Controlling the Adaptive Firewall with `afctl`

For those of you that don't know, afctl controls (is?) Leopard Server's Adaptive Firewall. It's a really cool program: you give it an IP address and a time-to-live in minutes, and that IP instantly gets firewalled for about that many minutes.
Here is the man page for the program:
http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/afctl.8.html
And here is the man page for its config file:
http://developer.apple.com/documentation/Darwin/Reference/ManPages/man5/af.plist.5.html
At first it seems like the perfect program. But I'm having big problems with it, all regarding rule numbers.
afctl's first firewall rule is number 1700. Its next rule is 1705. And so on and so on. Now my rules come from a script I have running on my server that automatically 'detects' abusers and blocks them. Rules last for 1 hour. So after the first hour of running, rule 1700 will expire, then 1705 and so on. New rules that are constantly getting generated are up to, let's just say, 1840.
So even though rules only last an hour, the rule numbers keep going up and up and up. This becomes a big problem because once the rules get to 12300, they overlap and then pass existing rules in ipfw. Once they surpass this, incoming packets are matched and accepted before they get to their block rule (generated by afctl). So every second or so, another and another and another firewall rule gets added to block that same IP. But the rules are so high they don't work. Multiply this by 30 or 40 IPs at a time and you can see how, once my afctl rules get to 12300, total chaos ensues.
If I totally disable my script for two hours and let all my afctl rules expire, then I can re-enable the script and it will start generating rules again at 1700. But this can be a problem; sometimes I'm getting more traffic than I can handle during those two hours. After about 250 requests per second, things start to get sketchy.
I need a way to manage these rule numbers without having to turn off the script that makes these rules.
One thing that confuses me is the 'default_set' setting in the af.plist file. I'm not sure what this means, but does this somehow let me put my afctl rules into their own 'group'? The default setting for 'default_set' in my plist file is 17. That means nothing to me though. Reading the ipfw man page, it refers to its whole configuration as its 'ruleset'. So I'm not sure what this setting is, or if it can help me.
As it stands now, I have to 'reset' my rules (by way of disabling my script and letting all afctl-created rules expire) about every other day. If I could have afctl rules increment by 1 instead of 5, that would give me about 10 days. Still a band-aid, but a better band-aid. If there were a way to make afctl choose the lowest available rule number greater than 1699, so that as rules expired their numbers would be recycled, that would also work. Although I'd feel better if my dynamic rules also had a greater range to live in than 1700-12300. But I'd have to be under one **** of an attack for that not to be enough.

Well I found a solution, but it's not great. I run the following commands daily (nightly).
sudo rm /var/db/af/blacklist;
sudo ipfw delete set 17;
sudo /usr/libexec/afctl;
This deletes any memory afctl has of its rules. Then it manually deletes all the rules it's made. Then it recreates its database file.
This will make your rules start over every night so you won't get 'rule number overflow' headaches.
OF COURSE the whole point of afctl is auto-expiring firewall rules. So if you're going to do this, I might as well have my server firewall addresses directly in ipfw instead of bothering with afctl. I'm going to leave it using afctl now only because it's already set up and running. At least I can be away from my server now without having a rule number overflow, which for several different reasons brings my server to its knees.
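The rule-number exhaustion this thread describes, as an added simulation that is not afctl's or Apple's code: a counter stepping by 5 from 1700 crosses the ipfw "allow ip from any to any" rule at 12300 after 2120 blocks, and every block rule added after that never matches, whereas an allocator that reuses the lowest free number above 1699 (the behaviour the post wishes afctl had) stays bounded by the number of rules alive within the TTL. The model assumes one block per minute and the post's one-hour TTL; the class and function names are my own.

```python
from dataclasses import dataclass, field

FIRST_RULE = 1700       # afctl's first rule number (from the post)
STEP = 5                # afctl increments rule numbers by 5 (from the post)
ALLOW_ALL_RULE = 12300  # ipfw 'allow ip from any to any'; block rules numbered above it never match

def blocks_until_overflow(step=STEP):
    """How many block rules fit below the allow-all rule for a given increment."""
    return (ALLOW_ALL_RULE - FIRST_RULE) // step

@dataclass
class BlockRules:
    """Model (not afctl's code) of afctl-managed block rules, each with a TTL in minutes."""
    recycle: bool                 # True: reuse lowest free number; False: afctl's ever-increasing counter
    ttl: int = 60                 # the post's rules last one hour
    live: dict = field(default_factory=dict)  # rule number -> expiry minute
    next_number: int = FIRST_RULE
    ineffective: int = 0          # rules added at or above ALLOW_ALL_RULE (they never match)

    def expire(self, now):
        self.live = {n: t for n, t in self.live.items() if t > now}

    def allocate(self):
        if self.recycle:          # lowest free number >= FIRST_RULE, so expired numbers come back
            n = FIRST_RULE
            while n in self.live:
                n += STEP
            return n
        n = self.next_number      # afctl's behaviour as the post describes it: numbers only go up
        self.next_number += STEP
        return n

    def block(self, now):
        """Add one block rule at minute `now`; return its rule number."""
        self.expire(now)
        n = self.allocate()
        self.live[n] = now + self.ttl
        if n >= ALLOW_ALL_RULE:
            self.ineffective += 1
        return n

def simulate(recycle, interval_minutes=1, hours=48):
    """Add one block every interval_minutes for `hours`; return (highest rule number, dead rules)."""
    rules = BlockRules(recycle=recycle)
    highest = 0
    for i in range(hours * 60 // interval_minutes):
        highest = max(highest, rules.block(i * interval_minutes))
    return highest, rules.ineffective
```

Over two simulated days at one block per minute the monotonic counter reaches rule 16095 with 760 dead rules, while recycling never goes above 1995; `blocks_until_overflow(1)` shows the five-fold headroom that stepping by 1 would buy.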
