Advanced Policy Firewall

Overview

Advanced Policy Firewall (APF) v2.0.1 (C) 2002-2026, R-fx Networks <proj@rfxn.com> (C) 2026, Ryan MacDonald <ryan@rfxn.com>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Introduction:

Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today's Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file. The management of APF on a day-to-day basis is conducted from the command line with the 'apf' command, which includes detailed usage information and all the features one would expect from a current and forward thinking firewall solution.

The technical side of APF is such that it embraces the latest stable features put forward by the iptables(netfilter) project to provide a very robust and powerful firewall. The filtering performed by APF is three fold: 1) Static rule based policies (not to be confused with a "static firewall") 2) Connection based stateful policies 3) Sanity based policies

The first, static rule based policies, is the most traditional method of firewalling — an unchanging set of rules for how traffic should be handled. For example, allowing/denying an address via the trust system or opening a port in conf.apf.

The second, connection based stateful policies, distinguishes legitimate packets by tracking known connections. For example, FTP data transfers are dynamically permitted by relating port 21 control connections to the data channel — no complex static rules needed.

The third, sanity based policies, matches traffic against known attack methods and Internet standards. Forged source addresses are discarded, malformed packets from broken routers are dropped or replied to with TCP Reset.

For a detailed description of all APF features, review conf.apf (under your install path) which has well outlined captions above all options. Below is a point form summary of most APF features:

- detailed and well commented configuration file - granular inbound and outbound network filtering - user id based outbound network filtering - application based network filtering - trust based rule files with an optional advanced syntax - global trust system where rules can be downloaded from a central management server - reactive address blocking (RAB), in-line intrusion prevention with automatic address blocking on sanity violations and port scan detection - debug mode provided for testing new features and configuration setups - fast load feature that allows for 1000+ rules to load in under 1 second - inbound and outbound network interfaces can be independently configured - global tcp/udp port & icmp type filtering with multiple methods of executing filters (drop, reject, prohibit) - configurable policies for each ip on the system with convenience variables to import settings - packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp - prerouting and postrouting rules for optimal network performance - dshield.org block list support to ban networks exhibiting suspicious activity - spamhaus Don't Route Or Peer List support to ban known "hijacked zombie" IP blocks - any number of additional interfaces may be configured as firewalled (untrusted) or trusted (not firewalled) - additional firewalled interfaces can have their own unique firewall policies applied - intelligent route verification to prevent embarrassing configuration errors - advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards - filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more - configurable type of service options to dictate the priority of different types of network traffic - intelligent default settings to meet every day server setups - dynamic configuration of your servers local DNS resolvers into the firewall - optional filtering of common p2p applications - optional filtering of private & reserved IP address space - optional implicit blocks of the ident service - configurable connection tracking settings to scale the firewall to the size of your network - configurable kernel hooks (ties) to harden the system further to syn-flood attacks & routing abuses - advanced network control such as explicit congestion notification and overflow control - special chains that are aware of the state of FTP DATA and SSH connections to prevent client side issues - control over the rate of logged events, want only 30 filter events a minute? 300 a minute? - you are the boss - logging subsystem that allows for logging data to user space programs or standard syslog files - logging that details every rule added and a comprehensive set of error checks to prevent config errors - if you are familiar with netfilter you can create your own rules in any of the policy files - pluggable and ready advanced use of QoS algorithms provided by the Linux kernel - IPv6 dual-stack support: automatic ip6tables rules alongside iptables when USE_IPV6 is enabled, including ICMPv6 filtering and NDP - input validation on all trust system entries (IPv4, IPv6, CIDR, FQDN) - nft backend detection with safe fast load across iptables backend changes - Docker/container compatibility mode for coexistence with Docker, Podman, Kubernetes, and containerd without destroying external chains - ipset block list support for kernel-level high-performance IP matching with O(1) lookup; one iptables rule per list instead of one rule per IP - GRE tunnel management with dedicated chains, protocol 47 rules, lifecycle controls (--gre-up/--gre-down/--gre-status), and persist-across-flush support - automatic dependency checking at startup with OS-aware install hints for missing packages (apt-get, yum, dnf) - ICMPv6 type filtering (IG_ICMPV6_TYPES/EG_ICMPV6_TYPES) with automatic NDP protection for types 133-136 - adaptive connection tracking scaling that auto-grows conntrack_max when usage exceeds 80%, with configurable ceiling and hash table sizing - IPv6 sysctl hardening: disables accept_source_route, accept_redirects, and accept_ra when USE_IPV6=1 - systemd service unit for modern init management

