APF Firewall on Ubuntu 7.xx (0.9.6-2)
ATTENTION: This article is outdated! Go here for the updated patches and information.
APF Firewall is a great firewall solution for Linux. It's small, really easy to install and configure, and it also provides antidos, a tool that monitors possible attacks on the server and takes some action against them. The problem is that the install script is written for RedHat-based Linux distros and does not work straight away on Debian-based ones.
So here is a patch that, when applied to the APF source directory (tested with version 0.9.6-2), makes it install properly under Ubuntu (tested on Feisty and Gutsy, but it should also work on many other Ubuntu releases or even Debian; I have not tested this).
To apply the patch and install do the following from your home directory:
> wget http://www.r-fx.ca/downloads/apf-current.tar.gz
> tar -zxvf apf-current.tar.gz
> wget http://codeblog.palos.ro/downloads/apf-0.9.6-2-ubuntu.patch
> patch -p0 < apf-0.9.6-2-ubuntu.patch
> cd apf-0.9.6-2
> sudo ./install.sh
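The console logs in the comments below show "Hunk #2 FAILED at 53" followed by "Installing APF: Completed", i.e. install.sh ran on a tree whose own hunk had been rejected. As an added example (not part of the original post or of APF), here is a small POSIX sh wrapper around patch(1) that refuses to continue unless every hunk applied; the name safe_patch is hypothetical and GNU patch is assumed for --dry-run.

```shell
#!/bin/sh
# Added example, not part of the original post: apply a patch only when every
# hunk applies, so install.sh is never run against a half-patched tree.
# safe_patch is a hypothetical helper name; it assumes GNU patch (--dry-run).
#
# Usage: safe_patch <patch-file> [strip-level]   (strip level defaults to 0,
# matching the "patch -p0" step above). Returns 0 only if every hunk applied.
safe_patch() {
    patchfile=$1
    strip=${2:-0}
    if [ ! -r "$patchfile" ]; then
        echo "safe_patch: cannot read '$patchfile'" >&2
        return 1
    fi
    # Pass 1: dry run. patch exits non-zero if any hunk fails and writes
    # nothing, so a bad patch leaves the tree untouched. -f means "never
    # prompt" (and never silently apply a patch that merely looks reversed).
    if ! patch -f --dry-run -p"$strip" < "$patchfile" > /dev/null 2>&1; then
        echo "safe_patch: dry run failed, tree left untouched" >&2
        return 1
    fi
    # Pass 2: the real run, with the same options.
    if ! patch -f -p"$strip" < "$patchfile" > /dev/null 2>&1; then
        echo "safe_patch: applying '$patchfile' failed" >&2
        return 1
    fi
    # Pass 3: any *.rej file means patch saved a rejected hunk somewhere.
    if find . -name '*.rej' -type f 2>/dev/null | grep -q .; then
        echo "safe_patch: reject files present after patching" >&2
        return 1
    fi
    return 0
}

# Typical use, from the directory holding the unpacked apf-0.9.6-2 tree:
#   safe_patch apf-0.9.6-2-ubuntu.patch 0 && (cd apf-0.9.6-2 && sudo ./install.sh)
```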
There is also a more advanced firewall similar to APF called CSF+LFD (LFD is similar to antidos). CSF+LFD is much more recommended for production servers (for example, you cannot filter two network interfaces with APF; you'll need CSF for that).
Hope this helps, bye!
October 6th, 2007 at 2:53 am
hello Palos!
I tried to follow your instructions on Kubuntu Feisty (German version), but got errors during the install procedure. Erratically, your code shows a patch path with *-ubuntu*, but *.ubuntu* is correct. After correcting this I get other errors that are beyond my level of understanding; this is a copy of the console output:
kpf-0.9.6-2/COPYING.GPL
--01:41:48-- http://codeblog.palos.ro/downloads/apf-0.9.6-2.ubuntu7.04.patch
=> `apf-0.9.6-2.ubuntu7.04.patch.2′
Auflösen des Hostnamen »codeblog.palos.ro«…. 85.120.61.71
Verbindungsaufbau zu codeblog.palos.ro|85.120.61.71|:80… verbunden.
HTTP Anforderung gesendet, warte auf Antwort… 200 OK
Länge: 5.695 (5.6K) [text/plain]
100%[=====================================================================================================>] 5.695 --.--K/s
01:41:48 (60.84 KB/s) - »apf-0.9.6-2.ubuntu7.04.patch.2« gespeichert [5695/5695]
patching file apf-0.9.6-2/apf.init
patching file apf-0.9.6-2/cron.daily
patching file apf-0.9.6-2/files/ad/antidos
patching file apf-0.9.6-2/files/ad/tlog
patching file apf-0.9.6-2/files/apf
patching file apf-0.9.6-2/files/extras/dshield/install
Hunk #1 succeeded at 1 with fuzz 1.
patching file apf-0.9.6-2/files/extras/get_ports
patching file apf-0.9.6-2/files/extras/importconf
patching file apf-0.9.6-2/files/firewall
patching file apf-0.9.6-2/files/vnet/vnetgen
patching file apf-0.9.6-2/importconf
patching file apf-0.9.6-2/install.sh
Hunk #2 FAILED at 53.
1 out of 2 hunks FAILED -- saving rejects to file apf-0.9.6-2/install.sh.rej
Installing APF 0.9.6-2: Completed.
Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/
Other Details:
cp: Aufruf von stat für „/etc/apf.bk.last/vnet/*.rules“ nicht möglich: No such file or directory
Imported options from 0.9.6-2 to 0.9.6-2.
Note: Please review /etc/apf/conf.apf for consistency, install default backed up to /etc/apf/conf.apf.orig
hjh@noname:~/hjh_linux/applications$
Do you have any idea to fix that?
Joe
November 5th, 2007 at 10:22 am
Hey Joe, I had no time lately to update the script for the latest version of APF :( Sorry!
I will take a look and post an update! I suspect that the problem comes from the fact that APF has released new versions since I wrote the script.
Thanks.
November 8th, 2007 at 12:36 pm
I’m so glad I found this! Too much time was wasted with Shorewall on my part and I’ve always loved APF on my Fedora machines. Now I’m running Ubuntu and was looking for a good APF tut.
Just gave it a try on 7.10 and received 1 error when following your directions, if that is any help for your updating the patch.
patching file apf-0.9.6-2/apf.init
patching file apf-0.9.6-2/cron.daily
patching file apf-0.9.6-2/files/ad/antidos
patching file apf-0.9.6-2/files/ad/tlog
patching file apf-0.9.6-2/files/apf
patching file apf-0.9.6-2/files/extras/dshield/install
Hunk #1 succeeded at 1 with fuzz 1.
patching file apf-0.9.6-2/files/extras/get_ports
patching file apf-0.9.6-2/files/extras/importconf
patching file apf-0.9.6-2/files/firewall
patching file apf-0.9.6-2/files/vnet/vnetgen
patching file apf-0.9.6-2/importconf
patching file apf-0.9.6-2/install.sh
Hunk #2 FAILED at 53.
1 out of 2 hunks FAILED -- saving rejects to file apf-0.9.6-2/install.sh.rej
Is that a major failure from your side?
All in all, great job and please keep it up! APF is a great little system that I’d love to have up and running on all my Ubuntu boxes.
November 8th, 2007 at 1:29 pm
In response to: Mike and Joe Heckert
Thanks for your input guys! Ok, I finally got some time to look at this problem! There were two issues here:
1 - The “Hunk #2 FAILED at 53.” part, was a real problem that caused APF not to install properly (the patch is now fixed).
2 - The “cp: Aufruf von stat fur „/etc/apf.bk.last/vnet/*.rules“ nicht moglich: No such file or directory” part is just a dummy error. It just says that it could not find some config files to import over the default ones, and that's because there are no files there to begin with. It's OK to ignore this one.
So, now the patch is fixed, and I also got to test it on Ubuntu 7.10 (Gutsy) (just as Mike did), which is actually identical from APF's point of view.
Cheers.
November 8th, 2007 at 5:27 pm
Just finished with the new patch and it worked like a charm, thanks Valeriu! Have you had any experience installing BFD (Brute Force Detection), also from the maker of APF, on 7.xx?
November 8th, 2007 at 5:42 pm
Glad I could help Mike! About BFD, the answer is no!
As far as I know, APF itself comes with Antidos which does brute force detection!
I have not used this BFD at all! But I’m intrigued I have to say! I wouldn’t mind installing it on my server if it proves interesting. I’ll take a look and post something here if I have something…
Thanks :)
January 21st, 2008 at 8:23 pm
Valeriu,
Thanks for the patch. Worked fine on 7.04. You saved me a ton of time man! Thanks again.
January 23rd, 2008 at 10:13 am
Awesome Paul! Glad I could help!
January 26th, 2008 at 7:19 pm
Well just want to say: Thank you! I’m using APF for a long time now, think it’s great.
This was my first use of Ubuntu, but without this wasn’t able to install it. This patch was really helpful!
February 6th, 2008 at 6:56 pm
apf 0.9.6-3 is out now. can you update this patch?
February 9th, 2008 at 7:04 pm
Hallo Valeriu.
I just installed APF 0.9.6-3 on my computer. I run 7.10. I changed some things, like the if condition in install.sh to reflect /etc/init.d/apf and the vi path in the functions file, plus some Linux daemon-starting shell. This is my proposal, and you can probably test it on 7.04 as well.
Nice blog.
Proposal:
diff -rc apf-0.9.6-3/apf.init apf-0.9.6-3-ubuntu7.10/apf.init
*** apf-0.9.6-3/apf.init 2007-06-16 23:16:25.000000000 +0200
— apf-0.9.6-3-ubuntu7.10/apf.init 2008-02-09 16:41:31.000000000 +0100
***************
*** 5,11 ****
#
# source function library
! . /etc/rc.d/init.d/functions
# import variables
. /etc/apf/conf.apf
. /etc/apf/internals/internals.conf
— 5,12 —-
#
# source function library
! #. /etc/rc.d/init.d/functions
! . /lib/lsb/init-functions
# import variables
. /etc/apf/conf.apf
. /etc/apf/internals/internals.conf
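Review bot: as rendered here the diff cannot be applied by copy-paste: the `---` range markers have become `—` and the double quotes in later hunks are curly, so patch will reject it; please attach the raw file. Within this hunk, the commented-out `#. /etc/rc.d/init.d/functions` line is dead code now that `/lib/lsb/init-functions` is sourced and can simply be deleted.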
***************
*** 17,30 ****
case “$1″ in
start)
echo -n “Starting APF:”
! /usr/local/sbin/apf --start >> /dev/null 2>&1
! echo_success
echo
;;
stop)
echo -n “Stopping APF:”
! /usr/local/sbin/apf --stop >> /dev/null 2>&1
! echo_success
echo
;;
restart)
— 18,33 —-
case “$1″ in
start)
echo -n “Starting APF:”
! start-stop-daemon --start --exec /usr/local/sbin/apf -- “--start” >> /dev/null 2>&1
! log_end_msg 0
! # echo_success
echo
;;
stop)
echo -n “Stopping APF:”
! start-stop-daemon --start --exec /usr/local/sbin/apf -- “--stop” >> /dev/null 2>&1
! log_end_msg 0
! # echo_success
echo
;;
restart)
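Review bot: the stop branch runs `start-stop-daemon --start --exec /usr/local/sbin/apf -- "--stop"`, which starts apf with `--stop` as an argument rather than stopping anything, and both branches then call `log_end_msg 0` unconditionally, so `/etc/init.d/apf start` prints OK even when the rules failed to load and the host is left unfiltered. apf loads or flushes the rules and returns rather than staying resident, so start-stop-daemon adds nothing here; suggest `/usr/local/sbin/apf --start >> /dev/null 2>&1` followed by `log_end_msg $?` (same for stop), and `log_daemon_msg "Starting APF"` in place of the `echo -n` lines for consistency with init-functions.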
***************
*** 32,37 ****
$0 start
;;
*)
! echo “usage: $0 [start|stop|restart]”
esac
exit 0
— 35,41 —-
$0 start
;;
*)
! log_action_msg “Usage: /etc/init.d/apf {start|stop|reload}”
! exit 1
esac
exit 0
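Review bot: the new usage message advertises `{start|stop|reload}`, but the case arms are start, stop and restart; the original `[start|stop|restart]` text was correct, so keep `restart` in the message (`log_action_msg "Usage: /etc/init.d/apf {start|stop|restart}"`).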
Only in apf-0.9.6-3/: .ca.def
diff -rc apf-0.9.6-3/cron.daily apf-0.9.6-3-ubuntu7.10/cron.daily
*** apf-0.9.6-3/cron.daily 2004-02-20 09:37:55.000000000 +0100
— apf-0.9.6-3-ubuntu7.10/cron.daily 2008-02-09 14:51:26.000000000 +0100
***************
*** 1,2 ****
! #!/bin/sh
! /etc/rc.d/init.d/apf restart >> /dev/null 2>&1
— 1,2 —-
! #!/bin/bash
! /etc/init.d/apf restart >> /dev/null 2>&1
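Review bot: only the `/etc/init.d/apf` path change is needed in this hunk; switching a one-line script from sh to bash changes nothing, so the shebang edit can be dropped to keep the diff minimal.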
diff -rc apf-0.9.6-3/files/apf apf-0.9.6-3-ubuntu7.10/files/apf
*** apf-0.9.6-3/files/apf 2008-01-31 18:01:33.000000000 +0100
— apf-0.9.6-3-ubuntu7.10/files/apf 2008-02-09 15:15:37.000000000 +0100
***************
*** 1,4 ****
! #!/bin/sh
#
# APF 0.9.6 [apf@r-fx.org]
###
— 1,4 —-
! #!/bin/bash
#
# APF 0.9.6 [apf@r-fx.org]
###
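Review bot: the sh-to-bash shebang change needs a one-line justification in the proposal, because on its own it looks gratuitous: Ubuntu's /bin/sh is dash, and APF's scripts use bash-only syntax such as `[ ! "$SET_REFRESH" == "0" ]` (visible in the functions.apf hunk below), which dash rejects with "unexpected operator", so under sh the scripts abort. The same rationale covers the identical shebang hunks in functions.apf, importconf and install.sh.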
diff -rc apf-0.9.6-3/files/internals/functions.apf apf-0.9.6-3-ubuntu7.10/files/internals/functions.apf
*** apf-0.9.6-3/files/internals/functions.apf 2008-01-31 20:51:30.000000000 +0100
— apf-0.9.6-3-ubuntu7.10/files/internals/functions.apf 2008-02-09 15:15:10.000000000 +0100
***************
*** 1,4 ****
! #!/bin/sh
#
# APF 0.9.6 [apf@r-fx.org]
###
— 1,4 —-
! #!/bin/bash
#
# APF 0.9.6 [apf@r-fx.org]
###
***************
*** 379,386 ****
/usr/bin/pico -w $iptc
elif [ -f “/usr/bin/nano” ]; then
/usr/bin/nano -w $iptc
! elif [ -f “/bin/vi” ]; then
! /bin/vi $iptc
fi
clear
rm -f $iptc
— 379,386 —-
/usr/bin/pico -w $iptc
elif [ -f “/usr/bin/nano” ]; then
/usr/bin/nano -w $iptc
! elif [ -f “/usr/bin/vi” ]; then
! /usr/bin/vi $iptc
fi
clear
rm -f $iptc
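Review bot: hard-coding `/usr/bin/vi` trades one distribution-specific path for another (Red Hat has `/bin/vi`, Debian and Ubuntu `/usr/bin/vi`), so the patched script now fails the same way on the other family. Suggest testing for the command instead of a path so one branch serves both, e.g. `elif command -v vi >/dev/null 2>&1; then` followed by `vi $iptc`.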
***************
*** 1433,1439 ****
if [ ! “$SET_REFRESH” == “0″ ] && [ ! “$SET_REFRESH” == “” ]; then
cat $INSTALL_PATH/internals/cron.refresh
MAILTO=
! SHELL=/bin/sh
*/$SET_REFRESH * * * * root /etc/apf/apf --refresh >> /dev/null 2>&1 &
EOF
chmod 644 $INSTALL_PATH/internals/cron.refresh
— 1433,1439 —-
if [ ! “$SET_REFRESH” == “0″ ] && [ ! “$SET_REFRESH” == “” ]; then
cat $INSTALL_PATH/internals/cron.refresh
MAILTO=
! SHELL=/bin/bash
*/$SET_REFRESH * * * * root /etc/apf/apf --refresh >> /dev/null 2>&1 &
EOF
chmod 644 $INSTALL_PATH/internals/cron.refresh
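Review bot: the `SHELL=/bin/bash` change in the generated cron.refresh is unrelated to the shebang fixes: cron uses SHELL only to run the command line `*/$SET_REFRESH * * * * root /etc/apf/apf --refresh ...`, which is plain sh syntax, and /etc/apf/apf is then interpreted by its own shebang; harmless, but not needed. Separately, the `cat $INSTALL_PATH/internals/cron.refresh` line shows no heredoc redirection before the `EOF` terminator; if that was lost in rendering, fine, but check the raw diff before anyone applies it.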
diff -rc apf-0.9.6-3/importconf apf-0.9.6-3-ubuntu7.10/importconf
*** apf-0.9.6-3/importconf 2007-01-14 11:28:32.000000000 +0100
— apf-0.9.6-3-ubuntu7.10/importconf 2008-02-09 14:51:58.000000000 +0100
***************
*** 1,4 ****
! #!/bin/sh
#
# APF 0.9.6 [apf@r-fx.org]
###
— 1,4 —-
! #!/bin/bash
#
# APF 0.9.6 [apf@r-fx.org]
###
diff -rc apf-0.9.6-3/install.sh apf-0.9.6-3-ubuntu7.10/install.sh
*** apf-0.9.6-3/install.sh 2008-01-31 21:05:00.000000000 +0100
— apf-0.9.6-3-ubuntu7.10/install.sh 2008-02-09 14:57:56.000000000 +0100
***************
*** 1,4 ****
! #!/bin/sh
#
# APF 0.9.6 [apf@r-fx.org]
###
— 1,4 —-
! #!/bin/bash
#
# APF 0.9.6 [apf@r-fx.org]
###
***************
*** 54,63 ****
cp cron.daily /etc/cron.daily/apf
chmod 755 /etc/cron.daily/apf
fi
! if [ -f “/etc/rc.d/init.d/apf” ]; then
! cp -f apf.init /etc/rc.d/init.d/apf
else
! cp -f apf.init /etc/rc.d/init.d/apf
fi
if [ -f “/var/log/apf_log” ] || [ -f “/var/log/apfados_log” ]; then
rm -f /var/log/apf_log /var/log/apfados_log
— 54,63 —-
cp cron.daily /etc/cron.daily/apf
chmod 755 /etc/cron.daily/apf
fi
! if [ -f “/etc/init.d/apf” ]; then
! cp -f apf.init /etc/init.d/apf
else
! cp -f apf.init /etc/init.d/apf
fi
if [ -f “/var/log/apf_log” ] || [ -f “/var/log/apfados_log” ]; then
rm -f /var/log/apf_log /var/log/apfados_log
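Review bot: both branches of `if [ -f "/etc/init.d/apf" ]` copy the same file to the same place, so the conditional (already pointless in the original) should collapse to a single `cp -f apf.init /etc/init.d/apf`. More importantly, nothing in this hunk enables the script at boot: on Debian and Ubuntu the copy must be followed by `update-rc.d apf defaults`, otherwise the firewall only comes up when someone runs the init script by hand or when cron.daily restarts it. If install.sh registers the service with chkconfig elsewhere, that call needs an equivalent here.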
Thanks for taking the initiative to look after APF.
February 15th, 2008 at 7:30 pm
Fails for me :(
on a fresh gutsy install:
root@lhc-voipgate:/usr/src# patch -p0
February 27th, 2008 at 9:01 pm
Can you please update the patch for 0.9.6-3?
February 28th, 2008 at 11:54 am
Sorry for the delay guys, I had no time for it until this morning. See here for updates.