| Option | Change | Description |
|---|---|---|
| DEVM | Yes | When set to "1", a 5-minute cron job is installed that flushes the firewall. When first configuring your firewall, leave this enabled ("1"); once you are sure everything is set up properly, set it to disabled ("0"). |
| FWPATH | Rarely | Path of the firewall installation. Rarely do you have to change this value. |
| IF | Sometimes | Network interface to firewall. If the interface you wish to firewall is not 'eth0', change this to the correct interface. |
| MONOKERN | Rarely | Support monolithic kernel builds (no LKMs). Change this value if iptables is not compiled as a module (that is, if you have iptables installed and APF complains about iptables without setting up the firewall). |
| TCP_STOP | Rarely | How to handle TCP packet filtering. Leave this value as "DROP". |
| UDP_STOP | Rarely | How to handle UDP packet filtering. Leave this value as "DROP". |
| DSTOP | Rarely | How to handle all other packet filtering. Leave this value as "DROP". |
| ICMP_LIM | Rarely | Packet/time ratio for ICMP packets before packets are dropped. If there is a chance that a host may legitimately ping you more frequently, you may need to change this value. This option reduces the amount of traffic sent out if someone attacks you through ICMP. |
| BLK_MCATNET | Yes | Block multicasting. Unless you need multicasting, set this to enabled ("1"), just in case. |
| BLK_PRVNET | Yes | Block all private IPv4 addresses. Unless the server resides behind a firewall with NAT, enable ("1") this. Enabling it reduces the chance of spoofing attacks. |
| BLK_RESNET | Sometimes | Block all IPv4 address space marked reserved for future use. Some of the address space listed may become live IPs, so either enable ("1") it and make sure your '/etc/apf/internals/reserved.networks' file is up to date, or just leave it disabled ("0"). |
| USE_DS | Sometimes | Use DShield.org's "block" list of top networks that have exhibited suspicious activity. This is a list of the top 20 attacking class C subnets over a 3-day period. It is safe to enable ("1") this option. If you are interested in seeing the list, you can find it at http://feeds.dshield.org/block.txt |
| USE_AD | Sometimes | Import the ad.rules ban list generated by antidos. This essentially enables the antidos section of the APF firewall and requires you to modify the '/etc/apf/ad/conf.antidos' file. |
| CDPORTS | Sometimes | Common drop ports; these ports do not get logged. |

Ingress (inbound)

| Option | Change | Description |
|---|---|---|
| IG_TCP_CPORTS | Yes | Common ingress (inbound) TCP ports. The default value is 22 (SSH port). You may want to add (separated by a comma ','): FTP (21), DNS (53), HTTP (80), HTTP SSL (443), SMTP (25) / SSL (465), POP (110) / SSL (995), IMAP (143) / SSL (993), cPanel (2082) / SSL (2083), WHM (2086) / SSL (2087), cPanel WebMail (2095) / SSL (2096), and a range for FTP connections (6000_7000). A range is written with a '_' character (e.g. 6000_7000). For a more complete list of ports and the services on them, check your '/etc/services' file. |
| IG_UDP_CPORTS | Yes | Common ingress (inbound) UDP ports. The default value is empty. You may want to add (separated by a comma ','): FTP data port (20), FTP (21), DNS (53). A range is written with a '_' character (e.g. 6000_7000). For a more complete list of ports and the services on them, check your '/etc/services' file. |
| IG_ICMP_CPORTS | Sometimes | Common inbound ICMP types. The default value should be enough, but if you want to block certain ICMP types, look at the '/etc/apf/internals/icmp.types' file to find out what each code means. |

Egress (outbound)

| Option | Change | Description |
|---|---|---|
| EGF | Sometimes | Egress filtering [0 = Disabled / 1 = Enabled]. If you wish to enable egress filtering, set this to enabled ("1"). If you set it to disabled, skip the rest of the Egress section. Egress filtering blocks all outgoing ports, so the server will only be able to connect outwards on the ports listed in the next variables. |
| EG_TCP_CPORTS | Sometimes | Common egress (outbound) TCP ports. The FAQ section on the cPanel website suggests the following ports: 21, 25, 26, 37, 43, 53, 80, 113, 465, 873, 2089, 3306 (873 and 2089 are supposedly used by the cPanel update script). For a more complete list of ports and the services on them, check your '/etc/services' file. |
| EG_UDP_CPORTS | Sometimes | Common egress (outbound) UDP ports. The FAQ section on the cPanel website suggests the following ports: 20, 21, 53, 465, 873 (873 is supposedly used by the cPanel update script). For a more complete list of ports and the services on them, check your '/etc/services' file. |
| EG_ICMP_CPORTS | Sometimes | Common outbound ICMP types. The default value should be enough, but if you want to block certain ICMP types, look at the '/etc/apf/internals/icmp.types' file to find out what each code means. |

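The port-list syntax used by IG_TCP_CPORTS, IG_UDP_CPORTS, EG_TCP_CPORTS and EG_UDP_CPORTS (comma-separated entries, '_' for a range) is easy to get wrong, and a malformed entry is only noticed after the rules are loaded. The following is an added example, not APF's own code: a small Python parser for that syntax that rejects typos such as a '-' range separator or a trailing comma, and renders each entry as the equivalent iptables --dport match so a list can be reviewed before it is applied. The function names and the ingress = INPUT / egress = OUTPUT chain mapping are assumptions made for the illustration; the sample values are the ones the table suggests.

```python
"""Parse the APF port-list syntax ('22,80,443,6000_7000') and show the
iptables --dport match each entry corresponds to.

Added illustration, not APF's own code. It assumes only the syntax the
configuration table describes: entries separated by ',' and a range
written as low_high (e.g. 6000_7000).
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PortSpec:
    low: int
    high: int  # equal to low for a single port

    def iptables_match(self) -> str:
        # iptables writes a port range as low:high, e.g. --dport 6000:7000
        if self.low == self.high:
            return str(self.low)
        return f"{self.low}:{self.high}"


def parse_port_list(spec: str) -> List[PortSpec]:
    """Parse an IG_*/EG_*_CPORTS value.

    An empty value means 'no ports' (the IG_UDP_CPORTS default). Malformed
    entries raise ValueError so a typo such as '6000-7000' (wrong range
    separator) or a trailing comma is caught before rules are loaded.
    """
    spec = spec.strip()
    if not spec:
        return []
    ports: List[PortSpec] = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty entry in port list {spec!r}")
        low_s, sep, high_s = item.partition("_")
        if not low_s.isdigit() or (sep and not high_s.isdigit()):
            raise ValueError(f"malformed port entry {item!r}")
        low = int(low_s)
        high = int(high_s) if sep else low
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError(f"port out of range in {item!r}")
        if low > high:
            raise ValueError(f"inverted range {item!r}")
        ports.append(PortSpec(low, high))
    return ports


def is_valid_port_list(spec: str) -> bool:
    """True if parse_port_list() accepts the value."""
    try:
        parse_port_list(spec)
        return True
    except ValueError:
        return False


def render_accept_rules(direction: str, proto: str, spec: str) -> List[str]:
    """Render one ACCEPT rule per entry so the list can be reviewed.

    direction is 'ingress' (INPUT chain) or 'egress' (OUTPUT chain); the
    chain mapping is an assumption made for this illustration, not APF's
    rule layout.
    """
    chain = {"ingress": "INPUT", "egress": "OUTPUT"}[direction]
    return [
        f"iptables -A {chain} -p {proto} --dport {p.iptables_match()} -j ACCEPT"
        for p in parse_port_list(spec)
    ]


if __name__ == "__main__":
    # Constructed sample values, mirroring the table's suggestions.
    for line in render_accept_rules("ingress", "tcp", "22,80,443,6000_7000"):
        print(line)
    for line in render_accept_rules("egress", "udp", "20,21,53,465,873"):
        print(line)
```

Running the block prints one rule per entry, which makes it obvious when a range such as 6000_7000 opens far more than intended; is_valid_port_list() can be dropped into a pre-commit or deployment check for conf.apf.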
Log paths and control settings

| Option | Change | Description |
|---|---|---|
| IPTLOG | Rarely | Status log path: the location and file name of the log file to be used. |
| DROP_LOG | Rarely | Log TCP/UDP DROP chains (required for antidos); data is logged to the kernel log. The default of enabled ("1") should be good for most situations, unless you do not want your kernel log file clogged with this type of data. Remember, this must be enabled if you enable antidos. |
| LRATE | Rarely | Maximum firewall events to log per minute; log events exceeding this limit will be lost. The default value should be sufficient. Altering this value may alter the efficiency of antidos. |
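Several of the options above only make sense in combination: DEVM must end up at "0" or the cron job keeps flushing the rules, USE_AD depends on DROP_LOG, and enabling EGF with an empty EG_TCP_CPORTS cuts off every outbound TCP connection. The following is an added example, not part of the page or of APF's own tooling: a consistency check that reads a conf.apf-style file and reports those combinations (plus an empty IG_TCP_CPORTS, which would lock out remote access once DEVM is turned off). It assumes the file consists of shell-style KEY="value" lines with '#' comments; the sample configuration is constructed for the example.

```python
"""Consistency check for a conf.apf-style configuration.

Added illustration, not APF's own tooling. Assumes the file is made of
shell-style KEY="value" lines (comments start with '#'); the sample
configuration below is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# KEY="value" or KEY=value; a trailing '# comment' after a bare value is ignored.
_LINE_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|([^\s#"]*))')

SAMPLE_CONF = """\
# constructed sample, not a real conf.apf
DEVM="1"
IF="eth0"
USE_AD="1"
DROP_LOG="0"
EGF="1"
IG_TCP_CPORTS="22,80,443"
EG_TCP_CPORTS=""
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Return the KEY -> value mapping; later definitions override earlier ones."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            quoted, bare = m.group(2), m.group(3)
            conf[m.group(1)] = quoted if quoted is not None else bare
    return conf


def lint_apf(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag the option combinations the configuration table warns about.

    Returns (code, message) pairs; an empty list means nothing was found.
    """
    findings: List[Tuple[str, str]] = []
    if conf.get("DEVM") == "1":
        findings.append(("DEVM_ON",
            "DEVM=1: the 5-minute cron job keeps flushing the firewall; "
            "set it to 0 once the rule set is verified"))
    if conf.get("USE_AD") == "1" and conf.get("DROP_LOG") != "1":
        findings.append(("ANTIDOS_NEEDS_DROP_LOG",
            "USE_AD=1 requires DROP_LOG=1 (antidos depends on the logged DROP chains)"))
    if conf.get("EGF") == "1" and not conf.get("EG_TCP_CPORTS", "").strip():
        findings.append(("EGRESS_NO_TCP",
            "EGF=1 with an empty EG_TCP_CPORTS blocks every outbound TCP connection"))
    if not conf.get("IG_TCP_CPORTS", "").strip():
        findings.append(("NO_INBOUND_TCP",
            "IG_TCP_CPORTS is empty: no inbound TCP port (e.g. SSH on 22) is allowed, "
            "so remote access is lost once DEVM is set to 0"))
    return findings


def lint_text(text: str) -> List[str]:
    """Convenience wrapper returning just the finding codes for a config text."""
    return [code for code, _ in lint_apf(parse_conf(text))]


if __name__ == "__main__":
    for code, message in lint_apf(parse_conf(SAMPLE_CONF)):
        print(f"{code}: {message}")
```

On the constructed sample the check reports DEVM_ON, ANTIDOS_NEEDS_DROP_LOG and EGRESS_NO_TCP; run it against the real file (for example from a change-management hook) before the DEVM switch to "0" makes the rule set permanent.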