Daten herunterladen
cd /usr/local/src/ wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz tar -zxvf apf-current.tar.gz; cd apf-*
Installieren
sh ./install.sh
Danach kommen ein paar fehlermeldungen, die man ignoerieren kann.
Installing APF 9.7-2: /etc/apf/vnet/vnetgen: 24: /etc/apf/vnet/vnetgen: source: not found
/etc/apf/vnet/vnetgen: 30: [: unexpected operator
vnetgen.def not found, aborting.
Completed.
Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
Other Details:
./install.sh: 26: [: unexpected operator
./install.sh: 30: [: unexpected operator
....
Dann "/etc/apf/conf.apf" öffnen und configurieren.
Eine Anleitung findet man hier: http://knowledgelayer.softlayer.com/procedure/install-and-configure-advanced-policy-firewall-apf
Eine Beispieldatei von conf.apf sieht so aus:
#!/bin/bash
#
# APF 9.7 [apf@r-fx.org]
# Copyright (C) 2002-2011, R-fx Networks <proj@r-fx.org>
# Copyright (C) 2011, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL
#
# NOTE: This file should be edited with word/line wrapping off,
# if your using pico/nano please start it with the -w switch
# (e.g: pico -w filename)
# NOTE: All options in this file are integer values unless otherwise
# indicated. This means value of 0 = disabled and 1 = enabled.
##
# [Main]
##
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.
DEVEL_MODE="0"
# The installation path of APF; this can be changed but it is not recommended.
INSTALL_PATH="/etc/apf"
# Untrusted Network interface(s); all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interfaces. Only one interface is accepted for each value.
IFACE_IN="eth0"
IFACE_OUT="eth0"
# Trusted Network interface(s); all traffic on defined interface(s) will by-pass
# ALL firewall rules, format is white space or comma separated list.
IFACE_TRUSTED=""
# This option will allow for all status events to be displayed in real time on
# the console as you use the firewall. Typically, APF used to operate silent
# with all logging piped to $LOG_APF. The use of this option will not disable
# the standard log file displayed by apf --status but rather compliment it.
SET_VERBOSE="1"
# The fast load feature makes use of the iptables-save/restore facilities to do
# a snapshot save of the current firewall rules on an APF stop then when APF is
# instructed to start again it will restore the snapshot. This feature allows
# APF to load hundreds of rules back into the firewall without the need to
# regenerate every firewall entry.
# Note: a) if system uptime is below 5 minutes, the snapshot is expired
# b) if snapshot age exceeds 12 hours, the snapshot is expired
# c) if conf or a .rule has changed since last load, snapshot is expired
# d) if it is your first run of APF since install, snapshot is generated
# - an expired snapshot means APF will do a full start rule-by-rule
SET_FASTLOAD="0"
# Virtual Network Sub-System (VNET) creates independent policy rule set for
# each IP on a system to /etc/apf/vnet/IP.rules. These rule files can be
# configured with conf.apf variables for unique but convenient firewall
# policies or custom iptables entries for even greater flexibility.
SET_VNET="0"
# This feature firewalls any additional interfaces on the server as untrusted
# through the VNET sub-system. Excluded are interfaces that have already been
# defined by IFACE_* variables. This feature is ideal for systems running
# private interfaces where not all hosts on the private network are trusted or
# are otherwise exposed to "open" networks through this private interface
# (i.e: the Internet, network accessible storage LAN, corporate WAN, etc..)
SET_ADDIFACE="0"
# This allows the firewall to work around modular kernel issues by assuming
# that the system has all required firewall modules compiled directly into
# kernel. This mode of operation is not generally recommended but can be used
# scale APF to unique situations.
SET_MONOKERN="0"
# The expiry interval, in seconds, that bans will be expired out of the trust
# system. This only applies to local bans from deny_hosts.rules and not global
# import rules. The value must not be less than equiv. seconds of SET_REFRESH.
# [value in seconds, 0 to disable, recommended 600]
SET_EXPIRE="0"
# This controls how often, if at all, we want the trust system to refresh rules.
# The firewall will flush & reload all static rules, redownload global rules and
# re-resolve any dns names in the rules. This is ideal when using dynamic dns
# names or downloadable global trust rules. [value in minutes, 0 to disable]
SET_REFRESH="10"
