APF：修订间差异

2010年5月2日 (日) 23:56的最新版本

APF是Linux服务器常用的免费防火墙。

APF安装[ ]

下载APF源码

# wget http://www.rfxn.com/downloads/apf-current.tar.gz

解压缩

# tar -xvzf apf-current.tar.gz

# cd apf-0.9.7-1/ or whatever the latest version is.

运行安装文件

# ./install.sh

APF配置[ ]

修改配置文件[ ]

# vi /etc/apf/conf.apf

端口设置 (INGRES)[ ]

cPanel的设置

     # Common ingress (inbound) TCP ports
     IG_TCP_CPORTS=" 20,21,22,25,26,53,80,110,143,443,465,993,995,2082,
     2083,2086,2087,2095,2096,3306,6666"\
     # Common ingress (inbound) UDP ports
     IG_UDP_CPORTS="21,53,465,873"

DirectAdmin 面板的设置

     # Common ingress (inbound) TCP ports
     IG_TCP_CPORTS=" 21,22,25,53,80,110,111,143,443,587953,2222,3306,32769"
     # Common ingress (inbound) UDP ports
     IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"

让APF监控外出流量[ ]

修改: EGF="0" 为 EGF="1"

Tell APF what ports to monitor
Common egress (outbound) TCP ports (for Cpanel servers)

EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"

Common egress (outbound) UDP ports

EG_UDP_CPORTS="20,21,53,465,873"

Common ICMP (outbound) types
'internals/icmp.types' for type definition; 'all' is wildcard for any

EG_ICMP_TYPES="all"

Save your changes! Ctrl+X then press Y
Start APF
/usr/local/sbin/apf -s
If all works edit the config file and change the developer mode to 0
pico /etc/apf/conf.apf

修改 DEVM="1" 为 DEVM="0"

重启 APF[ ]

# /usr/local/sbin/apf -r

查看APF日志[ ]

查看日志 tail -f /var/log/apf_log

输出类似下面的内容:

   Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
   Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123

让APF随服务器自动启动[ ]

让APF随服务器自动启动，运行下面的命令:

chkconfig --level 2345 apf on

禁止APF自动启动，运行下面的命令:

chkconfig --del apf

通过APF禁止IP[ ]

可通过下面两种方法禁止IP

通过命令：

/etc/apf/apf -d IPHERE COMMENTHERENOSPACES

>-d 表示禁止IP

> IPHERE 要禁止的IP地址

> COMMENTSHERENOSPACES 注释该IP被封的原因

该命令是立即生效的

例子:

./apf -d 185.14.157.123 TESTING

vi /etc/apf/deny_hosts.rules

文件中多出来:

   # added 185.14.157.123 on 08/23/05 01:25:55
   # TESTING
   185.14.157.123

通过编辑文件 deny_hosts.rules

vi /etc/apf/deny_hosts.rules

然后在该文件中添加要过滤的IP. 需要重新APF设置才会生效：

/etc/apf/apf -r

解禁IP[ ]

从deny_hosts.rules文件中移除IP就可以解禁该IP.

直接编辑文件

vi /etc/apf/deny_hosts.rules

找到IP并删除掉，然后重启APF：

/etc/apf/apf -r

使用命令

如果IP不在deny_hosts.rules, 使用该命令可以将IP添加到APF的白名单中allow_hosts.rules

/etc/apf/apf -a IPHERE COMMENTHERENOSPACES

> -a 表示允许IP

> IPHERE 要允许的IP地址

>COMMENTHERENOSPACES 注释

例子:

./apf -a 185.14.157.123 UNBLOCKING

vi /etc/apf/allow_hosts.rules

   # added 185.14.157.123 on 08/23/05 01:39:43
   # UNBLOCKING
   185.14.157.123

APF自定义Iptables命令[ ]

/etc/apf下有2个配置文件postroute.rules和preroute.rules。把Iptables的POSTROUTE和 PREROUTE命令放入对应的配置文件，APF在启动时就会自动调用实现NAT转发。其他Iptables自定义命令可以直接写入/etc/apf/firewall里面。

APF常用操作命令[ ]

