Re: Help: Server security compromised?




Noob Centos Admin wrote:


On Thu, Aug 7, 2008 at 1:54 AM, Sorin Srbu <sorin.srbu@xxxxxxxxx <mailto:sorin.srbu@xxxxxxxxx>> wrote:

    Seen this?

    http://www.askbjoernhansen.com/2007/09/18/safely_change_firewall_rules_remotely.html

Unfortunately, only after you pointed it out :(
But thankfully whoever wrote APF apparently knows this, hence it does insert an automatic reset of the firewall after 5 minutes.
Hi,

My US$0.02 on this... I'm a fan of apf as a front-end to iptables, but it takes some reading to understand the switches and the entire RAB (reactive address blocking) configuration options. Sadly, RAB is poorly documented, but with a bit of tinkering, I've enjoyed this feature tremendously as it cuts down on the hammering I used to get to port 22 by the bots and script kiddies.

If you've a static IP at your workstation, add your IP address to the apf nicely formed 'allow_hosts.rules' file, usually located in /etc/apf. This is a simple IP address or IP block list (using slash notation, i.e. 192.168.1.0/24) to allow access to an IP or range of IPs. Further, the deny_hosts.rules list is the same format for hosts to always deny.

/usr/local/sbin/apf -a <ip address || ip block>
will add to the allow list *and* flush and reload the iptables back-end so you don't have to restart apf

likewise
/usr/local/sbin/apf -d <ip address || ip block>
will add to the deny list *and* flush and reload the iptables back-end so you don't have to restart apf

Once the firewall is configured properly, set DEVEL to 0 in the conf.apf file, then restart apf. The authors rightly include DEVEL mode which crons a shutdown every 5 mins so you're not locked out for long. Trust me, I've been bitten by this (more than I care to admit).

There are other CLI switches, all well documented on the apf site (http://rfxnetworks.com/apf.php)
http://rfxnetworks.com/appdocs/README.apf

HTH,
-Ray
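A worked example of the lock-out-proof workflow Ray and the linked post describe, added here by the editor and not part of APF or of any message in this thread. It is a POSIX sh wrapper that validates the entry against the allow/deny list format Ray describes (one IPv4 address or a slash-notation block), arms a background rollback that flushes the firewall after a timeout unless it is cancelled, applies the change with `apf -a` or `apf -d`, and lets the operator disarm the rollback once a fresh SSH session succeeds. The path /usr/local/sbin/apf is taken from Ray's message; that `apf -f` stops and flushes the firewall is an assumption taken from the APF README's stop switch; the 300-second default mirrors DEVEL mode's five-minute cron; the pidfile location, the option names and the function names are my own.

```shell
#!/bin/sh
# fw-safe.sh: added example of a lock-out-proof remote firewall change.
# Not part of APF. Assumes APF lives at /usr/local/sbin/apf (from Ray's
# message) and that `apf -f` flushes/stops the firewall (assumption taken
# from the APF README's stop switch). Pidfile path and option names are
# hypothetical.

APF=${APF:-/usr/local/sbin/apf}
ROLLBACK_SECS=${ROLLBACK_SECS:-300}            # DEVEL mode resets after 5 minutes
PIDFILE=${PIDFILE:-/tmp/fw-safe-rollback.pid}  # hypothetical location

# Accept exactly one IPv4 address or slash-notation block, the only forms
# allow_hosts.rules / deny_hosts.rules take. Rejects junk before it reaches
# the rules file or the apf command line. Returns 0 if valid, 1 otherwise.
valid_ip_or_cidr() {
  addr=$1
  prefix=32
  case $addr in
    */*) prefix=${addr#*/}; addr=${addr%/*} ;;
  esac
  case $prefix in
    '' | *[!0-9]* | 0?*) return 1 ;;   # empty, non-numeric, or leading zero
  esac
  [ "$prefix" -le 32 ] || return 1
  set -f                                # no glob expansion while splitting
  IFS=.
  set -- $addr
  unset IFS
  set +f
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      '' | *[!0-9]* | 0?*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Arm the rollback: a detached background job that flushes the firewall after
# ROLLBACK_SECS unless it is disarmed first. A TERM to the job cancels the
# pending flush; stdio is detached so the job holds no terminal or pipe open.
arm_rollback() {
  (
    trap 'kill "$sleeper" 2>/dev/null; exit 0' TERM
    sleep "$ROLLBACK_SECS" &
    sleeper=$!
    wait "$sleeper"
    "$APF" -f
  ) >/dev/null 2>&1 </dev/null &
  echo $! >"$PIDFILE"
  echo "rollback armed: firewall flushes in ${ROLLBACK_SECS}s unless disarmed"
}

# Disarm only after confirming, from a *new* SSH session, that the change
# did not lock you out. Returns 1 if nothing is armed.
disarm_rollback() {
  [ -f "$PIDFILE" ] || { echo "no rollback armed" >&2; return 1; }
  kill "$(cat "$PIDFILE")" 2>/dev/null || true
  rm -f "$PIDFILE"
  echo "rollback disarmed"
}

# Validate, arm, then apply. `apf -a` / `apf -d` update the allow/deny list
# and reload the iptables back-end, as Ray notes, so no restart is needed.
safe_apply() {  # $1 = -a|-d   $2 = address or block
  valid_ip_or_cidr "$2" || { echo "refusing malformed entry: $2" >&2; return 2; }
  arm_rollback
  "$APF" "$1" "$2"
}

case ${1:-} in
  --allow)  safe_apply -a "${2:-}" ;;
  --deny)   safe_apply -d "${2:-}" ;;
  --disarm) disarm_rollback ;;
  '') ;;    # run without arguments: only define the functions
  *) echo "usage: $0 --allow <ip|cidr> | --deny <ip|cidr> | --disarm" >&2; exit 64 ;;
esac
```

Usage follows the same rhythm as DEVEL mode: `./fw-safe.sh --allow 192.168.1.0/24`, open a second SSH session to prove you can still get in, then `./fw-safe.sh --disarm`. If the second session never connects, the rollback fires on its own and the firewall is flushed so the console-less box stays reachable. The validator is deliberately strict (no leading zeros, no stray characters) because the entry ends up on a root-run command line.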



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
