forked from rfxn/advanced-policy-firewall
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
750 lines (634 loc) · 36.9 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
Advanced Policy Firewall (APF) v1.7.5
(C) 2002-2014, R-fx Networks <[email protected]>
(C) 2014, Ryan MacDonald <[email protected]>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Contents:
1 ............. Introduction
1.1 ........... Introduction: Supported Systems & Requirements
2 ............. Installation
2.1 ........... Installation: Boot Loading
3 ............. Configuration
3.1 ........... Configuration: Basic Options
3.2 ........... Configuration: Advanced Options
3.3 ........... Configuration: Reactive Address Blocking
3.4 ........... Configuration: Virtual Network Files
3.5 ........... Configuration: Global Variables & Custom Rules
4 ............. General Usage
4.1 ........... General Usage: Trust System
4.2 ........... General Usage: Global Trust System
4.3 ........... General Usage: Advanced Trust Syntax
4.4 ........... General Usage: Dynamic Trust Files
5 ............. License
6 ............. Support Information
1) Introduction:
Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system
designed around the essential needs of today's Internet deployed servers and the
unique needs of custom deployed Linux installations. The configuration of APF
is designed to be very informative and present the user with an easy to follow
process, from top to bottom of the configuration file. The management of APF on
a day-to-day basis is conducted from the command line with the 'apf' command,
which includes detailed usage information and all the features one would expect
from a current and forward thinking firewall solution.
The technical side of APF is such that it embraces the latest stable features
put forward by the iptables(netfilter) project to provide a very robust and
powerful firewall. The filtering performed by APF is three fold:
1) Static rule based policies (not to be confused with a "static firewall")
2) Connection based stateful policies
3) Sanity based policies
The first, static rule based policies, is the most traditional method of
firewalling. This is when the firewall has an unchanging set of instructions
(rules) on how traffic should be handled in certain conditions. An example of
a static rule based policy would be when you allow/deny an address access to the
server with the trust system or open a new port with conf.apf. So the short of
it is rules that infrequently or never change while the firewall is running.
The second, connection based stateful policies, is a means to distinguish
legitimate packets for different types of connections. Only packets matching a
known connection will be allowed by the firewall; others will be rejected. An
example of this would be FTP data transfers, in an older era of firewalling
you would have to define a complex set of static policies to allow FTA data
transfers to flow without a problem. That is not so with stateful policies,
the firewall can see that an address has established a connection to port 21
then "relate" that address to the data transfer portion of the connection and
dynamically alter the firewall to allow the traffic.
The third, sanity based policies, is the ability of the firewall to match
various traffic patterns to known attack methods or scrutinize traffic to
conform to Internet standards. An example of this would be when a would-be
attacker attempts to forge the source IP address of data they are sending to
you, APF can simply discard this traffic or optionally log it then discard it.
To the same extent another example would be when a broken router on the
Internet begins to relay malformed packets to you, APF can simply discard them
or in other situations reply to the router and have it stop sending you new
packets (TCP Reset).
These three key filtering methods employed by APF are simply a generalization
of how the firewall is constructed on a technical design level, there are a
great many more features in APF that can be put to use. For a detailed
description of all APF features you should review the configuration file
/etc/apf/conf.apf which has well outlined captions above all options. Below is
a point form summary of most APF features for reference and review:
- detailed and well commented configuration file
- granular inbound and outbound network filtering
- user id based outbound network filtering
- application based network filtering
- trust based rule files with an optional advanced syntax
- global trust system where rules can be downloaded from a central management
server
- reactive address blocking (RAB), next generation in-line intrusion prevention
- debug mode provided for testing new features and configuration setups
- fast load feature that allows for 1000+ rules to load in under 1 second
- inbound and outbound network interfaces can be independently configured
- global tcp/udp port & icmp type filtering with multiple methods of executing
filters (drop, reject, prohibit)
- configurable policies for each ip on the system with convenience variables to
import settings
- packet flow rate limiting that prevents abuse on the most widely abused
protocol, icmp
- prerouting and postrouting rules for optimal network performance
- dshield.org block list support to ban networks exhibiting suspicious activity
- spamhaus Don't Route Or Peer List support to ban known "hijacked zombie" IP
blocks
- any number of additional interfaces may be configured as firewalled
(untrusted) or trusted (not firewalled)
- additional firewalled interfaces can have there own unique firewall policies
applied
- intelligent route verification to prevent embarrassing configuration errors
- advanced packet sanity checks to make sure traffic coming and going meets
the strictest of standards
- filter attacks such as fragmented UDP, port zero floods, stuffed routing,
arp poisoning and more
- configurable type of service options to dictate the priority of different types
of network traffic
- intelligent default settings to meet every day server setups
- dynamic configuration of your servers local DNS revolvers into the firewall
- optional filtering of common p2p applications
- optional filtering of private & reserved IP address space
- optional implicit blocks of the ident service
- configurable connection tracking settings to scale the firewall to the size of
your network
- configurable kernel hooks (ties) to harden the system further to syn-flood
attacks & routing abuses
- advanced network control such as explicit congestion notification and overflow
control
- special chains that are aware of the state of FTP DATA and SSH connections to
prevent client side issues
- control over the rate of logged events, want only 30 filter events a minute?
