Install / Configure APF Firewall - Best Suite For Webservers

Advanced Policy Firewall (APF).

Advanced Policy Firewall (APF) is an iptables (netfilter)-based firewall system for Linux machines. It is best thought of as a policy layer on top of iptables: the rule set is generated from plain-text configuration files under /etc/apf and is managed with the 'apf' command, so you never have to write iptables rules by hand.

Installation.

1. Download the source archive. Note that the download is served over plain HTTP and the tarball is not signed, so verify it against a checksum obtained from a trusted channel before running the installer as root.

cd /usr/src
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

2. Extract the file.

tar -xvzf apf-current.tar.gz

3. Run the installer (as root; it creates /etc/apf and the init script).

cd apf*
./install.sh

4. Register APF with chkconfig so that it is started at boot. This applies to SysV-init systems; on a systemd host use "systemctl enable apf" after the same install.

chkconfig --add apf
chkconfig --level 345 apf on
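The four steps above as one script. This is an added example, not code from the LinOxide article or the APF project: it wraps the same commands in functions, refuses to run install.sh unless the tarball matches a SHA-256 checksum the caller supplies (the page gives no checksum, so the expected value is an assumption passed on the command line), and picks chkconfig or systemctl depending on which one the host has.

```bash
#!/usr/bin/env bash
# Added example (not from the article or APF): install APF with a
# checksum check in front of install.sh. The download is plain HTTP and
# unsigned, so a checksum obtained out of band is the only check we have.
# The expected hash is supplied by the caller; nothing here is authoritative.
set -u

APF_URL="http://www.rfxnetworks.com/downloads/apf-current.tar.gz"   # URL from the article
SRC_DIR="${SRC_DIR:-/usr/src}"

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, 1 otherwise
verify_sha256() {
    file="$1"; expected="$2"
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# boot_enable_cmd -> prints the command that registers apf at boot on this host:
# chkconfig (SysV, as in the article) where it exists, systemctl otherwise
boot_enable_cmd() {
    if command -v chkconfig >/dev/null 2>&1; then
        echo "chkconfig --add apf && chkconfig --level 345 apf on"
    elif command -v systemctl >/dev/null 2>&1; then
        echo "systemctl enable apf"
    else
        echo "unknown"; return 1
    fi
}

# install_apf EXPECTED_SHA256 -> download, verify, extract, install, enable at boot
install_apf() {
    expected="$1"
    cd "$SRC_DIR" || return 1
    wget -q "$APF_URL" -O apf-current.tar.gz || return 1
    if ! verify_sha256 apf-current.tar.gz "$expected"; then
        echo "checksum mismatch for apf-current.tar.gz; not installing" >&2
        rm -f apf-current.tar.gz
        return 1
    fi
    tar -xzf apf-current.tar.gz || return 1
    cd apf-*/ || return 1          # match the extracted directory only, not the tarball
    ./install.sh || return 1
    sh -c "$(boot_enable_cmd)"
}

# Only act when explicitly asked:  ./install-apf.sh install <sha256>
if [ "${1:-}" = "install" ] && [ -n "${2:-}" ]; then
    install_apf "$2"
fi
```

Run it as "./install-apf.sh install <sha256>" once you have a checksum you trust; without the argument it only defines the functions, so it is safe to source.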

Configuration.

All configuration files live in /etc/apf. Edit /etc/apf/conf.apf to suit the host; the variables below are the ones that usually have to change before the firewall can be used in production.

1. DEVEL_MODE="1".

This tells APF to run in development mode: a cron job stops the firewall every 5 minutes so that a configuration error cannot lock you out of the machine. Leave it at "1" while you test (preferably from a second SSH session) and set DEVEL_MODE="0" once you are satisfied that the firewall behaves as intended. Until you do, the rules you configure are only ever in effect for five minutes at a time, so a host left in this mode is effectively unprotected.

2. IFACE_IN & IFACE_OUT.

IFACE_IN="eth0"
IFACE_OUT="eth0"

These variables tell the firewall which interface carries the main network traffic, such as the connection to the Internet, and it is on these that the ingress and egress rules are applied. A second interface on a private backend network is filtered the same way unless it is listed in IFACE_TRUSTED in the same file.

3. IG_TCP_CPORTS.

This controls which TCP ports accept incoming connections, i.e. the host's "server" or "listening services" ports. Entries are comma-separated and a range is written with an underscore, so 30000_35000 below is a passive FTP data range that belongs with port 21. Review the list against what the host actually runs: 3306 (MySQL) should only be open to the Internet if remote clients genuinely connect to it, otherwise leave it out and permit the specific client addresses through allow_hosts.rules instead.

IG_TCP_CPORTS="21,22,25,53,80,110,143,443,465,993,995,3306,30000_35000"

4. IG_UDP_CPORTS.

This controls which UDP ports accept incoming traffic, again the "listening services" of the host. Of the example list below only 53 (DNS) is actually a UDP service; FTP (21), SMTPS (465) and rsync (873) run over TCP, so those entries do no harm but do nothing useful either.

IG_UDP_CPORTS="21,53,465,873"

5. EGF.

It is recommended that you enable outbound (egress) filtering. It is common practice and gives a second line of defence: a compromised web application or a rogue process cannot freely open connections out of the box. With EGF="1" the permitted outbound ports are governed by EG_TCP_CPORTS and EG_UDP_CPORTS in the same file, so make sure those include what the host legitimately needs (DNS, the mail relay, package updates) before restarting.

EGF="1"

6. SET_MONOKERN.

This tells APF that the netfilter components are compiled directly into the kernel rather than shipped as loadable modules, so it does not try to load them. If APF reports an error such as "unable to load iptables module" on a kernel built this way, set SET_MONOKERN="1".

Whatever you changed, restart APF afterwards so the new rules are loaded, and confirm from a second session that you still have access:

/etc/init.d/apf restart
Or
apf -r
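A script that applies the settings from items 1 to 6 and checks the result before the restart. This is an added example, not part of the article or of APF itself: the variable names (DEVEL_MODE, IFACE_IN, IFACE_OUT, IG_TCP_CPORTS, IG_UDP_CPORTS, EGF, EG_TCP_CPORTS, EG_UDP_CPORTS, SET_MONOKERN) are the ones from conf.apf, but the sample file it writes is a constructed stand-in with placeholder defaults, and the egress port choices are assumptions to be adjusted for the host.

```bash
#!/usr/bin/env bash
# Added example (not from the article or APF): edit conf.apf settings
# idempotently and lint the result for the mistakes discussed above
# (DEVEL_MODE left on, egress filtering off, bad port syntax, MySQL open
# to the world). Work on a copy first; the sample file below is constructed.
set -u

# apf_get FILE NAME -> value of NAME="value" (empty if unset)
apf_get() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*$/\1/p" "$1" | head -n 1
}

# apf_set FILE NAME VALUE -> rewrite NAME="..." in place (append if missing)
apf_set() {
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=\"$3\"|" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# valid_ports LIST -> 0 if LIST uses APF port syntax: comma-separated ports
# (1-65535) or LOW_HIGH ranges joined with an underscore, no spaces
valid_ports() {
    echo "$1" | grep -Eq '^([0-9]{1,5}(_[0-9]{1,5})?)(,[0-9]{1,5}(_[0-9]{1,5})?)*$' || return 1
    for p in $(echo "$1" | tr ',_' '  '); do
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
}

# apf_lint FILE -> prints one warning per finding; return code is the number of findings
apf_lint() {
    f="$1"; n=0
    [ "$(apf_get "$f" DEVEL_MODE)" = "0" ] || { echo "DEVEL_MODE is not 0: cron flushes the rules every 5 minutes"; n=$((n+1)); }
    [ "$(apf_get "$f" EGF)" = "1" ] || { echo "EGF is not 1: outbound traffic is unfiltered"; n=$((n+1)); }
    tcp=$(apf_get "$f" IG_TCP_CPORTS)
    valid_ports "$tcp" || { echo "IG_TCP_CPORTS has bad syntax or port out of range: $tcp"; n=$((n+1)); }
    case ",$tcp," in *,3306,*) echo "IG_TCP_CPORTS opens 3306 (MySQL) to everyone"; n=$((n+1));; esac
    return "$n"
}

# harden_conf FILE -> apply the settings from the configuration section
harden_conf() {
    f="$1"
    apf_set "$f" DEVEL_MODE 0
    apf_set "$f" IFACE_IN eth0
    apf_set "$f" IFACE_OUT eth0
    # the article's list without 3306: MySQL should not listen to the world
    apf_set "$f" IG_TCP_CPORTS "21,22,25,53,80,110,143,443,465,993,995,30000_35000"
    apf_set "$f" IG_UDP_CPORTS "53"              # 21/465/873 are TCP services; DNS is the UDP one
    apf_set "$f" EGF 1
    apf_set "$f" EG_TCP_CPORTS "21,25,53,80,443"  # assumed outbound needs: FTP, SMTP relay, DNS/TCP, HTTP(S)
    apf_set "$f" EG_UDP_CPORTS "53,123"           # assumed outbound needs: DNS, NTP
}

# make_sample_conf FILE -> constructed stand-in for /etc/apf/conf.apf (placeholder defaults)
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed stand-in for /etc/apf/conf.apf (not the real file)
DEVEL_MODE="1"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IG_TCP_CPORTS="22"
IG_UDP_CPORTS=""
EGF="0"
EG_TCP_CPORTS="21,25,80,443,43"
EG_UDP_CPORTS="20,21,53"
SET_MONOKERN="0"
EOF
}
```

Typical use is "cp /etc/apf/conf.apf /tmp/conf.apf && harden_conf /tmp/conf.apf && apf_lint /tmp/conf.apf", then copy the file back and run "apf -r" only when the lint is quiet; leave DEVEL_MODE at 1 for the first restart if you are working over SSH and flip it to 0 afterwards.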

Common APF usages.

1. Deny an IP address.

apf -d IPADDRESS

This adds the IP address (a CIDR block such as 192.0.2.0/24 is accepted too) to /etc/apf/deny_hosts.rules and loads the rule into the running firewall immediately. Be careful never to deny the address you are administering the host from.

2. Allow (Trust) an IP address.

apf -a IPADDRESS

This adds the IP address to /etc/apf/allow_hosts.rules and loads the rule immediately. Use it for your own management addresses before tightening anything else.

3. Remove an IP address.

apf -u IPADDRESS

This removes every matching entry from allow_hosts.rules, deny_hosts.rules and the global extensions of these files, and drops the corresponding rule from the running firewall.
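The deny and allow commands above are what you would script against an auth log. This is an added example, not from the article or from APF: it counts failed sshd logins per source address in constructed log lines, prints (or, if APF_CMD=apf, runs) "apf -d" for sources over a threshold, and never denies the management addresses listed in TRUSTED, since "apf -d" on your own source IP is the classic way to lock yourself out. The trailing comment after the host relies on apf's "-d HOST {COMMENT}" form; drop it if your version objects.

```bash
#!/usr/bin/env bash
# Added example (not from the article or APF): ban sshd brute-forcers with
# apf -d, dry-run by default. Log lines are constructed; the real source
# would be /var/log/secure or /var/log/auth.log.
set -u

APF_CMD="${APF_CMD:-echo apf}"                    # set APF_CMD=apf to actually ban
THRESHOLD="${THRESHOLD:-5}"                        # failures before a source is denied
TRUSTED="${TRUSTED:-203.0.113.10 198.51.100.7}"   # constructed management IPs, never denied

# offenders LOGFILE -> "IP COUNT" lines for sources with >= THRESHOLD failed sshd logins
offenders() {
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user)' "$1" \
      | grep -oE 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' | awk '{print $2}' \
      | sort | uniq -c | awk -v t="$THRESHOLD" '$1 >= t {print $2, $1}'
}

# is_trusted IP -> 0 if IP is listed in TRUSTED
is_trusted() {
    for t in $TRUSTED; do [ "$t" = "$1" ] && return 0; done
    return 1
}

# ban_offenders LOGFILE -> apf -d for each offender that is not trusted
ban_offenders() {
    offenders "$1" | while read -r ip count; do
        if is_trusted "$ip"; then
            echo "skip trusted $ip ($count failures)" >&2
            continue
        fi
        $APF_CMD -d "$ip" "sshd brute force: $count failures"
    done
}

# make_sample_log FILE -> constructed sshd log lines (TEST-NET addresses)
make_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 02:10:01 web1 sshd[2201]: Failed password for root from 192.0.2.44 port 51022 ssh2
Jan 10 02:10:03 web1 sshd[2203]: Failed password for root from 192.0.2.44 port 51030 ssh2
Jan 10 02:10:05 web1 sshd[2205]: Invalid user admin from 192.0.2.44 port 51040
Jan 10 02:10:07 web1 sshd[2207]: Failed password for invalid user admin from 192.0.2.44 port 51044 ssh2
Jan 10 02:10:09 web1 sshd[2209]: Failed password for root from 192.0.2.44 port 51050 ssh2
Jan 10 02:11:00 web1 sshd[2301]: Failed password for bob from 203.0.113.10 port 40000 ssh2
Jan 10 02:11:02 web1 sshd[2302]: Failed password for bob from 203.0.113.10 port 40001 ssh2
Jan 10 02:11:04 web1 sshd[2303]: Failed password for bob from 203.0.113.10 port 40002 ssh2
Jan 10 02:11:06 web1 sshd[2304]: Failed password for bob from 203.0.113.10 port 40003 ssh2
Jan 10 02:11:08 web1 sshd[2305]: Failed password for bob from 203.0.113.10 port 40004 ssh2
Jan 10 02:12:00 web1 sshd[2401]: Accepted publickey for deploy from 198.51.100.7 port 5000 ssh2
Jan 10 02:12:30 web1 sshd[2402]: Failed password for root from 198.51.100.9 port 6000 ssh2
EOF
}
```

On the sample above 192.0.2.44 is denied, 203.0.113.10 is skipped as trusted even though it crossed the threshold, and 198.51.100.9 is left alone with a single failure. Review the printed commands first, then rerun with APF_CMD=apf from a cron job or a log-tailing loop.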

Bobbin Zachariah 2:15 pm
