--- apf-firewall-9.7+rev1.orig/debian/apf-firewall.init
+++ apf-firewall-9.7+rev1/debian/apf-firewall.init
@@ -0,0 +1,70 @@
+#!/bin/sh
+#
+### BEGIN INIT INFO
+# Provides: apf-firewall
+# Required-Start: $network $local_fs $remote_fs
+# Required-Stop: $network $local_fs $remote_fs
+# Should-Start:
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start apf-firewall at boot time
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+DAEMON=/usr/sbin/apf
+INAME="apf-firewall"
+DESC="easy iptables based firewall system"
+LOGDIR=/var/log # Log directory to use
+
+test -x $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+
+# Include defaults if available
+if [ -f /etc/default/$INAME ] ; then
+ . /etc/default/$INAME
+fi
+
+# Use this if you want the user to explicitly set 'RUN' in
+# /etc/default/
+if [ "x$RUN" != "xyes" ] ; then
+ log_failure_msg "$INAME disabled, please adjust the configuration to your needs "
+ log_failure_msg "and then set RUN to 'yes' in /etc/default/$INAME to enable it."
+ exit 0
+fi
+
+set -e
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting $DESC " "$INAME"
+ /usr/sbin/apf --start >> /dev/null 2>&1
+ log_end_msg $?
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$INAME"
+ /usr/sbin/apf --stop >> /dev/null 2>&1
+ log_end_msg $?
+ ;;
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESC" "$INAME"
+ log_end_msg $?
+ $0 stop
+ $0 start
+ ;;
+ reload)
+ log_daemon_msg "Reloading $DESC configuration files" "$iNAME"
+ /usr/sbin/apf --refresh >> /dev/null 2>&1
+ log_end_msg $?
+ ;;
+ *)
+ N=/etc/init.d/$INAME
+ echo "Usage: $N {start|stop|restart|force-reload|reload}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
--- apf-firewall-9.7+rev1.orig/debian/apf-firewall.default
+++ apf-firewall-9.7+rev1/debian/apf-firewall.default
@@ -0,0 +1,8 @@
+# Defaults for apf-firewall initscript
+# sourced by /etc/init.d/apf-firewall
+# installed at /etc/default/apf-firewall by the maintainer scripts
+
+# Configure APF editing /etc/apf-firewall files (conf.apf is the principal config files)
+# Modify to RUN="yes" when you are ready
+RUN="no"
+
--- apf-firewall-9.7+rev1.orig/debian/apf-firewall.install
+++ apf-firewall-9.7+rev1/debian/apf-firewall.install
@@ -0,0 +1,3 @@
+files/apf usr/sbin
+files/* etc/apf-firewall
+.ca.def usr/share/doc/apf-firewall/extras
--- apf-firewall-9.7+rev1.orig/debian/changelog
+++ apf-firewall-9.7+rev1/debian/changelog
@@ -0,0 +1,49 @@
+apf-firewall (9.7+rev1-2) unstable; urgency=low
+
+ * [979a674] Updated my email address
+ * [a64f71f] Bump Standards-Version, no changes needed
+ * [f8d719f] init: Added $network $local_fs $remote_fs in Required-Stop
+ * [cc35d15] Added a README.source
+
+ -- Giuseppe Iuculano <iuculano@debian.org> Wed, 03 Mar 2010 15:38:09 +0100
+
+apf-firewall (9.7+rev1-1) unstable; urgency=low
+
+ * [2a35eda] Imported Upstream version 9.7+rev1
+ * [99a4772] Refreshing patches
+ * [00800d6] debian/control: Updated homepage field
+ * [9e8cb5e] Updated to standards version 3.8.2 (No changes needed)
+ * [b0e956e] Added wget in Depends
+
+ -- Giuseppe Iuculano <giuseppe@iuculano.it> Tue, 14 Jul 2009 17:46:08 +0200
+
+apf-firewall (9.6+rev5-3) unstable; urgency=low
+
+ * [ee70a07] Do not run cron.daily if /etc/default/apf-firewall hasn't
+ RUN=yes. (Closes: #517961)
+
+ -- Giuseppe Iuculano <giuseppe@iuculano.it> Tue, 03 Mar 2009 21:47:15 +0100
+
+apf-firewall (9.6+rev5-2) unstable; urgency=low
+
+ * [a5773ac] debian/rules: Use dh_prep instead of dh_clean -k and fix
+ dh-clean-k-is-deprecated lintian warning
+ * [79ba2e5] debian/copyright: Use © symbol and fix copyright-with-old-
+ dh-make-debian-copyright lintian warning
+ * [623ba1e] debian/apf-firewall.init: Added log_end_msg to avoid bad
+ formatting
+ * [0c18b65] Switch to quilt
+ * [ade7c24] debian/patches/01_fix_path.patch: Use /usr/sbin/apf
+ instead of /etc/apf-firewall/apf
+ * [928ef93] debian/rules: Do not install /etc/apf-firewall/apf
+ * [cb21d95] debian/apf-firewall.logrotate: Added weekly, rotate 7, and
+ compress options
+
+ -- Giuseppe Iuculano <giuseppe@iuculano.it> Wed, 25 Feb 2009 15:30:31 +0100
+
+apf-firewall (9.6+rev5-1) unstable; urgency=low
+
+ * Initial release (Closes: #495284)
+
+ -- Giuseppe Iuculano <giuseppe@iuculano.it> Fri, 29 Aug 2008 10:43:29 +0200
+
--- apf-firewall-9.7+rev1.orig/debian/postrm
+++ apf-firewall-9.7+rev1/debian/postrm
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -e
+
+# summary of how this script can be called:
+# * <postrm> `remove'
+# * <postrm> `purge'
+# * <old-postrm> `upgrade' <new-version>
+# * <new-postrm> `failed-upgrade' <old-version>
+# * <new-postrm> `abort-install'
+# * <new-postrm> `abort-install' <old-version>
+# * <new-postrm> `abort-upgrade' <old-version>
+# * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ purge)
+
+ rm -rf /etc/apf-firewall/
+ rm -f /var/log/apf_log
+ rm -f /etc/cron.d/refresh.apf
+ ;;
+ remove)
+
+ rm -f /var/log/apf_log
+ rm -f /etc/cron.d/refresh.apf
+ ;;
+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+
+
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+
+esac
+
+
+#DEBHELPER#
+
--- apf-firewall-9.7+rev1.orig/debian/docs
+++ apf-firewall-9.7+rev1/debian/docs
@@ -0,0 +1,2 @@
+README.apf
+files/extras
--- apf-firewall-9.7+rev1.orig/debian/README.Debian
+++ apf-firewall-9.7+rev1/debian/README.Debian
@@ -0,0 +1,30 @@
+apf-firewall for Debian
+-----------------------
+
+On your first installation of APF it will come pretty bare in the way of
+preconfigured options, this is intentional. The most common issue with many
+firewalls is that they come configured with so many options that a user may
+never use or disable, that it leaves systems riddled with firewall holes.