300 a minute? - you are the boss
- logging subsystem that allows for logging data to user space programs or
standard syslog files
- logging that details every rule added and a comprehensive set of error checks
to prevent config errors
- if you are familiar with netfilter you can create your own rules in any of
the policy files
- pluggable and ready advanced use of QoS algorithms provided by the Linux
- 3rd party add-on projects that compliment APF features
Still on the feature todo list is:
- full support for NAT/MASQ including port forwarding
- cluster oriented round-robin packet or port forwarding
- in-line firewall reactive address blocking of connction floods
- and much more...
1.1) Introduction: Supported Systems & Requirements
The APF package is designed to run on Linux based operating systems that have
an operational version of the iptables (netfilter) package installed. The
iptables (netfilter) package is supported on Linux kernels 2.4 and above,
you can find out more details on the netfilter project at:
http://www.netfilter.org/
If the version of Linux you are using already has an included copy of
iptables then chances are very high it has all the iptables modules that APF
will need. If you are configuring iptables in your own custom kernel then you
should be sure that the following modules are compiled with the kernel for
modular support:
ip_tables
iptable_filter
iptable_mangle
ip_conntrack
ip_conntrack_irc
ip_conntrack_ftp
ipt_state
ipt_multiport
ipt_limit
ipt_recent
ipt_LOG
ipt_REJECT
ipt_ecn
ipt_length
ipt_mac
ipt_multiport
ipt_owner
ipt_state
ipt_ttl
ipt_TOS
ipt_TCPMSS
ipt_ULOG
If you would like to make sure you support these modules then you can take a
look inside of /lib/modules/kernelver/kernel/net/ipv4/netfilter/ directory.
# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/
The known Linux platforms that APF will run on are very diverse and it is hard
to keep track but here is a short summary:
Redhat Enterprise AS/ES 2+
CentOS Any
Fedora Core Any
Slackware 8.0+
Debian GNU/Linux 3.0+
Suse Linux 8.1+
Unbuntu Any
TurboLinux Server 9+
TurboLinux Fuji (Desktop)
RedHat Linux 7.3,8,9
The base system specs for APF operating as intended are not set in stone and
you can easily scale the package into almost any situation that has a Linux
2.4+ kernel, iptables and bash shell with standard set of gnu-utils (grep,
awk, sed and the like). Below is a short table of what is recommended:
DEVICE MIN RECOMMENDED
CPU: 300Mhz 600Mhz
MEM: 64MB 96MB
DISK: OS OS
NETWORK: Any Any
2) Installation
The installation setup of APF is very straight forward, there is an included
install.sh script that will perform all the tasks of installing APF for you.
Begin Install:
# sh install.sh
If one so desires they may customize the setup of APF by editing the variables
inside the install.sh script followed by also editing the path variables in
the conf.apf and internals.conf files. This is however not recommends and the
default paths should meet all user needs, they are:
Install Path: /etc/apf
Bin Path: /usr/local/sbin/apf
The package includes two convenience scripts, the first is importconf which will
import all the variable settings from your previous version of APF into the
new installation. The second is get_ports, a script which will output the
systems currently in use 'server' ports for the user during the installation
process in an effort to aid in configuring port settings.
All previous versions of APF are saved upon the installation of newer
versions and stored in /etc/apf.bkDDMMYY-UTIME format. In addition, there is a
/etc/apf.bk.last sym-link created to the last version of APF you had installed.
