Re: [RFR] apf-firewall package
Giuseppe Iuculano wrote:
> Justin B Rye wrote:
>>> * fast load feature that allows for 1000+ rules to load in under 1 second
>>
>> Does this mean there's a special "apf --quick-and-dirty-mode" or is
>> it just saying it's _always_ fast?
>
> # The fast load feature makes use of the iptables-save/restore facilities to do
[...]
> SET_FASTLOAD="0"
I seem to have dropped this feature entirely from my munged list.
It should probably go back, though I'd suggest saying something like
* rules cache for fast reloading (1000+ rules in under a second);
>> Is it still talking about checking for misconfigured
>> firewall rules, or what?
>
> From conf.apf:
>
> # The sanity options control the way packets are scrutinized as they flow
> # through the firewall. The main PKT_SANITY option is a top level toggle for
> # all SANITY options and provides general packet flag sanity as a pre-scrub
> # for the other sanity options. In short, this makes sure that all packets
> # coming and going conform to strict TCP/IP standards. In doing so we make it
> # very difficult for attackers to inject raw/custom packets into the server.
Ah, so it's nothing to do with the neighbouring feature (about
config sanity-checking), it's saying "supports filtering of misshapen
packets". In that case it would make sense to keep it alongside the
"filtering of attacks such as fragmented UDP" item.
>> Description: Advanced Policy Firewall
>> Advanced Policy Firewall (APF) provides an easy-to-use firewall system
>> for today's Linux servers. Its configuration file is designed to be
>> informative and easy to follow; day-to-day administration is conducted
>> via the 'apf' command.
I've just noticed we're mixing 'single quotes' (above) and "double
quotes" (below), which we usually recommend against; on the other
hand, this seems to be using them for two different functions
(effectively <tt></tt> and <q></q>).
>> .
>> Features include:
>> * default configuration well-suited to ordinary server setups;
>> * debug mode for testing new features and configuration setups;
* rules cache for fast reloading (1000+ rules in under a second);
>> * route sanity-checking to prevent embarrassing configuration errors;
>> * trust-management system for downloading rules from a central server;
>> * support for configuring interfaces as "trusted" or "firewalled";
>> * granular inbound and outbound network filtering;
>> * support for separate policies for each firewalled interface;
>> * IP address labeling support for convenient handling of separate
>> policies;
>> * filtering on the basis of UIDs or applications;
>> * TCP/UDP port and ICMP type filtering, with drop, reject, and prohibit
>> modes;
>> * filtering of attacks such as fragmented UDP, port zero flooding, or
>> ARP poisoning;
* optional advanced sanity-checking and filtering of misshapen packets;
>> * packet flow rate limiting to prevent ICMP abuse;
>> * traffic shaping, assigning higher priority to important traffic;
>> * advanced intrusion protection via Reactive Address Blocking;
>> * dshield.org block list support, to identify and ban botnets;
>> * support for spamhaus.org DROP lists, to identify spammer netblocks;
>> * Dynamic DNS support;
>> * optional filtering of common P2P protocols.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
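As an added illustration (not APF's own code and not part of the thread above) of the "rules cache for fast reloading" idea that the quoted conf.apf comment attributes to iptables-save/iptables-restore: the snapshot is only safe to reload while it still matches the configuration it was built from, so the cache carries a checksum of that config and is refused when stale. The IPTABLES_SAVE and IPTABLES_RESTORE variables, the function names and the file paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example of a rules cache in the spirit of APF's SET_FASTLOAD.
# Not APF's code. IPTABLES_SAVE / IPTABLES_RESTORE are hypothetical
# variables so the real tools can be substituted (e.g. for a dry run).

IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# config_sum CONF: checksum of the configuration the cache was built from
config_sum() {
    cksum < "$1" | cut -d' ' -f1
}

# cache_write CONF CACHE: snapshot the live ruleset after a full (slow)
# load, atomically, and record which configuration it belongs to.
cache_write() {
    conf=$1; cache=$2
    tmp="$cache.tmp.$$"
    $IPTABLES_SAVE > "$tmp" || { rm -f "$tmp"; return 1; }
    config_sum "$conf" > "$cache.cksum"
    mv "$tmp" "$cache"
}

# cache_usable CONF CACHE: succeeds only if a non-empty cache exists and
# its recorded checksum still matches CONF (a stale cache would silently
# reload an old policy, which is worse than a slow full load).
cache_usable() {
    conf=$1; cache=$2
    [ -s "$cache" ] && [ -s "$cache.cksum" ] || return 1
    [ "$(config_sum "$conf")" = "$(cat "$cache.cksum")" ]
}

# fastload CONF CACHE: restore the cached ruleset in one iptables-restore
# call; returns non-zero so the caller can fall back to a full load.
fastload() {
    conf=$1; cache=$2
    cache_usable "$conf" "$cache" || return 1
    $IPTABLES_RESTORE < "$cache"
}
```

A caller would try `fastload /etc/apf/conf.apf /var/cache/apf/rules.cache` first and, on failure, run the full rule build followed by `cache_write` to refresh the snapshot; editing conf.apf changes the checksum and forces that full path on the next load.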