Advanced Policy Firewall

Current Release:
http://www.rfxn.com/downloads/apf-current.tar.gz
http://www.rfxn.com/appdocs/README.apf
http://www.rfxn.com/appdocs/CHANGELOG.apf

Description:
Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information on all the features.

The technical side of APF is such that it utilizes the latest stable features from the iptables (netfilter) project to provide a very robust and powerful firewall. The filtering performed by APF is threefold:
1) Static rule based policies (not to be confused with a “static firewall”)
2) Connection based stateful policies
3) Sanity based policies

The first, static rule based policies, is the most traditional method of firewalling. This is when the firewall has an unchanging set of instructions (rules) on how traffic should be handled in certain conditions. An example of a static rule based policy would be when you allow/deny an address access to the server with the trust system or open a new port in conf.apf. In short, these are rules that infrequently or never change while the firewall is running.

The second, connection based stateful policies, is a means to distinguish legitimate packets for different types of connections. Only packets matching a known connection will be allowed by the firewall; others will be rejected. An example of this would be FTP data transfers: in an older era of firewalling you would have to define a complex set of static policies to allow FTP data transfers to flow without a problem. That is not so with stateful policies; the firewall can see that an address has established a connection to port 21, then “relate” that address to the data transfer portion of the connection and dynamically alter the firewall to allow the traffic.

The third, sanity based policies, is the ability of the firewall to match various traffic patterns to known attack methods or scrutinize traffic to conform to Internet standards. An example of this would be when a would-be attacker attempts to forge the source IP address of data they are sending to you: APF can simply discard this traffic or optionally log it and then discard it. To the same extent, another example would be when a broken router on the Internet begins to relay malformed packets to you: APF can simply discard them or, in other situations, reply to the router and have it stop sending you new packets (TCP Reset).
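As an added illustration (not code from the APF project), the three policy classes described above written as plain netfilter rules. The interface name and the open ports are assumptions; the commands are echoed rather than executed unless IPT=iptables is set, so the script can be read and tested without root.

```shell
#!/bin/sh
# Added example, not APF's own code: the three policy classes from the
# description above as plain netfilter rules. Commands are echoed through
# $IPT so the script can be read and tested without root; IPT=iptables
# applies them. IFACE and the open ports are assumptions.
IFACE="${IFACE:-eth0}"
IPT="${IPT:-echo iptables}"

# 1) Static rule-based policy: fixed rules that rarely change, here opening
#    the FTP control and SSH ports (what IG_TCP_CPORTS in conf.apf expresses).
static_rules() {
    for port in 21 22; do
        $IPT -A INPUT -i "$IFACE" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# 2) Connection-based stateful policy: accept only packets that belong to a
#    connection the kernel already knows. The ftp helper marks the data
#    channel as RELATED to the established port-21 control session, which is
#    what lets FTP data transfers through without a static rule for them.
stateful_rules() {
    $IPT -t raw -A PREROUTING -i "$IFACE" -p tcp --dport 21 -j CT --helper ftp
    $IPT -A INPUT -i "$IFACE" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -m conntrack --ctstate INVALID -j DROP
}

# 3) Sanity policy: discard traffic that cannot be legitimate, optionally
#    logging it first, and reset senders of malformed TCP.
sanity_rules() {
    # forged source: private/loopback space never arrives on the internet side
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$IFACE" -s "$net" -m limit --limit 5/min \
            -j LOG --log-prefix "apf-spoof: "
        $IPT -A INPUT -i "$IFACE" -s "$net" -j DROP
    done
    # flag combinations no real TCP stack emits
    $IPT -A INPUT -i "$IFACE" -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -i "$IFACE" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # a "new" TCP flow not starting with SYN is garbage from a broken peer:
    # answer with a reset so it stops retransmitting (the TCP Reset case above)
    $IPT -A INPUT -i "$IFACE" -p tcp ! --syn -m conntrack --ctstate NEW \
        -j REJECT --reject-with tcp-reset
}

all_rules() { static_rules; stateful_rules; sanity_rules; }
rule_count() { all_rules | wc -l | tr -d ' '; }

all_rules
```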

Features:
- detailed and well commented configuration file
- granular inbound and outbound network filtering
- user id based outbound network filtering
- application based network filtering
- trust based rule files with an optional advanced syntax
- global trust system where rules can be downloaded from a central management server
- reactive address blocking (RAB), next generation in-line intrusion prevention
- debug mode provided for testing new features and configuration setups
- fast load feature that allows for 1000+ rules to load in under 1 second
- inbound and outbound network interfaces can be independently configured
- global tcp/udp port & icmp filtering with multiple filters (drop, reject, prohibit)
- configurable policies for each ip on the system with convenience variables to import settings
- packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp
- prerouting and postrouting rules for optimal network performance
- dshield.org block list support to ban networks exhibiting suspicious activity
- spamhaus Don’t Route Or Peer List support to ban known “hijacked zombie” IP blocks
- any number of additional interfaces may be configured as trusted or untrusted
- additional firewalled interfaces can have their own unique firewall policies applied
- intelligent route verification to prevent embarrassing configuration errors
- advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards
- filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more
- configurable type of service options to dictate the priority of different types of network traffic
- intelligent default settings to meet every day server setups
- dynamic configuration of your server's local DNS resolvers into the firewall
- optional filtering of common p2p applications
- optional filtering of private & reserved IP address space
- optional implicit blocks of the ident service
- configurable connection tracking settings to scale the firewall to the size of your network
- configurable kernel hooks (ties) to harden the system further to syn-flood attacks & routing abuses
- advanced network control such as explicit congestion notification and overflow control
- helper chains for FTP DATA and SSH connections to prevent client side issues
- optional rate limited event logging
- logging subsystem that allows for logging data to user space programs or standard syslog files
- comprehensive logging of every rule added
- detailed startup error checking
- if you are familiar with netfilter you can create your own rules in any of the policy files
- pluggable and ready advanced use of QoS algorithms provided by the Linux kernel
- 3rd party add-on projects that complement APF features

Funding:
Funding for the continued development and research into this and other projects is solely dependent on public contributions and donations. If this is your first time using this software we ask that you evaluate it and consider a small donation; for those who frequent and are continued users of this and other projects we also ask that you make an occasional donation to help ensure the future of our public projects.

  • #1 written by Peter M Abraham
    about 1 week ago

    On some servers where their DNS is shaky at start up, APF basically locks up the machine because there appears to be no time out.

    Can you please put in some logic that tests to see if DNS is working the way APF needs it to start, and then skip starting (sending an email out notifying it did not start)?

  • #2 written by Bryan Eggers
    about 2 weeks ago

    Using APF 9.7, when I use -r to restart I get these errors (DDOS and BFD are installed):

    apf(6891): {trust} deny all to/from /usr/local/ddos/ddos.sh
    iptables v1.3.5: invalid mask `ddos.sh' specified

    apf(19641): {trust} deny all to/from /usr/local/sbin/bfd
    iptables v1.3.5: invalid mask `bfd' specified

    I’ll buy you a couple of beers if you can help me fix this.
    Thanks

    • #3 written by Ryan M.
      about 2 weeks ago

      It looks like you have some invalid entries in the APF deny file; I would recommend clearing out the file /etc/apf/deny_hosts.rules. The file should only contain IP/Host entries or commented lines prefixed with #.

      rm -f /etc/apf/deny_hosts.rules
      (apf will recreate it)

  • #4 written by ari
    about 2 weeks ago

    Do I have to disable the CentOS firewall before installing APF?
    Thanks for the answer

    • #5 written by Ryan M.
      about 2 weeks ago

      No, APF will take over from CentOS Firewall for you.

  • #6 written by James
    about 1 month ago

    Where are the old versions of all your projects? Sometimes the new versions just don't work and you need exact old versions.

    Like the syntax changes you made to the current version of APF make iptables shit itself.

    • #7 written by Ryan M.
      about 1 month ago

      Are there any errors that you are seeing specifically? Please let me know and I will look into it promptly to correct it.

      As for older versions of APF, I have put together a path where all previous versions can be downloaded:
      http://www.rfxn.com/downloads/old/apf/

      I hope this helps, thank you for your continued use of APF.

  • #8 written by Rob
    about 1 month ago

    Just thought I’d mention a couple of the external blocklists are significantly out of date:

    The Project Honey Pot blocklist (rfxn.com/downloads/php_list) doesn’t appear to have been updated in some time and most of the IPs I double checked haven’t seen any malicious activity in the last 3 months.

    The DShield list (feeds.dshield.org/top10-2.txt) also appears to be very out of date – it has a timestamp of 1st June 2011, despite no obvious indications on their website.

    They have a newer top 100 list, but they recommend using a 20 subnet blocklist instead (http://feeds.dshield.org/block.txt).

    The Spamhaus list is still up to date and the reserved networks appears to be mostly correct as well (maybe a couple of entries missing).

  • #9 written by Peter M. Abraham
    about 2 months ago

    Good day, Ryan:

    On some servers where their DNS is shaky at start up, APF basically locks up the machine because there appears to be no time out.

    Can you please put in some logic that tests to see if DNS is working the way APF needs it to start, and then skip starting (sending an email out notifying it did not start)?

    Thank you.

  • #10 written by Shadyr
    about 2 months ago

    The current version of APF doesn’t like Ubuntu’s new kernel. Is there anything I can adjust in the configs to allow it to start?

    apf(32091): {glob} activating firewall
    apf(32131): {glob} kernel version not equal to 2.4.x or 2.6.x, aborting.
    apf(32091): {glob} firewall initalized

    uname -a
    Linux xxxxxx 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

  • #11 written by evcz
    about 2 months ago

    what about this error:

    apf(22428): {rab} force set RAB disabled, kernel module ipt_recent not found.

    on recent centos installations the module used is xt_recent not ipt_recent

  • #12 written by evcz
    about 2 months ago


    BARRY:

    How can I filter access to port 3306 and allow only internal “c-class” access
    thanks
    barry

    you can do that by editing

    /etc/apf/allow_hosts.rules

    add in there something like:

    tcp:in:d=3306:s=192.168.0.0/24

    to allow incoming tcp traffic with source 192.168.0.0/24 and dest port 3306

    :)

  • #13 written by Odin K.
    about 2 months ago

    I couldn’t find anything in the docs or the changelog regarding IPv6 support, save for a one year old comment that promised it to be implemented in the “near future”. So what’s the current status of IPv6 support?

  • #14 written by Benke
    about 2 months ago

    Great firewall!! Best I’ve seen so far. But there is one tiny thing I wish for. I run Debian Squeeze and when looking into the apache2 access.log I often see IP’s trying to get files like PHPMYADMIN. Then I wish I could block that IP, a kind of conditional blocking.
    Otherwise I’m satisfied. Many thanks.

  • #15 written by Linuxas
    about 2 months ago

    I have a question on upgrading APF from a previous (any) version to the latest:
    Is it OK to install on top of the installed version while the firewall is running, or should we uninstall the previous one first?

    Thank you

  • #16 written by Noaye
    about 3 months ago

    Hi,

    I use your script with debian squeeze..

    Recently, I have :

    root@xxx:~# apf -d 91.86.84.61
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    apf(15440): (trust) added deny all to/from xx.xx.xx.xx

    Why ?

    My kernel is 2.6.38.2

    Thx for answer

  • #17 written by evcz
    about 3 months ago

    Found a server having very bad performance on “high” latency links (~80ms RTT, gbit US-EU resulting in max 7mbit…)

    the poor performances were caused by
    “echo 0 > /proc/sys/net/ipv4/tcp_window_scaling”
    (part of SYSCTL_TCP)

    Is there a specific reason to keep it disabled?

    Re-enabling window_scaling allowed me to reach the expected 500mbit+ on the exact same link :/

    • #18 written by Richard
      about 3 months ago

      I have the same problem as evcz .

      SYSCTL_TCP="1" results in "tcp_window_scaling=0" – which leads to very much poorer server performance!

      • #19 written by Ryan M.
        about 3 months ago

        This issue has been fixed in the production release of APF, I have removed tcp_window_scaling from the SYSCTL_TCP function. To enable window scaling again, run:
        echo 1 > /proc/sys/net/ipv4/tcp_window_scaling

        The use of window scaling is a double edged sword and though years ago posed some security implications along with standards issues, that is no longer the case today and its usage, being default enabled on most distro releases now, warrants the removal of disabling it from APF.

  • #20 written by Philippe Bolduc
    about 4 months ago


    Philippe Bolduc:

    Are you aware of any bug in apf 9.7 rev 1 or bfd removing the local network from the firewall, with a line like this in the apf log?
    {trust} removed 168 from trust system
    Thanks

    It’s related to ddos deflate
    it’s using the command apf -u ip_adresse to unban an ip !!
    What it does is delete/remove the host from [glob]*_hosts.rules and immediately remove the rule from the firewall

    So for a reason that I don’t understand it runs apf -u 160, which deletes rules that match 160 in /etc/apf/allow_hosts.rules and /etc/apf/deny_hosts.rules

  • #21 written by Philippe Bolduc
    about 4 months ago


    Philippe Bolduc:

    Are you aware of any bug in apf 9.7 rev 1 or bfd removing the local network from the firewall, with a line like this in the apf log?
    {trust} removed 168 from trust system
    Thanks

    It’s related to ddos deflate

    it’s using the command apf -u ip_adresse to unban an ip !!

    What it does is delete/remove the host from [glob]*_hosts.rules and immediately remove the rule from the firewall

  • #22 written by loning
    about 4 months ago

    Hi,

    thanks for your great tools,
    and I have run into a problem: I have two NICs to the internet, to different ISPs, and I want apf to work on both of them.
    How can I do that?

    my config is:
    # Untrusted Network interface(s); all traffic on defined interface will be
    # subject to all firewall rules. This should be your internet exposed
    # interfaces. Only one interface is accepted for each value.
    #IFACE_IN="eth1"
    #IFACE_OUT="eth1"
    IFACE_IN="eth2"
    IFACE_OUT="eth2"
    IFACE_IN="eth1"
    IFACE_OUT="eth1"

  • #23 written by BARRY
    about 4 months ago

    How can I filter access to port 3306 and allow only internal “c-class” access

    thanks
    barry

    • #24 written by evcz
      about 2 months ago

      replying to comments in this page does not work (white page)

      anyhow that’s for the update without the disabling window scaling ;)

  • #25 written by CM
    about 4 months ago

    Great tool. Any plans to allow filtering on multiple interfaces like CSF? I am aware of the ability to specify different in and out interfaces as well as the trusted interface. However what I am looking for is the ability to filter 2 incoming interfaces for example.

  • #26 written by pozycjonowanie
    about 5 months ago

    Is there maybe a Polish translation of this? Unfortunately, I don't know English…

  • #27 written by Hosted PBX
    about 6 months ago

    Hi, thanks so much to share with me here. Really a good discussion is provided by you here. Keep up such good posts!

  • #28 written by Alfredo
    about 6 months ago

    Hello again

    I forgot to add what I saw in a bug report:
    “internals/reserved.networks contains networks like 187.0.0.0/8 and many others that have been allocated by IANA and are now legitimate IP4 addresses”

    More details in Debian bug report:
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627157

    Regards

  • #29 written by Alfredo
    about 6 months ago

    Hello,

    First I want to thank you for this beautiful and easy firewall software.

    Issue #1:
    I have noticed that global trust rules can not contain the IP of the machines downloading the rules, or else the machine will go crazy and open itself to every connection.
    This is strange to me, I think one interesting use of global trust is to have a set of machines downloading a single trust allow file containing their own IPs so they can communicate freely with each other.
    Wouldn’t it be great if the downloading apf just ignored the line with its own IP and respected the other lines?

    Issue #2:
    The SET_REFRESH option is useless *(tested on Debian 5 and 6), because the cron daemon will ignore scripts in /etc/cron.d/ with dots (.) in their name. (Instead cron will download the rules one time a day).
    Interestingly, if you rename refresh.apf and take out the dot, cron will complain saying that there is an error in the minutes format *(Debian specific issue?)

    Issue #3:
    I back up the guys who report RAB is not working because of a problem in check_rab() function in internal/functions.apf.
    Changing the line:
    if [ "$RAB" == "1" ] && [ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_recent.$MEXT" ]; then
    To:
    if [ "$RAB" == "1" ] && [ `grep -c "recent" /proc/net/ip_tables_matches` == "0" ]; then
    will solve the issue as reported elsewhere.

    Thank you very much for your work, I hope my suggestions can further improve apf.

  • #30 written by Yannick Martin
    about 7 months ago

    I have installed APF and BFD on my Trixbox PBX that has an external IP Address. It looks like a lovely tool. However I was trying to confirm that all traffic is automatically blocked out and incoming upon installation, but to me it doesn’t seem so. I don't have a rule for my VOIP provider, yet incoming calls to my box via the VOIP provider are going through.
    Can you assist me in letting me know what I am missing? I would like to confirm that there is no possible access to the Box without a rule.

    Thanks

  • #31 written by DH
    about 7 months ago

    I’d like to confirm that RAB won’t work on CentOS 5.5 with APF 9.7-1, giving the error “{rab} force set RAB disabled, kernel module ipt_recent not found.” (though the module is loaded)

    I had to change the internals/functions.apf check for ipt_recent as suggested by Mike.

  • #32 written by asrijaal
    about 8 months ago

    Hi there,

    I installed APF on a webserver of mine which has been dealing with some ddos attacks lately. Now the server requires SSL, so I added

    IG_TCP_CPORTS="21,22,25,80,443"

    The firewall is working and in combination with ddos.sh it does the job but: If I try to connect to the site from different ISPs the connection fails.

    Am I missing something fundamental in the config? I’ve installed apf on my ubuntu 10.04 LTS server, Version: APF version 9.7

    Regards

    asrijaal

  • #33 written by Philippe Bolduc
    about 8 months ago

    Are you aware of any bug in apf 9.7 rev 1 or bfd removing the local network from the firewall, with a line like this in the apf log?

    {trust} removed 168 from trust system

    Thanks

  • #34 written by Donkzilla
    about 8 months ago

    random bad luck confused me! apf is working perfectly. I shall send a donation, thank you, apf is a great tool to manage iptables rules.

    • #35 written by Ryan
      about 8 months ago

      Glad to hear it was just an unfortunate case of luck and that things are working properly :)

  • #36 written by Donkzilla
    about 8 months ago

    after many hours reading and tweaking I overcame my newbie mistakes and got apf working… but I think it may be working too well, as Google Checkout were unable to complete callback to insert an order into my orders database.

    I got this error message from Google Checkout:
    “Your server returned no data in its response; Checkout requires data of type merchant-calculation-results in response to merchant-calculation-callback”

    It might be random bad luck or it might be the apf firewall – Google say there was a response, so I’m leaning towards the idea that apf didn’t block Google Checkout.

    I’ve configured conf.apf like so:

    IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"

    IG_UDP_CPORTS="20,21,53,123"

    IG_ICMP_TYPES="3,5,11,0,30,8"

    EGF="0"

    Have I made a newbie error by not allowing 80 and 443 in IG_UDP_CPORTS? Sorry if this is a silly question.

    I have looked at the possibility of creating a whitelist of Google Checkout IP numbers for allow_hosts.rules but Google Checkout are always changing their IP numbers, they are basically unhelpful to anyone asking for Google Checkout callback IP numbers.

    I’m also wondering if I’ll see similar callback problems with PayPal IPNs… for now I’ve run $ apf -f and will come back to apf when I’ve read more about ports and protocols and am feeling less newbish. Maybe I did overkill when I enabled so many blacklists.

    • #37 written by Ryan M.
      about 8 months ago

      I personally use APF on systems with IPN callbacks from paypal and have never had an issue nor has it ever been reported by anyone else — and there are over 21,000 servers using APF currently, so it's not for a lack of opportunity for it to cause a problem. Technically speaking, as long as you have port 80/443 open, most callback systems should work fine.

  • #38 written by Alejandro
    about 8 months ago

    I have a problem: every day at 4am my server gets blocked by the firewall, and I have to do “iptables -F” to gain access again. All day it works fine, and then at the next 4am everything gets blocked again.

    May 10 04:00:01 xela crond[17416]: (root) CMD (/usr/local/sbin/bfd -q)
    May 10 04:00:01 xela crond[17422]: (root) CMD (/etc/apf/apf --refresh >> /dev/null 2>&1 &)

    How do I fix it?

  • #39 written by mike
    about 8 months ago

    How do I report a bug?

    RAB is always disabled on RHEL4 and RHEL5 though the kernel supports the necessary module:

    {rab} force set RAB disabled, kernel module ipt_recent not found.

    It happens because this check in internals/functions.apf fails:

    [ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/xt_recent.$MEXT" ]

    I think there should be && instead of || in that line.

    Also, I think there is a better way to check for ipt_recent support:

    [ `grep -c "recent" /proc/net/ip_tables_matches` == "0" ]

    (idea taken from here: http://wiki.mediatemple.net/w/%28ve%29:Using_apf_with_RAB)

    Thanks for the great work!
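An added example, not APF's own internals/functions.apf: a replacement for the module-file test in check_rab() along the lines proposed in #29 (Issue #3) and #39, which accepts the match whether it is provided as ipt_recent or xt_recent. PROC_MATCHES and MOD_ROOT are assumed overrides so the check can be exercised against constructed files; the real defaults are the kernel's match list and module directory.

```shell
#!/bin/sh
# Added example, not APF's own code: check whether the netfilter "recent"
# match is available, as RAB needs it. Older kernels ship it as ipt_recent,
# newer ones as xt_recent, so testing one module path (the original
# check_rab() approach) gives false negatives. Two checks are combined:
# the running kernel's registered matches, then the module file under either
# netfilter directory (the match may be loadable but not yet loaded).
# PROC_MATCHES, MOD_ROOT and MEXT are overridable only so the logic can be
# tested against constructed files; real runs use the defaults.
PROC_MATCHES="${PROC_MATCHES:-/proc/net/ip_tables_matches}"
MOD_ROOT="${MOD_ROOT:-/lib/modules/$(uname -r)/kernel/net}"
MEXT="${MEXT:-ko}"

# 0 when "recent" is already registered with the running kernel.
# Unlike a bare `grep -c`, a missing or unreadable proc file is a clean "no".
recent_match_registered() {
    [ -r "$PROC_MATCHES" ] && grep -qx 'recent' "$PROC_MATCHES"
}

# 0 when a loadable module providing the match exists under either name
recent_module_present() {
    for f in "$MOD_ROOT/netfilter/xt_recent.$MEXT" \
             "$MOD_ROOT/ipv4/netfilter/ipt_recent.$MEXT" \
             "$MOD_ROOT/netfilter/xt_recent.$MEXT.xz" \
             "$MOD_ROOT/netfilter/xt_recent.$MEXT.gz"; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# the decision check_rab() needs: 0 = RAB can stay enabled, 1 = force-disable
rab_recent_available() {
    recent_match_registered || recent_module_present
}

# how check_rab() would use it; RAB is the conf.apf setting
check_rab() {
    if [ "$RAB" = "1" ] && ! rab_recent_available; then
        echo "{rab} force set RAB disabled, kernel match 'recent' not found."
        RAB="0"
    fi
    echo "RAB=$RAB"
}

RAB="${RAB:-1}"
check_rab
```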

  • #40 written by Patrick
    about 8 months ago

    How can I see which line is not working?

    I see a few lines:
    iptables: Unknown error 4294967295

    But I don’t know which line is causing this.

    Can anybody help?

    • #41 written by Paul Grant
      about 8 months ago

      Hi,

      That error looks like it's coming from a Virtuozzo VPS. Either way it's caused by not having the correct iptables kernel modules available.

      If you are running on a VPS you should raise the issue with your provider and if they look confused point them here : http://forum.parallels.com/showthread.php?t=62771

      Paul.

      • #42 written by Patrick
        about 8 months ago

        I’m running CentOS 5.6 on a VPS

        (multi-homed XenServer Enterprise platform)

        but is there a way to see what rule or line is causing this error? Maybe I don’t need that line?

        Thanks.

  • #43 written by GordP
    about 9 months ago

    Ryan,
    Where exactly in the APF config would I specify this sort of iptables command:
    iptables -A INPUT -p tcp -m tcp --sport 2222 --dport 22 -j ACCEPT

    For the example above, I don’t want to change the listening port for the installed service, but I want external connections to have to connect to port 2222/tcp.

    I have tried manually running the iptables command, but it gets inserted after the 3 tcp,udp,all DROP commands on the INPUT chain.

    I presume I have the correct syntax.
    Thanks,
    –Gord.

    • #44 written by Ryan M.
      about 9 months ago

      You can add this entry to /etc/apf/preroute.rules

  • #45 written by GordP
    about 9 months ago

    Hi,
    The internals/reserved.networks file (829 bytes) contains 62 ‘Class A reserved networks’, but the IANA.org website only has 16 reserved networks 224.0.0.0/8 – 255.0.0.0/8.
    The other 46 Class A networks listed in the reserved.networks file cause legitimate IPs to be blocked.
    –Gord.

    • #46 written by Ryan M.
      about 9 months ago

      This is not the case:
      http://rfxn.com/downloads/reserved.networks

      The maintained reserved.networks file that rfxn.com hosts has only 13 lines in it. Unless you go out of your way to disable in conf.apf the updating of the reserved.networks file, this will automatically update whenever APF starts.

      However, I have gone ahead and updated the reserved.networks file within the apf-current release package for good measure.

      • #47 written by GordP
        about 9 months ago

        The Debian 6.0 package for apf-firewall has the following default conf.apf settings:
        BLK_RESNET="1"
        DLIST_RESERVED="0"

        Also, in the conf.apf file, the description for BLK_RESNET describes a second variable called USE_RD, which does not exist. I presume USE_RD has been updated by DLIST_RESERVED.

        I have updated my reserved.networks file to the current one on your site.

        dpkg --list | grep apf
        ii apf-firewall 9.7+rev1-2 easy iptables based firewall system

        --Gord.

  • #48 written by Jean-Claude
    about 9 months ago

    I’ve been playing with apf for a few days. Looks really good.

    However, I run my Linux firewall as a NAT host as well as a router. Is there any support within apf for performing NAT as well?

    • #49 written by Jean-Claude
      about 9 months ago

      Let me clarify.. Because reading my post it might confuse.

      I use my CentOS linux box as a firewall on a dynamic DSL connection. My clients connect to it for internet access, and they expect the firewall to NAT connections for them.

  • #50 written by Tan Nguyen
    about 10 months ago

    Hi,
    Thank you very much for your helpful projects.

    I am using your scripts, and everything looks to be working well, but when I log in to cPanel there is a problem:

    ########################
    [a fatal error or timeout occurred while processing this directive]
    Pic: http://img847.imageshack.us/img847/5343/fatal.jpg
    ########################

    And here is content of this error:


    Please help me to fix this problem, I can’t get my cPanel info.
    Thank you very much,
    Regards.

    • #51 written by Ryan M.
      about 9 months ago

      This does not appear to be an error related to APF, you should seek help from cpanel forums or check out irc.freenode.net #cpanel.

  • #52 written by Robert
    about 10 months ago

    The docs for APF are about 4 years old. Do the iptables module requirements within it still hold true? With the move to virtualization, it appears the most recent CentOS builds of iptables do not include many of the modules you list (at least on our Xen servers). Looking forward to your thoughts.

    • #53 written by Ryan M.
      about 10 months ago

      I currently use the latest APF release on CentOS 5.5 based Xen servers and inside many Xen guest instances running CentOS as well. There should be no module specific changes required to APF as it will dynamically request the modules needed from the kernel.

      Likewise I will work to update the APF documentation here shortly, thank you.

  • #54 written by Peter M. Abraham
    about 10 months ago

    Ryan, for the past 2.5 months (approximately), we’ve been troubleshooting receiving automated emails from Verisign / Geotrust.

    It turns out one of the rule imports blocks the emails from Verisign / Geotrust.

    I’ve not yet been able to narrow down which rule import — php, spamhaus, dshield, ECN yet.

    Please do review these IP inclusions to make sure each IP on the list is still valid. Thank you!

    • #55 written by Ryan M.
      about 10 months ago

      Thank you for bringing this to my attention, I will look into it promptly.

  • #56 written by Paul McKinley
    about 10 months ago

    I’m trying to insert allow rules using the “apf -a” command, but I need to just allow ssh inbound. I’m trying to use the form

    apf -a tcp:in:d=22:s=10.10.10.10 “test address”

    but I get an error:

    iptables v1.3.5: host/network `tcp:in:d=22:s=10.10.10.10' not found

    The rule seems to take anyway, at least an “apf -t” shows

    Mar 06 15:56:47 ip-10-10-10-1 apf(3543): (trust) added allow all to/from tcp:in:d=22:s=10.10.10.10

    and “apf -l” shows

    22 0 0 ACCEPT tcp -- * * 10.10.10.10 0.0.0.0/0 tcp dpt:22

    I’m guessing that apf parses the port/address specification properly, but doesn’t feed it to iptables the way iptables likes.

    -Paul McKinley

  • #57 written by John Kinsella
    about 10 months ago

    Ryan – I have a patch for apf to allow support for ESP/AH protocols so IPSEC VPNs can be used in conjunction with apf – interested in a copy?

    • #58 written by Ryan M.
      about 10 months ago

      That would be great! If you could please shoot it over to ryan@rfxn.com, that would be much appreciated. I will review it and toss it into the release version if appropriate. Thank you.

  • #59 written by Mark Remde
    about 11 months ago

    Hi,

    I have a strange issue that occurs intermittently. My system (CentOS 5.4) runs Plesk, and occasionally at 4.30am it will lock down access to the server to everyone except those specifically in the allow_hosts.rules file.
    The cron log at the time shows that a RELOAD occurs at the same time as the 10 minute refreshes. Could this conflict?

    Mar 3 04:30:01 ns6 crond[17415]: (*system*) RELOAD (/etc/cron.d/refresh.apf)
    Mar 3 04:30:01 ns6 crond[30465]: (root) CMD (/etc/apf/apf --refresh >> /dev/null 2>&1 &)

    Performing an apf -r fixes the issue.

    Thanks in advance.
    Mark

    • #60 written by Ryan M.
      about 11 months ago

      What version of APF are you currently running? I would recommend you try clearing any rules in deny_hosts and, if needed, attempt a fresh reinstall of APF.

  • #61 written by Peter M. Abraham
    about 11 months ago

    Ryan, at present, when a CentOS (versions don’t seem to matter) reboots with APF, if there are any problems whatsoever with /etc/resolv.conf working, APF hangs the entire machine.

    Can you please add a customizable timeout feature to a future version of APF so that if local DNS is (temporarily) down, APF will do what it can and allow the reboot process to continue?

    Thank you.

    • #62 written by Ryan M.
      about 11 months ago

      Peter,
      This is a long standing issue that has more to do with accepting host names in the trust rules: if there are any network issues, they are not resolvable, and iptables has no built-in timeout feature for resolving DNS. I will see what I can come up with as a solution and put it into the next release, thank you for your continued support.

    • #63 written by Bozonius
      about 10 months ago

      In my case, it doesn’t hang the machine, but apf doesn’t run at all. The system continues to boot, leaving my CentOS 5.5 wide open.

      I look forward to an update.

      • #64 written by Ryan M.
        about 10 months ago

        Make sure APF is set to start at boot:
        chkconfig --level 2345 apf on

        • #65 written by Bozonius
          about 10 months ago

          Actually, apf is already set to run at boot time. It fails to run, period. I have to start it manually after boot.

          I think mine is a variant problem related to the OP’s.

  • #66 written by mayukmok00
    about 11 months ago

    Hi,

    Is there a way to block countries that will not affect the performance of apf? I did try to use /etc/apf/deny_hosts.rules and placed CIDRs in it. The file went up to 80K and this makes apf very slow when restarted, and it eventually crashed the servers.

    Please advise on an alternative way to do this.

    Thank you.

    • #67 written by Ryan M.
      about 11 months ago

      APF uses iptables, the Linux kernel firewalling mechanism, which stores rules in kernel memory. As the number of iptables rules in kernel memory increases, the performance of iptables degrades. When you enter the realm of 10k+ rules you really are entering an area that iptables is not intended or designed for; I would encourage you to consider broader rules using IP masking to encompass larger netblocks, thus reducing the number of rules required. An example would be that if you want to block 172.3.44.0 – 172.3.44.255, you block it as 172.3.44.0/24 instead of adding every IP in the range to the rules.

      • #68 written by mayukmok00
        about 11 months ago

        Hi Ryan,

        Appreciate the reply. I guess the limit is hit. I am already using x.x.x.x/24 on the file.

        Thank you

  • #69 written by Brian
    about 1 year ago

    Any tips for running APF on a public facing name server? We have attempted to run it and find that after a period of time strange events start happening where our network monitor (opsview aka Nagios) starts thinking SMTP has died on a couple of our email servers. As soon as we turn off APF on the name servers our network monitor thinks all is good again. SMTP is in fact OK, so I am not sure where to look and/or how to correct what APF is clearly causing.

    Any tips and/or ideas?

    • #70 written by Ryan M.
      about 11 months ago

      Trust your SMTP servers in the firewall if possible, i.e: apf -a IP. You can also try to disable RESV_DNS_DROP in conf.apf, which may help.

  • #71 written by bentayeb mohand
    about 1 year ago

    To access the site adultdailycare.net it asks me for a username and password, help me

  • #72 written by Mephisto
    about 1 year ago

    I am using your APF solution on a couple of my servers and it is very useful. You did a great job with it.

    Recently I have updated kernel to 2.6.18-194.26.1.el5xen (CentOS) on most of the machines due to security issues of the previous version. Unfortunately this breaks APF completely. Iptables when started manually and having the rules set manually work fine, but when I run APF it doesn’t.

    All the rules are there. I tried doing iptables save and then reloading it with service iptables start – it doesn’t help.

    It seems like nothing is being filtered by the rules set with APF. Can anyone help?

  • #73 written by Limit no. of connections from an IP
    about 1 year ago

    I am using APF firewall with plesk for around 3 years and I am quite satisfied with it.

    Recently one of our customers required to limit the no. of connections per IP on his server, but I couldn’t find anything in APF which can achieve this.

    I found on a website the syntax that can be used to limit the connections per IP using the connlimit module, but I don’t know how to use this in APF.

    /sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset

    Please advise.

    • #74 written by Richard
      about 1 year ago

      See the post by Ryan 19 posts below

      If you are looking for generic flood protection from SYN/CONNECTION based flooding of port services, you can use fguard:
      http://rfxn.com/downloads/fguard

      Edit the script with your email address and set the ptrig values, they are in the format of PORT:TRIGGER , trigger is the maximum amount of connections from a single IP before it is blocked i.e: 80:100 = port 80, ban at 100 connections per ip.

      • #75 written by Dennis
        about 1 year ago

        Maybe you can tell how we can use this in apf?
        Where does it need to be saved and how can we make apf understand to use the file?

        • #76 written by Ryan M.
          about 1 year ago

          You can run fguard from cron, it will pass bans to APF.

  • #77 written by Block IP even if using allowed Port
    about 1 year ago

    I was introduced to apf (and bfd) by a very helpful friend, Ian, and I absolutely love the simplicity of configuration and the clarity of the documentation.

    I am still in trial mode with it but I ran across a problem that was not solved by the recommended configuration and would like to see if there is a better way to handle it. I have used a workaround solution but it carries with it problems of its own so I do not want to leave that solution in place long term.

    I tried going to the forum as recommended in the readme in /etc/apf/doc but the URL bounced so I am trying this route.

    Is there a way (like apf -d) that I can add IPs to a list that will stop ALL traffic from that IP, even if the traffic is coming in on a port that is allowed to all others?

    It appears to me that when I try to add an IP to be blocked via apf -d IP, it places the DENY IP rule late in the iptables rule set, AFTER the ALLOW PORT rule has already passed the offender through to my server. This sequencing invalidated my attempt to use apf -d IP to stop a hacker from South Africa from pounding away at my server. At one point, this hacker had over 2,000 connections going at my server. BFD did not catch and stop the hacker since I run a VOIP PBX and the hacker came in with SIP registrations which were legitimate (calls) according to the server.

    We did stop the hacker by setting USE_RD="0" to stop apf from refreshing the reserved.networks file and adding the offending IP (196.28.38.72) to the reserved networks file. This put the DENY IP rule early on in the iptables rule set and stopped the hacker before the ALLOW PORT rule was encountered. Unfortunately, I am now left with a static reserved.networks file and I do not like that solution long term.

    I would have thought that using apf -d would tell the system that IP is NEVER to be allowed in, but that does not seem to be the case.

    My question is: Is there a way (like apf -d) that I can add IPs to a list that will stop ALL traffic from that IP, even if the traffic is coming in on a port that is allowed to all others? And of course allow me to go back to a reserved.networks file that is automatically updated?

    Any ideas?

    Richard

    Richard Cantin
    Ayuda
    (519) 957-2414
    rcantin@ayuda.ca

    ++++++++++++++++++++++++++++++++++++++++++++++++++

    I run a VOIP PBX as the ONLY application on the server where I put apf and bfd

    I only need UDP ports 5060 and 10002_20000 accessible from the outside world to let this work, so I have shut down all other incoming ports via IG_TCP_PORTS="" and IG_UDP_PORTS="5060,10002_20000". Ian and I also tried leaving ALL ports disallowed in conf.apf (IG_UDP_PORTS="" as well as IG_TCP_PORTS="") and putting into allow_hosts.rules the following:
    # Add the local network to ensure internal connections can do anything
    192.168.1.0/24
    #
    # Open, to all external connections that are not denied in deny_hosts.rules,
    # the UDP Ports required to support external access for VOIP
    # SIP Registration (5060)
    udp:in:d=5060:s=0/0
    udp:out:d=5060:d=0/0
    # RDP (Audio) (10002_20000)
    udp:in:d=10002_20000:s=0/0
    udp:out:d=10002_20000:d=0/0
    but that did not make things any better.

    The VOIP PBX is working fine so this set up allows what I need to pass. (and unfortunately the South African hacker, unless I add the offending IP to the reserved.networks file)

    • #78 written by Ryan M.
      about 1 year ago

      I have changed the order in which APF loads the trust rules (allow/deny) to place the drop lists before any allow rules are loaded. This change has been pushed to the release version of APF.
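The ordering problem in this exchange is easy to check for on any host: a DROP for a specific source that appears below an ACCEPT-from-anywhere rule in the same chain never sees the packets that ACCEPT already matched. The script below is an added example written for this page (it is not APF code and not part of the original thread): it reads "iptables -L INPUT -n -v --line-numbers" style output on stdin and reports every such shadowed DROP. The helper names (shadowed_drops, count_shadowed) and both listings are constructed for the example, with the documentation address 203.0.113.5 standing in for the offending host.

```shell
#!/bin/sh
# Added example (not APF code): detect DROP rules for a specific source that
# sit below an ACCEPT-from-anywhere rule in an iptables chain listing.
# Input: "iptables -L INPUT -n -v --line-numbers" output on stdin.
# shadowed_drops and count_shadowed are hypothetical helper names.

shadowed_drops() {
    awk '
        # rule rows start with the line number; columns are:
        # num pkts bytes target prot opt in out source destination [match...]
        $1 ~ /^[0-9]+$/ {
            if ($4 == "ACCEPT" && $9 == "0.0.0.0/0") {
                # remember the first blanket ACCEPT, with its match text
                if (!n) {
                    extra = ""
                    for (i = 11; i <= NF; i++) extra = extra " " $i
                    first = $1 " (" $5 extra ")"
                }
                n++
            } else if ($4 == "DROP" && $9 != "0.0.0.0/0" && n > 0) {
                printf "rule %s: DROP from %s is below ACCEPT rule %s\n", $1, $9, first
            }
        }
    '
}

# Constructed listings (not captured from a real host).
# BEFORE: the port allow was loaded before the trust deny, as the poster saw.
BEFORE='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060
2        0     0 DROP       all  --  *      *       203.0.113.5          0.0.0.0/0'

# AFTER: deny lists are loaded first, which is the fix described in the reply.
AFTER='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       203.0.113.5          0.0.0.0/0
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060'

# Number of shadowed DROP rules in the listing passed as $1.
count_shadowed() {
    printf '%s\n' "$1" | shadowed_drops | wc -l | tr -d ' '
}

printf '%s\n' "$BEFORE" | shadowed_drops
echo "before: $(count_shadowed "$BEFORE") shadowed, after: $(count_shadowed "$AFTER") shadowed"
```

On a live host, pipe the real listing in (`iptables -L INPUT -n -v --line-numbers | shadowed_drops`) after an `apf -d` to confirm the deny landed above the port allows; an empty result means no blanket ACCEPT precedes any host-specific DROP.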

  • #79 written by David
    about 1 year ago

    Hi,

    There is no explanation on how to set up a VNET for virtual private servers. The readme file says to look at 3.4 for more detailed information, but I did not find any info about how to set it up; 3.4 just gives the topic name and no article is provided.

  • #80 written by Han Solo
    about 1 year ago

    Hi

    I’m a bit ‘lost’ with installing APF on a Trustix Linux box, which is a very outdated Linux release, but I can’t afford to update/replace it with newer live distros.
    Anyway, I downloaded ‘apf-current.tar.gz’ and ran ./install.sh
    then I edited conf and wanted to try, but unfortunately with no luck as I get:
    service apf restart
    apf: unrecognized service

    or
    chkconfig --list apf
    error reading information on service apf: No such file or directory

    APF installed in "/etc/apf" but not as a service it seems.
    Unfortunately RPM installation didn’t do it either.

    Can it be done like it is on CentOS ?

    Thank you

    • #81 written by Derek
      about 9 months ago


      Han Solo:

      Hi
      I’m a bit ‘lost’ with installing APF on a Trustix Linux box, which is a very outdated Linux release, but I can’t afford to update/replace it with newer live distros.

      What do you mean when you say that you cannot afford to upgrade to a newer Linux? CentOS is freeware. All it will cost you is six blank CDs.

  • #82 written by Frank
    about 1 year ago

    Is there a forum for APF and other utilities? I see a forum when I search Google, but it appears to be restricted.

    Anyway, I have a problem with APF not starting correctly on OpenVZ with multiple IP addresses. venet0 is 127.0.0.1 and venet0:0 and venet0:1 are the external IPs, and APF comes up with errors on them. I don’t know whether the ethX:X/venetX:X syntax is affecting it.

    Does it work with multiple IPs? IFACE_IN and IFACE_OUT appear to take single IPs only

    apf(20007): {glob} flushing & zeroing chain policies
    apf(20007): {glob} firewall offline
    apf(20043): {glob} activating firewall
    apf(20088): {glob} could not verify that interface venet0:0 is routed to a network, aborting.
    apf(20043): {glob} firewall initalized
    apf(20043): {glob} !!DEVELOPMENT MODE ENABLED!! – firewall will flush every 5 minutes.

  • #83 written by mayukmok00
    about 1 year ago

    May I ask where you ran nmap? If it is on the same system then you will see that it is up. Please test it from a separate system.


    Martin:

    I recently installed APF. It appears to be installed properly. My aim is to block port 25 on the server. However, after removing port 25 from the config file, I reloaded, but port 25 is still OPEN. I confirmed this by running nmap, and port 25 is still open. Can someone tell me what might be wrong?

  • #84 written by Martin
    about 1 year ago

    I recently installed APF. It appears to be installed properly. My aim is to block port 25 on the server. However, after removing port 25 from the config file, I reloaded, but port 25 is still OPEN. I confirmed this by running nmap, and port 25 is still open. Can someone tell me what might be wrong?

  • #85 written by mayukmok00
    about 1 year ago

    Hi Ryan,

    Looking forward to it.

    Keep safe.

    Thank you


    Ryan M.:

    IPv6 is not yet supported by APF, this is something that will be released in the very near future.

  • #86 written by mayukmok00
    about 1 year ago

    Hi,

    First of all, thank you for the great software you have created. It is one of our vital protections against outside threats.

    Currently we have an issue with IPV6. May I ask if APF can filter IPV6? doing an iptables -L shows all the rules loaded but when ip6tables -L is used then the output is:
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    I guess there are no filter rules on IPv6. We are using an IPv6-aware OS on a public network.

    Please advise on how to enable IPv6 filtering.

    Thank you

    • #87 written by Ryan M.
      about 1 year ago

      IPv6 is not yet supported by APF, this is something that will be released in the very near future.

  • #88 written by mike
    about 1 year ago

    Hello
    I was wondering if it’s possible to use apf for a standalone PC connected to an untrusted LAN, not necessarily intended to be used as a server, just for personal use

    thanks

  • #89 written by Peter M. Abraham
    about 1 year ago

    Hi Ryan:

    I hope you and your family are doing well.

    When you get to updating APF, can you check how it can be made more user friendly on reboots when local dns (/etc/resolv.conf) may be broken?

    What we’ve seen is that if there are any local DNS resolution issues, APF can cause bootup to hang for an indefinite period of time.

    Thank you.

  • #90 written by david
    about 1 year ago

    Can you put the proper way of updating from older versions of apf to your current version in your faq/readmes?

  • #91 written by mike
    about 1 year ago

    hello all,

    was DDoS'ed for 2 days now… apf + ddos-deflate seems to help!
    but could anybody help me with how to run my own firewall script and apf simultaneously?
    because my own firewall script is also kinda big and there are some important drops in it, so I’ve to get it running.
    thx for ya help!

    greetz mike

  • #92 written by Patric
    about 1 year ago

    Hi Ryan,

    Firstly thanks for a great tool you provide in APF.

    I have recently installed 9.7-1 and greatly appreciate the ease of managing global allow and deny lists remotely from a single source.

    I decided to keep my global lists in a secure password protected directory, and to this end made some modifications to APF to allow ease of configuration, which I believe may be a nice addition to your official release :)

    Herewith the changes:

    conf.apf:
    ----------

    # Global Trust

    USE_RGT="1"

    # Specify whether wget should check the SSL certificate - used in conjunction with the https protocol.
    RGT_CHECK_CERT="0"

    # Specify a username and password for wget to apply when fetching the global lists
    RGT_WGET_USER="apf"
    RGT_WGET_PASS="test"

    internals/functions.apf:

    glob_allow_download() {

        # Set whether wget should check the certificate or not
        if [ "$RGT_CHECK_CERT" == "1" ] && [ "$GA_URL_PROT" == "https" ]; then
            CHECK_CERT=""
        else
            CHECK_CERT="--no-check-certificate"
        fi

        # Set the wget username if necessary
        if [ ! "$RGT_WGET_USER" == "" ]; then
            WGET_USER="--user=$RGT_WGET_USER"
        else
            WGET_USER=""
        fi

        # Set the wget password if necessary
        if [ ! "$RGT_WGET_PASS" == "" ]; then
            WGET_PASS="--password=$RGT_WGET_PASS"
        else
            WGET_PASS=""
        fi

        $WGET -t 1 -T 4 $CHECK_CERT $WGET_USER $WGET_PASS $GA_URL_PROT://$GA_URL >> /dev/null 2>&1

    }

    glob_deny_download() {

        # Set whether wget should check the certificate or not
        if [ "$RGT_CHECK_CERT" == "1" ] && [ "$GD_URL_PROT" == "https" ]; then
            CHECK_CERT=""
        else
            CHECK_CERT="--no-check-certificate"
        fi

        # Set the wget username if necessary
        if [ ! "$RGT_WGET_USER" == "" ]; then
            WGET_USER="--user=$RGT_WGET_USER"
        else
            WGET_USER=""
        fi

        # Set the wget password if necessary
        if [ ! "$RGT_WGET_PASS" == "" ]; then
            WGET_PASS="--password=$RGT_WGET_PASS"
        else
            WGET_PASS=""
        fi

        $WGET -t 1 -T 4 $CHECK_CERT $WGET_USER $WGET_PASS $GD_URL_PROT://$GD_URL >> /dev/null 2>&1

    }

    This allows you to specify via the configuration file whether or not to check the SSL certificate against the available certificate authorities, as well as being able to password protect the global access lists that you have made publicly accessible.

    Regards,
    Patric
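Patric's patch above puts the password on the wget command line, where any local user can read it from the process list, and its RGT_CHECK_CERT="0" default leaves TLS verification off, so a list substituted in transit would be loaded into the firewall unchallenged. The script below is an added example for this page, not APF's code and not Patric's patch: it keeps certificate verification on, passes credentials through a mode-0600 wgetrc selected with the WGETRC environment variable, and refuses to install a fetched list unless every line is an IPv4 address/CIDR or an APF-style trust rule. The helper names (fetch_trust_list, validate_trust_list, is_ipv4_cidr, is_apf_rule, valid_port) and the sample list are constructed for the example.

```shell
#!/bin/sh
# Added example (not APF's own code, not Patric's patch): fetch a remote
# allow/deny list with TLS verification on, keep the password out of argv,
# and validate every line before the firewall sees it. All function names
# below are hypothetical helpers chosen for this example.
set -f   # no pathname expansion on the unquoted word splits used below

# True if $1 is a decimal port in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True if $1 is a dotted-quad IPv4 address, optionally with /0-/32, or the
# iptables shorthand 0/0. Hostnames are rejected on purpose.
is_ipv4_cidr() {
    [ "$1" = "0/0" ] && return 0
    addr="${1%%/*}"
    if [ "$addr" != "$1" ]; then
        prefix="${1#*/}"
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    case "$addr" in .*|*.|*..*) return 1 ;; esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# True if $1 is an APF-style trust rule: proto:in|out:d=PORT[_PORT]:s|d=ADDR
is_apf_rule() {
    old_ifs="$IFS"; IFS=:
    set -- $1
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    case "$2" in in|out) ;; *) return 1 ;; esac
    case "$3" in d=*) port="${3#d=}" ;; *) return 1 ;; esac
    valid_port "${port%%_*}" && valid_port "${port#*_}" || return 1
    case "$4" in s=*|d=*) is_ipv4_cidr "${4#?=}" ;; *) return 1 ;; esac
}

# Returns 0 when every non-blank, non-comment line of file $1 is accepted;
# prints each rejected line to stderr and returns 1 otherwise.
validate_trust_list() {
    bad=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$line" ] && continue
        if is_ipv4_cidr "$line" || is_apf_rule "$line"; then
            continue
        fi
        printf 'line %d rejected: %s\n' "$lineno" "$line" >&2
        bad=$((bad + 1))
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Download $1 into $2 with optional basic-auth user $3 and password $4.
# Certificate checking stays on, and the credentials go through a 0600
# wgetrc named by the WGETRC environment variable instead of the command
# line, so they are not visible in "ps". The file is installed only if it
# passes validate_trust_list.
fetch_trust_list() {
    url="$1"; dest="$2"; user="${3:-}"; pass="${4:-}"
    rc=$(mktemp) || return 1
    chmod 600 "$rc"
    {
        echo "check_certificate = on"
        [ -n "$user" ] && echo "http_user = $user"
        [ -n "$pass" ] && echo "http_password = $pass"
    } > "$rc"
    if WGETRC="$rc" wget -q -t 1 -T 4 -O "$dest.tmp" "$url" \
        && validate_trust_list "$dest.tmp"; then
        rm -f "$rc"
        mv "$dest.tmp" "$dest"
        return 0
    fi
    rm -f "$rc" "$dest.tmp"
    return 1
}

# Constructed sample list (not fetched from anywhere) with one bad entry.
SAMPLE_LIST=$(mktemp)
printf '%s\n' '# internal network' '192.168.1.0/24' \
    'udp:in:d=5060:s=0/0' 'udp:in:d=10002_20000:s=0/0' \
    '300.1.2.3' > "$SAMPLE_LIST"
if validate_trust_list "$SAMPLE_LIST"; then
    echo "sample list accepted"
else
    echo "sample list rejected, not loading it"
fi
rm -f "$SAMPLE_LIST"
```

Run as-is it rejects the constructed sample on the out-of-range octet; in a cron job, fetch_trust_list takes the place of the raw wget call so the same checks apply to real lists. The validator rejects hostnames, which also keeps the DNS-resolution hang discussed elsewhere in this thread out of lists that are pulled automatically.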

  • #93 written by CJ
    about 1 year ago

    I’ve been trying to find a way to take an existing APF box with two NICs and use it as a network gateway. But I can’t seem to get it to pass traffic as long as APF is on it. Are there any tutorials or instructions that cover this goal?

    Otherwise, this is a hell of a great application firewall! Thanks!

  • #94 written by Mike
    about 1 year ago

    Hi Ryan,

    Thanks for your reply. I’m still getting the same error after replacing functions.apf

    Everything else is still running fine. I am quite certain ipt_recent is loaded.

    apf(30459): {rab} force set RAB disabled, kernel module ipt_recent not found.

  • #95 written by Ryan M.
    about 1 year ago

    Mike, I made a change to the functions file that I think should fix this. If you are running the latest version of APF, please go ahead and download http://www.rfxn.com/downloads/functions.apf and replace /etc/apf/internals/functions.apf with it, and let me know if you still experience the issue with RAB.


    Mike:

    Hi Ryan,

    I’ve been a long time user of APF. I am currently trying to install it with RAB in an OpenVZ container. I am successful with APF, but not APF with RAB:

    {rab} force set RAB disabled, kernel module ipt_recent not found.

    As you can see here, my modules should be properly loaded:

    # cat /proc/net/ip_tables_matches
    udp
    tcp
    recent
    state
    length
    ttl
    tcpmss
    multiport
    multiport
    limit
    tos
    icmp
    owner

    I have SET_MONOKERN="1" also.

    Perhaps there is some mis-communication between SET_MONOKERN and RAB? Or do you notice any mistakes in my configurations?

    • #96 written by taka
      about 10 months ago

      Hi, I also get the error {rab} force set RAB disabled, kernel module ipt_recent not found.

      On line 155 of functions.apf where testing -f ipt_recent, is || supposed to be &&?

      I’ve changed the line and seems to be working correctly.

  • #97 written by Mike
    about 1 year ago

    Hi Ryan,

    I’ve been a long time user of APF. I am currently trying to install it with RAB in an OpenVZ container. I am successful with APF, but not APF with RAB:

    {rab} force set RAB disabled, kernel module ipt_recent not found.

    As you can see here, my modules should be properly loaded:

    # cat /proc/net/ip_tables_matches
    udp
    tcp
    recent
    state
    length
    ttl
    tcpmss
    multiport
    multiport
    limit
    tos
    icmp
    owner

    I have SET_MONOKERN="1" also.

    Perhaps there is some mis-communication between SET_MONOKERN and RAB? Or do you notice any mistakes in my configurations?

  • #98 written by Ryan M.
    about 1 year ago

    If you are looking for generic flood protection from SYN/CONNECTION based flooding of port services, you can use fguard:
    http://rfxn.com/downloads/fguard

    Edit the script with your email address and set the ptrig values, they are in the format of PORT:TRIGGER , trigger is the maximum amount of connections from a single IP before it is blocked i.e: 80:100 = port 80, ban at 100 connections per ip.

    • #99 written by chris
      about 1 year ago

      how can I use fguard with apf? is there any installation guide?

  • #100 written by Mike
    about 1 year ago


    Faizan:

    Hello, I did not see the antidos feature in APF and also did not find the ad directory in apf; I have installed the latest version

    Hello, the changelog says that the antidos feature is replaced by the RAB feature.

  • #101 written by Faizan
    about 1 year ago

    Hello, I did not see the antidos feature in APF and also did not find the ad directory in apf; I have installed the latest version

  • #102 written by Enrique Romero Montes
    about 1 year ago

    Does anybody know how to block all IPs, something like 0.0.0.0/0, and trust only 1 IP?

    Thanks

  • #103 written by admin
    about 1 year ago

    The get_ports command (and install.sh) leave out some of my open ports, such as 80 and 443 from Apache. Here is what “netstat -an” shows:

    tcp 0 0 :::80 :::* LISTEN
    tcp 0 0 :::443 :::* LISTEN
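The two lines above are listeners bound to the IPv6 wildcard, which on a dual-stack host also accept IPv4 connections, so a port scan that only recognises the "0.0.0.0:PORT" form misses them. The script below is an added example written for this page (it is not APF's get_ports and not part of the original post): it extracts listening TCP ports from "netstat -an" output in both address forms and can leave out loopback-only listeners, which need no entry in IG_TCP_PORTS. The function names and the sample output are constructed for the example.

```shell
#!/bin/sh
# Added example (not APF's get_ports): list TCP ports in LISTEN state from
# "netstat -an" output, handling both the IPv4 "0.0.0.0:80" and the IPv6 /
# dual-stack ":::80" local-address forms shown in the post above.
# listening_tcp_ports and sample_ports are hypothetical helper names.

# Reads netstat -an lines on stdin and prints distinct listening TCP ports in
# ascending order, one per line. With "$1" set to 1, listeners bound only to
# loopback (127.x.x.x or ::1) are skipped, since they need no firewall opening.
listening_tcp_ports() {
    awk -v skiplo="${1:-0}" '
        $1 ~ /^tcp6?$/ && $NF == "LISTEN" {
            # local address is column 4; the port follows the last ":"
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (skiplo && (addr ~ /^127\./ || addr == "::1")) next
            if (port ~ /^[0-9]+$/) seen[port] = 1
        }
        END { for (p in seen) print p }
    ' | sort -n -u
}

# Constructed sample (not captured from a real host); note the ":::80" and
# ":::443" listeners of the kind the poster reports get_ports leaving out.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
tcp        0      0 10.10.10.1:22           10.10.10.10:51234       ESTABLISHED
udp        0      0 0.0.0.0:5060            0.0.0.0:*'

# Space-separated port list for the sample; "$1" as for listening_tcp_ports.
sample_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_tcp_ports "${1:-0}" | tr '\n' ' ' | sed 's/ $//'
}

echo "all listeners:     $(sample_ports 0)"
echo "non-loopback only: $(sample_ports 1)"
```

On a real host, `netstat -an | listening_tcp_ports 1` gives the candidate list for IG_TCP_PORTS; compare it against what is actually in conf.apf rather than trusting either side blindly, since a listener you did not expect is itself worth investigating.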

  • #104 written by John
    about 1 year ago

    Ryan, you might want to update the README.apf link above to the new version. The one there is for 0.9.6

  • #105 written by Ryan M.
    about 1 year ago

    APF automatically updates the reserved.networks file on the first start from http://www.rfxn.com/downloads/reserved.networks – this file is updated on every start call to APF and through a cron.daily job added during installation.

    If the reserved.networks file is not updating for you, please check: http://www.rfxn.com/bogon-filtering-update-it/


    Tech:

    Hi,
    I have seen that the file internals/reserved.networks isn’t updated.
    For example, I see in http://www.iana.org/assignments/ipv4-address-space the network 95.0.0.0/8 assigned from 2007, but reserved.networks continues to block this network

  • #106 written by Tech
    about 1 year ago

    Hi,
    I have seen that the file internals/reserved.networks isn’t updated.
    For example, I see in http://www.iana.org/assignments/ipv4-address-space the network 95.0.0.0/8 assigned from 2007, but reserved.networks continues to block this network