Kernel, Iptables and APF firewall problem
Posted by SecondSight, 10-21-2009, 12:43 PM
Hello!
I've got problems with my APF firewall. Here are the errors I get:
[root@ks123456 ~]# apf -r
apf(6493): {glob} flushing & zeroing chain policies
apf(6493): {glob} firewall offline
apf(6530): {glob} activating firewall
Opening /proc/modules: No such file or directory
apf(6570): {glob} unable to load iptables module (ip_tables), aborting.
apf(6530): {glob} firewall initalized
apf(6530): {glob} fast load snapshot saved
The /var/log/apf_log file is full of these errors.
I've been told that it was a compatibility issue with the server's kernel. So I upgraded the kernel to the latest version, but the problem still remains and I get the same errors...
Can you advise about what I should do now?
Thank you!
Posted by rwxguru, 10-21-2009, 12:58 PM
I think you're using a monolithic kernel. Edit /etc/apf/conf.apf and change "SET_MONOKERN" to 1 and try restarting apf.
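Added example, not code from the thread or from the APF project: a POSIX shell script that applies the change rwxguru describes in a checkable way. It treats a missing /proc/modules (the "Opening /proc/modules: No such file or directory" line in the log) as the sign that the kernel cannot load modules, and sets SET_MONOKERN to 1 in a copy of conf.apf. The function names, the optional path arguments, and the assumption that conf.apf writes the option as SET_MONOKERN="0" (quoted value) are mine; the demo works on a constructed conf fragment in a temp directory, not the live /etc/apf/conf.apf.

```shell
#!/bin/sh
# Added example, not from the thread or from the APF project: apply the fix
# rwxguru describes in a checkable way. A missing /proc/modules (the thread's
# "Opening /proc/modules: No such file or directory") means no module can be
# loaded, so APF must be told the netfilter code is built in: SET_MONOKERN="1".
# Assumption: conf.apf stores the option as  SET_MONOKERN="0"  (quoted value).
# Both path arguments default to the real /proc files; they are parameters only
# so the logic can be exercised against constructed files.

# True (0) when the kernel looks monolithic with respect to ip_tables.
kernel_is_monolithic() {
    modules_file="${1:-/proc/modules}"
    names_file="${2:-/proc/net/ip_tables_names}"
    # No module table at all: insmod/modprobe cannot work; this is the thread's case.
    [ -e "$modules_file" ] || return 0
    # Module table exists but ip_tables is not a loaded module, yet the
    # ip_tables proc file is there: the code is compiled in.
    if ! grep -q '^ip_tables ' "$modules_file" && [ -e "$names_file" ]; then
        return 0
    fi
    return 1
}

# Set SET_MONOKERN in the given conf.apf to 0 or 1, via a temp file so a
# partial write never leaves a truncated config behind.
apf_set_monokern() {
    conf="$1"; value="$2"
    case "$value" in 0|1) ;; *) echo "apf_set_monokern: value must be 0 or 1" >&2; return 2 ;; esac
    if grep -q '^SET_MONOKERN=' "$conf"; then
        sed "s/^SET_MONOKERN=.*/SET_MONOKERN=\"$value\"/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'SET_MONOKERN="%s"\n' "$value" >> "$conf"
    fi
}

# Print the current SET_MONOKERN value (0 or 1); prints nothing if unset.
apf_get_monokern() {
    sed -n 's/^SET_MONOKERN="\{0,1\}\([01]\)"\{0,1\}.*/\1/p' "$1"
}

# Demo on a constructed conf.apf fragment in a temp directory, never the live file.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/conf.apf"
cat > "$demo_conf" <<'EOF'
# constructed fragment of /etc/apf/conf.apf
DEVEL_MODE="0"
SET_MONOKERN="0"
IFACE_IN="eth0"
EOF

# Point at paths that do not exist to reproduce the thread's kernel.
if kernel_is_monolithic "$demo_dir/no_proc_modules" "$demo_dir/no_names"; then
    apf_set_monokern "$demo_conf" 1
fi
echo "SET_MONOKERN is now $(apf_get_monokern "$demo_conf")"   # 1
rm -rf "$demo_dir"
```

On a real box, run `apf_set_monokern /etc/apf/conf.apf 1` only when `kernel_is_monolithic` (with its default paths) returns true, then `apf -r`; the /proc/modules message will still appear, because APF only skips the module load, it does not suppress the probe.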
Posted by SecondSight, 10-21-2009, 03:26 PM
Hello!
This is what it returned:
[root@ks123456 ~]# apf -r
apf(26438): {glob} flushing & zeroing chain policies
apf(26438): {glob} firewall offline
apf(26475): {glob} activating firewall
Opening /proc/modules: No such file or directory
apf(26515): {glob} determined (IFACE_IN) eth0 has address xxx.xxx.xxx.xxx
apf(26515): {glob} determined (IFACE_OUT) eth0 has address xxx.xxx.xxx.xxx
apf(26515): {glob} loading preroute.rules
apf(26515): {resnet} downloading http://r-fx.ca/downloads/reserved.networks
apf(26515): {resnet} parsing reserved.networks into /etc/apf/internals/reserved.networks
apf(26515): {glob} loading reserved.networks
apf(26515): {glob} SET_REFRESH is set to 10 minutes
apf(26515): {glob} loading allow_hosts.rules
apf(26515): {trust} allow all to/from xxx.xxx.xxx.xxx
apf(26515): {trust} allow all to/from xxx.xxx.xxx.xxx
apf(26515): {trust} allow all to/from xxx.xxx.xxx.xxx
apf(26515): {rab} force set RAB disabled, kernel module ipt_recent not found.
apf(26515): {glob} loading bt.rules
apf(26515): {glob} loading deny_hosts.rules
apf(26515): {trust} deny all to/from xxx.xxx.xxx.xxx
apf(26515): {trust} deny all to/from xxx.xxx.xxx.xxx
apf(26515): {trust} deny all to/from xxx.xxx.xxx.xxx
apf(26515): {dshield} downloading http://feeds.dshield.org/top10-2.txt
apf(26515): {dshield} parsing top10-2.txt into /etc/apf/ds_hosts.rules
apf(26515): {dshield} loading ds_hosts.rules
apf(26515): {sdrop} downloading http://www.spamhaus.org/drop/drop.lasso
apf(26515): {sdrop} parsing drop.lasso into /etc/apf/sdrop_hosts.rules
apf(26515): {sdrop} loading sdrop_hosts.rules
apf(26515): {glob} loading common drop ports
apf(26515): {blk_ports} deny all to/from tcp port 135:139
apf(26515): {blk_ports} deny all to/from udp port 135:139
apf(26515): {blk_ports} deny all to/from tcp port 111
apf(26515): {blk_ports} deny all to/from udp port 111
apf(26515): {blk_ports} deny all to/from tcp port 513
apf(26515): {blk_ports} deny all to/from udp port 513
apf(26515): {blk_ports} deny all to/from tcp port 520
apf(26515): {blk_ports} deny all to/from udp port 520
apf(26515): {blk_ports} deny all to/from tcp port 445
apf(26515): {blk_ports} deny all to/from udp port 445
apf(26515): {blk_ports} deny all to/from tcp port 1433
apf(26515): {blk_ports} deny all to/from udp port 1433
apf(26515): {blk_ports} deny all to/from tcp port 1434
apf(26515): {blk_ports} deny all to/from udp port 1434
apf(26515): {blk_ports} deny all to/from tcp port 1234
apf(26515): {blk_ports} deny all to/from udp port 1234
apf(26515): {blk_ports} deny all to/from tcp port 1524
apf(26515): {blk_ports} deny all to/from udp port 1524
apf(26515): {blk_ports} deny all to/from tcp port 3127
apf(26515): {blk_ports} deny all to/from udp port 3127
apf(26515): {pkt_sanity} set active PKT_SANITY
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ALL NONE
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs SYN,FIN SYN,FIN
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs SYN,RST SYN,RST
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs FIN,RST FIN,RST
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ACK,FIN FIN
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ACK,URG URG
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ACK,PSH PSH
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN,URG,PSH
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ALL SYN,RST,ACK,FIN,URG
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ALL ALL
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs ALL NONE
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs SYN,FIN SYN,FIN
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs SYN,RST SYN,RST
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs FIN,RST FIN,RST
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs ACK,FIN FIN
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs ACK,PSH PSH
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs ACK,URG URG
apf(26515): {pkt_sanity} deny all fragmented udp
apf(26515): {pkt_sanity} deny inbound tcp port 0
apf(26515): {pkt_sanity} deny outbound tcp port 0
apf(26515): {blk_p2p} set active BLK_P2P
apf(26515): {blk_p2p} deny all to/from tcp port 1214
apf(26515): {blk_p2p} deny all to/from udp port 1214
apf(26515): {blk_p2p} deny all to/from tcp port 2323
apf(26515): {blk_p2p} deny all to/from udp port 2323
apf(26515): {blk_p2p} deny all to/from tcp port 4660:4678
apf(26515): {blk_p2p} deny all to/from udp port 4660:4678
apf(26515): {blk_p2p} deny all to/from tcp port 6257
apf(26515): {blk_p2p} deny all to/from udp port 6257
apf(26515): {blk_p2p} deny all to/from tcp port 6699
apf(26515): {blk_p2p} deny all to/from udp port 6699
apf(26515): {blk_p2p} deny all to/from tcp port 6346
apf(26515): {blk_p2p} deny all to/from udp port 6346
apf(26515): {blk_p2p} deny all to/from tcp port 6347
apf(26515): {blk_p2p} deny all to/from udp port 6347
apf(26515): {blk_p2p} deny all to/from tcp port 6881:6889
apf(26515): {blk_p2p} deny all to/from udp port 6881:6889
apf(26515): {blk_p2p} deny all to/from tcp port 6346
apf(26515): {blk_p2p} deny all to/from udp port 6346
apf(26515): {blk_p2p} deny all to/from tcp port 7778
apf(26515): {blk_p2p} deny all to/from udp port 7778
apf(26515): {glob} loading log.rules
apf(26515): {glob} virtual net subsystem disabled.
apf(26515): {glob} loading main.rules
apf(26515): {glob} opening inbound tcp port 20 on 0/0
apf(26515): {glob} opening inbound tcp port 21 on 0/0
apf(26515): {glob} opening inbound tcp port 22 on 0/0
apf(26515): {glob} opening inbound tcp port 25 on 0/0
apf(26515): {glob} opening inbound tcp port 53 on 0/0
apf(26515): {glob} opening inbound tcp port 80 on 0/0
apf(26515): {glob} opening inbound tcp port 110 on 0/0
apf(26515): {glob} opening inbound tcp port 143 on 0/0
apf(26515): {glob} opening inbound tcp port 443 on 0/0
apf(26515): {glob} opening inbound tcp port 465 on 0/0
apf(26515): {glob} opening inbound tcp port 953 on 0/0
apf(26515): {glob} opening inbound tcp port 993 on 0/0
apf(26515): {glob} opening inbound tcp port 995 on 0/0
apf(26515): {glob} opening inbound tcp port 2082 on 0/0
apf(26515): {glob} opening inbound tcp port 2083 on 0/0
apf(26515): {glob} opening inbound tcp port 2086 on 0/0
apf(26515): {glob} opening inbound tcp port 2087 on 0/0
apf(26515): {glob} opening inbound tcp port 2095 on 0/0
apf(26515): {glob} opening inbound tcp port 2096 on 0/0
apf(26515): {glob} opening inbound tcp port 3306 on 0/0
apf(26515): {glob} opening inbound tcp port 3000:3500 on 0/0
apf(26515): {glob} opening inbound udp port 21 on 0/0
apf(26515): {glob} opening inbound udp port 53 on 0/0
apf(26515): {glob} opening inbound udp port 873 on 0/0
apf(26515): {glob} opening outbound tcp port 21 on 0/0
apf(26515): {glob} opening outbound tcp port 25 on 0/0
apf(26515): {glob} opening outbound tcp port 27 on 0/0
apf(26515): {glob} opening outbound tcp port 37 on 0/0
apf(26515): {glob} opening outbound tcp port 43 on 0/0
apf(26515): {glob} opening outbound tcp port 53 on 0/0
apf(26515): {glob} opening outbound tcp port 80 on 0/0
apf(26515): {glob} opening outbound tcp port 110 on 0/0
apf(26515): {glob} opening outbound tcp port 113 on 0/0
apf(26515): {glob} opening outbound tcp port 123 on 0/0
apf(26515): {glob} opening outbound tcp port 443 on 0/0
apf(26515): {glob} opening outbound tcp port 465 on 0/0
apf(26515): {glob} opening outbound tcp port 873 on 0/0
apf(26515): {glob} opening outbound tcp port 953 on 0/0
apf(26515): {glob} opening outbound tcp port 2087 on 0/0
apf(26515): {glob} opening outbound tcp port 2089 on 0/0
apf(26515): {glob} opening outbound tcp port 3306 on 0/0
apf(26515): {glob} opening outbound tcp port 22 on 0/0
apf(26515): {glob} opening outbound udp port 20 on 0/0
apf(26515): {glob} opening outbound udp port 21 on 0/0
apf(26515): {glob} opening outbound udp port 53 on 0/0
apf(26515): {glob} opening outbound udp port 37 on 0/0
apf(26515): {glob} opening outbound udp port 873 on 0/0
apf(26515): {glob} opening outbound udp port 953 on 0/0
apf(26515): {glob} opening inbound icmp type 3 on 0/0
apf(26515): {glob} opening inbound icmp type 5 on 0/0
apf(26515): {glob} opening inbound icmp type 11 on 0/0
apf(26515): {glob} opening inbound icmp type 0 on 0/0
apf(26515): {glob} opening inbound icmp type 30 on 0/0
apf(26515): {glob} opening inbound icmp type 8 on 0/0
apf(26515): {glob} opening outbound icmp all on 0/0
apf(26515): {glob} resolv dns discovery for xxx.xxx.xxx.xxx
apf(26515): {glob} loading postroute.rules
apf(26515): {glob} default (egress) output drop
apf(26515): {glob} default (ingress) input drop
apf(26475): {glob} firewall initalized
apf(26475): {glob} fast load snapshot saved
I still have error messages, it seems, and I don't understand the result and consequences of this very well.
What do you think of it?
Thank you!
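Added example, not code from the thread or from APF: a shell triage of the `apf -r` output above, classifying each line by what it means for the running firewall. Read against the two runs in this thread it gives the direct answer: the first run's "unable to load ... aborting" meant no rules were installed at all; after the SET_MONOKERN change the /proc/modules message is informational, and the only thing still degraded is RAB, disabled because ipt_recent is not available. The severity labels, the exit-code convention and `apf_live_check` are my own; the sample log lines are copied from this thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from APF: classify `apf -r` /
# /var/log/apf_log lines by what they mean for the running firewall.
# Severity labels and exit codes are this example's own convention:
#   FATAL    - "unable to load ... aborting": the run installed no rules
#   DEGRADED - a feature was force-disabled because a kernel module is missing
#   NOTICE   - the /proc/modules message: informational once SET_MONOKERN="1"
#   ok       - everything else
# Exit status of apf_triage: 2 if any FATAL, 1 if only DEGRADED, else 0.
apf_triage() {
    awk '
        /unable to load .* aborting/                             { print "FATAL    " $0; fatal++; next }
        /force set .* disabled/ || /kernel module .* not found/ { print "DEGRADED " $0; deg++;   next }
        /\/proc\/modules: No such file/                          { print "NOTICE   " $0; next }
                                                                 { print "ok       " $0 }
        END { if (fatal) exit 2; if (deg) exit 1; exit 0 }
    '
}

# Wrapper that returns the triage exit status as text (convenient for checks).
apf_triage_status() {
    if printf '%s\n' "$1" | apf_triage >/dev/null; then echo 0; else echo $?; fi
}

# Live check for a box where apf -r just ran (needs iptables and root): APF's
# "default (ingress) input drop" must be visible in the kernel as a DROP policy
# on INPUT with at least one rule, otherwise the log is not telling the truth.
apf_live_check() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not installed" >&2; return 1; }
    iptables -S INPUT 2>/dev/null | awk '
        /^-P INPUT/ { policy = $3 }
        /^-A INPUT/ { rules++ }
        END {
            printf "INPUT policy=%s rules=%d\n", policy, rules
            if (policy == "DROP" && rules > 0) exit 0
            exit 1
        }'
}

# Sample input: lines copied from the two apf -r runs in this thread.
SAMPLE_FIRST_RUN='apf(6530): {glob} activating firewall
Opening /proc/modules: No such file or directory
apf(6570): {glob} unable to load iptables module (ip_tables), aborting.
apf(6530): {glob} firewall initalized'

SAMPLE_AFTER_FIX='apf(26475): {glob} activating firewall
Opening /proc/modules: No such file or directory
apf(26515): {rab} force set RAB disabled, kernel module ipt_recent not found.
apf(26515): {glob} default (ingress) input drop
apf(26475): {glob} firewall initalized'

for sample in "$SAMPLE_FIRST_RUN" "$SAMPLE_AFTER_FIX"; do
    echo "--- triage ---"
    if printf '%s\n' "$sample" | apf_triage; then
        echo "=> exit 0 (rules loaded, nothing degraded)"
    else
        echo "=> exit $?"
    fi
done
apf_live_check || true
```

Pipe the real log through it with `apf_triage < /var/log/apf_log`; a non-zero status from `apf_live_check` after a run that printed "firewall initalized" is the case worth chasing, since it means the log and the kernel disagree.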