├── .ca.def ├── CHANGELOG ├── CHANGELOG.RELEASE ├── COPYING.GPL ├── README ├── apf.init ├── cron.daily ├── files ├── VERSION ├── allow_hosts.rules ├── apf ├── bt.rules ├── conf.apf ├── deny_hosts.rules ├── ds_hosts.rules ├── ecnshame_hosts.rules ├── extras │ ├── get_ports │ └── importconf ├── firewall ├── glob_allow.rules ├── glob_deny.rules ├── internals │ ├── cports.common │ ├── functions.apf │ ├── icmp.types │ ├── internals.conf │ ├── multicast.networks │ ├── private.networks │ ├── rab.ports │ └── reserved.networks ├── log.rules ├── main.rules ├── postroute.rules ├── preroute.rules ├── sdrop_hosts.rules ├── sysctl.rules └── vnet │ ├── main.vnet │ ├── vnetgen │ └── vnetgen.def ├── importconf ├── install.sh └── logrotate.d.apf /.ca.def: -------------------------------------------------------------------------------- 1 | cat > .conf.apf < 7 | # (C) 2019, Ryan MacDonald 8 | # This program may be freely redistributed under the terms of the GNU GPL v2 9 | ## 10 | # NOTE: This file should be edited with word/line wrapping off, 11 | # if your using pico/nano please start use the -w switch 12 | # (e.g: nano -w filename) 13 | 14 | ## 15 | # [Main] 16 | ## 17 | # !!! Do not leave set to (1) !!! 18 | # When set to enabled; 5 minute cronjob is set to stop the firewall. Set 19 | # this off (0) when firewall is determined to be operating as desired. 20 | DEVEL_MODE="1" 21 | 22 | # The installation path of APF; this can be changed but it is not recommended. 23 | INSTALL_PATH="$INSTALL_PATH" 24 | 25 | # Untrusted Network interface; all traffic on defined interface will be 26 | # subject to all firewall rules. This should be your internet exposed 27 | # interface. 28 | IFACE_UNTRUSTED="$IFACE_UNTRUSTED" 29 | 30 | # Trusted Network interface(s); all traffic on defined interface(s) will by-pass 31 | # ALL firewall rules, format is white space or comma separated list. 
32 | IFACE_TRUSTED="$IFACE_TRUSTED" 33 | 34 | # This option enables IPv6 support for APF and loads all appropriate IPv6 kernel 35 | # modules. This feature depends on IPv6 support being enabled in your networking 36 | # configuration and that the modules are explicitly available. Please ensure that 37 | # you do not have IPv6 disabled via modprobe.conf/.d or in sysconfig files. 38 | # Note: The VNET (virtual network) feature does not currently support IPv6. 39 | USE_IPV6="$USE_IPV6" 40 | 41 | # This option will allow for all status events to be displayed in real time on 42 | # the console as you use the firewall. Typically, APF used to operate silent 43 | # with all logging piped to \$LOG_APF. The use of this option will not disable 44 | # the standard log file displayed by apf --status but rather compliment it. 45 | SET_VERBOSE="$SET_VERBOSE" 46 | 47 | # The fast load feature makes use of the iptables-save/restore facilities to do 48 | # a snapshot save of the current firewall rules on an APF stop then when APF is 49 | # instructed to start again it will restore the snapshot. This feature allows 50 | # APF to load hundreds of rules back into the firewall without the need to 51 | # regenerate every firewall entry. 52 | # Note: a) if system uptime is below 5 minutes, the snapshot is expired 53 | # b) if snapshot age exceeds 12 hours, the snapshot is expired 54 | # c) if conf or a .rule has changed since last load, snapshot is expired 55 | # d) if it is your first run of APF since install, snapshot is generated 56 | # - an expired snapshot means APF will do a full start rule-by-rule 57 | SET_FASTLOAD="$SET_FASTLOAD" 58 | 59 | # Virtual Network Sub-System (VNET) creates independent policy rule set for 60 | # each IP on a system to /etc/apf/vnet/IP.rules. These rule files can be 61 | # configured with conf.apf variables for unique but convenient firewall 62 | # policies or custom iptables entries for even greater flexibility. 
63 | SET_VNET="$SET_VNET" 64 | 65 | # This feature firewalls any additional interfaces on the server as untrusted 66 | # through the VNET sub-system. Excluded are interfaces that have already been 67 | # defined by IFACE_* variables. This feature is ideal for systems running 68 | # private interfaces where not all hosts on the private network are trusted or 69 | # are otherwise exposed to "open" networks through this private interface 70 | # (i.e: the Internet, network accessible storage LAN, corporate WAN, etc..) 71 | SET_ADDIFACE="$SET_ADDIFACE" 72 | 73 | # This allows the firewall to work around modular kernel issues by assuming 74 | # that the system has all required firewall modules compiled directly into 75 | # the kernel. This mode of operation is not generally recommended but can be used 76 | # to scale APF to unique situations. 77 | SET_MONOKERN="$SET_MONOKERN" 78 | 79 | # The expiry interval, in seconds, that bans will be expired out of the trust 80 | # system. This only applies to local bans from deny_hosts.rules and not global 81 | # import rules. The value must not be less than equiv. seconds of SET_REFRESH. 82 | # [value in seconds, 0 to disable, recommended 600] 83 | SET_EXPIRE="$SET_EXPIRE" 84 | 85 | # This controls how often, if at all, we want the trust system to refresh rules. 86 | # The firewall will flush & reload all static rules, redownload global rules and 87 | # re-resolve any dns names in the rules. This is ideal when using dynamic dns 88 | # names or downloadable global trust rules. [value in minutes, 0 to disable] 89 | SET_REFRESH="$SET_REFRESH" 90 | 91 | # The refreshing of large allow/deny trust files can be resource intensive, this 92 | # feature checks for changes to trust files between refreshes and only performs 93 | # a refresh if contents have changed. If you are using dynamic DNS names in trust 94 | # rules, which require regular DNS refreshes, you should keep this disabled. 
95 | # [value in minutes, 0 to disable] 96 | SET_REFRESH_MD5="$SET_REFRESH_MD5" 97 | 98 | # This is the total amount of rules allowed inside of the deny trust system. 99 | # When this limit is reached, the deny rule files will begin to purge older 100 | # entries to maintain the set limit. [value is max lines, 0 for unlimited] 101 | SET_TRIM="250" 102 | 103 | # Verifies that the IFACE_* and IFACE_TRUSTED interfaces are actually routed 104 | # to something. If configured interfaces are found with no routes setup then 105 | # APF will exit with an error to prevent further issues (such as being locked 106 | # out of the system). 107 | VF_ROUTE="$VF_ROUTE" 108 | 109 | # Verifies that all inbound traffic is sourced from a defined local gateway MAC 110 | # address. All other traffic that does not match this MAC address will be 111 | # rejected as untrusted traffic. It is quite easy to forge a MAC address and as 112 | # such this feature executes NO default accept policy. Leave this option empty 113 | # to disable or enter a 48-bit MAC address to enable. 114 | VF_LGATE="$VF_LGATE" 115 | 116 | ## 117 | # [Reactive Address Blocking] 118 | ## 119 | # The use of RAB is such that it allows the firewall to track an address as it 120 | # traverses the firewall rules and subsequently associate that address across 121 | # any number of violations. This allows the firewall to react to critical 122 | # policy violations by blocking addresses temporarily on the assumed precaution 123 | # that we are protecting the host from what the address may do on the pretext 124 | # of what the address has already done. The interface that allows RAB to work 125 | # resides inside the kernel and makes use of the iptables 'ipt_recent' module, 126 | # so there is no external programs causing any additional load. 
127 | RAB="$RAB" 128 | 129 | # This enables RAB for sanity violations, which is when an address breaks a 130 | # strict conformity standard such as trying to spoof an address or modify 131 | # packet flags. It is strongly recommended that this option NOT be disabled. 132 | RAB_SANITY="$RAB_SANITY" 133 | 134 | # This enables RAB for port scan violations, which is when an address attempts 135 | # to connect to a port that has been classified as malicious. These types of 136 | # ports are those which are not commonly used in today's Internet but are 137 | # the subject of scrutiny by attackers, such as ports 1,7,9,11. Each security 138 | # level defines the amount of ports that RAB will react against. The port 139 | # security groups can be customized in 'internals/rab.ports'. 140 | # 0 = disabled | 1 = low security | 2 = medium security | 3 = high security 141 | RAB_PSCAN_LEVEL="$RAB_PSCAN_LEVEL" 142 | 143 | # This controls the amount of violation hits an address must have before it 144 | # is blocked. It is a good idea to keep this very low to prevent evasive 145 | # measures. The default is 0 or 1, meaning instant block on first violation. 146 | RAB_HITCOUNT="$RAB_HITCOUNT" 147 | 148 | # This is the amount of time (in seconds) that an address gets blocked for if 149 | # a violation is triggered, the default is 300s (5 minutes). 150 | RAB_TIMER="$RAB_TIMER" 151 | 152 | # This allows RAB to 'trip' the block timer back to 0 seconds if an address 153 | # attempts ANY subsequent communication while still on the initial block period. 154 | RAB_TRIP="$RAB_TRIP" 155 | 156 | # This controls if the firewall should log all violation hits from an address. 157 | # The use of LOG_DROP variable set to 1 will override this to force logging. 158 | RAB_LOG_HIT="$RAB_LOG_HIT" 159 | 160 | # This controls if the firewall should log all subsequent traffic from an address 161 | # that is already blocked for a violation hit, this can generate a lot of logs. 
162 | # The use of LOG_DROP variable set to 1 will override this to force logging. 163 | RAB_LOG_TRIP="$RAB_LOG_TRIP" 164 | 165 | ## 166 | # [Packet Filtering/Handling] 167 | ## 168 | # How to handle TCP packet filtering? 169 | # 170 | # RESET (sends a tcp-reset; TCP/IP default) 171 | # DROP (drop the packet; stealth ?) 172 | # REJECT (reject the packet) 173 | TCP_STOP="$TCP_STOP" 174 | 175 | # How to handle UDP packet filtering? 176 | # 177 | # RESET (sends a icmp-port-unreachable; TCP/IP default) 178 | # DROP (drop the packet; stealth ?) 179 | # REJECT (reject the packet) 180 | # PROHIBIT (send an icmp-host-prohibited) 181 | UDP_STOP="$UDP_STOP" 182 | 183 | # How to handle all other packet filtering? 184 | # 185 | # DROP (drop the packet) 186 | # REJECT (reject the packet) 187 | ALL_STOP="$ALL_STOP" 188 | 189 | # The sanity options control the way packets are scrutinized as they flow 190 | # through the firewall. The main PKT_SANITY option is a top level toggle for 191 | # all SANITY options and provides general packet flag sanity as a pre-scrub 192 | # for the other sanity options. In short, this makes sure that all packets 193 | # coming and going conform to strict TCP/IP standards. In doing so we make it 194 | # very difficult for attackers to inject raw/custom packets into the server. 195 | PKT_SANITY="$PKT_SANITY" 196 | 197 | # Block any packets that do not conform as VALID, this feature is safe for most 198 | # but some may experience protocol issues with broken remote clients. This is 199 | # very similar to PKT_SANITY but has a wider scope and as such has the ability 200 | # to affect many application protocols in undesirable ways. 201 | PKT_SANITY_INV="$PKT_SANITY_INV" 202 | 203 | # Block any fragmented UDP packets, this is safe as no UDP packets should 204 | # ever be fragmented. 
205 | PKT_SANITY_FUDP="$PKT_SANITY_FUDP" 206 | 207 | # Block packets with a source or destination of port 0, this is safe as 208 | # nothing should ever communicate on port 0 (technically does not exist). 209 | PKT_SANITY_PZERO="$PKT_SANITY_PZERO" 210 | 211 | # The implementation of Type of Service (TOS) in APF is such that it allows 212 | # you to classify service priorities by port. These priorities are broken down 213 | # into 5 groups and they are: 214 | # 0 = No Change 215 | # 2 = Minimize-Cost 216 | # 4 = Minimize Delay - Maximize Reliability 217 | # 8 = Maximum Throughput - Minimum Delay 218 | # 16 = No Delay - Moderate Throughput - High Reliability 219 | # 220 | # Set the default TOS value [0,2,4,8,16] 221 | TOS_DEF="$TOS_DEF" 222 | 223 | # Set the default TOS port range 224 | TOS_DEF_RANGE="512:65535" 225 | 226 | # 0: Ports for Normal-Service 227 | TOS_0="$TOS_0" 228 | 229 | # 2: Ports for Minimize-Cost 230 | TOS_2="$TOS_2" 231 | 232 | # 4: Ports for Minimize Delay - Maximize Reliability 233 | TOS_4="$TOS_4" 234 | 235 | # 8: Ports for Maximum Throughput - Minimum Delay 236 | TOS_8="$TOS_8" 237 | 238 | # 16: Ports for No Delay - Moderate Throughput - High Reliability 239 | TOS_16="$TOS_16" 240 | 241 | # Allow traceroute requests on the defined range of ports. This feature 242 | # is not required for normal operations and some even prefer it disabled. 243 | # Enable Traceroute # Traceroute ports 244 | TCR_PASS="$TCR_PASS" TCR_PORTS="33434:33534" 245 | 246 | # Set a reasonable packet/time ratio for ICMP packets, exceeding this flow 247 | # will result in dropped ICMP packets. Supported values are in the form of: 248 | # pkt/s (packets/seconds), pkt/m (packets/minutes) 249 | # Set value to 0 for unlimited, anything above is enabled. 250 | ICMP_LIM="$ICMP_LIM" 251 | 252 | # Creates firewall rules based on the local name servers as defined in the 253 | # /etc/resolv.conf file. This is the preferred secure method for client side 254 | # name server requests. 
This option has no bearing on a locally hosted DNS 255 | # service. 256 | RESV_DNS="$RESV_DNS" 257 | 258 | # When RESV_DNS is enabled, all the untrusted name server traffic can fill the 259 | # logs with client DNS traffic. This can be suppressed with an implicit drop 260 | # of all such traffic (sport 53 inbound) as so to avoid log chains. If you run 261 | # applications that have unique name servers configured, this may break them. 262 | RESV_DNS_DROP="$RESV_DNS_DROP" 263 | 264 | # A common set of known Peer-To-Peer (p2p) protocol ports that are often 265 | # considered undesirable traffic on public Internet servers. These ports 266 | # are also often abused on web hosting servers where clients upload p2p 267 | # client agents for the purpose of distributing or downloading pirated media. 268 | # Format is comma separated for single ports and an underscore separator for 269 | # ranges (4660_4678). 270 | BLK_P2P_PORTS="$BLK_P2P_PORTS" 271 | 272 | # These are common Internet service ports that are understood in the wild 273 | # services you would not want logged under normal circumstances. All ports 274 | # that are defined here will be implicitly dropped with no logging for 275 | # TCP/UDP traffic inbound or outbound. Format is comma separated for single 276 | # ports and an underscore separator for ranges (135_139). 277 | BLK_PORTS="$BLK_PORTS" 278 | 279 | # You need multicasting if you intend to participate in the MBONE, a high 280 | # bandwidth network on top of the Internet which carries audio and video 281 | # broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/, this is generally 282 | # safe to enable. 283 | BLK_MCATNET="$BLK_MCATNET" 284 | 285 | # Block all private ipv4 addresses, this is address space reserved for private 286 | # networks or otherwise unroutable on the Internet. If this host resides behind 287 | # a router with NAT or routing scheme that otherwise uses private addressing, 288 | # leave this option OFF. 
Refer to the 'internals/private.networks' file for 289 | # listing of private address space. 290 | BLK_PRVNET="$BLK_PRVNET" 291 | 292 | # Block all ipv4 address space marked reserved for future use (unassigned), 293 | # such networks have no business talking on the Internet. However they may at 294 | # some point become live address space. The USE_RD option further in this file 295 | # allows for dynamic updating of this list on every full restart of APF. Refer 296 | # to the 'internals/reserved.networks' file for listing of address space. 297 | BLK_RESNET="$BLK_RESNET" 298 | 299 | # Block all ident (tcp 113) requests in and out of the server IF the port is 300 | # not already opened in *_TCP_CPORTS. This uses a REJECT target to make sure 301 | # the ident requests terminate quickly. You can see an increase in irc and 302 | # other connection performance with this feature. 303 | BLK_IDENT="$BLK_IDENT" 304 | 305 | # Three related flaws were found in the Linux kernel’s handling of TCP Selective 306 | # Acknowledgement (SACK) packets handling with low MSS size. The extent of impact 307 | # is understood to be limited to denial of service at this time. 308 | # 309 | # ref: https://access.redhat.com/security/vulnerabilities/tcpsack 310 | # CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 311 | # 312 | # This may affect traffic from legitimate sources that require the lower MSS values 313 | # to transmit correctly. 314 | # 315 | # The recommended safe path is to disable TCP SACK with SYSCTL_TCP_NOSACK=1 316 | # This can be safely ignored if you are running on a modern patched kernel newer 317 | # than June 16th 2019. 318 | BLK_TCP_SACK_PANIC="$BLK_TCP_SACK_PANIC" 319 | 320 | # This is the maximum number of "sessions" (connection tracking entries) that 321 | # can be handled simultaneously by the firewall in kernel memory. 
Increasing 322 | # this value too high will simply waste memory - setting it too low may result 323 | # in some or all connections being refused, in particular during denial of 324 | # service attacks. 325 | SYSCTL_CONNTRACK="$SYSCTL_CONNTRACK" 326 | 327 | # These are system control (sysctl) option changes to disable TCP features 328 | # that can be abused in addition to tweaking other TCP features for increased 329 | # performance and reliability. 330 | SYSCTL_TCP="$SYSCTL_TCP" 331 | 332 | # Three related flaws were found in the Linux kernel’s handling of TCP Selective 333 | # Acknowledgement (SACK) packets handling with low MSS size. The extent of impact 334 | # is understood to be limited to denial of service at this time. 335 | # 336 | # ref: https://access.redhat.com/security/vulnerabilities/tcpsack 337 | # CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 338 | # 339 | # This can be safely ignored if you are running on a modern patched kernel newer 340 | # than June 16th 2019. 341 | SYSCTL_TCP_NOSACK="$SYSCTL_TCP_NOSACK" 342 | 343 | # These are system control (sysctl) option changes intended to help mitigate 344 | # syn-flood attacks by lowering syn retry, syn backlog & syn time-out values. 345 | SYSCTL_SYN="$SYSCTL_SYN" 346 | 347 | # These are system control (sysctl) option changes to provide protection from 348 | # spoofed packets and ip/arp/route redirection. If you are performing advanced 349 | # routing policies on this host such as NAT/MASQ you should disable this. 350 | SYSCTL_ROUTE="0" 351 | 352 | # This system control (sysctl) option will log all network traffic that is 353 | # from impossible source addresses. This option can discover attacks or issues 354 | # on your network you may otherwise not be aware of. 355 | SYSCTL_LOGMARTIANS="$SYSCTL_LOGMARTIANS" 356 | 357 | # This system control (sysctl) option will allow you to control ECN support 358 | # (Explicit Congestion Notification). 
This feature provides an improved method 359 | # for congestion avoidance by allowing the network to mark packets for 360 | # transmission later, rather than dropping them from the queue. Please also 361 | # see the related USE_ECNSHAME option further down in this file. 362 | SYSCTL_ECN="$SYSCTL_ECN" 363 | 364 | # This system control (sysctl) option will allow you to make use of SynCookies 365 | # support. This feature will send out a 'syn-cookie' when the syn backlog for a 366 | # socket becomes overflowed. The cookie is used to interrupt the flow of syn 367 | # transmissions with a hashed sequence number that must be correlated with the 368 | # sending host. The hash is made up of the sending host address, packet flags 369 | # etc..; if the sending host does not validate against the hash then the tcp 370 | # hand-shake is terminated. In short, this helps to mitigate syn-flood attacks. 371 | # Note: syncookies seriously violate the TCP protocol and can result in serious 372 | # degradation of some services (i.e. SMTP); visible not by you, but by your 373 | # clients and relays who are contacting your system. 374 | SYSCTL_SYNCOOKIES="$SYSCTL_SYNCOOKIES" 375 | 376 | # This system control (sysctl) option allows for the use of Abort_On_Overflow 377 | # support. This feature will help mitigate burst floods if a listening service 378 | # is too slow to accept new connections. This option is an alternative for 379 | # SynCookies and both should NEVER be enabled at once. 380 | # Note: This option can harm clients contacting your system. Enable option only 381 | # if you are sure that the listening daemon can not be tuned to accept 382 | # connections faster. 383 | SYSCTL_OVERFLOW="$SYSCTL_OVERFLOW" 384 | 385 | # The helper chains are designed to assist applications in working with the 386 | # stateful firewall in a more reliable fashion. You should keep these settings 387 | # current with the ports SSH and FTP are operating on. 
Please DO NOT CONFUSE 388 | # these settings with opening the SSH/FTP port as they have no bearing on 389 | # actually connecting to the services. They are only for helping maintain your 390 | # connection to the services [ESTABLISHED,RELATED connection states, not NEW]. 391 | HELPER_SSH="$HELPER_SSH" 392 | HELPER_SSH_PORT="$HELPER_SSH_PORT" 393 | 394 | HELPER_FTP="$HELPER_FTP" 395 | HELPER_FTP_PORT="$HELPER_FTP_PORT" 396 | HELPER_FTP_DATA="$HELPER_FTP_DATA" 397 | 398 | # Configure inbound (ingress) accepted services. This is an optional 399 | # feature; services and customized entries may be made directly to an ip's 400 | # virtual net file located in the vnet/ directory. Format is comma separated 401 | # and underscore separator for ranges. 402 | # 403 | # Example: 404 | # IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000" 405 | # IG_UDP_CPORTS="20,21,53,123" 406 | # IG_ICMP_TYPES="3,5,11,0,30,8" 407 | 408 | # Common inbound (ingress) TCP ports 409 | IG_TCP_CPORTS="$IG_TCP_CPORTS" 410 | 411 | # Common inbound (ingress) UDP ports 412 | IG_UDP_CPORTS="$IG_UDP_CPORTS" 413 | 414 | # Common ICMP inbound (ingress) types 415 | # 'internals/icmp.types' for type definition; 'all' is wildcard for any 416 | IG_ICMP_TYPES="$IG_ICMP_TYPES" 417 | 418 | # Configure outbound (egress) accepted services. This is an optional 419 | # feature; services and customized entries may be made directly to an ip's 420 | # virtual net file located in the vnet/ directory. 421 | # 422 | # Outbound (egress) filtering is not required but makes your firewall setup 423 | # complete by providing full inbound and outbound packet filtering. You can 424 | # toggle outbound filtering on or off with the EGF variable. Format is comma 425 | # separated and underscore separator for ranges. 
426 | # 427 | # Example: 428 | # EG_TCP_CPORTS="21,25,80,443,43" 429 | # EG_UDP_CPORTS="20,21,53" 430 | # EG_ICMP_TYPES="all" 431 | 432 | # Outbound (egress) filtering 433 | EGF="$EGF" 434 | 435 | # Common outbound (egress) TCP ports 436 | EG_TCP_CPORTS="$EG_TCP_CPORTS" 437 | 438 | # Common outbound (egress) UDP ports 439 | EG_UDP_CPORTS="$EG_UDP_CPORTS" 440 | 441 | # Common ICMP outbound (egress) types 442 | # 'internals/icmp.types' for type definition; 'all' is wildcard for any 443 | EG_ICMP_TYPES="$EG_ICMP_TYPES" 444 | 445 | # Configure user-id specific outbound (egress) port access. This is a more 446 | # granular feature to limit the scope of outbound packet flows with user-id 447 | # conditioning. Format is comma separated and underscore separator for ranges. 448 | # This is NOT A FILTERING FEATURE, this is an ACCESS CONTROL feature. That 449 | # means EG_TCP_UID and EG_UDP_UID are intended to ALLOW outbound access for 450 | # specified users, not DENY. 451 | # 452 | # Format: EG_[TCP|UDP]_UID="uid:port" 453 | # Example: 454 | # Allow outbound access to destination port 22 for uid 0 455 | # EG_TCP_UID="0:22" 456 | 457 | # UID-Match outbound (egress) TCP ports 458 | EG_TCP_UID="$EG_TCP_UID" 459 | 460 | # UID-Match outbound (egress) UDP ports 461 | EG_UDP_UID="$EG_UDP_UID" 462 | 463 | # Configure executable specific outbound (egress) filtering. This is a more 464 | # granular feature to limit the scope of outbound packet flows with executable 465 | # conditioning. The packet filtering is based on the CMD process field being 466 | # passed along to iptables. All logged events for these rules will also include 467 | # the executable CMD name in the log chain. This is A FILTERING FEATURE, not an 468 | # ACCESS CONTROL feature. That means EG_DROP_CMD is intended to DENY outbound 469 | # access for specified programs, not ALLOW. 
470 | # 471 | # Format is comma separated list of executable names you wish to ban from being 472 | # able to transmit data out of your server. 473 | 474 | # CMD-Match outbound (egress) denied applications 475 | EG_DROP_CMD="$EG_DROP_CMD" 476 | 477 | ## 478 | # [Remote Rule Imports] 479 | ## 480 | # Project Honey Pot is the first and only distributed system for identifying 481 | # spammers and the spambots they use to scrape addresses from your website. 482 | # This aggregate list combines Harvesters, Spammers and SMTP Dictionary attacks 483 | # from the PHP IP Data at: http://www.projecthoneypot.org/list_of_ips.php 484 | DLIST_PHP="$DLIST_PHP" 485 | DLIST_PHP_URL="http://rfxn.com/downloads/php_list" 486 | 487 | # The Spamhaus Don't Route Or Peer List (DROP) is an advisory "drop all 488 | # traffic" list, consisting of stolen 'zombie' netblocks and netblocks 489 | # controlled entirely by professional spammers. For more information please 490 | # see http://www.spamhaus.org/drop/. 491 | DLIST_SPAMHAUS="$DLIST_SPAMHAUS" 492 | DLIST_SPAMHAUS_URL="http://www.spamhaus.org/drop/drop.lasso" 493 | 494 | # DShield collects data about malicious activity from across the Internet. 495 | # This data is cataloged, summarized and can be used to discover trends in 496 | # activity, confirm widespread attacks, or assist in preparing better firewall 497 | # rules. This is a list of top networks that have exhibited suspicious activity. 498 | DLIST_DSHIELD="$DLIST_DSHIELD" 499 | DLIST_DSHIELD_URL="http://feeds.dshield.org/top10-2.txt" 500 | 501 | # The reserved networks list is addresses which ARIN has marked as reserved 502 | # for future assignment and have no business as valid traffic on the internet. 
503 | # Such addresses are often used as spoofed (Fake) hosts during attacks, this 504 | # will update the reserved networks list in order to prevent new ip assignments 505 | # on the internet from getting blocked; this option is only important when 506 | # BLK_RESNET is set to enabled. 507 | DLIST_RESERVED="1" 508 | DLIST_RESERVED_URL="http://rfxn.com/downloads/reserved.networks" 509 | 510 | # ECN is an extension which helps reduce congestion. Unfortunately some 511 | # clueless software/hardware vendors have setup their sites or implemented 512 | # TCP/IP in a very broken manner. If you try to talk to these sites with ECN 513 | # turned on, they will drop all packets from you. This feature uses the ECN 514 | # hall of shame list to turn off ECN in packets to these hosts so your traffic 515 | # is accepted as intended. This option is dependent on setting SYSCTL_ECN="1" 516 | # otherwise it stays disabled. 517 | DLIST_ECNSHAME="$DLIST_ECNSHAME" 518 | DLIST_ECNSHAME_URL="http://rfxn.com/downloads/ecnshame.lst" 519 | 520 | ## 521 | # Global Trust 522 | ## 523 | # This is an implementation of the trust rules (allow/deny_hosts) but 524 | # on a global perspective. You can define below remote addresses from 525 | # which the glob_allow/deny.rules files should be downloaded from on 526 | # a daily basis. The files can be maintained in a static fashion by 527 | # leaving USE_RGT=0, ideal for a host serving the files. 528 | USE_RGT="$USE_RGT" 529 | 530 | GA_URL="$GA_URL" 531 | GD_URL="$GD_URL" 532 | 533 | ## 534 | # [Logging and control settings] 535 | ## 536 | # Log all traffic that is filtered by the firewall 537 | LOG_DROP="$LOG_DROP" 538 | 539 | # What log level should we send all log data too? 540 | # refer to man syslog.conf for levels 541 | LOG_LEVEL="$LOG_LEVEL" 542 | 543 | # Where should we send all the logging data? 
544 | # ULOG (Allow ulogd to handle the logging) 545 | # LOG (Default; sends logging to kernel log) 546 | LOG_TARGET="$LOG_TARGET" 547 | 548 | # Log interactive access over telnet & ssh; uses 549 | # custom log prefix of ** SSH ** & ** TELNET ** 550 | LOG_IA="$LOG_IA" 551 | 552 | # Log all foreign gateway traffic 553 | LOG_LGATE="$LOG_LGATE" 554 | 555 | # Extended logging information; this forces the output of tcp options and 556 | # ip options for packets passing through the log chains 557 | LOG_EXT="$LOG_EXT" 558 | 559 | # Max firewall events to log per/minute. Log events exceeding these limits 560 | # will be lost (1440 minutes/day * 30 events/minute = 43200 events per/day) 561 | LOG_RATE="$LOG_RATE" 562 | 563 | # Location of the apf status log; all startup, shutdown and runtime status 564 | # sends outputs to this file 565 | LOG_APF="$LOG_APF" 566 | 567 | # Adds -w flag to iptables to enable locking support. This is only available 568 | # on iptables >= 1.4.20, but if supported you probably want this. 569 | IPT_LOCK_SUPPORT="$IPT_LOCK_SUPPORT" 570 | IPT_LOCK_TIMEOUT="$IPT_LOCK_TIMEOUT" 571 | 572 | ## 573 | # [Import misc. conf] 574 | ## 575 | # Internal variable file 576 | CNFINT="\$INSTALL_PATH/internals/internals.conf" 577 | . 
\$CNFINT 578 | EOF 579 | -------------------------------------------------------------------------------- /CHANGELOG.RELEASE: -------------------------------------------------------------------------------- 1 | - 1.7.6-2 | Nov 18 2020: 2 | [New] add iptables locking support with iptables >= 1.4.20; pr #36 3 | IPT_LOCK_SUPPORT 4 | IPT_LOCK_TIMEOUT 5 | [Fix] typos 6 | 7 | - 1.7.6-1 | Jun 18 2019: 8 | [New] add mitigation options for TCP SACK Panic vulnerability 9 | SYSCTL_TCP_NOSACK and BLK_TCP_SACK_PANIC added to conf.apf 10 | https://access.redhat.com/security/vulnerabilities/tcpsack 11 | [Change] updated autoconf template 12 | [Change] ignore value of BLK_TCP_SACK_PANIC when SYSCTL_TCP_NOSACK is set 13 | [Change] make init script LSB compliant for use with systemd; pr #26 14 | [Fix] README typos; pr #28 15 | [Fix] flush ip6tables rules on stop/flush if USE_IPV6 enabled; pr #28 16 | [Fix] only the first nameserver in resolv.conf would be whitelisted when 17 | RESV_DNS_DROP is set enabled; issue #25 18 | [Fix] change ipv4.ip_local_port_range to not emmit errors ref: 19 | Marco Padovan 20 | https://access.redhat.com/solutions/2887631 21 | https://www.spinics.net/lists/netdev/msg330895.html 22 | -------------------------------------------------------------------------------- /COPYING.GPL: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. 5 | 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. 
This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Library General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 
49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. 
You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 
113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. 
You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 
165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. 
If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. 
If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 
292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License 307 | along with this program; if not, write to the Free Software 308 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 309 | 310 | 311 | Also add information on how to contact you by electronic and paper mail. 312 | 313 | If the program is interactive, make it output a short notice like this 314 | when it starts in an interactive mode: 315 | 316 | Gnomovision version 69, Copyright (C) year name of author 317 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 318 | This is free software, and you are welcome to redistribute it 319 | under certain conditions; type `show c' for details. 320 | 321 | The hypothetical commands `show w' and `show c' should show the appropriate 322 | parts of the General Public License. Of course, the commands you use may 323 | be called something other than `show w' and `show c'; they could even be 324 | mouse-clicks or menu items--whatever suits your program. 325 | 326 | You should also get your employer (if you work as a programmer) or your 327 | school, if any, to sign a "copyright disclaimer" for the program, if 328 | necessary. Here is a sample; alter the names: 329 | 330 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 331 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 
332 | 333 | , 1 April 1989 334 | Ty Coon, President of Vice 335 | 336 | This General Public License does not permit incorporating your program into 337 | proprietary programs. If your program is a subroutine library, you may 338 | consider it more useful to permit linking proprietary applications with the 339 | library. If this is what you want to do, use the GNU Library General 340 | Public License instead of this License. 341 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | Advanced Policy Firewall (APF) v1.7.6 2 | (C) 2002-2019, R-fx Networks 3 | (C) 2019, Ryan MacDonald 4 | 5 | This program is free software; you can redistribute it and/or modify 6 | it under the terms of the GNU General Public License as published by 7 | the Free Software Foundation; either version 2 of the License, or 8 | (at your option) any later version. 9 | 10 | This program is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | GNU General Public License for more details. 14 | 15 | You should have received a copy of the GNU General Public License 16 | along with this program; if not, write to the Free Software 17 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 | 19 | Contents: 20 | 1 ............. Introduction 21 | 1.1 ........... Introduction: Supported Systems & Requirements 22 | 2 ............. Installation 23 | 2.1 ........... Installation: Boot Loading 24 | 3 ............. Configuration 25 | 3.1 ........... Configuration: Basic Options 26 | 3.2 ........... Configuration: Advanced Options 27 | 3.3 ........... Configuration: Reactive Address Blocking 28 | 3.4 ........... Configuration: Virtual Network Files 29 | 3.5 ........... Configuration: Global Variables & Custom Rules 30 | 4 ............. 
General Usage 31 | 4.1 ........... General Usage: Trust System 32 | 4.2 ........... General Usage: Global Trust System 33 | 4.3 ........... General Usage: Advanced Trust Syntax 34 | 4.4 ........... General Usage: Dynamic Trust Files 35 | 5 ............. License 36 | 6 ............. Support Information 37 | 38 | 1) Introduction: 39 | Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system 40 | designed around the essential needs of today's Internet deployed servers and the 41 | unique needs of custom deployed Linux installations. The configuration of APF 42 | is designed to be very informative and present the user with an easy to follow 43 | process, from top to bottom of the configuration file. The management of APF on 44 | a day-to-day basis is conducted from the command line with the 'apf' command, 45 | which includes detailed usage information and all the features one would expect 46 | from a current and forward thinking firewall solution. 47 | 48 | The technical side of APF is such that it embraces the latest stable features 49 | put forward by the iptables(netfilter) project to provide a very robust and 50 | powerful firewall. The filtering performed by APF is three fold: 51 | 1) Static rule based policies (not to be confused with a "static firewall") 52 | 2) Connection based stateful policies 53 | 3) Sanity based policies 54 | 55 | The first, static rule based policies, is the most traditional method of 56 | firewalling. This is when the firewall has an unchanging set of instructions 57 | (rules) on how traffic should be handled in certain conditions. An example of 58 | a static rule based policy would be when you allow/deny an address access to the 59 | server with the trust system or open a new port with conf.apf. So the short of 60 | it is rules that infrequently or never change while the firewall is running. 
61 | 62 | The second, connection based stateful policies, is a means to distinguish 63 | legitimate packets for different types of connections. Only packets matching a 64 | known connection will be allowed by the firewall; others will be rejected. An 65 | example of this would be FTP data transfers; in an older era of firewalling 66 | you would have to define a complex set of static policies to allow FTP data 67 | transfers to flow without a problem. That is not so with stateful policies, 68 | the firewall can see that an address has established a connection to port 21 69 | then "relate" that address to the data transfer portion of the connection and 70 | dynamically alter the firewall to allow the traffic. 71 | 72 | The third, sanity based policies, is the ability of the firewall to match 73 | various traffic patterns to known attack methods or scrutinize traffic to 74 | conform to Internet standards. An example of this would be when a would-be 75 | attacker attempts to forge the source IP address of data they are sending to 76 | you, APF can simply discard this traffic or optionally log it then discard it. 77 | To the same extent another example would be when a broken router on the 78 | Internet begins to relay malformed packets to you, APF can simply discard them 79 | or in other situations reply to the router and have it stop sending you new 80 | packets (TCP Reset). 81 | 82 | These three key filtering methods employed by APF are simply a generalization 83 | of how the firewall is constructed on a technical design level, there are a 84 | great many more features in APF that can be put to use. For a detailed 85 | description of all APF features you should review the configuration file 86 | /etc/apf/conf.apf which has well outlined captions above all options. 
Below is 87 | a point form summary of most APF features for reference and review: 88 | 89 | - detailed and well commented configuration file 90 | - granular inbound and outbound network filtering 91 | - user id based outbound network filtering 92 | - application based network filtering 93 | - trust based rule files with an optional advanced syntax 94 | - global trust system where rules can be downloaded from a central management 95 | server 96 | - reactive address blocking (RAB), next generation in-line intrusion prevention 97 | - debug mode provided for testing new features and configuration setups 98 | - fast load feature that allows for 1000+ rules to load in under 1 second 99 | - inbound and outbound network interfaces can be independently configured 100 | - global tcp/udp port & icmp type filtering with multiple methods of executing 101 | filters (drop, reject, prohibit) 102 | - configurable policies for each ip on the system with convenience variables to 103 | import settings 104 | - packet flow rate limiting that prevents abuse on the most widely abused 105 | protocol, icmp 106 | - prerouting and postrouting rules for optimal network performance 107 | - dshield.org block list support to ban networks exhibiting suspicious activity 108 | - spamhaus Don't Route Or Peer List support to ban known "hijacked zombie" IP 109 | blocks 110 | - any number of additional interfaces may be configured as firewalled 111 | (untrusted) or trusted (not firewalled) 112 | - additional firewalled interfaces can have their own unique firewall policies 113 | applied 114 | - intelligent route verification to prevent embarrassing configuration errors 115 | - advanced packet sanity checks to make sure traffic coming and going meets 116 | the strictest of standards 117 | - filter attacks such as fragmented UDP, port zero floods, stuffed routing, 118 | arp poisoning and more 119 | - configurable type of service options to dictate the priority of different types 120 | of network traffic 
121 | - intelligent default settings to meet everyday server setups 122 | - dynamic configuration of your server's local DNS resolvers into the firewall 123 | - optional filtering of common p2p applications 124 | - optional filtering of private & reserved IP address space 125 | - optional implicit blocks of the ident service 126 | - configurable connection tracking settings to scale the firewall to the size of 127 | your network 128 | - configurable kernel hooks (ties) to harden the system further to syn-flood 129 | attacks & routing abuses 130 | - advanced network control such as explicit congestion notification and overflow 131 | control 132 | - special chains that are aware of the state of FTP DATA and SSH connections to 133 | prevent client side issues 134 | - control over the rate of logged events, want only 30 filter events a minute? 135 | 300 a minute? - you are the boss 136 | - logging subsystem that allows for logging data to user space programs or 137 | standard syslog files 138 | - logging that details every rule added and a comprehensive set of error checks 139 | to prevent config errors 140 | - if you are familiar with netfilter you can create your own rules in any of 141 | the policy files 142 | - pluggable and ready advanced use of QoS algorithms provided by the Linux kernel 143 | - 3rd party add-on projects that complement APF features 144 | 145 | Still on the feature todo list is: 146 | - full support for NAT/MASQ including port forwarding 147 | - cluster oriented round-robin packet or port forwarding 148 | - in-line firewall reactive address blocking of connection floods 149 | - and much more... 150 | 151 | 1.1) Introduction: Supported Systems & Requirements 152 | The APF package is designed to run on Linux based operating systems that have 153 | an operational version of the iptables (netfilter) package installed. 
The 154 | iptables (netfilter) package is supported on Linux kernels 2.4 and above, 155 | you can find out more details on the netfilter project at: 156 | 157 | http://www.netfilter.org/ 158 | 159 | If the version of Linux you are using already has an included copy of 160 | iptables then chances are very high it has all the iptables modules that APF 161 | will need. If you are configuring iptables in your own custom kernel then you 162 | should be sure that the following modules are compiled with the kernel for 163 | modular support: 164 | 165 | ip_tables 166 | iptable_filter 167 | iptable_mangle 168 | ip_conntrack 169 | ip_conntrack_irc 170 | ip_conntrack_ftp 171 | ipt_state 172 | ipt_multiport 173 | ipt_limit 174 | ipt_recent 175 | ipt_LOG 176 | ipt_REJECT 177 | ipt_ecn 178 | ipt_length 179 | ipt_mac 180 | ipt_multiport 181 | ipt_owner 182 | ipt_state 183 | ipt_ttl 184 | ipt_TOS 185 | ipt_TCPMSS 186 | ipt_ULOG 187 | 188 | If you would like to make sure you support these modules then you can take a 189 | look inside of the /lib/modules/kernelver/kernel/net/ipv4/netfilter/ directory. 190 | 191 | # ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ 192 | 193 | The known Linux platforms that APF will run on are very diverse and it is hard 194 | to keep track but here is a short summary: 195 | 196 | Redhat Enterprise AS/ES 2+ 197 | CentOS Any 198 | Fedora Core Any 199 | Slackware 8.0+ 200 | Debian GNU/Linux 3.0+ 201 | Suse Linux 8.1+ 202 | Ubuntu Any 203 | TurboLinux Server 9+ 204 | TurboLinux Fuji (Desktop) 205 | RedHat Linux 7.3,8,9 206 | 207 | The base system specs for APF operating as intended are not set in stone and 208 | you can easily scale the package into almost any situation that has a Linux 209 | 2.4+ kernel, iptables and bash shell with standard set of gnu-utils (grep, 210 | awk, sed and the like). 
Below is a short table of what is recommended: 211 | DEVICE MIN RECOMMENDED 212 | CPU: 300Mhz 600Mhz 213 | MEM: 64MB 96MB 214 | DISK: OS OS 215 | NETWORK: Any Any 216 | 217 | 2) Installation 218 | The installation setup of APF is very straightforward, there is an included 219 | install.sh script that will perform all the tasks of installing APF for you. 220 | 221 | Begin Install: 222 | # sh install.sh 223 | or 224 | # INSTALL_PATH=/etc/yourpath sh install.sh 225 | 226 | 227 | If one so desires they may customize the setup of APF by editing the variables 228 | inside the install.sh script followed by also editing the path variables in 229 | the conf.apf and internals.conf files. This is however not recommended and the 230 | default paths should meet all user needs, they are: 231 | 232 | Install Path: /etc/apf 233 | Bin Path: /usr/local/sbin/apf 234 | 235 | The package includes two convenience scripts, the first is importconf which will 236 | import all the variable settings from your previous version of APF into the 237 | new installation. The second is get_ports, a script which will output the 238 | system's currently in-use 'server' ports for the user during the installation 239 | process in an effort to aid in configuring port settings. 240 | 241 | All previous versions of APF are saved upon the installation of newer 242 | versions and stored in /etc/apf.bkDDMMYY-UTIME format. In addition, there is a 243 | /etc/apf.bk.last sym-link created to the last version of APF you had installed. 244 | 245 | After installation is completed the documentation and convenience scripts are 246 | copied to /etc/apf/docs and /etc/apf/extras respectively. 247 | 248 | 2.1) Installation: Boot Loading 249 | On installation APF will install an init script to /etc/init.d/apf 250 | and configure it to load on boot. If you are setting up APF in a more 251 | custom situation then you may follow the below instructions. 
252 | 253 | There are really 3 modes of operation for having APF firewall your system 254 | and each has no real benefit except tailoring itself to your needs. 255 | 256 | The first is to setup APF in the init system with chkconfig (done by 257 | default during install), as detailed below: 258 | 259 | chkconfig --add apf 260 | chkconfig --level 345 apf on 261 | 262 | Secondly, you can add the following string to the bottom of the 263 | /etc/rc.local file: 264 | 265 | sh -c "/etc/apf/apf -s" & 266 | 267 | It is NOT recommended that you use both of these startup methods together, 268 | for most systems the init script via chkconfig should be fine. 269 | 270 | The third and final approach is to simply run APF in an on-demand fashion. That 271 | is, enable it with the 'apf -s' command when desired and disable it with 272 | 'apf -f' when desired. Note that in this mode nothing starts the firewall at boot, so after a reboot the host stays unfiltered until 'apf -s' is run again. 273 | 274 | 3) Configuration: 275 | On your first installation of APF it will come pretty bare in the way of 276 | preconfigured options, this is intentional. The most common issue with many 277 | firewalls is that they come configured with so many options that a user may 278 | never use or disable, that it leaves systems riddled with firewall holes. 279 | 280 | Now with that said, APF comes configured with only a single incoming port 281 | enabled by default and that is port 22 SSH. Along with a set of common practice 282 | filtering options preset in the most compatible fashion for all users. All the 283 | real advanced options APF has to offer are by default disabled including 284 | outbound (egress) port filtering, reactive address blocking (rab) and the 285 | virtual network subsystem to name a few. 286 | 287 | The main APF configuration file is located at /etc/apf/conf.apf and has 288 | detailed usage information above all configuration variables. 
The file uses 289 | integer based values for setting configuration options and they are 290 | 0 = disabled 291 | 1 = enabled 292 | 293 | All configuration options use this integer value system unless otherwise 294 | indicated in the description of that option. 295 | 296 | You should put aside 5 minutes and review the configuration file from top to 297 | bottom taking the time to read all the captions for the options that are 298 | provided. This may seem like a daunting task but a firewall is only as good 299 | as it is configured and that requires you, the administrator, to take a few 300 | minutes to understand what it is you are setting up. 301 | 302 | APF is a very powerful firewall that when setup to make use of all the advanced 303 | features, will provide a sophisticated and robust level of protection. Please 304 | continue reading further along this file for more information or see the 305 | support options at the bottom of this file for further assistance if you find 306 | yourself lost in the configuration process. 307 | 308 | 3.1) Configuration: Basic Options 309 | This section will cover some of the basic configuration options found inside 310 | of the conf.apf configuration file. These options, despite how basic, are the 311 | most vital in the proper operation of your firewall. 312 | 313 | Option: DEVEL_MODE 314 | Description: This tells APF to run in a development mode which in short means 315 | that the firewall will shut itself off every 5 minutes from a cronjob. When 316 | you install any version of APF, upgrade or new install, this feature is by 317 | default enabled to make sure the user does not lock themselves out of the 318 | system with configuration errors. Once you are satisfied that you have the 319 | firewall configured and operating as intended then you must disable it. While DEVEL_MODE is enabled the host is left completely unfiltered every time the cronjob stops the firewall, so it must never be left set to 1 on a production system. 
320 | 321 | Option: INSTALL_PATH 322 | Description: As it implies, this is the installation path for APF and unless 323 | you have become a brave surgeon it is unlikely you will ever need to reconfigure 324 | this option - on we go. 325 | 326 | Option: IFACE_UNTRUSTED 327 | Description: This variable controls the interface that firewall rules are applied 328 | against. This interface is commonly the Internet facing interface or any interface 329 | that faces the main network of untrusted communication (WAN). 330 | 331 | Option: IFACE_TRUSTED 332 | Description: It is common that you may want to set a specific interface as 333 | trusted to be excluded from the firewall, these may be administrative private 334 | links, virtualized VPN interfaces or a local area network that contains 335 | trusted resources. This feature is similar to what some term a demilitarized 336 | zone or DMZ for short, any interfaces set in this option will be exempt from 337 | all firewall rules with an implicit trust rule set early in the firewall load. 338 | 339 | Option: SET_VERBOSE 340 | Description: This option tells the apf script to print very detailed event logs 341 | to the screen as you are conducting firewall operations from the command line. 342 | This will allow for easier troubleshooting of firewall issues or to assist the 343 | user in better understanding what the firewall is doing rule-by-rule. Although 344 | the SET_VERBOSE option is new to APF, this level of logging has long been 345 | provided in the /var/log/apf_log file and still remains as such. 346 | 347 | Option: SET_FASTLOAD 348 | Description: This tells APF to use a special feature to take saved snap shots 349 | of the running firewall. Instead of regenerating every single firewall rule 350 | when we stop/start the firewall, APF will use these snap shots to "fast load" 351 | the rules in bulk.
There are internal features in APF that will detect when 352 | configuration has changed and then expire the snap shot forcing a full reload 353 | of the firewall. 354 | 355 | Option: SET_VNET 356 | Description: The ever curious option called SET_VNET, to put it briefly, this 357 | option controls the virtual network subsystem of APF also known as VNET. This 358 | is a subsystem that generates policy files for all aliased addresses on the 359 | IFACE_IN/OUT interfaces. In general this option is not needed for the normal 360 | operation of APF but is provided should you want to easily configure unique 361 | policies for the aliased addresses on an Interface. Please see topic 3.4 of 362 | this document for more advanced details related to this option. 363 | 364 | Option: SET_ADDIFACE 365 | Description: This allows you to have additional untrusted interfaces firewalled 366 | by APF and this is done through the VNET system. So for example let's assume you 367 | have a datacenter-provided eth2 interface for local network backups but you 368 | know hundreds of other Internet facing servers are also on this network. In 369 | such a situation it would be the best course to enable this option (along with 370 | SET_VNET) so that the interface is firewalled. Please see topic 3.4 of this 371 | document for more advanced details related to this option. 372 | 373 | Option: IG_TCP_CPORTS 374 | Description: This controls what TCP ports are allowed for incoming traffic, this 375 | is also known as the "server" or "listening services" ports. You would for 376 | example configure here the ports 21,25,80,110,443 if you were operating the 377 | FTP, SMTP, HTTP, POP3 & HTTPS services from this host. This is a global context 378 | rule and will apply to all addresses on this host unless virtual net rules are 379 | set to operate in another fashion.
380 | 381 | Option: IG_UDP_CPORTS 382 | Description: This controls what UDP ports are allowed for incoming traffic, this 383 | is also known as the "server" or "listening services" ports. You would for 384 | example configure here the ports 20,53 if you were operating the FTP & DNS 385 | services from this host. This is a global context rule and will apply to all 386 | addresses on this host unless virtual net rules are set to operate in another 387 | fashion. 388 | 389 | Option: IG_ICMP_TYPES 390 | Description: This controls what ICMP types are allowed for incoming traffic, 391 | these are control messages that the Internet uses to communicate any number of 392 | error messages during communication between hosts and networks. The default 393 | options should meet most needs however if you wish to filter a specific set 394 | of ICMP types you should review the 'internals/icmp.types' file. This is a 395 | global context rule and will apply to all addresses on this host unless virtual 396 | net rules are set to operate in another fashion. 397 | 398 | Option: EGF 399 | Description: This is a top level control feature for enabling or disabling all 400 | the outbound (egress) filtering features of the firewall. In the most basic 401 | setup of the firewall from install, this will be set to disabled and we will be 402 | operating in a mostly inbound (ingress) only filtering fashion. It is however 403 | recommended that you enable the outbound (egress) filtering as it provides a 404 | very robust level of protection and is a common practice to filtering outbound 405 | traffic. 406 | 407 | Option: EG_TCP_CPORTS 408 | Description: This controls what TCP ports are allowed for outgoing traffic, this 409 | is also known as the "client side" communication on a host. 
Here we would set 410 | any ports we wish to communicate with on the Internet, for example if you use 411 | many remote RSS feeds on websites then you will want to make sure ports 80,443 412 | are defined here so you can access the HTTP/HTTPS service on Internet servers. 413 | This is a global context rule and will apply to all addresses on this host 414 | unless virtual net rules are set to operate in another fashion. 415 | 416 | Option: EG_UDP_CPORTS 417 | Description: This controls what UDP ports are allowed for outgoing traffic, this 418 | is also known as the "client side" communication on a host. Here we would set 419 | any ports we wish to communicate with on the Internet, for example if you use 420 | many remote RSYNC servers then you will want to make sure port 873 is defined 421 | here so you can properly access the RSYNC service on Internet servers. This is 422 | a global context rule and will apply to all addresses on this host unless 423 | virtual net rules are set to operate in another fashion. 424 | 425 | Option: EG_ICMP_TYPES 426 | Description: This controls what ICMP types are allowed for outgoing traffic, 427 | these are control messages that the Internet uses to communicate any number of 428 | error messages during communication between hosts and networks. The default 429 | options should meet most needs however if you wish to filter a specific set 430 | of ICMP types you should review the 'internals/icmp.types' file. This is a 431 | global context rule and will apply to all addresses on this host unless virtual 432 | net rules are set to operate in another fashion. 433 | 434 | Option: LOG_DROP 435 | Description: The use of this option allows the firewall to perform very detailed 436 | firewall logging of packets as they are filtered by the firewall. This can help 437 | identify issues with the firewall or provide insightful information on who is 438 | taking pokes at the host.
Typically however this option is left disabled on 439 | production systems as it can get very noisy in the log files which also can 440 | increase i/o wait loads to the disk from the heavy logging. 441 | 442 | 3.2) Configuration: Advanced Options 443 | The advanced options, although not required, are those which afford the firewall 444 | the ability to be a more robust and encompassing solution in protecting a host. 445 | These options should be reviewed on a case-by-case basis and enabled only as 446 | you determine their merit to meet a particular need on a host or network. 447 | 448 | 449 | Option: SET_MONOKERN 450 | Description: This option tells the system that instead of looking for iptables 451 | modules, that we should expect them to be compiled directly into the kernel. So 452 | unless you have a custom compiled kernel on your system where modular support 453 | is disabled or iptables (netfilter) is compiled in directly, you should not 454 | enable this option. There are also exceptions here if you have a unique system 455 | setup and APF is unable to find certain iptables modules but you know for a 456 | fact they are there, then enable this option. 457 | 458 | Option: VF_ROUTE 459 | Description: This option will make sure that the IP addresses associated with 460 | the IFACE_* variables do actually have route entries. If a route entry cannot 461 | be found then APF will not load as it is likely a configuration error has been 462 | made with possible results being a locked-up server. 463 | 464 | Option: VF_LGATE 465 | Description: This option will make sure that all traffic coming into this host 466 | is going through this defined MAC address. This is not something you will want 467 | enabled in most situations but it is something certain people will desire with 468 | servers residing behind a NAT/MASQ gateway for example.
469 | 470 | Option: RAB 471 | Description: This is a top level toggle for the reactive address blocking in 472 | APF and does nothing more than either enable or disable it. 473 | 474 | Option: RAB_SANITY 475 | Description: This enables RAB for sanity violations, which is when an address 476 | breaks a strict conformity standard such as trying to spoof an address or modify 477 | packet flags. When addresses are found to have made such violations they are 478 | temporarily banned for the duration of the RAB_TIMER value in seconds. 479 | 480 | Option: RAB_PSCAN_LEVEL 481 | Description: This enables RAB for port scan violations, which is when an 482 | address attempts to connect to a port that has been classified as malicious. 483 | These types of ports are those which are not commonly used in today's Internet but are 484 | the subject of scrutiny by attackers, such as ports 1,7,9,11. The values for 485 | this option are broken into 4 integers and they are 0 for disabled, 1 for 486 | low security, 2 for medium security and 3 for high security. 487 | 488 | Option: RAB_HITCOUNT 489 | Description: This controls the number of violation hits an address must have 490 | before it is blocked. It is a good idea to keep this very low to prevent 491 | evasive measures. The default is 0 or 1, meaning instant block on first hit. 492 | 493 | Option: RAB_TIMER 494 | Description: This is the amount of time (in seconds) that an address gets 495 | blocked for if a violation is triggered, the default is 300s (5 minutes). This 496 | option has a max accepted value of 43200 seconds or 12 hours. 497 | 498 | Option: RAB_TRIP 499 | Description: This allows RAB to 'trip' the block timer back to 0 seconds if an 500 | address attempts ANY subsequent communication while still on the initial block 501 | period. This option really is one of the more exciting features of the RAB 502 | system as it can cut off an attack at the legs before it ever mounts into 503 | something tangible against the system.
504 | 505 | Option: RAB_LOG_HIT 506 | Description: This controls if the firewall should log all violation hits from 507 | an address. It is recommended that this be enabled to provide insightful log 508 | data on addresses which are attempting to probe or conduct questionable actions 509 | against this host. The use of the LOG_DROP variable set to 1 will override this to 510 | force logging. 511 | 512 | Option: RAB_LOG_TRIP 513 | Description: This controls if the firewall should log all subsequent traffic 514 | from an address that is already blocked for a violation hit, this can generate 515 | a lot of logs. However, the use of this option despite the depth of log data it 516 | may generate could provide valuable information as to the intents of an attacker. 517 | The use of the LOG_DROP variable set to 1 will override this to force logging. 518 | 519 | Option: TCP_STOP, UDP_STOP, ALL_STOP 520 | Description: These options tell the firewall in which way to go about filtering 521 | traffic, the supported values are DROP, RESET, REJECT and PROHIBIT. We will 522 | review these options below in short and provide the pros/cons of their uses. 523 | 524 | - The default is DROP which tells the firewall to silently discard packets 525 | and not reply to them at all, which some consider to be "stealth" firewall 526 | behavior. The direct benefit is that it saves system resources, especially 527 | during a DoS attack in not having to reply to every discarded packet. However 528 | the problem is experienced attackers know the way TCP/IP works and it is such 529 | that when you try to connect to a service that is unavailable, your server or 530 | local router replies with an "icmp-port/host-unreachable" message. So when an 531 | attacker probing your IP address receives no reply from the server or local 532 | router to the scans, they will instantly know you are running a firewall, 533 | possibly piquing curiosity more.
534 | 535 | - Then we have RESET which allows the firewall to reply to discarded packets 536 | in such a way that it trys to make the remote host "reset/terminate" the 537 | connection attempts to you. This option is more in-line with TCP/IP 538 | standards however in most situations will provide no real benefits or 539 | drawbacks. In some really isolated situations you may find that using RESET 540 | during DoS attacks will help terminate connections more promptly but in 541 | general this does not serve to counter the system resources expended to 542 | send back replies to every single packet filtered. 543 | 544 | - Then we have the REJECT value which is a more common alternative to DROP as 545 | it allows the firewall to reply to packets with an error message. This 546 | accomplishes the goal of filtering a packet while at the same time not 547 | allowing the remote host to know that we are running a firewall, they just 548 | think the port/service is closed/unavailable. 549 | 550 | - Finally we have the PROHIBIT value which is specific for UDP_STOP but can 551 | be used as other *_STOP values with similar effect. When we set PROHIBIT we 552 | are telling the firewall to reply to the sender of packets with only ICMP 553 | error messages instead of like the case with RESET, TCP packets. This is a 554 | good alternative to reply to packets with as it does not load the system 555 | as "much" during aggressive attacks. This is also the default expected 556 | reply for UDP packets that are not accepted by a host, however APF will by 557 | default use a DROP value on UDP packets. 558 | 559 | Option: PKT_SANITY 560 | Description: This option controls the way packets are scrutinized as they flow 561 | through the firewall. The main PKT_SANITY option is a top level toggle for all 562 | SANITY options and provides general packet flag sanity as a pre-scrub for the 563 | other sanity options. 
In short, this makes sure that all packets coming and 564 | going conform to strict TCP/IP standards. In doing so we make it very difficult 565 | for attackers to inject raw/custom packets into this host. 566 | 567 | Now onto the sanity filters, these are options that allow APF to scrutinize 568 | traffic coming into and out of the server so it conforms to TCP/IP standards 569 | and also filters common attack characteristics. There are a number of sanity 570 | options and each one has a well detailed caption in the configuration file. In 571 | addition, these options come preconfigured to suit most situations' needs and 572 | provide the best protection possible. With that, I will defer the PKT_SANITY 573 | details to the conf.apf file where you can find ample information on each 574 | option. 575 | 576 | Moving forward we now have the Type of Service (TOS) settings which provide a 577 | simple classification system to dictate traffic priority based on port numbers. 578 | The use of TOS in its respective capacities can have a wide ranging impact on the 579 | performance of your services, both positive and negative depending on settings. 580 | That is why it is very important that you understand and study the impact of any 581 | changes to TOS values and then act accordingly, as no two networks are alike. A 582 | very good rule of thumb with TOS configuration is to look at the name of the TOS 583 | value and apply some good judgement to how that name applies to certain service 584 | based traffic on your network. For example the TOS value Minimize-Cost, designed 585 | to minimize data transmission, would generally not be a good setting to improve the 586 | response time or throughput of HTTP connections. A more fitting setting for 587 | this would be "Maximum Throughput - Minimum Delay", as set to default for HTTP.
588 | The default TOS settings are designed to improve throughput and reliability for 589 | FTP,HTTP,SMTP,POP3 and IMAP, please review conf.apf under the TOS_ settings for 590 | further details on Type of Service (TOS). 591 | 592 | Following the TOS settings we find the traceroute settings TCR_ which tell the 593 | firewall if and how we should handle traceroute traffic. This is by default 594 | enabled in APF, mostly cause of popular demand but really there is no reason 595 | to have it enabled or disabled other than personal preference. The TCR_PASS 596 | option tells the firewall if we want to accept traceroutes and on the TCR_PORTS 597 | 598 | 599 | 3.3) Configuration: Reactive Address Blocking 600 | 3.4) Configuration: Virtual Network Files 601 | 3.5) Configuration: Global Variables & Custom Rules 602 | 603 | 4) General Usage: 604 | The /usr/local/sbin/apf command has a number of options that will ease the 605 | day-to-day use of your firewall. Here is a quick snap-shot of the options: 606 | 607 | usage /usr/local/sbin/apf [OPTION] 608 | -s|--start ......................... load the firewall rules 609 | -r|--restart ....................... stop (flush) & reload firewall rules 610 | -f|--stop .......................... stop (flush) all firewall rules 611 | -l|--list .......................... list chain rules 612 | -t|--status ........................ firewall status 613 | -e|--refresh ....................... refresh & resolve dns names in trust rules 614 | -a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and 615 | immediately load new rule into firewall 616 | -d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and 617 | immediately load new rule into firewall 618 | -u|--remove HOST ................... remove host from [glob_]deny_hosts.rules 619 | and immediately remove rule from firewall 620 | -o|--ovars ......................... 
output all configuration options 621 | 622 | These options explain themselves very clearly such as the start/stop/restart 623 | operations. 624 | 625 | The -l|--list option will list all the firewall rules you currently have loaded, 626 | this is more of a feature intended for experienced users but nevertheless can be 627 | insightful for any administrator to peek at. 628 | 629 | As for the -t|--status option, this will simply show you page-by-page the APF 630 | status log that tracks any operations you perform with APF - if something is 631 | not working properly, this is what you want to run. 632 | 633 | The -e|--refresh option will flush the trust system chains and reload them from 634 | the rule files, this will also cause any dns names in the rules to re-resolve. 635 | This feature is ideal if you have dynamic dns names in the trust system, apart 636 | from that it has few other uses. 637 | 638 | If you need to quickly allow or deny someone access on the system then the 639 | -a|--allow and -d|--deny options are your champions. If you need to quickly 640 | remove an allow or deny entry from the firewall then the -u|--remove option 641 | is there for it. These options are immediate in action and do NOT require 642 | the firewall to be restarted. Please see the sections below in this file for 643 | more information on the trust system. 644 | 645 | Finally the -o|--ovars option is a debug feature, if something is not working 646 | the way it was intended and you need help then please send me an email to 647 | apf@r-fx.org and be sure to include the output of this option with your email (it lists your full configuration, so review it for anything you consider sensitive before sending). 648 | 649 | 4.1) General Usage: Trust System: 650 | The trust system in APF is a very traditional setup with two basic trust levels; 651 | allow and deny. These two basic trust levels are also extended with two global 652 | trust levels that can be imported from a remote server to assist with central 653 | trust management in a large scale deployment.
We will first look at the basic 654 | trust levels then have a look at the extended global trust system in the 655 | following section 4.2 then the advanced trust syntax in 4.3. 656 | 657 | The two basic trust level files are located at: 658 | /etc/apf/allow_hosts.rules 659 | /etc/apf/deny_hosts.rules 660 | 661 | These files by nature are static, meaning that once you add an entry to them, 662 | they will remain in the files till you remove them yourself. The trust files 663 | accept both FQDN (fully qualified domain names) and IP addresses with optional 664 | bit masking. Examples of these formats are: 665 | 666 | yourhost.you.com (FQDN) 667 | 192.168.2.102 (IP Address) 668 | 192.168.1.0/24 (IP Address with 24 bit mask) 669 | 670 | The definition of IP bit masking is slightly out of the scope of this document 671 | but some common bit masks that are used would be: 672 | /24 (192.168.1.0 to 192.168.1.255) 673 | /16 (192.168.0.0 to 192.168.255.255) 674 | 675 | If you have common abuse from a network of addresses you can whois that address 676 | then determine the network operators assigned address space and ban the network 677 | with bit masking. 678 | 679 | There are two methods for adding entries to the trust files and they are first 680 | and foremost by using an editor or interface of some type to edit the two files 681 | manually, such as nano (pico clone) or vi (old school editor). 682 | 683 | The second is by using the 'apf' command with the options --allow (-a for 684 | short), --deny (-d for short) and --remove (-u for short). The --allow|-a and 685 | --deny|-d flags both accept a comment option which is simply a string at the 686 | end of the command that you would like added to the trust rule files for 687 | reference. 
Here are some operating examples of these commands: 688 | 689 | Trust an address: 690 | apf -a ryanm.dynip.org "my home dynamic-ip" 691 | 692 | Deny an address: 693 | apf -d 192.168.3.111 "keeps trying to bruteforce" 694 | 695 | Remove an address: 696 | apf -u ryanm.dynip.org 697 | 698 | Please take note that the --remove|-u option does not accept a comment string 699 | for obvious reason and that it will remove entries that match from 700 | allow_hosts.rules, deny_hosts.rules and the global extensions of these files. 701 | 702 | 4.2) General Usage: Global Trust System 703 | 704 | 4.3) General Usage: Advanced Trust Syntax 705 | Advanced trust usage; The trust rules can be made in advanced format with 4 706 | options (proto:flow:port:ip); 707 | 1) protocol: [packet protocol tcp/udp] 708 | 2) flow in/out: [packet direction, inbound or outbound] 709 | 3) s/d=port: [packet source or destination port] 710 | 4) s/d=ip(/xx) [packet source or destination address, masking supported] 711 | 712 | Flow assumed as Input if not defined. Protocol assumed as TCP if not defined. 713 | When defining rules with protocol, flow is required. 714 | 715 | Syntax: 716 | proto:flow:[s/d]=port:[s/d]=ip(/mask) 717 | s - source , d - destination , flow - packet flow in/out 718 | 719 | Examples: 720 | inbound to destination port 22 from 24.202.16.11 721 | tcp:in:d=22:s=24.202.16.11 722 | 723 | outbound to destination port 23 to destination host 24.2.11.9 724 | out:d=23:d=24.2.11.9 725 | 726 | inbound to destination port 3306 from 24.202.11.0/24 727 | d=3306:s=24.202.11.0/24 728 | 729 | 4.4) General Usage: Dynamic Trust Files 730 | dyn_allow_hosts.rules 731 | dyn_deny_hosts.rules 732 | 733 | 5) License: 734 | APF is developed and supported on a volunteer basis by Ryan MacDonald 735 | [ryan@r-fx.org] 736 | 737 | APF (Advanced policy firewall) is distributed under the GNU General Public 738 | License (GPL) without restrictions on usage or redistribution. 
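The APF 739 | copyright statement, and GNU GPL, "COPYING.GPL" are included in the top-level 740 | directory of the distribution. Credit must be given for derivative works as 741 | required under GNU GPL. 742 | 743 | 6) Support Information: 744 | If you require any assistance with APF you may refer to the R-fx Networks 745 | community forums located at http://forums.rfxnetworks.com. You may also send 746 | an e-mail to support@r-fx.org. 747 | 748 | The official home page for APF is located at: 749 | http://www.rfxnetworks.com/apf.php 750 | 751 | All bugs or feature requests should be sent to apf@r-fx.org and please be sure 752 | to include as much information as possible or conceptual ideas of how you think 753 | a new feature should work. 754 |
--------------------------------------------------------------------------------
/apf.init:
--------------------------------------------------------------------------------
#!/bin/bash
##
# Advanced Policy Firewall (APF) v1.7.6
# (C) 2002-2019, R-fx Networks
# (C) 2019, Ryan MacDonald
# This program may be freely redistributed under the terms of the GNU GPL v2
##
### BEGIN INIT INFO
# Provides: apf
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start apf at boot time
# chkconfig: 345 55 25
# description: Advanced Policy Firewall (APF); iptables firewall wrapper
### END INIT INFO
#
# SysV init wrapper around /usr/local/sbin/apf.
#
# The two APF files sourced below are executed as shell code, so they must stay
# writable by root only. IPT_FLAGS comes from internals.conf and is deliberately
# left unquoted where it is used so that it word-splits into separate iptables
# arguments.
#
# Exit status: 0 on success, 1 when apf reports a failed start/stop, 2 on a bad
# argument (LSB convention). The previous version always exited 0 and always
# printed echo_success, which hid failed loads from boot logs and callers.

# source function library (provides echo_success / echo_failure)
. /etc/rc.d/init.d/functions
# import variables
. /etc/apf/conf.apf
. /etc/apf/internals/internals.conf

ipt="/sbin/iptables"
inspath="/etc/apf"
prog="apf"
apf_bin="/usr/local/sbin/apf"
rc=0

#######################################
# Report whether APF is currently loaded, judged by the presence of its four
# trust chains.
# Globals:   ipt, IPT_FLAGS (read)
# Returns:   0 when all chains exist, 1 otherwise
#######################################
apf_running() {
  local chain
  for chain in TALLOW TDENY TGALLOW TGDENY; do
    # shellcheck disable=SC2086 -- IPT_FLAGS is a list of flags
    "$ipt" $IPT_FLAGS -n -L "$chain" >/dev/null 2>&1 || return 1
  done
  return 0
}

#######################################
# Run an apf sub-command quietly and print the matching status marker.
# Arguments: $1 - label printed before the marker
#            $2 - apf option (--start or --stop)
# Globals:   apf_bin (read), rc (written on failure)
#######################################
run_apf() {
  local label=$1 action=$2
  echo -n "$label"
  # NOTE(review): apf itself exits 0 on most paths, so this mainly catches a
  # missing binary or missing conf.apf; confirm against /usr/local/sbin/apf.
  if "$apf_bin" "$action" >>/dev/null 2>&1; then
    echo_success
  else
    echo_failure
    rc=1
  fi
  echo
}

case "$1" in
  start)
    run_apf "Starting APF:" --start
    ;;
  stop)
    run_apf "Stopping APF:" --stop
    ;;
  restart)
    "$0" stop
    "$0" start
    rc=$?
    ;;
  condrestart)
    if apf_running; then
      "$0" stop
      "$0" start
      rc=$?
    else
      echo "APF not running, doing nothing."
    fi
    ;;
  *)
    echo "usage: $0 [start|stop|restart|condrestart]"
    rc=2
    ;;
esac
exit "$rc"
--------------------------------------------------------------------------------
/cron.daily:
--------------------------------------------------------------------------------
#!/bin/bash
/etc/init.d/apf restart >> /dev/null 2>&1
--------------------------------------------------------------------------------
/files/VERSION:
--------------------------------------------------------------------------------
version: 1.7.6-2
--------------------------------------------------------------------------------
/files/allow_hosts.rules:
--------------------------------------------------------------------------------
##
# allow_hosts
#
# Trust based rule file to define addresses that are granted all or specific
# access through the firewall.
#
# Format of this file is line-seperated addresses, IP masking is supported.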
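# Example:
# 192.168.2.1
# 192.168.5.0/24
#
# advanced usage
#
# The trust rules can be made in advanced format with 4 options
# (proto:flow:port:ip);
# 1) protocol: [packet protocol tcp/udp]
# 2) flow in/out: [packet direction, inbound or outbound]
# 3) s/d=port: [packet source or destination port]
# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
#
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s - source , d - destination , flow - packet flow in/out
#
# Examples:
# inbound to destination port 22 from 192.168.2.1
# tcp:in:d=22:s=192.168.2.1
#
# outbound to destination port 23 to destination host 192.168.2.1
# out:d=23:d=192.168.2.1
#
# inbound to destination port 3306 from 192.168.5.0/24
# d=3306:s=192.168.5.0/24
#
##
--------------------------------------------------------------------------------
/files/apf:
--------------------------------------------------------------------------------
#!/bin/bash
#
##
# Advanced Policy Firewall (APF) v1.7.6
# (C) 2002-2019, R-fx Networks
# (C) 2019, Ryan MacDonald
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
# Command-line front end for APF.
#
# conf.apf is sourced (executed as shell) below and is expected to bring the
# helpers used here into scope: eout, devm, flush, list, status, refresh,
# ovars, help, cli_trust, cli_trust_remove, bandmin, mutex_lock/mutex_unlock
# and the MD5/DIFF/IPT/IPTS/IPTR tool variables - NOTE(review): confirm against
# conf.apf and internals/functions.apf, none of them are defined in this file.
#
# Changes from the previous revision, all in start():
#  - a fast load is attempted only when the snapshot file exists, and a failed
#    restore falls through to a full load instead of reporting success;
#  - the "snapshot expired" message now says 12h, matching the 43200s check;
#  - the SKIP_FASTLOAD_* flags are reset so inherited environment values cannot
#    force or suppress a fast load;
#  - paths are quoted and the log/trust files are created with a 077 umask.
VER="1.7.6-2"
CNF="/etc/apf/conf.apf"

#######################################
# Print the version banner.
# NOTE: this shadows the coreutils `head` command for the rest of this script
# and for everything it sources; keep that in mind before adding a `head`
# pipeline anywhere in APF.
#######################################
head() {
  echo "Advanced Policy Firewall (APF) v$VER "
  echo " Copyright (C) 2002-2019, R-fx Networks "
  echo " Copyright (C) 2019, Ryan MacDonald "
  echo "This program may be freely redistributed under the terms of the GNU GPL"
  echo ""
}

# Load the configuration; it runs as shell code, so it must be owned and
# writable by root only.
if [ -f "$CNF" ]; then
  # shellcheck source=/dev/null
  source "$CNF"
else
  head
  echo "\$CNF not found, aborting."
  exit 1
fi

if [ ! -f "$LOG_APF" ]; then
  # create with a restrictive mode from the start rather than touch-then-chmod
  ( umask 077 && touch -- "$LOG_APF" )
  chmod 600 -- "$LOG_APF"
  eout "{glob} status log not found, created"
fi

#######################################
# Load the firewall: restore the iptables-save snapshot when it is still valid
# (SET_FASTLOAD), otherwise run the rule-by-rule full load.
# Globals:   SET_FASTLOAD, INSTALL_PATH, ADR, DEVEL_ON, SET_VERBOSE,
#            SET_REFRESH_MD5, MD5, DIFF, IPT, IPTS, IPTR, IPT_FLAGS,
#            DS_HOSTS, DENY_HOSTS, ALLOW_HOSTS, GDENY_HOSTS, GALLOW_HOSTS (read)
# Outputs:   status lines via eout; writes the internals/ state files
# Returns:   exits 0 directly after a successful fast load, otherwise returns
#            after the full load (the caller unlocks the mutex)
#######################################
start() {
  local internals="$INSTALL_PATH/internals"
  local LAST_FULL CURRENT_LOAD LOAD_DIFF EMPTY_MD5 VARS_DIFF UPSEC LOAD
  local firewall_on f devm_done=""
  # reset the skip flags so values inherited from the environment cannot
  # force or suppress a fast load
  local SKIP_FASTLOAD_FIRSTRUN="" SKIP_FASTLOAD_EXPIRED="" SKIP_FASTLOAD_VARS=""
  local SKIP_FASTLOAD_SNAPSHOT="" SET_FASTLOAD_UPSEC="" MD5_FIRSTRUN=""
  # files whose checksum invalidates the snapshot; deliberately unquoted at
  # every use so the globs expand
  local MD5_FILES="$ADR $INSTALL_PATH/*.rules $internals/*.networks $INSTALL_PATH/vnet/*.rules"

  ##
  # Fast Load
  ##
  if [ "$SET_FASTLOAD" == "1" ]; then
    # first startup since install? then there is nothing to restore
    if [ ! -f "$internals/.last.full" ]; then
      SKIP_FASTLOAD_FIRSTRUN=1
    else
      # a snapshot older than 12h (43200s) is expired
      LAST_FULL=$(cat "$internals/.last.full")
      CURRENT_LOAD=$(date +"%s")
      LOAD_DIFF=$((CURRENT_LOAD - LAST_FULL))
      if [ "$LOAD_DIFF" -ge "43200" ]; then
        SKIP_FASTLOAD_EXPIRED=1
      fi
    fi

    # has the configuration changed since the last full load?
    if [ ! -f "$internals/.md5.cores" ]; then
      SKIP_FASTLOAD_VARS=1
      MD5_FIRSTRUN=1
    else
      EMPTY_MD5=$(cat "$internals/.md5.cores")
      if [ -z "$EMPTY_MD5" ]; then
        # shellcheck disable=SC2086
        $MD5 $MD5_FILES > "$internals/.md5.cores" 2>/dev/null
      fi
      # shellcheck disable=SC2086
      $MD5 $MD5_FILES > "$internals/.md5.cores.new" 2>/dev/null
      VARS_DIFF=$($DIFF "$internals/.md5.cores.new" "$internals/.md5.cores")
      if [ -n "$VARS_DIFF" ]; then
        # shellcheck disable=SC2086
        $MD5 $MD5_FILES > "$internals/.md5.cores" 2>/dev/null
        SKIP_FASTLOAD_VARS=1
      fi
    fi
    if [ "$DEVEL_ON" == "1" ]; then
      SKIP_FASTLOAD_VARS=1
    fi
    if [ ! -f "$internals/.md5.cores.new" ] && [ -f "$internals/.md5.cores" ]; then
      cp "$internals/.md5.cores" "$internals/.md5.cores.new"
    fi

    # has the effective variable set (apf -o) changed since the last full load?
    if [ ! -f "$internals/.last.vars" ]; then
      "$INSTALL_PATH/apf" -o > "$internals/.last.vars"
      SKIP_FASTLOAD_VARS=1
    else
      "$INSTALL_PATH/apf" -o > "$internals/.last.vars.new"
      VARS_DIFF=$($DIFF "$internals/.last.vars.new" "$internals/.last.vars")
      if [ -n "$VARS_DIFF" ]; then
        "$INSTALL_PATH/apf" -o > "$internals/.last.vars"
        SKIP_FASTLOAD_VARS=1
      fi
    fi

    # a fast load within 5 minutes (300s) of boot is not trusted
    read -r UPSEC _ < /proc/uptime
    UPSEC=${UPSEC%%.*}
    if [ "$UPSEC" -lt "300" ]; then
      SET_FASTLOAD_UPSEC=1
    fi

    # no snapshot on disk means there is nothing to fast load
    if [ ! -f "$internals/.apf.restore" ]; then
      SKIP_FASTLOAD_SNAPSHOT=1
    fi

    # check if we are flagged to skip fast load, otherwise off we go
    if [ -z "$SKIP_FASTLOAD_FIRSTRUN" ] && [ -z "$SKIP_FASTLOAD_EXPIRED" ] && \
       [ -z "$SKIP_FASTLOAD_VARS" ] && [ -z "$SET_FASTLOAD_UPSEC" ] && \
       [ -z "$SKIP_FASTLOAD_SNAPSHOT" ]; then
      devm
      devm_done=1
      eout "{glob} activating firewall, fast load"
      # shellcheck disable=SC2086
      if $IPTR $IPT_FLAGS "$internals/.apf.restore"; then
        eout "{glob} firewall initialized"
        if [ "$SET_VERBOSE" == "1" ] && [ "$DEVEL_ON" == "1" ]; then
          eout "{glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes."
        fi
        mutex_unlock
        exit 0
      fi
      # a failed restore must not be reported as a loaded firewall; fall
      # through to the rule-by-rule full load instead
      eout "{glob} fast load snapshot failed to restore, going full load"
    elif [ "$SKIP_FASTLOAD_FIRSTRUN" == "1" ]; then
      eout "{glob} first run? fast load skipped [internals/.last.full not present]"
    elif [ "$SKIP_FASTLOAD_EXPIRED" == "1" ]; then
      eout "{glob} fast load snapshot more than 12h old, going full load"
    elif [ "$SKIP_FASTLOAD_VARS" == "1" ]; then
      eout "{glob} config. or .rule file has changed since last full load, going full load"
    elif [ "$SET_FASTLOAD_UPSEC" == "1" ]; then
      eout "{glob} uptime less than 5 minutes, going full load"
    elif [ "$SKIP_FASTLOAD_SNAPSHOT" == "1" ]; then
      eout "{glob} fast load snapshot [internals/.apf.restore] not present, going full load"
    fi
  fi

  ##
  # Full Load
  ##
  eout "{glob} activating firewall"
  # record our last full load
  date +"%s" > "$internals/.last.full"
  # make sure the trust files exist and are readable by root only
  for f in "$DS_HOSTS" "$DENY_HOSTS" "$ALLOW_HOSTS"; do
    if [ ! -f "$f" ]; then
      ( umask 077 && touch -- "$f" )
      chmod 600 -- "$f"
    fi
  done
  # check dev mode (skipped when the fast-load path already did it)
  [ "$devm_done" == "1" ] || devm
  # generate vnet rules
  "$INSTALL_PATH/vnet/vnetgen"
  # start main firewall script
  "$INSTALL_PATH/firewall"
  # check for/load bandmin, but not while the 1-minute load average is above 10
  read -r LOAD _ < /proc/loadavg
  LOAD=${LOAD%%.*}
  if [ ! "$LOAD" -gt "10" ]; then
    bandmin
  fi
  eout "{glob} firewall initialized"
  if [ "$MD5_FIRSTRUN" == "1" ]; then
    # shellcheck disable=SC2086
    $MD5 $MD5_FILES > "$internals/.md5.cores" 2>/dev/null
  fi

  # snapshot the loaded rule set for the next fast load; never in devel mode,
  # where the rules are flushed again every 5 minutes
  # shellcheck disable=SC2086
  firewall_on=$($IPT $IPT_FLAGS -L --numeric | grep -vE "Chain|destination")
  if [ ! "$DEVEL_ON" == "1" ] && [ -n "$firewall_on" ]; then
    $IPTS > "$internals/.apf.restore"
    eout "{glob} fast load snapshot saved"
  fi
  if [ "$SET_VERBOSE" == "1" ] && [ "$DEVEL_ON" == "1" ]; then
    eout "{glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes."
  fi

  if [ "$SET_REFRESH_MD5" == "1" ] && [ -n "$MD5" ]; then
    # the trust file list stays unquoted and the path stays /etc/apf so the
    # checksum matches whatever reads .trusts.md5 elsewhere in APF
    # (NOTE(review): it ignores INSTALL_PATH, unlike the rest of this function)
    # shellcheck disable=SC2086
    $MD5 $DENY_HOSTS $GDENY_HOSTS $ALLOW_HOSTS $GALLOW_HOSTS | $MD5 | awk '{print$1}' \
      > /etc/apf/internals/.trusts.md5
  fi
}

case "$1" in
  -s|--start)
    mutex_lock
    start
    ;;
  -f|--flush|--stop)
    mutex_lock
    flush
    ;;
  -l|--list)
    list
    ;;
  -t|-st|--status)
    status
    ;;
  -r|--restart)
    "$0" --flush
    sleep 2
    "$0" --start
    ;;
  -a|--allow)
    cli_trust "TALLOW" "ALLOW" "$ALLOW_HOSTS" "$2" "$3"
    ;;
  -d|--deny)
    cli_trust "TDENY" "DENY" "$DENY_HOSTS" "$2" "$3"
    ;;
  -u|--remove|--unban)
    # a missing host argument used to reach cli_trust_remove with no argument
    if [ -z "$2" ]; then
      head
      help
    else
      cli_trust_remove "$2" >>/dev/null 2>&1
      eout "{trust} removed $2 from trust system"
      if [ ! "$SET_VERBOSE" == "1" ]; then
        echo "Removed $2 from trust system."
      fi
    fi
    ;;
  -e|--refresh)
    mutex_lock
    refresh
    ;;
  -o|--ovars)
    head
    ovars
    ;;
  *)
    head
    help
    ;;
esac
mutex_unlock
exit 0
--------------------------------------------------------------------------------
/files/bt.rules:
--------------------------------------------------------------------------------
eout "{glob} loading bt.rules"

# Load our Deny Hosts rules
glob_deny_download
deny_hosts $GDENY_HOSTS TGDENY
deny_hosts $DENY_HOSTS TDENY

# Load our projecthoneypot drop list
dlist_php
dlist_php_hosts

# Load our dshield drop list
dlist_dshield
dlist_dshield_hosts

# Load our Spamhaus Don't Route Or Peer List
dlist_spamhaus
dlist_spamhaus_hosts

# Block common drop ports
cdports

# Filter all traffic not from local gateway
if [ ! "$VF_LGATE" == "" ]; then
  lgate_mac
fi

if [ "$RAB" == "1" ] && [ "$RAB_SANITY" == "1" ]; then
  eout "{rab} set active RAB_SANITY"
  RAB_SANITY_FLAGS="-m recent --set"
else
  RAB_SANITY_FLAGS=""
fi
if [ "$PKT_SANITY" == "1" ]; then
  eout "{pkt_sanity} set active PKT_SANITY"
  # Drop packets With invalid flag order
  eout "{pkt_sanity} deny inbound tcp-flag pairs ALL NONE"
  eout "{pkt_sanity} deny inbound tcp-flag pairs SYN,FIN SYN,FIN"
  eout "{pkt_sanity} deny inbound tcp-flag pairs SYN,RST SYN,RST"
  eout "{pkt_sanity} deny inbound tcp-flag pairs FIN,RST FIN,RST"
  eout "{pkt_sanity} deny inbound tcp-flag pairs ACK,FIN FIN"
  eout "{pkt_sanity} deny inbound tcp-flag pairs ACK,URG URG"
  eout "{pkt_sanity} deny inbound tcp-flag pairs ACK,PSH PSH"
  eout "{pkt_sanity} deny inbound tcp-flag pairs ALL FIN,URG,PSH"
  eout "{pkt_sanity} deny inbound tcp-flag pairs ALL SYN,RST,ACK,FIN,URG"
  eout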
"{pkt_sanity} deny inbound tcp-flag pairs ALL ALL" 47 | eout "{pkt_sanity} deny inbound tcp-flag pairs ALL FIN" 48 | $IPT $IPT_FLAGS -N IN_SANITY 49 | if [ "$LOG_DROP" == "1" ]; then 50 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL NONE -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 51 | fi 52 | if [ "$RAB_LOG_HIT" == "1" ]; then 53 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL NONE -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " 54 | fi 55 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL NONE $RAB_SANITY_FLAGS -j $TCP_STOP 56 | if [ "$LOG_DROP" == "1" ]; then 57 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 58 | fi 59 | if [ "$RAB_LOG_HIT" == "1" ]; then 60 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " 61 | fi 62 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN $RAB_SANITY_FLAGS -j $TCP_STOP 63 | if [ "$LOG_DROP" == "1" ]; then 64 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 65 | fi 66 | if [ "$RAB_LOG_HIT" == "1" ]; then 67 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " 68 | fi 69 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags SYN,RST SYN,RST $RAB_SANITY_FLAGS -j $TCP_STOP 70 | if [ "$LOG_DROP" == "1" ]; then 71 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 72 | fi 73 | if [ 
"$RAB_LOG_HIT" == "1" ]; then 74 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " 75 | fi 76 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags FIN,RST FIN,RST $RAB_SANITY_FLAGS -j $TCP_STOP 77 | if [ "$LOG_DROP" == "1" ]; then 78 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ACK,FIN FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 79 | fi 80 | if [ "$RAB_LOG_HIT" == "1" ]; then 81 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ACK,FIN FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " 82 | fi 83 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ACK,FIN FIN $RAB_SANITY_FLAGS -j $TCP_STOP 84 | if [ "$LOG_DROP" == "1" ]; then 85 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ACK,URG URG -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 86 | fi 87 | if [ "$RAB_LOG_HIT" == "1" ]; then 88 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ACK,URG URG -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " 89 | fi 90 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ACK,URG URG $RAB_SANITY_FLAGS -j $TCP_STOP 91 | if [ "$LOG_DROP" == "1" ]; then 92 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ACK,PSH PSH -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 93 | fi 94 | if [ "$RAB_LOG_HIT" == "1" ]; then 95 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ACK,PSH PSH -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " 96 | fi 97 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ACK,PSH PSH $RAB_SANITY_FLAGS -j $TCP_STOP 98 | if [ "$LOG_DROP" == "1" ]; then 99 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp 
--tcp-flags ALL FIN,URG,PSH -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 100 | fi 101 | if [ "$RAB_LOG_HIT" == "1" ]; then 102 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " 103 | fi 104 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL FIN,URG,PSH $RAB_SANITY_FLAGS -j $TCP_STOP 105 | if [ "$LOG_DROP" == "1" ]; then 106 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 107 | fi 108 | if [ "$RAB_LOG_HIT" == "1" ]; then 109 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " 110 | fi 111 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG $RAB_SANITY_FLAGS -j $TCP_STOP 112 | if [ "$LOG_DROP" == "1" ]; then 113 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL ALL -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 114 | fi 115 | if [ "$RAB_LOG_HIT" == "1" ]; then 116 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL ALL -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " 117 | fi 118 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL ALL $RAB_SANITY_FLAGS -j $TCP_STOP 119 | if [ "$LOG_DROP" == "1" ]; then 120 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 121 | fi 122 | if [ "$RAB_LOG_HIT" == "1" ]; then 123 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** 
" 124 | fi 125 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-flags ALL FIN $RAB_SANITY_FLAGS -j $TCP_STOP 126 | 127 | eout "{pkt_sanity} deny outbound tcp-flag pairs ALL NONE" 128 | eout "{pkt_sanity} deny outbound tcp-flag pairs SYN,FIN SYN,FIN" 129 | eout "{pkt_sanity} deny outbound tcp-flag pairs SYN,RST SYN,RST" 130 | eout "{pkt_sanity} deny outbound tcp-flag pairs FIN,RST FIN,RST" 131 | eout "{pkt_sanity} deny outbound tcp-flag pairs ACK,FIN FIN" 132 | eout "{pkt_sanity} deny outbound tcp-flag pairs ACK,PSH PSH" 133 | eout "{pkt_sanity} deny outbound tcp-flag pairs ACK,URG URG" 134 | $IPT $IPT_FLAGS -N OUT_SANITY 135 | if [ "$LOG_DROP" == "1" ]; then 136 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags ALL NONE -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 137 | fi 138 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags ALL NONE -j $TCP_STOP 139 | if [ "$LOG_DROP" == "1" ]; then 140 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 141 | fi 142 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -j $TCP_STOP 143 | if [ "$LOG_DROP" == "1" ]; then 144 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 145 | fi 146 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags SYN,RST SYN,RST -j $TCP_STOP 147 | if [ "$LOG_DROP" == "1" ]; then 148 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 149 | fi 150 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags FIN,RST FIN,RST -j $TCP_STOP 151 | if [ "$LOG_DROP" == "1" ]; then 152 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags ACK,FIN FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET 
--log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 153 | fi 154 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags ACK,FIN FIN -j $TCP_STOP 155 | if [ "$LOG_DROP" == "1" ]; then 156 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags ACK,PSH PSH -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 157 | fi 158 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags ACK,PSH PSH -j $TCP_STOP 159 | if [ "$LOG_DROP" == "1" ]; then 160 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags ACK,URG URG -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 161 | fi 162 | $IPT $IPT_FLAGS -A OUT_SANITY -p tcp --tcp-flags ACK,URG URG -j $TCP_STOP 163 | 164 | if [ "$PKT_SANITY_INV" == "1" ]; then 165 | # Block Traffic With Invalid Flags 166 | eout "{pkt_sanity} check inbound for INVALID states" 167 | eout "{pkt_sanity} check outbound for INVALID states" 168 | eout "{pkt_sanity} deny inbound tcp-option 64" 169 | eout "{pkt_sanity} deny inbound tcp-option 128" 170 | if [ "$LOG_DROP" == "1" ]; then 171 | $IPT $IPT_FLAGS -A IN_SANITY -m state --state INVALID -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 172 | fi 173 | $IPT $IPT_FLAGS -A IN_SANITY -m state --state INVALID -j $ALL_STOP 174 | if [ "$LOG_DROP" == "1" ]; then 175 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-option 64 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 176 | fi 177 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-option 64 -j $TCP_STOP 178 | if [ "$LOG_DROP" == "1" ]; then 179 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-option 128 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 180 | fi 181 | $IPT $IPT_FLAGS -A IN_SANITY -p tcp --tcp-option 128 -j $TCP_STOP 182 | if [ "$LOG_DROP" == "1" ]; then 183 | $IPT $IPT_FLAGS -A OUT_SANITY -m 
state --state INVALID -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " 184 | fi 185 | $IPT $IPT_FLAGS -A OUT_SANITY -m state --state INVALID -j $ALL_STOP 186 | fi 187 | 188 | $IPT $IPT_FLAGS -A OUTPUT -j OUT_SANITY 189 | $IPT $IPT_FLAGS -A INPUT -j IN_SANITY 190 | 191 | if [ "$PKT_SANITY_FUDP" == "1" ]; then 192 | # Block fragmented UDP 193 | eout "{pkt_sanity} deny all fragmented udp" 194 | $IPT $IPT_FLAGS -N FRAG_UDP 195 | if [ "$LOG_DROP" == "1" ]; then 196 | $IPT $IPT_FLAGS -A FRAG_UDP -p udp -f -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** UDP Frag ** " 197 | fi 198 | if [ "$RAB_LOG_HIT" == "1" ]; then 199 | $IPT $IPT_FLAGS -A FRAG_UDP -p udp -f -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** RABHIT ** " 200 | fi 201 | $IPT $IPT_FLAGS -A FRAG_UDP -p udp -f $RAB_SANITY_FLAGS -j $UDP_STOP 202 | $IPT $IPT_FLAGS -A INPUT -j FRAG_UDP 203 | $IPT $IPT_FLAGS -A OUTPUT -j FRAG_UDP 204 | fi 205 | if [ "$PKT_SANITY_PZERO" == "1" ]; then 206 | # Block port zero traffic 207 | eout "{pkt_sanity} deny inbound tcp port 0" 208 | eout "{pkt_sanity} deny outbound tcp port 0" 209 | $IPT $IPT_FLAGS -N PZERO 210 | if [ "$LOG_DROP" == "1" ]; then 211 | $IPT $IPT_FLAGS -A PZERO -p tcp --dport 0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** Port Zero ** " 212 | fi 213 | $IPT $IPT_FLAGS -A PZERO -p tcp --dport 0 $RAB_SANITY_FLAGS -j $TCP_STOP 214 | if [ "$LOG_DROP" == "1" ]; then 215 | $IPT $IPT_FLAGS -A PZERO -p udp --dport 0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** Port Zero ** " 216 | fi 217 | $IPT $IPT_FLAGS -A PZERO -p udp --dport 0 $RAB_SANITY_FLAGS -j $UDP_STOP 218 | if [ "$LOG_DROP" == "1" ]; then 219 | $IPT $IPT_FLAGS -A PZERO -p tcp --sport 0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT 
--log-prefix "** Port Zero ** " 220 | fi 221 | $IPT $IPT_FLAGS -A PZERO -p tcp --sport 0 $RAB_SANITY_FLAGS -j $TCP_STOP 222 | if [ "$LOG_DROP" == "1" ]; then 223 | $IPT $IPT_FLAGS -A PZERO -p udp --sport 0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** Port Zero ** " 224 | fi 225 | $IPT $IPT_FLAGS -A PZERO -p udp --sport 0 $RAB_SANITY_FLAGS -j $UDP_STOP 226 | $IPT $IPT_FLAGS -A INPUT -j PZERO 227 | $IPT $IPT_FLAGS -A OUTPUT -j PZERO 228 | fi 229 | fi 230 | 231 | if [ "$BLK_IDENT" = "1" ]; then 232 | eout "{blk_ident} set active BLK_IDENT" 233 | # Reject ident request if not defined in IG_TCP_CPORTS 234 | if [ "$(echo $IG_TCP_CPORTS | tr ',' '\n' | grep -w 113)" == "" ]; then 235 | eout "{blk_ident} reject all to/from tcp port 113" 236 | $IPT $IPT_FLAGS -N IDENT 237 | if [ "$LOG_DROP" == "1" ]; then 238 | $IPT $IPT_FLAGS -A IDENT -p tcp -s 0/0 -d 0/0 --dport 113 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** IDENT ** " 239 | fi 240 | $IPT $IPT_FLAGS -A IDENT -p tcp -s 0/0 -d 0/0 --dport 113 -j REJECT 241 | if [ "$LOG_DROP" == "1" ]; then 242 | $IPT $IPT_FLAGS -A IDENT -p tcp -s 0/0 -d 0/0 --sport 113 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** IDENT ** " 243 | fi 244 | $IPT $IPT_FLAGS -A IDENT -p tcp -s 0/0 -d 0/0 --sport 113 -j REJECT 245 | if [ "$LOG_DROP" == "1" ]; then 246 | $IPT $IPT_FLAGS -A IDENT -p udp -s 0/0 -d 0/0 --dport 113 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** IDENT ** " 247 | fi 248 | $IPT $IPT_FLAGS -A IDENT -p udp -s 0/0 -d 0/0 --dport 113 -j REJECT 249 | if [ "$LOG_DROP" == "1" ]; then 250 | $IPT $IPT_FLAGS -A IDENT -p udp -s 0/0 -d 0/0 --sport 113 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** IDENT ** " 251 | fi 252 | $IPT $IPT_FLAGS -A IDENT -p udp -s 0/0 -d 0/0 --sport 113 -j REJECT 253 | $IPT 
$IPT_FLAGS -A INPUT -j IDENT 254 | $IPT $IPT_FLAGS -A OUTPUT -j IDENT 255 | fi 256 | fi 257 | 258 | if [ "$BLK_MCATNET" == "1" ]; then 259 | eout "{blk_mcat} set active BLK_MCATNET" 260 | # Block Multicast 261 | eout "{blk_mcat} deny all from 224.0.0.0/8" 262 | eout "{blk_mcat} deny all to 224.0.0.0/8" 263 | $IPT $IPT_FLAGS -N MCAST 264 | if [ "$LOG_DROP" == "1" ]; then 265 | $IPT $IPT_FLAGS -A MCAST -s 224.0.0.0/8 -d 0/0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** MCAST ** " 266 | fi 267 | $IPT $IPT_FLAGS -A MCAST -s 224.0.0.0/8 -d 0/0 -j $ALL_STOP 268 | if [ "$LOG_DROP" == "1" ]; then 269 | $IPT $IPT_FLAGS -A MCAST -s 0/0 -d 224.0.0.0/8 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** MCAST ** " 270 | fi 271 | $IPT $IPT_FLAGS -A MCAST -s 0/0 -d 224.0.0.0/8 -j $ALL_STOP 272 | $IPT $IPT_FLAGS -A INPUT -j MCAST 273 | $IPT $IPT_FLAGS -A OUTPUT -j MCAST 274 | fi 275 | 276 | if [ ! "$BLK_P2P_PORTS" == "" ]; then 277 | eout "{blk_p2p} set active BLK_P2P" 278 | # Drop traffic to/from common p2p networks 279 | # winmx,napster,bittorrent,gnutella,edonkey,kazaa,morpheus 280 | $IPT $IPT_FLAGS -N P2P 281 | for i in `echo $BLK_P2P_PORTS | tr ',' ' '`; do 282 | MVAL=`echo $i | grep "_"` 283 | PORT=$i 284 | if [ "$MVAL" == "" ]; then 285 | eout "{blk_p2p} deny all to/from tcp port $i" 286 | eout "{blk_p2p} deny all to/from udp port $i" 287 | if [ "$LOG_DROP" == "1" ]; then 288 | $IPT $IPT_FLAGS -A P2P -p tcp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORT -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " 289 | fi 290 | $IPT $IPT_FLAGS -A P2P -p tcp -s 0/0 -d 0/0 --dport $PORT -j REJECT 291 | if [ "$LOG_DROP" == "1" ]; then 292 | $IPT $IPT_FLAGS -A P2P -p tcp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORT -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " 293 | fi 294 | $IPT 
$IPT_FLAGS -A P2P -p tcp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORT -j REJECT 295 | if [ "$LOG_DROP" == "1" ]; then 296 | $IPT $IPT_FLAGS -A P2P -p udp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORT -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " 297 | fi 298 | $IPT $IPT_FLAGS -A P2P -p udp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORT -j REJECT 299 | if [ "$LOG_DROP" == "1" ]; then 300 | $IPT $IPT_FLAGS -A P2P -p udp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORT -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " 301 | fi 302 | $IPT $IPT_FLAGS -A P2P -p udp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORT -j REJECT 303 | else 304 | PORT_BEG=`echo $i | tr '_' ' ' | awk '{print$1}'` 305 | PORT_END=`echo $i | tr '_' ' ' | awk '{print$2}'` 306 | PORTST="$PORT_BEG:$PORT_END" 307 | eout "{blk_p2p} deny all to/from tcp port $PORTST" 308 | eout "{blk_p2p} deny all to/from udp port $PORTST" 309 | if [ "$LOG_DROP" == "1" ]; then 310 | $IPT $IPT_FLAGS -A P2P -p tcp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORTST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " 311 | fi 312 | $IPT $IPT_FLAGS -A P2P -p tcp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORTST -j REJECT 313 | if [ "$LOG_DROP" == "1" ]; then 314 | $IPT $IPT_FLAGS -A P2P -p tcp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORTST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " 315 | fi 316 | $IPT $IPT_FLAGS -A P2P -p tcp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORTST -j REJECT 317 | if [ "$LOG_DROP" == "1" ]; then 318 | $IPT $IPT_FLAGS -A P2P -p udp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORTST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " 319 | fi 320 | $IPT $IPT_FLAGS -A P2P -p udp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORTST -j 
REJECT 321 | if [ "$LOG_DROP" == "1" ]; then 322 | $IPT $IPT_FLAGS -A P2P -p udp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORTST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " 323 | fi 324 | $IPT $IPT_FLAGS -A P2P -p udp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORTST -j REJECT 325 | fi 326 | done 327 | $IPT $IPT_FLAGS -A INPUT -j P2P 328 | $IPT $IPT_FLAGS -A OUTPUT -j P2P 329 | fi 330 | 331 | if [ "$BLK_TCP_SACK_PANIC" == "1" ] && [ ! "$SYSCTL_TCP_NOSACK" == "1" ]; then 332 | eout "{blk_tcp_sack_panic} applying mitigation for TCP SACK Panic CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 https://access.redhat.com/security/vulnerabilities/tcpsack" 333 | eout "{blk_tcp_sack_panic} deny inbound tcp-flags SYN with MSS size 1 to 500 bytes " 334 | $IPT $IPT_FLAGS -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j $TCP_STOP 335 | if [ "$USE_IPV6" == "1" ]; then 336 | $IP6T -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j $TCP_STOP 337 | fi 338 | fi 339 | -------------------------------------------------------------------------------- /files/conf.apf: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | ## 4 | # Advanced Policy Firewall (APF) v1.7.6 5 | # (C) 2002-2019, R-fx Networks 6 | # (C) 2019, Ryan MacDonald 7 | # This program may be freely redistributed under the terms of the GNU GPL v2 8 | ## 9 | # NOTE: This file should be edited with word/line wrapping off, 10 | # if your using pico/nano please start use the -w switch 11 | # (e.g: nano -w filename) 12 | 13 | ## 14 | # [Main] 15 | ## 16 | # !!! Do not leave set to (1) !!! 17 | # When set to enabled; 5 minute cronjob is set to stop the firewall. Set 18 | # this off (0) when firewall is determined to be operating as desired. 19 | DEVEL_MODE="1" 20 | 21 | # The installation path of APF; this can be changed but it is not recommended. 
22 | INSTALL_PATH="/etc/apf" 23 | 24 | # Untrusted Network interface; all traffic on defined interface will be 25 | # subject to all firewall rules. This should be your internet exposed 26 | # interface. 27 | IFACE_UNTRUSTED="eth0" 28 | 29 | # Trusted Network interface(s); all traffic on defined interface(s) will by-pass 30 | # ALL firewall rules, format is white space or comma separated list. 31 | IFACE_TRUSTED="" 32 | 33 | # This option enables IPv6 support for APF and loads all appropriate IPv6 kernel 34 | # modules. This feature depends on IPv6 support being enabled in your networking 35 | # configuration and that the modules are explicitly available. Please ensure that 36 | # you do not have IPv6 disabled via modprobe.conf/.d or in sysconfig files. 37 | # Note: The VNET (virtual network) feature does not currently support IPv6. 38 | USE_IPV6="0" 39 | 40 | # This option will allow for all status events to be displayed in real time on 41 | # the console as you use the firewall. Typically, APF used to operate silent 42 | # with all logging piped to $LOG_APF. The use of this option will not disable 43 | # the standard log file displayed by apf --status but rather compliment it. 44 | SET_VERBOSE="1" 45 | 46 | # The fast load feature makes use of the iptables-save/restore facilities to do 47 | # a snapshot save of the current firewall rules on an APF stop then when APF is 48 | # instructed to start again it will restore the snapshot. This feature allows 49 | # APF to load hundreds of rules back into the firewall without the need to 50 | # regenerate every firewall entry. 
51 | # Note: a) if system uptime is below 5 minutes, the snapshot is expired 52 | # b) if snapshot age exceeds 12 hours, the snapshot is expired 53 | # c) if conf or a .rule has changed since last load, snapshot is expired 54 | # d) if it is your first run of APF since install, snapshot is generated 55 | # - an expired snapshot means APF will do a full start rule-by-rule 56 | SET_FASTLOAD="0" 57 | 58 | # Virtual Network Sub-System (VNET) creates independent policy rule set for 59 | # each IP on a system to /etc/apf/vnet/IP.rules. These rule files can be 60 | # configured with conf.apf variables for unique but convenient firewall 61 | # policies or custom iptables entries for even greater flexibility. 62 | SET_VNET="0" 63 | 64 | # This feature firewalls any additional interfaces on the server as untrusted 65 | # through the VNET sub-system. Excluded are interfaces that have already been 66 | # defined by IFACE_* variables. This feature is ideal for systems running 67 | # private interfaces where not all hosts on the private network are trusted or 68 | # are otherwise exposed to "open" networks through this private interface 69 | # (i.e: the Internet, network accessible storage LAN, corporate WAN, etc..) 70 | SET_ADDIFACE="0" 71 | 72 | # This allows the firewall to work around modular kernel issues by assuming 73 | # that the system has all required firewall modules compiled directly into 74 | # kernel. This mode of operation is not generally recommended but can be used 75 | # scale APF to unique situations. 76 | SET_MONOKERN="0" 77 | 78 | # The expiry interval, in seconds, that bans will be expired out of the trust 79 | # system. This only applies to local bans from deny_hosts.rules and not global 80 | # import rules. The value must not be less than equiv. seconds of SET_REFRESH. 81 | # [value in seconds, 0 to disable, recommended 600] 82 | SET_EXPIRE="0" 83 | 84 | # This controls how often, if at all, we want the trust system to refresh rules. 
85 | # The firewall will flush & reload all static rules, redownload global rules and 86 | # re-resolve any dns names in the rules. This is ideal when using dynamic dns 87 | # names or downloadable global trust rules. 88 | # [value in minutes, 0 to disable] 89 | SET_REFRESH="10" 90 | 91 | # The refreshing of large allow/deny trust files can be resource intensive, this 92 | # feature checks for changes to trust files between refreshes and only performs 93 | # a refresh if contents have changed. If you are using dynamic DNS names in trust 94 | # rules, which require regular DNS refreshes, you should keep this disabled. 95 | # [value 1 to enable, 0 to disable] 96 | SET_REFRESH_MD5="0" 97 | 98 | # This is the total amount of rules allowed inside of the deny trust system. 99 | # When this limit is reached, the deny rule files will begin to purge older 100 | # entries to maintain the set limit. [value is max lines, 0 for unlimited] 101 | SET_TRIM="250" 102 | 103 | # Verifies that the IFACE_* and IFACE_TRUSTED interfaces are actually routed 104 | # to something. If configured interfaces are found with no routes setup then 105 | # APF will exit with an error to prevent further issues (such as being locked 106 | # out of the system). 107 | VF_ROUTE="1" 108 | 109 | # Verifies that all inbound traffic is sourced from a defined local gateway MAC 110 | # address. All other traffic that does not match this MAC address will be 111 | # rejected as untrusted traffic. It is quite easy to forge a MAC address and as 112 | # such this feature executes NO default accept policy. Leave this option empty 113 | # to disable or enter a 48-bit MAC address to enable. 114 | VF_LGATE="" 115 | 116 | ## 117 | # [Reactive Address Blocking] 118 | ## 119 | # Reactive Address Blocking (RAB) monitors addresses as they traverse the firewall 120 | # rules and tracks all policy violations attempted by an address. 
The firewall then 121 | # reacts to the violations by blocking addresses temporarily on the assumption that 122 | # we are protecting the host from what an attacker may do under the pretext of what 123 | # an attacker has already done. The interface that powers RAB is the iptables kernel 124 | # module 'xt/ipt_recent'; as such there are no external programs required for this 125 | # feature or additional load imposed by it. 126 | RAB="0" 127 | 128 | # This enables RAB for sanity violations, which is when an address breaks a 129 | # strict conformity standard such as trying to spoof an address or modify 130 | # packet flags. It is strongly recommended that this option NOT be disabled. 131 | RAB_SANITY="1" 132 | 133 | # This enables RAB for port scan violations, which is when an address attempts 134 | # to connect to a port that has been classified as malicious. These types of 135 | # ports are those which are not commonly used in today's Internet but are 136 | # the subject of scrutiny by attackers, such as 1,7,9,11 and so on. The security 137 | # level defines the group of ports that RAB will react against. The port groups 138 | # can be customized in 'internals/rab.ports'. 139 | # 0 = disabled | 1 = low security | 2 = medium security | 3 = high security 140 | RAB_PSCAN_LEVEL="1" 141 | 142 | # This controls the number of violation hits an address must have before it 143 | # is blocked. It is a good idea to keep this very low to prevent evasive 144 | # measures. The default is 0 or 1, meaning instant block on first violation. 145 | RAB_HITCOUNT="1" 146 | 147 | # This is the amount of time (in seconds) that an address gets blocked for if 148 | # a violation is triggered, the default is 300s (5 minutes). 149 | RAB_TIMER="300" 150 | 151 | # This allows RAB to 'trip' the block timer back to 0 seconds if an address 152 | # attempts ANY subsequent communication while still on the initial block period. 
153 | RAB_TRIP="1" 154 | 155 | # This controls if the firewall should log all violation hits from an address. 156 | # Setting the LOG_DROP variable to 1 will override this to force logging. 157 | RAB_LOG_HIT="1" 158 | 159 | # This controls if the firewall should log all subsequent traffic from an address 160 | # that is already blocked for a violation hit; this can generate a lot of logs. 161 | # Setting the LOG_DROP variable to 1 will override this to force logging. 162 | RAB_LOG_TRIP="0" 163 | 164 | ## 165 | # [Packet Filtering/Handling] 166 | ## 167 | # How to handle TCP packet filtering? 168 | # 169 | # RESET (sends a tcp-reset; TCP/IP default) 170 | # DROP (drop the packet; stealth ?) 171 | # REJECT (reject the packet) 172 | TCP_STOP="DROP" 173 | 174 | # How to handle UDP packet filtering? 175 | # 176 | # RESET (sends an icmp-port-unreachable; TCP/IP default) 177 | # DROP (drop the packet; stealth ?) 178 | # REJECT (reject the packet) 179 | # PROHIBIT (send an icmp-host-prohibited) 180 | UDP_STOP="DROP" 181 | 182 | # How to handle all other packet filtering? 183 | # 184 | # DROP (drop the packet) 185 | # REJECT (reject the packet) 186 | ALL_STOP="DROP" 187 | 188 | # The sanity options control the way packets are scrutinized as they flow 189 | # through the firewall. The main PKT_SANITY option is a top level toggle for 190 | # all SANITY options and provides general packet flag sanity as a pre-scrub 191 | # for the other sanity options. In short, this makes sure that all packets 192 | # coming and going conform to strict TCP/IP standards. In doing so we make it 193 | # very difficult for attackers to inject raw/custom packets into the server. 194 | PKT_SANITY="1" 195 | 196 | # Block any packets that do not conform as VALID, this feature is safe for most 197 | # but some may experience protocol issues with broken remote clients. 
This is 198 | # very similar to PKT_SANITY but has a wider scope and as such has the ability 199 | # to affect many application protocols in undesirable ways. 200 | PKT_SANITY_INV="0" 201 | 202 | # Block any fragmented UDP packets, this is safe as no UDP packets should 203 | # ever be fragmented. 204 | PKT_SANITY_FUDP="1" 205 | 206 | # Block packets with a source or destination of port 0, this is safe as 207 | # nothing should ever communicate on port 0 (technically does not exist). 208 | PKT_SANITY_PZERO="1" 209 | 210 | # Default Type of Service (TOS); These values should be set to a comma 211 | # separated list of ports which you would like marked with the given TOS level. 212 | # 213 | # Set the default TOS value [0,2,4,8,16] 214 | TOS_DEF="0" 215 | 216 | # Set the default TOS port range 217 | TOS_DEF_RANGE="512:65535" 218 | 219 | # 0: Ports for Normal-Service 220 | TOS_0="" 221 | 222 | # 2: Ports for Minimize-Cost 223 | TOS_2="" 224 | 225 | # 4: Ports for Minimize Delay - Maximize Reliability 226 | TOS_4="" 227 | 228 | # 8: Ports for Maximum Throughput - Minimum Delay 229 | TOS_8="21,20,80" 230 | 231 | # 16: Ports for No Delay - Moderate Throughput - High Reliability 232 | TOS_16="25,110,143" 233 | 234 | # Allow traceroute requests on the defined range of ports. This feature 235 | # is not required for normal operations and some even prefer it disabled. 236 | # Enable Traceroute # Traceroute ports 237 | TCR_PASS="1" TCR_PORTS="33434:33534" 238 | 239 | # Set a reasonable packet/time ratio for ICMP packets, exceeding this flow 240 | # will result in dropped ICMP packets. Supported values are in the form of: 241 | # pkt/s (packets/seconds), pkt/m (packets/minutes) 242 | # Set value to 0 for unlimited, anything above is enabled. 243 | ICMP_LIM="30/s" 244 | 245 | # Creates firewall rules based on the local name servers as defined in the 246 | # /etc/resolv.conf file. This is the preferred secure method for client side 247 | # name server requests. 
This option has no bearing on a locally hosted DNS 248 | # service. 249 | RESV_DNS="1" 250 | 251 | # When RESV_DNS is enabled, all the untrusted name server traffic can fill the 252 | # logs with client DNS traffic. This can be suppressed with an implicit drop 253 | # of all such traffic (sport 53 inbound) as so to avoid log chains. If you run 254 | # applications that have unique name servers configured, this may break them. 255 | RESV_DNS_DROP="1" 256 | 257 | # A common set of known Peer-To-Peer (p2p) protocol ports that are often 258 | # considered undesirable traffic on public Internet servers. These ports 259 | # are also often abused on web hosting servers where clients upload p2p 260 | # client agents for the purpose of distributing or downloading pirated media. 261 | # Format is comma separated for single ports and an underscore separator for 262 | # ranges (4660_4678). 263 | BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778" 264 | 265 | # These are common Internet service ports that are understood in the wild 266 | # services you would not want logged under normal circumstances. All ports 267 | # that are defined here will be implicitly dropped with no logging for 268 | # TCP/UDP traffic inbound or outbound. Format is comma separated for single 269 | # ports and an underscore separator for ranges (135_139). 270 | BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127" 271 | 272 | # You need multicasting if you intend to participate in the MBONE, a high 273 | # bandwidth network on top of the Internet which carries audio and video 274 | # broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/, this is generally 275 | # safe to enable. 276 | BLK_MCATNET="0" 277 | 278 | # Block all private ipv4 addresses, this is address space reserved for private 279 | # networks or otherwise unroutable on the Internet. 
If this host resides behind 280 | # a router with NAT or routing scheme that otherwise uses private addressing, 281 | # leave this option OFF. Refer to the 'internals/private.networks' file for 282 | # listing of private address space. 283 | BLK_PRVNET="0" 284 | 285 | # Block all ipv4 address space marked reserved for future use (unassigned), 286 | # such networks have no business talking on the Internet. However they may at 287 | # some point become live address space. The USE_RD option further in this file 288 | # allows for dynamic updating of this list on every full restart of APF. Refer 289 | # to the 'internals/reserved.networks' file for listing of address space. 290 | BLK_RESNET="1" 291 | 292 | # Three related flaws were found in the Linux kernel’s handling of TCP Selective 293 | # Acknowledgement (SACK) packets handling with low MSS size. The extent of impact 294 | # is understood to be limited to denial of service at this time. 295 | # 296 | # ref: https://access.redhat.com/security/vulnerabilities/tcpsack 297 | # CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 298 | # 299 | # This may affect traffic from legitimate sources that require the lower MSS values 300 | # to transmit correctly. 301 | # 302 | # The recommended safe path is to disable TCP SACK with SYSCTL_TCP_NOSACK=1 303 | # This can be safely ignored if you are running on a modern patched kernel newer 304 | # than June 16th 2019. 305 | BLK_TCP_SACK_PANIC="0" 306 | 307 | # Block all ident (tcp 113) requests in and out of the server IF the port is 308 | # not already opened in *_TCP_CPORTS. This uses a REJECT target to make sure 309 | # the ident requests terminate quickly. You can see an increase in irc and 310 | # other connection performance with this feature. 311 | BLK_IDENT="0" 312 | 313 | # This is the maximum number of "sessions" (connection tracking entries) that 314 | # can be handled simultaneously by the firewall in kernel memory. 
Increasing 315 | # this value too high will simply waste memory and add latency but setting it 316 | # too low may result in some or all connections being refused, in particular 317 | # during denial of service attacks. 318 | SYSCTL_CONNTRACK="131072" 319 | 320 | SYSCTL_CONNTRACK_ADAPTIVE="0" 321 | SYSCTL_CONNTRACK_INCREMENT="65536" 322 | SYSCTL_CONNTRACK_HIGH="1048576" 323 | SYSCTL_CONNTRACK_BUCKETS="16384" 324 | 325 | # These are system control (sysctl) option changes to disable TCP features 326 | # that can be abused in addition to tweaking other TCP features for increased 327 | # performance and reliability. 328 | SYSCTL_TCP="1" 329 | 330 | # Three related flaws were found in the Linux kernel’s handling of TCP Selective 331 | # Acknowledgement (SACK) packets with low MSS size. The extent of impact 332 | # is understood to be limited to denial of service at this time. 333 | # 334 | # ref: https://access.redhat.com/security/vulnerabilities/tcpsack 335 | # CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 336 | # 337 | # This can be safely ignored if you are running on a modern patched kernel newer 338 | # than June 16th 2019. 339 | SYSCTL_TCP_NOSACK="0" 340 | 341 | # These are system control (sysctl) option changes intended to help mitigate 342 | # syn-flood attacks by lowering syn retry, syn backlog & syn time-out values. 343 | SYSCTL_SYN="0" 344 | 345 | # These are system control (sysctl) option changes to provide protection from 346 | # spoofed packets and ip/arp/route redirection. If you are performing advanced 347 | # routing policies on this host such as NAT/MASQ you should disable this. 348 | SYSCTL_ROUTE="0" 349 | 350 | # This system control (sysctl) option will log all network traffic that is 351 | # from impossible source addresses. This option can discover attacks or issues 352 | # on your network you may otherwise not be aware of. 
353 | SYSCTL_LOGMARTIANS="0" 354 | 355 | # This system control (sysctl) option will allow you to control ECN support 356 | # (Explicit Congestion Notification). This feature provides an improved method 357 | # for congestion avoidance by allowing the network to mark packets for 358 | # transmission later, rather than dropping them from the queue. Please also 359 | # see the related DLIST_ECNSHAME option further down in this file. 360 | SYSCTL_ECN="0" 361 | 362 | # This system control (sysctl) option will allow you to make use of SynCookies 363 | # support. This feature will send out a 'syn-cookie' when the syn backlog for a 364 | # socket becomes overflowed. The cookie is used to interrupt the flow of syn 365 | # transmissions with a hashed sequence number that must be correlated with the 366 | # sending host. The hash is made up of the sending host address, packet flags 367 | # etc..; if the sending host does not validate against the hash then the tcp 368 | # hand-shake is terminated. In short, this helps to mitigate syn-flood attacks. 369 | # Note: syncookies seriously violate the TCP protocol and can result in serious 370 | # degradation of some services (e.g. SMTP); visible not by you, but by your 371 | # clients and relays who are contacting your system. 372 | SYSCTL_SYNCOOKIES="1" 373 | 374 | # This system control (sysctl) option allows for the use of Abort_On_Overflow 375 | # support. This feature will help mitigate burst floods if a listening service 376 | # is too slow to accept new connections. This option is an alternative for 377 | # SynCookies and both should NEVER be enabled at once. 378 | # Note: This option can harm clients contacting your system. Enable option only 379 | # if you are sure that the listening daemon can not be tuned to accept 380 | # connections faster. 381 | SYSCTL_OVERFLOW="0" 382 | 383 | # The helper chains are designed to assist applications in working with the 384 | # stateful firewall in a more reliable fashion. 
You should keep these settings 385 | # current with the ports SSH and FTP are operating on. Please DO NOT CONFUSE 386 | # these settings with opening the SSH/FTP port as they have no bearing on 387 | # actually connecting to the services. They are only for helping maintain your 388 | # connection to the services [ESTABLISHED,RELATED connection states, not NEW]. 389 | HELPER_SSH="1" 390 | HELPER_SSH_PORT="22" 391 | 392 | HELPER_FTP="1" 393 | HELPER_FTP_PORT="21" 394 | HELPER_FTP_DATA="20" 395 | 396 | # Configure inbound (ingress) accepted services. This is an optional 397 | # feature; services and customized entries may be made directly to an ip's 398 | # virtual net file located in the vnet/ directory. Format is comma separated 399 | # and underscore separator for ranges. 400 | # 401 | # Example: 402 | # IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000" 403 | # IG_UDP_CPORTS="20,21,53,123" 404 | # IG_ICMP_TYPES="3,5,11,0,30,8" 405 | 406 | # Common inbound (ingress) TCP ports 407 | IG_TCP_CPORTS="22" 408 | 409 | # Common inbound (ingress) UDP ports 410 | IG_UDP_CPORTS="" 411 | 412 | # Common ICMP inbound (ingress) types 413 | # 'internals/icmp.types' for type definition; 'all' is wildcard for any 414 | IG_ICMP_TYPES="3,5,11,0,30,8" 415 | 416 | # Configure outbound (egress) accepted services. This is an optional 417 | # feature; services and customized entries may be made directly to an ip's 418 | # virtual net file located in the vnet/ directory. 419 | # 420 | # Outbound (egress) filtering is not required but makes your firewall setup 421 | # complete by providing full inbound and outbound packet filtering. You can 422 | # toggle outbound filtering on or off with the EGF variable. Format is comma 423 | # separated and underscore separator for ranges. 
424 | # 425 | # Example: 426 | # EG_TCP_CPORTS="21,25,80,443,43" 427 | # EG_UDP_CPORTS="20,21,53" 428 | # EG_ICMP_TYPES="all" 429 | 430 | # Outbound (egress) filtering 431 | EGF="0" 432 | 433 | # Common outbound (egress) TCP ports 434 | EG_TCP_CPORTS="21,25,80,443,43" 435 | 436 | # Common outbound (egress) UDP ports 437 | EG_UDP_CPORTS="20,21,53" 438 | 439 | # Common ICMP outbound (egress) types 440 | # 'internals/icmp.types' for type definition; 'all' is wildcard for any 441 | EG_ICMP_TYPES="all" 442 | 443 | # Configure user-id specific outbound (egress) port access. This is a more 444 | # granular feature to limit the scope of outbound packet flows with user-id 445 | # conditioning. Format is comma separated and underscore separator for ranges. 446 | # This is NOT A FILTERING FEATURE, this is an ACCESS CONTROL feature. That 447 | # means EG_TCP_UID and EG_UDP_UID are intended to ALLOW outbound access for 448 | # specified users, not DENY. 449 | # 450 | # Format: EG_[TCP|UDP]_UID="uid:port" 451 | # Example: 452 | # Allow outbound access to destination port 22 for uid 0 453 | # EG_TCP_UID="0:22" 454 | 455 | # UID-Match outbound (egress) TCP ports 456 | EG_TCP_UID="" 457 | 458 | # UID-Match outbound (egress) UDP ports 459 | EG_UDP_UID="" 460 | 461 | # Configure executable specific outbound (egress) filtering. This is a more 462 | # granular feature to limit the scope of outbound packet flows with executable 463 | # conditioning. The packet filtering is based on the CMD process field being 464 | # passed along to iptables. All logged events for these rules will also include 465 | # the executable CMD name in the log chain. This is A FILTERING FEATURE, not an 466 | # ACCESS CONTROL feature. That means EG_DROP_CMD is intended to DENY outbound 467 | # access for specified programs, not ALLOW. 468 | # 469 | # Format is comma separated list of executable names you wish to ban from being 470 | # able to transmit data out of your server. 
471 | 472 | # CMD-Match outbound (egress) denied applications 473 | EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl" 474 | 475 | ## 476 | # [Remote Rule Imports] 477 | ## 478 | # Project Honey Pot is the first and only distributed system for identifying 479 | # spammers and the spambots they use to scrape addresses from your website. 480 | # This aggregate list combines Harvesters, Spammers and SMTP Dictionary attacks 481 | # from the PHP IP Data at: http://www.projecthoneypot.org/list_of_ips.php 482 | DLIST_PHP="0" 483 | DLIST_PHP_URL="http://cdn.rfxn.com/downloads/php_list" 484 | 485 | # The Spamhaus Don't Route Or Peer List (DROP) is an advisory "drop all 486 | # traffic" list, consisting of stolen 'zombie' netblocks and netblocks 487 | # controlled entirely by professional spammers. For more information please 488 | # see http://www.spamhaus.org/drop/. 489 | DLIST_SPAMHAUS="0" 490 | DLIST_SPAMHAUS_URL="http://www.spamhaus.org/drop/drop.lasso" 491 | 492 | # DShield collects data about malicious activity from across the Internet. 493 | # This data is cataloged, summarized and can be used to discover trends in 494 | # activity, confirm widespread attacks, or assist in preparing better firewall 495 | # rules. This is a list of top networks that have exhibited suspicious activity. 496 | DLIST_DSHIELD="0" 497 | DLIST_DSHIELD_URL="http://feeds.dshield.org/top10-2.txt" 498 | 499 | # The reserved networks list is addresses which ARIN has marked as reserved 500 | # for future assignment and have no business as valid traffic on the internet. 501 | # Such addresses are often used as spoofed (Fake) hosts during attacks, this 502 | # will update the reserved networks list in order to prevent new ip assignments 503 | # on the internet from getting blocked; this option is only important when 504 | # BLK_RESNET is set to enabled. 
505 | DLIST_RESERVED="1" 506 | DLIST_RESERVED_URL="http://cdn.rfxn.com/downloads/reserved.networks" 507 | 508 | # ECN is an extension which helps reduce congestion. Unfortunately some 509 | # clueless software/hardware vendors have set up their sites or implemented 510 | # TCP/IP in a very broken manner. If you try to talk to these sites with ECN 511 | # turned on, they will drop all packets from you. This feature uses the ECN 512 | # hall of shame list to turn off ECN in packets to these hosts so your traffic 513 | # is accepted as intended. This option is dependent on setting SYSCTL_ECN="1" 514 | # otherwise it stays disabled. 515 | DLIST_ECNSHAME="0" 516 | DLIST_ECNSHAME_URL="http://cdn.rfxn.com/downloads/ecnshame.lst" 517 | 518 | ## 519 | # Global Trust 520 | ## 521 | # This is an implementation of the trust rules (allow/deny_hosts) but 522 | # on a global perspective. You can define below the remote addresses from 523 | # which the glob_allow/deny.rules files should be downloaded on 524 | # a daily basis. The files can be maintained in a static fashion by 525 | # leaving USE_RGT=0, ideal for a host serving the files. 526 | USE_RGT="0" 527 | GA_URL="http://yourhost.com/glob_allow.rules" 528 | GD_URL="http://yourhost.com/glob_deny.rules" 529 | 530 | ## 531 | # [Logging and control settings] 532 | ## 533 | # Log all traffic that is filtered by the firewall 534 | LOG_DROP="0" 535 | 536 | # What log level should we send all log data to? 537 | # refer to man syslog.conf for levels 538 | LOG_LEVEL="crit" 539 | 540 | # Where should we send all the logging data? 
541 | # ULOG (Allow ulogd to handle the logging) 542 | # LOG (Default; sends logging to kernel log) 543 | LOG_TARGET="LOG" 544 | 545 | # Log interactive access over telnet & ssh; uses 546 | # custom log prefix of ** SSH ** & ** TELNET ** 547 | LOG_IA="1" 548 | 549 | # Log all foreign gateway traffic 550 | LOG_LGATE="0" 551 | 552 | # Extended logging information; this forces the output of tcp options and 553 | # ip options for packets passing through the log chains 554 | LOG_EXT="0" 555 | 556 | # Max firewall events to log per/minute. Log events exceeding these limits 557 | # will be lost (1440 minutes/day * 30 events/minute = 43200 events per/day) 558 | LOG_RATE="30" 559 | 560 | # Location of the apf status log; all startup, shutdown and runtime status 561 | # output is sent to this file 562 | LOG_APF="/var/log/apf_log" 563 | 564 | # Adds -w flag to iptables to enable locking support. This is only available 565 | # on iptables >= 1.4.20, but if supported you probably want this. 566 | IPT_LOCK_SUPPORT="0" 567 | IPT_LOCK_TIMEOUT="3" 568 | 569 | ## 570 | # [Import misc. conf] 571 | ## 572 | # Internal variable file 573 | CNFINT="$INSTALL_PATH/internals/internals.conf" 574 | . $CNFINT 575 | -------------------------------------------------------------------------------- /files/deny_hosts.rules: -------------------------------------------------------------------------------- 1 | ## 2 | # deny_hosts 3 | # 4 | # Trust based rule file to define addresses that are implicitly denied. 5 | # 6 | # Format of this file is line-separated addresses, IP masking is supported. 
7 | # Example: 8 | # 192.168.2.1 9 | # 192.168.5.0/24 10 | # 11 | # advanced usage 12 | # 13 | # The trust rules can be made in advanced format with 4 options 14 | # (proto:flow:port:ip); 15 | # 1) protocol: [packet protocol tcp/udp] 16 | # 2) flow in/out: [packet direction, inbound or outbound] 17 | # 3) s/d=port: [packet source or destination port] 18 | # 4) s/d=ip(/xx) [packet source or destination address, masking supported] 19 | # 20 | # Syntax: 21 | # proto:flow:[s/d]=port:[s/d]=ip(/mask) 22 | # s - source , d - destination , flow - packet flow in/out 23 | # 24 | # Examples: 25 | # inbound to destination port 22 from 192.168.2.1 26 | # tcp:in:d=22:s=192.168.2.1 27 | # 28 | # outbound to destination port 23 to destination host 192.168.2.1 29 | # out:d=23:d=192.168.2.1 30 | # 31 | # inbound to destination port 3306 from 192.168.5.0/24 32 | # d=3306:s=192.168.5.0/24 33 | # 34 | ## 35 | -------------------------------------------------------------------------------- /files/ds_hosts.rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rfxn/advanced-policy-firewall/c0435d7b5b94c9902d55db7d9df27306284b1784/files/ds_hosts.rules -------------------------------------------------------------------------------- /files/ecnshame_hosts.rules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rfxn/advanced-policy-firewall/c0435d7b5b94c9902d55db7d9df27306284b1784/files/ecnshame_hosts.rules -------------------------------------------------------------------------------- /files/extras/get_ports: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | ## 4 | # Advanced Policy Firewall (APF) v1.7.6 5 | # (C) 2002-2019, R-fx Networks 6 | # (C) 2019, Ryan MacDonald 7 | # This program may be freely redistributed under the terms of the GNU GPL v2 8 | ## 9 | # 10 | tcp_ports="" 11 | udp_ports="" 12 | 
for ptcp in `netstat -napl | grep LISTEN | grep -v 127.0.0.1 | grep tcp | awk '{print$4}' | grep : | tr ':' ' ' | awk '{print$2}' | sort -n`; do 13 | if [ "$tcp_ports" == "" ]; then 14 | tcp_ports="$ptcp" 15 | else 16 | val=`echo $tcp_ports | grep -w $ptcp` 17 | if [ "$val" == "" ]; then 18 | tcp_ports="$tcp_ports,$ptcp" 19 | fi 20 | fi 21 | done 22 | 23 | for pudp in `netstat -napl | grep -v 127.0.0.1 | grep udp | awk '{print$4}' | grep : | tr ':' ' ' | awk '{print$2}' | sort -n`; do 24 | if [ "$udp_ports" == "" ]; then 25 | udp_ports="$pudp" 26 | else 27 | val=`echo $udp_ports | grep -w $pudp` 28 | if [ "$val" == "" ]; then 29 | udp_ports="$udp_ports,$pudp" 30 | fi 31 | fi 32 | done 33 | 34 | echo " Listening TCP ports: $tcp_ports" 35 | echo " Listening UDP ports: $udp_ports" 36 | -------------------------------------------------------------------------------- /files/extras/importconf: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | ## 4 | # Advanced Policy Firewall (APF) v1.7.6 5 | # (C) 2002-2019, R-fx Networks 6 | # (C) 2019, Ryan MacDonald 7 | # This program may be freely redistributed under the terms of the GNU GPL v2 8 | ## 9 | # 10 | INSTALL_PATH="/etc/apf" 11 | DEF=".ca.def" 12 | DOUT=".conf.apf" 13 | 14 | if [ -d "/etc/apf.bk.last" ]; then 15 | # get all the vars from current release 16 | . /etc/apf/conf.apf 17 | # replace with any vars old release had 18 | . /etc/apf.bk.last/conf.apf 19 | # generate new conf 20 | . $DEF 21 | 22 | cp -f $INSTALL_PATH/conf.apf $INSTALL_PATH/conf.apf.orig 23 | cp -f $DOUT $INSTALL_PATH/conf.apf 24 | cp -f /etc/apf.bk.last/*_hosts.rules /etc/apf/ 25 | cp -f /etc/apf.bk.last/vnet/*.rules /etc/apf/vnet/ 26 | 27 | OV=`cat /etc/apf.bk.last/VERSION | awk '{print$2}'` 28 | NV=`cat /etc/apf/VERSION | awk '{print$2}'` 29 | echo " Imported options from $OV to $NV." 
30 | fi 31 | -------------------------------------------------------------------------------- /files/firewall: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | ## 4 | # Advanced Policy Firewall (APF) v1.7.6 5 | # (C) 2002-2019, R-fx Networks 6 | # (C) 2019, Ryan MacDonald 7 | # This program may be freely redistributed under the terms of the GNU GPL v2 8 | ## 9 | # 10 | CNF="/etc/apf/conf.apf" 11 | 12 | if [ -f "$CNF" ] && [ ! "$CNF" == "" ]; then 13 | source $CNF 14 | else 15 | head 16 | echo "\$CNF not found; aborting" 17 | exit 1 18 | fi 19 | 20 | if [ ! -f "$ip" ] && [ ! -f "$ifconfig" ]; then 21 | eout "{glob} $ip and $ifconfig not found; aborting" 22 | exit 1 23 | fi 24 | 25 | # load our iptables modules 26 | modinit 27 | 28 | # Delete user made chains. Flush and zero the chains. 29 | flush 1 30 | 31 | if [ ! "$IF" == "" ] && [ "$VF_ROUTE" == "1" ]; then 32 | for i in `echo $IF`; do 33 | VAL_IF=`/sbin/route -n | grep -w $i` 34 | if [ "$VAL_IF" == "" ]; then 35 | eout "{glob} could not verify that interface $IF is routed to a network, aborting." 36 | if [ ! "$SET_VERBOSE" == "1" ]; then 37 | echo "could not verify that interface $IF is routed to a network, aborting." 38 | fi 39 | exit 1 40 | fi 41 | done 42 | fi 43 | if [ ! "$IFACE_TRUSTED" == "" ] && [ "$VF_ROUTE" == "1" ]; then 44 | for i in `echo $IFACE_TRUSTED | tr ',' ' '`; do 45 | VAL_IFACE_TRUSTED=`/sbin/route -n | grep -w $i` 46 | if [ "$VAL_IFACE_TRUSTED" == "" ]; then 47 | eout "{glob} could not verify that interface $IFACE_TRUSTED is routed to a network, aborting." 48 | if [ ! "$SET_VERBOSE" == "1" ]; then 49 | echo "could not verify that interface $IFACE_TRUSTED is routed to a network, aborting." 
50 | fi 51 | exit 1 52 | fi 53 | done 54 | fi 55 | 56 | if [ "$DLIST_PHP" == "1" ] || [ "$DLIST_SPAMHAUS" == "1" ] || [ "$DLIST_DSHIELD" == "1" ] || [ "$DLIST_RESERVED" == "1" ] || [ "$DLIST_ECNSHAME" == "1" ] || [ "$USE_RGT" == "1" ]; then 57 | if [ ! -f "$WGET" ]; then 58 | echo "DLIST_* or RGT enabled but wget binary not found, aborting" 59 | exit 1 60 | fi 61 | fi 62 | 63 | /sbin/ip addr list $IFACE_UNTRUSTED | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' > /etc/apf/internals/.localaddrs 64 | 65 | if [ "$RAB" == "0" ]; then 66 | RAB_LOG_HIT=0 67 | fi 68 | 69 | eout "{glob} determined (IFACE_UNTRUSTED) $IFACE_UNTRUSTED has address $NET" 70 | 71 | # Load our PREROUTE rules 72 | tosroute PREROUTING 73 | . $PRERT 74 | 75 | # Allow all traffic on the loopback interface 76 | $IPT $IPT_FLAGS -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT 77 | $IPT $IPT_FLAGS -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT 78 | if [ "$USE_IPV6" == "1" ]; then 79 | $IP6T -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT 80 | $IP6T -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT 81 | fi 82 | 83 | 84 | # Allow all traffic on trusted interfaces 85 | if [ ! "$IFACE_TRUSTED" == "" ]; then 86 | for i in `echo $IFACE_TRUSTED | tr ',' ' '`; do 87 | VAL_IF=`/sbin/ip addr list | grep -w $i` 88 | if [ "$VAL_IF" == "" ]; then 89 | eout "{glob} unable to verify status of interface $i; assuming untrusted" 90 | else 91 | eout "{glob} allow all to/from trusted interface $i" 92 | $IPT $IPT_FLAGS -A INPUT -i $i -s 0/0 -d 0/0 -j ACCEPT 93 | $IPT $IPT_FLAGS -A OUTPUT -o $i -s 0/0 -d 0/0 -j ACCEPT 94 | fi 95 | done 96 | fi 97 | 98 | # Create TCP RESET & UDP PROHIBIT chains 99 | $IPT $IPT_FLAGS -N RESET 100 | $IPT $IPT_FLAGS -A RESET -p tcp -j REJECT --reject-with tcp-reset 101 | $IPT $IPT_FLAGS -N PROHIBIT 102 | $IPT $IPT_FLAGS -A PROHIBIT -j REJECT --reject-with icmp-host-prohibited 103 | 104 | # Load our SYSCTL rules 105 | . 
$INSTALL_PATH/sysctl.rules >> /dev/null 2>&1 106 | 107 | # Fix MTU/MSS Problems 108 | $IPT $IPT_FLAGS -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 109 | 110 | # Block common nonroutable IP networks 111 | if [ "$BLK_MCATNET" = "1" ]; then 112 | dnet $MCATNET 113 | fi 114 | if [ "$BLK_PRVNET" = "1" ]; then 115 | dnet $PRVNET 116 | fi 117 | if [ "$BLK_RESNET" = "1" ]; then 118 | if [ "$DLIST_RESERVED" == "1" ]; then 119 | dlist_resnet 120 | fi 121 | dnet $RESNET 122 | fi 123 | 124 | # Create (glob)trust system chains 125 | $IPT $IPT_FLAGS -N TALLOW 126 | $IPT $IPT_FLAGS -N TDENY 127 | $IPT $IPT_FLAGS -N TGALLOW 128 | $IPT $IPT_FLAGS -N TGDENY 129 | $IPT $IPT_FLAGS -N REFRESH_TEMP 130 | $IPT $IPT_FLAGS -A INPUT -j REFRESH_TEMP 131 | $IPT $IPT_FLAGS -A OUTPUT -j REFRESH_TEMP 132 | $IPT $IPT_FLAGS -A INPUT -j TALLOW 133 | $IPT $IPT_FLAGS -A OUTPUT -j TALLOW 134 | $IPT $IPT_FLAGS -A INPUT -j TGALLOW 135 | $IPT $IPT_FLAGS -A OUTPUT -j TGALLOW 136 | $IPT $IPT_FLAGS -A INPUT -j TDENY 137 | $IPT $IPT_FLAGS -A OUTPUT -j TDENY 138 | $IPT $IPT_FLAGS -A INPUT -j TGDENY 139 | $IPT $IPT_FLAGS -A OUTPUT -j TGDENY 140 | 141 | # Load our Blocked Traffic rules 142 | . 
$INSTALL_PATH/bt.rules 143 | 144 | # Set refresh cron 145 | cron_refresh 146 | 147 | # Load our Allow Hosts rules 148 | glob_allow_download 149 | allow_hosts $GALLOW_HOSTS TGALLOW 150 | allow_hosts $ALLOW_HOSTS TALLOW 151 | 152 | # RAB default drop for events 153 | check_rab 154 | if [ "$RAB" == "1" ]; then 155 | eout "{rab} set active RAB" 156 | if [ "$RAB_HITCOUNT" == "0" ]; then 157 | RAB_HITCOUNT="1" 158 | fi 159 | 160 | if [ "$RAB_TRIP" == "0" ]; then 161 | RAB_TRIP_FLAGS="--rcheck" 162 | else 163 | RAB_TRIP_FLAGS="--update" 164 | fi 165 | 166 | if [ "$LOG_DROP" == "1" ] || [ "$RAB_LOG_TRIP" == "1" ]; then 167 | $IPT $IPT_FLAGS -A INPUT -p all -m recent --rcheck --hitcount $RAB_HITCOUNT --seconds $RAB_TIMER -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABTRIP ** " 168 | fi 169 | $IPT $IPT_FLAGS -A INPUT -p all -m recent $RAB_TRIP_FLAGS --hitcount $RAB_HITCOUNT --seconds $RAB_TIMER -j $ALL_STOP 170 | 171 | # RAB portscan rules 172 | if [ ! "$RAB_PSCAN_LEVEL" == "0" ] || [ ! 
"$RAB_PSCAN_LEVEL" == "" ]; then 173 | eout "{rab} set active RAB_PSCAN" 174 | case "$RAB_PSCAN_LEVEL" in 175 | 1) 176 | RAB_PSCAN_PORTS="$RAB_PSCAN_LEVEL_1" 177 | ;; 178 | 2) 179 | RAB_PSCAN_PORTS="$RAB_PSCAN_LEVEL_2" 180 | ;; 181 | 3) 182 | RAB_PSCAN_PORTS="$RAB_PSCAN_LEVEL_3" 183 | esac 184 | eout "{rab} RAB_PSCAN monitored ports $RAB_PSCAN_PORTS" 185 | $IPT $IPT_FLAGS -N RABPSCAN 186 | LDNS=`cat /etc/resolv.conf | grep -v "#" | grep -w nameserver | awk '{print$2}' | grep -v 127.0.0.1` 187 | if [ "$LDNS" ]; then 188 | for i in `echo $LDNS`; do 189 | $IPT $IPT_FLAGS -I RABPSCAN -s $i -j RETURN 190 | done 191 | fi 192 | for i in `echo $RAB_PSCAN_PORTS | tr ',' ' '`; do 193 | if [ "$LOG_DROP" == "1" ] || [ "$RAB_LOG_HIT" == "1" ]; then 194 | $IPT $IPT_FLAGS -A RABPSCAN -p tcp --dport $i -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " 195 | $IPT $IPT_FLAGS -A RABPSCAN -p udp --dport $i -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " 196 | fi 197 | $IPT $IPT_FLAGS -A RABPSCAN -p tcp --dport $i -m recent --set -j $TCP_STOP 198 | $IPT $IPT_FLAGS -A RABPSCAN -p udp --dport $i -m recent --set -j $UDP_STOP 199 | done 200 | $IPT $IPT_FLAGS -A INPUT -j RABPSCAN 201 | fi 202 | fi 203 | 204 | trim $DENY_HOSTS $SET_TRIM 205 | trim $GDENY_HOSTS $SET_TRIM 206 | 207 | # Load our LOG rules 208 | . $INSTALL_PATH/log.rules 209 | 210 | # Virtual Adapters 211 | . $INSTALL_PATH/vnet/main.vnet 212 | 213 | # Clear any cport values 214 | cl_cports 215 | . $CNF 216 | 217 | # Load our main TCP/UDP rules 218 | if [ "$SET_VNET" == "1" ]; then 219 | VNET="$NET" 220 | else 221 | VNET="0/0" 222 | fi 223 | . $INSTALL_PATH/main.rules 224 | 225 | # Drop NEW tcp connections after this point 226 | $IPT $IPT_FLAGS -A INPUT -p tcp ! 
--syn -m state --state NEW -j $ALL_STOP 227 | $IPT $IPT_FLAGS -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT 228 | $IPT $IPT_FLAGS -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT 229 | $IPT $IPT_FLAGS -A OUTPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT 230 | $IPT $IPT_FLAGS -A OUTPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT 231 | 232 | # DNS 233 | if [ -f "/etc/resolv.conf" ] && [ "$RESV_DNS" == "1" ]; then 234 | LDNS=`cat /etc/resolv.conf | grep -v "#" | grep -w nameserver | awk '{print$2}' | grep -v 127.0.0.1` 235 | if [ ! "$LDNS" == "" ]; then 236 | for i in `echo $LDNS`; do 237 | eout "{glob} resolv dns discovery for $i" 238 | $IPT $IPT_FLAGS -A INPUT -p udp -s $i --sport 53 --dport 1023:65535 -j ACCEPT 239 | $IPT $IPT_FLAGS -A INPUT -p tcp -s $i --sport 53 --dport 1023:65535 -j ACCEPT 240 | $IPT $IPT_FLAGS -A OUTPUT -p udp -d $i --dport 53 --sport 1023:65535 -j ACCEPT 241 | $IPT $IPT_FLAGS -A OUTPUT -p tcp -d $i --dport 53 --sport 1023:65535 -j ACCEPT 242 | if [ "$RESV_DNS_DROP" == "1" ]; then 243 | $IPT $IPT_FLAGS -A OUTPUT -p udp -d $i --dport 53 --sport 1023:65535 -j ACCEPT 244 | $IPT $IPT_FLAGS -A OUTPUT -p tcp -d $i --dport 53 --sport 1023:65535 -j ACCEPT 245 | fi 246 | done 247 | if [ "$RESV_DNS_DROP" == "1" ]; then 248 | $IPT $IPT_FLAGS -A INPUT -p tcp -s 0/0 --sport 53 --dport 1023:65535 -j $ALL_STOP 249 | $IPT $IPT_FLAGS -A INPUT -p udp -s 0/0 --sport 53 --dport 1023:65535 -j $ALL_STOP 250 | fi 251 | fi 252 | else 253 | $IPT $IPT_FLAGS -A INPUT -p udp --sport 53 --dport 1023:65535 -j ACCEPT 254 | $IPT $IPT_FLAGS -A INPUT -p tcp --sport 53 --dport 1023:65535 -j ACCEPT 255 | $IPT $IPT_FLAGS -A OUTPUT -p udp --dport 53 --sport 1023:65535 -j ACCEPT 256 | $IPT $IPT_FLAGS -A OUTPUT -p tcp --dport 53 --sport 1023:65535 -j ACCEPT 257 | fi 258 | 259 | # FTP 260 | if [ "$HELPER_FTP" == "1" ]; then 261 | $IPT $IPT_FLAGS -A INPUT -p tcp --sport 1023:65535 --dport 
$HELPER_FTP_PORT -m state --state RELATED,ESTABLISHED -j ACCEPT 262 | $IPT $IPT_FLAGS -A INPUT -p tcp -m multiport --dport $HELPER_FTP_PORT,$HELPER_FTP_DATA -m state --state ESTABLISHED,RELATED -j ACCEPT 263 | $IPT $IPT_FLAGS -A INPUT -p udp -m multiport --dport $HELPER_FTP_PORT,$HELPER_FTP_DATA -m state --state ESTABLISHED,RELATED -j ACCEPT 264 | $IPT $IPT_FLAGS -A OUTPUT -p tcp --dport 1023:65535 --sport $HELPER_FTP_PORT -m state --state RELATED,ESTABLISHED -j ACCEPT 265 | $IPT $IPT_FLAGS -A OUTPUT -p tcp -m multiport --dport $HELPER_FTP_PORT,$HELPER_FTP_DATA -m state --state ESTABLISHED,RELATED -j ACCEPT 266 | $IPT $IPT_FLAGS -A OUTPUT -p udp -m multiport --dport $HELPER_FTP_PORT,$HELPER_FTP_DATA -m state --state ESTABLISHED,RELATED -j ACCEPT 267 | fi 268 | 269 | # SSH 270 | if [ "$HELPER_SSH" == "1" ]; then 271 | $IPT $IPT_FLAGS -A INPUT -p tcp --sport $HELPER_SSH_PORT --dport 513:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT 272 | $IPT $IPT_FLAGS -A INPUT -p tcp --sport 1024:65535 --dport $HELPER_SSH_PORT --syn -m state --state ESTABLISHED,RELATED -j ACCEPT 273 | $IPT $IPT_FLAGS -A INPUT -p udp --dport $HELPER_SSH_PORT -m state --state ESTABLISHED -j ACCEPT 274 | fi 275 | 276 | # Traceroute 277 | if [ "$TCR_PASS" == "1" ]; then 278 | $IPT $IPT_FLAGS -A INPUT -p udp -m state --state NEW --dport $TCR_PORTS -j ACCEPT 279 | $IPT $IPT_FLAGS -A OUTPUT -p udp -m state --state NEW --dport $TCR_PORTS -j ACCEPT 280 | fi 281 | 282 | 283 | if [ "$LOG_DROP" == "1" ]; then 284 | # Default TCP/UDP INPUT log chain 285 | $IPT $IPT_FLAGS -A INPUT -p tcp -m limit --limit $LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** IN_TCP DROP ** " 286 | $IPT $IPT_FLAGS -A INPUT -p udp -m limit --limit $LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** IN_UDP DROP ** " 287 | fi 288 | 289 | if [ "$LOG_DROP" == "1" ] && [ "$EGF" == "1" ]; then 290 | # Default TCP/UDP OUTPUT log chain 291 | $IPT $IPT_FLAGS -A OUTPUT -p tcp -m limit 
--limit $LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** OUT_TCP DROP ** " 292 | $IPT $IPT_FLAGS -A OUTPUT -p udp -m limit --limit $LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** OUT_UDP DROP ** " 293 | fi 294 | 295 | 296 | # ECNSHAME 297 | if [ "$SYSCTL_ECN" == "1" ]; then 298 | dlist_ecnshame 299 | dlist_ecnshame_hosts 300 | fi 301 | 302 | # Load our POSTROUTE rules 303 | tosroute POSTROUTING 304 | . $POSTRT 305 | 306 | # Default Output Policies 307 | if [ ! "$EGF" == "1" ] || [ "$EGF" == "" ]; then 308 | $IPT $IPT_FLAGS -A OUTPUT -j ACCEPT 309 | eout "{glob} default (egress) output accept" 310 | elif [ "$EGF" == "1" ]; then 311 | $IPT $IPT_FLAGS -A OUTPUT -p tcp -j $TCP_STOP 312 | $IPT $IPT_FLAGS -A OUTPUT -p udp -j $UDP_STOP 313 | $IPT $IPT_FLAGS -A OUTPUT -p all -j $ALL_STOP 314 | eout "{glob} default (egress) output drop" 315 | fi 316 | 317 | # Default Input Policies 318 | eout "{glob} default (ingress) input drop" 319 | $IPT $IPT_FLAGS -A INPUT -p tcp -j $TCP_STOP 320 | $IPT $IPT_FLAGS -A INPUT -p udp -j $UDP_STOP 321 | $IPT $IPT_FLAGS -A INPUT -p all -j $ALL_STOP 322 | -------------------------------------------------------------------------------- /files/glob_allow.rules: -------------------------------------------------------------------------------- 1 | ## 2 | # glob_allow_hosts 3 | # 4 | # Trust based rule file to define addresses that are granted all or specific 5 | # access through the firewall. 6 | # 7 | # Format of this file is line-seperated addresses, IP masking is supported. 
# Example:
# 192.168.2.1
# 192.168.5.0/24
#
# advanced usage
#
# The trust rules can be made in advanced format with 4 options
# (proto:flow:port:ip);
# 1) protocol: [packet protocol tcp/udp]
# 2) flow in/out: [packet direction, inbound or outbound]
# 3) s/d=port: [packet source or destination port]
# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
#
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s - source , d - destination , flow - packet flow in/out
#
# Examples:
# inbound to destination port 22 from 192.168.2.1
# tcp:in:d=22:s=192.168.2.1
#
# outbound to destination port 23 to destination host 192.168.2.1
# out:d=23:d=192.168.2.1
#
# inbound to destination port 3306 from 192.168.5.0/24
# d=3306:s=192.168.5.0/24
#
##
--------------------------------------------------------------------------------
/files/glob_deny.rules:
--------------------------------------------------------------------------------
##
# glob_deny_hosts
#
# Trust based rule file to define addresses that are implicitly denied.
#
# Format of this file is line-separated addresses, IP masking is supported.
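# Example:
# 192.168.2.1
# 192.168.5.0/24
#
# advanced usage
#
# The trust rules can be made in advanced format with 4 options
# (proto:flow:port:ip);
# 1) protocol: [packet protocol tcp/udp]
# 2) flow in/out: [packet direction, inbound or outbound]
# 3) s/d=port: [packet source or destination port]
# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
#
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s - source , d - destination , flow - packet flow in/out
#
# Examples:
# inbound to destination port 22 from 192.168.2.1
# tcp:in:d=22:s=192.168.2.1
#
# outbound to destination port 23 to destination host 192.168.2.1
# out:d=23:d=192.168.2.1
#
# inbound to destination port 3306 from 192.168.5.0/24
# d=3306:s=192.168.5.0/24
#
##
--------------------------------------------------------------------------------
/files/internals/cports.common:
--------------------------------------------------------------------------------
##
# cports.common: open the "common ports" configured in conf.apf.
#
# Sourced by main.rules after firewall has set VNET ("0/0", or $NET when
# SET_VNET=1), with $IPT/$IPT_FLAGS, $EGF, $LOG_*, $LEXT, $ALL_STOP and
# eout() already in scope. All OUTPUT rules here are skipped unless EGF=1.
#
# Port lists are comma separated; a range is written low_high and is turned
# into the iptables low:high form here. Every rule appended is an ACCEPT; the
# default drop policy is appended by firewall after main.rules returns, so
# order within this file only affects log readability.
#
# PROTO and the *_CPORTS/*_UID variables are rewritten in place (comma -> space)
# exactly as before, in case anything sourced later reads them.
##

# Inbound TCP
if [ ! "$IG_TCP_CPORTS" == "" ]; then
  IG_TCP_CPORTS=$(echo "$IG_TCP_CPORTS" | tr ',' ' ')
  PROTO="tcp"
  for i in $IG_TCP_CPORTS; do
    i=${i//_/:}   # low_high range -> low:high; a plain port is unchanged
    if [ ! "$i" == "" ]; then
      $IPT $IPT_FLAGS -A INPUT -p $PROTO -s 0/0 -d "$VNET" --dport "$i" -j ACCEPT
      eout "{glob} opening inbound $PROTO port $i on $VNET"
    fi
  done
fi

# Inbound UDP
if [ ! "$IG_UDP_CPORTS" == "" ]; then
  IG_UDP_CPORTS=$(echo "$IG_UDP_CPORTS" | tr ',' ' ')
  PROTO="udp"
  for i in $IG_UDP_CPORTS; do
    i=${i//_/:}
    if [ ! "$i" == "" ]; then
      $IPT $IPT_FLAGS -A INPUT -p $PROTO -s 0/0 -d "$VNET" --dport "$i" -j ACCEPT
      eout "{glob} opening inbound $PROTO port $i on $VNET"
    fi
  done
fi

# Outbound TCP (egress filtering only)
if [ "$EGF" == "1" ] && [ ! "$EG_TCP_CPORTS" == "" ]; then
  EG_TCP_CPORTS=$(echo "$EG_TCP_CPORTS" | tr ',' ' ')
  PROTO="tcp"
  for i in $EG_TCP_CPORTS; do
    i=${i//_/:}
    if [ ! "$i" == "" ]; then
      $IPT $IPT_FLAGS -A OUTPUT -p $PROTO -s "$VNET" --dport "$i" -j ACCEPT
      eout "{glob} opening outbound $PROTO port $i on $VNET"
    fi
  done
fi

# Outbound UDP (egress filtering only)
if [ "$EGF" == "1" ] && [ ! "$EG_UDP_CPORTS" == "" ]; then
  EG_UDP_CPORTS=$(echo "$EG_UDP_CPORTS" | tr ',' ' ')
  PROTO="udp"
  for i in $EG_UDP_CPORTS; do
    i=${i//_/:}
    if [ ! "$i" == "" ]; then
      $IPT $IPT_FLAGS -A OUTPUT -p $PROTO -s "$VNET" --dport "$i" -j ACCEPT
      eout "{glob} opening outbound $PROTO port $i on $VNET"
    fi
  done
fi

# ICMP rate limit shared by the inbound and outbound ICMP rules. ICMP_LIM is
# an iptables limit such as "30/s"; empty, 0 or a non-number means no limit.
if [ ! "$IG_ICMP_TYPES" == "" ] || [ ! "$EG_ICMP_TYPES" == "" ]; then
  if [ "$ICMP_LIM" == "" ]; then
    ICMP_LIM=0
  fi
  case "${ICMP_LIM%%/*}" in
    ''|0|*[!0-9]*) ICMP_EARGS="" ;;
    *) ICMP_EARGS="-m limit --limit $ICMP_LIM" ;;
  esac
fi

# Inbound ICMP types ("all" or a numeric/named type, case-insensitive)
if [ ! "$IG_ICMP_TYPES" == "" ]; then
  PROTO="icmp"
  IG_ICMP_TYPES=$(echo "$IG_ICMP_TYPES" | tr ',' ' ')
  for i in $IG_ICMP_TYPES; do
    if [ ! "$i" == "" ]; then
      i=$(echo "$i" | tr '[:upper:]' '[:lower:]')
      if [ "$i" == "all" ]; then
        $IPT $IPT_FLAGS -A INPUT -p icmp -d "$VNET" -s 0/0 $ICMP_EARGS -j ACCEPT
        eout "{glob} opening inbound $PROTO all on $VNET"
      else
        $IPT $IPT_FLAGS -A INPUT -p icmp --icmp-type "$i" -d "$VNET" -s 0/0 $ICMP_EARGS -j ACCEPT
        eout "{glob} opening inbound $PROTO type $i on $VNET"
      fi
    fi
  done
fi

# Outbound ICMP types (egress filtering only)
if [ "$EGF" == "1" ] && [ ! "$EG_ICMP_TYPES" == "" ]; then
  PROTO="icmp"
  EG_ICMP_TYPES=$(echo "$EG_ICMP_TYPES" | tr ',' ' ')
  for i in $EG_ICMP_TYPES; do
    if [ ! "$i" == "" ]; then
      i=$(echo "$i" | tr '[:upper:]' '[:lower:]')
      if [ "$i" == "all" ]; then
        $IPT $IPT_FLAGS -A OUTPUT -p icmp -s "$VNET" -d 0/0 $ICMP_EARGS -j ACCEPT
        eout "{glob} opening outbound $PROTO all on $VNET"
      else
        $IPT $IPT_FLAGS -A OUTPUT -p icmp --icmp-type "$i" -s "$VNET" -d 0/0 $ICMP_EARGS -j ACCEPT
        eout "{glob} opening outbound $PROTO type $i on $VNET"
      fi
    fi
  done
fi

# Outbound TCP per owner uid; entries are uid:port or uid:low_high
if [ "$EGF" == "1" ] && [ ! "$EG_TCP_UID" == "" ]; then
  EG_TCP_UID=$(echo "$EG_TCP_UID" | tr ',' ' ')
  PROTO="tcp"
  for i in $EG_TCP_UID; do
    IFS=: read -r uid port rest <<< "$i"
    port=${port//_/:}
    if [ ! "$port" == "" ]; then
      $IPT $IPT_FLAGS -A OUTPUT -p $PROTO -s "$VNET" --dport "$port" --match owner --uid-owner "$uid" -j ACCEPT
      eout "{glob} opening outbound $PROTO port $port for uid $uid from $VNET"
    fi
  done
fi

# Outbound UDP per owner uid; entries are uid:port or uid:low_high
if [ "$EGF" == "1" ] && [ ! "$EG_UDP_UID" == "" ]; then
  EG_UDP_UID=$(echo "$EG_UDP_UID" | tr ',' ' ')
  PROTO="udp"
  for i in $EG_UDP_UID; do
    IFS=: read -r uid port rest <<< "$i"
    port=${port//_/:}
    if [ ! "$port" == "" ]; then
      $IPT $IPT_FLAGS -A OUTPUT -p $PROTO -s "$VNET" --dport "$port" --match owner --uid-owner "$uid" -j ACCEPT
      eout "{glob} opening outbound $PROTO port $port for uid $uid from $VNET"
    fi
  done
fi

# Outbound drop per command name (owner match, --cmd-owner).
# NOTE(review): the enable test compares EG_DROP_CMD with "1" and then walks
# the same variable as a comma-separated command list, so this only ever runs
# for a list that is literally "1"; the guard presumably belongs to a separate
# switch in conf.apf — confirm before changing it. --cmd-owner is also no
# longer supported by the owner match on current kernels, where iptables
# rejects the rule.
if [ "$EGF" == "1" ] && [ "$EG_DROP_CMD" == "1" ]; then
  $IPT $IPT_FLAGS -N DEG
  for i in $(echo "$EG_DROP_CMD" | tr ',' ' '); do
    si=${i:0:6}   # first six characters keep the log prefix within its limit
    # was: [ "LOG_DROP" == "1" ] — the missing $ meant DEG hits were never logged
    if [ "$LOG_DROP" == "1" ]; then
      $IPT $IPT_FLAGS -A DEG -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** DEG_$si ** "
    fi
    $IPT $IPT_FLAGS -A DEG -s 0/0 -d 0/0 -m owner --cmd-owner="$i" -j $ALL_STOP
  done
  $IPT $IPT_FLAGS -A OUTPUT -j DEG
fi
--------------------------------------------------------------------------------
/files/internals/icmp.types:
--------------------------------------------------------------------------------
##########
# icmp types
#
# 0 Echo Reply [RFC792]
# 1 Unassigned [JBP]
# 2 Unassigned [JBP]
# 3 Destination Unreachable [RFC792]
# 4 Source Quench [RFC792]
# 5 Redirect [RFC792]
# 6 Alternate Host Address [JBP]
# 7 Unassigned [JBP]
# 8 Echo [RFC792]
# 9 Router Advertisement [RFC1256]
# 10 Router Solicitation [RFC1256]
# 11 Time Exceeded [RFC792]
# 12 Parameter Problem [RFC792]
# 13 Timestamp [RFC792]
# 14 Timestamp Reply [RFC792]
# 15 Information Request [RFC792]
# 16 Information Reply [RFC792]
# 17 Address Mask Request [RFC950]
# 18 Address Mask Reply [RFC950]
# 19 Reserved (for Security) [Solo]
# 20-29 Reserved (for Robustness Experiment) [ZSu]
# 30 Traceroute [RFC1393]
# 31 Datagram Conversion Error [RFC1475]
# 32 Mobile Host Redirect [David Johnson]
# 33 IPv6 Where-Are-You [Bill Simpson]
# 34 IPv6 I-Am-Here [Bill Simpson]
# 35 Mobile Registration Request [Bill Simpson]
#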
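# 36 Mobile Registration Reply [Bill Simpson]
# 37 Domain Name Request [Simpson]
# 38 Domain Name Reply [Simpson]
# 39 SKIP [Markson]
# 40 Photuris [Simpson]
# 41-255 Reserved [JBP]
##########
--------------------------------------------------------------------------------
/files/internals/internals.conf:
--------------------------------------------------------------------------------
##
# [Misc. Configuration]
##
#
# internals.conf: derived settings shared by apf, firewall and the rule files.
# Sourced after conf.apf, so the conf.apf options are already in scope; it
# finishes by sourcing rab.ports and functions.apf.
PATH=/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin:$PATH ; export PATH
VER="1.7.6-2"
APPN="apf"

# External tools resolved from $PATH. A missing tool leaves its variable empty
# (no "which: no ... in" noise on stderr).
ifconfig=$(command -v ifconfig 2> /dev/null)
ip=$(command -v ip 2> /dev/null)
HOST=$(command -v host 2> /dev/null)
IPT=$(command -v iptables 2> /dev/null)
IP6T=$(command -v ip6tables 2> /dev/null)
MPB=$(command -v modprobe 2> /dev/null)
LSM=$(command -v /sbin/lsmod 2> /dev/null)
RMM=$(command -v /sbin/rmmod 2> /dev/null)
IPTS=$(command -v iptables-save 2> /dev/null)
IPTR=$(command -v iptables-restore 2> /dev/null)
DIFF=$(command -v diff 2> /dev/null)
WGET=$(command -v wget 2> /dev/null)
MD5=$(command -v md5sum 2> /dev/null)
UNAME=$(command -v uname 2> /dev/null)

# Every rule in the tree is an "$IPT ..." call; without the binary none of them
# can load, so report it once here rather than once per rule.
if [ -z "$IPT" ]; then
  echo "iptables not found in PATH ($PATH); no firewall rules can be loaded" >&2
fi

## Force MONOKERN option on Virtuozzo/OpenVZ based VPS
# (/proc/vz present without /proc/bc is the container side of an OpenVZ host)
if [ -d /proc/vz ] && [ ! -d /proc/bc ]; then
  SET_MONOKERN="1"
fi

## LEGACY VARIABLE DEFINITIONS
# IFACE_IN is the older name of the IFACE_UNTRUSTED option
if [ -z "$IFACE_UNTRUSTED" ] && [ "$IFACE_IN" ]; then
  IFACE_UNTRUSTED="$IFACE_IN"
fi
IF="$IFACE_UNTRUSTED"
IN_IF="$IFACE_UNTRUSTED"
OUT_IF="$IFACE_UNTRUSTED"

ALL_STOP="DROP"
LSTOP="LD"
LACCEPT="LA"
TOS_DEF_TOS="$TOS_DEF"

# Primary IPv6 and IPv4 address of the untrusted interface (first inet6/inet
# entry). Only ip(8) is consulted; when it is not installed both stay empty
# instead of the shell trying to run "addr list" as a command.
if [ -n "$ip" ]; then
  IP6_NET=$($ip addr list $IFACE_UNTRUSTED | grep -w inet6 | head -n1 | awk '{print$2}')
  NET=$($ip addr list $IFACE_UNTRUSTED | tr '/' ' ' | grep -w inet | head -n1 | awk '{print$2}')
else
  IP6_NET=""
  NET=""
fi
NAME=$(echo "$APPN" | tr '[:lower:]' '[:upper:]')
TIME=$(date +"%D %H:%M:%S")
UTIME=$(date +"%s")
# major.minor of the running kernel (e.g. 2.6, 5.4)
KREL=$($UNAME -r | cut -d. -f 1,2)

LOCK_TIMEOUT="300"
ENTER_LOCK_TIMEOUT="60"
LOCK_FILE="$INSTALL_PATH/lock.utime"

# iptables -w waits for the xtables lock instead of failing while another
# iptables process holds it
if [[ "$IPT_LOCK_SUPPORT" == "1" ]]; then
  IPT_FLAGS="$IPT_FLAGS -w $IPT_LOCK_TIMEOUT"
fi

# Rule and data files under the install path
ADR="$INSTALL_PATH/ad/ad.rules"
ALLOW_HOSTS="$INSTALL_PATH/allow_hosts.rules"
DENY_HOSTS="$INSTALL_PATH/deny_hosts.rules"
GALLOW_HOSTS="$INSTALL_PATH/glob_allow.rules"
GDENY_HOSTS="$INSTALL_PATH/glob_deny.rules"
DS_HOSTS="$INSTALL_PATH/ds_hosts.rules"
PHP_HOSTS="$INSTALL_PATH/php_hosts.rules"
DROP_HOSTS="$INSTALL_PATH/sdrop_hosts.rules"
ECNSHAME_HOSTS="$INSTALL_PATH/ecnshame_hosts.rules"
RABP="$INSTALL_PATH/internals/rab.ports"
# files whose change presumably invalidates the fast-load snapshot — confirm in functions.apf
MD5_FILES="$ADR $INSTALL_PATH/*.rules $INSTALL_PATH/internals/*.networks $INSTALL_PATH/vnet/*.rules $RABP"
MCATNET="$INSTALL_PATH/internals/multicast.networks"
PRVNET="$INSTALL_PATH/internals/private.networks"
RESNET="$INSTALL_PATH/internals/reserved.networks"
PRERT="$INSTALL_PATH/preroute.rules"
POSTRT="$INSTALL_PATH/postroute.rules"
DSTOP=$ALL_STOP
# extra LOG target options appended to every logging rule when LOG_EXT=1
if [ "$LOG_EXT" == "1" ]; then
  LEXT="--log-tcp-options --log-ip-options"
else
  LEXT=""
fi
if [ -z "$SET_EXPIRE" ]; then
  SET_EXPIRE=0
fi

. "$RABP"
CNF_FUNC="$INSTALL_PATH/internals/functions.apf"
. "$CNF_FUNC"
--------------------------------------------------------------------------------
/files/internals/multicast.networks:
--------------------------------------------------------------------------------
# multicast
#
# http://www.iana.org/assignments/ipv4-address-space
# http://www-itg.lbl.gov/mbone/www-itg.lbl.gov/mbone/
#
# 224/8 Sep 81 IANA - Multicast
# 225/8 Sep 81 IANA - Multicast
# 226/8 Sep 81 IANA - Multicast
# 227/8 Sep 81 IANA - Multicast
# 228/8 Sep 81 IANA - Multicast
# 229/8 Sep 81 IANA - Multicast
# 230/8 Sep 81 IANA - Multicast
# 231/8 Sep 81 IANA - Multicast
# 232/8 Sep 81 IANA - Multicast
# 233/8 Sep 81 IANA - Multicast
# 234/8 Sep 81 IANA - Multicast
# 235/8 Sep 81 IANA - Multicast
# 236/8 Sep 81 IANA - Multicast
# 237/8 Sep 81 IANA - Multicast
# 238/8 Sep 81 IANA - Multicast
# 239/8 Sep 81 IANA - Multicast
#
224.0.0.0/8
225.0.0.0/8
226.0.0.0/8
227.0.0.0/8
228.0.0.0/8
229.0.0.0/8
230.0.0.0/8
231.0.0.0/8
232.0.0.0/8
233.0.0.0/8
234.0.0.0/8
235.0.0.0/8
236.0.0.0/8
237.0.0.0/8
238.0.0.0/8
239.0.0.0/8
--------------------------------------------------------------------------------
/files/internals/private.networks:
--------------------------------------------------------------------------------
# The Internet Assigned Numbers Authority (IANA) has reserved the
# following three blocks of the IP address space for private internets:
#
# 10.0.0.0 - 10.255.255.255 (10/8 prefix)
# 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
# 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
# http://www.faqs.org/rfcs/rfc1918.html
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
--------------------------------------------------------------------------------
/files/internals/rab.ports: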
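--------------------------------------------------------------------------------
# Low security ports
RAB_PSCAN_LEVEL_1="1,7,9,11,15,69,70"

# Medium security ports
RAB_PSCAN_LEVEL_2="$RAB_PSCAN_LEVEL_1,79,109,119,512,513,517,518"

# High security ports
RAB_PSCAN_LEVEL_3="$RAB_PSCAN_LEVEL_2,13,17,19,540,635,640,641,666,700"
--------------------------------------------------------------------------------
/files/internals/reserved.networks:
--------------------------------------------------------------------------------
# Unassigned/reserved address space
# refer to: http://www.iana.org/assignments/ipv4-address-space
#
127.0.0.0/8
169.254.0.0/16
192.0.0.0/24
192.0.2.0/24
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
--------------------------------------------------------------------------------
/files/log.rules:
--------------------------------------------------------------------------------
eout "{glob} loading log.rules"

# Log new inbound telnet and SSH connections when both LOG_DROP and LOG_IA are
# enabled. The two chains hold nothing but a LOG rule, so they only record the
# connection and fall back to INPUT; accept/drop is decided by later rules.
if [ "$LOG_DROP" == "1" ] && [ "$LOG_IA" == "1" ]; then
  $IPT $IPT_FLAGS -N TELNET_LOG
  $IPT $IPT_FLAGS -A TELNET_LOG -p tcp -s 0/0 -d 0/0 --dport 23 -m state --state NEW -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** TELNET ** "
  $IPT $IPT_FLAGS -N SSH_LOG
  $IPT $IPT_FLAGS -A SSH_LOG -p tcp -s 0/0 -d 0/0 --dport "$HELPER_SSH_PORT" -m state --state NEW -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** SSH ** "
  $IPT $IPT_FLAGS -A INPUT -j TELNET_LOG
  $IPT $IPT_FLAGS -A INPUT -j SSH_LOG
fi
--------------------------------------------------------------------------------
/files/main.rules:
--------------------------------------------------------------------------------
eout "{glob} loading main.rules"

# Policy configurable ports -- per policy file basis
#

#
# conf.apf configurable common ports
. /etc/apf/internals/cports.common
--------------------------------------------------------------------------------
/files/postroute.rules:
--------------------------------------------------------------------------------
eout "{glob} loading postroute.rules"

# place your custom routing rules below

--------------------------------------------------------------------------------
/files/preroute.rules:
--------------------------------------------------------------------------------
eout "{glob} loading preroute.rules"

# place your custom routing rules below
--------------------------------------------------------------------------------
/files/sdrop_hosts.rules:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rfxn/advanced-policy-firewall/c0435d7b5b94c9902d55db7d9df27306284b1784/files/sdrop_hosts.rules
--------------------------------------------------------------------------------
/files/sysctl.rules:
--------------------------------------------------------------------------------
eout "{glob} loading sysctl.rules"

# START SYSCTL config

#######################################
# Write a value to a /proc/sys key when this kernel exposes it writable;
# otherwise log and skip instead of failing with "No such file or directory"
# (several keys below exist only on some kernel generations).
# Arguments: $1 - absolute /proc/sys path, $2 - value to write
# Returns:   the status of the write; 0 when the key was skipped
#######################################
apf_sysctl_set() {
  if [ -w "$1" ]; then
    echo "$2" > "$1"
  else
    eout "{glob} sysctl key $1 not writable, skipped"
  fi
}

if [ "$SYSCTL_CONNTRACK" == "" ]; then
  SYSCTL_CONNTRACK=131072
fi

# conntrack table size; the key name depends on the conntrack implementation
if [ -f "/proc/sys/net/ipv4/ip_conntrack_max" ]; then
  apf_sysctl_set /proc/sys/net/ipv4/ip_conntrack_max "$SYSCTL_CONNTRACK"
elif [ -f "/proc/sys/net/nf_conntrack_max" ]; then
  apf_sysctl_set /proc/sys/net/nf_conntrack_max "$SYSCTL_CONNTRACK"
fi

if [ -f "/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established" ]; then
  apf_sysctl_set /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established 600
  apf_sysctl_set /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait 90
elif [ -f "/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established" ]; then
  apf_sysctl_set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established 600
  apf_sysctl_set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait 90
fi

apf_sysctl_set /proc/sys/net/ipv4/ip_local_port_range '24577 65534'
apf_sysctl_set /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
apf_sysctl_set /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

# NOTE(review): the original wrote log_martians (and, under SYSCTL_ROUTE,
# rp_filter and accept_source_route) to the same per-interface key twice in a
# row; the second write was presumably meant for the conf/all/ key — confirm
# before widening it. The duplicates are simply dropped here.
if [ "$SYSCTL_LOGMARTIANS" == "1" ]; then
  eout "{glob} setting sysctl_logmartians enabled"
  apf_sysctl_set "/proc/sys/net/ipv4/conf/$IFACE_UNTRUSTED/log_martians" 1
else
  eout "{glob} setting sysctl_logmartians disabled"
  apf_sysctl_set "/proc/sys/net/ipv4/conf/$IFACE_UNTRUSTED/log_martians" 0
fi

if [ "$SYSCTL_ECN" == "1" ]; then
  eout "{glob} setting sysctl_ecn enabled"
  apf_sysctl_set /proc/sys/net/ipv4/tcp_ecn 1
else
  eout "{glob} setting sysctl_ecn disabled"
  apf_sysctl_set /proc/sys/net/ipv4/tcp_ecn 0
fi

if [ "$SYSCTL_SYNCOOKIES" == "1" ]; then
  eout "{glob} setting sysctl_syncookies enabled"
  apf_sysctl_set /proc/sys/net/ipv4/tcp_syncookies 1
else
  eout "{glob} setting sysctl_syncookies disabled"
  apf_sysctl_set /proc/sys/net/ipv4/tcp_syncookies 0
fi

if [ "$SYSCTL_OVERFLOW" == "1" ]; then
  eout "{glob} setting sysctl_overflow enabled"
  apf_sysctl_set /proc/sys/net/ipv4/tcp_abort_on_overflow 1
else
  eout "{glob} setting sysctl_overflow disabled"
  apf_sysctl_set /proc/sys/net/ipv4/tcp_abort_on_overflow 0
fi

# TCP Parameters
if [ "$SYSCTL_TCP" == "1" ]; then
  eout "{glob} setting sysctl_tcp enabled"
  # tcp_tw_recycle was removed in Linux 4.12; apf_sysctl_set skips it there
  apf_sysctl_set /proc/sys/net/ipv4/tcp_tw_recycle 0
  apf_sysctl_set /proc/sys/net/ipv4/tcp_tw_reuse 1
  apf_sysctl_set /proc/sys/net/ipv4/tcp_window_scaling 1
  apf_sysctl_set /proc/sys/net/ipv4/tcp_timestamps 0
  # any non-empty value (including "0") disables SACK; kept for compatibility
  if [ "$SYSCTL_TCP_NOSACK" ]; then
    apf_sysctl_set /proc/sys/net/ipv4/tcp_sack 0
  else
    apf_sysctl_set /proc/sys/net/ipv4/tcp_sack 1
  fi
  apf_sysctl_set /proc/sys/net/ipv4/tcp_dsack 1
  apf_sysctl_set /proc/sys/net/ipv4/tcp_fack 1
  apf_sysctl_set /proc/sys/net/ipv4/tcp_keepalive_time 1800
  apf_sysctl_set /proc/sys/net/ipv4/tcp_fin_timeout 30
  apf_sysctl_set /proc/sys/net/ipv4/tcp_retries1 3
fi

# SYN Parameters
if [ "$SYSCTL_SYN" == "1" ]; then
  eout "{glob} setting sysctl_syn enabled"
  apf_sysctl_set /proc/sys/net/ipv4/tcp_synack_retries 2
  apf_sysctl_set /proc/sys/net/ipv4/tcp_syn_retries 3
  apf_sysctl_set /proc/sys/net/ipv4/tcp_max_syn_backlog 4096
fi

# Routing Parameters
# SYSCTL_ROUTE=1 locks the host down as a non-router: reverse-path filtering
# on, no source routing, forwarding, redirects or proxy ARP. Note that the else
# branch does not leave the kernel defaults alone — it actively turns ip_forward,
# conf/all/forwarding and bootp_relay ON — so SYSCTL_ROUTE=0 is only appropriate
# on a host that is meant to route.
if [ "$SYSCTL_ROUTE" == "1" ]; then
  eout "{glob} setting sysctl_routing enabled"
  apf_sysctl_set "/proc/sys/net/ipv4/conf/$IFACE_UNTRUSTED/rp_filter" 1
  apf_sysctl_set "/proc/sys/net/ipv4/conf/$IFACE_UNTRUSTED/accept_source_route" 0
  apf_sysctl_set /proc/sys/net/ipv4/conf/all/bootp_relay 0
  apf_sysctl_set /proc/sys/net/ipv4/ip_forward 0
  apf_sysctl_set /proc/sys/net/ipv4/conf/all/forwarding 0
  apf_sysctl_set /proc/sys/net/ipv4/conf/all/accept_redirects 0
  # these three live under conf/all/; the original wrote /proc/sys/net/ipv4/<key>,
  # which does not exist, so the settings were never applied
  apf_sysctl_set /proc/sys/net/ipv4/conf/all/secure_redirects 0
  apf_sysctl_set /proc/sys/net/ipv4/conf/all/send_redirects 0
  apf_sysctl_set /proc/sys/net/ipv4/conf/all/proxy_arp 0
else
  apf_sysctl_set "/proc/sys/net/ipv4/conf/$IFACE_UNTRUSTED/rp_filter" 0
  apf_sysctl_set /proc/sys/net/ipv4/conf/all/bootp_relay 1
  apf_sysctl_set /proc/sys/net/ipv4/ip_forward 1
  apf_sysctl_set /proc/sys/net/ipv4/conf/all/forwarding 1
fi

# apply the routing changes
apf_sysctl_set /proc/sys/net/ipv4/route/flush 1

# END SYSCTL config
--------------------------------------------------------------------------------
/files/vnet/main.vnet:
--------------------------------------------------------------------------------
#
##
# Advanced Policy Firewall (APF) v1.7.6
# (C) 2002-2019, R-fx Networks
# (C) 2019, Ryan MacDonald
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#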
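INSTALL_PATH="/etc/apf"
if [ "$SET_VNET" == "1" ]; then
  eout "{glob} virtual network enabled, loading vnet rules."
  # One <IP>.rules per virtual address (generated by vnetgen); only those whose
  # address is currently bound are loaded. conf.apf is re-sourced first so each
  # rules file starts from the global options.
  for rules in "$INSTALL_PATH"/vnet/*.rules; do
    [ -f "$rules" ] || continue
    i=${rules##*/}
    VALIP=${i%.rules}
    # fixed-string match: the dots of an address must not act as wildcards
    if [ -n "$ip" ]; then
      IFVALIP=$($ip addr list | grep -wF -- "$VALIP")
    else
      IFVALIP=$(ifconfig | grep -wF -- "$VALIP")
    fi
    if [ ! "$IFVALIP" == "" ]; then
      source "$INSTALL_PATH/conf.apf"
      source "$INSTALL_PATH/vnet/$i"
    else
      eout "{glob} $VALIP not bound, skipping $VALIP.rules"
    fi
  done
else
  eout "{glob} virtual net subsystem disabled."
fi
--------------------------------------------------------------------------------
/files/vnet/vnetgen:
--------------------------------------------------------------------------------
#!/bin/bash
#
##
# Advanced Policy Firewall (APF) v1.7.6
# (C) 2002-2019, R-fx Networks
# (C) 2019, Ryan MacDonald
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
# vnetgen: create a skeleton $INSTALL_PATH/vnet/<IP>.rules (from vnetgen.def)
# for every IPv4 address bound to the untrusted interface $IF other than its
# primary address $NET and, with SET_ADDIFACE=1, for the addresses of the other
# interfaces as well. Existing rules files are never overwritten.
# $ip, $ifconfig, $IF and $NET come from internals.conf via conf.apf.
CNF="/etc/apf/conf.apf"
if [ -f "$CNF" ]; then
  source "$CNF"
else
  echo "$CNF not found, aborting."
  exit 1
fi

if [ "$SET_VNET" == "0" ]; then
  exit 1
fi

if [ ! -f "$INSTALL_PATH/vnet/vnetgen.def" ]; then
  echo "vnetgen.def not found, aborting."
  exit 1
fi

#######################################
# Create $INSTALL_PATH/vnet/<addr>.rules from vnetgen.def unless it exists.
# The file is created under umask 077 so it is never readable by others, even
# between creation and the chmod (touch-then-chmod left it at the caller's
# umask for a moment).
# Globals:   addr (set here; vnetgen.def expands it), INSTALL_PATH (read)
# Arguments: $1 - IPv4 address
#######################################
vnetgen_mkrules() {
  addr=$1
  local rules="$INSTALL_PATH/vnet/$addr.rules"
  if [ ! -f "$rules" ]; then
    ( umask 077; : > "$rules" )
    chmod 600 "$rules"
    . "$INSTALL_PATH/vnet/vnetgen.def"
  fi
}

#######################################
# Print the IPv4 addresses found in ip(8) output for interfaces whose name
# word-matches $1, one per line, excluding loopback and the primary address.
# Arguments: $1 - interface name
#######################################
vnetgen_ip_addrs() {
  "$ip" addr list | tr '/' ' ' | grep -w inet | grep -w -- "$1" | grep -v 127.0.0.1 | grep -vwF -- "$NET" | awk '{print$2}'
}

#######################################
# Same for ifconfig(8): every interface whose name word-matches $1, then the
# address of each of its "inet addr:" lines, excluding the primary address.
# Arguments: $1 - interface name
#######################################
vnetgen_ifconfig_addrs() {
  local iface
  for iface in $("$ifconfig" | grep -w -- "$1" | awk '{print$1}'); do
    "$ifconfig" "$iface" | grep -w inet | tr ':' ' ' | grep -vwF -- "$NET" | awk '{print$3}'
  done
}

if [ ! -f "$ip" ] && [ ! -f "$ifconfig" ]; then
  eout "{glob} $ip and $ifconfig not found; aborting"
  echo "$ip and $ifconfig not found; aborting"
  exit 1
fi

# without the primary address every bound address would be taken as virtual
if [ -z "$NET" ]; then
  echo "primary address of $IF not found; aborting"
  exit 1
fi

if [ -f "$ip" ]; then
  addrs=$(vnetgen_ip_addrs "$IF")
else
  addrs=$(vnetgen_ifconfig_addrs "$IF")
fi
for a in $addrs; do
  vnetgen_mkrules "$a"
done


if [ "$SET_ADDIFACE" == "1" ]; then
  ## associate a vnet rule for ip's on additional interfaces other than the main
  # Interface discovery depends on the "Link encap" line of the older ifconfig
  # output format. Interfaces named in $TIF are skipped.
  # NOTE(review): $TIF is not set anywhere visible in this tree — presumably a
  # legacy name for the trusted interface list; confirm.
  for anet in $(ifconfig | grep Link | grep -vwE "inet|inet6|lo|$IFACE_UNTRUSTED" | awk '{print$1}'); do
    if [ "$(echo "$TIF" | grep -F -- "$anet")" != "" ]; then
      continue
    fi
    if [ -f "$ip" ]; then
      addrs=$(vnetgen_ip_addrs "$anet")
    else
      addrs=$(vnetgen_ifconfig_addrs "$anet")
    fi
    for a in $addrs; do
      vnetgen_mkrules "$a"
    done
  done
fi
--------------------------------------------------------------------------------
/files/vnet/vnetgen.def:
--------------------------------------------------------------------------------
cat > /etc/apf/vnet/$addr.rules <
# (C) 2016, Ryan MacDonald
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
INSTALL_PATH=${INSTALL_PATH:-"/etc/apf"}
DEF=${DEF:-".ca.def"}
DOUT=${DOUT:-".conf.apf"}

if [ -d "$INSTALL_PATH.bk.last" ]; then
  # get all the vars from current release
  . $INSTALL_PATH/conf.apf
  # replace with any vars old release had
  . $INSTALL_PATH.bk.last/conf.apf
  # generate new conf
  . $DEF

  cp -f $INSTALL_PATH/conf.apf $INSTALL_PATH/conf.apf.orig
  cp -f $DOUT $INSTALL_PATH/conf.apf
  cp -f $INSTALL_PATH.bk.last/*_hosts.rules /etc/apf/
  cp -f $INSTALL_PATH.bk.last/vnet/*.rules /etc/apf/vnet/

  OV=`cat $INSTALL_PATH.bk.last/VERSION | awk '{print$2}'`
  NV=`cat $INSTALL_PATH/VERSION | awk '{print$2}'`
  echo " Imported options from $OV to $NV."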
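fi
--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
##
# Advanced Policy Firewall (APF) v1.7.6
# (C) 2002-2016, R-fx Networks
# (C) 2016, Ryan MacDonald
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
# install.sh: install, or upgrade in place, APF under $INSTALL_PATH. Run as
# root from the unpacked release directory. An existing install is copied to
# $INSTALL_PATH.bk<date>, removed, reinstalled, and its previous conf.apf
# options are then re-imported by ./importconf.
INSTALL_PATH=${INSTALL_PATH:-"/etc/apf"}
BINPATH=${BINPATH:-"/usr/local/sbin/apf"}
COMPAT_BINPATH=${COMPAT_BINPATH:-"/usr/local/sbin/fwmgr"}

#######################################
# Copy the release files into $INSTALL_PATH and wire up the cron, init and
# logrotate entries.
# Globals:   INSTALL_PATH, BINPATH, COMPAT_BINPATH (read)
# Side effects: rewrites /etc/apf to $INSTALL_PATH inside ./files in place,
#            i.e. the unpacked release tree is modified, not only the target.
#######################################
install() {
  mkdir -p -- "$INSTALL_PATH"
  find ./files -type f -exec sed -i "s:/etc/apf:$INSTALL_PATH:g" {} \;
  cp -fR files/* "$INSTALL_PATH"
  # files 640, directories 750: the former "chmod -R 640 $INSTALL_PATH/*" also
  # stripped the execute bit from the subdirectories, which only root could
  # then traverse.
  find "$INSTALL_PATH" -type f -exec chmod 640 {} +
  find "$INSTALL_PATH" -type d -exec chmod 750 {} +
  chmod 750 "$INSTALL_PATH/apf" "$INSTALL_PATH/firewall" \
    "$INSTALL_PATH/vnet/vnetgen" "$INSTALL_PATH/extras/get_ports"
  cp -pf .ca.def importconf "$INSTALL_PATH/extras/"
  mkdir -p -- "$INSTALL_PATH/doc"
  cp README CHANGELOG COPYING.GPL "$INSTALL_PATH/doc"
  ln -fs "$INSTALL_PATH/apf" "$BINPATH"
  ln -fs "$INSTALL_PATH/apf" "$COMPAT_BINPATH"
  # cron entries left behind by older releases
  rm -f /etc/cron.hourly/fw /etc/cron.daily/fw /etc/cron.d/fwdev "$INSTALL_PATH/cron.fwdev"
  rm -f /etc/cron.daily/apf
  cp cron.daily /etc/cron.daily/apf
  chmod 755 /etc/cron.daily/apf
  if [ -d "/etc/rc.d/init.d" ]; then
    cp -f apf.init /etc/rc.d/init.d/apf
  elif [ -d "/etc/init.d" ]; then
    cp -f apf.init /etc/init.d/apf
  elif [ -f "/etc/rc.local" ]; then
    # no SysV init tree: start from rc.local unless an apf line is already there
    if ! grep -qi apf /etc/rc.local; then
      echo "$INSTALL_PATH/apf -s >> /dev/null 2>&1" >> /etc/rc.local
    fi
  fi
  rm -f /var/log/apf_log /var/log/apfados_log
  if [ -d "/etc/logrotate.d" ] && [ -f "logrotate.d.apf" ]; then
    cp logrotate.d.apf /etc/logrotate.d/apf
  fi
  if [ -f "/sbin/chkconfig" ]; then
    /sbin/chkconfig --add apf
    /sbin/chkconfig --level 345 apf on
  fi
  "$INSTALL_PATH/vnet/vnetgen"
  if [ -f "/usr/bin/dialog" ] && [ -d "$INSTALL_PATH/extras/apf-m" ]; then
    # run the menu installer from its own directory without moving the caller;
    # the subshell also prevents running it in the wrong directory if cd fails
    ( cd "$INSTALL_PATH/extras/apf-m/" && sh install -i )
  fi
  chmod 750 "$INSTALL_PATH"
}

VER=$(awk '/version/ {print $2}' files/VERSION)
if [ -d "$INSTALL_PATH" ]; then
  # keep a dated copy of the current install and point .bk.last at it
  DVAL=$(date +"%d%m%Y-%s")
  cp -R "$INSTALL_PATH" "$INSTALL_PATH.bk$DVAL"
  rm -f "$INSTALL_PATH.bk.last"
  ln -fs "$INSTALL_PATH.bk$DVAL" "${INSTALL_PATH}.bk.last"
  # :? refuses to run with an empty path (never "rm -rf /")
  rm -rf -- "${INSTALL_PATH:?}"
fi
printf '%s' "Installing APF $VER: "
install

sleep 1
echo "Completed."
echo ""
echo "Installation Details:"
echo " Install path: $INSTALL_PATH/"
echo " Config path: $INSTALL_PATH/conf.apf"
echo " Executable path: $BINPATH"
echo ""
echo "Other Details:"
if [ -d "$INSTALL_PATH.bk.last" ]; then
  ./importconf
  echo " Note: Please review $INSTALL_PATH/conf.apf for consistency, install default backed up to $INSTALL_PATH/conf.apf.orig"
else
  . "$INSTALL_PATH/extras/get_ports"
  echo " Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options."
fi

rm -f .conf.apf
--------------------------------------------------------------------------------
/logrotate.d.apf:
--------------------------------------------------------------------------------
/var/log/apfados_log /var/log/apf_log {
  missingok
  postrotate
  endscript
}

--------------------------------------------------------------------------------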