

Kernel, Iptables and APF firewall problem




Posted by SecondSight, 10-21-2009, 12:43 PM
Hello! I've got problems with my APF firewall. Here are the errors I get:

[root@ks123456 ~]# apf -r
apf(6493): {glob} flushing & zeroing chain policies
apf(6493): {glob} firewall offline
apf(6530): {glob} activating firewall
Opening /proc/modules: No such file or directory
apf(6570): {glob} unable to load iptables module (ip_tables), aborting.
apf(6530): {glob} firewall initalized
apf(6530): {glob} fast load snapshot saved

The /var/log/apf_log file is full of these errors. I've been told that it was a compatibility issue with the server's kernel. So I upgraded the kernel to the latest version, but the problem still remains and I get the same errors... Can you advise about what I should do now? Thank you!

Posted by rwxguru, 10-21-2009, 12:58 PM
I think you're using a monolithic kernel. Edit /etc/apf/conf.apf, change "SET_MONOKERN" to 1 and try restarting apf.

Posted by SecondSight, 10-21-2009, 03:26 PM
Hello! This is what it returned:

[root@ks123456 ~]# apf -r
apf(26438): {glob} flushing & zeroing chain policies
apf(26438): {glob} firewall offline
apf(26475): {glob} activating firewall
Opening /proc/modules: No such file or directory
apf(26515): {glob} determined (IFACE_IN) eth0 has address xxx.xxx.xxx.xxx
apf(26515): {glob} determined (IFACE_OUT) eth0 has address xxx.xxx.xxx.xxx
apf(26515): {glob} loading preroute.rules
apf(26515): {resnet} downloading http://r-fx.ca/downloads/reserved.networks
apf(26515): {resnet} parsing reserved.networks into /etc/apf/internals/reserved.networks
apf(26515): {glob} loading reserved.networks
apf(26515): {glob} SET_REFRESH is set to 10 minutes
apf(26515): {glob} loading allow_hosts.rules
apf(26515): {trust} allow all to/from xxx.xxx.xxx.xxx
apf(26515): {trust} allow all to/from xxx.xxx.xxx.xxx
apf(26515): {trust} allow all to/from xxx.xxx.xxx.xxx
apf(26515): {rab} force set RAB disabled, kernel module ipt_recent not found.
apf(26515): {glob} loading bt.rules
apf(26515): {glob} loading deny_hosts.rules
apf(26515): {trust} deny all to/from xxx.xxx.xxx.xxx
apf(26515): {trust} deny all to/from xxx.xxx.xxx.xxx
apf(26515): {trust} deny all to/from xxx.xxx.xxx.xxx
apf(26515): {dshield} downloading http://feeds.dshield.org/top10-2.txt
apf(26515): {dshield} parsing top10-2.txt into /etc/apf/ds_hosts.rules
apf(26515): {dshield} loading ds_hosts.rules
apf(26515): {sdrop} downloading http://www.spamhaus.org/drop/drop.lasso
apf(26515): {sdrop} parsing drop.lasso into /etc/apf/sdrop_hosts.rules
apf(26515): {sdrop} loading sdrop_hosts.rules
apf(26515): {glob} loading common drop ports
apf(26515): {blk_ports} deny all to/from tcp port 135:139
apf(26515): {blk_ports} deny all to/from udp port 135:139
apf(26515): {blk_ports} deny all to/from tcp port 111
apf(26515): {blk_ports} deny all to/from udp port 111
apf(26515): {blk_ports} deny all to/from tcp port 513
apf(26515): {blk_ports} deny all to/from udp port 513
apf(26515): {blk_ports} deny all to/from tcp port 520
apf(26515): {blk_ports} deny all to/from udp port 520
apf(26515): {blk_ports} deny all to/from tcp port 445
apf(26515): {blk_ports} deny all to/from udp port 445
apf(26515): {blk_ports} deny all to/from tcp port 1433
apf(26515): {blk_ports} deny all to/from udp port 1433
apf(26515): {blk_ports} deny all to/from tcp port 1434
apf(26515): {blk_ports} deny all to/from udp port 1434
apf(26515): {blk_ports} deny all to/from tcp port 1234
apf(26515): {blk_ports} deny all to/from udp port 1234
apf(26515): {blk_ports} deny all to/from tcp port 1524
apf(26515): {blk_ports} deny all to/from udp port 1524
apf(26515): {blk_ports} deny all to/from tcp port 3127
apf(26515): {blk_ports} deny all to/from udp port 3127
apf(26515): {pkt_sanity} set active PKT_SANITY
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ALL NONE
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs SYN,FIN SYN,FIN
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs SYN,RST SYN,RST
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs FIN,RST FIN,RST
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ACK,FIN FIN
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ACK,URG URG
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ACK,PSH PSH
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN,URG,PSH
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ALL SYN,RST,ACK,FIN,URG
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ALL ALL
apf(26515): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs ALL NONE
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs SYN,FIN SYN,FIN
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs SYN,RST SYN,RST
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs FIN,RST FIN,RST
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs ACK,FIN FIN
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs ACK,PSH PSH
apf(26515): {pkt_sanity} deny outbound tcp-flag pairs ACK,URG URG
apf(26515): {pkt_sanity} deny all fragmented udp
apf(26515): {pkt_sanity} deny inbound tcp port 0
apf(26515): {pkt_sanity} deny outbound tcp port 0
apf(26515): {blk_p2p} set active BLK_P2P
apf(26515): {blk_p2p} deny all to/from tcp port 1214
apf(26515): {blk_p2p} deny all to/from udp port 1214
apf(26515): {blk_p2p} deny all to/from tcp port 2323
apf(26515): {blk_p2p} deny all to/from udp port 2323
apf(26515): {blk_p2p} deny all to/from tcp port 4660:4678
apf(26515): {blk_p2p} deny all to/from udp port 4660:4678
apf(26515): {blk_p2p} deny all to/from tcp port 6257
apf(26515): {blk_p2p} deny all to/from udp port 6257
apf(26515): {blk_p2p} deny all to/from tcp port 6699
apf(26515): {blk_p2p} deny all to/from udp port 6699
apf(26515): {blk_p2p} deny all to/from tcp port 6346
apf(26515): {blk_p2p} deny all to/from udp port 6346
apf(26515): {blk_p2p} deny all to/from tcp port 6347
apf(26515): {blk_p2p} deny all to/from udp port 6347
apf(26515): {blk_p2p} deny all to/from tcp port 6881:6889
apf(26515): {blk_p2p} deny all to/from udp port 6881:6889
apf(26515): {blk_p2p} deny all to/from tcp port 6346
apf(26515): {blk_p2p} deny all to/from udp port 6346
apf(26515): {blk_p2p} deny all to/from tcp port 7778
apf(26515): {blk_p2p} deny all to/from udp port 7778
apf(26515): {glob} loading log.rules
apf(26515): {glob} virtual net subsystem disabled.
apf(26515): {glob} loading main.rules
apf(26515): {glob} opening inbound tcp port 20 on 0/0
apf(26515): {glob} opening inbound tcp port 21 on 0/0
apf(26515): {glob} opening inbound tcp port 22 on 0/0
apf(26515): {glob} opening inbound tcp port 25 on 0/0
apf(26515): {glob} opening inbound tcp port 53 on 0/0
apf(26515): {glob} opening inbound tcp port 80 on 0/0
apf(26515): {glob} opening inbound tcp port 110 on 0/0
apf(26515): {glob} opening inbound tcp port 143 on 0/0
apf(26515): {glob} opening inbound tcp port 443 on 0/0
apf(26515): {glob} opening inbound tcp port 465 on 0/0
apf(26515): {glob} opening inbound tcp port 953 on 0/0
apf(26515): {glob} opening inbound tcp port 993 on 0/0
apf(26515): {glob} opening inbound tcp port 995 on 0/0
apf(26515): {glob} opening inbound tcp port 2082 on 0/0
apf(26515): {glob} opening inbound tcp port 2083 on 0/0
apf(26515): {glob} opening inbound tcp port 2086 on 0/0
apf(26515): {glob} opening inbound tcp port 2087 on 0/0
apf(26515): {glob} opening inbound tcp port 2095 on 0/0
apf(26515): {glob} opening inbound tcp port 2096 on 0/0
apf(26515): {glob} opening inbound tcp port 3306 on 0/0
apf(26515): {glob} opening inbound tcp port 3000:3500 on 0/0
apf(26515): {glob} opening inbound udp port 21 on 0/0
apf(26515): {glob} opening inbound udp port 53 on 0/0
apf(26515): {glob} opening inbound udp port 873 on 0/0
apf(26515): {glob} opening outbound tcp port 21 on 0/0
apf(26515): {glob} opening outbound tcp port 25 on 0/0
apf(26515): {glob} opening outbound tcp port 27 on 0/0
apf(26515): {glob} opening outbound tcp port 37 on 0/0
apf(26515): {glob} opening outbound tcp port 43 on 0/0
apf(26515): {glob} opening outbound tcp port 53 on 0/0
apf(26515): {glob} opening outbound tcp port 80 on 0/0
apf(26515): {glob} opening outbound tcp port 110 on 0/0
apf(26515): {glob} opening outbound tcp port 113 on 0/0
apf(26515): {glob} opening outbound tcp port 123 on 0/0
apf(26515): {glob} opening outbound tcp port 443 on 0/0
apf(26515): {glob} opening outbound tcp port 465 on 0/0
apf(26515): {glob} opening outbound tcp port 873 on 0/0
apf(26515): {glob} opening outbound tcp port 953 on 0/0
apf(26515): {glob} opening outbound tcp port 2087 on 0/0
apf(26515): {glob} opening outbound tcp port 2089 on 0/0
apf(26515): {glob} opening outbound tcp port 3306 on 0/0
apf(26515): {glob} opening outbound tcp port 22 on 0/0
apf(26515): {glob} opening outbound udp port 20 on 0/0
apf(26515): {glob} opening outbound udp port 21 on 0/0
apf(26515): {glob} opening outbound udp port 53 on 0/0
apf(26515): {glob} opening outbound udp port 37 on 0/0
apf(26515): {glob} opening outbound udp port 873 on 0/0
apf(26515): {glob} opening outbound udp port 953 on 0/0
apf(26515): {glob} opening inbound icmp type 3 on 0/0
apf(26515): {glob} opening inbound icmp type 5 on 0/0
apf(26515): {glob} opening inbound icmp type 11 on 0/0
apf(26515): {glob} opening inbound icmp type 0 on 0/0
apf(26515): {glob} opening inbound icmp type 30 on 0/0
apf(26515): {glob} opening inbound icmp type 8 on 0/0
apf(26515): {glob} opening outbound icmp all on 0/0
apf(26515): {glob} resolv dns discovery for xxx.xxx.xxx.xxx
apf(26515): {glob} loading postroute.rules
apf(26515): {glob} default (egress) output drop
apf(26515): {glob} default (ingress) input drop
apf(26475): {glob} firewall initalized
apf(26475): {glob} fast load snapshot saved

I still have error messages, it seems, and I don't understand very well the result and consequences of this. What do you think of it? Thank you!
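The two logs above differ in one security-relevant way. In the first run APF gave up at "unable to load iptables module (ip_tables), aborting" and still printed "firewall initalized": no rules were loaded, so the host was running with whatever policy the kernel had before, typically ACCEPT on everything. In the second run the full ruleset loads and ends with "default (egress) output drop" and "default (ingress) input drop", so the firewall is actually active. The remaining "Opening /proc/modules: No such file or directory" line is APF probing the module list, which does not exist on a kernel built without loadable-module support; the "{rab} force set RAB disabled, kernel module ipt_recent not found" line means the recent match is not available to the kernel, so Reactive Address Blocking is off while everything else works. The pre-flight script below is an added example written for this thread, not APF's own code or anything the posters ran. It decides what SET_MONOKERN should be from the presence of /proc/modules, lists which netfilter options a monolithic kernel must have compiled in (=y, since =m can never be loaded), and rewrites the setting in conf.apf. Assumptions: every path is a parameter so it can be run against a scratch directory; conf.apf carries the setting as `SET_MONOKERN="0"` (APF's shipped form, quotes optional here); the CONFIG_ symbol names are the 2.6-era ones, with both spellings of the recent match accepted.

```shell
#!/bin/sh
# Added example: pre-flight checks for APF on a possibly monolithic kernel.
# Not APF's code. Paths are parameters so the functions can run against a
# constructed /proc and conf.apf instead of the live system (assumption).

# Print 1 if the kernel can load modules (/proc/modules exists), else 0.
kernel_has_module_support() {
    proc_root="${1:-/proc}"
    if [ -e "$proc_root/modules" ]; then echo 1; else echo 0; fi
}

# The SET_MONOKERN value this kernel needs. With module support absent, APF
# must not modprobe ip_tables: in the thread's first log that attempt aborts
# before any rule is loaded, leaving the host without a firewall.
recommend_monokern() {
    if [ "$(kernel_has_module_support "$1")" -eq 1 ]; then echo 0; else echo 1; fi
}

# Given a kernel .config (e.g. /boot/config-$(uname -r) or zcat of
# /proc/config.gz), list the netfilter options APF relies on that are NOT
# built in as =y. On a monolithic kernel =m is as bad as unset. Symbol names
# are the 2.6-era ones (assumption); the recent match has had two spellings.
missing_builtin_netfilter() {
    config="$1"
    missing=""
    for sym in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
               CONFIG_NETFILTER_XT_MATCH_STATE; do
        if ! grep -q "^${sym}=y\$" "$config"; then
            missing="${missing}${missing:+ }${sym}"
        fi
    done
    # The recent match is what APF's RAB needs (ipt_recent in the log).
    if ! grep -q "^CONFIG_NETFILTER_XT_MATCH_RECENT=y\$" "$config" \
       && ! grep -q "^CONFIG_IP_NF_MATCH_RECENT=y\$" "$config"; then
        missing="${missing}${missing:+ }CONFIG_NETFILTER_XT_MATCH_RECENT"
    fi
    echo "$missing"
}

# Read the current SET_MONOKERN value from a conf.apf (quotes stripped).
get_monokern() {
    grep '^SET_MONOKERN=' "$1" | tr -d '"' | cut -d= -f2
}

# Rewrite SET_MONOKERN in place via a temp file (portable, no sed -i).
set_monokern() {
    conf="$1"; value="$2"
    sed "s/^SET_MONOKERN=.*/SET_MONOKERN=\"$value\"/" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Report on the live system; edit only when asked, to keep the demo read-only.
main() {
    proc=/proc
    config="/boot/config-$(uname -r)"
    echo "module support:           $(kernel_has_module_support "$proc")"
    echo "recommended SET_MONOKERN: $(recommend_monokern "$proc")"
    if [ -r "$config" ]; then
        echo "not built in (=y):        $(missing_builtin_netfilter "$config")"
    else
        echo "no readable $config; try: zcat /proc/config.gz > /tmp/config"
    fi
    if [ -r /etc/apf/conf.apf ]; then
        echo "current SET_MONOKERN:     $(get_monokern /etc/apf/conf.apf)"
    fi
}

if [ "${1:-}" = "--check" ]; then main; fi
```

Run it as `sh apf-preflight.sh --check`. After changing the setting and running `apf -r`, confirm the ruleset really landed with `iptables -L -n -v | head` (the INPUT and OUTPUT policies should read DROP, as the second log claims) rather than trusting the "firewall initalized" line, which the first log shows is printed even when nothing loaded. To test whether RAB can be re-enabled, add a throwaway rule such as `iptables -A INPUT -m recent --name probe --set`; on a kernel without the match the kernel refuses it with "No chain/target/match by that name", and the fix is a kernel rebuilt with the recent match compiled in, not a conf.apf change.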


