
So, I've been actively banning IPs of malicious users. Previously, I only used iptables to do this, but since giving APF a whirl, I've been having issues. It appears that there is a limit to the number of rules you can set with APF.

I've got a list of about 200 IPs to block, but after entering apf -d , only the most recently added ones are in the deny list.

Looking at hosts.deny, it is empty, so I suppose I could add them there, but it seems to make APF useless if I have to use other methods to do what I expect it to do.

APF is a wrapper for iptables, and in looking at iptables, I see 102 IPs being blocked there.

Does anyone know of what would be limiting the number of TDENY rules?


1 Answer


Within the APF config file, usually located at /etc/apf/conf.apf, search for SET_TRIM. Default appears to be 150, which can be changed to unlimited or a specific number.

Also, the refresh value can be changed to set how long APF waits between refreshes of the rules. When this is active, it will issue an iptables flush, clearing any rules that you set directly with iptables.

# This controls how often, if at all, we want the trust system to refresh rules.
# The firewall will flush & reload all static rules, redownload global rules and
# re-resolve any dns names in the rules. This is ideal when using dynamic dns
# names or downloadable global trust rules. [value in minutes, 0 to disable]
SET_REFRESH="10"

# This is the total amount of rules allowed inside of the deny trust system.
# When this limit is reached, the deny rule files will begin to purge older
# entries to maintain the set limit. [value is max lines, 0 for unlimited]
SET_TRIM="150"
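An added example, not from the answer above: a small POSIX shell check that reads SET_TRIM from a conf.apf-style file, counts the entries in a deny list, and reports how many entries APF's trim logic would purge. The sample conf and deny file are constructed here; the deny-list path /etc/apf/deny_hosts.rules on a real host is an assumption.

```shell
# Added example (not the original poster's or APF's code). Reports how many deny
# entries exceed SET_TRIM. Sample files are constructed below; on a real host point
# the functions at /etc/apf/conf.apf and /etc/apf/deny_hosts.rules (assumed path).

# Print the numeric SET_TRIM value from a conf.apf-style file (0 means unlimited).
apf_set_trim() {
    sed -n 's/^SET_TRIM="\([0-9]*\)"$/\1/p' "$1"
}

# Count active deny entries: lines that are neither blank nor comments.
apf_deny_count() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Print how many entries would be purged to honour SET_TRIM; 0 when none would be.
apf_overflow() {
    trim=$(apf_set_trim "$1")
    : "${trim:?SET_TRIM not found in $1}"
    count=$(apf_deny_count "$2")
    if [ "$trim" -eq 0 ] || [ "$count" -le "$trim" ]; then
        echo 0
    else
        echo $((count - trim))
    fi
}

# Constructed sample input: the default SET_TRIM of 150 and a 200-entry deny list
# built from TEST-NET-1 (192.0.2.0/24) documentation addresses.
tmpdir=$(mktemp -d)
cat > "$tmpdir/conf.apf" <<'EOF'
# constructed conf.apf fragment
SET_REFRESH="10"
SET_TRIM="150"
EOF
: > "$tmpdir/deny_hosts.rules"
i=1
while [ "$i" -le 200 ]; do
    echo "192.0.2.$i" >> "$tmpdir/deny_hosts.rules"
    i=$((i + 1))
done

echo "deny entries: $(apf_deny_count "$tmpdir/deny_hosts.rules")"
echo "entries APF would purge: $(apf_overflow "$tmpdir/conf.apf" "$tmpdir/deny_hosts.rules")"
```

With the sample input the check reports 50 entries over the limit, which matches the symptom in the question: only the most recently added addresses survive.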