1.1) Introduction: Supported Systems & Requirements The APF package is designed to run on Linux based operating systems that have an operational version of the iptables (netfilter) package installed. Both the traditional iptables-legacy and the newer iptables-nft backends are supported. You can find out more details on the netfilter project at:

https://www.netfilter.org/

Most modern Linux distributions include all required iptables/netfilter modules by default. If you are building a custom kernel, ensure the following modules are available (built-in or modular):

iptable_filter iptable_mangle nf_conntrack nf_conntrack_ftp nf_conntrack_irc xt_state (or nf_conntrack with CT target) xt_multiport xt_limit xt_recent xt_LOG (or nf_log_syslog) xt_REJECT (ipt_REJECT / ip6t_REJECT) xt_ecn xt_length xt_mac xt_owner xt_TCPMSS

For IPv6 support (USE_IPV6=1), also ensure: ip6table_filter ip6table_mangle nf_conntrack_ipv6 (on kernels < 4.19; merged into nf_conntrack on 4.19+)

APF will attempt to load each module at startup and report any that are missing. You can check available modules with:

ls /lib/modules/$(uname -r)/kernel/net/netfilter/

APF is tested and supported on the following platforms:

RHEL / Rocky Linux / AlmaLinux 8, 9 CentOS 7 (legacy support) Debian 10, 11, 12 Ubuntu 20.04, 22.04, 24.04 Fedora (current releases)

APF will generally run on any Linux distribution that provides iptables (legacy or nft backend) and a bash shell with standard GNU utilities (grep, awk, sed, etc.).

APF includes automatic dependency checking at startup. Critical dependencies (iptables, ip, modprobe, ip6tables when USE_IPV6=1) will prevent the firewall from starting if missing. Optional dependencies (wget, iptables-save, iptables-restore, diff, ipset) produce warnings but allow startup to continue. Install hints are OS-aware and suggest the correct package manager command (apt-get, yum, or dnf) for your distribution.

Installation

The installation setup of APF is very straight forward, there is an included install.sh script that will perform all the tasks of installing APF for you.

Begin Install:

sh install.sh

or

INSTALL_PATH=/etc/yourpath sh install.sh

If one so desires they may customize the setup of APF by editing the variables inside the install.sh script followed by also editing the path variables in the conf.apf and internals.conf files. This is however not recommended and the default paths should meet all user needs, they are:

Install Path: /etc/apf Bin Path: /usr/local/sbin/apf

The package includes two convenience scripts, the first is importconf which will import all the variable settings from your previous version of APF into the new installation. The second is get_ports, a script which will output the systems currently in use 'server' ports for the user during the installation process in an effort to aid in configuring port settings.

All previous versions of APF are saved upon the installation of newer versions and stored in /etc/apf.bkDDMMYY-UTIME format (e.g., /etc/apf.bk190226-1771538400). In addition, there is a /etc/apf.bk.last sym-link created to the last version of APF you had installed.

After installation is completed the documentation and convenience scripts are copied to /etc/apf/doc and /etc/apf/extras respectively.

Note: APF ships with DEVEL_MODE="1" enabled by default. This safety feature automatically flushes the firewall every 5 minutes to prevent lockout during initial configuration. Set DEVEL_MODE="0" in conf.apf once your configuration is verified and you are ready for persistent operation.

2.1) Installation: Boot Loading On installation APF will install a systemd service unit (apf.service) on systems with systemd, or an init script to /etc/init.d/apf on older systems, and configure it to load on boot. If you are setting up APF in a more custom situation then you may follow the below instructions.

There are three modes of operation for having APF firewall your system and each has no real benefit except tailoring itself to your needs.

