APF:Linux下强大的防火墙组件
2010-12-22 13:53
537 查看
什么是APF?
APF(Advanced Policy Firewall)是 Rf-x Networks 出品的Linux环境下的软件防火墙,被大部分Linux服务器管理员所采用,使用iptables的规则,易于理解及使用.可算是Linux使用较多的防火墙.APF的配置参数众多,有效利用这些配置参数可加强你的服务器安全,APF应该在每一台Linux服务器中得到应用.安装APF
1.下载最新的安装包并解压缩,APF项目详细信息.#cd /usr/local/src #wget http://www.rfxn.com/downloads/apf-current.tar.gz #tar -zxf apf-current.tar.gz #cd apf-9.7-1/
2.执行安装
#sh ./install.sh
结束安装好你会得到一些信息:
... Installation Details: Install path: /etc/apf/ Config path: /etc/apf/conf.apf Executable path: /usr/local/sbin/apf ...
3.进行详细配置
#vi /etc/apf/conf.apf
默认的参数适合大多数场合,按照需要进行修改即可
DEVEL_MODE="1" >> DEVEL_MODE="0" RAB="0" >> RAB="1" RAB_PSCAN_LEVEL="2" >> RAB_PSCAN_LEVEL="3" TCR_PASS="1" >> TCR_PASS="0" DLIST_PHP="0" >> DLIST_PHP="1" DLIST_SPAMHAUS="0" >> DLIST_SPAMHAUS="1" DLIST_DSHIELD="0" >> DLIST_DSHIELD="1" DLIST_RESERVED="0" >> DLIST_RESERVED="1"
流入端口过滤
# Common ingress (inbound) TCP ports IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,3306" # Common ingress (inbound) UDP ports IG_UDP_CPORTS="21,53,465"
流出端口过滤,虚拟主机推荐开启
# Outbound (egress) filtering EGF="1" # Common outbound (egress) TCP ports EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,3306" # Common outbound (egress) UDP ports EG_UDP_CPORTS="20,21,53,465"
ICMP过滤
# Common ICMP outbound (egress) types # 'internals/icmp.types' for type definition; 'all' is wildcard for any EG_ICMP_TYPES="all"
另外还有两个值得注意的设置文件: /etc/apf/allow_hosts.rules 和 /etc/apf/deny_hosts.rules 可设置目标主机的过滤规则.如添加信任主机操作等.
启动APF
#/usr/local/sbin/apf -s
重启APF
#/usr/local/sbin/apf -r
查看运行日志
#tail -f /var/log/apf_log
添加为系统启动
#vi /etc/rc.local
在其中添加 "/usr/local/sbin/apf -s" 即可(不含双引号).
详细参数说明
usage /usr/local/sbin/apf [OPTION] -s|--start ......................... load all firewall rules -r|--restart ....................... stop (flush) & reload firewall rules -f|--stop........ .................. stop (flush) all firewall rules -l|--list .......................... list all firewall rules -t|--status ........................ output firewall status log -e|--refresh ....................... refresh & resolve dns names in trust rules -a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall -d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall -u|--remove HOST ................... remove host from [glob]*_hosts.rules and immediately remove rule from firewall -o|--ovars ......................... output all configuration options
此外,APF自9.6 (rev:2)版本之后增加了RAB模块.该模块取代了旧版本的antidos模块.可有效减轻拒绝服务攻击带来的影响,但需要iptables的内核模块ipt_recent的支持.如下图我在VPS上启动APF后的屏显,提示RAB模块无法启用.内核模块ipt_recent没有找到.因此建议在内核支持以及iptables模块支持的情况下使用.
Faq
Problem: If you get this error apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.Solution: Try changing SET_MONOKERN=”0″ to SET_MONOKERN=”1″ , then apf -r
Problem: If you get this message: apf(xxxxx): {glob} !!DEVELOPMENT MODE ENABLED!! – firewall will flush every 5 minutes.
Solution: you need to change DEVEL_MODE=1 to DEVEL_MODE=0, make sure your config is working first.
Via:http://www.securecentos.com/basic-security/install-firewall/
相关文章推荐
- 免费而强大的linux防火墙:APF
- Linux 防火墙策略——APF
- APF(Advanced Policy Firewall) linux下的高级策略防火墙
- 为Linux加防火墙:APF的安装与设置
- linux下防火墙APF的安装与设置
- 防火墙iptables实现Linux强大的NAT功能
- linux下如何关闭防火墙?如何查看防火墙当前的状态
- Linux 防火墙
- linux iptables 防火墙 设置
- 推荐一个简单、轻量、功能非常强大的C#/ASP.NET定时任务执行管理器组件–FluentScheduler
- Linux系统关闭防火墙
- linux平台下防火墙iptables原理(转) 分类: Linux 2015-05-17 21:51 35人阅读 评论(0) 收藏
- 大公司业务流程审批组件【部门的员工—部门经理—部门副总—人力经理—人力副总】实现参考,强大的基础数据管理工具-C#.NET通用权限管理系统组件
- linux下mysql开启远程访问权限及防火墙开放3306端口
- 修改linux的防火墙
- Linux 防火墙开放特定端口
- linux 防火墙
- linux 防火墙的设置
- linux防火墙iptables详细教程
- [Linux]CentOS防火墙iptables的配置