Advanced Policy Firewall

Current Release:
http://www.rfxn.com/downloads/apf-current.tar.gz
http://www.rfxn.com/appdocs/README.apf
http://www.rfxn.com/appdocs/CHANGELOG.apf

Description:
Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file.

The technical side of APF is such that it utilizes the latest stable features from the iptables (netfilter) project to provide a very robust and powerful firewall. The filtering performed by APF is three fold:
1) Static rule based policies (not to be confused with a “static firewall”)
2) Connection based stateful policies
3) Sanity based policies

The first, static rule based policies, is the most traditional method of firewalling. This is when the firewall has an unchanging set of instructions (rules) on how traffic should be handled in certain conditions. An example of a static rule based policy would be when you allow/deny an address access to the server with the trust system or open a new port with conf.apf. So the short of it is rules that infrequently or never change while the firewall is running.

The second, connection based stateful policies, is a means to distinguish legitimate packets for different types of connections. Only packets matching a known connection will be allowed by the firewall; others will be rejected. An example of this would be FTP data transfers, in an older era of firewalling you would have to define a complex set of static policies to allow FTA data transfers to flow without a problem. That is not so with stateful policies, the firewall can see that an address has established a connection to port 21 then “relate” that address to the data transfer portion of the connection and dynamically alter the firewall to allow the traffic.

The third, sanity based policies, is the ability of the firewall to match various traffic patterns to known attack methods or scrutinize traffic to conform to Internet standards. An example of this would be when a would-be attacker attempts to forge the source IP address of data they are sending to you, APF can simply discard this traffic or optionally log it then discard it. To the same extent another example would be when a broken router on the Internet begins to relay malformed packets to you, APF can simply discard them or in other situations reply to the router and have it stop sending you new packets (TCP Reset).

Features:
– detailed and well commented configuration file
– granular inbound and outbound network filtering
– user id based outbound network filtering
– application based network filtering
– trust based rule files with an optional advanced syntax
– global trust system where rules can be downloaded from a central management server
– reactive address blocking (RAB), next generation in-line intrusion prevention
– debug mode provided for testing new features and configuration setups
– fast load feature that allows for 1000+ rules to load in under 1 second
– inbound and outbound network interfaces can be independently configured
– global tcp/udp port & icmp filtering with multiple filters (drop, reject, prohibit)
– configurable policies for each ip on the system with convenience variables to import settings
– packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp
– prerouting and postrouting rules for optimal network performance
– dshield.org block list support to ban networks exhibiting suspicious activity
– spamhaus Don’t Route Or Peer List support to ban known “hijacked zombie” IP blocks
– any number of additional interfaces may be configured as trusted or untrusted
– additional firewalled interfaces can have there own unique firewall policies applied
– intelligent route verification to prevent embarrassing configuration errors
– advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards
– filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more
– configurable type of service options to dictate the priority of different types of network traffic
– intelligent default settings to meet every day server setups
– dynamic configuration of your servers local DNS revolvers into the firewall
– optional filtering of common p2p applications
– optional filtering of private & reserved IP address space
– optional implicit blocks of the ident service
– configurable connection tracking settings to scale the firewall to the size of your network
– configurable kernel hooks (ties) to harden the system further to syn-flood attacks & routing abuses
– advanced network control such as explicit congestion notification and overflow control
– helper chains for FTP DATA and SSH connections to prevent client side issues
– optional rate limited event logging
– logging subsystem that allows for logging data to user space programs or standard syslog files
– comprehensive logging of every rule added
– detailed startup error checking
– if you are familiar with netfilter you can create your own rules in any of the policy files
– pluggable and ready advanced use of QoS algorithms provided by the Linux
– 3rd party add-on projects that compliment APF features

Funding:
Funding for the continued development and research into this and other projects is solely dependent on public contributions and donations. If this is your first time using this software we ask that you evaluate it and consider a small donation; for those who frequent and are continued users of this and other projects we also ask that you make an occasional donation to help ensure the future of our public projects.

236 Replies to “Advanced Policy Firewall”

  1. This is a question about the The Spamhaus Don’t Route Or Peer Lists (DLIST_SPAMHAUS) option.

    If I disable that and restart APF it still blocks IPs on the list. It seems I have to reboot the server to ‘see’ the change’. (Because of this it took me ages to discover APF was blocking an IP as I had tried stopping APF to rule that out! But that was not sufficient…)

    Would it not be better if an APF restart *saw* the change to this DLIST_SPAMHAUS option? (I have APF 9.7 – and thanks for a great product BTW)

    1. This is not the expected behavior, I will look into this further. However, with APF shut off from CLI with apf -f or /etc/init.d/apf stop, there would be no iptables rules loaded at all. So, there may have been another issue at play there causing the address in question to remain blocked.

      1. Well further tests showed it was NOT the DLIST_SPAMHAUS option that caused the issue. It was SYSCTL_ECN.

        And I *think* I got confused through having SET_FASTLOAD enabled.

        All is well now!

  2. I have identified what I believe is a bug this evening…

    We have a server where we need to permit other servers in the same subnet to communicate with it, we placed the subnet into allow_hosts.rules.

    However it appears that APF/iptables interprets this to mean that all traffic to the server should be allowed (i.e. source OR destination matches), rather than traffic purely sourced from that address range.

