Advanced Policy Firewall

Current Release:
http://www.rfxn.com/downloads/apf-current.tar.gz
http://www.rfxn.com/appdocs/README.apf
http://www.rfxn.com/appdocs/CHANGELOG.apf

Description:
Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file.

The technical side of APF is such that it utilizes the latest stable features from the iptables (netfilter) project to provide a very robust and powerful firewall. The filtering performed by APF is threefold:
1) Static rule based policies (not to be confused with a “static firewall”)
2) Connection based stateful policies
3) Sanity based policies

The first, static rule based policies, is the most traditional method of firewalling. This is when the firewall has an unchanging set of instructions (rules) on how traffic should be handled under certain conditions. An example of a static rule based policy would be allowing or denying an address access to the server with the trust system, or opening a new port in conf.apf. In short, these are rules that change infrequently or never while the firewall is running.

The second, connection based stateful policies, is a means to distinguish legitimate packets for different types of connections. Only packets matching a known connection will be allowed by the firewall; others will be rejected. An example of this is FTP data transfers: in an older era of firewalling you would have to define a complex set of static policies to allow FTP data transfers to flow without a problem. That is not so with stateful policies; the firewall can see that an address has established a connection to port 21, then “relate” that address to the data transfer portion of the connection and dynamically alter the firewall to allow the traffic.

The third, sanity based policies, is the ability of the firewall to match various traffic patterns to known attack methods, or to scrutinize traffic for conformance to Internet standards. An example of this would be when a would-be attacker attempts to forge the source IP address of data they are sending to you; APF can simply discard this traffic or optionally log it and then discard it. Another example would be when a broken router on the Internet begins to relay malformed packets to you; APF can simply discard them or, in other situations, reply to the router and have it stop sending you new packets (TCP Reset).

Features:
– detailed and well commented configuration file
– granular inbound and outbound network filtering
– user id based outbound network filtering
– application based network filtering
– trust based rule files with an optional advanced syntax
– global trust system where rules can be downloaded from a central management server
– reactive address blocking (RAB), next generation in-line intrusion prevention
– debug mode provided for testing new features and configuration setups
– fast load feature that allows for 1000+ rules to load in under 1 second
– inbound and outbound network interfaces can be independently configured
– global tcp/udp port & icmp filtering with multiple filters (drop, reject, prohibit)
– configurable policies for each ip on the system with convenience variables to import settings
– packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp
– prerouting and postrouting rules for optimal network performance
– dshield.org block list support to ban networks exhibiting suspicious activity
– spamhaus Don’t Route Or Peer List support to ban known “hijacked zombie” IP blocks
– any number of additional interfaces may be configured as trusted or untrusted
– additional firewalled interfaces can have their own unique firewall policies applied
– intelligent route verification to prevent embarrassing configuration errors
– advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards
– filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more
– configurable type of service options to dictate the priority of different types of network traffic
– intelligent default settings to meet every day server setups
– dynamic configuration of your server's local DNS resolvers into the firewall
– optional filtering of common p2p applications
– optional filtering of private & reserved IP address space
– optional implicit blocks of the ident service
– configurable connection tracking settings to scale the firewall to the size of your network
– configurable kernel hooks (ties) to harden the system further to syn-flood attacks & routing abuses
– advanced network control such as explicit congestion notification and overflow control
– helper chains for FTP DATA and SSH connections to prevent client side issues
– optional rate limited event logging
– logging subsystem that allows for logging data to user space programs or standard syslog files
– comprehensive logging of every rule added
– detailed startup error checking
– if you are familiar with netfilter you can create your own rules in any of the policy files
– pluggable and ready advanced use of QoS algorithms provided by the Linux kernel
– 3rd party add-on projects that complement APF features

Funding:
Funding for the continued development and research into this and other projects is solely dependent on public contributions and donations. If this is your first time using this software we ask that you evaluate it and consider a small donation; for those who frequent and are continued users of this and other projects we also ask that you make an occasional donation to help ensure the future of our public projects.

236 Replies to “Advanced Policy Firewall”

  1. This is a question about the The Spamhaus Don’t Route Or Peer Lists (DLIST_SPAMHAUS) option.

    If I disable that and restart APF it still blocks IPs on the list. It seems I have to reboot the server to ‘see’ the change. (Because of this it took me ages to discover APF was blocking an IP, as I had tried stopping APF to rule that out! But that was not sufficient…)

    Would it not be better if an APF restart *saw* the change to this DLIST_SPAMHAUS option? (I have APF 9.7 – and thanks for a great product BTW)

    1. This is not the expected behavior, I will look into this further. However, with APF shut off from CLI with apf -f or /etc/init.d/apf stop, there would be no iptables rules loaded at all. So, there may have been another issue at play there causing the address in question to remain blocked.

      1. Well further tests showed it was NOT the DLIST_SPAMHAUS option that caused the issue. It was SYSCTL_ECN.

        And I *think* I got confused through having SET_FASTLOAD enabled.

        All is well now!

  2. I have identified what I believe is a bug this evening…

    We have a server where we need to permit other servers in the same subnet to communicate with it, we placed the subnet into allow_hosts.rules.

    However it appears that APF/iptables interprets this to mean that all traffic to the server should be allowed (i.e. source OR destination matches), rather than traffic purely sourced from that address range.

    1. When you place an address with no advanced syntax into allow_hosts.rules, the trust on that address is added for inbound and outbound traffic. So in placing the subnet that the server is on, in allow_hosts.rules, you effectively are telling the firewall to allow everything in and out of the server sourced from that subnet which is essentially to trust everything (since traffic will always be sourced to or from the ip of the server).

      This is a very common policy mistake with firewalls, care needs to be taken in the addresses that you trust as you can inadvertently create a trust all situation.

      If there are specific ports you require your subnet to access, a rule in allow_hosts.rules such as the following is more appropriate:
      tcp:in:d=3306:s=24.11.34.0/24

      The above would allow tcp traffic from 24.11.34.0/24 to port 3306. Please see the comments in /etc/apf/allow_hosts.rules for further examples.
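      The following is an added example (not APF's own code and not from the original post) that loads allow_hosts.rules entries, renders each as the iptables arguments it amounts to, and flags the mistake described in this reply: a bare subnet entry that contains the server's own address. The page only shows the rule form proto:in:d=PORT:s=CIDR; the general [s|d]=port and [s|d]=address fields handled here follow the syntax comments in APF's rule files and are my assumption, as is the iptables rendering (it shows what a rule means, not the exact text APF emits). The sample file and host address are constructed.

```python
"""Audit APF allow_hosts.rules entries for over-broad trust (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a bare subnet entry (the mistake discussed above) next to
# a scoped rule, plus a comment line the loader must skip.
SAMPLE_RULES = """\
# allow_hosts.rules (constructed sample)
24.11.34.0/24
tcp:in:d=3306:s=24.11.34.0/24
udp:out:d=53:d=10.0.0.5
"""

# proto:flow:[s|d]=port:[s|d]=address -- assumed general form of the syntax
ADV_RE = re.compile(r"^(tcp|udp):(in|out):([sd])=(\d{1,5}):([sd])=(\S+)$")


@dataclass
class TrustRule:
    raw: str
    network: ipaddress.IPv4Network
    proto: Optional[str] = None      # None means a bare address entry
    flow: Optional[str] = None       # "in" or "out"
    port_side: Optional[str] = None  # "s" (--sport) or "d" (--dport)
    port: Optional[int] = None
    addr_side: Optional[str] = None  # "s" (-s) or "d" (-d)

    @property
    def is_bare(self):
        return self.proto is None


def parse_rule(line):
    """Parse one non-comment line; raises ValueError on garbage."""
    m = ADV_RE.match(line)
    if m:
        proto, flow, pside, port, aside, addr = m.groups()
        return TrustRule(line, ipaddress.ip_network(addr, strict=False),
                         proto, flow, pside, int(port), aside)
    # Anything else must be a plain address or CIDR; ip_network validates it.
    return TrustRule(line, ipaddress.ip_network(line, strict=False))


def parse_rules(text):
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(parse_rule(line))
    return rules


def to_iptables(rule):
    """Render a rule as iptables argument lists (one list per rule added)."""
    net = str(rule.network)
    if rule.is_bare:
        # A bare entry is trusted for inbound and outbound traffic.
        return [["-A", "INPUT", "-s", net, "-j", "ACCEPT"],
                ["-A", "OUTPUT", "-d", net, "-j", "ACCEPT"]]
    return [["-A", "INPUT" if rule.flow == "in" else "OUTPUT", "-p", rule.proto,
             "-s" if rule.addr_side == "s" else "-d", net,
             "--sport" if rule.port_side == "s" else "--dport", str(rule.port),
             "-j", "ACCEPT"]]


def audit(rules, host_addr):
    """Return (raw_line, warning) pairs for entries that trust everything."""
    host = ipaddress.ip_address(host_addr)
    findings = []
    for r in rules:
        if r.is_bare and host in r.network:
            findings.append((r.raw,
                             f"bare entry covers this host ({host}); every "
                             "packet has it as source or destination, so "
                             "this trusts all traffic in and out"))
    return findings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for r in rules:
        for args in to_iptables(r):
            print("iptables", " ".join(args))
    for raw, why in audit(rules, "24.11.34.17"):   # constructed host address
        print(f"WARNING {raw}: {why}")
```

      Run stand-alone it prints the translation of each entry and one warning for the bare 24.11.34.0/24 line; the same entry scoped as tcp:in:d=3306:s=24.11.34.0/24 produces no warning because it only admits inbound TCP to port 3306.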

  3. Hello Ryan,

    I’ve got a request and a question:

    request: could you please check your anti-spam system? it seems to spam or at least moderate all of my comments on your blog

    question: how can I evaluate what apf drops? I mean I see a few actions in my logs where I am completely unsure why they happened, I’ll show you two examples:

    Apr 19 16:17:58 h1870666 kernel: [87217.512563] ** PHP ** IN=eth0 OUT= MAC=00:24:21:af:8a:99:00:25:84:7b:bc:00:08:00 SRC=75.125.47.162 DST=85.214.229.212 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=768 DF PROTO=TCP SPT=48470 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AD405DBBA0000000001030307)

    Apr 19 16:16:14 h1870666 kernel: [87113.329053] ** SDROP ** IN= OUT=eth0 SRC=85.214.249.219 DST=31.184.242.127 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=20863 DF PROTO=TCP SPT=37657 DPT=80 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B401010402)
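    As an added example (not part of the original comment or of APF), here is a parser for the kernel netfilter LOG lines of the kind quoted above. It pulls out the label APF attached between the asterisks, the interface fields (IN set and OUT empty means a packet arriving at the host; OUT set and IN empty means a packet the host itself generated), the addresses, ports and TCP flags. The page ties the RABHIT label to RAB; the other labels are left uninterpreted. The sample log is constructed from the two lines above plus a RABHIT line modelled on comment 6 below, with documentation-range addresses standing in for the poster's redacted ones.

```python
"""Parse netfilter LOG lines written by an APF-managed firewall (added example)."""
import re

PREFIX_RE = re.compile(r"\*\* (?P<prefix>[A-Z_]+) \*\* (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Constructed sample log (the first two lines are the ones quoted above).
SAMPLE_LOG = """\
Apr 19 16:17:58 h1870666 kernel: [87217.512563] ** PHP ** IN=eth0 OUT= MAC=00:24:21:af:8a:99:00:25:84:7b:bc:00:08:00 SRC=75.125.47.162 DST=85.214.229.212 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=768 DF PROTO=TCP SPT=48470 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AD405DBBA0000000001030307)
Apr 19 16:16:14 h1870666 kernel: [87113.329053] ** SDROP ** IN= OUT=eth0 SRC=85.214.249.219 DST=31.184.242.127 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=20863 DF PROTO=TCP SPT=37657 DPT=80 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B401010402)
Mar 27 15:50:53 mail kernel: ** RABHIT ** IN=eth1 OUT= MAC=52:99:c6:4c:f1:32:00:64:40:3a:43:40:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=32627 DF PROTO=TCP SPT=55353 DPT=995 WINDOW=34633 RES=0x3c CWR PSH SYN URGP=47720
"""


def parse_line(line):
    """Return a dict of the interesting fields, or None for non-netfilter lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))             # KEY=value tokens
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}  # bare flag words
    iface_in, iface_out = fields.get("IN", ""), fields.get("OUT", "")
    if iface_in and not iface_out:
        direction = "inbound"        # arrived on iface_in for this host
    elif iface_out and not iface_in:
        direction = "outbound"       # generated by this host itself
    elif iface_in and iface_out:
        direction = "forwarded"
    else:
        direction = "unknown"
    return {
        "prefix": m.group("prefix"),
        "direction": direction,
        "in": iface_in, "out": iface_out,
        "proto": fields.get("PROTO"),
        "src": fields.get("SRC"), "spt": fields.get("SPT"),
        "dst": fields.get("DST"), "dpt": fields.get("DPT"),
        "flags": flags,
        # SYN without ACK: a new connection attempt, not part of an established flow.
        "new_connection": "SYN" in flags and "ACK" not in flags,
        # CWR/ECE on a SYN are the ECN negotiation bits.
        "ecn": bool(flags & {"CWR", "ECE"}),
    }


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(ev):
    flags = " ".join(sorted(ev["flags"])) or "-"
    return (f"{ev['prefix']}: {ev['direction']} {ev['proto']} "
            f"{ev['src']}:{ev['spt']} -> {ev['dst']}:{ev['dpt']} [{flags}]")


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(summarize(ev))
```

    On the two lines above this yields an inbound SYN to port 25 labelled PHP, and an SDROP line with IN empty and OUT=eth0, that is, a connection attempt the server itself made toward port 80 with the ECN bits (CWR, ECE) set on the SYN. Knowing the direction and the flags is what lets you match a logged drop to the APF option that produced it; comment 1 above, for instance, traced a drop the poster saw to SYSCTL_ECN.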

  4. We are running into problems with a client that has APF set up on three (3) servers running CentOS 5.8 64-bit.

    Two of the three servers work as intended.

    On the one server, APF continues to block an IP that is valid doing valid things.

    The IP does not end up in /etc/apf/deny_hosts.rules

    It ends up in APF, and then in /etc/apf/internals/.apf.restore and sometimes also in /etc/apf/internals/refresh.drop.temp

    There’s no explanation why. Then when I remove the IP from those files (after stopping apf), and restart APF… it is like a battle where APF continues to block the IP, put it back in the files.. and I cannot find a way to have APF leave the IP alone.

    I’ve the IP set up in /etc/apf/allow_hosts.rules and /usr/local/bfd/ignore.hosts

    The IP is not listed in /var/log/apf_log so I have no idea as to why APF is treating this IP differently.

    I checked /var/log/messages and it is not even a SANITY issue.

    How can I troubleshoot this issue?

    Thank you.

  5. @Ryan:
    Thanks for replying but I am unsure about the documentation being clear, I mean look at this:

    # Log all traffic that is filtered by the firewall
    LOG_DROP="1"

    I want that, as I am logging filtered traffic to my syslog file and I need it that way as I evaluate those logs later on.

    # This option will allow for all status events to be displayed in real time on
    # the console as you use the firewall. Typically, APF used to operate silent
    # with all logging piped to $LOG_APF. The use of this option will not disable
    # the standard log file displayed by apf --status but rather complement it.
    SET_VERBOSE="0"

    This sounds just like what I need: no log output to the console.

    Yet your reply to my comment sounds the other way around? Is it just me confused or is this misleading?

  6. It appears RAB TRIP is triggering incorrectly.

    Mar 27 15:50:53 mail kernel: ** RABHIT ** IN=eth1 OUT= MAC=52:99:c6:4c:f1:32:00:64:40:3a:43:40:08:00 SRC=[our client ip] DST=[our mail server] LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=32627 DF PROTO=TCP SPT=55353 DPT=995 WINDOW=34633 RES=0x3c CWR PSH SYN URGP=47720

    cat rab.ports
    # Low security ports
    RAB_PSCAN_LEVEL_1="1,7,9,11,15,69,70"

    # Medium security ports
    RAB_PSCAN_LEVEL_2="$RAB_PSCAN_LEVEL_1,79,109,119,512,513,517,518"

    # High security ports
    RAB_PSCAN_LEVEL_3="$RAB_PSCAN_LEVEL_2,13,17,19,500,540,635,640,641,666,700,1024,1026,1027,1028,2023,2565,2703,3128,3389,4899,5900,6667,6711,7212,8000,8888,9989,10080,13000,16969,27374,32000"

    Given the rab ports above, even on rab level 3 (high security), why would the IP be blocked by RAB?

    Thank you.

    1. Peter,
      It may be, and often is, the case that the IP tripped RAB on a valid RAB monitored port; once its RAB ban is in place, all subsequent traffic on that IP will be logged, irrespective of the port. Likewise it is also possible it got tripped on a sanity rule; you can try disabling RAB for packet sanity checks.

    1. This is something that has been making its way into most projects and I will work on it for APF as well, both back dating the changelog and putting in dates for all future updates.

  7. I have the same problem every day at 4:03:01 a.m.

    CRON: error in (/etc/cron.d/refresh.apf) problem is (bad minute)

    Can you help me? What should I do?

  8. Setting SET_VERBOSE="0" doesn’t seem to work, my console is still being flooded with messages making it impossible to work on the console.

    Any help here, please? I had to access my console during a DOS and it was impossible to use it, as it was flooded with logs about packages being dropped 🙁

  9. Ubuntu has an old version of APF in its repositories and strange ways of changing the names of files and directories during the installation with apt-get. So I followed the instructions on http://www.andyhuang.net/blog/2008/06/ to install the current version of APF on Ubuntu. But instead of modifying the APF files I have symlinked /etc/rc.d/init.d to /etc/init.d. Hence my two questions:

    1) Is it ok to symlink like this or do I really have to change paths inside of files?

    2) Running update-rc.d apf defaults gives:

    update-rc.d: warning: /etc/init.d/apf missing LSB information

    Is it ok to ignore it or I have to change something?

    Generally, it would be nice if the install script were adapted to run under Ubuntu, since currently it is confused by the paths. I tested on CentOS and the installation script runs fine, but on Ubuntu it aborts since it can’t find files.

  10. On CentOS 5.8 we are seeing the following error in our logs as it relates to APF:

    "Mar 9 04:08:01 cp crond[7331]: CRON: error in (/etc/cron.d/refresh.apf) problem is (bad minute)"

    Rather than using */480 in the minute mark, why not use */8 in the hour mark?

    Thank you.

    1. I get the same error. How did you correct it? Thanks.

      My refresh.apf file is below.

      MAILTO=
      SHELL=/bin/sh
      */10 * * * * root /etc/apf/apf --refresh >> /dev/null 2>&1 &

    2. Same problem with CentOS 5.8. cron_refresh () in internals/functions.apf uses */$SET_REFRESH. Would changing that to 0-59/$SET_REFRESH fix the issue?
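    As an added example (not part of the thread or of APF), here is a small checker for the five time fields of an /etc/cron.d line together with a builder that turns a SET_REFRESH value in minutes into a schedule cron accepts. It models the constraint behind the "bad minute" error quoted above: a step such as 480 cannot appear in a field whose span is 0-59. That also answers the question about 0-59/480: whatever a given cron's parser does with it, the minute field restarts every hour, so it can never express an 8-hour interval; the interval has to move to the hour field, as the */8 suggestion above does. The bounds table and the command string are my assumptions (the command is the one from the refresh.apf file quoted above), and this is not a reimplementation of any particular cron's parser.

```python
"""Validate cron.d time fields and build an APF refresh schedule (added example)."""
import re

# (name, low, high) bounds for the five time fields, in crontab order (assumed).
FIELD_BOUNDS = [("minute", 0, 59), ("hour", 0, 23), ("day", 1, 31),
                ("month", 1, 12), ("weekday", 0, 7)]
# One list item: '*' or N or N-M, each with an optional /step.
ITEM_RE = re.compile(r"^(\*|(\d+)(?:-(\d+))?)(?:/(\d+))?$")


def field_ok(field, low, high):
    """True if every comma-separated item of the field is within bounds."""
    for item in field.split(","):
        m = ITEM_RE.match(item)
        if not m:
            return False
        star, start, end, step = m.group(1) == "*", m.group(2), m.group(3), m.group(4)
        if not star:
            lo = int(start)
            hi = int(end) if end is not None else lo
            if lo < low or hi > high or lo > hi:
                return False
        if step is not None:
            s = int(step)
            # The step walks the field's own span; a step larger than the span
            # (e.g. 480 minutes) is the "bad minute" case.
            if s < 1 or s > high - low + 1:
                return False
    return True


def cron_line_errors(line):
    """Return cron-style error names ('bad minute', ...) for a cron.d line."""
    parts = line.split(None, 5)   # five time fields, then user and command
    if len(parts) < 6:
        return ["bad line"]
    return [f"bad {name}" for (name, lo, hi), f in zip(FIELD_BOUNDS, parts)
            if not field_ok(f, lo, hi)]


def refresh_fields(set_refresh):
    """Minute and hour fields for a SET_REFRESH interval given in minutes."""
    if set_refresh <= 0:
        raise ValueError("interval must be positive")
    if set_refresh < 60:
        return f"*/{set_refresh}", "*"
    hours, rem = divmod(set_refresh, 60)
    if rem or hours > 24:
        raise ValueError("interval must be a whole number of hours, at most 24")
    return "0", ("0" if hours == 24 else f"*/{hours}")


def refresh_cron_line(set_refresh):
    """The cron.d line for an interval; the command is the one from refresh.apf."""
    minute, hour = refresh_fields(set_refresh)
    return f"{minute} {hour} * * * root /etc/apf/apf --refresh >> /dev/null 2>&1"


if __name__ == "__main__":
    for bad in ("*/480 * * * * root /etc/apf/apf --refresh",
                "0-59/480 * * * * root /etc/apf/apf --refresh"):
        print(bad, "->", cron_line_errors(bad))
    for minutes in (10, 480, 1440):
        line = refresh_cron_line(minutes)
        print(minutes, "min ->", line, cron_line_errors(line))
```

    Feeding the file from the previous reply through cron_line_errors returns no errors, while */480 and 0-59/480 both come back as bad minute; refresh_fields(480) produces 0 */8 instead.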

  11. May I ask for a programming change to internals/functions.apf where you would add the following as part of the option string for wget?

    --bind-address=$NET

    Example:
    $WGET --bind-address=$NET -t 1 -T 4 $GD_URL_PROT://$GD_URL >> /dev/null 2>&1

    That way providers who are limiting access for say the global trust service can rely on the wget’s coming from the primary network card IP rather than a different IP.

    Thank you!

    1. I’ll get this into the next update of APF along with some of your more recent contributed changes, thanks as always Peter for being a loyal and long time supporter of my projects.


  12. Odin K.:

    I couldn’t find anything in the docs or the changelog regarding IPv6 support, save for a one year old comment that promised it to be implemented in the “near future”. So what’s the current status of IPv6 support?

    I am about to install a new system.

    I have been an ardent supporter of apf for 3 years now, but I want to make sure that my new system will handle ipv6.

    I saw 1-year-old comment from Ryan on this forum saying ipv6 would be addressed “in the very near future”.

    Is there a timetable for ipv6 capability in apf? If so, when? If ipv6 support will be added, will I be able to just upgrade an existing install or will I need to rip and replace?

    A quick reply would be appreciated

    Richard

    1. I do not have an ETA on full ipv6 support for APF however since APF is simply an iptables wrapper, it should not be a terribly complicated process to implement. This is something I will put time into as soon as possible.

      1. Please do. I have a number of systems with IPv6 addresses and as a result, are completely exposed. IPv6 support would be very much welcomed!

  13. Hi,
    APF won’t work (start) with a kernel above 2.6 … I installed the Debian package (apt-firewall) but it then won’t download the rules because starting with “/usr/local/sbin/apf -s” won’t work.

    thanks for the good work!

    martin

  14. Hi,
    I am getting attacks on the apache doc root, and the attacker is changing their IP address randomly. Is there any option to block the attacker using his MAC address?

    1. You can only filter by mac addresses for traffic inside your own network, as all public internet traffic will have the mac address of your local router/switch.

  15. On some servers where their DNS is shaky at start up, APF basically locks up the machine because there appears to be no time out.

    Can you please put in some logic that tests to see if DNS is working the way APF needs it to start, and then skip starting (sending an email out notifying it did not start)?

    1. Hi Ryan:

      On the iptables/DNS issue where APF can hang (until the server is rebooted and gone through interactively, skipping APF), is there some type of shell wrapper you could write to run a DNS test that, if it fails, skips loading apf and otherwise starts apf?

      Thank you.

    2. Hi Ryan:

      Here is a proof of concept test that may help (it does require dig to be available on the server):

      #!/bin/sh
      # Query a public name with a one-second timeout and a single try; dig prints
      # the line below when no configured resolver answers.
      DNS_FAILED=';; connection timed out; no servers could be reached'
      DNS_CHECK=$(/usr/bin/dig +time=1 +tries=1 +retry=0 yahoo.com | /bin/grep 'timed out')
      if [ "$DNS_CHECK" != "$DNS_FAILED" ]; then
        echo "local DNS is working"
      else
        echo "local DNS is not working"
      fi

      I tested "/usr/bin/dig +time=1 +tries=1 +retry=0 yahoo.com" and if local DNS is down, it comes back with its answer in <= 2 seconds.

      Could something like this be used to determine if APF should be started on reboot?

      And if not, then have an email address in /etc/apf/conf.apf for the admin to be emailed that apf is down?

  16. Using APF 9.7, when I use -r to restart I get these errors (DDOS and BFD are installed):

    apf(6891): {trust} deny all to/from /usr/local/ddos/ddos.sh
    iptables v1.3.5: invalid mask `ddos.sh' specified

    apf(19641): {trust} deny all to/from /usr/local/sbin/bfd
    iptables v1.3.5: invalid mask `bfd' specified

    I’ll buy you a couple of beers if you can help me fix this.
    Thanks

    1. It looks like you have some invalid entries in the APF deny file; I would recommend clearing out the file /etc/apf/deny_hosts.rules. The file should only contain IP/Host entries or commented lines prefixed with #.

      rm -f /etc/apf/deny_hosts.rules
      (apf will recreate it)

  17. Where are the old versions of all your projects? Sometimes the new versions just dont work and you need exact old versions.

    Like the syntax changes you made to the current version of APF make iptables shit itself.

  18. Just thought I’d mention a couple of the external blocklists are significantly out of date:

    The Project Honey Pot blocklist (rfxn.com/downloads/php_list) doesn’t appear to have been updated in some time and most of the IPs I double checked haven’t seen any malicious activity in the last 3 months.

    The DShield list (feeds.dshield.org/top10-2.txt) also appears to be very out of date – it has a timestamp of 1st June 2011, despite no obvious indications on their website.

    They have a newer top 100 list, but they recommend using a 20 subnet blocklist instead (http://feeds.dshield.org/block.txt).

    The Spamhaus list is still up to date and the reserved networks appears to be mostly correct as well (maybe a couple of entries missing).

  19. Good day, Ryan:

    On some servers where their DNS is shaky at start up, APF basically locks up the machine because there appears to be no time out.

    Can you please put in some logic that tests to see if DNS is working the way APF needs it to start, and then skip starting (sending an email out notifying it did not start)?

    Thank you.

  20. The current version of APF doesn’t like Ubuntu’s new kernel. Is there anything I can adjust in the configs to allow it to start?

    apf(32091): {glob} activating firewall
    apf(32131): {glob} kernel version not equal to 2.4.x or 2.6.x, aborting.
    apf(32091): {glob} firewall initalized

    uname -a
    Linux xxxxxx 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

    1. You must go into the conf.apf and set a “1” to MONOKERN. This is likely because you have a non-modular IPTables on your system.

      I ran into the same issue when I tried to run it the first time.

      U.

  21. what about this error:

    apf(22428): {rab} force set RAB disabled, kernel module ipt_recent not found.

    on recent centos installations the module used is xt_recent not ipt_recent


  22. BARRY:

    How can I filter access to port 3306 and allow only internal “c-class” access
    thanks
    barry

    you can do that by editing

    /etc/apf/allow_hosts.rules

    add in there something like:

    tcp:in:d=3306:s=192.168.0.0/24

    to allow incoming tcp traffic with source 192.168.0.0/24 and dest port 3306

    🙂

  23. I couldn’t find anything in the docs or the changelog regarding IPv6 support, save for a one year old comment that promised it to be implemented in the “near future”. So what’s the current status of IPv6 support?

  24. Great firewall!! Best I’ve seen so far. But there is one tiny thing I wish for. I run Debian Squeeze and when looking into the apache2 access.log I often see IP’s trying to get files like PHPMYADMIN. Then I wish I could block that IP, a kind of conditional blocking.
    Otherwise I’m satisfied. Many thanks.

  25. I have a question on upgrading APF from a previous (any) version to the latest:
    Is it OK to install on top of the installed version while the firewall is running or we should uninstall the previous first??

    Thank you

  26. Hi,

    I use your script with debian squeeze..

    Recently, I have :

    [email protected]:~# apf -d 91.86.84.61
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    apf(15440): (trust) added deny all to/from xx.xx.xx.xx

    Why ?

    My kernel is 2.6.38.2

    Thx for answer

  27. Found a server having very bad performance on “high” latency links (~80ms RTT, gbit US-EU resulting in max 7mbit…)

    the poor performances were caused by
    “echo 0 > /proc/sys/net/ipv4/tcp_window_scaling”
    (part of SYSCTL_TCP)

    Is there a specific reason to keep it disabled?

    Re-enabling window_scaling allowed me to reach the expected 500mbit+ on the exact same link :/

    1. I have the same problem as evcz .

      SYSCTL_TCP="1" results in "tcp_window_scaling=0", which leads to very much poorer server performance!

      1. This issue has been fixed in the production release of APF, I have removed tcp_window_scaling from the SYSCTL_TCP function. To enable window scaling again, run:
        echo 1 > /proc/sys/net/ipv4/tcp_window_scaling

        The use of window scaling is a double edged sword and though years ago posed some security implications along with standards issues, that is no longer the case today and its usage, being default enabled on most distro releases now, warrants the removal of disabling it from APF.


  28. Philippe Bolduc:

    Are you aware on any bug in apf 9.7 rev 1 or bfd removing local network from the firewall with a line like this in apf log ?
    {trust} removed 168 from trust system
    Thanks

    It’s related to ddos deflate;
    it’s using the command apf -u ip_address to unban an IP!!
    What it does is remove the host from [glob]*_hosts.rules and immediately remove the rule from the firewall.

    So for a reason that I don’t understand it ran apf -u 160, which deleted rules matching 160 in /etc/apf/allow_hosts.rules and /etc/apf/deny_hosts.rules


  29. Philippe Bolduc:

    Are you aware on any bug in apf 9.7 rev 1 or bfd removing local network from the firewall with a line like this in apf log ?
    {trust} removed 168 from trust system
    Thanks

    It’s related to ddos deflate

    it’s using the command apf -u ip_address to unban an IP!!

    What it does is remove the host from [glob]*_hosts.rules and immediately remove the rule from the firewall.

  30. Hi,

    thx for your great tools,
    and I have a problem: I have two NICs to the internet, each to a different ISP, and I want apf to work on both of them.
    How can I do that?

    my config is :
    # Untrusted Network interface(s); all traffic on defined interface will be
    # subject to all firewall rules. This should be your internet exposed
    # interfaces. Only one interface is accepted for each value.
    #IFACE_IN="eth1"
    #IFACE_OUT="eth1"
    IFACE_IN="eth2"
    IFACE_OUT="eth2"
    IFACE_IN="eth1"
    IFACE_OUT="eth1"

  31. Great tool. Any plans to allow filtering on multiple interfaces like CSF? I am aware of the ability to specify different in and out interfaces as well as the trusted interface. However what I am looking for is the ability to filter 2 incoming interfaces for example.

  33. Hello,

    First I want to thank you for this beautiful and easy firewall software.

    Issue #1:
    I have noticed that global trust rules can not contain the IP of the machines downloading the rules, or else the machine will go crazy and open itself to every connection.
    This is strange to me, I think one interesting use of global trust is to have a set of machines downloading a single trust allow file containing their own IPs so they can communicate freely with each other.
    Wouldn’t it be great if the downloading apf just ignored the line with its own IP and respected the other lines?

    Issue #2:
    The SET_REFRESH option is useless (tested on Debian 5 and 6), because the cron daemon will ignore scripts in /etc/cron.d/ with dots (.) in their name. (Instead cron will download the rules once a day.)
    Interestingly, if you rename refresh.apf and take out the dot, cron will complain saying that there is an error in the minutes format (Debian specific issue?)

    Issue #3:
    I back up the guys who report RAB is not working because of a problem in check_rab() function in internal/functions.apf.
    Changing the line:
    if [ "$RAB" == "1" ] && [ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_recent.$MEXT" ]; then
    To:
    if [ "$RAB" == "1" ] && [ `grep -c "recent" /proc/net/ip_tables_matches` == "0" ]; then
    will solve the issue as reported elsewhere.

    Thank you very much for your work, I hope my suggestions can further improve apf.

  34. I have installed APF and BFD on my Trixbox PBX that has an external IP Address. It looks like a lovely tool. However I was trying to confirm that all traffic is automatically blocked out and incoming upon installation but to me it doesn’t seem so. I don’t have a rule for my VOIP provider yet incoming calls to my box via the VOIP provider are going through.
    Can you assist me in letting me know what I am missing? I would like to confirm that there is no possible access to the Box without a rule.

    Thanks

  35. I’d like to confirm that RAB won’t work on CentOS 5.5 with APF 9.7-1, giving the error "{rab} force set RAB disabled, kernel module ipt_recent not found." (though the module is loaded)

    I had to change the internals/functions.apf check for ipt_recent as suggested by Mike.

  36. Hi there,

    I installed APF on a webserver of mine which deals some ddos attacks in the last time. Now the server requires SSL, so I added

    IG_TCP_CPORTS="21,22,25,80,443"

    The firewall is working and in combination with ddos.sh it does the job but: If I try to connect to the site from different ISPs the connection fails.

    Am I missing something fundamental in the config? I’ve installed apf on my ubuntu 10.04 LTS server, Version: APF version 9.7

    Regards

    asrijaal

  37. Are you aware on any bug in apf 9.7 rev 1 or bfd removing local network from the firewall with a line like this in apf log ?

    {trust} removed 168 from trust system

    Thanks

  38. after many hours reading and tweaking I overcame my newbie mistakes and got apf working… but I think it may be working too well, as Google Checkout were unable to complete callback to insert an order into my orders database.

    I got this error message from Google Checkout:
    “Your server returned no data in its response; Checkout requires data of type merchant-calculation-results in response to merchant-calculation-callback”

    It might be random bad luck or it might be the apf firewall – Google say there was a response, so I’m leaning towards the idea that apf didn’t block Google Checkout.

    I’ve configured conf.apf like so:

    IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"

    IG_UDP_CPORTS="20,21,53,123"

    IG_ICMP_TYPES="3,5,11,0,30,8"

    EGF="0"

    Have I made a newbie error by not allowing 80 and 443 in IG_UDP_CPORTS? Sorry if this is a silly question.

    I have looked at the possibility of creating a whitelist of Google Checkout IP numbers for allow_hosts.rules but Google Checkout are always changing their IP numbers, they are basically unhelpful to anyone asking for Google Checkout callback IP numbers.

    I’m also wondering if I’ll see similar callback problems with PayPal IPNs… for now I’ve run $ apf -f and will come back to apf when I’ve read more about ports and protocols and am feeling less newbish. Maybe I did overkill when I enabled so many blacklists.

    1. I personally use APF on systems with IPN callbacks from paypal and have never had an issue nor has it ever been reported by anyone else — and there are over 21,000 servers using APF currently, so it’s not for a lack of opportunity for it to cause a problem. Technically speaking, as long as you have port 80/443 open, most callback systems should work fine.

  39. I have a problem: every day at 4am my server gets blocked by the firewall, and I have to do “iptables -F” to gain access again. All day it works well, and then at the next 4am everything gets blocked.

    May 10 04:00:01 xela crond[17416]: (root) CMD (/usr/local/sbin/bfd -q)
    May 10 04:00:01 xela crond[17422]: (root) CMD (/etc/apf/apf --refresh >> /dev/null 2>&1 &)

    how to fix it??

  41. How do I report a bug?

    RAB is always disabled on RHEL4 and RHEL5 though the kernel supports the necessary module:

    {rab} force set RAB disabled, kernel module ipt_recent not found.

    It happens because this check in internals/functions.apf fails:

    [ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/xt_recent.$MEXT" ]

    I think there should be && instead of || in that line.

    Also, I think there is a better way to check for ipt_recent support:

    [ `grep -c "recent" /proc/net/ip_tables_matches` == "0" ]

    (idea taken from here: http://wiki.mediatemple.net/w/%28ve%29:Using_apf_with_RAB)

    Thanks for the great work!

  42. How can i see what line is not working

    i see a few lines:
    iptables: Unknown error 4294967295

    But I don’t know which line is causing this.

    Can anybody help ?

      1. I’m running CentOS 5.6 on a VPS

        (multi-homed XenServer Enterprise platform)

        but is there a way to see what rule or line is causing this error? Maybe I don’t need that line?

        Thanks.

  43. Ryan,
    Where exactly in the APF config would I specify this sort of iptables command:
    iptables -A INPUT -p tcp -m tcp --sport 2222 --dport 22 -j ACCEPT

    For the example above, I don’t want to change the listening port for the installed service, but I want external connections to have to connect to port 2222/tcp.

    I have tried manually running the iptables command, but it gets inserted after the 3 tcp,udp,all DROP commands on the INPUT chain.

    I presume I have the correct syntax.
    Thanks,
    –Gord.

  44. Hi,
    The internals/reserved.networks file (829 bytes) contains 62 ‘Class A reserved networks’, but the IANA.org website only has 16 reserved networks 224.0.0.0/8 – 255.0.0.0/8.
    The other 46 Class A networks listed in the reserved.networks file cause legitimate IPs to be blocked.
    –Gord.

    1. This is not the case:
      http://rfxn.com/downloads/reserved.networks

      The maintained reserved.networks file that rfxn.com hosts has only 13 lines in it. Unless you go out of your way to disable in conf.apf the updating of the reserved.networks file, this will automatically update whenever APF starts.

      However, I have gone ahead and updated the reserved.networks file within the apf-current release package for good measure.

      1. The Debian 6.0 package for apf-firewall has the following default conf.apf settings:
        BLK_RESNET="1"
        DLIST_RESERVED="0"

        Also, in the conf.apf file, the description for BLK_RESNET describes a second variable called USE_RD, which does not exist. I presume USE_RD has been updated by DLIST_RESERVED.

        I have updated my reserved.networks file to the current one on your site.

        dpkg --list | grep apf
        ii apf-firewall 9.7+rev1-2 easy iptables based firewall system

        –Gord.

  45. I’ve been playing with apf for a few days. Looks really good.

    However, I run my Linux firewall as a NAT host as well as a router. Is there any support within apf for performing NAT as well?

    1. Let me clarify, because reading my post it might confuse.

      I use my CentOS linux box as a firewall on a dynamic DSL connection. My clients connect to it for internet access, and they expect the firewall to NAT connections for them.

  46. Hi,
    Thank for your helpful projects very much.

    I am using your scripts, everything looks to be working well, but when I log in to cPanel there is a problem:

    ########################
    [a fatal error or timeout occurred while processing this directive]
    Pic: http://img847.imageshack.us/img847/5343/fatal.jpg
    ########################

    And here is content of this error:

    ########################
    not a reference at /usr/local/cpanel/Cpanel/DIp/MainIP.pm line 210
    Carp::croak('not a reference') called at /usr/lib/perl5/site_perl/5.6.2/i686-linux/Storable.pm line 76
    Storable::logcroak('not a reference') called at /usr/lib/perl5/site_perl/5.6.2/i686-linux/Storable.pm line 244
    Storable::_store('CODE(0x9ed647c)', undef, '/home/lkstarv2/.cpanel/datastore/all_iplist.db', 0) called at /usr/lib/perl5/site_perl/5.6.2/i686-linux/Storable.pm line 218
    Storable::nstore(undef, '/home/lkstarv2/.cpanel/datastore/all_iplist.db') called at /usr/local/cpanel/Cpanel/DIp/MainIP.pm line 210
    Cpanel::DIp::MainIP::getconfiguredips() called at /usr/local/cpanel/Cpanel/DIp/MainIP.pm line 41
    Cpanel::DIp::MainIP::getmainip() called at /usr/local/cpanel/Cpanel/DIp.pm line 38
    Cpanel::DIp::isdedicatedip(210.211.110.235) called at /usr/local/cpanel/Cpanel/ExpVar.pm line 443
    Cpanel::ExpVar::hasdedicatedip() called at /usr/local/cpanel/Cpanel/StatsBar.pm line 63
    Cpanel::StatsBar::api2_stat('rowcounter', 'mainstats', 'display', 'hostingpackage|shorthostname|cpanelversion|theme|apacheversion|p…') called at (eval 79) line 1
    eval '$dataref = [Cpanel::StatsBar::api2_stat(%{$rCFG})];' called at /usr/local/cpanel/Cpanel/Api2/Exec.pm line 84
    Cpanel::Api2::Exec::api2_exec('StatsBar', 'stat', 'HASH(0xadff88c)', 'HASH(0xae06614)') called at cpanel line 607
    main::real_cpexectag('<?cp StatsBar::stat(^J[tr class="row-%"]^J [td class="stats_lef…') called at cpanel line 3879
    main::dotag_finished_headers(0) called at cpanel line 3664
    main::cpanel_parseblock('<table width="100%" id="stats_extended" class="truncate-table" c…') called at cpanel line 3612
    main::cpanel_parse('GLOB(0xae24f94)') called at cpanel line 2491
    main::doinclude('/usr/local/cpanel/base/frontend/x3/branding//extended_statsbar.h…', 0, 1) called at /usr/local/cpanel/Cpanel/Branding.pm line 49
    Cpanel::Branding::Branding_include('extended_statsbar.html') called at (eval 74) line 1
    eval 'Cpanel::Branding::Branding_include(@{$argref});' called at cpanel line 1136
    main::real_exectag('<?cp StatsBar::stat(^J[tr class="row-%"]^J [td class="stats_lef…') called at cpanel line 3876
    main::dotag_finished_headers(0) called at cpanel line 3664
    main::cpanel_parseblock('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "…') called at cpanel line 3612
    main::cpanel_parse('GLOB(0xa12eb44)') called at cpanel line 2491
    main::doinclude('/usr/local/cpanel/base/frontend/x3/branding//index.html', 0, 1) called at /usr/local/cpanel/Cpanel/Branding.pm line 49
    Cpanel::Branding::Branding_include('index.html') called at (eval 5) line 1
    eval 'Cpanel::Branding::Branding_include(@{$argref});' called at cpanel line 1136
    main::real_exectag('<?cp StatsBar::stat(^J[tr class="row-%"]^J [td class="stats_lef…') called at cpanel line 3876
    main::dotag_finished_headers(0) called at cpanel line 3704
    main::cpanel_parseblock('^J') called at cpanel line 3612
    main::cpanel_parse('GLOB(0x9fd1710)') called at cpanel line 5121
    main::run_standard_mode() called at cpanel line 424
    ########################

    Please help me to fix this problem, I can’t get my cPanel info.
    Thank you very much,
    Regards.

  47. The docs for APF are about 4 years old. Do the iptables module requirements within it still hold true? With the move to virtualization, it appears the most recent CentOS builds of iptables do not include many of the modules you list (at least on our Xen servers). Looking forward to your thoughts.

    1. I currently use the latest APF release on CentOS 5.5 based Xen servers and inside many Xen guest instances running CentOS as well. There should be no module specific changes required to APF as it will dynamically request the modules needed from the kernel.

      Likewise I will work to update the APF documentation here shortly, thank you.

  48. Ryan, for the past 2.5 months (approximately), we’ve been troubleshooting receiving automated emails from Verisign / Geotrust.

    It turns out one of the rule imports blocks the emails from Verisign / Geotrust.

    I’ve not yet been able to narrow down which rule import — php, spamhaus, dshield, ECN yet.

    Please do review these IP inclusions to make sure each IP on the list is still valid. Thank you!

  49. I’m trying to insert allow rules using the “apf -a” command, but I need to just allow ssh inbound. I’m trying to use the form

    apf -a tcp:in:d=22:s=10.10.10.10 "test address"

    but I get an error:

    iptables v1.3.5: host/network `tcp:in:d=22:s=10.10.10.10' not found

    The rule seems to take anyway, at least an “apf -t” shows

    Mar 06 15:56:47 ip-10-10-10-1 apf(3543): (trust) added allow all to/from tcp:in:d=22:s=10.10.10.10

    and “apf -l” shows

    22 0 0 ACCEPT tcp -- * * 10.10.10.10 0.0.0.0/0 tcp dpt:22

    I’m guessing that apf parses the port/address specification properly, but doesn’t feed it to iptables the way iptables likes.

    -Paul McKinley

  50. Hi,

    I have a strange issue that occurs intermittently. My system (CentOS 5.4) runs Plesk, and occasionally at 4.30am it will lock down access to the server to everyone except those specifically in the allow_hosts.rules file.
    The cron log at the time shows that a RELOAD occurs at the same time as the 10 minute refreshes. Could this conflict?

    Mar 3 04:30:01 ns6 crond[17415]: (*system*) RELOAD (/etc/cron.d/refresh.apf)
    Mar 3 04:30:01 ns6 crond[30465]: (root) CMD (/etc/apf/apf --refresh >> /dev/null 2>&1 &)

    Performing an apf -r fixes the issue.

    Thanks in advance.
    Mark

    1. What version of APF are you currently running? I would recommend you try clearing any rules in deny_hosts and if needed attempt a fresh reinstall of APF.

  51. Ryan, at present, when a CentOS (versions don’t seem to matter) reboots with APF, if there are any problems whatsoever with /etc/resolv.conf working, APF hangs the entire machine.

    Can you please add a customizable time out feature to a future version of APF that if local DNS is (temporarily) down, APF will do what it can, and allow the reboot process to continue?

    Thank you.

    1. Peter,
      This is a long standing issue that has more to do with accepting host names in the trust rules: if there are any network issues they are not resolvable, and iptables has no built in timeout feature for resolving DNS. I will see what I can come up with as a solution and put it into the next release, thank you for your continued support.

    2. In my case, it doesn’t hang the machine, but apf doesn’t run at all. The system continues to boot, leaving my CentOS 5.5 wide open.

      I look forward to an update.

        1. Actually, apf is already set to run at boot time. It fails to run, period. I have to start it manually after boot.

          I think mine is a variant problem related to the OP’s.

  52. Hi,

    Is there a way to block countries that will not affect the performance of apf? I did try to use /etc/apf/deny_hosts.rules and placed CIDRs in it. The file went up to 80K and this makes apf very slow when restarted and eventually crashed the servers.

    Please advise on an alternative way to do this.

    Thank you.

    1. APF uses iptables, the linux kernel firewalling mechanism which stores rules into kernel memory. As the number of iptables rules in kernel memory increases, the performance of iptables degrades. When you enter the realm of 10k+ rules you really are entering an area that iptables is not intended or designed for, I would encourage you to consider broader rules using IP masking to encompass larger netblocks thus reducing the amount of rules required. An example would be that if you want to block 172.3.44.0 – 172.3.44.255, that you block it as 172.3.44.0/24 instead of adding every IP in the range to the rules.
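    The aggregation Ryan describes, carried out on a sample list, as an added example (Python, not part of APF): it reads deny_hosts.rules-style lines, merges adjacent and overlapping IPv4 entries into the smallest set of CIDR blocks, and passes advanced proto:flow:port:ip rules through untouched. The sample list is constructed around the 172.3.44.0/24 range from the reply.

```python
"""Collapse an APF-style deny list into the smallest equivalent set of CIDR
blocks. Added example, not APF code.

Plain deny_hosts.rules lines are one IPv4 address or CIDR block per line;
'#' comments and blank lines are ignored. Advanced proto:flow:port:ip rules
cannot be merged safely, so they are passed through unchanged.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample: 256 consecutive hosts, two halves of the next /24,
# a /24 plus a host it already covers, one stray host, one advanced rule.
SAMPLE_DENY_LIST = (
    "# country block, one host per line (constructed)\n"
    + "".join(f"172.3.44.{i}\n" for i in range(256))
    + "172.3.45.0/25\n172.3.45.128/25\n"
    + "10.20.30.0/24\n10.20.30.40\n"      # host already inside the /24
    + "192.0.2.7\n\n"
    + "tcp:in:d=25:s=198.51.100.9\n"     # advanced rule, passed through
)


def parse_deny_list(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Split the file into mergeable networks and lines to keep verbatim."""
    nets, passthrough = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False also accepts entries with host bits set (1.2.3.4/24)
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            passthrough.append(line)
    return nets, passthrough


def collapse_deny_list(text: str) -> List[str]:
    """Return the equivalent list with the fewest rules, plain hosts first."""
    nets, passthrough = parse_deny_list(text)
    merged = ipaddress.collapse_addresses(nets)
    # Emit single hosts without a /32 suffix, matching APF's plain form.
    out = [str(n.network_address) if n.prefixlen == 32 else str(n) for n in merged]
    return out + passthrough


def rule_count_before_after(text: str) -> Tuple[int, int]:
    """How many iptables rules the list costs before and after collapsing."""
    nets, passthrough = parse_deny_list(text)
    return len(nets) + len(passthrough), len(collapse_deny_list(text))


if __name__ == "__main__":
    for line in collapse_deny_list(SAMPLE_DENY_LIST):
        print(line)
    print("rules: %d -> %d" % rule_count_before_after(SAMPLE_DENY_LIST))
```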

  53. Any tips for running APF on a public facing name server? We have attempted to run it and find that after a period of time strange events start happening where our network monitor (Opsview aka Nagios) starts thinking SMTP has died on a couple of our email servers. As soon as we turn off APF on the name servers our network monitor thinks all is good again. SMTP is in fact OK, so not sure where to look and/or how to correct what APF is clearly causing.

    Any tips and/or ideas?

  54. I am using Your APF solution on a couple of my servers and it is very useful. You did a great job with it.

    Recently I have updated kernel to 2.6.18-194.26.1.el5xen (CentOS) on most of the machines due to security issues of the previous version. Unfortunately this breaks APF completely. Iptables when started manually and having the rules set manually work fine, but when I run APF it doesn’t.

    All the rules are there. I tried doing iptables save and then reloading it with service iptables start – it doesn’t help.

    It seems like nothing is being filtered by the rules set with APF. Can anyone help?

  55. I am using APF firewall with plesk for around 3 years and I am quite satisfied with it.

    Recently one of our customers required limiting the number of connections per IP on his server but I couldn’t find anything in APF which can achieve this.

    I found on a website the syntax that can be used to limit the connections per IP using connlimit module but I don’t know how to use this in APF.

    /sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset

    Please advise.

    1. See the post by Ryan 19 posts below

      If you are looking for generic flood protection from SYN/CONNECTION based flooding of port services, you can use fguard:
      http://rfxn.com/downloads/fguard

      Edit the script with your email address and set the ptrig values, they are in the format of PORT:TRIGGER , trigger is the maximum amount of connections from a single IP before it is blocked i.e: 80:100 = port 80, ban at 100 connections per ip.

      1. Maybe you can tell how we can use this in apf?
        Where does it need to be saved and how can we make apf understand to use the file?

  56. I was introduced to apf (and bfd) by a very helpful friend, Ian and I absolutely love the simplicity of configuration and the clarity of the documentation.

    I am still in trial mode with it but I ran across a problem that was not solved by the recommended configuration and would like to see if there is a better way to handle it. I have used a workaround solution but it carries with it problems of its own so I do not want to leave that solution in place long term.

    I tried going to the forum as recommended in the readme in /etc/apf/doc but the url bounced so I am trying this route.

    Is there a way (like apf -d) that I can add IPs to a list that will stop ALL traffic from that IP, even if the traffic is coming in on a port that is allowed to all others?

    It appears to me that when I try to add an IP to be blocked via apf -d IP, it places the DENY IP rule late in the iptables rule set, AFTER the ALLOW PORT rule has already passed the offender through to my server. This sequencing invalidated my attempt to use the apf -d IP to stop a hacker from South Africa from pounding away at my server. At one point, this hacker had over 2,000 connections going at my server. BFD did not catch and stop the hacker since I run a VOIP PBX and the hacker came in with SIP registrations which were legitimate (calls) according to the server.

    We did stop the hacker by disabling the USE_RD="0" to stop apf from refreshing the reserved.networks file and adding the offending IP (196.28.38.72) to the reserved networks file. This put the DENY IP rule early on in the iptables rule set and stopped the hacker before the ALLOW PORT rule was encountered. Unfortunately, I am now left with a static reserved.networks file and I do not like that solution long term.

    I would have thought that using apf -d would tell the system that IP is NEVER to be allowed in, but that does not seem to be the case.

    My question is: Is there a way (like apf -d) that I can add IPs to a list that will stop ALL traffic from that IP, even if the traffic is coming in on a port that is allowed to all others? And of course allow me to go back to a reserved.networks file that is automatically updated?

    Any ideas?

    Richard

    Richard Cantin
    Ayuda
    (519) 957-2414

    ++++++++++++++++++++++++++++++++++++++++++++++++++

    I run a VOIP PBX as the ONLY application on the server where I put apf and bfd

    I only need UDP ports 5060 and 10002_20000 accessible from the outside world to let this work so I have shut down all other incoming ports via IG_TCP_PORTS="" and IG_UDP_PORTS="5060,10002_20000". Ian and I also tried leaving ALL ports disallowed in conf.apf (IG_UDP_PORTS="" as well as IG_TCP_PORTS="") and putting into allow_hosts.rules the following:
    # Add the local network to ensure internal connections can do anything
    192.168.1.0/24
    #
    # Open, to all external connections that are not denied in deny_hosts.rules,
    # the UDP Ports required to support external access for VOIP
    # SIP Registration (5060)
    udp:in:d=5060:s=0/0
    udp:out:d=5060:d=0/0
    # RDP (Audio) (10002_20000)
    udp:in:d=10002_20000:s=0/0
    udp:out:d=10002_20000:d=0/0
    but that did not make things any better.

    The VOIP PBX is working fine so this set up allows what I need to pass. (and unfortunately the South African hacker, unless I add the offending IP to the reserved.networks file)

    1. I have changed the order in which APF loads the trust rules (allow/deny) to place the drop lists before any allow rules are loaded. This change has been pushed to the release version of APF.
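    A small parser for the trust-rule syntax used in Paul’s `apf -a` question (49) and Richard’s allow_hosts.rules fragment above, as an added example rather than APF’s own parsing code. The field grammar (tcp|udp : in|out : d=PORT or s=PORT, optionally LOW_HIGH : s=IP or d=IP, with 0/0 for any address) is taken from the rules quoted in the thread; the sample file is constructed from Richard’s fragment and keeps its upd typo so the checker has something to flag.

```python
"""Parse and validate APF trust rules (allow_hosts.rules / deny_hosts.rules
lines and the argument to `apf -a` / `apf -d`). Added example, not APF code.
  plain:     192.168.1.0/24             an address or CIDR block
  advanced:  tcp:in:d=22:s=10.10.10.10  proto:flow:port:ip
Port field: d=PORT or s=PORT, optionally a LOW_HIGH range.
Address field: s=IP or d=IP, where 0/0 means any address.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOS = {"tcp", "udp"}
FLOWS = {"in", "out"}
PORT_RE = re.compile(r"^([sd])=(\d{1,5})(?:_(\d{1,5}))?$")
ADDR_RE = re.compile(r"^([sd])=(\S+)$")

@dataclass
class TrustRule:
    proto: Optional[str]       # None for the plain form
    flow: Optional[str]
    port_side: Optional[str]   # "d" or "s"
    ports: Tuple[int, int]     # (low, high); (0, 0) for the plain form
    addr_side: Optional[str]
    network: ipaddress.IPv4Network

def _parse_network(text: str) -> ipaddress.IPv4Network:
    """Accept a host, a CIDR block, or APF's 0/0 shorthand for any address."""
    if text == "0/0":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(text, strict=False)

def parse_trust_rule(line: str) -> TrustRule:
    """Return the parsed rule, or raise ValueError naming the bad field."""
    rule = line.split("#", 1)[0].strip()
    if not rule:
        raise ValueError("empty rule")
    fields = rule.split(":")
    if len(fields) == 1:
        return TrustRule(None, None, None, (0, 0), None, _parse_network(rule))
    if len(fields) != 4:
        raise ValueError(f"expected proto:flow:port:ip, got {len(fields)} fields")
    proto, flow, port, addr = fields
    if proto not in PROTOS:
        raise ValueError(f"unknown protocol {proto!r} (expected tcp or udp)")
    if flow not in FLOWS:
        raise ValueError(f"unknown flow {flow!r} (expected in or out)")
    port_m = PORT_RE.match(port)
    if not port_m:
        raise ValueError(f"bad port field {port!r} (expected d=PORT, s=PORT or d=LOW_HIGH)")
    low = int(port_m.group(2))
    high = int(port_m.group(3) or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range {low}_{high} is out of order or out of range")
    addr_m = ADDR_RE.match(addr)
    if not addr_m:
        raise ValueError(f"bad address field {addr!r} (expected s=IP or d=IP)")
    try:
        network = _parse_network(addr_m.group(2))
    except ValueError as exc:
        raise ValueError(f"bad address {addr_m.group(2)!r}: {exc}") from None
    return TrustRule(proto, flow, port_m.group(1), (low, high), addr_m.group(1), network)

def check_trust_file(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, line, error) for every rule line that does not parse."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.split("#", 1)[0].strip():
            continue  # blank line or comment
        try:
            parse_trust_rule(raw)
        except ValueError as exc:
            problems.append((lineno, raw.strip(), str(exc)))
    return problems

# Constructed from the allow_hosts.rules fragment posted above, typo included.
SAMPLE_ALLOW_HOSTS = """\
# Add the local network to ensure internal connections can do anything
192.168.1.0/24
# SIP registration (5060)
upd:in:d=5060:s=0/0
udp:out:d=5060:d=0/0
# audio stream ports (10002_20000)
udp:in:d=10002_20000:s=0/0
udp:out:d=10002_20000:d=0/0
"""

if __name__ == "__main__":
    for lineno, line, error in check_trust_file(SAMPLE_ALLOW_HOSTS):
        print(f"line {lineno}: {line!r}: {error}")
```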

  57. Hi,

    There is no explanation on how to set up a VNET for virtual private servers. The readme file says to look at 3.4 for more detailed information, but I did not find any info about how to set it up; 3.4 just gives the topic name and no article is provided.

  58. Hi

    I’m a bit ‘lost’ with installing APF on Trustix Linux box, which is a very outdated linux release, but can’t afford to update/replace with newer live distros.
    Anyway, I D/L-ed ‘apf-current.tar.gz’ and ran ./install.sh
    then I edited conf and wanted to try but unfortunately with no luck as I get:
    service apf restart
    apf: unrecognized service

    or
    chkconfig --list apf
    error reading information on service apf: No such file or directory

    APF installed in “/etc/apf” but not as a service it seems.
    Unfortunately RPM installation didn’t do it either.

    Can it be done like it is on CentOS ?

    Thank you


    1. Han Solo:

      Hi
      I’m a bit ‘lost’ with installing APF on Trustix Linux box, which is a very outdated linux release, but can’t afford to update/replace with newer live distros.

      What do you mean when you say that you cannot afford to upgrade to a newer Linux? CentOS is freeware. All it will cost you is six blank CD’s.

  59. Is there a forum for APF and other utilities? I see a forum when I search Google, but it appears to be restricted.

    Anyway, I have a problem with APF not starting correctly on OpenVZ with multiple IP addresses. venet0 is 127.0.0.1 and venet0:0 and venet0:1 are the external IPs, and APF comes up with errors on them. I don’t know whether the ethX:X/venetX:X syntax is affecting it.

    Does it work with multiple IPs? IFACE_IN and IFACE_OUT appear to take single IPs only

    apf(20007): {glob} flushing & zeroing chain policies
    apf(20007): {glob} firewall offline
    apf(20043): {glob} activating firewall
    apf(20088): {glob} could not verify that interface venet0:0 is routed to a network, aborting.
    apf(20043): {glob} firewall initalized
    apf(20043): {glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes.

  60. May I ask where you ran nmap? If it was on the same system then you will see the port reported as up. Please test it from a separate system.


    Martin:

    I recently installed APF. It appears to be installed properly. My aim is to block port 25 on the server. However, after removing port 25 from the config file, I reloaded, but port 25 is still OPEN. I confirmed this by running nmap, and port 25 is still open. Can someone tell me what might be wrong?

  61. I recently installed APF. It appears to be installed properly. My aim is to block port 25 on the server. However, after removing port 25 from the config file, I reloaded, but port 25 is still OPEN. I confirmed this by running nmap, and port 25 is still open. Can someone tell me what might be wrong?

  62. Hi,

    First of all, thank you for the great software you have created. It is one of our vital protections against outside threats.

    Currently we have an issue with IPv6. May I ask if APF can filter IPv6? Doing an iptables -L shows all the rules loaded, but when ip6tables -L is used the output is:
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    I guess there are no filter rules on IPv6. We are using an IPv6-aware OS on a public network.

    Please advise on how to enable IPv6 filtering.

    Thank you

  63. Hello
    I was wondering if it’s possible to use apf for a standalone PC connected to an untrusted LAN, not necessarily intended to be used as a server, just for personal use.

    thanks

  64. Hi Ryan:

    I hope you and your family are doing well.

    When you get to updating APF, can you check how it can be made more user friendly on reboots when local dns (/etc/resolv.conf) may be broken?

    What we’ve seen is that if there are any local DNS resolution issues, APF can cause bootup to hang for an indefinite period of time.

    Thank you.

  65. hello all,

    I was DDoS’ed for 2 days now… apf + ddos-deflate seems to help!
    But could anybody help me with how to run my own firewall script and apf simultaneously?
    Because my own firewall script is also kinda big and there are some important drops in it, so I have to get it running.
    Thx for your help!

    greetz mike

  66. Hi Ryan,

    Firstly thanks for a great tool you provide in APF.

    I have recently installed 9.7-1 and greatly appreciate the ease of managing global allow and deny lists remotely from a single source.

    I decided to keep my global lists in a secure password protected directory, and to this end made some modifications to APF to allow ease of configuration, which I believe may be a nice addition to your official release 🙂

    Herewith the changes:

    conf.apf:
    ----------

    # Global Trust

    USE_RGT="1"

    # Specify whether wget should check the SSL certificate - used in conjunction with the https protocol.
    RGT_CHECK_CERT="0"

    # Specify a username and password for wget to apply when fetching the global lists
    RGT_WGET_USER="apf"
    RGT_WGET_PASS="test"

    internals/functions.apf:

    glob_allow_download() {
        # Set whether wget should check the certificate or not
        if [ "$RGT_CHECK_CERT" == "1" ] && [ "$GA_URL_PROT" == "https" ]; then
            CHECK_CERT=""
        else
            CHECK_CERT="--no-check-certificate"
        fi

        # Set the wget username if necessary
        if [ ! "$RGT_WGET_USER" == "" ]; then
            WGET_USER="--user=$RGT_WGET_USER"
        else
            WGET_USER=""
        fi

        # Set the wget password if necessary
        if [ ! "$RGT_WGET_PASS" == "" ]; then
            WGET_PASS="--password=$RGT_WGET_PASS"
        else
            WGET_PASS=""
        fi

        $WGET -t 1 -T 4 $CHECK_CERT $WGET_USER $WGET_PASS $GA_URL_PROT://$GA_URL >> /dev/null 2>&1
    }

    glob_deny_download() {
        # Set whether wget should check the certificate or not
        if [ "$RGT_CHECK_CERT" == "1" ] && [ "$GD_URL_PROT" == "https" ]; then
            CHECK_CERT=""
        else
            CHECK_CERT="--no-check-certificate"
        fi

        # Set the wget username if necessary
        if [ ! "$RGT_WGET_USER" == "" ]; then
            WGET_USER="--user=$RGT_WGET_USER"
        else
            WGET_USER=""
        fi

        # Set the wget password if necessary
        if [ ! "$RGT_WGET_PASS" == "" ]; then
            WGET_PASS="--password=$RGT_WGET_PASS"
        else
            WGET_PASS=""
        fi

        $WGET -t 1 -T 4 $CHECK_CERT $WGET_USER $WGET_PASS $GD_URL_PROT://$GD_URL >> /dev/null 2>&1
    }

    This allows you to specify via the configuration file whether or not to check the SSL certificate against the available certificate authorities, as well as being able to password protect the global access lists that you have made publicly accessible.

    Regards,
    Patric

  67. I’ve been trying to find a way to take an existing APF box with two NICs and use it as a network gateway. But I can’t seem to get it to pass traffic as long as APF is on it. Are there any tutorials or instructions that cover this goal?

    Otherwise, this is a hell of a great application firewall! Thanks!

  68. Hi Ryan,

    Thanks for your reply. I’m still getting the same error after replacing functions.apf

    Everything else is still running fine. I am quite certain ipt_recent is loaded.

    apf(30459): {rab} force set RAB disabled, kernel module ipt_recent not found.

  69. Mike, I made a change to the functions file that I think should fix this, if you are running the latest version of APF please go ahead and download http://www.rfxn.com/downloads/functions.apf and replace /etc/apf/internals/functions.apf with it, let me know if you still experience the issue with RAB.


    Mike:

    Hi Ryan,

    I’ve been a long time user of APF. I am currently trying to install it with RAB in an OpenVZ container. I am successful with APF, but not APF with RAB:

    {rab} force set RAB disabled, kernel module ipt_recent not found.

    As you can see here, my modules should be properly loaded:

    # cat /proc/net/ip_tables_matches
    udp
    tcp
    recent
    state
    length
    ttl
    tcpmss
    multiport
    multiport
    limit
    tos
    icmp
    owner

    I have SET_MONOKERN="1" also.

    Perhaps there is some mis-communication between SET_MONOKERN and RAB? Or do you notice any mistakes in my configurations?

    1. Hi, I also get the error {rab} force set RAB disabled, kernel module ipt_recent not found.

      On line 155 of functions.apf, where it tests -f ipt_recent, is || supposed to be &&?

      I’ve changed the line and seems to be working correctly.

  70. Hi Ryan,

    I’ve been a long time user of APF. I am currently trying to install it with RAB in an OpenVZ container. I am successful with APF, but not APF with RAB:

    {rab} force set RAB disabled, kernel module ipt_recent not found.

    As you can see here, my modules should be properly loaded:

    # cat /proc/net/ip_tables_matches
    udp
    tcp
    recent
    state
    length
    ttl
    tcpmss
    multiport
    multiport
    limit
    tos
    icmp
    owner

    I have SET_MONOKERN="1" also.

    Perhaps there is some mis-communication between SET_MONOKERN and RAB? Or do you notice any mistakes in my configurations?

  71. If you are looking for generic flood protection from SYN/CONNECTION based flooding of port services, you can use fguard:
    http://rfxn.com/downloads/fguard

    Edit the script with your email address and set the ptrig values, they are in the format of PORT:TRIGGER , trigger is the maximum amount of connections from a single IP before it is blocked i.e: 80:100 = port 80, ban at 100 connections per ip.


  72. Faizan:

    Hello i did not see antidos feature in APF also did not find ad directory in apf i have installed latest version

    Hello, the changelog says that the antidos feature is replaced by the RAB feature.

  73. The get_ports command (and install.sh) leave out some of my open ports, such as 80 and 443 from Apache. Here is what “netstat -an” shows:

    tcp 0 0 :::80 :::* LISTEN
    tcp 0 0 :::443 :::* LISTEN

  74. APF automatically updates the reserved.networks file on the first start from http://www.rfxn.com/downloads/reserved.networks – this file is updated on every start call to APF and through a cron.daily job added during installation.

    If the reserved.networks file is not updating for you, please check: http://www.rfxn.com/bogon-filtering-update-it/


    Tech:

    Hi,
    I have seen that the file internals/reserved.networks isn’t updated.
    For example, I see in http://www.iana.org/assignments/ipv4-address-space that the network 95.0.0.0/8 has been assigned since 2007, but reserved.networks continues to block this network.
