APF(1) General Commands Manual APF(1)NAME
apf - easy iptables based firewall system
SYNOPSIS
apf
DESCRIPTION
This manual page documents briefly the apf command. This manual page was written for the Debian distribution because the original program
does not have a manual page.
Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today's Internet
deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative
and present the user with an easy to follow process, from top to bottom of the configuration file. The management of APF on a day-to-day
basis is conducted from the command line with the 'apf' command, which includes detailed usage information and all the features one would
expect from a current and forward thinking firewall solution.
OPTIONS
apf follow the usual GNU command line syntax, with long options starting with two dashes (`-'). A summary of options is included below.
-s|--start
load all firewall rules
-r|--restart
stop (flush) & reload firewall rules
-l|--list
list all firewall rules
-t|--status
output firewall status log
-e|--refresh
refresh & resolve dns names in trust rules
-a <HOST CMT|--allow <HOST COMMENT>
add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
-d <HOST CMT|--deny <HOST COMMENT>
add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall
-u <HOST>|--remove <HOST>
remove host from [glob]*_hosts.rules and immediately remove rule from firewall
-o|--ovars
output all configuration options
COPYRIGHT
Copyright (C) 1999-2007, R-fx Networks <proj@r-fx.org>
Copyright (C) 2007, Ryan MacDonald <ryan@r-fx.org> This program may be freely redistributed under the terms of the GNU GPL
This manual page was written by Giuseppe Iuculano <giuseppe@iuculano.it>, for the Debian project (but may be used by others).
August 17, 2008 APF(1)
Check Out this Related Man Page
PYROMAN(8) System Manager's Manual PYROMAN(8)NAME
pyroman - a firewall configuration utility
SYNOPSIS
pyroman
[ -hvnspP ] [ -r RULESDIR ] [ -t SECONDS ]
[ --help ] [ --version ] [ --safe ] [ --no-act ]
[ --print ] [ --print-verbose ] [ --rules=RULESDIR ]
[ --timeout=SECONDS ] [ safe ]
DESCRIPTION
pyroman is a firewall configuration utility.
It will compile a set of configuration files to iptables statements to setup IP packet filtering for you.
While it is not necessary for operating and using Pyroman, you should have understood how IP, TCP, UDP, ICMP and the other commonly used
Internet protocols work and interact. You should also have understood the basics of iptables in order to make use of the full
functionality.
pyroman does not try to hide all the iptables complexity from you, but tries to provide you with a convenient way of managing a complex
networks firewall. For this it offers a compact syntax to add new firewall rules, while still exposing access to add arbitrary iptables
rules.
OPTIONS -r RULESDIR,--rules=RULES
Load the rules from directory RULESDIR instead of the default directory (usually /etc/pyroman )
-t SECONDS,--timeout=SECONDS
Wait SECONDS seconds after applying the changes for the user to type OK to confirm he can still access the firewall. This implies
--safe but allows you to use a different timeout.
-h, --help
Print a summary of the command line options and exit.
-V, --version
Print the version number of pyroman and exit.
-s, --safe, safe
When the firewall was committed, wait 30 seconds for the user to type OK to confirm, that he can still access the firewall (i.e. the
network connection wasn't blocked by the firewall). Otherwise, the firewall changes will be undone, and the firewall will be
restored to the previous state. Use the --timeout=SECONDS option to change the timeout.
-n, --no-act
Don't actually run iptables. This can be used to check if pyroman accepts the configuration files.
-p, --print
Instead of running iptables, output the generated rules.
-P, --print-verbose
Instead of running iptables, output the generated rules. Each statement will have one comment line explaining how this rules was
generated. This will usually include the filename and line number, and is useful for debugging.
CONFIGURATION
Configuration of pyroman consists of a number of files in the directory /etc/pyroman. These files are in python syntax, although you do
not need to be a python programmer to use these rules. There is only a small number of statements you need to know:
add_host
Define a new host or network
add_interface
Define a new interface (group)
add_service
Add a new service alias (note that you can always use e.g. www/tcp to reference the www tcp service as defined in /etc/services)
add_nat
Define a new NAT (Network Address Translation) rule
allow Allow a service, client, server combination
reject Reject access for this service, client, server combination
drop Drop packets for this service, client, server combination
add_rule
Add a rule for this service, client, server and target combination
iptables
Add an arbitrary iptables statement to be executed at beginning
iptables_end
Add an arbitrary iptables statement to be executed at the end
Detailed parameters for these functions can be looked up by caling
cd /usr/share/pyroman
pydoc ./commands.py
BUGS
None known as of pyroman-0.4 release
AUTHOR
pyroman was written by Erich Schubert <erich@debian.org>
SEE ALSO iptables(8), iptables-restore(8)iptables-load(8)PYROMAN(8)