The first and recommended approach on modern systems is systemd:

systemctl enable apf systemctl start apf

On older systems without systemd, use chkconfig (done by default during install on SysV-init systems):

chkconfig --add apf chkconfig --level 345 apf on

Secondly, you can add the following string to the bottom of the /etc/rc.local file:

sh -c "/etc/apf/apf -s" &

It is NOT recommended that you use multiple startup methods together.

The third and final approach is to simply run APF in an on-demand fashion. That is, enable it with the 'apf -s' command when desired and disable it with the 'apf -f' when desired.

Configuration:

APF ships with minimal preconfigured options by design. Only port 22 (SSH) is open by default, with advanced features like outbound filtering, reactive address blocking, and the virtual network subsystem disabled.

The main configuration file is conf.apf (under your install path, /etc/apf by default). It uses integer values (0 = disabled, 1 = enabled) for most options unless otherwise noted. Each option has detailed usage information directly above it in the file — review it from top to bottom before starting the firewall.

3.1) Configuration: Basic Options This section will cover some of the basic configuration options found inside of the conf.apf configuration file. These options, despite how basic, are the most vital in the proper operation of your firewall.

DEVEL_MODE - Development/testing mode. The firewall shuts itself off every 5 minutes via cronjob to prevent lockout from configuration errors. Enabled by default on new installs; disable once you are satisfied with your configuration.

INSTALL_PATH - Installation path for APF (default: /etc/apf).

IFACE_UNTRUSTED - The Internet-facing interface that firewall rules are applied against (WAN interface).

IFACE_TRUSTED - Interfaces to exempt from all firewall rules with an implicit trust rule. Use for administrative private links, VPN interfaces, or trusted LANs (similar to a DMZ).

SET_VERBOSE - Print detailed event logs to the screen during command line firewall operations for easier troubleshooting.

USE_IPV6 - Enable IPv6 dual-stack support. APF will load IPv6 kernel modules and apply ip6tables rules alongside iptables. Includes IPv6 chain creation, port filtering, trust system support, packet sanity checks, and ICMPv6 filtering. NDP types 133-136 are always permitted for IPv6 connectivity. When enabled, IG_ICMPV6_TYPES and EG_ICMPV6_TYPES control which ICMPv6 types are allowed. IPv6 sysctl hardening is applied when SYSCTL_ROUTE=1. IPv6 addresses in advanced trust syntax use bracket notation (e.g., d=22:s=[2001:db8::1]). The VNET subsystem does not currently support IPv6.

SET_FASTLOAD - Save and restore firewall snapshots for fast startup. Instead of regenerating every rule, APF loads from a saved snapshot. Configuration changes and iptables backend changes (legacy vs nft) are detected automatically, forcing a full reload when needed.

SET_VNET - Enable the virtual network subsystem (VNET) which generates per-IP policy files for aliased addresses. See section 3.4.

SET_ADDIFACE - Firewall additional untrusted interfaces through the VNET system. See section 3.4.

Port filtering variables (global context, overridable via VNET per-IP rules):

IG_TCP_CPORTS - inbound TCP ports ("server" ports, e.g., 22,80,443) IG_UDP_CPORTS - inbound UDP ports (e.g., 53 for DNS) IG_ICMP_TYPES - inbound ICMP types (see internals/icmp.types) EGF - top level toggle for outbound (egress) filtering; recommended to enable for robust protection EG_TCP_CPORTS - outbound TCP ports ("client" ports, e.g., 80,443) EG_UDP_CPORTS - outbound UDP ports (e.g., 53,873) EG_ICMP_TYPES - outbound ICMP types (see internals/icmp.types)

EG_DROP_CMD - Comma-separated executable names blocked from outbound network access (e.g., "eggdrop,psybnc,bitchx"). Uses iptables --cmd-owner match. Requires EGF="1". Depends on kernel xt_owner command support, detected at runtime and skipped gracefully if unavailable.

LOG_DROP - Enable detailed firewall packet logging. Typically left disabled on production systems due to log volume and disk I/O impact.

