apf-9.7-1/0000750000000000000000000000000011157715543010777 5ustar rootrootapf-9.7-1/CHANGELOG0000640000000000000000000010717611157713715012225 0ustar rootroot- 9.7 (rev:1) [Fix] added stricter checking of local addresses in the trust system [Fix] if wget disappears while remote rules are being fetched it can cause apf to panic and drop all packets - 9.6 (rev:5) [Change] refresh function now stores old rules in temporary chain while new rules load, temporary chain is cleared upon completion of function [Change] renamed drop list related functions for better consistency [New] added projecthoneypot aggregated block list for harvesters, spammers and dictionary attackers, see conf.apf option DLIST_PHP [Change] all remote drop lists in conf.apf have had variables renamed as DLIST_ [Change] more changes to cli_trust_remove() to better handle rule deletion from all trust chains relative to line number based removals [Fix] issue with cli_trust_remove() was not deleting trust rules in all situations (rev:4) [Change] install.sh will now check against init.d and rc.d/init.d and as a last resort set apf to start from /etc/rc.local [Fix] changed the cron.daily entry to use /etc/apf/apf instead of init script [Fix] Ubntu Linux has changed default pointer of /bin/sh to /bin/dash instead of the traditional /bin/bash, as such for POSIX standards and compat. reasons, all internal pointers to /bin/sh have been updated to /bin/bash [New] Versioning scheme changed as follows: - RELEASE#.VERSION#-REVISION# - 0.9.6-3 becomes 9.6-4 - 5 revisions per version cycle - 10 versions per release cycle - The old versioning scheme had no real value and had become a never ending release tree - 0.9.6 (rev:3) [Fix] the cli_trust_remove() function was not checking global trust rules before passing allow/deny addresses onto the firewall which caused conflicting trust data if the same address was present in more than a single rule file [New] added SET_REFRESH to conf.apf which controls the rate at which trust rules are automatically refreshed, defaults to 10 minutes [New] added SET_TRIM to conf.apf which controls the max allowed entries in the deny trust system, defaults to 50 lines [New] added -e|--refresh flag to apf command that is used to flush & refresh the (global)trust system chains, this will also re-download any global rules and re-resolve any DNS names in the rules [Change] the cli_trust_remove() function has been updated to support the new (global)trust system chains [Change] modified the trust system to load rules into specific chains to better support dynamic refreshing of the rules, the new chains are as follows TALLOW TDENY (standard trust) TGALLOW TGDENY (global trust) [Fix] the cli_trust_remove() function was not using the ALL_STOP variable when matching rules in the firewall for removal, would fail if ALL_STOP was set to anything other than default value [Change] set SYSCTL_ROUTE to default off as it was causing issues with VPS installations [Fix] RAB_LOG_HIT was being enabled even with RAB parent variable disabled causing some noise in the logs [Fix] the p2p drop chains are now implicit that the client side ports must be high ports (1024+) before a drop takes place [Fix] the HELPER_SSH and HELPER_FTP variables in conf.apf were not referenced by the correct variable name in the back end [Change] more netfilter module renaming in 2.6.20+, the ip_conntrack_* modules are now known as nf_conntract_* - compatibility support added [this was a silent compatibility change in previous 0.9.6-2 release] [Change] more complete preload list for iptables modules added [Fix] cli_trust_remove() now better handles situations where addresses appear in multiple trust files [Change] appended /dev/null stdout redirects onto apf calls in the init script to prevent verbose output during boot/init operations [Fix] added a check routine to the fast load feature so snapshots are no longer saved when there are no iptables chains loaded (i.e: double run apf -f) [Change] scrub of APF to remove all ties to antidos, the antidos subsystem has been removed and will be replaced with expanded RAB features [Change] very extensive updates to the README.apf file [Change] a_cli_tr() and d_cli_tr() functions renamed to cli_trust_allow() and cli_trust_deny() [Change] the --unban command flag has been changed to --remove with the former silently being preserved for compatibility [Change] unban() function renamed to cli_trust_remove() [Fix] the optional comment string on --allow|-a and --deny|-d was being cut short in certain circumstances [Change] force disable fast load when devel mode is enabled [Change] cron.daily entry for apf restart has been changed from 'fw' to 'apf', the install.sh will now remove old file and replace with the new [New] added ability to log RAB HIT and TRIP events with variables RAB_LOG_HIT and RAB_LOG_TRIP [Change] reserved.networks file now dynamically updated on the r-fx server daily from http://www.iana.org/assignments/ipv4-address-space (rev:2) [New] added Reactive Address Blocking (RAB), see conf.apf RAB section for detailed information [Change] removed BLK_P2P variable, BLK_P2P_PORTS now self activating string where if no values defined then the feature is simply disabled [Change] modified clamp-mss-to-pmtu rule to load earlier in the firewall [Change] SYSCTL_TCP now sets tcp_sack, tcp_dsack and tcp_fack enabled for more reliable connections, especially over otherwise unreliable links [Fix] SYSCTL_TCP was setting tcp_fin_timeout to an inordinately high value, this was not "that" dangerous as this value only controls FIN-WAIT-2 socket states which eat a maximum of 1.5k of memory - was just bad form [New] added USE_ECNSHAME to set postrouting rules to turn off ECN while communicating with hosts that have known broken TCP/IP implementations from the ECN SHAME list, dependant on SYSCTL_ECN being enabled [Change] structural format of conf.apf modified slightly along with a number of the variable descriptions reworded or expanded [Change] reworded some of the usage descriptions on the apf command [Fix] dns discover chain expanded as some applications such as wget had issues resolving hostnames in isolated situations - to compensate for the relaxed security, packet states on DNS requests are more strictly enforced [Fix] extended tcp/ip packet header logging would only apply to the default drop chains and not custom drop chains like dshield [New] md5sum validation of *.rule & *.networks files for fast load expiration on detected file changes [New] added SET_VERBOSE option to conf.apf to allow for displaying of status log to the console as firewall is used [Change] most rule restrictions against the in/out interfaces have been lifted to better accommodate the SET_ADDIFACE feature [Change] the conf.apf description for the dshield block list has been expanded [New] added Spamhaus Don't Route Or Peer List (DROP), USE_DROP var added to conf.apf with detailed description [Fix] bt.rules referenced an out of date drop target, replaced with ALL_STOP [Change] set BLK_RESNET enabled by default in conf.apf [Change] the conf.apf description of PKT_SANITY_STUFFED var has long been lacking, it has now been more clearly described [Change] set PKT_SANITY_STUFFED enabled by default in conf.apf [Change] set TOS 8 on ports 21,20,80, set TOS 16 on ports 25,110,143 [Change] TOS_DEF_TOS variable changed to TOS_DEF [Fix] the dshield chain was not properly logging under certain circumstances [Change] created line spaces between (rev:#) statements under the same release tree in CHANGELOG file [Fix] install.sh would under certain circumstances create the apf.bk.last link to the incorrect previous APF version causing importconf script to import options from an earlier version than your last version [Fix] typo in the apf command usage help display of --ovars [Change] init script used an old custom flush routine on stops, now set to use the apf flush() function [New] fast load feature added that allows APF to load rules from saved snapshot using iptables-save/restore commands [Fix] some apf operations that would output data to the log file were not properly stating the subsystem they were called from [Fix] the VF_LGATE feature was trying to turn on even when disabled, this had no real implication other than an empty chain being created - just messy [Fix] the P2P block rules were not part of a chain and had no capacity to log like other block rules [Change] all custom filtering chains have been redesigned for more efficent packet flow patterns - this also makes the apf -l (iptables -L) output MUCH cleaner and opens up more feature possibilities in the future [Change] LOG_IA chain updated to reflect HELPER_SSH_PORT value [New] vnet rules now created for addresses on interfaces other than those set by IFACE_* vars - added SET_ADDIFACE to conf.apf for toggling - detailed description of this feature in conf.apf caption for the var [Change] vnet rules now skipped for addresses no longer bound to interfaces [Fix] updated functions.apf to accommodate ipt_state/ipt_multiport now known as xt_ in kern 2.6.15+ [Change] replace DSTOP target with ALL_STOP, antidos and conf.apf updated [Change] modified the statful connection helper chains for SSH and FTP to be togglable through conf.apf as HELPER_SSH/HELPER_FTP - also makes APF more portable when you desire to change these service ports [Fix] The variable naming scheme for interfaces was inconsistent in some rule files, although the old variables for interfaces are backward compatible - it just looks better when things appear as intended [Fix] removed default drops in reserved.networks for now in use networks, these changes auto-propigate to APF installs from the US_RD feature: 7/8 ARIN 46/8 RELIST IANA RESERVED 77/8 RIPE 78/8 RIPE 79/8 RIPE 92/8 RIPE 93/8 RIPE 96/8 ARIN 97/8 ARIN 98/8 ARIN 99/8 ARIN 116/8 APNIC 117/8 APNIC 118/8 APNIC 119/8 APNIC 120/8 APNIC [Change] replace the common drop var CDPORTS with BLK_PORTS, conf.apf updated [Fix] added the missing LOG_DROP/LOG_ACCEPT log prefix onto LD/LA chain targets (rev:1) [New] added unban() function with -u|--unban run flag to unban hosts and remove from rule files/active running firewall [Change] changed RESV_DNS to default enabled [New] added NETBLOCK/NETBLOCK_MASK to conf.antidos for toggling the already in-place feature of banning all seen ip's on the same /24 subnet of an attacking ip; default set to disabled now [Change] modified icmp rate limiting to have a disabled toggle [New] added resnet_download() function to keep reserved.networks updated [Change] modified sanity chains to be more granular for conf.apf toggles; as such the following variable options have been added: PKT_SANITY PKT_SANITY_INV PKT_SANITY_FUDP PKT_SANITY_PZERO PKT_SANITY_STUFFED [Fix] trust system allow function a_cli_tr() for cli banning; rules added only for tcp; removed protocol option from rule [Change] functions gd,ga renamed glob_allow|deny_download [Change] modified traceroute specific rules to have conf.apf toggle var TCR_* [Change] forced ip whois to search only for abuse address [Change] moved ip whois code in antidos; less repetitive [Fix] removed default drops in reserved.networks for now in use networks, these changes auto-propigate to APF installs from the US_RD feature: 041/8 AFRINIC 058/8 APNIC 059/8 APNIC 073/8 ARIN 074/8 ARIN 075/8 ARIN 076/8 ARIN 189/8 LACNIC 190/8 LACNIC [New] added LOG_LEVEL var to conf.apf to denote logging level of firewall logs; all log chains throughout the project have been updated to reflect this feature as applicable [Change] DROP_LOG var in conf.apf changed to LOG_DROP [Change] LGATE_LOG var in conf.apf changed to LOG_LGATE [Change] EXLOG var in conf.apf changed to LOG_EXT [Change] IPTLOG var in conf.apf changed to LOG_APF [Change] LRATE var in conf.apf change to LOG_RATE [Change] renamed README to README.apf [Change] FWPATH var in conf.apf changed to INSTALL_PATH [Fix] removed default drops in reserved.networks for the following netblocks: 089/8 RIPE NCC 090/8 RIPE NCC 091/8 RIPE NCC [Change] DEVM var in conf.apf changed to DEVEL_MODE [Change] EN_VNET var in conf.apf changed to SET_VNET [Change] MONOKERN var in conf.apf changed to SET_MONOKERN [Fix] more /tmp cleanups to prevent possible race conditions [Change] importconf script now copies itself to extras/ folder post-install [Change] changed short switch -st to -t; -st preserved for compat but no longer documented or printed in help output [New] added -o|--ovars to output all configured variables for debug purposes [Fix] INVALID state check removed from postrouting chain [Change] modified a/d_cli_tr to keep comments within single line [New] expanded p2p blocks; conf.apf var BLK_P2P & BLK_P2P_PORTS [Change] increased verbosity of a number of rules to status log [Change] modified sanity bt filters, more verbose status log [Change] moved bulk of TOS declarations in pre/postrouting.rules into functions [New] expanded TOS routines, new TOS_* vars added to conf.apf [New] added conf.apf var to change the default log target; LOG_TARGET [Fix] dshield.org changed block list to feeds.dshield.org/top10-2.txt [Change] changed ordering of version history (this file); revisions now list in reverse order from latest to oldest revision [New] added chain targets GTA,GTD,TA,GD for allocating trust rules to more organized chain policies; will also facilitate features to reload trusts [Change] added OUTPUT reject targets for ident if not opened in *_TCP_CPORTS [New] added SF_TY var to conf.antidos in order to define tcp connection states to look for as syn-flood attacks [Fix] removed default drop of 58-59/8 in reserved.networks 058/8 Apr 04 APNIC 059/8 Apr 04 APNIC - 0.9.5 (rev:1) [Fix] removed default drop of 124-126/8 in reserved.networks 124/8 Jan 05 APNIC 125/8 Jan 05 APNIC 126/8 Jan 05 APNIC [New] added auto-commenting of all allow/deny trust rules with date & time along with custom comment feature as an argument on bans (i.e: apf -a 1.2.1.2 "home lan") [New] added postroute.rules to correspond with preroute.rules TOS settings [Change] modified *route.rules to declare in/out interface in rules [New] added in remote download feature for glob_allow/deny.rules [Change] changed many conf.apf default settings, reverted many options disabled till end user reads/enables the options [New] created importconf script that imports critical conf.apf options from previous install; also copy's trust rules and conf.antidos [Fix] modified RESV_DNS option to ignore # characters in /etc/resolv.conf - 0.9.4 (rev:8) [New] added filter rules for edonky,kazaa,morpheus; recent php-injection exploits install p2p pirating clients [Change] removed UID 0 checks from firewall/apf script, irrelivent as perms enforce root-only access [Fix] chmod permissions on top-level /etc/apf were set 755; changed to 750 [New] global trust rules created; glob_allow/deny.rules, appropriate for an external/maintained ban list [Change] modified install.sh to symlink apf.bk.$UTIME too /etc/apf.bk.last/ (rev:7) [New] added SYSCTL_CONNTRACK var to conf.apf; relative to ip_conntrack_max [Fix] removed default drop of 085-088/8 in reserved.networks 071/8 Aug 04 ARIN (whois.arin.net) 072/8 Aug 04 ARIN (whois.arin.net) 085/8 Apr 04 RIPE NCC (whois.ripe.net) 086/8 Apr 04 RIPE NCC (whois.ripe.net) 087/8 Apr 04 RIPE NCC (whois.ripe.net) 088/8 Apr 04 RIPE NCC (whois.ripe.net) (rev:6) [Fix] cports.common, EGF_UID; error in multi-port routine [Change] modified conf.antidos default values (rev:5) [Change] revised all log chains that did not conform too the DROP_LOG toggle [Change] revised invalid tcp flag order drop rules; into IN/OUT_SANITY chain [Change] merged ingress nmap style scan drop rules; into IN_SANITY chain [Change] revised install.sh script; more verbose install output [Fix] trust based CLI rule insertion cross validates trust files too prevent duplicate/conflicting entries; previously only checked respective mode file (deny file for deny insertions and allow for allow insertions) [Fix] direct path too 'ip' binary was not specified in vnetgen script [Fix] 'stat' command not compatible with debian, replaced with use of 'ls' [Change] cleanup ifconfig/ip binary inconsistencies; revised fallback support between 'ip' & 'ifconfig' [Fix] vnetgen.def referenced invalid storage variable for ip information (rev:4) [Fix] removed default drop of 70/8 in reserved.networks 070/8 Jan 04 ARIN (whois.arin.net) [Fix] fixed outgoing traceroute requests [New] added uid-match egress filtering routine (rev:3) [Fix] invalid wildcard destination address when EN_VNET=0 for cports routine [Fix] sysctl.rules output redirected to /dev/null [Fix] missing '"' (SYSCTL_ROUTE="0) in conf.apf [Change] revised LGATE_MAC routine; added run-time log output for successful loading of the routine. revised logging options for the routine & created an independent log/reject chain for forign MAC addresses. [New] added LGATE_LOG option to toggle forign gateway mac logging (rev:2) [Change] updated ad/tlog; structure cleanup [Change] revised ignore facility for antidos [Fix] corrected protocol missing error in untrusted name server drop chain [Change] added get_ports script to generate in-use ports list during install [Fix] corrected output redirect for antidos lock routine to antidos log file [Fix] set install script to set mode 750 ad/tlog [Fix] corrected log prefix for lock routine in antidos [Fix] identify IN/OUT_IF and declare identified ip in apf_log during init [Fix] addressed issues with local ip discovery on ipv6-enabled systems [Change] added fallback from 'ip' to 'ifconfig' binary for local ip discovery of aliased interafaces in vnet/vnetgen [Change] moved get_ports into extras/ path [Change] added traceroute (33434_33450) to common drop ports [Fix] fixed egress established/related connection rules [New] added EN_VNET var to conf.apf for global toggle of vnet sub-system [Change] modified sysctl.rules; reorganized for tcp, syn, routing, & misc. settings. Disabled syncookies; incrased ip_conntrack_mx. [Change] various entries added to sysctl.rules and/or modified entries. [New] added SYSCTL_TCP SYSCTL_SYN SYSCTL_ROUTE SYSCTL_LOGMARTIANS SYSCTL_ECN SYSCTL_SYNCOOKIES SYSCTL_OVERFLOW vars to conf.apf for sysctl seperation. [Change] revised DEVM so when enabled; log and output warnings are issued. (rev:1) [Fix] modified internals.conf and vnetgen script to be explicit for ipv4 only with ip-fetch routines [New] added multiple interface support with seperation of trusted and untrusted interfaces [Change] revised majority of firewall rules to be explicit for untrusted interface only [New] added extended logging support; logchains can output tcp/ip options using EXLOG var in conf.apf [Fix] DET_SF routine was not parsing ignore file while fetching syn info. - 0.9.3 (rev:5) [New] added tlog script to antidos; track log length; instead of 'tail -n' [New] added lockfile feature to antidos [Fix] added cl_cports function to clear any set cport values between rule files [Fix] export call to PATH var; typo as 'export $PATH' instead of 'export PATH' [New] added check routines for support of linux 2.6 module extentions (.ko); thanks to mmontgomery@theplanet.com [Change] removed use of unclean module; deprecated and breaks ECN [Change] removed calls to 'vnetgen' from apf init script [Change] revised default drop policy rules [New] added RESV_DNS var to conf.apf for dns discovery routine (rev:4) [Change] removed fwmark preroute rules [Change] oversight typo in deny_hosts.rules [Change] reformated sysctl.conf; added GEN_SYSCTL & HARDEN_SYSCTL to conf.apf [Change] revised high port connection fixes [New] dynamic discovery of local resolv.conf nameservers/specific dns rules to such resolv ip's [New] added load check/load 12 run-cap; antidos [Change] removed bandmin execution from cron.daily event; apf already has an internal function to execute bandmin on start sequence [Change] added check-routines to --status for pico, nano and vi as editor (rev:3) [Fix] corrected ip mask in private.networks file; 128.66.0.0/8 -> /16 (rev:2) [Fix] attempted fix of certian state connection fixes [Fix] misplaced '-i $IF' statment in certian rules; results 'lo' if being logged [Change] enforced log chains against $IF device [Fix] error in EG_ICMP_TYPES routine; failed to check if EGF is set [Change] modified default CDPORTS [Change] more sanity checks added to bd.rules; for smurf style attacks (rev:1) [Change] trimmed down firewall code, refined rules, removed duplicate rules [Fix] revised help() output [Fix] typo in the accepted cli arguments for stop & start [Change] all references to r-fx.net changed to r-fx.org [Fix] default drop of ports 137-139 set to tcp & udp (was only tcp by mistake) [Change] renamed addons/ folder to extras/ [Change] added a bit more error checking to install script [Change] exported bulk of operations to functions in 'internals/functions.apf' [Change] removed unroutable net filtering rules; replaced with a more intuitive stand-in that has conf.apf options for mcast,private net, & reserved [Change] refined the cports code; exported to 'internals/cports.common' [New] reimplamented ICMP rate limiting; ICMP_LIM; conf.apf [New] IG/EG_ICMP_TYPES; similar to CPORTS only accepts ICMP types (0-255) [New] IG/EG_* options can now be defined in individual vnet rules [New] filter style for TCP/UDP packet filtering; TCP_STOP, UDP_STOP; conf.apf [New] added RESET/PROHIBIT chains [Change] log format revised; syslog style, eout() function created [Change] revised all rules to make use of applicable TCP/UDP_STOP filter vars [Change] revised all log output for use with eout() [Change] comments added to default vnet rule files [Change] revised invalid packet flag filters, bt.rules [Change] CDPORTS var added to drop/ignore logging of common ports (e.g: netbios) [Fix] corrected a few logic errors with flow control on trust rules syntax [Change] chopped down some of the comments in conf.apf and changed layout of file [Change] changed martian sources to on & ecn to off; sysctl.rules [Change] revised flush routine for init script and apf handler [Change] removed vnet.common; set vnet system to use 'internals/cports.common' [Change] revised antidos IPT_BL routine; use eout() for apf logging [Change] revised preroute.rules; changed TOS values for highports [Change] revised preroute.rules; removed qdisk routines [Change] added more module error checking [Change] revised antidos logging format; syslog style - 0.9.2 (rev:11) [Change] added tcp port 43 to default EG_TCP_CPORTS options for whois [Fix]: removed default drop rules for the following three 8-bit ipv4 blocks 060/8 Apr 03 APNIC (whois.apnic.net) 221/8 Jul 02 APNIC (whois.apnic.net) 222/8 Feb 03 APNIC (whois.apnic.net) [Fix] deprecated TCP_CPORTS option in ident routine (rev:10) [Change] exported trust routines to internals/trust.common [Change] moved main.common file to internals/ path [Change] moved internals.conf to internals/ path [Change] modified TOS vals for highport connections [Change] reverted rev:14 ACK,PSH+established fix to as-was in rev:13 [Change] packaging format changed to name-version_revision.extention [Change] changed all copyright & licensing headers; changed cli output headers [Change] changed cli flag assignment/usage for apf handler script [New] added -a/-d options to apf handler script for trust rules insertion [Change] changed antidos to insert ban rules rather than reload whole firewall [Change] reordered highport connection fix routines [Change] removed deprecated option $STOP [New] added INVALID output filtering for icmp [Change] modified dns(53) tcp output fixes [Change] modified main firewall script; remove '-t filter' usage [New] added more generalized (laxed?) est/rel connection fixes [Change] comment modifications to trust files [Change] exported more vars from conf.apf to internals.conf; smaller conf file [Change] comment modifications to conf.apf [New] range support added to trust rule system; underscore seperator (137_139) [New] added default drop of ports 137-139 to deny_hosts.rules [Change] modified install script; old install copied to /etc/apf.bkMMDDYY-UTIME rather than old format of /etc/apf.bk$$ [Change] removed deprecated option FWRST; antidos (rev:9) [Fix] corrected packet flag sanity checks; ACK,PSH+established issues [Change] set sysctl hook for martian sources to zero (0) value default (off) [Change] set use of reset chain for certian protocol abuses; as opposed to drop (rev:8) [Change] revised log chain routines; more descriptive prefixes [Fix] added egress log chain for default drops [Change] revised chain pattern file for antidos; conform to new prefixes [Change] rewrite to log chain routines; code cleanup (rev:7) [Fix] added PATH definition to vnetgen; fix file not found errors [Fix] made ipt_state & ipt_multiport required modules; fix lockup on init [Fix] modified routines to reload apf [if new bans] after ad() func.; antidos [Change] resorted configuration files setup to be more friendly [Change] more syn-flood routine changes and again tweaked default values [Change] README.antidos definition changes for conf.antidos vars (rev:6) [New] added syn-flood trigger ports option; antidos [Fix] revised syn-flood routine to prevent false positives; antidos [Change] revised config defaults; antidos (rev:5) [Fix] DET_SF error setting val SRC; antidos [Fix] usr.msg syntax error; antidos [Change] revised config defaults, comments and ordering; antidos [Fix] DET_SF error setting DST; antidos [Fix] line-break errors in usr/arin.msg [Change] permissions enforced on new files from last few releases (rev:4) [New] syn-flood detection routine created; antidos [Change] defaults changed in conf.antidos and new syn-flood options added; antidos [Change] revised README.antidos to reflext new options and config vars [Change] removed apf-m dialog menu system; implamentation will be made in 0.9.2 or later [Fix] revised validation routine to prevent duplicate emails; antidos (rev:3) [New] APF-M v0.2; apf-manager is a dialog menu based manager for APF; addon [Change] revised install script to detect ncurses and install apf-m [Change] reordered bt.rules and purged duplicate entries [New] added crafted drop chains to bt.rules to further slow/hinder nmap [Fix] permissions issue with install script for addon package apf-m [Fix] syntax error in rewrite routine for edit_apf.menu; apf-m [Fix] port zero drop chain - invalid flow order (rev:2) [Fix] outbound highport routine; syntax error [New] outbound udp dns routine [Fix] /tmp temp file creation cleanup fix for dshield block.txt parsing (rev:1) [Fix] corrected vnet common ports insertion; error prevented proper completion [Change] increased firewall init logging [Fix] added EGF value check before EG_*_CPORTS is loaded [Change] reordered certian init logging events [Change] various modifications to dshield parser client & install script [Fix] corrected VNET var issue in vnet.common [Change] revised apf.init to log stop sequences - 0.9.1: (rev:10) [New] 'addons/' directory added to apf base path [New] dshield client parser/reporter with install script placed in addons/ path (rev:9) [Change] modified README file to conform with new conf.apf options [New] toggle for egress filtering in conf.apf (rev:8) [Change] modified main.common structure to conform with new CPORTS setup [Change] more commenting changes to conf.apf for new CPORTS setup [Change] egress specific highport fixes added (rev:7) [Change] modified CPORTS structure and conf.apf ordering of cports [Change] modified highport connection fixes to conform with new CPORTS setup [New] egress (outbound) filtering & common ports option added (rev:6) [New] LRATE var added to conf.apf for log rate limiting (rev:5) [New] added monolithic kernel toggle to conf.apf for disabling lkm checks [Change] modified default ignore ports; antidos [Change] modified attack IP/8 comparison to /16; antidos (rev:4) [Fix] bcast syntax error in main firewall script [Change] increased drop chain log limit (rev:3) [Change] reordered bt.rules entries [Change] modified default trust syntax to set bidirectional rules [Change] modified high port connection fixes for UDP (rev:2) [Change] modified log prefix strings in bt.rules; conform to apf log style [Fix] corrected tcp flag sanity check to be bidirectional (rev:1) [Change] modified README file to further explain rules setup - 0.9: (rev:10) [Change] export udp/tcp.rules to central main.rules [Change] exported CPORTS routine for main adapter to main.common (rev:9) [New] added logrotate.d check routine/rotate script for apf log files [New] added fragmented udp drop for input/output (rev:8) [Change] modified app. name output to log files (rev:7) [New] added port zero drop routine for input/output [New] added version/revision tagging to /etc/apf/VERSION [New] added vnetgen execution after install completion [Change] modified README feature list (rev:6) [Fix] CPORTS load routine, syntax error in tcp.rules [Change] exported CPORTS routine for vnet rules to vnet.common [Change] modified default vnet template (rev:5) [Fix] more tweaks to established ftp check in LP_SNORT; antidos [Change] text formating changes to usr.msg/arin.msg; antidos [Change] removed IPTSNORT feature; modified all relivent files [Change] removed ICMP/FTP packet rate limiting; modified all relivent files (rev:4) [Change] modified default udp/tcp drop log prefix [Change] modified default apf cmdline output; more verbose (rev:3) [Change] tweaks to the ident reject chain (rev:2) [Fix] tcp high port connection fixes (rev:1) [Change] modified noncrit.ports default values; antidos [Change] modified arin.msg to note 'whois' server in dynamic fashion; antidos [Fix] usr.msg/arin.msg log tail showing null output in some situations; antidos [Change] modified usr.msg to note whois contact for src attack host; antidos - 0.8.7: [Fix] fixed ml() in main firewall script to properly exit on failed module loads [Change] added comments to conf.apf and README regarding ipt_string.o module [Fix] fixed stdout redirect for trust files to log file [Change] removed stdout null output redirect for init script; show fatal errors [Change] exported misc. conf.apf vars to internals.conf [Fix] fixed ident check routine [Change] revised dshield url parser routine [New] added