advanced-policy-firewall's Issues

How to add a NAT rule

Hello,

Sorry for my English, I'm French.
How do I add a rule like this one in APF => iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

I don't know if it's possible... thanks for the answer.

apf doesn't log the year of when an event occurred

This could help in scripting things.
I have a script that uses at. If at receives a date without a year, and that date is before now, at will exhibit enough sense to run the job next year at the specified month, day, hour, etc. This is a stroke of luck. For a program that doesn't make guesses like at, I would need to program a way to find out what year the event was logged. It's a trivial task, but it adds a little tedium.

Is there a chance apf could also log the year of when the event has taken place?

expirebans function inadvertently clearing mutex lock file

The expirebans shell function is calling apf recursively whenever a block is removed:

/etc/apf/apf -u "$ip" >> /dev/null 2>&1

This recursive call ends up hitting this line in its execution path:

rm -f $LOCK_FILE

This removes the lock file even though the parent process is still executing. It is problematic: if the random delay for anacron's daily apf reload ends up syncing with the 10-minute apf refresh cron, expirebans will clear the lock file in one process, resulting in both crons running simultaneously.

This causes odd connectivity issues which can render the server inaccessible/offline.
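As an added illustration (not APF's own code), a PID-owned lock in plain sh: a release path that checks ownership lets a nested child run exit without clearing the parent's lock, where an unconditional rm -f of the lock file does. The LOCK_FILE path and the PIDs 100/200/300 are constructed for the demo.

```shell
# Added example, not APF's own code: compare an unconditional lock release
# (the `rm -f $LOCK_FILE` path described above) with a release that checks
# which PID owns the lock. LOCK_FILE is a constructed demo path.
LOCK_FILE="${LOCK_FILE:-/tmp/apf-lock-demo.$$}"

# lock_acquire PID: take the lock for PID, or fail (1) if it is already held.
lock_acquire() {
    [ -f "$LOCK_FILE" ] && return 1
    echo "$1" > "$LOCK_FILE"
}

# lock_release_unconditional: what the original code path does on exit.
lock_release_unconditional() {
    rm -f "$LOCK_FILE"
}

# lock_release PID: remove the lock only if PID is the recorded owner, so a
# nested child run leaves the parent's lock alone (returns 1 in that case).
lock_release() {
    [ -f "$LOCK_FILE" ] || return 0
    [ "$(cat "$LOCK_FILE")" = "$1" ] || return 1
    rm -f "$LOCK_FILE"
}

# scenario MODE: parent PID 100 holds the lock while a nested child (PID 200)
# runs and releases on exit using MODE ("owned" or "unconditional"); a third
# process (PID 300, standing in for the 10-minute refresh cron) then tries
# to start. Returns 0 if the parent's lock kept PID 300 out, 1 if it got in.
scenario() {
    rm -f "$LOCK_FILE"
    lock_acquire 100 || return 2
    if [ "$1" = "owned" ]; then
        lock_release 200 || true      # refused: 200 is not the owner
    else
        lock_release_unconditional    # clobbers the parent's lock
    fi
    if lock_acquire 300; then
        rm -f "$LOCK_FILE"            # clean up the demo file
        return 1
    fi
    lock_release 100                  # parent exits normally
}

scenario owned && echo "owned release: second apf run correctly refused"
scenario unconditional || echo "unconditional rm -f: two apf runs overlap"
```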

eth0 hard coded in internals.conf

Line 38 in internals.conf has "eth0" hard coded instead of what should probably be $IFACE_UNTRUSTED like the line above it.

NET=`$ip addr list eth0 | tr '/' ' ' |  grep -w inet | head -n1 | awk '{print$2}'`

This prevents apf from starting on systems that do not have eth0 (e.g. ones using em1, em2, etc.).

nftables?

Is there a new version for nftables?

thank you

Slower world-wide pings with APF enabled

When APF is enabled, http://www.host-tracker.com gives lots of Bad and Warn pings. As soon as I disable APF it starts giving Good pings for my websites. I understand that this is probably about APF preventing too frequent ping requests; nevertheless I hope it is possible to make APF distinguish simple pings from malicious requests, as otherwise it gives a really bad performance impression when users check their websites through http://www.host-tracker.com.

conf.apf documentation problem for IFACE_TRUSTED

The conf.apf says:

Trusted Network interface(s); all traffic on defined interface(s) will by-pass
ALL firewall rules, format is white space or comma separated list.

IFACE_TRUSTED=""

It appears that comma separated is not actually supported however. There's no error, but it just doesn't work.

files/firewall does:

if [ ! "$IFACE_TRUSTED" == "" ]; then
  for i in `echo $IFACE_TRUSTED`; do

which doesn't take comma-separated lists into account, and I don't see any place else that tries to.

NFTables Integration?

I have managed to convert my apf-firewall iptables rules to nftables and am sorting through it at the moment. I am making changes to the drop rules, putting them in the mangle prerouting chain, then goto mangle log and dropping.

Would also like to see integration with ipsets.

ipv6 not working

I'm trying to enable the ipv6 firewall, but it shows a warning/error:

root@Debian-102-buster-64-minimal ~ # apf -r
# Warning: iptables-legacy tables present, use iptables-legacy to see them
apf(32178): {glob} flushing & zeroing chain policies
apf(32178): {glob} firewall offline
apf(32271): {glob} activating firewall
# Warning: iptables-legacy tables present, use iptables-legacy to see them
apf(32373): {glob} determined (IFACE_UNTRUSTED) enp35s0 has address 116.202.155.233
apf(32373): {glob} loading preroute.rules
apf(32373): {resnet} downloading http://cdn.rfxn.com/downloads/reserved.networks
apf(32373): {resnet} parsing reserved.networks into /etc/apf/internals/reserved.networks
apf(32373): {glob} loading reserved.networks
apf(32373): {glob} loading bt.rules
apf(32373): {php} downloading http://cdn.rfxn.com/downloads/php_list
apf(32373): {php} parsing php_list into /etc/apf/php_hosts.rules
apf(32373): {php} loading php_hosts.rules
apf(32373): {dshield} downloading http://feeds.dshield.org/top10-2.txt
apf(32373): {dshield} parsing top10-2.txt into /etc/apf/ds_hosts.rules
apf(32373): {dshield} loading ds_hosts.rules
apf(32373): {sdrop} downloading http://www.spamhaus.org/drop/drop.lasso
apf(32373): {sdrop} parsing drop.lasso into /etc/apf/sdrop_hosts.rules
apf(32373): {sdrop} loading sdrop_hosts.rules
apf(32373): {glob} loading common drop ports
apf(32373): {blk_ports} deny all to/from tcp port 135:139
apf(32373): {blk_ports} deny all to/from udp port 135:139
apf(32373): {blk_ports} deny all to/from tcp port 111
apf(32373): {blk_ports} deny all to/from udp port 111
apf(32373): {blk_ports} deny all to/from tcp port 513
apf(32373): {blk_ports} deny all to/from udp port 513
apf(32373): {blk_ports} deny all to/from tcp port 520
apf(32373): {blk_ports} deny all to/from udp port 520
apf(32373): {blk_ports} deny all to/from tcp port 445
apf(32373): {blk_ports} deny all to/from udp port 445
apf(32373): {blk_ports} deny all to/from tcp port 1433
apf(32373): {blk_ports} deny all to/from udp port 1433
apf(32373): {blk_ports} deny all to/from tcp port 1434
apf(32373): {blk_ports} deny all to/from udp port 1434
apf(32373): {blk_ports} deny all to/from tcp port 1234
apf(32373): {blk_ports} deny all to/from udp port 1234
apf(32373): {blk_ports} deny all to/from tcp port 1524
apf(32373): {blk_ports} deny all to/from udp port 1524
apf(32373): {blk_ports} deny all to/from tcp port 3127
apf(32373): {blk_ports} deny all to/from udp port 3127
apf(32373): {rab} set active RAB_SANITY
apf(32373): {pkt_sanity} set active PKT_SANITY
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ALL NONE
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs SYN,FIN SYN,FIN
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs SYN,RST SYN,RST
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs FIN,RST FIN,RST
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ACK,FIN FIN
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ACK,URG URG
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ACK,PSH PSH
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN,URG,PSH
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ALL SYN,RST,ACK,FIN,URG
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ALL ALL
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs ALL NONE
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs SYN,FIN SYN,FIN
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs SYN,RST SYN,RST
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs FIN,RST FIN,RST
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs ACK,FIN FIN
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs ACK,PSH PSH
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs ACK,URG URG
apf(32373): {pkt_sanity} deny all fragmented udp
apf(32373): {pkt_sanity} deny inbound tcp port 0
apf(32373): {pkt_sanity} deny outbound tcp port 0
apf(32373): {blk_p2p} set active BLK_P2P
apf(32373): {blk_p2p} deny all to/from tcp port 1214
apf(32373): {blk_p2p} deny all to/from udp port 1214
apf(32373): {blk_p2p} deny all to/from tcp port 2323
apf(32373): {blk_p2p} deny all to/from udp port 2323
apf(32373): {blk_p2p} deny all to/from tcp port 4660:4678
apf(32373): {blk_p2p} deny all to/from udp port 4660:4678
apf(32373): {blk_p2p} deny all to/from tcp port 6257
apf(32373): {blk_p2p} deny all to/from udp port 6257
apf(32373): {blk_p2p} deny all to/from tcp port 6699
apf(32373): {blk_p2p} deny all to/from udp port 6699
apf(32373): {blk_p2p} deny all to/from tcp port 6346
apf(32373): {blk_p2p} deny all to/from udp port 6346
apf(32373): {blk_p2p} deny all to/from tcp port 6347
apf(32373): {blk_p2p} deny all to/from udp port 6347
apf(32373): {blk_p2p} deny all to/from tcp port 6881:6889
apf(32373): {blk_p2p} deny all to/from udp port 6881:6889
apf(32373): {blk_p2p} deny all to/from tcp port 6346
apf(32373): {blk_p2p} deny all to/from udp port 6346
apf(32373): {blk_p2p} deny all to/from tcp port 7778
apf(32373): {blk_p2p} deny all to/from udp port 7778
apf(32373): {glob} SET_REFRESH is set to 10 minutes
apf(32373): {glob} loading /etc/apf/allow_hosts.rules
apf(32373): {trust} allow all to/from 45.77.241.23/32
apf(32373): {trust} allow all to/from 87.121.98.240/32
apf(32373): {trust} allow all to/from 173.245.48.0/20
apf(32373): {trust} allow all to/from 103.21.244.0/22
apf(32373): {trust} allow all to/from 103.22.200.0/22
apf(32373): {trust} allow all to/from 103.31.4.0/22
apf(32373): {trust} allow all to/from 141.101.64.0/18
apf(32373): {trust} allow all to/from 108.162.192.0/18
apf(32373): {trust} allow all to/from 190.93.240.0/20
apf(32373): {trust} allow all to/from 188.114.96.0/20
apf(32373): {trust} allow all to/from 197.234.240.0/22
apf(32373): {trust} allow all to/from 198.41.128.0/17
apf(32373): {trust} allow all to/from 162.158.0.0/15
apf(32373): {trust} allow all to/from 104.16.0.0/12
apf(32373): {trust} allow all to/from 172.64.0.0/13
apf(32373): {trust} allow all to/from 131.0.72.0/22
apf(32373): {rab} set active RAB
apf(32373): {rab} set active RAB_PSCAN
apf(32373): {rab} RAB_PSCAN monitored ports 1,7,9,11,15,69,70
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
apf(32373): {glob} loading log.rules
apf(32373): {glob} virtual net subsystem disabled.
apf(32373): {glob} loading main.rules
apf(32373): {glob} opening inbound tcp port 22 on 0/0
apf(32373): {glob} opening inbound icmp type 3 on 0/0
apf(32373): {glob} opening inbound icmp type 5 on 0/0
apf(32373): {glob} opening inbound icmp type 11 on 0/0
apf(32373): {glob} opening inbound icmp type 0 on 0/0
apf(32373): {glob} opening inbound icmp type 30 on 0/0
apf(32373): {glob} opening inbound icmp type 8 on 0/0
apf(32373): {glob} resolv dns discovery for 213.133.100.100
apf(32373): {glob} resolv dns discovery for 213.133.99.99
apf(32373): {glob} resolv dns discovery for 213.133.98.98
apf(32373): {glob} resolv dns discovery for 2a01:4f8:0:1::add:9999
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
apf(32373): {glob} resolv dns discovery for 2a01:4f8:0:1::add:1010
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
apf(32373): {glob} resolv dns discovery for 2a01:4f8:0:1::add:9898
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
apf(32373): {glob} loading postroute.rules
apf(32373): {glob} default (egress) output accept
apf(32373): {glob} default (ingress) input drop
apf(32271): {glob} firewall initialized
# Warning: iptables-legacy tables present, use iptables-legacy to see them
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
apf(32271): {glob} fast load snapshot saved

How can I enable ipv6 filtering?

APF + other tools

Having read through the docs, I like the reactive aspects of this project. I currently use a combination of fail2ban, fwsnort, custom rules and ipset-blacklist for blacklist updating.

I'm wondering if this could be layered into my setup in a way that allows the reactive aspects to function, rather than ripping out what I currently use.

Start script not written correctly

Your start script for APF is missing LSB tags, which are important!

Also, there is no /etc/rc.d/init.d/functions on Debian stretch, which means that I must comment out this line if it causes problems with starting apf.

Please fix both of them, thanks.

EDIT: Referring to https://www.iplocation.net/apf-bfd-ddos-rootkit, there should be a "USE_AD" option, but it seems that this is no longer in APF. Is this true? If not, please ship the missing files in the next update, thanks.

ERROR

{glob} kernel version not compatible or netfilter support missing, aborting.
Ubuntu 16.04

Docker support?

It seems that APF doesn't support Docker, in that if you enable APF, Docker containers are no longer accessible / can't access the internet. Is there any way to resolve this?

No ipv6 support / not working?

So when I set in the conf.apf
USE_IPV6="1"

it only does the following:

$IP6T -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IP6T -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT

That's it.

Am I missing something, or shouldn't it also do a lot more? Any ports, etc. are still open and accessible.

Open & Close port via CLI

First, I want to say thank you for this amazing package. My current usage requires frequently changing specific port accessibility (drop port usage or accept incoming data).
Looking at the docs, I couldn't find any way to open a port for usage and block it (drop) after some time (ex. apf open udp 7755).
Is there any other way to change the apf config file programmatically and not manually?

Bug in sysctl.rules

Hi,
Please change the file sysctl.rules line 68
replace
if [ "$SYSCTL_TCP_NOSACK" ]; then
by
if [ "$SYSCTL_TCP_NOSACK" == "1" ]; then

Thanks

apf restart not cleaning existing iptables rules, causing the number of rules to multiply

OS: Ubuntu 22.04

When restarting apf, the previously existing iptables rules are not cleaned, causing the rules to multiply.

root@db09-2:~# iptables -S | wc -l
17
root@db09-2:~# service apf start
root@db09-2:~# iptables -S | wc -l
1331
root@db09-2:~# service apf restart
root@db09-2:~# iptables -S | wc -l
2645
root@db09-2:~# service apf restart
root@db09-2:~# iptables -S | wc -l
3959
root@db09-2:~# service apf restart
root@db09-2:~# iptables -S | wc -l
5273

Since apf is restarted each day (with cron), the rules accumulate and eventually cause the system to stop responding. I have several machines that have hundreds of thousands of rules, and iptables uses up 100% CPU.

DNS firewall logic mistake with RESV_DNS_DROP enabled?

In the firewall file, there is the following code:

# DNS
if [ -f "/etc/resolv.conf" ] && [ "$RESV_DNS" == "1" ]; then
  LDNS=`cat /etc/resolv.conf | grep -v "#" | grep -w nameserver | awk '{print$2}' | grep -v 127.0.0.1`
  if [ ! "$LDNS" == "" ]; then
    for i in `echo $LDNS`; do
      eout "{glob} resolv dns discovery for $i"
      $IPT -A INPUT -p udp -s $i --sport 53 --dport 1023:65535 -j ACCEPT
      $IPT -A INPUT -p tcp -s $i --sport 53 --dport 1023:65535 -j ACCEPT
      $IPT -A OUTPUT -p udp -d $i --dport 53 --sport 1023:65535 -j ACCEPT
      $IPT -A OUTPUT -p tcp -d $i --dport 53 --sport 1023:65535 -j ACCEPT
      if [ "$RESV_DNS_DROP" == "1" ]; then
        $IPT -A INPUT  -p tcp -s 0/0 --sport 53 --dport 1023:65535 -j $ALL_STOP
        $IPT -A INPUT  -p udp -s 0/0 --sport 53 --dport 1023:65535 -j $ALL_STOP
        $IPT -A OUTPUT -p udp -d $i --dport 53 --sport 1023:65535 -j ACCEPT
        $IPT -A OUTPUT -p tcp -d $i --dport 53 --sport 1023:65535 -j ACCEPT
      fi
    done
  fi
else
  $IPT -A INPUT  -p udp --sport 53 --dport 1023:65535 -j ACCEPT
  $IPT -A INPUT  -p tcp --sport 53 --dport 1023:65535 -j ACCEPT
  $IPT -A OUTPUT -p udp --dport 53 --sport 1023:65535 -j ACCEPT
  $IPT -A OUTPUT -p tcp --dport 53 --sport 1023:65535 -j ACCEPT
fi

However, with multiple DNS servers the INPUT/OUTPUT chains end up kind of funky, and I think only the first DNS server in the list would actually function...

If you have 2 DNS IPs... let's call them 1.1.1.1 & 2.2.2.2, your INPUT would look like this (edited for brevity):

ACCEPT udp 1.1.1.1 0.0.0.0/0 udp spt:53 dpts:1023:65535
ACCEPT tcp 1.1.1.1 0.0.0.0/0 udp spt:53 dpts:1023:65535
DROP udp 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1023:65535
DROP tcp 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1023:65535
ACCEPT udp 2.2.2.2 0.0.0.0/0 udp spt:53 dpts:1023:65535
ACCEPT tcp 2.2.2.2 0.0.0.0/0 udp spt:53 dpts:1023:65535
DROP udp 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1023:65535
DROP tcp 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1023:65535

The first pair of DROPs would prevent any traffic being accepted from 2.2.2.2.

On the OUTPUT side, the two OUTPUT lines in the RESV_DNS_DROP seem to be identical / redundant to the block right above them.

I believe the correct way (at least it's how I changed it in my code) would be as follows: simply move the loop's done above the RESV_DNS_DROP if statement, and remove the two duplicate rows. This puts a single pair of DROP rules AFTER all the valid DNS server IPs have been listed to ACCEPT.

# DNS
if [ -f "/etc/resolv.conf" ] && [ "$RESV_DNS" == "1" ]; then
  LDNS=`cat /etc/resolv.conf | grep -v "#" | grep -w nameserver | awk '{print$2}' | grep -v 127.0.0.1`
  if [ ! "$LDNS" == "" ]; then
    for i in `echo $LDNS`; do
      eout "{glob} resolv dns discovery for $i"
      $IPT -A INPUT -p udp -s $i --sport 53 --dport 1023:65535 -j ACCEPT
      $IPT -A INPUT -p tcp -s $i --sport 53 --dport 1023:65535 -j ACCEPT
      $IPT -A OUTPUT -p udp -d $i --dport 53 --sport 1023:65535 -j ACCEPT
      $IPT -A OUTPUT -p tcp -d $i --dport 53 --sport 1023:65535 -j ACCEPT
    done
    if [ "$RESV_DNS_DROP" == "1" ]; then
      $IPT -A INPUT  -p tcp -s 0/0 --sport 53 --dport 1023:65535 -j $ALL_STOP
      $IPT -A INPUT  -p udp -s 0/0 --sport 53 --dport 1023:65535 -j $ALL_STOP
    fi
  fi
else
  $IPT -A INPUT  -p udp --sport 53 --dport 1023:65535 -j ACCEPT
  $IPT -A INPUT  -p tcp --sport 53 --dport 1023:65535 -j ACCEPT
  $IPT -A OUTPUT -p udp --dport 53 --sport 1023:65535 -j ACCEPT
  $IPT -A OUTPUT -p tcp --dport 53 --sport 1023:65535 -j ACCEPT
fi
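To make the ordering problem concrete, here is an added example (not APF code, not the poster's) that regenerates the INPUT rule order each version of the loop appends and evaluates packets against it with iptables' first-match semantics. The resolver list reuses the 1.1.1.1 / 2.2.2.2 placeholders above and is constructed; the fall-through verdict is the INPUT drop policy APF reports in its logs.

```shell
# Added example, not APF code: reproduce the INPUT rule order that each
# version of the RESV_DNS loop appends, then evaluate packets against it
# with first-match semantics to show why the second resolver is cut off.

# gen_rules MODE "DNS1 DNS2 ...": one rule per line as "VERDICT proto source".
# "buggy" puts the 0/0 DROP pair inside the loop (original code); "fixed"
# emits it once after the loop (the change proposed above).
gen_rules() {
    mode="$1"
    for i in $2; do
        echo "ACCEPT udp $i"
        echo "ACCEPT tcp $i"
        if [ "$mode" = "buggy" ]; then
            echo "DROP tcp 0.0.0.0/0"
            echo "DROP udp 0.0.0.0/0"
        fi
    done
    if [ "$mode" = "fixed" ]; then
        echo "DROP tcp 0.0.0.0/0"
        echo "DROP udp 0.0.0.0/0"
    fi
}

# verdict RULES PROTO SRC: first matching rule wins, as in an iptables chain;
# 0.0.0.0/0 matches any source. Falls through to the INPUT chain policy,
# which APF sets to DROP ("default (ingress) input drop" in the log above).
verdict() {
    printf '%s\n' "$1" | awk -v proto="$2" -v src="$3" '
        $2 == proto && ($3 == "0.0.0.0/0" || $3 == src) { print $1; found = 1; exit }
        END { if (!found) print "DROP" }'
}

# Constructed resolver list standing in for the nameserver lines of /etc/resolv.conf.
LDNS_DEMO="1.1.1.1 2.2.2.2"

# Replies from the second resolver: dropped by the original order, accepted after the fix.
demo() {
    for mode in buggy fixed; do
        rules=$(gen_rules "$mode" "$LDNS_DEMO")
        echo "$mode: udp reply from 2.2.2.2 -> $(verdict "$rules" udp 2.2.2.2)"
    done
}
demo
```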

ipv6 working?

Hi,
Please excuse me if this is not the proper place to ask. This is the only "forum" I could find regarding apf.
First of all, thank you for apf!

I wonder if ipv6 is working in my case. I am using v1.7.6-2.
ifconfig reports an ipv4 and an ipv6 address on my public interface.
I have ipv6 enabled in conf.apf
USE_IPV6="1"

If I issue an apf -r, no message is displayed that refers to ipv6.
Afterwards, iptables -S shows all things I have configured.
ip6tables -S shows only:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

Furthermore, in allow_hosts.rules I have a rule that allows me to ssh to my box from my home address:
tcp:in:d=22:s=1.2.3.4
But if I also put my ipv6 home address there:
tcp:in:d=22:s=a:b:c:d:e:f:g:h

and restart apf, I see a message:

apf(1441925): {trust} allow inbound tcp 2a00 to port 22
iptables v1.8.4 (nf_tables): host/network `2a00' not found
Try `iptables -h' or 'iptables --help' for more information.

So this makes me wonder if I am doing something wrong here?
Thank you

CentOS daily logrotate gives errors for apf

Anacron is sending the following error on a daily basis:

/etc/cron.daily/logrotate:

error: apf:prerotate, postrotate or preremove without endscript
error: found error in file apf, skipping

Running the /etc/cron.daily/logrotate command on the command line gives the same error:

error: apf:prerotate, postrotate or preremove without endscript
error: found error in file apf, skipping

Suggestion: use systemd, as init.d has no status

Hi,

init.d does not report any issues with apf:

/etc/init.d/apf start
Starting apf (via systemctl): [ OK ]

It will report OK even if iptables is not running, for example:

https://www.eukhost.com/blog/webhosting/apf-unable-to-load-iptables-module-ip_tables/

Currently only starting apf manually or running iptables -S would show if there is an issue. If started with a systemd unit:

[Unit]
Description=apf firewall with iptables
After=syslog.target network.target

[Service]
RemainAfterExit=yes
ExecStart=/usr/local/sbin/apf --start
ExecStop=/usr/local/sbin/apf --stop
Restart=on-failure
RestartSec=5

[Install]
WantedBy=basic.target

status will advise if iptables is running or not:

systemctl status apf

● apf.service - apf firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/apf.service; enabled; vendor preset: disabled)
   Active: active (exited) since Tue 2018-11-20 14:33:21 GMT; 3min 44s ago
  Process: 5443 ExecStop=/usr/local/sbin/apf --stop (code=exited, status=0/SUCCESS)
  Process: 5531 ExecStart=/usr/local/sbin/apf --start (code=exited, status=0/SUCCESS)
 Main PID: 5531 (code=exited, status=0/SUCCESS)

Nov 20 14:33:23 localhost.localdomain apf[5531]: apf(5638): {glob} opening inbound icmp type 30 on 0/0
Nov 20 14:33:23 localhost.localdomain apf[5531]: apf(5638): {glob} opening inbound icmp type 8 on 0/0
Nov 20 14:33:23 localhost.localdomain apf[5531]: apf(5638): {glob} resolv dns discovery for 192.168.1.20
Nov 20 14:33:23 localhost.localdomain apf[5531]: apf(5638): {glob} resolv dns discovery for 192.168.1.22
Nov 20 14:33:23 localhost.localdomain apf[5531]: apf(5638): {glob} resolv dns discovery for 192.168.1.1
Nov 20 14:33:23 localhost.localdomain apf[5531]: apf(5638): {glob} loading postroute.rules
Nov 20 14:33:23 localhost.localdomain apf[5531]: apf(5638): {glob} default (egress) output accept
Nov 20 14:33:23 localhost.localdomain apf[5531]: apf(5638): {glob} default (ingress) input drop
Nov 20 14:33:23 localhost.localdomain apf[5531]: apf(5531): {glob} firewall initalized
Nov 20 14:33:23 localhost.localdomain apf[5531]: apf(5531): {glob} fast load snapshot saved

The systemd unit file can probably be improved to actually fail if iptables is not running; this is more of a start/suggestion.

Thanks
