

Does APF refresh turn off firewall rules during refreshing?




Posted by pmabraham, 09-24-2008, 03:02 PM
Greetings: in /etc/cron.d, refresh.apf -> /etc/apf/internals/cron.refresh

cat /etc/apf/internals/cron.refresh
MAILTO=
SHELL=/bin/bash
*/10 * * * * root /etc/apf/apf --refresh >> /dev/null 2>&1 &

Does the refresh in APF turn off iptables or otherwise interfere with blocked IP addresses? Meaning, if an IP is blocked and the refresh takes place, and the IP is constantly trying to get in, can it get in during a refresh? Thank you.

Posted by FS - Mike, 09-24-2008, 03:51 PM
No, it won't be able to get in during a refresh. The only time an IP would be able to get in would be when APF flushes iptables for a reboot, but it takes less than a second on an average-sized table for all rules to be reinstated. So it might be able to send out an initial ping in that time, but by the time it attempts another request for information, it should be blocked. Hope that helps, Mike

Posted by pmabraham, 09-24-2008, 03:55 PM
Greetings Mike: Thank you for your time and your reply. So aside from a reboot, "service apf stop" or a related killing off of apf, "apf --refresh" by itself does not create any holes or gaps, or otherwise temporarily turn off any pre-existing blocks? Thank you.

Posted by david510, 09-26-2008, 02:26 PM
No, it will not make any holes as you fear.

Posted by pmabraham, 09-26-2008, 03:34 PM
Greetings: This is good to read, but on one APF installation, a client shared the following from a test they did:

###
I started a continuous ping from one of our computers to the mail server. On the mail server, I issued the command to block the IP of the computer doing continuous pings. The ping responses dropped dead cold, almost immediately upon issuing the apf -d command. Then, while the pings were still running, I issued the apf --refresh command on the server. Guess what... Got two responses to ping requests before they stopped again. (My observations of this test suggest that there is a 'hole' opening up when the refresh command is being issued.)
###

When I do a manual "apf --refresh" myself, I see it appear to rebuild the trust and deny system, hence the concern that during the rebuild, if an attack is ongoing, a temporary hole might be created if the attacker can get an established session going before the refresh is complete. Thoughts? Thank you.

Posted by m3gadeth, 11-04-2012, 08:24 AM
I can confirm issues with APF refresh. I'm using Sphinx on my server and I was getting Sphinx timeout errors every 10 minutes, lasting for about 30-40 seconds, so my Sphinx queries failed during this time. I finally figured out it was due to the APF refresh (/etc/cron.d/refresh.apf), which was running every 10 minutes (the DEFAULT value in conf.apf). By the way, it seems it is actually doing an apf 'restart' (not 'refresh') every 10 minutes. So that means at least some of the firewall rules don't work during a refresh, and your local services like Sphinx won't work during this time. My advice is to change the SET_REFRESH value in conf.apf to a higher value, or even set it to 0 to disable it. If you're using multiple machines and load balancing like I do, this could go unnoticed for a long time.

Posted by BestServerSupport, 11-05-2012, 09:19 AM
This is something interesting to know. So is there any way we can disable the APF auto refresh to avoid the security hole being opened?

Posted by m3gadeth, 11-05-2012, 10:18 AM
Yes, like I said, just set SET_REFRESH="0" in conf.apf and restart APF (apf -r). But you should read the description of the setting: if you are using dynamic DNS or downloadable global trust rules, you might want to refresh once in a while. Another thing I've noticed is that the maximum value of SET_REFRESH is 60, so if you enter 180 it won't run every 3 hours as expected; it will actually run every 60 minutes. This is due to the crontab maximum value for the minutes field. You can fix this manually by editing /etc/cron.d/refresh.apf:

BAD:
*/180 * * * * root /etc/apf/apf --refresh >> /dev/null 2>&1 &

GOOD:
0 */3 * * * root /etc/apf/apf --refresh >> /dev/null 2>&1 &
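The cron pitfall in the post above (a minute-field step of 180 silently behaves like a 60-minute step) is easy to get wrong by hand. The following shell function, added here as an example and not part of the thread or of APF itself, turns a refresh interval in minutes into a cron schedule that actually means what was intended: sub-hour intervals go in the minute field, whole-hour intervals go in the hour field, and intervals that cron cannot express as a single step are rejected rather than silently shortened. The APF binary path and cron.d file name are taken from the thread; everything else is an assumption.

```shell
#!/usr/bin/env bash
# Build a cron schedule for APF's refresh job from an interval in minutes.
#
# cron's minute field only accepts 0-59, so "*/180 * * * *" does not mean
# "every 180 minutes": the step is clamped to the field and the job fires at
# :00 every hour. Whole-hour intervals must be expressed in the hour field.
# Step values are also only exact when they divide the field evenly
# (60 for minutes, 24 for hours); "*/7 * * * *" fires at :56 and then :00.
# Paths below match the thread (/etc/apf/apf, /etc/cron.d/refresh.apf);
# this helper is an added example, not shipped by APF.

apf_refresh_schedule() {
    local minutes="$1"
    case "$minutes" in
        ''|*[!0-9]*) echo "interval must be a non-negative integer (minutes)" >&2; return 1 ;;
    esac
    if [ "$minutes" -eq 0 ]; then
        # SET_REFRESH="0" means no refresh job at all: emit nothing.
        return 0
    fi
    if [ "$minutes" -lt 60 ]; then
        # Sub-hour: step the minute field, but only if the step divides 60.
        if [ $((60 % minutes)) -ne 0 ]; then
            echo "interval $minutes does not divide 60; cron would not fire evenly" >&2
            return 1
        fi
        printf '*/%d * * * *\n' "$minutes"
        return 0
    fi
    if [ $((minutes % 60)) -ne 0 ]; then
        echo "interval $minutes is not a whole number of hours; cron cannot express it as one step" >&2
        return 1
    fi
    local hours=$((minutes / 60))
    if [ "$hours" -gt 24 ] || [ $((24 % hours)) -ne 0 ]; then
        echo "interval of $hours hours does not divide 24; cron would not fire evenly" >&2
        return 1
    fi
    # Whole hours: fire at minute 0 and step the hour field instead.
    printf '0 */%d * * *\n' "$hours"
}

# Full line for /etc/cron.d/refresh.apf, in the same form the thread shows.
apf_refresh_cron_line() {
    local sched
    sched="$(apf_refresh_schedule "$1")" || return 1
    [ -n "$sched" ] || return 0
    printf '%s root /etc/apf/apf --refresh >> /dev/null 2>&1\n' "$sched"
}

# Usage (as root), e.g. for a 3-hour refresh:
#   { printf 'MAILTO=\nSHELL=/bin/bash\n'; apf_refresh_cron_line 180; } > /etc/cron.d/refresh.apf
```

Because APF regenerates its cron file from SET_REFRESH, a hand-edited /etc/cron.d/refresh.apf can be overwritten on the next apf restart; keep SET_REFRESH at a value the minute field can hold (or 0) and treat the hour-field line as a local override you re-check after upgrades.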


