Comments on: Advanced Policy Firewall

By: Peter M Abraham

Peter M Abraham — Thu, 19 Jan 2012 16:23:30 +0000

On some servers where their DNS is shaky at start up, APF basically locks up the machine because there appears to be no time out.

Can you please put in some logic that tests to see if DNS is working the way APF needs it to start, and then skip starting (sending an email out notifying it did not start)?

By: Ryan M.

Ryan M. — Wed, 11 Jan 2012 11:58:49 +0000

It looks like you got some invalid entries in the APF deny file , I would recommend clearing out the file /etc/apf/deny_hosts.rules. The file should only contain IP/Host entries or commented lines prefixed with #.

rm -f /etc/apf/deny_hosts.rules
(apf will recreate it)

By: Ryan M.

Ryan M. — Wed, 11 Jan 2012 11:44:45 +0000

No, APF will take over from CentOS Firewall for you.

By: Bryan Eggers

Bryan Eggers — Wed, 11 Jan 2012 11:36:09 +0000

Using APF 9.7, when I use -r to restart I get these errors (DDOS and BFD are installed):

apf(6891): {trust} deny all to/from /usr/local/ddos/ddos.sh
iptables v1.3.5: invalid mask `ddos.sh’ specified

apf(19641): {trust} deny all to/from /usr/local/sbin/bfd
iptables v1.3.5: invalid mask `bfd’ specified

I’ll buy you a couple of beers if you can help me fix this.
Thanks

By: ari

ari — Tue, 10 Jan 2012 18:54:37 +0000

are i must disable centos firewall before install apf?
thanks for answer

By: BFD Rules for Asterisk | Sean Siegel

BFD Rules for Asterisk | Sean Siegel — Tue, 03 Jan 2012 08:01:47 +0000

[...] a regular user of APF and BFD by RF Networks, I decided to make my own BFD scripts. I did find some very similar scripts [...]

By: Ryan M.

Ryan M. — Mon, 26 Dec 2011 00:15:45 +0000

Are there any errors that you are seeing specifically ? Please let me know and I will look into it promptly to correct it.

As for older versions of APF, I have put together a path where all previous versions can be downloaded:
http://www.rfxn.com/downloads/old/apf/

I hope this helps, thank you for your continued use of APF.

By: James

James — Sun, 25 Dec 2011 23:50:42 +0000

Where are the old versions of all your projects? Sometimes the new versions just dont work and you need exact old versions.

Like the syntax changes you made to current version of AFP make iptables shit itself.

By: Rob

Rob — Thu, 15 Dec 2011 00:58:03 +0000

Just thought I’d mention a couple of the external blocklists are significantly out of date:

The Project Honey Pot blocklist (rfxn.com/downloads/php_list) doesn’t appear to have been updated in some time and most of the IPs I double checked haven’t seen any malicious activity in the last 3 months.

The DShield list (feeds.dshield.org/top10-2.txt) also appears to be very out of date – it has a timestamp of 1st June 2011, despite no obvious indications on their website.

They have a newer top 100 list, but they recommend using a 20 subnet blocklist instead (http://feeds.dshield.org/block.txt).

The Spamhaus list is still up to date and the reserved networks appears to be mostly correct as well (maybe a couple of entries missing).

By: New Instalation Kloxo guide | www.prandah.com

New Instalation Kloxo guide | www.prandah.com — Wed, 07 Dec 2011 09:41:24 +0000

[...] that, you may want to install third-party firewall management scripts such as CSF (cache) or APF (cache) and its complements to detect and block threats like brute-force attacks and unauthorized [...]

By: Real customer service is more than a catchy marketing phrase

Real customer service is more than a catchy marketing phrase — Fri, 02 Dec 2011 17:03:38 +0000

[...] Most of our customers use the Advanced Policy Firewall by R-fx Networks. [...]

By: Peter M. Abraham

Peter M. Abraham — Thu, 24 Nov 2011 14:30:42 +0000

Good day, Ryan:

On some servers where their DNS is shaky at start up, APF basically locks up the machine because there appears to be no time out.

Can you please put in some logic that tests to see if DNS is working the way APF needs it to start, and then skip starting (sending an email out notifying it did not start)?

Thank you.

By: Locking Down Your Linux Server with APF + BFD | Snipe.Net | MKfmn | Matthew M. Kaufman

Sat, 19 Nov 2011 11:23:22 +0000

[...] access and protect yourself from brute force attacks. Two of my favorite scripts to do this are Advanced Policy Firewall coupled with Brute Force Detection, both by R-FX [...]

By: Kloxo Installation Guide | blog netforall

Kloxo Installation Guide | blog netforall — Thu, 17 Nov 2011 13:33:57 +0000

[...] For that, you may want to install third-party firewall management scripts such as CSF (cache) or APF (cache) and its complements to detect and block threats like brute-force attacks and unauthorized [...]

By: Securing cPanel After Install « Recon Hosting Docs

Securing cPanel After Install « Recon Hosting Docs — Sun, 13 Nov 2011 04:06:42 +0000

[...] firewall and bruteforce detection mechanism such as the free firewall [CSF]. Other options include [APF]+[BFD], or custom iptables [...]