APF Common Commands with Examples

Posted on January 1, 2016 at 2:49 pm by Jithin

This documentation covers the common APF (Advanced Policy Firewall) commands, each with a sample session showing its output.


1) Stop APF.

apf -f

root@localhost [/usr/src/apf-9.7-2]# apf -f
eth0: error fetching interface information: Device not found
apf(9587): {glob} flushing & zeroing chain policies
apf(9587): {glob} firewall offline
root@localhost [/usr/src/apf-9.7-2]#


2) Start APF.

apf -s

root@localhost [/usr/src/apf-9.7-2]# apf -s
apf(9773): {glob} activating firewall
apf(9821): {glob} could not verify that interface eth0 is routed to a network, aborting.
apf(9773): {glob} firewall initalized
apf(9773): {glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes.
root@localhost [/usr/src/apf-9.7-2]#

3) Restart APF.

apf -r

root@localhost [/usr/src/apf-9.7-2]# apf -r
apf(10209): {glob} flushing & zeroing chain policies
apf(10209): {glob} firewall offline
apf(10248): {glob} activating firewall
apf(10296): {glob} could not verify that interface eth0 is routed to a network, aborting.
apf(10248): {glob} firewall initalized
apf(10248): {glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes.
root@localhost [/usr/src/apf-9.7-2]#


4) Output all configuration options.

apf -o

root@localhost [/usr/src/apf-9.7-2]# apf -o
APF version 9.7 <apf@r-fx.org>
Copyright (C) 2002-2011, R-fx Networks <proj@r-fx.org>
Copyright (C) 2011, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

DEVEL_MODE "1"
INSTALL_PATH "/etc/apf"
IFACE_IN "eth0"
IFACE_OUT "eth0"

5) Whitelist an IP address.

apf -a

root@localhost [/usr/src/apf-9.7-2]# apf -a 192.168.1.2
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
apf(10852): (trust) added allow all to/from 192.168.1.2
root@localhost [/usr/src/apf-9.7-2]#


6) Block an IP address.

apf -d

root@localhost [/usr/src/apf-9.7-2]# apf -d 192.168.1.2
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
apf(10903): (trust) added deny all to/from 192.168.1.2
root@localhost [/usr/src/apf-9.7-2]#


7) Remove hosts from [glob]*_hosts.rules.

apf -u

root@localhost [/usr/src/apf-9.7-2]# apf -u
apf(11136): {trust} removed  from trust system
root@localhost [/usr/src/apf-9.7-2]#


8) List all firewall rules.

apf -l

Chain INPUT (policy ACCEPT 1 packets, 328 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1   328 acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 328 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1   328 acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain acctboth (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0            tcp  --  !lo    *       192.168.35.135       0.0.0.0/0            tcp dpt:80
2        0     0            tcp  --  !lo    *       0.0.0.0/0            192.168.35.135       tcp spt:80


9) APF status log.

apf -t

root@localhost [/usr/src/apf-9.7-2]# apf -t
eth0: error fetching interface information: Device not found
APF Status Log:
Dec 16 10:05:02 localhost apf(11565): {glob} firewall offline
Dec 16 10:05:02 localhost apf(11565): {glob} flushing & zeroing chain policies
Dec 16 10:00:02 localhost apf(11330): {glob} firewall offline
Dec 16 10:00:01 localhost apf(11330): {glob} flushing & zeroing chain policies
Dec 16 09:57:43 localhost apf(11136): {trust} removed  from trust system
Dec 16 09:55:01 localhost apf(11038): {glob} firewall offline
Dec 16 09:55:01 localhost apf(11038): {glob} flushing & zeroing chain policies
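As an added example (not part of the original post and not APF's own code), the following POSIX shell script turns the sessions above into checks a practitioner would run before `apf -s`: it reads `apf -o` text to flag DEVEL_MODE "1" (the firewall flushes every 5 minutes, as the `apf -s` session shows) and an IFACE_IN/IFACE_OUT that does not exist on the host (the cause of the "could not verify that interface eth0" abort), and it validates an IPv4 address before it is handed to `apf -a` or `apf -d`. The function names and the sample `apf -o` text are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks derived from
# the sessions above (DEVEL_MODE "1" flushes the firewall every 5 minutes;
# a missing IFACE_IN/IFACE_OUT made `apf -s` abort). Sample data is constructed.

# Value of one quoted option from apf -o text on stdin (DEVEL_MODE -> 1).
apf_option() {
    awk -v key="$1" '$1 == key { gsub(/"/, "", $2); print $2; exit }'
}

# True when DEVEL_MODE is "1" in the apf -o text passed as $1.
apf_devel_mode_enabled() {
    [ "$(printf '%s\n' "$1" | apf_option DEVEL_MODE)" = "1" ]
}

# True when IFACE_IN and IFACE_OUT from $1 both appear in the space-separated
# interface list $2 (on a live host: "$(ls /sys/class/net)").
apf_ifaces_present() {
    conf=$1; have=" $2 "
    for key in IFACE_IN IFACE_OUT; do
        iface=$(printf '%s\n' "$conf" | apf_option "$key")
        case "$have" in *" $iface "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Accept only a dotted-quad IPv4 address (octets 0-255) before handing it
# to `apf -a` / `apf -d`, so a typo never becomes a malformed trust rule.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Constructed sample mirroring the `apf -o` session above.
SAMPLE_APF_O='APF version 9.7 <apf@r-fx.org>
DEVEL_MODE "1"
INSTALL_PATH "/etc/apf"
IFACE_IN "eth0"
IFACE_OUT "eth0"'

# Returns 0 only when the firewall is safe to start; each problem goes to stderr.
apf_preflight() {
    rc=0
    apf_devel_mode_enabled "$1" && { echo "WARN: DEVEL_MODE is 1, firewall will flush every 5 minutes" >&2; rc=1; }
    apf_ifaces_present "$1" "$2" || { echo "WARN: IFACE_IN/IFACE_OUT not present on this host, apf -s will abort" >&2; rc=1; }
    return $rc
}
```

On a live host, run `apf_preflight "$(apf -o)" "$(ls /sys/class/net)"` before `apf -s`; with the constructed sample it fails because DEVEL_MODE is 1.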


If you have any doubts or need further help, please reach out to our support department.
