How to: Install APF working with DA

NrgUser (Verified User, joined Sep 18, 2004, 5 messages)
The first part was taken from webhostgear.com and the ports are mine; let me know if some are not needed.

Log in to your server through SSH and su to the root user.

1. cd /root/downloads or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd apf-0.9.3_3/ or whatever the latest version is.

5. Run the install file: ./install.sh
You will receive a message saying it has been installed

.: APF installed
Install path: /etc/apf
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf

6. Let's configure the firewall: pico /etc/apf/conf.apf
We will go over the general configuration to get your firewall running. This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.

We like to use DShield.org's "block" list of top networks that have exhibited suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

7. Configuring Firewall Ports:

EG_TCP_CPORTS: (incoming) 21,22,25,53,80,110,143,443,1853,1821,1867,1903,1913,1924,1925,1976,2030,2031,2032,2033,2034,2035,2036,2037,2038,2096,3071,3079,3080,3081,3082,3083,3084,3085,3086,3306,5000,5669,5670,5671,5672,5673,5674,5675,5677,5678,5679,5680,5681,7524,9293,9301,9302,9925,9926,9067,9068,20440,20441,20442,20443

EG_ICMP_CPORTS: (outgoing) 37,53,873

DO NOT COPY AND PASTE THIS AS IT IS; take the port numbers, click copy, then right-click in PuTTY!
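The port lists in this thread use APF's conf.apf syntax: comma-separated port numbers, with a range written low_high (6000_7000 for the passive-FTP range). A mis-pasted list, or one that drops the port you administer through, is the usual way to lock yourself out, which is what the warning above is about. The following is an added example, not part of the original post and not part of APF: it validates a port list before it goes into /etc/apf/conf.apf and confirms that the ports you cannot afford to lose are covered (SSH on 22 and DirectAdmin on 2222 are assumed here). The function names and the two sample lists are this example's own; the second list is constructed to show what a bad paste produces.

```shell
#!/bin/sh
# Added example (not from the thread and not part of APF): validate an APF
# port list and confirm the ports you must keep open are in it, before the
# list goes into /etc/apf/conf.apf. Function names and sample lists are this
# example's own; the lists are constructed, not copied from a real server.

# valid_port_token TOKEN
# Succeeds for a single port (1-65535) or an APF range low_high with low < high.
valid_port_token() {
    vt=$1
    case $vt in
        *_*)
            lo=${vt%%_*}; hi=${vt#*_}
            case $lo in ''|*[!0-9]*) return 1 ;; esac
            case $hi in ''|*[!0-9]*) return 1 ;; esac
            [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -lt "$hi" ]
            ;;
        *)
            case $vt in ''|*[!0-9]*) return 1 ;; esac
            [ "$vt" -ge 1 ] && [ "$vt" -le 65535 ]
            ;;
    esac
}

# port_covered PORT LIST
# Succeeds if PORT appears in LIST explicitly or inside a low_high range.
# LIST may be comma- or space-separated (both forms appear in this thread).
port_covered() {
    want=$1
    for pt in $(printf '%s' "$2" | tr ',' ' '); do
        valid_port_token "$pt" || continue    # junk tokens are reported by check_cports
        case $pt in
            *_*) [ "$want" -ge "${pt%%_*}" ] && [ "$want" -le "${pt#*_}" ] && return 0 ;;
            *)   [ "$pt" -eq "$want" ] && return 0 ;;
        esac
    done
    return 1
}

# check_cports LIST REQUIRED_PORT...
# Prints one line per problem. Returns 0 only when every token is valid and
# every required port is covered.
check_cports() {
    cl=$1; shift
    rc=0
    for ct in $(printf '%s' "$cl" | tr ',' ' '); do
        if ! valid_port_token "$ct"; then
            echo "bad port token '$ct' (use a number 1-65535 or low_high)"
            rc=1
        fi
    done
    for need in "$@"; do
        if ! port_covered "$need" "$cl"; then
            echo "required port $need is not open: this list would lock you out"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample lists. The first keeps SSH (22) and DirectAdmin (2222)
# open; the second is what a bad paste produces: 22 and 2222 dropped, and the
# 6000_7000 range mangled into one oversized number.
SAFE_TCP_IN="21,22,25,53,80,110,143,443,2222,6000_7000"
LOCKOUT_TCP_IN="21,25,53,80,110,143,443,60007000"

check_cports "$SAFE_TCP_IN" 22 2222 && echo "SAFE_TCP_IN: ok to use"
check_cports "$LOCKOUT_TCP_IN" 22 2222 || echo "LOCKOUT_TCP_IN: fix before restarting APF"
```

Run it with the inbound TCP list from your own conf.apf and the ports you reach the box through; if it reports anything, fix the list before restarting APF rather than after.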
 
You really should have looked at it more; the APF version in the post is outdated. You also forgot the ingress filtering rules, and you have a lot of unneeded outgoing ports.


EG_TCP_CPORTS == outgoing TCP ports

EG_ICMP_CPORTS == outgoing ICMP types
 
Like I said, the first part was from webhostgear, but the default settings WILL lock you out of your settings. If you suggest something to be removed, then go ahead and tell me.

I got this to work with the latest version
 
# Common TCP Ports
TCP_CPORTS="21,22,25,53,80,443,110,143,2222,2525,7000,9667,6000_7000"

# Common UDP Ports
UDP_CPORTS="53"
 
hostpc.com said:
# Common TCP Ports
TCP_CPORTS="21,22,25,53,80,443,110,143,2222,2525,7000,9667,6000_7000"

# Common UDP Ports
UDP_CPORTS="53"

Is this completely accurate? Obviously 21,22,25,53,80,443,110,143,2222 are needed, but what about 2525,7000,9667,6000_7000 ???

Are they necessary? Or used by DA to update?
 
Look at my post date, some are not needed, if someone wants to update it go ahead.
 
NrgUser said:
Look at my post date, some are not needed, if someone wants to update it go ahead.

Yeah, I noticed that. I guess I will go at it and post back.
 
verruckt said:
what about 2525,7000,9667,6000_7000 ???

Are they necessary? Or used by DA to update?

We use 2525 as an alternate sendmail port; that's probably unique to us.

6000_7000 is for passive mode FTP

9667 and 7000 were for specialized applications - you can ignore those.

Joe
 
Better than KISS?

I have problems with KISS; when it is running, some users cannot FTP.
 
I've not had any problems with APF, but I've heard good things about KISS as well. Maybe you don't have the ports open for passive FTP?
 
BLOCK_LIST=""
TCP_IN="21 25 53 80 110 143 443 2222 6000_7000 10000"
TCP_OUT="21 22 25 37 43 53 80 443"
UDP_IN="53"
UDP_OUT="53"

these are my open ports
 
Both KISS and APF should work properly with passive FTP without opening/using any of the ephemeral port range.

They do for us.

Jeff
 
Hi,

When I start APF with /usr/local/sbin/apf -st I see "firewall initalized",
but after 5 min the firewall goes offline after the 5 min flush.

COPY LOGFILE:
APF Status Log:
jan 02 08:25:03 feyenoord apf(23833): firewall offline
jan 02 08:25:01 feyenoord apf(23833): flushing & zeroing chain policies
jan 02 08:20:01 feyenoord apf(23617): firewall offline
jan 02 08:20:01 feyenoord apf(23617): flushing & zeroing chain policies
jan 02 08:19:25 feyenoord apf(23049): firewall initalized
jan 02 08:19:25 feyenoord apf(23099): default (ingress) input drop
jan 02 08:19:25 feyenoord apf(23099): default (egress) output accept
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 8 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 30 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 0 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 11 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 5 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound icmp type 3 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound udp port 53 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 6000:7000 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 3306 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 2222 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 143 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 110 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 443 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 80 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 53 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 25 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 22 on 0/0
jan 02 08:19:25 feyenoord apf(23099): opening inbound tcp port 21 on 0/0
jan 02 08:19:25 feyenoord apf(23099): loading main.rules
jan 02 08:19:25 feyenoord apf(23099): virtual net subsystem disabled.
jan 02 08:19:25 feyenoord apf(23099): loading log.rules
jan 02 08:19:24 feyenoord apf(23099): loading ds_hosts.rules
jan 02 08:19:24 feyenoord apf(23099): loading bt.rules
jan 02 08:19:24 feyenoord apf(23099): loading preroute.rules
jan 02 08:19:24 feyenoord apf(23099): setting sysctl_syn enabled.
jan 02 08:19:24 feyenoord apf(23099): setting sysctl_tcp enabled.
jan 02 08:19:24 feyenoord apf(23099): loading sysctl.rules
jan 02 08:19:24 feyenoord apf(23099): determined (OUT_IF) eth0 has address 217.148.168.67
jan 02 08:19:24 feyenoord apf(23099): determined (IN_IF) eth0 has address xxx.xxx.xxx.xxx (my IP)
jan 02 08:19:24 feyenoord apf(23099): development mode enabled!; firewall will flush every 5 minutes.
jan 02 08:19:24 feyenoord apf(23049): parsing block.txt into /etc/apf/ds_hosts.rules
jan 02 08:19:24 feyenoord apf(23049): downloading http://feeds.dshield.org/block.txt
jan 02 08:19:24 feyenoord apf(23049): activating firewall
jan 02 08:19:20 feyenoord apf(23022): status log not found, created

Any tips to get APF working?
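The status log above already shows the cause: the line "development mode enabled!; firewall will flush every 5 minutes." means APF's own cron job stops the firewall five minutes after every start, which is exactly the "flushing & zeroing chain policies" / "firewall offline" pair repeating at 08:20 and 08:25. The following is an added example, not part of the original post and not part of APF: it reads a status log in that format (newest line first, as pasted) and reports whether the firewall is up and whether development mode will take it down again. The two sample logs are constructed from the lines in the post, the function names are this example's own, and the variable name DEVM in the verdict is the one used by the 0.9.x conf.apf; check the comment block in your own conf.apf for the name your release uses.

```shell
#!/bin/sh
# Added example (not from the thread and not part of APF): read an APF status
# log, newest line first as in the paste above, and say why the firewall
# keeps dropping offline. Both logs below are constructed from the lines in
# the thread; function names are this example's own.

DEV_LOG=$(mktemp)
OK_LOG=$(mktemp)
trap 'rm -f "$DEV_LOG" "$OK_LOG"' EXIT

# Constructed: the pattern from the post, development mode still on.
cat >"$DEV_LOG" <<'EOF'
jan 02 08:25:03 feyenoord apf(23833): firewall offline
jan 02 08:25:01 feyenoord apf(23833): flushing & zeroing chain policies
jan 02 08:20:01 feyenoord apf(23617): firewall offline
jan 02 08:20:01 feyenoord apf(23617): flushing & zeroing chain policies
jan 02 08:19:25 feyenoord apf(23049): firewall initalized
jan 02 08:19:24 feyenoord apf(23099): development mode enabled!; firewall will flush every 5 minutes.
jan 02 08:19:24 feyenoord apf(23049): activating firewall
EOF

# Constructed: the same host after development mode was switched off.
cat >"$OK_LOG" <<'EOF'
jan 02 08:40:11 feyenoord apf(24102): firewall initalized
jan 02 08:40:10 feyenoord apf(24102): activating firewall
EOF

# apf_last_state LOGFILE -> prints online, offline or unknown.
# The newest line is first, so the first state message is the current one.
apf_last_state() {
    st=$(grep -E 'firewall (offline|initalized)' "$1" | head -n 1)
    case $st in
        *offline*)    echo offline ;;
        *initalized*) echo online ;;    # "initalized" is APF's own spelling
        *)            echo unknown ;;
    esac
}

# apf_devmode LOGFILE -> succeeds when the log shows development mode enabled.
apf_devmode() {
    grep -q 'development mode enabled' "$1"
}

# apf_flush_count LOGFILE -> how many 5-minute flushes the log records.
apf_flush_count() {
    grep -c 'flushing & zeroing chain policies' "$1" || true
}

# apf_diagnose LOGFILE -> prints a verdict; succeeds only when the firewall is
# online and nothing in the log says it will be flushed again.
apf_diagnose() {
    state=$(apf_last_state "$1")
    if apf_devmode "$1"; then
        printf 'firewall %s: development mode is on, the cron job flushes it every 5 minutes (%s flushes logged). Turn it off in /etc/apf/conf.apf (DEVM="0" on the 0.9.x releases) and restart APF.\n' \
            "$state" "$(apf_flush_count "$1")"
        return 1
    fi
    printf 'firewall %s, development mode off\n' "$state"
    [ "$state" = online ]
}

apf_diagnose "$DEV_LOG" || true
apf_diagnose "$OK_LOG" || true
```

Point apf_diagnose at your real status log after each restart; once development mode is off, the log should end with "firewall initalized" and no further "firewall offline" entries five minutes later.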
 
A funny thing happened to me today (APF Anti DOS problem)

I've been using the APF firewall for some time, and since the attacks on my server continued, I activated the Anti DOS feature in APF.

Problem is, the first user to get kicked was me :D Excellent!

I thought that removing the block for my IP would be easy, but after consulting all the documentation, I am not able to find out which file to edit. Furthermore, I am not even able to register on R-fx Networks' forum; I don't know why it's not sending me the automated registration email.

So I'm posting the question here - hope someone has the answer.

I've removed all entries from the file afp/ad/ad.rules, but it doesn't seem to make any difference. I've also gone through all other files, and I can't find my IP address anywhere. But I'm not able to connect to any of my server's websites either...
 