3.2) Configuration: Advanced Options The advanced options, although not required, are those which afford the firewall the ability to be a more robust and encompassing solution in protecting a host. These options should be reviewed on a case-by-case basis and enabled only as you determine their merit to meet a particular need on a host or network.

SET_MONOKERN - Expect iptables modules compiled directly into the kernel instead of loadable modules. Only enable for custom kernels with modular support disabled.

VF_ROUTE - Verify that IFACE_* addresses have route entries before loading. Prevents lockout from configuration errors.

VF_LGATE - Require all traffic to arrive via a specific MAC address. Useful for servers behind a NAT/MASQ gateway.

TCP_STOP, UDP_STOP, ALL_STOP - Control how filtered packets are handled:

DROP - silent discard (default); low resource use but reveals firewall presence to experienced attackers who expect ICMP unreachable replies RESET - TCP RST reply; standards-compliant but uses resources to reply REJECT - ICMP error reply; port appears closed, not firewalled PROHIBIT - ICMP-only reply; lighter than RESET, default expected behavior for UDP

PKT_SANITY - Top level toggle for packet sanity checks. Ensures all packets conform to strict TCP/IP standards, making it very difficult for attackers to inject raw/custom packets. Sub-options (PKT_SANITY_INV, PKT_SANITY_FUDP, PKT_SANITY_PZERO, PKT_SANITY_STUFFED) are preconfigured to suit most situations. See conf.apf for details on each sub-option.

Type of Service (TOS) - The TOS_* settings classify traffic priority based on port numbers. Default settings improve throughput and reliability for FTP, HTTP, SMTP, POP3 and IMAP. TOS configuration can have wide-ranging impact on service performance — review conf.apf for detailed TOS options.

Traceroute (TCR_*) - TCR_PASS controls whether traceroutes are accepted. TCR_PORTS defines the UDP port range used for detection.

SYSCTL_CONNTRACK - connection tracking table size (default 131072) SYSCTL_CONNTRACK_ADAPTIVE - auto-scale conntrack_max at 80% usage SYSCTL_TCP - TCP performance/security tweaks (timestamps, SACK) SYSCTL_TCP_NOSACK - disable TCP SACK (CVE-2019 mitigations) SYSCTL_SYN - syn-flood mitigation (backlog, retry, timeout) SYSCTL_ROUTE - spoofing/redirect protection (rp_filter, etc.) SYSCTL_LOGMARTIANS - log impossible source addresses SYSCTL_ECN - Explicit Congestion Notification SYSCTL_SYNCOOKIES - SYN cookie flood protection SYSCTL_OVERFLOW - overflow control

See conf.apf for detailed descriptions of each setting and their sub-options.

3.3) Configuration: Reactive Address Blocking The Reactive Address Blocking (RAB) system provides in-line intrusion prevention by automatically blocking addresses that trigger sanity violations or port scan detection. RAB is configured through the RAB_* variables in conf.apf.

RAB - master toggle for reactive address blocking.

RAB_SANITY - enable RAB for packet sanity violations (spoofed addresses, modified flags). Offenders are temporarily blocked for RAB_TIMER seconds.

RAB_PSCAN_LEVEL - port scan detection level: 0 disabled, 1 low, 2 medium, 3 high. Triggers on connections to known malicious ports (1, 7, 9, 11, etc.).

RAB_HITCOUNT - violation hits before blocking (default: 1, instant block).

RAB_TIMER - block duration in seconds (default: 300, max: 43200).

RAB_TRIP - reset block timer on any subsequent traffic from a blocked address.

RAB_LOG_HIT - log violation hits (recommended; LOG_DROP=1 overrides to force).

RAB_LOG_TRIP - log all traffic from already-blocked addresses. Verbose but useful for understanding attacker behavior. LOG_DROP=1 overrides to force.

3.4) Configuration: Virtual Network Files When SET_VNET=1, APF generates per-IP policy files under the vnet/ directory for each aliased address on the IFACE_UNTRUSTED interface. Each file (e.g., vnet/192.168.1.100.rules) can override the global port filtering variables (IG_TCP_CPORTS, EG_TCP_CPORTS, etc.) for that specific IP address. This allows fine-grained control over which ports are open on each address. Run 'apf -s' after editing VNET files to apply changes. Note that the VNET subsystem operates on IPv4 addresses only.

