Archive for the 'General' Category

SBDavid

APF - Advanced Policy Firewall

Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations.

The official home page for APF is located at:

http://www.rfxnetworks.com/apf.php

If you are configuring iptables in your own custom kernel then you
should be sure that the following modules are compiled with the kernel for
modular support:

ip_tables
iptable_filter
iptable_mangle
ip_conntrack
ip_conntrack_irc
ip_conntrack_ftp
ipt_state
ipt_multiport
ipt_limit
ipt_recent
ipt_LOG
ipt_REJECT
ipt_ecn
ipt_length
ipt_mac
ipt_owner
ipt_ttl
ipt_TOS
ipt_TCPMSS
ipt_ULOG

To check that these modules are available on your system, look inside the /lib/modules/kernelver/kernel/net/ipv4/netfilter/ directory (where kernelver is your running kernel version).

Installation

The installation of APF is very straightforward: the included install.sh
script performs all the tasks of installing APF for you.

Install

# sh install.sh

If you wish, you may customize the setup of APF by editing the variables inside the install.sh script and then also editing the path variables in the conf.apf and internals.conf files. This is, however, not recommended; the default paths should meet all user needs. They are:

Install Path: /etc/apf
Bin Path: /usr/local/sbin/apf

The first post-install step is to set up APF in the init system with chkconfig (done by
default during install), as detailed below:

chkconfig --add apf
chkconfig --level 345 apf on

General Usage:

The /usr/local/sbin/apf command has a number of options that will ease the
day-to-day use of your firewall. Here is a quick snapshot of the options:

usage /usr/local/sbin/apf [OPTION]
-s|--start ......................... load the firewall rules
-r|--restart ....................... stop (flush) & reload firewall rules
-f|--stop .......................... stop (flush) all firewall rules
-l|--list .......................... list chain rules
-t|--status ........................ firewall status
-e|--refresh ....................... refresh & resolve dns names in trust rules
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
                                     immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
                                     immediately load new rule into firewall
-u|--remove HOST ................... remove host from [glob_]deny_hosts.rules
                                     and immediately remove rule from firewall
-o|--ovars ......................... output all configuration options

Trust an address:
apf -a ryanm.dynip.org "my home dynamic-ip"
Deny an address:
apf -d 192.168.3.111 "keeps trying to bruteforce"
Remove an address:
apf -u ryanm.dynip.org

Restrict the number of parallel connections to a server

connlimit

Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).

[!] --connlimit-above n
Match if the number of existing connections is (not) above n.

--connlimit-mask prefix_length
Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128.

Examples:

# allow 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the number of parallel HTTP requests to 16 per class C sized network (24 bit netmask)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

# limit the number of parallel HTTP requests to 16 for the link local network (ipv6)
ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT
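To make the grouping behaviour of --connlimit-mask concrete, here is an added Python model of the match (not code from the post or from iptables): it counts the tracked connections that share a prefix with the source of a new SYN, includes that new connection in the count as the kernel does, and applies the optional "!" negation. The connection table is a constructed sample.

```python
import ipaddress

# Constructed sample of the conntrack view of connections already open to the
# service, one source address per connection (not real data).
EXISTING_CONNS = [
    "203.0.113.10", "203.0.113.10", "203.0.113.11",
    "203.0.113.12", "198.51.100.7", "fe80::1",
]

def same_group(a, b, mask):
    """True if a and b share their first `mask` bits (the --connlimit-mask grouping)."""
    net = ipaddress.ip_network(f"{a}/{mask}", strict=False)
    return ipaddress.ip_address(b) in net   # always False across IPv4/IPv6

def connlimit_above(conns, src, n, mask=None, negate=False):
    """Model of `-m connlimit [!] --connlimit-above n [--connlimit-mask mask]`.

    Returns True when the rule would match a new SYN from `src`.  The kernel
    counts the connection being evaluated together with the tracked ones, so
    with n=2 the third SYN from the same group is the first one to match.
    """
    if mask is None:  # default mask is the full address length: per client host
        mask = 128 if ipaddress.ip_address(src).version == 6 else 32
    count = 1 + sum(1 for c in conns if same_group(src, c, mask))
    matched = count > n
    return not matched if negate else matched

def would_reject_telnet(conns, src):
    """The page's `--connlimit-above 2 -j REJECT`: allow 2 connections per host."""
    return connlimit_above(conns, src, 2)

def would_reject_http_per_class_c(conns, src, limit=16):
    """The page's `--connlimit-above 16 --connlimit-mask 24 -j REJECT`: limit per /24."""
    return connlimit_above(conns, src, limit, mask=24)

if __name__ == "__main__":
    for src in ("203.0.113.10", "203.0.113.11", "203.0.113.50"):
        verdict = "reject" if would_reject_telnet(EXISTING_CONNS, src) else "accept"
        print(f"new telnet SYN from {src}: {verdict}")
```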

SBDavid

Adding comments to iptables.


comment

Allows you to add comments (up to 256 characters) to any rule.

--comment comment

Example:

iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"

SBDavid

Reducing DNS bandwidth


* Refresh - 86000 - This is the time (in seconds) after which a slave DNS server will refresh from the master. It represents how often a secondary polls the primary to see whether the serial number for the zone has increased (so it knows to request a new copy of the zone data). It can also be written with unit suffixes, such as "23h88M" for 23 hours and 88 minutes. For a regular Internet server, keep it between 6 and 24 hours.

There is constant bandwidth usage between the primary and secondary (backup) DNS servers, and it depends heavily on the Refresh value. If the refresh value is, say, 3 hours, your secondary server polls your primary every 3 hours and updates its cache. Let's assume you have 1000 zone files, each with a 3-hour refresh rate: you can imagine the bandwidth being used, especially when the primary and secondary run on two separate physical servers.

Increasing the Refresh value (so the secondary polls less often) effectively reduces bandwidth usage between the primary and secondary server.

BEWARE! Any name or label that appears on either the left or right-hand-side of a resource record that does not have a terminating full stop will have the origin added to the name/label. Missing full stops are one of the most common causes of error in DNS zone files.
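Both points above, the unit notation in SOA timers and the origin being appended to any name without a terminating full stop, are shown by this added Python zone parser (example code, not from the post or from BIND). The zone fragment, its names and the fixed "owner IN TYPE rdata" layout are constructed assumptions.

```python
import re

# Constructed zone fragment (not real data): "ns1", "hostmaster" and "mail" lack a
# terminating full stop, so the origin is appended; "ns2.example.net." is absolute.
ZONE = """\
$ORIGIN example.com.
@     IN SOA ns1 hostmaster 2024010101 23h88M 1h 2w 1h
@     IN NS  ns1
@     IN NS  ns2.example.net.
@     IN MX  10 mail
mail  IN A   192.0.2.25
"""
_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_ttl(value):
    """BIND time value: bare seconds, or unit suffixes such as 23h88M (case-insensitive)."""
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)([wdhms])", value.lower())
    if "".join(n + u for n, u in parts) != value.lower():
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def qualify(name, origin):
    """Append the origin unless the name already ends with a full stop ('@' is the origin)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (SOA fields with timers in seconds, [(owner, type, rdata)] with qualified names).
    Assumes the fixed 'owner IN TYPE rdata' layout of the constructed sample above."""
    origin, soa, records = ".", None, []
    for fields in (line.split() for line in text.splitlines()):
        if fields and fields[0] == "$ORIGIN":
            origin = fields[1]
        elif fields:
            owner, rtype, rdata = qualify(fields[0], origin), fields[2], fields[3:]
            if rtype == "SOA":
                mname, rname, serial, *timers = rdata
                soa = {"mname": qualify(mname, origin), "rname": qualify(rname, origin),
                       "serial": int(serial)}
                soa.update(zip(("refresh", "retry", "expire", "minimum"), map(parse_ttl, timers)))
            else:
                if rtype in ("NS", "MX"):       # right-hand-side name gets the origin too
                    rdata[-1] = qualify(rdata[-1], origin)
                records.append((owner, rtype, " ".join(rdata)))
    return soa, records
```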

SBDavid

MX Record

More about MX Record

  • An MX record or Mail exchanger record is a type of resource record in the Domain Name System (DNS) specifying how Internet e-mail should be routed using the Simple Mail Transfer Protocol (SMTP).
  • Each MX record contains a priority and a host name, so that the collection of MX records for a given domain name points to the servers that should receive e-mail for that domain, and gives their priority relative to each other.
  • CNAME aliases are prohibited in MX record data.
  • The host name contained in an MX record must have an address, i.e. an A or AAAA DNS record.
  • Some mail servers will send mail to domains with IP-based MX records, but many (most notably Exim) will refuse to do so.
  • The sending mail transfer agent makes a DNS query requesting the MX records.
  • The sending agent then attempts to establish an SMTP connection to one of these servers, starting with the one with the smallest preference number.
  • If there is more than one entry with the same preference number, all of those must be tried before moving on to lower-priority entries.
  • One technique used to distribute the load of incoming mail over an array of servers is to return the same preference number for each server in the set.
  • The MX mechanism does not grant the ability to provide mail service on alternative ports, nor does it provide the ability to distribute mail delivery across a set of equal-priority mail servers.
  • The MX mechanism provides the ability to run multiple mail servers for a single domain, and allows the specification of an order in which they should be tried.
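The selection order and the two validity rules listed above (no CNAME targets, no IP-based MX), as an added Python example that is not part of the original post: it groups the records by preference number, exhausts each equal-preference group in random order before moving to the next, and flags the records a zone check should reject. The MX set is constructed.

```python
import ipaddress
import random

# Constructed MX set for one domain (not real data): the two preference-10 hosts
# share the incoming load, and preference 20 is only tried when both fail.
MX_RECORDS = [
    (20, "backup.example.net."),
    (10, "mx2.example.net."),
    (10, "mx1.example.net."),
]

def is_ip_literal(target):
    """True when the MX target is an address rather than a host name."""
    try:
        ipaddress.ip_address(target.rstrip("."))
        return True
    except ValueError:
        return False

def validate_mx(records, cname_names):
    """Problems a zone check should flag: CNAME targets and IP-based MX records.
    `cname_names` is the set of owner names in the zone that carry a CNAME record."""
    problems = []
    for _pref, target in records:
        if target in cname_names:
            problems.append(f"{target} is a CNAME alias")
        if is_ip_literal(target):
            problems.append(f"{target} is an IP address, not a host name")
    return problems

def preference_groups(records):
    """Equal-preference groups in the order an MTA works through them (smallest
    preference number first); a whole group is exhausted before the next is tried."""
    by_pref = {}
    for pref, target in records:
        by_pref.setdefault(pref, set()).add(target)
    return [by_pref[p] for p in sorted(by_pref)]

def delivery_order(records):
    """Hosts in the order a sending MTA tries them: ascending preference, with a
    random order inside each equal-preference group so load spreads over the set."""
    order = []
    for group in preference_groups(records):
        hosts = sorted(group)
        random.shuffle(hosts)
        order.extend(hosts)
    return order
```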
