The Community Forums

Need help with APF

Discussion in 'General Discussion' started by alrock, Sep 28, 2004.

  1. alrock

    alrock Active Member

    Joined:
    May 31, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    I am having problems with APF. My former sys admin installed it and it never worked correctly, so I left it turned off. A few days ago, I hired another tech to go through the server and do a security check and install all of the software that was needed to secure the box.

    He did a great job. He found the problems with the original APF install and corrected them. But... the same problem still exists. For hours everything is fine, then suddenly my sites go down (the browser cannot find them and email cannot find the host). The only way to correct it is to flush the firewall, so it's obviously a firewall problem.

    Here is (some of) the output of the .conf file:

    Are there ports that we are missing here that could be causing the problem?
     
  2. AlexSmithMCP

    AlexSmithMCP Well-Known Member

    Joined:
    May 26, 2004
    Messages:
    66
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Have you tried nmapping your server to find out what ports it shows as open when you can't see your sites? (I assume that you can still SSH in.)
     
  3. alrock

    alrock Active Member

    Joined:
    May 31, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Yes, SSH still works even when the sites will not show. Next time this happens I will do as you suggest. Thanks!
     
  4. AlexSmithMCP

    AlexSmithMCP Well-Known Member

    Joined:
    May 26, 2004
    Messages:
    66
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    No problem. When I get home and can SSH (damn company firewall) I'll get the list of ports I have unblocked and post them here for you.
     
  5. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Not that this is the problem, but ensure there are no spaces in the port list. The list you showed above looks as though it may have spaces; this can cause issues, but I'm not sure if it will cause your exact one.

    IG_TCP_CPORTS="3097,21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500"

    And 3097 does not need to be there as it is included in the 3000_3500 range listed already.
     
  6. AlexSmithMCP

    AlexSmithMCP Well-Known Member

    Joined:
    May 26, 2004
    Messages:
    66
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Oh, and when you edit the config, if you use pico make sure you use

    pico -w /etc/apf/conf.apf
    (I think that's the file name) so that it doesn't wrap lines. I screwed up my config because of line wrapping :/
     
  7. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    That's why vi (vim) is a better editor to use. :D
     
  8. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    You have my vote on that.
    In fact I really feel uncomfortable when I have to edit the crontab, as that opens with pico when I do crontab -e :/

    Anup
     
  9. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    You can change that, you know, so vi is the default for all.
     
  10. AlexSmithMCP

    AlexSmithMCP Well-Known Member

    Joined:
    May 26, 2004
    Messages:
    66
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    I've used pico ever since I started with Linux, so yeah lol, can't use anything else :rolleyes:
     
  11. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    Managed to edit the bashrc file for that :)

    Anup
     
  12. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    Run 'alias' with no switches to see if pico is already aliased (it may be).

    If it is not listed run

    alias pico='pico -w -z'

    Then you do not have to worry about it.
     
  13. alrock

    alrock Active Member

    Joined:
    May 31, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6

    Aha! You may be right. My admin guy overlooked this as well, so I fixed it. Let's see what happens.

    I used nmap and compared the output with APF off and on, and the output is identical. Port 80 is open so I see no reason for my sites to be "unlocatable".

    This is driving me up a wall. :rolleyes:
     
  14. AlexSmithMCP

    AlexSmithMCP Well-Known Member

    Joined:
    May 26, 2004
    Messages:
    66
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Is port 53 open? I know I have blocked it before lol and it stopped my sites working.... :s It needs to be open for outgoing too.

    [edit]
    Forget that lol

    Code:
     # Common egress (outbound) UDP ports
    EG_UDP_CPORTS="20,21,53"
     
    #14 AlexSmithMCP, Sep 28, 2004
    Last edited: Sep 28, 2004
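    An added example, not code from the thread or from APF itself, that covers two points raised above at once: dgbaker's warning about spaces in the port list and the redundant 3097 inside 3000_3500, and the EG_UDP_CPORTS point in the post above (DNS has to be allowed out or nothing on the box can resolve names, while TCP 80 still scans open from outside). It is a small POSIX shell linter for the four port-list variables in conf.apf (IG_TCP_CPORTS, IG_UDP_CPORTS, EG_TCP_CPORTS, EG_UDP_CPORTS are APF's real variable names). The conf text embedded in the script is constructed, modelled on the lists posted in this thread; run it against a real file by passing the path as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread or from APF): lint the port lists in an
# APF conf.apf for the problems raised in this thread: whitespace inside a
# list, a single port already covered by a range (3097 inside 3000_3500), and
# egress lists that do not let DNS (port 53) out. Constructed sample below.

# Constructed sample conf text, modelled on the lists posted in the thread.
SAMPLE_CONF='
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="3097,21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21"
'

# conf_value NAME CONF_TEXT -> the quoted value of NAME="..." (empty if absent)
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\(.*\)\"[[:space:]]*\$/\1/p" | head -n 1
}

# is_port N -> 0 if N is an integer in 1..65535
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# lint_ports NAME LIST -> prints one finding per line; returns 1 if any
lint_ports() {
    name=$1; list=$2; findings=0; ranges=""; singles=""
    case $list in
        *[[:space:]]*) echo "$name: whitespace inside the list (APF expects a plain comma-separated list)"; findings=1 ;;
    esac
    for tok in $(printf '%s' "$list" | tr -d '[:space:]' | tr ',' ' '); do
        case $tok in
            *_*)  # APF writes ranges as low_high
                lo=${tok%_*}; hi=${tok#*_}
                if is_port "$lo" && is_port "$hi" && [ "$lo" -lt "$hi" ]; then
                    ranges="$ranges $lo:$hi"
                else
                    echo "$name: bad range '$tok'"; findings=1
                fi ;;
            *)
                if is_port "$tok"; then singles="$singles $tok"
                else echo "$name: bad port '$tok'"; findings=1; fi ;;
        esac
    done
    for p in $singles; do
        for r in $ranges; do
            if [ "$p" -ge "${r%:*}" ] && [ "$p" -le "${r#*:}" ]; then
                echo "$name: port $p is already covered by range ${r%:*}_${r#*:}"; findings=1
            fi
        done
    done
    return $findings
}

# list_has_port LIST PORT -> 0 if PORT is listed singly or inside a range
list_has_port() {
    want=$2
    for tok in $(printf '%s' "$1" | tr -d '[:space:]' | tr ',' ' '); do
        case $tok in
            *_*) if [ "$want" -ge "${tok%_*}" ] && [ "$want" -le "${tok#*_}" ]; then return 0; fi ;;
            *)   if [ "$tok" = "$want" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# check_conf CONF_TEXT -> lints every list and confirms DNS can get out;
# prints findings, returns 1 if there are any
check_conf() {
    rc=0
    for var in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        lint_ports "$var" "$(conf_value "$var" "$1")" || rc=1
    done
    # Resolver queries leave on UDP 53 (TCP 53 for truncated answers). With
    # egress filtering on (EGF="1") and 53 missing here, lookups from the box
    # fail while TCP 80 still shows open to an outside nmap.
    for var in EG_UDP_CPORTS EG_TCP_CPORTS; do
        if ! list_has_port "$(conf_value "$var" "$1")" 53; then
            echo "$var: port 53 missing, outbound DNS is blocked when EGF=\"1\""; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: lint a real conf.apf given as the first argument, else the
# sample. Restart APF afterwards so the edited lists are reloaded.
if [ -r "${1-}" ]; then conf_text=$(cat "$1"); else conf_text=$SAMPLE_CONF; fi
if check_conf "$conf_text"; then echo "no findings"; else echo "fix the findings above, then restart APF (apf -r)"; fi
```

    Against the constructed sample the script reports four findings: the whitespace in IG_TCP_CPORTS, 3097 being covered by 3000_3500, and port 53 absent from both egress lists. Ranges are validated as low_high with low strictly below high, and every token must be a port between 1 and 65535, so a wrapped line that split a number in two (the pico -w problem mentioned above) shows up as a bad port.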
  15. richy

    richy Well-Known Member

    Joined:
    Jun 30, 2003
    Messages:
    276
    Likes Received:
    1
    Trophy Points:
    16
    Sort of related - we're running APF with Ingress and Egress filtering, and we've had a request (which we'd like to grant) to open TCP port X so the server can communicate with another server Y - but only via that port number.

    Is this possible directly with APF, or do we have to use iptables directly (if so, can anyone help with the command, and will APF 'wipe it' on restart)? Thanks for any assistance!
     
  16. Sinewy

    Sinewy Well-Known Member

    Joined:
    May 15, 2004
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney, Australia
    cPanel Access Level:
    DataCenter Provider
    APF flushes iptables on every restart of the service.

    Just accept the port in ingress and egress.
     
  17. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    That isn't going to limit communications to the remote server to only one port.

    I do not know (I will have to check) if APF offers any facility for loading custom netfilter rules upon loading. If not, it would be a good feature request to make at their forums (for those times Ryan is around).
     
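    An added example for richy's request above, not code from the thread, from APF or from the iptables project: the rule pair that permits TCP traffic between this box and one remote host on one port only, generated as text so it can be reviewed before anything is applied. As SarcNBit notes, adding the port to IG_TCP_CPORTS/EG_TCP_CPORTS opens it to every host; the -s/-d host match is what narrows it. The host 203.0.113.10 and port 3306 stand in for "server Y" and "port X" and are constructed documentation values. Because APF flushes iptables on restart (Sinewy's point), rules typed by hand disappear on the next apf -r; the script therefore only prints them unless APPLY=1 is set while running as root. To my knowledge later APF releases source /etc/apf/postroute.rules on every start and that is where such lines belong, but the thread does not confirm this for the version in use, so treat it as an assumption to check against your own install.

```shell
#!/bin/sh
# Added example (not from the thread): build iptables rules that let this box
# talk to ONE remote host on ONE TCP port, in either direction, and print them
# for review. Nothing is applied unless APPLY=1 and the script runs as root.
# Host and port are constructed documentation values, not from the thread.

REMOTE_HOST=203.0.113.10   # constructed: "server Y"
REMOTE_PORT=3306           # constructed: "port X"

# valid_ipv4 A.B.C.D -> 0 if it is a dotted quad with each octet 0..255
valid_ipv4() {
    ip=$1; n=0
    case $ip in ''|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    for oct in $ip; do
        case $oct in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
        [ "$oct" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# valid_port N -> 0 if N is 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rules_for DIRECTION HOST PORT -> prints the iptables commands, one per line.
# DIRECTION "out": we connect to HOST:PORT.  "in": HOST connects to our PORT.
rules_for() {
    dir=$1; host=$2; port=$3
    valid_ipv4 "$host" || { echo "bad host: $host" >&2; return 1; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    # -I puts the rules ahead of APF's own chains so its final DROP does not
    # swallow them. -m state is the match module of iptables of this era
    # (-m conntrack --ctstate on current kernels). The reply rule accepts only
    # ESTABLISHED, so the other side cannot open new connections through it.
    case $dir in
        out)
            echo "iptables -I OUTPUT -p tcp -d $host --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
            echo "iptables -I INPUT  -p tcp -s $host --sport $port -m state --state ESTABLISHED -j ACCEPT" ;;
        in)
            echo "iptables -I INPUT  -p tcp -s $host --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
            echo "iptables -I OUTPUT -p tcp -d $host --sport $port -m state --state ESTABLISHED -j ACCEPT" ;;
        *)  echo "direction must be in or out" >&2; return 1 ;;
    esac
}

# Stand-alone use: print the rules; apply only on explicit request as root.
# APF flushes the tables on every restart, so to keep them put the printed
# lines in a file APF sources on start (postroute.rules in later APF
# releases; check your version) instead of running them by hand.
if rules=$(rules_for "${DIRECTION:-out}" "$REMOTE_HOST" "$REMOTE_PORT"); then
    printf '%s\n' "$rules"
    if [ "${APPLY-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        printf '%s\n' "$rules" | sh -e
    fi
fi
```

    Run it as is to see the two rules for the outbound case, or with DIRECTION=in for the case where the remote host initiates. Whichever hook file your APF version offers, verify after apf -r with iptables -L INPUT -n and iptables -L OUTPUT -n that the two host-specific ACCEPT rules are still present and sit above the DROP rules.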