3.5) Configuration: Global Variables & Custom Rules All variables defined in conf.apf are available for use in VNET per-IP rule files, allowing you to import global settings and selectively override them. For custom iptables rules beyond what conf.apf provides, you can add rules directly to the preroute.rules file which is loaded early in the firewall chain. Any valid iptables syntax can be used in these files, as they are sourced directly into the firewall's bash execution environment.

3.6) Configuration: Docker/Container Compatibility When running APF alongside Docker, Podman, Kubernetes, or other container runtimes, the default flush behavior (which wipes all iptables rules and chains) will destroy the container runtime's networking rules. The DOCKER_COMPAT option solves this by switching APF to a surgical flush mode.

DOCKER_COMPAT - When set to "1", APF's flush operation only removes APF-owned chains from the filter table, leaving all external chains intact. Specifically:

- FORWARD chain policy and rules are preserved (Docker routing) - nat table is left untouched (Docker port mapping and MASQUERADE rules) - raw table is left untouched - External INPUT and OUTPUT rules (non-APF) are saved before flush and restored afterward, protecting rules from Docker Swarm, kube-proxy, Calico CNI, and similar tools - DOCKER, DOCKER-USER, DOCKER-ISOLATION, and container-runtime chains in all tables are preserved - mangle PREROUTING/POSTROUTING are still flushed (APF-managed)

When DOCKER_COMPAT is enabled, SET_FASTLOAD is automatically disabled because iptables-restore would overwrite the external chains that DOCKER_COMPAT is designed to protect. Snapshot saving is also skipped in compat mode.

Enable this option if you see Docker containers losing network connectivity after running 'apf -s' or 'apf -r'.

3.7) Configuration: ipset Block Lists The ipset subsystem uses kernel-level hash tables for high-performance IP matching. Instead of creating one iptables rule per blocked IP address (which scales linearly), ipset creates a single iptables rule per block list that references a kernel hash set, providing O(1) lookup performance regardless of list size.

USE_IPSET - Set to "1" to enable ipset block list support. Requires the 'ipset' utility to be installed (apt-get install ipset / yum install ipset). When disabled or ipset is not installed, the ipset.rules file is ignored.

IPSET_LOG_RATE - Default log rate limit (per minute) for ipset blocklist matches. Individual lists can control their own logging via the log field in ipset.rules.

The block lists are defined in the ipset.rules file. Each line defines a set with the format: name:flow:ipset_type:log:file_or_url

CLI: Run 'apf --ipset-update' to hot-reload all ipset block lists without restarting the firewall. A cron job (cron.d.apf_ipset) is installed automatically to perform periodic updates.

3.8) Configuration: GRE Tunnels APF can manage GRE (Generic Routing Encapsulation) point-to-point tunnels with dedicated firewall chains and protocol 47 rules. This is useful for servers that need encapsulated point-to-point links to remote endpoints.

USE_GRE - Set to "1" to enable GRE tunnel management. Requires the 'ip' utility (iproute2 package). When disabled, gre.rules is ignored.

GRE_PERSIST - When set to "1", tunnel interfaces are kept alive when the firewall is flushed or stopped. Only firewall rules are removed. When set to "0", tunnel interfaces are also torn down on flush. Default is "1".

GRE_KEEPALIVE - Keepalive interval (seconds) and retry count before declaring a tunnel dead. Format: "interval retries" (e.g., "10 3"). Set to "0 0" to disable keepalive. Requires kernel >= 3.x.

GRE_MTU - Tunnel MTU. Leave empty for auto-calculation (parent interface MTU minus 24 bytes GRE overhead). Set explicitly for double-encapsulation scenarios (e.g., "1400").

GRE_TTL - IP TTL for GRE tunnel packets. Default is "255".