# This is the total amount of rules allowed inside of the deny trust system.
# When this limit is reached, the deny rule files will begin to purge older
# entries to maintain the set limit. [value is max lines, 0 for unlimited]
SET_TRIM="150"
# Verifies that the IFACE_* and IFACE_TRUSTED interfaces are actually routed
# to something. If configured interfaces are found with no routes setup then
# APF will exit with an error to prevent further issues (such as being locked
# out of the system).
VF_ROUTE="1"
# Verifies that crond is running when DEVEL_MODE=1; if not then APF will not
# try to load as if lock-up occurs no cron service to flush firewall.
VF_CROND="1"
# Verifies that all inbound traffic is sourced from a defined local gateway MAC
# address. All other traffic that does not match this MAC address will be
# rejected as untrusted traffic. It is quite easy to forge a MAC address and as
# such this feature executes NO default accept policy. Leave this option empty
# to disable or enter a 48-bit MAC address to enable.
VF_LGATE=""
##
# [Reactive Address Blocking]
##
# Reactive Address Blocking (RAB) monitors addresses as they traverse the firewall
# rules and tracks all policy violations attempted by an address. The firewall then
# reacts to the violations by blocking addresses temporarily on the assumption that
# we are protecting the host from what an attacker may do under the pretext of what
# an attacker has already done. The interface that powers RAB is the iptables kernel
# module 'xt/ipt_recent'; as such there is no external programs required for this
# feature or additional load imposed by it.
RAB="0"
# This enables RAB for sanity violations, which is when an address breaks a
# strict conformity standard such as trying to spoof an address or modify
# packet flags. It is strongly recommended that this option NOT be disabled.
RAB_SANITY="1"
# This enables RAB for port scan violations, which is when an address attempts
# to connect to a port that has been classified as malicious. These types of
# ports are those which are not commonly used in today's Internet but are
# the subject of scrutiny by attackers, such as 1,7,9,11 and so on. The security
# level defines the group of ports that RAB will react against. The port groups
# can be customized in 'internals/rab.ports'.
# 0 = disabled | 1 = low security | 2 = medium security | 3 = high security
RAB_PSCAN_LEVEL="1"
# This controls the amount of violation hits an address must have before it
# is blocked. It is a good idea to keep this very low to prevent evasive
# measures. The default is 0 or 1, meaning instant block on first violation.
RAB_HITCOUNT="1"
# This is the amount of time (in seconds) that an address gets blocked for if
# a violation is triggered, the default is 300s (5 minutes).
RAB_TIMER="300"
# This allows RAB to 'trip' the block timer back to 0 seconds if an address
# attempts ANY subsiquent communication while still on the inital block period.
RAB_TRIP="1"
# This controls if the firewall should log all violation hits from an address.
# The use of LOG_DROP variable set to 1 will override this to force logging.
RAB_LOG_HIT="1"
# This controls if the firewall should log all subsiqent traffic from an address
# that is already blocked for a violation hit, this can generate allot of logs.
# The use of LOG_DROP variable set to 1 will override this to force logging.
RAB_LOG_TRIP="0"
##
# [Packet Filtering/Handling]
##
# How to handle TCP packet filtering?
#
# RESET (sends a tcp-reset; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
TCP_STOP="DROP"
# How to handle UDP packet filtering?
#
# RESET (sends a icmp-port-unreachable; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
# PROHIBIT (send an icmp-host-prohibited)
UDP_STOP="DROP"
# How to handle all other packet filtering?
#
# DROP (drop the packet)
# REJECT (reject the packet)
ALL_STOP="DROP"
# The sanity options control the way packets are scrutinized as they flow
# through the firewall. The main PKT_SANITY option is a top level toggle for
# all SANITY options and provides general packet flag sanity as a pre-scrub
# for the other sanity options. In short, this makes sure that all packets
# coming and going conform to strict TCP/IP standards. In doing so we make it
# very difficult for attackers to inject raw/custom packets into the server.
PKT_SANITY="1"
# Block any packets that do not conform as VALID, this feature is safe for most
# but some may experience protocol issues with broken remote clients. This is
# very similar to PKT_SANITY but has a wider scope and as such has the ability
# to affect many application protocols in undesirable ways.
PKT_SANITY_INV="0"
# Block any fragmented UDP packets, this is safe as no UDP packets should
# ever be fragmented.
PKT_SANITY_FUDP="1"
