APF firewall new revision is out

snk (Verified User, joined Dec 19, 2007, 102 messages)
APF - Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system

http://r-fx.org/apf.php

- 0.9.6 (rev:3)

[New] added SET_REFRESH to conf.apf which controls the rate at which trust rules are automatically refreshed, defaults to 10 minutes

[New] added SET_TRIM to conf.apf which controls the max allowed entries in the deny trust system, defaults to 50 lines with older entries purged first

[New] added -e|--refresh flag to apf command that is used to flush & refresh the (global)trust system chains, this will also re-download any global rules and re-resolve any DNS names in the rules

[Change] the cli_trust_remove() function has been updated to support the new (global)trust system chains

[Change] modified the trust system to load rules into specific chains to better support dynamic refreshing of the rules, the new chains are as follows TALLOW TDENY (standard trust) TGALLOW TGDENY (global trust)

[Fix] the cli_trust_remove() function was not using the ALL_STOP variable when matching rules in the firewall for removal, would fail if ALL_STOP was set to anything other than default value

[Change] set SYSCTL_ROUTE to default off as it was causing issues with VPS installations

[Fix] RAB_LOG_HIT was being enabled even with RAB parent variable disabled causing some noise in the logs

[Fix] the p2p drop chains now implicitly require that the client side ports be high ports (1024+) before a drop takes place

[Fix] the HELPER_SSH and HELPER_FTP variables in conf.apf were not referenced by the correct variable name in the back end

[Change] more netfilter module renaming in 2.6.20+, the ip_conntrack_* modules are now known as nf_conntrack_* - compatibility support added [this was a silent compatibility change in previous 0.9.6-2 release]

[Change] more complete preload list for iptables modules added

[Fix] cli_trust_remove() now better handles situations where addresses appear in multiple trust files

[Change] appended /dev/null stdout redirects onto apf calls in the init script to prevent verbose output during boot/init operations

[Fix] added a check routine to the fast load feature so snapshots are no longer saved when there are no iptables chains loaded (i.e. a double run of apf -f)

[Change] scrub of APF to remove all ties to antidos, the antidos subsystem has been removed and will be replaced with expanded RAB features

[Change] very extensive updates to the README.apf file

[Change] a_cli_tr() and d_cli_tr() functions renamed to cli_trust_allow() and cli_trust_deny()

[Change] the --unban command flag has been changed to --remove with the former silently being preserved for compatibility

[Change] unban() function renamed to cli_trust_remove()

[Fix] the optional comment string on --allow|-a and --deny|-d was being cut short in certain circumstances

[Change] force disable fast load when devel mode is enabled

[Change] cron.daily entry for apf restart has been changed from 'fw' to 'apf', the install.sh will now remove the old file and replace it with the new one

[New] added ability to log RAB HIT and TRIP events with variables RAB_LOG_HIT and RAB_LOG_TRIP

[Change] reserved.networks file now dynamically updated on the r-fx server daily from http://www.iana.org/assignments/ipv4-address-space
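The per-chain trust layout and the SET_TRIM cap described in the entries above, as an added example that is not APF's own code: a small POSIX shell script that trims a constructed deny list to its newest N entries (older lines purged first) and emits the iptables commands that would flush and rebuild a TDENY chain, which is the property that makes a trust chain refreshable without reloading the whole ruleset. The "address # comment" line format, the function names and the sample addresses are assumptions for this demo; iptables commands are printed, not executed.

```shell
#!/bin/sh
# Added example, not part of APF. Models two ideas from the changelog:
#  - trust rules live in their own chain (TALLOW/TDENY/TGALLOW/TGDENY),
#    so a refresh is "flush the chain, re-add rules" rather than a full reload;
#  - SET_TRIM caps the deny list, dropping the oldest entries first.
# Assumed file format: one "address[/prefix] [# comment]" per line.
SET_TRIM=${SET_TRIM:-50}

# sample_deny: constructed deny_hosts.rules content (RFC 5737 doc addresses).
sample_deny() {
  cat <<'EOF'
# deny_hosts.rules (constructed sample)
192.0.2.10 # oldest entry
192.0.2.11 # middle entry
198.51.100.0/24 # newest entry
EOF
}

# trim_deny N: read a deny file on stdin, drop blank/comment lines and keep
# only the newest N entries (entries are appended, so the last lines are newest).
trim_deny() {
  grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | tail -n "$1"
}

# gen_chain_rules CHAIN TARGET: emit the iptables commands that (re)build
# CHAIN from the addresses on stdin. Flushing first is what makes a refresh
# replace the rules instead of duplicating them; the trailing comment on each
# line is ignored, only the first field (the address) is used.
gen_chain_rules() {
  chain=$1; target=$2
  echo "iptables -N $chain 2>/dev/null"
  echo "iptables -F $chain"
  while read -r addr _comment; do
    [ -z "$addr" ] && continue
    echo "iptables -A $chain -s $addr -j $target"
  done
}

# Demo: build the TDENY chain from the sample, honouring SET_TRIM.
sample_deny | trim_deny "$SET_TRIM" | gen_chain_rules TDENY DROP
```

Setting SET_TRIM=2 in the environment before running shows the oldest entry (192.0.2.10) being purged from the generated chain.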

Download link:
- http://www.r-fx.ca/downloads/apf-current.tar.gz

Documents:
- http://www.rfxnetworks.com/appdocs/README.apf

Version History:
- http://www.rfxnetworks.com/appdocs/CHANGELOG.apf