Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : APF Firewall - Problem Starting

[wscreate]

Hi. I have installed the APF firewall on a RH Linux 9 box with Cpanel and Apache 1.3.31.

When I try to start it, I get this error.

root@ns [~]# service apf start
Starting APF:/usr/local/sbin/apf: $IPTLOG: ambiguous redirect
/usr/local/sbin/apf: $IPTLOG: ambiguous redirect
/etc/apf/firewall: $IPTLOG: ambiguous redirect
/etc/apf/firewall: $IPTLOG: ambiguous redirect
/etc/apf/firewall: $IPTLOG: ambiguous redirect
/etc/apf/firewall: $IPTLOG: ambiguous redirect
/etc/apf/firewall: $IPTLOG: ambiguous redirect
/etc/apf/firewall: $IPTLOG: ambiguous redirect
/etc/apf/firewall: $IPTLOG: ambiguous redirect
/etc/apf/firewall: $IPTLOG: ambiguous redirect
..........

And I have to stop the command via <ctrl> c

What could be the source of this problem? I cannot seem to be able to find the $IPTLOG variable.

[wscreate]

Strange this is, this firewall used to work fine until recently. I do not know what has changed to affect this.

[Rahil]

Check your conf.apf for errors and/or missing lines?

[sprintserve]

What version of APF?

[wscreate]

Quote:

Originally posted by sprintserve
What version of APF?

Version 0.9.3

[wscreate]

I did find the $iptlog variable.... Here is the code from /etc/apf/internals/function.apf

I see the $iptlog variable in the last line of the code below

You know, the only thing I did in the past weeks is I used "./scripts/securetmp" (CPanel server) to secure the /tmp directory on this server. Surely that has not interfered with this firewall?

========== CODE function.apf =============
##
echo "Inserted into firewall: Allow all to/from $HOST"
fi
else
echo "an FQDN or IP address is required for this option"
fi
}

d_cli_tr() {
HOST=$1
if [ ! "$HOST" == "" ]; then
val=`cat /etc/apf/deny_hosts.rules | grep -w $HOST`
if [ ! "$val" == "" ]; then
echo "$HOST already exists in trust system"
else
echo "$HOST" >> /etc/apf/deny_hosts.rules
$IPT -I INPUT -s $HOST -i $IF -j $DSTOP
$IPT -I OUTPUT -d $HOST -o $IF -j $DSTOP
eout "(insert) deny all to/from $HOST"
echo "Inserted into firewall: Deny all to/from $HOST"
fi
else
echo "an FQDN or IP address is required for this option"
fi
}

flush() {
if [ ! "$1" = "1" ]; then
eout "flushing & zeroing chain policies"
fi
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do $IPT -t $i -F; done
for i in $chains; do $IPT -t $i -X; done
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
if [ ! "$1" = "1" ]; then
eout "firewall offline"
fi
}

list() {
echo "Loading chain rules..."
:> /tmp/ipt.chains ; chmod 600 /tmp/ipt.chains
$IPT --line-numbers --list >> /tmp/ipt.chains
echo "Opening editor"
/usr/bin/pico -w /tmp/ipt.chains
clear
rm -f /tmp/ipt.chains
}

status() {
echo "$NAME Status Log:"
tac $IPTLOG | more
}

==============================

[BitOMagic]

Try to do the follownig

service apf restart

If you have run /scripts/securetmp while having the firewall running. It may be a smart thing to restart APF.

[wscreate]

Quote:

Originally posted by BitOMagic
Try to do the follownig

service apf restart

If you have run /scripts/securetmp while having the firewall running. It may be a smart thing to restart APF.

Right. I have restarted apf. That's when I noticed that the error happens....


root@ns [~]# service apf restart
Stopping APF:/etc/init.d/apf: $IPTLOG: ambiguous redirect
/etc/init.d/apf: $IPTLOG: ambiguous redirect
[ OK ]
Starting APF:/usr/local/sbin/apf: $IPTLOG: ambiguous redirect
/usr/local/sbin/apf: $IPTLOG: ambiguous redirect
/usr/local/sbin/apf: $IPTLOG: ambiguous redirect
/etc/apf/firewall: $IPTLOG: ambiguous redirect
/etc/apf/firewall: $IPTLOG: ambiguous redirect
/etc/apf/firewall: $IPTLOG: ambiguous redirect
/etc/apf/firewall: $IPTLOG: ambiguous redirect