After installation is completed the documentation and convenience scripts are
copied to /etc/apf/docs and /etc/apf/extras respective.
2.1) Installation: Boot Loading
On installation APF will install an init script to /etc/init.d/apf
and configure it to load on boot. If you are setting up APF in a more
custom situation then you may follow the below instructions.
There is really 3 modes of operation for having APF firewall our system
and each has no real benifit except tailoring itself to your needs.
The first is to setup APF in the init system with chkconfig (done by
default during install), as detailed below:
chkconfig --add apf
chkconfig --level 345 apf on
Secondly, you can add the following string too the bottom of the
/etc/rc.local file:
sh -c "/etc/apf/apf -s" &
It is NOT recommended that you use both of these startup methods together,
for most systems the init script via chkconfig should be fine.
The third and final approuch is to simply run APF in an on-demand fashion. That
is, enable it with the 'apf -s' command when desired and disable it with the
'apf -f' when desired.
3) Configuration:
On your first installation of APF it will come pretty bare in the way of
preconfigured options, this is intentional. The most common issue with many
firewalls is that they come configured with so many options that a user may
never use or disable, that it leaves systems riddled with firewall holes.
Now with that said, APF comes configured with only a single incoming port
enabled by default and that is port 22 SSH. Along with a set of common practice
filtering options preset in the most compatible fashion for all users. All the
real advanced options APF has to offer are by default disabled including
outbound (egress) port filtering, reactive address blocking (rab) and the
virtual network subsystem to name a few.
The main APF configuration file is located at /etc/apf/conf.apf and has
detailed usage information above all configuration variables. The file uses
integer based values for setting configuration options and they are
0 = disabled
1 = enabled
All configuration options use this integer value system unless otherwise
indicated in the description of that option.
You should put aside 5 minutes and review the configuration file from top to
bottom taking the time to read all the captions for the options that are
provided. This may seem like a daunting task but a firewall is only as good
as it is configured and that requires you, the administrator, to take a few
minutes to understand what it is you are setting up.
APF is a very powerful firewall that when setup to make use of all the advanced
features, will provide a sophisticated and robust level of protection. Please
continue reading further along this file for more information or see the
support options at the bottom of this file for further assistance if you find
yourself lost in the configuration process.
3.1) Configuration: Basic Options
This section will cover some of the basic configuration options found inside
of the conf.apf configuration file. These options, despite how basic, are the
most vital in the proper operation of your firewall.
Option: DEVEL_MODE
Description: This tells APF to run in a development mode which in short means
that the firewall will shut itself off every 5 minutes from a cronjob. When
you install any version of APF, upgrade or new install, this feature is by
default enabled to make sure the user does not lock themself out of the
system with configuration errors. Once you are satisfied that you have the
firewall configured and operating as intended then you must disable it.
Option: INSTALL_PATH
Description: As it implies, this is the installation path for APF and unless
you have become a brave surgeon it is unlikely you will ever need to reconfigure
this option - on we go.
Option: IFACE_UNTRUSTED
Description: This variable controls the interface that firewall rules are applied
against. This interface is commonly the Internet facing interface or any interface
that faces the main network of untrusted communication (WAN).
Option: IFACE_TRUSTED
Description: It is common that you may want to set a specific interface as
trusted to be excluded from the firewall, these may be administrative private
links, virtualized VPN interfaces or a local area network that is contains
trusted resources. This feature is similar to what some term as demilitarized
zone or DMZ for short, any interfaces set in this option will be excempt from
all firewall rules with an implicit trust rule set early in the firewall load.
Option: SET_VERBOSE
Description: This option tells the apf script to print very detailed event logs
to the screen as you are conducting firewall operations from the command line.
This will allow for easier trouble shooting of firewall issues or to assist the
user in better understanding what the firewall is doing rule-by-rule. Although
the SET_VERBOSE option is new to APF, this level of logging has long been
provided in the /var/log/apf_log file and still remains as such.
Option: SET_FASTLOAD
Description: This tells APF to use a special feature to take saved snap shots
of the running firewall. Instead of regenerating every single firewall rule
when we stop/start the firewall, APF will use these snap shots to "fast load"
the rules in bulk. There are internal features in APF that will detect when
configuration has changed and then expire the snap shot forcing a full reload
of the firewall.
