Full Version: Official APF thread - updates/issues/comments
The Planet Forums > Security > General Security
rfxn
Home page:
http://www.r-fx.org/apf.php

Available at:
http://www.r-fx.org/downloads/apf-current.tar.gz

Documents:
http://www.r-fx.org/appdocs/README.apf
http://www.r-fx.org/appdocs/README.antidos
http://www.r-fx.org/appdocs/CHANGELOG.apf

APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz and RPM formats, APF is ideal for deployment in many Linux-based server environments.

With built-in support for DShield.org's "block" list of top networks that have exhibited suspicious activity; port of snort signatures to iptables-based string match rules; anti-dos subsystem capable of banning attacking hosts based on kernel-logged iptables chains and snort portscan.log, dropping the destination interface of the attack, route table drop and abuse report to the remote network admin via IP whois info; ICMP & FTP protocol rate limiting to ease common web server issues of mass connection attempts/DoS issues.

APF is a sure prospect as one of the best Linux-based firewall systems for internet-deployed web hosts. APF is not ideal for intranet or home networks; it has no NAT support whatsoever. It is geared for single-host based firewalling, for hosts which don't have resources for hardware firewalling or large router-based prerouting.

.: Summary of features:
- detailed and well commented configuration file
- granular inbound and outbound network filtering
- user id based outbound network filtering
- application based network filtering
- trust based rule files with an optional advanced syntax
- global trust system where rules can be downloaded from a central management server
- reactive address blocking (RAB), next generation in-line intrusion prevention
- debug mode provided for testing new features and configuration setups
- fast load feature that allows for 1000+ rules to load in under 1 second
- inbound and outbound network interfaces can be independently configured
- global tcp/udp port & icmp type filtering with multiple methods of executing filters (drop, reject, prohibit)
- configurable policies for each ip on the system with convenience variables to import settings
- packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp
- prerouting and postrouting rules for optimal network performance
- dshield.org block list support to ban networks exhibiting suspicious activity
- spamhaus Don't Route Or Peer List support to ban known "hijacked zombie" IP blocks
- antidos subsystem to stop attacks before they become a significant threat
- any number of additional interfaces may be configured as firewalled (untrusted) or trusted (not firewalled)
- additional firewalled interfaces can have their own unique firewall policies applied
- intelligent route verification to prevent embarrassing configuration errors
- advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards
- filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more
- configurable type of service options to dictate the priority of different types of network traffic
- intelligent default settings to meet every day server setups
- dynamic configuration of your server's local DNS resolvers into the firewall
- optional filtering of common p2p applications
- optional filtering of private & reserved IP address space
- optional implicit blocks of the ident service
- configurable connection tracking settings to scale the firewall to the size of your network
- configurable kernel hooks (ties) to harden the system further to syn-flood attacks & routing abuses
- advanced network control such as explicit congestion notification and overflow control
- special chains that are aware of the state of FTP DATA and SSH connections to prevent client side issues
- control over the rate of logged events, want only 30 filter events a minute? 300 a minute? - you are the boss
- logging subsystem that allows for logging data to user space programs or standard syslog files
- logging that details every rule added and a comprehensive set of error checks to prevent config errors
- if you are familiar with netfilter you can create your own rules in any of the policy files
- pluggable and ready advanced use of QoS algorithms provided by the Linux
- 3rd party add-on projects that complement APF features
rfxn
Home page:
http://www.r-fx.org/apf.php

Available at:
http://www.r-fx.org/downloads/apf-current.tar.gz

Documents:
http://www.r-fx.org/apf/README
http://www.r-fx.org/apf/README.antidos
http://www.r-fx.org/apf/CHANGELOG

0.8-1:
[Fix] fixed issues with vnetgen and the adapter variable
[Change] changed cron.hourly job to use the init script
[Change] reimplemented antidos system with snort portscan.log support
[Fix] fixed argument order for ad() function
[Change] readme file changes
[Fix] changed column location for src/dst address in kernel log [antidos]
[Fix] permissions tightened on all files per default install
[New] added rate limiting per/second on ICMP/FTP protocols, configurable via conf.apf
[New] added iptables based rules for snort signatures; using string match rules
[Fix] removed errored private network ban in main firewall script; was banning valid networks

0.8:
[New] first public release of APF, formerly known as FWMGR
NeoVerve
does this upgrade from the rpm version easily?
and is there going to be an rpm release?
rfxn
Gpan will release an RPM, you can count on that. When, I am not sure, but as we all know he is speedy.
NeoVerve
cool

[Fix] fixed issues with vnetgen and the adapter variable

does this fix mean that if a secondary ip contains the primary it will still work

what i mean is,
i have an ip
x.x.x.9 as the primary
i also have the ip's
x.x.x.90 - x.x.x.96

this caused problems before, i had to change the code in the vnetgen script (the "| grep -v $mad" part took them out)
rfxn
apf 0.8.1 uses "..| grep -vw $MAD..", added the -w and it should fix it.
NeoVerve
great,

my workaround was kinda cheesy
rfxn
Home page:
http://www.r-fx.org/apf.php

Available at:
http://www.r-fx.org/downloads/apf-current.tar.gz

Documents:
http://www.r-fx.org/apf/README
http://www.r-fx.org/apf/README.antidos
http://www.r-fx.org/apf/CHANGELOG

0.8.2:
[Change] revised vnet system
[Change] made TCP_CPORTS/UDP_CPORTS into for loop; 15+ ports support
[Change] revised conf.apf
[Change] various tweaks to snort string match signatures
[Change] various tweaks to iptsnort structure
[Change] readme file changes
[Change] revised install.sh
rfxn
0.8.2 will be much more stable and reliable. The new vnet system should prove more functional than the old and by far much faster in terms of firewall startup.

Gpan as i understand will be releasing an RPM for 0.8.2 shortly; from what he tells me.
PsYch0
I installed this firewall and now I can't check my email via pop or webmail, how do i configure it to let me check my mail?
rfxn
Did you read the README file ?
/etc/apf/doc/README
or gpans older rpm
/etc/apf/README
PsYch0
I don't have a readme file in my /etc/apf/ directory
zorafex
I currently use PMfirewall and I have it setup to block SSH for everyone, but my IP address. How can I add this to your firewall? Also, in the allow hosts file, does it support DNS lookup? Like I can put in a hostname?
zorafex
...also does APF reload automatically every hour? Mine appears to be doing just that, from the looks of the apf log file.
NeoVerve
yes, its in /etc/cron.hourly

I think it does this so that it will always have fresh info from dshield.org
zorafex
QUOTE
Originally posted by NeoVerve
yes, its in /etc/cron.hourly

I think it does this so that it will always have fresh info from dshield.org



ahh true true... I should have thought about that.

Well, I have another question.. I have pmfirewall installed and running. I can't shut down the pmfirewall process because I don't know the process id (I can't ps -aux, so don't ask, long story).

Can I just clear the ipchains rules, then start APF? Will APF then be working?
rfxn
APF restarts hourly for 3 reasons:
1) to update any changes from the dshield.org list
2) to update the vnet system with any new IP addresses bound on the system
3) to update any rules written by APF modules (such as the antidos subsystem)

Zorafex: you can shutdown ipchains by using the init script for it located at:
/etc/init.d/ipchains
e.g: /etc/init.d/ipchains stop

As for restricting SSH to only your IP; this is easily done. I am assuming that you're running APF 0.8.2.

- Open /etc/apf/conf.apf
remove port 22 from the TCP_CPORTS option.
- Open /etc/apf/tcp.rules
remove port 22 (SSH) line from this file
- Open /etc/apf/vnet/vnetgen.def
remove the same reference line to port 22 (SSH)
rm -f /etc/apf/vnet/*.rules
- Then add to /etc/apf/tcp.rules
$IPT -A INPUT -p tcp -s 1.1.1.1 -d 0/0 --dport 22 -j ACCEPT
replace 1.1.1.1 with your ip
- Restart APF
/etc/init.d/apf restart
zorafex
QUOTE
Originally posted by rfxn
APF restarts hourly for 3 reasons:
1) to update any changes from the dshield.org list
2) to update the vnet system with any new IP addresses bound on the system
3) to update any rules written by APF modules (such as the antidos subsystem)

Zorafex: you can shutdown ipchains by using the init script for it located at:
/etc/init.d/ipchains
e.g: /etc/init.d/ipchains stop

As for restricting SSH to only your IP; this is easily done. I am assuming that you're running APF 0.8.2.

- Open /etc/apf/conf.apf
remove port 22 from the TCP_CPORTS option.
- Open /etc/apf/tcp.rules
remove port 22 (SSH) line from this file
- Open /etc/apf/vnet/vnetgen.def
remove the same reference line to port 22 (SSH)
rm -f /etc/apf/vnet/*.rules
- Then add to /etc/apf/tcp.rules
$IPT -A INPUT -p tcp -s 1.1.1.1 -d 0/0 --dport 22 -j ACCEPT
replace 1.1.1.1 with your ip
- Restart APF
/etc/init.d/apf restart


Thanks for the SSH how-to.
Can I use a hostname rather than a decimal ip address? (aka, will it resolve the hostname to an ip like pmfirewall did?)
rfxn
Yes you can use a hostname - this is not PMFirewall or APF specific. Netfilter natively resolves IPs both forward and reverse (netfilter == iptables; big brother to ipchains).
zorafex
Well I shutdown ipchains then did:

[root@server apf]# /etc/init.d/apf restart
Stopping APF:/lib/modules/2.4.18-27.7.x/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters.
You may find more information in syslog or the output from dmesg
/lib/modules/2.4.18-27.7.x/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.18-27.7.x/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.18-27.7.x/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
/lib/modules/2.4.18-27.7.x/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters.
You may find more information in syslog or the output from dmesg
/lib/modules/2.4.18-27.7.x/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.18-27.7.x/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.18-27.7.x/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
/lib/modules/2.4.18-27.7.x/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters.
You may find more information in syslog or the output from dmesg
/lib/modules/2.4.18-27.7.x/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.18-27.7.x/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.18-27.7.x/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[ OK ]
Starting APF:[ OK ]

I never got this error before, when starting APF

[root@server apf]# rpm -q iptables
iptables-1.2.5-3

if i do /etc/init.d/apf start
no errors, it says starts fine.


Also, even though it says that it has started.. i can still ping my server (yes, i have edited icmp.rules to drop echo and all icmp traffic)
zorafex
I noticed the code you gave me to use differs from the other:

$IPT -A INPUT -p tcp -s 216.77.253.67 -d 0/0 --dport 22 -j ACCEPT

similar one:
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 25 -j ACCEPT

should i make it:

$IPT --A INPUT -p tcp -s 216.77.253.67 -d 0/0 --dport 22 -j ACCEPT

instead?
rfxn
/etc/init.d/ipchains stop
/etc/init.d/iptables start

should fix the mass errors from APF

The code i gave you will work fine.
zorafex
QUOTE
Originally posted by rfxn
/etc/init.d/ipchains stop
/etc/init.d/iptables start

should fix the mass errors from APF

The code i gave you will work fine.


I still get the errors when I try to restart APF. Also, I can still ping my server... If I turn pmfirewall back on, I can't ping the server.
rfxn
/etc/init.d/ipchains stop
rmmod ipchains
/etc/init.d/iptables start

Check to make sure ipchains is not loaded:
lsmod | grep ipchains
zorafex
Hey! It worked! Thanks

One more question. What flag would I add to that SSH code you gave me, so it logs all ACCEPTED and DENIED connections?

Thanks again!
rfxn
CODE
$IPT -N SSH_LOG

$IPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport 22 -m state --state NEW -j SSH_LOG

$IPT -A SSH_LOG -j LOG --log-prefix "** SSH ** "


This will log all ssh connection attempts. Place the above code BEFORE your line where you open SSH.
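As an added example (not from rfxn's post and not part of APF itself), here is a small POSIX shell script that turns the "** SSH **" entries written by that chain into a per-source count, the kind of check a host admin would run over /var/log/messages after enabling it. Because the log chain sits before the ACCEPT rule and matches only NEW connections, each entry is one connection attempt, logged whether the later rule or the default policy ends up accepting it or not. The log lines below are constructed to follow the kernel's netfilter LOG field layout (SRC=, DST=, DPT= ...); the "** TELNET **" prefix and the threshold value are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not APF code: summarise "** SSH **" LOG entries per source address.

# Constructed sample syslog lines in netfilter LOG format (not real captured data).
sample_log() {
    cat <<'EOF'
Apr 12 03:15:01 host kernel: ** SSH ** IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Apr 12 03:15:02 host kernel: ** SSH ** IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Apr 12 03:15:03 host kernel: ** SSH ** IN=eth0 OUT= SRC=192.0.2.44 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Apr 12 03:15:04 host kernel: ** SSH ** IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN
Apr 12 03:15:05 host kernel: ** TELNET ** IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33001 DPT=23 SYN
Apr 12 03:15:06 host kernel: ** SSH ** IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33002 DPT=22 SYN
EOF
}

# ssh_attempts_by_src: stdin = syslog lines, stdout = "<count> <src>", highest count first.
# Only lines carrying the "** SSH **" prefix set by the log chain are counted.
ssh_attempts_by_src() {
    grep -F '** SSH **' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# ssh_sources_over N: stdin = syslog lines, stdout = sources with more than N attempts.
# N is an assumed threshold; pick it from your own baseline of legitimate logins.
ssh_sources_over() {
    ssh_attempts_by_src | awk -v n="$1" '$1 + 0 > n + 0 { print $2 }'
}

# Stand-alone demo on the constructed sample.
sample_log | ssh_attempts_by_src
```

Against a real log, replace `sample_log` with `cat /var/log/messages` (or wherever the kernel facility is routed); the functions read only from stdin.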
zorafex
Awesome! Thanks for your help. I'll be donating some money for the program.
rfxn
Home page:
http://www.r-fx.net/apf.php

Available at:
http://www.r-fx.net/downloads/apf-current.tar.gz

Documents:
http://www.r-fx.net/apf/README
http://www.r-fx.net/apf/README.antidos
http://www.r-fx.net/apf/CHANGELOG

- 0.8.3:
[New] added prelog.rules file; for addition of log chains
[Fix] fixed preroute.rules and invalid APF log pointer
[Change] disabled ICMP type 8, inbound; by default
[Change] set all ports closed by default; 22 (SSH) left open (globally) in conf.apf
[New] added ipchains check/removal code
[Change] rewrote iptables module insertion code
[Fix] fixed CPORTS option relating to FTP_LIM value
[Change] made install.sh backup old APF install to /etc/apf.bk$$
[Change] comments modified/changed in various files
[Change] moved icmp.rules insertion after vnet rules insertion
[Fix] fixed typo in global ports code that caused undesired results
[Change] revised conf.apf; more comments and better organized
[New] created DEVM setting to put APF into devel testing mode
[Change] revised README, and install.sh to meet needs of DEVM feature
[Fix] fixed cleanup issue with ds_hosts.rules file
rfxn
One new feature to speak of is the Devel mode. APF comes by default in dev. mode, meaning the firewall rules will be flushed every 5 minutes. This is intended to prevent you from being locked out of your system in the event of undesired effects from APF.

Set the DEVM="1" option to zero (0) once APF is operating as desired. Do NOT leave this option enabled on a permanent basis, or you defeat the purpose of using a firewall.

The above is also documented in the readme file and at the top of conf.apf.

Another important note is that now SSH (22) is the only default port opened globally, compared to ports 21,22,25,80,443,110 that were open by default in previous releases. So these ports must all now be added to the global ports option in conf.apf.

I have made the SSH log chain inspired by zorafex, default in APF now. All new inbound connections to SSH and Telnet will be logged by default now.

APF will now also check for the existence of ipchains module; if present remove it and load iptables. It will also verify iptables is loaded, if not APF will abort and exit. As well the many optional iptable modules loaded during startup of APF now pass through a function to check for their existence, removing some errors people noted from the kernel log such as "module not present".

From here on, releases will be somewhat more spread out; obviously I don't expect people to keep updating APF every 2 days with a new release.
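The ipchains check and the module-existence check described in the post above, written out as an added example in POSIX shell (this is not APF's own startup code, which the thread does not show). It takes the lsmod listing and the module directory as arguments so it can be exercised on constructed input; the module names are the two the thread mentions, ip_tables.o and ipt_limit.o, and the decision that ip_tables is required while ipt_limit is only optional is my assumption.

```shell
#!/bin/sh
# Added example, not APF's own code: preflight check before starting an iptables
# firewall on a 2.4-era kernel. ipchains and iptables cannot be loaded together,
# so refuse to start while ipchains is present, and confirm the modules exist.

# module_loaded NAME LSMOD_TEXT -> 0 if NAME appears as a loaded module in the
# lsmod-style listing passed as the second argument (first column = module name).
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { if (found) exit 0; exit 1 }'
}

# module_file_present MODDIR NAME -> 0 if MODDIR/NAME.o (2.4 kernels) or NAME.ko exists
module_file_present() {
    [ -f "$1/$2.o" ] || [ -f "$1/$2.ko" ]
}

# preflight LSMOD_TEXT MODDIR -> 0 if iptables can be started, 1 if it must not be.
# ip_tables is treated as required; ipt_limit (used by the FTP/ICMP rate limits)
# only produces a warning when missing. Both classifications are assumptions.
preflight() {
    lsmod_text=$1
    moddir=$2
    if module_loaded ipchains "$lsmod_text"; then
        echo "ipchains is loaded; run /etc/init.d/ipchains stop and rmmod ipchains first" >&2
        return 1
    fi
    if ! module_file_present "$moddir" ip_tables; then
        echo "ip_tables module missing from $moddir; cannot start firewall" >&2
        return 1
    fi
    for m in ipt_limit; do
        module_file_present "$moddir" "$m" \
            || echo "optional module $m missing; rules that need it will fail to load" >&2
    done
    return 0
}

# Stand-alone demo with constructed lsmod output and a temporary module directory.
# On a live box you would pass "$(lsmod)" and /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter.
demo_lsmod='Module                  Size  Used by
ipchains               48384   0
eepro100               20800   1'
demo_dir=$(mktemp -d)
touch "$demo_dir/ip_tables.o"
preflight "$demo_lsmod" "$demo_dir" || echo "preflight failed (expected here: ipchains is loaded)"
rm -rf "$demo_dir"
```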
RS-Charles
so far so good
barryj
I just downloaded and installed the current apf version installed it with the following port configuration:
TCP_CPORTS="20,21,22,25,53,80,110,143,443,465"
TCP_CPORTS=2"993,995,2080,2081,2082,2083,2084,2085,2086,2087"
TCP_CPORTS=3"2088,2089,2090,2091,2092,2093,2094,2095,2096,2097"
TCP_CPORTS=4"2098,2099,3306"

And when I did a start apf the application closed the server down and neither I or the RS Support can reboot the server. Any ideas?
Erwin
Your port configuration looks wrong.

TCP_CPORTS=2"993,...

Plus I thought you were only allowed 2 lines, with a max of 15 each line to a max of 30. (But that's in previous versions, not sure about this one).
barryj
Thanks for that, I grabbed the configuration from a post on the forum and maybe it does conflict with this version. If I ever get the server back I'll look at the configuration again.
rfxn
Let me reiterate...

the CPORTS options are no longer divided into multiple lines, it is all now one single line such as:
TCP_CPORTS="21,22,25,53"
UDP_CPORTS="53"

The CPORTS entries now support unlimited values; no longer restricted to 15 ports.

barryj, did you read the README file ?
and did you have DEVM="1" (on) or ="0" (off) in conf.apf ?

Anything listed in other threads, chances are, DOES not apply to the current release of APF. Gpan's RPM was based on version 0.8 of APF, which was a rather problematic release. Unless you see it in this thread do not copy configuration settings from other threads.
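A pre-restart check for the CPORTS lines, added here as an example and not part of APF or of rfxn's post. It rejects the multi-line TCP_CPORTS=2"..." form that locked barryj out, requires a single double-quoted comma-separated list, range-checks each port, and can confirm that the SSH port is still listed before the firewall is restarted. The sample conf files in the demo are constructed from the port lists quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of APF: sanity-check the *_CPORTS lines in conf.apf before
# restarting the firewall. Catches continuation lines like TCP_CPORTS=2"..." (which
# the shell treats as a separate, meaningless assignment), malformed lists, bad ports.

# check_cports VAR FILE -> 0 if FILE has exactly one VAR="n,n,..." line with valid ports
check_cports() {
    var=$1
    file=$2
    # Count every line that starts with the variable name, including broken
    # continuation forms such as TCP_CPORTS=2"993,..." that also start with VAR=.
    n=$(grep -c "^${var}=" "$file" || true)
    if [ "$n" -ne 1 ]; then
        echo "$var: expected one assignment line, found $n (continuation lines are not supported)" >&2
        return 1
    fi
    # The whole value must be one double-quoted list of digits and commas, no spaces.
    if ! grep -q "^${var}=\"[0-9,]*\"[[:space:]]*$" "$file"; then
        echo "$var: value must be a single double-quoted, comma-separated list" >&2
        return 1
    fi
    ports=$(sed -n "s/^${var}=\"\([0-9,]*\)\".*/\1/p" "$file")
    old_ifs=$IFS
    IFS=,
    for p in $ports; do
        if [ -z "$p" ]; then
            IFS=$old_ifs
            echo "$var: empty entry in port list (double comma)" >&2
            return 1
        fi
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS=$old_ifs
            echo "$var: port $p out of range" >&2
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# cports_has VAR FILE PORT -> 0 if PORT appears in VAR's list (e.g. your SSH port)
cports_has() {
    ports=$(sed -n "s/^$1=\"\([0-9,]*\)\".*/\1/p" "$2")
    printf '%s\n' "$ports" | tr ',' '\n' | grep -qx "$3"
}

# Stand-alone demo: the broken multi-line form from the thread next to the corrected one.
# Both files are constructed here; the port lists are the ones quoted in the thread.
d=$(mktemp -d)
printf '%s\n' 'TCP_CPORTS="20,21,22,25,53,80,110,143,443,465"' \
    'TCP_CPORTS=2"993,995,2080,2081,2082,2083,2084,2085,2086,2087"' \
    'UDP_CPORTS="53"' > "$d/bad.conf"
printf '%s\n' 'TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2080,2081,2082,2083,2084,2085,2086,2087"' \
    'UDP_CPORTS="53"' > "$d/good.conf"
check_cports TCP_CPORTS "$d/bad.conf" || echo "bad.conf rejected (expected)"
check_cports TCP_CPORTS "$d/good.conf" && cports_has TCP_CPORTS "$d/good.conf" 22 \
    && echo "good.conf ok, SSH port 22 present"
rm -rf "$d"
```

Run it as `check_cports TCP_CPORTS /etc/apf/conf.apf && check_cports UDP_CPORTS /etc/apf/conf.apf && cports_has TCP_CPORTS /etc/apf/conf.apf 22` before `/etc/init.d/apf restart`; a non-zero exit is the cue to fix the file rather than restart and hope DEVM saves you.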
barryj
Thanks for the post. I read the README but obviously not carefully enough!!! I left DEVM="1" as I thought that was what I needed to do until I was happy with the settings.
I'm still waiting for RS to reboot the server (8 1/2 hours by my watch), so I'm dead in the water at the moment, I can't do anything.

rfxn
I am very sorry for your mishap; however, APF runs through the dev mode check before loading any rules whatsoever... so in theory after 5 minutes you should be able to log back into your system without a problem. But as with anything there is always a factor for the unexpected and clearly something like that happened.

Do you remember if you enabled the dshield option ?
rfxn
Gpan has released an RPM version of APF 0.8.3. Much thanks goes out to gpan for the many RPMs he has produced as well as his feedback in making APF what it is today.

http://download.cheetaweb.com/apf-0.8.3-1.i386.rpm
barryj
I did enable dshield as far as I remember. The RS guys are trying to start the server again now, so what would be the best thing to do when I'm up and running, remove the current install and do the RPM or just leave it with a better configured apf.conf?
rfxn
Do not enable dshield... it may be your problem; some people have noted being locked out like the way you are when enabling it.

If RS gets the box rebooted ask them to run:
/etc/init.d/iptables stop

Then once you get access, remove the whole:
/etc/apf
directory, just rm -rf it

Then sure try the RPM or the tar.gz... either or. And configure it this time with no special features (e.g: dshield).
barryj
Thanks, I'm back in, so will do the stop on the iptables and also rf the file and see how it goes.
Erwin
Thanks, the latest rpm is working great, with dshield on.
Erwin
Since updating to this version, my FTP has ceased to work.

This is the case with DSHIELD on or off. Everything else works great.

Have I forgotten something? Putting my IP in the allow_hosts.rules would make FTP work. Stopping apf will make FTP work. Starting apf will make it stop working. So it must be a port I'm forgetting. Please advise.
rfxn
try increase
FTP_LIM="6"
in conf.apf.

also check
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_limit.o

see if that exists.
Erwin
Thanks, I added:

FTP_LIM="6"

to conf.apf and it fixed the problem. For some reason, upgrading from the rpm version did not update my conf.apf with new settings, as this variable was never in it in the first place.
rfxn
O really?
Thanks for that insight... The old conf file is not really compatible with the new APF release. You should maybe do a fresh install.

*shrugs*
almogeh
If I want to "upgrade" my current rpm version (0.8) to the latest one, what should I do? Simply install the new RPM, or remove apf (with rpm -e apf?) and install the new one?

Thanks
Erwin
I'll take a look. In the meantime, the firewall is blocking the correct ports, and it works, so if it ain't broke, I'm not going to do a fresh install yet.
rfxn
almogeh; I'd recommend a fresh install but hey, be my guest to try a -Uhv
rpm
Well I just installed the rpm. After configuring with the known cpanel ports: I used this.

# Common TCP Ports
TCP_CPORTS="20,21,22,25,53,80,110,143,443,465"
TCP_CPORTS=2"993,995,2080,2081,2082,2083,2084,2085,2086,2087"
TCP_CPORTS=3"2088,2089,2090,2091,2092,2093,2094,2095,2096,2097"
TCP_CPORTS=4"2098,2099,3306"

I am screwed??????? help!!!!!!!!!! locked out after a few minutes.
Erwin
QUOTE
Originally posted by rpm
Well I just installed the rpm. After configuring with the known cpanel ports: I used this.

# Common TCP Ports
TCP_CPORTS="20,21,22,25,53,80,110,143,443,465"
TCP_CPORTS=2"993,995,2080,2081,2082,2083,2084,2085,2086,2087"
TCP_CPORTS=3"2088,2089,2090,2091,2092,2093,2094,2095,2096,2097"
TCP_CPORTS=4"2098,2099,3306"

I am screwed??????? help!!!!!!!!!! locked out after a few minutes.


Did you read the README or the post rfxn posted a couple of posts above? Put everything on 1 line only. And you can put more than 30 on 1 line now.

TCP_CPORTS="21,22,25,53"
UDP_CPORTS="53"