Allow, Deny and Remove with Advanced Policy Firewall (APF)

I noticed a few requests for this, so I’m going to make a quick post about it. There are a few ways of manipulating APF (Advanced Policy Firewall by R-fx Networks) to allow and deny who you want.

If you’re looking for information on how to configure APF, this isn’t the post for you. Check out Linux Software Firewalls which covers some of the key configuration settings you’ll need to consider when setting it up. Alternatively, check out APF documentation – it’s rather good. If you’re still stuck, leave a comment.

Direct Command Line

Using the apf command via SSH has to be my preferred method of adjusting the firewall. To deny a source you can simply type:

apf -d <source> [comment]
apf -d 123.45.67.89 Keeps DoSing the server

If you have a default deny policy and only want to allow on an individual basis then you can use a command like this:

apf -a <source> [comment]
apf -a 123.45.67.89 Melbourne office allow complete access

Another handy parameter I didn’t learn about until later (much regretted) is -u. It removes the IP source from either the allow or the deny rules if it exists, which saves you modifying the rule files directly and restarting the firewall. So to remove a source use:

apf -u <source>
apf -u 123.45.67.89

A catch with remove, though: if you have denied 123.45.0.0/16 and you want to remove 123.45.1.56 from the deny rules, it won’t work like this. You can’t run apf -u 123.45.1.56 and expect it to work – the tool searches the existing rules for the exact parameter you’ve provided, and 123.45.1.56 obviously won’t match 123.45.0.0/16. If you want to deny 123.45.0.0/16 but suddenly want to allow 123.45.1.56, I’d try apf -d 123.45.0.0/16 and then apf -a 123.45.1.56. I think the results will vary depending on your default policy (not 100% sure on that though).

After using these commands you do not need to restart or reload your firewall; the rules are applied straight away as part of the command. Running apf -r afterwards is pointless in this case.

Looking for examples of <source>? I’ve explained it further below.

Direct Rule File Modification

So firstly, your base directory is /etc/apf/ – you’ll find all the configuration files and rules in there.

There are two main rule files you need to worry about. Don’t worry about the others:

$ ls /etc/apf/{allow,deny}*.rules
/etc/apf/allow_hosts.rules  /etc/apf/deny_hosts.rules

If you open either of these files, there should be rather in-depth instructions contained within:

# Format of this file is line-seperated addresses, IP masking is supported.
# Example:
# 192.168.2.1
# 192.168.5.0/24
#
# advanced usage
#
# The trust rules can be made in advanced format with 4 options
# (proto:flow:port:ip);
# 1) protocol: [packet protocol tcp/udp]
# 2) flow in/out: [packet direction, inbound or outbound]
# 3) s/d=port: [packet source or destination port]
# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
#
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s – source , d – destination , flow – packet flow in/out
#
# Examples:
# inbound to destination port 22 from 192.168.2.1
# tcp:in:d=22:s=192.168.2.1
#
# outbound to destination port 23 to destination host 192.168.2.1
# out:d=23:d=192.168.2.1
#
# inbound to destination port 3306 from 192.168.5.0/24
# d=3306:s=192.168.5.0/24

The developer has done very well explaining the possible syntax and formats you can use. The only thing I can add is to keep it simple where possible. If you just want to completely drop, firewall, deny or block an IP address from interacting with your server, just add the IP on a new line in /etc/apf/deny_hosts.rules (see the post changes section below).

If you want to allow your Perth based office to access SSH on your server which is closed by default, you could add something like this on a new line to /etc/apf/allow_hosts.rules (also see post changes section below):

# Perth Office SSH
d=22:s=123.45.1.56

Note that the # is a comment, and everything after it will have no bearing on the rule you’ve added.
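To make the rule-file format and the apf -u catch above concrete, here is an added example (my own code, not part of APF or this post) that parses lines in the allow_hosts.rules/deny_hosts.rules syntax and answers two different questions: does a rule literally mention a given source, and does any rule's address block actually contain a given IP. The sample rule file content is constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    proto: Optional[str]       # "tcp"/"udp" or None
    flow: Optional[str]        # "in"/"out" or None
    port: Optional[tuple]      # ("s" or "d", port number) or None
    addr: tuple                # ("s" or "d", ip_network)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rule line; return None for blank lines and comments."""
    text = line.split("#", 1)[0].strip()   # '#' starts a comment, as the post notes
    if not text:
        return None
    proto = flow = port = addr = None
    # Fields are ':'-separated (IPv4 only; an IPv6 literal would be split by this).
    for field in text.split(":"):
        if field in ("tcp", "udp"):
            proto = field
        elif field in ("in", "out"):
            flow = field
        elif field[:2] in ("s=", "d="):
            value = field[2:]
            if value.isdigit():
                port = (field[0], int(value))
            else:
                addr = (field[0], ipaddress.ip_network(value, strict=False))
        else:
            # Simple format: a bare IP or CIDR block, treated as a source match.
            addr = ("s", ipaddress.ip_network(field, strict=False))
    if addr is None:
        raise ValueError(f"rule has no address: {line!r}")
    return Rule(proto, flow, port, addr)


def literal_entries(rules_text: str, source: str) -> list:
    """Lines whose rule text literally contains `source` (the text-match the post describes)."""
    return [ln for ln in rules_text.splitlines() if source in ln.split("#", 1)[0]]


def rules_covering(rules_text: str, ip: str) -> list:
    """Parsed rules whose address block contains `ip`, whatever the prefix length."""
    target = ipaddress.ip_address(ip)
    parsed = (parse_rule(ln) for ln in rules_text.splitlines())
    return [r for r in parsed if r is not None and target in r.addr[1]]


# Constructed sample deny_hosts.rules content (not taken from any real server).
DENY_RULES = """\
# blocked a whole /16 after repeated abuse
123.45.0.0/16
# one specific host, ssh only
d=22:s=198.51.100.7
"""
```

Running rules_covering(DENY_RULES, "123.45.1.56") finds the /16 rule, while literal_entries(DENY_RULES, "123.45.1.56") finds nothing, which is the mismatch behind the apf -u catch.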

Post Changes to Rule/Config Files

After you make a change to your rule or configuration files, you must invoke them by loading them into your firewall. You do this by restarting your firewall:

apf -r

When you restart APF, all rules are flushed (removed) and then re-added, which puts the rule changes you’ve made into effect.

What can I block or allow? What types of Source can I use?

In the above examples I’ve used <source>. Source can be a single IP address, an IP block in Classless Inter-Domain Routing (CIDR) notation or a fully qualified domain name (FQDN). Examples of each:

Single IP – 123.45.67.89

IP Block (CIDR) – 123.45.0.0/16 (which equates to 123.45.0.0 to 123.45.255.255)

FQDN – nyoffice.domain.com or 13371.dnshost.net

How do I Allow/Block an IP Range?

I’ve also seen a heap of requests specifically about allowing/blocking a range of IP addresses in APF. You can’t do this as “block A to B” – it needs to be in the form of CIDR notation. I use this IP Address Range Calculator to CIDR tool to calculate the CIDR notation for me. I’m lazy and it’s reasonably accurate.

If you’re looking to block 123.45.67.89 to 123.45.67.91, I’d personally just add them manually. IP addresses only line up with CIDR blocks at fixed boundaries, so you won’t cleanly be able to block 123.45.67.89 to 123.45.67.91 without blocking other IP addresses surrounding them. Don’t be surprised if you’re given multiple CIDR blocks in the results either – it means your supplied IP range crosses multiple blocks.
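The range-to-CIDR conversion the calculator does can be reproduced with Python's standard ipaddress module. This is an added example, not part of the post or of APF; it lists the exact set of blocks covering a range, and separately shows how many extra addresses a single block would drag in.

```python
import ipaddress


def range_to_cidr(first: str, last: str) -> list:
    """Minimal list of CIDR blocks that cover first..last inclusive, nothing more."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def single_block_overreach(first: str, last: str) -> tuple:
    """Smallest single CIDR block containing the whole range, plus how many
    addresses outside the range it would also block."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    prefix = 32
    net = ipaddress.ip_network(f"{start}/{prefix}")
    # Widen the prefix one bit at a time until the block reaches the range end.
    while end not in net:
        prefix -= 1
        net = ipaddress.ip_network(f"{start}/{prefix}", strict=False)
    wanted = int(end) - int(start) + 1
    return str(net), net.num_addresses - wanted


if __name__ == "__main__":
    # The three-address range from the post needs two blocks...
    print(range_to_cidr("123.45.67.89", "123.45.67.91"))
    # ...and forcing it into one block also catches 123.45.67.88.
    print(single_block_overreach("123.45.67.89", "123.45.67.91"))
```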

This entry was posted in Security, Server Administration.
