apf on FC5 and configuration for nfs, cups, samba...

Notes about my installation of the apf (aka advanced packet filter) firewall on Fedora Core 5 (version 0.9.6-1 at the time of this writing). The setup is far from perfect. More specifically, some of the open ports (samba, nfs, cups...) should only be opened to the local network (and not to the rest of the world). This is possible using the optional vnet configuration of apf, but since my machine is behind a NAT router that forwards only the needed ports, I didn't dig into that. My goal was simply to install apf in conjunction with bfd (brute force detection) to block most of the ssh brute-force attacks on my machine.
Installation
wget http://www.r-fx.ca/downloads/apf-current.tar.gz
tar zxf apf-current.tar.gz
cd apf-0.9.6-1
sudo ./install.sh
Fedora core 5 hack (might as well be the case for core 4)

apf tries to load some kernel modules that have apparently been renamed. The symptom: an error message when you run /etc/init.d/apf start
Unable to load iptables module (ipt_state), aborting.
and/or
Unable to load iptables module (ipt_multiport), aborting.
The fix: edit the file /etc/apf/internals/functions.apf and change the following 2 lines
ml ipt_state 1
ml ipt_multiport
to this
ml xt_state
ml xt_multiport
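As an added example (my own script, not part of these notes or of apf itself), the same two-line fix as something you can re-run if functions.apf ever gets replaced. The function names are mine, the file excerpt written at the bottom is a constructed stand-in for the real functions.apf, and module_available relies on the standard modinfo command to confirm the kernel actually ships the xt_ names before you patch.

```shell
#!/bin/sh
# Added example, not from the original notes: apply the functions.apf
# module-name fix as a repeatable script instead of editing by hand.
# It only rewrites the two "ml" lines quoted above and leaves the rest alone.

# patch_apf_module_names FILE
# Rewrites "ml ipt_state 1" -> "ml xt_state" and "ml ipt_multiport" -> "ml xt_multiport".
# Keeps FILE.bak. Safe to run twice: already-patched lines no longer match.
patch_apf_module_names() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp "$f" "$f.bak"   # keep a copy to diff against or restore from
    sed -e 's/^ml ipt_state 1$/ml xt_state/' \
        -e 's/^ml ipt_multiport$/ml xt_multiport/' "$f.bak" > "$f"
}

# module_available NAME -> 0 if modinfo finds a module of that name.
# Check before patching on a real host, e.g.:
#   module_available xt_state && module_available xt_multiport \
#       && patch_apf_module_names /etc/apf/internals/functions.apf
module_available() {
    modinfo -n "$1" >/dev/null 2>&1
}

# Constructed excerpt standing in for /etc/apf/internals/functions.apf
# (not the real file; only the two lines from the notes matter here).
demo=$(mktemp)
cat > "$demo" <<'EOF'
ml ip_tables
ml ipt_state 1
ml ipt_multiport
EOF
patch_apf_module_names "$demo"
grep -c '^ml xt_' "$demo"   # prints 2
rm -f "$demo" "$demo.bak"
```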
Configuration

Edit /etc/apf/conf.apf. It is more or less self-documented... While testing, you should set the following value in there (it should be the default value in the original file):
DEVEL_MODE="1"
Don't forget to stop iptables if it is running before you start your tests
/etc/init.d/iptables stop
Here are some more specific details for the services I needed to open.
NFS sharing

This is how I managed to allow the server running apf to export nfs shares to other clients.
Assigning fixed ports to the nfs services

The problem is that, by default, some of the services used by nfs (statd, mountd, lockd) use random ports. Fortunately, modern versions of nfs can be tuned to use fixed ports. Create (or modify) the file /etc/sysconfig/nfs and add the following lines:
STATD_PORT=4000
MOUNTD_PORT=4002
RQUOTAD_PORT=4003
Add the following line to /etc/modprobe.conf (I am not sure this is still needed, given the port settings in the nfs file above):
options lockd nlm_udpport=4001 nlm_tcpport=4001
Add the following 2 lines to /etc/services
rquotad 4003/tcp
rquotad 4003/udp
Restart all nfs services and kernel modules (a quick and dirty way to make sure everything restarts ok is to reboot your machine). Check that everything is in place with rpcinfo -p. The output should look more or less like this:
[root@home ~]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 4000 status
100024 1 tcp 4000 status
100011 1 udp 4003 rquotad
100011 2 udp 4003 rquotad
100011 1 tcp 4003 rquotad
100011 2 tcp 4003 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 udp 4001 nlockmgr
100021 3 udp 4001 nlockmgr
100021 4 udp 4001 nlockmgr
100021 1 tcp 4001 nlockmgr
100021 3 tcp 4001 nlockmgr
100021 4 tcp 4001 nlockmgr
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd
100005 2 udp 4002 mountd
100005 2 tcp 4002 mountd
100005 3 udp 4002 mountd
100005 3 tcp 4002 mountd
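An added example (my own script, not from the original notes): rather than eyeballing the rpcinfo listing, feed it to a small checker that confirms each NFS helper service really ended up on the fixed port chosen above (a service still on a random port means the firewall rules below would silently break it), and that prints the port list in the comma-separated form the IG_*_CPORTS lines of conf.apf expect. The rpcinfo sample embedded in it is constructed from the listing above, the second sample is a constructed failure case, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: verify the NFS helper services
# against "rpcinfo -p" output and derive the port list to open in apf.

# Expected port per RPC service, as set in /etc/sysconfig/nfs,
# /etc/modprobe.conf and /etc/services in the notes above.
EXPECTED_PORTS="portmapper=111 status=4000 nlockmgr=4001 mountd=4002 rquotad=4003 nfs=2049"

# expected_port SERVICE -> prints the pinned port, returns 1 if we don't pin it
expected_port() {
    for pair in $EXPECTED_PORTS; do
        case "$pair" in
            "$1="*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# check_rpc_ports < rpcinfo_output
# Prints one line per service found on the wrong port; returns 1 if any
# mismatch was found, 0 when every pinned service is where we expect it.
check_rpc_ports() {
    rc=0
    while read -r prog vers proto port name; do
        case "$prog" in program|"") continue ;; esac   # header / blank line
        want=$(expected_port "$name") || continue      # service we don't pin
        if [ "$port" != "$want" ]; then
            echo "MISMATCH: $name ($proto v$vers) on port $port, expected $want"
            rc=1
        fi
    done
    return $rc
}

# ports_to_open PROTO < rpcinfo_output
# Sorted, de-duplicated port list for PROTO (tcp|udp), comma separated,
# ready to merge into IG_TCP_CPORTS / IG_UDP_CPORTS.
ports_to_open() {
    awk -v proto="$1" '$3 == proto && $1 ~ /^[0-9]+$/ { print $4 }' \
        | sort -n -u | tr '\n' ',' | sed 's/,$//'
}

# Constructed sample: trimmed copy of the healthy listing above
SAMPLE_RPCINFO='program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 4000 status
100024 1 tcp 4000 status
100011 1 udp 4003 rquotad
100011 1 tcp 4003 rquotad
100003 3 udp 2049 nfs
100003 3 tcp 2049 nfs
100021 1 udp 4001 nlockmgr
100021 1 tcp 4001 nlockmgr
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd'

# Constructed failure case: mountd still on a random port (fixed port not applied)
SAMPLE_RPCINFO_BAD='program vers proto port
100000 2 tcp 111 portmapper
100005 1 tcp 32769 mountd'

# On a real host:  rpcinfo -p | check_rpc_ports && echo "all NFS ports pinned"
printf '%s\n' "$SAMPLE_RPCINFO" | check_rpc_ports && echo "sample: all NFS ports pinned"
printf '%s\n' "$SAMPLE_RPCINFO_BAD" | check_rpc_ports || echo "bad sample: fix /etc/sysconfig/nfs"
echo "tcp ports for IG_TCP_CPORTS: $(printf '%s\n' "$SAMPLE_RPCINFO" | ports_to_open tcp)"
echo "udp ports for IG_UDP_CPORTS: $(printf '%s\n' "$SAMPLE_RPCINFO" | ports_to_open udp)"
```

Run it against the live listing with rpcinfo -p | check_rpc_ports after every reboot; a non-zero exit means one of the helpers fell back to a random port and the 4000_4003 range in conf.apf no longer covers it.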
Configuring the firewall

We now need to configure apf to open ports 111, 2049 and 4000 to 4003 (both tcp and udp). In /etc/apf/conf.apf, modify the CDPORTS configuration value. In the default setup, port 111 (portmapper) is dropped. This should be changed.
# This is the default value when apf is installed
CDPORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
# Port 111 should be allowed
CDPORTS="135_139,513,520,445,1433,1434,1234,1524,3127"
Also in there, we must open the inbound ports for all nfs related services (the following is an extract of my own config file, with some other ports enabled as well, such as ssh, dns, apache...)
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="22, 53, 80, 111, 443, 631, 2049, 4000_4003"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53, 111, 2049, 4000_4003"
Sharing printer(s) with cups (ipp)

That one is trivial: in the ingress section of the config file, open tcp port 631
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="22, 53, 80, 111, 139, 443, 445, 631, 2049, 4000_4003"
Samba sharing

In the ingress section of the configuration file, you need to open the following ports:
- udp: 137 and 138
- tcp: 139 and 445
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="22, 53, 80, 111, 139, 443, 445, 631, 2049, 4000_4003"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53, 111, 137, 138, 2049, 4000_4003"
You also need to exclude those ports from the default common drop ports (CDPORTS) in the out-of-the-box config file.
# Make sure samba ports are not included in this line
CDPORTS="135,136,513,520,1433,1434,1234,1524,3127"
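The NFS, cups and samba sections above all come down to the same two edits in conf.apf: take a port out of CDPORTS and add it to IG_TCP_CPORTS or IG_UDP_CPORTS. As an added example (my own helpers, not from the original notes or from apf), here is a script that does both, including the awkward case where the port sits inside one of apf's a_b ranges (removing 137-139 from 135_139 has to leave 135,136 behind, as in the samba edit above). The function names are mine, the conf.apf excerpt at the bottom is constructed from the defaults quoted in the notes, and the lists come back sorted and without spaces.

```shell
#!/bin/sh
# Added example, not from the original notes: edit the port lists in
# /etc/apf/conf.apf (CDPORTS, IG_TCP_CPORTS, IG_UDP_CPORTS) safely.
# Lists use apf's syntax: comma separated, "a_b" for a range (e.g. 135_139).
# Assumes one KEY="value" line per key, as in conf.apf.

# expand_ports LIST -> one port per line, ranges a_b expanded
expand_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | awk -F_ '
        NF == 2 { for (p = $1 + 0; p <= $2 + 0; p++) print p; next }
        NF == 1 && $1 != "" { print $1 + 0 }'
}

# compress_ports < ports -> sorted comma list; runs of 3+ consecutive
# ports become a_b, shorter runs stay as plain entries (135,136 not 135_136)
compress_ports() {
    sort -n -u | awk '
        function flush() {
            if (start == "") return
            if (last - start >= 2) out = out sep start "_" last
            else if (last != start) out = out sep start "," last
            else out = out sep start
            sep = ","
        }
        NR == 1 { start = $1; last = $1; next }
        $1 == last + 1 { last = $1; next }
        { flush(); start = $1; last = $1 }
        END { flush(); print out }'
}

# ports_without LIST PORT [PORT...] -> LIST with those ports removed
ports_without() {
    list="$1"; shift
    drop=$(printf ' %s ' "$@")
    expand_ports "$list" | while read -r p; do
        case "$drop" in *" $p "*) ;; *) echo "$p" ;; esac
    done | compress_ports
}

# ports_with LIST PORT -> LIST plus PORT (unchanged if already covered)
ports_with() {
    { expand_ports "$1"; echo "$2"; } | compress_ports
}

# get_conf_value FILE KEY -> the value between the quotes
get_conf_value() {
    sed -n "s/^$2=\"\(.*\)\"/\1/p" "$1" | head -n 1
}

# set_conf_value FILE KEY VALUE -> rewrite the KEY="..." line in place (keeps FILE.bak)
set_conf_value() {
    f="$1"; key="$2"; val="$3"
    grep -q "^$key=" "$f" || { echo "$key not found in $f" >&2; return 1; }
    sed -i.bak "s|^$key=.*|$key=\"$val\"|" "$f"
}

# open_service FILE PROTO PORT -> drop PORT from CDPORTS, add it to IG_<PROTO>_CPORTS
open_service() {
    f="$1"; proto=$(echo "$2" | tr 'a-z' 'A-Z'); port="$3"
    set_conf_value "$f" CDPORTS "$(ports_without "$(get_conf_value "$f" CDPORTS)" "$port")"
    set_conf_value "$f" "IG_${proto}_CPORTS" "$(ports_with "$(get_conf_value "$f" "IG_${proto}_CPORTS")" "$port")"
}

# Constructed excerpt of conf.apf using the default CDPORTS quoted above
demo=$(mktemp)
cat > "$demo" <<'EOF'
CDPORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
IG_TCP_CPORTS="22"
IG_UDP_CPORTS="53"
EOF
open_service "$demo" tcp 111   # portmapper (NFS section)
for p in 137 138; do open_service "$demo" udp "$p"; done   # samba
for p in 139 445; do open_service "$demo" tcp "$p"; done   # samba
grep -E '^(CDPORTS|IG_TCP_CPORTS|IG_UDP_CPORTS)=' "$demo"
rm -f "$demo" "$demo.bak"
```

Point open_service at /etc/apf/conf.apf instead of the demo file on a real host; the .bak copy it leaves behind is the previous version, and apf -r (or /etc/init.d/apf restart) is still needed for the change to take effect.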
Post config

Once everything seems ok and you're happy with your firewall operation, you should:
- Disable the DEVEL_MODE in /etc/apf/conf.apf (DEVEL_MODE="0")
- Disable iptables at boot time
chkconfig --level 2345 iptables off
- Enable apf at boot time if not already done: check with
chkconfig --list apf
and if needed
chkconfig --level 345 apf on
If chkconfig complains about an unknown service, issue the following command first
chkconfig --add apf
References

These are (some of) the pages I consulted to set all this up (at least the ones I remembered to list before losing the URL).
http://forum.server4you.net/viewtopic.php?p=684&sid=9a466a4048e00b26adfe3c21662f3745
http://www.lowth.com/LinWiz/nfs_help.html