apf -s # 启动APF防火墙

apf -r # 重启APF防火墙

apf -f # 刷新APF防火墙配置文件

apf -l # 列出APF的配置信息，与iptables -nL类似

apf -st # APF信息统计。主要包括白名单，黑名单信息。

apf -a IP地址/IP段(FQDN) "注释" # 将IP/IP段添加到白名单

apf -d IP地址/IP段(FQDN) "注释" # 将IP/IP段添加到黑名单

apf -u # 将IP/IP段从白/黑名单中删除

@@ 第13行： / 第13行： @@
 == APF配置 ==
-* 修改配置文件
+===修改配置文件===
-  # pico /etc/apf/conf.apf
+  # vi /etc/apf/conf.apf
-* 端口设置 (INGRES).
+===端口设置 (INGRES)===
-** [[cPanel]]的设置
+* [[cPanel]]的设置
        # Common ingress (inbound) TCP ports
        IG_TCP_CPORTS=" 20,21,22,25,26,53,80,110,143,443,465,993,995,2082,
@@ 第23行： / 第23行： @@
        # Common ingress (inbound) UDP ports
        IG_UDP_CPORTS="21,53,465,873"
-** [[DirectAdmin]] 面板的设置
+* [[DirectAdmin]] 面板的设置
        # Common ingress (inbound) TCP ports
        IG_TCP_CPORTS=" 21,22,25,53,80,110,111,143,443,587953,2222,3306,32769"
@@ 第29行： / 第29行： @@
        IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"
-*让APF监控外出流量
+===让APF监控外出流量===
-Change the line:
+修改:
-EGF=”0″
+EGF="0"
-to
+为
-EGF=”1″
+EGF="1"
 # Tell APF what ports to monitor
 # Common egress (outbound) TCP ports (for Cpanel servers)
@@ 第47行： / 第47行： @@
 # If all works edit the config file and change the developer mode to 0
 # pico /etc/apf/conf.apf
-Change
+修改
-DEVM=”1″
+DEVM="1"
-to
+为
-DEVM=”0″
+DEVM="0"
-Save your changes! Ctrl+X then press Y
+===重启 APF===
-* 重启 APF
   # /usr/local/sbin/apf -r
-* 查看APF Log
+===查看APF日志===
-Will show any changes to allow and deny hosts among other things.
+查看日志
 tail -f /var/log/apf_log
-Example output:
+输出类似下面的内容:
      Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
      Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123
-*让APF随服务器自动启动
+===让APF随服务器自动启动===
+让APF随服务器自动启动，运行下面的命令:
-To autostart apf on reboot, run this:
 chkconfig --level 2345 apf on
-To remove it from autostart, run this:
+禁止APF自动启动，运行下面的命令:
 chkconfig --del apf
-*通过APF禁止IP
+===通过APF禁止IP===
+可通过下面两种方法禁止IP
+* 通过命令：
+/etc/apf/apf -d IPHERE COMMENTHERENOSPACES
-Now that you have your shiny new firewall you probably want to block a host right, of course you do! With this new version APF now supports comments as well. There are a few ways you can block an IP, I’ll show you 2 of the easier methods.
+>-d 表示禁止IP
-A) /etc/apf/apf -d IPHERE COMMENTHERENOSPACES
+> IPHERE 要禁止的IP地址
-> The -d flag means DENY the IP address
-> IPHERE is the IP address you wish to block
+> COMMENTSHERENOSPACES 注释该IP被封的原因
-> COMMENTSHERENOSPACES is obvious, add comments to why the IP is being blocked
-These rules are loaded right away into the firewall, so they’re instantly active.
+该命令是立即生效的
-Example:
+例子:
 ./apf -d 185.14.157.123 TESTING
-pico /etc/apf/deny_hosts.rules
+vi /etc/apf/deny_hosts.rules
-Shows the following:
+文件中多出来:
      # added 185.14.157.123 on 08/23/05 01:25:55
@@ 第96行： / 第103行： @@
 .14.157.123
-B) pico /etc/apf/deny_hosts.rules
+*通过编辑文件 deny_hosts.rules
+vi /etc/apf/deny_hosts.rules
-You can then just add a new line and enter the IP you wish to block. Before this becomes active though you’ll need to reload the APF ruleset.
+然后在该文件中添加要过滤的IP. 需要重新APF设置才会生效：
 /etc/apf/apf -r
-*设置许可IP(Unblocking)
+===解禁IP===
-I know I know, you added an IP now you need it removed right away! You need to manually remove IPs that are blocked from deny_hosts.rules.
+从deny_hosts.rules文件中移除IP就可以解禁该IP.
-A) pico /etc/apf/deny_hosts.rules
+* 直接编辑文件
-Find where the IP is listed and remove the line that has the IP.
+vi /etc/apf/deny_hosts.rules
-After this is done save the file and reload apf to make the new changes active.
+找到IP并删除掉，然后重启APF：
 /etc/apf/apf -r
-B) If the IP isn’t already listed in deny_hosts.rules and you wish to allow it, this method adds the entry to allow_hosts.rules
+*使用命令
+如果IP不在deny_hosts.rules, 使用该命令可以将IP添加到APF的白名单中allow_hosts.rules
 /etc/apf/apf -a IPHERE COMMENTHERENOSPACES
-> The -a flag means ALLOW the IP address
-> IPHERE is the IP address you wish to allow
+>  -a 表示允许IP
-> COMMENTSHERENOSPACES is obvious, add comments to why the IP is being removed These rules are loaded right away into the firewall, so they’re instantly active.
-Example:
+> IPHERE 要允许的IP地址
+>COMMENTHERENOSPACES 注释
+例子:
 ./apf -a 185.14.157.123 UNBLOCKING
-pico /etc/apf/allow_hosts.rules
+vi /etc/apf/allow_hosts.rules
      # added 185.14.157.123 on 08/23/05 01:39:43
      # UNBLOCKING
 .14.157.123
+===APF自定义Iptables命令===
+/etc/apf下有2个配置文件postroute.rules和preroute.rules。把Iptables的POSTROUTE和 PREROUTE命令放入对应的配置文件，APF在启动时就会自动调用实现NAT转发。
+其他Iptables自定义命令可以直接写入/etc/apf/firewall里面。
 ==APF常用操作命令==
 apf -s  # 启动APF防火墙
@@ 第144行： / 第164行： @@
 apf -u # 将IP/IP段从白/黑名单中删除
 ==相关条目==
-[[iptables]] [[DDoS-Deflate]]
+[[iptables]] [[DDoS-Deflate]] [[CSF]]
 [[category:服务器]] [[category:防火墙]]

WIKI使用导航

站长百科导航

站长专题

APF：修订间差异

2010年5月2日 (日) 23:56的最新版本

目录

APF安装[ ]

APF配置[ ]

修改配置文件[ ]

端口设置 (INGRES)[ ]

让APF监控外出流量[ ]

重启 APF[ ]

查看APF日志[ ]

让APF随服务器自动启动[ ]

通过APF禁止IP[ ]

解禁IP[ ]

APF自定义Iptables命令[ ]

APF常用操作命令[ ]

相关条目[ ]