Noob Centos Admin wrote:
> On Thu, Aug 7, 2008 at 1:54 AM, Sorin Srbu <sorin.srbu at gmail.com> wrote:
>> Seen this?
>> http://www.askbjoernhansen.com/2007/09/18/safely_change_firewall_rules_remotely.html
>
> Unfortunately, only after you pointed it out :(
> But thankfully whoever wrote APF apparently knows this, hence it does
> insert an automatic reset of the firewall after 5 minutes

Hi,

My US$0.02 on this..... I'm a fan of apf as a front-end to iptables, but it takes some reading to understand the switches and the entire RAB (reactive address blocking) configuration options. Sadly, RAB is poorly documented, but with a bit of tinkering, I've enjoyed this feature tremendously as it cuts down on the hammering I used to get to port 22 by the bots and script kiddies.

If you've a static IP at your workstation, add your IP address to the apf nicely formed 'allow_hosts.rules' file, usually located in /etc/apf. This is a simple IP address or IP block list (using slash notation, i.e. 192.168.1.0/24) to allow access to an IP or range of IPs. Further, the deny_hosts.rules list is the same format for hosts to always deny.

/usr/local/sbin/apf -a <ip address || ip block>

will add to the allow list *and* flush and reload the iptables back-end so you don't have to restart apf.

Likewise

/usr/local/sbin/apf -d <ip address || ip block>

will add to the deny list *and* flush and reload the iptables back-end so you don't have to restart apf.

Once the firewall is configured properly, set DEVEL to 0 in the conf.apf file, then restart apf. The authors rightly include DEVEL mode which crons a shutdown every 5 mins so you're not locked out for long.
Trust me, I've been bitten by this (more than I care to admit).

There are other CLI switches, all well documented on the apf site (http://rfxnetworks.com/apf.php):
http://rfxnetworks.com/appdocs/README.apf

HTH,
-Ray
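The allow/deny list format and the DEVEL-mode "undo it for me" safety net described in the post, as an added example that is not part of Ray's message or of APF itself. It assumes only POSIX sh; the `apf -a` / `apf -f` (flush/stop) invocations in the usage comment are illustrative, and the rollback timer is a generic pattern rather than APF's own cron mechanism.

```shell
#!/bin/sh
# Added example, not APF's own code. Two helpers around the workflow in the
# post: valid_host_entry checks an allow_hosts.rules / deny_hosts.rules style
# entry (dotted IPv4, optional /prefix) before it reaches 'apf -a' or 'apf -d',
# and with_rollback arms an automatic undo timer, the same safety net APF's
# DEVEL mode gives by cron-stopping the firewall every 5 minutes.

# valid_host_entry ENTRY -> 0 for "a.b.c.d" or "a.b.c.d/N" (N in 0..32), else 1
valid_host_entry() {
  entry="$1"
  case "$entry" in
    */*) ip="${entry%/*}"; prefix="${entry#*/}" ;;
    *)   ip="$entry";      prefix=32 ;;
  esac
  # prefix must be all digits and no larger than 32
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  # address may contain only digits and dots, and must split into 4 octets
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
  old_ifs="$IFS"; IFS=.
  set -- $ip
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in '') return 1 ;; esac   # empty field from ".." or leading "."
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# with_rollback APPLY_CMD UNDO_CMD SECONDS
# Runs APPLY_CMD, then arms a background timer that runs UNDO_CMD after
# SECONDS. The timer's PID is left in ROLLBACK_PID; once a fresh login from
# elsewhere proves the new rules still let you in, call confirm_change to
# disarm it. If you locked yourself out, UNDO_CMD runs unattended.
with_rollback() {
  sh -c "$1" || return 1
  ( sleep "$3" && sh -c "$2" ) &
  ROLLBACK_PID=$!
}

# confirm_change: disarm the pending undo after verifying access still works.
confirm_change() {
  kill "$ROLLBACK_PID" 2>/dev/null
}

# Usage sketch (illustrative; apf -f flushes/stops the firewall per its README):
#   valid_host_entry "$ADDR" && with_rollback "apf -a $ADDR" "apf -f" 300
#   ... open a second ssh session to check access, then: confirm_change
```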