How to install APF
Posted by HostsVault | Posted in How-To's | Posted on 18-08-2008
What is APF?
Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today's Internet-deployed servers and the unique needs of custom Linux installations. Its configuration file is written to be informative and easy to follow from top to bottom. Day-to-day management is done from the command line with the 'apf' command, which includes detailed usage information and the features one would expect from a current, forward-thinking firewall solution.
This tutorial shows you how to install APF on your server and configure the basic port policy.
* You need root access to install this.
* The ports configured here are for cPanel servers; adjust them for anything else.
* Keep an existing SSH session open while you work. If you lock yourself out, APF's development mode (enabled by default, see below) is the only thing that will let you back in.

cd /usr/src/
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf-0.9.6*
./install.sh

Note that apf-current.tar.gz is an unversioned archive, so the directory it extracts to may not be named apf-0.9.6*; check with ls after extracting and cd into whatever directory the archive created.
You should get output similar to this:

Installation Details:
  Install path:          /etc/apf/
  Config path:           /etc/apf/conf.apf
  Executable path:       /usr/local/sbin/apf
  AntiDos install path:  /etc/apf/ad/
  AntiDos config path:   /etc/apf/ad/conf.antidos
  DShield Client Parser: /etc/apf/extras/dshield/

Other Details:
  Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
  Listening UDP ports: 53,55880
  Note: These ports are not auto-configured; they are simply presented for information purposes.
        You must manually configure all port options.

The "Listening" lists are whatever the installer found bound on your server at install time, so yours will differ; they are a hint for the port policy below, not the policy itself.

Now configure APF:

pico /etc/apf/conf.apf

Change USE_DS="0" to USE_DS="1"

USE_DS enables the DShield.org block list: a list of networks that DShield has observed exhibiting suspicious activity, which APF fetches and denies.
Now let's configure the ports to open. Anything not listed is blocked.

Configure IG_TCP_CPORTS and IG_UDP_CPORTS (incoming TCP/UDP connections):

IG_TCP_CPORTS="20,21,22,25,26,37,53,80,110,143,443,465,783,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306"
IG_UDP_CPORTS="21,37,53,873"

If your SSH daemon does not listen on port 22, put its real port in IG_TCP_CPORTS before you restart the firewall, or the restart will drop your next connection.

Configure EG_TCP_CPORTS and EG_UDP_CPORTS (outgoing TCP/UDP connections). EGF="1" turns egress filtering on; with it set, the server can only open outbound connections to the listed ports, so add anything else it needs (for example a remote MySQL or backup port):

EGF="1"
EG_TCP_CPORTS="21,22,25,37,43,53,80,443,873,2082,2083,2086,2087,2089,3306"
EG_UDP_CPORTS="20,21,37,53,123,873"

Port lists are comma-separated with no spaces; a stray space in the list is a common cause of a port that refuses to open.
Save your changes, exit the editor and restart the firewall:

/etc/init.d/apf restart

or

apf -r

Here is a list of other available commands:

usage ./apf [OPTION]
  -s|--start ......................... load firewall policies
  -r|--restart ....................... flush & load firewall
  -f|--flush|--stop .................. flush firewall
  -l|--list .......................... list chain rules
  -st|--status ....................... firewall status
  -a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
  -d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall
After checking that everything works (apf -st shows the firewall running, you can still open a fresh SSH session, and the cPanel/WHM ports answer), take APF out of development mode. Development mode is the default, and in it a cron job restarts the firewall every 5 minutes, which is a useful safety net while you are editing the config but means the rules are never left in place for long.

pico /etc/apf/conf.apf

Change: DEVM="1"
To: DEVM="0"

Exit and restart the firewall.
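The steps above all come down to editing a handful of KEY="value" lines in conf.apf and only leaving development mode once the SSH port is open. The script below is an added example, not code from the original post or from the APF project: it works on a constructed stand-in for /etc/apf/conf.apf written to a temp file, validates each port list before writing it (APF's own config is not checked for typos until you restart and find a port closed), rewrites the keys with an anchored sed so IG_TCP_CPORTS never matches EG_TCP_CPORTS, and refuses to set DEVM="0" unless the SSH port is in IG_TCP_CPORTS. The underscore range syntax (35000_35999) follows APF's convention; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or APF). Operates on a sample
# config; point apply_tutorial_settings at /etc/apf/conf.apf to use for real.

valid_port_list() {
    # 0 when every comma-separated item is a port (1-65535) or a low_high
    # range with low <= high; 1 on an empty item, a stray space, or junk.
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=','
    set -- $1
    IFS=$old_ifs
    for item in "$@"; do
        case $item in
            *_*) lo=${item%%_*}; hi=${item#*_} ;;
            *)   lo=$item;        hi=$item ;;
        esac
        for p in "$lo" "$hi"; do
            case $p in ''|*[!0-9]*) return 1 ;; esac
            [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        done
        [ "$lo" -le "$hi" ] || return 1
    done
    return 0
}

apf_get() {
    # Usage: apf_get CONF KEY -> prints the value of KEY="..." without quotes.
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2- | tr -d '"'
}

apf_set() {
    # Usage: apf_set CONF KEY VALUE. The ^KEY= anchor keeps IG_TCP_CPORTS
    # from matching EG_TCP_CPORTS. Refuses a KEY the file does not define,
    # so a typo is reported instead of silently appending a dead setting.
    # VALUE must not contain '|' or '&' (sed delimiter/backreference).
    cfile=$1; key=$2; val=$3
    grep -q "^$key=" "$cfile" || { echo "no such key: $key" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed "s|^$key=.*|$key=\"$val\"|" "$cfile" > "$tmp" && cat "$tmp" > "$cfile"
    rc=$?; rm -f "$tmp"; return $rc
}

apply_tutorial_settings() {
    # The values from this tutorial's cPanel port policy, validated first.
    conf=$1
    ig_tcp="20,21,22,25,26,37,53,80,110,143,443,465,783,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306"
    ig_udp="21,37,53,873"
    eg_tcp="21,22,25,37,43,53,80,443,873,2082,2083,2086,2087,2089,3306"
    eg_udp="20,21,37,53,123,873"
    for l in "$ig_tcp" "$ig_udp" "$eg_tcp" "$eg_udp"; do
        valid_port_list "$l" || { echo "bad port list: $l" >&2; return 1; }
    done
    apf_set "$conf" USE_DS 1 &&
    apf_set "$conf" IG_TCP_CPORTS "$ig_tcp" &&
    apf_set "$conf" IG_UDP_CPORTS "$ig_udp" &&
    apf_set "$conf" EGF 1 &&
    apf_set "$conf" EG_TCP_CPORTS "$eg_tcp" &&
    apf_set "$conf" EG_UDP_CPORTS "$eg_udp"
}

ssh_port_allowed() {
    # 0 when PORT (default 22) is listed literally in IG_TCP_CPORTS.
    # A port covered only by a low_high range is not recognised here.
    port=${2:-22}
    case ",$(apf_get "$1" IG_TCP_CPORTS)," in
        *,"$port",*) return 0 ;;
    esac
    return 1
}

disable_devm() {
    # Leave development mode only if the SSH port is open; otherwise the
    # five-minute cron restart is the only thing keeping you logged in.
    ssh_port_allowed "$1" "${2:-22}" || { echo "SSH port not in IG_TCP_CPORTS, keeping DEVM=1" >&2; return 1; }
    apf_set "$1" DEVM 0
}

make_sample_conf() {
    # Constructed stand-in for /etc/apf/conf.apf (only the keys used here).
    sf=$(mktemp) || return 1
    cat > "$sf" <<'EOF'
# constructed sample, not the real conf.apf
DEVM="1"
USE_DS="0"
IG_TCP_CPORTS="22"
IG_UDP_CPORTS=""
EGF="0"
EG_TCP_CPORTS="21,25,80,443,43"
EG_UDP_CPORTS="20,21,53"
EOF
    echo "$sf"
}

# Demo on the sample file: show the before/after and one rejected list.
sample=$(make_sample_conf)
echo "before: IG_TCP_CPORTS=$(apf_get "$sample" IG_TCP_CPORTS) DEVM=$(apf_get "$sample" DEVM)"
apply_tutorial_settings "$sample" && disable_devm "$sample" 22
echo "after:  IG_TCP_CPORTS=$(apf_get "$sample" IG_TCP_CPORTS) DEVM=$(apf_get "$sample" DEVM)"
valid_port_list "2082 ,2083" || echo "rejected: '2082 ,2083' (stray space)"
rm -f "$sample"
```

On a real server, run apply_tutorial_settings against /etc/apf/conf.apf, restart with apf -r, confirm a new SSH login works, and only then call disable_devm with your actual SSH port.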
Enjoy