Welcome to the JaguarPC Community

This is a discussion on APF 0.9.6-1 released in the Shared & Semi-Dedicated forum

  1. #1
    consultant Andre's Avatar
    Join Date
    Apr 2005
    Posts
    1,155

    APF 0.9.6-1 released

    RFXnetworks has released a new version of APF. We recommend everyone running APF in their VPS to upgrade.

    Some features worth noting:
    - There is now a -u|--unban option to remove bans from the real time running firewall.
    - The reserved.networks file is now updated on every start operation of apf
    - The variables in conf.apf have been revised for consistency
    - Traceroute toggles added to conf.apf
    - Advanced sanity chains broken up and added a number of conf.apf toggles for different filtering methods

    ...And more - review below
    ------------------------------------
    - 0.9.6
    (rev:1)
    [New] added unban() function with -u|--unban run flag to unban hosts and remove from rule files/active running firewall
    [Change] changed RESV_DNS to default enabled
    [New] added NETBLOCK/NETBLOCK_MASK to conf.antidos for toggling the already in-place feature of banning all seen ip's on the same /24 subnet of an attacking ip; default set to disabled now
    [Change] modified icmp rate limiting to have a disabled toggle
    [New] added resnet_download() function to keep reserved.networks updated
    [Change] modified sanity chains to be more granular for conf.apf toggles; as such the following variable options have been added:
      PKT_SANITY
      PKT_SANITY_INV
      PKT_SANITY_FUDP
      PKT_SANITY_PZERO
      PKT_SANITY_STUFFED
    [Fix] trust system allow function a_cli_tr() for cli banning; rules added only for tcp; removed protocol option from rule
    [Change] functions gd,ga renamed glob_allow|deny_download
    [Change] modified traceroute specific rules to have conf.apf toggle var TCR_*
    [Change] forced ip whois to search only for abuse address
    [Change] moved ip whois code in antidos; less repetitive
    [Fix] removed default drops in reserved.networks for the following netblocks:
      041/8 AFRINIC
      058/8 APNIC
      059/8 APNIC
      073/8 ARIN
      074/8 ARIN
      075/8 ARIN
      076/8 ARIN
      189/8 LACNIC
      190/8 LACNIC
    [New] added LOG_LEVEL var to conf.apf to denote logging level of firewall logs; all log chains throughout the project have been updated to reflect this feature as applicable
    [Change] DROP_LOG var in conf.apf changed to LOG_DROP
    [Change] LGATE_LOG var in conf.apf changed to LOG_LGATE
    [Change] EXLOG var in conf.apf changed to LOG_EXT
    [Change] IPTLOG var in conf.apf changed to LOG_APF
    [Change] LRATE var in conf.apf change to LOG_RATE
    [Change] renamed README to README.apf
    [Change] FWPATH var in conf.apf changed to INSTALL_PATH
    [Fix] removed default drops in reserved.networks for the following netblocks:
      089/8 RIPE NCC
      090/8 RIPE NCC
      091/8 RIPE NCC
    [Change] DEVM var in conf.apf changed to DEVEL_MODE
    [Change] EN_VNET var in conf.apf changed to SET_VNET
    [Change] MONOKERN var in conf.apf changed to SET_MONOKERN
    [Fix] more /tmp cleanups to prevent possible race conditions
    [Change] importconf script now copies itself to extras/ folder post-install
    [Change] changed short switch -st to -t; -st preserved for compat but no longer documented or printed in help output
    [New] added -o|--ovars to output all configured variables for debug purposes
    [Fix] INVALID state check removed from postrouting chain
    [Change] modified a/d_cli_tr to keep comments within single line
    [New] expanded p2p blocks; conf.apf var BLK_P2P & BLK_P2P_PORTS
    [Change] increased verbosity of a number of rules to status log
    [Change] modified sanity bt filters, more verbose status log
    [Change] moved bulk of TOS declarations in pre/postrouting.rules into functions
    [New] expanded TOS routines, new TOS_* vars added to conf.apf
    [New] added conf.apf var to change the default log target; LOG_TARGET
    [Fix] dshield.org changed block list to feeds.dshield.org/top10-2.txt
    [Change] changed ordering of version history (this file); revisions now list in reverse order from latest to oldest revision
    [New] added chain targets GTA,GTD,TA,GD for allocating trust rules to more organized chain policies; will also facilitate features to reload trusts
    [Change] added OUTPUT reject targets for ident if not opened in *_TCP_CPORTS
    [New] added SF_TY var to conf.antidos in order to define tcp connection states to look for as syn-flood attacks
    [Fix] removed default drop of 58-59/8 in reserved.networks
      058/8 Apr 04 APNIC
      059/8 Apr 04 APNIC

    Andre van Vliet

    DEHE.com - Definition of Hosting Experts
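
Added example, not part of the original post and not RFXnetworks code: because this release renames several conf.apf variables, the shell function below lists old names still present in a config file. The rename pairs are taken from the changelog above; the function name `audit_conf` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Report conf.apf variables that the 0.9.6 changelog lists as renamed.
# old=new pairs come from the changelog in the post above.
RENAMES="DROP_LOG=LOG_DROP LGATE_LOG=LOG_LGATE EXLOG=LOG_EXT IPTLOG=LOG_APF \
LRATE=LOG_RATE FWPATH=INSTALL_PATH DEVM=DEVEL_MODE EN_VNET=SET_VNET \
MONOKERN=SET_MONOKERN"

# audit_conf FILE: print "line N: OLD -> NEW" for every non-comment line
# that still uses an old name. Returns 0 if clean, 1 if stale names were
# found, 2 if FILE cannot be read.
audit_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk -v renames="$RENAMES" '
        BEGIN {
            n = split(renames, pair, " ")
            for (i = 1; i <= n; i++) { split(pair[i], kv, "="); o[i] = kv[1]; nw[i] = kv[2] }
        }
        /^[ \t]*#/ { next }    # comment lines are ignored
        {
            for (i = 1; i <= n; i++) {
                # whole-identifier match, so SET_MONOKERN does not trip MONOKERN
                re = "(^|[^A-Za-z0-9_])" o[i] "([^A-Za-z0-9_]|$)"
                if ($0 ~ re) { printf "line %d: %s -> %s\n", NR, o[i], nw[i]; found = 1 }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$conf"
}

# With a path argument, audit that file; with none, audit a constructed
# sample (not a real conf.apf).
if [ "$#" -gt 0 ]; then
    audit_conf "$1"
else
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# DROP_LOG appears here only in a comment
DROP_LOG="1"
FWPATH="/etc/apf"
SET_MONOKERN="0"
EOF
    audit_conf "$sample" || echo "stale variable names found"
    rm -f "$sample"
fi
```

Run it against a copy of the pre-upgrade config to see which settings need carrying over under their new names.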

  2. #2
    Loyal Client
    Join Date
    Dec 2005
    Location
    Quebec City
    Posts
    128
    APF has just been installed on my website because we are targeted by a DoS attack. It seems to work very well!!! My server load and processes decreased dramatically with this program enabled.

    I have some questions about APF:

    1. I read with a Google search that APF doesn't restart automatically when the server restarts. Is it true?

      And if that's the case, how can we restart APF? (Can this be done automatically?)

    2. How can we add an IP to ban? How can we un-ban an IP (and prevent it from being banned)?

    3. Is it a good idea to let APF running all the time? (even if there is not a special attack against us)

    And... thanks to the Dehe support staff who helped me with this situation!

  3. #3
    consultant Andre's Avatar
    Join Date
    Apr 2005
    Posts
    1,155
    Let me answer your questions:

    1. No, that's not true. In some older versions that sometimes happens but with the latest version it'll start itself automatically.

    2. To ban an IP use:

    Code:
    apf -d ip.here

    To unban an IP you would have to manually remove it from the /etc/apf/deny_hosts file and then restart APF.

    To whitelist an IP to prevent it from getting banned use:

    Code:
    apf -a ip.here

    3. Absolutely. If you configure APF properly it'll close all the ports that you don't need, which makes you less vulnerable to attacks. If you don't know how to configure APF yourself, you can always ask our support team.

    Andre van Vliet

    DEHE.com - Definition of Hosting Experts
