#!/bin/sh
#
# APF 0.9.4 [apf@r-fx.org]
#
# Main configuration file; it is sourced (not executed) by the apf script.
# Every setting is a plain sh assignment, so if a variable is assigned more
# than once in this file the LAST assignment is the one in effect.
#
# NOTE(review): DEVM is not documented in this file. In APF this is the
# development-mode switch (with it set to 1 a cron job unloads the firewall
# a few minutes after it is started, so a bad ruleset cannot lock you out of
# the box) -- confirm against the apf script / internals before relying on
# this description. Leave it at 1 only while testing a new ruleset; a
# production host left in this state is running with NO firewall most of
# the time. Set to 0 once the ruleset is known to be good.
DEVM="1"
##
# [Main]
##
# Path of firewall installation
FWPATH="/etc/apf"
# Untrusted network interface; all traffic on the defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interface. Only one interface is accepted for this value.
IF="eth0"
# Trusted Network interface(s); all traffic on defined interface(s) will by-pass
# ALL firewall rules (white space or comma separated list; e.g: TIF="eth1 eth2").
# Anything reachable over a trusted interface is implicitly fully trusted, so
# list only interfaces on networks you control end to end.
TIF=""
# Local gateway mac address [optional]; when a value is present, only traffic
# from the local gateway will be permitted. It is quite trivial to forge a MAC
# address and as such this is provided as another layer of route verification,
# not as an access control in its own right.
LGATE_MAC=""
# Log all foreign gateway traffic (presumably traffic whose source MAC is not
# LGATE_MAC; only meaningful when LGATE_MAC is set).
# [0 = Disabled / 1 = Enabled]
LGATE_LOG="0"
# Enable virtual network subsystem; creates an independent policy ruleset for
# each ip on a system (pulls data from 'ip addr list') to /etc/apf/vnet/ip.rules
# Template is located in the vnet/ folder for rule files. This feature can
# reduce apf start/stop performance and is not recommended for systems with more
# than 255 (/24) ip's. [0 = Disabled / 1 = Enabled]
EN_VNET="0"
# Support Monolithic kernel builds [no LKM's]. This mode of operation is
# not really supported and you use at your own risk.
MONOKERN="0"
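##
# [Packet Filtering/Handling]
##
# Default Type of Service (TOS)
#
# 8: Maximum Throughput - Minimum Delay
# 4: Minimize Delay - Maximize Reliability
# 16: No Delay - Moderate Throughput - High Reliability
DEF_TOS="4"
# How to handle TCP packet filtering?
#
# RESET (sends a tcp-reset; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
TCP_STOP="DROP"
# How to handle UDP packet filtering?
#
# RESET (sends a icmp-port-unreachable; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
UDP_STOP="DROP"
# How to handle all other packet filtering? (icmp,arp,igmp)
#
# DROP (drop the packet)
# REJECT (reject the packet)
DSTOP="DROP"
# Set a reasonable packet/time ratio for ICMP packets; exceeding
# such packet flow ratio will result in dropped packets.
# pkt/s (packets/seconds), pkt/m (packets/minutes)
ICMP_LIM="14/s"
# Use a dynamic discovery routine to parse and create rules based
# on the local name servers defined in /etc/resolv.conf.
# [0 = Disabled / 1 = Enabled]
RESV_DNS="0"
# With RESV_DNS enabled; all untrusted name server traffic can fill
# the logs with sport 53 traffic. This can be suppressed with an
# implicit drop of all such traffic (sport 53 ingress) so as to avoid
# the log chain.
RESV_DNS_DROP="1"
# Block multicast address space. You need multicasting only if you intend to
# participate in the MBONE, a high bandwidth network on top of the Internet
# which carries audio and video broadcasts (more at www-itg.lbl.gov/mbone/);
# otherwise blocking it is generally safe. [0 = Disabled / 1 = Enabled]
BLK_MCATNET="0"
# Block all private ipv4 addresses; this is address space reserved
# for private networks; or otherwise unroutable on the internet.
# If this host resides behind a firewall with NAT or routing scheme
# that otherwise uses private addressing; leave this option off.
# If the host is directly exposed instead, a private source address arriving
# on IF can only be spoofed, so enable this.
# Refer to the 'internals/private.networks' file for listing of
# address space. [0 = Disabled / 1 = Enabled]
BLK_PRVNET="0"
# Block all ipv4 address space marked reserved for future use or
# unassigned; such networks have no business communicating with us.
# However they may at some point become live address space. Refer to
# the 'internals/reserved.networks' file for listing of address space.
# [0 = Disabled / 1 = Enabled]
BLK_RESNET="0"
# This is the maximum number of "sessions" (connection tracking entries)
# that can be handled simultaneously by the firewall in kernel memory.
# Increasing this value too high will simply waste memory; setting it
# too low may result in some or all connections being refused, in particular
# during denial of service attacks.
SYSCTL_CONNTRACK="24576"
# These are sysctl hook changes to further harden the kernel from
# network attack trends by lowering standard time-out values and other
# time based packet responses. [0 = Disabled / 1 = Enabled]
SYSCTL_TCP="1"
# These are sysctl hook changes intended to help mitigate syn-flood
# attacks by lowering syn retry, syn backlog & syn time-out values.
# [0 = Disabled / 1 = Enabled]
SYSCTL_SYN="1"
# These are sysctl hook changes to provide protection from spoofed
# packets, and arp/route redirection. [0 = Disabled / 1 = Enabled]
# NOTE(review): left disabled here, so the spoofed-packet and redirect
# protections just described are NOT applied. Unless this host needs
# asymmetric routing (where source validation breaks legitimate traffic),
# 1 is the safer value.
SYSCTL_ROUTE="0"
# This sysctl hook will log all internal traffic that is otherwise
# not to/from a local interface and not multicast.
# [0 = Disabled / 1 = Enabled]
SYSCTL_LOGMARTIANS="0"
# This sysctl hook will allow you to enable or disable ECN support
# (Explicit Congestion Notification); this feature provides an
# improved method for congestion avoidance by allowing the network
# to mark packets for transmission later, rather than dropping them
# from the queue. [0 = Disabled / 1 = Enabled]
SYSCTL_ECN="0"
# This sysctl hook will allow you to enable or disable SynCookies
# support; this feature will send out a 'syn-cookie' when the syn
# backlog for a socket becomes overflowed. The cookie is used to
# interrupt the flow of syn transmissions with a hashed sequence
# number that must be correlated with the sending host. The hash
# is made up of the sending host address, packet flags etc...;
# if the sending host does not validate against the hash then the
# tcp hand-shake is terminated. [0 = Disabled / 1 = Enabled]
# Note: syncookies seriously violates TCP protocol and can result
# in serious degradation of some services (i.e. SMTP);
# visible not by you, but your clients and relays whom are
# contacting your system.
SYSCTL_SYNCOOKIES="0"
# This sysctl hook will allow you to toggle Abort_On_Overflow support;
# This feature will help mitigate burst floods if a listening service
# is too slow to accept new connections. This option is an alternative
# for SynCookies and both should NEVER be enabled at once.
# [0 = Disabled / 1 = Enabled]
# Note: This option can harm clients contacting your system. Enable
# option only if you are sure that the listening daemon can not
# be tuned to accept connections faster.
SYSCTL_OVERFLOW="0"
# Enforce the constraint documented above: the two syn-flood mitigations
# must not be enabled together. Warn on stderr rather than abort, so a
# misconfiguration here does not leave the host with no firewall at all.
if [ "$SYSCTL_SYNCOOKIES" = "1" ] && [ "$SYSCTL_OVERFLOW" = "1" ]; then
  echo "apf: SYSCTL_SYNCOOKIES and SYSCTL_OVERFLOW must not both be enabled" >&2
fi
# DShield.org's "block" list of top networks that have exhibited
# suspicious activity. [0 = Disabled / 1 = Enabled]
# NOTE(review): this list comes from a third party; how apf obtains it and
# whether its integrity is checked is not visible from this file. A stale or
# tampered list can block legitimate networks, so confirm the fetch path.
USE_DS="1"
# Import our ad.rules ban list generated by antidos;
# this is essentially a quick enable/disable feature for
# the insertion of such bans. [0 = Disabled / 1 = Enabled]
USE_AD="1"
# Common drop ports; these are implicit ports you do not want logged
# with the default drop chains. Format is comma separated and underscore
# separator for ranges (135_139). Ports are dropped and ignored for both
# TCP & UDP as well as inbound and outbound. Because they bypass the log
# chains, probes against these ports never show up in the logs.
CDPORTS="135_139,111,513,445,1433,1434,1234,1524,3127"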
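##
# [Ingress]
# Configure ingress (inbound) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
#
# Example:
# IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
# IG_UDP_CPORTS="20,21,53,123"
# IG_ICMP_TYPES="3,5,11,0,30,8"
##
# Common ingress (inbound) TCP ports
# NOTE(review): this file used to assign IG_TCP_CPORTS twice. In sh the last
# assignment wins, so only port 22 was ever opened and the wider list below
# was dead text. It is kept here commented out so nobody assumes those
# services are already reachable; enabling it opens FTP, mail, webmail and
# WHM/cPanel ports and widens the attack surface considerably -- only add
# the services this host actually runs.
#IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
IG_TCP_CPORTS="22"
# Common ingress (inbound) UDP ports
# NOTE(review): 21 (ftp), 465 (smtps) and 873 (rsync) are TCP services, so
# allowing them over UDP most likely does nothing useful and looks like a
# copy of the egress list. Inbound UDP 53 is only needed if this host serves
# DNS to other machines -- confirm before keeping it.
IG_UDP_CPORTS="21,53,465,873"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"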
##
# [Egress]
# Configure egress (outbound) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory.
#
# Egress filtering is not required but makes your firewall setup complete
# by providing full inbound and outbound packet filtering. You can toggle
# egress filtering on or off with the EGF variable. Format is comma separated
# and underscore separator for ranges.
#
# Example:
# EG_TCP_CPORTS="21,25,80,443,43"
# EG_UDP_CPORTS="20,21,53"
# EG_ICMP_TYPES="all"
##
# Egress filtering [0 = Disabled / 1 = Enabled]
# When enabled, outbound traffic from this host is limited to the ports
# listed below. This is what constrains a compromised service to known
# destinations, so keep the lists as tight as the host's real needs allow.
EGF="1"
# Previous values, kept for reference only (not in effect):
#   EG_TCP_CPORTS="21,25,80,443,43"
#   EG_UDP_CPORTS="20,21,53"
# Common egress (outbound) TCP ports
# NOTE(review): 26, 27, 37, 113 and 2089 are unusual outbound ports; confirm
# each one is still required by something on this host before keeping it.
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
# Common egress (outbound) UDP ports
# NOTE(review): 20, 21, 465 and 873 are TCP services; their UDP entries are
# most likely unnecessary -- confirm.
EG_UDP_CPORTS="20,21,53,123,465,873"
# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
##
# [Logs]
# Log paths and control settings.
##
# Status log path
IPTLOG="/var/log/apf_log"
# Log TCP/UDP DROP chains [required for antidos]. Data logged to kernel log
# [often default is /var/log/messages]. Keep this enabled while USE_AD is 1,
# otherwise antidos has nothing to generate bans from.
DROP_LOG="1"
# Extended logging information; this forces the output of tcp options and
# ip options for packets passing through the log chains
EXLOG="1"
# Max firewall events to log per/minute. Log events exceeding these limits
# will be lost! This also bounds what you get to see during an attack: a
# flood that uses up the budget hides every other event for that minute, so
# do not rely on the kernel log alone for forensics while under attack.
LRATE="45"
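##
# [Import misc. vars]
##
#
# Internal vars file
CNFINT="$FWPATH/internals/internals.conf"
# Import internal vars file.
# Fail loudly if it is missing or unreadable: under bash (a common /bin/sh)
# a failed '.' only returns non-zero and the caller would carry on with an
# incomplete configuration, which is worse than not starting. The path is
# quoted so a FWPATH containing whitespace cannot split the argument.
if [ ! -r "$CNFINT" ]; then
  echo "apf: cannot read internals file: $CNFINT" >&2
  exit 1
fi
. "$CNFINT"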