best-match ip whois for ARIN,RIPE,APNIC, & LACNIC to antidos script [Fix] modified $PREV var placment in antidos to fix looped ip checks [Change] moved certian temp file creation from /tmp to install path [New] added src ip/8 comparison to antidos; filter same network attacks quicker [Fix] DROP_IF function in antidos not ignoring eth0 [Change] modified logging rate limit from 10/minute to 25 for TCP/UDP DROP [New] noncrit.ports file to ignore IF drops based on destination port; antidos [New] src port/dst port loging for antidos events log [Fix] dropped interface log event not being sent with usr email; antidos [Fix] ignore FTP (pasv.) false positives for snort portscan log; antidos [New] ROUTE_REJ ignore routine if SRC attacker equals eth0 IP [New] config var for tcp/udp drop log chain toggling [Fix] suppresed main.vnet error output if no aliased ip's found [Fix] corrected source include path for main.vnet dynamic entries - 0.8.6: [Change] revised vnetgen.def and main.vnet [Change] removed routable network from default drop routes [Change] trust files revised, new syntax support for proto,flow,port,ip [New] ident check routine/reject chain [Change] moved CPORTS inclusions to bottom of respective files [Change] hourly restart cronjob of APF, set/moved to daily [Change] range support added for CPORTS and trust syntax [Fix] added missing escape to log var in vnetgen.def [Change] revised scipt header notes [New] added check routine for bandmin/load badmin ipt rules [Change] revised dns UDP fix in udp.rules - 0.8.5: [New] added default TCP log chain [Change] updated chains table for antidos [Change] added common irc proxy probed ports to antidos ignore file [Fix] fixed FWRST var in conf.antidos [New] set sysctl parm to double ip_conntrack_max [New] created user alert feature; seperated from arin alert [Change] revised arin.msg file; created usr.msg file [Change] added TMZ var to conf.antidos for GMT offset [Change] revised conf.antidos [New] set global ports to log during loading - for user debuging [New] set interface/ip to log during loading - for user debuging [Change] modified dshield.org block list feature; cleaner code [Change] rewrite of README file; moved GPL to COPYING.GPL [Change] rewrite of SRC/DST fetch function in antidos for snort/klog method [New] added hardset $PATH var too apf, firewall, & antidos scripts [Fix] fixed location reference to apf config file in antidos config file [Change] revised install.sh file [Fix] fixed log creation vars [Change] changed drop_hosts.rules to deny_hosts.rules - 0.8.4: [Change] moved default policy for udp to bottom of main firewall script [Change] removed header comments from vnetgen.def [New] added ipt_string.o verification check before loading iptsnort rules [Fix] fixed iptsnort and looping issues; causing init start to never complete [Change] revised whole iptsnort system; now logs chains before drop [Fix] added ipt_limit.o verfication for ftp port; otherwise default no ipt_limit [Fix] corrected typo in DEVM cronjob [Fix] revised DEVM feature to write directly to crontab; cron.d proved unreliable [Change] revised install.sh - 0.8.3: [New] added prelog.rules file; for addition of log chains [Fix] fixed preroute.rules and invalid APF log pointer [Change] disabled ICMP type 8, inbound; by default [Change] set all ports closed by default; 22 (SSH) left open (globally) in conf.apf [New] added ipchains check/removal code [Change] rewrote iptables module insertion code [Fix] fixed CPORTS option relating to FTP_LIM value [Change] made install.sh backup old APF install to /etc/apf.bk$$ [Change] comments modified/changed in variouse files [Change] moved icmp.rules insertion after vnet rules insertion [Fix] fixed typo in global ports code that caused undesired results [Change] revised conf.apf; more comments and better organized [New] created DEVM setting to put APF into devel testing mode [Change] revised README, and install.sh to meet needs of DEVM feature [Fix] fixed cleanup issue with ds_hosts.rules file - 0.8.2: [Change] revised vnet system [Change] made TCP_CPORTS/UDP_CPORTS into for loop; 15+ ports support [Change] revised conf.apf [Change] variouse tweaks to snort string match signatures [Change] variouse tweaks to iptsnort structure [Change] readme file changes [Change] revised install.sh - 0.8.1: [Fix] fixed issues with vnetgen and the adapter variable [Change] changed cron.hourly job to use the init script [Change] reimplamented antidos system with snort portscan.log support [Fix] fixed argument order for ad() function [Change] readme file changes [Fix] changed colum location for src/dst address in kernel log [antidos] [Fix] permissions tightened on all files per default install [New] added rate limiting per/second on ICMP/FTP protocols, configurable via conf.apf [New] added iptables based rules for snort signatures; using string match rules [Fix] removed errored private network ban in main firewall script; was banning valid networks - 0.8: [New] first public release of APF, formerly known as FWMGR apf-9.7-1/apf.init0000750000000000000000000000123110635051451012421 0ustar rootroot#!/bin/bash ## # chkconfig: 345 55 25 # description: Advanced Policy Firewall # # source function library . /etc/rc.d/init.d/functions # import variables . /etc/apf/conf.apf . /etc/apf/internals/internals.conf ipt="/sbin/iptables" inspath="/etc/apf" prog="apf" case "$1" in start) echo -n "Starting APF:" /usr/local/sbin/apf --start >> /dev/null 2>&1 echo_success echo ;; stop) echo -n "Stopping APF:" /usr/local/sbin/apf --stop >> /dev/null 2>&1 echo_success echo ;; restart) $0 stop $0 start ;; *) echo "usage: $0 [start|stop|restart]" esac exit 0 apf-9.7-1/cron.daily0000640000000000000000000000012111043474217012751 0ustar rootroot#!/bin/bash /etc/apf/apf -f >> /dev/null 2>&1 /etc/apf/apf -s >> /dev/null 2>&1 apf-9.7-1/logrotate.d.apf0000640000000000000000000000012607723050646013711 0ustar rootroot/var/log/apfados_log /var/log/apf_log { missingok postrotate endscript } apf-9.7-1/README.apf0000640000000000000000000011264011157714561012430 0ustar rootroot[disclaimer: work in progress still] APF (Advanced Policy Firewall) - 9.7 [apf@r-fx.org] Copyright (C) 1999-2007, R-fx Networks Copyright (C) 2007, Ryan MacDonald This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Contents: 1 ............. Introduction 1.1 ........... Introduction: Supported Systems & Requirements 2 ............. Installation 2.1 ........... Installation: Boot Loading 3 ............. Configuration 3.1 ........... Configuration: Basic Options 3.2 ........... Configuration: Advanced Options 3.3 ........... Configuration: Reactive Address Blocking 3.4 ........... Configuration: Virtual Network Files 3.5 ........... Configuration: Global Variables & Custom Rules 4 ............. General Usage 4.1 ........... General Usage: Trust System 4.2 ........... General Usage: Global Trust System 4.3 ........... General Usage: Advanced Trust Syntax 4.4 ........... General Usage: Dynamic Trust Files 5 ............. License 6 ............. Support Information 1) Introduction: Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today's Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file. The management of APF on a day-to-day basis is conducted from the command line with the 'apf' command, which includes detailed usage information and all the features one would expect from a current and forward thinking firewall solution. The technical side of APF is such that it embraces the latest stable features put forward by the iptables(netfilter) project to provide a very robust and powerful firewall. The filtering performed by APF is three fold: 1) Static rule based policies (not to be confused with a "static firewall") 2) Connection based stateful policies 3) Sanity based policies The first, static rule based policies, is the most traditional method of firewalling. This is when the firewall has an unchanging set of instructions (rules) on how traffic should be handled in certain conditions. An example of a static rule based policy would be when you allow/deny an address access to the server with the trust system or open a new port with conf.apf. So the short of it is rules that infrequently or never change while the firewall is running. The second, connection based stateful policies, is a means to distinguish legitimate packets for different types of connections. Only packets matching a known connection will be allowed by the firewall; others will be rejected. An example of this would be FTP data transfers, in an older era of firewalling you would have to define a complex set of static policies to allow FTA data transfers to flow without a problem. That is not so with stateful policies, the firewall can see that an address has established a connection to port 21 then "relate" that address to the data transfer portion of the connection and dynamically alter the firewall to allow the traffic. The third, sanity based policies, is the ability of the firewall to match various traffic patterns to known attack methods or scrutinize traffic to conform to Internet standards. An example of this would be when a would-be attacker attempts to forge the source IP address of data they are sending to you, APF can simply discard this traffic or optionally log it then discard it. To the same extent another example would be when a broken router on the Internet begins to relay malformed packets to you, APF can simply discard them or in other situations reply to the router and have it stop sending you new packets (TCP Reset). These three key filtering methods employed by APF are simply a generalization of how the firewall is constructed on a technical design level, there are a great many more features in APF that can be put to use. For a detailed description of all APF features you should review the configuration file /etc/apf/conf.apf which has well outlined captions above all options. Below is a point form summary of most APF features for reference and review: - detailed and well commented configuration file - granular inbound and outbound network filtering - user id based outbound network filtering - application based network filtering - trust based rule files with an optional advanced syntax - global trust system where rules can be downloaded from a central management server - reactive address blocking (RAB), next generation in-line intrusion prevention - debug mode provided for testing new features and configuration setups - fast load feature that allows for 1000+ rules to load in under 1 second - inbound and outbound network interfaces can be independently configured - global tcp/udp port & icmp type filtering with multiple methods of executing filters (drop, reject, prohibit) - configurable policies for each ip on the system with convenience variables to import settings - packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp - prerouting and postrouting rules for optimal network performance - dshield.org block list support to ban networks exhibiting suspicious activity - spamhaus Don't Route Or Peer List support to ban known "hijacked zombie" IP blocks - any number of additional interfaces may be configured as firewalled (untrusted) or trusted (not firewalled) - additional firewalled interfaces can have there own unique firewall policies applied - intelligent route verification to prevent embarrassing configuration errors - advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards - filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more - configurable type of service options to dictate the priority of different types of network traffic - intelligent default settings to meet every day server setups - dynamic configuration of your servers local DNS revolvers into the firewall - optional filtering of common p2p applications - optional filtering of private & reserved IP address space - optional implicit blocks of the ident service - configurable connection tracking settings to scale the firewall to the size of your network - configurable kernel hooks (ties) to harden the system further to syn-flood attacks & routing abuses - advanced network control such as explicit congestion notification and overflow control - special chains that are aware of the state of FTP DATA and SSH connections to prevent client side issues - control over the rate of logged events, want only 30 filter events a minute? 300 a minute? - you are the boss - logging subsystem that allows for logging data to user space programs or standard syslog files - logging that details every rule added and a comprehensive set of error checks to prevent config errors - if you are familiar with netfilter you can create your own rules in any of the policy files - pluggable and ready advanced use of QoS algorithms provided by the Linux - 3rd party add-on projects that compliment APF features Still on the feature todo list is: - full support for NAT/MASQ including port forwarding - cluster oriented round-robin packet or port forwarding - in-line firewall reactive address blocking of connction floods - and much more... 1.1) Introduction: Supported Systems & Requirements The APF package is designed to run on Linux based operating systems that have an operational version of the iptables (netfilter) package installed. The iptables (netfilter) package is supported on Linux kernels 2.4 and above, you can find out more details on the netfilter project at: http://www.netfilter.org/ If the version of Linux you are using already has an included copy of iptables then chances are very high it has all the iptables modules that APF will need. If you are configuring iptables in your own custom kernel then you should be sure that the following modules are compiled with the kernel for modular support: ip_tables iptable_filter iptable_mangle ip_conntrack ip_conntrack_irc ip_conntrack_ftp ipt_state ipt_multiport ipt_limit ipt_recent ipt_LOG ipt_REJECT ipt_ecn ipt_length ipt_mac ipt_multiport ipt_owner ipt_state ipt_ttl ipt_TOS ipt_TCPMSS ipt_ULOG If you would like to make sure you support these modules then you can take a look inside of /lib/modules/kernelver/kernel/net/ipv4/netfilter/ directory. # ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ The known Linux platforms that APF will run on are very diverse and it is hard to keep track but here is a short summary: Redhat Enterprise AS/ES 2+ CentOS Any Fedora Core Any Slackware 8.0+ Debian GNU/Linux 3.0+ Suse Linux 8.1+ Unbuntu Any TurboLinux Server 9+ TurboLinux Fuji (Desktop) RedHat Linux 7.3,8,9 The base system specs for APF operating as intended are not set in stone and you can easily scale the package into almost any situation that has a Linux 2.4+ kernel, iptables and bash shell with standard set of gnu-utils (grep, awk, sed and the like). Below is a short table of what is recommended: DEVICE MIN RECOMMENDED CPU: 300Mhz 600Mhz MEM: 64MB 96MB DISK: OS OS NETWORK: Any Any 2) Installation The installation setup of APF is very straight forward, there is an included install.sh script that will perform all the tasks of installing APF for you. Begin Install: # sh install.sh If one so desires they may customize the setup of APF by editing the variables inside the install.sh script followed by also editing the path variables in the conf.apf and internals.conf files. This is however not recommends and the default paths should meet all user needs, they are: Install Path: /etc/apf Bin Path: /usr/local/sbin/apf The package includes two convenience scripts, the first is importconf which will import all the variable settings from your previous version of APF into the new installation. The second is get_ports, a script which will output the systems currently in use 'server' ports for the user during the installation process in an effort to aid in configuring port settings. All previous versions of APF are saved upon the installation of newer versions and stored in /etc/apf.bkDDMMYY-UTIME format. In addition, there is a /etc/apf.bk.last sym-link created to the last version of APF you had installed. After installation is completed the documentation and convenience scripts are copied to /etc/apf/docs and /etc/apf/extras respective. 2.1) Installation: Boot Loading On installation APF will install an init script to /etc/init.d/apf and configure it to load on boot. If you are setting up APF in a more custom situation then you may follow the below instructions. There is really 3 modes of operation for having APF firewall our system and each has no real benifit except tailoring itself to your needs. The first is to setup APF in the init system with chkconfig (done by default during install), as detailed below: chkconfig --add apf chkconfig --level 345 apf on Secondly, you can add the following string too the bottom of the /etc/rc.local file: sh -c "/etc/apf/apf -s" & It is NOT recommended that you use both of these startup methods together, for most systems the init script via chkconfig should be fine. The third and final approuch is to simply run APF in an on-demand fashion. That is, enable it with the 'apf -s' command when desired and disable it with the 'apf -f' when desired. 3) Configuration: On your first installation of APF it will come pretty bare in the way of preconfigured options, this is intentional. The most common issue with many firewalls is that they come configured with so many options that a user may never use or disable, that it leaves systems riddled with firewall holes. Now with that said, APF comes configured with only a single incoming port enabled by default and that is port 22 SSH. Along with a set of common practice filtering options preset in the most compatible fashion for all users. All the real advanced options APF has to offer are by default disabled including outbound (egress) port filtering, reactive address blocking (rab) and the virtual network subsystem to name a few. The main APF configuration file is located at /etc/apf/conf.apf and has detailed usage information above all configuration variables. The file uses integer based values for setting configuration options and they are 0 = disabled 1 = enabled All configuration options use this integer value system unless otherwise indicated in the description of that option. You should put aside 5 minutes and review the configuration file from top to bottom taking the time to read all the captions for the options that are provided. This may seem like a daunting task but a firewall is only as good as it is configured and that requires you, the administrator, to take a few minutes to understand what it is you are setting up. APF is a very powerful firewall that when setup to make use of all the advanced features, will provide a sophisticated and robust level of protection. Please continue reading further along this file for more information or see the support options at the bottom of this file for further assistance if you find yourself lost in the configuration process. 3.1) Configuration: Basic Options This section will cover some of the basic configuration options found inside of the conf.apf configuration file. These options, despite how basic, are the most vital in the proper operation of your firewall. Option: DEVEL_MODE Description: This tells APF to run in a development mode which in short means that the firewall will shut itself off every 5 minutes from a cronjob. When you install any version of APF, upgrade or new install, this feature is by default enabled to make sure the user does not lock themself out of the system with configuration errors. Once you are satisfied that you have the firewall configured and operating as intended then you must disable it. Option: INSTALL_PATH Description: As it implies, this is the installation path for APF and unless you have become a brave surgeon it is unlikely you will ever need to reconfigure this option - on we go. Option: IFACE_IN & IFACE_OUT Description: These variables instruct the firewall as to what interfaces you use for main network communication, such as to the Internet. In most cases these variables are configured to the same values such as eth0 or ppp0. In a more technical capacity these variables control what the firewall considers as the untrusted network interfaces, those which are far beyond the reasonable realm of control of an administrator. Option: IFACE_TRUSTED Description: It is common that you may want to set a specific interface as trusted to be excluded from the firewall, these may be administrative private links, virtualized VPN interfaces or a local area network that is contains trusted resources. This feature is similar to what some term as demilitarized zone or DMZ for short, any interfaces set in this option will be excempt from all firewall rules with an implicit trust rule set early in the firewall load. Option: SET_VERBOSE Description: This option tells the apf script to print very detailed event logs to the screen as you are conducting firewall operations from the command line. This will allow for easier trouble shooting of firewall issues or to assist the user in better understanding what the firewall is doing rule-by-rule. Although the SET_VERBOSE option is new to APF, this level of logging has long been provided in the /var/log/apf_log file and still remains as such. Option: SET_FASTLOAD Description: This tells APF to use a special feature to take saved snap shots of the running firewall. Instead of regenerating every single firewall rule when we stop/start the firewall, APF will use these snap shots to "fast load" the rules in bulk. There are internal features in APF that will detect when configuration has changed and then expire the snap shot forcing a full reload of the firewall. Option: SET_VNET Description: The ever curious option called SET_VNET, to put it brief this option controls the virtual network subsystem of APF also known as VNET. This is a subsystem that generates policy files for all aliased addresses on the IFACE_IN/OUT interfaces. In general this option is not needed for the normal operation of APF but is provided should you want to easily configured unique policies for the aliased addresses on an Interface. Please see topic 3.4 of this document for more advanced details related to this option. Option: SET_ADDIFACE Description: This allows you to have additional untrusted interfaces firewalled by APF and this is done through the VNET system. So for example let assume you have a datacenter provided eth2 interface for local network backups but you know hundreds of other Internet facing servers are also on this network. In such a situation it would be the best course to enable this option (along with SET_VNET) so that the interface is firewalled. Please see topic 3.4 of this document for more advanced details related to this option. Option: IG_TCP_CPORTS Description: This controls what TCP ports are allowed for incoming traffic, this is also known as the "server" or "listening services" ports. You would for example configure here the ports 21,25,80,110,443 if you were operating the FTP, SMTP, HTTP, POP3 & HTTPS services from this host. This is a global context rule and will apply to all addresses on this host unless virtual net rules are set to operate in another fashion. Option: IG_UDP_CPORTS Description: This controls what UDP ports are allowed for incoming traffic, this is also known as the "server" or "listening services" ports. You would for example configure here the ports 20,53 if you were operating the FTP & DNS services from this host. This is a global context rule and will apply to all addresses on this host unless virtual net rules are set to operate in another fashion. Option: IG_ICMP_TYPES Description: This controls what ICMP types are allowed for incoming traffic, these are control messages that the Internet uses to communicate any number of error messages during communication between hosts and networks. The default options should meet most needs however if you wish to filter a specific set of ICMP types you should review the 'internals/icmp.types' file. This is a global context rule and will apply to all addresses on this host unless virtual net rules are set to operate in another fashion. Option: EGF Description: This is a top level control feature for enabling or disabling all the outbound (egress) filtering features of the firewall. In the most basic setup of the firewall from install, this will be set to disabled and we will be operating in a mostly inbound (ingress) only filtering fashion. It is however recommended that you enable the outbound (egress) filtering as it provides a very robust level of protection and is a common practice to filtering outbound traffic. Option: EG_TCP_CPORTS Description: This controls what TCP ports are allowed for outgoing traffic, this is also known as the "client side" communication on a host. Here we would set any ports we wish to communicate with on the Internet, for example if you use many remote RSS feeds on websites then you will want to make sure port 80,443 is defined here so you can access the HTTP/HTTPS service on Internet servers. This is a global context rule and will apply to all addresses on this host unless virtual net rules are set to operate in another fashion. Option: EG_UDP_CPORTS Description: This controls what UDP ports are allowed for outgoing traffic, this is also known as the "client side" communication on a host. Here we would set any ports we wish to communicate with on the Internet, for example if you use many remote RSYNC servers then you will want to make sure port 873 is defined here so you can properly access the RSYNC service on Internet servers. This is a global context rule and will apply to all addresses on this host unless virtual net rules are set to operate in another fashion. Option: EG_ICMP_TYPES Description: This controls what ICMP types are allowed for outgoing traffic, these are control messages that the Internet uses to communicate any number of error messages during communication between hosts and networks. The default options should meet most needs however if you wish to filter a specific set of ICMP types you should review the 'internals/icmp.types' file. This is a global context rule and will apply to all addresses on this host unless virtual net rules are set to operate in another fashion. Option: LOG_DROP Description: The use of this option allows to firewall to perform very detailed firewall logging of packets as they are filtered by the firewall. This can help identify issues with the firewall or provide insightful information on who is taking pokes at the host. Typically however this option is left disabled on production systems as it can get very noisy in the log files which also can increase i/o wait loads to the disk from the heavy logging. 