d/ with dots (.) in their name. (Instead cron will download the rules once a day.)
Interestingly, if you rename refresh.apf and take out the dot, cron will complain saying that there is an error in the minutes format (Debian-specific issue?)
Issue #3:
I back up the guys who report RAB is not working because of a problem in the check_rab() function in internal/functions.apf.
Changing the line:
if [ "$RAB" == "1" ] && [ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_recent.$MEXT" ]; then
To:
if [ "$RAB" == "1" ] && [ `grep -c "recent" /proc/net/ip_tables_matches` == "0" ]; then
will solve the issue as reported elsewhere.
Thank you very much for your work, I hope my suggestions can further improve apf.
about 7 months ago
I have installed APF and BFD on my Trixbox PBX that has an external IP address. It looks like a lovely tool. However, I was trying to confirm that all traffic, outgoing and incoming, is automatically blocked upon installation, but to me it doesn't seem so. I don't have a rule for my VoIP provider, yet incoming calls to my box via the VoIP provider are going through.
Can you assist me in letting me know what I am missing? I would like to confirm that there is no possible access to the box without a rule.
Thanks
about 7 months ago
I’d like to confirm that RAB won’t work on CentOS 5.5 with APF 9.7-1, giving the error “{rab} force set RAB disabled, kernel module ipt_recent not found.” (though the module is loaded)
I had to change the internals/functions.apf check for ipt_recent as suggested by Mike.
about 8 months ago
Hi there,
I installed APF on a webserver of mine which deals some ddos attacks in the last time. Now the server requires SSL, so I added
IG_TCP_CPORTS=”21,22,25,80,443″
The firewall is working and in combination with ddos.sh it does the job but: If I try to connect to the site from different ISPs the connection fails.
Am I missing something fundamental in the config? I’ve installed apf on my ubuntu 10.04 LTS server, Version: APF version 9.7
Regards
asrijaal
about 8 months ago
Are you aware of any bug in apf 9.7 rev 1 or bfd removing the local network from the firewall, with a line like this in the apf log?
{trust} removed 168 from trust system
Thanks
about 8 months ago
Random bad luck confused me! apf is working perfectly. I shall send a donation; thank you, apf is a great tool to manage iptables rules.
about 8 months ago
Glad to hear it was just an unfortunate case of luck and that things are working properly.
about 8 months ago
After many hours of reading and tweaking I overcame my newbie mistakes and got apf working… but I think it may be working too well, as Google Checkout was unable to complete a callback to insert an order into my orders database.
I got this error message from Google Checkout:
"Your server returned no data in its response; Checkout requires data of type merchant-calculation-results in response to merchant-calculation-callback"
It might be random bad luck or it might be the apf firewall – Google say there was a response, so I'm leaning towards the idea that apf didn't block Google Checkout.
I've configured conf.apf like so:
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
IG_UDP_CPORTS="20,21,53,123"
IG_ICMP_TYPES="3,5,11,0,30,8"
EGF="0"
Have I made a newbie error by not allowing 80 and 443 in IG_UDP_CPORTS? Sorry if this is a silly question.
I have looked at the possibility of creating a whitelist of Google Checkout IP numbers for allow_hosts.rules, but Google Checkout is always changing its IP numbers; they are basically unhelpful to anyone asking for Google Checkout callback IP numbers.
I'm also wondering if I'll see similar callback problems with PayPal IPNs… for now I've run $ apf -f and will come back to apf when I've read more about ports and protocols and am feeling less newbish. Maybe I went overboard when I enabled so many blacklists.
about 8 months ago
I personally use APF on systems with IPN callbacks from PayPal and have never had an issue, nor has it ever been reported by anyone else — and there are over 21,000 servers using APF currently, so it's not for lack of opportunity for it to cause a problem. Technically speaking, as long as you have port 80/443 open, most callback systems should work fine.
about 8 months ago
I have a problem: every day at 4am my server gets blocked by the firewall and I have to do "iptables -F" to gain access again. All day it works well, and then at the next 4am everything gets blocked.
May 10 04:00:01 xela crond[17416]: (root) CMD (/usr/local/sbin/bfd -q)
May 10 04:00:01 xela crond[17422]: (root) CMD (/etc/apf/apf --refresh >> /dev/null 2>&1 &)
How do I fix it?
about 8 months ago
How do I report a bug?
RAB is always disabled on RHEL4 and RHEL5 even though the kernel supports the necessary module:
{rab} force set RAB disabled, kernel module ipt_recent not found.
It happens because this check in internals/functions.apf fails:
[ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/xt_recent.$MEXT" ]
I think there should be && instead of || in that line.
Also, I think there is a better way to check for ipt_recent support:
[ `grep -c "recent" /proc/net/ip_tables_matches` == "0" ]
(idea taken from here: http://wiki.mediatemple.net/w/%28ve%29:Using_apf_with_RAB)
Thanks for the great work!
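An added example, not APF code, that implements the check the two reports above converge on: instead of testing for a module file named ipt_recent or xt_recent, ask the kernel whether the iptables "recent" match is registered in /proc/net/ip_tables_matches, after trying to load either module name. The functions take an optional path so the logic can be exercised against a constructed copy of that file; the rab_effective helper and its log message are my own stand-in for the file test in check_rab(), not the project's code.

```sh
#!/bin/sh
# Added example, not APF code. Decide whether the kernel offers the iptables
# "recent" match that APF's RAB needs, by reading the kernel's own match
# table instead of testing for a module file name (ipt_recent vs xt_recent).
# MATCHES_FILE defaults to the live /proc/net/ip_tables_matches; passing a
# path lets the check run against a constructed copy of that file.

PROC_MATCHES=/proc/net/ip_tables_matches

# recent_match_registered [MATCHES_FILE]: 0 if "recent" is listed (one
# match name per line). A missing or unreadable file, as on a VPS kernel
# without netfilter support, counts as "not available".
recent_match_registered() {
    f=${1:-$PROC_MATCHES}
    [ -r "$f" ] && grep -qx recent "$f"
}

# rab_supported [MATCHES_FILE]: the match only appears in the table once
# its module is loaded, so probe both module names first (live file only),
# then consult the table. Exit status 0 means RAB can be enabled.
rab_supported() {
    f=${1:-$PROC_MATCHES}
    if ! recent_match_registered "$f" && [ "$f" = "$PROC_MATCHES" ]; then
        modprobe xt_recent 2>/dev/null || modprobe ipt_recent 2>/dev/null || :
    fi
    recent_match_registered "$f"
}

# rab_effective RAB_SETTING [MATCHES_FILE]: print the RAB value to actually
# use: the configured value, forced to 0 when the match is absent. This is
# the assumed replacement for the file-existence test in check_rab().
rab_effective() {
    rab=$1; shift
    if [ "$rab" = "1" ] && ! rab_supported "$@"; then
        echo "{rab} force set RAB disabled, iptables 'recent' match not available" >&2
        rab=0
    fi
    echo "$rab"
}
```

Inside functions.apf the equivalent of the proposed one-liner would be RAB=$(rab_effective "$RAB") (assumed placement). On a kernel where the match really is missing, `iptables -m recent --help` fails the same way, which is a quick manual cross-check.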
about 8 months ago
How can I see which line is not working?
I see a few lines:
iptables: Unknown error 4294967295
But I don't know which line is causing this.
Can anybody help?
about 8 months ago
Hi,
That error looks like it's coming from a Virtuozzo VPS. Either way, it's caused by not having the correct iptables kernel modules available.
If you are running on a VPS you should raise the issue with your provider, and if they look confused point them here: http://forum.parallels.com/showthread.php?t=62771
Paul.
about 8 months ago
I'm running CentOS 5.6 on a VPS
(multi-homed XenServer Enterprise platform)
but is there a way to see what rule or line is causing this error? Maybe I don't need that line?
Thanks.
about 9 months ago
Ryan,
Where exactly in the APF config would I specify this sort of iptables command:
iptables -A INPUT -p tcp -m tcp --sport 2222 --dport 22 -j ACCEPT
For the example above, I don’t want to change the listening port for the installed service, but I want external connections to have to connect to port 2222/tcp.
I have tried manually running the iptables command, but it gets inserted after the 3 tcp,udp,all DROP commands on the INPUT chain.
I presume I have the correct syntax.
Thanks,
–Gord.
about 9 months ago
You can add this entry to /etc/apf/preroute.rules
about 9 months ago
Hi,
The internals/reserved.networks file (829 bytes) contains 62 ‘Class A reserved networks’, but the IANA.org website only has 16 reserved networks 224.0.0.0/8 – 255.0.0.0/8.
The other 46 Class A networks listed in the reserved.networks file cause legitimate IPs to be blocked.
–Gord.
about 9 months ago
This is not the case:
http://rfxn.com/downloads/reserved.networks
The maintained reserved.networks file that rfxn.com hosts has only 13 lines in it. Unless you go out of your way to disable the updating of the reserved.networks file in conf.apf, this will automatically update whenever APF starts.
However, I have gone ahead and updated the reserved.networks file within the apf-current release package for good measure.
about 9 months ago
The Debian 6.0 package for apf-firewall has the following default conf.apf settings:
BLK_RESNET="1"
DLIST_RESERVED="0"
Also, in the conf.apf file, the description for BLK_RESNET describes a second variable called USE_RD, which does not exist. I presume USE_RD has been updated by DLIST_RESERVED.
I have updated my reserved.networks file to the current one on your site.
dpkg --list |grep apf
ii apf-firewall 9.7+rev1-2 easy iptables based firewall system
–Gord.
about 9 months ago
I’ve been playing with apf for a few days. Looks really good.
However, I run my Linux firewall as a NAT host as well as a router. Is there any support within apf for performing NAT as well?
about 9 months ago
Let me clarify, because reading my post it might confuse.
I use my CentOS linux box as a firewall on a dynamic DSL connection. My clients connect to it for internet access, and they expect the firewall to NAT connections for them.
about 10 months ago
Hi,
Thank you very much for your helpful projects.
I am using your scripts; everything looks to be working well, but when I log in to cPanel there is a problem:
########################
[a fatal error or timeout occurred while processing this directive]
Pic: http://img847.imageshack.us/img847/5343/fatal.jpg
########################
And here is content of this error:
########################
not a reference at /usr/local/cpanel/Cpanel/DIp/MainIP.pm line 210
Carp::croak('not a reference') called at /usr/lib/perl5/site_perl/5.6.2/i686-linux/Storable.pm line 76
Storable::logcroak('not a reference') called at /usr/lib/perl5/site_perl/5.6.2/i686-linux/Storable.pm line 244
Storable::_store('CODE(0x9ed647c)', undef, '/home/lkstarv2/.cpanel/datastore/all_iplist.db', 0) called at /usr/lib/perl5/site_perl/5.6.2/i686-linux/Storable.pm line 218
Storable::nstore(undef, '/home/lkstarv2/.cpanel/datastore/all_iplist.db') called at /usr/local/cpanel/Cpanel/DIp/MainIP.pm line 210
Cpanel::DIp::MainIP::getconfiguredips() called at /usr/local/cpanel/Cpanel/DIp/MainIP.pm line 41
Cpanel::DIp::MainIP::getmainip() called at /usr/local/cpanel/Cpanel/DIp.pm line 38
Cpanel::DIp::isdedicatedip(210.211.110.235) called at /usr/local/cpanel/Cpanel/ExpVar.pm line 443
Cpanel::ExpVar::hasdedicatedip() called at /usr/local/cpanel/Cpanel/StatsBar.pm line 63
Cpanel::StatsBar::api2_stat('rowcounter', 'mainstats', 'display', 'hostingpackage|shorthostname|cpanelversion|theme|apacheversion|p...') called at (eval 79) line 1
eval '$dataref = [Cpanel::StatsBar::api2_stat(%{$rCFG})];' called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 84
Cpanel::Api2::Exec::api2_exec('StatsBar', 'stat', 'HASH(0xadff88c)', 'HASH(0xae06614)') called at cpanel line 607
main::real_cpexectag('<?cp StatsBar::stat(^J[tr class="row-%"]^J [td class="stats_lef...') called at cpanel line 3879
main::dotag_finished_headers(0) called at cpanel line 3664
main::cpanel_parseblock('<table width="100%" id="stats_extended" class="truncate-table" c...') called at cpanel line 3612
main::cpanel_parse('GLOB(0xae24f94)') called at cpanel line 2491
main::doinclude('/usr/local/cpanel/base/frontend/x3/branding//extended_statsbar.h...', 0, 1) called at /usr/local/cpanel/Cpanel/Branding.pm line 49
Cpanel::Branding::Branding_include('extended_statsbar.html') called at (eval 74) line 1
eval 'Cpanel::Branding::Branding_include(@{$argref});' called at cpanel line 1136
main::real_exectag('<?cp StatsBar::stat(^J[tr class="row-%"]^J [td class="stats_lef...') called at cpanel line 3876
main::dotag_finished_headers(0) called at cpanel line 3664
main::cpanel_parseblock('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "...') called at cpanel line 3612
main::cpanel_parse('GLOB(0xa12eb44)') called at cpanel line 2491
main::doinclude('/usr/local/cpanel/base/frontend/x3/branding//index.html', 0, 1) called at /usr/local/cpanel/Cpanel/Branding.pm line 49
Cpanel::Branding::Branding_include('index.html') called at (eval 5) line 1
eval 'Cpanel::Branding::Branding_include(@{$argref});' called at cpanel line 1136
main::real_exectag('<?cp StatsBar::stat(^J[tr class="row-%"]^J [td class="stats_lef...') called at cpanel line 3876
main::dotag_finished_headers(0) called at cpanel line 3704
main::cpanel_parseblock('^J') called at cpanel line 3612
main::cpanel_parse('GLOB(0x9fd1710)') called at cpanel line 5121
main::run_standard_mode() called at cpanel line 424
########################
Please help me to fix this problem; I can't get my cPanel info.
Thank you very much,
Regards.
about 9 months ago
This does not appear to be an error related to APF; you should seek help from the cPanel forums or check out irc.freenode.net #cpanel.
about 10 months ago
The docs for APF are about 4 years old. Do the iptables module requirements within it still hold true? With the move to virtualization, it appears the most recent CentOS builds of iptables do not include many of the modules you list (at least on our Xen servers). Looking forward to your thoughts.
about 10 months ago
I currently use the latest APF release on CentOS 5.5 based Xen servers and inside many Xen guest instances running CentOS as well. There should be no module-specific changes required to APF, as it will dynamically request the modules needed from the kernel.
Likewise, I will work to update the APF documentation here shortly; thank you.
about 10 months ago
Ryan, for the past 2.5 months (approximately), we've been troubleshooting receiving automated emails from Verisign / GeoTrust.
It turns out one of the rule imports blocks the emails from Verisign / GeoTrust.
I've not yet been able to narrow down which rule import — PHP, Spamhaus, DShield, ECN.
Please do review these IP inclusions to make sure each IP on the list is still valid. Thank you!
about 10 months ago
Thank you for bringing this to my attention, I will look into it promptly.
about 10 months ago
I'm trying to insert allow rules using the "apf -a" command, but I need to just allow ssh inbound. I'm trying to use the form
apf -a tcp:in:d=22:s=10.10.10.10 "test address"
but I get an error:
iptables v1.3.5: host/network `tcp:in:d=22:s=10.10.10.10' not found
The rule seems to take anyway; at least an "apf -t" shows
Mar 06 15:56:47 ip-10-10-10-1 apf(3543): (trust) added allow all to/from tcp:in:d=22:s=10.10.10.10
and "apf -l" shows
22 0 0 ACCEPT tcp -- * * 10.10.10.10 0.0.0.0/0 tcp dpt:22
I'm guessing that apf parses the port/address specification properly, but doesn't feed it to iptables the way iptables likes.
-Paul McKinley
about 10 months ago
Ryan – I have a patch for apf to allow support for ESP/AH protocols so IPSEC VPNs can be used in conjunction with apf – interested in a copy?
about 10 months ago
That would be great! If you could please shoot it over to ryan@rfxn.com, that would be much appreciated. I will review it and toss it into the release version if appropriate. Thank you.
about 11 months ago
Hi,
I have a strange issue that occurs intermittently. My system (CentOS 5.4) runs Plesk, and occasionally at 4:30am it will lock down access to the server to everyone except those specifically in the allow_hosts.rules file.
The cron log at the time shows that a RELOAD occurs at the same time as the 10 minute refreshes. Could this conflict?
Mar 3 04:30:01 ns6 crond[17415]: (*system*) RELOAD (/etc/cron.d/refresh.apf)
Mar 3 04:30:01 ns6 crond[30465]: (root) CMD (/etc/apf/apf --refresh >> /dev/null 2>&1 &)
Performing an apf -r fixes the issue.
Thanks in advance.
Mark
about 11 months ago
What version of APF are you currently running? I would recommend you try to clear any rules in deny_hosts and, if needed, attempt a fresh reinstall of APF.
about 11 months ago
Ryan, at present, when a CentOS (versions don’t seem to matter) reboots with APF, if there are any problems whatsoever with /etc/resolv.conf working, APF hangs the entire machine.
Can you please add a customizable time out feature to a future version of APF that if local DNS is (temporarily) down, APF will do what it can, and allow the reboot process to continue?
Thank you.
about 11 months ago
Peter,
This is a long-standing issue that has more to do with accepting host names in the trust rules: if there are any network issues they are not resolvable, and iptables has no built-in timeout feature for resolving DNS. I will see what I can come up with as a solution and put it into the next release; thank you for your continued support.
about 10 months ago
In my case, it doesn’t hang the machine, but apf doesn’t run at all. The system continues to boot, leaving my CentOS 5.5 wide open.
I look forward to an update.
about 10 months ago
Make sure APF is set to start at boot:
chkconfig --level 2345 apf on
about 10 months ago
Actually, apf is already set to run at boot time. It fails to run, period. I have to start it manually after boot.
I think mine is a variant problem related to the OP’s.
about 11 months ago
Hi,
Is there a way to block countries that will not affect the performance of apf? I tried to use /etc/apf/deny_hosts.rules and placed CIDRs in it. The file went up to 80K and this makes apf very slow when restarted, and eventually crashed the servers.
Please advise on an alternative way to do this.
Thank you.
about 11 months ago
APF uses iptables, the Linux kernel firewalling mechanism, which stores rules in kernel memory. As the number of iptables rules in kernel memory increases, the performance of iptables degrades. When you enter the realm of 10k+ rules you really are entering an area that iptables is not intended or designed for; I would encourage you to consider broader rules using IP masking to encompass larger netblocks, thus reducing the number of rules required. An example would be that if you want to block 172.3.44.0 – 172.3.44.255, you block it as 172.3.44.0/24 instead of adding every IP in the range to the rules.
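Two shell helpers, added here as an example and not part of APF, that do the aggregation this reply recommends: range_to_cidr turns an inclusive range such as 172.3.44.0 to 172.3.44.255 into the fewest CIDR blocks (172.3.44.0/24 in that case), and cidr_prune drops entries in an existing deny list that are duplicates or already covered by a broader block, so the rule count iptables has to carry shrinks. Both are IPv4 only, matching APF, and the list format assumed is one entry per line with optional # comments.

```sh
#!/bin/sh
# Added example, not APF code. Two helpers for keeping deny_hosts.rules
# small: turn an inclusive address range into the fewest CIDR blocks, and
# drop entries already covered by a broader block (or duplicated) in an
# existing list. IPv4 only, like APF.

# range_to_cidr FIRST LAST: print the minimal CIDR blocks covering the range
range_to_cidr() {
    awk -v first="$1" -v last="$2" '
    function toint(a,  o) { split(a, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    function tostr(n) { return int(n/16777216) "." int(n/65536)%256 "." int(n/256)%256 "." n%256 }
    BEGIN {
        s = toint(first); e = toint(last)
        while (s <= e) {
            # largest block aligned at s that still fits inside the range
            size = 1; bits = 0
            while (s % (size*2) == 0 && s + size*2 - 1 <= e) { size *= 2; bits++ }
            print tostr(s) "/" (32 - bits)
            s += size
        }
    }'
}

# cidr_prune < LIST: remove duplicates and entries covered by a broader
# block in the same list. Comments and blank lines are dropped; surviving
# entries are printed as written, in address order.
cidr_prune() {
    awk '
    function toint(a,  o) { split(a, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    {
        sub(/#.*/, "")                         # strip trailing comment
        if (NF == 0) next
        k = split($1, p, "/")
        m = (k == 2) ? p[2] + 0 : 32           # bare host = /32
        size = 2 ^ (32 - m)
        net = toint(p[1]); net -= net % size   # align to the block boundary
        key = net "/" m
        if (key in seen) next                  # exact duplicate
        seen[key] = 1
        n++; N[n] = net; S[n] = size; T[n] = $1
    }
    END {
        for (i = 1; i <= n; i++) {
            keep = 1
            for (j = 1; j <= n; j++)
                if (j != i && S[j] > S[i] && N[i] >= N[j] && N[i] + S[i] <= N[j] + S[j]) { keep = 0; break }
            if (keep) print T[i]
        }
    }' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}
```

Typical use: `cidr_prune < /etc/apf/deny_hosts.rules > deny_hosts.pruned`, inspect the diff, then replace the file and apf -r. The pruning pass is O(n²) in awk, which is fine for the tens of thousands of lines at issue here but is meant as a one-off cleanup, not something to run on every refresh.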
about 11 months ago
Hi Ryan,
Appreciate the reply. I guess the limit has been hit. I am already using x.x.x.x/24 in the file.
Thank you
about 1 year ago
Any tips for running APF on a public-facing name server? We have attempted to run it and find that after a period of time strange events start happening where our network monitor (Opsview aka Nagios) starts thinking SMTP has died on a couple of our email servers. As soon as we turn off APF on the name servers our network monitor thinks all is good again. SMTP is in fact OK, so not sure where to look and/or how to correct what APF is clearly causing.
Any tips and/or ideas?
about 11 months ago
Trust your SMTP servers in the firewall if possible, i.e. apf -a IP. You can also try disabling RESV_DNS_DROP in conf.apf, which may help.
about 1 year ago
To access the site adultdailycare.net it asks me for a username and password, help me
about 1 year ago
I am using your APF solution on a couple of my servers and it is very useful. You did a great job with it.
Recently I updated the kernel to 2.6.18-194.26.1.el5xen (CentOS) on most of the machines due to security issues in the previous version. Unfortunately this breaks APF completely. iptables, when started manually and with the rules set manually, works fine, but when I run APF it doesn't.
All the rules are there. I tried doing an iptables save and then reloading it with service iptables start – it doesn't help.
It seems like nothing is being filtered by the rules set with APF. Can anyone help?
about 1 year ago
I have been using the APF firewall with Plesk for around 3 years and I am quite satisfied with it.
Recently one of our customers required limiting the number of connections per IP on his server, but I couldn't find anything in APF that can achieve this.
I found on a website the syntax that can be used to limit connections per IP using the connlimit module, but I don't know how to use this in APF.
/sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset
Please advise.
about 1 year ago
See the post by Ryan 19 posts below
If you are looking for generic flood protection from SYN/CONNECTION based flooding of port services, you can use fguard:
http://rfxn.com/downloads/fguard
Edit the script with your email address and set the ptrig values, they are in the format of PORT:TRIGGER , trigger is the maximum amount of connections from a single IP before it is blocked i.e: 80:100 = port 80, ban at 100 connections per ip.
about 1 year ago
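What a PORT:TRIGGER check like fguard's amounts to, as an added Python example written for this thread (it is not fguard's code and does not reproduce its exact counting). It parses a constructed `netstat -an` snapshot, counts concurrent TCP connections per local port and remote IP, reports the IPs at or above their port's trigger as `apf -d` commands, and also renders the kernel-side alternative asked about in the question above: one connlimit rule per port, in the shape quoted there. The netstat lines, ptrig values and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed `netstat -an` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51003       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40000      ESTABLISHED
tcp        0      0 10.0.0.5:25             203.0.113.7:51200       ESTABLISHED
"""


def parse_ptrig(spec):
    """Parse a PORT:TRIGGER list such as '80:100,25:50' into {port: trigger}."""
    out = {}
    for item in re.split(r"[,\s]+", spec.strip()):
        if not item:
            continue
        port_s, trig_s = item.split(":")
        port, trig = int(port_s), int(trig_s)
        if not 1 <= port <= 65535 or trig < 1:
            raise ValueError(f"bad ptrig entry {item!r}")
        out[port] = trig
    return out


def split_addr(addr):
    """'203.0.113.7:51001' -> ('203.0.113.7', 51001); ':::443' -> ('::', 443).
    Split on the last ':' so IPv6-style socket addresses parse too."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else 0)


def count_connections(netstat_text):
    """Count non-LISTEN TCP sockets per (local port, remote IP); half-open
    SYN_RECV entries count, which is what makes a SYN flood visible."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6") or f[5] == "LISTEN":
            continue
        _, lport = split_addr(f[3])
        rhost, _ = split_addr(f[4])
        counts[(lport, rhost)] += 1
    return counts


def offenders(netstat_text, ptrig):
    """Sorted (ip, port, count) triples at or above their port's trigger."""
    hits = []
    for (port, ip), n in count_connections(netstat_text).items():
        trig = ptrig.get(port)
        if trig is not None and n >= trig:
            hits.append((ip, port, n))
    return sorted(hits)


def ban_commands(hits):
    """The APF deny commands a cron-driven checker would hand off."""
    return [f'apf -d {ip} "{n} connections to port {port}"' for ip, port, n in hits]


def connlimit_rules(ptrig):
    """Kernel-side alternative, one rule per port in the form quoted in the
    question. Note the off-by-one: --connlimit-above N still allows N
    concurrent connections and rejects the (N+1)th, whereas the trigger
    above bans at exactly N."""
    return [
        f"/sbin/iptables -A INPUT -p tcp --syn --dport {port} -m connlimit "
        f"--connlimit-above {trig} -j REJECT --reject-with tcp-reset"
        for port, trig in sorted(ptrig.items())
    ]


if __name__ == "__main__":
    ptrig = parse_ptrig("80:3,25:5")  # low triggers so the sample trips
    print("\n".join(ban_commands(offenders(SAMPLE_NETSTAT, ptrig))))
    print("\n".join(connlimit_rules(ptrig)))
```

Either approach counts per source address, so clients behind one NAT gateway (an office, a mobile carrier) share a budget and can be banned together; set triggers with that in mind, and trust known upstreams with `apf -a` first.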
Maybe you can tell us how we can use this in APF?
Where does it need to be saved and how can we make APF understand to use the file?
about 1 year ago
You can run fguard from cron, it will pass bans to APF.
about 1 year ago
I was introduced to apf (and bfd) by a very helpful friend, Ian and I absolutely love the simplicity of configuration and the clarity of the documentation.
I am still in trial mode with it but I ran across a problem that was not solved by the recommended configuration and would like to see if there is a better way to handle it. I have used a workaround solution but it carries with it problems of its own so I do not want to leave that solution in place long term.
I tried going to the forum as recommended in the readme in /etc/apf/doc but the url bounced so I am trying this route.
Is there a way (like apf -d) that I can add IPs to a list that will stop ALL traffic from that IP, even if the traffic is coming in on a port that is allowed to all others?
It appears to me that when I try to add an IP to be blocked via apf -d IP, it places the DENY IP rule late in the iptables rule set, AFTER the ALLOW PORT rule has already passed the offender through to my server. This sequencing invalidated my attempt to use apf -d IP to stop a hacker from South Africa from pounding away at my server. At one point, this hacker had over 2,000 connections going at my server. BFD did not catch and stop the hacker since I run a VOIP PBX and the hacker came in with SIP registrations which were legitimate (calls) according to the server.
We did stop the hacker by setting USE_RD="0" to stop apf from refreshing the reserved.networks file and adding the offending IP (196.28.38.72) to the reserved networks file. This put the DENY IP rule early on in the iptables rule set and stopped the hacker before the ALLOW PORT rule was encountered. Unfortunately, I am now left with a static reserved.networks file and I do not like that solution long term.
I would have thought that using apf -d would tell the system that the IP is NEVER to be allowed in, but that does not seem to be the case.
My question is: Is there a way (like apf -d) that I can add IPs to a list that will stop ALL traffic from that IP, even if the traffic is coming in on a port that is allowed to all others? And of course allow me to go back to a reserved.networks file that is automatically updated?
Any ideas?
Richard
Richard Cantin
Ayuda
(519) 957-2414
rcantin@ayuda.ca
++++++++++++++++++++++++++++++++++++++++++++++++++
I run a VOIP PBX as the ONLY application on the server where I put apf and bfd.
I only need UDP ports 5060 and 10002_20000 accessible from the outside world to let this work, so I have shut down all other incoming ports via IG_TCP_PORTS="" and IG_UDP_PORTS="5060,10002_20000". Ian and I also tried leaving ALL ports disallowed in conf.apf (IG_UDP_PORTS="" as well as IG_TCP_PORTS="") and putting into allow_hosts.rules the following:
# Add the local network to ensure internal connections can do anything
192.168.1.0/24
#
# Open, to all external connections that are not denied in deny_hosts.rules,
# the UDP Ports required to support external access for VOIP
# SIP Registration (5060)
udp:in:d=5060:s=0/0
udp:out:d=5060:d=0/0
# RTP (Audio) (10002_20000)
udp:in:d=10002_20000:s=0/0
udp:out:d=10002_20000:d=0/0
but that did not make things any better.
The VOIP PBX is working fine so this set up allows what I need to pass. (and unfortunately the South African hacker, unless I add the offending IP to the reserved.networks file)
about 1 year ago
I have changed the order in which APF loads the trust rules (allow/deny) to place the drop lists before any allow rules are loaded. This change has been pushed to the release version of APF.
about 1 year ago
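The ordering problem Richard hit, and why Ryan's change (loading the deny lists before the allow rules) fixes it, as an added Python model of first-match chain evaluation. This is not APF code; it models only source, protocol and destination-port matches, which is enough to show the effect. It also includes a small lint that flags DROP rules an earlier ACCEPT can pre-empt, the kind of check worth running over a rule dump after changing load order. The address 196.28.38.72 is the one reported in the thread; everything else is constructed.

```python
import ipaddress


class Rule:
    """One chain entry: a terminating target plus optional source network,
    protocol and destination-port match. None means 'any', as an omitted
    iptables match does."""

    def __init__(self, target, src=None, proto=None, dport=None):
        self.target = target
        self.src = ipaddress.ip_network(src) if src else None
        self.proto = proto
        self.dport = dport

    def matches(self, pkt):
        return ((self.src is None or ipaddress.ip_address(pkt["src"]) in self.src)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"]))

    def overlaps(self, other):
        """Could some packet match both rules?"""
        src_ok = self.src is None or other.src is None or self.src.overlaps(other.src)
        proto_ok = self.proto is None or other.proto is None or self.proto == other.proto
        port_ok = self.dport is None or other.dport is None or self.dport == other.dport
        return src_ok and proto_ok and port_ok


def first_match(chain, pkt, policy="DROP"):
    """iptables walks a chain top-down; the first matching rule with a
    terminating target decides the packet, else the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def shadowed_denies(chain):
    """Indices of DROP/REJECT rules that some earlier ACCEPT can pre-empt for
    at least part of the traffic they were meant to stop."""
    out = []
    for j, deny in enumerate(chain):
        if deny.target not in ("DROP", "REJECT"):
            continue
        if any(r.target == "ACCEPT" and r.overlaps(deny) for r in chain[:j]):
            out.append(j)
    return out


ATTACKER = "196.28.38.72"  # reported in the thread; a host entry becomes /32

# Same policy, two load orders: allow UDP/5060 to everyone, deny one host.
DENY_LAST = [Rule("ACCEPT", proto="udp", dport=5060), Rule("DROP", src=ATTACKER)]
DENY_FIRST = [Rule("DROP", src=ATTACKER), Rule("ACCEPT", proto="udp", dport=5060)]


def sip_register(src):
    """A SIP REGISTER as the chain sees it: UDP to port 5060 from src."""
    return {"src": src, "proto": "udp", "dport": 5060}


if __name__ == "__main__":
    for name, chain in (("deny after allow", DENY_LAST), ("deny before allow", DENY_FIRST)):
        print(name, "->", first_match(chain, sip_register(ATTACKER)),
              "shadowed:", shadowed_denies(chain))
```

With the deny loaded last the attacker's REGISTER is accepted by the port rule before the drop is ever consulted, and the lint reports that drop as shadowed; with the deny loaded first the same packet is dropped and other callers still reach 5060.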
Hi,
There is no explanation of how to set up a VNET for virtual private servers. The readme file says to look at 3.4 for more detailed information, but I did not find any info about how to set it up; 3.4 just gives the topic name and no article is provided.
about 1 year ago
Hi
I'm a bit 'lost' with installing APF on a Trustix Linux box, which is a very outdated Linux release, but I can't afford to update/replace it with newer live distros.
Anyway, I downloaded 'apf-current.tar.gz' and ran ./install.sh,
then I edited the conf and wanted to try it, but unfortunately with no luck, as I get:
service apf restart
apf: unrecognized service
or
chkconfig --list apf
error reading information on service apf: No such file or directory
APF installed in "/etc/apf" but not as a service, it seems.
Unfortunately the RPM installation didn't do it either.
Can it be done like it is on CentOS?
Thank you
about 9 months ago
What do you mean when you say that you cannot afford to upgrade to a newer Linux? CentOS is freeware. All it will cost you is six blank CD’s.
about 1 year ago
Is there a forum for APF and other utilities? I see a forum when I search Google, but it appears to be restricted.
Anyway, I have a problem with APF not starting correctly on OpenVZ with multiple IP addresses. venet0 is 127.0.0.1 and venet0:0 and venet0:1 are the external IPs, and APF comes up with errors on them. I don't know whether the ethX:X/venetX:X syntax is affecting it.
Does it work with multiple IPs? IFACE_IN and IFACE_OUT appear to take single IPs only.
apf(20007): {glob} flushing & zeroing chain policies
apf(20007): {glob} firewall offline
apf(20043): {glob} activating firewall
apf(20088): {glob} could not verify that interface venet0:0 is routed to a network, aborting.
apf(20043): {glob} firewall initalized
apf(20043): {glob} !!DEVELOPMENT MODE ENABLED!! – firewall will flush every 5 minutes.
about 1 year ago
May I ask where you ran nmap? If it was on the same system then you will see the port as up. Please test it from a separate system.
about 1 year ago
I recently installed APF. It appears to be installed properly. My aim is to block port 25 on the server. However, after removing port 25 from the config file, I reloaded, but port 25 is still OPEN. I confirmed this by running nmap, and port 25 is still open. Can someone tell me what might be wrong?
about 1 year ago
Hi Ryan,
Looking forward to it.
Keep safe.
Thank you
about 1 year ago
Hi,
First of all, thank you for the great software you have created. It is one of our vital protections against outside threats.
Currently we have an issue with IPV6. May I ask if APF can filter IPV6? doing an iptables -L shows all the rules loaded but when ip6tables -L is used then the output is:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I guess there are no filter rules for IPv6. We are using an IPv6-aware OS on a public network.
Please advise on how to enable IPv6 filtering.
Thank you
about 1 year ago
IPv6 is not yet supported by APF, this is something that will be released in the very near future.
about 1 year ago
Hello
I was wondering if it's possible to use APF for a standalone PC connected to an untrusted LAN, not necessarily intended to be used as a server, just for personal use.
thanks
about 1 year ago
Hi Ryan:
I hope you and your family are doing well.
When you get to updating APF, can you check how it can be made more user friendly on reboots when local dns (/etc/resolv.conf) may be broken?
What we’ve seen is that if there are any local DNS resolution issues, APF can cause bootup to hang for an indefinite period of time.
Thank you.
about 1 year ago
Can you put the proper way of updating from older versions of apf to your current version in your faq/readmes?
about 1 year ago
hello all,
I've been DDoSed for 2 days now... APF + ddos-deflate seems to help!
But could anybody help me with how to run my own firewall script and APF simultaneously?
Because my own firewall script is also kind of big and there are some important drops in it, so I have to get it running.
Thanks for your help!
Greetz, Mike
about 1 year ago
Hi Ryan,
Firstly thanks for a great tool you provide in APF.
I have recently installed 9.7-1 and greatly appreciate the ease of managing global allow and deny lists remotely from a single source.
I decided to keep my global lists in a secure password protected directory, and to this end made some modifications to APF to allow ease of configuration, which I believe may be a nice addition to your official release
Herewith the changes:
conf.apf:
----------
# Global Trust
...
USE_RGT="1"
# Specify whether wget should check the SSL certificate - used in conjunction with the https protocol.
RGT_CHECK_CERT="0"
# Specify a username and password for wget to apply when fetching the global lists
RGT_WGET_USER="apf"
RGT_WGET_PASS="test"
...
internals/functions.apf:
glob_allow_download() {
...
# Set whether wget should check the certificate or not
if [ "$RGT_CHECK_CERT" == "1" ] && [ "$GA_URL_PROT" == "https" ]; then
CHECK_CERT=""
else
CHECK_CERT="--no-check-certificate"
fi
# Set the wget username if necessary
if [ ! "$RGT_WGET_USER" == "" ]; then
WGET_USER="--user=$RGT_WGET_USER"
else
WGET_USER=""
fi
# Set the wget password if necessary
if [ ! "$RGT_WGET_PASS" == "" ]; then
WGET_PASS="--password=$RGT_WGET_PASS"
else
WGET_PASS=""
fi
# A password passed as an argument is visible to local users in ps; a ~/.netrc entry for the host avoids that
$WGET -t 1 -T 4 $CHECK_CERT $WGET_USER $WGET_PASS $GA_URL_PROT://$GA_URL >> /dev/null 2>&1
...
}
glob_deny_download() {
...
# Set whether wget should check the certificate or not
if [ "$RGT_CHECK_CERT" == "1" ] && [ "$GD_URL_PROT" == "https" ]; then
CHECK_CERT=""
else
CHECK_CERT="--no-check-certificate"
fi
# Set the wget username if necessary
if [ ! "$RGT_WGET_USER" == "" ]; then
WGET_USER="--user=$RGT_WGET_USER"
else
WGET_USER=""
fi
# Set the wget password if necessary
if [ ! "$RGT_WGET_PASS" == "" ]; then
WGET_PASS="--password=$RGT_WGET_PASS"
else
WGET_PASS=""
fi
$WGET -t 1 -T 4 $CHECK_CERT $WGET_USER $WGET_PASS $GD_URL_PROT://$GD_URL >> /dev/null 2>&1
...
}
This allows you to specify via the configuration file whether or not to check the SSL certificate against the available certificate authorities, as well as being able to password protect the global access lists that you have made publicly accessible.
Regards,
Patric
about 1 year ago
I’ve been trying to find a way to take an existing APF box with two NICs and use it as network gateway. But I cant seem to get it to pass traffic as long as APF is on it. Are there any tutorials or instructions that cover this goal?
Otherwise, this is a hell of a great application firewall! Thanks!
about 1 year ago
Hi Ryan,
Thanks for your reply. I’m still getting the same error after replacing functions.apf
Everything else is still running fine. I am quite certain ipt_recent is loaded.
apf(30459): {rab} force set RAB disabled, kernel module ipt_recent not found.
about 1 year ago
Mike, I made a change to the functions file that I think should fix this, if you are running the latest version of APF please go ahead and download http://www.rfxn.com/downloads/functions.apf and replace /etc/apf/internals/functions.apf with it, let me know if you still experience the issue with RAB.
about 10 months ago
Hi, I also get the error {rab} force set RAB disabled, kernel module ipt_recent not found.
On line 155 of functions.apf, where it tests -f ipt_recent, is || supposed to be &&?
I've changed the line and it seems to be working correctly.
about 1 year ago
Hi Ryan,
I’ve been a long time user of APF. I am currently trying to install it with RAB in an OpenVZ container. I am successful with APF, but not APF with RAB:
{rab} force set RAB disabled, kernel module ipt_recent not found.
As you can see here, my modules should be properly loaded:
# cat /proc/net/ip_tables_matches
udp
tcp
recent
state
length
ttl
tcpmss
multiport
multiport
limit
tos
icmp
owner
I have SET_MONOKERN="1" also.
Perhaps there is some mis-communication between SET_MONOKERN and RAB? Or do you notice any mistakes in my configurations?
about 1 year ago
If you are looking for generic flood protection from SYN/CONNECTION based flooding of port services, you can use fguard:
http://rfxn.com/downloads/fguard
Edit the script with your email address and set the ptrig values, they are in the format of PORT:TRIGGER , trigger is the maximum amount of connections from a single IP before it is blocked i.e: 80:100 = port 80, ban at 100 connections per ip.
about 1 year ago
how can i use fguard with apf ? is there any installation guide ?
about 1 year ago
hello, the changelog says that the antidos feature is replaced by the RAB feature.
about 1 year ago
Hello, I did not see the antidos feature in APF and also did not find the ad directory in apf; I have installed the latest version.
about 1 year ago
Does anybody know how to block all IPs, something like 0.0.0.0/0, and trust only 1 IP?
Thanks
about 1 year ago
The get_ports command (and install.sh) leave out some of my open ports, such as 80 and 443 from Apache. Here is what “netstat -an” shows:
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN
about 1 year ago
Ryan, you might want to update the README.apf link above to the new version. The one there is for 0.9.6
about 1 year ago
APF automatically updates the reserved.networks file on the first start from http://www.rfxn.com/downloads/reserved.networks – this file is updated on every start call to APF and through a cron.daily job added during installation.
If the reserved.networks file is not updating for you, please check: http://www.rfxn.com/bogon-filtering-update-it/
about 1 year ago
Hi,
I have seen that the file internals/reserved.networks isn't updated.
For example, I see in http://www.iana.org/assignments/ipv4-address-space that the network 95.0.0.0/8 has been assigned since 2007, but reserved.networks continues to block this network.