APF strange problem

Well, it's not usual that I come looking for help in this forum; I usually am helping, but hey... maybe I can get something back, huh?

Basically, while APF is running I can't WGET or even load any webpages. Can anyone help at all? I checked this over time and time again. Ports are right... I can't think of anything I have done wrong.


#!/bin/sh
#
# APF 0.9.4 [apf@r-fx.org]
#
# NOTE: This file should be edited with word/line wrapping off,
# if you're using pico please start it with the -w switch.
# (e.g: pico -w filename)
#

##
# [Dev. Mode]
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to flush the firewall; set
# this mode off (0) when firewall determined to be operating as desired.
##

# Set firewall dev cronjob
# 1 = enabled / 0 = disabled
DEVM="0"

##
# [Main]
##

# Path of firewall installation
FWPATH="/etc/apf"

# Untrusted Network interface; all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interface. Only one interface is accepted for this value.
IF="eth0"

# Trusted Network interface(s); all traffic on defined interface(s) will by-pass
# ALL firewall rules (white space or comma separated list; e.g: TIF="eth1 eth2").
TIF=""

# Local gateway mac address [optional]; when a value is present, only traffic
# from the local gateway will be permitted. It is quite trivial to forge a MAC
# address and as such this is provided as another layer of route verification.
LGATE_MAC=""

# Log all foreign gateway traffic
# [0 = Disabled / 1 = Enabled]
LGATE_LOG="0"

# Enable virtual network subsystem; creates independent policy ruleset for each
# ip on a system (pulls data from 'ip addr list') to /etc/apf/vnet/ip.rules
# Template is located in the vnet/ folder for rule files. This feature can
# reduce apf start/stop performance and is not recommended for systems with more
# than 255 (/24) ip's. [0 = Disabled / 1 = Enabled]
EN_VNET="0"

# Support Monolithic kernel builds [no LKM's]. This mode of operation is
# not really supported and you use at your own risk.
MONOKERN="0"

##
# [Packet Filtering/Handling]
##

# Default Type of Service (TOS)
#
# 8: Maximum Throughput - Minimum Delay
# 4: Minimize Delay - Maximize Reliability
# 16: No Delay - Moderate Throughput - High Reliability
DEF_TOS="4"

# How to handle TCP packet filtering?
#
# RESET (sends a tcp-reset; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
TCP_STOP="DROP"

# How to handle UDP packet filtering?
#
# RESET (sends a icmp-port-unreachable; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
# PROHIBIT (send an icmp-host-prohibited)
UDP_STOP="DROP"

# How to handle all other packet filtering? (icmp,arp,igmp)
#
# DROP (drop the packet)
# REJECT (reject the packet)
DSTOP="DROP"

# Set a reasonable packet/time ratio for ICMP packets; exceeding
# such packet flow ratio will result in dropped packets.
# pkt/s (packets/seconds), pkt/m (packets/minutes)
ICMP_LIM="12/s"

# Use a dynamic discovery routine to parse and create rules based
# on the local name servers defined in /etc/resolv.conf.
# [0 = Disabled / 1 = Enabled]
RESV_DNS="0"

# With RESV_DNS enabled; all untrusted name server traffic can fill
# the logs with sport 53 traffic. This can be suppressed with an
# implicit drop of all such traffic (sport 53 ingress) as so to avoid
# the log chain.
RESV_DNS_DROP="1"

# You need multicasting if you intend to participate in the MBONE, a
# high bandwidth network on top of the Internet which carries audio
# and video broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/,
# this is generally safe to enable. [0 = Disabled / 1 = Enabled]
BLK_MCATNET="0"

# Block all private ipv4 addresses; this is address space reserved
# for private networks; or otherwise unroutable on the internet.
# If this host resides behind a firewall with NAT or routing scheme
# that otherwise uses private addressing; leave this option off.
# Refer to the 'internals/private.networks' file for listing of
# address space. [0 = Disabled / 1 = Enabled]
BLK_PRVNET="0"

# Block all ipv4 address space marked reserved for future use or
# unassigned; such networks have no business communicating with us.
# However they may at some point become live address space. Refer to
# the 'internals/reserved.networks' file for listing of address space.
# [0 = Disabled / 1 = Enabled]
BLK_RESNET="0"

# These are sysctl hook changes to further harden the kernel from
# network attack trends by lowering standard time-out values and other
# time based packet responses. [0 = Disabled / 1 = Enabled]
SYSCTL_TCP="1"

# These are sysctl hook changes intended to help mitigate syn-flood
# attacks by lowering syn retry, syn backlog & syn time-out values.
# [0 = Disabled / 1 = Enabled]
SYSCTL_SYN="1"

# These are sysctl hook changes to provide protection from spoofed
# packets, and arp/route redirection. [0 = Disabled / 1 = Enabled]
SYSCTL_ROUTE="0"

# This sysctl hook will log all internal traffic that is otherwise
# not to/from a local interface and not multicast.
# [0 = Disabled / 1 = Enabled]
SYSCTL_LOGMARTIANS="0"

# This sysctl hook will allow you to enable or disable ECN support
# (Explicit Congestion Notification); this feature provides an
# improved method for congestion avoidance by allowing the network
# to mark packets for transmission later, rather than dropping them
# from the queue. [0 = Disabled / 1 = Enabled]
SYSCTL_ECN="0"

# This sysctl hook will allow you to enable or disable SynCookies
# support; this feature will send out a 'syn-cookie' when the syn
# backlog for a socket becomes overflowed. The cookie is used to
# interrupt the flow of syn transmissions with a hashed sequence
# number that must be correlated with the sending host. The hash
# is made up of the sending host address, packet flags etc...;
# if the sending host does not validate against the hash then the
# tcp hand-shake is terminated. [0 = Disabled / 1 = Enabled]
# Note: syncookies seriously violates TCP protocol and can result
# in serious degradation of some services (i.e. SMTP);
# visible not by you, but your clients and relays who are
# contacting your system.
SYSCTL_SYNCOOKIES="0"

# This sysctl hook will allow you to toggle Abort_On_Overflow support;
# This feature will help mitigate burst floods if a listening service
# is too slow to accept new connections. This option is an alternative
# for SynCookies and both should NEVER be enabled at once.
# [0 = Disabled / 1 = Enabled]
# Note: This option can harm clients contacting your system. Enable
# option only if you are sure that the listening daemon can not
# be tuned to accept connections faster.
SYSCTL_OVERFLOW="0"

# DShield.org's "block" list of top networks that have exhibited
# suspicious activity. [0 = Disabled / 1 = Enabled]
USE_DS="0"

# Import our ad.rules ban list generated by antidos;
# this is essentially a quick enable/disable feature for
# the insertion of such bans. [0 = Disabled / 1 = Enabled]
USE_AD="0"

# Common drop ports; these are implicit ports you do not want logged
# with the default drop chains. Format is comma separated and underscore
# separator for ranges (135_139). Ports are dropped and ignored for both
# TCP & UDP as well as inbound and outbound.
CDPORTS="53,135_139,111,161,199,513,445,1433,1434,1234,1524,31278"

##
# [Ingress]
# Configure ingress (inbound) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
#
# Example:
# IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
# IG_UDP_CPORTS="20,21,53,123"
# IG_ICMP_TYPES="3,5,11,0,30,8"
##

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="3097,21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

##
# [Egress]
# Configure egress (outbound) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory.
#
# Egress filtering is not required but makes your firewall setup complete
# by providing full inbound and outbound packet filtering. You can toggle
# egress filtering on or off with the EGF variable. Format is comma separated
# and underscore separator for ranges.
#
# Example:
# EG_TCP_CPORTS="21,25,80,443,43"
# EG_UDP_CPORTS="20,21,53"
# EG_ICMP_TYPES="all"
##

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="0"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"

##
# [Egress UID match]
# Configure user-id specific egress (outbound) port access. This is a
# more granular feature to limit the scope of egress packet flows with uid
# conditioning. Format is comma separated and underscore separator for ranges.
#
# Format: EG_[TCP|UDP]_UID="uid:port"
# Example:
# Allow outbound access to destination port 22 for uid 0
# EG_TCP_UID="0:22"
##

# UID-Match egress (outbound) TCP ports
EG_TCP_UID=""

# UID-Match egress (outbound) UDP ports
EG_UDP_UID=""

##
# [Logs]
# Log paths and control settings.
##

# Status log path
IPTLOG="/var/log/apf_log"

# Log TCP/UDP DROP chains [required for antidos]. Data logged to kernel log
# [often default is /var/log/messages]
DROP_LOG="1"

# Extended logging information; this forces the output of tcp options and
# ip options for packets passing through the log chains
EXLOG="1"

# Max firewall events to log per/minute. Log events exceeding these limits
# will be lost!
LRATE="45"

##
# [Import misc. vars]
##
#
# Internal vars file
CNFINT="$FWPATH/internals/internals.conf"
# Import internal vars file
. $CNFINT
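A small lint pass over the port lists in the pasted conf.apf, added here as an example and not part of APF or of the original post: the CDPORTS comment in the file says those ports are dropped for both TCP and UDP, inbound and outbound, so any port that also appears in an IG_ or EG_ list is worth flagging before restarting the firewall. The sample values are copied from the poster's file; the conflict and whitespace checks are my own assumptions about what is worth reporting.

```python
import re

# Constructed sample: the port-list lines from the poster's conf.apf above.
APF_CONF = """
CDPORTS="53,135_139,111,161,199,513,445,1433,1434,1234,1524,31278"
IG_TCP_CPORTS="3097,21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500"
IG_UDP_CPORTS="53"
EGF="0"
EG_TCP_CPORTS="21,25,80,443,43,2089"
EG_UDP_CPORTS="20,21,53"
"""

PORT_LISTS = ("IG_TCP_CPORTS", "IG_UDP_CPORTS", "EG_TCP_CPORTS", "EG_UDP_CPORTS")


def parse_ports(value):
    """Expand APF's comma list with underscore ranges ("135_139") into a set of ints."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "_" in item:
            lo, hi = item.split("_", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def read_conf(text):
    """Collect KEY="value" assignments from conf.apf text into a dict."""
    return dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))


def find_conflicts(text):
    """Return {list_name: [ports]} for ports that CDPORTS drops but an IG_/EG_ list allows."""
    conf = read_conf(text)
    common_drop = parse_ports(conf.get("CDPORTS", ""))
    conflicts = {}
    for key in PORT_LISTS:
        hit = sorted(common_drop & parse_ports(conf.get(key, "")))
        if hit:
            conflicts[key] = hit
    return conflicts


def lists_with_whitespace(text):
    """Port lists containing spaces; the documented format is comma separated only."""
    conf = read_conf(text)
    return [k for k in PORT_LISTS if re.search(r"\s", conf.get(k, ""))]


if __name__ == "__main__":
    print("CDPORTS conflicts:", find_conflicts(APF_CONF))
    print("lists with stray whitespace:", lists_with_whitespace(APF_CONF))
```

Run against the pasted values it reports port 53 in three allow lists while also sitting in CDPORTS, and flags the spaces inside IG_TCP_CPORTS.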
