rfxn / advanced-policy-firewall

Advanced Policy Firewall (APF)
GNU General Public License v2.0

ipv6 not working #33

Open Anan5a opened 4 years ago

Anan5a commented 4 years ago

I'm trying to enable the ipv6 firewall. But it shows a warning/error

root@Debian-102-buster-64-minimal ~ # apf -r
# Warning: iptables-legacy tables present, use iptables-legacy to see them
apf(32178): {glob} flushing & zeroing chain policies
apf(32178): {glob} firewall offline
apf(32271): {glob} activating firewall
# Warning: iptables-legacy tables present, use iptables-legacy to see them
apf(32373): {glob} determined (IFACE_UNTRUSTED) enp35s0 has address 116.202.155.233
apf(32373): {glob} loading preroute.rules
apf(32373): {resnet} downloading http://cdn.rfxn.com/downloads/reserved.networks
apf(32373): {resnet} parsing reserved.networks into /etc/apf/internals/reserved.networks
apf(32373): {glob} loading reserved.networks
apf(32373): {glob} loading bt.rules
apf(32373): {php} downloading http://cdn.rfxn.com/downloads/php_list
apf(32373): {php} parsing php_list into /etc/apf/php_hosts.rules
apf(32373): {php} loading php_hosts.rules
apf(32373): {dshield} downloading http://feeds.dshield.org/top10-2.txt
apf(32373): {dshield} parsing top10-2.txt into /etc/apf/ds_hosts.rules
apf(32373): {dshield} loading ds_hosts.rules
apf(32373): {sdrop} downloading http://www.spamhaus.org/drop/drop.lasso
apf(32373): {sdrop} parsing drop.lasso into /etc/apf/sdrop_hosts.rules
apf(32373): {sdrop} loading sdrop_hosts.rules
apf(32373): {glob} loading common drop ports
apf(32373): {blk_ports} deny all to/from tcp port 135:139
apf(32373): {blk_ports} deny all to/from udp port 135:139
apf(32373): {blk_ports} deny all to/from tcp port 111
apf(32373): {blk_ports} deny all to/from udp port 111
apf(32373): {blk_ports} deny all to/from tcp port 513
apf(32373): {blk_ports} deny all to/from udp port 513
apf(32373): {blk_ports} deny all to/from tcp port 520
apf(32373): {blk_ports} deny all to/from udp port 520
apf(32373): {blk_ports} deny all to/from tcp port 445
apf(32373): {blk_ports} deny all to/from udp port 445
apf(32373): {blk_ports} deny all to/from tcp port 1433
apf(32373): {blk_ports} deny all to/from udp port 1433
apf(32373): {blk_ports} deny all to/from tcp port 1434
apf(32373): {blk_ports} deny all to/from udp port 1434
apf(32373): {blk_ports} deny all to/from tcp port 1234
apf(32373): {blk_ports} deny all to/from udp port 1234
apf(32373): {blk_ports} deny all to/from tcp port 1524
apf(32373): {blk_ports} deny all to/from udp port 1524
apf(32373): {blk_ports} deny all to/from tcp port 3127
apf(32373): {blk_ports} deny all to/from udp port 3127
apf(32373): {rab} set active RAB_SANITY
apf(32373): {pkt_sanity} set active PKT_SANITY
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ALL NONE
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs SYN,FIN SYN,FIN
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs SYN,RST SYN,RST
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs FIN,RST FIN,RST
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ACK,FIN FIN
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ACK,URG URG
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ACK,PSH PSH
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN,URG,PSH
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ALL SYN,RST,ACK,FIN,URG
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ALL ALL
apf(32373): {pkt_sanity} deny inbound tcp-flag pairs ALL FIN
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs ALL NONE
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs SYN,FIN SYN,FIN
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs SYN,RST SYN,RST
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs FIN,RST FIN,RST
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs ACK,FIN FIN
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs ACK,PSH PSH
apf(32373): {pkt_sanity} deny outbound tcp-flag pairs ACK,URG URG
apf(32373): {pkt_sanity} deny all fragmented udp
apf(32373): {pkt_sanity} deny inbound tcp port 0
apf(32373): {pkt_sanity} deny outbound tcp port 0
apf(32373): {blk_p2p} set active BLK_P2P
apf(32373): {blk_p2p} deny all to/from tcp port 1214
apf(32373): {blk_p2p} deny all to/from udp port 1214
apf(32373): {blk_p2p} deny all to/from tcp port 2323
apf(32373): {blk_p2p} deny all to/from udp port 2323
apf(32373): {blk_p2p} deny all to/from tcp port 4660:4678
apf(32373): {blk_p2p} deny all to/from udp port 4660:4678
apf(32373): {blk_p2p} deny all to/from tcp port 6257
apf(32373): {blk_p2p} deny all to/from udp port 6257
apf(32373): {blk_p2p} deny all to/from tcp port 6699
apf(32373): {blk_p2p} deny all to/from udp port 6699
apf(32373): {blk_p2p} deny all to/from tcp port 6346
apf(32373): {blk_p2p} deny all to/from udp port 6346
apf(32373): {blk_p2p} deny all to/from tcp port 6347
apf(32373): {blk_p2p} deny all to/from udp port 6347
apf(32373): {blk_p2p} deny all to/from tcp port 6881:6889
apf(32373): {blk_p2p} deny all to/from udp port 6881:6889
apf(32373): {blk_p2p} deny all to/from tcp port 6346
apf(32373): {blk_p2p} deny all to/from udp port 6346
apf(32373): {blk_p2p} deny all to/from tcp port 7778
apf(32373): {blk_p2p} deny all to/from udp port 7778
apf(32373): {glob} SET_REFRESH is set to 10 minutes
apf(32373): {glob} loading /etc/apf/allow_hosts.rules
apf(32373): {trust} allow all to/from 45.77.241.23/32
apf(32373): {trust} allow all to/from 87.121.98.240/32
apf(32373): {trust} allow all to/from 173.245.48.0/20
apf(32373): {trust} allow all to/from 103.21.244.0/22
apf(32373): {trust} allow all to/from 103.22.200.0/22
apf(32373): {trust} allow all to/from 103.31.4.0/22
apf(32373): {trust} allow all to/from 141.101.64.0/18
apf(32373): {trust} allow all to/from 108.162.192.0/18
apf(32373): {trust} allow all to/from 190.93.240.0/20
apf(32373): {trust} allow all to/from 188.114.96.0/20
apf(32373): {trust} allow all to/from 197.234.240.0/22
apf(32373): {trust} allow all to/from 198.41.128.0/17
apf(32373): {trust} allow all to/from 162.158.0.0/15
apf(32373): {trust} allow all to/from 104.16.0.0/12
apf(32373): {trust} allow all to/from 172.64.0.0/13
apf(32373): {trust} allow all to/from 131.0.72.0/22
apf(32373): {rab} set active RAB
apf(32373): {rab} set active RAB_PSCAN
apf(32373): {rab} RAB_PSCAN monitored ports 1,7,9,11,15,69,70
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
apf(32373): {glob} loading log.rules
apf(32373): {glob} virtual net subsystem disabled.
apf(32373): {glob} loading main.rules
apf(32373): {glob} opening inbound tcp port 22 on 0/0
apf(32373): {glob} opening inbound icmp type 3 on 0/0
apf(32373): {glob} opening inbound icmp type 5 on 0/0
apf(32373): {glob} opening inbound icmp type 11 on 0/0
apf(32373): {glob} opening inbound icmp type 0 on 0/0
apf(32373): {glob} opening inbound icmp type 30 on 0/0
apf(32373): {glob} opening inbound icmp type 8 on 0/0
apf(32373): {glob} resolv dns discovery for 213.133.100.100
apf(32373): {glob} resolv dns discovery for 213.133.99.99
apf(32373): {glob} resolv dns discovery for 213.133.98.98
apf(32373): {glob} resolv dns discovery for 2a01:4f8:0:1::add:9999
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9999' not found
Try `iptables -h' or 'iptables --help' for more information.
apf(32373): {glob} resolv dns discovery for 2a01:4f8:0:1::add:1010
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:1010' not found
Try `iptables -h' or 'iptables --help' for more information.
apf(32373): {glob} resolv dns discovery for 2a01:4f8:0:1::add:9898
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.2 (nf_tables): host/network `2a01:4f8:0:1::add:9898' not found
Try `iptables -h' or 'iptables --help' for more information.
apf(32373): {glob} loading postroute.rules
apf(32373): {glob} default (egress) output accept
apf(32373): {glob} default (ingress) input drop
apf(32271): {glob} firewall initialized
# Warning: iptables-legacy tables present, use iptables-legacy to see them
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
apf(32271): {glob} fast load snapshot saved

How can I enable ipv6 filtering?
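The "host/network not found" lines in the log above are what iptables prints when it is handed an IPv6 literal (here the IPv6 resolvers from resolv.conf); IPv6 rules have to go through ip6tables. The following is an added example, not APF's own code: it reads nameserver entries from a constructed resolv.conf sample that mirrors the addresses in the log, picks the binary for each address family, and prints the resulting rules. The allow rules themselves are illustrative placeholders and are assumed, not APF's real rule set.

```shell
#!/bin/sh
# Added example (not part of APF): split resolver addresses by family so
# IPv6 literals are never passed to iptables, which rejects them.

# Constructed sample mirroring the resolvers seen in the issue's log.
SAMPLE_RESOLV_CONF='nameserver 213.133.100.100
nameserver 213.133.99.99
nameserver 213.133.98.98
nameserver 2a01:4f8:0:1::add:9999
nameserver 2a01:4f8:0:1::add:1010
nameserver 2a01:4f8:0:1::add:9898'

# Print the firewall binary for an address: any colon means IPv6 literal,
# dotted form means IPv4 literal (or hostname), anything else is rejected.
fw_bin_for() {
    case "$1" in
        *:*) echo ip6tables ;;
        *.*.*.*) echo iptables ;;
        *) echo "" ;;
    esac
}

# Emit placeholder DNS-reply allow rules (assumed shape, not APF's rules)
# for one resolver, using the binary of the matching address family.
dns_rules_for() {
    bin=$(fw_bin_for "$1")
    [ -n "$bin" ] || return 1
    printf '%s -A INPUT -p udp -s %s --sport 53 -j ACCEPT\n' "$bin" "$1"
    printf '%s -A INPUT -p tcp -s %s --sport 53 -j ACCEPT\n' "$bin" "$1"
}

# Walk the nameserver lines of a resolv.conf body and print one rule set
# per resolver; unparseable entries are reported on stderr and skipped.
rules_from_resolv() {
    printf '%s\n' "$1" | while read -r key addr _; do
        [ "$key" = nameserver ] || continue
        dns_rules_for "$addr" || echo "# skipped nameserver: $addr" >&2
    done
}

# Count how many generated rules target a given binary (for checking
# that v4 and v6 resolvers were separated correctly).
rule_count_for_bin() {
    rules_from_resolv "$2" | grep -c "^$1 "
}

rules_from_resolv "$SAMPLE_RESOLV_CONF"
```

On a dual-stack host the same split applies to every address APF derives at runtime, not only the resolvers: any IPv6 entry must be loaded with ip6tables or it is silently dropped with the error shown above.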

jasonwee commented 4 years ago

can you try this?