# Block packets with a source or destination of port 0, this is safe as
# nothing should ever communicate on port 0 (technically does not exist).
PKT_SANITY_PZERO="1"
# Default Type of Service (TOS); These values should be set to a comma
# separated list of ports which you would like marked with the given TOS level.
#
# Set the default TOS value [0,2,4,8,16]
TOS_DEF="0"
# Set the default TOS port range
TOS_DEF_RANGE="512:65535"
# 0: Ports for Normal-Service
TOS_0=""
# 2: Ports for Minimize-Cost
TOS_2=""
# 4: Ports for Minimize Delay - Maximize Reliability
TOS_4=""
# 8: Ports for Maximum Throughput - Minimum Delay
TOS_8="21,20,80"
# 16: Ports for No Delay - Moderate Throughput - High Reliability
TOS_16="25,110,143"
# Allow traceroute requests on the defined range of ports. This feature
# is not required for normal operations and some even prefer it disabled.
# Enable Traceroute # Traceroute ports
TCR_PASS="1" TCR_PORTS="33434:33534"
# Set a reasonable packet/time ratio for ICMP packets, exceeding this flow
# will result in dropped ICMP packets. Supported values are in the form of:
# pkt/s (packets/seconds), pkt/m (packets/minutes)
# Set value to 0 for unlimited, anything above is enabled.
ICMP_LIM="30/s"
# Creates firewall rules based on the local name servers as defined in the
# /etc/resolv.conf file. This is the preferred secure method for client side
# name server requests. This option has no bearing on a locally hosted DNS
# service.
RESV_DNS="1"
# When RESV_DNS is enabled, all the untrusted name server traffic can fill the
# logs with client DNS traffic. This can be suppressed with an implicit drop
# of all such traffic (sport 53 inbound) as so to avoid log chains. If you run
# applications that have unique name servers configured, this may break them.
RESV_DNS_DROP="1"
# A common set of known Peer-To-Peer (p2p) protocol ports that are often
# considered undesirable traffic on public Internet servers. These ports
# are also often abused on web hosting servers where clients upload p2p
# client agents for the purpose of distributing or downloading pirated media.
# Format is comma separated for single ports and an underscore separator for
# ranges (4660_4678).
BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778"
# These are common Internet service ports that are understood in the wild
# services you would not want logged under normal circumstances. All ports
# that are defined here will be implicitly dropped with no logging for
# TCP/UDP traffic inbound or outbound. Format is comma separated for single
# ports and an underscore separator for ranges (135_139).
BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
# You need multicasting if you intend to participate in the MBONE, a high
# bandwidth network on top of the Internet which carries audio and video
# broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/, this is generally
# safe to enable.
BLK_MCATNET="0"
# Block all private ipv4 addresses, this is address space reserved for private
# networks or otherwise unroutable on the Internet. If this host resides behind
# a router with NAT or routing scheme that otherwise uses private addressing,
# leave this option OFF. Refer to the 'internals/private.networks' file for
# listing of private address space.
BLK_PRVNET="0"
# Block all ipv4 address space marked reserved for future use (unassigned),
# such networks have no business talking on the Internet. However they may at
# some point become live address space. The USE_RD option further in this file
# allows for dynamic updating of this list on every full restart of APF. Refer
# to the 'internals/reserved.networks' file for listing of address space.
BLK_RESNET="1"
# Block all ident (tcp 113) requests in and out of the server IF the port is
# not already opened in *_TCP_CPORTS. This uses a REJECT target to make sure
# the ident requests terminate quickly. You can see an increase in irc and
# other connection performance with this feature.
BLK_IDENT="0"
# This is the maximum number of "sessions" (connection tracking entries) that
# can be handled simultaneously by the firewall in kernel memory. Increasing
# this value too high will simply waste memory - setting it too low may result
# in some or all connections being refused, in particular during denial of
# service attacks.
SYSCTL_CONNTRACK="65536"
# These are system control (sysctl) option changes to disable TCP features
# that can be abused in addition to tweaking other TCP features for increased
# performance and reliability.
SYSCTL_TCP="1"
# These are system control (sysctl) option changes intended to help mitigate
# syn-flood attacks by lowering syn retry, syn backlog & syn time-out values.
SYSCTL_SYN="0"
