APF

From GoBlueMich Wiki

APF (Advanced Policy Firewall) is the front end that Liquid Web installs; it works together with iptables to provide firewall functions for a server. Its configuration files live in the /etc/apf/ folder.


apf is driven from the command line with the following flags:

 usage /usr/local/sbin/apf [OPTION]
 -s|--start ......................... load all firewall policies
 -r|--restart ....................... stop (flush) & reload firewall rules
 -f|--stop .......................... stop (flush) all firewall rules
 -l|--list .......................... list chain rules
 -t|--status ........................ firewall status
 -a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
                                    immediately load new rule into firewall
 -d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
                                    immediately load new rule into firewall
 -u|--unban HOST .................... remove host from [glob_]deny_hosts.rules
                                    and immediately remove rule from firewall
 -o|--ovars ......................... output all configuration options

For example, to deny an IP address from the command line: apf -d 209.59.139.21

APF Configuration files

/etc/apf/conf.apf

This is the main configuration file for apf. Typically the only changes made to this file are to open or close ports. apf treats every port as closed except the ones listed in this file, so a port is open only if it appears in the relevant *_CPORTS list.

 # Common ingress (inbound) UDP ports
 IG_UDP_CPORTS="20,21,53,6277"
 # Outbound
 # Common egress (outbound) TCP ports
 EG_TCP_CPORTS="21,25,80,443,43"
 # Common egress (outbound) UDP ports
 EG_UDP_CPORTS="20,21,53"

To open an additional port, add it to the appropriate line and restart apf with /etc/init.d/apf restart.
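A port request that arrives twice should not produce a duplicate entry in the list. The helper below is an added example (not code from this page or from the APF project): it appends a port to one of the *_CPORTS lists only when it is not already there. It assumes a conf.apf-style file with lines such as IG_TCP_CPORTS="..."; the sample file and the port 8443 are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of APF: open an extra port in conf.apf without
# creating duplicates.  Assumes a conf.apf-style file containing lines such as
# IG_TCP_CPORTS="20,21,22"; the sample file below is constructed for the demo.

# Print the current value of VAR="..." from FILE (first match only).
apf_get_ports() {            # usage: apf_get_ports FILE VAR
    sed -n "s/^$2=\"\(.*\)\"/\1/p" "$1" | head -n 1
}

# Append PORT to VAR's comma-separated list in FILE.
# Exit status: 0 = file changed, 1 = port already listed, 2 = not a valid port.
apf_add_port() {             # usage: apf_add_port FILE VAR PORT
    file=$1; var=$2; port=$3
    case $port in ''|*[!0-9]*) return 2;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    current=$(apf_get_ports "$file" "$var")
    case ",$current," in *",$port,"*) return 1;; esac
    if [ -z "$current" ]; then new=$port; else new="$current,$port"; fi
    # keep a backup copy; sed -i.bak works with both GNU and BSD sed
    sed -i.bak "s/^$var=\".*\"/$var=\"$new\"/" "$file"
}

# --- demo on a constructed file ---
demo=$(mktemp)
cat > "$demo" <<'EOF'
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,6277"
EOF
if apf_add_port "$demo" IG_TCP_CPORTS 8443; then
    echo "opened 8443, now: IG_TCP_CPORTS=$(apf_get_ports "$demo" IG_TCP_CPORTS)"
    echo "remember to run: /etc/init.d/apf restart"
fi
apf_add_port "$demo" IG_TCP_CPORTS 8443 || echo "second add skipped (rc=$?)"
rm -f "$demo" "$demo.bak"
```

The lists are comma-separated values inside double quotes, so matching ",PORT," against the current value is enough to detect an existing entry. The change only takes effect after /etc/init.d/apf restart, as above.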

If you have a question about which port is used for what, refer to either this wiki entry or this webpage.

/etc/apf/deny_hosts.rules

This is the file that contains all of the IPs that are specifically blocked from accessing the server. IPs can be added to this list either by hand, with the command apf -d x.x.x.x, or by services like BFD. BFD watches the server for brute-force attacks against FTP or SSH; if an IP has too many failed authentication attempts within a set amount of time it is added to the firewall as a denied host. Below are examples of what these BFD-added entries look like:

 # added 60.28.200.143 on 03/30/07 09:00:02 with comment: {bfd.pure-ftpd}
 60.28.200.143
 # added 209.67.114.42 on 03/30/07 09:00:08 with comment: {bfd.sshd}
 209.67.114.42

If you need to remove an IP from this list it can be removed in one of two ways.

  • apf -u 209.59.139.21
    • If you use this method, look at deny_hosts.rules first to see why the IP was blocked.
  • Edit deny_hosts.rules by hand, then restart apf.

/etc/apf/allow_hosts.rules

This is the file used to whitelist IPs. Adding an IP or range of IPs to this file whitelists it for the firewall. Be careful about which IPs are whitelisted: whitelisted IPs bypass all firewall rules, including the deny list.

There are two ways to go about whitelisting an IP

  • apf -a 209.59.139.21 will add the IP to allow_hosts.rules
  • Edit allow_hosts.rules directly, then restart apf.

Typically the two office subnets are listed in here: 209.59.139.0/24 and 69.16.222.0/23.

Examples of Possible Customer Requests

(Un)Block/Allow one IP (quick)

Unblock

apf -u $IP

Block

apf -d $IP By\ $YOURNAME\ per\ ticket\ $#

Allow

apf -a $IP By\ $YOURNAME\ per\ ticket\ $#

(Substitute your name and the ticket number. The backslash-escaped spaces keep the comment as a single argument; it ends up in the "# added ... with comment: {...}" line of the rules file.)

Block all access to port 25 and allow it only from 207.126.144.0 - 207.126.159.255 (207.126.144.0/20)

A good tool for working out the CIDR block that covers a range is the ipcalc website:

http://jodies.de/ipcalc

It is also free to download and install on your own CGI-enabled hosting account.

Lines to add to /etc/apf/deny_hosts.rules:

0.0.0.0:25

Lines to add to /etc/apf/allow_hosts.rules:

207.126.144.0/20:25

Translate deny list in .htaccess to APF block

grep -i "deny from" .htaccess | sed -e 's/^[[:space:]]*[Dd]eny from //' >> /root/blockthese.txt

Then see "Bulk Operations," below

Bulk Operations

Block IPs from a text file list that is in /root/blockthese.txt with this script:

#!/bin/bash
# Usage: ./apfbulk.sh filename   (one IP per line)
if [ $# -ne 1 ]; then
    echo "No source file specified.  Please use ./apfbulk.sh filename"
    echo "The file specified should contain a list of IPs, one per line."
    exit 1
fi

echo "Blocking IPs in text file: $1"
while read -r ip; do
    [ -n "$ip" ] || continue          # skip blank lines
    echo "  blocking: $ip..."
    apf -d "$ip"
    echo "    done!"
done < "$1"
echo
echo "Finished!"

Allow port access by IP

In /etc/apf/allow_hosts.rules:

d=port:s=[ip range]

So, for example:

d=1167:s=10.4.0.0/22

Block all WHM access except by 64.156.26.74

Delete the ,2086,2087 from IG_TCP_CPORTS in /etc/apf/conf.apf:

IG_TCP_CPORTS="20,21,22...2086,2087....7786"

Line to add to /etc/apf/allow_hosts.rules:

tcp:in:d=2086,2087:s=64.156.26.74

You will also want to add this type of rule for internal IPs on the blocked ports.


Change Strictness of Firewall

/usr/local/bfd

The strictness settings belong to BFD. Most of the files for such requests are found in this location, and from there it should be fairly self-explanatory.

https://wiki.int.liquidweb.com/articles/APF#BFD_Configuration_File_Locations

Removing the odd text entries added by BFD

This takes out every entry in deny_hosts.rules that is not a plain IP address. The pattern matches any non-comment line containing a letter, so it also catches FQDN entries (which apf -d accepts) and advanced tcp:in:... rules; review the matches before running it.

for ip in $(awk '!/#/ && /[a-zA-Z]/' /etc/apf/deny_hosts.rules); do apf -u "$ip"; /etc/init.d/apf restart; done

This can take forever if the firewall is restarted after every entry. If you run into a ton of entries and the deny list is huge, unban without restarting:

for ip in $(awk '!/#/ && /[a-zA-Z]/' /etc/apf/deny_hosts.rules); do apf -u "$ip"; done

and restart after:

service apf restart

APF gives odd error of ipt_state

root@server1 [/etc/apf]# apf -s
Unable to load iptables module (ipt_state), aborting.
root@server1 [/etc/apf]#

To fix this error, edit:

/etc/apf/internals/functions.apf

Replace these lines (96-97):

ml ipt_state 1
ml ipt_multiport 1 

with this:

ml xt_state
ml xt_multiport

Here's a sed to replace them:

sed -i.lwbak  -e 's/^ml ipt_state 1$/ml xt_state/g' -e 's/^ml ipt_multiport 1$/ml xt_multiport/g' /etc/apf/internals/functions.apf

SMTP Tweak

Add this line to the apf init script /etc/init.d/apf:

/scripts/smtpmailgidonly on

so it looks like this:

case "$1" in
  start)
        echo -n "Starting APF:"
        /usr/local/sbin/apf --start
        /scripts/smtpmailgidonly on
        echo_success
        echo
        ;;

APF Installation

Yum Installation

Dedicated Servers

There are a few types of Dedicated servers

Managed Dedicated

lp-apf is an old package; on CentOS 6 install plain 'apf' instead (yum install apf). lpyum is not used on CentOS 6.

On CentOS 5 and earlier:

lpyum -y install lp-apf

or

/usr/bin/yum -c /usr/local/lp/configs/yum/yum.stable.conf -y install lp-apf

core managed / XEN

Note: lpyum is not used on CentOS 6.

lpyum search apf
lpyum -y install apf.noarch

Make sure to set in conf.apf:

DEVEL_MODE="0"

or the firewall will turn itself off (in development mode a cron job flushes the rules every five minutes) and be useless.

VPS Servers

Do not use our RPM for VPS servers; use the pre-configured package instead:

cd /home/temp; wget layer3.liquidweb.com/vps/linux/install/apf-lw.tar.gz
tar -zxf apf-lw.tar.gz; cd apf-lw
chmod +x install.sh
./install.sh
chkconfig --add apf
chkconfig --level 345 apf on

Manual Installation

This install is completely manual: you will need to do everything from scratch, e.g. edit and set configuration options and ports.

URLS:

http://www.rfxn.com/projects/advanced-policy-firewall

http://www.rfxn.com/downloads/apf-current.tar.gz

cd /home/temp/; wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar zxvf apf-current.tar.gz && cd apf-*
./install.sh

Then edit conf.apf: set DEVEL_MODE="0", set the port lists, and so on.

APF Removal

In case you don't want apf anymore:

If it was installed from Yum:

rpm -qa | grep apf
# CentOS 5 and earlier:
lpyum remove lp-apf
lpyum remove apf
# CentOS 6:
yum remove apf

If it was installed from source:

/etc/init.d/iptables stop
rm -Rfv /etc/apf
rm -fv /etc/cron.daily/fw
chkconfig apf off
rm -fv /etc/init.d/apf


APF errors

Unable to load iptables module (ipt_state), aborting

http://www.scriptinstallation.in/apf_ipt_state.html

Trying to start apf from command line shows this error:

 [root@host2.aceygaspard.com] netfilter >> apf -s
 Unable to load iptables module (ipt_state), aborting.
 [root@host2.aceygaspard.com] netfilter >> 

The problem is that the ipt_state module no longer exists; it has been renamed to xt_state.

On my server, the module is available at "/lib/modules/2.x.x.x/kernel/net/netfilter"

The error can be fixed by editing /etc/apf/internals/functions.apf

 # vi /etc/apf/internals/functions.apf

FIND

 ml ipt_state 1 
 ml ipt_multiport 1

REPLACE WITH

 ml xt_state
 ml xt_multiport

Now restart apf with service apf restart and the firewall will work.


Deprecated config file /etc/modprobe.conf

If you get:

[root@host ~]# service apf start
Starting APF:WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.

the deprecated /etc/modprobe.conf is still present alongside /etc/modprobe.d/. Check that the two files are identical, so nothing is lost:

/etc/modprobe.conf
/etc/modprobe.d/modprobe.conf

Then move /etc/modprobe.conf to /etc/modprobe.conf.rpmsave and try restarting.

BFD Install

Until it has its own page, for the VPS:

wget http://layer3.liquidweb.com/vps/linux/install/bfd-current.tar.gz

Untar, cd into it, and run:

# sh install.sh


BFD Log File Location

APF uses BFD, not LFD like CSF does:

/var/log/bfd_log

BFD Configuration File Locations

You will find most of the important files in this location:

/usr/local/bfd