APF(1) General Commands Manual APF(1)
NAME
apf - easy iptables based firewall system
This manual page documents briefly the apf command. This manual page was written for the Debian distribution because the original program does not have a manual page.
Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today's Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file. The management of APF on a day-to-day basis is conducted from the command line with the 'apf' command, which includes detailed usage information and all the features one would expect from a current and forward-thinking firewall solution.
apf follows the usual GNU command line syntax, with long options starting with two dashes (`--'). A summary of options is included below.
load all firewall rules
stop (flush) & reload firewall rules
list all firewall rules
output firewall status log
refresh & resolve dns names in trust rules
-a <HOST CMT>|--allow <HOST COMMENT>
add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
-d <HOST CMT>|--deny <HOST COMMENT>
add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall
-u <HOST>|--remove <HOST>
remove host from [glob]*_hosts.rules and immediately remove rule from firewall
output all configuration options
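As an added example (not part of apf or the Debian package), a POSIX shell helper that validates the HOST argument before invoking `apf -d <HOST> <COMMENT>`, so that a malformed address or a stray shell word never reaches the privileged firewall command. The apf path (/usr/sbin/apf, overridable through $APF) and the comment being passed to apf as a single argument are assumptions.

```shell
#!/bin/sh
# Added example, not apf's own code: validate a host (IPv4, IPv4/prefix or FQDN)
# before handing it to apf -d / apf -a.

# IPv4 dotted quad with optional /prefix (0-32); every octet must be <= 255.
valid_ipv4() {
    addr=${1%%/*}
    case "$1" in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    printf '%s\n' "$addr"   | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$prefix" -le 32 ] || return 1
    for o in $(printf '%s' "$addr" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Hostname: dot-separated labels of letters, digits and hyphens, alphabetic TLD.
valid_fqdn() {
    [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Accept only the character set apf rules need; then require IPv4 or FQDN shape.
valid_host() {
    case "$1" in ''|*[!A-Za-z0-9./-]*) return 1 ;; esac
    valid_ipv4 "$1" || valid_fqdn "$1"
}

# Deny a host with a comment; refuse anything that fails validation (exit 2).
# The comment is flattened to one line so the deny_hosts.rules entry stays intact.
apf_deny() {
    host=$1
    comment=$(printf '%s' "${2:-added by apf_deny helper}" | tr -d '\n\r')
    valid_host "$host" || { printf 'apf_deny: invalid host "%s"\n' "$host" >&2; return 2; }
    "${APF:-/usr/sbin/apf}" -d "$host" "$comment"   # assumed invocation: apf -d HOST COMMENT
}
```

Point $APF at `echo` to see the exact command line the helper would run before letting it touch the live rule set.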
Copyright (C) 1999-2007, R-fx Networks <email@example.com>
Copyright (C) 2007, Ryan MacDonald <firstname.lastname@example.org>
This program may be freely redistributed under the terms of the GNU GPL
This manual page was written by Giuseppe Iuculano <email@example.com>, for the Debian project (but may be used by others).
August 17, 2008 APF(1)
FIAIF(8) Administration and Privileged Commands FIAIF(8)
NAME
fiaif - FIAIF is an Intelligent Firewall.
Fiaif deploys a packet-filtering firewall by reading configuration files and setting up IP packet filtering rules using iptables. The firewall is "zone" based, meaning that each network interface is associated with a defined piece of the "IP universe" on the other side of that interface from the host. A zone is defined in a text file (the zone configuration file) listing rules for the handling of IP traffic into, out of, and through the associated interface. The rules spell out which connections to accept, which to reject, which to ignore, and which to forward through the firewall. It is also possible to set up source and destination NAT for altering the source and/or destination addresses of packets as they pass through. All non-accepted packets are logged to the system log.
It should be noted that any packet related to an already accepted connection is allowed through the firewall.
start This will save the current state of netfilter, and apply the new firewall as described in the configuration files.
stop Restores the state saved when FIAIF was started.
Same as stop, start
This option is the same as start, although it does not use any previously saved rules, and can be used even if fiaif has already
Start/restart only traffic shaping. Useful if you are playing around with that part of the fiaif subsystem.
panic Shut off all IP traffic - don't accept any packets from anywhere for any reason. This can be used, for example, if uninvited guests
are discovered on the system to quickly close the firewall and start analyzing log files.
status Lists all rules in the firewall.
test Instead of deploying the firewall, all rules are written to the file specified in the "TEST_FILE" parameter in the global configuration file. This command also runs a sanity check on the networking configuration. Any problems or warnings arising from this check are printed to STDERR. Refer to http://www.linuxhq.com/kernel/v2.4/doc/networking/ip-sysctl.txt.html for details on settings tested. When deployed, FIAIF can automatically fix the warnings and/or errors displayed. Please see fiaif.conf(8) for more informa-
Start only traffic shaping. This option ignores the "ENABLE_TC" parameter in the global configuration file.
Stops the traffic shaping. This option ignores the "ENABLE_TC" parameter in the global configuration file.
Lists packet counters for all traffic classes.
The global configuration file. See fiaif.conf(8) for further details.
File containing rules generated by fiaif.
previous netfilter state
previous state of /proc before fiaif was started.
All illegal packets are logged to this file through syslog(3)
DIAGNOSTICS
Errors are logged to STDOUT. If any error is printed, then please recheck your configuration files.
If the NO_CLEANUP variable is set to a non-empty value, then rules are not cleaned up after FIAIF is started. This will speed up FIAIF
startup time, but at the cost of having lots of rules and performance may (on small systems with many zones) be affected. On a three zone
system FIAIF generated in total 310 rules. After cleaning up the rules, the number of rules was down to 241. A reduction of 22%.
The FIAIF_CONF environment variable can be used to specify an alternative global configuration file, rather than using the default /etc/fiaif/fiaif.conf. This can be used to ease switching between two different firewall configurations.
The test command line option is no guarantee that the firewall will perform as expected, only that the syntax is correct. Only limited semantic checks of rules are performed.
Report bugs to <firstname.lastname@example.org>.
Anders Fugmann <anders(at)fugmann.net>
SEE ALSO
fiaif.conf(8), zone.conf(8), iptables(8), syslog(3)
Linux Dec 2003 FIAIF(8)