
Adaptive Firewall, afctl, problem with rule numbers
l008com  (op)
Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
Jun 14, 2008, 01:09 AM
 
Finally, after much research, I found what I was looking for: the CLI program that lets you pop custom temporary firewall rules into the adaptive firewall. That would be afctl. You just tell it the IP and the time to live in minutes, and it takes care of the rest. So I set up a script on my web site that automatically firewalls site abusers for an hour. Meanwhile tens of thousands of legit users load the site every day. It was working great; I'd even say perfect. Load averages were single digits (like 0.04, etc.). For about 4 days.

You see, these adaptive firewall rules start at number 01700. Every new rule increments by 5. There are no options that I can see for afctl to set the rule number; it's generated automatically. My rules only last for an hour, so while at any given time I only have about 50 active rules, I still have thousands of rules rotating through over a short amount of time. So the problem is that after 4 days, the dynamic rule numbers caught up to the regular rules, the default ones that are built into the firewall, 12300 and up. So the adaptive rules would go in after those rules, which means the adaptive rules were ignored. Which ALSO means that when an abuser is hitting my website every second and the rules don't count, my script is adding a new rule for the same IP every second, a rule that is getting ignored because the rule number is so high.

There is very little info on the adaptive firewall on the internet, and very few people seem to know anything about it. But hopefully someone will know a way I can get the rule numbers under control and start protecting my server again. I had to disable my system since it wasn't working, and now my server is getting slammed.
     
l008com  (op)
Jun 17, 2008, 04:11 AM
 
SO

If I disable my script, or in other words if I don't run afctl for about two hours... long enough for all rules to expire, and then some...

Then if I turn the script back on, it will start again at 1700.
So how can I reset the rule numbers without stopping using afctl?
     
l008com  (op)
Jun 28, 2008, 01:14 AM
 
Well, I found a solution, but it's not great. I run the following commands daily (nightly).

sudo rm /var/db/af/blacklist;    # forget every rule afctl thinks it has added
sudo ipfw delete set 17;         # remove the rules themselves from ipfw
sudo /usr/libexec/afctl;         # let afctl recreate its database file

This deletes any memory afctl has of its rules. Then it manually deletes all the rules it's made. Then it recreates its database file.

This will make your rules start over every night, so you won't get 'rule number overflow' headaches.

OF COURSE the whole point of afctl is auto-expiring firewall rules. So if you're going to do this, I might as well have my server firewall addresses directly in ipfw instead of bothering with afctl. I'm going to leave it using afctl now only because it's already set up and running. At least I can be away from my server now without having a rule number overflow, which for several different reasons brings my server to its knees.
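The following is an added example, not code from any of the posts above. It turns the overflow described in the first post (afctl rules numbered upward from 01700 in steps of 5, ignored once they land past the static rules at 12300 because ipfw is first-match) into a check, and runs the nightly reset from the last post only when that check says it is needed, instead of blindly every night. Assumptions not stated on this page: afctl's rules live in ipfw set 17 (the post's `ipfw delete set 17` implies it), and the input is `ipfw -S list` output with the set printed as `set N` right after the rule number, which is the FreeBSD ipfw2 format (verify against your own `sudo ipfw -S list` before trusting it). The two rule listings below are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original posts. Detects afctl "rule number
# overflow": afctl numbers temporary rules from 01700 upward in steps of 5,
# ipfw is first-match, and the static rules start at 12300, so an afctl rule
# numbered 12300 or higher never fires.
# Assumed: afctl rules are in ipfw set 17; input looks like `ipfw -S list`
# on FreeBSD ipfw2 ("NNNNN set S <rule>"). Check your own server's output.

# Constructed sample of `sudo ipfw -S list` a few days in: afctl has already
# allocated 12310, past the first static rule at 12300.
SAMPLE_OVERFLOWED='01700 set 17 deny ip from 192.0.2.10 to any
01705 set 17 deny ip from 192.0.2.11 to any
12295 set 17 deny ip from 198.51.100.7 to any
12300 set 0 allow ip from any to any via lo0
12305 set 0 deny ip from any to 127.0.0.0/8
12310 set 17 deny ip from 203.0.113.9 to any
65535 set 31 allow ip from any to any'

# Constructed sample of a healthy box, far below the 12300 ceiling.
SAMPLE_HEALTHY='01700 set 17 deny ip from 192.0.2.10 to any
01705 set 17 deny ip from 192.0.2.11 to any
12300 set 0 allow ip from any to any via lo0
65535 set 31 allow ip from any to any'

# highest_rule_in_set SET: largest rule number in SET on stdin (0 if none).
highest_rule_in_set() {
  awk -v want="$1" '$2 == "set" && $3 == want && $1 + 0 > max { max = $1 + 0 }
                    END { print max + 0 }'
}

# lowest_rule_not_in_set SET: first rule outside SET, i.e. the ceiling that
# afctl's numbers must stay below (65536 if there are none).
lowest_rule_not_in_set() {
  awk -v want="$1" 'BEGIN { min = 65536 }
                    $2 == "set" && $3 != want && $1 + 0 < min { min = $1 + 0 }
                    END { print min }'
}

# rules_left SET: how many more afctl rules (5 numbers each) still fit
# below the ceiling; 0 once the allocator has caught up with the static rules.
rules_left() {
  input=$(cat)
  hi=$(printf '%s\n' "$input" | highest_rule_in_set "$1")
  lo=$(printf '%s\n' "$input" | lowest_rule_not_in_set "$1")
  if [ "$hi" -eq 0 ]; then hi=1695; fi   # no afctl rules yet: next is 01700
  if [ "$hi" -ge "$lo" ]; then echo 0; else echo $(( (lo - hi - 1) / 5 )); fi
}

# overflow_check SET: prints "ok" (exit 0) or "overflow" (exit 1).
overflow_check() {
  left=$(rules_left "$1")
  if [ "$left" -gt 0 ]; then echo "ok: $left afctl rules left"; return 0; fi
  echo "overflow: afctl rules are numbered past the static rules"
  return 1
}

# reset_afctl: the nightly reset from the last post, run only on demand.
# Only prints the commands unless AFCTL_APPLY=1, so the demo below is harmless.
reset_afctl() {
  for cmd in 'rm /var/db/af/blacklist' 'ipfw delete set 17' '/usr/libexec/afctl'; do
    if [ "${AFCTL_APPLY:-0}" = 1 ]; then sudo $cmd; else echo "would run: sudo $cmd"; fi
  done
}

# Demo on the constructed samples. On the real server the cron job would be:
#   sudo ipfw -S list | overflow_check 17 || AFCTL_APPLY=1 reset_afctl
for sample in "$SAMPLE_HEALTHY" "$SAMPLE_OVERFLOWED"; do
  printf '%s\n' "$sample" | overflow_check 17 || reset_afctl
done
```

Run hourly from cron, this resets only when the allocator is about to cross the static rules, so the hour-long auto-expiry afctl was chosen for keeps working the rest of the time. `rules_left` is also a cheap health metric to graph: with the poster's churn it drops from about 2120 to 0 over roughly four days.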
     
   