    1. When you place an address with no advanced syntax into allow_hosts.rules, the trust on that address is added for inbound and outbound traffic. So in placing the subnet that the server is on, in allow_hosts.rules, you effectively are telling the firewall to allow everything in and out of the server sourced from that subnet which is essentially to trust everything (since traffic will always be sourced to or from the ip of the server).

      This is a very common policy mistake with firewalls, care needs to be taken in the addresses that you trust as you can inadvertently create a trust all situation.

      If there are specific ports you require your subnet to access, a rule in allow_hosts.rules such as the following is more appropriate:
      tcp:in:d=3306:s=24.11.34.0/24

      The above would allow tcp traffic from 24.11.34.0/24 to port 3306. Please see the comments in /etc/apf/allow_hosts.rules for further examples.

  3. Hello Ryan,

    I’ve got a request and a question:

    request: could you please check your anti-spam system? it seems to spam or at least moderate all of my comments on your blog

    question: how can I evaluate what apf drops? I mean I see a few actions in my logs where I am completely unsure why they happened, I’ll show you two examples:

    Apr 19 16:17:58 h1870666 kernel: [87217.512563] ** PHP ** IN=eth0 OUT= MAC=00:24:21:af:8a:99:00:25:84:7b:bc:00:08:00 SRC=75.125.47.162 DST=85.214.229.212 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=768 DF PROTO=TCP SPT=48470 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080AD405DBBA0000000001030307)

    Apr 19 16:16:14 h1870666 kernel: [87113.329053] ** SDROP ** IN= OUT=eth0 SRC=85.214.249.219 DST=31.184.242.127 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=20863 DF PROTO=TCP SPT=37657 DPT=80 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B401010402)

  4. We are running into problems with a client that has APF set up on three (3) servers running CentOS 5.8 64-bit.

    Two of the three servers work as intended.

    On the one server, APF continues to block an IP that is valid doing valid things.

    The IP does not end up in /etc/apf/deny_hosts.rules

    It ends up in APF, and then in /etc/apf/internals/.apf.restore and sometimes also in /etc/apf/internals/refresh.drop.temp

    There’s no explanation why. Then when I remove the IP from those files (after stopping apf), and restart APF… it is like a battle where APF continues to block the IP, put it back in the files.. and I cannot find a way to have APF leave the IP alone.

    I’ve the IP set up in /etc/apf/allow_hosts.rules and /usr/local/bfd/ignore.hosts

    The IP is not listed in /var/log/apf_log so I have no idea as to why APF is treating this IP differently.

    I checked /var/log/messages and it is not even a SANITY issue.

    How can I trouble shoot this issue?

    Thank you.

  5. @Ryan:
    Thanks for replying but I am unsure about the documentation being clear, I mean look at this:

    # Log all traffic that is filtered by the firewall
    LOG_DROP=”1″

    I want that, as I am logging filtered traffic to my syslog file and I need it that way as I evaluate those logs later on.

    # This option will allow for all status events to be displayed in real time on
    # the console as you use the firewall. Typically, APF used to operate silent
    # with all logging piped to $LOG_APF. The use of this option will not disable
    # the standard log file displayed by apf –status but rather compliment it.
    SET_VERBOSE=”0″

    This sounds just like what I need: no log output to the console.

    Yet your reply to my comment sounds the other way around? Is it just me confused or is this misleading?

  6. It appears RAB TRIP is triggering incorrectly.

    Mar 27 15:50:53 mail kernel: ** RABHIT ** IN=eth1 OUT= MAC=52:99:c6:4c:f1:32:00:64:40:3a:43:40:08:00 SRC=[our client ip] DST=[our mail server] LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=32627 DF PROTO=TCP SPT=55353 DPT=995 WINDOW=34633 RES=0x3c CWR PSH SYN URGP=47720

    cat rab.ports
    # Low security ports
    RAB_PSCAN_LEVEL_1=”1,7,9,11,15,69,70″

    # Medium security ports
    RAB_PSCAN_LEVEL_2=”$RAB_PSCAN_LEVEL_1,79,109,119,512,513,517,518″

    # High security ports
    RAB_PSCAN_LEVEL_3=”$RAB_PSCAN_LEVEL_2,13,17,19,500,540,635,640,641,666,700,1024,1026,1027,1028,2023,2565,2703,3128,3389,4899,5900,6667,6711,7212,8000,8888,9989,10080,13000,16969,27374,32000″

    Given the rab ports above, even on rab level 3 (high security), why would the IP be blocked by RAB?

    Thank you.

    1. Peter,
      It may be and often is the case that the IP tripped RAB on a valid RAB monitored port then once its RAB ban is in place, all subsequent traffic on that IP will be logged, irrespective of the port. Likewise it is also possible it got tripped on a sanity rule, you can try disable RAB for packet sanity checks.

    1. This is something that has been making its way into most projects and I will work on it for APF as well, both back dating the changelog and putting in dates for all future updates.

  7. I have the smae problem all day at 4:03:01 a.m

    CRON: error in (/etc/cron.d/refresh.apf) problem is (bad minute)

    You can helpme, I should do?

  8. setting SET_VERBOSE=”0″ doesn’t seem to work, my console is still being flooded with messages making it impossible to work on the console.

    Any help here , please? I had to access my console during a DOS and it was impossible to use it as it was flooded with logs about packages being dropped 🙁

Leave a Reply

Your email address will not be published. Required fields are marked *