Option: SET_VNET
Description: The ever curious option called SET_VNET, to put it brief this
option controls the virtual network subsystem of APF also known as VNET. This
is a subsystem that generates policy files for all aliased addresses on the
IFACE_IN/OUT interfaces. In general this option is not needed for the normal
operation of APF but is provided should you want to easily configured unique
policies for the aliased addresses on an Interface. Please see topic 3.4 of
this document for more advanced details related to this option.
Option: SET_ADDIFACE
Description: This allows you to have additional untrusted interfaces firewalled
by APF and this is done through the VNET system. So for example let assume you
have a datacenter provided eth2 interface for local network backups but you
know hundreds of other Internet facing servers are also on this network. In
such a situation it would be the best course to enable this option (along with
SET_VNET) so that the interface is firewalled. Please see topic 3.4 of this
document for more advanced details related to this option.
Option: IG_TCP_CPORTS
Description: This controls what TCP ports are allowed for incoming traffic, this
is also known as the "server" or "listening services" ports. You would for
example configure here the ports 21,25,80,110,443 if you were operating the
FTP, SMTP, HTTP, POP3 & HTTPS services from this host. This is a global context
rule and will apply to all addresses on this host unless virtual net rules are
set to operate in another fashion.
Option: IG_UDP_CPORTS
Description: This controls what UDP ports are allowed for incoming traffic, this
is also known as the "server" or "listening services" ports. You would for
example configure here the ports 20,53 if you were operating the FTP & DNS
services from this host. This is a global context rule and will apply to all
addresses on this host unless virtual net rules are set to operate in another
fashion.
Option: IG_ICMP_TYPES
Description: This controls what ICMP types are allowed for incoming traffic,
these are control messages that the Internet uses to communicate any number of
error messages during communication between hosts and networks. The default
options should meet most needs however if you wish to filter a specific set
of ICMP types you should review the 'internals/icmp.types' file. This is a
global context rule and will apply to all addresses on this host unless virtual
net rules are set to operate in another fashion.
Option: EGF
Description: This is a top level control feature for enabling or disabling all
the outbound (egress) filtering features of the firewall. In the most basic
setup of the firewall from install, this will be set to disabled and we will be
operating in a mostly inbound (ingress) only filtering fashion. It is however
recommended that you enable the outbound (egress) filtering as it provides a
very robust level of protection and is a common practice to filtering outbound
traffic.
Option: EG_TCP_CPORTS
Description: This controls what TCP ports are allowed for outgoing traffic, this
is also known as the "client side" communication on a host. Here we would set
any ports we wish to communicate with on the Internet, for example if you use
many remote RSS feeds on websites then you will want to make sure port 80,443
is defined here so you can access the HTTP/HTTPS service on Internet servers.
This is a global context rule and will apply to all addresses on this host
unless virtual net rules are set to operate in another fashion.
Option: EG_UDP_CPORTS
Description: This controls what UDP ports are allowed for outgoing traffic, this
is also known as the "client side" communication on a host. Here we would set
any ports we wish to communicate with on the Internet, for example if you use
many remote RSYNC servers then you will want to make sure port 873 is defined
here so you can properly access the RSYNC service on Internet servers. This is
a global context rule and will apply to all addresses on this host unless
virtual net rules are set to operate in another fashion.
Option: EG_ICMP_TYPES
Description: This controls what ICMP types are allowed for outgoing traffic,
these are control messages that the Internet uses to communicate any number of
error messages during communication between hosts and networks. The default
options should meet most needs however if you wish to filter a specific set
of ICMP types you should review the 'internals/icmp.types' file. This is a
global context rule and will apply to all addresses on this host unless virtual
net rules are set to operate in another fashion.
Option: LOG_DROP
Description: The use of this option allows to firewall to perform very detailed
firewall logging of packets as they are filtered by the firewall. This can help
identify issues with the firewall or provide insightful information on who is
taking pokes at the host. Typically however this option is left disabled on
production systems as it can get very noisy in the log files which also can
increase i/o wait loads to the disk from the heavy logging.
3.2) Configuration: Advanced Options
The advanced options, although not required, are those which afford the firewall
the ability to be a more robust and encompassing solution in protecting a host.
