Hey guys, I have a small problem with my APF. APF blocks me out of the server, which means I cannot connect to any service (mail, www, ftp, ssh, ...). How do I get APF to block me out? By uploading lots of files over FTP. For example, I uploaded some open-source CMS system and it had lots of files. During the upload over FTP, the transfer stopped, with no error message or anything. It sometimes continues after a few minutes. During this no-transfer time, I was blocked from all services. I then stopped APF and tried to upload the same files without APF, and guess what: it worked like a charm. Which means that APF is blocking me out. Question is, why on earth?!?! I haven't made any changes to APF, just added some ports, and that's about it. Anyone have any clues?
Do you have BFD or any other firewall running with APF? It may be as simple as the bottom of this page. http://www.webhostgear.com/61_print.html
BFD no, any other FW no. Only APF is running. Oh, and OSSEC HIDS. Could this be a problem? I checked ALL the log files right after the 'block' was removed and it started working again, and nothing. So basically I have no idea. Edit: it's the same without OSSEC running. So it's something wrong with APF.
I sure did. I don't really know APF that much, but by looking at the conf file I couldn't see anything that would do this. Here's the log file; is anything set wrong?

Code:

    #!/bin/sh
    DEVEL_MODE="0"
    INSTALL_PATH="/etc/apf"
    IFACE_IN="eth0"
    IFACE_OUT="eth0"
    IFACE_TRUSTED=""
    SET_VNET="0"
    SET_MONOKERN="1"
    VF_LGATE=""
    VF_ROUTE="1"
    VF_CROND="1"
    VF_UTIME="0"
    TCP_STOP="DROP"
    UDP_STOP="DROP"
    DSTOP="DROP"
    PKT_SANITY="1"
    PKT_SANITY_INV="0"
    PKT_SANITY_FUDP="1"
    PKT_SANITY_PZERO="1"
    PKT_SANITY_STUFFED="0"
    TOS_DEF_TOS="0"
    TOS_DEF_RANGE="512:65535"
    TOS_0=""
    TOS_2=""
    TOS_4=""
    TOS_8=""
    TOS_16=""
    TCR_PASS="1"
    TCR_PORTS="33434:33534"
    ICMP_LIM="30/s"
    RESV_DNS="1"
    RESV_DNS_DROP="1"
    BLK_P2P="1"
    BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778"
    BLK_MCATNET="0"
    BLK_PRVNET="0"
    BLK_RESNET="0"
    BLK_IDENT="0"
    SYSCTL_CONNTRACK="34576"
    SYSCTL_TCP="1"
    SYSCTL_SYN="1"
    SYSCTL_ROUTE="0"
    SYSCTL_LOGMARTIANS="0"
    SYSCTL_ECN="0"
    SYSCTL_SYNCOOKIES="1"
    SYSCTL_OVERFLOW="0"
    CDPORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
    IG_TCP_CPORTS="21,22,25,53,80,443,110,143,2222,49152_65534"
    IG_UDP_CPORTS="53"
    IG_ICMP_TYPES="3,5,11,0,30,8"
    EGF="1"
    EG_TCP_CPORTS="21,22,25,53,80,443,43"
    EG_UDP_CPORTS="21,53"
    EG_ICMP_TYPES="all"
    EG_TCP_UID=""
    EG_UDP_UID=""
    EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl"
    USE_DS="0"
    DS_URL="feeds.dshield.org/top10-2.txt" # block.txt url (no *://)
    DS_URL_PROT="http" # protocol to use for wget
    USE_RGT="0"
    GA_URL="yourhost.com/glob_allow.rules" # glob_allow.rules url (no *://)
    GA_URL_PROT="http" # protocol for use with wget
    GD_URL="yourhost.com/glob_deny.rules" # glob_deny.rules url (no *://)
    GD_URL_PROT="http" # protocol for use with wget
    USE_RD="1"
    RD_URL_PROT="http" # protocol to use for wget
    RD_URL="r-fx.ca/downloads/reserved.networks" # reserved.networks url
    USE_AD="0"
    LOG_DROP="0"
    LOG_LEVEL="crit"
    LOG_TARGET="LOG"
    LOG_IA="1"
    LOG_LGATE="0"
    LOG_EXT="0"
    LOG_RATE="30"
    LOG_APF="/var/log/apf_log"
    CNFINT="$INSTALL_PATH/internals/internals.conf"
    . $CNFINT
Well, if it's only you that gets blocked, have you considered adding yourself to the allow list? Has anyone else with a different IP address had the same issue?
Will ask a friend to do the same and we will see if it happens to him also. But even if this would happen to me only, which I doubt, I still want to know why on earth it does it to me. Putting my IP on the white list is just wrong, because there is a problem somewhere and that would not solve it. Edit: Right, friend just tried uploading lots of files and he also got blocked during the upload. So there is a problem with APF, an unknown problem.
Out of curiosity, I installed APF and BFD on CentOS. I'm sorry to say that uploading files through FTP also locks the upload. I can still access any other ports, more importantly port 22, to disable the damn thing. *sigh*, I have no solution and I'll look into this in the next few days. Please post if you get anywhere.
Shorewall runs OK on my systems with a direct connection to the internet. I have to admit I'm still fighting with Shorewall in a NAT/DNAT setup for a system in another datacenter, but that seems to be my lack of knowledge. Straightforward firewalling is quite easy. Only edit 4 configuration files and it already works.
Hi folks, one thing to check re: APF and blocking is if the RAB switch is set to 'on'. Reactive Address Blocking may well be the 'culprit' here if there's a rule for the amount of traffic in a given block of time. It's a guess, but I think one worth investigating. HTH, -Ray. PS: On my RHEL systems, that's located in /etc/apf/conf.apf
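An added example, written for this thread and not taken from any poster or from APF itself: a small POSIX shell audit of a conf.apf for the three settings the discussion turns on. It reads a constructed sample config whose values copy the conf posted above, plus RAB_* lines so the RAB branch has something to report (the RAB variable names follow APF 0.9.7's conf.apf; treat them as an assumption if your version differs). The posted conf has LOG_DROP="0", which means dropped packets are not written to the APF log at all, so "nothing in the log files" after a lockout is exactly what that setting produces. The passive-mode data port range is passed in as an argument because APF has no way of knowing what the FTP daemon uses; 50000-50100 below is a value chosen for the example, not from the thread.

```shell
#!/bin/sh
# Added example, not APF's own code: audit a conf.apf for settings that
# decide whether an FTP-upload lockout is visible, and where it can come from.

# write_sample_conf PATH: constructed sample; values copy the conf posted in
# this thread, RAB_* lines are assumed (APF 0.9.7 variable names).
write_sample_conf() {
    cat > "$1" <<'EOF'
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,2222,49152_65534"
LOG_DROP="0"
LOG_LEVEL="crit"
LOG_APF="/var/log/apf_log"
SYSCTL_CONNTRACK="34576"
RAB="1"
RAB_HITCOUNT="20"
RAB_TIMER="300"
RAB_TRIP="1"
EOF
}

# apf_get VAR FILE: value of the first VAR="..." line, quotes stripped.
apf_get() {
    sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# apf_port_open PORT LIST: true if PORT is covered by an APF port list,
# where entries are comma-separated and a range is written lo_hi.
apf_port_open() {
    port=$1
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        case $item in
            *_*)
                lo=${item%_*}
                hi=${item#*_}
                if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                    return 0
                fi
                ;;
            *)
                if [ "$port" -eq "$item" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# apf_audit FILE PASV_LO PASV_HI: print one finding per line. PASV_LO/HI is
# the passive data port range configured on the FTP daemon.
apf_audit() {
    f=$1
    pasv_lo=$2
    pasv_hi=$3

    # 1. Drops are only logged with LOG_DROP="1"; with "0", an empty log
    #    after a lockout proves nothing about what the firewall did.
    if [ "$(apf_get LOG_DROP "$f")" != "1" ]; then
        echo "LOG_DROP=0: dropped packets are not logged to $(apf_get LOG_APF "$f"); set LOG_DROP=\"1\" while debugging"
    fi

    # 2. RAB blocks a source after RAB_HITCOUNT hits inside RAB_TIMER seconds,
    #    for every port, which matches "blocked from all services".
    if [ "$(apf_get RAB "$f")" = "1" ]; then
        echo "RAB=1: $(apf_get RAB_HITCOUNT "$f") hits within $(apf_get RAB_TIMER "$f")s block the source address on all ports"
    fi

    # 3. Both ends of the passive range must sit inside IG_TCP_CPORTS, or the
    #    data connections are DROPped (a silent stall, not an error message).
    ports=$(apf_get IG_TCP_CPORTS "$f")
    if ! apf_port_open "$pasv_lo" "$ports" || ! apf_port_open "$pasv_hi" "$ports"; then
        echo "passive range ${pasv_lo}-${pasv_hi} is not fully inside IG_TCP_CPORTS=\"$ports\""
    fi
}

# Stand-alone run against the constructed sample.
SAMPLE_CONF=$(mktemp)
write_sample_conf "$SAMPLE_CONF"
apf_audit "$SAMPLE_CONF" 50000 50100
rm -f "$SAMPLE_CONF"
```

To run it against a live box, replace the sample path with /etc/apf/conf.apf and pass the passive range from the FTP daemon's own config. Turning LOG_DROP on and watching the rule counters in `iptables -L -n -v` during an upload shows whether the stall is the firewall dropping data connections at all, which is the question the thread never settles.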