Installing and Configuring APF, a Free Firewall for Linux Servers
Posted on Sunday, April 11th, 2010 at 8:28 PM
APF is a free firewall commonly used on Linux servers. This post walks through installing and configuring it on a Linux server.
Installing APF
- Download the APF source
# wget http://www.rfxn.com/downloads/apf-current.tar.gz
- Extract the archive
# tar -xvzf apf-current.tar.gz
- Enter the APF directory
# cd apf-0.9.7-1/   (or whatever the latest version is)
- Run the installer
# ./install.sh
Configuring APF
- Edit the configuration file
# pico /etc/apf/conf.apf
- Port settings (INGRESS)
- Settings for cPanel
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"
- Settings for the DirectAdmin panel
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"
- Have APF filter outbound (egress) traffic
Change the line EGF="0" to EGF="1"
- Tell APF which outbound ports to allow
# Common egress (outbound) TCP ports (for cPanel servers)
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"
# Common ICMP (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
- Save your changes: Ctrl+X, then press Y
- Start APF
# /usr/local/sbin/apf -s
- If everything works, edit the config file and turn developer mode off. While DEVM="1", APF flushes its rules from cron every five minutes so a mistake in the port lists cannot lock you out of SSH; only switch it off once you have confirmed you can still reach the server.
# pico /etc/apf/conf.apf
Change DEVM="1" to DEVM="0"
Save your changes: Ctrl+X, then press Y
- Restart APF
# /usr/local/sbin/apf -r
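As an added example (not part of the original post and not APF's own code), the following POSIX shell script checks the comma-separated *_CPORTS lists in a conf.apf-style file before you reload: every entry must be a port from 1 to 65535 or a low_high range as APF writes them, so a list in which a comma was lost between two ports (587,953 becoming 587953) is reported instead of being silently mis-applied. The file path and sample lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not APF's own code: sanity-check the *_CPORTS port lists in a
# conf.apf-style file before running "apf -r".
# validate_port_list NAME LIST: LIST is comma-separated; each entry is a port
# (1-65535) or a low_high range, as APF writes them. Returns 1 on any problem.
validate_port_list() {
    name=$1
    status=0
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        low=${entry%%_*}
        high=${entry##*_}
        for p in "$low" "$high"; do
            case $p in
                ''|*[!0-9]*)
                    echo "$name: '$entry' is not a port number"
                    status=1
                    continue 2 ;;
            esac
            if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
                echo "$name: '$entry' is outside 1-65535 (missing comma?)"
                status=1
                continue 2
            fi
        done
        if [ "$low" -gt "$high" ]; then
            echo "$name: range '$entry' is reversed"
            status=1
        fi
    done
    return $status
}
# check_conf FILE: validates every IG_/EG_ TCP/UDP list in FILE. Quotes, spaces
# and stray backslashes are stripped so each line collapses to KEY=VALUE.
check_conf() {
    rc=0
    for line in $(grep -E '^(IG|EG)_(TCP|UDP)_CPORTS=' "$1" | tr -d '"\\ '); do
        validate_port_list "${line%%=*}" "${line#*=}" || rc=1
    done
    return $rc
}
# Constructed sample (not a real /etc/apf/conf.apf): a DirectAdmin-style TCP
# list with the comma between 587 and 953 lost, plus a valid UDP list.
sample=$(mktemp)
cat > "$sample" <<'EOF'
IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587953,2222,3306,32769"
IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"
EOF
check_conf "$sample" || echo "fix conf.apf before reloading APF"
rm -f "$sample"
```

Run it against /etc/apf/conf.apf after editing and before apf -r; a non-zero exit means at least one list needs fixing.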
- View the APF log
The log shows, among other things, changes to the allowed and denied hosts:
# tail -f /var/log/apf_log
Example output:
Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123
- Start APF automatically at boot
To start APF automatically on reboot, run:
# chkconfig --level 2345 apf on
To remove it from autostart, run:
# chkconfig --del apf
- Blocking an IP with APF
Now that you have your shiny new firewall you probably want to block a host, right? Of course you do! This version of APF also supports comments. There are a few ways to block an IP; here are two of the easier methods.
A) /etc/apf/apf -d IPHERE COMMENTHERENOSPACES
> The -d flag means DENY the IP address
> IPHERE is the IP address you wish to block
> COMMENTHERENOSPACES is obvious: add a comment on why the IP is being blocked
These rules are loaded into the firewall right away, so they are instantly active. Example:
./apf -d 185.14.157.123 TESTING
pico /etc/apf/deny_hosts.rules
Shows the following:
# added 185.14.157.123 on 08/23/05 01:25:55
# TESTING
185.14.157.123
B) pico /etc/apf/deny_hosts.rules
You can then add a new line with the IP you wish to block. Before this becomes active you need to reload the APF ruleset:
/etc/apf/apf -r
- Allowing an IP (Unblocking)
I know, I know, you added an IP and now you need it removed right away! IPs that are blocked must be removed manually from deny_hosts.rules.
A) pico /etc/apf/deny_hosts.rules
Find where the IP is listed and delete that line. After saving the file, reload APF to make the change active:
/etc/apf/apf -r
B) If the IP is not already listed in deny_hosts.rules and you wish to allow it, this method adds the entry to allow_hosts.rules:
/etc/apf/apf -a IPHERE COMMENTHERENOSPACES
> The -a flag means ALLOW the IP address
> IPHERE is the IP address you wish to allow
> COMMENTHERENOSPACES is obvious: add a comment on why the IP is being unblocked
These rules are loaded into the firewall right away, so they are instantly active. Example:
./apf -a 185.14.157.123 UNBLOCKING
pico /etc/apf/allow_hosts.rules
# added 185.14.157.123 on 08/23/05 01:39:43
# UNBLOCKING
185.14.157.123

A pretty good introduction to a free firewall, thumbs up~~~