+
+APF comes configured with only a single incoming port
+enabled by default and that is port 22 (SSH)
+
+The main APF configuration file is located at /etc/apf-firewall/conf.apf and has
+detailed usage information above all configuration variables. The file uses
+integer based values for setting configuration options and they are
+0 = disabled
+1 = enabled
+
+DEVEL_MODE
+----------
+This tells APF to run in a development mode which in short means
+that the firewall will shut itself off every 5 minutes from a cronjob. When
+you install any version of APF, upgrade or new install, this feature is by
+default enabled to make sure the user does not lock themself out of the
+system with configuration errors. Once you are satisfied that you have the
+firewall configured and operating as intended then you must disable it.
+
+When you are ready, you should edit /etc/default/apf-firewall and APF will start
+at boot.
+
+ -- Giuseppe Iuculano <giuseppe@iuculano.it> Tue, 18 Aug 2008 11:21:41 +0200
--- apf-firewall-9.7+rev1.orig/debian/README.source
+++ apf-firewall-9.7+rev1/debian/README.source
@@ -0,0 +1,58 @@
+This package uses quilt to manage all modifications to the upstream
+source. Changes are stored in the source package as diffs in
+debian/patches and applied during the build.
+
+To configure quilt to use debian/patches instead of patches, you want
+either to export QUILT_PATCHES=debian/patches in your environment
+or use this snippet in your ~/.quiltrc:
+
+ for where in ./ ../ ../../ ../../../ ../../../../ ../../../../../; do
+ if [ -e ${where}debian/rules -a -d ${where}debian/patches ]; then
+ export QUILT_PATCHES=debian/patches
+ break
+ fi
+ done
+
+To get the fully patched source after unpacking the source package, cd to
+the root level of the source package and run:
+
+ quilt push -a
+
+The last patch listed in debian/patches/series will become the current
+patch.
+
+To add a new set of changes, first run quilt push -a, and then run:
+
+ quilt new <patch>
+
+where <patch> is a descriptive name for the patch, used as the filename in
+debian/patches. Then, for every file that will be modified by this patch,
+run:
+
+ quilt add <file>
+
+before editing those files. You must tell quilt with quilt add what files
+will be part of the patch before making changes or quilt will not work
+properly. After editing the files, run:
+
+ quilt refresh
+
+to save the results as a patch.
+
+Alternately, if you already have an external patch and you just want to
+add it to the build system, run quilt push -a and then:
+
+ quilt import -P <patch> /path/to/patch
+ quilt push -a
+
+(add -p 0 to quilt import if needed). <patch> as above is the filename to
+use in debian/patches. The last quilt push -a will apply the patch to
+make sure it works properly.
+
+To remove an existing patch from the list of patches that will be applied,
+run:
+
+ quilt delete <patch>
+
+You may need to run quilt pop -a to unapply patches first before running
+this command.
--- apf-firewall-9.7+rev1.orig/debian/control
+++ apf-firewall-9.7+rev1/debian/control
@@ -0,0 +1,64 @@
+Source: apf-firewall
+Section: net
+Priority: optional
+Maintainer: Giuseppe Iuculano <iuculano@debian.org>
+Build-Depends: quilt (>= 0.40), debhelper (>= 7)
+Standards-Version: 3.8.4
+Homepage: http://www.rfxn.com/projects/advanced-policy-firewall/
+Vcs-Git: git://git.debian.org/git/users/derevko-guest/apf-firewall.git
+Vcs-Browser: http://git.debian.org/?p=users/derevko-guest/apf-firewall.git
+
+Package: apf-firewall
+Architecture: all
+Depends: ${misc:Depends}, iptables, lsb-base, wget
+Description: easy iptables based firewall system
+ Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall
+ system designed around the essential needs of today's Internet deployed
+ servers and the unique needs of custom deployed Linux installations. The
+ configuration of APF is designed to be very informative and present the
+ user with an easy to follow process, from top to bottom of the
+ configuration file. The management of APF on a day-to-day basis is
+ conducted from the command line with the 'apf' command, which includes
+ detailed usage information and all the features one would expect from a
+ current and forward thinking firewall solution.
+ .
