Advanced Policy Firewall (APF).
Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system for Linux machines. It is best thought of as a front end to iptables: the rule set is generated from a configuration file and the whole firewall is managed with the ‘apf’ command, so you rarely write raw iptables rules yourself.
1. Download the source file.
2. Extract the file.
tar -xvzf apf-current.tar.gz
3. Change into the extracted directory and run the installer script it contains.
4. Register APF with chkconfig. This is required so that APF starts again after a reboot; without it the host comes back up with no firewall rules loaded.
chkconfig --add apf
chkconfig --level 345 apf on
All the configuration files are located in the /etc/apf directory. You need to edit the main configuration file “/etc/apf/conf.apf” to match the system, since the defaults are deliberately minimal. The variables below are the ones that usually have to be changed for the firewall to operate correctly.
1. DEVEL_MODE.
This tells APF to run in development mode, which means that a cron job flushes the firewall every 5 minutes so that a configuration error cannot lock you out of the system (for example by blocking the SSH port you are connected on). It also means the host is effectively unprotected for as long as it stays on. Once you are satisfied that the firewall is configured and operating as intended you must disable it by setting DEVEL_MODE to 0.
2. IFACE_IN & IFACE_OUT.
These variables tell the firewall which interfaces carry the main network traffic, such as the interface facing the Internet (typically the same interface for both).
3. IG_TCP_CPORTS.
This controls which TCP ports are allowed for incoming traffic, also known as the "server" or "listening services" ports. Only list ports that the host actually listens on, and make sure the SSH port you administer the machine over is among them.
4. IG_UDP_CPORTS.
This controls which UDP ports are allowed for incoming traffic, the UDP counterpart of the "server" or "listening services" ports (DNS or NTP, for example, if the host serves them).
5. EGF.
It is recommended that you enable outbound (egress) filtering: it provides a very robust level of protection, since a compromised process cannot freely open connections to the outside, and filtering outbound traffic is common practice. Once it is on, only the outbound ports you have explicitly allowed are reachable, so list the ones the host needs (DNS, package updates, mail) before relying on it.
6. SET_MONOKERN.
This option tells APF that instead of looking for iptables modules it should expect them to be compiled directly into the kernel (a monolithic kernel). If APF produces an error like “unable to load iptables module” you need to enable this. After configuring APF properly you need to restart it with the apf command so the new rules are generated and loaded.
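The following script is an added example (not part of APF or its documentation) that applies the settings discussed above to conf.apf and checks the result. It writes a constructed sample of the relevant conf.apf lines to a temporary file by default so it can be run safely; point APF_CONF at /etc/apf/conf.apf to edit the real file. The interface name and port lists are assumptions for a typical web host and must be adjusted to the machine.

```shell
#!/usr/bin/env bash
# Added example, not APF's own code: set the conf.apf variables covered above
# and verify them. Defaults to a constructed sample file; set APF_CONF to
# /etc/apf/conf.apf to apply to the real firewall configuration.
set -eu

APF_CONF="${APF_CONF:-$(mktemp)}"

# Constructed sample of the relevant lines of conf.apf (the real file is much longer).
write_sample_conf() {
    cat > "$1" <<'EOF'
DEVEL_MODE="1"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IG_TCP_CPORTS="22"
IG_UDP_CPORTS=""
EGF="0"
SET_MONOKERN="0"
EOF
}

# Set NAME="VALUE" in the conf file. Refuses unknown names so a typo does not
# silently add a line that APF never reads.
set_conf_var() {
    name=$1; value=$2; file=$3
    grep -q "^${name}=" "$file" || { echo "no such variable: $name" >&2; return 1; }
    sed -i "s|^${name}=.*|${name}=\"${value}\"|" "$file"
}

# Print the value of NAME with the quotes stripped.
get_conf_var() {
    sed -n "s/^$1=//p" "$2" | tr -d '"'
}

# Exit 0 while DEVEL_MODE is still on, i.e. cron flushes the rules every
# five minutes and the host is effectively unprotected.
devel_mode_on() {
    [ "$(get_conf_var DEVEL_MODE "$1")" = "1" ]
}

# Apply the settings discussed above. eth0 and the port lists (SSH, HTTP,
# HTTPS, DNS) are assumptions for a typical web host.
configure_apf() {
    file=$1
    set_conf_var IFACE_IN  eth0 "$file"
    set_conf_var IFACE_OUT eth0 "$file"
    set_conf_var IG_TCP_CPORTS "22,80,443" "$file"
    set_conf_var IG_UDP_CPORTS "53" "$file"
    set_conf_var EGF 1 "$file"
    # Only set SET_MONOKERN=1 if apf reports "unable to load iptables module".
    # Turn DEVEL_MODE off last, after confirming SSH still works with the rules loaded.
    set_conf_var DEVEL_MODE 0 "$file"
}

write_sample_conf "$APF_CONF"
configure_apf "$APF_CONF"
if devel_mode_on "$APF_CONF"; then
    echo "WARNING: DEVEL_MODE is still enabled; the firewall will keep flushing itself" >&2
fi
cat "$APF_CONF"
# On the real host, reload the firewall with the new configuration:
# apf -r
```

Run it once with DEVEL_MODE left at 1 from a second SSH session, confirm the first session survives a rule load, and only then let configure_apf switch DEVEL_MODE to 0 and run apf -r.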
Common apf commands.
1. Deny an IP address.
apf -d IPADDRESS
This adds the IP address to the file /etc/apf/deny_hosts.rules and blocks all traffic from it.
2. Allow (trust) an IP address.
apf -a IPADDRESS
This adds the IP address to the file /etc/apf/allow_hosts.rules, so that traffic from it bypasses the port restrictions. Trust only hosts you control, since an allowed address is not filtered at all.
3. Remove an IP address.
apf -u IPADDRESS
This removes matching entries from allow_hosts.rules, deny_hosts.rules and the global extensions of these files.
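A typical use of apf -d is to block sources of repeated failed logins. The script below is an added example (not part of APF) that counts failed SSH password attempts per source address in an sshd log, skips any address that is already trusted in allow_hosts.rules (denying a trusted host would lock out the people who manage the box), and issues apf -d for the rest. The log lines and the allow file are constructed sample data; the threshold of 5 attempts and the DRY_RUN default are assumptions, so by default it only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example, not APF's own code: deny sources of repeated failed SSH
# logins with apf -d, skipping hosts trusted in allow_hosts.rules.
# DRY_RUN=1 (the default) prints the apf commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
THRESHOLD="${THRESHOLD:-5}"

# Constructed sample sshd log: 203.0.113.7 fails 5 times, 198.51.100.9 twice,
# and 192.0.2.10 (a trusted admin host) 5 times.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  1 10:00:02 host sshd[2002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  1 10:00:03 host sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  1 10:00:04 host sshd[2004]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  1 10:00:05 host sshd[2005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  1 10:00:06 host sshd[2006]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar  1 10:00:07 host sshd[2007]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  1 10:00:08 host sshd[2008]: Accepted publickey for ops from 192.0.2.10 port 3022 ssh2
Mar  1 10:00:09 host sshd[2009]: Failed password for ops from 192.0.2.10 port 3023 ssh2
Mar  1 10:00:10 host sshd[2010]: Failed password for ops from 192.0.2.10 port 3024 ssh2
Mar  1 10:00:11 host sshd[2011]: Failed password for ops from 192.0.2.10 port 3025 ssh2
Mar  1 10:00:12 host sshd[2012]: Failed password for ops from 192.0.2.10 port 3026 ssh2
Mar  1 10:00:13 host sshd[2013]: Failed password for ops from 192.0.2.10 port 3027 ssh2
EOF

# Constructed stand-in for /etc/apf/allow_hosts.rules (one address per line, # comments).
SAMPLE_ALLOW=$(mktemp)
cat > "$SAMPLE_ALLOW" <<'EOF'
# trusted admin host
192.0.2.10
EOF

# Print "count ip" for every source with at least THRESHOLD failed password attempts.
failed_login_sources() {
    log=$1; threshold=$2
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$log" | sort -rn
}

# Exit 0 when IP appears as an uncommented exact entry in an APF rules file.
# (CIDR entries are not expanded here; extend if your allow file uses them.)
in_rules_file() {
    ip=$1; file=$2
    [ -f "$file" ] && grep -v '^#' "$file" | grep -Fqx "$ip"
}

# Print one IP per line that is over the threshold and not trusted.
ips_to_deny() {
    log=$1; allow=$2; threshold=$3
    failed_login_sources "$log" "$threshold" | while read -r count ip; do
        if in_rules_file "$ip" "$allow"; then
            echo "skip $ip ($count failures): listed in $allow" >&2
        else
            echo "$ip"
        fi
    done
}

# Deny each IP read from stdin with apf -d, or just print the command in DRY_RUN.
deny_ips() {
    while read -r ip; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "would run: apf -d $ip"
        else
            apf -d "$ip"
        fi
    done
}

ips_to_deny "$SAMPLE_LOG" "$SAMPLE_ALLOW" "$THRESHOLD" | deny_ips
```

With the sample data only 203.0.113.7 is denied: 198.51.100.9 is under the threshold and 192.0.2.10 is skipped because it is in the allow file. On a real host, point the log path at /var/log/secure or /var/log/auth.log, the allow path at /etc/apf/allow_hosts.rules, and set DRY_RUN=0 once the output looks right; entries added with apf -d stay in deny_hosts.rules until removed with apf -u.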