These options should be reviewed on a case-by-case basis and enabled only as
you determine there merit to meet a particular need on a host or network.
Option: SET_MONOKERN
Description: This option tells the system that instead of looking for iptables
modules, that we should expect them to be compiled directly into the kernel. So
unless you have a custom compiled kernel on your system where modular support
is disabled or iptables (netfilter) is compiled in directly, you should not
enable this option. There are also exceptions here if you have a unique system
setup and APF is unable to find certain iptables modules but you know for a
fact they are there, then enable this option.
Option: VF_ROUTE
Description: This option will make sure that the IP addressess associated to
the IFACE_* variables do actually have route entries. If a route entry can not
be found then APF will not load as it is likely a configuration error has been
made with possible results being a locked-up server.
Option: VF_LGATE
Description: This option will make sure that all traffic coming into this host
is going through this defined MAC address. This is not something you will want
enabled in most situations but it is something certain people will desire with
servers residing behind a NAT/MASQ gateway for example.
Option: RAB
Description: This is a top level toggle for the reactive address blocking in
APF and does nothing more than either enable or disable it.
Option: RAB_SANITY
Description: This enables RAB for sanity violations, which is when an address
breaks a strict conformity standard such as trying to spoof an address or modify
packet flags. When addresses are found to have made such violations they are
temporarily banned for the duration of RAB_TIMER value in seconds.
Option: RAB_PSCAN_LEVEL
Description: This enables RAB for port scan violations, which is when an
address attempts to connect to a port that has been classifed as malicious.
These types of are those which are not commonly used in today's Internet but are
the subject of scrutiny by attackers, such as ports 1,7,9,11. The values for
this option are broken into 4 intergers and they are 0 for disabled, 1 for
low security, 2 for medium security and 3 for high security.
Option: RAB_HITCOUNT
Description: This controls the amount of violation hits an address must have
before it is blocked. It is a good idea to keep this very low to prevent
evasive measures. The default is 0 or 1, meaning instant block on first hit.
Option: RAB_TIMER
Description: This is the amount of time (in seconds) that an address gets
blocked for if a violation is triggered, the default is 300s (5 minutes). This
option has a max accepted value of 43200 seconds or 12 hours.
Option: RAB_TRIP
Description: This allows RAB to 'trip' the block timer back to 0 seconds if an
address attempts ANY subsiquent communication while still on the inital block
period. This option really is one of the more exciting features of the RAB
system as it can cut off an attack at the legs before it ever mounts into
something tangible against the system.
Option: RAB_LOG_HIT
Description: This controls if the firewall should log all violation hits from
an address. It is recommended that this be enabled to provide insightful log
data on addresses which are attempting to probe or conduct questionable actions
against this host. The use of LOG_DROP variable set to 1 will override this to
force logging.
Option: RAB_LOG_TRIP
Description: This controls if the firewall should log all subsiquent traffic
from an address that is already blocked for a violation hit, this can generate
allot of logs. However, the use of this option despite the depth of log data it
may generate could provide valuble information as to the intents of an attacker.
The use of LOG_DROP variable set to 1 will override this to force logging.
Option: TCP_STOP, UDP_STOP, ALL_STOP
Description: These options tell the firewall in which way to go about filtering
traffic, the supported values are DROP, RESET, REJECT and PROHIBIT. We will
review these options below in short and provide the pro/con's of their uses.
- The default is DROP which tells the firewall silently discard packets
and not reply to them at all, which some consider to be "stealth" firewall
behavoir. The direct benifit is that it saves system resources, especially
during a DoS attack in not having to reply to every discarded packet. However
the problem is experienced attackers know the way TCP/IP works and it is such
that when you try to connect to a service that is unavailable, your server or
local router replies with an "icmp-port/host-unreachable" message. So when an
attacker probing your IP address receives no reply from the server or local
router to the scans, they will instantly know you are running a firewall,
possibly peaking curiosity more.
- Then we have RESET which allows the firewall to reply to discarded packets
in such a way that it trys to make the remote host "reset/terminate" the
connection attempts to you. This option is more in-line with TCP/IP
standards however in most situations will provide no real benifits or
drawbacks. In some really isolated situations you may find that using RESET
during DoS attacks will help terminate connections more promptly but in
general this does not serve to counter the system resources expended to
send back replies to every single packet filtered.