+ Summary of features:
+ * detailed and well commented configuration file
+ * granular inbound and outbound network filtering
+ * user id based outbound network filtering
+ * application based network filtering
+ * trust based rule files with an optional advanced syntax
+ * global trust system where rules can be downloaded from a central
+ management server
+ * reactive address blocking (RAB), next generation in-line intrusion
+ prevention
+ * debug mode provided for testing new features and configuration setups
+ * fast load feature that allows for 1000+ rules to load in under 1 second
+ * inbound and outbound network interfaces can be independently configured
+ * global tcp/udp port & icmp type filtering with multiple methods of
+ executing filters (drop, reject, prohibit)
+ * configurable policies for each ip on the system with convenience variables
+ to import settings
+ * packet flow rate limiting that prevents abuse on the most widely abused
+ protocol, icmp
+ * prerouting and postrouting rules for optimal network performance
+ * dshield.org block list support to ban networks exhibiting suspicious
+ activity
+ * spamhaus Don't Route Or Peer List support to ban known "hijacked zombie"
+ IP blocks
+ * any number of additional interfaces may be configured as firewalled
+ (untrusted) or trusted (not firewalled)
+ * additional firewalled interfaces can have there own unique firewall
+ policies applied
+ * intelligent route verification to prevent embarrassing configuration
+ errors
+ * advanced packet sanity checks to make sure traffic coming and going meets
+ the strictest of standards
+ * filter attacks such as fragmented UDP, port zero floods, stuffed routing,
+ arp poisoning and more
+ * configurable type of service options to dictate the priority of different
+ types of network traffic
+ * intelligent default settings to meet every day server setups
+ * dynamic configuration of your servers local DNS revolvers into the firewall
+ * optional filtering of common p2p applications
+ * optional filtering of private & reserved IP address space
--- apf-firewall-9.7+rev1.orig/debian/copyright
+++ apf-firewall-9.7+rev1/debian/copyright
@@ -0,0 +1,37 @@
+This package was debianized by Giuseppe Iuculano <giuseppe@iuculano.it> on
+Sun, 17 Aug 2008 17:45:41 +0200.
+
+It was downloaded from http://www.r-fx.org/apf.php
+
+Upstream Author: R-fx Networks <proj@r-fx.org>
+
+Copyright:
+ Copyright (C) 1999-2007, R-fx Networks <proj@r-fx.org>
+ Copyright (C) 2007, Ryan MacDonald <ryan@r-fx.org>
+
+License:
+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+On Debian systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
+
+The Debian packaging is © 2008, Giuseppe Iuculano <giuseppe@iuculano.it> and
+is licensed under the GPL, see above.
+
+files/extras/dshield/dshield-3.2.tar.gz:
+ Copyright (c) 2001, 2002 Eelco Lempsink (eelcolempsink@gmx.net)
+ and Andrew R. Jones (arjones@simultan.dyndns.org)
+ License: GPL (See above)
--- apf-firewall-9.7+rev1.orig/debian/apf-firewall.cron.daily
+++ apf-firewall-9.7+rev1/debian/apf-firewall.cron.daily
@@ -0,0 +1,10 @@
+#! /bin/sh
+
+. /etc/default/apf-firewall
+if [ "x$RUN" != "xyes" ] ; then
+ exit 0
+fi
+
+/usr/sbin/apf -f >> /dev/null 2>&1
+/usr/sbin/apf -s >> /dev/null 2>&1
+
--- apf-firewall-9.7+rev1.orig/debian/apf.1
+++ apf-firewall-9.7+rev1/debian/apf.1
@@ -0,0 +1,77 @@
+.TH APF 1 "August 17, 2008"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+apf \- easy iptables based firewall system
+.SH SYNOPSIS
+.B apf
+.SH DESCRIPTION
+This manual page documents briefly the
+.B apf
+command.
+This manual page was written for the Debian distribution
+because the original program does not have a manual page.
+.PP
+Advanced Policy Firewall (\fBAPF\fP) is an iptables (netfilter) based firewall
+system designed around the essential needs of today's Internet deployed
+servers and the unique needs of custom deployed Linux installations. The
+configuration of APF is designed to be very informative and present the
+user with an easy to follow process, from top to bottom of the
+configuration file. The management of APF on a day-to-day basis is
+conducted from the command line with the 'apf' command, which includes
+detailed usage information and all the features one would expect from a
+current and forward thinking firewall solution.
+.SH OPTIONS
+.B apf
+follow the usual GNU command line syntax, with long
+options starting with two dashes (`-').
+A summary of options is included below.
+.TP
+.TP
+.B \-s|\-\-start
+load all firewall rules
+.TP
+.B \-r|\-\-restart
+stop (flush) & reload firewall rules
+.TP
+.B \-l|\-\-list
+list all firewall rules
+.TP
+.B \-t|\-\-status
+output firewall status log
+.TP
+.B \-e|\-\-refresh
+refresh & resolve dns names in trust rules
+.TP
+.B \-a <HOST CMT|\-\-allow <HOST COMMENT>
+add host (IP/FQDN) to allow_hosts.rules and
+immediately load new rule into firewall
+.TP
+.B \-d <HOST CMT|\-\-deny <HOST COMMENT>
+add host (IP/FQDN) to deny_hosts.rules and
+immediately load new rule into firewall
+.TP
+.B \-u <HOST>|\-\-remove <HOST>
+remove host from [glob]*_hosts.rules
+and immediately remove rule from firewall
+.TP
+.B \-o|\-\-ovars
+output all configuration options
+.SH COPYRIGHT
+Copyright \(co 1999-2007, R-fx Networks <proj@r-fx.org>
+.br
+Copyright \(co 2007, Ryan MacDonald <ryan@r-fx.org>
+This program may be freely redistributed under the terms of the GNU GPL
+.PP
+This manual page was written by Giuseppe Iuculano <giuseppe@iuculano.it>,
+for the Debian project (but may be used by others).