3.2) Configuration: Advanced Options The advanced options, although not required, are those which afford the firewall the ability to be a more robust and encompassing solution in protecting a host. These options should be reviewed on a case-by-case basis and enabled only as you determine there merit to meet a particular need on a host or network. Option: SET_MONOKERN Description: This option tells the system that instead of looking for iptables modules, that we should expect them to be compiled directly into the kernel. So unless you have a custom compiled kernel on your system where modular support is disabled or iptables (netfilter) is compiled in directly, you should not enable this option. There are also exceptions here if you have a unique system setup and APF is unable to find certain iptables modules but you know for a fact they are there, then enable this option. Option: VF_ROUTE Description: This option will make sure that the IP addressess associated to the IFACE_* variables do actually have route entries. If a route entry can not be found then APF will not load as it is likely a configuration error has been made with possible results being a locked-up server. Option: VF_CROND Description: This option will make sure that the cron service is running when the DEVEL_MODE option is enabled. If the cron service is not found to be running then APF will not load as if there is a configuration error it is likely that the server will lock-up. Option: VF_LGATE Description: This option will make sure that all traffic coming into this host is going through this defined MAC address. This is not something you will want enabled in most situations but it is something certain people will desire with servers residing behind a NAT/MASQ gateway for example. Option: RAB Description: This is a top level toggle for the reactive address blocking in APF and does nothing more than either enable or disable it. Option: RAB_SANITY Description: This enables RAB for sanity violations, which is when an address breaks a strict conformity standard such as trying to spoof an address or modify packet flags. When addresses are found to have made such violations they are temporarily banned for the duration of RAB_TIMER value in seconds. Option: RAB_PSCAN_LEVEL Description: This enables RAB for port scan violations, which is when an address attempts to connect to a port that has been classifed as malicious. These types of are those which are not commonly used in today's Internet but are the subject of scrutiny by attackers, such as ports 1,7,9,11. The values for this option are broken into 4 intergers and they are 0 for disabled, 1 for low security, 2 for medium security and 3 for high security. Option: RAB_HITCOUNT Description: This controls the amount of violation hits an address must have before it is blocked. It is a good idea to keep this very low to prevent evasive measures. The default is 0 or 1, meaning instant block on first hit. Option: RAB_TIMER Description: This is the amount of time (in seconds) that an address gets blocked for if a violation is triggered, the default is 300s (5 minutes). This option has a max accepted value of 43200 seconds or 12 hours. Option: RAB_TRIP Description: This allows RAB to 'trip' the block timer back to 0 seconds if an address attempts ANY subsiquent communication while still on the inital block period. This option really is one of the more exciting features of the RAB system as it can cut off an attack at the legs before it ever mounts into something tangible against the system. Option: RAB_LOG_HIT Description: This controls if the firewall should log all violation hits from an address. It is recommended that this be enabled to provide insightful log data on addresses which are attempting to probe or conduct questionable actions against this host. The use of LOG_DROP variable set to 1 will override this to force logging. Option: RAB_LOG_TRIP Description: This controls if the firewall should log all subsiquent traffic from an address that is already blocked for a violation hit, this can generate allot of logs. However, the use of this option despite the depth of log data it may generate could provide valuble information as to the intents of an attacker. The use of LOG_DROP variable set to 1 will override this to force logging. Option: TCP_STOP, UDP_STOP, ALL_STOP Description: These options tell the firewall in which way to go about filtering traffic, the supported values are DROP, RESET, REJECT and PROHIBIT. We will review these options below in short and provide the pro/con's of their uses. - The default is DROP which tells the firewall silently discard packets and not reply to them at all, which some consider to be "stealth" firewall behavoir. The direct benifit is that it saves system resources, especially during a DoS attack in not having to reply to every discarded packet. However the problem is experienced attackers know the way TCP/IP works and it is such that when you try to connect to a service that is unavailable, your server or local router replies with an "icmp-port/host-unreachable" message. So when an attacker probing your IP address receives no reply from the server or local router to the scans, they will instantly know you are running a firewall, possibly peaking curiosity more. - Then we have RESET which allows the firewall to reply to discarded packets in such a way that it trys to make the remote host "reset/terminate" the connection attempts to you. This option is more in-line with TCP/IP standards however in most situations will provide no real benifits or drawbacks. In some really isolated situations you may find that using RESET during DoS attacks will help terminate connections more promptly but in general this does not serve to counter the system resources expended to send back replies to every single packet filtered. - Then we have the REJECT value which is a more common alternative to DROP as it allows the firewall to reply to packets with an error message. This acomplishes the goal of filtering a packet while at the same time not allowing the remote host to know that we are running a firewall, they just think the port/service is closed/unavailable. - Finally we have the PROHIBIT value which is specific for UDP_STOP but can be used as other *_STOP values with similar effect. When we set PROHIBIT we are telling the firewall to reply to the sender of packets with only ICMP error messages instead of like the case with RESET, TCP packets. This is a good alternative to reply to packets with as it does not load the system as "much" during aggressive attacks. This is also the default expected reply for UDP packets that are not accepted by a host, however APF will by default use a DROP value on UDP packets. Option: PKT_SANITY Description: This option controls the way packets are scrutinized as they flow through the firewall. The main PKT_SANITY option is a top level toggle for all SANITY options and provides general packet flag sanity as a pre-scrub for the other sanity options. In short, this makes sure that all packets coming and going conform to strict TCP/IP standards. In doing so we make it very difficult for attackers to inject raw/custom packets into this host. Now onto the sanity filters, these are options that allow APF to scrutinize traffic coming into and out of the server so it conforms to TCP/IP standards and also filters common attack characteristics. There are a number of sanity options and each one has a well detailed captain in hte configuration file. In addition, these options comes preconfigured to suite most situation needs and provide the best protection possible. With that, I will defer the PKT_SANITY details to the conf.apf file where you can find ample information on each option. Moving forward we now have the Type of Service (TOS) settings which provide a simple classification system to dictate traffic priority based on port numbers. The use of TOS in it respective capacities can have a wide ranging impact on the performance of your services, both positive and negative depending on settings. That is why it is very important that you understand and study the impact of any changes to TOS values and then act accordingly, as no two networks are alike. A very good rule of thumb with TOS configuration is to look at the name of the TOS value and apply some good judgement to how that name applies to certain service based traffic on your network. For example the TOS value Minimize-Cost designed to minimize data transmission generally not be a good setting to improve the responce time or throughput of HTTP connections. A more fitting setting for this would be "Maximum Throughput - Minimum Delay", as set to default for HTTP. The default TOS settings are designed to improve throughput and reliability for FTP,HTTP,SMTP,POP3 and IMAP, please review conf.apf under the TOS_ settings for further details on Type of Service (TOS). Following the TOS settings we find the traceroute settings TCR_ which tell the firewall if and how we should handle traceroute traffic. This is by default enabled in APF, mostly cause of popular demand but really there is no reason to have it enabled or disabled other than personal preference. The TCR_PASS option tells the firwall if we want to accept traceroutes and on the TCR_PORTS 3.3) Configuration: Reactive Address Blocking 3.4) Configuration: Virtual Network Files 3.5) Configuration: Global Variables & Custom Rules 4) General Usage: The /usr/local/sbin/apf command has a number of options that will ease the day-to-day use of your firewall. Here is a quick snap-shot of the options: usage /usr/local/sbin/apf [OPTION] -s|--start ......................... load the firewall rules -r|--restart ....................... stop (flush) & reload firewall rules -f|--stop .......................... stop (flush) all firewall rules -l|--list .......................... list chain rules -t|--status ........................ firewall status -e|--refresh ....................... refresh & resolve dns names in trust rules -a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall -d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall -u|--remove HOST ................... remove host from [glob_]deny_hosts.rules and immediately remove rule from firewall -o|--ovars ......................... output all configuration options These options explain themselves very clearly such as the start/stop/restart operations. The -l|--list option will list all the firewall rules you currently have loaded, this is more of a feature intended for experienced users but nevertheless can be insightful for any administrator to peak at. As for the -t|--status option, this will simply show you page-by-page the APF status log that tracks any operations you perform with APF - if something is not working properly, this is what you want to run. The -e|--refresh option will flush the trust system chains and reload them from the rule files, this will also cause any dns names in the rules to re-resolve. This feature is ideal if you have dynamic dns names in the trust system, apart from that it has few other uses. If you need to quickly allow or deny someone access on the system then the -a|--allow and -d|--deny options are your champions. If you need to quickly remove an allow or deny entry from the firewall then the -u|--remove option is there for it. These options are immediate in action and do NOT require the firewall to be restarted. Please the below sections of this file for more information on the trust system. Finally the -o|--ovars options is a debug feature, if something is not working the way it was intended and you need help them please send me an email to apf@r-fx.org and be sure to include the output of this option with your email. 4.1) General Usage: Trust System: The trust system in APF is a very traditional setup with two basic trust levels; allow and deny. These two basic trust levels are also extended with two global trust levels that can be imported from a remote server to assist with central trust management in a large scale deployment. We will first look at the basic trust levels then have a look at the extended global trust system in the following section 4.2 then the advanced trust syntax in 4.3. The two basic trust level files are located at: /etc/apf/allow_hosts.rules /etc/apf/deny_hosts.rules These files by nature are static, meaning that once you add an entry to them, they will remain in the files till you remove them yourself. The trust files accept both FQDN (fully qualified domain names) and IP addresses with optional bit masking. Examples of these formats are: yourhost.you.com (FQDN) 192.168.2.102 (IP Address) 192.168.1.0/24 (IP Address with 24 bit mask) The definition of IP bit masking is slightly out of the scope of this document but some common bit masks that are used would be: /24 (192.168.1.0 to 192.168.1.255) /16 (192.168.0.0 to 192.168.255.255) If you have common abuse from a network of addresses you can whois that address then determine the network operators assigned address space and ban the network with bit masking. There are two methods for adding entries to the trust files and they are first and formost by using an editor or interface of some type to edit the two files manually, such as nano (pico clone) or vi (old school editor). The second is by using the 'apf' command with the options --allow (-a for short), --deny (-d for short) and --remove (-u for short). The --allow|-a and --deny|-d flags both accept a comment option which is simply a string at the end of the command that you would like added to the trust rule files for reference. Here are some operating examples of these commands: Trust an address: apf -a ryanm.dynip.org "my home dynamic-ip" Deny an address: apf -d 192.168.3.111 "keeps trying to bruteforce" Remove an address: apf -u ryanm.dynip.org Please take note that the --remove|-u option does not accept a comment string for obvious reason and that it will remove entries that match from allow_hosts.rules, deny_hosts.rules and the global extensions of these files. 4.2) General Usage: Global Trust System 4.3) General Usage: Advanced Trust Syntax Advanced trust usage; The trust rules can be made in advanced format with 4 options (proto:flow:port:ip); 1) protocol: [packet protocol tcp/udp] 2) flow in/out: [packet direction, inbound or outbound] 3) s/d=port: [packet source or destination port] 4) s/d=ip(/xx) [packet source or destination address, masking supported] Flow assumed as Input if not defined. Protocol assumed as TCP if not defined. When defining rules with protocol, flow is required. Syntax: proto:flow:[s/d]=port:[s/d]=ip(/mask) s - source , d - destination , flow - packet flow in/out Examples: inbound to destination port 22 from 24.202.16.11 tcp:in:d=22:s=24.202.16.11 outbound to destination port 23 to destination host 24.2.11.9 out:d=23:d=24.2.11.9 inbound to destination port 3306 from 24.202.11.0/24 d=3306:s=24.202.11.0/24 4.4) General Usage: Dynamic Trust Files dyn_allow_hosts.rules dyn_deny_hosts.rules 5) License: APF is developed and supported on a volunteer basis by Ryan MacDonald [ryan@r-fx.org] APF (Advanced policy firewall) is distributed under the GNU General Public License (GPL) without restrictions on usage or redistribution. The APF copyright statement, and GNU GPL, "COPYING.GPL" are included in the top-level directory of the distribution. Credit must be given for derivative works as required under GNU GPL. 6) Support Information: If you require any assistance with APF you may refer to the R-fx Networks community forums located at http://forums.rfxnetworks.com. You may also send an e-mail to support@r-fx.org. The offical home page for APF is located at: http://www.rfxnetworks.com/apf.php All bugs or feature requests should be sent to apf@r-fx.org and please be sure to include as much information as possible or conceptual ideas of how you think a new feature should work. apf-9.7-1/install.sh0000750000000000000000000000744311157714561013013 0ustar rootroot#!/bin/bash # # APF 9.7 [apf@r-fx.org] ### # Copyright (C) 1999-2007, R-fx Networks # Copyright (C) 2007, Ryan MacDonald # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ### # INSTALL_PATH="/etc/apf" BINPATH="/usr/local/sbin/apf" COMPAT_BINPATH="/usr/local/sbin/fwmgr" install() { mkdir $INSTALL_PATH cp -fR files/* $INSTALL_PATH chmod -R 640 $INSTALL_PATH/* chmod 750 $INSTALL_PATH/apf chmod 750 $INSTALL_PATH/firewall chmod 750 $INSTALL_PATH/vnet/vnetgen chmod 750 $INSTALL_PATH/extras/get_ports chmod 750 $INSTALL_PATH/extras/dshield/install chmod 750 $INSTALL_PATH cp -pf .ca.def importconf $INSTALL_PATH/extras/ cp README.apf CHANGELOG COPYING.GPL $INSTALL_PATH/doc ln -fs $INSTALL_PATH/apf $BINPATH ln -fs $INSTALL_PATH/apf $COMPAT_BINPATH rm -f /etc/cron.d/fwdev rm -f /etc/apf/cron.fwdev if [ -f "/etc/cron.hourly/fw" ]; then rm -f /etc/cron.hourly/fw fi if [ -f "/etc/cron.daily/fw" ]; then rm -f /etc/cron.daily/fw fi if [ -f "/etc/cron.daily/apf" ]; then rm -f /etc/cron.daily/apf cp cron.daily /etc/cron.daily/apf chmod 755 /etc/cron.daily/apf else cp cron.daily /etc/cron.daily/apf chmod 755 /etc/cron.daily/apf fi if [ -d "/etc/rc.d/init.d" ]; then cp -f apf.init /etc/rc.d/init.d/apf elif [ -d "/etc/init.d" ]; then cp -f apf.init /etc/init.d/apf else if [ -f "/etc/rc.local" ]; then val=`grep -i apf /etc/rc.local` if [ "$val" == "" ]; then echo "/etc/apf/apf -s >> /dev/null 2>&1" >> /etc/rc.local fi fi fi if [ -f "/var/log/apf_log" ] || [ -f "/var/log/apfados_log" ]; then rm -f /var/log/apf_log /var/log/apfados_log fi if [ -d "/etc/logrotate.d" ] && [ -f "logrotate.d.apf" ]; then cp logrotate.d.apf /etc/logrotate.d/apf fi if [ -f "/sbin/chkconfig" ]; then /sbin/chkconfig --add apf /sbin/chkconfig --level 345 apf on fi /etc/apf/vnet/vnetgen if [ -f "/usr/bin/dialog" ] && [ -d "/etc/apf/extras/apf-m" ]; then last=`pwd` cd /etc/apf/extras/apf-m/ sh install -i cd $last fi chmod 750 $INSTALL_PATH } VER=`cat files/VERSION | grep version | awk '{print$2}'` if [ -d "$INSTALL_PATH" ]; then DVAL=`date +"%d%m%Y-%s"` cp -R $INSTALL_PATH $INSTALL_PATH.bk$DVAL rm -f /etc/apf.bk.last ln -fs $INSTALL_PATH.bk$DVAL /etc/apf.bk.last rm -rf $INSTALL_PATH echo -n "Installing APF $VER: " install else echo -n "Installing APF $VER: " install fi sleep 1 echo "Completed." echo "" echo "Installation Details:" echo " Install path: $INSTALL_PATH/" echo " Config path: $INSTALL_PATH/conf.apf" echo " Executable path: $BINPATH" echo "" echo "Other Details:" if [ -d "/etc/apf.bk.last" ]; then ./importconf echo " Note: Please review /etc/apf/conf.apf for consistency, install default backed up to /etc/apf/conf.apf.orig" else . $INSTALL_PATH/extras/get_ports echo " Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options." fi rm -f .conf.apf apf-9.7-1/files/0000750000000000000000000000000011157714561012100 5ustar rootrootapf-9.7-1/files/apf0000750000000000000000000001433411157714500012572 0ustar rootroot#!/bin/bash # # APF 9.7 [apf@r-fx.org] ### # Copyright (C) 1999-2007, R-fx Networks # Copyright (C) 2007, Ryan MacDonald # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ### # VER="9.7" CNF="/etc/apf/conf.apf" head() { echo "APF version $VER " echo "Copyright (C) 1999-2007, R-fx Networks " echo "Copyright (C) 2007, Ryan MacDonald " echo "This program may be freely redistributed under the terms of the GNU GPL" echo "" } if [ -f "$CNF" ] && [ ! "$CNF" == "" ]; then source $CNF else head echo "\$CNF not found, aborting." exit 1 fi if [ ! -f $LOG_APF ]; then touch $LOG_APF chmod 600 $LOG_APF eout "{glob} status log not found, created" fi start() { ## # Fast Load ## if [ "$SET_FASTLOAD" == "1" ]; then # is this our first startup? # if so we certainly do not want fast load if [ ! -f "$INSTALL_PATH/internals/.last.full" ]; then SKIP_FASTLOAD_FIRSTRUN=1 fi # Is our last full load more than 12h ago? # if so we are going to full load if [ -f "$INSTALL_PATH/internals/.last.full" ]; then LAST_FULL=`cat $INSTALL_PATH/internals/.last.full` CURRENT_LOAD=`date +"%s"` LOAD_DIFF=$[CURRENT_LOAD-LAST_FULL] if [ ! "$LOAD_DIFF" -lt "43200" ]; then SKIP_FASTLOAD_EXPIRED=1 fi fi # has our configuration changed since full load? # if so full we go MD5_FILES="$ADR $INSTALL_PATH/*.rules $INSTALL_PATH/internals/*.networks $INSTALL_PATH/vnet/*.rules" if [ ! -f "$INSTALL_PATH/internals/.md5.cores" ]; then SKIP_FASTLOAD_VARS=1 MD5_FIRSTRUN=1 else EMPTY_MD5=`cat $INSTALL_PATH/internals/.md5.cores` if [ "$EMPTY_MD5" == "" ]; then $MD5 $MD5_FILES > $INSTALL_PATH/internals/.md5.cores 2> /dev/null fi $MD5 $MD5_FILES > $INSTALL_PATH/internals/.md5.cores.new 2> /dev/null VARS_DIFF=`$DIFF $INSTALL_PATH/internals/.md5.cores.new $INSTALL_PATH/internals/.md5.cores` if [ ! "$VARS_DIFF" == "" ]; then $MD5 $MD5_FILES > $INSTALL_PATH/internals/.md5.cores 2> /dev/null SKIP_FASTLOAD_VARS=1 fi fi if [ "$DEVEL_ON" == "1" ]; then SKIP_FASTLOAD_VARS=1 fi if [ ! -f "$INSTALL_PATH/internals/.md5.cores.new" ] && [ -f "$INSTALL_PATH/internals/.md5.cores" ]; then cp $INSTALL_PATH/internals/.md5.cores $INSTALL_PATH/internals/.md5.cores.new fi if [ ! -f "$INSTALL_PATH/internals/.last.vars" ]; then $INSTALL_PATH/apf -o > $INSTALL_PATH/internals/.last.vars SKIP_FASTLOAD_VARS=1 else $INSTALL_PATH/apf -o > $INSTALL_PATH/internals/.last.vars.new VARS_DIFF=`$DIFF $INSTALL_PATH/internals/.last.vars.new $INSTALL_PATH/internals/.last.vars` if [ ! "$VARS_DIFF" == "" ]; then $INSTALL_PATH/apf -o > $INSTALL_PATH/internals/.last.vars SKIP_FASTLOAD_VARS=1 fi fi # check uptiime is greater than 5 minutes (300s) UPSEC=`cat /proc/uptime | tr '.' ' ' | awk '{print$1}'` if [ "$UPSEC" -lt "300" ]; then SET_FASTLOAD_UPSEC=1 fi # check if we are flagged to skip fast load, otherwise off we go if [ "$SKIP_FASTLOAD_FIRSTRUN" == "" ] && [ "$SKIP_FASTLOAD_EXPIRED" == "" ] && [ "$SKIP_FASTLOAD_VARS" == "" ] && [ "$SET_FASTLOAD_UPSEC" == "" ]; then devm eout "{glob} activating firewall, fast load" $IPTR $INSTALL_PATH/internals/.apf.restore eout "{glob} firewall initalized" if [ "$SET_VERBOSE" == "1" ] && [ "$DEVEL_ON" == "1" ]; then eout "{glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes." fi exit 0 elif [ "$SKIP_FASTLOAD_FIRSTRUN" == "1" ]; then eout "{glob} first run? fast load skipped [internals/.last.full not present]" elif [ "$SKIP_FASTLOAD_EXPIRED" == "1" ]; then eout "{glob} fast load snapshot more than 1h old, going full load" elif [ "$SKIP_FASTLOAD_VARS" == "1" ]; then eout "{glob} config. or .rule file has changed since last full load, going full load" elif [ "$SET_FASTLOAD_UPSEC" == "1" ]; then eout "{glob} uptime less than 5 minutes, going full load" fi fi ## # Full Load ## eout "{glob} activating firewall" # record our last full load date +"%s" > $INSTALL_PATH/internals/.last.full if [ ! -f "$DS_HOSTS" ]; then touch $DS_HOSTS chmod 600 $DS_HOSTS fi if [ ! -f "$DENY_HOSTS" ]; then touch $DENY_HOSTS chmod 600 $DENY_HOSTS fi if [ ! -f "$ALLOW_HOSTS" ]; then touch $ALLOW_HOSTS chmod 600 $ALLOW_HOSTS fi # check devel mode devm # generate vnet rules $INSTALL_PATH/vnet/vnetgen # start main firewall script $INSTALL_PATH/firewall # check for/load bandmin LOAD=`cat /proc/loadavg | tr '.' ' ' | awk '{print$1}'` if [ ! "$LOAD" -gt "10" ]; then bandmin fi eout "{glob} firewall initalized" if [ "$MD5_FIRSTRUN" == "1" ]; then $MD5 $MD5_FILES > $INSTALL_PATH/internals/.md5.cores 2> /dev/null fi firewall_on=`iptables -L --numeric | grep -vE "Chain|destination"` if [ ! "$DEVEL_ON" == "1" ] && [ ! "$firewall_on" == "" ]; then $IPTS > $INSTALL_PATH/internals/.apf.restore eout "{glob} fast load snapshot saved" fi if [ "$SET_VERBOSE" == "1" ] && [ "$DEVEL_ON" == "1" ]; then eout "{glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes." fi } case "$1" in -s|--start) start ;; -f|--flush|--stop) flush ;; -l|--list) list ;; -t|-st|--status) status ;; -r|--restart) $0 --flush $0 --start ;; -a|--allow) cli_trust_allow $2 $3 $4 $5 $6 $7 $8 $9 ;; -d|--deny) cli_trust_deny $2 $3 $4 $5 $6 $7 $8 $9 ;; -u|--remove|--unban) cli_trust_remove $2 >> /dev/null 2>&1 eout "{trust} removed $2 from trust system" if [ ! "$SET_VERBOSE" == "1" ]; then echo "Removed $2 from trust system." fi ;; -e|--refresh) refresh ;; -o|--ovars) head ovars ;; *) head help esac exit 0 apf-9.7-1/files/bt.rules0000640000000000000000000005066011120373511013553 0ustar rootrooteout "{glob} loading bt.rules" # Load our Deny Hosts rules glob_deny_download glob_deny_hosts deny_hosts # Load our projecthoneypot drop list dlist_php dlist_php_hosts # Load our dshield drop list dlist_dshield dlist_dshield_hosts # Load our Spamhaus Don't Route Or Peer List dlist_spamhaus dlist_spamhaus_hosts # Block common drop ports cdports # Filter all traffic not from local gateway if [ ! "$VF_LGATE" == "" ]; then lgate_mac fi if [ "$RAB" == "1" ] && [ "$RAB_SANITY" == "1" ]; then eout "{rab} set active RAB_SANITY" RAB_SANITY_FLAGS="-m recent --set" else RAB_SANITY_FLAGS="" fi if [ "$PKT_SANITY" == "1" ]; then eout "{pkt_sanity} set active PKT_SANITY" # Drop packets With invalid flag order eout "{pkt_sanity} deny inbound tcp-flag pairs ALL NONE" eout "{pkt_sanity} deny inbound tcp-flag pairs SYN,FIN SYN,FIN" eout "{pkt_sanity} deny inbound tcp-flag pairs SYN,RST SYN,RST" eout "{pkt_sanity} deny inbound tcp-flag pairs FIN,RST FIN,RST" eout "{pkt_sanity} deny inbound tcp-flag pairs ACK,FIN FIN" eout "{pkt_sanity} deny inbound tcp-flag pairs ACK,URG URG" eout "{pkt_sanity} deny inbound tcp-flag pairs ACK,PSH PSH" eout "{pkt_sanity} deny inbound tcp-flag pairs ALL FIN,URG,PSH" eout "{pkt_sanity} deny inbound tcp-flag pairs ALL SYN,RST,ACK,FIN,URG" eout "{pkt_sanity} deny inbound tcp-flag pairs ALL ALL" eout "{pkt_sanity} deny inbound tcp-flag pairs ALL FIN" $IPT -N IN_SANITY if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ALL NONE -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi if [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ALL NONE -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " fi $IPT -A IN_SANITY -p tcp --tcp-flags ALL NONE $RAB_SANITY_FLAGS -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi if [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " fi $IPT -A IN_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN $RAB_SANITY_FLAGS -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi if [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " fi $IPT -A IN_SANITY -p tcp --tcp-flags SYN,RST SYN,RST $RAB_SANITY_FLAGS -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi if [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " fi $IPT -A IN_SANITY -p tcp --tcp-flags FIN,RST FIN,RST $RAB_SANITY_FLAGS -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ACK,FIN FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi if [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ACK,FIN FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " fi $IPT -A IN_SANITY -p tcp --tcp-flags ACK,FIN FIN $RAB_SANITY_FLAGS -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ACK,URG URG -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi if [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ACK,URG URG -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " fi $IPT -A IN_SANITY -p tcp --tcp-flags ACK,URG URG $RAB_SANITY_FLAGS -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ACK,PSH PSH -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi if [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ACK,PSH PSH -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " fi $IPT -A IN_SANITY -p tcp --tcp-flags ACK,PSH PSH $RAB_SANITY_FLAGS -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi if [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " fi $IPT -A IN_SANITY -p tcp --tcp-flags ALL FIN,URG,PSH $RAB_SANITY_FLAGS -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi if [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " fi $IPT -A IN_SANITY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG $RAB_SANITY_FLAGS -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ALL ALL -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi if [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ALL ALL -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " fi $IPT -A IN_SANITY -p tcp --tcp-flags ALL ALL $RAB_SANITY_FLAGS -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ALL FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi if [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-flags ALL FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " fi $IPT -A IN_SANITY -p tcp --tcp-flags ALL FIN $RAB_SANITY_FLAGS -j $TCP_STOP eout "{pkt_sanity} deny outbound tcp-flag pairs ALL NONE" eout "{pkt_sanity} deny outbound tcp-flag pairs SYN,FIN SYN,FIN" eout "{pkt_sanity} deny outbound tcp-flag pairs SYN,RST SYN,RST" eout "{pkt_sanity} deny outbound tcp-flag pairs FIN,RST FIN,RST" eout "{pkt_sanity} deny outbound tcp-flag pairs ACK,FIN FIN" eout "{pkt_sanity} deny outbound tcp-flag pairs ACK,PSH PSH" eout "{pkt_sanity} deny outbound tcp-flag pairs ACK,URG URG" $IPT -N OUT_SANITY if [ "$LOG_DROP" == "1" ]; then $IPT -A OUT_SANITY -p tcp --tcp-flags ALL NONE -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A OUT_SANITY -p tcp --tcp-flags ALL NONE -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A OUT_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A OUT_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A OUT_SANITY -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A OUT_SANITY -p tcp --tcp-flags SYN,RST SYN,RST -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A OUT_SANITY -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A OUT_SANITY -p tcp --tcp-flags FIN,RST FIN,RST -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A OUT_SANITY -p tcp --tcp-flags ACK,FIN FIN -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A OUT_SANITY -p tcp --tcp-flags ACK,FIN FIN -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A OUT_SANITY -p tcp --tcp-flags ACK,PSH PSH -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A OUT_SANITY -p tcp --tcp-flags ACK,PSH PSH -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A OUT_SANITY -p tcp --tcp-flags ACK,URG URG -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A OUT_SANITY -p tcp --tcp-flags ACK,URG URG -j $TCP_STOP if [ "$PKT_SANITY_INV" == "1" ]; then # Block Traffic With Invalid Flags eout "{pkt_sanity} check inbound for INVALID states" eout "{pkt_sanity} check outbound for INVALID states" eout "{pkt_sanity} deny inbound tcp-option 64" eout "{pkt_sanity} deny inbound tcp-option 128" if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -m state --state INVALID -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A IN_SANITY -m state --state INVALID -j $ALL_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-option 64 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A IN_SANITY -p tcp --tcp-option 64 -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p tcp --tcp-option 128 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A IN_SANITY -p tcp --tcp-option 128 -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A OUT_SANITY -m state --state INVALID -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A OUT_SANITY -m state --state INVALID -j $ALL_STOP fi if [ "$PKT_SANITY_STUFFED" == "1" ]; then # Block Packets With Stuffed Routing eout "{pkt_sanity} deny all to/from 255.255.255.255" eout "{pkt_sanity} deny all to/from 0.0.0.255/0.0.0.255" if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -s 255.255.255.255 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A IN_SANITY -s 255.255.255.255 -j $ALL_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -d 0.0.0.0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A IN_SANITY -d 0.0.0.0 -j $ALL_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A IN_SANITY -p icmp -d 0.0.0.255/0.0.0.255 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A IN_SANITY -p icmp -d 0.0.0.255/0.0.0.255 -j $ALL_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A OUT_SANITY -d 0.0.0.255/0.0.0.255 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A OUT_SANITY -d 0.0.0.255/0.0.0.255 -j $ALL_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A OUT_SANITY -s 255.255.255.255 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A OUT_SANITY -s 255.255.255.255 -j $ALL_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A OUT_SANITY -d 0.0.0.0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SANITY ** " fi $IPT -A OUT_SANITY -d 0.0.0.0 -j $ALL_STOP fi $IPT -A OUTPUT -j OUT_SANITY $IPT -A INPUT -j IN_SANITY if [ "$PKT_SANITY_FUDP" == "1" ]; then # Block fragmented UDP eout "{pkt_sanity} deny all fragmented udp" $IPT -N FRAG_UDP if [ "$LOG_DROP" == "1" ]; then $IPT -A FRAG_UDP -p udp -f -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** UDP Frag ** " fi if [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A FRAG_UDP -p udp -f -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** RABHIT ** " fi $IPT -A FRAG_UDP -p udp -f $RAB_SANITY_FLAGS -j $UDP_STOP $IPT -A INPUT -j FRAG_UDP $IPT -A OUTPUT -j FRAG_UDP fi if [ "$PKT_SANITY_PZERO" == "1" ]; then # Block port zero traffic eout "{pkt_sanity} deny inbound tcp port 0" eout "{pkt_sanity} deny outbound tcp port 0" $IPT -N PZERO if [ "$LOG_DROP" == "1" ]; then $IPT -A PZERO -p tcp --dport 0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** Port Zero ** " fi $IPT -A PZERO -p tcp --dport 0 $RAB_SANITY_FLAGS -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A PZERO -p udp --dport 0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** Port Zero ** " fi $IPT -A PZERO -p udp --dport 0 $RAB_SANITY_FLAGS -j $UDP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A PZERO -p tcp --sport 0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** Port Zero ** " fi $IPT -A PZERO -p tcp --sport 0 $RAB_SANITY_FLAGS -j $TCP_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A PZERO -p udp --sport 