- Then we have the REJECT value which is a more common alternative to DROP as
it allows the firewall to reply to packets with an error message. This
acomplishes the goal of filtering a packet while at the same time not
allowing the remote host to know that we are running a firewall, they just
think the port/service is closed/unavailable.
- Finally we have the PROHIBIT value which is specific for UDP_STOP but can
be used as other *_STOP values with similar effect. When we set PROHIBIT we
are telling the firewall to reply to the sender of packets with only ICMP
error messages instead of like the case with RESET, TCP packets. This is a
good alternative to reply to packets with as it does not load the system
as "much" during aggressive attacks. This is also the default expected
reply for UDP packets that are not accepted by a host, however APF will by
default use a DROP value on UDP packets.
Option: PKT_SANITY
Description: This option controls the way packets are scrutinized as they flow
through the firewall. The main PKT_SANITY option is a top level toggle for all
SANITY options and provides general packet flag sanity as a pre-scrub for the
other sanity options. In short, this makes sure that all packets coming and
going conform to strict TCP/IP standards. In doing so we make it very difficult
for attackers to inject raw/custom packets into this host.
Now onto the sanity filters, these are options that allow APF to scrutinize
traffic coming into and out of the server so it conforms to TCP/IP standards
and also filters common attack characteristics. There are a number of sanity
options and each one has a well detailed captain in hte configuration file. In
addition, these options comes preconfigured to suite most situation needs and
provide the best protection possible. With that, I will defer the PKT_SANITY
details to the conf.apf file where you can find ample information on each
option.
Moving forward we now have the Type of Service (TOS) settings which provide a
simple classification system to dictate traffic priority based on port numbers.
The use of TOS in it respective capacities can have a wide ranging impact on the
performance of your services, both positive and negative depending on settings.
That is why it is very important that you understand and study the impact of any
changes to TOS values and then act accordingly, as no two networks are alike. A
very good rule of thumb with TOS configuration is to look at the name of the TOS
value and apply some good judgement to how that name applies to certain service
based traffic on your network. For example the TOS value Minimize-Cost designed
to minimize data transmission generally not be a good setting to improve the
responce time or throughput of HTTP connections. A more fitting setting for
this would be "Maximum Throughput - Minimum Delay", as set to default for HTTP.
The default TOS settings are designed to improve throughput and reliability for
FTP,HTTP,SMTP,POP3 and IMAP, please review conf.apf under the TOS_ settings for
further details on Type of Service (TOS).
Following the TOS settings we find the traceroute settings TCR_ which tell the
firewall if and how we should handle traceroute traffic. This is by default
enabled in APF, mostly cause of popular demand but really there is no reason
to have it enabled or disabled other than personal preference. The TCR_PASS
option tells the firwall if we want to accept traceroutes and on the TCR_PORTS
3.3) Configuration: Reactive Address Blocking
3.4) Configuration: Virtual Network Files
3.5) Configuration: Global Variables & Custom Rules
4) General Usage:
The /usr/local/sbin/apf command has a number of options that will ease the
day-to-day use of your firewall. Here is a quick snap-shot of the options:
usage /usr/local/sbin/apf [OPTION]
-s|--start ......................... load the firewall rules
-r|--restart ....................... stop (flush) & reload firewall rules
-f|--stop .......................... stop (flush) all firewall rules
-l|--list .......................... list chain rules
-t|--status ........................ firewall status
-e|--refresh ....................... refresh & resolve dns names in trust rules
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall
-u|--remove HOST ................... remove host from [glob_]deny_hosts.rules
and immediately remove rule from firewall
-o|--ovars ......................... output all configuration options
These options explain themselves very clearly such as the start/stop/restart
operations.
The -l|--list option will list all the firewall rules you currently have loaded,
this is more of a feature intended for experienced users but nevertheless can be
insightful for any administrator to peak at.
As for the -t|--status option, this will simply show you page-by-page the APF
status log that tracks any operations you perform with APF - if something is
not working properly, this is what you want to run.
The -e|--refresh option will flush the trust system chains and reload them from
the rule files, this will also cause any dns names in the rules to re-resolve.
This feature is ideal if you have dynamic dns names in the trust system, apart
from that it has few other uses.
