Installation and configuration of linux apf Firewall

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

APF (Advanced Policy Firewall) is a software firewall for Linux produced by R-fx Networks and adopted by most Linux server administrators. It is built on iptables rules and is easy to understand and use, which makes it suitable for people who are not very familiar with iptables: installation and configuration are relatively simple, but it is still very powerful.

I. Download and install APF

root@linux:/home/zhangy# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
root@linux:/home/zhangy# tar -xvzf apf-current.tar.gz
root@linux:/home/zhangy# cd apf-9.7-1
root@linux:/home/zhangy/apf-9.7-1# ./install.sh

The prompt for a successful installation is as follows:

root@linux:/home/zhangy/apf-9.7-1# ./install.sh
Installing APF 9.7-1: Completed.

Installation Details:
  Install path:         /etc/apf/
  Config path:          /etc/apf/conf.apf
  Executable path:      /usr/local/sbin/apf

Other Details:
  Listening TCP ports: 22,111
  Listening UDP ports: 111,53976
  Note: These ports are not auto-configured; they are simply presented for information purposes.
        You must manually configure all port options.

II. Configure APF

vim /etc/apf/conf.apf

IG_TCP_CPORTS="21,22,25,80,443,3306,8080"   # inbound TCP ports the server accepts connections on
IG_UDP_CPORTS="53"                           # inbound UDP ports the server accepts
EG_TCP_CPORTS="21,25,443,2089"               # outbound TCP ports the server may connect to
EG_UDP_CPORTS="20,21,53"                     # outbound UDP ports the server may connect to

Then change DEVEL_MODE="1" to DEVEL_MODE="0", DLIST_SPAMHAUS="0" to DLIST_SPAMHAUS="1", and DLIST_DSHIELD="0" to DLIST_DSHIELD="1".
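The most common way to lose a server with a firewall like this is to restart it with a port list that does not contain the SSH port, or to leave it in development mode after testing. The script below is an added example (not part of the article and not APF's own code): it parses the VAR="value" lines of a conf.apf-style file, expands APF port lists (including the `lo_hi` range syntax), and reports the two mistakes above before you run `apf -r`. The sample configuration is constructed from the values in the article; `ssh_port=22` is an assumption you should change if sshd listens elsewhere.

```python
import re

# Constructed sample of /etc/apf/conf.apf, using the article's values (not a real file).
SAMPLE_CONF = """\
DEVEL_MODE="0"
IG_TCP_CPORTS="21,22,25,80,443,3306,8080"
IG_UDP_CPORTS="53"
EG_TCP_CPORTS="21,25,443,2089"
EG_UDP_CPORTS="20,21,53"
DLIST_SPAMHAUS="1"
DLIST_DSHIELD="1"
"""

PORT_VARS = ("IG_TCP_CPORTS", "IG_UDP_CPORTS", "EG_TCP_CPORTS", "EG_UDP_CPORTS")
_ASSIGN = re.compile(r'^\s*([A-Z_]+)\s*=\s*"([^"]*)"\s*$')


def parse_conf(text):
    """Return {VAR: value} for simple VAR="value" lines; comments and blanks are skipped."""
    opts = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def parse_ports(value):
    """Expand an APF port list such as "21,22,30000_35000" into a set of ints.

    Raises ValueError on anything that is not a port number in 1..65535 or a lo_hi range.
    """
    ports = set()
    if not value.strip():
        return ports
    for item in value.split(","):
        item = item.strip()
        if "_" in item:
            lo, hi = (int(x) for x in item.split("_", 1))
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad range {item!r}")
            ports.update(range(lo, hi + 1))
        else:
            p = int(item)  # non-numeric text raises ValueError here
            if not 1 <= p <= 65535:
                raise ValueError(f"bad port {item!r}")
            ports.add(p)
    return ports


def check_conf(text, ssh_port=22):
    """Return a list of problems worth fixing before `apf -r`; an empty list means it looks safe."""
    opts = parse_conf(text)
    problems = []
    for var in PORT_VARS:
        try:
            parse_ports(opts.get(var, ""))
        except ValueError as exc:
            problems.append(f"{var}: {exc}")
    try:
        if ssh_port not in parse_ports(opts.get("IG_TCP_CPORTS", "")):
            problems.append(
                f"IG_TCP_CPORTS does not include the SSH port {ssh_port}; "
                "a restart would lock out remote administrators")
    except ValueError:
        pass  # already reported above
    if opts.get("DEVEL_MODE") == "1":
        problems.append("DEVEL_MODE is 1: rules are flushed every 5 minutes, "
                        "so the firewall is not really protecting the host")
    return problems


if __name__ == "__main__":
    for problem in check_conf(SAMPLE_CONF) or ["no problems found"]:
        print(problem)
```

Run it against the real file with `check_conf(open("/etc/apf/conf.apf").read())`; it only reads the file, so it is safe to run on a live server before a restart.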

Pay attention to the following points during configuration:

1. Different servers open different ports: a web server, a DNS server and a MySQL server do not need the same port lists, so set them to match the services the host actually runs.

2. DEVEL_MODE="1" means debug mode: the firewall rules are flushed every five minutes by a cron job, so a misconfiguration cannot permanently lock you out of the server.

3. To allow only 192.168.1.139 to connect remotely to port 22:

Add the following lines to /etc/apf/allow_hosts.rules:

tcp:in:d=22:s=192.168.1.139
out:d=22:d=192.168.1.139

Add the following lines to /etc/apf/deny_hosts.rules:

tcp:in:d=22:s=0/0
out:d=22:d=0/0
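Why both files are needed is easier to see with a small simulator. The code below is an added example (not from the article and not APF's own code): it parses APF trust rules in the `proto:flow:[s|d]=port:[s|d]=ip[/mask]` format, with the protocol optional as in the `out:d=22:...` lines above, and decides a connection by consulting allow_hosts.rules first, then deny_hosts.rules, then the IG_TCP_CPORTS port policy. That evaluation order is an assumption made for the example; it is the order consistent with the behaviour described on this page. The rule files and the port set are constructed from the article's values.

```python
import ipaddress

# Constructed copies of the article's trust rules (restrict SSH to 192.168.1.139).
ALLOW_HOSTS = """\
tcp:in:d=22:s=192.168.1.139
out:d=22:d=192.168.1.139
"""
DENY_HOSTS = """\
tcp:in:d=22:s=0/0
out:d=22:d=0/0
"""
# Inbound TCP ports from the article's IG_TCP_CPORTS line.
OPEN_TCP = {21, 22, 25, 80, 443, 3306, 8080}


def parse_rule(line):
    """Parse one trust rule: [proto:]flow:[s|d]=port:[s|d]=ip[/mask]."""
    fields = line.strip().split(":")
    proto = "any"
    if fields[0] in ("tcp", "udp"):
        proto = fields.pop(0)
    flow = fields.pop(0)
    if flow not in ("in", "out"):
        raise ValueError(f"bad flow in rule {line!r}")
    rule = {"proto": proto, "flow": flow, "port": None, "net": None}
    for field in fields:
        _side, _, value = field.partition("=")
        if value.isdigit():                     # a port, e.g. d=22
            rule["port"] = int(value)
        else:                                   # an address, e.g. s=192.168.1.139 or s=0/0
            if value == "0/0":                  # APF shorthand for "any address"
                value = "0.0.0.0/0"
            if "/" not in value:
                value += "/32"
            rule["net"] = ipaddress.ip_network(value, strict=False)
    return rule


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def matches(rule, flow, proto, port, remote):
    """remote is the peer address: the source for 'in' traffic, the destination for 'out'."""
    return (rule["flow"] == flow
            and rule["proto"] in ("any", proto)
            and (rule["port"] is None or rule["port"] == port)
            and (rule["net"] is None or ipaddress.ip_address(remote) in rule["net"]))


def decide(allow_text, deny_text, open_ports, flow, proto, port, remote):
    """Assumed order: allow rules, then deny rules, then the configured port policy."""
    for rule in load_rules(allow_text):
        if matches(rule, flow, proto, port, remote):
            return "allow"
    for rule in load_rules(deny_text):
        if matches(rule, flow, proto, port, remote):
            return "deny"
    return "allow" if port in open_ports else "deny"


def demo():
    """Inbound SSH from the trusted host and from a stranger, for each way of filling the files."""
    cases = {"allow_only": (ALLOW_HOSTS, ""),
             "deny_only": ("", DENY_HOSTS),
             "both": (ALLOW_HOSTS, DENY_HOSTS)}
    return {name: (decide(a, d, OPEN_TCP, "in", "tcp", 22, "192.168.1.139"),
                   decide(a, d, OPEN_TCP, "in", "tcp", 22, "192.168.1.50"))
            for name, (a, d) in cases.items()}


if __name__ == "__main__":
    for name, (trusted, stranger) in demo().items():
        print(f"{name:11s} trusted={trusted:5s} stranger={stranger}")
```

With only allow_hosts.rules filled in, the stranger is still accepted because port 22 is in IG_TCP_CPORTS and nothing denies it; with only the deny-all rule, the trusted host is refused too; only the pair gives the intended result.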

At first I thought it was enough to add the rules to allow_hosts.rules alone. After changing to a different IP I could still connect, which left me speechless. After adding the above rules to deny_hosts.rules, connections timed out. Once rules had been added to both allow_hosts.rules and deny_hosts.rules, restarting apf printed a message showing that the configuration succeeded, which I found by accident:

apf(12234): {trust} allow outbound 192.168.1.139 to port 22
apf(12234): {trust} allow inbound tcp 192.168.1.139 to port 22

III. Common APF commands

apf -s    start the APF firewall
apf -r    restart the APF firewall
apf -f    flush (refresh) the APF firewall rules
apf -l    list the firewall rules
apf -t    show the APF status log
apf -e    refresh and resolve domain names in the trust rules
apf -a    add an IP or IP range to the whitelist (allow_hosts.rules)
apf -d    add an IP or IP range to the blacklist (deny_hosts.rules)
apf -u    remove an IP or IP range from the whitelist or blacklist
apf -o    output all configuration options

IV. Commonly used ports

21/tcp      ftp
22/tcp      ssh
25/tcp      smtp
53/udp      dns
80/tcp      http
110/tcp     pop3
143/tcp     imap
443/tcp     https
993/tcp     imaps
995/tcp     pop3s
3306/tcp    mysql
5432/tcp    postgresql
