APF problem

  #1  
Old 03-09-2006, 09:15 AM
nookie_pl
Newbie
 
Join Date: Feb 2006
Posts: 10

APF problem


I've tried to run APF on my server, but I've got this error:

[root@noohost root]# apf -s
Użycie: grep [OPCJA]... WZORZEC [PLIK] ...
Napisz `grep --help' żeby dowiedzieć się więcej.
grep: 127.0.0.1: Nie ma takiego pliku ani katalogu

(Usage: ... blah bla, grep: 127.0.0.1: No such file or directory)

What did I do wrong? (Tellll meee baby, where I diddd go wrong, haha)

  #2  
Old 03-09-2006, 02:07 PM
andyreed
Disabled
 
Join Date: Dec 2004
Location: Minneapolis, MN
Posts: 106
Quote:
Originally Posted by nookie_pl
I've tried to run APF on my server, but I've got this error:

[root@noohost root]# apf -s
Użycie: grep [OPCJA]... WZORZEC [PLIK] ...
Napisz `grep --help' żeby dowiedzieć się więcej.
grep: 127.0.0.1: Nie ma takiego pliku ani katalogu

What did I do wrong? (Tellll meee baby, where I diddd go wrong, haha)
If I were you, I wouldn't worry about APF and I wouldn't install it on any of my servers. APF can cause more network and other technical damage than security. There are several ways to secure and harden your server. Good luck!

  #3  
Old 03-09-2006, 10:00 PM
Servax
Aspiring Evangelist
 
Join Date: Mar 2005
Posts: 399
Quote:
Originally Posted by andyreed
If I were you, I wouldn't worry about APF and I wouldn't install it on any of my servers. APF can cause more network and other technical damage than security. There are several ways to secure and harden your server. Good luck!
Why exactly do you say that? I have had no issues with APF and I find it doesn't cause ANY issues whatsoever if configured correctly. Also, it is best to have a firewall to close non-required ports. Furthermore, I find that your post did not help the poster at all.

Anyways, nookie_pl it would probably help if you also posted your current configuration on APF, you might have configured it incorrectly. This command would probably be pretty helpful:

cat /etc/apf/conf.apf | grep 127.0.0.1

That command will spit out every line that has "127.0.0.1" in your APF configuration.

__________________
|| Dennis Liang,
|| ServaxNet LLC

  #4  
Old 03-15-2006, 07:42 AM
nookie_pl
Newbie
 
Join Date: Feb 2006
Posts: 10
Quote:
Originally Posted by Servax
Anyways, nookie_pl it would probably help if you also posted your current configuration on APF, you might have configured it incorrectly. This command would probably be pretty helpful:

cat /etc/apf/conf.apf | grep 127.0.0.1

That command will spit out every line that has "127.0.0.1" in your APF configuration.
On cat /etc... nothing appears.

Here is my config.

Quote:
#!/bin/sh
#
# APF 0.9.5 [apf@r-fx.org]
#
# NOTE: This file should be edited with word/line wrapping off,
# if your using pico please start it with the -w switch.
# (e.g: pico -w filename)
#

##
# [Dev. Mode]
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to flush the firewall; set
# this mode off (0) when firewall determined to be operating as desired.
##

# Set firewall dev cronjob
# 1 = enabled / 0 = disabled
DEVM="1"

##
# [Main]
##

# Path of firewall installation
FWPATH="/etc/apf"

# Untrusted Network interface; all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interface. Only one interface is accepted for this value.
IF="eth0"

# Trusted Network interface(s); all traffic on defined interface(s) will by-pass
# ALL firewall rules (white space or comma seperated list; e.g: TIF="eth1 eth2").
TIF=""

# Local gateway mac address [optional]; when a value is present, only traffic
# from the local gateway will be permitted. It is quite trivial to forge a MAC
# address and as such this is provided as another layer of route verification.
LGATE_MAC=""

# Enable virtual network subsystem; creats independent policy ruleset for each
# ip on a system (pulls data from 'ip addr list') to /etc/apf/vnet/ip.rules
# Template is located in the vnet/ folder for rule files. This feature can
# reduce apf start/stop performance and is not recommend for systems with more
# than 255 (/24) ip's. [0 = Disabled / 1 = Enabled]
EN_VNET="0"

# Support Monolithic kernel builds [no LKM's]. This mode of operation is
# not really supported and you use at your own risk.
MONOKERN="1"

##
# [Packet Filtering/Handling]
##

# Default Type of Service (TOS)
#
# 8: Maximum Throughput - Minimum Delay
# 4: Minimize Delay - Maximize Reliability
# 16: No Delay - Moderate Throughput - High Reliability
DEF_TOS="4"

# How to handle TCP packet filtering?
#
# RESET (sends a tcp-reset; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
TCP_STOP="DROP"

# How to handle UDP packet filtering?
#
# RESET (sends a icmp-port-unreachable; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
# PROHIBIT (send an icmp-host-prohibited)
UDP_STOP="DROP"

# How to handle all other packet filtering? (icmp,arp,igmp)
#
# DROP (drop the packet)
# REJECT (reject the packet)
DSTOP="DROP"

# Set a reasonable packet/time ratio for ICMP packets; exceeding
# such packet flow ratio will result in dropped packets.
# pkt/s (packets/seconds), pkt/m (packets/minutes)
ICMP_LIM="14/s"

# Use a dynamic discovery routine to parse and create rules based
# on the local name servers defined in /etc/resolv.conf.
# [0 = Disabled / 1 = Enabled]
RESV_DNS="0"

# With RESV_DNS enabled; all untrusted name server traffic can fill
# the logs with sport 53 traffic. This can be suppressed with an
# implicit drop of all such traffic (sport 53 ingress) as so to avoid
# the log chain.
RESV_DNS_DROP="1"

# You need multicasting if you intend to participate in the MBONE, a
# high bandwidth network on top of the Internet which carries audio
# and video broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/,
# this is generally safe to enable. [0 = Disabled / 1 = Enabled]
BLK_MCATNET="0"

# Block all private ipv4 addresses; this is address space reserved
# for private networks; or otherwise unroutable on the internet.
# If this host resides behind a firewall with NAT or routing scheme
# that otherwise uses private addressing; leave this option off.
# Refer to the 'internals/private.networks' file for listing of
# address space. [0 = Disabled / 1 = Enabled]
BLK_PRVNET="0"

# Block all ipv4 address space marked reserved for future use or
# unassigned; such networks have no business communicating with us.
# However they may at some point become live address space. Refer to
# the 'internals/reserved.networks' file for listing of address space.
# [0 = Disabled / 1 = Enabled]
BLK_RESNET="0"

# This is the maximum number of "sessions" (connection tracking entries)
# that can be handled simultaneously by the firewall in kernel memory.
# Increasing this value too high will simply waste memory; setting it
# too low may result in some or all connections being refused, in paticular
# during denial of service attacks.
SYSCTL_CONNTRACK="34576"

# These are sysctl hook changes to further harden the kernel from
# network attack trends by lowering standard time-out values and other
# time based packet responces. [0 = Disabled / 1 = Enabled]
SYSCTL_TCP="1"

# These are sysctl hook changes intended to help mitigate syn-flood
# attacks by lowering syn retry, syn backlog & syn time-out values.
# [0 = Disabled / 1 = Enabled]
SYSCTL_SYN="1"

# These are sysctl hook changes to provide protection from spoofed
# packets, and arp/route redirection. [0 = Disabled / 1 = Enabled]
SYSCTL_ROUTE="0"

# This sysctl hook will log all internal traffic that is otherwise
# not to/from a local interface and not multicast.
# [0 = Disabled / 1 = Enabled]
SYSCTL_LOGMARTIANS="0"

# This sysctl hook will allow you to enable or disable ECN support
# (Explicit Congestion Notification); this feature provides an
# improved method for congestion avoidance by allowing the network
# to mark packets for transmission later, rather than dropping them
# from the queue. [0 = Disabled / 1 = Enabled]
SYSCTL_ECN="0"

# This sysctl hook will allow you to enable or disable SynCookies
# support; this feature will send out a 'syn-cookie' when the syn
# backlog for a socket becomes overflowed. The cookie is used to
# interrupt the flow of syn transmissions with a hashed sequence
# number that must be corrilated with the sending host. The hash
# is made up of the sending host address, packet flags etc...;
# if the sending host does not validate against the hash then the
# tcp hand-shake is terminated. [0 = Disabled / 1 = Enabled]
# Note: syncookies seriously violates TCP protocol and can result
# in serious degradation of some services (i.e. SMTP);
# visible not by you, but your clients and relays whom are
# contacting your system.
SYSCTL_SYNCOOKIES="1"

# This sysctl hook will allow you to toggle Abort_On_Overflow support;
# This feature will help mitigate burst floods if a listening service
# is too slow to accept new connections. This option is an alternative
# for SynCookies and both should NEVER be enabled at once.
# [0 = Disabled / 1 = Enabled]
# Note: This option can harm clients contacting your system. Enable
# option only if you are sure that the listening daemon can not
# be tunned to accept connections faster.
SYSCTL_OVERFLOW="0"

# Common drop ports; these are implicit ports you do not want logged
# with the default drop chains. Format is comma seperated and underscore
# seperator for ranges (135_139). Ports are droped and ignored for both
# TCP & UDP as well as inbound and outbound.
CDPORTS="135_139,111,513,445,1433,1434,1234,1524,3127"

##
# [Ingress]
# Configure ingress (inbound) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma seperated
# and underscore seperator for ranges.
#
# Example:
# IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
# IG_UDP_CPORTS="20,21,53,123"
# IG_ICMP_TYPES="3,5,11,0,30,8"
##

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2222,3389,8443,8880,10000,30000,61001_65535"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

##
# [Egress]
# Configure egress (outbound) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory.
#
# Egress filtering is not required but makes your firewall setup complete
# by providing full inbound and outbound packet filtering. You can toggle
# egress filtering on or off with the EGF variable. Format is comma seperated
# and underscore seperator for ranges.
#
# Example:
# EG_TCP_CPORTS="21,25,80,443,43"
# EG_UDP_CPORTS="20,21,53"
# EG_ICMP_TYPES="all"
##

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="0"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS=" 21,22,25,26,27,37,43,53,80,110,113,443,465,873,2222,3389,8443,8880,10000,30000"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,123,465,873"

# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"

##
# [Egress UID match]
# Configure user-id specific egress (outbound) port access. This is a
# more granular feature to limit the scope of egress packet flows with uid
# conditioning. Format is comma seperated and underscore seperator for ranges.
#
# Format: EG_[TCP|UDP]_UID="uid:port"
# Example:
# Allow outbound access to destination port 22 for uid 0
# EG_TCP_UID="0:22"
##

# UID-Match egress (outbound) TCP ports
EG_TCP_UID=""

# UID-Match egress (outbound) UDP ports
EG_UDP_UID=""

##
# [Imports]
# Configure importable rules
##
# DShield.org's "block" list of top networks that have exhibited
# suspicious activity. [0 = Disabled / 1 = Enabled]
USE_DS="0"

DS_URL="feeds.dshield.org/block.txt" # block.txt url (no *://)
DS_URL_PROT="http" # protocol to use for wget

# Import /etc/apf/ad/ad.rules ban list generated by antidos;
# this is essentialy a quick enable/disable feature for
# the insertion of such bans. [0 = Disabled / 1 = Enabled]
USE_AD="1"

# This is an implamentation of the trust rules (allow/deny_hosts) but
# on a global perspective. You can define below remote addresses from
# which the glob_allow/deny.rules files should be downloaded from on
# a daily basis. The files can be maintained in a static fashion by
# leaving USE_RGT=0, appopriate for host serving the files.
# [0 = Disabled / 1 = Enabled]
USE_RGT="0"

GA_URL="yourhost.com/glob_allow.rules" # glob_allow.rules url (no *://)
GA_URL_PROT="http" # protocol for use with wget

GD_URL="yourhost.com/glob_deny.rules" # glob_deny.rules url (no *://)
GD_URL_PROT="http" # protocol for use with wget

##
# [Logs]
# Logging and control settings
##

# Status log path
IPTLOG="/var/log/apf_log"
LOG_APF="/var/log/apf_log"

# Log all forign gateway traffic
# [0 = Disabled / 1 = Enabled]
LGATE_LOG="0"

# Log TCP/UDP DROP chains (required for antidos); data logged to kernel log
# [0 = Disabled / 1 = Enabled]
DROP_LOG="1"

# Extended logging information; this forces the output of tcp options and
# ip options for packets passing through the log chains
# [0 = Disabled / 1 = Enabled]
EXLOG="0"

# Max firewall events to log per/minute. Log events exceeding these limits
# will be lost!
LRATE="45"

##
# [Import misc. vars]
##
#
# Internal vars file
CNFINT="$FWPATH/internals/internals.conf"
# Import internal vars file
. $CNFINT
internals.conf

Quote:
##
# [Misc. Configuration]
##
#
PATH=/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin:$PATH ; export PATH
VER="0.9.6"
APPN="apf"

ifconfig=/sbin/ifconfig
ip=/sbin/ip
IPT="/sbin/iptables"
MPB="/sbin/modprobe"
LSM="/sbin/lsmod"
RMM="/sbin/rmmod"
WGET="/usr/bin/wget"
UNAME="/bin/uname"
IF="$IFACE_IN"
IN_IF="$IFACE_IN"
OUT_IF="$IFACE_OUT"
DSTOP="DROP"
LSTOP="LD"
LACCEPT="LA"
INSTALL_PATH="/etc/apf"

NET=`$ifconfig $IF | grep -vw inet6 | grep -w inet | cut -d : -f 2 | cut -d \ -f 1`
NAME=`echo $APPN | tr '[:lower:]' '[:upper:]'`
TIME=`date +"%D %H:%M:%S"`
UTIME=`date +"%s"`
KREL=`$UNAME -r | cut -d\. -f 1,2`
LOCK_TIMEOUT="360"

LOCK="$INSPATH/lock.utime"
ADR="$INSTALL_PATH/ad/ad.rules"
ALLOW_HOSTS="$INSTALL_PATH/allow_hosts.rules"
DENY_HOSTS="$INSTALL_PATH/deny_hosts.rules"
GALLOW_HOSTS="$INSTALL_PATH/glob_allow.rules"
GDENY_HOSTS="$INSTALL_PATH/glob_deny.rules"
DS_HOSTS="$INSTALL_PATH/ds_hosts.rules"

MCATNET="$INSTALL_PATH/internals/multicast.networks"
PRVNET="$INSTALL_PATH/internals/private.networks"
RESNET="$INSTALL_PATH/internals/reserved.networks"
PRERT="$INSTALL_PATH/preroute.rules"
POSTRT="$INSTALL_PATH/postroute.rules"

CNF_FUNC="$INSTALL_PATH/internals/functions.apf"
. $CNF_FUNC


Last edited by nookie_pl; 03-15-2006 at 07:47 AM.
  #5  
Old 03-15-2006, 05:59 PM
linux-tech
<?require_once("life")?>
 
Join Date: Sep 2002
Location: inside your network
Posts: 9,548
Quote:
If I were you, I wouldn't worry about APF and I wouldn't install it on any of my servers. APF can cause more network and other technical damage than security. There are several ways to secure and harden your server. Good luck!
Yeah, right, that's why it's so widely used, right?
APF doesn't cause "network problems", poorly configured networks cause "network problems".
APF, as it is, is great for what it does. Used in conjunction with BFD, and the like, it's fabulous. As an iptables interface it's THE best out there, bar none. The problem is when kids try to configure networks, not with APF.

As for your problem:
I'd say re-download the installer, make sure you remove everything after turning it off (/etc/init.d/apf stop), remove /etc/apf, /usr/local/sbin/apf, then re-run the installer. You shouldn't be getting foreign output from that at all. If you've edited the script for your language, then you probably edited something you shouldn't have, causing problems.

__________________
Linux Tech Networks Reliable, Affordable Linux administration and monitoring since 2002
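
The conf.apf posted in this thread carries an "APF 0.9.5" header, while the posted internals.conf sets VER="0.9.6" and assigns IF from $IFACE_IN, a name the posted conf.apf never sets. The script below is an added example (not part of the thread and not APF's own code) that checks for that kind of mixed install, which the clean reinstall suggested above would remove; the function names and the sample excerpts are constructed for illustration.

```sh
#!/bin/sh
# Added example: detect a mixed-version APF install before running `apf -s`.
LC_ALL=C; export LC_ALL

# Version from the "# APF x.y.z [...]" header comment of conf.apf.
conf_version() {
    sed -n 's/^# APF \([0-9][0-9.]*\) .*/\1/p' "$1" | head -n 1
}

# Version from the VER="x.y.z" assignment in internals.conf.
internals_version() {
    sed -n 's/^VER="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Names that internals.conf expands ($NAME) but neither file assigns.
undefined_vars() {
    defined=$(cat "$1" "$2" | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | sort -u)
    grep -v '^[[:space:]]*#' "$2" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' |
        tr -d '$' | sort -u | grep -vxF -e "$defined"
}

# Print findings; return 1 if the two files do not look like one release.
check_install() {
    rc=0
    cv=$(conf_version "$1"); iv=$(internals_version "$2")
    if [ "$cv" != "$iv" ]; then
        echo "version mismatch: conf.apf=$cv internals.conf=$iv"; rc=1
    fi
    for v in $(undefined_vars "$1" "$2" || true); do
        echo "internals.conf uses \$$v, which is never set"; rc=1
    done
    return $rc
}

# Constructed sample: a few lines excerpted from the two files posted above.
make_sample() {
    cat > "$1/conf.apf" <<'EOF'
# APF 0.9.5 [apf@r-fx.org]
FWPATH="/etc/apf"
IF="eth0"
EOF
    cat > "$1/internals.conf" <<'EOF'
VER="0.9.6"
ifconfig=/sbin/ifconfig
IF="$IFACE_IN"
OUT_IF="$IFACE_OUT"
NET=`$ifconfig $IF | grep -w inet`
EOF
}

# Demo on the sample; pass real paths as $1 and $2 to check a live install.
demo_dir=$(mktemp -d) && make_sample "$demo_dir"
check_install "${1:-$demo_dir/conf.apf}" "${2:-$demo_dir/internals.conf}" ||
    echo "=> conf.apf and internals.conf do not match; reinstall from one release"
```

With an empty $IF, the NET line in internals.conf runs ifconfig without an interface argument, so NET can pick up every address on the host, loopback included.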