--- apf-firewall-9.7+rev1.orig/debian/rules
+++ apf-firewall-9.7+rev1/debian/rules
@@ -0,0 +1,53 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+
+
+include /usr/share/quilt/quilt.make
+
+build: build-stamp
+
+build-stamp: $(QUILT_STAMPFN)
+ dh_testdir
+ touch $@
+
+clean: unpatch
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_prep
+ dh_installdirs
+
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs CHANGELOG
+ dh_installdocs
+ dh_installexamples
+ dh_install -Xfiles/extras -Xfiles/doc
+ chmod 750 debian/apf-firewall/etc/apf-firewall/internals/functions.apf debian/apf-firewall/etc/apf-firewall/conf.apf
+ rm -f debian/apf-firewall/etc/apf-firewall/apf
+ dh_installlogrotate
+ dh_installinit
+ dh_installcron
+ dh_installman debian/apf.1
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep
+.PHONY: build clean binary-indep binary install
--- apf-firewall-9.7+rev1.orig/debian/apf-firewall.logrotate
+++ apf-firewall-9.7+rev1/debian/apf-firewall.logrotate
@@ -0,0 +1,9 @@
+/var/log/apfados_log /var/log/apf_log {
+ missingok
+ weekly
+ rotate 7
+ compress
+ postrotate
+ endscript
+}
+
--- apf-firewall-9.7+rev1.orig/debian/watch
+++ apf-firewall-9.7+rev1/debian/watch
@@ -0,0 +1,3 @@
+# apf-firewall upstream uses a distribution mechanism that cannot be meaningfully monitored by
+# uscan and the Debian External Health Status project.
+# Latest version is always: http://www.r-fx.ca/downloads/apf-current.tar.gz
--- apf-firewall-9.7+rev1.orig/debian/compat
+++ apf-firewall-9.7+rev1/debian/compat
@@ -0,0 +1 @@
+7
--- apf-firewall-9.7+rev1.orig/debian/dirs
+++ apf-firewall-9.7+rev1/debian/dirs
@@ -0,0 +1,2 @@
+usr/sbin
+etc/apf-firewall
--- apf-firewall-9.7+rev1.orig/debian/patches/series
+++ apf-firewall-9.7+rev1/debian/patches/series
@@ -0,0 +1,2 @@
+01_fix_path.patch
+02_make_interpreter.patch
--- apf-firewall-9.7+rev1.orig/debian/patches/02_make_interpreter.patch
+++ apf-firewall-9.7+rev1/debian/patches/02_make_interpreter.patch
@@ -0,0 +1,23 @@
+Author: Giuseppe Iuculano <giuseppe@iuculano.it>
+Description: Add #!/bin/sh interpreter
+--- a/.ca.def
++++ b/.ca.def
+@@ -1,3 +1,4 @@
++#!/bin/sh
+ cat > .conf.apf <<EOF
+ #!/bin/sh
+ #
+--- a/files/vnet/vnetgen
++++ b/files/vnet/vnetgen
+@@ -1,3 +1,4 @@
++#! /bin/bash
+ #
+ # APF 9.7 [apf@r-fx.org]
+ ###
+--- a/files/vnet/vnetgen.def
++++ b/files/vnet/vnetgen.def
+@@ -1,3 +1,4 @@
++#! /bin/sh
+ cat > /etc/apf-firewall/vnet/$addr.rules <<EOF
+ eout "{glob} loading $addr.rules"
+
--- apf-firewall-9.7+rev1.orig/debian/patches/01_fix_path.patch
+++ apf-firewall-9.7+rev1/debian/patches/01_fix_path.patch
@@ -0,0 +1,436 @@
+Author: Giuseppe Iuculano <giuseppe@iuculano.it>
+Description: Use /etc/apt-firewall
+--- a/files/apf
++++ b/files/apf
+@@ -21,7 +21,7 @@
+ ###
+ #
+ VER="9.7"
+-CNF="/etc/apf/conf.apf"
++CNF="/etc/apf-firewall/conf.apf"
+
+ head() {
+ echo "APF version $VER <apf@r-fx.org>"
+@@ -92,13 +92,13 @@ if [ ! -f "$INSTALL_PATH/internals/.md5.
+ fi
+
+ if [ ! -f "$INSTALL_PATH/internals/.last.vars" ]; then
+- $INSTALL_PATH/apf -o > $INSTALL_PATH/internals/.last.vars
++ /usr/sbin/apf -o > $INSTALL_PATH/internals/.last.vars
+ SKIP_FASTLOAD_VARS=1
+ else
+- $INSTALL_PATH/apf -o > $INSTALL_PATH/internals/.last.vars.new
++ /usr/sbin/apf -o > $INSTALL_PATH/internals/.last.vars.new
+ VARS_DIFF=`$DIFF $INSTALL_PATH/internals/.last.vars.new $INSTALL_PATH/internals/.last.vars`
+ if [ ! "$VARS_DIFF" == "" ]; then
+- $INSTALL_PATH/apf -o > $INSTALL_PATH/internals/.last.vars
++ /usr/sbin/apf -o > $INSTALL_PATH/internals/.last.vars
+ SKIP_FASTLOAD_VARS=1
+ fi
+ fi
+--- a/files/conf.apf
++++ b/files/conf.apf
+@@ -20,7 +20,7 @@
+ DEVEL_MODE="1"
+
+ # The installation path of APF; this can be changed but it is not recommended.
+-INSTALL_PATH="/etc/apf"
++INSTALL_PATH="/etc/apf-firewall"
+
+ # Untrusted Network interface(s); all traffic on defined interface will be
+ # subject to all firewall rules. This should be your internet exposed
+@@ -51,7 +51,7 @@ SET_VERBOSE="1"
+ SET_FASTLOAD="0"
+
+ # Virtual Network Sub-System (VNET) creates independent policy rule set for
+-# each IP on a system to /etc/apf/vnet/IP.rules. These rule files can be
++# each IP on a system to /etc/apf-firewall/vnet/IP.rules. These rule files can be
+ # configured with conf.apf variables for unique but convenient firewall
+ # policies or custom iptables entries for even greater flexibility.