Tunnels are defined in the gre.rules file, which is a bash script sourced during firewall startup. Each tunnel is created by setting a role variable and calling the create_gretun function:

role="source" (or "target") create_gretun LINKID LOCAL_IP REMOTE_IP [IPFILE]

Where LINKID is a tunnel ID (1-99, interface = gre${LINKID}), LOCAL_IP is this host's public IP, REMOTE_IP is the remote endpoint, and IPFILE is an optional file of IPs to route through the tunnel (one per line). Addresses are auto-assigned: source=192.168.${LINKID}.1, target=192.168.${LINKID}.2.

Per-tunnel overrides can be set before each create_gretun call: gre_keepalive="10 3" (override GRE_KEEPALIVE) gre_mtu="1400" (override GRE_MTU) gre_ttl="128" (override GRE_TTL) gre_key="12345" (GRE key for tunnel identification)

See the gre.rules file header for complete examples.

When tunnels are created, APF automatically: - Creates GRE_IN and GRE_OUT chains for tunnel traffic - Adds protocol 47 (GRE) ACCEPT rules for each tunnel endpoint - Creates per-tunnel interface ACCEPT rules in INPUT and OUTPUT - Configures MTU, keepalive, and IP addresses as specified

3.9) Configuration: Remote Block Lists APF can automatically download and apply IP block lists from external sources. Each list is loaded into a dedicated iptables chain on full firewall start. The following DLIST_* variables in conf.apf control these lists:

DLIST_PHP - Project Honey Pot harvester/spammer IPs DLIST_SPAMHAUS - Spamhaus DROP list (stolen/zombie netblocks) DLIST_DSHIELD - DShield top suspicious hosts DLIST_RESERVED - IANA reserved/unassigned networks DLIST_ECNSHAME - ECN broken hosts (requires SYSCTL_ECN="1")

Each has a companion _URL variable (e.g., DLIST_PHP_URL) for the download source. Set the toggle to "1" to enable a list. Lists are validated during parsing and backed up before each download. Failed downloads restore from backup to prevent data loss. Note that DLIST_RESERVED interacts with BLK_RESNET — when both are enabled, the downloaded reserved.networks list supplements the built-in private.networks blocking.

3.10) Configuration: Logging & Control APF provides configurable logging of filtered packets through the LOG_* variables in conf.apf:

LOG_DROP - master toggle for firewall packet logging LOG_LEVEL - syslog level for log entries (default: crit) LOG_TARGET - LOG (kernel syslog) or ULOG (ulogd userspace) LOG_IA - log interactive access (SSH/Telnet, requires LOG_DROP="1") LOG_LGATE - log foreign gateway traffic LOG_EXT - extended logging (TCP/IP options in output) LOG_RATE - max logged events per minute (default: 30) LOG_APF - path to APF status log (default: /var/log/apf_log)

For iptables concurrency control, IPT_LOCK_SUPPORT and IPT_LOCK_TIMEOUT configure the -w lock flag behavior for iptables >= 1.4.20. This prevents concurrent iptables modifications from corrupting rule state.

3.11) Configuration: Implicit Blocking The BLK_* variables in conf.apf control implicit blocking of specific traffic patterns without explicit port rules. These apply globally to all interfaces:

BLK_P2P_PORTS - block common P2P protocol ports (e.g., BitTorrent, Kazaa, eDonkey) BLK_PORTS - silently drop common attack ports (NetBIOS, RPC, etc.) without logging BLK_MCATNET - block multicast traffic (224.0.0.0/4, ff00::/8) BLK_PRVNET - block private IPv4 address space (10/8, 172.16/12, 192.168/16, etc.) on untrusted interfaces BLK_RESNET - block reserved/unassigned IPv4 space BLK_TCP_SACK_PANIC - block low-MSS TCP SACK exploit packets (CVE-2019-11477) BLK_IDENT - REJECT ident (TCP 113) requests instead of silently dropping; some services stall without ident response

General Usage:

The /usr/local/sbin/apf command has a number of options that will ease the day-to-day use of your firewall. Here is a quick snap-shot of the options:

Note: --unban is accepted as an alias for -u|--remove.

The -l|--list option shows all loaded iptables rules. The -t|--status option pages through the APF status log at /var/log/apf_log.

