  1. #1
    Member
    Join Date
    Mar 2004
    Posts
    710

APF and BFD Update Yes/No?

Is there any more input on the new versions of BFD? The last comments I saw were that the rules are iffy (chirpy specifically mentioned the exim rules), and the fact that their forums and contact pages have been down for well over a week has me a little concerned about updating it at all.
    Lloyd F Tennison

  2. #2
    Member
    Join Date
    Sep 2004
    Location
    Roscoe, IL, USA
    Posts
    61

I wouldn't see a problem with doing it; just make sure you back up your current installs, so that if it doesn't work you can go back to your old versions. I had a problem with the sshd rule in BFD because my server doesn't log sshd info in the /var/log/messages log. I solved it by rewriting the rule and posted it in this thread. If anyone knows why mine doesn't log sshd info to the messages log, I would like to know...
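The counting that a BFD sshd rule performs, as an added example that is neither BFD's own rule code nor the rewritten rule mentioned in the post above: a POSIX shell script that tallies sshd "Failed password" lines per source address, skips addresses on an ignore list, and prints the APF deny command (apf -d) for every address over a threshold. The log lines and the ignore list are constructed inline; the log path is a parameter, so the same function runs against /var/log/messages or /var/log/secure, whichever the box actually writes sshd to. The one-address-per-line ignore file format is an assumption.

```shell
# Added example (not BFD's rule code): count sshd "Failed password" lines per
# source address and print the APF deny command for each address over a threshold.

# Constructed sample log in the syslog style sshd uses; on a box where sshd does
# not log to /var/log/messages, point this at /var/log/secure instead.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May  5 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.7 port 40001 ssh2
May  5 10:01:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
May  5 10:01:09 host sshd[1236]: Failed password for root from 203.0.113.7 port 40003 ssh2
May  5 10:01:12 host sshd[1237]: Failed password for root from 203.0.113.7 port 40004 ssh2
May  5 10:02:00 host sshd[1240]: Accepted publickey for lloyd from 198.51.100.20 port 50000 ssh2
May  5 10:02:30 host sshd[1241]: Failed password for lloyd from 198.51.100.20 port 50001 ssh2
May  5 10:03:00 host sshd[1242]: Failed password for root from 192.0.2.99 port 60000 ssh2
May  5 10:03:01 host sshd[1243]: Failed password for root from 192.0.2.99 port 60001 ssh2
May  5 10:03:02 host sshd[1244]: Failed password for root from 192.0.2.99 port 60002 ssh2
EOF

# Constructed ignore list: one IPv4 address per line (assumed format; BFD keeps
# its own list in /usr/local/bfd/ignore.hosts). Put your office or home address
# here so a typo in your own password never blocks you.
IGNORE_FILE=$(mktemp)
printf '%s\n' 192.0.2.99 > "$IGNORE_FILE"

# bfd_offenders LOGFILE IGNOREFILE THRESHOLD
# Prints "count ip", most failures first, for every source address with at
# least THRESHOLD failed password attempts that is not on the ignore list.
bfd_offenders() {
    awk -v thr="$3" -v ign="$2" '
        BEGIN { while ((getline l < ign) > 0) skip[l] = 1 }
        /sshd\[[0-9]+\]: Failed password/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr && !(ip in skip)) print n[ip], ip }
    ' "$1" | sort -rn
}

# block_cmd IP -> the command BFD hands the address to: apf -d denies the host
block_cmd() { printf '/etc/apf/apf -d %s\n' "$1"; }

main() {
    bfd_offenders "$SAMPLE_LOG" "$IGNORE_FILE" 3 | while read -r cnt ip; do
        echo "$cnt failures from $ip -> would run: $(block_cmd "$ip")"
    done
}
main
```

With the constructed data only 203.0.113.7 is reported: 198.51.100.20 is under the threshold and 192.0.2.99 is on the ignore list, which is the mechanism that protects a workstation whose address you can predict. A dynamic address cannot be listed this way, which is the lockout concern raised later in the thread.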

  3. #3
Super Moderator: chirpy (vendor account confirmed by cPanel staff)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    You can simply delete the exim rule by removing the file /usr/local/bfd/rules/exim

Just be careful when upgrading APF, especially if you run SSH on a non-standard port.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  4. #4
    Member
    Join Date
    Mar 2004
    Posts
    710

    What are your thoughts on the exim rule? You said you did not like it, but not why.
    Lloyd F Tennison

  5. #5
Super Moderator: chirpy (vendor account confirmed by cPanel staff)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Hi Lloyd,

    In addition to:
    http://forums.cpanel.net/showthread.php?p=169820

    I also don't like breaking RFC's, which the exim BFD block could be argued as doing.
    Jonathan Michaelson


  6. #6
    Member
    Join Date
    May 2004
    Posts
    114

Does anyone know of an easier way of updating APF/BFD than downloading the file and configuring everything? If there is a way, could you please share it?
    ------------------------
Greeting from me
    How are you doing ?
    Keep it real
    ------------------------

  7. #7
Super Moderator: chirpy (vendor account confirmed by cPanel staff)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

Not seen an easy way - it's not friendly that way. Just make a backup of the various conf files, upgrade, and then run a diff between the new and old ones for changes. The most obvious are the 4 main port listings in conf.apf.
    Jonathan Michaelson

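The backup-then-diff routine described in the post above, as an added example that is neither APF's own install script nor anything posted in the thread: it copies conf.apf aside and then compares the four port lists (IG_TCP_CPORTS, IG_UDP_CPORTS, EG_TCP_CPORTS and EG_UDP_CPORTS, the variable names APF uses for inbound/outbound TCP/UDP ports in conf.apf) between the saved copy and the freshly installed file. The "old" and "new" configs are constructed inline to stand in for /etc/apf/conf.apf before and after an upgrade.

```shell
# Added example (not APF's install script): back up conf.apf before an upgrade
# and report which of the four port lists changed afterwards.

# Constructed stand-ins for /etc/apf/conf.apf before and after the upgrade.
OLD_CONF=$(mktemp); NEW_CONF=$(mktemp)
cat > "$OLD_CONF" <<'EOF'
# constructed: conf.apf as tuned before the upgrade (SSH moved to 2222)
IG_TCP_CPORTS="21,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,2222"
IG_UDP_CPORTS="53"
EG_TCP_CPORTS="21,22,25,37,43,53,80,110,113,443,2222"
EG_UDP_CPORTS="20,21,53"
EOF
cat > "$NEW_CONF" <<'EOF'
# constructed: conf.apf as shipped by the new package (defaults restored)
IG_TCP_CPORTS="22,80"
IG_UDP_CPORTS=""
EG_TCP_CPORTS="21,25,80,443,43"
EG_UDP_CPORTS="20,21,53"
EOF

# apf_setting FILE NAME -> value of NAME="..." in FILE (empty if unset)
apf_setting() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# apf_backup FILE -> copies FILE to FILE.pre-upgrade.<timestamp>, prints the copy's path
apf_backup() {
    dest="$1.pre-upgrade.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$dest" && printf '%s\n' "$dest"
}

# apf_port_diff OLD NEW -> one line per changed port list: "NAME old -> new".
# Returns 1 when anything changed, so it can gate the firewall restart.
apf_port_diff() {
    changed=0
    for name in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        o=$(apf_setting "$1" "$name"); n=$(apf_setting "$2" "$name")
        if [ "$o" != "$n" ]; then
            printf '%s %s -> %s\n' "$name" "${o:-<empty>}" "${n:-<empty>}"
            changed=1
        fi
    done
    return $changed
}

# Typical sequence: back up, let the upgrade overwrite the file, then compare.
main() {
    backup=$(apf_backup "$OLD_CONF")
    # ... the upgrade replaces conf.apf with the packaged default here ...
    if ! apf_port_diff "$backup" "$NEW_CONF"; then
        echo "port lists changed: re-apply your tuned values before running apf -r"
    fi
}
main
```

On the constructed files the report shows IG_TCP_CPORTS, IG_UDP_CPORTS and EG_TCP_CPORTS changed and EG_UDP_CPORTS untouched; the dropped 2222 in IG_TCP_CPORTS is exactly the case chirpy warns about for non-standard SSH ports.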

  8. #8
Member: verdon
    Join Date
    Nov 2003
    Location
    Northern Ontario, Canada
    Posts
    792

Quote Originally Posted by chirpy:
You can simply delete the exim rule by removing the file /usr/local/bfd/rules/exim

Just be careful when upgrading APF, especially if you run SSH on a non-standard port
    I'm currently running APF .9.4-7 and have been thinking I should upgrade.

    Deleting the rule seems simple enough. Is there something to be careful of in regards to non-standard SSH ports, other than being sure to have said port in the config's allowed inbound ports?

    As to BFD, I've avoided that as I've read it's problematic if I don't have a fixed IP at my local workstation. I'm a laptop user and am limited to dial-up at my rural home and ADSL at the office, where the IP can also change under some circumstances.

    salut,

  9. #9
Super Moderator: chirpy (vendor account confirmed by cPanel staff)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

The only thing you have to watch is, as mentioned, that the alternative SSH port is in the firewall. You can go the extra step of changing /etc/apf/firewall and the pre* and post* scripts to have their settings applied to the new SSH port, but it's not required.
    Jonathan Michaelson


  10. #10
Member: verdon
    Join Date
    Nov 2003
    Location
    Northern Ontario, Canada
    Posts
    792

@chirpy The only thing you have to watch is, as mentioned, that the alternative SSH port is in the firewall.
    Thanks, I thought you might have been hinting there was something new

@chirpy You can go the extra step of changing /etc/apf/firewall and the pre* and post* scripts to have their settings applied to the new SSH port, but it's not required.
    That got me looking around. In /etc/apf/firewall (.9.4-7) I find the following lines around 174
    Code:
    # SSH
    $IPT -A INPUT -i $IN_IF -p tcp --sport 22 --dport 513:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $IN_IF -p tcp --sport 1024:65535 --dport 22 --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $IN_IF -p udp --dport 22 -m state --state ESTABLISHED -j ACCEPT
... is changing 22 to my custom port an added measure then? I've had to leave 22 open in my outgoing ports in the conf, because sometimes I do have to SSH to this box and then use it to SSH to another one, which does use 22 for SSH. I'd have to be careful not to interfere with that. I'm not sure what you're referring to by 'pre* and post* scripts'?

    One last thing... am I correct in my understanding that I can easily lock myself out and shouldn't use BFD if I don't have a fixed IP at my local workstation?

    salut,

  11. #11
Super Moderator: chirpy (vendor account confirmed by cPanel staff)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    The rules in the firewall script are for incoming connections and won't affect your outgoing port.

    The other two files are:

    log.rules (which will log all connections to your SSH/new SSH port)

    preroute.rules (which adds modifiers to the iptables rules for the SSH port)

@verdon Thanks, I thought you might have been hinting there was something new
    If I had a dollar for every person I've helped out who have forgotten that simple step (the changed SSH port in conf.apf)...etc.

As for BFD, I think that the benefits it can provide may outweigh the risk of locking yourself out. Considering how helpful your datacentre would be in shutting down your firewall, or whether you have an alternative source to ssh into the server from (like another server), would be a better guide as to whether to use it, in case you block yourself.
    Last edited by chirpy; 05-05-2005 at 10:46 AM.
    Jonathan Michaelson

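The check behind chirpy's warning in posts #9 and #11 (a non-standard SSH port that never made it into conf.apf), as an added example that is not part of the thread and not APF code: it reads the Port directive from sshd_config, tests whether that port is covered by IG_TCP_CPORTS in conf.apf, and counts how many rules in the /etc/apf/firewall script are still pinned to port 22 (the optional extra step from post #9). The sshd_config, conf.apf and firewall fragments are constructed inline; the "low_high" syntax for a port range inside IG_TCP_CPORTS is an assumption about APF's format.

```shell
# Added example (not APF code): gate an "apf -r" on the sshd port actually being
# allowed inbound, and report firewall-script rules still hard-wired to port 22.

SSHD_CONF=$(mktemp); APF_CONF=$(mktemp); FW_SCRIPT=$(mktemp)
cat > "$SSHD_CONF" <<'EOF'
# constructed sshd_config: SSH moved off 22
Port 2222
PermitRootLogin no
EOF
cat > "$APF_CONF" <<'EOF'
# constructed conf.apf after an upgrade: 2222 missing, one range present
IG_TCP_CPORTS="22,25,80,443,30000_35000"
EOF
cat > "$FW_SCRIPT" <<'EOF'
# constructed fragment of /etc/apf/firewall, the SSH lines pinned to port 22
$IPT -A INPUT -i $IN_IF -p tcp --sport 22 --dport 513:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $IN_IF -p tcp --sport 1024:65535 --dport 22 --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF

# sshd_port FILE -> the last uncommented "Port N" in FILE, or 22 if none (sshd's default)
sshd_port() {
    p=$(awk '$1 == "Port" { p = $2 } END { print p }' "$1")
    printf '%s\n' "${p:-22}"
}

# port_in_list PORT "22,80,30000_35000" -> 0 if PORT is listed or inside a low_high range
port_in_list() {
    port=$1
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        case $item in
            *_*) lo=${item%_*}; hi=${item#*_}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$item" = "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# check_ssh_port SSHD_CONF APF_CONF -> 0 if the sshd port is allowed inbound, 1 if not
check_ssh_port() {
    port=$(sshd_port "$1")
    list=$(sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$2" | tail -n 1)
    if port_in_list "$port" "$list"; then
        echo "ok: sshd port $port is in IG_TCP_CPORTS"
        return 0
    fi
    echo "LOCKOUT RISK: sshd port $port not in IG_TCP_CPORTS=\"$list\"; add it before apf -r" >&2
    return 1
}

# hardcoded_ssh_rules FIREWALL_SCRIPT -> number of rules still using --sport/--dport 22
hardcoded_ssh_rules() {
    grep -cE -- '--[sd]port 22( |$)' "$1"
}

main() {
    if ! check_ssh_port "$SSHD_CONF" "$APF_CONF"; then
        echo "fix: add $(sshd_port "$SSHD_CONF") to IG_TCP_CPORTS in conf.apf, then apf -r"
    fi
    echo "firewall script rules still pinned to port 22: $(hardcoded_ssh_rules "$FW_SCRIPT") (optional to change, per the thread)"
}
main
```

Run before every firewall restart that follows an APF upgrade or an sshd port change; the non-zero return from check_ssh_port is what a wrapper around apf -r should refuse on. The hard-coded count is informational only, matching chirpy's point that editing the firewall script for the new port is not required.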

  12. #12
Member: verdon
    Join Date
    Nov 2003
    Location
    Northern Ontario, Canada
    Posts
    792

Thanks for the tips... that seems to have gone well. APF's install script did a pretty good job of importing my old settings into the new conf and also created good back-ups for me (in case I hadn't already done it myself).
