Open source server administration

A hosting platform built on free, open source software.

APF – Advanced Policy Firewall

APF (Advanced Policy Firewall) is a Linux firewall built on netfilter (iptables); its main advantage is that it is very easy to configure. For APF to work correctly the following kernel modules must be available:

  • ip_tables
  • iptable_filter
  • iptable_mangle
  • ip_conntrack
  • ip_conntrack_irc
  • ip_conntrack_ftp
  • ipt_state
  • ipt_multiport
  • ipt_limit
  • ipt_recent
  • ipt_LOG
  • ipt_REJECT
  • ipt_ecn
  • ipt_length
  • ipt_mac
  • ipt_owner
  • ipt_ttl
  • ipt_TOS
  • ipt_TCPMSS
  • ipt_ULOG

Most Linux distributions ship these modules compiled into the kernel or as loadable modules, so APF should work out of the box. If it does not, check that the kernel supports the modules above. Note that on kernels from the 2.6.2x series onward the connection-tracking modules are named nf_conntrack, nf_conntrack_ftp and nf_conntrack_irc, and most of the ipt_* match modules became xt_* modules; modprobe usually resolves the old names through module aliases, so a missing module is only a problem if neither the old nor the new name can be loaded.
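The check described above, as an added example that is not part of the original post or of APF itself: it reports which of the modules in the list the kernel cannot provide. The function only looks at a list of names, so the run at the bottom uses a constructed sample and works offline; the `live_available_modules` helper shows how to build that list on a real host from lsmod and the kernel's modules.builtin, modules.dep and modules.alias files (the alias file is what makes the legacy ip_conntrack*/ipt_* names resolve on newer kernels).

```shell
#!/bin/sh
# Added example (not part of the original post or of APF): list the
# netfilter modules from the table above that this kernel cannot provide.
# A module is usable if it is already loaded (lsmod), built into the kernel
# (modules.builtin), shipped as a .ko (modules.dep), or is an alias
# (modules.alias) of one that is. The check itself only looks at a list of
# names, so it is exercised below against a constructed sample.

APF_MODULES="ip_tables iptable_filter iptable_mangle ip_conntrack \
ip_conntrack_irc ip_conntrack_ftp ipt_state ipt_multiport ipt_limit \
ipt_recent ipt_LOG ipt_REJECT ipt_ecn ipt_length ipt_mac ipt_owner \
ipt_ttl ipt_TOS ipt_TCPMSS ipt_ULOG"

# Print every module name the running kernel can satisfy, one per line.
live_available_modules() {
  kdir="/lib/modules/$(uname -r)"
  lsmod 2>/dev/null | awk 'NR > 1 { print $1 }'
  for f in modules.builtin modules.dep; do
    # "kernel/net/netfilter/xt_limit.ko: deps..." -> "xt_limit"
    [ -r "$kdir/$f" ] && sed 's/:.*//; s#.*/##; s/\.ko.*$//' "$kdir/$f"
  done
  # "alias ipt_state xt_conntrack" -> "ipt_state"
  [ -r "$kdir/modules.alias" ] && awk '$1 == "alias" { print $2 }' "$kdir/modules.alias"
  return 0
}

# apf_missing_modules FILE -> prints the APF modules absent from FILE
# (one available name per line); exit status 1 if anything is missing.
apf_missing_modules() {
  missing=0
  for m in $APF_MODULES; do
    grep -qx "$m" "$1" || { echo "$m"; missing=1; }
  done
  return $missing
}

# Constructed sample: a kernel that has everything except ipt_ULOG.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' ip_tables iptable_filter iptable_mangle nf_conntrack \
  ip_conntrack ip_conntrack_irc ip_conntrack_ftp xt_conntrack ipt_state \
  ipt_multiport ipt_limit ipt_recent ipt_LOG ipt_REJECT ipt_ecn \
  ipt_length ipt_mac ipt_owner ipt_ttl ipt_TOS ipt_TCPMSS > "$sample"
apf_missing_modules "$sample" || echo "(check these before starting APF)"

# On a real host:
#   live_available_modules | sort -u > /tmp/mods && apf_missing_modules /tmp/mods
```

A missing ipt_ULOG, as in the sample, is harmless with LOG_TARGET="LOG" (the setting used in the configuration further down); it only matters if you switch logging to the ULOG target.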

Installation is simple:

1. Download the latest version (note that the download is plain HTTP and the archive is not signed, so fetch it from a host you trust):

[root@localhost ~]# wget http://www.r-fx.ca/downloads/apf-current.tar.gz

2. Extract it:

[root@localhost ~]# tar -zxvf apf-current.tar.gz

3. Run install.sh:

[root@localhost ~]# cd apf-0.9.6-3
[root@localhost ~/apf-0.9.6-3]# ./install.sh

The firewall should now be installed. Next comes configuration. APF is configured in /etc/apf/conf.apf. Most options can be left at their defaults; the more important directives are these:

"DEVEL_MODE" – when set to 1, a cron job flushes the firewall every 5 minutes as a safety net so that you cannot lock yourself out while testing. The installed default is 1; set it to 0 once you have confirmed that you can still reach the server with the rules loaded, otherwise the firewall keeps disappearing every 5 minutes.

"IFACE_IN" and "IFACE_OUT" are the interfaces the firewall filters, e.g. eth0 (the public-facing interface).

"IFACE_TRUSTED" lists interfaces the firewall is not applied to, typically an internal LAN or a VPN interface used for administration.

"IG_TCP_CPORTS" and "IG_UDP_CPORTS" – comma-separated lists of the TCP and UDP ports on which inbound connections are accepted, e.g. "20,21,22,25,26,53,80"; a range is written with an underscore, e.g. "30000_40000". Make sure every port a service listens on appears in the list for the right protocol (TCP or UDP); anything not listed is dropped.

"IG_ICMP_TYPES" – the ICMP types the firewall accepts inbound, e.g. "3,5,11,0,30,8". If, for example, the server should not answer ping, remove 8 (echo request) from the list; echo requests will then be dropped silently. Keep type 3 (destination unreachable) in the list, since dropping it breaks path MTU discovery.

"EGF" is 1 or 0 and enables or disables the egress (outbound) filter.

"EG_TCP_CPORTS" and "EG_UDP_CPORTS" – analogous to the "IG_" directives, the destination ports the server may connect to on external hosts. With EGF="1" any outbound connection to a port not listed is blocked, so include everything the server itself needs (DNS, SMTP relays, package mirrors and so on).

"EG_ICMP_TYPES" – the ICMP types the server may send outbound.

For the full list of directives read the README.apf file that ships in the archive.
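The "make sure every listening port is in IG_TCP_CPORTS / IG_UDP_CPORTS" rule above is easy to get wrong by hand, so here is an added check (example code, not part of the original post or of APF) that compares the directives in a conf.apf against a table of listening sockets and prints the ones the firewall would drop. It also shows the range syntax: APF writes ranges as 30000_40000 where iptables writes 30000:40000, and `port_in_list` accepts both. The conf.apf fragment and the listener table at the bottom are constructed; the comment gives the `ss` command that produces the real table on a live host.

```shell
#!/bin/sh
# Added example (not part of the original post or of APF): verify that every
# port a service listens on is covered by IG_TCP_CPORTS / IG_UDP_CPORTS before
# (re)starting APF, since anything not listed is dropped (TCP_STOP/UDP_STOP).
# APF writes port ranges with an underscore (30000_40000) where iptables uses
# a colon (30000:40000); port_in_list accepts both.

# conf_value NAME FILE -> the quoted value of NAME="..." in conf.apf
conf_value() {
  sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# port_in_list PORT LIST -> exit 0 if PORT is in the comma-separated LIST
port_in_list() {
  port=$1
  for item in $(printf '%s' "$2" | tr ',' ' '); do
    case $item in
      *_*|*:*)
        lo=${item%%[_:]*}
        hi=${item##*[_:]}
        [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
        ;;
      *)
        [ "$port" -eq "$item" ] && return 0
        ;;
    esac
  done
  return 1
}

# uncovered_listeners CONF LISTENERS -> prints "proto port" for each listener
# (lines of the form "tcp 22" / "udp 53") not allowed by the matching IG_*
# directive; exit status 1 if any were found.
uncovered_listeners() {
  tcp_list=$(conf_value IG_TCP_CPORTS "$1")
  udp_list=$(conf_value IG_UDP_CPORTS "$1")
  rc=0
  while read -r proto port; do
    case $proto in
      tcp) list=$tcp_list ;;
      udp) list=$udp_list ;;
      *)   continue ;;
    esac
    port_in_list "$port" "$list" || { echo "$proto $port"; rc=1; }
  done < "$2"
  return $rc
}

# Constructed sample: a trimmed conf.apf and a listener table. On a live
# host produce the table with (iproute2):
#   ss -Hlntu | awk '{ n = split($5, a, ":"); print $1, a[n] }'
conf=$(mktemp); listeners=$(mktemp)
trap 'rm -f "$conf" "$listeners"' EXIT
cat > "$conf" <<'EOF'
IG_TCP_CPORTS="20,21,22,25,53,80,443,30000_40000"
IG_UDP_CPORTS="53"
EOF
cat > "$listeners" <<'EOF'
tcp 22
tcp 80
tcp 3306
tcp 35000
udp 53
udp 123
EOF
uncovered_listeners "$conf" "$listeners" \
  || echo "add the ports above to conf.apf (or stop the service) before 'apf -s'"
```

With the sample input the script prints `tcp 3306` and `udp 123`: MySQL and NTP are listening but not allowed, while 35000 passes because it falls inside the 30000_40000 passive FTP range. Run it with DEVEL_MODE still at 1, so a mistake in the list does not lock you out.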

Below is the conf.apf I use on one of my servers, in the hope that it is useful. Two things to check before copying it: IG_TCP_CPORTS opens MySQL (3306) and the cPanel/WHM ports (2082-2096) to the whole Internet, which is better restricted to known source addresses (APF's /etc/apf/allow_hosts.rules takes entries such as tcp:in:d=3306:s=203.0.113.10); and EG_TCP_CPORTS contains no 443, so with EGF="1" outbound HTTPS is blocked, which matters if the server fetches updates over HTTPS.

#!/bin/sh
#
# APF 0.9.6 [[email protected]]
# Copyright (C) 1999-2007, R-fx Networks proj @r-fx.org
# Copyright (C) 2007, Ryan MacDonald ryan @r-fx.org
# This program may be freely redistributed under the terms of the GNU GPL
#
# NOTE: This file should be edited with word/line wrapping off,
# if you're using pico/nano please start it with the -w switch
# (e.g: pico -w filename)
# NOTE: All options in this file are boolean value unless otherwise
# indicated. This means value of 0 = disabled and 1 = enabled.
 
# [Main]
DEVEL_MODE="0"
 
INSTALL_PATH="/etc/apf"
 
IFACE_IN="eth0"
IFACE_OUT="eth0"
IFACE_TRUSTED=""
SET_VERBOSE="1"
SET_FASTLOAD="0"
SET_VNET="0"
SET_ADDIFACE="0"
SET_MONOKERN="0"
 
VF_ROUTE="1"
VF_CROND="0"
VF_LGATE=""
 
##
# [Packet Filtering/Handling]
TCP_STOP="DROP"
UDP_STOP="DROP"
ALL_STOP="DROP"
 
PKT_SANITY="1"
PKT_SANITY_INV="0"
PKT_SANITY_FUDP="1"
PKT_SANITY_PZERO="1"
PKT_SANITY_STUFFED="0"
 
# Default Type of Service (TOS); These values should be set to a comma
# separated list of ports which you would like marked with the given TOS level.
#
# Set the default TOS value [0,2,4,8,16]
TOS_DEF="0"
 
# Set the default TOS port range
TOS_DEF_RANGE="512:65535"
 
# 0: Ports for Normal-Service
TOS_0=""
 
# 2: Ports for Minimize-Cost
TOS_2="3306"
 
# 4: Ports for Minimize Delay - Maximize Reliability
TOS_4="80"
 
# 8: Ports for Maximum Throughput - Minimum Delay
TOS_8="21,20,80"
 
# 16: Ports for No Delay - Moderate Throughput - High Reliability
TOS_16="21,25,110,143"
 
# Allow traceroute requests on the defined range of ports. This feature
# is not required for normal operations and some even prefer it disabled.
# Enable Traceroute
TCR_PASS="0"
# Traceroute ports
TCR_PORTS="33434:33534"
 
# Set a reasonable packet/time ratio for ICMP packets, exceeding this flow
# will result in dropped ICMP packets. Supported values are in the form of:
# pkt/s (packets/seconds), pkt/m (packets/minutes)
# Set value to 0 for unlimited, anything above is enabled.
ICMP_LIM="14/s"
 
RESV_DNS="0"
RESV_DNS_DROP="1"
 
BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778"
BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
BLK_MCATNET="0"
BLK_PRVNET="0"
BLK_RESNET="0"
BLK_IDENT="0"
SYSCTL_CONNTRACK="34576"
SYSCTL_TCP="1"
SYSCTL_SYN="1"
SYSCTL_ROUTE="0"
SYSCTL_LOGMARTIANS="0"
SYSCTL_ECN="0"
SYSCTL_SYNCOOKIES="1"
SYSCTL_OVERFLOW="0"
 
HELPER_SSH="1"
HELPER_SSH_PORT="22"
 
HELPER_FTP="1"
HELPER_FTP_PORT="21,30000_40000"
HELPER_FTP_DATA="20,30000_40000"
 
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2077,2078,2082,2083,2086,2087,2095,2096,2255,3306,30000_40000"
IG_UDP_CPORTS="21,53,873"
IG_ICMP_TYPES="3,5,11,0,30,8"
 
EGF="1"
EG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,465,873,4343,2082,2083,2086,2087,2095,2096,2255"
EG_UDP_CPORTS="20,21,37,53,873"
EG_ICMP_TYPES="all"
 
EG_TCP_UID=""
EG_UDP_UID=""
EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl"
 
USE_DS="0"
DS_URL="feeds.dshield.org/top10-2.txt" # block.txt url (no *://)
DS_URL_PROT="http" # protocol to use for wget
 
USE_DROP="0"
DROP_URL="www.spamhaus.org/drop/drop.lasso" # drop.lasso url (no *://)
DROP_URL_PROT="http" # protocol to use for wget
 
USE_ECNSHAME="0"
ECNSHAME_URL="r-fx.ca/downloads/ecnshame.lst" # url (no *://)
ECNSHAME_URL_PROT="http" # protocol to use for wget
 
USE_RD="0"
RD_URL="r-fx.ca/downloads/reserved.networks" # reserved.networks url
RD_URL_PROT="http" # protocol to use for wget
 
USE_RGT="0"
GA_URL="yourhost.com/glob_allow.rules" # glob_allow.rules url (no *://)
GA_URL_PROT="http" # protocol for use with wget
GD_URL="yourhost.com/glob_deny.rules" # glob_deny.rules url (no *://)
GD_URL_PROT="http" # protocol for use with wget
 
USE_AD="0"
 
##
# [Logging and control settings]
##
# Log all traffic that is filtered by the firewall
LOG_DROP="0"
LOG_LEVEL="crit"
LOG_TARGET="LOG"
LOG_IA="1"
LOG_LGATE="0"
LOG_EXT="0"
LOG_RATE="30"
LOG_APF="/var/log/apf_log"
 
##
# [Import misc. conf]
##
# Internal variable file
CNFINT="$INSTALL_PATH/internals/internals.conf"
. $CNFINT