CSF Firewall.

Hi chaps.

Has anyone used this?

http://www.configserver.com/cp/csf.html

According to a few people, it’s MUCH better than APF+BFD. What do you think? See if someone from the development team could answer this…

Any chance of getting a temporary licence for Interworx to test compatibility and crash a box without major problems to clients? Thanks!

Dan

Anyone can have ONE free single domain license for testing and development purposes. If you don’t have one or had yours updated to a full license when you bought or if you are not a direct client (bought from a reseller), contact sales at interworx.com and Greg will get you one ASAP

Please provide

Name
Company
Full Street Address (including city state, zip, country)
Telephone Number

Make sure to report back here telling us how it goes.

Thanks Tim, I do actually think I have one of those, so I’ll check and see how it goes…Anyone had any experience installing csf before? Any tips?

I want to run this firewall (CSF) on a server. So I had APF stopped via Nodeworx and turned off in chkconfig, installed and started CSF and then in Nodeworx, APF shows as started. So I stop it again via Nodeworx, restart CSF and then APF shows as started again. I cannot remove APF via rpm -e. It is still turned off in chkconfig.

Just wondering if both of these firewalls are running or if Nodeworx is just reading the iptables to show the status On, and then reading the port config in conf.apf because it shows different ports being open than what is in CSF config. I just want one firewall to run not both. :slight_smile:

Thanks.

You are correct. :slight_smile: Yes, we simply determine “Firewall On” by checking to see if there are rules defined in iptables. And, regardless of if APF is running or not, we read the conf.apf config for port information.
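The status check described above (rules present in iptables means “Firewall On”) is easy to reproduce, and reproducing it shows why it cannot tell APF from CSF. The following is an added example for this thread, not InterWorx, APF or CSF code. It reads iptables-save text from stdin; the chain names it looks for (TALLOW/TDENY/SANITY/RESV for APF, ALLOWIN/DENYIN/LOGDROPIN for CSF) are an assumption from memory of each tool’s rule set and should be checked against your own iptables-save output. The sample rule sets are constructed.

```shell
#!/bin/sh
# Added example, not InterWorx/APF/CSF code. Mimics a "rules exist in
# iptables" status check and then tries to guess which tool loaded the rules.

# Number of rule lines (-A ...) in iptables-save text. Chain policies such
# as ":INPUT DROP" alone do not count as rules for this check.
rule_count() {
    grep -c '^-A ' || true
}

# User-defined chains (":NAME - [0:0]"), one per line, sorted.
custom_chains() {
    awk '/^:/ && $2 == "-" { sub(/^:/, "", $1); print $1 }' | sort -u
}

# Classify loaded rules. Chain names are an assumption (see lead-in).
# Prints one of: off | apf | csf | both | unknown
fw_status() {
    saved=$(cat)
    if [ "$(printf '%s\n' "$saved" | rule_count)" -eq 0 ]; then
        echo off
        return 0
    fi
    chains=$(printf '%s\n' "$saved" | custom_chains)
    apf=0; csf=0
    for c in $chains; do
        case "$c" in
            TALLOW|TDENY|SANITY|RESV) apf=1 ;;
            ALLOWIN|DENYIN|LOGDROPIN) csf=1 ;;
        esac
    done
    case "$apf$csf" in
        11) echo both ;;
        10) echo apf ;;
        01) echo csf ;;
        *)  echo unknown ;;
    esac
}

# Constructed sample: CSF loaded while the APF service is stopped. A plain
# "any rules present?" check still reports the firewall as on.
SAMPLE_CSF='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ALLOWIN - [0:0]
:DENYIN - [0:0]
:LOGDROPIN - [0:0]
-A INPUT -j ALLOWIN
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROPIN
COMMIT'

# Constructed sample: both tools have left chains behind, the situation the
# poster above wants to avoid.
SAMPLE_BOTH='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:TALLOW - [0:0]
:ALLOWIN - [0:0]
-A INPUT -j TALLOW
-A INPUT -j ALLOWIN
COMMIT'

# Constructed sample: no rules loaded at all.
SAMPLE_EMPTY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Live use on a host (as root):  iptables-save | fw_status
```

Running `iptables-save | fw_status` on the box in question answers the actual question: if it prints `both`, the two rule sets are loaded at once and APF’s chains should be flushed (or the APF package removed) before trusting CSF’s view of open ports.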

The core of CSF firewall is a stripped down version of APF. From a firewalling stand point CSF provides far less features and default filter rules. So as it stands CSF will not provide you any greater firewalling protection. As to regards with lfd vs bfd, that is simply a matter of opinion but I can say BFD is undergoing a rewrite and if there is any undesirable pickles about it now, they will swiftly be washed away shortly.

As for APF, its current release is at 0.9.6-2 with some major improvements and fixes including new features such as Reactive Address Blocking (RAB).

http://www.r-fx.ca/apf.php
http://www.r-fx.ca/downloads/conf.apf.0.9.6-2
http://www.r-fx.ca/appdocs/CHANGELOG.apf.release

For the interworx dev guys, http://r-fx.ca/downloads/compat.0.9.5 is a list of the variables that have changed since 0.9.5. Likewise the packaged install.sh script will migrate older versions with success and retain the most vital config information such as port settings.

Thanks for the update, rfxn! That will be extremely useful for when we upgrade the APF package.

[QUOTE=rfxn;13334]The core of CSF firewall is a stripped down version of APF. From a firewalling stand point CSF provides far less features and default filter rules. So as it stands CSF will not provide you any greater firewalling protection. As to regards with lfd vs bfd, that is simply a matter of opinion but I can say BFD is undergoing a rewrite and if there is any undesirable pickles about it now, they will swiftly be washed away shortly.

As for APF, its current release is at 0.9.6-2 with some major improvements and fixes including new features such as Reactive Address Blocking (RAB).

http://www.r-fx.ca/apf.php
http://www.r-fx.ca/downloads/conf.apf.0.9.6-2
http://www.r-fx.ca/appdocs/CHANGELOG.apf.release

For the interworx dev guys, http://r-fx.ca/downloads/compat.0.9.5 is a list of the variables that have changed since 0.9.5. Likewise the packaged install.sh script will migrate older versions with success and retain the most vital config information such as port settings.[/QUOTE]

Hi rfxn

Cool to see you here!

Today there is a problem with the 0.9.5 APF firewall and an LVS cluster set up on a LAN with direct routing

Don’t know why exactly but even if ARP is blocked with sysconfig rules, it looks like APF does something with ARP requests and so I have some ARP packets on the nodes.
The result is that on the node, when APF is on, we lose requests and for example all MySQL requests (port 3306) from the node to the cluster manager are blocked. If I set APF off then it works

I have migrated a long time ago to APF 0.9.6.1 but the problem is the same

Do you think APF 0.9.6.2 is better to allow LVS direct routing on a LAN?

If I migrate from 0.9.6.1 to 0.9.6.2 do I have to use the compat?

I’d also like to say that Paul from Interworx knows these problems and could explain them better than me. My English is not so good!

Thanks a ton

Pascal

I also want to let everybody know that I have changed the way APF -a works

Today if a host is already in the allow_hosts_rules then nothing is done.

The problem was that we block all ssh/mysql connections from outside but allow some from the allow_hosts_rules, and some of these hosts don’t have a STATIC public IP!

We told them to use something like dyndns or no-ip services, and we do an APF -a with these domain names every hour

As the IP address changed but the domain is the same, our tweaked APF -a removes the host from iptables and allow_hosts_rules and then does a normal APF -a

basically we do something like this in an hourly cron job (the resolved address is substituted into the apf call):
apf -a $(host hostname.no-ip.info | awk '{print $4}') refresh-dynip

and in the apf scripts we track the refresh_dynip comments to do our stuff

If some of you are interested, ask and I’d give you the changes.

The best would be if rfx networks allowed this by default, something like APF -u, but just for the allow

Pascal

LFD rocks my socks! :slight_smile:

If you are upgrading APF just run the included install.sh script in the tar.gz and then review /etc/apf/conf.apf is all, the compat file is for the interworx dev guys.

As for your cluster issue, please check that the following option is disabled in conf.apf:

    # These are system control (sysctl) option changes to provide protection from
    # spoofed packets and ip/arp/route redirection. If you are performing advanced
    # routing policies on this host such as NAT/MASQ you should disable this.
    SYSCTL_ROUTE="0"

With regards to dynamic addresses, you can use the apf -u command to remove any trust rule based entry be it allow or deny entries. So for example if you have an address inside of allow_hosts.rules such as me.mydynip.com you can remove it with apf -u me.mydynip.com. The -u option will remove any matching trust rule from any of the trust files, was designed like that.

In the next APF release there will be specific trust files for handling dyn-ip host names that will update at user definable intervals however this release may not be for a few weeks yet.
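The hourly cron job Pascal describes and the apf -u removal rfxn points to fit together into one small refresh routine. The script below is an added example for this thread, not APF’s own code and not Pascal’s patch: it resolves the dynamic name, and only when the address has changed does it remove the stale entry with apf -u and add the new one with apf -a, tagged with a comment so it can be told apart from hand-added hosts. Assumptions: a cache directory of our own choosing (/var/lib/apf-dynip) holds the last-seen address; getent ahostsv4 is available for resolution; the apf binary is in PATH and accepts a trailing comment on -a as in the cron line above.

```shell
#!/bin/sh
# Added example, not APF code. Refresh the allow rule for one dynamic-DNS
# host name: resolve it, and if the address moved, drop the old entry with
# "apf -u" before adding the new address with "apf -a".

STATE_DIR="${STATE_DIR:-/var/lib/apf-dynip}"   # assumed cache location, not an APF path

# First IPv4 address of a host name; prints nothing and exits 1 if unresolvable.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }' \
        | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Thin wrapper so the real apf binary can be swapped for a stub when testing.
apf_cmd() {
    apf "$@"
}

# refresh_dynip HOSTNAME
# Prints one of: unchanged | added | replaced | unresolved (exit 1 on unresolved).
refresh_dynip() {
    name="$1"
    cache="$STATE_DIR/$name.ip"
    new_ip=$(resolve_ipv4 "$name") || new_ip=""
    if [ -z "$new_ip" ]; then
        # DNS hiccup: keep whatever rule is loaded rather than tearing it down.
        echo unresolved
        return 1
    fi
    old_ip=""
    [ -f "$cache" ] && old_ip=$(cat "$cache")
    if [ "$old_ip" = "$new_ip" ]; then
        echo unchanged
        return 0
    fi
    if [ -n "$old_ip" ]; then
        # Address changed: remove the stale trust rule from the trust files
        # and the live rule set (what apf -u does, per rfxn above).
        apf_cmd -u "$old_ip" >/dev/null
        action=replaced
    else
        action=added
    fi
    # Comment tag lets these entries be recognised later (cf. "refresh-dynip").
    apf_cmd -a "$new_ip" "refresh_dynip:$name" >/dev/null
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$new_ip" > "$cache"
    echo "$action"
}

# Hourly cron usage (as root):  refresh_dynip hostname.no-ip.info
```

Caching the last-seen address is what makes the removal reliable: once DNS has moved on, the old address is no longer discoverable from the name, so it has to be remembered locally to be revoked. Treating a failed lookup as “do nothing” avoids locking the remote admin out because of a transient resolver error.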

[QUOTE=rfxn;13363]If you are upgrading APF just run the included install.sh script in the tar.gz and then review /etc/apf/conf.apf is all, the compat file is for the interworx dev guys.

As for your cluster issue, please check that the following option is disabled in conf.apf:

    # These are system control (sysctl) option changes to provide protection from
    # spoofed packets and ip/arp/route redirection. If you are performing advanced
    # routing policies on this host such as NAT/MASQ you should disable this.
    SYSCTL_ROUTE="0"[/QUOTE]

It is!

On the node we have set minimal APF settings

PKT_SANITY="1"
PKT_SANITY_INV="0"
PKT_SANITY_FUDP="1"
PKT_SANITY_PZERO="1"
PKT_SANITY_STUFFED="0"
RESV_DNS="1"
RESV_DNS_DROP="1"
BLK_P2P="1"
BLK_MCATNET="1"
BLK_PRVNET="0"
BLK_RESNET="0"
BLK_IDENT="1"
SYSCTL_CONNTRACK="64480"
SYSCTL_TCP="1"
SYSCTL_SYN="1"
SYSCTL_ROUTE="0"
SYSCTL_LOGMARTIANS="0"
SYSCTL_ECN="0"
SYSCTL_SYNCOOKIES="0"
SYSCTL_OVERFLOW="0"

I know that Paul could explain much better than me what is going on with the ARP and what exactly happens when we set APF on a node (only with a LAN direct routing cluster and only on the node)

Pascal