Justin B Rye wrote:
>> * debug mode provided for testing new features and configuration setups
>
> Is this separate from DEVEL_MODE?

No, it's the same.

>
>> * fast load feature that allows for 1000+ rules to load in under 1 second
>
> Does this mean there's a special "apf --quick-and-dirty-mode" or is
> it just saying it's _always_ fast?

From conf.apf:

# The fast load feature makes use of the iptables-save/restore facilities to do
# a snapshot save of the current firewall rules on an APF stop then when APF is
# instructed to start again it will restore the snapshot. This feature allows
# APF to load hundreds of rules back into the firewall without the need to
# regenerate every firewall entry.
# Note: a) if system uptime is below 5 minutes, the snapshot is expired
#       b) if snapshot age exceeds 12 hours, the snapshot is expired
#       c) if conf or a .rule has changed since last load, snapshot is expired
#       d) if it is your first run of APF since install, snapshot is generated
#       - an expired snapshot means APF will do a full start rule-by-rule
SET_FASTLOAD="0"

> it mean? Is it still talking about checking for misconfigured
> firewall rules, or what?

From conf.apf:

# The sanity options control the way packets are scrutinized as they flow
# through the firewall. The main PKT_SANITY option is a top level toggle for
# all SANITY options and provides general packet flag sanity as a pre-scrub
# for the other sanity options. In short, this makes sure that all packets
# coming and going conform to strict TCP/IP standards. In doing so we make it
# very difficult for attackers to inject raw/custom packets into the server.

> Description: Advanced Policy Firewall
>  Advanced Policy Firewall (APF) provides an easy-to-use firewall system
>  for today's Linux servers. Its configuration file is designed to be
>  informative and easy to follow; day-to-day administration is conducted
>  via the 'apf' command.
>  .
>  Features include:
>   * default configuration well-suited to ordinary server setups;
>   * debug mode for testing new features and configuration setups;
>   * route sanity-checking to prevent embarrassing configuration errors;
>   * trust-management system for downloading rules from a central server;
>   * support for configuring interfaces as "trusted" or "firewalled";
>   * granular inbound and outbound network filtering;
>   * support for separate policies for each firewalled interface;
>   * IP address labeling support for convenient handling of separate
>     policies;
>   * filtering on the basis of UIDs or applications;
>   * TCP/UDP port and ICMP type filtering, with drop, reject, and prohibit
>     modes;
>   * filtering of attacks such as fragmented UDP, port zero flooding, or
>     ARP poisoning;
>   * packet flow rate limiting to prevent ICMP abuse;
>   * traffic shaping, assigning higher priority to important traffic;
>   * advanced intrusion protection via Reactive Address Blocking;
>   * dshield.org block list support, to identify and ban botnets;
>   * support for spamhaus.org DROP lists, to identify spammer netblocks;
>   * Dynamic DNS support;
>   * optional filtering of common P2P protocols.

Thanks!
Giuseppe.
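The snapshot-expiry rules (a) to (d) quoted from conf.apf above, worked through as an added example. This is not APF's own code: it is a small POSIX shell reimplementation of the decision APF makes on start, written in shell because APF itself is a shell script. The file paths, the reading of /proc/uptime and the use of GNU "stat -c %Y" are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from APF: a minimal reimplementation of the
# SET_FASTLOAD snapshot-expiry rules described in conf.apf.
# Paths below and the use of /proc/uptime and GNU "stat -c %Y" are assumptions.

SNAPSHOT=/var/lib/apf/snapshot.rules   # assumed location of the iptables-save output
CONF=/etc/apf/conf.apf                 # assumed location of the main config
RULES_DIR=/etc/apf/rules               # assumed directory holding the .rule files

MIN_UPTIME=300    # rule (a): uptime below 5 minutes  -> snapshot expired
MAX_AGE=43200     # rule (b): snapshot older than 12h -> snapshot expired

# fastload_decision UPTIME_S NOW_EPOCH SNAPSHOT_MTIME NEWEST_CONF_MTIME
# Pure function over integers (seconds / epoch seconds) so it can be exercised
# without a live firewall. Prints "restore" when the snapshot may be fed to
# iptables-restore, "full" when APF must regenerate the rules one by one.
fastload_decision() {
    uptime_s=$1; now=$2; snap_mtime=$3; conf_mtime=$4
    # rule (d): no snapshot yet (first run since install) -> full start;
    # the full start is what produces the first snapshot
    [ "$snap_mtime" -gt 0 ] || { echo full; return 0; }
    # rule (a): the host has just booted; do not trust a pre-reboot snapshot
    [ "$uptime_s" -ge "$MIN_UPTIME" ] || { echo full; return 0; }
    # rule (b): snapshot age limit
    [ $((now - snap_mtime)) -le "$MAX_AGE" ] || { echo full; return 0; }
    # rule (c): conf.apf or any .rule file modified after the snapshot was taken
    [ "$conf_mtime" -le "$snap_mtime" ] || { echo full; return 0; }
    echo restore
}

# Gather the live inputs on a Linux host (assumption: GNU coreutils present).
live_inputs() {
    up=$(cut -d. -f1 /proc/uptime)
    now=$(date +%s)
    snap_mtime=0
    [ -f "$SNAPSHOT" ] && snap_mtime=$(stat -c %Y "$SNAPSHOT")
    # newest mtime among conf.apf and every .rule file (0 if none exist)
    newest=$(stat -c %Y "$CONF" "$RULES_DIR"/*.rule 2>/dev/null | sort -n | tail -n 1)
    echo "$up $now $snap_mtime ${newest:-0}"
}

# The two halves of the feature: "stop" snapshots the running ruleset,
# "start" restores it when the snapshot is still valid. Nothing runs unless
# the script is invoked with one of these words, so sourcing it has no effect.
case "${1:-}" in
    stop)  iptables-save > "$SNAPSHOT" ;;
    start) set -- $(live_inputs)
           if [ "$(fastload_decision "$@")" = restore ]; then
               iptables-restore < "$SNAPSHOT"
           else
               echo "snapshot expired or absent: full rule-by-rule start required" >&2
           fi ;;
esac
```

Two practitioner caveats. iptables-restore flushes each table it touches before loading the saved rules unless it is given --noflush, so the restore path replaces the whole ruleset rather than appending to it, which is what makes the snapshot a faithful copy of the pre-stop state. And rule (c) is only as good as the file set it watches: a rule that comes from somewhere other than conf.apf and the .rule files (the trust lists or the downloaded block lists in the feature description, for instance) would not expire the snapshot under this check, so a full start after changing those is the safe choice.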