How to: Install APF working with DA



NrgUser
09-18-2004, 05:00 PM
The first part was taken from webhostgear.com and the ports are mine, let me know if some are not needed.

Login to your server through SSH and su to the root user.

1. cd /root/downloads or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd apf-0.9.3_3/ or whatever the latest version is.

5. Run the install file: ./install.sh
You will receive a message saying it has been installed

.: APF installed
Install path: /etc/apf
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf

6. Let's configure the firewall: pico /etc/apf/conf.apf
We will go over the general configuration to get your firewall running. This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.

We like to use DShield.org's "block" list of top networks that have exhibited
suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

7. Configuring Firewall Ports:

EG_TCP_CPORTS: (incoming) 21,22,25,53,80,110,143,443,1853,1821,1867,1903,1913,1924,1925,1976,2030,2031,2032,2033,2034,2035,2036,2037,2038,2096,3071,3079,3080,3081,3082,3083,3084,3085,3086,3306,5000,5669,5670,5671,5672,5673,5674,5675,5677,5678,5679,5680,5681,7524,9293,9301,9302,9925,9926,9067,9068,20440,20441,20442,20443

EG_ICMP_CPORTS: (out going)
37,53,873

DO NOT COPY AND PASTE THIS LIKE IT, take the port numbers and click copy, then right click it in putty!

TheLinuxGuy
09-18-2004, 05:40 PM
You really should have looked at it more, the APF version is outdated in the post. You also forgot the ingress filtering rules, and you have a lot of unneeded outgoing ports.


EG_TCP_CPORTS == outgoing TCP ports

EG_ICMP_CPORTS == outgoing ICMP types

NrgUser
09-18-2004, 07:49 PM
Like I said the first part was from webhost gear but the default settings WILL lock you out of your settings. If you suggest something to be removed then go ahead and tell me.

I got this to work with the latest version

ramprage
09-22-2004, 06:48 AM
If you have some suggestions of what ports to use for DA let me know and I'll update my guide at WebHostGear.com

Cheers

hostpc.com
09-22-2004, 07:47 AM
# Common TCP Ports
TCP_CPORTS="21,22,25,53,80,443,110,143,2222,2525,7000,9667,6000_7000"

# Common UDP Ports
UDP_CPORTS="53"

verruckt
12-26-2004, 11:42 AM
Originally posted by hostpc.com
# Common TCP Ports
TCP_CPORTS="21,22,25,53,80,443,110,143,2222,2525,7000,9667,6000_7000"

# Common UDP Ports
UDP_CPORTS="53"

Is this completely accurate? Obviously 21,22,25,53,80,443,110,143,2222 are needed, but what about 2525,7000,9667,6000_7000 ???

Are they necessary? Or used by DA to update?

NrgUser
12-26-2004, 12:07 PM
Look at my post date, some are not needed, if someone wants to update it go ahead.

verruckt
12-26-2004, 03:12 PM
Originally posted by NrgUser
Look at my post date, some are not needed, if someone wants to update it go ahead.

Yeah i noticed that. I guess I will go at it and post back.

hostpc.com
12-26-2004, 05:22 PM
Originally posted by verruckt
what about 2525,7000,9667,6000_7000 ???

Are they necessary? Or used by DA to update?

We use 2525 as an alternate sendmail port - that's probably unique to us.

6000_7000 is for passive mode FTP

9667 and 7000 were for specialized applications - you can ignore those.

Joe

sander815
12-28-2004, 02:34 PM
how well does the antidos feature from apf work?

hostpc.com
12-28-2004, 02:55 PM
I'm pretty happy with it... it keeps its own log files so you can track what it's doing.

sander815
12-30-2004, 07:33 AM
better than kiss?

i have problems with kiss, when running some users cannot ftp

hostpc.com
12-30-2004, 07:46 AM
I've not had any problems with APF, but I've heard good things about KISS as well. Maybe you don't have the ports open for passive FTP ?

sander815
12-30-2004, 08:05 AM
BLOCK_LIST=""
TCP_IN="21 25 53 80 110 143 443 2222 6000_7000 10000"
TCP_OUT="21 22 25 37 43 53 80 443"
UDP_IN="53"
UDP_OUT="53"

these are my open ports

nobaloney
12-30-2004, 08:59 AM
Both KISS and APF should work properly with passive FTP without opening/using any of the ephemeral port range.

They do for us.

Jeff

deltaned
01-01-2005, 11:21 PM
Hi,

I see when I start APF with /usr/local/sbin/apf -st firewall initalized
But after 5 min the firewall will be offline after the 5 min flush .

COPY LOGFILE:
APF Status Log:
jan 02 08:25:03 feyenoord apf(23833): firewall offline
jan 02 08:25:01 feyenoord apf(23833): flushing & zeroing chain policies
jan 02 08:20:01 feyenoord apf(23617): firewall offline
jan 02 08:20:01 feyenoord apf(23617): flushing & zeroing chain policies
jan 02 08:19:25 feyenoord apf(23049): firewall initalized
jan 02 08:19:25 feyenoord apf(23099): default (ingress) input drop
jan 02 08:19:25 feyenoord apf(23099): default (egress) output accept
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 8 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 30 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 0 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 11 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 5 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 3 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound udp port 53 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 6000:7000 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 3306 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 2222 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 143 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 110 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 443 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 80 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 53 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 25 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 22 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 21 on 0/0
jan 02 08:19:25 feyenoord apf(23099): loading main.rules
jan 02 08:19:25 feyenoord apf(23099): virtual net subsystem disabled.
jan 02 08:19:25 feyenoord apf(23099): loading log.rules
jan 02 08:19:24 feyenoord apf(23099): loading ds_hosts.rules
jan 02 08:19:24 feyenoord apf(23099): loading bt.rules
jan 02 08:19:24 feyenoord apf(23099): loading preroute.rules
jan 02 08:19:24 feyenoord apf(23099): setting sysctl_syn enabled.
jan 02 08:19:24 feyenoord apf(23099): setting sysctl_tcp enabled.
jan 02 08:19:24 feyenoord apf(23099): loading sysctl.rules
jan 02 08:19:24 feyenoord apf(23099): determined (OUT_IF) eth0 has address 217.148.168.67
jan 02 08:19:24 feyenoord apf(23099): determined (IN_IF) eth0 has address xxx.xxx.xxx.xxx (my IP)
jan 02 08:19:24 feyenoord apf(23099): development mode enabled!; firewall will flush every 5 minutes.
jan 02 08:19:24 feyenoord apf(23049): parsing block.txt into /etc/apf/ds_hosts.rules
jan 02 08:19:24 feyenoord apf(23049): downloading http://feeds.dshield.org/block.txt
jan 02 08:19:24 feyenoord apf(23049): activating firewall
jan 02 08:19:20 feyenoord apf(23022): status log not found, created

Anyone tips to let APF working?

torp
01-03-2005, 12:53 PM
I've been using the APF firewall for some time, and since the attacks on my server continued, I activated the Anti DOS feature in APF.

Problem is, the first user to get kicked was me :D Excellent!

I thought that removing the block for my IP would be easy, but after consulting all the documentation, I am not able to find out which file to edit. Furthermore, I am not even able to register on R-fx network's forum - don't know why it's not sending me the automated registration email.

So I'm posting the question here - hope someone has the answer.

I've removed all entries from the file afp/ad/ad.rules, but it doesn't seem to make any difference. I've also gone through all other files, and I can't find my IP address anywhere. But I'm not able to connect to any of my server's websites either...

hostpc.com
01-03-2005, 01:11 PM
Have you looked in /etc/apf/firewall ?

It really should be in /etc/apf/ad/ad.rules - but I guess it could be either.

hostpc.com
01-03-2005, 01:12 PM
also try (as root)

iptables -F

deltaned
01-03-2005, 01:16 PM
@hostPC:
Who are you answering?

hostpc.com
01-03-2005, 01:26 PM
Well, I was answering torp, didn't see your post... but, to try and answer,

jan 02 08:19:24 feyenoord apf(23049): activating firewall

Looks like the firewall is loaded

You can try

apf -r

to verify that it is

torp
01-03-2005, 02:29 PM
Thanks!

There's nothing that would suggest that my IP is blocked in apf/firewall

My ad.rules is clean - this is very strange.

torp
01-03-2005, 03:12 PM
Fixed it.

Had to do a reboot :(

roel
01-04-2005, 04:37 AM
I've removed all entries from the file afp/ad/ad.rules, but it doesn't seem to make any difference. I've also gone through all other files, and I can't find my IP address anywhere. But I'm not able to connect to any of my server's websites either...
I had my APF kick me out as well, but I solved that by simply typing "apf" (after logging in from another IP, of course); you can add "allow" rules directly from command line, you don't need to edit anything.

markus
01-05-2005, 05:08 PM
deltaned: Read the comments about "dev mode" in /etc/apf/conf.apf ;)

roel: Add your own IP(s) in the /etc/apf/allow_hosts.rules file, those will never be banned

deltaned
01-17-2005, 02:28 AM
# [Dev. Mode]
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to flush the firewall; set
# this mode off (0) when firewall determined to be operating as desired.

OK, advice, what is the best: 1 or 0?

markus
01-17-2005, 06:35 AM
Quoted from the APF readme:

Option: DEVM="1"
Definition: APF comes default in dev. mode; meaning the firewall rules
will be flushed every 5 minutes. This is intended to prevent you from
being locked out of your system in the event of undesired results from APF.
Set the DEVM="1" option to zero (0) once APF is operating as desired.
Do NOT! leave this option enabled on a permanet basis, or you defeat
the purpose of using a firewall.
Running APF in DEVM="1" if you (your current IP) get banned from your server for whatever reason, you will be able to access your server again, after 5 minutes.

Running APF in DEVM="0" if you (your current IP) get banned from your server for whatever reason, the only way to reach your server will be: from another IP or getting physical access.

You could get banned at the firewall level by BFD, APF antidos, mistakes configuring other APF settings/rules, etc.

To avoid being banned, you could enter your IP in the /etc/apf/allow_hosts.rules file. I believe that would be enough.

winger
01-22-2005, 11:55 AM
Hi,
I've just installed apf, and I need some help:

- port 3306 must be in IG_TCP_CPORTS?

- how can I see the LOG files from apf?

- what do we have to set to run apf antidos?

:)

markus
01-23-2005, 04:53 AM
>> port 3306 must be in IG_TCP_CPORTS?
3306 is the port used by MySQL, so you should decide if you want to allow remote access to the MySQL server or not.

If not, your user will only be able to use it via local applications (such as phpMyAdmin or any other program) using localhost.

>> how can I see the LOG files from apf?
In my RHEL, APF logs are located at: /var/log/apf*

>> what we have to set for run apf antidos?
http://www.rfxnetworks.com/apf.php
http://www.rfxnetworks.com/apf/README
http://www.rfxnetworks.com/apf/README.antidos

Newbee
02-18-2005, 04:19 PM
Hi All.

I see this thread was started in Sept 04, was wondering if anyone's found a working ruleset?

Would be grateful if someone could spare a little time and paste the info here for us newbies :-)

thanks!

winger
02-18-2005, 05:03 PM
Hi,
i used this:
http://www.webhostgear.com/index.php?art/id:61
maybe it can help you too!

you must set the ports that you need open - don't forget the 2222

:)

Newbee
02-18-2005, 05:11 PM
Hi Winger

Thanks for replying.

I did see that article, only thing there was no mention of settings for DA? I saw Cpanel and Ensim...

Can you paste the settings you're using?
Thanks in advance
:-)

winger
02-19-2005, 05:42 AM
Hi NewBee,

These settings are working for me:

IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2222"

IG_UDP_CPORTS="53"

EG_TCP_CPORTS="21,22,25,37,43,53,80,443"

EG_UDP_CPORTS="53"


I really don't know if it's correct or enough, but it is working fine for my use.

you can also see this:

- http://www.rfxnetworks.com/apf/README
- http://www.rfxnetworks.com/apf/README.antidos

:D

Newbee
02-19-2005, 05:50 AM
Originally posted by winger
Hi NewBee,

These settings are working for me:

IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2222"

IG_UDP_CPORTS="53"

EG_TCP_CPORTS="21,22,25,37,43,53,80,443"

EG_UDP_CPORTS="53"


I really don't know if it's correct or enough, but it is working fine for my use.

you can also see this:

- http://www.rfxnetworks.com/apf/README
- http://www.rfxnetworks.com/apf/README.antidos

:D

Thanks Winger - You've been a great help.

Can someone from DA Admin (or even RFX) please let us know if these settings are compatible/recommended?

I'm sure many of us would appreciate it :-)
Thanks.

jason
03-07-2005, 03:06 AM
well how i can put a range of ports like 12000-13000 is that acceptable
thanks

jason
03-07-2005, 03:58 AM
i think 12000_13000
thanks

Newbee
03-25-2005, 04:13 AM
Right.... I have the firewall up and running but have not yet activated the anti-dos feature, can someone please let us know what configurations to use?

Thanks!

dave6901_2000
06-23-2005, 12:07 PM
I started the anti-dos and got booted from the box right away and so did all services now can't get back in at all any ideas ???

jmstacey
06-23-2005, 04:40 PM
If it locked you out, you can try connecting from another computer (different IP address) that might not be blocked yet.
Otherwise you'll need physical access to the server to correct the problem.

dave6901_2000
06-23-2005, 07:13 PM
got back in lol called tech and had them reboot but i still haven't turned it back on again i was too afraid to get locked out again

any help in the config file would be good as to what to enable

# Parse klog for iptables logged attacks [0=off,1=on]
LP_KLOG="0"
#
# Parse snort portscan log for attacks [0=off,1=on]
LP_SNORT="0"
#
# Try to detect syn-flood attacks [0=off,1=on]
DET_SF="0"
#
# Kernel log file
KLOG="/var/log/messages"
#
# Snort portscan log file [experimental]
SLOG="/var/log/snort/portscan.log"
#
# Trigger value before we drop an event SRC
TRIG="20"
#
# Trigger value before we drop syn-floods for SRC
SF_TRIG="25"
#
# Trigger ports for syn-flood; null for all
SF_TRIG_PORTS="80,443"

##
# [Attack Filtering]
##
#
# Reject attackers in route table [0=off,1=on]
ROUTE_REJ="0"
#
# Drop destination interface [0=off,1=on]
DROP_IF="0"
#
# Do not drop interface for events matching these ports;
# line seperated strings.
NCRIT_PORTS="$INSPATH/noncrit.ports"
#
# Block attacks with iptables [0=off,1=on]
IPT_BL="1"
#
# Were to write iptable rules too
BLOCKR="$INSPATH/ad.rules"

ashagg
09-23-2005, 01:29 AM
Hi there..

I know this thread is quite old but I'm trying my luck anyways.. :)

I run a server on which we do both ... web as well as shell hosting.. (yes I know it's a very bad idea...)

I make all web hosting a/c via DA and the shell ones via the normal linux commands...

The shell a/c are used for eggs/bnc's.

Recently I installed snort/base and whoa!! 4905 alerts in 3 hours!! Most of them the SQL alerts on port 143? Also Brute-force attempts run into a couple of thousands... so I decided on putting in a firewall...

My question is...
what ideally should be my in/out ports for APF ?? I've really no clue about what protocol use which ports apart from the usual 22,80 etc.. I've decided and notified all my shell customers to use ports 20000-30000 for all eggs/bnc's..

Can someone please help ...

Regards,
ashagg

XBL
09-23-2005, 02:26 AM
Well, ashagg, if you know what you're running you know what ports to open. We currently have the following ports open for incoming traffic (we currently don't filter outgoing traffic, we do filter it).

TCP: 21 (ftp), 22 (ssh), 25 (smtp), 53 (dns), 80 (http), 110 (pop3), 143 (imap), 443 (https), 2222 (directadmin) and 3306 (MySQL, only for our monitoring server open).
UDP: only 53 (dns).

If you have incoming traffic for other services, like bots, and you know what port(s) they are running on, you just add those ports. If it's a port range, like you mentioned, you can add it like 20000_30000.

Jochem

vdvm
10-24-2005, 01:39 PM
Hi,

I've configured APF like this.
I've also enabled outbound filtering on the same ports as inbound.
Is this the correct way?

What about inbound/outbound ICMP?

Thank you!


# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,2222"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"


# Egress filtering [0 = Disabled / 1 = Enabled] // outbound filtering
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,53,80,443,110,143,2222"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="53"

# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"


# DShield.org's "block" list of top networks that have exhibited
# suspicious activity. [0 = Disabled / 1 = Enabled]
USE_DS="1"
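
The settings debated across this thread (dev mode left on, which inbound ports are listed, wide ranges such as 6000_7000, MySQL on 3306) can be checked mechanically. This is an added example, not part of any post and not APF's own code; the function names, the 100-port threshold and the sample file are assumptions, and the sample values are constructed from ones quoted above.

```shell
#!/bin/sh
# Added example, not APF code: audit a conf.apf for settings discussed in this thread.

# conf_get FILE KEY: print the value of the last KEY="value" line in FILE.
conf_get() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_items LIST: print each entry of a comma-separated port list as "lo hi".
# Ranges use the lo_hi form from the thread (for example 6000_7000).
port_items() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r item; do
        case $item in
            '')  ;;
            *_*) echo "${item%_*} ${item#*_}" ;;
            *)   echo "$item $item" ;;
        esac
    done
}

# has_port LIST PORT: succeed if PORT is listed directly or lies inside a range.
has_port() {
    port_items "$1" |
        awk -v p="$2" '$1 <= p && p <= $2 { found = 1 } END { exit !found }'
}

# wide_ranges LIST MAX: print every range that opens more than MAX ports.
wide_ranges() {
    port_items "$1" |
        awk -v max="$2" '{ n = $2 - $1 + 1; if (n > max) print $1 "_" $2 " opens " n " ports" }'
}

# audit_apf_conf FILE: print one finding per line.
audit_apf_conf() {
    conf=$1
    # Both names for the dev-mode switch appear in the thread.
    for key in DEVM DEVEL_MODE; do
        if [ "$(conf_get "$conf" "$key")" = "1" ]; then
            echo "WARN $key=1: rules are flushed every 5 minutes"
        fi
    done
    tcp_in=$(conf_get "$conf" IG_TCP_CPORTS)
    for port in 22 2222; do   # SSH and DirectAdmin, per the posts above
        if ! has_port "$tcp_in" "$port"; then
            echo "WARN tcp/$port is not in IG_TCP_CPORTS"
        fi
    done
    if has_port "$tcp_in" 3306; then
        echo "REVIEW tcp/3306 is open inbound: MySQL is reachable from remote hosts"
    fi
    # 100 is an arbitrary threshold chosen for this example.
    wide_ranges "$tcp_in" 100 | sed 's/^/REVIEW inbound range /'
    return 0
}

# Constructed sample built from values quoted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Option: DEVM="0" in a comment must be ignored
DEVM="1"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,3306,6000_7000"
IG_UDP_CPORTS="53"
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_apf_conf "$sample"
rm -f "$sample"
```

Point `audit_apf_conf` at /etc/apf/conf.apf to check a live install; it only reads the file.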

torp
11-17-2005, 07:10 AM
The installer does not work on Debian. It attempts to put the startup file for apf in /etc/rcd.0/ but this directory does not exist on Debian.

I have tried to find documentation on how to install in a specific directory, but I haven't been able to. Anyone know how to remedy this in any way?

vod
01-11-2006, 08:46 AM
Hi,

After several attempts to install apf, i have decided to remove it.

How can i completely remove APF? i can see that a cron job
"unix1 CROND[21749]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)" is running every 5 minutes.

thanks.

nobaloney
01-11-2006, 06:58 PM
First try would be to go into the directory from where you installed it and see if there's an uninstall script.

Jeff

vod
01-11-2006, 07:11 PM
Thanks but could not find any uninstall script.

any manual way?

nobaloney
01-11-2006, 07:49 PM
Find everything and delete it.

Especially the startup script.

I don't have time to look right now.

Jeff

vod
01-11-2006, 07:54 PM
thanks jeff.

I did a chkconfig --del apf and then deleted files below:

rm /etc/init.d/apf
rm /etc/cron.daily/fw
rm -rf /etc/apf

there are no more apf scripts in cron.daily, cron.hourly, cron.weekly, etc

crontab -e does not have any apf entries.

the cron log still showing apf stop executed every 5 mins. :(

nobaloney
01-11-2006, 07:56 PM
# cd /var/spool/cron
# grep apf *

If you see any output edit those cronjobs:

crontab -e <username>

and remove those lines, then save the file.

Either way be sure to restart the cron daemon:

# service crond restart

Exactly what line do you see in the logs (time for a cut and paste into the forum)?

Jeff

vod
01-11-2006, 08:11 PM
# cd /var/spool/cron
# grep apf *
returned nothing

manually cat each of the user files in that directory (admin, root, diradmin) none of them have any apf entry.


# service crond restart
Have restarted crond several times. Anyway, this is a vps box. I have even rebooted the whole vps through Virtuozzo.


Exactly what line do you see in the logs (time for a cut and paste into the forum)?

Jan 12 12:00:00 unix1 CROND[5794]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

there is definitely no apf file in /etc/init.d, it has been removed.

Again, thanks a lot jeff for looking into this

nobaloney
01-11-2006, 08:15 PM
Something is trying to run it, and it's not there.

How about the /etc/crontab file?

That could be the culprit?

If you change it you do have to restart the crond daemon.

Jeff

vod
01-11-2006, 08:18 PM
argh what an oversight. :D it is indeed in /etc/crontab.

you just make my day Jeff. thanks a lot.

nobaloney
01-14-2006, 07:44 PM
It took me a while to think of it as well.

I would have found it more quickly while logged in because I start by doing this:

# grep <whatever> /etc/cron*
# grep <whatever> /etc/cron*/*

and so forth until I get an error that no lower level files exist.

Jeff
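
The search described above, extended to every cron location mentioned in this exchange and to the case that caused the trouble here: a cron entry still calling a script that has been deleted. This is an added example, not part of any post; `find_cron_refs`, its ROOT parameter and the sample tree are assumptions, and the sample crontab line is constructed around the command shown in the cron log above.

```shell
#!/bin/sh
# Added example, not from the thread: search every cron location for a pattern
# and flag entries whose command no longer exists on disk.

# find_cron_refs PATTERN [ROOT]
# ROOT is a hypothetical parameter that prefixes every path, so the function
# can be pointed at a test tree instead of the live filesystem.
find_cron_refs() {
    pattern=$1
    root=${2:-}
    for path in etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily \
                etc/cron.weekly etc/cron.monthly var/spool/cron; do
        [ -e "$root/$path" ] || continue
        grep -rHn -- "$pattern" "$root/$path" 2>/dev/null || true
    done | while IFS= read -r hit; do
        file=${hit%%:*}          # grep prints file:lineno:text
        rest=${hit#*:}
        line=${rest#*:}
        case $line in '#'*) continue ;; esac   # skip commented-out entries
        # The first absolute path on the line is taken as the command being run.
        cmd=$(printf '%s\n' "$line" | tr ' \t' '\n\n' | grep '^/' | head -n 1)
        if [ -n "$cmd" ] && [ ! -e "$root$cmd" ]; then
            echo "ORPHAN ${file#"$root"}: $cmd does not exist"
        else
            echo "FOUND ${file#"$root"}: $line"
        fi
    done
}

# Constructed test tree: /etc/crontab still calls a removed init script.
make_sample_tree() {
    mkdir -p "$1/etc/cron.daily" "$1/etc/init.d" "$1/var/spool/cron"
    printf '%s\n' '*/5 * * * * root /etc/init.d/apf stop >> /dev/null 2>&1' \
        > "$1/etc/crontab"
    printf '%s\n' '0 4 * * * /usr/bin/true' > "$1/var/spool/cron/root"
}

tree=$(mktemp -d)
make_sample_tree "$tree"
find_cron_refs apf "$tree"
rm -rf "$tree"
```

On a live system run `find_cron_refs apf` as root with no second argument.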

ju5t
01-15-2006, 12:45 AM
Originally posted by jlasman
If you change it you do have to restart the crond daemon.

No, it will find changes automatically the last time I checked.

nobaloney
01-15-2006, 06:42 PM
You're right. My error.

Not that it hurts.

:)

Jeff

milan
02-23-2006, 07:15 PM
Is there any info how to get this working on a debian box?

XBL
02-23-2006, 10:32 PM
Originally posted by milan
Is there any info how to get this working on a debian box?

The how-to will also work on a debian box. APF doesn't use any package systems, but simply compiles from source. It should work on most *nix systems (and probably all big Linux distros).

Jochem

milan
02-24-2006, 04:31 PM
It works :)

A+++++

Seth
03-17-2006, 04:38 PM
Originally posted by hostpc.com


6000_7000 is for passive mode FTP

Joe

THAT'S WHY IT WON'T WORK! Glad I read this thread

Seth
03-17-2006, 04:54 PM
Originally posted by deltaned
Hi,

I see when I start APF with /usr/local/sbin/apf -st firewall initalized
But after 5 min the firewall will be offline after the 5 min flush .

COPY LOGFILE:
APF Status Log:
jan 02 08:25:03 feyenoord apf(23833): firewall offline
jan 02 08:25:01 feyenoord apf(23833): flushing & zeroing chain policies
jan 02 08:20:01 feyenoord apf(23617): firewall offline
jan 02 08:20:01 feyenoord apf(23617): flushing & zeroing chain policies
jan 02 08:19:25 feyenoord apf(23049): firewall initalized
jan 02 08:19:25 feyenoord apf(23099): default (ingress) input drop
jan 02 08:19:25 feyenoord apf(23099): default (egress) output accept
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 8 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 30 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 0 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 11 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 5 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 3 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound udp port 53 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 6000:7000 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 3306 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 2222 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 143 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 110 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 443 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 80 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 53 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 25 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 22 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 21 on 0/0
jan 02 08:19:25 feyenoord apf(23099): loading main.rules
jan 02 08:19:25 feyenoord apf(23099): virtual net subsystem disabled.
jan 02 08:19:25 feyenoord apf(23099): loading log.rules
jan 02 08:19:24 feyenoord apf(23099): loading ds_hosts.rules
jan 02 08:19:24 feyenoord apf(23099): loading bt.rules
jan 02 08:19:24 feyenoord apf(23099): loading preroute.rules
jan 02 08:19:24 feyenoord apf(23099): setting sysctl_syn enabled.
jan 02 08:19:24 feyenoord apf(23099): setting sysctl_tcp enabled.
jan 02 08:19:24 feyenoord apf(23099): loading sysctl.rules
jan 02 08:19:24 feyenoord apf(23099): determined (OUT_IF) eth0 has address 217.148.168.67
jan 02 08:19:24 feyenoord apf(23099): determined (IN_IF) eth0 has address xxx.xxx.xxx.xxx (my IP)
jan 02 08:19:24 feyenoord apf(23099): development mode enabled!; firewall will flush every 5 minutes.
jan 02 08:19:24 feyenoord apf(23049): parsing block.txt into /etc/apf/ds_hosts.rules
jan 02 08:19:24 feyenoord apf(23049): downloading http://feeds.dshield.org/block.txt
jan 02 08:19:24 feyenoord apf(23049): activating firewall
jan 02 08:19:20 feyenoord apf(23022): status log not found, created

Anyone tips to let APF working?

# Set firewall cronjob (devel mode)
# 1 = enabled / 0 = disabled
DEVEL_MODE="0"

make sure it is disabled

torp
03-18-2006, 03:06 AM
Originally posted by milan
Is there any info how to get this working on a debian box?

I tried compiling APF on Debian. You'll get an error that it cannot copy over the rc.d scripts, as Debian uses its own system for this. You'll have to copy over the startup script manually after the install.

jmstacey
03-19-2006, 04:14 PM
And after copying the startup script to /etc/init.d manually, you will also need to run update-rc.d apf defaults to have apf automatically start if the system is ever restarted.