0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** Port Zero ** " fi $IPT -A PZERO -p udp --sport 0 $RAB_SANITY_FLAGS -j $UDP_STOP $IPT -A INPUT -j PZERO $IPT -A OUTPUT -j PZERO fi fi if [ "$BLK_IDENT" = "1" ]; then eout "{blk_ident} set active BLK_IDENT" # Reject ident request if not defined in IG_TCP_CPORTS if [ "$(echo $IG_TCP_CPORTS | tr ',' '\n' | grep -w 113)" == "" ]; then eout "{blk_ident} reject all to/from tcp port 113" $IPT -N IDENT if [ "$LOG_DROP" == "1" ]; then $IPT -A IDENT -p tcp -s 0/0 -d 0/0 --dport 113 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** IDENT ** " fi $IPT -A IDENT -p tcp -s 0/0 -d 0/0 --dport 113 -j REJECT if [ "$LOG_DROP" == "1" ]; then $IPT -A IDENT -p tcp -s 0/0 -d 0/0 --sport 113 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** IDENT ** " fi $IPT -A IDENT -p tcp -s 0/0 -d 0/0 --sport 113 -j REJECT if [ "$LOG_DROP" == "1" ]; then $IPT -A IDENT -p udp -s 0/0 -d 0/0 --dport 113 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** IDENT ** " fi $IPT -A IDENT -p udp -s 0/0 -d 0/0 --dport 113 -j REJECT if [ "$LOG_DROP" == "1" ]; then $IPT -A IDENT -p udp -s 0/0 -d 0/0 --sport 113 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** IDENT ** " fi $IPT -A IDENT -p udp -s 0/0 -d 0/0 --sport 113 -j REJECT $IPT -A INPUT -j IDENT $IPT -A OUTPUT -j IDENT fi fi if [ "$BLK_MCATNET" == "1" ]; then eout "{blk_mcat} set active BLK_MCATNET" # Block Multicast eout "{blk_mcat} deny all from 224.0.0.0/8" eout "{blk_mcat} deny all to 224.0.0.0/8" $IPT -N MCAST if [ "$LOG_DROP" == "1" ]; then $IPT -A MCAST -s 224.0.0.0/8 -d 0/0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** MCAST ** " fi $IPT -A MCAST -s 224.0.0.0/8 -d 0/0 -j $ALL_STOP if [ "$LOG_DROP" == "1" ]; then $IPT -A MCAST -s 0/0 -d 224.0.0.0/8 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** MCAST ** " fi $IPT -A MCAST -s 0/0 -d 224.0.0.0/8 -j $ALL_STOP $IPT -A INPUT -j MCAST $IPT -A OUTPUT -j MCAST fi if [ ! "$BLK_P2P_PORTS" == "" ]; then eout "{blk_p2p} set active BLK_P2P" # Drop traffic to/from common p2p networks # winmx,napster,bittorrent,gnutella,edonkey,kazaa,morpheus $IPT -N P2P for i in `echo $BLK_P2P_PORTS | tr ',' ' '`; do MVAL=`echo $i | grep "_"` PORT=$i if [ "$MVAL" == "" ]; then eout "{blk_p2p} deny all to/from tcp port $i" eout "{blk_p2p} deny all to/from udp port $i" if [ "$LOG_DROP" == "1" ]; then $IPT -A P2P -p tcp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORT -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " fi $IPT -A P2P -p tcp -s 0/0 -d 0/0 --dport $PORT -j REJECT if [ "$LOG_DROP" == "1" ]; then $IPT -A P2P -p tcp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORT -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " fi $IPT -A P2P -p tcp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORT -j REJECT if [ "$LOG_DROP" == "1" ]; then $IPT -A P2P -p udp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORT -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " fi $IPT -A P2P -p udp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORT -j REJECT if [ "$LOG_DROP" == "1" ]; then $IPT -A P2P -p udp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORT -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " fi $IPT -A P2P -p udp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORT -j REJECT else PORT_BEG=`echo $i | tr '_' ' ' | awk '{print$1}'` PORT_END=`echo $i | tr '_' ' ' | awk '{print$2}'` PORTST="$PORT_BEG:$PORT_END" eout "{blk_p2p} deny all to/from tcp port $PORTST" eout "{blk_p2p} deny all to/from udp port $PORTST" if [ "$LOG_DROP" == "1" ]; then $IPT -A P2P -p tcp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORTST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " fi $IPT -A P2P -p tcp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORTST -j REJECT if [ "$LOG_DROP" == "1" ]; then $IPT -A P2P -p tcp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORTST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " fi $IPT -A P2P -p tcp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORTST -j REJECT if [ "$LOG_DROP" == "1" ]; then $IPT -A P2P -p udp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORTST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " fi $IPT -A P2P -p udp -s 0/0 -d 0/0 --sport 1024:65534 --dport $PORTST -j REJECT if [ "$LOG_DROP" == "1" ]; then $IPT -A P2P -p udp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORTST -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** P2P ** " fi $IPT -A P2P -p udp -s 0/0 -d 0/0 --dport 1024:65534 --sport $PORTST -j REJECT fi done $IPT -A INPUT -j P2P $IPT -A OUTPUT -j P2P fi apf-9.7-1/files/internals/0000750000000000000000000000000011157714561014077 5ustar rootrootapf-9.7-1/files/internals/icmp.types0000640000000000000000000000365007767333620016127 0ustar rootroot########## # icmp types # # 0 Echo Reply [RFC792] # 1 Unassigned [JBP] # 2 Unassigned [JBP] # 3 Destination Unreachable [RFC792] # 4 Source Quench [RFC792] # 5 Redirect [RFC792] # 6 Alternate Host Address [JBP] # 7 Unassigned [JBP] # 8 Echo [RFC792] # 9 Router Advertisement [RFC1256] # 10 Router Solicitation [RFC1256] # 11 Time Exceeded [RFC792] # 12 Parameter Problem [RFC792] # 13 Timestamp [RFC792] # 14 Timestamp Reply [RFC792] # 15 Information Request [RFC792] # 16 Information Reply [RFC792] # 17 Address Mask Request [RFC950] # 18 Address Mask Reply [RFC950] # 19 Reserved (for Security) [Solo] # 20-29 Reserved (for Robustness Experiment) [ZSu] # 30 Traceroute [RFC1393] # 31 Datagram Conversion Error [RFC1475] # 32 Mobile Host Redirect [David Johnson] # 33 IPv6 Where-Are-You [Bill Simpson] # 34 IPv6 I-Am-Here [Bill Simpson] # 35 Mobile Registration Request [Bill Simpson] # 36 Mobile Registration Reply [Bill Simpson] # 37 Domain Name Request [Simpson] # 38 Domain Name Reply [Simpson] # 39 SKIP [Markson] # 40 Photuris [Simpson] # 41-255 Reserved [JBP] ########## apf-9.7-1/files/internals/functions.apf0000640000000000000000000016350211157714561016607 0ustar rootroot#!/bin/bash # # APF 9.7 [apf@r-fx.org] ### # Copyright (C) 1999-2007, R-fx Networks # Copyright (C) 2007, Ryan MacDonald # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ### # eout() { arg=$1 if [ ! "$arg" == "" ]; then echo "$(date +"%b %d %H:%M:%S") $(hostname -s) $APPN($$): $arg" >> $LOG_APF if [ "$SET_VERBOSE" == "1" ]; then echo "$APPN($$): $arg" fi fi } devm() { # Is dev mode on or off ? TMP_CJ="$INSTALL_PATH/.cj" CRON="/etc/crontab" if [ "$DEVEL_MODE" == "1" ]; then DEVEL_ON=1 if [ ! "$SET_VERBOSE" == "1" ]; then eout "{glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes." echo "!!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes." fi APF_CJ=`cat $CRON | grep -w /etc/init.d/apf` if [ "$APF_CJ" == "" ]; then cp -f $CRON $CRON.bk cat > $TMP_CJ <> /dev/null 2>&1 EOF cat $TMP_CJ >> $CRON rm -f $TMP_CJ fi elif [ "$DEVEL_MODE" == "0" ]; then APF_CJ=`cat $CRON | grep -w /etc/init.d/apf` if [ ! "$APF_CJ" == "" ]; then cat $CRON | grep -vw "/etc/init.d/apf" > $CRON.tmp cp -f $CRON $CRON.bk mv $CRON.tmp $CRON chmod 644 $CRON fi fi } ml() { MOD=$1 VALMOD=$2 if [ "$KREL" == "2.4" ]; then MEXT="o" elif [ "$KREL" == "2.6" ]; then MEXT="ko" elif [ ! "$KREL" == "2.4" ] && [ ! "$KREL" == "2.6" ]; then if [ ! "$SET_VERBOSE" == "1" ]; then echo "Kernel version not equal to 2.4.x or 2.6.x, aborting." fi eout "{glob} kernel version not equal to 2.4.x or 2.6.x, aborting." exit 1 else if [ ! "$SET_VERBOSE" == "1" ]; then echo "Kernel version not equal to 2.4.x or 2.6.x, aborting." fi eout "{glob} kernel version not equal to 2.4.x or 2.6.x, aborting." exit 1 fi if [ "$VALMOD" == "1" ] && [ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/$1.$MEXT" ]; then if [ ! "$SET_VERBOSE" == "1" ]; then echo "Unable to load iptables module ($1), aborting." fi eout "{glob} unable to load iptables module ($1), aborting." exit 1 fi if [ -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/$1.$MEXT" ] || [ -f "/lib/modules/$(uname -r)/kernel/net/netfilter/$1.$MEXT" ]; then $MPB $1 >> /dev/null 2>&1 & fi } modinit() { # Remove ipchains module if loaded IPC_VAL=`$LSM | grep ipchains` if [ ! "$IPC_VAL" == "" ]; then $RMM ipchains fi if [ ! "$SET_MONOKERN" == "1" ]; then # Loading Kernel Modules ml ip_tables 1 ml iptable_filter ml iptable_mangle ml ip_conntrack ml ip_conntrack_irc ml ip_conntrack_ftp ml ipt_state ml ipt_multiport ml ipt_limit ml ipt_recent ml ipt_LOG ml ipt_REJECT ml ipt_ecn ml ipt_length ml ipt_mac ml ipt_multiport ml ipt_owner ml ipt_state ml ipt_ttl ml ipt_TOS ml ipt_TCPMSS ml ipt_ULOG ml xt_conntrack ml xt_conntrack_irc ml xt_conntrack_ftp ml xt_state ml xt_multiport ml xt_limit ml xt_recent ml xt_LOG ml xt_REJECT ml xt_ecn ml xt_length ml xt_mac ml xt_multiport ml xt_owner ml xt_state ml xt_ttl ml xt_TOS ml xt_TCPMSS ml xt_ULOG ml nf_conntrack ml nf_conntrack_irc ml nf_conntrack_ftp fi } check_rab() { if [ "$RAB" == "1" ] && [ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_recent.$MEXT" ]; then RAB="0" eout "{rab} force set RAB disabled, kernel module ipt_recent not found." fi } get_state() { if [ -f "$LOCK" ]; then OVAL=`cat $LOCK` DIFF=$[UTIME-OVAL] if [ "$DIFF" -gt "$LOCK_TIMEOUT" ]; then echo "$UTIME" > $LOCK eout "{glob} cleared stale lock file file." else eout "{glob} locked subsystem, already running ? ($LOCK is $DIFF seconds old), aborting." exit 1 fi else echo "$UTIME" > $LOCK fi } crondcheck() { if [ "$VF_CROND" == "1" ]; then if [ -f "/etc/crontab" ]; then eout "{glob} /etc/crontab not found; unset VF_CROND or check setting for CRONTAB_PATH, aborting." exit 1 fi cron_psval=`grep -ri crond /proc/[0-9]*/status| sed 's/Name://'` if [ "$cron_psval" == "" ]; then eout "{glob} crond process not found; start crond, unset VF_CROND or check setting for CRONTAB_PS, aborting." exit 1 fi fi } trim() { FILE=$1 MAXLINES=$2 if [ "$MAXLINES" == "" ]; then MAXLINES=0 fi if [ ! "$MAXLINES" == "0" ] && [ -f "$FILE" ]; then LINES=`cat $FILE | grep -v "#" | grep -c ""` if [ "$LINES" -gt "$MAXLINES" ]; then eout "{glob} triming $FILE to $MAXLINES lines" CHK_CMT=`tail -n 50 $FILE | grep -c "#"` MAXLINES=$[CHK_CMT+MAXLINES] CHK_SCMT=`tail -n $MAXLINES $FILE | tac | tail -n 1 | grep "#"` if [ "$CHK_SCMT" == "" ]; then MAXLINES=$[1+MAXLINES] fi tail -n $MAXLINES $FILE > $FILE.new mv $FILE.new $FILE fi fi } cli_trust_remove() { DIP=$1 $IPT -D INPUT -s $DIP -j ACCEPT $IPT -D OUTPUT -d $DIP -j ACCEPT $IPT -D INPUT -s $DIP -j $ALL_STOP $IPT -D OUTPUT -d $DIP -j $ALL_STOP $IPT -D TALLOW -s $DIP -j ACCEPT $IPT -D TALLOW -d $DIP -j ACCEPT $IPT -D TDENY -s $DIP -j $ALL_STOP $IPT -D TDENY -d $DIP -j $ALL_STOP $IPT -D TGALLOW -s $DIP -j ACCEPT $IPT -D TGALLOW -d $DIP -j ACCEPT $IPT -D TGDENY -s $DIP -j $ALL_STOP $IPT -D TGDENY -d $DIP -j $ALL_STOP val=`cat /etc/apf/allow_hosts.rules | grep "$DIP"` if [ ! "$val" == "" ]; then cat /etc/apf/allow_hosts.rules | grep -v "$DIP" > /etc/apf/allow_hosts.rules.new mv /etc/apf/allow_hosts.rules.new /etc/apf/allow_hosts.rules fi val=`cat /etc/apf/deny_hosts.rules | grep "$DIP"` if [ ! "$val" == "" ]; then cat /etc/apf/deny_hosts.rules | grep -v "$DIP" > /etc/apf/deny_hosts.rules.new mv /etc/apf/deny_hosts.rules.new /etc/apf/deny_hosts.rules fi val=`cat /etc/apf/glob_allow_hosts.rules | grep "$DIP"` if [ ! "$val" == "" ]; then cat /etc/apf/glob_allow_hosts.rules | grep -v "$DIP" > /etc/apf/glob_allow_hosts.rules.new mv /etc/apf/glob_allow_hosts.rules.new /etc/apf/glob_allow_hosts.rules fi val=`cat /etc/apf/glob_deny_hosts.rules | grep "$DIP"` if [ ! "$val" == "" ]; then cat /etc/apf/glob_deny_hosts.rules | grep -v "$DIP" > /etc/apf/glob_deny_hosts.rules.new mv /etc/apf/glob_deny_hosts.rules.new /etc/apf/glob_deny_hosts.rules fi dil=`$IPT --numeric --list INPUT --line-numbers | grep $DIP | awk '{print$1}'` dol=`$IPT --numeric --list OUTPUT --line-numbers | grep $DIP | awk '{print$1}'` $IPT -D INPUT $dil >> /dev/null 2>&1 $IPT -D OUTPUT $dol >> /dev/null 2>&1 dil=`$IPT --numeric --list TALLOW --line-numbers | grep $DIP | tac | awk '{print$1}'` dol=`$IPT --numeric --list TDENY --line-numbers | grep $DIP | tac | awk '{print$1}'` for i in `echo $dil`; do $IPT -D TALLOW $i >> /dev/null 2>&1 done for i in `echo $dol`; do $IPT -D TDENY $i >> /dev/null 2>&1 done dil=`$IPT --numeric --list TGALLOW --line-numbers | grep $DIP | tac | awk '{print$1}'` dol=`$IPT --numeric --list TGDENY --line-numbers | grep $DIP | tac | awk '{print$1}'` for i in `echo $dil`; do $IPT -D TGALLOW $i >> /dev/null 2>&1 done for i in `echo $dol`; do $IPT -D TGDENY $i >> /dev/null 2>&1 done } cli_trust_allow() { HOST=$1 CMT="$2 $3 $4 $5 $6 $7 $8 $9" if [ ! "$HOST" == "" ]; then val=`cat $DENY_HOSTS | grep -w $HOST` val_rev=`cat $ALLOW_HOSTS | grep -w $HOST` val_rev2=`cat $GALLOW_HOSTS | grep -w $HOST` val_rev3=`cat $GDENY_HOSTS | grep -w $HOST` val_rev4=`/sbin/ip addr list $IFACE_IN | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' | grep -w $HOST` if [ ! "$val" == "" ]; then echo "$HOST already exists in $DENY_HOSTS" elif [ ! "$val_rev" == "" ]; then echo "$HOST already exists in $ALLOW_HOSTS" elif [ ! "$val_rev2" == "" ]; then echo "$HOST already exists in $GALLOW_HOSTS" elif [ ! "$val_rev3" == "" ]; then echo "$HOST already exists in $GDENY_HOSTS" elif [ ! "$val_rev4" == "" ]; then echo "$HOST is a local address and can not be added to the trust system" else TIME=`date +"%D %H:%M:%S"` echo -n "# added $HOST on $TIME" >> $ALLOW_HOSTS if [ ! "$CMT" == "" ]; then echo " with comment: $CMT" >> $ALLOW_HOSTS else echo "" >> $ALLOW_HOSTS fi echo "$HOST" >> $ALLOW_HOSTS echo "" >> $ALLOW_HOSTS $IPT -I TALLOW -s $HOST -j ACCEPT $IPT -I TALLOW -d $HOST -j ACCEPT eout "(trust) added allow all to/from $HOST" if [ ! "$SET_VERBOSE" == "1" ]; then echo "Inserted into firewall: Allow all to/from $HOST" fi fi else echo "an FQDN or IP address is required for this option" fi } cli_trust_deny() { HOST=$1 CMT="$2 $3 $4 $5 $6 $7 $8 $9" if [ ! "$HOST" == "" ]; then val=`cat $DENY_HOSTS | grep -w $HOST` val_rev=`cat $ALLOW_HOSTS | grep -w $HOST` val_rev2=`cat $GALLOW_HOSTS | grep -w $HOST` val_rev3=`cat $GDENY_HOSTS | grep -w $HOST` val_rev4=`/sbin/ip addr list $IFACE_IN | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' | grep -w $HOST` if [ ! "$val" == "" ]; then echo "$HOST already exists in $DENY_HOSTS" elif [ ! "$val_rev" == "" ]; then echo "$HOST already exists in $ALLOW_HOSTS" elif [ ! "$val_rev2" == "" ]; then echo "$HOST already exists in $GALLOW_HOSTS" elif [ ! "$val_rev2" == "" ]; then echo "$HOST already exists in $GDENY_HOSTS" elif [ ! "$val_rev4" == "" ]; then echo "$HOST is a local address and can not be added to the trust system" else TIME=`date +"%D %H:%M:%S"` echo -n "# added $HOST on $TIME" >> $DENY_HOSTS if [ ! "$CMT" == "" ]; then echo " with comment: $CMT" >> $DENY_HOSTS else echo "" >> $DENY_HOSTS fi echo "$HOST" >> $DENY_HOSTS $IPT -I TDENY -s $HOST -j $ALL_STOP $IPT -I TDENY -d $HOST -j $ALL_STOP eout "(trust) added deny all to/from $HOST" if [ ! "$SET_VERBOSE" == "1" ]; then echo "Inserted into firewall: Deny all to/from $HOST" fi fi else echo "an FQDN or IP address is required for this option" fi } flush() { firewall_on=`iptables -L --numeric | grep -vE "Chain|destination"` if [ "$SET_FASTLOAD" == "1" ] && [ ! "$1" == "1" ] && [ ! "$DEVEL_ON" == "1" ] && [ ! "$firewall_on" == "" ]; then $IPTS > $INSTALL_PATH/internals/.apf.restore eout "{glob} fast load snapshot saved" fi if [ ! "$1" = "1" ]; then eout "{glob} flushing & zeroing chain policies" fi chains=`cat /proc/net/ip_tables_names 2>/dev/null` for i in $chains; do $IPT -t $i -F; done for i in $chains; do $IPT -t $i -X; done $IPT -P INPUT ACCEPT $IPT -P OUTPUT ACCEPT $IPT -P FORWARD ACCEPT if [ ! "$1" = "1" ]; then eout "{glob} firewall offline" fi } list() { echo "Loading chain rules..." iptc=/etc/apf/.ipt.chains :> $iptc ; chmod 600 $iptc $IPT --verbose --numeric --line-numbers --list >> $iptc echo "Opening editor" if [ -f "/usr/bin/pico" ]; then /usr/bin/pico -w $iptc elif [ -f "/usr/bin/nano" ]; then /usr/bin/nano -w $iptc elif [ -f "/bin/vi" ]; then /bin/vi $iptc fi clear rm -f $iptc } status() { echo "$NAME Status Log:" tac $LOG_APF | more } help() { echo "usage $0 [OPTION]" echo "-s|--start ......................... load all firewall rules" echo "-r|--restart ....................... stop (flush) & reload firewall rules" echo "-f|--stop........ .................. stop (flush) all firewall rules" echo "-l|--list .......................... list all firewall rules" echo "-t|--status ........................ output firewall status log" echo "-e|--refresh ....................... refresh & resolve dns names in trust rules" echo "-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and" echo " immediately load new rule into firewall" echo "-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and" echo " immediately load new rule into firewall" echo "-u|--remove HOST ................... remove host from [glob]*_hosts.rules" echo " and immediately remove rule from firewall" echo "-o|--ovars ......................... output all configuration options" } tospreroute() { # Type of Service (TOS) parameters # 0: Normal-Service # 2: Minimize-Cost # 4: Minimize Delay - Maximize Reliability # 8: Maximum Throughput - Minimum Delay # 16: No Delay - Moderate Throughput - High Reliability # if [ ! "$TOS_0" == "" ]; then for i in `echo $TOS_0 | tr ',' ' '`; do i=`echo $i | tr '_' ':'` $IPT -t mangle -A PREROUTING -p tcp --sport $i -j TOS --set-tos 0 done fi if [ ! "$TOS_2" == "" ]; then for i in `echo $TOS_2 | tr ',' ' '`; do i=`echo $i | tr '_' ':'` $IPT -t mangle -A PREROUTING -p tcp --sport $i -j TOS --set-tos 2 done fi if [ ! "$TOS_4" == "" ]; then for i in `echo $TOS_4 | tr ',' ' '`; do i=`echo $i | tr '_' ':'` $IPT -t mangle -A PREROUTING -p tcp --sport $i -j TOS --set-tos 4 done fi if [ ! "$TOS_8" == "" ]; then for i in `echo $TOS_8 | tr ',' ' '`; do i=`echo $i | tr '_' ':'` $IPT -t mangle -A PREROUTING -p tcp --sport $i -j TOS --set-tos 8 done fi if [ ! "$TOS_16" == "" ]; then for i in `echo $TOS_16 | tr ',' ' '`; do i=`echo $i | tr '_' ':'` $IPT -t mangle -A PREROUTING -p tcp --sport $i -j TOS --set-tos 16 done fi if [ ! "$TOS_DEF_RANGE" == "" ]; then for i in `echo $TOS_DEF_RANGE | tr ',' ' '`; do i=`echo $i | tr '_' ':'` $IPT -t mangle -A PREROUTING -p tcp --sport $i -j TOS --set-tos $TOS_DEF done fi } tospostroute() { # Type of Service (TOS) parameters # 0: Normal-Service # 2: Minimize-Cost # 4: Minimize Delay - Maximize Reliability # 8: Maximum Throughput - Minimum Delay # 16: No Delay - Moderate Throughput - High Reliability # if [ ! "$TOS_0" == "" ]; then for i in `echo $TOS_0 | tr ',' ' '`; do i=`echo $i | tr '_' ':'` $IPT -t mangle -A POSTROUTING -p tcp --dport $i -j TOS --set-tos 0 done fi if [ ! "$TOS_2" == "" ]; then for i in `echo $TOS_2 | tr ',' ' '`; do i=`echo $i | tr '_' ':'` $IPT -t mangle -A POSTROUTING -p tcp --dport $i -j TOS --set-tos 2 done fi if [ ! "$TOS_4" == "" ]; then for i in `echo $TOS_4 | tr ',' ' '`; do i=`echo $i | tr '_' ':'` $IPT -t mangle -A POSTROUTING -p tcp --dport $i -j TOS --set-tos 4 done fi if [ ! "$TOS_8" == "" ]; then for i in `echo $TOS_8 | tr ',' ' '`; do i=`echo $i | tr '_' ':'` $IPT -t mangle -A POSTROUTING -p tcp --dport $i -j TOS --set-tos 8 done fi if [ ! "$TOS_16" == "" ]; then for i in `echo $TOS_16 | tr ',' ' '`; do i=`echo $i | tr '_' ':'` $IPT -t mangle -A POSTROUTING -p tcp --dport $i -j TOS --set-tos 16 done fi if [ ! "$TOS_DEF_RANGE" == "" ]; then for i in `echo $TOS_DEF_RANGE | tr ',' ' '`; do i=`echo $i | tr '_' ':'` $IPT -t mangle -A POSTROUTING -p tcp --dport $i -j TOS --set-tos $TOS_DEF done fi } ovars() { nice -n 16 cat /etc/apf/conf.apf /etc/apf/internals/internals.conf | grep -v "#" | grep "=" | tr '=' ' ' | awk '{print""$"$1"}' } allow_hosts() { if [ ! "`cat $ALLOW_HOSTS | grep -v "#"`" == "" ]; then eout "{glob} loading allow_hosts.rules" # # for i in `cat $ALLOW_HOSTS | grep -v "#" | grep -v ":" | grep -v "="`; do val=`/sbin/ip addr list $IFACE_IN | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' | grep -w $i` if [ ! "$val" ]; then if [ ! "$i" == "" ] && [ -f "$ALLOW_HOSTS" ]; then eout "{trust} allow all to/from $i" $IPT -A TALLOW -s $i -d 0/0 -j ACCEPT $IPT -A TALLOW -d $i -s 0/0 -j ACCEPT fi fi done # # for i in `cat $ALLOW_HOSTS | grep -v "#" | grep ":" | grep "=" | grep -vw in | grep -vw out | grep -v tcp | grep -v udp`; do if [ ! "$i" == "" ] && [ -f "$ALLOW_HOSTS" ]; then PFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$1}'` if [ "$PFLOW" == "s" ]; then PFLOW="sport" PFLOW_T="from" elif [ "$PFLOW" == "d" ]; then PFLOW="dport" PFLOW_T="to" fi PPORT=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$2}'` if [ ! "$(echo $PPORT | grep _)" == "" ]; then PPORT_BEG=`echo $PPORT | tr '_' ' ' | awk '{print$1}'` PPORT_END=`echo $PPORT | tr '_' ' ' | awk '{print$2}'` PPORT="$PPORT_BEG:$PPORT_END" fi IPFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$3}'` if [ "$IPFLOW" == "s" ]; then IPFLOW="s" elif [ "$IPFLOW" == "d" ]; then IPFLOW="d" fi PIP=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$4}'` if [ ! "$IPFLOW" == "" ] && [ ! "$PIP" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PPORT" == "" ]; then eout "{trust} allow $PIP $PFLOW_T port $PPORT" $IPT -A TALLOW -p tcp -$IPFLOW $PIP --$PFLOW $PPORT -j ACCEPT fi fi done # # for i in `cat $ALLOW_HOSTS | grep -v "#" | grep ":" | grep "=" | grep -v "tcp" | grep -v "udp"`; do if [ ! "$i" == "" ] && [ -f "$ALLOW_HOSTS" ]; then NFLOW=`echo $i | tr ':' ' ' | tr '=' ' '| awk '{print$1}'` if [ "$NFLOW" == "in" ]; then NFLOW="INPUT" NFLOW_T="inbound" elif [ "$NFLOW" == "out" ]; then NFLOW="OUTPUT" NFLOW_T="outbound" fi PFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$2}'` if [ "$PFLOW" == "s" ]; then PFLOW="sport" PFLOW_T="from" elif [ "$PFLOW" == "d" ]; then PFLOW="dport" PFLOW_T="to" fi PPORT=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$3}'` if [ ! "$(echo $PPORT | grep _)" == "" ]; then PPORT_BEG=`echo $PPORT | tr '_' ' ' | awk '{print$1}'` PPORT_END=`echo $PPORT | tr '_' ' ' | awk '{print$2}'` PPORT="$PPORT_BEG:$PPORT_END" fi IPFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$4}'` if [ "$IPFLOW" == "s" ]; then IPFLOW="s" elif [ "$IPFLOW" == "d" ]; then IPFLOW="d" fi PIP=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$5}'` if [ ! "$NFLOW" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PIP" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PPORT" == "" ]; then eout "{trust} allow $NFLOW_T $PIP $PFLOW_T port $PPORT" $IPT -A TALLOW -p tcp -$IPFLOW $PIP --$PFLOW $PPORT -j ACCEPT fi fi done # # for i in `cat $ALLOW_HOSTS | grep -v "#" | grep ":" | grep "="`; do if [ ! "$i" == "" ] && [ -f "$ALLOW_HOSTS" ]; then PTYPE=`echo $i | tr ':' ' ' | tr '=' ' '| awk '{print$1}'` if [ "$PTYPE" == "tcp" ]; then PTYPE="tcp" elif [ "$PTYPE" == "udp" ]; then PTYPE="udp" fi NFLOW=`echo $i | tr ':' ' ' | tr '=' ' '| awk '{print$2}'` if [ "$NFLOW" == "in" ]; then NFLOW="INPUT" NFLOW_T="inbound" elif [ "$NFLOW" == "out" ]; then NFLOW="OUTPUT" NFLOW_T="outbound" fi PFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$3}'` if [ "$PFLOW" == "s" ]; then PFLOW="sport" PFLOW_T="from" elif [ "$PFLOW" == "d" ]; then PFLOW="dport" PFLOW_T="to" fi PPORT=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$4}'` if [ ! "$(echo $PPORT | grep _)" == "" ]; then PPORT_BEG=`echo $PPORT | tr '_' ' ' | awk '{print$1}'` PPORT_END=`echo $PPORT | tr '_' ' ' | awk '{print$2}'` PPORT="$PPORT_BEG:$PPORT_END" fi IPFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$5}'` if [ "$IPFLOW" == "s" ]; then IPFLOW="s" elif [ "$IPFLOW" == "d" ]; then IPFLOW="d" fi PIP=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$6}'` if [ ! "$PTYPE" == "" ] && [ ! "$NFLOW" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PIP" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PPORT" == "" ]; then eout "{trust} allow $NFLOW_T $PTYPE $PIP $PFLOW_T port $PPORT" $IPT -A TALLOW -p $PTYPE -$IPFLOW $PIP --$PFLOW $PPORT -j ACCEPT fi fi done fi } glob_allow_hosts() { if [ ! "`cat $GALLOW_HOSTS | grep -v "#"`" == "" ]; then eout "{glob} loading glob_allow.rules" # # for i in `cat $GALLOW_HOSTS | grep -v "#" | grep -v ":" | grep -v "="`; do if [ ! "$i" == "" ] && [ -f "$GALLOW_HOSTS" ]; then eout "{trust} allow all to/from $i" $IPT -A TGALLOW -s $i -d 0/0 -j ACCEPT $IPT -A TGALLOW -d $i -s 0/0 -j ACCEPT fi done # # for i in `cat $GALLOW_HOSTS | grep -v "#" | grep ":" | grep "=" | grep -vw in | grep -vw out | grep -v tcp | grep -v udp`; do if [ ! "$i" == "" ] && [ -f "$GALLOW_HOSTS" ]; then PFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$1}'` if [ "$PFLOW" == "s" ]; then PFLOW="sport" PFLOW_T="from" elif [ "$PFLOW" == "d" ]; then PFLOW="dport" PFLOW_T="to" fi PPORT=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$2}'` if [ ! "$(echo $PPORT | grep _)" == "" ]; then PPORT_BEG=`echo $PPORT | tr '_' ' ' | awk '{print$1}'` PPORT_END=`echo $PPORT | tr '_' ' ' | awk '{print$2}'` PPORT="$PPORT_BEG:$PPORT_END" fi IPFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$3}'` if [ "$IPFLOW" == "s" ]; then IPFLOW="s" elif [ "$IPFLOW" == "d" ]; then IPFLOW="d" fi PIP=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$4}'` if [ ! "$IPFLOW" == "" ] && [ ! "$PIP" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PPORT" == "" ]; then eout "{trust} allow $PIP $PFLOW_T port $PPORT" $IPT -A TGALLOW -p tcp -$IPFLOW $PIP --$PFLOW $PPORT -j ACCEPT fi fi done # # for i in `cat $GALLOW_HOSTS | grep -v "#" | grep ":" | grep "=" | grep -v "tcp" | grep -v "udp"`; do if [ ! "$i" == "" ] && [ -f "$GALLOW_HOSTS" ]; then NFLOW=`echo $i | tr ':' ' ' | tr '=' ' '| awk '{print$1}'` if [ "$NFLOW" == "in" ]; then NFLOW="INPUT" NFLOW_T="inbound" elif [ "$NFLOW" == "out" ]; then NFLOW="OUTPUT" NFLOW_T="outbound" fi PFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$2}'` if [ "$PFLOW" == "s" ]; then PFLOW="sport" PFLOW_T="from" elif [ "$PFLOW" == "d" ]; then PFLOW="dport" PFLOW_T="to" fi PPORT=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$3}'` if [ ! "$(echo $PPORT | grep _)" == "" ]; then PPORT_BEG=`echo $PPORT | tr '_' ' ' | awk '{print$1}'` PPORT_END=`echo $PPORT | tr '_' ' ' | awk '{print$2}'` PPORT="$PPORT_BEG:$PPORT_END" fi IPFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$4}'` if [ "$IPFLOW" == "s" ]; then IPFLOW="s" elif [ "$IPFLOW" == "d" ]; then IPFLOW="d" fi PIP=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$5}'` if [ ! "$NFLOW" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PIP" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PPORT" == "" ]; then eout "{trust} allow $NFLOW_T $PIP $PFLOW_T port $PPORT" $IPT -A TGALLOW -p tcp -$IPFLOW $PIP --$PFLOW $PPORT -j ACCEPT fi fi done # # for i in `cat $GALLOW_HOSTS | grep -v "#" | grep ":" | grep "="`; do if [ ! "$i" == "" ] && [ -f "$GALLOW_HOSTS" ]; then PTYPE=`echo $i | tr ':' ' ' | tr '=' ' '| awk '{print$1}'` if [ "$PTYPE" == "tcp" ]; then PTYPE="tcp" elif [ "$PTYPE" == "udp" ]; then PTYPE="udp" fi NFLOW=`echo $i | tr ':' ' ' | tr '=' ' '| awk '{print$2}'` if [ "$NFLOW" == "in" ]; then NFLOW="INPUT" NFLOW_T="inbound" elif [ "$NFLOW" == "out" ]; then NFLOW="OUTPUT" NFLOW_T="outbound" fi PFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$3}'` if [ "$PFLOW" == "s" ]; then PFLOW="sport" PFLOW_T="from" elif [ "$PFLOW" == "d" ]; then PFLOW="dport" PFLOW_T="to" fi PPORT=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$4}'` if [ ! "$(echo $PPORT | grep _)" == "" ]; then PPORT_BEG=`echo $PPORT | tr '_' ' ' | awk '{print$1}'` PPORT_END=`echo $PPORT | tr '_' ' ' | awk '{print$2}'` PPORT="$PPORT_BEG:$PPORT_END" fi IPFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$5}'` if [ "$IPFLOW" == "s" ]; then IPFLOW="s" elif [ "$IPFLOW" == "d" ]; then IPFLOW="d" fi PIP=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$6}'` if [ ! "$PTYPE" == "" ] && [ ! "$NFLOW" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PIP" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PPORT" == "" ]; then eout "{trust} allow $NFLOW_T $PTYPE $PIP $PFLOW_T port $PPORT" $IPT -A TGALLOW -p $PTYPE -$IPFLOW $PIP --$PFLOW $PPORT -j ACCEPT fi fi done fi } deny_hosts() { if [ ! "`cat $DENY_HOSTS | grep -v "#"`" == "" ]; then eout "{glob} loading deny_hosts.rules" # # for i in `cat $DENY_HOSTS | grep -v "#" | grep -v ":" | grep -v "="`; do val=`/sbin/ip addr list $IFACE_IN | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' | grep -w $i` if [ ! "$val" ]; then if [ ! "$i" == "" ] && [ -f "$DENY_HOSTS" ]; then eout "{trust} deny all to/from $i" $IPT -A TDENY -s $i -d 0/0 -j $ALL_STOP $IPT -A TDENY -d $i -s 0/0 -j $ALL_STOP fi fi done # # for i in `cat $DENY_HOSTS | grep -v "#" | grep ":" | grep "=" | grep -vw in | grep -vw out | grep -v tcp | grep -v udp`; do if [ ! "$i" == "" ] && [ -f "$DENY_HOSTS" ]; then PFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$1}'` if [ "$PFLOW" == "s" ]; then PFLOW="sport" PFLOW_T="from" elif [ "$PFLOW" == "d" ]; then PFLOW="dport" PFLOW_T="to" fi PPORT=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$2}'` if [ ! "$(echo $PPORT | grep _)" == "" ]; then PPORT_BEG=`echo $PPORT | tr '_' ' ' | awk '{print$1}'` PPORT_END=`echo $PPORT | tr '_' ' ' | awk '{print$2}'` PPORT="$PPORT_BEG:$PPORT_END" fi IPFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$3}'` if [ "$IPFLOW" == "s" ]; then IPFLOW="s" elif [ "$IPFLOW" == "d" ]; then IPFLOW="d" fi PIP=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$4}'` if [ ! "$IPFLOW" == "" ] && [ ! "$PIP" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PPORT" == "" ]; then eout "{trust} deny $PIP $PFLOW_T port $PPORT" $IPT -A TDENY -p tcp -$IPFLOW $PIP --$PFLOW $PPORT -j $TCP_STOP $IPT -A TDENY -p udp -$IPFLOW $PIP --$PFLOW $PPORT -j $UDP_STOP fi fi done # # for i in `cat $DENY_HOSTS | grep -v "#" | grep ":" | grep "=" | grep -v "tcp" | grep -v "udp"`; do if [ ! "$i" == "" ] && [ -f "$DENY_HOSTS" ]; then NFLOW=`echo $i | tr ':' ' ' | tr '=' ' '| awk '{print$1}'` if [ "$NFLOW" == "in" ]; then NFLOW="INPUT" NFLOW_T="inbound" elif [ "$NFLOW" == "out" ]; then NFLOW="OUTPUT" NFLOW_T="outbound" fi PFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$2}'` if [ "$PFLOW" == "s" ]; then PFLOW="sport" PFLOW_T="from" elif [ "$PFLOW" == "d" ]; then PFLOW="dport" PFLOW_T="to" fi PPORT=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$3}'` if [ ! "$(echo $PPORT | grep _)" == "" ]; then PPORT_BEG=`echo $PPORT | tr '_' ' ' | awk '{print$1}'` PPORT_END=`echo $PPORT | tr '_' ' ' | awk '{print$2}'` PPORT="$PPORT_BEG:$PPORT_END" fi IPFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$4}'` if [ "$IPFLOW" == "s" ]; then IPFLOW="s" elif [ "$IPFLOW" == "d" ]; then IPFLOW="d" fi PIP=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$5}'` if [ ! "$NFLOW" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PIP" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PPORT" == "" ]; then eout "{trust} deny ($NFLOW_T) $PIP $PFLOW_T port $PPORT" $IPT -A TDENY -p tcp -$IPFLOW $PIP --$PFLOW $PPORT -j $TCP_STOP $IPT -A TDENY -p udp -$IPFLOW $PIP --$PFLOW $PPORT -j $UDP_STOP fi fi done # # for i in `cat $DENY_HOSTS | grep -v "#" | grep ":" | grep "="`; do if [ ! "$i" == "" ] && [ -f "$DENY_HOSTS" ]; then PTYPE=`echo $i | tr ':' ' ' | tr '=' ' '| awk '{print$1}'` if [ "$PTYPE" == "tcp" ]; then PTYPE="tcp" elif [ "$PTYPE" == "udp" ]; then PTYPE="udp" fi NFLOW=`echo $i | tr ':' ' ' | tr '=' ' '| awk '{print$2}'` if [ "$NFLOW" == "in" ]; then NFLOW="INPUT" NFLOW_T="inbound" elif [ "$NFLOW" == "out" ]; then NFLOW="OUTPUT" NFLOW_T="outbound" fi PFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$3}'` if [ "$PFLOW" == "s" ]; then PFLOW="sport" PFLOW_T="from" elif [ "$PFLOW" == "d" ]; then PFLOW="dport" PFLOW_T="to" fi PPORT=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$4}'` if [ ! "$(echo $PPORT | grep _)" == "" ]; then PPORT_BEG=`echo $PPORT | tr '_' ' ' | awk '{print$1}'` PPORT_END=`echo $PPORT | tr '_' ' ' | awk '{print$2}'` PPORT="$PPORT_BEG:$PPORT_END" fi IPFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$5}'` if [ "$IPFLOW" == "s" ]; then IPFLOW="s" elif [ "$IPFLOW" == "d" ]; then IPFLOW="d" fi PIP=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$6}'` if [ ! "$PTYPE" == "" ] && [ ! "$NFLOW" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PIP" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PPORT" == "" ]; then eout "{trust} deny $NFLOW_T $PTYPE $PIP $PFLOW_T port $PPORT" if [ "$PTYPE" == "tcp" ]; then $IPT -A TDENY -p $PTYPE -$IPFLOW $PIP --$PFLOW $PPORT -j $TCP_STOP elif [ "$PTYPE" == "udp" ]; then $IPT -A TDENY -p $PTYPE -$IPFLOW $PIP --$PFLOW $PPORT -j $UDP_STOP fi fi fi done fi } glob_deny_hosts() { if [ ! "`cat $GDENY_HOSTS | grep -v "#"`" == "" ]; then eout "{glob} loading glob_deny.rules" # # for i in `cat $GDENY_HOSTS | grep -v "#" | grep -v ":" | grep -v "="`; do if [ ! "$i" == "" ] && [ -f "$GDENY_HOSTS" ]; then eout "{trust} deny all to/from $i" $IPT -A TGDENY -s $i -d 0/0 -j $ALL_STOP $IPT -A TGDENY -d $i -s 0/0 -j $ALL_STOP fi done # # for i in `cat $GDENY_HOSTS | grep -v "#" | grep ":" | grep "=" | grep -vw in | grep -vw out | grep -v tcp | grep -v udp`; do if [ ! "$i" == "" ] && [ -f "$GDENY_HOSTS" ]; then PFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$1}'` if [ "$PFLOW" == "s" ]; then PFLOW="sport" PFLOW_T="from" elif [ "$PFLOW" == "d" ]; then PFLOW="dport" PFLOW_T="to" fi PPORT=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$2}'` if [ ! "$(echo $PPORT | grep _)" == "" ]; then PPORT_BEG=`echo $PPORT | tr '_' ' ' | awk '{print$1}'` PPORT_END=`echo $PPORT | tr '_' ' ' | awk '{print$2}'` PPORT="$PPORT_BEG:$PPORT_END" fi IPFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$3}'` if [ "$IPFLOW" == "s" ]; then IPFLOW="s" elif [ "$IPFLOW" == "d" ]; then IPFLOW="d" fi PIP=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$4}'` if [ ! "$IPFLOW" == "" ] && [ ! "$PIP" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PPORT" == "" ]; then eout "{trust} deny $PIP $PFLOW_T port $PPORT" $IPT -A TGDENY -p tcp -$IPFLOW $PIP --$PFLOW $PPORT -j $TCP_STOP $IPT -A TGDENY -p udp -$IPFLOW $PIP --$PFLOW $PPORT -j $UDP_STOP fi fi done # # for i in `cat $GDENY_HOSTS | grep -v "#" | grep ":" | grep "=" | grep -v "tcp" | grep -v "udp"`; do if [ ! "$i" == "" ] && [ -f "$GDENY_HOSTS" ]; then NFLOW=`echo $i | tr ':' ' ' | tr '=' ' '| awk '{print$1}'` if [ "$NFLOW" == "in" ]; then NFLOW="INPUT" NFLOW_T="inbound" elif [ "$NFLOW" == "out" ]; then NFLOW="OUTPUT" NFLOW_T="outbound" fi PFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$2}'` if [ "$PFLOW" == "s" ]; then PFLOW="sport" PFLOW_T="from" elif [ "$PFLOW" == "d" ]; then PFLOW="dport" PFLOW_T="to" fi PPORT=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$3}'` if [ ! "$(echo $PPORT | grep _)" == "" ]; then PPORT_BEG=`echo $PPORT | tr '_' ' ' | awk '{print$1}'` PPORT_END=`echo $PPORT | tr '_' ' ' | awk '{print$2}'` PPORT="$PPORT_BEG:$PPORT_END" fi IPFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$4}'` if [ "$IPFLOW" == "s" ]; then IPFLOW="s" elif [ "$IPFLOW" == "d" ]; then IPFLOW="d" fi PIP=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$5}'` if [ ! "$NFLOW" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PIP" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PPORT" == "" ]; then eout "{trust} deny ($NFLOW_T) $PIP $PFLOW_T port $PPORT" $IPT -A TGDENY -p tcp -$IPFLOW $PIP --$PFLOW $PPORT -j $TCP_STOP $IPT -A TGDENY -p udp -$IPFLOW $PIP --$PFLOW $PPORT -j $UDP_STOP fi fi done # # for i in `cat $GDENY_HOSTS | grep -v "#" | grep ":" | grep "="`; do if [ ! "$i" == "" ] && [ -f "$GDENY_HOSTS" ]; then PTYPE=`echo $i | tr ':' ' ' | tr '=' ' '| awk '{print$1}'` if [ "$PTYPE" == "tcp" ]; then PTYPE="tcp" elif [ "$PTYPE" == "udp" ]; then PTYPE="udp" fi NFLOW=`echo $i | tr ':' ' ' | tr '=' ' '| awk '{print$2}'` if [ "$NFLOW" == "in" ]; then NFLOW="INPUT" NFLOW_T="inbound" elif [ "$NFLOW" == "out" ]; then NFLOW="OUTPUT" NFLOW_T="outbound" fi PFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$3}'` if [ "$PFLOW" == "s" ]; then PFLOW="sport" PFLOW_T="from" elif [ "$PFLOW" == "d" ]; then PFLOW="dport" PFLOW_T="to" fi PPORT=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$4}'` if [ ! "$(echo $PPORT | grep _)" == "" ]; then PPORT_BEG=`echo $PPORT | tr '_' ' ' | awk '{print$1}'` PPORT_END=`echo $PPORT | tr '_' ' ' | awk '{print$2}'` PPORT="$PPORT_BEG:$PPORT_END" fi IPFLOW=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$5}'` if [ "$IPFLOW" == "s" ]; then IPFLOW="s" elif [ "$IPFLOW" == "d" ]; then IPFLOW="d" fi PIP=`echo $i | tr ':' ' ' | tr '=' ' ' | awk '{print$6}'` if [ ! "$PTYPE" == "" ] && [ ! "$NFLOW" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PIP" == "" ] && [ ! "$IPFLOW" == "" ] && [ ! "$PPORT" == "" ]; then eout "{trust} deny $NFLOW_T $PTYPE $PIP $PFLOW_T port $PPORT" if [ "$PTYPE" == "tcp" ]; then $IPT -A TGDENY -p $PTYPE -$IPFLOW $PIP --$PFLOW $PPORT -j $TCP_STOP elif [ "$PTYPE" == "udp" ]; then $IPT -A TGDENY -p $PTYPE -$IPFLOW $PIP --$PFLOW $PPORT -j $UDP_STOP fi fi fi done fi } dlist_resnet() { if [ -f "$RESNET" ]; then cp $RESNET $RESNET.bk chmod 600 $RESNET $RESNET.bk fi if [ -f "$WGET" ] && [ -f "$RESNET" ]; then URL_TMP="/etc/apf/.apf-$$" rm -rf $URL_TMP URL_FILE=`echo $DLIST_RESERVED_URL | tr '/' '\n' | grep "." | tail -n 1` RD_CON="$DLIST_RESERVED_URL_PROT://$DLIST_RESERVED_URL" mkdir $URL_TMP cd $URL_TMP eout "{resnet} downloading $DLIST_RESERVED_URL_PROT://$DLIST_RESERVED_URL" $WGET -t 1 -T 4 $DLIST_RESERVED_URL_PROT://$DLIST_RESERVED_URL >> /dev/null 2>&1 if [ -f "$URL_TMP/$URL_FILE" ]; then eout "{resnet} parsing $URL_FILE into $RESNET" cat $URL_TMP/$URL_FILE > $RESNET else eout "{resnet} download of $DLIST_RESERVED_URL_PROT://$DLIST_RESERVED_URL failed" if [ -f "$RESNET" ]; then cp $RESNET.bk $RESNET chmod 600 $RESNET $RESNET.bk fi fi rm -rf $URL_TMP cd /etc/apf else if [ -f "$RESNET" ]; then cp $RESNET.bk $RESNET chmod 600 $RESNET $RESNET.bk fi fi } dlist_php() { if [ ! "$DLIST_PHP_URL_PROT" == "" ] && [ ! "$DLIST_PHP_URL" == "" ] && [ "$DLIST_PHP" == "1" ] && [ -f "$WGET" ]; then URL_TMP="/etc/apf/.apf-$$" rm -rf $URL_TMP /etc/apf/.apf-* URL_FILE=`echo $DLIST_PHP_URL | tr '/' '\n' | grep "." | tail -n 1` URL_CON="$DLIST_PHP_URL_PROT://$DLIST_PHP_URL" mkdir $URL_TMP cd $URL_TMP eout "{php} downloading $DLIST_PHP_URL_PROT://$DLIST_PHP_URL" $WGET -t 1 -T 4 $DLIST_PHP_URL_PROT://$DLIST_PHP_URL >> /dev/null 2>&1 if [ -f "$URL_TMP/$URL_FILE" ]; then eout "{php} parsing $URL_FILE into $PHP_HOSTS" if [ -f "$PHP_HOSTS" ]; then :> $PHP_HOSTS fi for str in `cat $URL_TMP/$URL_FILE | grep -v "#" | grep -e '[0-9]' | awk '{print$1}'`; do if [ ! "$str" == "" ]; then echo "$str" >> $PHP_HOSTS fi done else eout "{php} download of $DLIST_PHP_URL_PROT://$DLIST_PHP_URL failed" fi rm -rf $URL_TMP cd /etc/apf else rm -f $PHP_HOSTS touch $PHP_HOSTS chmod 600 $PHP_HOSTS fi } dlist_php_hosts() { if [ ! "`cat $PHP_HOSTS | grep -v "#"`" == "" ]; then eout "{php} loading php_hosts.rules" $IPT -N PHP for i in `cat $PHP_HOSTS | grep -v "#"`; do if [ ! "$i" == "" ] && [ -f "$PHP_HOSTS" ]; then if [ "$LOG_DROP" == "1" ]; then $IPT -A PHP -s $i -d 0/0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** PHP ** " $IPT -A PHP -d $i -s 0/0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** PHP ** " fi $IPT -A PHP -s $i -d 0/0 -j $ALL_STOP $IPT -A PHP -d $i -s 0/0 -j $ALL_STOP fi done $IPT -A INPUT -j PHP $IPT -A OUTPUT -j PHP fi } dlist_dshield() { if [ ! "$DLIST_DSHIELD_URL_PROT" == "" ] && [ ! "$DLIST_DSHIELD_URL" == "" ] && [ "$DLIST_DSHIELD" == "1" ] && [ -f "$WGET" ]; then URL_TMP="/etc/apf/.apf-$$" rm -rf $URL_TMP /etc/apf/.apf-* URL_FILE=`echo $DLIST_DSHIELD_URL | tr '/' '\n' | grep "." | tail -n 1` URL_CON="$DLIST_DSHIELD_URL_PROT://$DLIST_DSHIELD_URL" mkdir $URL_TMP cd $URL_TMP eout "{dshield} downloading $DLIST_DSHIELD_URL_PROT://$DLIST_DSHIELD_URL" $WGET -t 1 -T 4 $DLIST_DSHIELD_URL_PROT://$DLIST_DSHIELD_URL >> /dev/null 2>&1 if [ -f "$URL_TMP/$URL_FILE" ]; then eout "{dshield} parsing $URL_FILE into $DS_HOSTS" if [ -f "$DS_HOSTS" ]; then :> $DS_HOSTS fi for str in `cat $URL_TMP/$URL_FILE | grep -v "#" | grep -e '[0-9]' | awk '{print$1}'`; do if [ ! "$str" == "" ]; then echo "$str/24" >> $DS_HOSTS fi done else eout "{dshield} download of $DLIST_DSHIELD_URL_PROT://$DLIST_DSHIELD_URL failed" fi rm -rf $URL_TMP cd /etc/apf else rm -f $DS_HOSTS touch $DS_HOSTS chmod 600 $DS_HOSTS fi } dlist_dshield_hosts() { if [ ! "`cat $DS_HOSTS | grep -v "#"`" == "" ]; then eout "{dshield} loading ds_hosts.rules" $IPT -N DSHIELD for i in `cat $DS_HOSTS | grep -v "#"`; do if [ ! "$i" == "" ] && [ -f "$DS_HOSTS" ]; then if [ "$LOG_DROP" == "1" ]; then $IPT -A DSHIELD -s $i -d 0/0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** DSHIELD ** " $IPT -A DSHIELD -d $i -s 0/0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** DSHIELD ** " fi $IPT -A DSHIELD -s $i -d 0/0 -j $ALL_STOP $IPT -A DSHIELD -d $i -s 0/0 -j $ALL_STOP fi done $IPT -A INPUT -j DSHIELD $IPT -A OUTPUT -j DSHIELD fi } dlist_spamhaus() { if [ ! "$DLIST_SPAMHAUS_URL_PROT" == "" ] && [ ! "$DLIST_SPAMHAUS_URL" == "" ] && [ "$DLIST_SPAMHAUS" == "1" ] && [ -f "$WGET" ]; then URL_TMP="/etc/apf/.apf-$$" rm -rf $URL_TMP /etc/apf/.apf-* URL_FILE=`echo $DLIST_SPAMHAUS_URL | tr '/' '\n' | grep "." | tail -n 1` URL_CON="$DLIST_SPAMHAUS_URL_PROT://$DLIST_SPAMHAUS_URL" mkdir $URL_TMP cd $URL_TMP eout "{sdrop} downloading $DLIST_SPAMHAUS_URL_PROT://$DLIST_SPAMHAUS_URL" $WGET -t 1 -T 4 $DLIST_SPAMHAUS_URL_PROT://$DLIST_SPAMHAUS_URL >> /dev/null 2>&1 if [ -f "$URL_TMP/$URL_FILE" ]; then eout "{sdrop} parsing $URL_FILE into $DROP_HOSTS" if [ -f "$DROP_HOSTS" ]; then :> $DROP_HOSTS fi for str in `cat $URL_TMP/$URL_FILE | grep -v "#" | grep "/" | awk '{print$1}' | tr -d ';'`; do if [ ! "$str" == "" ]; then echo "$str" >> $DROP_HOSTS fi done else eout "{sdrop} download of $DLIST_SPAMHAUS_URL_PROT://$DLIST_SPAMHAUS_URL failed" fi rm -rf $URL_TMP cd /etc/apf else rm -f $DROP_HOSTS touch $DROP_HOSTS chmod 600 $DROP_HOSTS fi } dlist_spamhaus_hosts() { if [ ! "`cat $DROP_HOSTS | grep -v "#"`" == "" ]; then eout "{sdrop} loading sdrop_hosts.rules" $IPT -N SDROP for i in `cat $DROP_HOSTS | grep -v "#"`; do if [ ! "$i" == "" ] && [ -f "$DROP_HOSTS" ]; then if [ "$LOG_DROP" == "1" ]; then $IPT -A SDROP -s $i -d 0/0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SDROP ** " $IPT -A SDROP -d $i -s 0/0 -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** SDROP ** " fi $IPT -A SDROP -s $i -d 0/0 -j $ALL_STOP $IPT -A SDROP -d $i -s 0/0 -j $ALL_STOP fi done $IPT -A INPUT -j SDROP $IPT -A OUTPUT -j SDROP fi } dlist_ecnshame() { if [ ! "$DLIST_ECNSHAME_URL_PROT" == "" ] && [ ! "$DLIST_ECNSHAME_URL" == "" ] && [ "$DLIST_ECNSHAME" == "1" ] && [ -f "$WGET" ]; then URL_TMP="/etc/apf/.apf-$$" rm -rf $URL_TMP /etc/apf/.apf-* URL_FILE=`echo $DLIST_ECNSHAME_URL | tr '/' '\n' | grep "." | tail -n 1` URL_CON="$DLIST_ECNSHAME_URL_PROT://$DLIST_ECNSHAME_URL" mkdir $URL_TMP cd $URL_TMP eout "{ecnshame} downloading $DLIST_ECNSHAME_URL_PROT://$DLIST_ECNSHAME_URL" $WGET -t 1 -T 4 $DLIST_ECNSHAME_URL_PROT://$DLIST_ECNSHAME_URL >> /dev/null 2>&1 if [ -f "$URL_TMP/$URL_FILE" ]; then eout "{ecnshame} parsing $URL_FILE into $ECNSHAME_HOSTS" if [ -f "$ECNSHAME_HOSTS" ]; then :> $ECNSHAME_HOSTS fi for str in `cat $URL_TMP/$URL_FILE`; do if [ ! "$str" == "" ]; then echo "$str" >> $ECNSHAME_HOSTS fi done else eout "{ecnshame} download of $DLIST_ECNSHAME_URL_PROT://$DLIST_ECNSHAME_URL failed" fi rm -rf $URL_TMP cd /etc/apf else rm -f $ECNSHAME_HOSTS touch $ECNSHAME_HOSTS chmod 600 $ECNSHAME_HOSTS fi } dlist_ecnshame_hosts() { if [ ! "`cat $ECNSHAME_HOSTS | grep -v "#"`" == "" ]; then eout "{ecnshame} loading ecnshame_hosts.rules" for i in `cat $ECNSHAME_HOSTS | grep -v "#"`; do if [ ! "$i" == "" ] && [ -f "$ECNSHAME_HOSTS" ]; then $IPT -t mangle -A POSTROUTING -p tcp -d $i -j ECN --ecn-tcp-remove fi done fi } glob_allow_download() { if [ ! "$GA_URL_PROT" == "" ] && [ ! "$GA_URL" == "" ] && [ "$USE_RGT" == "1" ] && [ -f "$WGET" ]; then URL_TMP="/etc/apf/.apf-$$" rm -rf $URL_TMP URL_FILE=`echo $GA_URL | tr '/' '\n' | grep "." | tail -n 1` GA_URL_CON="$GA_URL_PROT://$GA_URL" mkdir $URL_TMP cd $URL_TMP eout "{trust} downloading $GA_URL_PROT://$GA_URL" $WGET -t 1 -T 4 $GA_URL_PROT://$GA_URL >> /dev/null 2>&1 if [ -f "$URL_TMP/$URL_FILE" ]; then eout "{trust} parsing $URL_FILE into $GALLOW_HOSTS" cat $URL_TMP/$URL_FILE > $GALLOW_HOSTS else eout "{trust} download of $GA_URL_PROT://$GA_URL failed" fi rm -rf $URL_TMP cd /etc/apf else rm -f $GALLOW_HOSTS touch $GALLOW_HOSTS chmod 600 $GALLOW_HOSTS fi } glob_deny_download() { if [ ! "$GD_URL_PROT" == "" ] && [ ! "$GD_URL" == "" ] && [ "$USE_RGT" == "1" ] && [ -f "$WGET" ]; then URL_TMP="/etc/apf/.apf-$$" rm -rf $URL_TMP URL_FILE=`echo $GD_URL | tr '/' '\n' | grep "." | tail -n 1` GD_URL_CON="$GD_URL_PROT://$GD_URL" mkdir $URL_TMP cd $URL_TMP eout "{trust} downloading $GD_URL_PROT://$GD_URL" $WGET -t 1 -T 4 $GD_URL_PROT://$GD_URL >> /dev/null 2>&1 if [ -f "$URL_TMP/$URL_FILE" ]; then eout "{trust} parsing $URL_FILE into $GDENY_HOSTS" cat $URL_TMP/$URL_FILE > $GDENY_HOSTS else eout "{trust} download of $GD_URL_PROT://$GD_URL failed" fi rm -rf $URL_TMP cd /etc/apf else rm -f $GDENY_HOSTS touch $GDENY_HOSTS chmod 600 $GDENY_HOSTS fi } dnet() { FILE="$1" if [ -f "$FILE" ]; then FNAME=`echo $FILE | tr '/' '\n' | tail -n 1` eout "{glob} loading $FNAME" for i in `cat $FILE | grep -v "#"`; do if [ ! "$i" == "" ]; then $IPT -A INPUT -s $i -j $ALL_STOP $IPT -A OUTPUT -d $i -j $ALL_STOP fi done fi } bandmin() { if [ -f "/usr/local/bandmin/bandmin" ]; then /usr/local/bandmin/bandmin >> /dev/null 2>&1 /usr/local/bandmin/ipaddrmap >> /dev/null 2>&1 fi } cdports() { if [ ! "$BLK_PORTS" == "" ]; then eout "{glob} loading common drop ports" for i in `echo $BLK_PORTS | tr ',' ' '`; do if [ "$(echo $i | grep "_")" == "" ]; then if [ ! "$i" == "" ]; then $IPT -A INPUT -p tcp --dport $i -j $TCP_STOP $IPT -A INPUT -p udp --dport $i -j $UDP_STOP $IPT -A OUTPUT -p tcp --dport $i -j $TCP_STOP $IPT -A OUTPUT -p udp --dport $i -j $UDP_STOP eout "{blk_ports} deny all to/from tcp port $i" eout "{blk_ports} deny all to/from udp port $i" fi else i=`echo $i | tr '_' ':'` if [ ! "$i" == "" ]; then $IPT -A INPUT -p tcp --dport $i -j $TCP_STOP $IPT -A INPUT -p udp --dport $i -j $UDP_STOP $IPT -A OUTPUT -p tcp --dport $i -j $TCP_STOP $IPT -A OUTPUT -p udp --dport $i -j $UDP_STOP eout "{blk_ports} deny all to/from tcp port $i" eout "{blk_ports} deny all to/from udp port $i" fi fi done fi } lgate_mac() { $IPT -N LMAC for mac in `echo $LGATE_MAC | tr ',' ' '`; do MAC=$mac if [ ! "$MAC" == "" ]; then $IPT -A INPUT -m mac ! --mac-source "$MAC" -j LMAC eout "{glob} gateway ($MAC) route verification enabled" fi done if [ "$LOG_LGATE" == "1" ]; then $IPT -A LMAC -m limit --limit $LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix=" ** DROP FORIGN MAC ** " fi $IPT -A LMAC -j REJECT --reject-with icmp-net-prohibited } cl_cports() { IG_TCP_CPORTS="" IG_UDP_CPORTS="" IG_ICMP_TYPES="" EG_TCP_CPORTS="" EG_UDP_CPORTS="" EG_ICMP_TYPES="" EG_TCP_UID="" EG_UDP_UID="" } refresh() { eout "{glob} refreshing trust system rules." /sbin/iptables-save | grep -E "TDENY|TGDENY" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk '{print$4}' | sort -n | uniq | sort > /etc/apf/internals/refresh.drop.temp $IPT -F TMP_DROP for i in `cat /etc/apf/internals/refresh.drop.temp | grep -v "#"`; do if [ ! "$i" == "" ]; then $IPT -A TMP_DROP -s $i -d 0/0 -j $ALL_STOP $IPT -A TMP_DROP -d $i -s 0/0 -j $ALL_STOP fi done trim $DENY_HOSTS $SET_TRIM trim $GDENY_HOSTS $SET_TRIM $IPT -F TALLOW $IPT -F TDENY $IPT -F TGALLOW $IPT -F TGDENY glob_allow_download glob_allow_hosts allow_hosts deny_hosts glob_deny_download glob_deny_hosts $IPT -F TMP_DROP } cron_refresh() { if [ ! "$SET_REFRESH" == "0" ] && [ ! "$SET_REFRESH" == "" ]; then cat< $INSTALL_PATH/internals/cron.refresh MAILTO= SHELL=/bin/bash */$SET_REFRESH * * * * root /etc/apf/apf --refresh >> /dev/null 2>&1 & EOF chmod 644 $INSTALL_PATH/internals/cron.refresh ln -fs $INSTALL_PATH/internals/cron.refresh /etc/cron.d/refresh.apf eout "{glob} SET_REFRESH is set to $SET_REFRESH minutes" else rm -f /etc/cron.d/refresh.apf eout "{glob} SET_REFRESH is set disabled" fi } apf-9.7-1/files/internals/internals.conf0000640000000000000000000000327611157714561016756 0ustar rootroot## # [Misc. Configuration] ## # PATH=/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin:$PATH ; export PATH VER="9.7" APPN="apf" ifconfig=/sbin/ifconfig ip=/sbin/ip IPT="/sbin/iptables" MPB="/sbin/modprobe" LSM="/sbin/lsmod" RMM="/sbin/rmmod" IPTS="/sbin/iptables-save" IPTR="/sbin/iptables-restore" DIFF="/usr/bin/diff" WGET="/usr/bin/wget" MD5="/usr/bin/md5sum" UNAME="/bin/uname" IF="$IFACE_IN" IN_IF="$IFACE_IN" OUT_IF="$IFACE_OUT" ALL_STOP="DROP" LSTOP="LD" LACCEPT="LA" TOS_DEF_TOS="$TOS_DEF" NET=`$ifconfig $IF | grep -vw inet6 | grep -w inet | cut -d : -f 2 | cut -d \ -f 1` NAME=`echo $APPN | tr '[:lower:]' '[:upper:]'` TIME=`date +"%D %H:%M:%S"` UTIME=`date +"%s"` KREL=`$UNAME -r | cut -d\. -f 1,2` LOCK_TIMEOUT="360" LOCK="$INSPATH/lock.utime" ADR="$INSTALL_PATH/ad/ad.rules" ALLOW_HOSTS="$INSTALL_PATH/allow_hosts.rules" DENY_HOSTS="$INSTALL_PATH/deny_hosts.rules" GALLOW_HOSTS="$INSTALL_PATH/glob_allow.rules" GDENY_HOSTS="$INSTALL_PATH/glob_deny.rules" DS_HOSTS="$INSTALL_PATH/ds_hosts.rules" PHP_HOSTS="$INSTALL_PATH/php_hosts.rules" DROP_HOSTS="$INSTALL_PATH/sdrop_hosts.rules" ECNSHAME_HOSTS="$INSTALL_PATH/ecnshame_hosts.rules" RABP="$INSTALL_PATH/internals/rab.ports" MD5_FILES="$ADR $INSTALL_PATH/*.rules $INSTALL_PATH/internals/*.networks $INSTALL_PATH/vnet/*.rules $RABP" MCATNET="$INSTALL_PATH/internals/multicast.networks" PRVNET="$INSTALL_PATH/internals/private.networks" RESNET="$INSTALL_PATH/internals/reserved.networks" PRERT="$INSTALL_PATH/preroute.rules" POSTRT="$INSTALL_PATH/postroute.rules" DSTOP=$ALL_STOP if [ "$LOG_EXT" == "1" ]; then LEXT="--log-tcp-options --log-ip-options" else LEXT="" fi . $RABP CNF_FUNC="$INSTALL_PATH/internals/functions.apf" . $CNF_FUNC apf-9.7-1/files/internals/multicast.networks0000640000000000000000000000157507767331707017724 0ustar rootroot# multicast # # http://www.iana.org/assignments/ipv4-address-space # http://www-itg.lbl.gov/mbone/www-itg.lbl.gov/mbone/ # # 224/8 Sep 81 IANA - Multicast # 225/8 Sep 81 IANA - Multicast # 226/8 Sep 81 IANA - Multicast # 227/8 Sep 81 IANA - Multicast # 228/8 Sep 81 IANA - Multicast # 229/8 Sep 81 IANA - Multicast # 230/8 Sep 81 IANA - Multicast # 231/8 Sep 81 IANA - Multicast # 232/8 Sep 81 IANA - Multicast # 233/8 Sep 81 IANA - Multicast # 234/8 Sep 81 IANA - Multicast # 235/8 Sep 81 IANA - Multicast # 236/8 Sep 81 IANA - Multicast # 237/8 Sep 81 IANA - Multicast # 238/8 Sep 81 IANA - Multicast # 239/8 Sep 81 IANA - Multicast # 224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8 228.0.0.0/8 229.0.0.0/8 230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8 236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 239.0.0.0/8 apf-9.7-1/files/internals/cports.common0000640000000000000000000001470010627407102016615 0ustar rootrootif [ ! "$IG_TCP_CPORTS" == "" ]; then IG_TCP_CPORTS=`echo "$IG_TCP_CPORTS" | tr ',' ' '` PROTO="tcp" for i in `echo $IG_TCP_CPORTS`; do if [ "$(echo $i | grep "_")" == "" ]; then if [ ! "$i" == "" ]; then $IPT -A INPUT -p $PROTO -s 0/0 -d $VNET --dport $i -j ACCEPT eout "{glob} opening inbound $PROTO port $i on $VNET" fi else i=`echo $i | tr '_' ':'` if [ ! "$i" == "" ]; then $IPT -A INPUT -p $PROTO -s 0/0 -d $VNET --dport $i -j ACCEPT eout "{glob} opening inbound $PROTO port $i on $VNET" fi fi done fi if [ ! "$IG_UDP_CPORTS" == "" ]; then IG_UDP_CPORTS=`echo "$IG_UDP_CPORTS" | tr ',' ' '` PROTO="udp" for i in `echo $IG_UDP_CPORTS`; do if [ "$(echo $i | grep "_")" == "" ]; then if [ ! "$i" == "" ]; then $IPT -A INPUT -p $PROTO -s 0/0 -d $VNET --dport $i -j ACCEPT eout "{glob} opening inbound $PROTO port $i on $VNET" fi else i=`echo $i | tr '_' ':'` if [ ! "$i" == "" ]; then $IPT -A INPUT -p $PROTO -s 0/0 -d $VNET --dport $i -j ACCEPT eout "{glob} opening inbound $PROTO port $i on $VNET" fi fi done fi if [ "$EGF" == "1" ]; then if [ ! "$EG_TCP_CPORTS" == "" ]; then EG_TCP_CPORTS=`echo "$EG_TCP_CPORTS" | tr ',' ' '` PROTO="tcp" for i in `echo $EG_TCP_CPORTS`; do if [ "$(echo $i | grep "_")" == "" ]; then if [ ! "$i" == "" ]; then $IPT -A OUTPUT -p $PROTO -s $VNET --dport $i -j ACCEPT eout "{glob} opening outbound $PROTO port $i on $VNET" fi else i=`echo $i | tr '_' ':'` if [ ! "$i" == "" ]; then $IPT -A OUTPUT -p $PROTO -s $VNET --dport $i -j ACCEPT eout "{glob} opening outbound $PROTO port $i on $VNET" fi fi done fi fi if [ "$EGF" == "1" ]; then if [ ! "$EG_UDP_CPORTS" == "" ]; then EG_UDP_CPORTS=`echo "$EG_UDP_CPORTS" | tr ',' ' '` PROTO="udp" for i in `echo $EG_UDP_CPORTS`; do if [ "$(echo $i | grep "_")" == "" ]; then if [ ! "$i" == "" ]; then $IPT -A OUTPUT -p $PROTO -s $VNET --dport $i -j ACCEPT eout "{glob} opening outbound $PROTO port $i on $VNET" fi else i=`echo $i | tr '_' ':'` if [ ! "$i" == "" ]; then $IPT -A OUTPUT -p $PROTO -s $VNET --dport $i -j ACCEPT eout "{glob} opening outbound $PROTO port $i on $VNET" fi fi done fi fi if [ ! "$IG_ICMP_TYPES" == "" ]; then PROTO="icmp" if [ "$ICMP_LIM" == "" ]; then ICMP_LIM=0 fi if [ "$(echo $ICMP_LIM | tr '/' ' ' | awk '{print$1}')" -gt "0" ]; then ICMP_EARGS="-m limit --limit $ICMP_LIM" else ICMP_EARGS="" fi IG_ICMP_TYPES=`echo $IG_ICMP_TYPES | tr ',' ' '` for i in `echo $IG_ICMP_TYPES`; do if [ ! "$i" == "" ]; then i=`echo $i | tr '[:upper:]' '[:lower:]'` if [ "$i" == "all" ]; then $IPT -A INPUT -p icmp -d $VNET -s 0/0 $ICMP_EARGS -j ACCEPT eout "{glob} opening inbound $PROTO all on $VNET" else $IPT -A INPUT -p icmp --icmp-type $i -d $VNET -s 0/0 $ICMP_EARGS -j ACCEPT eout "{glob} opening inbound $PROTO type $i on $VNET" fi fi done fi if [ "$EGF" == "1" ]; then if [ ! "$EG_ICMP_TYPES" == "" ]; then PROTO="icmp" if [ "$ICMP_LIM" == "" ]; then ICMP_LIM=0 fi if [ "$(echo $ICMP_LIM | tr '/' ' ' | awk '{print$1}')" -gt "0" ]; then ICMP_EARGS="-m limit --limit $ICMP_LIM" else ICMP_EARGS="" fi EG_ICMP_TYPES=`echo $EG_ICMP_TYPES | tr ',' ' '` for i in `echo $EG_ICMP_TYPES`; do if [ ! "$i" == "" ]; then i=`echo $i | tr '[:upper:]' '[:lower:]'` if [ "$i" == "all" ]; then $IPT -A OUTPUT -p icmp -s $VNET -d 0/0 $ICMP_EARGS -j ACCEPT eout "{glob} opening outbound $PROTO all on $VNET" else $IPT -A OUTPUT -p icmp --icmp-type $i -s $VNET -d 0/0 $ICMP_EARGS -j ACCEPT eout "{glob} opening outbound $PROTO type $i on $VNET" fi fi done fi fi if [ "$EGF" == "1" ]; then if [ ! "$EG_TCP_UID" == "" ]; then EG_TCP_UID=`echo "$EG_TCP_UID" | tr ',' ' '` PROTO="tcp" for i in `echo $EG_TCP_UID`; do uid=`echo $i | tr ':' ' ' | awk '{print$1}'` port=`echo $i | tr ':' ' ' | awk '{print$2}'` if [ "$(echo $port | grep "_")" == "" ]; then if [ ! "$port" == "" ]; then $IPT -A OUTPUT -p $PROTO -s $VNET --dport $port --match owner --uid-owner $uid -j ACCEPT eout "{glob} opening outbound $PROTO port $port for uid $uid from $VNET" fi else i=`echo $port | tr '_' ':'` if [ ! "$i" == "" ]; then $IPT -A OUTPUT -p $PROTO -s $VNET --dport $i --match owner --uid-owner $uid -j ACCEPT eout "{glob} opening outbound $PROTO port $i for uid $uid from $VNET" fi fi done fi fi if [ "$EGF" == "1" ]; then if [ ! "$EG_UDP_UID" == "" ]; then EG_UDP_UID=`echo "$EG_UDP_UID" | tr ',' ' '` PROTO="udp" for i in `echo $EG_UDP_UID`; do uid=`echo $i | tr ':' ' ' | awk '{print$1}'` port=`echo $i | tr ':' ' ' | awk '{print$2}'` if [ "$(echo $port | grep "_")" == "" ]; then if [ ! "$port" == "" ]; then $IPT -A OUTPUT -p $PROTO -s $VNET --dport $port --match owner --uid-owner $uid -j ACCEPT eout "{glob} opening outbound $PROTO port $port for uid $uid from $VNET" fi else i=`echo $port | tr '_' ':'` if [ ! "$i" == "" ]; then $IPT -A OUTPUT -p $PROTO -s $VNET --dport $i --match owner --uid-owner $uid -j ACCEPT eout "{glob} opening outbound $PROTO port $i for uid $uid from $VNET" fi fi done fi fi if [ "$EGF" == "1" ]; then if [ "$EG_DROP_CMD" == "1" ]; then $IPT -N DEG for i in `echo $EG_DROP_CMD | tr ',' ' '`; do si=`echo $i | cut -c 1-6` if [ "LOG_DROP" == "1" ]; then $IPT -A DEG -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** DEG_$si ** " fi $IPT -A DEG -s 0/0 -d 0/0 -m owner --cmd-owner=$i -j $ALL_STOP done $IPT -A OUTPUT -j DEG fi fi apf-9.7-1/files/internals/compat.0.9.50000640000000000000000000000047010626720473015756 0ustar rootrootDEVM => DEVEL_MODE FWPATH => INSTALL_PATH IF => IFACE_IN / IFACE_OUT TIF => IFACE_TRUSTED EN_VNET => SET_VNET MONOKERN => SET_MONOKERN LGATE_MAC => VF_LGATE DEF_TOS => TOS_DEF DSTOP => ALL_STOP CDPORTS => BLK_PORTS IPTLOG => LOG_APF LGATE_LOG => LOG_LGATE DROP_LOG => LOG_DROP EXLOG => LOG_EXT LRATE => LOG_RATE apf-9.7-1/files/internals/reserved.networks0000640000000000000000000000147510627045631017520 0ustar rootroot# Unassigned/reserved address space # refer to: http://www.iana.org/assignments/ipv4-address-space # 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 42.0.0.0/8 46.0.0.0/8 94.0.0.0/8 95.0.0.0/8 100.0.0.0/8 101.0.0.0/8 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 173.0.0.0/8 174.0.0.0/8 175.0.0.0/8 176.0.0.0/8 177.0.0.0/8 178.0.0.0/8 179.0.0.0/8 180.0.0.0/8 181.0.0.0/8 182.0.0.0/8 183.0.0.0/8 184.0.0.0/8 185.0.0.0/8 186.0.0.0/8 187.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8 apf-9.7-1/files/internals/private.networks0000640000000000000000000000062310632276241017344 0ustar rootroot# The Internet Assigned Numbers Authority (IANA) has reserved the # following three blocks of the IP address space for private internets: # # 10.0.0.0 - 10.255.255.255 (10/8 prefix) # 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) # 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) # http://www.faqs.org/rfcs/rfc1918.html 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 apf-9.7-1/files/internals/rab.ports0000640000120000000000000000036510631102137015022 0ustar root# Low security ports RAB_PSCAN_LEVEL_1="1,7,9,11,15,69,70" # Medium security ports RAB_PSCAN_LEVEL_2="$RAB_PSCAN_LEVEL_1,79,109,119,512,513,517,518" # High security ports RAB_PSCAN_LEVEL_3="$RAB_PSCAN_LEVEL_2,13,17,19,540,635,640,641,666,700" apf-9.7-1/files/doc/0000750000000000000000000000000007723050646012646 5ustar rootrootapf-9.7-1/files/conf.apf0000640000000000000000000005536211157714461013530 0ustar rootroot#!