+ SET_VNET="0"
+--- a/files/extras/importconf
++++ b/files/extras/importconf
+@@ -20,24 +20,24 @@
+ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ ###
+ #
+-INSTALL_PATH="/etc/apf"
++INSTALL_PATH="/etc/apf-firewall"
+ DEF=".ca.def"
+ DOUT=".conf.apf"
+
+-if [ -d "/etc/apf.bk.last" ]; then
++if [ -d "/etc/apf-firewall.bk.last" ]; then
+ # get all the vars from current release
+-. /etc/apf/conf.apf
++. /etc/apf-firewall/conf.apf
+ # replace with any vars old release had
+-. /etc/apf.bk.last/conf.apf
++. /etc/apf-firewall.bk.last/conf.apf
+ # generate new conf
+ . $DEF
+
+ cp -f $INSTALL_PATH/conf.apf $INSTALL_PATH/conf.apf.orig
+ cp -f $DOUT $INSTALL_PATH/conf.apf
+-cp -f /etc/apf.bk.last/*_hosts.rules /etc/apf/
+-cp -f /etc/apf.bk.last/vnet/*.rules /etc/apf/vnet/
++cp -f /etc/apf-firewall.bk.last/*_hosts.rules /etc/apf-firewall/
++cp -f /etc/apf-firewall.bk.last/vnet/*.rules /etc/apf-firewall/vnet/
+
+-OV=`cat /etc/apf.bk.last/VERSION | awk '{print$2}'`
+-NV=`cat /etc/apf/VERSION | awk '{print$2}'`
++OV=`cat /etc/apf-firewall.bk.last/VERSION | awk '{print$2}'`
++NV=`cat /etc/apf-firewall/VERSION | awk '{print$2}'`
+ echo " Imported options from $OV to $NV."
+ fi
+--- a/files/firewall
++++ b/files/firewall
+@@ -20,7 +20,7 @@
+ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ ###
+ #
+-CNF="/etc/apf/conf.apf"
++CNF="/etc/apf-firewall/conf.apf"
+
+ if [ -f "$CNF" ] && [ ! "$CNF" == "" ]; then
+ source $CNF
+--- a/files/internals/functions.apf
++++ b/files/internals/functions.apf
+@@ -41,20 +41,20 @@ if [ "$DEVEL_MODE" == "1" ]; then
+ eout "{glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes."
+ echo "!!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes."
+ fi
+-APF_CJ=`cat $CRON | grep -w /etc/init.d/apf`
++APF_CJ=`cat $CRON | grep -w /etc/init.d/apf-firewall`
+ if [ "$APF_CJ" == "" ]; then
+ cp -f $CRON $CRON.bk
+ cat > $TMP_CJ <<EOF
+
+-*/5 * * * * root /etc/init.d/apf stop >> /dev/null 2>&1
++*/5 * * * * root /etc/init.d/apf-firewall stop >> /dev/null 2>&1
+ EOF
+ cat $TMP_CJ >> $CRON
+ rm -f $TMP_CJ
+ fi
+ elif [ "$DEVEL_MODE" == "0" ]; then
+-APF_CJ=`cat $CRON | grep -w /etc/init.d/apf`
++APF_CJ=`cat $CRON | grep -w /etc/init.d/apf-firewall`
+ if [ ! "$APF_CJ" == "" ]; then
+- cat $CRON | grep -vw "/etc/init.d/apf" > $CRON.tmp
++ cat $CRON | grep -vw "/etc/init.d/apf-firewall" > $CRON.tmp
+ cp -f $CRON $CRON.bk
+ mv $CRON.tmp $CRON
+ chmod 644 $CRON
+@@ -230,25 +230,25 @@ DIP=$1
+ $IPT -D TGDENY -s $DIP -j $ALL_STOP
+ $IPT -D TGDENY -d $DIP -j $ALL_STOP
+
+- val=`cat /etc/apf/allow_hosts.rules | grep "$DIP"`
++ val=`cat /etc/apf-firewall/allow_hosts.rules | grep "$DIP"`
+ if [ ! "$val" == "" ]; then
+- cat /etc/apf/allow_hosts.rules | grep -v "$DIP" > /etc/apf/allow_hosts.rules.new
+- mv /etc/apf/allow_hosts.rules.new /etc/apf/allow_hosts.rules
++ cat /etc/apf-firewall/allow_hosts.rules | grep -v "$DIP" > /etc/apf-firewall/allow_hosts.rules.new
++ mv /etc/apf-firewall/allow_hosts.rules.new /etc/apf-firewall/allow_hosts.rules
+ fi
+- val=`cat /etc/apf/deny_hosts.rules | grep "$DIP"`
++ val=`cat /etc/apf-firewall/deny_hosts.rules | grep "$DIP"`
+ if [ ! "$val" == "" ]; then
+- cat /etc/apf/deny_hosts.rules | grep -v "$DIP" > /etc/apf/deny_hosts.rules.new
+- mv /etc/apf/deny_hosts.rules.new /etc/apf/deny_hosts.rules
++ cat /etc/apf-firewall/deny_hosts.rules | grep -v "$DIP" > /etc/apf-firewall/deny_hosts.rules.new
++ mv /etc/apf-firewall/deny_hosts.rules.new /etc/apf-firewall/deny_hosts.rules
+ fi
+- val=`cat /etc/apf/glob_allow_hosts.rules | grep "$DIP"`
++ val=`cat /etc/apf-firewall/glob_allow_hosts.rules | grep "$DIP"`
+ if [ ! "$val" == "" ]; then
+- cat /etc/apf/glob_allow_hosts.rules | grep -v "$DIP" > /etc/apf/glob_allow_hosts.rules.new
+- mv /etc/apf/glob_allow_hosts.rules.new /etc/apf/glob_allow_hosts.rules
++ cat /etc/apf-firewall/glob_allow_hosts.rules | grep -v "$DIP" > /etc/apf-firewall/glob_allow_hosts.rules.new
++ mv /etc/apf-firewall/glob_allow_hosts.rules.new /etc/apf-firewall/glob_allow_hosts.rules
+ fi
+- val=`cat /etc/apf/glob_deny_hosts.rules | grep "$DIP"`
++ val=`cat /etc/apf-firewall/glob_deny_hosts.rules | grep "$DIP"`
+ if [ ! "$val" == "" ]; then
+- cat /etc/apf/glob_deny_hosts.rules | grep -v "$DIP" > /etc/apf/glob_deny_hosts.rules.new
+- mv /etc/apf/glob_deny_hosts.rules.new /etc/apf/glob_deny_hosts.rules
++ cat /etc/apf-firewall/glob_deny_hosts.rules | grep -v "$DIP" > /etc/apf-firewall/glob_deny_hosts.rules.new
++ mv /etc/apf-firewall/glob_deny_hosts.rules.new /etc/apf-firewall/glob_deny_hosts.rules
+ fi
+
+ dil=`$IPT --numeric --list INPUT --line-numbers | grep $DIP | awk '{print$1}'`
+@@ -378,7 +378,7 @@ fi
+
+ list() {
+ echo "Loading chain rules..."
