How to install APF (Advanced Policy Firewall)
What is APF (Advanced Policy Firewall)?
APF is a policy-based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in both tar.gz and RPM formats, APF is well suited to deployment in many Linux-based server environments. APF is developed and maintained by R-fx Networks: http://www.rfxn.com/projects/advanced-policy-firewall/
This guide shows you how to install and configure the APF firewall, one of the better-known Linux firewalls available.
Requirements:
- Root SSH access to your server
Let's begin!
Log in to your server through SSH and su to the root user.
- Download the APF source:
# wget http://www.rfxn.com/downloads/apf-current.tar.gz
- Extract the tar.gz:
# tar -xvzf apf-current.tar.gz
- Enter the APF directory (the version number will differ if a newer release is current):
# cd apf-0.9.7-1/
- Run the install script:
# ./install.sh
- Modify the APF config file:
# pico /etc/apf/conf.apf
- Add the ports you want to open for inbound (INGRESS) traffic. Keep each list on a single line inside the quotes, with no spaces.
- The following is for cPanel servers:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"
- The following is for DirectAdmin servers:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"
- Tell APF to filter outgoing (EGRESS) traffic as well. Change the line:
EGF="0"
to
EGF="1"
- Tell APF which outbound ports to allow:
# Common egress (outbound) TCP ports (for cPanel servers)
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"
# Common ICMP (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
- Save your changes: Ctrl+X, then press Y.
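A mistake inside one of these lists, such as a missing comma (587953 instead of 587,953), a stray space, or a list broken across two lines, is easy to make in an editor and does not show up until the firewall misbehaves. As an added example that is not part of this guide or of APF itself, the POSIX shell script below checks the four port-list variables in conf.apf before you start the firewall. The function names check_conf and validate_port_list are this example's own, as are the sample values in the comments; it only understands plain port numbers, so any other syntax you use in your lists would need to be added.

```shell
#!/bin/sh
# Added example (not part of the original guide or of APF): sanity-check the
# comma-separated port lists in conf.apf before running "apf -s".

# validate_port_list NAME "LIST"
# Prints one line per problem found; returns 0 if the list is clean, 1 if not.
validate_port_list() {
    name=$1
    list=$2
    status=0
    seen=,
    if [ -z "$list" ]; then
        echo "$name: empty or not found on a single line"
        return 1
    fi
    # Split the list on commas only, so a stray space stays inside its token
    # and is reported instead of silently ignored.
    old_ifs=$IFS
    IFS=,
    set -- $list
    IFS=$old_ifs
    for tok; do
        case $tok in
            '') echo "$name: empty entry (double or leading comma)"; status=1; continue ;;
            *[!0-9]*) echo "$name: '$tok' is not a plain port number"; status=1; continue ;;
        esac
        if [ "$tok" -lt 1 ] || [ "$tok" -gt 65535 ]; then
            # e.g. 587953, which is what a missing comma between 587 and 953 produces
            echo "$name: $tok is outside 1-65535 (missing comma?)"
            status=1
            continue
        fi
        case $seen in
            *,"$tok",*) echo "$name: $tok is listed twice"; status=1 ;;
        esac
        seen="$seen$tok,"
    done
    return $status
}

# check_conf [PATH]  -- validate the ingress and egress lists in a conf.apf file.
# A value whose closing quote sits on the next line is reported as "not found".
check_conf() {
    conf=${1:-/etc/apf/conf.apf}
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    for var in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        # last uncommented single-line assignment of the variable wins
        val=$(sed -n "s/^${var}=\"\([^\"]*\)\".*/\1/p" "$conf" | tail -n 1)
        validate_port_list "$var" "$val" || rc=1
    done
    return $rc
}

# Usage: sh check_apf_ports.sh /etc/apf/conf.apf
if [ -n "${1:-}" ]; then
    check_conf "$1" && echo "$1: port lists look sane"
fi
```

Run it against /etc/apf/conf.apf after editing and before the first `apf -s`; a non-zero exit status means at least one list needs fixing.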
- Start APF:
# /usr/local/sbin/apf -s
- If everything works, edit the config file and turn developer mode off. While DEVM is set to 1, APF flushes its rules every five minutes from cron so that a mistake in the config cannot lock you out of the server; once you have confirmed you can still reach the server, set it to 0 so the rules stay loaded.
# pico /etc/apf/conf.apf
Change
DEVM="1"
to
DEVM="0"
Save your changes: Ctrl+X, then press Y.
- Restart APF:
# /usr/local/sbin/apf -r
- Checking the APF log
The log shows changes to the allowed and denied hosts, among other things:
tail -f /var/log/apf_log
Example output:
Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123
- Make APF start automatically at boot time
To autostart APF on reboot, run this:
chkconfig --level 2345 apf on
To remove it from autostart, run this:
chkconfig --del apf
- Denying IPs with the APF firewall (blocking)
Now that you have your shiny new firewall you probably want to block a host, right? Of course you do! This version of APF also supports comments on entries. There are a few ways to block an IP; here are two of the easier methods.
A) /etc/apf/apf -d IPHERE COMMENTHERENOSPACES
> The -d flag means DENY the IP address
> IPHERE is the IP address you wish to block
> COMMENTHERENOSPACES is obvious: a comment (with no spaces) on why the IP is being blocked
These rules are loaded right away into the firewall, so they are instantly active.
Example:
./apf -d 185.14.157.123 TESTING
pico /etc/apf/deny_hosts.rules
shows the following:
# added 185.14.157.123 on 08/23/05 01:25:55
# TESTING
185.14.157.123
B) pico /etc/apf/deny_hosts.rules
You can then just add a new line and enter the IP you wish to block. Before this becomes active, though, you will need to reload the APF ruleset:
/etc/apf/apf -r
- Allowing IPs with the APF firewall (unblocking)
I know, I know, you added an IP and now you need it removed right away! IPs that are blocked have to be removed manually from deny_hosts.rules.
A) pico /etc/apf/deny_hosts.rules
Find where the IP is listed and remove the line that has the IP.
After this is done, save the file and reload APF to make the new changes active:
/etc/apf/apf -r
B) If the IP isn't already listed in deny_hosts.rules and you wish to allow it, this method adds the entry to allow_hosts.rules:
/etc/apf/apf -a IPHERE COMMENTHERENOSPACES
> The -a flag means ALLOW the IP address
> IPHERE is the IP address you wish to allow
> COMMENTHERENOSPACES is obvious: a comment (with no spaces) on why the IP is being allowed
These rules are loaded right away into the firewall, so they are instantly active.
Example:
./apf -a 185.14.157.123 UNBLOCKING
pico /etc/apf/allow_hosts.rules
shows the following:
# added 185.14.157.123 on 08/23/05 01:39:43
# UNBLOCKING
185.14.157.123
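The deny_hosts.rules layout shown above (two comment lines written by apf -d, then the IP on its own line) and the apf_log lines from the "Checking the APF log" step are both easy to handle from a script. As an added example that is not part of this guide or of APF itself, the POSIX shell functions below remove an entry together with its comment lines when you unblock a host (deleting only the IP line, as the manual method does, leaves orphaned "# added ..." comments behind), and pull the deny/allow events out of the log so you can confirm what APF last did for a given host. The function names, the sample rules file and the sample log lines are constructed for this example; for real use point them at /etc/apf/deny_hosts.rules and /var/log/apf_log, and remember that after editing deny_hosts.rules you still need to run /etc/apf/apf -r as the guide says.

```shell
#!/bin/sh
# Added example (not part of the original guide or of APF): helpers for the
# deny_hosts.rules unblocking step and for reading apf_log.

# Constructed sample data in the same layout the guide shows.
SAMPLE_RULES='# added 185.14.157.123 on 08/23/05 01:25:55
# TESTING
185.14.157.123
# added 203.0.113.9 on 08/23/05 01:30:10
# scanner
203.0.113.9'

SAMPLE_LOG='Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
Aug 23 01:30:10 ocean apf(31500): (insert) deny all to/from 203.0.113.9
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123'

# rules_has FILE IP  -- true if IP is listed (as a whole line) in FILE.
rules_has() {
    grep -qxF -- "$2" "$1"
}

# rules_remove FILE IP  -- delete the IP line and the block of comment lines
# directly above it, leaving every other entry untouched.
rules_remove() {
    file=$1
    ip=$2
    tmp=$(mktemp) || return 1
    awk -v ip="$ip" '
        # Hold comment lines back until we know whether they belong to the
        # entry being removed.
        /^#/ { buf = buf $0 "\n"; next }
        $0 == ip { buf = ""; next }
        { printf "%s", buf; buf = ""; print }
        END { printf "%s", buf }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# apf_log_events LOGFILE  -- print "deny IP" / "allow IP" for each insert
# event, e.g. "deny 185.14.157.123".
apf_log_events() {
    awk '/\(insert\) (deny|allow) all to\/from / { print $(NF-3), $NF }' "$1"
}

# last_log_action LOGFILE IP  -- print "deny" or "allow" for the most recent
# event concerning IP; prints nothing if the log has no event for it.
last_log_action() {
    apf_log_events "$1" | awk -v ip="$2" '$2 == ip { last = $1 } END { if (last != "") print last }'
}

# Demo on the constructed sample data (writes to temp files only).
demo() {
    log=$(mktemp)
    rules=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$log"
    printf '%s\n' "$SAMPLE_RULES" > "$rules"
    echo "log events:"
    apf_log_events "$log"
    echo "last action for 185.14.157.123: $(last_log_action "$log" 185.14.157.123)"
    rules_remove "$rules" 185.14.157.123
    echo "deny_hosts.rules after unblocking 185.14.157.123:"
    cat "$rules"
    rm -f "$log" "$rules"
}

# Usage: sh apf_helpers.sh demo
if [ "${1:-}" = demo ]; then
    demo
fi
```

After `rules_remove /etc/apf/deny_hosts.rules IP` followed by `/etc/apf/apf -r`, or after `apf -a IP COMMENT`, `last_log_action /var/log/apf_log IP` is a quick way to check that the change APF logged is the one you expected.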