APF (Advanced Policy Firewall) for Linux Install and Configuration

Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file. The management of APF on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information and all the features one would expect from a current and forward thinking firewall solution.

For more details and readme plus changelogs or download see: http://www.rfxn.com/projects/advanced-policy-firewall/


Installation with Debian Squeeze:

Pre-Reqs:
– install chkconfig, as the APF install script expects it to be present:

 sudo aptitude install chkconfig 

Now get the latest package with wget from the rfxn.com website (the current release at the time of writing is 9.7-1):

 wget http://www.rfxn.com/downloads/apf-current.tar.gz 

Extract the tar with

 tar -zxvf apf-current.tar.gz 

Change to the extracted directory

 cd apf-9.7-1 

Run the install script (install.sh)

 sudo ./install.sh 

Installing APF 9.7-1: Completed.
Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf

Other Details:
Listening TCP ports: 22,25,111,44482
Listening UDP ports: 111,973,57678
Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

* Note: In some cases on Debian I’ve noticed that the installer doesn’t correctly configure APF to start when the system is started or rebooted. In that case create a script named apf.sh in the /etc directory, make it executable (chmod 755 /etc/apf.sh) and add this code to the script file:

#!/bin/sh
# Load the APF rule set; run in the background so ifup is not held up while the rules load.
sh -c "/etc/apf/apf -s" &

Now edit the interfaces file /etc/network/interfaces and add a pre-up command under the iface stanza (“pre-up /etc/apf.sh”) as shown here:

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    pre-up /etc/apf.sh
    address 10.1.0.38
    netmask 255.255.255.0
    network 10.1.0.0
    broadcast 10.1.0.255
    gateway 10.1.0.254
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 10.1.0.30 10.1.0.29
    dns-search mydomain.local

Keep in mind that a pre-up hook runs before the interface has an address, so anything in the rule set that needs the network at load time (FQDN entries in the trust rules, the DShield list download) cannot be resolved at that moment; run `apf -r` once the box is up, or use the SET_REFRESH option, to pick those up. If the installer did leave an init script in /etc/init.d/apf, the Debian-native alternative is `sudo update-rc.d apf defaults`.

Configuration:

Edit the configuration file conf.apf located in /etc/apf/conf.apf

To start with, change a few things and test them first. Let’s enable RAB [Reactive Address Blocking] by changing

 RAB="1" 

Now let’s open some more ports for our server under “Configure inbound (ingress)”. SSH port 22 is already open; let’s open ports 80 and 443 for our web server. Whatever else you change, keep the SSH port you are connected on in IG_TCP_CPORTS, or you will lock yourself out of a remote box.

Change IG_TCP_CPORTS=”22″ to:

 IG_TCP_CPORTS="22,80,443" 

We can configure the egress filtering after we have tested these changes first.
Save the configuration file and exit

Now start the firewall:

 sudo /usr/local/sbin/apf -s 

Once you have verified that those settings work, edit /etc/apf/conf.apf again and go over all the available options. They are very well documented within the configuration file; enable or disable the ones you want. In the example below we will enable the DShield block list and add some known IP blocks that should always be blocked via the deny_hosts.rules file.

The components that will be changed are listed here, everything else is left as is:

DEVEL_MODE="1"

SET_FASTLOAD="1"

# Note you may want to set this to minutes if using global trust rules 0=never 10=10 mins
SET_REFRESH="0"

SET_TRIM="0"

RAB="1"

# Egress outbound filtering

EGF="1"

EG_TCP_CPORTS="21,25,53,80,443,43"
# EG_UDP_CPORTS keeps its existing value; it must still include 53 or DNS lookups from the host stop working once EGF is on.

# Enable DShield in the Remote Rule Imports section. From the configuration file description:
# DShield collects data about malicious activity from across the Internet. This data is
# cataloged, summarized and can be used to discover trends in activity, confirm widespread
# attacks, or assist in preparing better firewall rules. This is a list of top networks that
# have exhibited suspicious activity.
# So change DLIST_DSHIELD="0" to:

DLIST_DSHIELD="1"

# logging

LOG_DROP="1"

**Note: once everything is set and tested, change DEVEL_MODE=”1″ to DEVEL_MODE=”0″. With DEVEL_MODE=”1″ a cron job flushes (stops) the firewall every 5 minutes as a safety net against locking yourself out during testing, so until you set it to ”0″ the rules you loaded quietly disappear again. The configuration file itself is not touched. This option is located at the top of the file under [Main].

deny_hosts.rules file:
Edit the deny_hosts.rules file and add some known malicious IP addresses or address blocks, or, as a test, add a workstation or device on your own network and check that it can no longer reach the server. The deny_hosts.rules file accepts both FQDNs (fully qualified domain names) and IP addresses with an optional CIDR prefix length. Examples of these formats are:

  • yourhost.you.com (FQDN)
  • 192.168.2.102 (IP Address)
  • 192.168.1.0/24 (IP Address with 24 bit mask)

Restart the firewall and test the rules.

 sudo /usr/local/sbin/apf -r 
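Before restarting a host firewall on a machine you only reach over SSH, it pays to check the configuration for the mistakes discussed above: DEVEL_MODE still set to 1, the SSH port missing from IG_TCP_CPORTS, egress filtering without UDP 53, or your own management address caught by a deny_hosts.rules entry. The script below is an added example and not part of APF or of this page’s original text. It assumes conf.apf’s shell-style KEY="value" layout and the three deny_hosts.rules entry forms listed above, handles single ports only (no port ranges), and runs against constructed sample file contents embedded in the block; point it at the real /etc/apf/conf.apf and /etc/apf/deny_hosts.rules by reading those files instead.

```python
"""Pre-flight sanity checks for an APF configuration, run before `apf -r`.

Added example, not part of APF. It reads the two files this page edits:
conf.apf (shell-style KEY="value" lines) and deny_hosts.rules (one IP
address, CIDR block or FQDN per line, '#' starts a comment), and reports
the mistakes that lock an administrator out of a remote box or silently
undo the rule set. Only single ports are parsed from the *_CPORTS lists.
"""
import ipaddress
import re

# KEY="value" or KEY=value; the value stops at a closing quote or a '#' comment.
ASSIGN_RE = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=\s*"?([^"#]*)"?')

# Constructed sample conf.apf fragment mirroring the values set on this page.
SAMPLE_CONF = """
DEVEL_MODE="1"
SET_FASTLOAD="1"
RAB="1"
IG_TCP_CPORTS="22,80,443"
EGF="1"
EG_TCP_CPORTS="21,25,53,80,443,43"
EG_UDP_CPORTS="20,21,53"
DLIST_DSHIELD="1"
LOG_DROP="1"
"""

# Constructed sample deny_hosts.rules using the three entry forms listed above.
SAMPLE_DENY = """
# known bad hosts
192.168.2.102
192.168.1.0/24   # lab segment used to test the deny rule
yourhost.you.com
"""


def parse_conf(text):
    """Return {KEY: value} for the assignment lines of a conf.apf body."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def parse_ports(value):
    """Turn a comma-separated *_CPORTS value into a set of ints; reject junk."""
    ports = set()
    for item in filter(None, (p.strip() for p in value.split(","))):
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError("bad port entry %r" % item)
        ports.add(int(item))
    return ports


def parse_hosts(text):
    """Split a *_hosts.rules body into (list of ip_network, list of FQDN)."""
    nets, names = [], []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.append(entry)  # FQDN: apf resolves these when it loads
    return nets, names


def preflight(conf, deny_text, ssh_port, admin_ip):
    """Return human-readable problems; an empty list means safe to `apf -r`."""
    problems = []
    if conf.get("DEVEL_MODE") != "0":
        problems.append("DEVEL_MODE is not 0: cron flushes the firewall every 5 minutes")
    if ssh_port not in parse_ports(conf.get("IG_TCP_CPORTS", "")):
        problems.append("SSH port %d is missing from IG_TCP_CPORTS" % ssh_port)
    if conf.get("EGF") == "1" and 53 not in parse_ports(conf.get("EG_UDP_CPORTS", "")):
        problems.append("egress filtering is on but UDP 53 is not in EG_UDP_CPORTS")
    addr = ipaddress.ip_address(admin_ip)
    for net in parse_hosts(deny_text)[0]:
        if addr in net:
            problems.append("admin address %s is covered by deny entry %s" % (admin_ip, net))
    return problems


if __name__ == "__main__":
    # Admin sitting in the 192.168.1.0/24 test block with DEVEL_MODE still on.
    for problem in preflight(parse_conf(SAMPLE_CONF), SAMPLE_DENY, 22, "192.168.1.50"):
        print("WARN:", problem)
```

Run it with the address you administer from and the SSH port you actually use; an empty result is the go-ahead for `apf -r`, anything else is a lockout waiting to happen.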


General Usage:

The /usr/local/sbin/apf command has a number of options that will ease the day-to-day use of your firewall. Here is a quick snap-shot of the options:

usage /usr/local/sbin/apf [OPTION]
-s|--start ......................... load the firewall rules
-r|--restart ....................... stop (flush) & reload firewall rules
-f|--stop .......................... stop (flush) all firewall rules
-l|--list .......................... list chain rules
-t|--status ........................ firewall status
-e|--refresh ....................... refresh & resolve dns names in trust rules
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall
-u|--remove HOST ................... remove host from [glob_]deny_hosts.rules and immediately remove rule from firewall
-o|--ovars ......................... output all configuration options


Securing (Windows) Wireless Network Traffic Article

A nine-part article series at http://www.windowsnetworking.com on securing Windows wireless networks.
If you have Windows servers in a domain and Windows clients, you can also set up the Microsoft implementation of 802.1X wireless authentication using certificates.
http://www.windowsnetworking.com/articles_tutorials/Securing-Wireless-Network-Traffic-Part1.html

HTTrack website copier

HTTrack is a free offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site’s relative link-structure. Simply open a page of the “mirrored” website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.

Works on 2000/XP/Vista/Seven and Linux/Unix/BSD.

http://www.httrack.com

Linux disk bench test with bonnie++

I recently wanted to run some stress bench tests on a new small KVM virtual host running CentOS 6 and found bonnie++ was exactly what I needed.

Installing and running bonnie++ was as easy as this on CentOS:

sudo yum install bonnie++

Example command syntax for bonnie++ (5 GiB test file, machine name for the report, skip the per-character tests, unbuffered writes, scratch directory /tmp). Use a file size of at least twice the host’s RAM so the page cache does not mask the disk; -r tells bonnie++ the RAM size if it guesses wrong.

bonnie++ -s 5g -m hostname -f -b -d /tmp

Or just run bonnie++:

bonnie++

usage:
bonnie++ [-d scratch-dir] [-c concurrency] [-s size(MiB)[:chunk-size(b)]]
[-n number-to-stat[:max-size[:min-size][:num-directories[:chunk-size]]]]
[-m machine-name] [-r ram-size-in-MiB]
[-x number-of-tests] [-u uid-to-use:gid-to-use] [-g gid-to-use]
[-q] [-f] [-b] [-p processes | -y] [-z seed | -Z random-file]
[-D]

Version: 1.96

On Debian/Ubuntu it is simply apt-get install bonnie++ or aptitude install bonnie++.