+-iptc=/etc/apf/.ipt.chains
++iptc=/etc/apf-firewall/.ipt.chains
+ :> $iptc ; chmod 600 $iptc
+ $IPT --verbose --numeric --line-numbers --list >> $iptc
+ echo "Opening editor"
+@@ -519,7 +519,7 @@ fi
+ }
+
+ ovars() {
+- nice -n 16 cat /etc/apf/conf.apf /etc/apf/internals/internals.conf | grep -v "#" | grep "=" | tr '=' ' ' | awk '{print""$"$1"}'
++ nice -n 16 cat /etc/apf-firewall/conf.apf /etc/apf-firewall/internals/internals.conf | grep -v "#" | grep "=" | tr '=' ' ' | awk '{print""$"$1"}'
+ }
+
+ allow_hosts() {
+@@ -1126,7 +1126,7 @@ dlist_resnet() {
+ chmod 600 $RESNET $RESNET.bk
+ fi
+ if [ -f "$WGET" ] && [ -f "$RESNET" ]; then
+- URL_TMP="/etc/apf/.apf-$$"
++ URL_TMP="/etc/apf-firewall/.apf-$$"
+ rm -rf $URL_TMP
+ URL_FILE=`echo $DLIST_RESERVED_URL | tr '/' '\n' | grep "." | tail -n 1`
+ RD_CON="$DLIST_RESERVED_URL_PROT://$DLIST_RESERVED_URL"
+@@ -1145,7 +1145,7 @@ if [ -f "$WGET" ] && [ -f "$RESNET" ]; t
+ fi
+ fi
+ rm -rf $URL_TMP
+- cd /etc/apf
++ cd /etc/apf-firewall
+ else
+ if [ -f "$RESNET" ]; then
+ cp $RESNET.bk $RESNET
+@@ -1156,8 +1156,8 @@ fi
+
+ dlist_php() {
+ if [ ! "$DLIST_PHP_URL_PROT" == "" ] && [ ! "$DLIST_PHP_URL" == "" ] && [ "$DLIST_PHP" == "1" ] && [ -f "$WGET" ]; then
+- URL_TMP="/etc/apf/.apf-$$"
+- rm -rf $URL_TMP /etc/apf/.apf-*
++ URL_TMP="/etc/apf-firewall/.apf-$$"
++ rm -rf $URL_TMP /etc/apf-firewall/.apf-*
+ URL_FILE=`echo $DLIST_PHP_URL | tr '/' '\n' | grep "." | tail -n 1`
+ URL_CON="$DLIST_PHP_URL_PROT://$DLIST_PHP_URL"
+ mkdir $URL_TMP
+@@ -1178,7 +1178,7 @@ if [ ! "$DLIST_PHP_URL_PROT" == "" ] &&
+ eout "{php} download of $DLIST_PHP_URL_PROT://$DLIST_PHP_URL failed"
+ fi
+ rm -rf $URL_TMP
+- cd /etc/apf
++ cd /etc/apf-firewall
+ else
+ rm -f $PHP_HOSTS
+ touch $PHP_HOSTS
+@@ -1207,8 +1207,8 @@ fi
+
+ dlist_dshield() {
+ if [ ! "$DLIST_DSHIELD_URL_PROT" == "" ] && [ ! "$DLIST_DSHIELD_URL" == "" ] && [ "$DLIST_DSHIELD" == "1" ] && [ -f "$WGET" ]; then
+- URL_TMP="/etc/apf/.apf-$$"
+- rm -rf $URL_TMP /etc/apf/.apf-*
++ URL_TMP="/etc/apf-firewall/.apf-$$"
++ rm -rf $URL_TMP /etc/apf-firewall/.apf-*
+ URL_FILE=`echo $DLIST_DSHIELD_URL | tr '/' '\n' | grep "." | tail -n 1`
+ URL_CON="$DLIST_DSHIELD_URL_PROT://$DLIST_DSHIELD_URL"
+ mkdir $URL_TMP
+@@ -1229,7 +1229,7 @@ if [ ! "$DLIST_DSHIELD_URL_PROT" == "" ]
+ eout "{dshield} download of $DLIST_DSHIELD_URL_PROT://$DLIST_DSHIELD_URL failed"
+ fi
+ rm -rf $URL_TMP
+- cd /etc/apf
++ cd /etc/apf-firewall
+ else
+ rm -f $DS_HOSTS
+ touch $DS_HOSTS
+@@ -1258,8 +1258,8 @@ fi
+
+ dlist_spamhaus() {
+ if [ ! "$DLIST_SPAMHAUS_URL_PROT" == "" ] && [ ! "$DLIST_SPAMHAUS_URL" == "" ] && [ "$DLIST_SPAMHAUS" == "1" ] && [ -f "$WGET" ]; then