/bin/bash # # APF 9.7 [apf@r-fx.org] # Copyright (C) 1999-2007, R-fx Networks # Copyright (C) 2007, Ryan MacDonald # This program may be freely redistributed under the terms of the GNU GPL # # NOTE: This file should be edited with word/line wrapping off, # if your using pico/nano please start it with the -w switch # (e.g: pico -w filename) # NOTE: All options in this file are integer values unless otherwise # indicated. This means value of 0 = disabled and 1 = enabled. ## # [Main] ## # !!! Do not leave set to (1) !!! # When set to enabled; 5 minute cronjob is set to stop the firewall. Set # this off (0) when firewall is determined to be operating as desired. DEVEL_MODE="1" # The installation path of APF; this can be changed but it is not recommended. INSTALL_PATH="/etc/apf" # Untrusted Network interface(s); all traffic on defined interface will be # subject to all firewall rules. This should be your internet exposed # interfaces. Only one interface is accepted for each value. IFACE_IN="eth0" IFACE_OUT="eth0" # Trusted Network interface(s); all traffic on defined interface(s) will by-pass # ALL firewall rules, format is white space or comma separated list. IFACE_TRUSTED="" # This option will allow for all status events to be displayed in real time on # the console as you use the firewall. Typically, APF used to operate silent # with all logging piped to $LOG_APF. The use of this option will not disable # the standard log file displayed by apf --status but rather compliment it. SET_VERBOSE="1" # The fast load feature makes use of the iptables-save/restore facilities to do # a snapshot save of the current firewall rules on an APF stop then when APF is # instructed to start again it will restore the snapshot. This feature allows # APF to load hundreds of rules back into the firewall without the need to # regenerate every firewall entry. # Note: a) if system uptime is below 5 minutes, the snapshot is expired # b) if snapshot age exceeds 12 hours, the snapshot is expired # c) if conf or a .rule has changed since last load, snapshot is expired # d) if it is your first run of APF since install, snapshot is generated # - an expired snapshot means APF will do a full start rule-by-rule SET_FASTLOAD="0" # Virtual Network Sub-System (VNET) creates independent policy rule set for # each IP on a system to /etc/apf/vnet/IP.rules. These rule files can be # configured with conf.apf variables for unique but convenient firewall # policies or custom iptables entries for even greater flexibility. SET_VNET="0" # This feature firewalls any additional interfaces on the server as untrusted # through the VNET sub-system. Excluded are interfaces that have already been # defined by IFACE_* variables. This feature is ideal for systems running # private interfaces where not all hosts on the private network are trusted or # are otherwise exposed to "open" networks through this private interface # (i.e: the Internet, network accessible storage LAN, corporate WAN, etc..) SET_ADDIFACE="0" # This allows the firewall to work around modular kernel issues by assuming # that the system has all required firewall modules compiled directly into # kernel. This mode of operation is not generally recommended but can be used # scale APF to unique situations. SET_MONOKERN="0" # This controls how often, if at all, we want the trust system to refresh rules. # The firewall will flush & reload all static rules, redownload global rules and # re-resolve any dns names in the rules. This is ideal when using dynamic dns # names or downloadable global trust rules. [value in minutes, 0 to disable] SET_REFRESH="10" # This is the total amount of rules allowed inside of the deny trust system. # When this limit is reached, the deny rule files will begin to purge older # entries to maintain the set limit. [value is max lines, 0 for unlimited] SET_TRIM="150" # Verifies that the IFACE_* and IFACE_TRUSTED interfaces are actually routed # to something. If configured interfaces are found with no routes setup then # APF will exit with an error to prevent further issues (such as being locked # out of the system). VF_ROUTE="1" # Verifies that crond is running when DEVEL_MODE=1; if not then APF will not # try to load as if lock-up occurs no cron service to flush firewall. VF_CROND="1" # Verifies that all inbound traffic is sourced from a defined local gateway MAC # address. All other traffic that does not match this MAC address will be # rejected as untrusted traffic. It is quite easy to forge a MAC address and as # such this feature executes NO default accept policy. Leave this option empty # to disable or enter a 48-bit MAC address to enable. VF_LGATE="" ## # [Reactive Address Blocking] ## # The use of RAB is such that it allows the firewall to track an address as it # traverses the firewall rules and subsequently associate that address across # any number of violations. This allows the firewall to react to critical # policy violations by blocking addresses temporarily on the assumed precaution # that we are protecting the host from what the address may do on the pretext # of what the address has already done. The interface that allows RAB to work # resides inside the kernel and makes use of the iptables 'ipt_recent' module, # so there is no external programs causing any additional load. RAB="0" # This enables RAB for sanity violations, which is when an address breaks a # strict conformity standard such as trying to spoof an address or modify # packet flags. It is strongly recommended that this option NOT be disabled. RAB_SANITY="1" # This enables RAB for port scan violations, which is when an address attempts # to connect to a port that has been classified as malicious. These types of # ports are those which are not commonly used in today's Internet but are # the subject of scrutiny by attackers, such as ports 1,7,9,11. Each security # level defines the amount of ports that RAB will react against. The port # security groups can be customized in 'internals/rab.ports'. # 0 = disabled | 1 = low security | 2 = medium security | 3 = high security RAB_PSCAN_LEVEL="2" # This controls the amount of violation hits an address must have before it # is blocked. It is a good idea to keep this very low to prevent evasive # measures. The default is 0 or 1, meaning instant block on first violation. RAB_HITCOUNT="1" # This is the amount of time (in seconds) that an address gets blocked for if # a violation is triggered, the default is 300s (5 minutes). RAB_TIMER="300" # This allows RAB to 'trip' the block timer back to 0 seconds if an address # attempts ANY subsiquent communication while still on the inital block period. RAB_TRIP="1" # This controls if the firewall should log all violation hits from an address. # The use of LOG_DROP variable set to 1 will override this to force logging. RAB_LOG_HIT="1" # This controls if the firewall should log all subsiqent traffic from an address # that is already blocked for a violation hit, this can generate allot of logs. # The use of LOG_DROP variable set to 1 will override this to force logging. RAB_LOG_TRIP="0" ## # [Packet Filtering/Handling] ## # How to handle TCP packet filtering? # # RESET (sends a tcp-reset; TCP/IP default) # DROP (drop the packet; stealth ?) # REJECT (reject the packet) TCP_STOP="DROP" # How to handle UDP packet filtering? # # RESET (sends a icmp-port-unreachable; TCP/IP default) # DROP (drop the packet; stealth ?) # REJECT (reject the packet) # PROHIBIT (send an icmp-host-prohibited) UDP_STOP="DROP" # How to handle all other packet filtering? # # DROP (drop the packet) # REJECT (reject the packet) ALL_STOP="DROP" # The sanity options control the way packets are scrutinized as they flow # through the firewall. The main PKT_SANITY option is a top level toggle for # all SANITY options and provides general packet flag sanity as a pre-scrub # for the other sanity options. In short, this makes sure that all packets # coming and going conform to strict TCP/IP standards. In doing so we make it # very difficult for attackers to inject raw/custom packets into the server. PKT_SANITY="1" # Block any packets that do not conform as VALID, this feature is safe for most # but some may experience protocol issues with broken remote clients. This is # very similar to PKT_SANITY but has a wider scope and as such has the ability # to affect many application protocols in undesirable ways. PKT_SANITY_INV="0" # Block any fragmented UDP packets, this is safe as no UDP packets should # ever be fragmented. PKT_SANITY_FUDP="1" # Block packets with a source or destination of port 0, this is safe as # nothing should ever communicate on port 0 (technically does not exist). PKT_SANITY_PZERO="1" # Block traffic that has a destination or source of a known bad broadcast # addresses - that under normal circumstances a server has no business # communicating with. PKT_SANITY_STUFFED="0" # Default Type of Service (TOS); These values should be set to a comma # separated list of ports which you would like marked with the given TOS level. # # Set the default TOS value [0,2,4,8,16] TOS_DEF="0" # Set the default TOS port range TOS_DEF_RANGE="512:65535" # 0: Ports for Normal-Service TOS_0="" # 2: Ports for Minimize-Cost TOS_2="" # 4: Ports for Minimize Delay - Maximize Reliability TOS_4="" # 8: Ports for Maximum Throughput - Minimum Delay TOS_8="21,20,80" # 16: Ports for No Delay - Moderate Throughput - High Reliability TOS_16="25,110,143" # Allow traceroute requests on the defined range of ports. This feature # is not required for normal operations and some even prefer it disabled. # Enable Traceroute # Traceroute ports TCR_PASS="1" TCR_PORTS="33434:33534" # Set a reasonable packet/time ratio for ICMP packets, exceeding this flow # will result in dropped ICMP packets. Supported values are in the form of: # pkt/s (packets/seconds), pkt/m (packets/minutes) # Set value to 0 for unlimited, anything above is enabled. ICMP_LIM="30/s" # Creates firewall rules based on the local name servers as defined in the # /etc/resolv.conf file. This is the preferred secure method for client side # name server requests. This option has no bearing on a locally hosted DNS # service. RESV_DNS="1" # When RESV_DNS is enabled, all the untrusted name server traffic can fill the # logs with client DNS traffic. This can be suppressed with an implicit drop # of all such traffic (sport 53 inbound) as so to avoid log chains. If you run # applications that have unique name servers configured, this may break them. RESV_DNS_DROP="1" # A common set of known Peer-To-Peer (p2p) protocol ports that are often # considered undesirable traffic on public Internet servers. These ports # are also often abused on web hosting servers where clients upload p2p # client agents for the purpose of distributing or downloading pirated media. # Format is comma separated for single ports and an underscore separator for # ranges (4660_4678). BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778" # These are common Internet service ports that are understood in the wild # services you would not want logged under normal circumstances. All ports # that are defined here will be implicitly dropped with no logging for # TCP/UDP traffic inbound or outbound. Format is comma separated for single # ports and an underscore separator for ranges (135_139). BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127" # You need multicasting if you intend to participate in the MBONE, a high # bandwidth network on top of the Internet which carries audio and video # broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/, this is generally # safe to enable. BLK_MCATNET="0" # Block all private ipv4 addresses, this is address space reserved for private # networks or otherwise unroutable on the Internet. If this host resides behind # a router with NAT or routing scheme that otherwise uses private addressing, # leave this option OFF. Refer to the 'internals/private.networks' file for # listing of private address space. BLK_PRVNET="0" # Block all ipv4 address space marked reserved for future use (unassigned), # such networks have no business talking on the Internet. However they may at # some point become live address space. The USE_RD option further in this file # allows for dynamic updating of this list on every full restart of APF. Refer # to the 'internals/reserved.networks' file for listing of address space. BLK_RESNET="1" # Block all ident (tcp 113) requests in and out of the server IF the port is # not already opened in *_TCP_CPORTS. This uses a REJECT target to make sure # the ident requests terminate quickly. You can see an increase in irc and # other connection performance with this feature. BLK_IDENT="0" # This is the maximum number of "sessions" (connection tracking entries) that # can be handled simultaneously by the firewall in kernel memory. Increasing # this value too high will simply waste memory - setting it too low may result # in some or all connections being refused, in particular during denial of # service attacks. SYSCTL_CONNTRACK="34576" # These are system control (sysctl) option changes to disable TCP features # that can be abused in addition to tweaking other TCP features for increased # performance and reliability. SYSCTL_TCP="1" # These are system control (sysctl) option changes intended to help mitigate # syn-flood attacks by lowering syn retry, syn backlog & syn time-out values. SYSCTL_SYN="1" # These are system control (sysctl) option changes to provide protection from # spoofed packets and ip/arp/route redirection. If you are performing advanced # routing policies on this host such as NAT/MASQ you should disable this. SYSCTL_ROUTE="0" # This system control (sysctl) option will log all network traffic that is # from impossible source addresses. This option can discover attacks or issues # on your network you may otherwise not be aware of. SYSCTL_LOGMARTIANS="0" # This system control (sysctl) option will allow you to control ECN support # (Explicit Congestion Notification). This feature provides an improved method # for congestion avoidance by allowing the network to mark packets for # transmission later, rather than dropping them from the queue. Please also # see related USE_ECNSHAME option further down in this file. SYSCTL_ECN="0" # This system control (sysctl) option will allow you to make use of SynCookies # support. This feature will send out a 'syn-cookie' when the syn backlog for a # socket becomes overflowed. The cookie is used to interrupt the flow of syn # transmissions with a hashed sequence number that must be correlated with the # sending host. The hash is made up of the sending host address, packet flags # etc..; if the sending host does not validate against the hash then the tcp # hand-shake is terminated. In short, this helps to mitigate syn-flood attacks. # Note: syncookies seriously violates TCP protocol and can result in serious # degradation of some services (i.e. SMTP); visible not by you, but your # clients and relays whom are contacting your system. SYSCTL_SYNCOOKIES="1" # This system control (sysctl) option allows for the use of Abort_On_Overflow # support. This feature will help mitigate burst floods if a listening service # is too slow to accept new connections. This option is an alternative for # SynCookies and both should NEVER be enabled at once. # Note: This option can harm clients contacting your system. Enable option only # if you are sure that the listening daemon can not be tuned to accept # connections faster. SYSCTL_OVERFLOW="0" # The helper chains are designed to assist applications in working with the # stateful firewall in a more reliable fashion. You should keep these settings # current with the ports SSH and FTP are operating on. Please DO NOT CONFUSE # these settings with opening the SSH/FTP port as they have no bearing on # actually connecting to the services. They are only for helping maintain your # connection to the services [ESTABLISHED,RELATED connection states, not NEW]. HELPER_SSH="1" HELPER_SSH_PORT="22" HELPER_FTP="1" HELPER_FTP_PORT="21" HELPER_FTP_DATA="20" # Configure inbound (ingress) accepted services. This is an optional # feature; services and customized entries may be made directly to an ip's # virtual net file located in the vnet/ directory. Format is comma separated # and underscore separator for ranges. # # Example: # IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000" # IG_UDP_CPORTS="20,21,53,123" # IG_ICMP_TYPES="3,5,11,0,30,8" # Common inbound (ingress) TCP ports IG_TCP_CPORTS="22" # Common inbound (ingress) UDP ports IG_UDP_CPORTS="" # Common ICMP inbound (ingress) types # 'internals/icmp.types' for type definition; 'all' is wildcard for any IG_ICMP_TYPES="3,5,11,0,30,8" # Configure outbound (egress) accepted services. This is an optional # feature; services and customized entries may be made directly to an ip's # virtual net file located in the vnet/ directory. # # Outbound (egress) filtering is not required but makes your firewall setup # complete by providing full inbound and outbound packet filtering. You can # toggle outbound filtering on or off with the EGF variable. Format is comma # separated and underscore separator for ranges. # # Example: # EG_TCP_CPORTS="21,25,80,443,43" # EG_UDP_CPORTS="20,21,53" # EG_ICMP_TYPES="all" # Outbound (egress) filtering EGF="0" # Common outbound (egress) TCP ports EG_TCP_CPORTS="21,25,80,443,43" # Common outbound (egress) UDP ports EG_UDP_CPORTS="20,21,53" # Common ICMP outbound (egress) types # 'internals/icmp.types' for type definition; 'all' is wildcard for any EG_ICMP_TYPES="all" # Configure user-id specific outbound (egress) port access. This is a more # granular feature to limit the scope of outbound packet flows with user-id # conditioning. Format is comma separated and underscore separator for ranges. # This is NOT A FILTERING FEATURE, this is an ACCESS CONTROL feature. That # means EG_TCP_UID and EG_UDP_UID are intended to ALLOW outbound access for # specified users, not DENY. # # Format: EG_[TCP|UDP]_UID="uid:port" # Example: # Allow outbound access to destination port 22 for uid 0 # EG_TCP_UID="0:22" # UID-Match outbound (egress) TCP ports EG_TCP_UID="" # UID-Match outbound (egress) UDP ports EG_UDP_UID="" # Configure executable specific outbound (egress) filtering. This is a more # granular feature to limit the scope of outbound packet flows with executable # conditioning. The packet filtering is based on the CMD process field being # passed along to iptables. All logged events for these rules will also include # the executable CMD name in the log chain. This is A FILTERING FEATURE, not an # ACCESS CONTROL feature. That means EG_DROP_CMD is intended to DENY outbound # access for specified programs, not ALLOW. # # Format is comma separated list of executable names you wish to ban from being # able to transmit data out of your server. # CMD-Match outbound (egress) denied applications EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl" ## # [Remote Rule Imports] ## # Project Honey Pot is the first and only distributed system for identifying # spammers and the spambots they use to scrape addresses from your website. # This aggregate list combines Harvesters, Spammers and SMTP Dictionary attacks # from the PHP IP Data at: http://www.projecthoneypot.org/list_of_ips.php DLIST_PHP="0" DLIST_PHP_URL="rfxn.com/downloads/php_list" DLIST_PHP_URL_PROT="http" # The Spamhaus Don't Route Or Peer List (DROP) is an advisory "drop all # traffic" list, consisting of stolen 'zombie' netblocks and netblocks # controlled entirely by professional spammers. For more information please # see http://www.spamhaus.org/drop/. DLIST_SPAMHAUS="0" DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso" DLIST_SPAMHAUS_URL_PROT="http" # DShield collects data about malicious activity from across the Internet. # This data is cataloged, summarized and can be used to discover trends in # activity, confirm widespread attacks, or assist in preparing better firewall # rules. This is a list of top networks that have exhibited suspicious activity. DLIST_DSHIELD="0" DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt" DLIST_DSHIELD_URL_PROT="http" # The reserved networks list is addresses which ARIN has marked as reserved # for future assignement and have no business as valid traffic on the internet. # Such addresses are often used as spoofed (Fake) hosts during attacks, this # will update the reserved networks list in order to prevent new ip assignments # on the internet from getting blocked; this option is only important when # BLK_RESNET is set to enabled. DLIST_RESERVED="0" DLIST_RESERVED_URL="rfxn.com/downloads/reserved.networks" DLIST_RESERVED_URL_PROT="http" # ECN is an extension which helps reduce congestion. Unfortunately some # clueless software/hardware vendors have setup their sites or implemented # TCP/IP in a very broken manner. If you try to talk to these sites with ECN # turned on, they will drop all packets from you. This feature uses the ECN # hall of shame list to turn off ECN in packets to these hosts so your traffic # is accepted as intended. This option is dependent on setting SYSCTL_ECN="1" # otherwise it stays disabled. DLIST_ECNSHAME="0" DLIST_ECNSHAME_URL="rfxn.com/downloads/ecnshame.lst" DLIST_ECNSHAME_URL_PROT="http" ## # Global Trust ## # This is an implementation of the trust rules (allow/deny_hosts) but # on a global perspective. You can define below remote addresses from # which the glob_allow/deny.rules files should be downloaded from on # a daily basis. The files can be maintained in a static fashion by # leaving USE_RGT=0, ideal for a host serving the files. USE_RGT="0" GA_URL="yourhost.com/glob_allow.rules" GA_URL_PROT="http" GD_URL="yourhost.com/glob_deny.rules" GD_URL_PROT="http" ## # [Logging and control settings] ## # Log all traffic that is filtered by the firewall LOG_DROP="0" # What log level should we send all log data too? # refer to man syslog.conf for levels LOG_LEVEL="crit" # Where should we send all the logging data? # ULOG (Allow ulogd to handle the logging) # LOG (Default; sends logging to kernel log) LOG_TARGET="LOG" # Log interactive access over telnet & ssh; uses # custom log prefix of ** SSH ** & ** TELNET ** LOG_IA="1" # Log all foreign gateway traffic LOG_LGATE="0" # Extended logging information; this forces the output of tcp options and # ip options for packets passing through the log chains LOG_EXT="0" # Max firewall events to log per/minute. Log events exceeding these limits # will be lost (1440 minutes/day * 30 events/minute = 43200 events per/day) LOG_RATE="30" # Location of the apf status log; all startup, shutdown and runtime status # sends outputs to this file LOG_APF="/var/log/apf_log" ## # [Import misc. conf] ## # Internal variable file CNFINT="$INSTALL_PATH/internals/internals.conf" . $CNFINT apf-9.7-1/files/ecnshame_hosts.rules0000640000000000000000000000000010630563074016142 0ustar rootrootapf-9.7-1/files/preroute.rules0000640000000000000000000000025010247644071015014 0ustar rootrooteout "{glob} loading preroute.rules" # load TOS prerouting function # do not remove or TOS vars will not function tospreroute # place your custom routing rules below apf-9.7-1/files/extras/0000750000000000000000000000000011157714561013406 5ustar rootrootapf-9.7-1/files/extras/dshield/0000750000000000000000000000000011043474217015015 5ustar rootrootapf-9.7-1/files/extras/dshield/dshield-3.2.tar.gz0000644000000000000000000007225207723061766020110 0ustar rootroot‹öcL?ä;kwÛ6²ýì_:›Ci+Ó’&½jÜTë8±züº–Üœlâ“C‘Äš¹hEÝí¿3€QVÜîí~YœƒÁ`0/ #5yíõ'þºÝgÝß~ »ÝÏŸÑ_ø¹¿¦ýâÅÁa÷yïù3xßë~žý3‰r¿\é@2öU-b±N¦©þOÐóþEvÿíß?eŽn¯ûðþ÷z½çÏaÿŸ¿èö^ô°¿wðüEï+ÖýS¨Yûý—ïÿ“¯Ù~®äþ$û\ܳl¥ç©ØÙyÂv_H$ülµ V@üTÎØH¤RwX "v‹ü3‹³pÄBíÇ™& W,Ig, ¤ârç ŒþË0ê(²Uçžú]ÿÀƺÝÃýîóýî Öý®ßëõŸ=cü%€ääsÆþB㯕¢Aœ`«˜{÷SÉjs·¦2]0=ç F"ï¸{ Ü|ªÚ{ÊZö½ãµ¯€óºEd¶?Ünî?¼m#ˇ Äx5O—À/””0#§Ø,I' Q÷Œ…ãpE¶àÕŽS´Ñ$Ž€ª ¸ã”mµO¡‚¬vì,R¡ç ÿéý¯ïu{^‡yoøÛØ>$¶±=ȨýÌô¯°ý-¶ÊiìsÓN°ý‚àó¶¿ÃöˆgØþl_†Ú½.¶/Ò{lÓ¼¯yˆíï·:šÎ©H§øá¨KO¹Nŵ^*¤Ì¼ciŽú[§¨ 8C· Ã–ó8œ3çLÆ„{À &Ž‹™Ñ)9Y1‡}‰ð˜•™QBpràÎî0\z*žÙÀ¸Lå³?ì%;)4dDúl‹pÁ=7:-PÖ²Õfᜇw³)O´Qü°nÉ÷¸Àí$áLaqŸ §ì=Ø‚%(/„eI0h f  RÌyW 6êRwF]ÿÕ2B³¢’ƒÂÄþ)X=cL@oà2•þN<-V`[)’OI f±˜¦^Û]ó·-3- 쟜ÁÏ(‚¤”Êߨy#ëAMÏx lrïÐâÄÿÌCd*;öƒE]¡ÂÍ6øÛùåÅ'8«·oO⯠þ’œfƒö.â6¡]›¢˜g‡'Š÷×H5 ÐÌŸ¢ $Z–Â]LvAjÏ™Fká:„Œˆp<%K:ÍEˆ6RjÃñöàév¬Nų†LZÙÍ3Ÿ^X( d1úd‚Ö´'©î’‹`1P58`;@¤šÕÔ l…髨ÛW¨—)þ2`±f»7Bò0’I¬8jt”oŒÇ×ß­\çR]ÑD/2,pƒ­òwجKPÓ `ÀA­bÈÕÒ –üYC!ëÜÅ_xˆvb¼óÁÑÓáÉÙkv3:¹¾#ÀÆÇÿ>¹ //°ùT‘HÙÝøà¡šŠ#,AÑ…'êWì1v¨ãÜ";-¾öCà»VÛ‰î°ñfÑü[M93†\ã‘xÛÛ«$á¢Ä`Aþg•#3AË0§ãÝà¼OóYN–GäËÑ«:&¢ãÅœ[ð“U´oËØÛ«·lAιàèȇ!Wª²oÕuªƒ3‘ãÎ+Ç‚ù’½Û’à¡q¿Tù’£0”»ˆ¸j{èдk#bAÆ+ëÿ¿Ñ‚ºk ®0¾¶ê°‘´”s€K$é $ˆöSò¬ˆpÁ§—üF´I èAwOÁoRèe–”ÓááèùÔÎÒY„]À•‰'ŸFDpKµÑB=õ{SpJÂTDàÒ-g_µüW‡ÐØÓa)ìØÅ£µ™TëY6«PZ×£VÛ¶ªN‹¹[Qz•Ñí~cAG߃Y:N'1p¬e5c9®Ž¿®go £Ó¸cÒÚFsÕ÷ì÷»UHäÐÚŒMÝ9ItEPËÓV Æ,‰N½Ûb|sMV‘áï‰ „@ÄÐÑ ÀøZ—’^¥~‹jÇŸ » ÙP:–5€úþs‘Ù‡. Ù“Ô¼ô}0ÿÆoª;-ÖÚݽFKç\Ê…÷’=3I'äu˜.ØÆ9:Ö‰P&ÅDËæÓ O´2n,RÌjQ0[Íí*YYXÀ:̈—íøÀ/@ °/=XÒÁ©e ^BÂîŽa=Ú„ì c¯Béå‡cªÂ³[-¥qWÖdW–)'’ÜÔl‰Ë»íii|[öÒyÓ?RVø×ö®ÓÜl³oNOûçç¸Ü=jª¢¢‚!‹Y0Šb¡\J¼Ï"€–¢‡X{ŠBWs—Ѧì?ü]ˆèÐÝcë?ÅE-–¥ûtXR¬x2ô°1“•Óî@(Ĉ~/ˆ¾nÀÑùø PË{¼Ÿ¦h¬”ãO­±bÈ{ä-¾Á}ÎöÇg##ø¤} ¶t¸êxàªT€ÀWñ4çF|›,y-D{ˆ~ª »]Ràœ9ö²X)'I¤rLÕêØ,rbãRJtýdèñds¨G ú(JdÆ-\;—.Á Ã(˶¦ÍHë(¹„ÿÝvR ÃÑæ>ƒv˹#"ÎAWƒñ)1gï®cÑ.WXÃ1T""÷¡aÞ¡æ$LYÇ‘fçeÉ‘ªÜÁ” 0m•i‡÷ {[Ì*Ò žö£Éºnû#óÍ5 &YìÁQ”x:‚"yóx*eœá5žÕŠ²â׺‰üÇÎt#ÀÔÈ`h.™ èT(ÁJÔh)™¾t“ð2ioG𒼕¬Õ£éá‹L¯ Œµ™Ï^BËL]tá¿{*SÞ@Q¹Ë956G Cª1Zá-²¹­‡×|À6ØÝL9j&Âø?[hª&hB»7˜ÔbÌû«Ç<¶FÀº­àv"{'tî ,x‹ŽF‡—‡aª©ñÍŸVáþõú·æMû«¾êç}ÝçýE?LûóŸïã~Ò—}Ñ÷:6§u„¹,4(Ô@ÍN ãQ“ì×Q‘û:*“_Ô¤lBÇe ¨ 9‡íZm“rð`á Ñ“±³ÔÛlæ&å뚨ݩíTpñ`Ô§£T5­fsm‡ÉjM¨eN¡mïK©¤GçRf¡—c»³täÝUÃÕ÷Z&‹BØGTá®ÖÒ°­Ó¼Þ^H‘} [î­%î‹p„^b@B±h%q^A7¯¡£joJwÛø¢öÅ‹Žu«½÷Ï5Ünó7¢w¢•Ê›ß5ÕýúT$\1¦Ìd7y³~ñøбÀQ!‰{ŒÁ†Ð°yÒ k7ÓøéZª<Ü–W)… òá8v3Ñö( E˜ä‘ó Ë4[I|5Aëç¨z,$) Ûøz§øè ¼±wµC&J&ý¹ |“ç2X;q×\r¿vèÐv,0o7Þ­]`ɘ‡ÅpT0Áõ×å¥Ðf©îµe­€M$ÞwQÕW˜ »u%ŒiÀ—¤[²/Aa)%"™¤ààaåŠqËéºÖn¢ÑÙy Ý6{HÄU;)s·¡WÏí…&$K ›—ŸÕ£Z°’%ÝÀ«"ÓÚ\}ÅÝ©Ø#G¤cùÁ §^e<„‚G[Öÿ„¿ôÙ)—Tðe Ä\…Úl*ø*ÊÏ\Q˜Ê§š â³Xðg\;WGéACTì- 7eI𫉗©céÒ·8xÒg­!à†èOÑü8»"µ(5£€–7› t ꪋy‡`™šò83 ‹Ê^±¡©Î]rÖ‹ÌÖAB‹ &i^] „Þ!Ÿá*Ë;b‹oȘbú‡p×IñýêzÞñ$锑­e°ƒ5ìAn à_0ã(¶aÂíe¡ˆ ܼwÖØ2-*së·aYXeuWNþ(e[ïtJ…*­à"8,Î2ÿ%TËi ¿â‚3®ÙðüôÒ­æfÑ¡T¹4e~Tã aB`Â5KSpŠ:³c¶÷ˆ1_*`L³´¥P…ø+O ©ÒªÕl7ÃLÒ=ÅGnVOCë¥#ÅèG)‚ ìaª ä&ˬ‚ZÓ:_$°òÇ,‡oÑ §éäi|:ÑážÊ$Ì@À_±ÖhÉÁŒ4S\N˜Õ ‚¬ëþâšã!skQ¾}ôÝ¿eÀ°Iì)W›m*ù«®¸± sMtK®GƒˆµB‡în}MÒ6Yè×6X„“—Q‚ í=(Hõá‚I[ýN[ÜCTƒ ò?Š+Ð$”o"v}2x}~â=6ƒW“—ß2 OêT®Áq*€#9êIwï­Ñd¹Õ¨ÀøB¥ÇÖX\Ay§°ï¶‚¤,¯×Ù_¼µÎ®°µkB¡ÝÛ5‘i¹@h·Ý i7ª’&}6ì}wñª·æ‡Ö]ÍÍ[ì¤KòÁ%YÛ:·z:†”€ŽÌÜ$^¾çN%y«í- 7u\‰¿AM{Ú†ßUçôƒG5äŸP«¼³ÁÊSò[«!¡î¢Ð—*båJ 5«cÂOÙTóÁÔ<È2.0+!ù®›ô2³_½¸¤ RQ¸Ðä:„“Ò¹÷öαVIŸtqyæCg,õ•7X%f¿Ü¨›9+ŸqTÎß@N6/u´m*N¬ÎPáV¯Ì+›æ†–ŠMÁ|`jÑŠ¦Æä(eîÀ^w[òÄÚLò½bi€‚Ç J¯ã]áÜD)Yò,ö 7ùÏ“´Õ¦ò|š ŠJ|Çb)¢ÌÞLbðÈ$V…Å <`ùÉóæÆy2_?˜OÕX`ñ† ·5>Ÿã¬Ô‡~â”z?*Ê^§dÍ"\o¥f«c–Rð¸¬ÊeÆ"B׈>Uò6(?.1Õs‘ù¾ÍwÌ®lJñ•$±8€îÏZ´¼Ñxp=Ÿ¼6A¸O*$¦‘,{Ö 6’…àf%Õdǃ¾aÓgª«î‚Þb‹x:¬e6Ñ´›RWå‡k7Sÿ8“on¶]@[˜‹Ê}Iéµ9Ó³» W‹…Û;ôø'múæ±öõOïðóèD…ŽõFdhŽ|f= e¾)´N|F¡@ ˜.²@à½où½[¡êåEÑ´"*-\›±òz4ü(©ÜŒO–Ø$ÅÄ^£º¾¶û4¤µ°ÎæÈ~Ý\7¬Ï v1¶f„Ö6`°íÍ–ªï~iÂê‚ñNsÚ<6ek÷v bÙjÔ-ÙÇí>øC[É/s‘ý݇°­‘nŽ ÄÇàADîP?æ’üŽ>•š›*IJ Òò<ÕëNZæÃqJVá—¸ª@nŠlÁáŽ3“KÆ/¹ýj/ÀĖ·Лï[&Q$XtÚöËÏ°qÀèÞÜ& ÊŠï¡j†å6ÿÞØ-üXKúºH¦ ü¬ô£ü(Æ©ûÀŸê~‘©ò¬ž Wm\é²@m¶A§n›ò÷LW~ÁÝZæ6å*y™O±Sµ¬HôüoÙTÂŽDÿ×Þ»¶·q\é¢ùš~öèP™€€/’MK¶! ²0¡HIYѶ=ÚM Iv 1h@“ñùíg½ëRUÝ()qœ}æ3±$ »îµîë]#uš»±è_îÇg"øÚhH-™µºW´‹û’Y…/Ý0”¼Âiа ;1üÙAÜùòáVì<ø ÃQ4Ž™ŒCBÌñïƒÓÃg¤Óf3±H/Ì‚TdMq0‹Q"VoS®ðÖTLÐì”Íç_ ¬Gïø¾PA®¸âVh#Îúÿ»÷ø߆²òjx¸Jçø¹ùŸÖe”Nê28ü«ãE´ [æÐzx£u‚Û`¦04ú " ,¤æЉj_T$ÍÁxXßxÑíÆÏN_ì¯J‚s'I'ÞXÅð?¾ý•7œY„µÉGßÄÛ{[K È«kpVhÕYÍA/¼‚ì.Àí«®)]tÀìÿ4Y;5 |…|CÇ-tWUU™ót4ZêÆtsM#b„áÁˆâ”1Žòw¢G96¾ÕV¬Tïí„äôk3¯^çÙ`:¯¯¸èÿðš²~÷)+êiÚ'.éÇÞY;T¡|¬Áß#ˆ®]¦U<åî[²#!Hoç¤!J _ýìôÀgýžÓ÷œ¬Ë¤ªâ²K¼¥UêÛqWD™q>fµOÂ#'#‰óeiXˆvA¢È ¡žv¢Q*j•TèIC,%2øÝÕº--Ód–ŒÓ9\î.Ú²äy•4ÅÐfÀ³TQŸfµŸŠ/šô¿ZsùÅ@`Ø<èšòÛ’ Hócùb2Çò!í¤_`ge²½Š+› §Šñ¡iÈôïä–”i 㾚1wvvrÞDöý;9=>?nÆϻߟ5Õ’eêÌ!J œ2ï ºÎþS{és/Ö¡HçË7 IŸÁb/&oîñ¡Åæ·Ê+ÍÒ[š¨Dû“|ƒ¼žyN„Í£õ–´Î-,+ ½„¶D[XÞþ]Ú]úí‚ØØÛ¥ou}Ž}®‹Ø˜4o江¦fçº<ñº=ò¸œH~jø26Ìuq…ÞG+Cwñ¾wŒÔVÚöy9åÆËSkmü_'Èçv!{â½tùòügµ“ä 쟗†ù_Á‰Tçk#üGËk߯8l?ÑÜÉך8ô±”Î sÄáé”.ü¬Åÿ¯¦©ùþgf« ã¿|Õ¼³Ãà¸ÅúÈû")ã-É‘¯;B ü¢Ù8Ñz­^çnW¦èŸì&Ðø¸õo¿ývc?ñ?ãŸ~:ªXºí'úï×áûOËï?]ÿ¾üDÿ fA$è]*¶YLer5‚’9/ת|EGüµ¶µ†ú^f¤ý(ÑÛxµÑ€€ßZA€]Cú—ûqgûËi³÷)m>Øý˜&_~J“;ÛÓd÷“fþàcš<ù”&?j)O?¥ÅZɳOiñ£òÙ'-dpÀÏó<¾H†Š¡Ù¦«9“Ìó Üé¹… ¨£;s1 Ü.‘N“ÿØ–?vä]Â!ÜŽéL­$ð=ÅQØun¨?zoïÂ4í¿Ýæo;Êßîð·_²MÛ¾Û Ú&b†qÑÛòÇŽü±4.¦zåq {ѾÐÐò¸Ðîò¸ÐMu\è³dúcâÚΊavËF…fð¯Ô;8ÿ½â /=½Ò!êšÐÝ„j<ËçùÅ-ãUå†Õ®"ϧ«÷ –„ÝbJÂÇÉfË-ÑDôC9|FsŒW4eø»WÜ$ø›ïÆÉàšùÞ戋 7rk†Ãr+ŒBÀsä#ÑdÎÏLH³ïcI·¾D,t{ä[[ù3ÛNIÙv•Ïhç *–‚MñH†C Ï{ 7x”ÎU1€ie KªÄ›rE[n{[DÐÏN6šE­_wˆ‚>ßù•Wdõ$4½±n3Ž7²é»-V¢%R¾€“vc—â›RaL{—Â&$vщâ9sr!vHpmÌ˶œ;yOíNL\æ9Ók‹{ ?îÊ,¦S V0#ÇB,ŸQ|ÜñßÛZú¥ÍåÆhù>ÔVgE[«€ÉJoµ:ºÈ“”¬Î²À³òu"ÇÇO5^~Eðÿ0-mp `Sç¶^nÉIVš fÀ—ýèåá¡[Ó³tÉ!!!±Ò¨¬’ÅýVÖJž`làð3 ZÕf$¾ø®fšˆõ$_B^w²=ýc¨B|øçÐ ö$Öÿ´r'ïöGÌYG,˜›Aˆ] (£kÒT)À鶔½÷IsÓ§~ÛÉÝ9)­j2»†`£.a—ªM⤊œêCO ´f劲ˆM7¹r‹b?~†”tf7THRÈ\ÌÞñ˜N 6Ä ïŒ,_À!›E0üf9¼Ì™ˆG]3²Ë%½£ ¥ïç³ÄÁK {Fùœ‘ý½]J\¿Î#gú3ÃVKcOÒ"¦þÈ™6¹Ù€¹:¡×|R’™Û–¦Ø6Ô!Þ(1Q)~%Ô¥&ÿ¿(ÈÕ#Á¬Vk6â/â~âcíIÁ‹ùÅ©¶=åƧ«[ŸróSnÊL¹‡©v1Õ>¦+:Ñ%;M¯Ð}Ó÷Ó™DZ«4ð@v…ŒQÕÝF‘ÄÛ¨­XqoÄ„¥„ñ"]*ºáRÕ°ÁmÛJƒª›¥Wé{­o1”#Iò»¹•«?$MÄy\ó‰°äÇ \›€ø r!/néN@æ_N­- x"tÙDÞJ³™èÍLϱ®8Q£Œ†¸ñäðøàO­þÑãççç'æv”viošÏ!ò¹"Á9j™ž¤9ýcÌþ]çœÞ`Lôecl9 ¦äˆ§ßfiGÌ[º õY­þc·õ¿“Ö_¾OÂý§áß:Íí_qýÇ­ÖWû?ÿíKúûÿÿ|_ë•ìÇí¿m5·¿ú…f#ß¿<ç¿}×_tô¯/è>æFÚh™Î ÿ×ÿyòóýù/Îããzû‹ÆU†Gº½¨õåÓ\™Ç4J4éþ¶ôæ¼úæùÁê7ëg½ÿxL‹»â?_¼ê==~Åÿ8í=ÞzQw[Ï’Ö%M¶ÎËõóßv~¡G/—zΪ=÷^œÄç¯OzÚãÁñÓ^yØ+ö°”©TÙÃ[ÖÿÁ=÷¦ qfÅ ™ ¾ÖqìÒ£KQe²U6åy×’¯ Šî¤X‘wÉ(VÚ(‹bÛAEhŸÎyüQ4ˆŽ·ùßõåH¼{z¹.µSV«ªÆ%D6‰¬c€°V2ØE×(^LY´£ó>XVèîy"gEºP=QæÔœ®@~¶KÊŠ ÷´î©G6õyµ%÷ g­z¾ÑX ]¡<¬çÜ·¯fùbŠ2Ûë]z™E1±ÍUßÙkÆ‚ø¢êf3T^¨Û]máac¹Ãàl/Vëú¡¤ÉH‰OOà窭|X¤Ô“p4/w¿ÞÂàÞž»yÍ?a^Õ¹ÍW÷â應gX=©u›Û¹zø”(œê5é(½‚jC—£…³7s–ço׶™õr”0bQ¹LRu<»k·ë§Ê™ÔÔ‘A·p§ë×OæØ{OcÄ<€h]°F·F`äľ\ÜÞ:%äqÏ`~Ë9Œ7–C8xuÊ—·wл»Úw¼øNPáÉÝ¿ê­È©~l¡Ì™ ï¯|oý1æñØþdî(gŸx”uZ¾¥»Ç_½²,×ßYû¬:âÙú»ûq“Çç^|t/WÄçí­³Çµã@‘ò×¾ýöÛÚÝ[ëìþ«Î°ˆë6Ê>ªÒ3®a}0ýc™Ò:™À+ÂÓ¼—¶G¼LP1zƒºv——)£ÙJïE\OÛWm' ¯ Zq+ýPÞ¡ZMÚYlfÔnüy•ºC´»ƒ~­Su¸•!‘˳dµTĺHƒ:ú{Eó8,wpñK+i÷£œÅŸ « Eºîf€S+YRiáà©®Él‘oK¥hˆ˜…ï]—wj]0ä*K³sS|¢…yõxìÄ-Ÿ4¿Õþ?Ý´½‚¬õ½,1˜¥_þ¼ïƒè¬ÂÍ(Ñã'—p—{´³œÓÛ‘=1¹Õ÷oR«ÂcƦòaý”ÃùÁø|ø>tØ>êpý«@}_¥j{ #sãWìj*94çXÎ5Q$—'¿õn°>ÄÖ ñ&›ˆÚ ?B‘"(°Qf†‚XÐÍ@Cáj8e•mÄŒ# »IhKú¶+ÖÀѺU:C¨´t°òi îݯ•Llü*M`]à÷f@8áÉÿZ$C_¥<™ŽoB™9­ŒòÁ?èøâ–SÝyGìšCû¶¸•bêÑÃvËà2kWôœ¸£<`8Ë7  0´¹[jLJ)ÜJzùQC6-r$ÉÿkÁqP¿ÒZ •2ªã?¾þ¸§ÚU…½¾²LVÇJà¨ñD™ÜêyÝÙÙz,wØâºcY2„Ɇgy R̯Å/´¾F¢qV+K²V¦§ÃAˆw^¾(üë£x ¤üã›øÁÞÞÎÞß9²‹t~“Ù’D[n©)ÉúEö.ýÀxÙ~»šL=½˜K¦:P†6kJfW‹±«ütŒKäÛJë®þö̺]˜9ìr1iÇGé¯yO‚ìN{{§½ûÕ}® kSšÊ7xäáq÷©¤étãÅdÜÙ„‘2ã ˜¶ ÷$Ðð‚Hɧ½H Æ¡Ô`s× §( ¿³(¼ïyQ°i›4¿„ƒÁ‘A›Ïj4ÌúóÕâ4E|Z6÷Ë·rNºþ¼ìàKAÏmh6a,¸´Ö/i,S`ÓÂ) /sY¢ˆËgnQ7í³QqÄ4¹ÈFXNæÎÊïºEÊŸÒ`…Îô|64Ú9ˆ»' ‰§YI·Å|YCÂÑŽŸ§*¾KQÍWº'ÈXÈ4É-õyriE,âu•<í!ï2 _ Ê ß‹ƒ´´vSI¦¦•MÒ÷1¾P;®Õ N߶éÛÀ §þ)}ºš–,>±r2²±†ñ”M w7h_‡U‡ïY°08íÉ´¼Âj÷ÿl¶eè.Ü™œ÷>Nlýéd`“ÙiÉõãq;Oƶ “ã XÚÑÊÉlü4ùQpH~þiÂ¥Z$:G¿³Qݱjéâ„·gXb$ê5òŽ4jGßðèŸ- ¸RqA$Ü"æ ¦›ä¶Ò C¤ ] ƒsu5'qp4„Í­v™aÒÞé/QSNè-Éd\ÿíç¦T‚–“,IˆÕfS´ÍéíFSj‰êØÞhE´ðBÜ}×øTNURYàH`“ìýÇô•ý7ãßvJz•mÜÇ\v*CQ’µþq;.TÂ…@¨Ä¡Ã>Hìüž¿TÅùÎÖîîJÖÎìHAœÒØEáÐ(9„ÞãèÓÏYq|›Þ6šÔž¾<{Núhÿ‡þaïûÞYÍ¡"}]TKÓNô>÷çHÄ‘MéOaG–2®—ßé?e”^bÔà+ Éà·®)D&M¤A×cYL‘‚+pœ««ŒMÞpJ¼Ôâ³gWŸÒªD£Û|~;M×îkDƒÂ°^.›œ ÓŠ¨UZ #!_c¦KÛr'åâVNš‡ÆÆü)sŠ>ô‚>ìî¦Fx’ˆ…ˆa_/ø$Ÿ.¸ª×»d–I GKãþÓ‚!ÕÂÅ£Åá®A»\8Œˆn–››Aвq×i°ÃÆ«=U¼^ʺw¿ïW–ÆÞ^ÌŠ|&¼PlËWžc˜Å3t³ÙInÄ‚4g ƒ:‘6³ê2w±žÛR×)­×Îz‡½ƒó˜DH/Ù"¾zÞ;íñR>öáå_—bÁüúÉ4¤ÝKâ×9xzèÌúûºÕpôr·~£þ9Ýòæ—útÇáîõú®†Ä=ö1»Úg6D4$©¥3Rl5ýIÔSØBõÓDÀcض Šz™üèy3s‘¤9Àõrir4 µÈMX.]qtóëOn8a>‡: ©¡$,-ßL8S˜Ý§Lg´g2§H“ÈŠqÑ^ι¿nÉÌ q «‹U®£Þ^FIþ­¯/ '‰•´"CòtL*Íìö#nåFUAì=#F)µFúGçÇñy÷ ý[\,L¤ýÆ®N$JyLëu·Ððq"C2C•ìÿCÂʯÜï+z)u7Î5ñë×Õ7NÓ)ÙÅ~,q”ñÓùíÃý‘±ñÙÛl:uÿÒöìa’ÝH¨®§’…¤Îg'DZ¯ssprê§ûçv£Ñ¸Xlc’o¬”¹*‹¤P6õ¢±’OßÓ¬és竼Xpd 7ÔS¬Í;×$µü}€wE|B Äu6l—Â}iŠ µ¶ÛÞjïPk†ßƒÌ Ž`iù mÇÕ¿d=&ê•1qEÃýÌØÏX$·l"h¯?MçÀ–@â ÷§#‡T*.œ6usÍóá¨Ô &RÞ_¬ùfýlW+QÀ0δB£ä"JëA+vt|.]u_ž¿éœö^ôŽÎ㺄º#Ÿðv ŽT/}*ífØŒí÷‰–>Å#«¿Ú±³EЂ‘h:-Ñ ’¶P#Ó>#ÉT‰~÷ùóÉGñ7˵¼Ý>¶:[[vw·EŸ‡äOúØŸ»{¿Ûzøp{gëAçá6ýÞÙí<ìü.Þúu‡±ú³Rxÿi.“;žƒ¡æ·ÏoüùñiïY÷åáùÏQtèa:$£e¸³qê;6-Ái9íÇñ&Iø›£üjS¡‹HËd?^U;ºç~½Íß sä  Ká;É(Òª×ÜþVtO+Kw€†Úœç›òå°m9÷Ô ÊOeÓö¨+ö½¬ÈCò8Ž3½OÇ•(&pÈÂuBkŸq˜e÷´dõãØ_¬{Z²ûq|kk‹Ž¿Þ~oommÿ3Ùå2ý§uû•ûøýßÝÛ!úÿ`çáƒÛ»{Aÿ·ö|¦ÿ¿Å‡$ÆîyeÐ'ݳ^ììÁ_G/ËÿÔ'CU/®Å~ÒÿžtÀøåÑYÿû£ÞÓµ2éÉiÿE÷ôuü§Þk¢©´êã)ºí÷_ôÜK¤ÈÌñÊöè'Ò¨Î^tË¿óoD¬×½6¼ã5¡ŽÏûG¯×¼,¡óËðNµzöÊW}<è]½ôžöþgÃ÷úh]ãn‚_Z°Në~MóÆüêCx èo¥ßøú®QÙ=ë%»cPwn3—º§Ï»§õÎV#˜Êb6r¿ìáú–úïõNÏÅZ ÝÿÐ=|Ù;‹ëòž7ì5?åµÊÑ߯çóéþææÍÍM{bø)?67>ª)±´•Ûáï\ÿê«úOùý7°db\Iæ×ìãôŸä~úîáÞîÎÎîîÃÓÿÝÏôÿ·ù´Z­8Ø{`ýþl1‰_$$íÅÛ;û{_íïm‰rÿþýàáÒsý­ýݯä¹ï¾‹[»›âûô߇ñwßEjD€9Õú/È€€“Ó^“At_ÿ!^â(Žâ7oHŒz󆄡7Jåo6š«±½õ‡S΀*Òà…’-KßFÍŠÓô"¨{Q‘‹ò÷[ÙnH aŽždgçËæ—Úa¥Û_kþ•AÝ_7ŠÔºED]§7'‡Ýþâø/•_N»/Þ¼xº‡ð÷ý}#úŸÉ˜£ÓÿòÁæ?«­­]bï{U¾oÊßÕþ·÷žëtðx¼÷ÏPø1þÿ!þþ?”ÿ‡ûO2ûÑ÷½Ããïå>î–ÿHÙßü÷àáÖýýä¿Îögùï·ø¦W$jì#î‡ðº}0Zàp“± 6ãVüdqu™½oƈò9É?þÌqô9ÁËR‘´×ñ©øÓàë‚Ëh§½×Æÿ¾˜¤´¡Åüb0#5NQÀH)®5r_‚¢8 KbøK‘»‰KÖAÔ³vÚ^fÚh´ã—È+™/&\_V1üÕ=x“ÜZÖXcO:$͆ …Y*°MCìÀØ}NÌ Jö(¿º²b×_ÄϨL_qí^ G€kÍC|&\î÷†„ˆd¤5Y¬’ŠÌI‡ÔjQ;­ù`Ú*ŒŒ@aNÉç wEƒW¹×·¿$™|6¸.­ó‹¬ÈŸ0Á¥o°ábü‹3óX2¥¢@²¶w E‹5¨®YçÒ§9zM<ŠÊ%°“n-Jæb„Ä®âPÎ҃׎ŸhL¾åzé0ÏRœ¤\Š!múÂË â=RÞŽ‹ä›Nöáa^Zñ3LŽ£““Azc»k}© ‡&íb–ÁOáõ¸ãíÊq}:Ó3~š¢#-°7[q½C—æ]ʱˆÐ“dwp¥ì9 ­¢ggƒ~‡þ¤×¾ŒÏßRy±æᩲ¨¬0ZžsÞ´Œ¿¤÷\Cè«Ìuü§©)Š‘:ÕâXZhPÂò¬kCJ7|›n8Z?DëÍŠÜb÷Ï&Ö‘ýJ„7£+=%ý¥çl¦­û½ºÑ–¯àÞè,úzŒ.N5Š:wIg)"ÍN%zIÀË©IJe¨w‡Þus_zýŽHYŽ8_Ú;‹ÀL“ka^¥RŸ!J²?¾¤àt½DŽ6hÌ+ç;#Û€ Išþ…^F˜.YцÐÎ÷Ónû l…Ãg@ûBÍJ;÷#ÄÂs•“ùÜâ¬|„_0CÉÂ"ó5’ÓC”«³ã„»§+¡j 4šÙ ”–½9>K‚)§/Þ½öü©Kj{kuqú§¯fW¸ÂXëÏðÙá&ª1—ë÷®}<¬c+É©ëÞZš#ê`Æ\íþ¨ÒI¼) ¢îiÚÏ7VßÔŠºË´tIß"!