Updated on Saturday, 11 January 2020
APF (Advanced Policy Firewall) is an excellent option for protecting a Linux server. Everyone knows the basic Linux firewall, iptables. Although iptables can be an excellent choice, its syntax is confusing for anyone new to the sysadmin world, which is why server firewall front-ends such as CSF or APF exist: both of them generate iptables rules from simpler policy files. We already covered how to install and configure APF in an earlier article.
Personally I stick with APF: it is much lighter and faster (it only works from the console / terminal). CSF is also an excellent option, but with its graphical configurator and a pile of options you will never use, it can become a burden on a server with few resources.
Advanced Policy Firewall is really a simple policy-based firewall that only works on Unix / Linux. Installing and configuring APF was covered in an earlier article; check it out.
Commands with examples:
Start
[root@host ~]# apf -s
apf(1078): {glob} activating firewall
apf(1186): {glob} determined (IFACE_UNTRUSTED) eth0 has address 37.59.105.54
apf(1186): {glob} loading preroute.rules
apf(1186): {resnet} downloading http://cdn.rfxn.com/downloads/reserved.networks
apf(1186): {resnet} parsing reserved.networks into /etc/apf/internals/reserved.networks
apf(1186): {glob} loading reserved.networks
apf(1186): {glob} loading bt.rules
apf(1186): {glob} loading /etc/apf/deny_hosts.rules
apf(1186): {trust} deny all to/from 85.255.10.76
apf(1186): {trust} deny all to/from 103.21.59.168
...
Note the resnet lines: on every start APF fetches reserved.networks from cdn.rfxn.com over plain HTTP and loads it as part of the firewall policy, so that download is an unauthenticated input to the rules your server ends up running.
Restart
[root@host ~]# apf -r
apf(3633): {glob} flushing & zeroing chain policies
apf(3633): {glob} firewall offline
apf(3712): {glob} activating firewall
apf(3820): {glob} determined (IFACE_UNTRUSTED) eth0 has address 37.59.105.54
apf(3820): {glob} loading preroute.rules
apf(3820): {resnet} downloading http://cdn.rfxn.com/downloads/reserved.networks
apf(3820): {resnet} parsing reserved.networks into /etc/apf/internals/reserved.networks
apf(3820): {glob} loading reserved.networks
apf(3820): {glob} loading bt.rules
apf(3820): {glob} loading /etc/apf/deny_hosts.rules
apf(3820): {trust} deny all to/from 85.255.10.76
...
Stop
[root@host ~]# apf -f
apf(5944): {glob} flushing & zeroing chain policies
apf(5944): {glob} firewall offline
Be aware that `apf -f` flushes and zeroes every chain, so the server is left with no firewall rules at all (that is what "firewall offline" means). To apply rule changes, use `apf -r` rather than stopping and starting.
List firewall rules
apf -l
Firewall status
[root@host ~]# apf -t
APF Status Log:
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 188.226.187.89
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 45.7.228.115
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 209.237.142.202
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 92.247.99.68
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 185.12.124.84
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 202.142.81.132
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 91.234.195.157
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 74.208.146.132
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 213.32.113.122
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 178.90.250.117
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 178.19.108.114
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 37.215.86.175
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 199.89.54.115
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 176.104.107.3
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 91.200.12.53
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 64.91.228.44
...
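The status log is the easiest place to confirm that an entry you put in deny_hosts.rules really became an active rule. The following POSIX shell check is an added example (not part of APF or of this article): it extracts the addresses from the "{trust} deny all to/from ..." lines, which appear in the same form in the output of `apf -s`, `apf -r` and `apf -e`, and compares them with the plain entries of a rules file. Anything in the file but not in the log was never loaded, typically because the firewall was not restarted after the edit. The log text and the rules file are constructed for the demo and live in temporary files, so it runs on a host without APF.

```shell
#!/bin/sh
# Added example, not APF's own code. Compares the plain address/network
# entries of a *_hosts.rules file against the deny rules reported in an
# APF status log. Sample data below is constructed.

# Addresses of active deny rules, read from status-log text on stdin.
apf_active_denies() {
    sed -n 's/.*{trust} deny all to\/from \([^ ]*\).*/\1/p' | sort -u
}

# Plain entries of a *_hosts.rules file. Comments, blank lines and
# advanced "proto:flow:port:ip" entries are skipped: the log reports the
# advanced ones in a different form, so they are not compared here.
apf_file_denies() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v ':' | grep -v '^$' | sort -u
}

# Entries in the rules file ($1) that are not active according to the
# status log ($2). Prints nothing when file and firewall agree.
apf_missing_denies() {
    want=$(mktemp); have=$(mktemp)
    apf_file_denies "$1" > "$want"
    apf_active_denies < "$2" > "$have"
    comm -23 "$want" "$have"        # lines only in the rules file
    rm -f "$want" "$have"
}

# Constructed sample data standing in for `apf -t` output and for
# /etc/apf/deny_hosts.rules.
DEMO_LOG=$(mktemp); DEMO_RULES=$(mktemp)
cat > "$DEMO_LOG" <<'EOF'
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 188.226.187.89
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 45.7.228.115
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 91.200.0.0/16
EOF
cat > "$DEMO_RULES" <<'EOF'
# deny_hosts.rules (constructed)
188.226.187.89
45.7.228.115
91.200.0.0/16
203.0.113.7            # added after the last apf -r, so not yet active
tcp:in:d=22:s=198.51.100.9
EOF

echo "Entries in deny_hosts.rules that are not active:"
apf_missing_denies "$DEMO_RULES" "$DEMO_LOG"
```

On a real host you would feed it `apf -t > /tmp/apf.log` and `/etc/apf/deny_hosts.rules`; the same functions work for allow_hosts.rules if you change the sed pattern to match the corresponding "allow" lines.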
Refresh trust rules and resolve DNS names
[root@host ~]# apf -e
apf(11753): {glob} refreshing trust system rules
apf(11753): {glob} loading /etc/apf/deny_hosts.rules
apf(11753): {trust} deny all to/from 85.255.10.76
apf(11753): {trust} deny all to/from 103.21.59.168
apf(11753): {trust} deny all to/from 120.37.220.117
apf(11753): {trust} deny all to/from 62.210.88.190
apf(11753): {trust} deny all to/from 185.85.239.0/24
apf(11753): {trust} deny all to/from 91.228.167.0/24
apf(11753): {trust} deny all to/from 91.200.0.0/16
apf(11753): {trust} deny all to/from 192.169.227.243
apf(11753): {trust} deny all to/from 103.74.119.9
apf(11753): {trust} deny all to/from 202.91.83.70
apf(11753): {trust} deny all to/from 77.38.159.74
...
Unlike `apf -r`, this reloads only the trust rules (the *_hosts.rules files); the rest of the firewall stays up while it runs.
Show the configuration options
[root@host ~]# apf -o
Advanced Policy Firewall (APF) v1.7.5-2 <apf@rfxn.org>
Copyright (C) 2002-2014, R-fx Networks <proj@rfxn.org>
Copyright (C) 2014, Ryan MacDonald <ryan@rfxn.org>
This program may be freely redistributed under the terms of the GNU GPL
DEVEL_MODE "0"
INSTALL_PATH "/etc/apf"
IFACE_UNTRUSTED "eth0"
IFACE_TRUSTED ""
USE_IPV6 "0"
SET_VERBOSE "1"
SET_FASTLOAD "0"
SET_VNET "0"
SET_ADDIFACE "0"
SET_MONOKERN "0"
SET_EXPIRE "0"
SET_REFRESH "10"
SET_REFRESH_MD5 "0"
SET_TRIM "250"
VF_ROUTE "1"
VF_LGATE ""
RAB "1"
RAB_SANITY "1"
RAB_PSCAN_LEVEL "1"
RAB_HITCOUNT "1"
RAB_TIMER "300"
...
Remove a host from [glob]*_hosts.rules and remove its rule from the firewall
apf -u HOST # no example output
Add an IP to the whitelist (allow list)
nano /etc/apf/allow_hosts.rules
#
# allow_hosts
#
# Trust based rule file to define addresses that are granted all or specific
# access through the firewall.
#
# Format of this file is line-separated addresses, IP masking is supported.
# Example:
# 192.168.2.1
# 192.168.5.0/24
#
# advanced usage
#
# The trust rules can be made in advanced format with 4 options
# (proto:flow:port:ip);
# 1) protocol: [packet protocol tcp/udp]
# 2) flow in/out: [packet direction, inbound or outbound]
# 3) s/d=port: [packet source or destination port]
# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
#
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s - source , d - destination , flow - packet flow in/out
#
# Examples:
# inbound to destination port 22 from 192.168.2.1
# tcp:in:d=22:s=192.168.2.1
...
Remember to reload the firewall after adding an IP: an entry in this file only becomes an iptables rule when APF loads the file, so run `apf -r` (or `apf -e`, which refreshes just the trust rules without flushing the whole firewall).
Add an IP to the blacklist (deny list)
nano /etc/apf/deny_hosts.rules
##
# deny_hosts
#
# Trust based rule file to define addresses that are implicitly denied.
#
# Format of this file is line-separated addresses, IP masking is supported.
# Example:
# 192.168.2.1
# 192.168.5.0/24
#
# advanced usage
#
# The trust rules can be made in advanced format with 4 options
# (proto:flow:port:ip);
# 1) protocol: [packet protocol tcp/udp]
# 2) flow in/out: [packet direction, inbound or outbound]
# 3) s/d=port: [packet source or destination port]
# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
#
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s - source , d - destination , flow - packet flow in/out
#
# Examples:
# inbound to destination port 22 from 192.168.2.1
# tcp:in:d=22:s=192.168.2.1
#
# outbound to destination port 23 to destination host 192.168.2.1
# out:d=23:d=192.168.2.1
...
The same reminder applies here: reload with `apf -r` (or `apf -e`) after adding an IP, otherwise the entry is not enforced.
To see how to allow or block IPs, check this article.
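Both rule files above share one syntax: a bare address or network, or the advanced form `[proto:]flow:[s|d]=port:[s|d]=ip(/mask)` (the deny_hosts example `out:d=23:d=192.168.2.1` shows that the protocol field may be omitted). A typo in one of these lines is only discovered at the next `apf -r`, so it pays to validate an entry before writing it. The following POSIX shell script is an added example, not APF's own tooling or code from this article: it checks a rule line against that syntax and appends it to a rules file only if it is valid and not already present. The rules file path is a temporary file (an assumption for the demo); on a real server you would point it at /etc/apf/allow_hosts.rules or /etc/apf/deny_hosts.rules and follow up with `apf -r`.

```shell
#!/bin/sh
# Added example, not APF's own code. Validates APF trust-rule lines
#   plain:     ip(/mask)
#   advanced:  [proto:]flow:[s|d]=port:[s|d]=ip(/mask)
# and appends them to a rules file without duplicates.
set -f   # no pathname expansion while word-splitting rule fields

# IPv4 dotted quad with optional /0-32 prefix.
apf_valid_ip() {
    addr=${1%%/*}
    mask=${1#*/}
    [ "$mask" = "$1" ] && mask=32          # no "/" means a single host
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# "tcp" or "udp", the protocols the advanced format documents.
apf_valid_proto() { [ "$1" = tcp ] || [ "$1" = udp ]; }

# "in" or "out".
apf_valid_flow() { [ "$1" = in ] || [ "$1" = out ]; }

# "s=PORT" or "d=PORT" with PORT in 1..65535.
apf_valid_port() {
    case "$1" in s=*|d=*) ;; *) return 1 ;; esac
    port=${1#?=}
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# "s=IP(/mask)" or "d=IP(/mask)".
apf_valid_addr() {
    case "$1" in s=*|d=*) ;; *) return 1 ;; esac
    apf_valid_ip "${1#?=}"
}

# Whole rule line: 1 field = plain address, 3 = flow:port:ip,
# 4 = proto:flow:port:ip. Anything else is rejected.
apf_valid_rule() {
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    case $# in
        1) apf_valid_ip "$1" ;;
        3) apf_valid_flow "$1" && apf_valid_port "$2" && apf_valid_addr "$3" ;;
        4) apf_valid_proto "$1" && apf_valid_flow "$2" && apf_valid_port "$3" && apf_valid_addr "$4" ;;
        *) false ;;
    esac
}

# Append RULE ($2) to FILE ($1) if it is valid and not already there.
# Exit status: 0 added, 1 invalid syntax, 2 already present.
apf_add_rule() {
    file=$1; rule=$2
    apf_valid_rule "$rule" || return 1
    [ -f "$file" ] && grep -qxF -- "$rule" "$file" && return 2
    printf '%s\n' "$rule" >> "$file"
}

# Demo on a temporary file standing in for /etc/apf/deny_hosts.rules.
DEMO_RULES=$(mktemp)
for r in 192.168.5.0/24 tcp:in:d=22:s=192.168.2.1 out:d=23:d=192.168.2.1 \
         tcp:in:d=22:s=192.168.2.1 999.1.1.1 icmp:in:d=8:s=10.0.0.1; do
    apf_add_rule "$DEMO_RULES" "$r"
    case $? in
        0) echo "added:     $r" ;;
        1) echo "rejected:  $r" ;;
        2) echo "duplicate: $r" ;;
    esac
done
# The file now holds the three valid, distinct rules. On a real host,
# `apf -r` is still needed for them to become firewall rules.
```

The duplicate check is an exact-line match, so an existing entry that carries a trailing comment will not be recognised as the same rule; strip comments first if your files use them.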