+- URL_TMP="/etc/apf/.apf-$$"
+- rm -rf $URL_TMP /etc/apf/.apf-*
++ URL_TMP="/etc/apf-firewall/.apf-$$"
++ rm -rf $URL_TMP /etc/apf-firewall/.apf-*
+ URL_FILE=`echo $DLIST_SPAMHAUS_URL | tr '/' '\n' | grep "." | tail -n 1`
+ URL_CON="$DLIST_SPAMHAUS_URL_PROT://$DLIST_SPAMHAUS_URL"
+ mkdir $URL_TMP
+@@ -1280,7 +1280,7 @@ if [ ! "$DLIST_SPAMHAUS_URL_PROT" == ""
+ eout "{sdrop} download of $DLIST_SPAMHAUS_URL_PROT://$DLIST_SPAMHAUS_URL failed"
+ fi
+ rm -rf $URL_TMP
+- cd /etc/apf
++ cd /etc/apf-firewall
+ else
+ rm -f $DROP_HOSTS
+ touch $DROP_HOSTS
+@@ -1310,8 +1310,8 @@ fi
+
+ dlist_ecnshame() {
+ if [ ! "$DLIST_ECNSHAME_URL_PROT" == "" ] && [ ! "$DLIST_ECNSHAME_URL" == "" ] && [ "$DLIST_ECNSHAME" == "1" ] && [ -f "$WGET" ]; then
+- URL_TMP="/etc/apf/.apf-$$"
+- rm -rf $URL_TMP /etc/apf/.apf-*
++ URL_TMP="/etc/apf-firewall/.apf-$$"
++ rm -rf $URL_TMP /etc/apf-firewall/.apf-*
+ URL_FILE=`echo $DLIST_ECNSHAME_URL | tr '/' '\n' | grep "." | tail -n 1`
+ URL_CON="$DLIST_ECNSHAME_URL_PROT://$DLIST_ECNSHAME_URL"
+ mkdir $URL_TMP
+@@ -1332,7 +1332,7 @@ if [ ! "$DLIST_ECNSHAME_URL_PROT" == ""
+ eout "{ecnshame} download of $DLIST_ECNSHAME_URL_PROT://$DLIST_ECNSHAME_URL failed"
+ fi
+ rm -rf $URL_TMP
+- cd /etc/apf
++ cd /etc/apf-firewall
+ else
+ rm -f $ECNSHAME_HOSTS
+ touch $ECNSHAME_HOSTS
+@@ -1353,7 +1353,7 @@ fi
+
+ glob_allow_download() {
+ if [ ! "$GA_URL_PROT" == "" ] && [ ! "$GA_URL" == "" ] && [ "$USE_RGT" == "1" ] && [ -f "$WGET" ]; then
+- URL_TMP="/etc/apf/.apf-$$"
++ URL_TMP="/etc/apf-firewall/.apf-$$"
+ rm -rf $URL_TMP
+ URL_FILE=`echo $GA_URL | tr '/' '\n' | grep "." | tail -n 1`
+ GA_URL_CON="$GA_URL_PROT://$GA_URL"
+@@ -1368,7 +1368,7 @@ if [ ! "$GA_URL_PROT" == "" ] && [ ! "$G
+ eout "{trust} download of $GA_URL_PROT://$GA_URL failed"
+ fi
+ rm -rf $URL_TMP
+- cd /etc/apf
++ cd /etc/apf-firewall
+ else
+ rm -f $GALLOW_HOSTS
+ touch $GALLOW_HOSTS
+@@ -1378,7 +1378,7 @@ fi
+
+ glob_deny_download() {
+ if [ ! "$GD_URL_PROT" == "" ] && [ ! "$GD_URL" == "" ] && [ "$USE_RGT" == "1" ] && [ -f "$WGET" ]; then
+- URL_TMP="/etc/apf/.apf-$$"
++ URL_TMP="/etc/apf-firewall/.apf-$$"
+ rm -rf $URL_TMP
+ URL_FILE=`echo $GD_URL | tr '/' '\n' | grep "." | tail -n 1`
+ GD_URL_CON="$GD_URL_PROT://$GD_URL"
+@@ -1393,7 +1393,7 @@ if [ ! "$GD_URL_PROT" == "" ] && [ ! "$G
+ eout "{trust} download of $GD_URL_PROT://$GD_URL failed"
+ fi
+ rm -rf $URL_TMP
+- cd /etc/apf
++ cd /etc/apf-firewall
+ else
+ rm -f $GDENY_HOSTS
+ touch $GDENY_HOSTS
+@@ -1479,9 +1479,9 @@ cl_cports() {
+
+ refresh() {
+ eout "{glob} refreshing trust system rules."