´È%÷…3h•ž"ðöj–ÌÙ<_,Ý"ä%TwTêÞbžâҒ‚R/7ŒHWÏ',°&É2œ(ÈyûÚ’¯ãJâËdI±WtÝ}Tc*“ô†íSί(SP@òÕ˜&‹iÑ´ú6a8˜B´ IF­N‰Œq9m#¯-¸rL1º¥~¿œ9„FCéK™±J1‹¼4o²÷b½È&Xq¢ @(0>ÁŒ¶žßÎâÎÃk@guFãÓxB<»òI9VX¾Úsþk$ö¤S9åt—掽¹´EŒ§{n»ÕFß[Ú÷^éz¿Fhibùjñ_㩤!IJÌHã¼¹¾m›˜©ƒ9æ(Nµã3DbáR´Äu¡î ·‚ ßDtnN¿ÒÔ” À_Pïô ‰– Šð1Ùd®T#áëiµÏ¹¯‰'9Ñßv0\¦Õ›J¶Ó-w¿­§ì™ïÚœ~è ù¡{ú˜ÿÁñ[6ÎSŽe ÞÔò˜j½˜’8ö‡†‰ÃNûK;ˆÛ¥sHâaÞn·‰ѧÍ.?ödq‹¸‡HÆEý£Ç.°@I_%±2T—  xò:!¦IsŽ(ðÕ@é½h@±É§.lÚN,£ÕÒ¨9®<,w¥z·”ùñÛèëÝ°N*¸‰P‘â(§¤ó=±¢kõei)¿?íy°öúîÆ“R± | ·ñ ®ÿ;-e™*œ¥¨SÎ,¢¶Õ©Åo²âM|‘])â/}K_Ö‹ùbš¡Ø3m-·µן¦ƒx{uŒzÞQoÉÖ «¹‘¬EX¥2¬ÞŠô£º€Þ’“,ú'…»â.jÕ|†À0>ÿÇä–iämõ®ŒZ£µ…d”0º\Œ™ÐäNŠ+Vi{ˆM|¹¼i»U»okÍ上K")I‹¢ƒaiwtÛ¥A’Å ,C€Â¦^RÂòir-¡ÄxeRön«uŽ¦Z€Ê¾ìqøŒò G}¤`ÁÀŠ- B ²¢‹ÏußÏÝ–­)2õ–êmª9Ƨ½îÓ=žþ¶L¿|°ú'túGgÆlþ@c¤µ$8Û8Cø*»ücQõ¸v–%u,•’¼|ñP’3éæýpfTó8ϯA«¤üG2F ´Ô~öÙ·mÛô×ùBËã âdÊ•ˆYHò«Tð1ƒ›'HfVDS=J)•8(iñöW¥Áž¬I*šÐí´QóüÊ<¢È‹d{Ø´R…; ‡i 0:*Š‘9@.tÆ-zÞîà Îû•™Ér’K-Ïó`KBó ]É%|ëFÞò<•´i$=;~TG¡lŠ&“:§»µˆ¯Nt‡õFÂÞÞ £ËvÀ–é~@Aäâ4õ "÷—Awÿ[z#(±·`O½Í¬²u»3ÌÔ}…=ëÊuÞ]Ìs4(©ö¨ÕTHÝ8kã¯ù$u qS‰§”ëöGÔ»µg™31£ÚŒ[?”$KÓ'ê° 4<[ᦪRŸÜC^—ï,Ï-p>ž»Áñü"~2¸Xzâ(\fžd&W¼NHÙÓ]ûQ«+Ïóügdž:¦ëËr|*«Ã˜òµK–l’Ë´f¯µçWC¹ú+qO‡X¦ §,n†*{‰Ó_6åéVå>ç 3>Ŷ¾ü"Qˆ¸?4çZH2é$;ÿaZÞ–$>8>yÝ?úžg©ë‚Ň¢/Ð÷ ±3ì&Ï3Þ•‹xàhƱ'hM)“~¬a¹ÀpÉ}HntGÝ.íô‚"3©BµÀ%&>@û6\hÊ D!?ɉ3yí1y—†Ò[_äĬ:fšŽ]ù“îìŒýì¯.SDU„*ò4·eš;¥Y5] Ò`@§¨"cØ„yÇêE4ÒDv®:ÖÛ‡J Ô1¡c’Ž*„ý™\ó¾øMŸ2Ó2íÙ`K%·Dö&ËþÌ£•Fù6Hö3í[È:<¦›ô¯öM|þüó?%ÿŸPœ_½»ý»;N%þ‹¾zøÙÿ÷[|~ÿ{Їï^Æß÷Žz§ÝÃøäå“ÃþALÿëõ"y€>?(§ÛnŠ™¶óÕWÀã; Î-(õƒ}ùåWMþ)~ÌY~9¿ë~†Ta5õ'ƒµÅ{_Åç)g§ž@>hÆg d ïìl5ã'y1Çû/ºq¼µÝétZ­‡qüò¬Å=0B-+Çès­ÙÅ‚K.æ¿cõý‚V?e›z®@ª#bŸ“§kýnpkfQs3r1Êkf¿—:!‘l|1b ¸5µ%ñö±5¥°µÀÿ†©1g½ˆËêÀ4.]Ò s–•Šk~ÞiD4€v?aD$RÉ uÅñö©‘ódqA]G‡:†òõÆ}YtßÕ~‹lÌ­–Y~ ¨Â*u:YÁÏŠBÚ7ªÅ#è§hÇœñ•‡ÛÐ’)1Eq¦Œ½™¿|n"n€êæVp"åØ&·Vñ@ËÝ\#yCà˜ ä2°ÿH¯^=ÀÑ^wFK“ ©ƒ}^‘-öavÁÀTkff’L#fåI$˜ìm,ƒá¥× ÃD§æ•"„qÕL¬¯ª„±±†¢ºDŽ‰øtÙðMg©ùÕ#+–Î^¸§ Á¢k·‚Óܹ2Kã‹ëzvfW|"¾O°*/ô°›¬¸n4]WPˆS_Rebp¬0.ÐÒ²yd/B°dÌ*{Ïøº†~ *FbNFMó(ÑÈ„]<^[÷¯Õ}¬Í½…Šhísu8)\ ßéÜÜŸru˜æ bœÞn-g570à„] wÐaÍÅzû*eÚZ.ó8L&Î\O ÌŽ8#Pñ¢;ΉI¿à]6\äã…U 'Ï¥1ÏqòVUZ× B—fYJ25¼vL4éLLí¯¸@DÍÙ”£#¤%Ð Éõ»p2TF@›^Sqƒ]å3­I¥ÏqÒ¨m2Øûïn.ó'TDñQX¸(ŒËQŠí ”Ó60-¤½vô¿¢ŠËôëyïôÅYÜ=z=íŸ÷ÎâgǧfÑiÆOûgç§ý'/ñ?øâøiÿYÿ ‹/0ø-Ù\!*éqäÅv€6\ÙÊN°mE”pé¢mjh»¸US“‘ë|4dëÊ­Š¶ã‘)F Çd MN^-^´eÙ7ÞŦSZ¸fÄ2‹>³…`bä «xƒ§‚˜¤¡]#k-‚ ²ˆµ‚tðKÌ!Z0¦Ï²w NË‚Èàý„GÉ;ÜéŒÇR "‘guÙÌB¶Ì |8,L4#€Ó!0Ð÷ðÈFro &P2á‹Ft7É–¬þœÃwf®é^à Ã"vXè"_ଓH«?O"Û™x#ì}’g¤\o†Äʼn‘פˆ7ˆwlÐEé¢@·¹®+«u÷¢4Iõ-Í#/!ËéÐãðµX–Êsv4ƒ(Ôº•„]£Ñl1YZz%Ê&éÀ”o¨(bš÷ñUúJ놦‰±·Ì˜ŒfsæˆñÒA‹¬ç:‘Át ÑkÂZÉ5Ç < .šçŠ7ÚÑ+pbwÈf ˆÛh QŠŽï¸IÂ/ËäªÓ!&¹ý…Õd5m¦V„r ¶7®!6Ã6<;{˜-ÆÈGd>õòo„¥™fƒE¾(FÒ;Ѧå/OqщÁÐ$XFÐA†OEþ¦)åÑI FI6ÿ«qþ¯ã·i:Å•À Pé.’× ãX—ê6,QBÑü0ùä¢àH·\@þ]Óža!Òë‡ P^:óaÓ~¢¶gï“Õ§i«Ü.‰¦Ã« @š^ß3—¨Ë—ÙÔ5éI¼[m%Q9Q}À"ó9ñ(¿Àtß›fnB3ŸœmrT¾ãeV³ÕÆ(¦R¶H(=±`¾8–á®%ÅMå¥rNCA“I{™*W°’3\'J.èÞ®8—Z88Må¸H@ÏÇ÷(ix%@â>8¸ÇdFq-C4¦µå…¥9âzë‘ã6Š¹Æç93 õÎé0‹(O)0ÒÅÒ8ølb\³ÁzÑâèÍRÕVƒGnˆ9ó¯Õ:wl¿+„Õa^¨Ëmð{,vç—M Éö’ƒïr/ VÁγhã.̆® u’€±~-ÕÝ0ÑÝ-½1z‡‡ßeaN61OÍ°¡Tª7k1 tBYJœQþ6[°T£Â×i5уYHT›Ø˜fCâ´3P V ÏŒ^§M!AéÖê¡'“I¾ êÂþkaÂ-R¼x%Å“`yýb½îübè/M“ÀÜùÐ[ ãp/4¼Á‚­k|ã±>µ ^mÞ.n¡za”¦£‘ñ/ÎÇde7ßeéM…&r+^«»tÚ}­¯äYöœ]lYiSaAå&‚­; ²øb%˜”–¼)D¬Dl6Ë‚F¶¸í¬4Önänv~v,F¶ÉYªWîÓ_VF#ÃÇä‰"UËÈË+" ­½šMæK (#¸øŒΛ ¸~(w°+ÅQpÎÐA¡ò°ïÞACLqéÊÎBâá+Ú„‹mÕ~ž9±67|¾J‚ÄöŽ¤¨t £óbî^ˆ*‡Ž o¹f“BHë˜Bb]ÈT¢*Sa œÊ´¤ S õ-£BQyÄìÍ!¢ç‰`Âp< Ô ¶v¦Ý˜¹`n!扺ÙeZ³ô*™ ¹BškºÒ`Ób“*ÞM€‘²ý}3#FýÕb…¦#˜ˆ‘FNíÄ2X1Ðs_Ç´K׬8ø®X½‰Ò÷éLÔ_3œi‘ƒù,­\ì@Êg$Î`Í0uªX) Ðœûì?ÎÄ·3æ­WWX%kVu™CÇ®h(ªÊZL %Îs½$ÒL­wùhÁia²¶ò)VJÓýüDöõTèbfô/M>ÓÐRVr¹»Eõꪣ‡ )ÌÔÄŸmÄŹŠš \ÀW Wy¼‚ÿFgvã:<†í˜¥¨uBƒÜãþ:HS/?u(9q%›—¢ìªRRvL7ƒ$¨–E‰å•¦Þy»µQáIPxMy:¼Áºyj-'³ltë.#!˜ŽHc_Ó6D¶<³ÄÝ'¹›Z·„%kÒ±SdEp7X,vÔxµ‚$&·MÈU‚šä”ÄŠ4;ôX0R—ià~éÌdm]¸ð¼6™ ËÚs ÕxtusJûàÓ}>rÖ¯¿Ìäï؃ÁºÓÄÒ…:+˧ʘyƒ„÷WüPk¦ …­g ò+'BÏTŒQ·­˜.Ù|8á˜H¢”¤¶-™;ÌŒ`Aän|¡¬õáËËóujâNÔò`剳Ņq‡ Y}] ¹”d—ž¨ˆELÆÂnAÙŽ±ãœxÎ8µÔ–53ÄhÂ#úŒ•†pÐb‘sW_z¸wéÒü1Kã¢ï%´«^ÑZP€nÁ¢¤(òAf1ºÉ€k|d“Ll­ãóós—ì v#ã_\¦v2{`!’Ppð3¢Y>§ç\ Èv×& w(áÍ¥ù„×…]|ÜÏö8xó$êÎL=N¨ _«Cms¡¶LktÁH„}jø›0Nþ"y>t¢Y:­Ë 1â·tŒÓ‘ˆ&ÈxCgåh p[ÌItc#oyþДŠ¦Uvâ1»®"Û½¡lh.¯1ùË%i!h"Vpà­Q;tdVY ÈÐŒqEói˜J¼KµöV qH3FYi`éô™¸ÍÂ(7&ølH£Ube‰JÂIùXŠ*mÏÒ"0rŽ§ Á¼jsQ°ðÄñ®—pŠÄ$æš&²F&¿†RKI–ˆR<ô:…!—(eõFÎQÞL˜PÂi±ŒsÃÒ`¾¶ûõ½ƒ~¯`n'¥ ep‘ Yò{®Väî¡-0Dhv 9â*6+^ s³óö‚C˜„ØÿÍ"²™¿qã«ÃÛõ´Ø0à-›Ø.‘®?ÐHÖˆ{{²u¦Þ…Ú&Žät^ÑÁ¤†—9§ùèh¸[7}Å|Äáü‚Š/fÛ²+WMzDÂ×l ìAó¢êûØh¼‰Ï˜…“î:»È4{”Ü8ï½*ŠËó‘vfÈP:ú­8ÆØ^Q°+Æûº×ÙbÜq€é|j¤ÿDº¥=–bbpSÃâhaFŸâØ“»áG•E¬¨8êð -~äå.Qÿ3ž‡A • ¤‡¿à,m™³‘´ÈÉú‹DŠÈ%.Û¿ËÐæpg§kœ¡B¡ä lj¹¼\ÌØ_U 8QÌÕk±S6-ÑMŸkZ ÉPoG囤*žBp>¿»êR È1Ï£¢‘=lÇýKaìlN±x¶@ ­ý/‹áÛòDH ´Sñ9G$‰‚ã¤öÐ¥î§ù`¯‘’ ìSsS¢úv±HªœB†yù àìÔ5þ“’QqUE8©ËÖ±§Ô ãÓõ£k2WIßuQ¹#Mq·É]»ÐìÇ2Äšw%äBãŸðzhÓÏU/µsÉåC#º¦©8‹ÄA<äJåJOõ£ÐmDë¥Hçùú×”õ/m"Do;˜ký—#“Û]=ã0e$F4žå·¤&ܶ8¤ ¸Üœ`½ñ±7ç0œÜ9ØÔÅ2$¶0˜s­L¦kú/+ÕHó)2åaÅBC>éÆ–÷‚ ³ƒ79, õÍrxÔg`ZÎÄ›|ÇðE† œ>K)úëµÀ±ˆ2ŒHº‰\ÊTÀ6˜õr¸ŒƒÅ(!J›Í‹qÁT[(ÜE2ò$< ›"Q#1Jš?Å Ü•ÈU  œÈŠÂnáAí—LnÓÅŒ)Ø ›íÌBù3ÿKn}}Rø° ÁáAS¶ž±¹ÎõÔV'†d®Š7(bk¶<ùu¹s”8‘qT¡yù4’“¾ši‹s Ãô vi‹Eèo:ûjärî„ÅO%<ÃNÿ”MòX°8~Áû˜æµv!9×ÿ@í.¦:ÚSÅoàŸ±Ñ}KCJ‡‘/LJ—RuŽFTzžOÄà]0á世A ³%$,ñK_«u1-×XÝæÙ€!qŸ!G–r¨U\\ó™0Èì½d,pcµñyb¤ƒ”ð/¡dP9¡âë8ݨ’xA˾“ p‘.s+áªÅ|‰<³ñeÛœkU;ŦF½V(–€¿høÜÊŠÐdL;ÅYñ§ÿâÖ{¶B=]h´G–b‰@Yõ*JãXV˜¢£ *Ûp¸š1Ÿ^³½4Å è…øšøâ"!Än*Ó¤ Ô¦X*/xû˜TÈ/„ŽE¡} h7rá®-&!?Ÿ¡<1&èÁ‘Ã{é Œê~¼È‡KQ,¼|ÕæH˜µ¡èX)‹¾˜¥ï²Br¸±åj¶ZÏ‘îýšt‘ Åâ:e¨”Ÿana|yp0‰Ãg –Í2W)Šgö(é¡äõrMs®Ä$^³ÊÐ…‹ 7DdáÚr(QˆËW&¼…´Ç š4è¢=¡µÃ]|¨éÆVT½ÀDJE?&ʤ2¨SN»âÍvÖÂFÓkq̲-F#¨æ ¨eÚ‚ÄÌChƒ’"Ñ >¥®lƒ}˜ŽC´â8,ÍÝ;4´Üæª%¨8Én] Knr¾½ÂÙ +G³*'CB—¶Ú&NqÉPçm–"´ˆgMÓS /¡#?ôcAÈøUžŒøvóÝ›½s¨,ÉYH8/眀¿² ŸRÞŒ´”s§³#óǃ9)q¯HE0ÒP}ªÓÑqüª{zÚ=:ÍûßiÇOz]Ô‹8Þ‹ON¿?í¾ˆûgû4~vÚëÅÇÏf~ú}¯‰çN{x"l 1²AôÔ1ÿ»÷çs®@Ð;}Ñ??§Öž¼Ž»''Ô8W38ì¾¢Õìýù wrŽâ™GÑ1šÕ§ñœwñBÿ(~uÚ?G:5D îiÿûççñóãç½SŽÖݤÞùÅø¤{zÞïE4ŽúOË“ÚèžÑ°7âWýóçÇ/ÏÝà1¹îÑëøOý£§Í¸×ç†z>9íÑü#j»ÿ‚FÜ{Šú ‡/Ÿr ðj¥û43çù1/=k­Ó`¨ýèEeŽÎ»Oú‡}ê‘ÃÏúçGÔÇweä/»4‰—§'Çg=Øo°„Ô-øiÿìOq÷,Ò…ý—]×­.µñ¢{tÀUÙHL7~}ü\ƒæ}øDöª‡Š½ƒóþ´½ô$usöòEO×ûìœèð0>êÐxQIâ¬wúCÿëöNº}Z~ÄHŸž¢•ã#¡-Ûml’Þ=.SqˆÙžöþã%ÍgÅI@Ýïé´a1ƒ}^õQÓ‚v¨ºùM~…~ð›ÿšŽÑqü¢ûZ³_ëñ aºÈíò© CáOg÷É1Öà §Ïâ`A°EO»/ºß÷Κ‘;ܵ“7㳓ÞA¿ËAèèÑ^ʪÐ-ú—ØEúB‰»´˜Ρnî ÎÚ‘ê»z/ë¾ïÊùù8<>Ãa“ª„ö1áõ±^òIŠÄ 2Ñ­ú¬Hx/TLóÁƃ¦¸ żaÁμý,Ão8q`Ãpü?k@ŠÃ‘|<Ñ…88»±RÈùëiPq.›mj±Úa,M_îq ¬ÍD‚‰>þ ·UN¯~„H„o¨‡‚ÌBÏ7Ò/ë¥AQi¿¿vÙ¥]é×'‡Iå|u¸çªLc™]”äF­·^Pò‰’Xnzg·R/GI7–åçöê]±ª†]#ªg®ëlB—€ûHq(4ÆÜA„ŒÁí20ÔUÈæÝG ZH' Úh¢Ê§iq?‚MŸ¥VïŽe–trÎâå:´:uÖÃsí)Jq"ëÖðˆÀé×òk­D}—ÌïW³ü›w>1ÎLaŒÌhB9´@Ò,!-§U›åšäðY@ö"U˜‚ƒ„§6wêûP¾–*~ÇT’-^ç·ùðërÅÁ/n]GäÀ7ŠR`íœú?Á9¯YÍjÜÆBòy‹XÃTS4œE:ûwŒ&~ ¬SÀGG‚Ìo «ÞÒMË'ß4ã‰j³lÄÀ$Yä‡&à:ŠÌ¼~æ°˜u×P]gdQ·‘7pàü„û˦(HƒuˆÎÇ6 IQí,‡ƒĆq%œ…&²àpNÏÕ_8 J ÉÚö˜Õ ”iãfA¢pc1¢–Ó=Ì›±¥Ï¬€ºˆVC],[6ÿÕÀ6Ÿ?õ ñŸeî×ïãøOÛlUðŸ¶>ü\ÿå7ùTñ—€júÑÒë/B¨oÆÇŸÛoà‰hz<$ýÒcu-®TfÝŽÓUŠ² üþ¶õK|.a…—D­%wWRd»9'm·ñÃevµ`Ë¥å÷%TèwÛ\ ¦@{_ôÅ(œ_E*Tkñó%ZIB뾸Þ°žºr —Ù,½I¤º ç¼ 5Ÿ\ß^E ü%ĹXVT‘Y»¼¾±"óãºôCÑÑFh>`üX°`Šm¸ÀTèÓÞ\¡D? v:ËëÌUØ+± \nÄðòFS{_´õD:à}`6À ©Œ·û<˜.#Ã6c.—bª:¯œ´+‰0þ[‡ÁÝGmê ’‡Ìp?uµÂcå$K·n‘'éldÍ)’(¤¢¨UL‹ü½lÜð^H=ü+›C¸T¬~¢N®8."².ÉØq¶‹2ÊbR‘DŠ t8?ÐÂ÷"å$®†°+‹pWOv”'CS¡³[ê6Õê}=ã ú8k²í"›ŠÒÄî.L r`›f¤¨šM…mâø5ÙÍGÿ%©¯6ãéÍ°©…UDüÏ=b&׃^DbÌ5”ÜÙˆ©+¤FíYR©ÑÁ7/ÙX8áÖ¨x ±*µB\°Z&HÓ}%!ÅNN îÀ\]ù¢¤Û¬%+*ôð¢¤pØp1œ!u#CF:\”͹è‹Ý)ÿ‚miÇŒÇ"ÑnÅœcÿ¨ÕåCÁòmiLR\ ê¹”ê¸`… ’¯†XëEšFË÷wî½¢}=¼ ª±ä…‚h­A%ç­(á‘éb8b—j 47à +¼®bGdeQ‚b,‘6d²í_B N9á,Õ"$®Ò—ol ÒHŠÕc*Ü{l è èþ„Ðém4—¦[yjc§C1ÿÂW•jkIZz(Ñ,2Š(€zUÐ6ƒ¢"¾œ³4a€¹ÓYÜŠw°Ò»6¾ò ? Â-=¡%0¯ÔR_qùµ… j, 9+y¸uTND‘mdV’¾ÇJm:K çj.,ÜÍ~õ5-ôã9ͧÑB‡‹òB‡Un±ûŠ®Wº¾ña0—&c‰Sç:-wá8d"­Ùv•K±½ˆ’‘=T‚Àμܒu¡C ·+ØT›±Ð´<ÇbZn$à&žZI0Ëa-øîí7Ì@%•dAEÂþ.Š*0Âç9Ë9†3Y§wè@F·Žƒ˜öUnÈãÆ£½°GÜ纚€yè*³ƒRkxCMî¨ì„AÃË6­Ît+8ç:”d’£DîéÐUvŽ«ÑmI4£²¤ö•4Sê Ï–2Ú¥”$¿ti9x·ÝjÖàãn{Ŧi2¬TX‹å[à®"•;æÊ,‚L=rJdBõ+!U+lÁ©ÑQ:J®É¡åÆôÜ|ððeÐt1j¬wZ ¦,+AÙ“v»JŠ&p-œ¦c©¿iIõ^éÉÅA+)¬\âÕäH{—Ï W™#rE‡ð©sÝÛ™§jP竞̲ÂÀ³d€+.-Qc;oYšï¼!GŠãÛ´k²(*œ§X.$׋«€YrF³FÒµÐræV8©ÜTÞ5R…<ÍI­zhÐKuìÍ)ÚQyTTø›ê?‰–b¨L¥è%M'®u¾Únw|Ùî´kŠ´È‘¯+[X“ ˯™ÍcÈ5à$ ¡z³,BÕsŸ©'I`®¸ÀÕÎNÛµ¿Ì|u8)t–¤JiÍûø ª¢ÙÒ ØAX¿ÊñK¼+·ÎÂtPþ4Ó¼kŸ¯oZ,*ÅL‹t1Ì[sÀTè:gO±´†Ì^)ÌÌ’Äp–£FÛæ,ý‹”“ (/Ý—+ ÿ—Äd:-åÅwF-t¸5ç Ü g§‰‘V-–o [S|ÉH"TC´ óB Þ_ó”ß“Ò¥‰K0ÑAèÀLJšÐ‰jì~* )´g< T%µÕÅ.Ïp4ÐÑ°Tz+’úúa1Ì̘sFëQ÷•9ˆÐ3)““Zy$¸¼pþˆnÇe-ÿ•óîëz:PkZ.í—*i:äc‹špû[‘D¹1 F.·…´± ÓÚàpôÄ ÜkdÄkX¡—(Ir埭¹ûñ†›' ¶´âíýs›&-6ãà÷¸Une{g»½³½ÓÖ?7Lš«¹EfA¬˜)r£_µ¬ÂuX˜oÆoXs|#Àcó?ÐÖÎGÅÛôVv·;q¥c‰žL4…$ÀpUaý*K7ÃTV3a~ˆ‘5Í”¶ 5Ñ Ö‡Ïƒ¡3F±LÏ ’‡’Ó+›’å:¤<œô^8K¨t»$EÌÄÂ5IËkî´èu´.PGu:¿®.©[éj©_êÕú%Bj_¤Vˆ6 í7"”Ï°5¨NaI 3¸žy6iV¸D¸wÏË÷[MÁ$ m˜-Ó“à`¸Bº<°îËóç¾Ô°O%3€ÜÊ)*ç­”¹¾¾›”g-šAtEEZ?–7õûSÙÓêf•ö§H³”ΣñnáN:woóöäÁÍÊŽìpé,Z"„­éPÚ“«N"Éa½ƒ—§ˆ_;:>ïí» ¿ .X-W¨1T:ÛËÊRèuçHa;rå¨Ù 7¼Ù…m%¦«m¡!9LÐbW`¡ÜÎ ™Î­fIå(È0ÙC¶Be#´«ÒˆÚª‡Qc!FÕŠˆ+7ó`k+®;'>Hšé‘ßLP²xÕY[³," î¬ÑŸWÓ+§Q¸ÃÓÔh!_…]sd™µßÌì¥QhÁd¶À¡êúŸ×T”A½ih#Dâ ¢O´©¬åI÷üy…ÍOÞe¤Úrfü;Ro´Î»úM“Ùà ciÍ8&s5s£A®;ÜÜÄÛl2ƒ¹>V™³…l‘šXÈæÞk% p„te2ÀçI&Ù_«W5ÀÎÉ$ßÍ<n{˜µÐ’èò:âÌñ+!Õ`+îzÑ?¬4Ì‚“ÝÔ•³Ä(¼HäòÒNˆíòm ë‰óm=×k:ÝÒBÛÙ(X´†ÍÀ:u ¤ÞŒr5^ãàÐ þ®~×P¯u<·BÊ>†zU >eRö Ô«r½Ë¤¬D½üšý³HVÕ &„jw|V/ÃÀ0‚f¹ÝŠë!à&¹F…7KÈ¿3˜{K΀SèÈa“ë$˜iEþ0V ¥Â /‡ÛùˤҾá…jVˆA Û"´ç²*\Xãe— „ó•·H<„Î;ˆ~†,8òïç!«VÅ_ÞÀ·þ¶y:Œ'^N²÷ËrtØËÕ†x\‰c)ŠÅX¨ýðÂ]6¥Ä*Q8‡|,HZ«’Ä£dò¶<ׂï(®× ésŽàTÓrÎlKž}—¸.”H‰É`.Ìjcs£¹L›œë5èTÅ ‰Â?ß©wyí†9C:I$ƒ°2NØ`¾ä&ÜŽÍÓ\Oæ‘Ê£´ÞÆu^̱/?îƒ|þŒ* Z¿V>gŒö_Ž»_.D ;ç63ŠùáÒþ#+¯Z`‡Ã½gˆ#8óÕÈ91—Ì—LÈÆ´Zø¨\˜Ô¼^Úã«Ó牔ȱm'ÀS.@µÊuËUŜǵ۴¨-‰ÀÞÚ•í™2,ŸÄ?ÈÂJÆCЃ×z`ÃgÿÄŒ©!pŸÔ¦•þa„¬1\I÷³ÕÝeÓ(-"Þ§v„)%µk~ݬĶ.›{5å ¦WG7H¹ªHW†óª‹j,zs—5ìjh ¿Îw\Y0çÒÌÔ ìßÄ›¨XŒè`á¾`Ûj·ŽÅgLÌ Q #ŸNhÑMq5Ç£– vÙÂ.¦îG®ª§…9%E|Áœãl} Õs™–@öÞ“M„ˆ†¹–ZZóLÊÓ9ÂNà)9 ÞLçƒÀË°Œ" ™þGQ¥¥Võýø´÷¬ûòðüç(º§AvÑ=qöÇ1ùïÌ0IçÑ=î¿l‚/nÎóM=Ñ=qÓO+¼®hÜ¢×¢{ê,äv¶¢{êð+7«Þ÷¶k^+üT6mÏó¶|Óî4ËÿÞŽîM’¹™Ç¾œR›}EÃbÞΦ0$»ïéUùVK)#Þs®j¢{ ÌÁD<µTѨ̻Ak•ò¿5òWÿÍ&~þMMÔ‘ŒÚ"«Þ†èžÚú*kMfšŽùg6|–ÆWò»³ßèžÉ7b«à ‘Ê1èJ¦èÝSUȆ­ÊyØ}Åßó8Ç£A¼í}©ÀÔÇ·^GWOM4sf)Û¶ˆ»yؾÁD.õßÌL¬ÄO&Cbˆ¤èoŽo‹ÿµ!½¡Ãô=í¤’‡Ú$¯™?§hD÷XÈâ6'ytOåý—yŠ¦uáÿœ95¨+릗EÌЗq¨•}  ?…óYÉçøD:Är¹;ÇòhCA-ñÝý­­ý-ºL ñÅöÖÖöò5mšâ^÷ã"É,qŸ©Ïò îîã^4)¹µN@ÿw¯€f·í´!¹›.ê.+ìió‹šC|92âè¥A†YLJ1s… 1f8x[S& ‰™ ŸóݸÈß·ãúQ6HÿàBÉu?¹UÊ9p˜ÒCQ¬®d3ô¡R4Ê %¨u½,hfûá—?Ÿpò>‘Ãc{-þ"n‡oµ”,>â?¿Q s»qEÂP´®€X6“ƒ¥}´w‰ö”˜>²ð‡oLð 3Ä;o!7ñÀMŒÑ„ÝòEºŠ«‹u¾HF¡Ò ÛZ 1¥Ë²¡µdó cAô©ºM¼5q+ÃûJ¢’fSmƒ·"pÒ‰£_ÜÚ J WyÉÏß¡1O€ÉÃhO{pT7U(.o—gMn 1Ù£ˆÊü÷$çQ‰GuÓœ¼îñô†/+5¿óe}¦ú²þðÍå—åÿf+ÇÔ•È<šþ÷Ào„ŠFN3‰KJïm9,œÛ› =e‡´/šÒ¶´éKÃ/L?ñ&L·›ªEŠ¡^Ž…ághP9vùà–ãvÄ”‹ëLJ=´æxS ß#¿qGÌIÔê“Ð ùûÏŸï¿xɶøoÜÔ-šR’iòY’.ë®Ìš,C±rx@Dé5}¸¹š3¶Pú©ª Sq>PÉÈQ#Jô6hPéþ#PüÒøBÝHÔhT(¯lèMŦ˜CXjH.{¥¸Jí¬ôP®lïÎd­ØÆ^wž!wÃÀ‰$Ü4â9ÙVN%dÉŸßÄ¡-øÃMù¶LÊ)}@-! Y.t…4Ê›&=Âm7ÍeQvWÄuUg«¿¡`£<¯MëmSãMV&vIýjÂö­xÓ:P1YAKÓ¦ ‹8Î#¿ ßT åÃT5Úî¶ÖõŠ€P×N£¼†$¹UÈšUóaùGã(Gû™}îãG'•ËKV>NM¯¬¬ÙŒ%ÛiÉn*ÂEi,~ÍoŒU–Œ¦©!n•O¢7n]‹¥žØûˆþ&]»¯àKÿԮļ˒©iáJîq¾®ÓÑtée…[ð_Ž{n½ÃÃ&J/?,‘—òøéôiì^~Ú;N.IÆîƵ/j®l‰wÛ] ´8ÕÚÑ1êÉeÑB¡ñ8›%\¬z¢B‚úºT®åX5/òY–i~¡"ZŒ¥e12û:ŠLG¶q‰µÂD˜ðä¬n»vwã5n]SêI`~°«Û Þ‘g¼1Ì Lÿµ@‚놈ӱ ¤+”ùxÒŠŸ€~J‡šS¥¤0-ÉÍ(ÌÐ!ÉÅqtáKéaü+· $!ĺ ²þIÆœAç/¦W³d( §*Ž;ÿ¢HÂ^Z0)HG’ $T^üᥠ‘“ºa2Uhuìô]&ÐäÚ¬ÈûlmÙ,ÛQšÑŸ¿èU¿­ØmâºI"ÃlÖh–”IìB$I…,Dé Œ™tb+„,Õ ™%ñ)€ÌdcÃm—»ŠÃÜ6gaµmpÑ¢RîbT ¢àœÄqÒI‹‚È·‰®5¶S£ÞÙŒ|ª®OÆ“˜«ˆÑŽ¿euÌfEK,º¹¹i‡¶mýûiæ Ì"ó÷üûs5.iìr¦£ ùo&q .‘Ñð~¤Ó†V÷%~n?8¨ÑÝ0F¿E¹¹ ¢†\;ØxúÙ!¦hÕ^, ÂüéÈoÚù%ÌG§ÓQóÿ¬ñàƒ›éóÝØOdïÖìôâäÁd¯б© @®3ßQÀ'sNOOE .íÛ;I¶Šãg,t(4µS°C!ǹf“¼¾ ’WX*9¥§_QД°³Ï]þú梘m²\¶Öžc‹«ôGi•?ë•;—(°šÎ¼¥{ÕP°R]Øš³…³ø+¨a7Dö_¸; Ó8f¿°€mË,IhMšRÖV2­>ã0\i|Ò½‡Ár²5‹Þß<€öVÅ}i¯¶·ÎcÆz—jaAÌwåè,Ö˜É<ªOò‰ªv¤ A‡ãT"ìÃÞ^¦ˆ0éÐQ× ƒQÀɦ)eDnQŠJnj©¤é[ø@ä‹ÌR7h’g“l:Mµtûø6Ò~÷£²•,ÚÞ‹;Û$B|Áÿu4g­—ĸ–`A‘Þ*Zœ›»‹vúW~ì«2âho[Þí|J·cšÂ5½¼dâ벇ª¦¥Æjá×°RA™„`hû þò†3dÞÄõÎVDW}AŒíÛFù$ºE7:1^:k0ºÇ"^`EÀm&‰€•í¬Yhw7½ä¶â”ºjJÊ(‰\‘‘¸#q\j,’7Õ©nÇòœK©J蘜 Œ ;ým÷ÃõPñPx.',B…cDóthÒ¤à|sè€T¢æ"ú£Ý©DÍ…9Ý‚PÉÜI›DPœ%'³· ò}÷‰C÷k6±¨MšÀŸ‰¢?ö‡ûÚ|ó]¼CT†âÍ­¯6·éîìï>ØßÛ#zò—|B‹Ô{?I þ[ïøÙ/¿:¬Ò2þO{xñ+÷q7þÏÖÎÎÖÃßÑ;<ØÞÝþÏÎ΃ÎgüŸßâSJnµ×‡>Hœ…Ô»PêjBY¨!ºböÌï4}€Ôð¼”®0¹R)PF–˜9°S4(ÏdÌjâ:ñ_dâHjÉÞlëõDÆG{÷+NÍno p±³IX#¼¿Ò0]— "‹²Û~/÷æèpœ`6,†ÍÕ;à‰rï¡öey‡‘»Z®‚ÅPD]ÐP¡fKe(M”Næ‘/!>„î›Ê^®Ó«ó¤ãÖ4~è0ô•”Ö ‰4ô®l%ro8:h¿HÊÄ‚Zt;¬#÷žC´õ X•/n(±»²:¾ˆüRíÖã UÞšå¡…TfÚÅÔðclEú^ªFÈZ#%™ˆþ£1>+‚ç\p½3h™¼e‰Z–)¦8”ÎÐ`Ô‡ù7GÀuœ%'Ñ,ÂÒJ¼Ë³øÅ"¢yÞxeÐ*>BpeP`twP`üÊÐ(Ã$‚¦)tKËq(ý£³Þé9Oá¬wØ;8g‹5­è•sÞ”ÍØ…0 žè”ÂB†’iÌâp%–»U©¹‡—Aû4éT,^Z ¹éåôAR¸¤?š2ÒŽuíMáùâívá‚tÅ]2t†\ÎH-ç\ ™è‘;ÆtY:Ë.—ƒ”Jha[„HgŒm‚ÜH°C îcËà!­Ÿk£¢ôyÀ„c_è[`e‹È°¹Xйì:•/©nË@jF6²e1îëÙed%Ü8?1aHJŽíCìxžÿ#²Q ‘"’ g$ílÒÿoïÒ_÷·ìo=¬HGÿj6úÿÙÏ ùïjzõëöñù¯³û`ø¶ö¶v!ø‘ü··³ûYþû->D`X– XݺfIúS¦Ï< ì–Q>$0‘$€ð?à1MØ.¥ .ã•…%&¶éÑ¢;#%eRZsâÀÝK.`ž\^ bH‘$:²>Ú.ƒf $•ÁKG‰–U !(P ž}€~,ü°UJÿ¿ã©T‘«Ðo LóÑêßÛefC¯Ìm¶7;Í­NÜÙÝßÚÚïüæ6+è?Ýq:j¿b ÿ[¤íWðw·;ŸõÿßäSÒÿ})9¥þ‡É: ô'ꮆìKbÄ­v|Æ4$R³£EqƽËGD)R± A¸æ‰AQj)yMèta^ÂòM•³ùÑF³õêþßÿYqÿÅZò+öñAùoÉþ·»Óù,ÿý&Ū€rä‰ZpaaÕœ#t4ÏÆꎢ…_-„dü´ÛWÍüŒäŒÖ´ñN{XpÀAÎ|‰&`üMdF»Ñ ŒB³QµzE$~€ì¦66e½Ô‹‡Ôñm$ÂYÆkqVlÞöM´ËpÞA\´ª©ó¡³˜êÀ‘4oj‘ k³?ÏÅÃAä2ñÏÃb+8áWð¢iÛü»ÐâÀ,Žÿ°O„.ˆ %\ÜvôDr|oa2ù‹ë»Æ/r§vùkÚ“”kˆD‚s锃%“ä„åPˆwe&!ÌItÛŸíŸ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?Ÿ?ÿúü¿ò_qapf-9.7-1/files/extras/dshield/cron.ds0000644000000000000000000000006611043474217016315 0ustar rootroot#!/bin/bash /usr/local/sbin/dshield >> /dev/null 2>&1 apf-9.7-1/files/extras/dshield/README0000644000000000000000000000076507723311576015722 0ustar rootrootRunning the provided install script will setup the dshield client to parse APF iptable logs daily and submit a summary report to dshield.org for inclusion into global attack trends. This feature is directly related to the dsheild drop list as such list is possible by providing the dshield.org site with live world firewall event logs. Simply execute the install script and a preconfigured setup of dshield's python client will be installed; as well, a cronjob will be placed in: /etc/cron.daily/ds apf-9.7-1/files/extras/dshield/install0000744000000000000000000000130411043474217016412 0ustar rootroot#!/bin/bash if [ -d "/usr/local/dshield" ]; then echo "dshield client already installed, aborting." exit 1 fi if [ -f "dshield-3.2.tar.gz" ]; then tar xfz dshield-3.2.tar.gz mv dshield /usr/local ln -s /usr/local/dshield/dshield /usr/local/sbin ln -s /usr/local/dshield/dshieldpy.conf /etc/dshieldpy.conf cp cron.ds /etc/cron.daily/ds chmod 755 /etc/cron.daily/ds fi echo "Installation completed." echo "Binary: /usr/local/sbin/dshield" echo "Config: /usr/local/dshield/dshieldpy.conf" echo "Cronjob: /etc/cron.daily/ds" echo "" echo "Warning: Running the binary from command line will send reports to dshield.org;" echo "repeated execution may result in your IP being banned from the service." apf-9.7-1/files/extras/get_ports0000750000000000000000000000323611157714513015343 0ustar rootroot#!/bin/bash # # APF 9.7 [apf@r-fx.org] ### # Copyright (C) 1999-2007, R-fx Networks # Copyright (C) 2007, Ryan MacDonald # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ### # tcp_ports="" udp_ports="" for ptcp in `netstat -napl | grep LISTEN | grep -v 127.0.0.1 | grep tcp | awk '{print$4}' | grep : | tr ':' ' ' | awk '{print$2}' | sort -n`; do if [ "$tcp_ports" == "" ]; then tcp_ports="$ptcp" else val=`echo $tcp_ports | grep -w $ptcp` if [ "$val" == "" ]; then tcp_ports="$tcp_ports,$ptcp" fi fi done for pudp in `netstat -napl | grep -v 127.0.0.1 | grep udp | awk '{print$4}' | grep : | tr ':' ' ' | awk '{print$2}' | sort -n`; do if [ "$udp_ports" == "" ]; then udp_ports="$pudp" else val=`echo $udp_ports | grep -w $pudp` if [ "$val" == "" ]; then udp_ports="$udp_ports,$pudp" fi fi done echo " Listening TCP ports: $tcp_ports" echo " Listening UDP ports: $udp_ports" apf-9.7-1/files/extras/importconf0000750000000000000000000000271211157714561015516 0ustar rootroot#!/bin/bash # # APF 9.7 [apf@r-fx.org] ### # Copyright (C) 1999-2007, R-fx Networks # Copyright (C) 2007, Ryan MacDonald # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ### # INSTALL_PATH="/etc/apf" DEF=".ca.def" DOUT=".conf.apf" if [ -d "/etc/apf.bk.last" ]; then # get all the vars from current release . /etc/apf/conf.apf # replace with any vars old release had . /etc/apf.bk.last/conf.apf # generate new conf . $DEF cp -f $INSTALL_PATH/conf.apf $INSTALL_PATH/conf.apf.orig cp -f $DOUT $INSTALL_PATH/conf.apf cp -f /etc/apf.bk.last/*_hosts.rules /etc/apf/ cp -f /etc/apf.bk.last/vnet/*.rules /etc/apf/vnet/ OV=`cat /etc/apf.bk.last/VERSION | awk '{print$2}'` NV=`cat /etc/apf/VERSION | awk '{print$2}'` echo " Imported options from $OV to $NV." fi apf-9.7-1/files/postroute.rules0000640000000000000000000000025411040122707015204 0ustar rootrooteout "{glob} loading postroute.rules" # load TOS postrouting function # do not remove or TOS vars will not function tospostroute # place your custom routing rules below apf-9.7-1/files/deny_hosts.rules0000640000000000000000000000164110201555501015320 0ustar rootroot## # deny_hosts # # Trust based rule file to define addresses that are implicitly denied. # # Format of this file is line-seperated addresses, IP masking is supported. # Example: # 192.168.2.1 # 192.168.5.0/24 # # advanced usage # # The trust rules can be made in advanced format with 4 options # (proto:flow:port:ip); # 1) protocol: [packet protocol tcp/udp] # 2) flow in/out: [packet direction, inbound or outbound] # 3) s/d=port: [packet source or destination port] # 4) s/d=ip(/xx) [packet source or destination address, masking supported] # # Syntax: # proto:flow:[s/d]=port:[s/d]=ip(/mask) # s - source , d - destination , flow - packet flow in/out # # Examples: # inbound to destination port 22 from 192.168.2.1 # tcp:in:d=22:s=192.168.2.1 # # outbound to destination port 23 to destination host 192.168.2.1 # out:d=23:d=192.168.2.1 # # inbound to destination port 3306 from 192.168.5.0/24 # d=3306:s=192.168.5.0/24 # ## apf-9.7-1/files/log.rules0000640000000000000000000000075710627407666013755 0ustar rootrooteout "{glob} loading log.rules" if [ "$LOG_DROP" == "1" ]; then if [ "$LOG_IA" == "1" ]; then $IPT -N TELNET_LOG $IPT -A TELNET_LOG -p tcp -s 0/0 -d 0/0 --dport 23 -m state --state NEW -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** TELNET ** " $IPT -N SSH_LOG $IPT -A SSH_LOG -p tcp -s 0/0 -d 0/0 --dport $HELPER_SSH_PORT -m state --state NEW -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** SSH ** " $IPT -A INPUT -j TELNET_LOG $IPT -A INPUT -j SSH_LOG fi fi apf-9.7-1/files/VERSION0000640000000000000000000000001711157714300013136 0ustar rootrootversion: 9.7-1 apf-9.7-1/files/glob_deny.rules0000640000000000000000000000166710203510771015115 0ustar rootroot## # glob_deny_hosts # # Trust based rule file to define addresses that are implicitly denied. # # Format of this file is line-seperated addresses, IP masking is supported. # Example: # 192.168.2.1 # 192.168.5.0/24 # # advanced usage # # The trust rules can be made in advanced format with 4 options # (proto:flow:port:ip); # 1) protocol: [packet protocol tcp/udp] # 2) flow in/out: [packet direction, inbound or outbound] # 3) s/d=port: [packet source or destination port] # 4) s/d=ip(/xx) [packet source or destination address, masking supported] # # Syntax: # proto:flow:[s/d]=port:[s/d]=ip(/mask) # s - source , d - destination , flow - packet flow in/out # # Examples: # inbound to destination port 22 from 192.168.2.1 # tcp:in:d=22:s=192.168.2.1 # # outbound to destination port 23 to destination host 192.168.2.1 # out:d=23:d=192.168.2.1 # # inbound to destination port 3306 from 192.168.5.0/24 # d=3306:s=192.168.5.0/24 # ## charger.xssl.net apf-9.7-1/files/main.rules0000640000000000000000000000024410247644106014075 0ustar rootrooteout "{glob} loading main.rules" # Policy configurable ports -- per policy file basis # # # conf.apf configurable common ports . /etc/apf/internals/cports.common apf-9.7-1/files/sdrop_hosts.rules0000640000000000000000000000000010627223211015476 0ustar rootrootapf-9.7-1/files/glob_allow.rules0000640000000000000000000000171310201555516015270 0ustar rootroot## # glob_allow_hosts # # Trust based rule file to define addresses that are granted all or specific # access through the firewall. # # Format of this file is line-seperated addresses, IP masking is supported. # Example: # 192.168.2.1 # 192.168.5.0/24 # # advanced usage # # The trust rules can be made in advanced format with 4 options # (proto:flow:port:ip); # 1) protocol: [packet protocol tcp/udp] # 2) flow in/out: [packet direction, inbound or outbound] # 3) s/d=port: [packet source or destination port] # 4) s/d=ip(/xx) [packet source or destination address, masking supported] # # Syntax: # proto:flow:[s/d]=port:[s/d]=ip(/mask) # s - source , d - destination , flow - packet flow in/out # # Examples: # inbound to destination port 22 from 192.168.2.1 # tcp:in:d=22:s=192.168.2.1 # # outbound to destination port 23 to destination host 192.168.2.1 # out:d=23:d=192.168.2.1 # # inbound to destination port 3306 from 192.168.5.0/24 # d=3306:s=192.168.5.0/24 # ## apf-9.7-1/files/sysctl.rules0000640000000000000000000000605110630621520014463 0ustar rootrooteout "{glob} loading sysctl.rules" # START SYSCTL config if [ "$SYSCTL_CONNTRACK" == "" ]; then SYSCTL_CONNTRACK = 28000 fi echo $SYSCTL_CONNTRACK > /proc/sys/net/ipv4/ip_conntrack_max echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts if [ "$SYSCTL_LOGMARTIANS" == "1" ]; then eout "{glob} setting sysctl_logmartians enabled" echo 1 > /proc/sys/net/ipv4/conf/$IFACE_IN/log_martians echo 1 > /proc/sys/net/ipv4/conf/$IFACE_OUT/log_martians else eout "{glob} setting sysctl_logmartians disabled" echo 0 > /proc/sys/net/ipv4/conf/$IFACE_IN/log_martians echo 0 > /proc/sys/net/ipv4/conf/$IFACE_OUT/log_martians fi if [ "$SYSCTL_ECN" == "1" ]; then eout "{glob} setting sysctl_ecn enabled" echo 1 > /proc/sys/net/ipv4/tcp_ecn else eout "{glob} setting sysctl_ecn disabled" echo 0 > /proc/sys/net/ipv4/tcp_ecn fi if [ "$SYSCTL_SYNCOOKIES" == "1" ]; then eout "{glob} setting sysctl_syncookies enabled" echo 1 > /proc/sys/net/ipv4/tcp_syncookies else eout "{glob} setting sysctl_syncookies disabled" echo 0 > /proc/sys/net/ipv4/tcp_syncookies fi if [ "$SYSCTL_OVERFLOW" == "1" ]; then eout "{glob} setting sysctl_overflow enabled" echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow else eout "{glob} setting sysctl_overflow disabled" echo 0 > /proc/sys/net/ipv4/tcp_abort_on_overflow fi # TCP Parameters if [ "$SYSCTL_TCP" == "1" ]; then eout "{glob} setting sysctl_tcp enabled" echo 0 > /proc/sys/net/ipv4/tcp_timestamps echo 1 > /proc/sys/net/ipv4/tcp_sack echo 1 > /proc/sys/net/ipv4/tcp_dsack echo 1 > /proc/sys/net/ipv4/tcp_fack echo 0 > /proc/sys/net/ipv4/tcp_window_scaling echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 3 > /proc/sys/net/ipv4/tcp_retries1 else echo 0 > /proc/sys/net/ipv4/tcp_sack echo 0 > /proc/sys/net/ipv4/tcp_dsack echo 0 > /proc/sys/net/ipv4/tcp_fack fi # SYN Parameters if [ "$SYSCTL_SYN" == "1" ]; then eout "{glob} setting sysctl_syn enabled" echo 2 > /proc/sys/net/ipv4/tcp_synack_retries echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog echo 3 > /proc/sys/net/ipv4/tcp_syn_retries fi # Routing Parameters if [ "$SYSCTL_ROUTE" == "1" ]; then eout "{glob} setting sysctl_routing enabled" echo 1 > /proc/sys/net/ipv4/conf/$IFACE_IN/rp_filter echo 1 > /proc/sys/net/ipv4/conf/$IFACE_OUT/rp_filter echo 0 > /proc/sys/net/ipv4/conf/$IFACE_IN/accept_source_route echo 0 > /proc/sys/net/ipv4/conf/$IFACE_OUT/accept_source_route echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay echo 0 > /proc/sys/net/ipv4/ip_forward echo 0 > /proc/sys/net/ipv4/secure_redirects echo 0 > /proc/sys/net/ipv4/send_redirects echo 0 > /proc/sys/net/ipv4/proxy_arp else echo 0 > /proc/sys/net/ipv4/conf/$IFACE_IN/rp_filter echo 0 > /proc/sys/net/ipv4/conf/$IFACE_OUT/rp_filter echo 1 > /proc/sys/net/ipv4/conf/all/bootp_relay echo 1 > /proc/sys/net/ipv4/ip_forward fi echo 1 > /proc/sys/net/ipv4/route/flush # END SYSCTL config apf-9.7-1/files/ds_hosts.rules0000640000000000000000000000000007723050646014772 0ustar rootrootapf-9.7-1/files/firewall0000750000000000000000000002472611157715537013652 0ustar rootroot#!/bin/bash # # APF 9.7 [apf@r-fx.org] ### # Copyright (C) 1999-2007, R-fx Networks # Copyright (C) 2007, Ryan MacDonald # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ### # CNF="/etc/apf/conf.apf" if [ -f "$CNF" ] && [ ! "$CNF" == "" ]; then source $CNF else head echo "\$CNF not found; aborting" exit 1 fi if [ ! -f "$ip" ] && [ ! -f "$ifconfig" ]; then eout "{glob} $ip and $ifconfig not found; aborting" exit 1 fi # load our iptables modules modinit # Delete user made chains. Flush and zero the chains. flush 1 if [ ! "$IF" == "" ]; then for i in `echo $IF`; do VAL_IF=`/sbin/route -n | grep -w $i` if [ "$VAL_IF" == "" ]; then eout "{glob} could not verify that interface $IF is routed to a network, aborting." if [ ! "$SET_VERBOSE" == "1" ]; then echo "could not verify that interface $IF is routed to a network, aborting." fi exit 1 fi done fi if [ ! "$IFACE_TRUSTED" == "" ]; then for i in `echo $IFACE_TRUSTED`; do VAL_IFACE_TRUSTED=`/sbin/route -n | grep -w $i` if [ "$VAL_IFACE_TRUSTED" == "" ]; then eout "{glob} could not verify that interface $IFACE_TRUSTED is routed to a network, aborting." if [ ! "$SET_VERBOSE" == "1" ]; then echo "could not verify that interface $IFACE_TRUSTED is routed to a network, aborting." fi exit 1 fi done fi if [ "$DLIST_PHP" == "1" ] || [ "$DLIST_SPAMHAUS" == "1" ] || [ "$DLIST_DSHIELD" == "1" ] || [ "$DLIST_RESERVED" == "1" ] || [ "$DLIST_ECNSHAME" == "1" ] || [ "$USE_RGT" == "1" ]; then if [ ! -f "$WGET" ]; then echo "DLIST_* or RGT enabled but wget binary not found, aborting" exit 1 fi fi if [ "$RAB" == "0" ]; then RAB_LOG_HIT=0 fi eout "{glob} determined (IFACE_IN) $IFACE_IN has address $NET" eout "{glob} determined (IFACE_OUT) $IFACE_OUT has address $NET" # Allow all traffic on the loopback interface $IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT $IPT -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT # Allow all traffic on trusted interfaces if [ ! "$IFACE_TRUSTED" == "" ]; then for i in `echo $IFACE_TRUSTED | tr ',' ' '`; do VAL_IF=`/sbin/ip addr list | grep -w $i` if [ "$VAL_IF" == "" ]; then eout "{glob} unable to verify status of interface $i; assuming untrusted" else eout "{glob} allow all to/from trusted interface $i" $IPT -A INPUT -i $i -s 0/0 -d 0/0 -j ACCEPT $IPT -A OUTPUT -o $i -s 0/0 -d 0/0 -j ACCEPT fi done fi # Create TCP RESET & UDP PROHIBIT chains $IPT -N RESET $IPT -A RESET -p tcp -j REJECT --reject-with tcp-reset $IPT -N PROHIBIT $IPT -A PROHIBIT -j REJECT --reject-with icmp-host-prohibited # Load our SYSCTL rules . $INSTALL_PATH/sysctl.rules >> /dev/null 2>&1 # Fix MTU/MSS Problems $IPT -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # Load our PREROUTE rules . $PRERT # Block common nonroutable IP networks if [ "$BLK_MCATNET" = "1" ]; then dnet $MCATNET fi if [ "$BLK_PRVNET" = "1" ]; then dnet $PRVNET fi if [ "$BLK_RESNET" = "1" ]; then if [ "$DLIST_RESERVED" == "1" ]; then dlist_resnet fi dnet $RESNET fi # Create (glob)trust system chains $IPT -N TALLOW $IPT -N TDENY $IPT -N TGALLOW $IPT -N TGDENY $IPT -N TMP_DROP $IPT -A INPUT -j TMP_DROP $IPT -A OUTPUT -j TMP_DROP $IPT -A INPUT -j TALLOW $IPT -A OUTPUT -j TALLOW $IPT -A INPUT -j TDENY $IPT -A OUTPUT -j TDENY $IPT -A INPUT -j TGALLOW $IPT -A OUTPUT -j TGALLOW $IPT -A INPUT -j TGDENY $IPT -A OUTPUT -j TGDENY # Set refresh cron cron_refresh # Load our Allow Hosts rules glob_allow_download glob_allow_hosts allow_hosts # RAB default drop for events check_rab if [ "$RAB" == "1" ]; then eout "{rab} set active RAB" if [ "$RAB_HITCOUNT" == "0" ]; then RAB_HITCOUNT="1" fi if [ "$RAB_TRIP" == "0" ]; then RAB_TRIP_FLAGS="--rcheck" else RAB_TRIP_FLAGS="--update" fi if [ "$LOG_DROP" == "1" ] || [ "$RAB_LOG_TRIP" == "1" ]; then $IPT -A INPUT -p all -m recent --rcheck --hitcount $RAB_HITCOUNT --seconds $RAB_TIMER -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABTRIP ** " fi $IPT -A INPUT -p all -m recent $RAB_TRIP_FLAGS --hitcount $RAB_HITCOUNT --seconds $RAB_TIMER -j $ALL_STOP # RAB portscan rules if [ ! "$RAB_PSCAN_LEVEL" == "0" ] || [ ! "$RAB_PSCAN_LEVEL" == "" ]; then eout "{rab} set active RAB_PSCAN" case "$RAB_PSCAN_LEVEL" in 1) RAB_PSCAN_PORTS="$RAB_PSCAN_LEVEL_1" ;; 2) RAB_PSCAN_PORTS="$RAB_PSCAN_LEVEL_2" ;; 3) RAB_PSCAN_PORTS="$RAB_PSCAN_LEVEL_3" esac eout "{rab} RAB_PSCAN monitored ports $RAB_PSCAN_PORTS" $IPT -N RABPSCAN for i in `echo $RAB_PSCAN_PORTS | tr ',' ' '`; do if [ "$LOG_DROP" == "1" ] || [ "$RAB_LOG_HIT" == "1" ]; then $IPT -A RABPSCAN -p tcp --dport $i -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " $IPT -A RABPSCAN -p udp --dport $i -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** " fi $IPT -A RABPSCAN -p tcp --dport $i -m recent --set -j $TCP_STOP $IPT -A RABPSCAN -p udp --dport $i -m recent --set -j $UDP_STOP done $IPT -A INPUT -j RABPSCAN fi fi # Load our Blocked Traffic rules trim $DENY_HOSTS $SET_TRIM trim $GDENY_HOSTS $SET_TRIM . $INSTALL_PATH/bt.rules # Load our LOG rules . $INSTALL_PATH/log.rules # Virtual Adapters . $INSTALL_PATH/vnet/main.vnet # Clear any cport values cl_cports . $CNF # Load our main TCP/UDP rules if [ "$SET_VNET" == "1" ]; then VNET="$NET" else VNET="0/0" fi . $INSTALL_PATH/main.rules # Drop NEW tcp connections after this point $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j $ALL_STOP $IPT -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT # DNS if [ -f "/etc/resolv.conf" ] && [ "$RESV_DNS" == "1" ]; then LDNS=`cat /etc/resolv.conf | grep -v "#" | grep -w nameserver | awk '{print$2}' | grep -v 127.0.0.1` if [ ! "$LDNS" == "" ]; then for i in `echo $LDNS`; do eout "{glob} resolv dns discovery for $i" $IPT -A INPUT -p udp -s $i --sport 53 --dport 1023:65535 -j ACCEPT $IPT -A INPUT -p tcp -s $i --sport 53 --dport 1023:65535 -j ACCEPT $IPT -A OUTPUT -p udp -d $i --dport 53 --sport 1023:65535 -j ACCEPT $IPT -A OUTPUT -p tcp -d $i --dport 53 --sport 1023:65535 -j ACCEPT if [ "$RESV_DNS_DROP" == "1" ]; then $IPT -A INPUT -p tcp -s 0/0 --sport 53 --dport 1023:65535 -j $ALL_STOP $IPT -A INPUT -p udp -s 0/0 --sport 53 --dport 1023:65535 -j $ALL_STOP $IPT -A OUTPUT -p udp -d $i --dport 53 --sport 1023:65535 -j ACCEPT $IPT -A OUTPUT -p tcp -d $i --dport 53 --sport 1023:65535 -j ACCEPT fi done fi else $IPT -A INPUT -p udp --sport 53 --dport 1023:65535 -j ACCEPT $IPT -A INPUT -p tcp --sport 53 --dport 1023:65535 -j ACCEPT $IPT -A OUTPUT -p udp --dport 53 --sport 1023:65535 -j ACCEPT $IPT -A OUTPUT -p tcp --dport 53 --sport 1023:65535 -j ACCEPT fi # FTP if [ "$HELPER_FTP" == "1" ]; then $IPT -A INPUT -p tcp --sport 1023:65535 --dport $HELPER_FTP_PORT -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT -A INPUT -p tcp -m multiport --dport $HELPER_FTP_PORT,$HELPER_FTP_DATA -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A INPUT -p udp -m multiport --dport $HELPER_FTP_PORT,$HELPER_FTP_DATA -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -p tcp --dport 1023:65535 --sport $HELPER_FTP_PORT -m state --state RELATED,ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp -m multiport --dport $HELPER_FTP_PORT,$HELPER_FTP_DATA -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -p udp -m multiport --dport $HELPER_FTP_PORT,$HELPER_FTP_DATA -m state --state ESTABLISHED,RELATED -j ACCEPT fi # SSH if [ "$HELPER_SSH" == "1" ]; then $IPT -A INPUT -p tcp --sport $HELPER_SSH_PORT --dport 513:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A INPUT -p tcp --sport 1024:65535 --dport $HELPER_SSH_PORT --syn -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A INPUT -p udp --dport $HELPER_SSH_PORT -m state --state ESTABLISHED -j ACCEPT fi # Traceroute if [ "$TCR_PASS" == "1" ]; then $IPT -A INPUT -p udp -m state --state NEW --dport $TCR_PORTS -j ACCEPT $IPT -A