If you need to quickly allow or deny someone access on the system then the
-a|--allow and -d|--deny options are your champions. If you need to quickly
remove an allow or deny entry from the firewall then the -u|--remove option
is there for it. These options are immediate in action and do NOT require
the firewall to be restarted. Please the below sections of this file for
more information on the trust system.
Finally the -o|--ovars options is a debug feature, if something is not working
the way it was intended and you need help them please send me an email to
[email protected] and be sure to include the output of this option with your email.
4.1) General Usage: Trust System:
The trust system in APF is a very traditional setup with two basic trust levels;
allow and deny. These two basic trust levels are also extended with two global
trust levels that can be imported from a remote server to assist with central
trust management in a large scale deployment. We will first look at the basic
trust levels then have a look at the extended global trust system in the
following section 4.2 then the advanced trust syntax in 4.3.
The two basic trust level files are located at:
/etc/apf/allow_hosts.rules
/etc/apf/deny_hosts.rules
These files by nature are static, meaning that once you add an entry to them,
they will remain in the files till you remove them yourself. The trust files
accept both FQDN (fully qualified domain names) and IP addresses with optional
bit masking. Examples of these formats are:
yourhost.you.com (FQDN)
192.168.2.102 (IP Address)
192.168.1.0/24 (IP Address with 24 bit mask)
The definition of IP bit masking is slightly out of the scope of this document
but some common bit masks that are used would be:
/24 (192.168.1.0 to 192.168.1.255)
/16 (192.168.0.0 to 192.168.255.255)
If you have common abuse from a network of addresses you can whois that address
then determine the network operators assigned address space and ban the network
with bit masking.
There are two methods for adding entries to the trust files and they are first
and formost by using an editor or interface of some type to edit the two files
manually, such as nano (pico clone) or vi (old school editor).
The second is by using the 'apf' command with the options --allow (-a for
short), --deny (-d for short) and --remove (-u for short). The --allow|-a and
--deny|-d flags both accept a comment option which is simply a string at the
end of the command that you would like added to the trust rule files for
reference. Here are some operating examples of these commands:
Trust an address:
apf -a ryanm.dynip.org "my home dynamic-ip"
Deny an address:
apf -d 192.168.3.111 "keeps trying to bruteforce"
Remove an address:
apf -u ryanm.dynip.org
Please take note that the --remove|-u option does not accept a comment string
for obvious reason and that it will remove entries that match from
allow_hosts.rules, deny_hosts.rules and the global extensions of these files.
4.2) General Usage: Global Trust System
4.3) General Usage: Advanced Trust Syntax
Advanced trust usage; The trust rules can be made in advanced format with 4
options (proto:flow:port:ip);
1) protocol: [packet protocol tcp/udp]
2) flow in/out: [packet direction, inbound or outbound]
3) s/d=port: [packet source or destination port]
4) s/d=ip(/xx) [packet source or destination address, masking supported]
Flow assumed as Input if not defined. Protocol assumed as TCP if not defined.
When defining rules with protocol, flow is required.
Syntax:
proto:flow:[s/d]=port:[s/d]=ip(/mask)
s - source , d - destination , flow - packet flow in/out
Examples:
inbound to destination port 22 from 24.202.16.11
tcp:in:d=22:s=24.202.16.11
outbound to destination port 23 to destination host 24.2.11.9
out:d=23:d=24.2.11.9
inbound to destination port 3306 from 24.202.11.0/24
d=3306:s=24.202.11.0/24
4.4) General Usage: Dynamic Trust Files
dyn_allow_hosts.rules
dyn_deny_hosts.rules
5) License:
APF is developed and supported on a volunteer basis by Ryan MacDonald
APF (Advanced policy firewall) is distributed under the GNU General Public
License (GPL) without restrictions on usage or redistribution. The APF
copyright statement, and GNU GPL, "COPYING.GPL" are included in the top-level
directory of the distribution. Credit must be given for derivative works as
required under GNU GPL.
6) Support Information:
If you require any assistance with APF you may refer to the R-fx Networks
community forums located at http://forums.rfxnetworks.com. You may also send
an e-mail to [email protected].
The offical home page for APF is located at:
http://www.rfxnetworks.com/apf.php
All bugs or feature requests should be sent to [email protected] and please be sure
to include as much information as possible or conceptual ideas of how you think
a new feature should work.