
Re: [RFR] apf-firewall package



Giuseppe Iuculano wrote:
> Justin B Rye wrote:
>>>    * fast load feature that allows for 1000+ rules to load in under 1 second
>> 
>> Does this mean there's a special "apf --quick-and-dirty-mode" or is
>> it just saying it's _always_ fast?
> 
> # The fast load feature makes use of the iptables-save/restore facilities to do
[...]
> SET_FASTLOAD="0"

I seem to have dropped this feature entirely from my munged list.
It should probably go back, though I'd suggest saying something like

 * rules cache for fast reloading (1000+ rules in under a second);
 
>> Is it still talking about checking for misconfigured
>> firewall rules, or what?
> 
> From conf.apf:
> 
> # The sanity options control the way packets are scrutinized as they flow
> # through the firewall. The main PKT_SANITY option is a top level toggle for
> # all SANITY options and provides general packet flag sanity as a pre-scrub
> # for the other sanity options. In short, this makes sure that all packets
> # coming and going conform to strict TCP/IP standards. In doing so we make it
> # very difficult for attackers to inject raw/custom packets into the server.

Ah, so it's nothing to do with the neighbouring feature (about
config sanity-checking), it's saying "supports filtering of misshapen
packets".  In that case it would make sense to keep it alongside the
"filtering of attacks such as fragmented UDP" item.

>>   Description: Advanced Policy Firewall
>>    Advanced Policy Firewall (APF) provides an easy-to-use firewall system
>>    for today's Linux servers. Its configuration file is designed to be
>>    informative and easy to follow; day-to-day administration is conducted
>>    via the 'apf' command.

I've just noticed we're mixing 'single quotes' (above) and "double
quotes" (below), which we usually recommend against; on the other
hand, this seems to be using them for two different functions
(effectively <tt></tt> and <q></q>).

>>    .
>>    Features include:
>>     * default configuration well-suited to ordinary server setups;
>>     * debug mode for testing new features and configuration setups;
       * rules cache for fast reloading (1000+ rules in under a second);
>>     * route sanity-checking to prevent embarrassing configuration errors;
>>     * trust-management system for downloading rules from a central server;
>>     * support for configuring interfaces as "trusted" or "firewalled";
>>     * granular inbound and outbound network filtering;
>>     * support for separate policies for each firewalled interface;
>>     * IP address labeling support for convenient handling of separate
>>       policies;
>>     * filtering on the basis of UIDs or applications;
>>     * TCP/UDP port and ICMP type filtering, with drop, reject, and prohibit
>>       modes;
>>     * filtering of attacks such as fragmented UDP, port zero flooding, or
>>       ARP poisoning;
       * optional advanced sanity-checking and filtering of misshapen packets;
>>     * packet flow rate limiting to prevent ICMP abuse;
>>     * traffic shaping, assigning higher priority to important traffic;
>>     * advanced intrusion protection via Reactive Address Blocking;
>>     * dshield.org block list support, to identify and ban botnets;
>>     * support for spamhaus.org DROP lists, to identify spammer netblocks;
>>     * Dynamic DNS support;
>>     * optional filtering of common P2P protocols.
-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
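The "packet flag sanity" behaviour quoted from conf.apf above (dropping packets whose TCP flags do not conform to the standard) is easier to see with a small checker. The following is an added illustration, not code from APF or from this thread; the rule list mirrors the usual iptables `--tcp-flags MASK COMP` style of sanity rules and the sample packets are constructed here.

```python
# Added example (not APF's own code): classify TCP flag combinations the way a
# packet-sanity filter does, so non-conforming packets can be identified.
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}

# (mask, comparison, reason): a packet violates the rule when
# (flags & mask) == comparison, i.e. iptables --tcp-flags MASK COMP semantics.
# These are typical sanity rules; they are an assumption, not copied from conf.apf.
SANITY_RULES = [
    (ALL, 0, "null packet: no flags set"),
    (ALL, ALL, "xmas packet: every flag set"),
    (ALL, FIN | URG | PSH, "xmas variant: FIN,URG,PSH only"),
    (SYN | FIN, SYN | FIN, "SYN and FIN together"),
    (SYN | RST, SYN | RST, "SYN and RST together"),
    (FIN | RST, FIN | RST, "FIN and RST together"),
    (FIN | ACK, FIN, "FIN without ACK"),
    (PSH | ACK, PSH, "PSH without ACK"),
    (URG | ACK, URG, "URG without ACK"),
]


def flags_from_tcp_header(header: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header (byte 13)."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    return header[13] & ALL


def flag_names(bits: int) -> set:
    """Human-readable names for a flag bitmask."""
    return {name for name, bit in FLAG_NAMES.items() if bits & bit}


def sanity_violation(bits: int):
    """Reason the packet would be dropped, or None if the flags are sane."""
    for mask, comparison, reason in SANITY_RULES:
        if bits & mask == comparison:
            return reason
    return None


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Construct a minimal 20-byte TCP header carrying the given flags."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def audit(packets: dict) -> dict:
    """Map each packet label to the sanity verdict ('ok' or the drop reason)."""
    verdicts = {}
    for label, header in packets.items():
        reason = sanity_violation(flags_from_tcp_header(header))
        verdicts[label] = "ok" if reason is None else reason
    return verdicts


# Constructed sample packets: a normal handshake and data segment beside
# several malformed combinations a sanity filter is meant to catch.
SAMPLE_PACKETS = {
    "syn": build_tcp_header(SYN),
    "syn-ack": build_tcp_header(SYN | ACK),
    "psh-ack": build_tcp_header(PSH | ACK),
    "null": build_tcp_header(0),
    "xmas": build_tcp_header(ALL),
    "syn-fin": build_tcp_header(SYN | FIN),
    "lone-fin": build_tcp_header(FIN),
}

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_PACKETS).items():
        print(f"{label:10s} {sorted(flag_names(flags_from_tcp_header(SAMPLE_PACKETS[label])))} -> {verdict}")
```

The rules are checked in order, so a packet with no flags at all reports "null packet" rather than "FIN without ACK"; when adapting this to real iptables rules, keep the same ordering so the logged reason matches the rule that actually fired.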