APF Firewall – Essential commands

Updated Saturday, 11 January 2020

APF (Advanced Policy Firewall) is an excellent option for protecting a Linux server. Everyone knows the basic Linux firewall, iptables. Although iptables can be an excellent choice, it is rather confusing for someone new to the sysadmin world, which is why there are server firewall applications such as CSF or APF itself, whose installation and configuration we already covered in an earlier article.

Personally I stick with APF: it is much lighter and faster (it only works from the console / terminal). CSF is also an excellent option, but since it has a graphical configuration screen and a pile of options you will never use, it can become dead weight on a server with few resources.

Advanced Policy Firewall is really a simple policy-based firewall that only works on Unix / Linux. We already covered installing and configuring APF in an earlier article; check it out.


Commands with examples:

Start

[root@host ~]# apf -s

apf(1078): {glob} activating firewall
apf(1186): {glob} determined (IFACE_UNTRUSTED) eth0 has address 37.59.105.54
apf(1186): {glob} loading preroute.rules
apf(1186): {resnet} downloading http://cdn.rfxn.com/downloads/reserved.networks
apf(1186): {resnet} parsing reserved.networks into /etc/apf/internals/reserved.networks
apf(1186): {glob} loading reserved.networks
apf(1186): {glob} loading bt.rules
apf(1186): {glob} loading /etc/apf/deny_hosts.rules
apf(1186): {trust} deny all to/from 85.255.10.76
apf(1186): {trust} deny all to/from 103.21.59.168
   ..............................


Restart

[root@host ~]# apf -r

apf(3633): {glob} flushing & zeroing chain policies
apf(3633): {glob} firewall offline
apf(3712): {glob} activating firewall
apf(3820): {glob} determined (IFACE_UNTRUSTED) eth0 has address 37.59.105.54
apf(3820): {glob} loading preroute.rules
apf(3820): {resnet} downloading http://cdn.rfxn.com/downloads/reserved.networks
apf(3820): {resnet} parsing reserved.networks into /etc/apf/internals/reserved.networks
apf(3820): {glob} loading reserved.networks
apf(3820): {glob} loading bt.rules
apf(3820): {glob} loading /etc/apf/deny_hosts.rules
apf(3820): {trust} deny all to/from 85.255.10.76
           .........................................


Stop

[root@host ~]# apf -f

apf(5944): {glob} flushing & zeroing chain policies
apf(5944): {glob} firewall offline


List firewall rules

apf -l



Firewall status

[root@host ~]# apf -t

APF Status Log:
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 188.226.187.89
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 45.7.228.115
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 209.237.142.202
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 92.247.99.68
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 185.12.124.84
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 202.142.81.132
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 91.234.195.157
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 74.208.146.132
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 213.32.113.122
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 178.90.250.117
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 178.19.108.114
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 37.215.86.175
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 199.89.54.115
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 176.104.107.3
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 91.200.12.53
sep 27 08:20:03 host apf(8375): {trust} deny all to/from 64.91.228.44
                 .......................................

Refresh trust rules and resolve DNS

[root@host ~]# apf -e

apf(11753): {glob} refreshing trust system rules
apf(11753): {glob} loading /etc/apf/deny_hosts.rules
apf(11753): {trust} deny all to/from 85.255.10.76
apf(11753): {trust} deny all to/from 103.21.59.168
apf(11753): {trust} deny all to/from 120.37.220.117
apf(11753): {trust} deny all to/from 62.210.88.190
apf(11753): {trust} deny all to/from 185.85.239.0/24
apf(11753): {trust} deny all to/from 91.228.167.0/24
apf(11753): {trust} deny all to/from 91.200.0.0/16
apf(11753): {trust} deny all to/from 192.169.227.243
apf(11753): {trust} deny all to/from 103.74.119.9
apf(11753): {trust} deny all to/from 202.91.83.70
apf(11753): {trust} deny all to/from 77.38.159.74
             .............................................


Show the rule configuration

[root@host ~]# apf -o

Advanced Policy Firewall (APF) v1.7.5-2 <apf@rfxn.org>
      Copyright (C) 2002-2014, R-fx Networks <proj@rfxn.org>
      Copyright (C) 2014, Ryan MacDonald <ryan@rfxn.org>
This program may be freely redistributed under the terms of the GNU GPL

DEVEL_MODE "0"
INSTALL_PATH "/etc/apf"
IFACE_UNTRUSTED "eth0"
IFACE_TRUSTED ""
USE_IPV6 "0"
SET_VERBOSE "1"
SET_FASTLOAD "0"
SET_VNET "0"
SET_ADDIFACE "0"
SET_MONOKERN "0"
SET_EXPIRE "0"
SET_REFRESH "10"
SET_REFRESH_MD5 "0"
SET_TRIM "250"
VF_ROUTE "1"
VF_LGATE ""
RAB "1"
RAB_SANITY "1"
RAB_PSCAN_LEVEL "1"
RAB_HITCOUNT "1"
RAB_TIMER "300"
 ............................


Remove a host from [glob]*_hosts.rules and remove its rule from the firewall

apf -u

# No example


Add an IP to the whitelist

nano /etc/apf/allow_hosts.rules

#
# allow_hosts
#
# Trust based rule file to define addresses that are granted all or specific
# access through the firewall.
#
# Format of this file is line-seperated addresses, IP masking is supported.
# Example:
# 192.168.2.1
# 192.168.5.0/24
#
# advanced usage
#
# The trust rules can be made in advanced format with 4 options
# (proto:flow:port:ip);
# 1) protocol: [packet protocol tcp/udp]
# 2) flow in/out: [packet direction, inbound or outbound]
# 3) s/d=port: [packet source or destination port]
# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
#
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s - source , d - destination , flow - packet flow in/out
#
# Examples:
# inbound to destination port 22 from 192.168.2.1
# tcp:in:d=22:s=192.168.2.1
            ................................

Remember to restart the firewall after adding an IP.


Add an IP to the blacklist

nano /etc/apf/deny_hosts.rules

##
# deny_hosts
#
# Trust based rule file to define addresses that are implicitly denied.
#
# Format of this file is line-seperated addresses, IP masking is supported.
# Example:
# 192.168.2.1
# 192.168.5.0/24
#
# advanced usage
#
# The trust rules can be made in advanced format with 4 options
# (proto:flow:port:ip);
# 1) protocol: [packet protocol tcp/udp]
# 2) flow in/out: [packet direction, inbound or outbound]
# 3) s/d=port: [packet source or destination port]
# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
#
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s - source , d - destination , flow - packet flow in/out
#
# Examples:
# inbound to destination port 22 from 192.168.2.1
# tcp:in:d=22:s=192.168.2.1
#
# outbound to destination port 23 to destination host 192.168.2.1
# out:d=23:d=192.168.2.1
          ....................................

Remember to restart the firewall after adding an IP.

To see how to allow or block IPs, check this article.
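Both allow_hosts.rules and deny_hosts.rules use the same syntax described in their headers: one bare address or CIDR per line, or the advanced form proto:flow:[s/d]=port:[s/d]=ip(/mask). A typo in either file only shows up when you restart the firewall, and a careless deny entry can lock you out of your own server. The following is an added example, written for this page and not part of APF, that validates a rules file line by line and reports which deny rules would match a given address (for instance your management IP) before you run `apf -r`. The three-field form without a protocol (`out:d=23:d=192.168.2.1`) is accepted because the deny_hosts header lists it; the sample file content is constructed (addresses reused from this page's output plus two deliberately broken lines) and is not a real server's file.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class TrustRule:
    """One parsed line of allow_hosts.rules / deny_hosts.rules."""
    address: ipaddress.IPv4Network | ipaddress.IPv6Network
    proto: Optional[str] = None      # "tcp"/"udp"; None for a bare address line
    flow: Optional[str] = None       # "in"/"out"
    port_side: Optional[str] = None  # "s" (source) or "d" (destination)
    port: Optional[int] = None
    ip_side: Optional[str] = None    # "s" or "d"


_PORT_RE = re.compile(r"^([sd])=(\d{1,5})$")
_IP_RE = re.compile(r"^([sd])=(\S+)$")


def parse_address(text: str):
    # strict=False keeps a CIDR with host bits set (e.g. 10.1.2.3/24) parseable,
    # which is what an admin typically writes by hand.
    return ipaddress.ip_network(text, strict=False)


def parse_rule(line: str) -> Optional[TrustRule]:
    """Parse one rules-file line.
    Returns None for blank and comment lines; raises ValueError when malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) == 1:                      # plain address or network
        return TrustRule(address=parse_address(parts[0]))
    if len(parts) == 4:                      # proto:flow:[s/d]=port:[s/d]=ip
        proto, flow, port_f, ip_f = parts
    elif len(parts) == 3:                    # flow:[s/d]=port:[s/d]=ip (header example form)
        proto = None
        flow, port_f, ip_f = parts
    else:
        raise ValueError(f"unexpected number of fields: {line!r}")
    if proto is not None and proto not in ("tcp", "udp"):
        raise ValueError(f"bad protocol {proto!r}")
    if flow not in ("in", "out"):
        raise ValueError(f"bad flow {flow!r}")
    pm = _PORT_RE.match(port_f)
    if not pm or not 0 < int(pm.group(2)) <= 65535:
        raise ValueError(f"bad port field {port_f!r}")
    im = _IP_RE.match(ip_f)
    if not im:
        raise ValueError(f"bad address field {ip_f!r}")
    return TrustRule(address=parse_address(im.group(2)), proto=proto, flow=flow,
                     port_side=pm.group(1), port=int(pm.group(2)), ip_side=im.group(1))


def validate_file(text: str):
    """Return (rules, errors); errors is a list of (line_number, message)."""
    rules, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(raw)
        except ValueError as exc:
            errors.append((n, str(exc)))
        else:
            if rule is not None:
                rules.append(rule)
    return rules, errors


def rules_covering(rules, ip: str):
    """Rules whose address field contains `ip`; run against the deny file to
    confirm your own management address is not about to be blocked."""
    addr = ipaddress.ip_address(ip)
    return [r for r in rules if addr.version == r.address.version and addr in r.address]


# Constructed sample deny_hosts.rules content: valid lines taken from this page's
# examples, followed by two deliberately malformed lines (bad port, bad address).
SAMPLE_DENY = """# constructed sample
85.255.10.76
185.85.239.0/24
tcp:in:d=22:s=192.168.2.1
out:d=23:d=192.168.2.1
udp:in:d=70000:s=10.0.0.1
999.1.1.1
"""

if __name__ == "__main__":
    rules, errors = validate_file(SAMPLE_DENY)
    for n, msg in errors:
        print(f"line {n}: {msg}")
    for r in rules_covering(rules, "185.85.239.42"):
        print("185.85.239.42 would be denied by", r.address)
```

To check a real file, replace SAMPLE_DENY with `open("/etc/apf/deny_hosts.rules").read()` and pass the address you administer from to `rules_covering`; only restart APF once `errors` is empty and that list comes back empty too.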

