running.fw
Posted: Mon Feb 24, 2014 8:16 am
by faris
What does /etc/asl/firewall/running.fw actually do? When does it get written to? Read from?
The reason I ask is that I had a situation where an IP was shunned, and it was shown as shunned in running.fw as well as in iptables -L. But when I unblocked it in ASL and whitelisted it (both via the Blocking window), the running.fw file (and the data shown in the firewall window) then showed the IP being shunned and allowed at the same time. Manually removing the shun entry from the firewall window in the ASL GUI removed the shun entry in the file.
[[ The circumstances that led to this may not be typical, as I was in the middle of switching a system from APF to the ASL firewall, which turned out to be a bit messy on this occasion for some reason ]]
Re: running.fw
Posted: Tue Feb 25, 2014 2:40 pm
by Imaging
faris:
Would you mind posting the general procedure you follow to go from APF to the ASL Firewall?
We have one such box that we've been thinking of moving strictly to the ASL Firewall.
Thanks.
Re: running.fw
Posted: Tue Feb 25, 2014 3:17 pm
by hostingg
I don't think you're supposed to modify that file. It seems like it's generated dynamically when you save rules from ASL.
Re: running.fw
Posted: Wed Feb 26, 2014 9:40 am
by scott
The short version is it is a snapshot of the running firewall policy when you are accessing the firewall interface. I don't recommend modifying that file unless you are me.
We are planning conversion tools to automate migrations from other firewall interfaces into the ASL interface. We'll be taking that on after the 4.0 release (which is soon!).
Re: running.fw
Posted: Thu Feb 27, 2014 1:17 pm
by faris
OK... this is what I *think* I did, and it is somewhat based on
http://www.atomicorp.com/forum/viewtopic.php?f=3&t=6695
1) Add allowed IPs (e.g. your own) to the ASL firewall via the GUI (Firewall, add rule, INPUT chain, INSERT, enter IP in SRC box, jump to ACCEPT)
2) Logout of GUI
3) service iptables stop
4) disabled iptables auto-start (using chkconfig or ntsysv)
5) delete /etc/cron.daily/apf
6) Disable APF auto-start (chkconfig or ntsysv)
7) Check for anything related to "refresh" or "apf" in /etc/cron.hourly or /etc/cron.daily or /etc/cron.d/ and remove or comment out.
8) Delete the apf script itself (wherever it might be). This should not be necessary if you have completely killed off the cron jobs that start it.
9) Add allowed ports in ASL GUI (main config, not firewall section)
http://www.atomicorp.com/wiki/index.php/ASL_firewall
WARNING: Read what it says in the GUI for what is default setting for each firewall switch. You will find some are enabled when they should be disabled, and vice versa. DROP_INVALID_LOG, for example, needs to be OFF otherwise you may find IPs get shunned for the wrong reason.
10) Stop APF/Flush rules:
apf -f (YOUR FIREWALL IS DOWN AT THIS POINT)
11) aum -u
12) asl -s -f
13) Check to see if APF has been expunged:
iptables -v -n -L | less
Use service asl-firewall-restart if need be
And it was at this point that things got in a mess for me. On one system I had to delete /etc/asl/firewall/running.fw because it had APF firewall rules in it, and nothing I did could get rid of them - they kept re-appearing. So maybe it was because I was logged in to the GUI and things got confused. I really don't know.
WARNING: You could lock yourself out of your system if anything I have written is in the wrong order or just plain wrong. Be warned.
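Two of the checks in the procedure above (step 7, hunting for leftover apf/refresh cron entries, and the allow-rule you need in place before the flush in step 10 so you do not lock yourself out) are easy to script. The helper below is an added example for this thread, not part of ASL or APF; it reads rule text from stdin so it can be fed either live `iptables -S INPUT` output or a saved copy, and the sample rules embedded in it are constructed.

```shell
#!/bin/sh
# Hypothetical pre-flight helper for the APF -> ASL firewall migration.
# Not part of ASL or APF. Usage on a real box:
#   iptables -S INPUT | has_allow_rule 203.0.113.10 || echo "add allow rule first"
#   find_apf_cron_leftovers /etc/cron.hourly /etc/cron.daily /etc/cron.d

# List files under the given cron directories that either are named after apf
# or mention apf/refresh in their contents (step 7 above). Output is sorted
# and de-duplicated so a file matching both tests is printed once.
find_apf_cron_leftovers() {
    { find "$@" -type f -iname '*apf*' 2>/dev/null
      grep -rlEi 'apf|refresh' "$@" 2>/dev/null; } | sort -u
}

# Read `iptables -S INPUT` style rules from stdin and return 0 only if an
# ACCEPT rule for the given source IP exists in the INPUT chain (the rule the
# GUI writes for "INPUT chain, INSERT, SRC, jump to ACCEPT"), 1 otherwise.
has_allow_rule() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
    grep -Eq -- "^-A INPUT .*-s ${ip_re}(/32)? .*-j ACCEPT"
}

# Constructed sample of `iptables -S INPUT` output, for demonstration only.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 203.0.113.10/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'

# Run both checks against the sample rules and the given cron directories.
# Returns 1 if the admin IP has no allow rule or APF leftovers remain.
preflight() {
    ip=$1; shift
    if ! printf '%s\n' "$SAMPLE_RULES" | has_allow_rule "$ip"; then
        echo "no ACCEPT rule for $ip in INPUT: do not flush yet" >&2
        return 1
    fi
    leftovers=$(find_apf_cron_leftovers "$@")
    if [ -n "$leftovers" ]; then
        echo "APF-related cron entries still present:" >&2
        echo "$leftovers" >&2
        return 1
    fi
    echo "pre-flight OK for $ip"
}
```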
Re: running.fw
Posted: Thu Feb 27, 2014 1:40 pm
by Imaging
Great, thanks for posting.
Re: running.fw
Posted: Thu Feb 27, 2014 4:36 pm
by faris
Oh, one more thing. If you delete running.fw, you are likely to remove all your "allow IP" rules. This is potentially bad and can lock you out. I suggest allowing port 22 temporarily by adding it to your normally open ports in the main asl config.
Re: running.fw
Posted: Thu Feb 27, 2014 6:40 pm
by mikeshinn
FYI, we are working on a migration tool to "suck in" existing rules upon install. As soon as it's available we'll let everyone know.