[APF Firewall/IPTables] APF configuration does not work


Anonymous: 48844 (topic starter)

I have installed APF Firewall on a new server. This is a firewall based on iptables.

I want to make ports 22 and 25 IP-restricted, but this just does not seem to work. On other servers this always worked fine with the same configuration.

This is what I have already done:
• Reinstalled APF
• Taken the configuration from several other servers (where it works)
• Tried an older kernel
• The logs in /var/log/apf_log are the same as on the other servers

On other CentOS 5 servers with the same version of iptables and APF everything works correctly. So I really wonder... why ports 25 and 22 are not blocked at the moment. Yesterday afternoon it seemed to work for a while, but now it doesn't again.


Anonymous: 48844 (topic starter)

/var/log/apf_log
code:
[root@srv01 log]# cat apf_log
Jun 14 18:28:39 srv01 apf(13929): {glob} flushing & zeroing chain policies
Jun 14 18:28:39 srv01 apf(13929): {glob} firewall offline
Jun 14 18:28:39 srv01 apf(14000): {glob} activating firewall
Jun 14 18:28:40 srv01 apf(14040): {glob} determined (IFACE_IN) eth0 has address (censored,serverip)
Jun 14 18:28:40 srv01 apf(14040): {glob} determined (IFACE_OUT) eth0 has address (censored,serverip)
Jun 14 18:28:40 srv01 apf(14040): {glob} loading sysctl.rules
Jun 14 18:28:40 srv01 apf(14040): {glob} setting sysctl_logmartians disabled
Jun 14 18:28:40 srv01 apf(14040): {glob} setting sysctl_ecn disabled
Jun 14 18:28:40 srv01 apf(14040): {glob} setting sysctl_syncookies enabled
Jun 14 18:28:40 srv01 apf(14040): {glob} setting sysctl_overflow disabled
Jun 14 18:28:40 srv01 apf(14040): {glob} setting sysctl_tcp enabled
Jun 14 18:28:40 srv01 apf(14040): {glob} setting sysctl_syn enabled
Jun 14 18:28:40 srv01 apf(14040): {glob} loading preroute.rules
Jun 14 18:28:40 srv01 apf(14040): {glob} SET_REFRESH is set disabled
Jun 14 18:28:40 srv01 apf(14040): {glob} loading allow_hosts.rules
Jun 14 18:28:40 srv01 apf(14040): {trust} allow all to/from (censored)
(a few more lines like the one above follow here, with the IPs from /etc/apf/allow_hosts, i.e. our own IPs)
Jun 14 18:28:40 srv01 apf(14040): {glob} loading bt.rules
Jun 14 18:28:40 srv01 apf(14040): {dshield} downloading http://feeds.dshield.org/top10-2.txt
Jun 14 18:28:40 srv01 apf(14040): {dshield} parsing top10-2.txt into /etc/apf/ds_hosts.rules
Jun 14 18:28:40 srv01 apf(14040): {dshield} loading ds_hosts.rules
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} set active PKT_SANITY
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny inbound tcp-flag pairs ALL NONE
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny inbound tcp-flag pairs SYN,FIN SYN,FIN
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny inbound tcp-flag pairs SYN,RST SYN,RST
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny inbound tcp-flag pairs FIN,RST FIN,RST
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny inbound tcp-flag pairs ACK,FIN FIN
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny inbound tcp-flag pairs ACK,URG URG
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny inbound tcp-flag pairs ACK,PSH PSH
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN,URG,PSH
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny inbound tcp-flag pairs ALL SYN,RST,ACK,FIN,URG
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny inbound tcp-flag pairs ALL ALL
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny outbound tcp-flag pairs ALL NONE
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny outbound tcp-flag pairs SYN,FIN SYN,FIN
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny outbound tcp-flag pairs SYN,RST SYN,RST
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny outbound tcp-flag pairs FIN,RST FIN,RST
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny outbound tcp-flag pairs ACK,FIN FIN
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny outbound tcp-flag pairs ACK,PSH PSH
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny outbound tcp-flag pairs ACK,URG URG
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny all fragmented udp
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny inbound tcp port 0
Jun 14 18:28:41 srv01 apf(14040): {pkt_sanity} deny outbound tcp port 0
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} set active BLK_P2P
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from tcp port 1214
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from udp port 1214
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from tcp port 2323
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from udp port 2323
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from tcp port 4660:4678
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from udp port 4660:4678
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from tcp port 6257
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from udp port 6257
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from tcp port 6699
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from udp port 6699
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from tcp port 6346
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from udp port 6346
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from tcp port 6347
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from udp port 6347
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from tcp port 6881:6889
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from udp port 6881:6889
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from tcp port 6346
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from udp port 6346
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from tcp port 7778
Jun 14 18:28:41 srv01 apf(14040): {blk_p2p} deny all to/from udp port 7778
Jun 14 18:28:41 srv01 apf(14040): {glob} loading log.rules
Jun 14 18:28:41 srv01 apf(14040): {glob} virtual net subsystem disabled.
Jun 14 18:28:41 srv01 apf(14040): {glob} loading main.rules
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 21 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 53 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 80 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 106 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 110 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 111 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 113 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 143 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 443 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 465 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 993 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 995 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 2705 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 3306 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 8443 on 0/0
Jun 14 18:28:41 srv01 apf(14040): {glob} opening inbound tcp port 32768 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} opening inbound udp port 53 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} opening inbound udp port 111 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} opening inbound udp port 631 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} opening inbound udp port 789 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} opening inbound udp port 32768 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} opening inbound udp port 32769 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} opening inbound icmp type 3 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} opening inbound icmp type 5 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} opening inbound icmp type 11 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} opening inbound icmp type 0 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} opening inbound icmp type 30 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} opening inbound icmp type 8 on 0/0
Jun 14 18:28:42 srv01 apf(14040): {glob} resolv dns discovery for (censored-dns1)
Jun 14 18:28:42 srv01 apf(14040): {glob} resolv dns discovery for (censored-dns2)
Jun 14 18:28:42 srv01 apf(14040): {glob} loading postroute.rules
Jun 14 18:28:42 srv01 apf(14040): {glob} default (egress) output accept
Jun 14 18:28:42 srv01 apf(14040): {glob} default (ingress) input drop
Jun 14 18:28:42 srv01 apf(14000): {glob} firewall initalized
Jun 14 18:28:42 srv01 apf(14000): {glob} fast load snapshot saved
[root@srv01 log]#


Anonymous: 211534

Is the dev option set to 0?

BarthezZ

Why do you use APF at all if (according to your opening post, at least) you only want to block 2 ports?
-A INPUT -p tcp -m tcp --dport 25 -s address[/mask] -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s address[/mask] -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j REJECT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT

These are rules for iptables directly, by the way; I don't know APF.
And with that you're basically done with what you want.

[ Edited 8% by BarthezZ on 20-06-2008 12:05 ]
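The rules BarthezZ gives above, generalised to any number of ports and trusted sources, as an added example that is not from the thread or from APF: the first function emits them in iptables-restore syntax, and the second audits an `iptables-save` style dump for the ordering mistake that leaves a port reachable (an unrestricted ACCEPT matched before the REJECT). Function names are hypothetical and the sample networks are constructed documentation ranges.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits one ACCEPT per trusted
# source for each port, followed by a catch-all REJECT for that port.
# Sample inputs use RFC 5737 documentation ranges (constructed values).
gen_restricted_rules() {
    ports=$1       # e.g. "22 25"
    trusted=$2     # e.g. "192.0.2.10 198.51.100.0/24"
    for port in $ports; do
        for src in $trusted; do
            printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -s $src -j ACCEPT"
        done
        # The REJECT must follow the ACCEPTs: iptables stops at the first match.
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j REJECT"
    done
}

# Audit an iptables-save style dump for one TCP port. Walks the INPUT chain
# in order and reports on the first decisive rule that names the port:
#   restricted  - a REJECT/DROP is reached before any unrestricted ACCEPT
#   open        - an ACCEPT without a -s source match comes first
#   unprotected - no INPUT rule mentions the port at all
# Only single-port --dport matches are recognised (not -m multiport).
check_port_restricted() {
    dump=$1
    port=$2
    printf '%s\n' "$dump" | awk -v p="$port" '
        $1 == "-A" && $2 == "INPUT" {
            has_port = 0; has_src = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == p) has_port = 1
                if ($i == "-s") has_src = 1
                if ($i == "-j") target = $(i + 1)
            }
            if (!has_port) next
            if (target == "ACCEPT" && !has_src) { verdict = "open"; exit }
            if (target == "REJECT" || target == "DROP") { verdict = "restricted"; exit }
        }
        END { if (verdict == "") verdict = "unprotected"; print verdict }'
}

# Stand-alone demo: generate the rule set and audit it before loading it.
rules=$(gen_restricted_rules "22 25" "192.0.2.10 198.51.100.0/24")
printf '%s\n' "$rules"
printf 'port 22: %s\n' "$(check_port_restricted "$rules" 22)"
```

The audit only reads a dump, so it can be run against `iptables-save` output on a live box without touching the rule set.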