Noob Centos Admin wrote:
On Thu, Aug 7, 2008 at 1:54 AM, Sorin Srbu <sorin.srbu@gmail.com> wrote:
Seen this? http://www.askbjoernhansen.com/2007/09/18/safely_change_firewall_rules_remotely.html
Unfortunately, only after you pointed it out :( But thankfully whoever wrote APF apparently knows this, hence it does insert an automatic reset of the firewall after 5 minutes.
Hi,
My US$0.02 on this.....I'm a fan of apf as a front-end to iptables...but it takes some reading to understand the switches and the entire RAB (reactive address blocking) configuration options. Sadly, RAB is poorly documented, but with a bit of tinkering, I've enjoyed this feature tremendously as it cuts down on the hammering I used to get to port 22 by the bots and script kiddies.
If you've a static IP at your workstation, add your IP address to the apf nicely formed 'allow_hosts.rules' file, usually located in /etc/apf. This is a simple IP address or IP block list (using slash notation, i.e. 192.168.1.0/24) to allow access to an IP or range of IPs. Further, the deny_hosts.rules list is the same format for hosts to always deny.
/usr/local/sbin/apf -a <ip address || ip block> will add to the allow list *and* flush and reload the iptables back-end, so you don't have to restart apf.
Likewise, /usr/local/sbin/apf -d <ip address || ip block> will add to the deny list *and* flush and reload the iptables back-end, so you don't have to restart apf.
Once the firewall is configured properly, set DEVEL to 0 in the conf.apf file, then restart apf. The authors rightly include DEVEL mode, which crons a shutdown every 5 mins so you're not locked out for long. Trust me, I've been bitten by this (more than I care to admit).
There are other CLI switches, all well documented on the apf site (http://rfxnetworks.com/apf.php) http://rfxnetworks.com/appdocs/README.apf
HTH, -Ray
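The two safety habits in the thread (a timed rollback like APF's DEVEL mode, and checking an entry before it goes into allow_hosts.rules / deny_hosts.rules via apf -a / apf -d) as a small POSIX sh helper. This is an added example, not APF's own code; it assumes the apf binary lives in APF_BIN and that ROLLBACK_CMD (assumed here to be apf -f, the flush-and-stop switch) restores reachability, and both can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not APF's own code): timed-rollback safety net for remote
# firewall changes, plus a format check for allow/deny entries.
# Assumptions: APF_BIN is the apf binary; ROLLBACK_CMD restores access
# (assumed: 'apf -f'); both may be overridden from the environment.

APF_BIN="${APF_BIN:-/usr/local/sbin/apf}"
ROLLBACK_SECS="${ROLLBACK_SECS:-300}"          # same 5-minute window as DEVEL mode
ROLLBACK_CMD="${ROLLBACK_CMD:-$APF_BIN -f}"
WATCHDOG_PID_FILE="${WATCHDOG_PID_FILE:-/tmp/fw-watchdog.pid}"

# Accept a dotted IPv4 address, optionally with a /prefix (e.g. 192.168.1.0/24).
valid_entry() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    ip="${1%%/*}"; prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32          # bare address: treat as /32
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1       # each octet must fit in a byte
    done
    return 0
}

# Add a host/block to the allow list (apf -a) only if the entry is well formed.
allow_host() {
    valid_entry "$1" || { echo "rejected malformed entry: $1" >&2; return 1; }
    "$APF_BIN" -a "$1"
}

# Start a background timer that runs ROLLBACK_CMD unless disarmed in time.
arm_watchdog() {
    ( sleep "$ROLLBACK_SECS" && eval "$ROLLBACK_CMD" ) &
    echo "$!" > "$WATCHDOG_PID_FILE"
}

# Run this once you have confirmed a fresh SSH login still works.
disarm_watchdog() {
    [ -f "$WATCHDOG_PID_FILE" ] || return 1
    kill "$(cat "$WATCHDOG_PID_FILE")" 2>/dev/null
    rm -f "$WATCHDOG_PID_FILE"
}

# Typical session: arm_watchdog; allow_host 203.0.113.5; <open a new SSH
# session to confirm access>; disarm_watchdog
```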