Advanced Policy Firewall

Current Release:
http://www.rfxn.com/downloads/apf-current.tar.gz
http://www.rfxn.com/appdocs/README.apf
http://www.rfxn.com/appdocs/CHANGELOG.apf

Description:
Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file.

The technical side of APF is such that it utilizes the latest stable features from the iptables (netfilter) project to provide a very robust and powerful firewall. The filtering performed by APF is threefold:
1) Static rule based policies (not to be confused with a “static firewall”)
2) Connection based stateful policies
3) Sanity based policies

The first, static rule based policies, is the most traditional method of firewalling. This is when the firewall has an unchanging set of instructions (rules) on how traffic should be handled in certain conditions. An example of a static rule based policy would be when you allow/deny an address access to the server with the trust system or open a new port with conf.apf. In short, these are rules that change infrequently or never while the firewall is running.

The second, connection based stateful policies, is a means to distinguish legitimate packets for different types of connections. Only packets matching a known connection will be allowed by the firewall; others will be rejected. An example of this is FTP data transfers: in an older era of firewalling you had to define a complex set of static policies to allow FTP data transfers to flow without a problem. That is not so with stateful policies; the firewall can see that an address has established a connection to port 21, then “relate” that address to the data transfer portion of the connection and dynamically alter the firewall to allow the traffic.

The third, sanity based policies, is the ability of the firewall to match various traffic patterns to known attack methods or scrutinize traffic to conform to Internet standards. An example of this would be when a would-be attacker attempts to forge the source IP address of data they are sending to you: APF can simply discard this traffic or optionally log it and then discard it. To the same extent, another example would be when a broken router on the Internet begins to relay malformed packets to you: APF can simply discard them or, in other situations, reply to the sender and have it stop sending you new packets (TCP Reset).
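As an added example, not APF's own code or configuration, here are the three policy classes written out as plain iptables rules for one public interface, in the order the classes must be evaluated. The interface name, the service ports, the address ranges, the DRY_RUN switch and the run helper are assumptions of this example; with DRY_RUN=1 the commands are printed instead of loaded, so the ruleset can be read before it touches a live host.

```sh
#!/bin/sh
# Added example (not part of APF): the three policy classes as iptables rules.
# IF, the port list, the address ranges and DRY_RUN are illustrative choices.

IF="${IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Kernel-side preparation. The FTP connection-tracking helper is what lets the
# stateful rule below "relate" a data channel to its control channel, and
# rp_filter discards packets whose source address is not routable back through
# the interface they arrived on (a cheap anti-spoofing check).
prepare_kernel() {
    run modprobe nf_conntrack_ftp
    run sysctl -w net.ipv4.conf.all.rp_filter=1
}

# 3) Sanity policies come first: they are cheap, and a packet that fails them
#    must never reach the stateful or static rules.
sanity_rules() {
    run iptables -A INPUT -i "$IF" -m state --state INVALID -j DROP
    # Forged sources: loopback and RFC 1918 space cannot legitimately arrive
    # on the public interface.
    run iptables -A INPUT -i "$IF" -s 127.0.0.0/8 -j DROP
    run iptables -A INPUT -i "$IF" -s 10.0.0.0/8 -j DROP
    run iptables -A INPUT -i "$IF" -s 192.168.0.0/16 -j DROP
    # A new TCP connection must begin with SYN; other first packets come from
    # broken stacks or scanners. Null and xmas flag combinations likewise.
    run iptables -A INPUT -i "$IF" -p tcp ! --syn -m state --state NEW -j DROP
    run iptables -A INPUT -i "$IF" -p tcp --tcp-flags ALL NONE -j DROP
    run iptables -A INPUT -i "$IF" -p tcp --tcp-flags ALL ALL -j DROP
}

# 2) Stateful policy: one rule accepts every packet that belongs to a
#    connection already allowed, including FTP data connections the helper
#    marks as RELATED, so no per-port rules for high ports are needed.
stateful_rules() {
    run iptables -A INPUT -i "$IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# 1) Static policies: the fixed list of services this host offers. The closing
#    rules answer other TCP ports with a reset (so the peer stops retrying)
#    and silently drop everything else.
static_rules() {
    for port in 21 22 80 443; do
        run iptables -A INPUT -i "$IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    run iptables -A INPUT -i "$IF" -p tcp -j REJECT --reject-with tcp-reset
    run iptables -A INPUT -i "$IF" -j DROP
}

# The complete INPUT ruleset, classes in evaluation order.
ruleset() {
    prepare_kernel
    sanity_rules
    stateful_rules
    static_rules
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
ruleset
```

Run it without arguments to review the rules; run it as root with `apply` to load them. The order matters: if the static ACCEPT rules came before the sanity checks, a spoofed or flag-mangled packet to port 80 would be accepted before the checks ever saw it.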

Features:
– detailed and well commented configuration file
– granular inbound and outbound network filtering
– user id based outbound network filtering
– application based network filtering
– trust based rule files with an optional advanced syntax
– global trust system where rules can be downloaded from a central management server
– reactive address blocking (RAB), next generation in-line intrusion prevention
– debug mode provided for testing new features and configuration setups
– fast load feature that allows for 1000+ rules to load in under 1 second
– inbound and outbound network interfaces can be independently configured
– global tcp/udp port & icmp filtering with multiple filters (drop, reject, prohibit)
– configurable policies for each ip on the system with convenience variables to import settings
– packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp
– prerouting and postrouting rules for optimal network performance
– dshield.org block list support to ban networks exhibiting suspicious activity
– spamhaus Don’t Route Or Peer List support to ban known “hijacked zombie” IP blocks
– any number of additional interfaces may be configured as trusted or untrusted
– additional firewalled interfaces can have their own unique firewall policies applied
– intelligent route verification to prevent embarrassing configuration errors
– advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards
– filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more
– configurable type of service options to dictate the priority of different types of network traffic
– intelligent default settings to meet every day server setups
– dynamic configuration of your server's local DNS resolvers into the firewall
– optional filtering of common p2p applications
– optional filtering of private & reserved IP address space
– optional implicit blocks of the ident service
– configurable connection tracking settings to scale the firewall to the size of your network
– configurable kernel hooks (ties) to harden the system further to syn-flood attacks & routing abuses
– advanced network control such as explicit congestion notification and overflow control
– helper chains for FTP DATA and SSH connections to prevent client side issues
– optional rate limited event logging
– logging subsystem that allows for logging data to user space programs or standard syslog files
– comprehensive logging of every rule added
– detailed startup error checking
– if you are familiar with netfilter you can create your own rules in any of the policy files
– pluggable and ready advanced use of QoS algorithms provided by the Linux kernel
– 3rd party add-on projects that complement APF features

Funding:
Funding for the continued development and research into this and other projects is solely dependent on public contributions and donations. If this is your first time using this software we ask that you evaluate it and consider a small donation; for those who frequent and are continued users of this and other projects we also ask that you make an occasional donation to help ensure the future of our public projects.

236 Replies to “Advanced Policy Firewall”

  1. Hi Ryan,

    Firstly thanks for a great tool you provide in APF.

    I have recently installed 9.7-1 and greatly appreciate the ease of managing global allow and deny lists remotely from a single source.

    I decided to keep my global lists in a secure password protected directory, and to this end made some modifications to APF to allow ease of configuration, which I believe may be a nice addition to your official release 🙂

    Herewith the changes:

    conf.apf:
    ----------

    # Global Trust

    USE_RGT="1"

    # Specify whether wget should check the SSL certificate - used in conjunction with the https protocol.
    RGT_CHECK_CERT="0"

    # Specify a username and password for wget to apply when fetching the global lists
    RGT_WGET_USER="apf"
    RGT_WGET_PASS="test"

    internals/functions.apf:

    glob_allow_download() {
        # Set whether wget should check the certificate or not
        if [ "$RGT_CHECK_CERT" = "1" ] && [ "$GA_URL_PROT" = "https" ]; then
            CHECK_CERT=""
        else
            CHECK_CERT="--no-check-certificate"
        fi

        # Set the wget username if necessary
        if [ -n "$RGT_WGET_USER" ]; then
            WGET_USER="--user=$RGT_WGET_USER"
        else
            WGET_USER=""
        fi

        # Set the wget password if necessary
        if [ -n "$RGT_WGET_PASS" ]; then
            WGET_PASS="--password=$RGT_WGET_PASS"
        else
            WGET_PASS=""
        fi

        # Fetch the global allow list (one try, four second timeout)
        $WGET -t 1 -T 4 $CHECK_CERT $WGET_USER $WGET_PASS "$GA_URL_PROT://$GA_URL" >> /dev/null 2>&1
    }

    glob_deny_download() {
        # Set whether wget should check the certificate or not
        if [ "$RGT_CHECK_CERT" = "1" ] && [ "$GD_URL_PROT" = "https" ]; then
            CHECK_CERT=""
        else
            CHECK_CERT="--no-check-certificate"
        fi

        # Set the wget username if necessary
        if [ -n "$RGT_WGET_USER" ]; then
            WGET_USER="--user=$RGT_WGET_USER"
        else
            WGET_USER=""
        fi

        # Set the wget password if necessary
        if [ -n "$RGT_WGET_PASS" ]; then
            WGET_PASS="--password=$RGT_WGET_PASS"
        else
            WGET_PASS=""
        fi

        # Fetch the global deny list (one try, four second timeout)
        $WGET -t 1 -T 4 $CHECK_CERT $WGET_USER $WGET_PASS "$GD_URL_PROT://$GD_URL" >> /dev/null 2>&1
    }

    This allows you to specify via the configuration file whether or not to check the SSL certificate against the available certificate authorities, as well as being able to password protect the global access lists that you have made publicly accessible.

    Regards,
    Patric
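An added example, not APF's code and not the patch in the comment above: the same goal (fetch a password-protected global list over HTTPS) with two changes a reviewer would ask for. Certificate checking stays on unless RGT_CHECK_CERT is explicitly "0", and the password never appears on the wget command line, where any local user can read it with ps; it goes into a wgetrc file that wget reads through --config (wget 1.14 and later; the wgetrc keys user, password and check_certificate are documented wget settings). RGT_WGETRC and the rgt_* function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not APF's own code). Hypothetical: RGT_WGETRC, rgt_* names.
# Relies on wget --config (wget >= 1.14) and the wgetrc keys
# user=, password=, check_certificate=.

RGT_CHECK_CERT="${RGT_CHECK_CERT:-1}"
RGT_WGETRC="${RGT_WGETRC:-/etc/apf/rgt.wgetrc}"

# rgt_wgetrc_body USER PASS: print the wgetrc contents. Only the literal value
# "0" turns verification off, so an unset or mistyped variable still verifies.
rgt_wgetrc_body() {
    if [ "$RGT_CHECK_CERT" = "0" ]; then
        echo "check_certificate = off"
    else
        echo "check_certificate = on"
    fi
    if [ -n "$1" ]; then
        echo "user = $1"
        echo "password = $2"
    fi
}

# rgt_write_wgetrc USER PASS: write the file under umask 077 so it is created
# mode 0600 and the password is never world-readable, not even briefly.
rgt_write_wgetrc() {
    ( umask 077 && rgt_wgetrc_body "$1" "$2" > "$RGT_WGETRC" )
}

# rgt_fetch_cmd PROTO HOST/PATH: print the wget command for one list.
# A trust list turns into allow/deny rules, so fetching it over plain http
# hands rule injection to anyone on the path; refuse that outright.
rgt_fetch_cmd() {
    if [ "$1" != "https" ]; then
        echo "rgt: refusing to fetch $2 over $1" >&2
        return 1
    fi
    echo "wget -q -t 1 -T 4 --config=$RGT_WGETRC https://$2"
}

# rgt_fetch PROTO HOST/PATH DEST: run the fetch, moving the result into place
# only on success so a failed download never truncates the current list.
rgt_fetch() {
    cmd=$(rgt_fetch_cmd "$1" "$2") || return 1
    $cmd -O "$3.tmp" && mv "$3.tmp" "$3"
}
```

Write the credentials once with `rgt_write_wgetrc apf 'secret'` as root, then call `rgt_fetch https lists.example/allow.txt /etc/apf/allow_hosts.rules.global`; the password lives only in the 0600 file, and a certificate mismatch now fails the fetch instead of being ignored by default.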

  2. I’ve been trying to find a way to take an existing APF box with two NICs and use it as a network gateway. But I can’t seem to get it to pass traffic as long as APF is on it. Are there any tutorials or instructions that cover this goal?

    Otherwise, this is a hell of a great application firewall! Thanks!

  3. Hi Ryan,

    Thanks for your reply. I’m still getting the same error after replacing functions.apf

    Everything else is still running fine. I am quite certain ipt_recent is loaded.

    apf(30459): {rab} force set RAB disabled, kernel module ipt_recent not found.

  4. Mike, I made a change to the functions file that I think should fix this, if you are running the latest version of APF please go ahead and download http://www.rfxn.com/downloads/functions.apf and replace /etc/apf/internals/functions.apf with it, let me know if you still experience the issue with RAB.

    1. Hi, I also get the error {rab} force set RAB disabled, kernel module ipt_recent not found.

      On line 155 of functions.apf, where it tests -f ipt_recent, is || supposed to be &&?

      I’ve changed the line and it seems to be working correctly.

  5. Hi Ryan,

    I’ve been a long time user of APF. I am currently trying to install it with RAB in an OpenVZ container. I am successful with APF, but not APF with RAB:

    {rab} force set RAB disabled, kernel module ipt_recent not found.

    As you can see here, my modules should be properly loaded:

    # cat /proc/net/ip_tables_matches
    udp
    tcp
    recent
    state
    length
    ttl
    tcpmss
    multiport
    multiport
    limit
    tos
    icmp
    owner

    I have SET_MONOKERN=”1″ also.

    Perhaps there is some mis-communication between SET_MONOKERN and RAB? Or do you notice any mistakes in my configurations?
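The three comments above show the same symptom: the kernel lists the `recent` match in /proc/net/ip_tables_matches, yet RAB is disabled because there is no ipt_recent module file to find on a monolithic kernel or inside an OpenVZ container. As an added example, not APF's own startup code, here is a check that asks the running kernel instead of the filesystem. The IPT_MATCHES variable, the function names and the sample /proc content in the test are constructed for this example.

```sh
#!/bin/sh
# Added example (not APF's own code). IPT_MATCHES and has_ipt_match are
# hypothetical names; IPT_MATCHES can be pointed at a file for testing.

IPT_MATCHES="${IPT_MATCHES:-/proc/net/ip_tables_matches}"

# has_ipt_match NAME: returns 0 if the running kernel offers the match, 1 if
# not. Checks the proc listing first (works for built-in and already-loaded
# modules alike), then tries a quiet modprobe under both module names the
# match has carried (xt_recent on newer kernels, ipt_recent on older ones)
# and re-reads the listing.
has_ipt_match() {
    name="$1"
    if [ -r "$IPT_MATCHES" ] && grep -qx "$name" "$IPT_MATCHES"; then
        return 0
    fi
    if command -v modprobe >/dev/null 2>&1; then
        modprobe "xt_$name" 2>/dev/null || modprobe "ipt_$name" 2>/dev/null || true
    fi
    [ -r "$IPT_MATCHES" ] && grep -qx "$name" "$IPT_MATCHES"
}

# rab_enabled: the startup decision reduced to its one real dependency, with
# a log line that says why RAB was turned off rather than blaming a module
# file that a monolithic kernel never has.
rab_enabled() {
    if has_ipt_match recent; then
        echo "{rab} recent match available, RAB enabled"
        return 0
    fi
    echo "{rab} force set RAB disabled, recent match not offered by running kernel"
    return 1
}
```

Point IPT_MATCHES at a copy of /proc/net/ip_tables_matches from the affected container to reproduce the decision offline; on the live host leave it at its default.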

  6. If you are looking for generic flood protection from SYN/CONNECTION based flooding of port services, you can use fguard:
    http://rfxn.com/downloads/fguard

    Edit the script with your email address and set the ptrig values. They are in the format PORT:TRIGGER, where trigger is the maximum number of connections from a single IP before it is blocked, i.e. 80:100 = port 80, ban at 100 connections per IP.
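As an added example, not the fguard script itself, here is the PORT:TRIGGER decision the comment describes, run over a constructed snapshot of established connections. A real deployment would feed it the local/remote address columns of `netstat -ntu` or `ss -ntu` and pass each offender to `apf -d`; here the snapshot is inline so it runs offline, the function only prints the decisions, and it handles IPv4 addresses only. The PTRIG variable, the sample data and the function name are assumptions of this example.

```sh
#!/bin/sh
# Added example (not rfxn's fguard). PTRIG, SAMPLE_CONNS and fguard_offenders
# are hypothetical; the connection snapshot is constructed for the example.

# "port:trigger" pairs, space separated: an IP is reported once it holds at
# least this many connections to the port.
PTRIG="${PTRIG:-80:3 22:2}"

# Constructed sample: "local:port remote:port" as netstat would print them.
# 198.51.100.7 holds four connections to port 80, 192.0.2.44 two to port 22.
SAMPLE_CONNS='203.0.113.10:80 198.51.100.7:51000
203.0.113.10:80 198.51.100.7:51001
203.0.113.10:80 198.51.100.7:51002
203.0.113.10:80 198.51.100.7:51003
203.0.113.10:80 192.0.2.44:40001
203.0.113.10:22 192.0.2.44:40002
203.0.113.10:22 192.0.2.44:40003
203.0.113.10:443 198.51.100.7:51004'

# fguard_offenders: read "local remote" pairs on stdin and print
# "ip port count trigger" for every (ip, port) at or over its trigger.
# Ports with no trigger configured (443 above) are ignored.
fguard_offenders() {
    awk -v ptrig="$PTRIG" '
    BEGIN {
        n = split(ptrig, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, ":")
            trig[kv[1]] = kv[2]
        }
    }
    {
        np = split($1, l, ":"); port = l[np]   # local port is the last field
        split($2, r, ":");      ip = r[1]      # IPv4 remote address
        if (port in trig) cnt[ip ":" port]++
    }
    END {
        for (k in cnt) {
            split(k, kp, ":")
            if (cnt[k] >= trig[kp[2]])
                printf "%s %s %d %d\n", kp[1], kp[2], cnt[k], trig[kp[2]]
        }
    }' | sort
}

echo "$SAMPLE_CONNS" | fguard_offenders
```

Counting per (ip, port) rather than per ip is the point of the PORT:TRIGGER form: a busy web client with many connections to port 80 should not be judged by the much lower threshold you would set for SSH.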


  7. Faizan:

    Hello, I did not see the antidos feature in APF and also did not find the ad directory in apf. I have installed the latest version.

    Hello, the changelog says that the antidos feature is replaced by the RAB feature.
