Starting to install the apf firewall...
set it up.
CODE
# APF 0.9.3 [apf@r-fx.org]
#
# NOTE: This file should be edited with word/line wrapping off;
# if you're using pico, please start it with the -w switch.
# (e.g.: pico -w filename)
#
##
# [Dev. Mode]
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to flush the firewall; set
# this mode off (0) when firewall determined to be operating as desired.
##
# Set firewall dev cronjob
# 1 = enabled / 0 = disabled
DEVM="1"
##
# [Main]
# Main configuration options, often no changes needed.
##
# Path of firewall installation
FWPATH="/etc/apf"
# Network interface
IF="eth0"
# Support Monolithic kernel builds [no LKM's]. This mode of operation is
# not really supported and you use at your own risk.
MONOKERN="1"
##
# [Filtering]
##
# These are general filtering options for APF
##
# How to handle TCP packet filtering?
#
# RESET (sends a tcp-reset; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
TCP_STOP="DROP"
# How to handle UDP packet filtering?
#
# RESET (sends an icmp-port-unreachable; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
# PROHIBIT (send an icmp-host-prohibited)
UDP_STOP="DROP"
# How to handle all other packet filtering? (icmp,arp,igmp)
#
# DROP (drop the packet)
# REJECT (reject the packet)
DSTOP="DROP"
# Set a reasonable packet/time ratio for ICMP packets; exceeding
# such packet flow ratio will result in dropped packets.
# pkt/s (packets/seconds), pkt/m (packets/minutes)
ICMP_LIM="60/m"
# You need multicasting if you intend to participate in the MBONE, a
# high bandwidth network on top of the Internet which carries audio
# and video broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/,
# this is generally safe to enable. [0 = Disabled / 1 = Enabled]
BLK_MCATNET="0"
# Block all private ipv4 addresses; this is address space reserved
# for private networks; or otherwise unroutable on the internet.
# If this host resides behind a firewall with NAT or routing scheme
# that otherwise uses private addressing; leave this option off.
BLK_PRVNET="0"
# Block all ipv4 address space marked reserved for future use or
# unassigned; such networks have no business communicating with us.
# However they may at some point become live address space. Refer to
# the 'internals/reserved.networks' file for listing of address space.
# [0 = Disabled / 1 = Enabled]
BLK_RESNET="0"
# DShield.org's "block" list of top networks that have exhibited
# suspicious activity. [0 = Disabled / 1 = Enabled]
USE_DS="1"
# Import our ad.rules ban list generated by antidos;
# this is essentially a quick enable/disable feature for
# the insertion of such bans. [0 = Disabled / 1 = Enabled]
USE_AD="1"
# Common drop ports; these are implicit ports you do not want logged
# with the default drop chains. Format is comma separated and underscore
# separator for ranges (135_139). Ports are dropped and ignored for both
# TCP & UDP as well as inbound and outbound.
CDPORTS="135_139,111,161,199,513,445,1434,1234,1524"
##
# [Ingress]
# Configure ingress (inbound) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory.
#
# Example:
# IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
# IG_UDP_CPORTS="20,21,53,123"
# IG_ICMP_TYPES="3,5,11,0,30,8"
##
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,80,110,143,443,993,3306,10000,9999"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS=""
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
##
# [Egress]
# Configure egress (outbound) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory.
#
# Egress filtering is not required but makes your firewall setup complete
# by providing full inbound and outbound packet filtering. You can toggle
# egress filtering on or off with the EGF variable.
#
# Example:
# EG_TCP_CPORTS="21,25,80,443,43"
# EG_UDP_CPORTS="20,21,53"
# EG_ICMP_TYPES="all"
##
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="0"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="20,21,22,25,80,110,143,443,993,43"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
# Common ICMP (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
##
# [Logs]
# Log paths and control settings.
##
# Status log path
IPTLOG="/var/log/apf_log"
# Log TCP/UDP DROP chains [required for antidos]. Data logged to kernel log
# [often default is /var/log/messages]
DROP_LOG="1"
# Max firewall events to log per/minute. Log events exceeding these limits
# will be lost!
LRATE="60"
##
# [Import misc. vars]
##
#
# Internal vars file
CNFINT="$FWPATH/internals/internals.conf"
# Import internal vars file
. $CNFINT
But when I start it with ./apf -s it says this:
I don't know where to start looking; I'm not using ipv6 anywhere.
CODE
/etc/apf/vnet/vnetgen: ip: command not found
iptables v1.2.6a: unknown protocol `ipv6-crypt' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables v1.2.6a: unknown protocol `ipv6-crypt' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
Anybody have a solution?
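A pre-flight check for a conf.apf like the one posted above, added here as an example (it is not APF's own code): it reads the variables without sourcing the file, flags DEVM=1 and MONOKERN=1, validates APF's comma/underscore port-list syntax, and checks that the `ip` and `iptables` tools the start-up scripts call are present. The sample conf it writes is constructed to mirror the posted settings, with one deliberately malformed port list.

```shell
#!/bin/sh
# Pre-flight checks for an APF 0.9.x conf.apf. Added example, not APF's
# own code; variable names and syntax are those shown in the posted file.

# conf_get VAR FILE: first VAR="..." value, without sourcing the file
conf_get() {
    sed -n "s/^$1=\"\\(.*\\)\"\$/\\1/p" "$2" | head -n 1
}

# port_list_ok LIST: APF syntax is comma-separated ports, '_' for ranges
port_list_ok() {
    [ -z "$1" ] && return 0                     # empty list is valid
    case "$1" in
        *[!0-9_,]*|*,,*|*__*|,*|*,|_*|*_) return 1 ;;
    esac
    return 0
}

# apf_conf_findings FILE: one finding per line; return value = count
apf_conf_findings() {
    f="$1"; n=0
    if [ "$(conf_get DEVM "$f")" = "1" ]; then
        echo "DEVM=1: dev-mode cron flushes the firewall every 5 min; set to 0 once rules are verified"
        n=$((n + 1))
    fi
    if [ "$(conf_get MONOKERN "$f")" = "1" ]; then
        echo "MONOKERN=1: monolithic-kernel mode is unsupported; use 0 on a modular kernel"
        n=$((n + 1))
    fi
    for v in CDPORTS IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        port_list_ok "$(conf_get "$v" "$f")" || { echo "$v: malformed port list"; n=$((n + 1)); }
    done
    return $n
}

# apf_host_checks: tools APF's start-up scripts call (host-dependent)
apf_host_checks() {
    command -v ip >/dev/null 2>&1 || echo "ip: not found; vnet/vnetgen needs the iproute 'ip' tool"
    command -v iptables >/dev/null 2>&1 || echo "iptables: not found"
}

# Constructed sample mirroring the post's settings plus one bad port list
SAMPLE_CONF=$(mktemp); trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
DEVM="1"
MONOKERN="1"
IG_TCP_CPORTS="21,22,25,80,110,143,443,993,3306,10000,9999"
EG_UDP_CPORTS="20,21,53,"
EOF
apf_conf_findings "$SAMPLE_CONF" || echo "$? finding(s) above"; apf_host_checks
```

Point it at the real file with `apf_conf_findings /etc/apf/conf.apf`. The host checks are only a first step: iptables prints "No chain/target/match by that name" when a match or target extension is unavailable to the running kernel, which the conf alone cannot tell you.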