The -e|--refresh option flushes trust chains and reloads them from rule files, re-resolving any DNS names. Useful for dynamic DNS entries in the trust system.

The -o|--ovars option outputs all configured variables and their values — useful for troubleshooting or when reporting problems (see section 6).

The two basic trust level files are located at: /etc/apf/allow_hosts.rules /etc/apf/deny_hosts.rules

These files by nature are static, meaning that once you add an entry to them, they will remain in the files till you remove them yourself. The trust files accept FQDN (fully qualified domain names), IPv4 addresses, and IPv6 addresses with optional bit masking. Examples of these formats are:

yourhost.you.com (FQDN) 192.168.2.102 (IP Address) 192.168.1.0/24 (IP Address with 24 bit mask) 2001:db8::1 (IPv6 Address) 2001:db8::/32 (IPv6 Address with prefix length)

The definition of IP bit masking is slightly out of the scope of this document but some common bit masks that are used would be: /24 (192.168.1.0 to 192.168.1.255) /16 (192.168.0.0 to 192.168.255.255)

If you have common abuse from a network of addresses you can whois that address then determine the network operators assigned address space and ban the network with bit masking.

There are two methods for adding entries to the trust files and they are first and foremost by using an editor or interface of some type to edit the two files manually, such as nano (pico clone) or vi (old school editor).

Please take note that the --remove|-u option does not accept a comment string for obvious reason and that it will remove entries that match from allow_hosts.rules, deny_hosts.rules and the global extensions of these files.

The trust system has several operational controls in conf.apf:

SET_EXPIRE - auto-expire deny entries after N seconds (0 to disable). Use "static" or "noexpire" in a ban comment to exempt it. SET_REFRESH - refresh interval in minutes for trust rules and DNS re-resolution (default: 10) SET_REFRESH_MD5 - skip refresh if trust files are unchanged (1 to enable) SET_TRIM - max deny entries before oldest are purged (default: 250)

4.2) General Usage: Global Trust System The global trust system extends the local trust files with centrally managed allow and deny lists that can be downloaded from a remote server. The files glob_allow.rules and glob_deny.rules are populated by setting the GA_URL and GD_URL variables in conf.apf to the URLs of your remote trust lists. Set USE_RGT="1" in conf.apf to enable automatic downloading of global trust files. APF will periodically download these lists and load them into the TGALLOW and TGDENY chains. This is useful for organizations managing multiple servers that need to share a common set of trusted or blocked addresses. The --remove (-u) option will also remove entries from the global trust files.

4.3) General Usage: Advanced Trust Syntax Advanced trust usage; The trust rules can be made in advanced format with 4 options (proto:flow:port:ip); 1) protocol: [packet protocol tcp/udp] 2) flow in/out: [packet direction, inbound or outbound] 3) s/d=port: [packet source or destination port] 4) s/d=ip(/xx) [packet source or destination address, masking supported]

Flow assumed as Input if not defined. Protocol assumed as TCP if not defined. When defining rules with protocol, flow is required.

outbound to destination port 23 to destination host 198.51.100.9 out:d=23:d=198.51.100.9

inbound to destination port 3306 from 198.51.100.0/24 d=3306:s=198.51.100.0/24

IPv6 addresses use bracket notation to protect colons from the field delimiter parser:

inbound to destination port 22 from IPv6 address 2001:db8::1 d=22:s=[2001:db8::1]

inbound to destination port 443 from IPv6 network 2001:db8::/32 tcp:in:d=443:s=[2001:db8::/32]

Plain (non-advanced) IPv6 addresses can be added directly without brackets: 2001:db8::1

License:

APF is developed and supported on a volunteer basis by Ryan MacDonald [ryan@rfxn.com]

APF (Advanced policy firewall) is distributed under the GNU General Public License (GPL) without restrictions on usage or redistribution. The APF copyright statement, and GNU GPL, "COPYING.GPL" are included in the top-level directory of the distribution. Credit must be given for derivative works as required under GNU GPL.

Support Information:

Bugs, feature requests, and general questions can be filed as GitHub issues or sent to proj@rfxn.com. When reporting issues, include the output of 'apf --ovars' to help diagnose configuration problems.