# These are system control (sysctl) option changes to provide protection from
# spoofed packets and ip/arp/route redirection. If you are performing advanced
# routing policies on this host such as NAT/MASQ you should disable this.
SYSCTL_ROUTE="0"
# This system control (sysctl) option will log all network traffic that is
# from impossible source addresses. This option can discover attacks or issues
# on your network you may otherwise not be aware of.
SYSCTL_LOGMARTIANS="0"
# This system control (sysctl) option will allow you to control ECN support
# (Explicit Congestion Notification). This feature provides an improved method
# for congestion avoidance by allowing the network to mark packets for
# transmission later, rather than dropping them from the queue. Please also
# see related USE_ECNSHAME option further down in this file.
SYSCTL_ECN="0"
# This system control (sysctl) option will allow you to make use of SynCookies
# support. This feature will send out a 'syn-cookie' when the syn backlog for a
# socket becomes overflowed. The cookie is used to interrupt the flow of syn
# transmissions with a hashed sequence number that must be correlated with the
# sending host. The hash is made up of the sending host address, packet flags
# etc..; if the sending host does not validate against the hash then the tcp
# hand-shake is terminated. In short, this helps to mitigate syn-flood attacks.
# Note: syncookies seriously violates TCP protocol and can result in serious
# degradation of some services (i.e. SMTP); visible not by you, but your
# clients and relays whom are contacting your system.
SYSCTL_SYNCOOKIES="1"
# This system control (sysctl) option allows for the use of Abort_On_Overflow
# support. This feature will help mitigate burst floods if a listening service
# is too slow to accept new connections. This option is an alternative for
# SynCookies and both should NEVER be enabled at once.
# Note: This option can harm clients contacting your system. Enable option only
# if you are sure that the listening daemon can not be tuned to accept
# connections faster.
SYSCTL_OVERFLOW="0"
# The helper chains are designed to assist applications in working with the
# stateful firewall in a more reliable fashion. You should keep these settings
# current with the ports SSH and FTP are operating on. Please DO NOT CONFUSE
# these settings with opening the SSH/FTP port as they have no bearing on
# actually connecting to the services. They are only for helping maintain your
# connection to the services [ESTABLISHED,RELATED connection states, not NEW].
HELPER_SSH="1"
HELPER_SSH_PORT="22"
HELPER_FTP="1"
HELPER_FTP_PORT="21"
HELPER_FTP_DATA="20"
# Configure inbound (ingress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
#
# Example:
# IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
# IG_UDP_CPORTS="20,21,53,123"
# IG_ICMP_TYPES="3,5,11,0,30,8"
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000,10000,20000"
# Common inbound (ingress) UDP ports
IG_UDP_CPORTS="20,21,53,123"
# Common ICMP inbound (ingress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
# Configure outbound (egress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory.
#
# Outbound (egress) filtering is not required but makes your firewall setup
# complete by providing full inbound and outbound packet filtering. You can
# toggle outbound filtering on or off with the EGF variable. Format is comma
# separated and underscore separator for ranges.
#
# Example:
# EG_TCP_CPORTS="21,25,80,443,43"
# EG_UDP_CPORTS="20,21,53"
# EG_ICMP_TYPES="all"
# Outbound (egress) filtering
EGF="1"
# Common outbound (egress) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,10000"
# Common outbound (egress) UDP ports
EG_UDP_CPORTS="20,21,53"
# Common ICMP outbound (egress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
# Configure user-id specific outbound (egress) port access. This is a more
# granular feature to limit the scope of outbound packet flows with user-id
# conditioning. Format is comma separated and underscore separator for ranges.
# This is NOT A FILTERING FEATURE, this is an ACCESS CONTROL feature. That
# means EG_TCP_UID and EG_UDP_UID are intended to ALLOW outbound access for
# specified users, not DENY.
#
# Format: EG_[TCP|UDP]_UID="uid:port"
# Example:
# Allow outbound access to destination port 22 for uid 0
# EG_TCP_UID="0:22"
# UID-Match outbound (egress) TCP ports
EG_TCP_UID=""
# UID-Match outbound (egress) UDP ports
EG_UDP_UID=""
