The Community Forums


APF and BFD Update Yes/No?

Discussion in 'General Discussion' started by lloyd_tennison, Mar 3, 2005.

  1. lloyd_tennison

    lloyd_tennison Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    698
    Likes Received:
    1
    Trophy Points:
    18
    Is there any more input on the new versions of BFD? The last comments I saw were that the rules are iffy (chirpy specifically mentioned the exim rules), and the fact that their forums and contact pages have been down for well over a week has me a little concerned about updating it at all.
     
  2. JP-HOST

    JP-HOST Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Roscoe, IL, USA
    I wouldn't see a problem with doing it; just make sure you back up your current installs, so that if it doesn't work you can go back to your old versions. I had a problem with the sshd rule in BFD because my server doesn't log sshd info in the /var/log/messages log. I solved it by rewriting the rule and posted it in this thread. If anyone knows why mine doesn't log sshd info to the messages log, I would like to know...
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You can simply delete the exim rule by removing the file /usr/local/bfd/rules/exim

    Just be careful when upgrading APF, especially if you run SSH on a non-standard port ;)
     
  4. lloyd_tennison

    lloyd_tennison Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    698
    Likes Received:
    1
    Trophy Points:
    18
    What are your thoughts on the exim rule? You said you did not like it, but not why.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
  6. webits

    webits Well-Known Member

    Joined:
    May 15, 2004
    Messages:
    114
    Likes Received:
    0
    Trophy Points:
    16
    Anyone know of an easier way of updating APF/BFD than downloading the file and configuring everything? If there is a way, could you please share.
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Not seen an easy way; it's not friendly that way. Just make a backup of the various conf files, upgrade, and then run a diff of the new against the old ones for changes. The most obvious being the 4 main port listings in conf.apf.
     
  8. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    I'm currently running APF .9.4-7 and have been thinking I should upgrade.

    Deleting the rule seems simple enough. Is there something to be careful of in regards to non-standard SSH ports, other than being sure to have said port in the config's allowed inbound ports?

    As to BFD, I've avoided that as I've read it's problematic if I don't have a fixed IP at my local workstation. I'm a laptop user and am limited to dial-up at my rural home and ADSL at the office, where the IP can also change under some circumstances.

    salut,
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The only thing you have to watch is, as mentioned, that the alternative SSH port is in the firewall ;) You can go the extra step of changing /etc/apf/firewall and the pre* and post* scripts to have their settings applied to the new SSH port, but it's not required.
     
  10. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    @chirpy The only thing you have to watch is, as mentioned, that the alternative SSH port is in the firewall ;)
    Thanks, I thought you might have been hinting there was something new :rolleyes:

    @chirpy You can go the extra step of changing /etc/apf/firewall and the pre* and post* scripts to have their settings applied to the new SSH port, but it's not required.
    That got me looking around. In /etc/apf/firewall (.9.4-7) I find the following lines around line 174:
    Code:
    # SSH
    # return packets for SSH sessions this box opened to another server's port 22 (local high port, remote port 22)
    $IPT -A INPUT -i $IN_IF -p tcp --sport 22 --dport 513:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # inbound connections to this box's own sshd on port 22
    $IPT -A INPUT -i $IN_IF -p tcp --sport 1024:65535 --dport 22 --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $IN_IF -p udp --dport 22 -m state --state ESTABLISHED -j ACCEPT
    
    ... is changing 22 to my custom port an added measure then? I've had to leave 22 open in my outgoing in the conf, because sometimes I do have to SSH to this box, and then use it to SSH to another one, which does use 22 for SSH. I'd have to be careful not to interfere with that. I'm not sure what you're referring to by 'pre* and post* scripts'?

    One last thing... am I correct in my understanding that I can easily lock myself out and shouldn't use BFD if I don't have a fixed IP at my local workstation?

    salut,
     
  11. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    The rules in the firewall script are for incoming connections and won't affect your outgoing port.

    The other two files are:

    log.rules (which will log all connections to your SSH/new SSH port)

    preroute.rules (which adds modifiers to the iptables rules for the SSH port)

    If I had a dollar for every person I've helped out who had forgotten that simple step (the changed SSH port in conf.apf)... etc.

    As for BFD, I think that the benefits it can provide may outweigh the risk of locking yourself out. Maybe considering how helpful your datacentre would be in shutting down your firewall, or whether you have an alternative source to SSH into the server from (like another server), would be a better guide as to whether to use it, in case you block yourself.
     
    #11 chirpy, May 5, 2005
    Last edited: May 5, 2005
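The procedure chirpy spells out across posts #7, #9 and #11 (back up the conf files, upgrade, diff old against new, and above all make sure the non-standard SSH port is in the inbound port list before the firewall is restarted) is easy to script as a pre-flight check. The following is an added example written for this page, not APF's own code or anything posted in the thread. It assumes conf.apf carries the inbound TCP ports in a line of the form IG_TCP_CPORTS="22,25,...,3000_3500" (ranges written lo_hi) and that sshd_config uses a "Port N" directive (22 if absent); the sample conf and sshd_config files it creates in a temporary directory are constructed for the demonstration, not taken from a real server.

```shell
#!/bin/sh
# Added example (not APF's own code): pre-flight check before restarting APF
# after an upgrade. Backs up conf.apf, diffs old vs new, and refuses to go
# ahead unless the port sshd actually listens on is in the inbound TCP list.
# Assumptions: IG_TCP_CPORTS="a,b,lo_hi" line in conf.apf; "Port N" in sshd_config.

# sshd_port SSHD_CONFIG: print the first "Port" directive, or 22 if none.
sshd_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1)
    if [ -n "$p" ]; then echo "$p"; else echo 22; fi
}

# apf_inbound_tcp CONF: print the value of IG_TCP_CPORTS from conf.apf.
apf_inbound_tcp() {
    sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# port_allowed CONF PORT: exit 0 if PORT is listed in IG_TCP_CPORTS, either
# as an exact entry or inside a lo_hi range; exit 1 otherwise.
port_allowed() {
    port="$2"
    list=$(apf_inbound_tcp "$1")
    oldIFS=$IFS; IFS=','
    set -- $list
    IFS=$oldIFS
    for entry in "$@"; do
        case "$entry" in
            *_*)
                lo=${entry%%_*}; hi=${entry##*_}
                if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi
                ;;
            *)
                if [ "$entry" = "$port" ]; then return 0; fi
                ;;
        esac
    done
    return 1
}

# backup_conf CONF: copy CONF to CONF.bak.<timestamp> and print the copy's path.
backup_conf() {
    bak="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bak" && echo "$bak"
}

# preflight OLD_CONF NEW_CONF SSHD_CONFIG: show what the upgrade changed and
# return 0 only if the live sshd port is still reachable through NEW_CONF.
preflight() {
    port=$(sshd_port "$3")
    diff -u "$1" "$2" || true      # non-zero only means the files differ
    if port_allowed "$2" "$port"; then
        echo "OK: sshd port $port is in IG_TCP_CPORTS of $2"
        return 0
    fi
    echo "STOP: sshd port $port is NOT in IG_TCP_CPORTS of $2; add it before restarting APF" >&2
    return 1
}

# --- Constructed sample files (not from any real server) ---
WORK=$(mktemp -d)
cat > "$WORK/sshd_config" <<'EOF'
Port 2222
Protocol 2
EOF
cat > "$WORK/conf.apf.old" <<'EOF'
IG_TCP_CPORTS="22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
EG_TCP_CPORTS="21,25,80,443,43"
EOF
# The freshly installed conf with the custom port carried over.
cat > "$WORK/conf.apf.new" <<'EOF'
IG_TCP_CPORTS="22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500,2222"
EG_TCP_CPORTS="21,22,25,80,443,43"
EOF

backup_conf "$WORK/conf.apf.old" >/dev/null
preflight "$WORK/conf.apf.old" "$WORK/conf.apf.new" "$WORK/sshd_config"
```

On a real box you would run it as `preflight /etc/apf/conf.apf.bak.<timestamp> /etc/apf/conf.apf /etc/ssh/sshd_config` and only restart APF (`apf -r`) on an "OK". It only checks the inbound list that chirpy calls the one step people forget; the outbound EG_TCP_CPORTS entry for 22 that verdon needs for hopping to other boxes is a separate line and is left untouched. Whatever the check says, keep the second way in that chirpy recommends (console access through the datacentre or a shell on another server) until the new rules have been confirmed from a fresh SSH session.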
  12. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Thanks for the tips... that seems to have gone well. APF's install script did a pretty good job of importing my old settings into the new conf and also created good back-ups for me (in case I hadn't already done it myself :)
     
