APF: revision differences

From 站长百科
No edit summary

Revision as of 23:50, 2 May 2010 (Sun)

APF (Advanced Policy Firewall) is a free firewall commonly used on Linux servers.

Installing APF

  • Download the APF source
# wget http://www.rfxn.com/downloads/apf-current.tar.gz
  • Unpack it
# tar -xvzf apf-current.tar.gz
  • Enter the APF directory
# cd apf-0.9.7-1/   (or whatever the latest version is)
  • Run the install script
# ./install.sh


Configuring APF

Edit the configuration file:

# vi /etc/apf/conf.apf

Port settings (INGRESS)

Two example settings for the inbound port lists; use only one of them, and list only the ports your server actually serves. The first example includes the cPanel ports:

     # Common ingress (inbound) TCP ports
     IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
     # Common ingress (inbound) UDP ports
     IG_UDP_CPORTS="21,53,465,873"

The second example is for a server without cPanel:

     # Common ingress (inbound) TCP ports
     IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"
     # Common ingress (inbound) UDP ports
     IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"

Filtering outbound traffic with APF

Change EGF="0" to EGF="1", then tell APF which outbound ports to allow:

     # Tell APF what ports to monitor
     # Common egress (outbound) TCP ports (for Cpanel servers)
     EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"
     # Common egress (outbound) UDP ports
     EG_UDP_CPORTS="20,21,53,465,873"
     # Common ICMP (outbound) types
     # 'internals/icmp.types' for type definition; 'all' is wildcard for any
     EG_ICMP_TYPES="all"

  • Save your changes (in pico: Ctrl+X, then Y).
  • Start APF:
# /usr/local/sbin/apf -s
  • If everything works, edit the configuration file again and turn developer mode off:
# pico /etc/apf/conf.apf

Change DEVM="1" to DEVM="0". While DEVM="1", APF installs a cron job that flushes the firewall every five minutes, so a mistaken rule cannot lock you out for long; set it to "0" only once you have confirmed you can still reach the server.

Restart APF:

# /usr/local/sbin/apf -r
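Before starting the firewall it is worth linting the port lists in conf.apf. The following is an added example, not code from the original page or from APF: it checks that every entry of a *_CPORTS list is a port number in 1..65535, so that a garbled entry (two ports that lost their comma) is caught before `apf -s`. It assumes the plain "port,port,..." form shown above; the conf.apf fragment is constructed.

```shell
#!/bin/sh
# Added example (not part of the original page or of APF): lint the
# comma-separated port lists in conf.apf before starting the firewall.
# Assumes the plain "port,port,..." form of the IG_*/EG_*_CPORTS lines.

# Constructed sample conf.apf fragment; the first list contains a typo on purpose.
SAMPLE_CONF='IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587953,2222,3306,32769"
IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"
EG_TCP_CPORTS=" 21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"'

# check_port_list NAME LIST: print "NAME: entry" for each entry that is not a
# port number 1..65535 (stray whitespace is tolerated); returns 1 if any was bad.
check_port_list() {
    printf '%s\n' "$2" | tr ',' '\n' | awk -v name="$1" '
        { gsub(/[ \t]/, ""); p = $0 + 0 }
        $0 == "" { next }
        $0 !~ /^[0-9]+$/ || p < 1 || p > 65535 { print name ": " $0; bad = 1 }
        END { exit bad + 0 }'
}

# check_conf_ports CONF_TEXT: run check_port_list over every *_CPORTS="..." line
# of the given conf.apf text; prints the bad entries and returns 1 if there were any.
check_conf_ports() {
    bad=$(printf '%s\n' "$1" |
        sed -n 's/^\([A-Z_]*_CPORTS\)="\([^"]*\)".*$/\1 \2/p' |
        while read -r name list; do
            check_port_list "$name" "$list" || :
        done)
    [ -n "$bad" ] && printf '%s\n' "$bad"
    [ -z "$bad" ]
}

# Typical use: check_conf_ports "$(cat /etc/apf/conf.apf)" && /usr/local/sbin/apf -s
```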

Viewing the APF log

View the log with:

# tail -f /var/log/apf_log

The output looks like this:

   Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
   Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123
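A per-host summary of those log lines, as an added example that is not part of the original page or of APF: it counts the deny and allow inserts for each host and records which came last, so a block that was later undone by an allow stands out. It assumes the line format shown above; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not part of the original page or of APF): summarise the
# "(insert) deny/allow" entries of /var/log/apf_log per host.
# Assumes the log line format shown in the article.

# Constructed sample log lines, modelled on the two lines shown above.
SAMPLE_APF_LOG='Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123
Aug 23 02:10:07 ocean apf(32500): (insert) deny all to/from 203.0.113.9
Aug 23 02:11:30 ocean apf(32511): (insert) deny all to/from 203.0.113.9
Aug 23 02:12:00 ocean apf(32520): {glob} flushing & zeroing all chains'

# apf_log_summary: read log lines on stdin and print, per host and sorted by host,
# "HOST deny=N allow=M last=deny|allow". Lines that are not deny/allow inserts are ignored.
apf_log_summary() {
    awk '$6 == "(insert)" && ($7 == "deny" || $7 == "allow") && $9 == "to/from" {
            host = $10                     # the address or CIDR is the last field
            if ($7 == "deny") deny[host]++; else allow[host]++
            last[host] = $7                # most recent action for this host
        }
        END {
            for (h in last)
                printf "%s deny=%d allow=%d last=%s\n", h, deny[h]+0, allow[h]+0, last[h]
        }' | sort
}

# Typical use: apf_log_summary < /var/log/apf_log
```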

Starting APF automatically at boot

To have APF start with the server, run:

chkconfig --level 2345 apf on

To stop APF from starting automatically, run:

chkconfig --del apf

Blocking an IP with APF

An IP can be blocked in either of two ways.

  • With the apf command:

/etc/apf/apf -d IPHERE COMMENTHERENOSPACES

> -d means DENY the IP address
> IPHERE is the IP address to block
> COMMENTHERENOSPACES is a comment (without spaces) recording why the IP was blocked

The command takes effect immediately.

Example:

./apf -d 185.14.157.123 TESTING

vi /etc/apf/deny_hosts.rules

The file now contains the added entry:

   # added 185.14.157.123 on 08/23/05 01:25:55
   # TESTING
   185.14.157.123

  • By editing the file deny_hosts.rules:

vi /etc/apf/deny_hosts.rules

Then add the IP to block on a new line in that file. The APF ruleset must be reloaded before this takes effect:

/etc/apf/apf -r

Allowing an IP (unblocking)

Having blocked an IP, you may need to remove the block again right away. Blocked IPs have to be removed from deny_hosts.rules by hand.

A) pico /etc/apf/deny_hosts.rules

Find the line listing the IP and delete it. Then save the file and reload APF to activate the change:

/etc/apf/apf -r

B) If the IP is not already listed in deny_hosts.rules and you want to allow it, this method adds an entry to allow_hosts.rules (it does not remove an existing deny entry; use method A for that):

/etc/apf/apf -a IPHERE COMMENTHERENOSPACES

> -a means ALLOW the IP address
> IPHERE is the IP address to allow
> COMMENTHERENOSPACES is a comment (without spaces) recording why the IP is being allowed

These rules are loaded into the firewall straight away, so they are active immediately.

Example:

./apf -a 185.14.157.123 UNBLOCKING

pico /etc/apf/allow_hosts.rules

   # added 185.14.157.123 on 08/23/05 01:39:43
   # UNBLOCKING
   185.14.157.123
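Since both files are edited by hand, a check before `apf -r` is useful. The following is an added example, not code from the original page or from APF: it reports entries that are not an IPv4 address or CIDR range, and hosts that appear in both allow_hosts.rules and deny_hosts.rules (the result of an `apf -a` unblock that never removed the deny entry). It assumes the file layout shown above; both sample files are constructed.

```shell
#!/bin/sh
# Added example (not part of the original page or of APF): sanity-check
# allow_hosts.rules / deny_hosts.rules before "apf -r". Assumes the layout
# shown in the article: "#" comment lines, then one host per line.

# Constructed sample files, modelled on the entries shown above.
SAMPLE_DENY='# added 185.14.157.123 on 08/23/05 01:25:55
# TESTING
185.14.157.123
# added 203.0.113.0/24 on 08/23/05 02:00:00
# SCANNER
203.0.113.0/24
not-an-address'
SAMPLE_ALLOW='# added 185.14.157.123 on 08/23/05 01:39:43
# UNBLOCKING
185.14.157.123'

# is_ipv4_or_cidr HOST: succeed only for a.b.c.d or a.b.c.d/N with 0 <= N <= 32
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 + 0 > 32) { exit 1 }
        { exit 0 }'
}

# rule_hosts: drop the comment and blank lines of a rules file read on stdin
rule_hosts() {
    grep -Ev '^[[:space:]]*(#|$)' || :
}

# invalid_hosts: print each host line (stdin) that is_ipv4_or_cidr rejects
invalid_hosts() {
    rule_hosts | while IFS= read -r h; do
        is_ipv4_or_cidr "$h" || printf '%s\n' "$h"
    done
}

# conflicting_hosts ALLOW_TEXT DENY_TEXT: hosts present in both files
conflicting_hosts() {
    { printf '%s\n' "$1" | rule_hosts | sed 's/^/A /'
      printf '%s\n' "$2" | rule_hosts | sed 's/^/D /'; } |
    awk '$1 == "A" { allow[$2] = 1 }
         $1 == "D" && ($2 in allow) && !($2 in seen) { print $2; seen[$2] = 1 }'
}
```

Typical use: `invalid_hosts < /etc/apf/deny_hosts.rules` and `conflicting_hosts "$(cat /etc/apf/allow_hosts.rules)" "$(cat /etc/apf/deny_hosts.rules)"`; resolve anything printed before reloading.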

Custom iptables rules in APF

/etc/apf contains two configuration files, postroute.rules and preroute.rules. Put your iptables POSTROUTING and PREROUTING rules into the corresponding file and APF will load them automatically at startup; this is how NAT forwarding is set up. Other custom iptables commands can be written directly into /etc/apf/firewall.

Common APF commands

     apf -s                            # start the APF firewall
     apf -r                            # restart the APF firewall
     apf -f                            # flush the APF firewall rules
     apf -l                            # list the APF configuration, similar to iptables -nL
     apf -st                           # APF statistics, mainly the allow (white) and deny (black) list entries
     apf -a IP/range(FQDN) "comment"   # add an IP or IP range to the allow list
     apf -d IP/range(FQDN) "comment"   # add an IP or IP range to the deny list
     apf -u IP/range(FQDN)             # remove an IP or IP range from the allow/deny lists



Related entries

iptables, DDoS-Deflate