OUTPUT -p udp -m state --state NEW --dport $TCR_PORTS -j ACCEPT fi if [ "$LOG_DROP" == "1" ]; then # Default TCP/UDP INPUT log chain $IPT -A INPUT -p tcp -m limit --limit $LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** IN_TCP DROP ** " $IPT -A INPUT -p udp -m limit --limit $LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** IN_UDP DROP ** " fi if [ "$LOG_DROP" == "1" ] && [ "$EGF" == "1" ]; then # Default TCP/UDP OUTPUT log chain $IPT -A OUTPUT -p tcp -m limit --limit $LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** OUT_TCP DROP ** " $IPT -A OUTPUT -p udp -m limit --limit $LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix "** OUT_UDP DROP ** " fi # ECNSHAME if [ "$SYSCTL_ECN" == "1" ]; then dlist_ecnshame dlist_ecnshame_hosts fi # Load our POSTROUTE rules . $POSTRT # Default Output Policies if [ ! "$EGF" == "1" ] || [ "$EGF" == "" ]; then $IPT -A OUTPUT -j ACCEPT eout "{glob} default (egress) output accept" elif [ "$EGF" == "1" ]; then $IPT -A OUTPUT -p tcp -j $TCP_STOP $IPT -A OUTPUT -p udp -j $UDP_STOP $IPT -A OUTPUT -p all -j $ALL_STOP eout "{glob} default (egress) output drop" fi # Default Input Policies eout "{glob} default (ingress) input drop" $IPT -A INPUT -p tcp -j $TCP_STOP $IPT -A INPUT -p udp -j $UDP_STOP $IPT -A INPUT -p all -j $ALL_STOP apf-9.7-1/files/allow_hosts.rules0000640000000000000000000000170610201555341015503 0ustar rootroot## # allow_hosts # # Trust based rule file to define addresses that are granted all or specific # access through the firewall. # # Format of this file is line-seperated addresses, IP masking is supported. # Example: # 192.168.2.1 # 192.168.5.0/24 # # advanced usage # # The trust rules can be made in advanced format with 4 options # (proto:flow:port:ip); # 1) protocol: [packet protocol tcp/udp] # 2) flow in/out: [packet direction, inbound or outbound] # 3) s/d=port: [packet source or destination port] # 4) s/d=ip(/xx) [packet source or destination address, masking supported] # # Syntax: # proto:flow:[s/d]=port:[s/d]=ip(/mask) # s - source , d - destination , flow - packet flow in/out # # Examples: # inbound to destination port 22 from 192.168.2.1 # tcp:in:d=22:s=192.168.2.1 # # outbound to destination port 23 to destination host 192.168.2.1 # out:d=23:d=192.168.2.1 # # inbound to destination port 3306 from 192.168.5.0/24 # d=3306:s=192.168.5.0/24 # ## apf-9.7-1/files/vnet/0000750000000000000000000000000011157714561013054 5ustar rootrootapf-9.7-1/files/vnet/main.vnet0000640000000000000000000000263411157714561014704 0ustar rootroot# # APF 9.7 [apf@r-fx.org] ### # Copyright (C) 1999-2007, R-fx Networks # Copyright (C) 2007, Ryan MacDonald # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ### # INSTALL_PATH="/etc/apf" if [ "$SET_VNET" == "1" ]; then eout "{glob} virtual network enabled, loading vnet rules." for i in `ls $INSTALL_PATH/vnet/ | grep .rules`; do VALIP=`echo $i | sed 's/.rules//'` IFVALIP=`ifconfig | grep -w $VALIP` if [ ! "$IFVALIP" == "" ]; then source $INSTALL_PATH/conf.apf source $INSTALL_PATH/vnet/$i else eout "{glob} $VALIP not bound, skipping $VALIP.rules" fi done else eout "{glob} virtual net subsystem disabled." fi apf-9.7-1/files/vnet/vnetgen.def0000750000000000000000000000121710252157267015205 0ustar rootrootcat > /etc/apf/vnet/$addr.rules < # Copyright (C) 2007, Ryan MacDonald # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ### # CNF="/etc/apf/conf.apf" if [ -f $CNF ]; then source $CNF else echo "$CNF not found, aborting." exit 1 fi if [ "$SET_VNET" == "0" ]; then exit 1 fi if [ ! -f "$INSTALL_PATH/vnet/vnetgen.def" ]; then echo "vnetgen.def not found, aborting." exit 1 fi if [ ! -f "$ip" ] && [ ! -f "$ifconfig" ]; then eout "{glob} $ip and $ifconfig not found; aborting" echo "$ip and $ifconfig not found; aborting" exit 1 elif [ -f "$ip" ]; then for addr in `/sbin/ip addr list | tr '/' ' ' | grep -w inet | grep -w $IF | grep -v 127.0.0.1 | grep -vw $NET | awk '{print$2}'`; do if [ ! -f "$INSTALL_PATH/vnet/$addr.rules" ]; then touch $INSTALL_PATH/vnet/$addr.rules chmod 600 $INSTALL_PATH/vnet/$addr.rules . $INSTALL_PATH/vnet/vnetgen.def fi done elif [ -f "$ifconfig" ]; then for iface in `ifconfig | grep -w $IF | awk '{print$1}'`; do for addr in `ifconfig $iface | grep -w inet | tr ':' ' ' | grep -vw $NET | awk '{print$3}'`; do if [ ! -f "$INSTALL_PATH/vnet/$addr.rules" ]; then touch $INSTALL_PATH/vnet/$addr.rules chmod 600 $INSTALL_PATH/vnet/$addr.rules . $INSTALL_PATH/vnet/vnetgen.def fi done done fi if [ "$SET_ADDIFACE" == "1" ]; then ## associate a vnet rule for ip's on additional interfaces other than the main for anet in `ifconfig | grep Link | grep -vwE "inet|inet6|lo|$IFACE_IN|$IFACE_OUT" | awk '{print$1}'`; do if [ -f "$ip" ]; then valtif=`echo $TIF | grep $anet` if [ "$valtif" == "" ]; then for addr in `/sbin/ip addr list | tr '/' ' ' | grep -w inet | grep -w $anet | grep -v 127.0.0.1 | grep -vw $NET | awk '{print$2}'`; do if [ ! -f "$INSTALL_PATH/vnet/$addr.rules" ]; then touch $INSTALL_PATH/vnet/$addr.rules chmod 600 $INSTALL_PATH/vnet/$addr.rules . $INSTALL_PATH/vnet/vnetgen.def fi done fi elif [ -f "$ifconfig" ]; then for iface in `ifconfig | grep -w $anet | awk '{print$1}'`; do valtif=`echo $TIF | grep $anet` if [ "$valtif" == "" ]; then for addr in `ifconfig $iface | grep -w inet | tr ':' ' ' | grep -vw $NET | awk '{print$3}'`; do if [ ! -f "$INSTALL_PATH/vnet/$addr.rules" ]; then touch $INSTALL_PATH/vnet/$addr.rules chmod 600 $INSTALL_PATH/vnet/$addr.rules . $INSTALL_PATH/vnet/vnetgen.def fi done fi done fi done fi apf-9.7-1/.ca.def0000750000000000000000000005701311157714444012130 0ustar rootrootcat > .conf.apf < # Copyright (C) 2007, Ryan MacDonald # This program may be freely redistributed under the terms of the GNU GPL # # NOTE: This file should be edited with word/line wrapping off, # if your using pico/nano please start it with the -w switch # (e.g: pico -w filename) # NOTE: All options in this file are integer values unless otherwise # indicated. This means value of 0 = disabled and 1 = enabled. ## # [Main] ## # !!! Do not leave set to (1) !!! # When set to enabled; 5 minute cronjob is set to stop the firewall. Set # this off (0) when firewall is determined to be operating as desired. DEVEL_MODE="1" # The installation path of APF; this can be changed but it is not recommended. INSTALL_PATH="$INSTALL_PATH" # Untrusted Network interface(s); all traffic on defined interface will be # subject to all firewall rules. This should be your internet exposed # interfaces. Only one interface is accepted for each value. IFACE_IN="$IFACE_IN" IFACE_OUT="$IFACE_OUT" # Trusted Network interface(s); all traffic on defined interface(s) will by-pass # ALL firewall rules, format is white space or comma separated list. IFACE_TRUSTED="$IFACE_TRUSTED" # This option will allow for all status events to be displayed in real time on # the console as you use the firewall. Typically, APF used to operate silent # with all logging piped to \$LOG_APF. The use of this option will not disable # the standard log file displayed by apf --status but rather compliment it. SET_VERBOSE="$SET_VERBOSE" # The fast load feature makes use of the iptables-save/restore facilities to do # a snapshot save of the current firewall rules on an APF stop then when APF is # instructed to start again it will restore the snapshot. This feature allows # APF to load hundreds of rules back into the firewall without the need to # regenerate every firewall entry. # Note: a) if system uptime is below 5 minutes, the snapshot is expired # b) if snapshot age exceeds 12 hours, the snapshot is expired # c) if conf or a .rule has changed since last load, snapshot is expired # d) if it is your first run of APF since install, snapshot is generated # - an expired snapshot means APF will do a full start rule-by-rule SET_FASTLOAD="$SET_FASTLOAD" # Virtual Network Sub-System (VNET) creates independent policy rule set for # each IP on a system to /etc/apf/vnet/IP.rules. These rule files can be # configured with conf.apf variables for unique but convenient firewall # policies or custom iptables entries for even greater flexibility. SET_VNET="$SET_VNET" # This feature firewalls any additional interfaces on the server as untrusted # through the VNET sub-system. Excluded are interfaces that have already been # defined by IFACE_* variables. This feature is ideal for systems running # private interfaces where not all hosts on the private network are trusted or # are otherwise exposed to "open" networks through this private interface # (i.e: the Internet, network accessible storage LAN, corporate WAN, etc..) SET_ADDIFACE="$SET_ADDIFACE" # This allows the firewall to work around modular kernel issues by assuming # that the system has all required firewall modules compiled directly into # kernel. This mode of operation is not generally recommended but can be used # scale APF to unique situations. SET_MONOKERN="$SET_MONOKERN" # This controls how often, if at all, we want the trust system to refresh rules. # The firewall will flush & reload all static rules, redownload global rules and # re-resolve any dns names in the rules. This is ideal when using dynamic dns # names or downloadable global trust rules. [value in minutes, 0 to disable] SET_REFRESH="$SET_REFRESH" # This is the total amount of rules allowed inside of the deny trust system. # When this limit is reached, the deny rule files will begin to purge older # entries to maintain the set limit. [value is max lines, 0 for unlimited] SET_TRIM="150" # Verifies that the IFACE_* and IFACE_TRUSTED interfaces are actually routed # to something. If configured interfaces are found with no routes setup then # APF will exit with an error to prevent further issues (such as being locked # out of the system). VF_ROUTE="$VF_ROUTE" # Verifies that crond is running when DEVEL_MODE=1; if not then APF will not # try to load as if lock-up occurs no cron service to flush firewall. VF_CROND="$VF_CROND" # Verifies that all inbound traffic is sourced from a defined local gateway MAC # address. All other traffic that does not match this MAC address will be # rejected as untrusted traffic. It is quite easy to forge a MAC address and as # such this feature executes NO default accept policy. Leave this option empty # to disable or enter a 48-bit MAC address to enable. VF_LGATE="$VF_LGATE" ## # [Reactive Address Blocking] ## # The use of RAB is such that it allows the firewall to track an address as it # traverses the firewall rules and subsequently associate that address across # any number of violations. This allows the firewall to react to critical # policy violations by blocking addresses temporarily on the assumed precaution # that we are protecting the host from what the address may do on the pretext # of what the address has already done. The interface that allows RAB to work # resides inside the kernel and makes use of the iptables 'ipt_recent' module, # so there is no external programs causing any additional load. RAB="$RAB" # This enables RAB for sanity violations, which is when an address breaks a # strict conformity standard such as trying to spoof an address or modify # packet flags. It is strongly recommended that this option NOT be disabled. RAB_SANITY="$RAB_SANITY" # This enables RAB for port scan violations, which is when an address attempts # to connect to a port that has been classified as malicious. These types of # ports are those which are not commonly used in today's Internet but are # the subject of scrutiny by attackers, such as ports 1,7,9,11. Each security # level defines the amount of ports that RAB will react against. The port # security groups can be customized in 'internals/rab.ports'. # 0 = disabled | 1 = low security | 2 = medium security | 3 = high security RAB_PSCAN_LEVEL="$RAB_PSCAN_LEVEL" # This controls the amount of violation hits an address must have before it # is blocked. It is a good idea to keep this very low to prevent evasive # measures. The default is 0 or 1, meaning instant block on first violation. RAB_HITCOUNT="$RAB_HITCOUNT" # This is the amount of time (in seconds) that an address gets blocked for if # a violation is triggered, the default is 300s (5 minutes). RAB_TIMER="$RAB_TIMER" # This allows RAB to 'trip' the block timer back to 0 seconds if an address # attempts ANY subsiquent communication while still on the inital block period. RAB_TRIP="$RAB_TRIP" # This controls if the firewall should log all violation hits from an address. # The use of LOG_DROP variable set to 1 will override this to force logging. RAB_LOG_HIT="$RAB_LOG_HIT" # This controls if the firewall should log all subsiqent traffic from an address # that is already blocked for a violation hit, this can generate allot of logs. # The use of LOG_DROP variable set to 1 will override this to force logging. RAB_LOG_TRIP="$RAB_LOG_TRIP" ## # [Packet Filtering/Handling] ## # How to handle TCP packet filtering? # # RESET (sends a tcp-reset; TCP/IP default) # DROP (drop the packet; stealth ?) # REJECT (reject the packet) TCP_STOP="$TCP_STOP" # How to handle UDP packet filtering? # # RESET (sends a icmp-port-unreachable; TCP/IP default) # DROP (drop the packet; stealth ?) # REJECT (reject the packet) # PROHIBIT (send an icmp-host-prohibited) UDP_STOP="$UDP_STOP" # How to handle all other packet filtering? # # DROP (drop the packet) # REJECT (reject the packet) ALL_STOP="$ALL_STOP" # The sanity options control the way packets are scrutinized as they flow # through the firewall. The main PKT_SANITY option is a top level toggle for # all SANITY options and provides general packet flag sanity as a pre-scrub # for the other sanity options. In short, this makes sure that all packets # coming and going conform to strict TCP/IP standards. In doing so we make it # very difficult for attackers to inject raw/custom packets into the server. PKT_SANITY="$PKT_SANITY" # Block any packets that do not conform as VALID, this feature is safe for most # but some may experience protocol issues with broken remote clients. This is # very similar to PKT_SANITY but has a wider scope and as such has the ability # to affect many application protocols in undesirable ways. PKT_SANITY_INV="$PKT_SANITY_INV" # Block any fragmented UDP packets, this is safe as no UDP packets should # ever be fragmented. PKT_SANITY_FUDP="$PKT_SANITY_FUDP" # Block packets with a source or destination of port 0, this is safe as # nothing should ever communicate on port 0 (technically does not exist). PKT_SANITY_PZERO="$PKT_SANITY_PZERO" # Block traffic that has a destination or source of a known bad broadcast # addresses - that under normal circumstances a server has no business # communicating with. PKT_SANITY_STUFFED="$PKT_SANITY_STUFFED" # The implementation of Type of Service (TOS) in APF is such that it allows # you to classify service priorities by port. These priorities are broken down # into 5 groups and they are: # 0 = No Change # 2 = Minimize-Cost # 4 = Minimize Delay - Maximize Reliability # 8 = Maximum Throughput - Minimum Delay # 16 = No Delay - Moderate Throughput - High Reliability # # Set the default TOS value [0,2,4,8,16] TOS_DEF="$TOS_DEF" # Set the default TOS port range TOS_DEF_RANGE="512:65535" # 0: Ports for Normal-Service TOS_0="$TOS_0" # 2: Ports for Minimize-Cost TOS_2="$TOS_2" # 4: Ports for Minimize Delay - Maximize Reliability TOS_4="$TOS_4" # 8: Ports for Maximum Throughput - Minimum Delay TOS_8="$TOS_8" # 16: Ports for No Delay - Moderate Throughput - High Reliability TOS_16="$TOS_16" # Allow traceroute requests on the defined range of ports. This feature # is not required for normal operations and some even prefer it disabled. # Enable Traceroute # Traceroute ports TCR_PASS="$TCR_PASS" TCR_PORTS="33434:33534" # Set a reasonable packet/time ratio for ICMP packets, exceeding this flow # will result in dropped ICMP packets. Supported values are in the form of: # pkt/s (packets/seconds), pkt/m (packets/minutes) # Set value to 0 for unlimited, anything above is enabled. ICMP_LIM="$ICMP_LIM" # Creates firewall rules based on the local name servers as defined in the # /etc/resolv.conf file. This is the preferred secure method for client side # name server requests. This option has no bearing on a locally hosted DNS # service. RESV_DNS="$RESV_DNS" # When RESV_DNS is enabled, all the untrusted name server traffic can fill the # logs with client DNS traffic. This can be suppressed with an implicit drop # of all such traffic (sport 53 inbound) as so to avoid log chains. If you run # applications that have unique name servers configured, this may break them. RESV_DNS_DROP="$RESV_DNS_DROP" # A common set of known Peer-To-Peer (p2p) protocol ports that are often # considered undesirable traffic on public Internet servers. These ports # are also often abused on web hosting servers where clients upload p2p # client agents for the purpose of distributing or downloading pirated media. # Format is comma separated for single ports and an underscore separator for # ranges (4660_4678). BLK_P2P_PORTS="$BLK_P2P_PORTS" # These are common Internet service ports that are understood in the wild # services you would not want logged under normal circumstances. All ports # that are defined here will be implicitly dropped with no logging for # TCP/UDP traffic inbound or outbound. Format is comma separated for single # ports and an underscore separator for ranges (135_139). BLK_PORTS="$BLK_PORTS" # You need multicasting if you intend to participate in the MBONE, a high # bandwidth network on top of the Internet which carries audio and video # broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/, this is generally # safe to enable. BLK_MCATNET="$BLK_MCATNET" # Block all private ipv4 addresses, this is address space reserved for private # networks or otherwise unroutable on the Internet. If this host resides behind # a router with NAT or routing scheme that otherwise uses private addressing, # leave this option OFF. Refer to the 'internals/private.networks' file for # listing of private address space. BLK_PRVNET="$BLK_PRVNET" # Block all ipv4 address space marked reserved for future use (unassigned), # such networks have no business talking on the Internet. However they may at # some point become live address space. The USE_RD option further in this file # allows for dynamic updating of this list on every full restart of APF. Refer # to the 'internals/reserved.networks' file for listing of address space. BLK_RESNET="$BLK_RESNET" # Block all ident (tcp 113) requests in and out of the server IF the port is # not already opened in *_TCP_CPORTS. This uses a REJECT target to make sure # the ident requests terminate quickly. You can see an increase in irc and # other connection performance with this feature. BLK_IDENT="$BLK_IDENT" # This is the maximum number of "sessions" (connection tracking entries) that # can be handled simultaneously by the firewall in kernel memory. Increasing # this value too high will simply waste memory - setting it too low may result # in some or all connections being refused, in particular during denial of # service attacks. SYSCTL_CONNTRACK="$SYSCTL_CONNTRACK" # These are system control (sysctl) option changes to disable TCP features # that can be abused in addition to tweaking other TCP features for increased # performance and reliability. SYSCTL_TCP="$SYSCTL_TCP" # These are system control (sysctl) option changes intended to help mitigate # syn-flood attacks by lowering syn retry, syn backlog & syn time-out values. SYSCTL_SYN="$SYSCTL_SYN" # These are system control (sysctl) option changes to provide protection from # spoofed packets and ip/arp/route redirection. If you are performing advanced # routing policies on this host such as NAT/MASQ you should disable this. SYSCTL_ROUTE="0" # This system control (sysctl) option will log all network traffic that is # from impossible source addresses. This option can discover attacks or issues # on your network you may otherwise not be aware of. SYSCTL_LOGMARTIANS="$SYSCTL_LOGMARTIANS" # This system control (sysctl) option will allow you to control ECN support # (Explicit Congestion Notification). This feature provides an improved method # for congestion avoidance by allowing the network to mark packets for # transmission later, rather than dropping them from the queue. Please also # see related USE_ECNSHAME option further down in this file. SYSCTL_ECN="$SYSCTL_ECN" # This system control (sysctl) option will allow you to make use of SynCookies # support. This feature will send out a 'syn-cookie' when the syn backlog for a # socket becomes overflowed. The cookie is used to interrupt the flow of syn # transmissions with a hashed sequence number that must be correlated with the # sending host. The hash is made up of the sending host address, packet flags # etc..; if the sending host does not validate against the hash then the tcp # hand-shake is terminated. In short, this helps to mitigate syn-flood attacks. # Note: syncookies seriously violates TCP protocol and can result in serious # degradation of some services (i.e. SMTP); visible not by you, but your # clients and relays whom are contacting your system. SYSCTL_SYNCOOKIES="$SYSCTL_SYNCOOKIES" # This system control (sysctl) option allows for the use of Abort_On_Overflow # support. This feature will help mitigate burst floods if a listening service # is too slow to accept new connections. This option is an alternative for # SynCookies and both should NEVER be enabled at once. # Note: This option can harm clients contacting your system. Enable option only # if you are sure that the listening daemon can not be tuned to accept # connections faster. SYSCTL_OVERFLOW="$SYSCTL_OVERFLOW" # The helper chains are designed to assist applications in working with the # stateful firewall in a more reliable fashion. You should keep these settings # current with the ports SSH and FTP are operating on. Please DO NOT CONFUSE # these settings with opening the SSH/FTP port as they have no bearing on # actually connecting to the services. They are only for helping maintain your # connection to the services [ESTABLISHED,RELATED connection states, not NEW]. HELPER_SSH="$HELPER_SSH" HELPER_SSH_PORT="$HELPER_SSH_PORT" HELPER_FTP="$HELPER_FTP" HELPER_FTP_PORT="$HELPER_FTP_PORT" HELPER_FTP_DATA="$HELPER_FTP_DATA" # Configure inbound (ingress) accepted services. This is an optional # feature; services and customized entries may be made directly to an ip's # virtual net file located in the vnet/ directory. Format is comma separated # and underscore separator for ranges. # # Example: # IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000" # IG_UDP_CPORTS="20,21,53,123" # IG_ICMP_TYPES="3,5,11,0,30,8" # Common inbound (ingress) TCP ports IG_TCP_CPORTS="$IG_TCP_CPORTS" # Common inbound (ingress) UDP ports IG_UDP_CPORTS="$IG_UDP_CPORTS" # Common ICMP inbound (ingress) types # 'internals/icmp.types' for type definition; 'all' is wildcard for any IG_ICMP_TYPES="$IG_ICMP_TYPES" # Configure outbound (egress) accepted services. This is an optional # feature; services and customized entries may be made directly to an ip's # virtual net file located in the vnet/ directory. # # Outbound (egress) filtering is not required but makes your firewall setup # complete by providing full inbound and outbound packet filtering. You can # toggle outbound filtering on or off with the EGF variable. Format is comma # separated and underscore separator for ranges. # # Example: # EG_TCP_CPORTS="21,25,80,443,43" # EG_UDP_CPORTS="20,21,53" # EG_ICMP_TYPES="all" # Outbound (egress) filtering EGF="$EGF" # Common outbound (egress) TCP ports EG_TCP_CPORTS="$EG_TCP_CPORTS" # Common outbound (egress) UDP ports EG_UDP_CPORTS="$EG_UDP_CPORTS" # Common ICMP outbound (egress) types # 'internals/icmp.types' for type definition; 'all' is wildcard for any EG_ICMP_TYPES="$EG_ICMP_TYPES" # Configure user-id specific outbound (egress) port access. This is a more # granular feature to limit the scope of outbound packet flows with user-id # conditioning. Format is comma separated and underscore separator for ranges. # This is NOT A FILTERING FEATURE, this is an ACCESS CONTROL feature. That # means EG_TCP_UID and EG_UDP_UID are intended to ALLOW outbound access for # specified users, not DENY. # # Format: EG_[TCP|UDP]_UID="uid:port" # Example: # Allow outbound access to destination port 22 for uid 0 # EG_TCP_UID="0:22" # UID-Match outbound (egress) TCP ports EG_TCP_UID="$EG_TCP_UID" # UID-Match outbound (egress) UDP ports EG_UDP_UID="$EG_UDP_UID" # Configure executable specific outbound (egress) filtering. This is a more # granular feature to limit the scope of outbound packet flows with executable # conditioning. The packet filtering is based on the CMD process field being # passed along to iptables. All logged events for these rules will also include # the executable CMD name in the log chain. This is A FILTERING FEATURE, not an # ACCESS CONTROL feature. That means EG_DROP_CMD is intended to DENY outbound # access for specified programs, not ALLOW. # # Format is comma separated list of executable names you wish to ban from being # able to transmit data out of your server. # CMD-Match outbound (egress) denied applications EG_DROP_CMD="$EG_DROP_CMD" ## # [Remote Rule Imports] ## # Project Honey Pot is the first and only distributed system for identifying # spammers and the spambots they use to scrape addresses from your website. # This aggregate list combines Harvesters, Spammers and SMTP Dictionary attacks # from the PHP IP Data at: http://www.projecthoneypot.org/list_of_ips.php DLIST_PHP="$DLIST_PHP" DLIST_PHP_URL="rfxn.com/downloads/php_list" DLIST_PHP_URL_PROT="http" # The Spamhaus Don't Route Or Peer List (DROP) is an advisory "drop all # traffic" list, consisting of stolen 'zombie' netblocks and netblocks # controlled entirely by professional spammers. For more information please # see http://www.spamhaus.org/drop/. DLIST_SPAMHAUS="$DLIST_SPAMHAUS" DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso" DLIST_SPAMHAUS_URL_PROT="http" # DShield collects data about malicious activity from across the Internet. # This data is cataloged, summarized and can be used to discover trends in # activity, confirm widespread attacks, or assist in preparing better firewall # rules. This is a list of top networks that have exhibited suspicious activity. DLIST_DSHIELD="$DLIST_DSHIELD" DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt" DLIST_DSHIELD_URL_PROT="http" # The reserved networks list is addresses which ARIN has marked as reserved # for future assignement and have no business as valid traffic on the internet. # Such addresses are often used as spoofed (Fake) hosts during attacks, this # will update the reserved networks list in order to prevent new ip assignments # on the internet from getting blocked; this option is only important when # BLK_RESNET is set to enabled. DLIST_RESERVED="$DLIST_RESERVED" DLIST_RESERVED_URL="rfxn.com/downloads/reserved.networks" DLIST_RESERVED_URL_PROT="http" # ECN is an extension which helps reduce congestion. Unfortunately some # clueless software/hardware vendors have setup their sites or implemented # TCP/IP in a very broken manner. If you try to talk to these sites with ECN # turned on, they will drop all packets from you. This feature uses the ECN # hall of shame list to turn off ECN in packets to these hosts so your traffic # is accepted as intended. This option is dependent on setting SYSCTL_ECN="1" # otherwise it stays disabled. DLIST_ECNSHAME="$DLIST_ECNSHAME" DLIST_ECNSHAME_URL="rfxn.com/downloads/ecnshame.lst" DLIST_ECNSHAME_URL_PROT="http" ## # Global Trust ## # This is an implementation of the trust rules (allow/deny_hosts) but # on a global perspective. You can define below remote addresses from # which the glob_allow/deny.rules files should be downloaded from on # a daily basis. The files can be maintained in a static fashion by # leaving USE_RGT=0, ideal for a host serving the files. USE_RGT="$USE_RGT" GA_URL="$GA_URL" # glob_allow.rules url (no *://) GA_URL_PROT="http" # protocol for use with wget GD_URL="$GD_URL" # glob_deny.rules url (no *://) GD_URL_PROT="http" # protocol for use with wget ## # [Logging and control settings] ## # Log all traffic that is filtered by the firewall LOG_DROP="$LOG_DROP" # What log level should we send all log data too? # refer to man syslog.conf for levels LOG_LEVEL="$LOG_LEVEL" # Where should we send all the logging data? # ULOG (Allow ulogd to handle the logging) # LOG (Default; sends logging to kernel log) LOG_TARGET="$LOG_TARGET" # Log interactive access over telnet & ssh; uses # custom log prefix of ** SSH ** & ** TELNET ** LOG_IA="$LOG_IA" # Log all foreign gateway traffic LOG_LGATE="$LOG_LGATE" # Extended logging information; this forces the output of tcp options and # ip options for packets passing through the log chains LOG_EXT="$LOG_EXT" # Max firewall events to log per/minute. Log events exceeding these limits # will be lost (1440 minutes/day * 30 events/minute = 43200 events per/day) LOG_RATE="$LOG_RATE" # Location of the apf status log; all startup, shutdown and runtime status # sends outputs to this file LOG_APF="$LOG_APF" ## # [Import misc. conf] ## # Internal variable file CNFINT="\$INSTALL_PATH/internals/internals.conf" . \$CNFINT EOF apf-9.7-1/importconf0000750000000000000000000000271211157714561013106 0ustar rootroot#!/bin/bash # # APF 9.7 [apf@r-fx.org] ### # Copyright (C) 1999-2007, R-fx Networks # Copyright (C) 2007, Ryan MacDonald # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ### # INSTALL_PATH="/etc/apf" DEF=".ca.def" DOUT=".conf.apf" if [ -d "/etc/apf.bk.last" ]; then # get all the vars from current release . /etc/apf/conf.apf # replace with any vars old release had . /etc/apf.bk.last/conf.apf # generate new conf . $DEF cp -f $INSTALL_PATH/conf.apf $INSTALL_PATH/conf.apf.orig cp -f $DOUT $INSTALL_PATH/conf.apf cp -f /etc/apf.bk.last/*_hosts.rules /etc/apf/ cp -f /etc/apf.bk.last/vnet/*.rules /etc/apf/vnet/ OV=`cat /etc/apf.bk.last/VERSION | awk '{print$2}'` NV=`cat /etc/apf/VERSION | awk '{print$2}'` echo " Imported options from $OV to $NV." fi apf-9.7-1/COPYING.GPL0000640000000000000000000004365507723050646012471 0ustar rootroot GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.