# Configure executable specific outbound (egress) filtering. This is a more
# granular feature to limit the scope of outbound packet flows with executable
# conditioning. The packet filtering is based on the CMD process field being
# passed along to iptables. All logged events for these rules will also include
# the executable CMD name in the log chain. This is A FILTERING FEATURE, not an
# ACCESS CONTROL feature. That means EG_DROP_CMD is intended to DENY outbound
# access for specified programs, not ALLOW.
#
# Format is comma separated list of executable names you wish to ban from being
# able to transmit data out of your server.
# CMD-Match outbound (egress) denied applications
EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl"
##
# [Remote Rule Imports]
##
# Project Honey Pot is the first and only distributed system for identifying
# spammers and the spambots they use to scrape addresses from your website.
# This aggregate list combines Harvesters, Spammers and SMTP Dictionary attacks
# from the PHP IP Data at: http://www.projecthoneypot.org/list_of_ips.php
DLIST_PHP="1"
DLIST_PHP_URL="cdn.rfxn.com/downloads/php_list"
DLIST_PHP_URL_PROT="http"
# The Spamhaus Don't Route Or Peer List (DROP) is an advisory "drop all
# traffic" list, consisting of stolen 'zombie' netblocks and netblocks
# controlled entirely by professional spammers. For more information please
# see http://www.spamhaus.org/drop/.
DLIST_SPAMHAUS="1"
DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso"
DLIST_SPAMHAUS_URL_PROT="http"
# DShield collects data about malicious activity from across the Internet.
# This data is cataloged, summarized and can be used to discover trends in
# activity, confirm widespread attacks, or assist in preparing better firewall
# rules. This is a list of top networks that have exhibited suspicious activity.
DLIST_DSHIELD="1"
DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt"
DLIST_DSHIELD_URL_PROT="http"
# The reserved networks list is addresses which ARIN has marked as reserved
# for future assignement and have no business as valid traffic on the internet.
# Such addresses are often used as spoofed (Fake) hosts during attacks, this
# will update the reserved networks list in order to prevent new ip assignments
# on the internet from getting blocked; this option is only important when
# BLK_RESNET is set to enabled.
DLIST_RESERVED="1"
DLIST_RESERVED_URL="cdn.rfxn.com/downloads/reserved.networks"
DLIST_RESERVED_URL_PROT="http"
# ECN is an extension which helps reduce congestion. Unfortunately some
# clueless software/hardware vendors have setup their sites or implemented
# TCP/IP in a very broken manner. If you try to talk to these sites with ECN
# turned on, they will drop all packets from you. This feature uses the ECN
# hall of shame list to turn off ECN in packets to these hosts so your traffic
# is accepted as intended. This option is dependent on setting SYSCTL_ECN="1"
# otherwise it stays disabled.
DLIST_ECNSHAME="0"
DLIST_ECNSHAME_URL="cdn.rfxn.com/downloads/ecnshame.lst"
DLIST_ECNSHAME_URL_PROT="http"
##
# Global Trust
##
# This is an implementation of the trust rules (allow/deny_hosts) but
# on a global perspective. You can define below remote addresses from
# which the glob_allow/deny.rules files should be downloaded from on
# a daily basis. The files can be maintained in a static fashion by
# leaving USE_RGT=0, ideal for a host serving the files.
USE_RGT="0"
GA_URL="yourhost.com/glob_allow.rules"
GA_URL_PROT="http"
GD_URL="yourhost.com/glob_deny.rules"
GD_URL_PROT="http"
##
# [Logging and control settings]
##
# Log all traffic that is filtered by the firewall
LOG_DROP="0"
# What log level should we send all log data too?
# refer to man syslog.conf for levels
LOG_LEVEL="crit"
# Where should we send all the logging data?
# ULOG (Allow ulogd to handle the logging)
# LOG (Default; sends logging to kernel log)
LOG_TARGET="LOG"
# Log interactive access over telnet & ssh; uses
# custom log prefix of ** SSH ** & ** TELNET **
LOG_IA="1"
# Log all foreign gateway traffic
LOG_LGATE="0"
# Extended logging information; this forces the output of tcp options and
# ip options for packets passing through the log chains
LOG_EXT="0"
# Max firewall events to log per/minute. Log events exceeding these limits
# will be lost (1440 minutes/day * 30 events/minute = 43200 events per/day)
LOG_RATE="30"
# Location of the apf status log; all startup, shutdown and runtime status
# sends outputs to this file
LOG_APF="/var/log/apf_log"
##
# [Import misc. conf]
##
# Internal variable file
CNFINT="$INSTALL_PATH/internals/internals.conf"
. $CNFINT
Es gibt offizielle DEB für
Es gibt offizielle DEB für Debian. So kann man installieren:
apt-get install apf-firewall
Neuen Kommentar schreiben