Linux Software & Blog
- DirectAdmin basic security | Take Flight
- Back to the Basics #6: Network Security
- Hardening Linux: how to use the scripts: firewall, brute force and ddos
- Preventing brute-force and denial-of-service attacks | Noveria Blog
- How to get APF working with a server has poor local DNS resolution on reboot
- Securing cPanel After Install
- Web Hosting » Blog Archive » 5 Free Open Source Security Tools
- Kloxo Installation Guide « Host Gram
- Kloxo Installation Guide « Linux tutorials
- Yahya Nursalim Web Media » Kloxo : Open Source Server Control Panel and Webhosting Software
- Kloxo Installation Guide | Hitlanka
- BFD Rules for Asterisk | Sean Siegel
- New Instalation Kloxo guide | www.prandah.com
- Real customer service is more than a catchy marketing phrase
- Locking Down Your Linux Server with APF + BFD | Snipe.Net | MKfmn | Matthew M. Kaufman
- Kloxo Installation Guide | blog netforall
- Securing cPanel After Install « Recon Hosting Docs
- Protection against (D)DoS attacks with Iptables – Administrator's Blog
- Protecting your server from brute force attacks with APF and BFD | blog.codelime.net
- Best Hide Ip Programs | Hide My IP Free
- Kloxo Installation Guide : Free Tutorials
- Suddenly My hosting Sites Not loading!!!
- 5 Open Source Security Options that Cost Nothing
- Kloxo Installation Guide
- Kloxo Control Panel Installation Guide | HostBuddy
- Securing and Monitoring a Virtual Private Server – Admins Goodies
- IP tables – changes not persisting – Admins Goodies
- Anonymous
- At Pages » 5 Open Source Security Options that Cost Nothing
- 5 Open Source Security Options that Cost Nothing | Web Hosting Fan
- 5 Free Open Source Security Tools | Web Hosting Review
- 5 Free Open Source Security Tools – Seven 24 Host | Seven 24 Host
- 5 Free Open Source Security Tools « Transcom Hu
- 5 Free Open Source Security Tools | Reseller Web Hosting, Reseller Web Host
- 5 Free Open Source Security Tools | Web Host Summit
- 5 Free Open Source Security Tools by www.thehostingnews.com | tools
- 5 Free Open Source Security Tools « dotz.co
- Use APF to firewall your Asterisk based VoIP » ITOPS Tech Blog
- ITOPS Tech Blog : protect your VoIP investment
- APF: a powerful firewall component for Linux | Linux system architecture – Linux sysadmin handbook
- LazyScripter Consulting > cPanel > How to change your SSH Port
- Kloxo / CentOS
- bfd script for Kerio Connect | apocalypticfail.com
- Securing and Monitoring a Virtual Private Server Drija
- How to Install BFD (Brute Force Detection)
- DDoS Protection and Mitigation | Moh Lab.
- Unix Blather » Blog Archive » Tracing malicious scripts on poorly configured gnu/linux servers.
- Kloxo Installation Guide | Video – Tutorial
- Iptables based firewall script | HostGator Coupons Code
- Installing (Advanced Firewall Policy) APF Firewall « Afraid.ws
- Installing Advanced Policy Firewall
- Use APF to manage your firewall | TechRepublic
- Introducing APF Firewall For Ubuntu, But You Can Use This On Many Other Linux Flavors « Essayboard
- Configuring pptpd with apf | Wang Jun's Blog
- APF: a powerful firewall component for Linux | Wang Jun's Blog
- Advanced Policy Firewall by R-FX Networks | lucid_transition
- Block port 445 in linux | HostGator Coupons Code
- Securing your Linux Server using APF/BFD « MISDivision(tm) Blog
- How to Install Advanced Policy Firewall (APF) on WHM/cPanel Server | Webmaster Resources
- How to install CSF firewall on centos linux | SecureCentos.com
- DaboBlog – By David Hernández (Dabo), Cyberculture | GNU/Linux | Mac OS X | Opinion |
- IP tables – changes not persisting Drija
- DDoS Protection and Mitigation
- How to use FQDN in firewall rules for GNU/Linux? | Drija
- Bob Hubbard, Online » Blog Archive » Computer Corner : Computer Viruses, Update 2010 by Bob Hubbard
- Configuring a firewall in cPanel | HOSTING CPANEL
- The Next Generation VoIP » Installing APF and BFD
- How to Install APF (Advanced Policy Firewall ) firewall | comcities.com
- Security Recommendations for every Administrator « My VPS Box
- Adding a PREROUTING or POSTROUTING rule to the apf firewall | SMsoft – informatica e dintorni
- Comparing VPS Hosting and Shared Hosting « FAQPAL Blog
- Advanced Policy Firewall (for cPanel) « kieranbarnes
- Protect Your Server with APF Firewall
- Wonderful email from ovh | HostGator Coupon Code
- Locking down and securing SSH access to your server | SysadminSpot.com, SysAdmins, Server Administrators and IT Consultants
- Linux Software Firewalls | SysadminSpot.com, SysAdmins, Server Administrators and IT Consultants
- Allow, Deny and Remove with Advanced Policy Firewall (APF) | SysadminSpot.com, SysAdmins, Server Administrators and IT Consultants
- apf: command not found | SysadminSpot.com, SysAdmins, Server Administrators and IT Consultants
- Cpanel & Firewalls – cPanel Forums
- Protecting a Linux server against brute-force and denial-of-service attacks. | Command Line
- v-nessa.net » Post Archive » 10 Excellent Open Source Alternatives
- (D)DoS Deflate | Rui Cruz
- How to install APF (Advanced Policy Firewall) « My Blog
- How To Install And Configure Advanced Policy Firewall (APF) On CentOS 5.3 | All Free For You
- Securing FTP Access on a cPanel Server :: The cPanel Admin

about 11 months ago
This is a question about the Spamhaus Don't Route Or Peer Lists (DLIST_SPAMHAUS) option.
If I disable that and restart APF it still blocks IPs on the list. It seems I have to reboot the server to 'see' the change. (Because of this it took me ages to discover APF was blocking an IP, as I had tried stopping APF to rule that out! But that was not sufficient…)
Would it not be better if an APF restart *saw* the change to this DLIST_SPAMHAUS option? (I have APF 9.7 – and thanks for a great product BTW)
about 11 months ago
This is not the expected behavior, I will look into this further. However, with APF shut off from CLI with apf -f or /etc/init.d/apf stop, there would be no iptables rules loaded at all. So, there may have been another issue at play there causing the address in question to remain blocked.
about 11 months ago
Well further tests showed it was NOT the DLIST_SPAMHAUS option that caused the issue. It was SYSCTL_ECN.
And I *think* I got confused through having SET_FASTLOAD enabled.
All is well now!
about 1 year ago
I have identified what I believe is a bug this evening…
We have a server where we need to permit other servers in the same subnet to communicate with it, we placed the subnet into allow_hosts.rules.
However it appears that APF/iptables interprets this to mean that all traffic to the server should be allowed (i.e. source OR destination matches), rather than traffic purely sourced from that address range.
about 1 year ago
When you place an address with no advanced syntax into allow_hosts.rules, the trust on that address is added for inbound and outbound traffic. So in placing the subnet that the server is on in allow_hosts.rules, you are effectively telling the firewall to allow everything in and out of the server sourced from that subnet, which is essentially to trust everything (since traffic will always be sourced to or from the IP of the server).
This is a very common policy mistake with firewalls, care needs to be taken in the addresses that you trust as you can inadvertently create a trust all situation.
If there are specific ports you require your subnet to access, a rule in allow_hosts.rules such as the following is more appropriate:
tcp:in:d=3306:s=24.11.34.0/24
The above would allow tcp traffic from 24.11.34.0/24 to port 3306. Please see the comments in /etc/apf/allow_hosts.rules for further examples.
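The trust-scoping point made above can be checked mechanically. The script below is an added example, not part of APF or any rfxn.com code: it walks an allow_hosts.rules file, reports bare IP or CIDR entries (which APF trusts in both directions) and flags any bare entry whose range covers the server's own address, which is exactly the "trust everything" case described in the reply. It assumes IPv4 entries, one per line with optional # comments, takes the host's address as an argument, and treats any entry containing a colon as the scoped proto:dir:d=port:s=addr syntax. The sample file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example (not APF's own code): lint an APF allow_hosts.rules file for the
# "trust everything" mistake. A bare IP or CIDR entry is trusted for inbound AND
# outbound traffic, so a range that covers the server's own address makes the
# firewall trust every connection. Entries in the advanced proto:dir:d=..:s=..
# syntax are scoped and only reported as OK. IPv4 only (APF has no IPv6 support).

# ip2int 24.11.34.17 -> 32-bit integer
ip2int() {
  i2i_old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$i2i_old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET[/BITS] IP -> exit 0 if IP falls inside the range
cidr_contains() {
  cc_net=${1%/*}; cc_bits=${1#*/}; cc_ip=$2
  if [ "$cc_bits" = "$1" ]; then cc_bits=32; fi      # no prefix: single host
  if [ "$cc_bits" -eq 0 ]; then
    cc_mask=0
  else
    cc_mask=$(( (0xFFFFFFFF << (32 - cc_bits)) & 0xFFFFFFFF ))
  fi
  [ $(( $(ip2int "$cc_net") & cc_mask )) -eq $(( $(ip2int "$cc_ip") & cc_mask )) ]
}

# lint_allow_rules FILE HOST_IP
# Prints one line per entry: OK (scoped rule), WARN (bare entry, trusted in and
# out) or CRITICAL (bare entry covering HOST_IP, i.e. trust everything).
# Exit status: 0 = all scoped, 1 = bare entries present, 2 = trust-all found.
lint_allow_rules() {
  lar_file=$1; lar_host=$2; lar_rc=0
  while IFS= read -r lar_raw || [ -n "$lar_raw" ]; do
    lar_entry=$(printf '%s' "${lar_raw%%#*}" | tr -d '[:space:]')   # strip comments/blanks
    [ -n "$lar_entry" ] || continue
    case $lar_entry in
      *:*)
        echo "OK        $lar_entry" ;;
      *)
        if cidr_contains "$lar_entry" "$lar_host"; then
          echo "CRITICAL  $lar_entry covers this host ($lar_host): trusts all traffic"
          lar_rc=2
        else
          echo "WARN      $lar_entry trusted for inbound and outbound traffic"
          if [ "$lar_rc" -eq 0 ]; then lar_rc=1; fi
        fi ;;
    esac
  done < "$lar_file"
  return $lar_rc
}

# Demo on a constructed file: the first entry is the mistake from the thread,
# the second is the scoped form suggested in the reply.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample allow_hosts.rules
24.11.34.0/24
tcp:in:d=3306:s=24.11.34.0/24
10.9.8.7
EOF
lint_allow_rules "$demo_file" 24.11.34.17; echo "exit status: $?"
rm -f "$demo_file"
```

Run it as `lint_allow_rules /etc/apf/allow_hosts.rules <server-ip>` before an `apf -r`; a non-zero exit status is a reason to rewrite the entry with the d=/s= form rather than reload.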
about 1 year ago
Hello Ryan,
I’ve got a request and a question:
request: could you please check your anti-spam system? it seems to spam or at least moderate all of my comments on your blog
question: how can I evaluate what apf drops? I mean I see a few actions in my logs where I am completely unsure why they happened, I’ll show you two examples:
Apr 19 16:17:58 h1870666 kernel: [87217.512563] ** PHP ** IN=eth0 OUT= MAC=00:24:21:af:8a:99:00:25:84:7b:bc:00:08:00 SRC=75.125.47.162 DST=85.214.229.212 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=768 DF PROTO=TCP SPT=48470 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AD405DBBA0000000001030307)
Apr 19 16:16:14 h1870666 kernel: [87113.329053] ** SDROP ** IN= OUT=eth0 SRC=85.214.249.219 DST=31.184.242.127 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=20863 DF PROTO=TCP SPT=37657 DPT=80 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B401010402)
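One way to answer the "how can I evaluate what apf drops" question for oneself is to parse the kernel LOG lines that APF's rules emit when LOG_DROP is "1". The functions below are an added example (not APF code): they pull out the --log-prefix APF used (PHP, SDROP, RABHIT, SANITY and so on), the direction (an empty IN= field means the packet was leaving the host, an empty OUT= means it was arriving), source, destination, protocol and destination port, then summarise per prefix and per inbound source. The sample input is the two lines from the comment above plus a third constructed RABHIT line using the documentation address 203.0.113.9; the function names are my own.

```shell
#!/bin/sh
# Added example (not APF's own code): summarise iptables LOG lines written by
# APF with LOG_DROP="1". Input is /var/log/messages (or any file or stdin).

# parse_apf_log [FILE]  -> one tab-separated record per LOG line:
#   prefix  direction  src  dst  proto  dpt
parse_apf_log() {
  awk '
    match($0, /\*\* [A-Z]+ \*\*/) {
      prefix = substr($0, RSTART + 3, RLENGTH - 6)   # text between "** " and " **"
      dir = "in"; src = dst = proto = dpt = "-"
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue                            # flags such as DF, SYN
        if (kv[1] == "IN" && kv[2] == "") dir = "out"  # no input iface: egress
        else if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      printf "%s\t%s\t%s\t%s\t%s\t%s\n", prefix, dir, src, dst, proto, dpt
    }' ${1+"$1"}
}

# summarize_apf_log [FILE] -> "<prefix> <count>" per APF log prefix
summarize_apf_log() {
  parse_apf_log ${1+"$1"} \
    | awk -F'\t' '{ n[$1]++ } END { for (p in n) printf "%s %d\n", p, n[p] }' \
    | sort
}

# top_blocked_sources [FILE] -> "<count> <src> dpt=<port>" for inbound hits, busiest first
top_blocked_sources() {
  parse_apf_log ${1+"$1"} \
    | awk -F'\t' '$2 == "in" { n[$3 " dpt=" $6]++ }
                  END { for (k in n) printf "%d %s\n", n[k], k }' \
    | sort -rn
}

# Constructed sample: first two lines as quoted in the thread, third line made up
# with an RFC 5737 documentation address so it can be used offline.
SAMPLE_APF_LOG='Apr 19 16:17:58 h1870666 kernel: [87217.512563] ** PHP ** IN=eth0 OUT= MAC=00:24:21:af:8a:99:00:25:84:7b:bc:00:08:00 SRC=75.125.47.162 DST=85.214.229.212 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=768 DF PROTO=TCP SPT=48470 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 19 16:16:14 h1870666 kernel: [87113.329053] ** SDROP ** IN= OUT=eth0 SRC=85.214.249.219 DST=31.184.242.127 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=20863 DF PROTO=TCP SPT=37657 DPT=80 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Apr 19 16:20:01 h1870666 kernel: [87340.000000] ** RABHIT ** IN=eth0 OUT= MAC=00:24:21:af:8a:99:00:25:84:7b:bc:00:08:00 SRC=203.0.113.9 DST=85.214.229.212 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=32627 DF PROTO=TCP SPT=55353 DPT=995 WINDOW=34633 RES=0x00 SYN URGP=0'

printf '%s\n' "$SAMPLE_APF_LOG" | summarize_apf_log
printf '%s\n' "$SAMPLE_APF_LOG" | top_blocked_sources
```

On a live box, `summarize_apf_log /var/log/messages` shows which APF rule class is doing the dropping (a list-based block such as the PHP prefix versus RAB or sanity rules), and `top_blocked_sources` tells you whether the IP you are chasing is in there at all before you start editing deny files.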
about 1 year ago
We are running into problems with a client that has APF set up on three (3) servers running CentOS 5.8 64-bit.
Two of the three servers work as intended.
On the one server, APF continues to block an IP that is valid doing valid things.
The IP does not end up in /etc/apf/deny_hosts.rules
It ends up in APF, and then in /etc/apf/internals/.apf.restore and sometimes also in /etc/apf/internals/refresh.drop.temp
There's no explanation why. Then when I remove the IP from those files (after stopping apf) and restart APF… it is like a battle where APF continues to block the IP and put it back in the files, and I cannot find a way to have APF leave the IP alone.
I have the IP set up in /etc/apf/allow_hosts.rules and /usr/local/bfd/ignore.hosts
The IP is not listed in /var/log/apf_log so I have no idea as to why APF is treating this IP differently.
I checked /var/log/messages and it is not even a SANITY issue.
How can I troubleshoot this issue?
Thank you.
about 1 year ago
@Ryan:
Thanks for replying but I am unsure about the documentation being clear, I mean look at this:
# Log all traffic that is filtered by the firewall
LOG_DROP="1"
I want that, as I am logging filtered traffic to my syslog file and I need it that way as I evaluate those logs later on.
# This option will allow for all status events to be displayed in real time on
# the console as you use the firewall. Typically, APF used to operate silent
# with all logging piped to $LOG_APF. The use of this option will not disable
# the standard log file displayed by apf --status but rather compliment it.
SET_VERBOSE="0"
This sounds just like what I need: no log output to the console.
Yet your reply to my comment sounds the other way around? Is it just me confused or is this misleading?
about 1 year ago
It appears RAB TRIP is triggering incorrectly.
Mar 27 15:50:53 mail kernel: ** RABHIT ** IN=eth1 OUT= MAC=52:99:c6:4c:f1:32:00:64:40:3a:43:40:08:00 SRC=[our client ip] DST=[our mail server] LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=32627 DF PROTO=TCP SPT=55353 DPT=995 WINDOW=34633 RES=0x3c CWR PSH SYN URGP=47720
cat rab.ports
# Low security ports
RAB_PSCAN_LEVEL_1="1,7,9,11,15,69,70"
# Medium security ports
RAB_PSCAN_LEVEL_2="$RAB_PSCAN_LEVEL_1,79,109,119,512,513,517,518"
# High security ports
RAB_PSCAN_LEVEL_3="$RAB_PSCAN_LEVEL_2,13,17,19,500,540,635,640,641,666,700,1024,1026,1027,1028,2023,2565,2703,3128,3389,4899,5900,6667,6711,7212,8000,8888,9989,10080,13000,16969,27374,32000"
Given the rab ports above, even on rab level 3 (high security), why would the IP be blocked by RAB?
Thank you.
about 1 year ago
Peter,
It may be, and often is, the case that the IP tripped RAB on a valid RAB-monitored port; then once its RAB ban is in place, all subsequent traffic from that IP will be logged, irrespective of the port. Likewise it is also possible it got tripped on a sanity rule; you can try disabling RAB for packet sanity checks.
about 1 year ago
May I email you directly with a "** SANITY **" event that doesn't make sense?
Thank you.
about 1 year ago
Ryan, on your change logs, can you please include a date / timestamp along side the version number for easier tracking of updates? Thank you!!!!
about 1 year ago
This is something that has been making its way into most projects and I will work on it for APF as well, both back dating the changelog and putting in dates for all future updates.
about 1 year ago
I have the same problem every day at 4:03:01 a.m.
CRON: error in (/etc/cron.d/refresh.apf) problem is (bad minute)
Can you help me? What should I do?
about 1 year ago
Setting SET_VERBOSE="0" doesn't seem to work; my console is still being flooded with messages, making it impossible to work on the console.
Any help here, please? I had to access my console during a DoS and it was impossible to use it as it was flooded with logs about packets being dropped.
about 1 year ago
The SET_VERBOSE option only controls the APF wrapper output, not iptables output itself. For this you can set LOG_DROP=0 and that should do the trick.
about 1 year ago
Ubuntu has an old version of APF in its repositories and strange ways of changing the names of files and directories during installation with apt-get. So I followed the instructions on http://www.andyhuang.net/blog/2008/06/ to install the current version of APF on Ubuntu. But instead of modifying the APF files I have symlinked /etc/rc.d/init.d to /etc/init.d. Hence my two questions:
1) Is it OK to symlink like this or do I really have to change the paths inside the files?
2) Running update-rc.d apf defaults gives:
update-rc.d: warning: /etc/init.d/apf missing LSB information
Is it OK to ignore it or do I have to change something?
Generally, it would be nice if the install script was adapted to run under Ubuntu, since currently it gets confused by the paths. I tested on CentOS and the installation script runs fine, but on Ubuntu it aborts since it can't find the files.
about 1 year ago
On CentOS 5.8 we are seeing the following error in our logs as it relates to APF:
"Mar 9 04:08:01 cp crond[7331]: CRON: error in (/etc/cron.d/refresh.apf) problem is (bad minute)"
Rather than using */480 in the minute field, why not use */8 in the hour field?
Thank you.
about 1 year ago
I'm getting the same error. How did you correct it? Thanks.
My refresh.apf file is below.
MAILTO=
SHELL=/bin/sh
*/10 * * * * root /etc/apf/apf --refresh >> /dev/null 2>&1 &
about 1 year ago
We were also seeing this error.. The MAILTO or SHELL lines of refresh.apf seem to cause the problem.
about 1 year ago
Same problem with CentOS 5.8. cron_refresh () in internals/functions.apf uses */$SET_REFRESH. Would changing that to 0-59/$SET_REFRESH fix the issue?
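The refresh.apf reports above (a */480 step in the minute field, and a dot in a /etc/cron.d file name) both come down to producing a schedule the cron daemon will accept. As an added example rather than APF's own code, the functions below turn a SET_REFRESH value in minutes into cron fields that stay in range (minute steps below an hour, hour steps for whole hours, a daily entry for 1440) and check the cron.d file name against the run-parts convention that Debian's cron enforces (letters, digits, underscore and hyphen only). The file name refresh-apf is a hypothetical replacement; APF itself ships the file as refresh.apf.

```shell
#!/bin/sh
# Added example (not APF's own code): build a /etc/cron.d entry for APF's
# --refresh that cron will not reject. A step of */N in the minute field is only
# valid for N below 60; */480 yields "bad minute". Cron steps wrap at the end of
# the field (*/7 fires at :00, :07 ... :56, then :00), which is acceptable here.

# refresh_cron_schedule MINUTES -> prints the five schedule fields, or fails
refresh_cron_schedule() {
  rcs_m=$1
  case $rcs_m in
    ''|*[!0-9]*|0) echo "refresh interval must be a positive integer" >&2; return 1 ;;
  esac
  if [ "$rcs_m" -lt 60 ]; then
    printf '*/%s * * * *\n' "$rcs_m"                  # every M minutes
  elif [ "$rcs_m" -eq 1440 ]; then
    printf '0 0 * * *\n'                               # once a day
  elif [ $((rcs_m % 60)) -eq 0 ] && [ "$rcs_m" -lt 1440 ]; then
    printf '0 */%s * * *\n' $((rcs_m / 60))            # every H hours, on the hour
  else
    echo "cannot express $rcs_m minutes as one cron schedule" >&2; return 1
  fi
}

# cron_d_name_ok NAME -> exit 0 if NAME is acceptable in /etc/cron.d
# (run-parts rule: letters, digits, '_' and '-' only; no dots)
cron_d_name_ok() {
  case $1 in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# write_refresh_cron NAME MINUTES -> prints the content for /etc/cron.d/NAME
write_refresh_cron() {
  cron_d_name_ok "$1" || { echo "bad cron.d file name: $1" >&2; return 1; }
  wrc_sched=$(refresh_cron_schedule "$2") || return 1
  printf 'MAILTO=""\nSHELL=/bin/sh\n%s root /etc/apf/apf --refresh >/dev/null 2>&1\n' "$wrc_sched"
}

# Demo: the 480-minute (8 hour) interval discussed in the thread.
write_refresh_cron refresh-apf 480
```

`write_refresh_cron refresh-apf 480 > /etc/cron.d/refresh-apf` replaces the generated file; the trailing `&` in APF's original line is unnecessary, since cron already runs each job detached from the daemon.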
about 1 year ago
May I ask for a programming change to internals/functions.apf where you would add the following as part of the option string for wget?
--bind-address=$NET
Example:
$WGET --bind-address=$NET -t 1 -T 4 $GD_URL_PROT://$GD_URL >> /dev/null 2>&1
That way providers who are limiting access for, say, the global trust service can rely on the wget requests coming from the primary network card IP rather than a different IP.
Thank you!
about 1 year ago
I’ll get this into the next update of APF along with some of your more recent contributed changes, thanks as always Peter for being a loyal and long time supporter of my projects.
about 1 year ago
Hi Ryan:
http://www.dynamicnet.net/2012/03/digging-local-dns-resolution-apf/ is my answer for how to handle APF on machines where APF hangs on reboot.
Thank you.
about 1 year ago
I am about to install a new system.
I have been an ardent supporter of apf for 3 years now, but I want to make sure that my new system will handle ipv6.
I saw 1-year-old comment from Ryan on this forum saying ipv6 would be addressed “in the very near future”.
Is there a timetable for ipv6 capability in apf? If so, when? If ipv6 support will be added, will I be able to just upgrade an existing install or will I need to rip and replace?
A quick reply would be appreciated
Richard
about 1 year ago
I do not have an ETA on full ipv6 support for APF however since APF is simply an iptables wrapper, it should not be a terribly complicated process to implement. This is something I will put time into as soon as possible.
about 1 year ago
Please do. I have a number of systems with IPv6 addresses and as a result they are completely exposed. IPv6 support would be very much welcomed!
about 1 year ago
How can I check whether apf is running after a reboot? It doesn't have any status, so how can we know?
about 1 year ago
You can run apf -l to see a list of loaded iptables rules or check /var/log/apf_log to see the status output of the wrapper.
about 1 year ago
Hello All,
Is there a way to specify a port range in the apf rules?
In iptables it is something like:
--dport 100:105
so it will open from 100 to 105.
about 1 year ago
You can define port ranges with the underscore (_) character such as: 100_105
about 1 year ago
Hi,
APF won't work (start) with a kernel above 2.6 … I installed the Debian package (apt-firewall) but it then won't download the rules because starting with "/usr/local/sbin/apf -s" won't work.
thanks for the good work!
martin
about 1 year ago
I’ll look into this and get an update released shortly.
about 1 year ago
Hi,
I am getting attacks on the apache doc root, and the attacker is changing their IP address randomly. Is there any option to block the attacker by using their MAC address?
about 1 year ago
You can only filter by mac addresses for traffic inside your own network, as all public internet traffic will have the mac address of your local router/switch.
about 1 year ago
Good day, Ryan:
In your next release of APF, please consider separate toggle (on/off) inclusions for the following:
http://www.dragonresearchgroup.org/insight/sshpwauth.txt
http://www.dragonresearchgroup.org/insight/vncprobe.txt
http://www.dragonresearchgroup.org/insight/http-report.txt
For any list that can be included, please consider adding checks to remove any duplications.
Thank you.
about 1 year ago
On some servers where their DNS is shaky at start up, APF basically locks up the machine because there appears to be no time out.
Can you please put in some logic that tests to see if DNS is working the way APF needs it to start, and then skip starting (sending an email out notifying it did not start)?
about 1 year ago
Hi Ryan:
On the iptables/DNS issue where APF can hang (until the server is rebooted and gone through interactively, skipping APF), is there some type of shell wrapper you could write to run a DNS test that, if it fails, skips loading apf, and otherwise starts apf?
Thank you.
about 1 year ago
Hi Ryan:
Here is a proof of concept test that may help (it does require dig to be available on the server):
#!/bin/sh
# Ask the local resolver once, with a one-second timeout, and keep only a timeout line.
DNS_CHECK=`/usr/bin/dig +time=1 +tries=1 +retry=0 yahoo.com | /bin/grep 'timed out'`
DNS_FAILED=';; connection timed out; no servers could be reached'
if [ "$DNS_CHECK" != "$DNS_FAILED" ]; then
    echo "local DNS is working"
else
    echo "local DNS is not working"
fi
I tested "/usr/bin/dig +time=1 +tries=1 +retry=0 yahoo.com" and if local DNS is down, it comes back with its answer in <= 2 seconds.
Could something like this be used to determine if APF should be started on reboot?
And if not, then have an email address in /etc/apf/conf.apf for the admin to be emailed that apf is down?
about 1 year ago
Using APF 9.7, when I use -r to restart I get these errors (DDOS and BFD are installed):
apf(6891): {trust} deny all to/from /usr/local/ddos/ddos.sh
iptables v1.3.5: invalid mask 'ddos.sh' specified
apf(19641): {trust} deny all to/from /usr/local/sbin/bfd
iptables v1.3.5: invalid mask 'bfd' specified
I’ll buy you a couple of beers if you can help me fix this.
Thanks
about 1 year ago
It looks like you got some invalid entries in the APF deny file , I would recommend clearing out the file /etc/apf/deny_hosts.rules. The file should only contain IP/Host entries or commented lines prefixed with #.
rm -f /etc/apf/deny_hosts.rules
(apf will recreate it)
about 1 year ago
Do I have to disable the CentOS firewall before installing apf?
Thanks for the answer.
about 1 year ago
No, APF will take over from CentOS Firewall for you.
about 1 year ago
Where are the old versions of all your projects? Sometimes the new versions just don't work and you need the exact old versions.
Like the syntax changes you made to the current version of APF make iptables shit itself.
about 1 year ago
Are there any errors that you are seeing specifically ? Please let me know and I will look into it promptly to correct it.
As for older versions of APF, I have put together a path where all previous versions can be downloaded:
http://www.rfxn.com/downloads/old/apf/
I hope this helps, thank you for your continued use of APF.
about 1 year ago
Just thought I’d mention a couple of the external blocklists are significantly out of date:
The Project Honey Pot blocklist (rfxn.com/downloads/php_list) doesn’t appear to have been updated in some time and most of the IPs I double checked haven’t seen any malicious activity in the last 3 months.
The DShield list (feeds.dshield.org/top10-2.txt) also appears to be very out of date – it has a timestamp of 1st June 2011, despite no obvious indications on their website.
They have a newer top 100 list, but they recommend using a 20 subnet blocklist instead (http://feeds.dshield.org/block.txt).
The Spamhaus list is still up to date and the reserved networks appears to be mostly correct as well (maybe a couple of entries missing).
about 1 year ago
Good day, Ryan:
On some servers where their DNS is shaky at start up, APF basically locks up the machine because there appears to be no time out.
Can you please put in some logic that tests to see if DNS is working the way APF needs it to start, and then skip starting (sending an email out notifying it did not start)?
Thank you.
about 1 year ago
The current version of APF doesn’t like Ubuntu’s new kernel. Is there anything I can adjust in the configs to allow it to start?
apf(32091): {glob} activating firewall
apf(32131): {glob} kernel version not equal to 2.4.x or 2.6.x, aborting.
apf(32091): {glob} firewall initalized
uname -a
Linux xxxxxx 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
about 1 year ago
You must go into conf.apf and set MONOKERN to "1". This is likely because you have a non-modular iptables on your system.
I ran into the same issue when I tried to run it the first time.
U.
about 1 year ago
what about this error:
apf(22428): {rab} force set RAB disabled, kernel module ipt_recent not found.
on recent centos installations the module used is xt_recent not ipt_recent
about 1 year ago
You can do that by editing
/etc/apf/allow_hosts.rules
add in there something like:
tcp:in:d=3306:s=192.168.0.0/24
to allow incoming tcp traffic with source 192.168.0.0/24 and dest port 3306
about 1 year ago
I couldn’t find anything in the docs or the changelog regarding IPv6 support, save for a one year old comment that promised it to be implemented in the “near future”. So what’s the current status of IPv6 support?
about 1 year ago
Great firewall!! Best I've seen so far. But there is one tiny thing I wish for. I run Debian Squeeze and when looking into the apache2 access.log I often see IPs trying to get files like PHPMYADMIN. Then I wish I could block that IP, a kind of conditional blocking.
Otherwise I'm satisfied. Many thanks.
about 1 year ago
I have a question on upgrading APF from a previous (any) version to the latest:
Is it OK to install on top of the installed version while the firewall is running, or should we uninstall the previous one first?
Thank you
about 1 year ago
Hi,
I use your script with debian squeeze..
Recently, I have :
root@xxx:~# apf -d 91.86.84.61
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
apf(15440): (trust) added deny all to/from xx.xx.xx.xx
Why ?
My kernel is 2.6.38.2
Thx for answer
about 1 year ago
Found a server having very bad performance on "high" latency links (~80ms RTT, gbit US-EU resulting in max 7mbit…)
The poor performance was caused by
"echo 0 > /proc/sys/net/ipv4/tcp_window_scaling"
(part of SYSCTL_TCP)
Is there a specific reason to keep it disabled?
Re-enabling window_scaling allowed me to reach the expected 500mbit+ on the exact same link :/
about 1 year ago
I have the same problem as evcz .
SYSCTL_TCP="1" results in "tcp_window_scaling=0" – which leads to very much poorer server performance!
about 1 year ago
This issue has been fixed in the production release of APF, I have removed tcp_window_scaling from the SYSCTL_TCP function. To enable window scaling again, run:
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
The use of window scaling is a double edged sword and though years ago posed some security implications along with standards issues, that is no longer the case today and its usage, being default enabled on most distro releases now, warrants the removal of disabling it from APF.
about 1 year ago
So for a reason that I don't understand, it runs apf -u 160, which deletes the rules that match 160 in /etc/apf/allow_hosts.rules and /etc/apf/deny_hosts.rules
about 1 year ago
It's related to ddos deflate
It's using the command apf -u ip_address to unban an IP!!
What it does is remove the host from [glob]*_hosts.rules and immediately remove the rule from the firewall
about 1 year ago
Hi,
thx for your great tools,
and I have some problems as I have two NICs to the internet, to different ISPs; I want apf to work on both of them,
how can I do that?
my config is:
# Untrusted Network interface(s); all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interfaces. Only one interface is accepted for each value.
#IFACE_IN="eth1"
#IFACE_OUT="eth1"
IFACE_IN="eth2"
IFACE_OUT="eth2"
IFACE_IN="eth1"
IFACE_OUT="eth1"
about 1 year ago
How can I filter access to port 3306 and allow only internal “c-class” access
thanks
barry
about 1 year ago
Replying to comments on this page does not work (white page).
Anyhow, thanks for the update without the disabling of window scaling.
about 1 year ago
Great tool. Any plans to allow filtering on multiple interfaces like CSF? I am aware of the ability to specify different in and out interfaces as well as the trusted interface. However what I am looking for is the ability to filter 2 incoming interfaces for example.
about 1 year ago
Is there perhaps a Polish translation for this? Unfortunately I don't know English…
about 1 year ago
Hi, thanks so much to share with me here. Really a good discussion is provided by you here. Keep up such good posts!
about 1 year ago
Hello again
I forgot to add what I saw in a bug report:
“internals/reserved.networks contains networks like 187.0.0.0/8 and many others that have been allocated by IANA and are now legitimate IP4 addresses”
More details in Debian bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627157
Regards
about 1 year ago
Hello,
First I want to thank you for this beautiful and easy firewall software.
Issue #1:
I have noticed that global trust rules cannot contain the IP of the machine downloading the rules, or else the machine will go crazy and open itself to every connection.
This is strange to me; I think one interesting use of global trust is to have a set of machines downloading a single trust allow file containing their own IPs so they can communicate freely with each other.
Wouldn't it be great if the downloading apf just ignored the line with its own IP and respected the other lines?
Issue #2:
The SET_REFRESH option is useless (tested on Debian 5 and 6), because the cron daemon will ignore scripts in /etc/cron.d/ with dots (.) in their name. (Instead cron will download the rules once a day.)
Interestingly, if you rename refresh.apf and take out the dot, cron will complain saying that there is an error in the minutes format (Debian-specific issue?)
Issue #3:
I back up the guys who report RAB is not working because of a problem in the check_rab() function in internals/functions.apf.
Changing the line:
if [ "$RAB" == "1" ] && [ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_recent.$MEXT" ]; then
To:
if [ "$RAB" == "1" ] && [ `grep -c "recent" /proc/net/ip_tables_matches` == "0" ]; then
will solve the issue as reported elsewhere.
Thank you very much for your work, I hope my suggestions can further improve apf.
about 1 year ago
I have installed APF and BFD on my Trixbox PBX that has an external IP address. It looks like a lovely tool. However I was trying to confirm that all traffic, outgoing and incoming, is automatically blocked upon installation, but to me it doesn't seem so. I don't have a rule for my VoIP provider, yet incoming calls to my box via the VoIP provider are going through.
Can you assist me in letting me know what I am missing? I would like to confirm that there is no possible access to the box without a rule.
Thanks
about 2 years ago
I’d like to confirm that RAB won’t work on CentOS 5.5 with APF 9.7-1, giving the error “{rab} force set RAB disabled, kernel module ipt_recent not found.” (though the module is loaded)
I had to change the internals/functions.apf check for ipt_recent as suggested by Mike.
about 2 years ago
Hi there,
I installed APF on a webserver of mine which deals some ddos attacks in the last time. Now the server requires SSL, so I added
IG_TCP_CPORTS="21,22,25,80,443"
The firewall is working and in combination with ddos.sh it does the job but: If I try to connect to the site from different ISPs the connection fails.
Am I missing something fundamental in the config? I’ve installed apf on my ubuntu 10.04 LTS server, Version: APF version 9.7
Regards
asrijaal
about 2 years ago
Are you aware of any bug in apf 9.7 rev 1 or bfd removing the local network from the firewall, with a line like this in the apf log?
{trust} removed 168 from trust system
Thanks
about 2 years ago
random bad luck confused me! apf is working perfectly. I shall send a donation, thank you, apf is a great tool to manage iptables rules.
about 2 years ago
Glad to hear it was just an unfortunate case of luck and that things are working properly
about 2 years ago
After many hours of reading and tweaking I overcame my newbie mistakes and got apf working… but I think it may be working too well, as Google Checkout was unable to complete the callback to insert an order into my orders database.
I got this error message from Google Checkout:
“Your server returned no data in its response; Checkout requires data of type merchant-calculation-results in response to merchant-calculation-callback”
It might be random bad luck or it might be the apf firewall – Google say there was a response, so I’m leaning towards the idea that apf didn’t block Google Checkout.
I’ve configured conf.apf like so:
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
IG_UDP_CPORTS="20,21,53,123"
IG_ICMP_TYPES="3,5,11,0,30,8"
EGF="0"
Have I made a newbie error by not allowing 80 and 443 in IG_UDP_CPORTS? Sorry if this is a silly question.
I have looked at the possibility of creating a whitelist of Google Checkout IP numbers for allow_hosts.rules but Google Checkout are always changing their IP numbers, they are basically unhelpful to anyone asking for Google Checkout callback IP numbers.
I’m also wondering if I’ll see similar callback problems with PayPal IPNs… for now I’ve run $ apf -f and will come back to apf when I’ve read more about ports and protocols and am feeling less newbish. Maybe I did overkill when I enabled so many blacklists.
about 2 years ago
I personally use APF on systems with IPN callbacks from PayPal and have never had an issue, nor has it ever been reported by anyone else — and there are over 21,000 servers using APF currently, so it's not for a lack of opportunity for it to cause a problem. Technically speaking, as long as you have port 80/443 open, most callback systems should work fine.
about 2 years ago
I have a problem: every day at 4am my server gets blocked by the firewall; I have to do "iptables -F" to gain access again. All day it works well, and then at the next 4am everything gets blocked.
May 10 04:00:01 xela crond[17416]: (root) CMD (/usr/local/sbin/bfd -q)
May 10 04:00:01 xela crond[17422]: (root) CMD (/etc/apf/apf --refresh >> /dev/null 2>&1 &)
how to fix it??
about 2 years ago
How do I report a bug?
RAB is always disabled on RHEL4 and RHEL5 though the kernel supports the necessary module:
{rab} force set RAB disabled, kernel module ipt_recent not found.
It happens because this check in internals/functions.apf fails:
[ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/xt_recent.$MEXT" ]
I think there should be && instead of || in that line.
Also, I think there is a better way to check for ipt_recent support:
[ `grep -c "recent" /proc/net/ip_tables_matches` == "0" ]
(idea taken from here: http://wiki.mediatemple.net/w/%28ve%29:Using_apf_with_RAB)
Thanks for the great work!
about 2 years ago
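A detection check along the lines the report above suggests, added here as an example and not APF's own functions.apf code: it consults /proc/net/ip_tables_matches first (which also works in containers that have no module files) and only then looks for the module files, and it reports RAB as unavailable only when both tests fail. The file and directory arguments, the rab_status wrapper and the fixture files are assumptions made so the check can be exercised offline.

```shell
#!/bin/sh
# has_recent_match MATCHES_FILE MODULES_DIR
# Returns 0 when the netfilter "recent" match (ipt_recent / xt_recent) is
# usable, 1 otherwise. Both arguments are optional and default to the live
# system paths; they exist so the check can be run against fixture files.
has_recent_match() {
    matches_file="${1:-/proc/net/ip_tables_matches}"
    modules_dir="${2:-/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter}"

    # 1) The kernel lists every registered match here, so this also works
    #    in VPS containers that have no module files at all.
    if [ -r "$matches_file" ] && grep -qx 'recent' "$matches_file"; then
        return 0
    fi

    # 2) Fall back to the module files. Either name is sufficient, so the
    #    two tests are joined with ||; RAB should only be disabled when
    #    BOTH files are missing (two "! -f" tests joined with ||, as the
    #    report above describes, disable it when only one is missing).
    for ext in ko ko.gz ko.xz o; do
        if [ -f "$modules_dir/ipt_recent.$ext" ] || [ -f "$modules_dir/xt_recent.$ext" ]; then
            return 0
        fi
    done
    return 1
}

# rab_status MATCHES_FILE MODULES_DIR: prints "enabled" or "disabled",
# mirroring the decision behind the log line quoted in the report.
rab_status() {
    if has_recent_match "$1" "$2"; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# Constructed fixtures (not real kernel data) so the check runs offline.
FIXTURE_DIR="$(mktemp -d)"
printf 'udp\ntcp\nrecent\nstate\n' > "$FIXTURE_DIR/matches_with_recent"
printf 'udp\ntcp\nstate\n' > "$FIXTURE_DIR/matches_without_recent"
mkdir -p "$FIXTURE_DIR/mods_xt_only" "$FIXTURE_DIR/mods_none"
: > "$FIXTURE_DIR/mods_xt_only/xt_recent.ko"    # xt_ name only, no ipt_ file

rab_status "$FIXTURE_DIR/matches_with_recent" "$FIXTURE_DIR/mods_none"       # enabled
rab_status "$FIXTURE_DIR/matches_without_recent" "$FIXTURE_DIR/mods_xt_only" # enabled
rab_status "$FIXTURE_DIR/matches_without_recent" "$FIXTURE_DIR/mods_none"    # disabled
```

Without arguments the function inspects the running system, so `has_recent_match && echo usable` is the whole check on a real box.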
How can I see what line is not working?
I see a few lines:
iptables: Unknown error 4294967295
But I don't know which line is causing this.
Can anybody help?
about 2 years ago
Hi,
That error looks like it's coming from a Virtuozzo VPS. Either way it's caused by not having the correct iptables kernel modules available.
If you are running on a VPS you should raise the issue with your provider, and if they look confused point them here: http://forum.parallels.com/showthread.php?t=62771
Paul.
about 2 years ago
I'm running CentOS 5.6 on a VPS
(multi-homed XenServer Enterprise platform)
but is there a way to see what rule or line is causing this error? Maybe I don't need that line?
Thanks.
about 2 years ago
Ryan,
Where exactly in the APF config would I specify this sort of iptables command:
iptables -A INPUT -p tcp -m tcp --sport 2222 --dport 22 -j ACCEPT
For the example above, I don’t want to change the listening port for the installed service, but I want external connections to have to connect to port 2222/tcp.
I have tried manually running the iptables command, but it gets inserted after the 3 tcp,udp,all DROP commands on the INPUT chain.
I presume I have the correct syntax.
Thanks,
–Gord.
about 2 years ago
You can add this entry to /etc/apf/preroute.rules
about 2 years ago
Hi,
The internals/reserved.networks file (829 bytes) contains 62 ‘Class A reserved networks’, but the IANA.org website only has 16 reserved networks 224.0.0.0/8 – 255.0.0.0/8.
The other 46 Class A networks listed in the reserved.networks file cause legitimate IPs to be blocked.
–Gord.
about 2 years ago
This is not the case:
http://rfxn.com/downloads/reserved.networks
The maintained reserved.networks file that rfxn.com hosts has only 13 lines in it. Unless you go out of your way to disable in conf.apf the updating of the reserved.networks file, this will automatically update whenever APF starts.
However, I have gone ahead and updated the reserved.networks file within the apf-current release package for good measure.
about 2 years ago
The Debian 6.0 package for apf-firewall has the following default conf.apf settings:
BLK_RESNET="1"
DLIST_RESERVED="0"
Also, in the conf.apf file, the description for BLK_RESNET describes a second variable called USE_RD, which does not exist. I presume USE_RD has been updated by DLIST_RESERVED.
I have updated my reserved.networks file to the current one on your site.
dpkg --list | grep apf
ii apf-firewall 9.7+rev1-2 easy iptables based firewall system
–Gord.
about 2 years ago
I’ve been playing with apf for a few days. Looks really good.
However, I run my Linux firewall as a NAT host as well as a router. Is there any support within apf for performing NAT as well?
about 2 years ago
Let me clarify, because reading my post it might be confusing.
I use my CentOS Linux box as a firewall on a dynamic DSL connection. My clients connect to it for internet access, and they expect the firewall to NAT connections for them.
about 2 years ago
Hi,
Thank you very much for your helpful projects.
I am using your scripts; everything looks to be working well, but when I log in to cPanel there is a problem:
########################
[a fatal error or timeout occurred while processing this directive]
Pic: http://img847.imageshack.us/img847/5343/fatal.jpg
########################
And here is content of this error:
########################
not a reference at /usr/local/cpanel/Cpanel/DIp/MainIP.pm line 210
Carp::croak('not a reference') called at /usr/lib/perl5/site_perl/5.6.2/i686-linux/Storable.pm line 76
Storable::logcroak('not a reference') called at /usr/lib/perl5/site_perl/5.6.2/i686-linux/Storable.pm line 244
Storable::_store('CODE(0x9ed647c)', undef, '/home/lkstarv2/.cpanel/datastore/all_iplist.db', 0) called at /usr/lib/perl5/site_perl/5.6.2/i686-linux/Storable.pm line 218
Storable::nstore(undef, '/home/lkstarv2/.cpanel/datastore/all_iplist.db') called at /usr/local/cpanel/Cpanel/DIp/MainIP.pm line 210
Cpanel::DIp::MainIP::getconfiguredips() called at /usr/local/cpanel/Cpanel/DIp/MainIP.pm line 41
Cpanel::DIp::MainIP::getmainip() called at /usr/local/cpanel/Cpanel/DIp.pm line 38
Cpanel::DIp::isdedicatedip(210.211.110.235) called at /usr/local/cpanel/Cpanel/ExpVar.pm line 443
Cpanel::ExpVar::hasdedicatedip() called at /usr/local/cpanel/Cpanel/StatsBar.pm line 63
Cpanel::StatsBar::api2_stat('rowcounter', 'mainstats', 'display', 'hostingpackage|shorthostname|cpanelversion|theme|apacheversion|p...') called at (eval 79) line 1
eval '$dataref = [Cpanel::StatsBar::api2_stat(%{$rCFG})];' called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 84
Cpanel::Api2::Exec::api2_exec('StatsBar', 'stat', 'HASH(0xadff88c)', 'HASH(0xae06614)') called at cpanel line 607
main::real_cpexectag(‘<?cp StatsBar::stat(^J[tr class="row-%"]^J [td class="stats_lef...') called at cpanel line 3879
main::dotag_finished_headers(0) called at cpanel line 3664
main::cpanel_parseblock('<table width="100%" id="stats_extended" class="truncate-table" c...') called at cpanel line 3612
main::cpanel_parse('GLOB(0xae24f94)') called at cpanel line 2491
main::doinclude('/usr/local/cpanel/base/frontend/x3/branding//extended_statsbar.h...', 0, 1) called at /usr/local/cpanel/Cpanel/Branding.pm line 49
Cpanel::Branding::Branding_include('extended_statsbar.html') called at (eval 74) line 1
eval 'Cpanel::Branding::Branding_include(@{$argref});' called at cpanel line 1136
main::real_exectag('<?cp StatsBar::stat(^J[tr class="row-%"]^J [td class="stats_lef...') called at cpanel line 3876
main::dotag_finished_headers(0) called at cpanel line 3664
main::cpanel_parseblock('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "...') called at cpanel line 3612
main::cpanel_parse('GLOB(0xa12eb44)') called at cpanel line 2491
main::doinclude('/usr/local/cpanel/base/frontend/x3/branding//index.html', 0, 1) called at /usr/local/cpanel/Cpanel/Branding.pm line 49
Cpanel::Branding::Branding_include('index.html') called at (eval 5) line 1
eval 'Cpanel::Branding::Branding_include(@{$argref});' called at cpanel line 1136
main::real_exectag('<?cp StatsBar::stat(^J[tr class="row-%"]^J [td class="stats_lef...') called at cpanel line 3876
main::dotag_finished_headers(0) called at cpanel line 3704
main::cpanel_parseblock('^J') called at cpanel line 3612
main::cpanel_parse('GLOB(0x9fd1710)') called at cpanel line 5121
main::run_standard_mode() called at cpanel line 424
########################
Please help me to fix this problem, I can't get my cPanel info.
Thank you very much,
Regards.
about 2 years ago
This does not appear to be an error related to APF; you should seek help from the cPanel forums or check out irc.freenode.net #cpanel.
about 2 years ago
The docs for APF are about 4 years old. Do the iptables module requirements within it still hold true? With the move to virtualization, it appears the most recent CentOS builds of iptables do not include many of the modules you list (at least on our Xen servers). Looking forward to your thoughts.
about 2 years ago
I currently use the latest APF release on CentOS 5.5 based Xen servers and inside many Xen guest instances running CentOS as well. There should be no module specific changes required to APF as it will dynamically request the modules needed from the kernel.
Likewise I will work to update the APF documentation here shortly, thank you.
about 2 years ago
Ryan, for the past 2.5 months (approximately), we've been troubleshooting receiving automated emails from Verisign / GeoTrust.
It turns out one of the rule imports blocks the emails from Verisign / GeoTrust.
I've not yet been able to narrow down which rule import (php, spamhaus, dshield, ECN) is responsible.
Please do review these IP inclusions to make sure each IP on the list is still valid. Thank you!
about 2 years ago
Thank you for bringing this to my attention, I will look into it promptly.
about 2 years ago
I’m trying to insert allow rules using the “apf -a” command, but I need to just allow ssh inbound. I’m trying to use the form
apf -a tcp:in:d=22:s=10.10.10.10 "test address"
but I get an error:
iptables v1.3.5: host/network `tcp:in:d=22:s=10.10.10.10' not found
The rule seems to take anyway, at least an “apf -t” shows
Mar 06 15:56:47 ip-10-10-10-1 apf(3543): (trust) added allow all to/from tcp:in:d=22:s=10.10.10.10
and “apf -l” shows
22 0 0 ACCEPT tcp -- * * 10.10.10.10 0.0.0.0/0 tcp dpt:22
I’m guessing that apf parses the port/address specification properly, but doesn’t feed it to iptables the way iptables likes.
-Paul McKinley
about 2 years ago
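To show what APF's advanced trust syntax resolves to, here is an added example that is not APF's own rule loader: it turns a rule such as tcp:in:d=22:s=10.10.10.10 into the equivalent iptables command and prints it instead of running it. The function name, the use of -I on INPUT/OUTPUT, and the validation that rejects anything other than numeric ports and IPv4 addresses or CIDR blocks are assumptions; the underscore port-range form used elsewhere in this thread (10002_20000) is converted to the colon form iptables expects.

```shell
#!/bin/sh
# apf_rule_to_iptables RULE [allow|deny]
# RULE uses APF's advanced trust syntax: proto:flow:[s/d]=port:[s/d]=ip(/mask)
# e.g. tcp:in:d=22:s=10.10.10.10 or udp:in:d=10002_20000:s=0/0
# Prints the equivalent iptables command (dry run) or fails with a message.
apf_rule_to_iptables() {
    rule="$1"
    action="${2:-allow}"

    # Exactly four colon-separated fields are expected.
    case "$rule" in
        *:*:*:*:*) echo "too many fields in '$rule'" >&2; return 1 ;;
        *:*:*:*)   ;;
        *)         echo "expected proto:flow:port:ip, got '$rule'" >&2; return 1 ;;
    esac
    proto="${rule%%:*}";    rest="${rule#*:}"
    flow="${rest%%:*}";     rest="${rest#*:}"
    portspec="${rest%%:*}"; ipspec="${rest#*:}"

    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol '$proto' in '$rule'" >&2; return 1 ;;
    esac
    case "$flow" in
        in)  chain=INPUT ;;
        out) chain=OUTPUT ;;
        *)   echo "flow must be in or out in '$rule'" >&2; return 1 ;;
    esac
    case "$action" in
        allow) target=ACCEPT ;;
        deny)  target=DROP ;;
        *)     echo "action must be allow or deny" >&2; return 1 ;;
    esac

    # The s=/d= prefix chooses source or destination, independently for
    # the port field and the address field.
    case "$portspec" in
        s=*) portflag=--sport ;;
        d=*) portflag=--dport ;;
        *)   echo "port field needs s= or d= prefix in '$rule'" >&2; return 1 ;;
    esac
    case "$ipspec" in
        s=*) ipflag=-s ;;
        d=*) ipflag=-d ;;
        *)   echo "address field needs s= or d= prefix in '$rule'" >&2; return 1 ;;
    esac
    port="${portspec#?=}"
    ip="${ipspec#?=}"

    # APF writes port ranges as low_high; iptables expects low:high.
    port="$(printf '%s' "$port" | tr '_' ':')"

    # Reject anything that is not digits/range or an IPv4 address/CIDR, so a
    # stray hostname or shell text in a trust file never reaches iptables.
    case "$port" in
        *[!0-9:]*|"") echo "bad port '$port' in '$rule'" >&2; return 1 ;;
    esac
    case "$ip" in
        *[!0-9./]*|"") echo "bad address '$ip' in '$rule'" >&2; return 1 ;;
    esac

    printf 'iptables -I %s -p %s %s %s %s %s -j %s\n' \
        "$chain" "$proto" "$ipflag" "$ip" "$portflag" "$port" "$target"
}

# The rule from the post above, and a range rule, as dry-run output:
apf_rule_to_iptables 'tcp:in:d=22:s=10.10.10.10' allow
apf_rule_to_iptables 'udp:in:d=10002_20000:s=0/0' allow
```

The second output line shows why the `apf -a` call in the post fails: the advanced form has to be parsed into separate `-s` and `--dport` arguments before iptables sees it, whereas passing the whole string through makes iptables treat it as a host name.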
Ryan – I have a patch for apf to allow support for ESP/AH protocols so IPSEC VPNs can be used in conjunction with apf – interested in a copy?
about 2 years ago
That would be great! If you could please shoot it over to ryan@rfxn.com that would be much appreciated. I will review it and toss it into the release version if appropriate. Thank you.
about 2 years ago
Hi,
I have a strange issue that occurs intermittently. My system (CentOS 5.4) runs Plesk, and occasionally at 4.30am it will lock down access to the server to everyone except those specifically in the allow_hosts.rules file.
The cron log at the time shows that a RELOAD occurs at the same time as the 10 minute refreshes. Could this conflict?
Mar 3 04:30:01 ns6 crond[17415]: (*system*) RELOAD (/etc/cron.d/refresh.apf)
Mar 3 04:30:01 ns6 crond[30465]: (root) CMD (/etc/apf/apf --refresh >> /dev/null 2>&1 &)
Performing an apf -r fixes the issue.
Thanks in advance.
Mark
about 2 years ago
What version of APF are you currently running? I would recommend you try clearing any rules in deny_hosts and, if needed, attempt a fresh reinstall of APF.
about 2 years ago
Ryan, at present, when a CentOS (versions don’t seem to matter) reboots with APF, if there are any problems whatsoever with /etc/resolv.conf working, APF hangs the entire machine.
Can you please add a customizable time out feature to a future version of APF that if local DNS is (temporarily) down, APF will do what it can, and allow the reboot process to continue?
Thank you.
about 2 years ago
Peter,
This is a long-standing issue that has more to do with accepting host names in the trust rules: if there are any network issues they are not resolvable, and iptables has no built-in timeout feature for resolving DNS. I will see what I can come up with as a solution and put it into the next release; thank you for your continued support.
about 2 years ago
In my case, it doesn’t hang the machine, but apf doesn’t run at all. The system continues to boot, leaving my CentOS 5.5 wide open.
I look forward to an update.
about 2 years ago
Make sure APF is set to start at boot:
chkconfig --level 2345 apf on
about 2 years ago
Actually, apf is already set to run at boot time. It fails to run, period. I have to start it manually after boot.
I think mine is a variant problem related to the OP’s.
about 2 years ago
Hi,
Is there a way to block countries that will not affect the performance of APF? I did try to use /etc/apf/deny_hosts.rules and placed CIDRs in it. The file went up to 80K and this makes APF very slow when restarted, and eventually crashed the servers.
Please advise on an alternative way to do this.
Thank you.
about 2 years ago
APF uses iptables, the linux kernel firewalling mechanism which stores rules into kernel memory. As the number of iptables rules in kernel memory increases, the performance of iptables degrades. When you enter the realm of 10k+ rules you really are entering an area that iptables is not intended or designed for, I would encourage you to consider broader rules using IP masking to encompass larger netblocks thus reducing the amount of rules required. An example would be that if you want to block 172.3.44.0 – 172.3.44.255, that you block it as 172.3.44.0/24 instead of adding every IP in the range to the rules.
about 2 years ago
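The aggregation Ryan recommends, as an added example that is not part of APF: the function below reads one IPv4 address per line and, wherever a /24 contains at least a chosen number of those addresses, emits that /24 once in place of them, leaving other addresses untouched. The threshold, the function names and the sample addresses are assumptions made for the demonstration; rule_count shows how many iptables rules a list of that size turns into.

```shell
#!/bin/sh
# collapse_to_24 THRESHOLD
# Reads IPv4 addresses (one per line) on stdin. When THRESHOLD or more of
# them fall inside the same /24, that /24 is emitted once instead of the
# individual addresses; other addresses pass through unchanged. Lines that
# are not plain dotted-quad addresses are ignored. Output is sorted.
collapse_to_24() {
    threshold="${1:-4}"
    awk -v thr="$threshold" '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($0, o, ".")
            net = o[1] "." o[2] "." o[3]
            count[net]++
            members[net] = members[net] $0 "\n"
        }
        END {
            for (net in count) {
                if (count[net] >= thr)
                    printf "%s.0/24\n", net
                else
                    printf "%s", members[net]
            }
        }' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# rule_count: number of non-comment, non-blank lines on stdin, i.e. how
# many iptables rules a deny list of this size becomes.
rule_count() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$'
}

# Constructed sample (not real data): 4 hosts in 172.3.44.0/24, 2 in 10.0.0.0/24.
SAMPLE_IPS='172.3.44.1
172.3.44.2
172.3.44.3
172.3.44.200
10.0.0.5
10.0.0.6'

printf '%s\n' "$SAMPLE_IPS" | collapse_to_24 4
# 10.0.0.5
# 10.0.0.6
# 172.3.44.0/24
```

The trade-off is the one the thread already implies: a /24 blocks every host in it, so the threshold decides how much collateral blocking is acceptable for the rule-count saving. The same grouping applied to the first two octets gives /16 blocks for lists that, like the follow-up post's, already consist of /24s.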
Hi Ryan,
Appreciate the reply. I guess the limit is hit. I am already using x.x.x.x/24 on the file.
Thank you
about 2 years ago
Any tips for running APF on a public-facing name server? We have attempted to run it and find that after a period of time strange events start happening where our network monitor (Opsview, aka Nagios) starts thinking SMTP has died on a couple of our email servers. As soon as we turn off APF on the name servers our network monitor thinks all is good again. SMTP is in fact OK, so not sure where to look or how to correct what APF is clearly causing.
Any tips or ideas?
about 2 years ago
Trust your SMTP servers in the firewall if possible, i.e: apf -a IP. You can also try to disable RESV_DNS_DROP in conf.apf, which may help.
about 2 years ago
To access the site adultdailycare.net it asks me for a username and password, help me
about 2 years ago
I am using your APF solution on a couple of my servers and it is very useful. You did a great job with it.
Recently I updated the kernel to 2.6.18-194.26.1.el5xen (CentOS) on most of the machines due to security issues in the previous version. Unfortunately this breaks APF completely. iptables, when started manually with the rules set manually, works fine, but when I run APF it doesn't.
All the rules are there. I tried doing iptables save and then reloading it with service iptables start – it doesn’t help.
It seems like nothing is being filtered by the rules set with APF. Can anyone help?
about 2 years ago
I have been using the APF firewall with Plesk for around 3 years and I am quite satisfied with it.
Recently one of our customers required limiting the number of connections per IP on his server, but I couldn't find anything in APF which can achieve this.
I found on a website the syntax that can be used to limit the connections per IP using the connlimit module, but I don't know how to use this in APF.
/sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset
Please advise.
about 2 years ago
See the post by Ryan 19 posts below
If you are looking for generic flood protection from SYN/CONNECTION based flooding of port services, you can use fguard:
http://rfxn.com/downloads/fguard
Edit the script with your email address and set the ptrig values, they are in the format of PORT:TRIGGER , trigger is the maximum amount of connections from a single IP before it is blocked i.e: 80:100 = port 80, ban at 100 connections per ip.
about 2 years ago
Maybe you can tell how we can use this in APF?
Where does it need to be saved and how can we make APF understand to use the file?
about 2 years ago
You can run fguard from cron, it will pass bans to APF.
about 2 years ago
I was introduced to apf (and bfd) by a very helpful friend, Ian and I absolutely love the simplicity of configuration and the clarity of the documentation.
I am still in trial mode with it but I ran across a problem that was not solved by the recommended configuration and would like to see if there is a better way to handle it. I have used a workaround solution but it carries with it problems of its own so I do not want to leave that solution in place long term.
I tried going to the forum as recommended in the readme in /etc/apf/doc but the url bounced so I am trying this route.
Is there a way (like apf -d) that I can add IPs to a list that will stop ALL traffic from that IP, even if the traffic is coming in on a port that is allowed to all others?
It appears to me that when I try to add an IP to be blocked via apf -d IP, it places the DENY IP rule late in the iptables rule set, AFTER the ALLOW PORT rule has already passed the offender through to my server. This sequencing invalidated my attempt to use apf -d IP to stop a hacker from South Africa from pounding away at my server. At one point, this hacker had over 2,000 connections going at my server. BFD did not catch and stop the hacker since I run a VOIP PBX and the hacker came in with SIP registrations which were legitimate (calls) according to the server.
We did stop the hacker by setting USE_RD="0" to stop apf from refreshing the reserved.networks file and adding the offending IP (196.28.38.72) to the reserved networks file. This put the DENY IP rule early on in the iptables rule set and stopped the hacker before the ALLOW PORT rule was encountered. Unfortunately, I am now left with a static reserved.networks file and I do not like that solution long term.
I would have thought that using apf -d would tell the system that IP is NEVER to be allowed in, but that does not seem to be the case.
My question is: Is there a way (like apf -d) that I can add IPs to a list that will stop ALL traffic from that IP, even if the traffic is coming in on a port that is allowed to all others? And of course allow me to go back to a reserved.networks file that is automatically updated?
Any ideas?
Richard
Richard Cantin
Ayuda
(519) 957-2414
rcantin@ayuda.ca
++++++++++++++++++++++++++++++++++++++++++++++++++
I run a VOIP PBX as the ONLY application on the server where I put apf and bfd
I only need UDP ports 5060 and 10002_20000 accessible from the outside world to let this work, so I have shut down all other incoming ports via IG_TCP_PORTS="" and IG_UDP_PORTS="5060,10002_20000". Ian and I also tried leaving ALL ports disallowed in conf.apf (IG_UDP_PORTS="" as well as IG_TCP_PORTS="") and putting into allow_hosts.rules the following:
# Add the local network to ensure internal connections can do anything
192.168.1.0/24
#
# Open, to all external connections that are not denied in deny_hosts.rules,
# the UDP Ports required to support external access for VOIP
# SIP Registration (5060)
udp:in:d=5060:s=0/0
udp:out:d=5060:d=0/0
# RDP (Audio) (10002_20000)
udp:in:d=10002_20000:s=0/0
udp:out:d=10002_20000:d=0/0
but that did not make things any better.
The VOIP PBX is working fine so this set up allows what I need to pass. (and unfortunately the South African hacker, unless I add the offending IP to the reserved.networks file)
about 2 years ago
I have changed the order in which APF loads the trust rules (allow/deny) to place the drop lists before any allow rules are loaded. This change has been pushed to the release version of APF.
about 2 years ago
Hi,
There is no explanation of how to set up a VNET for virtual private servers. In the readme file it says to look at 3.4 for more detailed information, but I did not find any info about how to set it up; 3.4 just gives the topic name and no article is provided.
about 2 years ago
Hi
I'm a bit 'lost' with installing APF on a Trustix Linux box, which is a very outdated Linux release, but I can't afford to update/replace it with newer live distros.
Anyway, I D/L-ed 'apf-current.tar.gz' and ran ./install.sh
then I edited the conf and wanted to try, but unfortunately with no luck as I get:
service apf restart
apf: unrecognized service
or
chkconfig --list apf
error reading information on service apf: No such file or directory
APF installed in “/etc/apf” but not as a service it seems.
Unfortunately RPM installation didn’t do it either.
Can it be done like it is on CentOS ?
Thank you
about 2 years ago
What do you mean when you say that you cannot afford to upgrade to a newer Linux? CentOS is freeware. All it will cost you is six blank CDs.
about 2 years ago
Is there a forum for APF and other utilities? I see a forum when I search Google, but it appears to be restricted.
Anyway, I have a problem with APF not starting correctly on OpenVZ with multiple IP addresses. venet0 is 127.0.0.1 and venet0:0 and venet0:1 are the external IPs, and APF comes up with errors on them. I don't know whether the ethX:X/venetX:X syntax is affecting it.
Does it work with multiple IPs? IFACE_IN and IFACE_OUT appear to take single IPs only.
apf(20007): {glob} flushing & zeroing chain policies
apf(20007): {glob} firewall offline
apf(20043): {glob} activating firewall
apf(20088): {glob} could not verify that interface venet0:0 is routed to a network, aborting.
apf(20043): {glob} firewall initalized
apf(20043): {glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes.
about 2 years ago
May I ask where you ran nmap? If it's on the same system then you will see the result that it's up. Please test it from a separate system.
about 2 years ago
I recently installed APF. It appears to have installed properly. My aim is to block port 25 on the server. However, after removing port 25 from the config file and reloading, port 25 is still OPEN. I confirmed this by running nmap, and port 25 is still open. Can someone tell me what might be wrong?
about 2 years ago
Hi Ryan,
Looking forward to it.
Keep safe.
Thank you
about 2 years ago
Hi,
First of all, thank you for the great software you have created. It is one of our vital protections against outside threats.
Currently we have an issue with IPv6. May I ask if APF can filter IPv6? Doing an iptables -L shows all the rules loaded, but when ip6tables -L is used the output is:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I guess there are no filter rules on IPv6. We are using an IPv6-aware OS on the public network.
Please advise on how to enable IPv6 filtering.
Thank you
about 2 years ago
IPv6 is not yet supported by APF, this is something that will be released in the very near future.
about 2 years ago
Hello
I was wondering if it's possible to use APF for a standalone PC connected to an untrusted LAN, not necessarily intended to be used as a server, just for personal use.
thanks
about 2 years ago
Hi Ryan:
I hope you and your family are doing well.
When you get to updating APF, can you check how it can be made more user friendly on reboots when local dns (/etc/resolv.conf) may be broken?
What we’ve seen is that if there are any local DNS resolution issues, APF can cause bootup to hang for an indefinite period of time.
Thank you.
about 2 years ago
Can you put the proper way of updating from older versions of apf to your current version in your faq/readmes?
about 2 years ago
Hello all,
I was DDoSed for 2 days now... APF + ddos-deflate seems to help!
But could anybody help me with how to run my own firewall script and APF simultaneously?
Because my own firewall script is also kinda big and there are some important drops in it, so I have to get it running.
Thanks for your help!
Greetz, Mike
about 2 years ago
Hi Ryan,
Firstly thanks for a great tool you provide in APF.
I have recently installed 9.7-1 and greatly appreciate the ease of managing global allow and deny lists remotely from a single source.
I decided to keep my global lists in a secure password protected directory, and to this end made some modifications to APF to allow ease of configuration, which I believe may be a nice addition to your official release.
Herewith the changes:
conf.apf:
----------
# Global Trust
...
USE_RGT="1"
# Specify whether wget should check the SSL certificate - used in conjunction with the https protocol.
RGT_CHECK_CERT="0"
# Specify a username and password for wget to apply when fetching the global lists
RGT_WGET_USER="apf"
RGT_WGET_PASS="test"
...
internals/functions.apf:
glob_allow_download() {
    ...
    # Set whether wget should check the certificate or not
    if [ "$RGT_CHECK_CERT" == "1" ] && [ "$GA_URL_PROT" == "https" ]; then
        CHECK_CERT=""
    else
        CHECK_CERT="--no-check-certificate"
    fi
    # Set the wget username if necessary
    if [ ! "$RGT_WGET_USER" == "" ]; then
        WGET_USER="--user=$RGT_WGET_USER"
    else
        WGET_USER=""
    fi
    # Set the wget password if necessary
    if [ ! "$RGT_WGET_PASS" == "" ]; then
        WGET_PASS="--password=$RGT_WGET_PASS"
    else
        WGET_PASS=""
    fi
    $WGET -t 1 -T 4 $CHECK_CERT $WGET_USER $WGET_PASS $GA_URL_PROT://$GA_URL >> /dev/null 2>&1
    ...
}
glob_deny_download() {
    ...
    # Set whether wget should check the certificate or not
    if [ "$RGT_CHECK_CERT" == "1" ] && [ "$GD_URL_PROT" == "https" ]; then
        CHECK_CERT=""
    else
        CHECK_CERT="--no-check-certificate"
    fi
    # Set the wget username if necessary
    if [ ! "$RGT_WGET_USER" == "" ]; then
        WGET_USER="--user=$RGT_WGET_USER"
    else
        WGET_USER=""
    fi
    # Set the wget password if necessary
    if [ ! "$RGT_WGET_PASS" == "" ]; then
        WGET_PASS="--password=$RGT_WGET_PASS"
    else
        WGET_PASS=""
    fi
    $WGET -t 1 -T 4 $CHECK_CERT $WGET_USER $WGET_PASS $GD_URL_PROT://$GD_URL >> /dev/null 2>&1
    ...
}
This allows you to specify via the configuration file whether or not to check the SSL certificate against the available certificate authorities, as well as being able to password protect the global access lists that you have made publicly accessible.
Regards,
Patric
about 2 years ago
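A remotely fetched list is input to the firewall, and with RGT_CHECK_CERT="0" it arrives without certificate verification, so its contents are worth checking before they become rules. The validator below is an added example, not APF's code and not part of Patric's patch: it accepts only comments, bare IPv4 addresses or CIDR blocks, and advanced-syntax trust rules, and lists every other line. Refusing host names also avoids the boot-time DNS stall discussed earlier in this thread. The function names and the sample file are assumptions.

```shell
#!/bin/sh
# list_bad_lines FILE
# Prints every line of FILE that is not a comment, a blank line, an IPv4
# address or CIDR block, or an APF advanced trust rule
# (proto:flow:[s/d]=port:[s/d]=ip(/mask)). Prints nothing if the file is clean.
list_bad_lines() {
    ipv4='(([0-9]{1,3}\.){3}[0-9]{1,3}|0)(/[0-9]{1,2})?'
    rule="^(tcp|udp):(in|out):[sd]=[0-9]+(_[0-9]+)?:[sd]=$ipv4\$"
    # grep -v with several -e patterns prints lines matching none of them;
    # grep exits 1 when nothing is printed, which is the clean case here.
    grep -Ev -e '^[[:space:]]*(#.*)?$' -e "^$ipv4\$" -e "$rule" "$1" || :
}

# trust_list_is_clean FILE: succeeds only when list_bad_lines prints nothing,
# i.e. the file is safe to hand to the rule loader.
trust_list_is_clean() {
    [ -z "$(list_bad_lines "$1")" ]
}

# Constructed sample of a fetched global deny list (not real data).
SAMPLE_LIST="$(mktemp)"
cat > "$SAMPLE_LIST" <<'EOF'
# global deny list, constructed sample
203.0.113.7
198.51.100.0/24
tcp:in:d=22:s=192.0.2.10
udp:in:d=10002_20000:s=0/0
badhost.example
tcp:in:22:192.0.2.11
EOF

list_bad_lines "$SAMPLE_LIST"
# badhost.example
# tcp:in:22:192.0.2.11
```

Two further points on the patch itself: `--user`/`--password` given on the wget command line are visible to every local user through `ps` for the duration of the fetch (wget can read the same credentials from ~/.netrc instead), and leaving RGT_CHECK_CERT at "0" means the https fetch gains nothing over plain http against an interposed server, which is exactly the case the validator above is a second line of defence for.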
I've been trying to find a way to take an existing APF box with two NICs and use it as a network gateway. But I can't seem to get it to pass traffic as long as APF is on it. Are there any tutorials or instructions that cover this goal?
Otherwise, this is a hell of a great application firewall! Thanks!
about 2 years ago
Hi Ryan,
Thanks for your reply. I’m still getting the same error after replacing functions.apf
Everything else is still running fine. I am quite certain ipt_recent is loaded.
apf(30459): {rab} force set RAB disabled, kernel module ipt_recent not found.
about 2 years ago
Mike, I made a change to the functions file that I think should fix this, if you are running the latest version of APF please go ahead and download http://www.rfxn.com/downloads/functions.apf and replace /etc/apf/internals/functions.apf with it, let me know if you still experience the issue with RAB.
about 2 years ago
Hi, I also get the error {rab} force set RAB disabled, kernel module ipt_recent not found.
On line 155 of functions.apf, where it tests -f ipt_recent, is || supposed to be &&?
I've changed the line and it seems to be working correctly.
about 2 years ago
Hi Ryan,
I’ve been a long time user of APF. I am currently trying to install it with RAB in an OpenVZ container. I am successful with APF, but not APF with RAB:
{rab} force set RAB disabled, kernel module ipt_recent not found.
As you can see here, my modules should be properly loaded:
# cat /proc/net/ip_tables_matches
udp
tcp
recent
state
length
ttl
tcpmss
multiport
multiport
limit
tos
icmp
owner
I have SET_MONOKERN="1" also.
Perhaps there is some mis-communication between SET_MONOKERN and RAB? Or do you notice any mistakes in my configurations?
about 2 years ago
If you are looking for generic flood protection from SYN/CONNECTION based flooding of port services, you can use fguard:
http://rfxn.com/downloads/fguard
Edit the script with your email address and set the ptrig values, they are in the format of PORT:TRIGGER , trigger is the maximum amount of connections from a single IP before it is blocked i.e: 80:100 = port 80, ban at 100 connections per ip.
about 2 years ago
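What the PORT:TRIGGER check described here (and quoted again in the reply to the connlimit question above) amounts to, as an added example that is not fguard's code: the function counts established connections per remote address and local port in netstat -nt style output and lists the pairs that reach their trigger, in user space rather than with the in-kernel connlimit match. The trigger string follows the format in the post; the function names and the constructed connection table are assumptions. In practice the listed addresses are what would be handed to apf -d, which is how Ryan's reply says fguard passes its bans to APF.

```shell
#!/bin/sh
# flood_offenders "PORT:TRIGGER PORT:TRIGGER ..."
# Reads netstat -nt style lines on stdin (Proto Recv-Q Send-Q Local Remote
# State) and prints "REMOTE_IP LOCAL_PORT COUNT" for every remote address
# whose established connection count to a monitored port reaches its trigger.
flood_offenders() {
    awk -v trig="$1" '
        BEGIN {
            n = split(trig, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, ":")
                limit[kv[1]] = kv[2] + 0
            }
        }
        $1 == "tcp" && $6 == "ESTABLISHED" {
            lport = $4; sub(/.*:/, "", lport)       # local addr:port -> port
            rip = $5; sub(/:[0-9]+$/, "", rip)      # remote addr:port -> addr
            if (lport in limit) count[rip " " lport]++
        }
        END {
            for (key in count) {
                split(key, parts, " ")
                if (count[key] >= limit[parts[2]]) print key, count[key]
            }
        }' | sort
}

# Constructed netstat-like connection table (not a real capture):
# 12 connections from 198.51.100.7 to port 22, 3 from 198.51.100.8 to port 22,
# 5 from 203.0.113.50 to port 80, plus one TIME_WAIT entry that is not an
# open connection and must not be counted.
sample_connections() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf 'tcp 0 0 192.0.2.5:22 198.51.100.7:%d ESTABLISHED\n' $((40000 + i))
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 3 ]; do
        printf 'tcp 0 0 192.0.2.5:22 198.51.100.8:%d ESTABLISHED\n' $((41000 + i))
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 5 ]; do
        printf 'tcp 0 0 192.0.2.5:80 203.0.113.50:%d ESTABLISHED\n' $((42000 + i))
        i=$((i + 1))
    done
    printf 'tcp 0 0 192.0.2.5:22 198.51.100.7:43000 TIME_WAIT\n'
}

# Live use would be:  netstat -nt | flood_offenders "22:10 80:100"
sample_connections | flood_offenders "22:10 80:100"
# 198.51.100.7 22 12
```

Triggers are per port on purpose: 100 concurrent connections from one address is routine for a busy web client behind NAT but not for SSH, so a single global limit would either miss the SSH case or ban legitimate web users.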
How can I use fguard with APF? Is there any installation guide?
about 2 years ago
hello, the changelog says that the antidos feature is replaced by the RAB feature.
about 2 years ago
Hello, I did not see the antidos feature in APF, and also did not find the ad directory in apf. I have installed the latest version.
about 3 years ago
Does anybody know how to block all IPs, something like 0.0.0.0/0, and trust only 1 IP?
Thanks
about 3 years ago
The get_ports command (and install.sh) leave out some of my open ports, such as 80 and 443 from Apache. Here is what “netstat -an” shows:
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN
about 3 years ago
Ryan, you might want to update the README.apf link above to the new version. The one there is for 0.9.6
about 3 years ago
APF automatically updates the reserved.networks file on the first start from http://www.rfxn.com/downloads/reserved.networks – this file is updated on every start call to APF and through a cron.daily job added during installation.
If the reserved.networks file is not updating for you, please check: http://www.rfxn.com/bogon-filtering-update-it/
about 3 years ago
Hi,
I have seen that the file internals/reserved.networks isn't updated.
For example, I see in http://www.iana.org/assignments/ipv4-address-space the network 95.0.0.0/8 assigned from 2007, but the reserved.networks continues to block this network