APF, Advanced Policy Firewall, is a firewall for Linux based on netfilter (iptables), and its great advantage is that it is very easy to configure. For APF to work correctly, the following modules must be installed:
- ip_tables
- iptable_filter
- iptable_mangle
- ip_conntrack
- ip_conntrack_irc
- ip_conntrack_ftp
- ipt_state
- ipt_multiport
- ipt_limit
- ipt_recent
- ipt_LOG
- ipt_REJECT
- ipt_ecn
- ipt_length
- ipt_mac
- ipt_owner
- ipt_ttl
- ipt_TOS
- ipt_TCPMSS
- ipt_ULOG
Most Linux distributions have these modules compiled into the kernel, so APF should work without problems. However, if it happens not to work correctly, check whether the kernel has support for the modules listed above.
Installation is simple:
1. Download the latest version:
[root@localhost ~]# wget http://www.r-fx.ca/downloads/apf-current.tar.gz
2. Extract the archive:
[root@localhost ~]# tar -zxvf apf-current.tar.gz
3. Run the install.sh file:
[root@localhost ~]# cd apf-0.9.6-3
[root@localhost ~/apf-0.9.6-3]# ./install.sh
The firewall should now be installed. Next comes the configuration. APF is configured in the file /etc/apf/conf.apf. Most options can be left as they are. The more important directives are the following:
“DEVEL_MODE” – when set to 1, APF stops itself every 5 minutes as a safety measure, so that the user does not get locked out.
“IFACE_IN” and “IFACE_OUT” are the communication interfaces – e.g. eth0.
“IFACE_TRUSTED” specifies the interface on which the firewall should not be applied – usually a local, internal network, or a VPN interface used for administration.
“IG_TCP_CPORTS” and “IG_UDP_CPORTS” – here you can add a list of TCP and UDP ports, respectively, on which connection requests will be allowed – e.g. “20,21,22,25,26,53,80”. Take care that every port on which a server is running is listed, according to the protocol it uses – TCP or UDP.
“IG_ICMP_TYPES” – here we can give a list of ICMP types accepted by the firewall – e.g. “3,5,11,0,30,8”. If, for example, we want the server not to respond to ping, we remove 8 from the list. Any echo request will then be ignored.
“EGF” can have the value 1 or 0, which enables or disables the egress (outbound) filter.
“EG_TCP_CPORTS” and “EG_UDP_CPORTS” – analogous to the “IG_” directives, these specify the ports on which communication with external servers is allowed.
“EG_ICMP_TYPES” – specifies the list of ICMP types that may be sent from the server to the outside.
For a list of all possible directives, study the README.apf file found in the application archive.
Below I put a conf.apf file that I use on one of my servers, in the hope that it will be useful:
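The directives above are plain KEY="value" shell assignments, and APF writes port ranges as lo_hi (e.g. 30000_40000). As an added example that is not part of the original post or of APF itself, this script parses such a file and flags the mistakes that most often lock an administrator out: DEVEL_MODE left on, the SSH helper port missing from IG_TCP_CPORTS, a port listed both in IG_TCP_CPORTS and BLK_PORTS, and ICMP type 8 absent. The sample configuration is constructed for the example.

```python
import re

# Constructed excerpt in conf.apf syntax (KEY="value"); not the full file from the post.
SAMPLE_CONF = '''
DEVEL_MODE="1"                 # left on after testing: APF stops itself every 5 minutes
HELPER_SSH="1"
HELPER_SSH_PORT="22"
IG_TCP_CPORTS="20,21,25,80,111,443,30000_40000"
IG_UDP_CPORTS="53"
IG_ICMP_TYPES="3,5,11,0,30"
BLK_PORTS="135_139,111,513,520,445"
'''

ASSIGN_RE = re.compile(r'^([A-Z][A-Z0-9_]*)="([^"]*)"')

def parse_conf(text):
    """Read KEY="value" lines; '#' starts a comment, as in the shell-sourced conf.apf."""
    conf = {}
    for raw in text.splitlines():
        m = ASSIGN_RE.match(raw.split('#', 1)[0].strip())
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def parse_ports(spec):
    """Expand an APF port list into a set of ints; ranges are written lo_hi."""
    ports = set()
    for item in filter(None, spec.split(',')):
        lo, _, hi = item.partition('_')
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(conf):
    """Return a list of findings about lockout risks and allow/deny conflicts."""
    findings = []
    if conf.get('DEVEL_MODE') == '1':
        findings.append('DEVEL_MODE=1: APF stops every 5 minutes; set 0 once the rules are tested')
    tcp = parse_ports(conf.get('IG_TCP_CPORTS', ''))
    if conf.get('HELPER_SSH') == '1':
        ssh_port = int(conf.get('HELPER_SSH_PORT', '22'))
        if ssh_port not in tcp:
            findings.append(f'SSH port {ssh_port} is not in IG_TCP_CPORTS: remote lockout risk')
    for port in sorted(tcp & parse_ports(conf.get('BLK_PORTS', ''))):
        findings.append(f'port {port} is in both IG_TCP_CPORTS and BLK_PORTS: decide which is intended')
    if '8' not in conf.get('IG_ICMP_TYPES', '').split(','):
        findings.append('ICMP type 8 not in IG_ICMP_TYPES: host will not answer ping')
    return findings

if __name__ == '__main__':
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print(finding)
```

Run it against /etc/apf/conf.apf before restarting APF over SSH; the SSH check is the one that matters most on a remote box.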
#!/bin/sh
#
# APF 0.9.6 [apf@r-fx.org]
# Copyright (C) 1999-2007, R-fx Networks proj @r-fx.org
# Copyright (C) 2007, Ryan MacDonald ryan @r-fx.org
# This program may be freely redistributed under the terms of the GNU GPL
#
# NOTE: This file should be edited with word/line wrapping off,
# if your using pico/nano please start it with the -w switch
# (e.g: pico -w filename)
# NOTE: All options in this file are boolean value unless otherwise
# indicated. This means value of 0 = disabled and 1 = enabled.
#
# [Main]
DEVEL_MODE="0"
INSTALL_PATH="/etc/apf"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IFACE_TRUSTED=""
SET_VERBOSE="1"
SET_FASTLOAD="0"
SET_VNET="0"
SET_ADDIFACE="0"
SET_MONOKERN="0"
VF_ROUTE="1"
VF_CROND="0"
VF_LGATE=""
##
# [Packet Filtering/Handling]
TCP_STOP="DROP"
UDP_STOP="DROP"
ALL_STOP="DROP"
PKT_SANITY="1"
PKT_SANITY_INV="0"
PKT_SANITY_FUDP="1"
PKT_SANITY_PZERO="1"
PKT_SANITY_STUFFED="0"
# Default Type of Service (TOS); These values should be set to a comma
# separated list of ports which you would like marked with the given TOS level.
#
# Set the default TOS value [0,2,4,8,16]
TOS_DEF="0"
# Set the default TOS port range
TOS_DEF_RANGE="512:65535"
# 0: Ports for Normal-Service
TOS_0=""
# 2: Ports for Minimize-Cost
TOS_2="3306"
# 4: Ports for Minimize Delay - Maximize Reliability
TOS_4="80"
# 8: Ports for Maximum Throughput - Minimum Delay
TOS_8="21,20,80"
# 16: Ports for No Delay - Moderate Throughput - High Reliability
TOS_16="21,25,110,143"
# Allow traceroute requests on the defined range of ports. This feature
# is not required for normal operations and some even prefer it disabled.
# Enable Traceroute
# Traceroute ports
TCR_PASS="0"
TCR_PORTS="33434:33534"
# Set a reasonable packet/time ratio for ICMP packets, exceeding this flow
# will result in dropped ICMP packets. Supported values are in the form of:
# pkt/s (packets/seconds), pkt/m (packets/minutes)
# Set value to 0 for unlimited, anything above is enabled.
ICMP_LIM="14/s"
RESV_DNS="0"
RESV_DNS_DROP="1"
BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778"
BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
BLK_MCATNET="0"
BLK_PRVNET="0"
BLK_RESNET="0"
BLK_IDENT="0"
SYSCTL_CONNTRACK="34576"
SYSCTL_TCP="1"
SYSCTL_SYN="1"
SYSCTL_ROUTE="0"
SYSCTL_LOGMARTIANS="0"
SYSCTL_ECN="0"
SYSCTL_SYNCOOKIES="1"
SYSCTL_OVERFLOW="0"
HELPER_SSH="1"
HELPER_SSH_PORT="22"
HELPER_FTP="1"
HELPER_FTP_PORT="21,30000_40000"
HELPER_FTP_DATA="20,30000_40000"
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2077,2078,2082,2083,2086,2087,2095,2096,2255,3306,30000_40000"
IG_UDP_CPORTS="21,53,873"
IG_ICMP_TYPES="3,5,11,0,30,8"
EGF="1"
EG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,465,873,4343,2082,2083,2086,2087,2095,2096,2255"
EG_UDP_CPORTS="20,21,37,53,873"
EG_ICMP_TYPES="all"
EG_TCP_UID=""
EG_UDP_UID=""
EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl"
USE_DS="0"
DS_URL="feeds.dshield.org/top10-2.txt" # block.txt url (no *://)
DS_URL_PROT="http" # protocol to use for wget
USE_DROP="0"
DROP_URL="www.spamhaus.org/drop/drop.lasso" # drop.lasso url (no *://)
DROP_URL_PROT="http" # protocol to use for wget
USE_ECNSHAME="0"
ECNSHAME_URL="r-fx.ca/downloads/ecnshame.lst" # url (no *://)
ECNSHAME_URL_PROT="http" # protocol to use for wget
USE_RD="0"
RD_URL="r-fx.ca/downloads/reserved.networks" # reserved.networks url
RD_URL_PROT="http" # protocol to use for wget
USE_RGT="0"
GA_URL="yourhost.com/glob_allow.rules" # glob_allow.rules url (no *://)
GA_URL_PROT="http" # protocol for use with wget
GD_URL="yourhost.com/glob_deny.rules" # glob_deny.rules url (no *://)
GD_URL_PROT="http" # protocol for use with wget
USE_AD="0"
##
# [Logging and control settings]
##
# Log all traffic that is filtered by the firewall
LOG_DROP="0"
LOG_LEVEL="crit"
LOG_TARGET="LOG"
LOG_IA="1"
LOG_LGATE="0"
LOG_EXT="0"
LOG_RATE="30"
LOG_APF="/var/log/apf_log"
##
# [Import misc. conf]
##
# Internal variable file
CNFINT="$INSTALL_PATH/internals/internals.conf"
. $CNFINT