+- /sbin/iptables-save | grep -E "TDENY|TGDENY" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk '{print$4}' | sort -n | uniq | sort > /etc/apf/internals/refresh.drop.temp
++ /sbin/iptables-save | grep -E "TDENY|TGDENY" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk '{print$4}' | sort -n | uniq | sort > /etc/apf-firewall/internals/refresh.drop.temp
+ $IPT -F TMP_DROP
+- for i in `cat /etc/apf/internals/refresh.drop.temp | grep -v "#"`; do
++ for i in `cat /etc/apf-firewall/internals/refresh.drop.temp | grep -v "#"`; do
+ if [ ! "$i" == "" ]; then
+ $IPT -A TMP_DROP -s $i -d 0/0 -j $ALL_STOP
+ $IPT -A TMP_DROP -d $i -s 0/0 -j $ALL_STOP
+@@ -1507,7 +1507,7 @@ if [ ! "$SET_REFRESH" == "0" ] && [ ! "$
+ cat<<EOF > $INSTALL_PATH/internals/cron.refresh
+ MAILTO=
+ SHELL=/bin/bash
+-*/$SET_REFRESH * * * * root /etc/apf/apf --refresh >> /dev/null 2>&1 &
++*/$SET_REFRESH * * * * root /usr/sbin/apf --refresh >> /dev/null 2>&1 &
+ EOF
+ chmod 644 $INSTALL_PATH/internals/cron.refresh
+ ln -fs $INSTALL_PATH/internals/cron.refresh /etc/cron.d/refresh.apf
+--- a/files/main.rules
++++ b/files/main.rules
+@@ -5,4 +5,4 @@ eout "{glob} loading main.rules"
+
+ #
+ # conf.apf configurable common ports
+-. /etc/apf/internals/cports.common
++. /etc/apf-firewall/internals/cports.common
+--- a/files/vnet/main.vnet
++++ b/files/vnet/main.vnet
+@@ -19,7 +19,7 @@
+ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ ###
+ #
+-INSTALL_PATH="/etc/apf"
++INSTALL_PATH="/etc/apf-firewall"
+ if [ "$SET_VNET" == "1" ]; then
+ eout "{glob} virtual network enabled, loading vnet rules."
+ for i in `ls $INSTALL_PATH/vnet/ | grep .rules`; do
+--- a/files/vnet/vnetgen
++++ b/files/vnet/vnetgen
+@@ -19,7 +19,7 @@
+ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ ###
+ #
+-CNF="/etc/apf/conf.apf"
++CNF="/etc/apf-firewall/conf.apf"
+ if [ -f $CNF ]; then
+ source $CNF
+ else
+--- a/files/vnet/vnetgen.def
++++ b/files/vnet/vnetgen.def
+@@ -1,4 +1,4 @@
+-cat > /etc/apf/vnet/$addr.rules <<EOF
++cat > /etc/apf-firewall/vnet/$addr.rules <<EOF
+ eout "{glob} loading $addr.rules"
+
+ # $addr.rules
+--- a/README.apf
++++ b/README.apf
+@@ -84,7 +84,7 @@ These three key filtering methods employ
+ of how the firewall is constructed on a technical design level, there are a
+ great many more features in APF that can be put to use. For a detailed
+ description of all APF features you should review the configuration file
+-/etc/apf/conf.apf which has well outlined captions above all options. Below is
++/etc/apf-firewall/conf.apf which has well outlined captions above all options. Below is
+ a point form summary of most APF features for reference and review:
+
+ - detailed and well commented configuration file
+@@ -227,7 +227,7 @@ inside the install.sh script followed by
+ the conf.apf and internals.conf files. This is however not recommends and the
+ default paths should meet all user needs, they are:
+
+-Install Path: /etc/apf
++Install Path: /etc/apf-firewall
+ Bin Path: /usr/local/sbin/apf
+
+ The package includes two convenience scripts, the first is importconf which will
+@@ -237,11 +237,11 @@ systems currently in use 'server' ports
+ process in an effort to aid in configuring port settings.
+
+ All previous versions of APF are saved upon the installation of newer
+-versions and stored in /etc/apf.bkDDMMYY-UTIME format. In addition, there is a
+-/etc/apf.bk.last sym-link created to the last version of APF you had installed.
++versions and stored in /etc/apf-firewall.bkDDMMYY-UTIME format. In addition, there is a
++/etc/apf-firewall.bk.last sym-link created to the last version of APF you had installed.
+
+ After installation is completed the documentation and convenience scripts are
+-copied to /etc/apf/docs and /etc/apf/extras respective.
++copied to /etc/apf-firewall/docs and /etc/apf-firewall/extras respective.
+
+ 2.1) Installation: Boot Loading
+ On installation APF will install an init script to /etc/init.d/apf
+@@ -260,7 +260,7 @@ chkconfig --level 345 apf on
+ Secondly, you can add the following string too the bottom of the
+ /etc/rc.local file:
+
+-sh -c "/etc/apf/apf -s" &
++sh -c "/etc/apf-firewall/apf -s" &
+
+ It is NOT recommended that you use both of these startup methods together,
+ for most systems the init script via chkconfig should be fine.
+@@ -282,7 +282,7 @@ real advanced options APF has to offer a
+ outbound (egress) port filtering, reactive address blocking (rab) and the
+ virtual network subsystem to name a few.
+
+-The main APF configuration file is located at /etc/apf/conf.apf and has
++The main APF configuration file is located at /etc/apf-firewall/conf.apf and has
+ detailed usage information above all configuration variables. The file uses
+ integer based values for setting configuration options and they are
+ 0 = disabled
+@@ -662,8 +662,8 @@ trust levels then have a look at the ext
+ following section 4.2 then the advanced trust syntax in 4.3.
+
+ The two basic trust level files are located at:
+-/etc/apf/allow_hosts.rules
+-/etc/apf/deny_hosts.rules
++/etc/apf-firewall/allow_hosts.rules
++/etc/apf-firewall/deny_hosts.rules
+
+ These files by nature are static, meaning that once you add an entry to them,
+ they will remain in the files till you remove them yourself. The trust files
![[patchlogo]](http://patch-tracker.debian.org/static/img/swirlpatch.png)