I've recently been using the apf firewall. Its config file is very detailed, but my English isn't good.
I added some simple Chinese annotations myself and am posting them here to get the ball rolling; corrections are welcome, and so is help with the translation.
APF version 9.7
[OPTION]
-s --start          start the apf firewall
-r --restart        restart the apf firewall
-f --stop           stop the apf firewall
-l --list           list all apf configured rules
-t --status         output firewall status log (/var/log/apf_log)
-e --refresh        refresh & resolve dns names in trust rules
-a --allow HOST     add an IP / IP range to the allow (white) list
-d --deny HOST      add an IP / IP range to the deny (black) list
-u --remove HOST    remove an IP / IP range from the allow/deny lists
-o --ovars          output all configuration options to stdout
# indicated. This means value of 0 = disabled and 1 = enabled.
# [Main]
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.
# Set to 1 (true) and the firewall is stopped automatically every 5 minutes (debug mode); 0 is normal mode. (I could not test this.)
DEVEL_MODE="0"
# The installation path of APF; this can be changed but it is not recommended.
INSTALL_PATH="/etc/apf-firewall"
# Untrusted Network interface(s); all traffic on defined interface will be
# subject to all firewall rules. Only one interface is accepted for each value.
# Which interface to filter; this is the external-facing (untrusted) interface.
IFACE_IN="eth0"
IFACE_OUT="eth0"
# Trusted network interfaces; traffic on them is not subject to firewall filtering. Space- or comma-separated.
IFACE_TRUSTED=""
# When enabled, the status messages produced while running apf commands are also written to stdout.
# These status messages are normally recorded only in the log file /var/log/apf_log.
SET_VERBOSE="1"
# The fast load feature makes use of the iptables-save/restore facilities to do
# a snapshot save of the current firewall rules on an APF stop then when APF is
# instructed to start again it will restore the snapshot. This feature allows
# APF to load hundreds of rules back into the firewall without the need to
# regenerate every firewall entry.
# Note: a) if system uptime is below 5 minutes, the snapshot is expired
# b) if snapshot age exceeds 12 hours, the snapshot is expired
# c) if conf or a .rule has changed since last load, snapshot is expired
# d) if it is your first run of APF since install, snapshot is generated
# - an expired snapshot means APF will do a full start rule-by-rule
SET_FASTLOAD="0"
# Virtual Network Sub-System creates independent policy rule
# set for each IP on a system to /etc/apf-firewall/vnet/IP.rules. These rule files
# can be configured with conf.apf variables for unique but convenient firewall
# policies or custom iptables entries for even greater flexibility.
SET_VNET="0"
# This feature firewalls any additional interfaces on the server as untrusted
# through the VNET sub-system. Excluded are interfaces that have already been
# defined by IFACE_* variables. This feature is ideal for systems running
# private interfaces where not all hosts on the private network are trusted or
# are otherwise exposed to "open" networks through this private interface
# (i.e: the Internet, network accessible storage LAN, corporate WAN, etc..)
SET_ADDIFACE="0"
# Set to 1 if iptables is compiled directly into the kernel (monolithic); set to 0 if it is loaded as modules.
SET_MONOKERN="1"
# Maximum number of deny entries; once the threshold is exceeded, the oldest rules are trimmed automatically.
# [value is max lines, 0 for unlimited]
SET_TRIM="150"
# This controls how often, if at all, we want the trust system to refresh rules.
# The firewall will flush & reload all static rules, redownload global rules and
# re-resolve any dns names in the rules. This is ideal when using dynamic dns
# names or downloadable global trust rules. [value in minutes, 0 to disable]
# Flushes and reloads all static rules and re-downloads and loads the global rules. (My test of this did not succeed.)
SET_REFRESH="10"
# Verifies that the IFACE_* and IFACE_TRUSTED interfaces are actually routed
# to something. If configured interfaces are found with no routes setup then
# APF will exit with an error to prevent further issues (such as being locked
# out of the system).
VF_ROUTE="1"
# Verifies that crond is running when DEVEL_MODE=1; if not then APF will not
# try to load as if lock-up occurs no cron service to flush firewall.
VF_CROND="1"
# Verifies that all inbound traffic is sourced from a defined local gateway MAC
# address. All other traffic that does not match this MAC address will be
# rejected as untrusted traffic. It is quite easy to forge a MAC address and as
# such this feature executes NO default accept policy. Leave this option empty
# to disable or enter a 48-bit MAC address to enable.
VF_LGATE=""
# [Reactive Address Blocking]
# The use of RAB is such that it allows the firewall to track an address as it
# traverses the firewall rules and subsequently associate that address across
# any number of violations. This allows the firewall to react to critical
# policy violations by blocking addresses temporarily on the assumed precaution
# that we are protecting the host from what the address may do on the pretext
# of what the address has already done. The interface that allows RAB to work
# resides inside the kernel and makes use of the iptables 'ipt_recent' module,
# so there are no external programs causing any additional load. Enable (1) or disable (0).
RAB="1"
# This enables RAB for sanity violations, which is when an address breaks a
# strict conformity standard such as trying to spoof an address or modify
# packet flags. It is strongly recommended that this option NOT be disabled.
RAB_SANITY="1"
# This enables RAB for port scan violations, which is when an address attempts
# to connect to a port that has been classified as malicious. These types of
# ports are those which are not commonly used in today's Internet but are
# the subject of scrutiny by attackers, such as ports 1,7,9,11. Each security
# level defines the amount of ports that RAB will react against. The port
# security groups can be customized in 'internals/rab.ports'. Port-scan protection level:
# 0 = off | 1 = low security | 2 = medium | 3 = high security
RAB_PSCAN_LEVEL="3"
# This controls the amount of violation hits an address must have before it
# is blocked. It is a good idea to keep this very low to prevent evasive
# measures. The default is 0 or 1, meaning instant block on first violation.
RAB_HITCOUNT="1"
# Block duration after a rule is triggered (default 300 seconds)
RAB_TIMER="300"
# This allows RAB to 'trip' the block timer back to 0 seconds if an address
# attempts ANY subsequent communication while still on the initial block period.
RAB_TRIP="1"
# This controls if the firewall should log all violation hits from an address.
# The use of LOG_DROP variable set to 1 will override this to force logging.
RAB_LOG_HIT="1"
# This controls if the firewall should log all subsequent traffic from an address
# that is already blocked for a violation hit; this can generate a lot of logs.
# The use of LOG_DROP variable set to 1 will override this to force logging.
RAB_LOG_TRIP="0"
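As an added illustration (not APF's own rule set, which lives in its internals), the shell script below shows how the RAB_* settings above can be expressed with the iptables 'recent' match that the comment refers to. A packet to a port-scan indicator port puts the source address into a kernel-side list (--set); a rule earlier in the chain blocks any listed address seen at least RAB_HITCOUNT times within RAB_TIMER seconds. RAB_TRIP chooses between --update, which refreshes the address's timestamp on every matched packet and so restarts the block period, and --rcheck, which only reads it. The list name RAB, the port subset and the function names are our own assumptions; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not APF's own code: map RAB_* settings onto the iptables
# 'recent' match. Values are constructed; output is a dry run.

IFACE_IN="eth0"
RAB_TIMER="300"
RAB_HITCOUNT="1"
RAB_TRIP="1"
RAB_LOG_HIT="1"
RAB_PSCAN_PORTS="1,7,9,11"   # constructed subset; APF keeps its groups in internals/rab.ports

# rab_match -> the 'recent' match expression for the current RAB_* settings
rab_match() {
    if [ "$RAB_TRIP" = "1" ]; then mode="--update"; else mode="--rcheck"; fi
    hits=$RAB_HITCOUNT
    # the comment above says 0 or 1 both mean "block on the first violation"
    if [ "$hits" -lt 1 ]; then hits=1; fi
    printf '%s\n' "-m recent --name RAB $mode --seconds $RAB_TIMER --hitcount $hits"
}

# rab_rules -> the rule list, in the order it must appear in the INPUT chain
rab_rules() {
    m=$(rab_match)
    # 1. A listed address inside its block window is logged (optional) and dropped.
    if [ "$RAB_LOG_HIT" = "1" ]; then
        printf 'iptables -A INPUT -i %s %s -j LOG --log-prefix "RAB_BLOCK "\n' "$IFACE_IN" "$m"
    fi
    printf 'iptables -A INPUT -i %s %s -j DROP\n' "$IFACE_IN" "$m"
    # 2. A probe of an indicator port records the address and is dropped.
    printf 'iptables -A INPUT -i %s -p tcp -m multiport --dports %s -m recent --name RAB --set -j DROP\n' \
        "$IFACE_IN" "$RAB_PSCAN_PORTS"
}

# rab_sanity -> non-zero when a setting contradicts the advice in the comments above
rab_sanity() {
    rc=0
    if [ "$RAB_HITCOUNT" -gt 1 ]; then
        echo "RAB_HITCOUNT=$RAB_HITCOUNT: more than one violation is tolerated before a block" >&2; rc=1
    fi
    if [ "$RAB_TIMER" -lt 1 ]; then
        echo "RAB_TIMER=$RAB_TIMER: block window is zero, nothing will be blocked" >&2; rc=1
    fi
    return $rc
}

rab_sanity
rab_rules
```

The ordering matters: the --update/--rcheck rule has to sit before the --set rule, otherwise a blocked address is only re-recorded rather than dropped on its next packet.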
# [Packet Filtering/Handling]
# How should TCP packets be stopped?
# RESET (sends a tcp-reset; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
TCP_STOP="DROP"
# How should UDP packets be stopped?
# RESET (sends an icmp-port-unreachable; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
# PROHIBIT (send an icmp-host-prohibited)
UDP_STOP="DROP"
# How should all other packets be stopped?
# DROP (drop the packet)
# REJECT (reject the packet)
ALL_STOP="DROP"
# The sanity options control the way packets are scrutinized as they flow
# through the firewall. The main PKT_SANITY option is a top level toggle for
# all SANITY options and provides general packet flag sanity as a pre-scrub
# for the other sanity options.
# When enabled, only packets that conform to the TCP/IP standards are allowed in or out.
PKT_SANITY="1"
# Block any packets that do not conform as VALID, this feature is safe for most
# but some may experience protocol issues with broken remote clients. This is
# very similar to PKT_SANITY but has a wider scope and as such has the ability
# to affect many application protocols in undesirable ways.
# Similar to PKT_SANITY but broader in scope; it can affect some remote services, though rarely.
PKT_SANITY_INV="0"
# Defends against fragmented-UDP attacks. Safe to enable.
PKT_SANITY_FUDP="1"
# Blocks packets with a destination port of 0. Safe to enable.
PKT_SANITY_PZERO="1"
# Blocks packets whose destination or source is a known bad (stuffed) broadcast address.
# Under normal circumstances this does not affect server operation.
PKT_SANITY_STUFFED="0"
# Default Type of Service (TOS);
# Set the default TOS value [0,2,4,8,16]
TOS_DEF="0"
# Set the default TOS port range (the ports affected)
TOS_DEF_RANGE="512:65535"
# 0: Ports for Normal-Service (default)
TOS_0=""
# 2: Ports for Minimize-Cost
TOS_2=""
# 4: Ports for Minimize Delay - Maximize Reliability
TOS_4="22"
# 8: Ports for Maximum Throughput - Minimum Delay
TOS_8="21,20,80"
# 16: Ports for No Delay - Moderate Throughput - High Reliability
TOS_16="25,110,143"
# Allow traceroute requests on the defined range of ports. This feature
# is not required for normal operations and some even prefer it disabled.
# Enable Traceroute (traceroute ports)
TCR_PASS="2"
TCR_PORTS="33434:33534"
# Sets the ICMP rate limit; ICMP packets above this threshold are blocked.
# Can be given as pkt/s (packets per second) or pkt/m (packets per minute).
# Set 0 to disable; any other value enables it.
ICMP_LIM="30/s"
# Generates trust rules for the DNS servers configured in /etc/resolv.conf.
RESV_DNS="1"
# When RESV_DNS is enabled, all the untrusted name server traffic can fill the
# logs with client DNS traffic. This can be suppressed with an implicit drop
# of all such traffic (sport 53 inbound) as so to avoid log chains. If you run
# applications that have unique name servers configured, this may break them.
# Avoids log buildup from untrusted DNS traffic when the option above is enabled. (My guess.)
RESV_DNS_DROP="1"
# A common set of known Peer-To-Peer (p2p) protocol ports that are often
# considered undesirable traffic on public Internet servers. These ports
# are also often abused on web hosting servers where clients upload p2p
# client agents for the purpose of distributing or downloading pirated media.
# Format is comma separated for single ports and an underscore separator for
# ranges (4660_4678). Blocks common p2p ports.
BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778"
# These are common Internet service ports that are understood in the wild
# services you would not want logged under normal circumstances. All ports
# that are defined here will be implicitly dropped with no logging for
# TCP/UDP traffic inbound or outbound. Format is comma separated for single
# ports and an underscore separator for ranges (135_139). Commonly blocked ports.
BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
# You need multicasting if you intend to participate in the MBONE, a high
# bandwidth network on top of the Internet which carries audio and video
# broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/, this is generally
# safe to enable. Multicast.
BLK_MCATNET="0"
# Block all private ipv4 addresses, this is address space reserved for private
# networks or otherwise unroutable on the Internet. If this host resides behind
# a router with NAT or routing scheme that otherwise uses private addressing,
# leave this option OFF. Refer to the 'internals/private.networks' file for
# listing of private address space. Blocks all private IP addresses.
BLK_PRVNET="0"
# Block all reserved (unallocated) IPv4 addresses; these addresses do not appear on the Internet.
# However they may at some point become live address space. The USE_RD
# option further in this file allows for dynamic updating of this list on every full
# restart of APF. Refer to the 'internals/reserved.networks' file for listing of
# address space.
BLK_RESNET="1"
# Block all ident (tcp 113) requests in and out of the server IF the port is not
# already opened in *_TCP_CPORTS. This uses a REJECT target to make sure
# the ident requests terminate quickly. You can see an increase in irc and
# other connection performance with this feature.
BLK_IDENT="0"
# This is the maximum number of "sessions" (connection tracking entries) that
# can be handled simultaneously by the firewall in kernel memory. Increasing
# this value too high will simply waste memory - setting it too low may result
# in some or all connections being refused, in particular during denial of
# service attacks. Maximum number of connection-tracking entries.
SYSCTL_CONNTRACK="34576"
# These are system control (sysctl) option changes to disable TCP features
# that can be abused in addition to tweaking other TCP features for increased
# performance and reliability.
SYSCTL_TCP="1"
# These are system control (sysctl) option changes intended to help mitigate
# syn-flood attacks by lowering syn retry, syn backlog & syn time-out values.
# Lowers SYN retries to mitigate syn-flood attacks.
SYSCTL_SYN="1"
# These are system control (sysctl) option changes to provide protection from
# spoofed packets and ip/arp/route redirection. If you are performing advanced
# routing policies on this host such as NAT/MASQ you should disable this.
SYSCTL_ROUTE="0"
# This system control (sysctl) option will log all network traffic that is
# from impossible source addresses. This option can discover attacks or issues
# on your network you may otherwise not be aware of.
# Logs packets with invalid (martian) source addresses.
SYSCTL_LOGMARTIANS="0"
# This system control (sysctl) option will allow you to control ECN support
# (Explicit Congestion Notification). This feature provides an improved method
# for congestion avoidance by allowing the network to mark packets for
# transmission later, rather than dropping them from the queue. Please also
# see related USE_ECNSHAME option further down in this file.
# TCP Explicit Congestion Notification (ECN).
SYSCTL_ECN="0"
# This system control (sysctl) option will allow you to make use of SynCookies
# support. Enables syn-cookies to defend against tcp-flood attacks.
# Note: syncookies seriously violates TCP protocol and can result in serious
# degradation of some services (i.e. SMTP); visible not by you, but your
# clients and relays who are contacting your system.
SYSCTL_SYNCOOKIES="1"
# This system control (sysctl) option allows for the use of Abort_On_Overflow
# support. Enables abort-on-overflow: when a daemon is too busy to accept new
# connections, a reset is sent. Do not set this unless you are sure the daemon
# really cannot complete requests, because it affects users.
SYSCTL_OVERFLOW="0"
# The helper chains are designed to assist applications in working with the
# stateful firewall in a more reliable fashion.
# Make sure these settings match the open SSH and FTP ports.
# Do not confuse these settings with opening the SSH/FTP ports; they are unrelated. They only
# help maintain ESTABLISHED,RELATED connection state and have nothing to do with NEW.
HELPER_SSH="1"
HELPER_SSH_PORT="22"
HELPER_FTP="1"
HELPER_FTP_PORT="21"
HELPER_FTP_DATA="20"
# Configure inbound (ingress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
# Configure the open ports (allowed inbound, i.e. the ports this host listens on)
# Example:
# IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
# IG_UDP_CPORTS="20,21,53,123"
# IG_ICMP_TYPES="3,5,11,0,30,8"
# Inbound TCP ports allowed
IG_TCP_CPORTS="22"
# Inbound UDP ports allowed
IG_UDP_CPORTS=""
# Inbound ICMP types allowed
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
# Configure outbound (egress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory.
# Configure outbound (egress) filtering.
# Outbound (egress) filtering is not required but makes your firewall setup
# complete by providing full inbound and outbound packet filtering. You can
# toggle outbound filtering on or off with the EGF variable. Format is comma
# separated and underscore separator for ranges.
# Example:
# EG_TCP_CPORTS="21,25,80,443,43"
# EG_UDP_CPORTS="20,21,53"
# EG_ICMP_TYPES="all"
# Outbound (egress) filtering; off by default
EGF="0"
# Common outbound (egress) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
# Common outbound (egress) UDP ports
EG_UDP_CPORTS="20,21,53"
# Common ICMP outbound (egress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
# Configure user-id specific outbound (egress) port access.
# Configure per-UID outbound restrictions: a fine-grained setting that binds a uid to specific port numbers.
# Format is comma separated and underscore separator for ranges.
# This is NOT A FILTERING FEATURE, this is an ACCESS CONTROL feature.
# That means EG_TCP_UID and EG_UDP_UID are intended to ALLOW outbound
# access for specified users, not DENY.
# Format: EG_[TCP|UDP]_UID="uid:port"
# Example:
# Allow outbound access to destination port 22 for uid 0
# EG_TCP_UID="0:22"
# UID-Match outbound (egress) TCP ports
EG_TCP_UID=""
# UID-Match outbound (egress) UDP ports
EG_UDP_UID=""
# Configure executable specific outbound (egress) filtering. This is a more
# granular feature to limit the scope of outbound packet flows with executable
# conditioning. The packet filtering is based on the CMD process field being
# passed along to iptables. All logged events for these rules will also include
# the executable CMD name in the log chain. This is A FILTERING FEATURE, not
# an ACCESS CONTROL feature. That means EG_DROP_CMD is intended to
# DENY outbound access for specified programs, not ALLOW.
# Blocks outbound traffic from specific programs.
#
# Format is comma separated list of executable names you wish to ban from
# being able to transmit data out of your server.
# CMD-Match outbound (egress) denied applications
EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl"
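The ingress, egress, per-UID and stop-policy settings are easiest to understand by looking at the iptables rules they imply. The shell script below is an added example, not code from APF: it converts APF's port-list syntax (commas for single ports, underscore for ranges) into iptables multiport syntax, checks whether a port is covered by a list (used here as a lock-out check on the SSH helper port, the risk the VF_ROUTE comment warns about), maps TCP_STOP to an iptables target, and prints the resulting rules without applying them. All values are constructed, the function names are our own, and only the variable names come from conf.apf; EG_TCP_UID is assumed to take comma-separated uid:port pairs as its format description states.

```shell
#!/bin/sh
# Added example, not APF's own code: dry-run translation of ingress/egress
# settings to iptables rules, plus a lock-out check. Values are constructed.

IFACE_IN="eth0"
IFACE_OUT="eth0"
IG_TCP_CPORTS="22,80,443,6000_7000"
HELPER_SSH_PORT="22"
EG_TCP_UID="0:22,48:80"   # assumed format: comma-separated uid:port pairs
TCP_STOP="DROP"

# apf_to_multiport LIST -> same list with ranges written lo:hi (multiport syntax)
apf_to_multiport() {
    printf '%s\n' "$1" | tr '_' ':'
}

# apf_port_listed PORT LIST -> true if PORT is a single entry or inside a range
apf_port_listed() {
    port=$1
    case $port in ''|*[!0-9]*) return 2 ;; esac   # refuse non-numeric input
    oldifs=$IFS; IFS=','; set -- $2; IFS=$oldifs
    for item in "$@"; do
        case $item in
            *_*) lo=${item%_*}; hi=${item#*_}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$port" -eq "$item" ] && return 0 ;;
        esac
    done
    return 1
}

# apf_stop_target PROTO POLICY -> iptables target for a TCP_STOP/UDP_STOP value
apf_stop_target() {
    case $1:$2 in
        *:DROP)       echo "DROP" ;;
        *:REJECT)     echo "REJECT" ;;
        tcp:RESET)    echo "REJECT --reject-with tcp-reset" ;;
        udp:RESET)    echo "REJECT --reject-with icmp-port-unreachable" ;;
        udp:PROHIBIT) echo "REJECT --reject-with icmp-host-prohibited" ;;
        *) echo "unknown stop policy '$2' for $1" >&2; return 1 ;;
    esac
}

# apf_emit_ingress LIST -> one multiport ACCEPT rule for LIST
apf_emit_ingress() {
    printf 'iptables -A INPUT -i %s -p tcp -m state --state NEW -m multiport --dports %s -j ACCEPT\n' \
        "$IFACE_IN" "$(apf_to_multiport "$1")"
}

# apf_ingress_rules -> ACCEPT rules for IG_TCP_CPORTS followed by the TCP_STOP rule.
# multiport takes at most 15 ports per rule and a range counts as two, so the
# list is split into chunks accordingly.
apf_ingress_rules() {
    oldifs=$IFS; IFS=','; set -- $IG_TCP_CPORTS; IFS=$oldifs
    chunk=""; cost=0
    for item in "$@"; do
        case $item in *_*) w=2 ;; *) w=1 ;; esac
        if [ $((cost + w)) -gt 15 ]; then
            apf_emit_ingress "$chunk"; chunk=""; cost=0
        fi
        chunk="${chunk:+$chunk,}$item"; cost=$((cost + w))
    done
    [ -n "$chunk" ] && apf_emit_ingress "$chunk"
    printf 'iptables -A INPUT -i %s -p tcp -j %s\n' "$IFACE_IN" "$(apf_stop_target tcp "$TCP_STOP")"
}

# apf_uid_rules -> owner-match ACCEPT rules for EG_TCP_UID ("uid:port" pairs)
apf_uid_rules() {
    oldifs=$IFS; IFS=','; set -- $EG_TCP_UID; IFS=$oldifs
    for pair in "$@"; do
        printf 'iptables -A OUTPUT -o %s -p tcp --dport %s -m owner --uid-owner %s -j ACCEPT\n' \
            "$IFACE_OUT" "${pair#*:}" "${pair%%:*}"
    done
}

# apf_lockout_check -> fails (and warns) when the SSH helper port is not opened inbound
apf_lockout_check() {
    apf_port_listed "$HELPER_SSH_PORT" "$IG_TCP_CPORTS" && return 0
    echo "WARNING: tcp/$HELPER_SSH_PORT is not in IG_TCP_CPORTS; a remote start would lock you out" >&2
    return 1
}

apf_lockout_check
apf_ingress_rules
apf_uid_rules
```

Run it as-is to read the rule set it would produce; it never calls iptables itself. One caveat on the EG_DROP_CMD option above: it depends on the owner match's --cmd-owner, which was removed from the Linux kernel in 2.6.14, so on a current kernel check `iptables -m owner --help` before relying on that setting.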