The Community Forums


apf firewall

Discussion in 'General Discussion' started by anand, May 18, 2003.

  1. anand

    I know this is not a forum for apf, but I thought the guys here have done this several times and someone would surely help me. So here it goes.

    Yesterday I came to know about apf and downloaded and tried to install it on a box. Configured its ports etc. Opened all cPanel ports.

    TCP_CPORTS="22,25,26,37,53,80,110,143,443,465,783,873,993,995,2082,2083,2086,2087,2095,2096,3306,6666,7786"

    UDP_CPORTS="37,53,873"

    Now since I don't have telnet enabled on the server, I edited the files prelog.rules and preroute.rules and commented out the lines with the ruleset for telnet. Now the moment of truth.

    /usr/local/sbin/apf -start

    All I get now is:

    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name

    And it gets stuck there itself. Nothing else. I am not able to understand how to solve this.

    Any help would be appreciated.
     
  2. internethosting

    I have exactly the same issue. Did you find a solution yet? Anyone?

    Tim -
     
  3. gershwin

    APF Telnet Config

    I'm wondering where you were told to edit prelog.rules and preroute.rules. I installed apf about three weeks ago and only removed port 25 from the list in conf.apf to prevent telnet access, and it worked ok.
     
  4. darksoul

    That means you don't have all the required kernel modules for iptables (/lib/modules/<kernel version>/kernel/net/ipv4/netfilter/) or that your kernel doesn't have the ability to load modules post boot.
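    A quick way to check the condition darksoul describes, as an added example that is not from this thread or from APF: list which netfilter modules are missing from a modules tree before starting the firewall. The module names ip_tables, ipt_state, ipt_LOG and ipt_REJECT are assumed for illustration; the set your own rules need may differ.

```shell
#!/bin/sh
# Added example (not from the thread or from APF): report netfilter kernel
# modules that are missing from a modules tree, the usual cause of
# "iptables: No chain/target/match by that name" when rules are loaded.
# The module names below are assumptions; check the rules you load to see
# which targets and matches they actually require.

# check_netfilter_modules MODULEDIR NAME...
# Prints each missing module name, one per line; returns 1 if any is missing.
check_netfilter_modules() {
    moddir="$1"; shift
    missing=0
    for mod in "$@"; do
        # Module file extension varies by kernel generation (.o, .ko, .ko.xz),
        # so match on the basename only.
        if ! ls "$moddir/$mod".* >/dev/null 2>&1; then
            printf '%s\n' "$mod"
            missing=1
        fi
    done
    return $missing
}

# Live check against the running kernel's tree (needs the real /lib/modules).
check_running_kernel() {
    dir="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"
    [ -d "$dir" ] || { echo "no netfilter module dir: $dir" >&2; return 2; }
    check_netfilter_modules "$dir" ip_tables ipt_state ipt_LOG ipt_REJECT
}

# Demo on a constructed modules tree so it runs without root or iptables:
# only ip_tables and ipt_state exist, so ipt_LOG and ipt_REJECT are reported.
demo_missing() {
    tmp=$(mktemp -d)
    touch "$tmp/ip_tables.ko" "$tmp/ipt_state.ko"
    check_netfilter_modules "$tmp" ip_tables ipt_state ipt_LOG ipt_REJECT
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

    If the modules are present but still fail to load, the second cause darksoul names (a kernel without loadable module support) is the next thing to check.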
     
  5. damainman

    I installed APF and only configured conf.apf. I took out the port that telnet used, to disable access to it. My firewall seems to be running pretty nicely. I never read anywhere about editing prelog.rules and preroute.rules. Try redoing the APF installation but only edit conf.apf to set up what ports you want blocked and what ports you want opened, and see what happens.
     
  6. rix

    Well, this is off the topic but related. I wonder how I make the script log the packets for antidos use into another file instead of /var/log/messages, maybe to something like /var/log/packetlog.

    I believe that antidos will parse the log file slower as lots of unrelated logs reside in the messages file. So, by separating the logfile, maybe it could parse faster.

    I was thinking of editing the syslog settings but I'm not sure what the flag for ipchains is. So this narrows down to editing the syslog or apf itself.
     
  7. rfxn

    antidos greps specifically for only the specific firewall chains, then caches those logged chains and runs its routines based on the cache file rather than always checking the log.

    Likewise, to the point: yes, logging packets to their own file would be very well suited, but sadly syslog tracks logs based on facilities and not content type, so it becomes very difficult to separate logs based on content specifics like iptables logs or otherwise. All you can really do is change the log level (facility) and set syslog to catch that level to a specific file; however, every log level is used by something or other, so you will always end up with mixed logs.
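    The content-based split rfxn describes antidos doing itself (grep the firewall-chain lines out of messages into a cache) looks like this, as an added example that is neither APF's nor antidos's code. The log prefix SAMPLE_DROP and the sample syslog lines are constructed for the demo; substitute the prefix your own LOG rules use.

```shell
#!/bin/sh
# Added example (not from the thread, APF or antidos): pull only the
# firewall-chain lines out of a syslog file into a separate cache file,
# the content-based separation that syslog's facility routing cannot do.
# The prefix "SAMPLE_DROP" and the log lines below are constructed.

# extract_chain_logs LOGFILE CACHEFILE PREFIX...
# Appends lines whose iptables log prefix matches one of PREFIX to CACHEFILE
# and prints the number of lines now in the cache.
extract_chain_logs() {
    log="$1"; cache="$2"; shift 2
    pattern=""
    for p in "$@"; do
        pattern="${pattern:+$pattern|}$p"
    done
    # iptables log lines carry "IN=... OUT=..." after the prefix; requiring
    # both fields keeps unrelated kernel messages out of the cache.
    grep -E "kernel:.*($pattern).*IN=.*OUT=" "$log" >>"$cache" || true
    wc -l <"$cache" | tr -d ' '
}

# Demo on a constructed /var/log/messages: two firewall lines among
# sshd, named and an unrelated kernel message; expect 2 lines cached.
demo_extract() {
    tmp=$(mktemp -d)
    cat >"$tmp/messages" <<'EOF'
May 18 10:00:01 host sshd[123]: Accepted password for root
May 18 10:00:02 host kernel: SAMPLE_DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=23
May 18 10:00:03 host named[456]: zone example.com loaded
May 18 10:00:04 host kernel: SAMPLE_DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=UDP DPT=137
May 18 10:00:05 host kernel: eth0: link up
EOF
    n=$(extract_chain_logs "$tmp/messages" "$tmp/packetlog" SAMPLE_DROP)
    rm -rf "$tmp"
    echo "$n"
}
```

    Run it periodically (or from cron) against the live messages file and point the parser at the cache file instead, which is the gain rix is after without touching syslog facilities.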
     
  8. rix

    I'm not really sure about changing the settings for the syslog because I don't really understand how it works. I'll try to find some pages on the net regarding this. If you could show an example this would speed up my work.

    The second thing I'm curious about is that the number of policies loaded is way too many. What I wonder is whether those policies will have an effect on the system resources. Maybe parsing the packet gets slower since there's a lot of policies to go through before letting the daemon receive the packet. I'm just curious...
     