Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations. In this paper I will show you how to install and configure APF firewall to your system. It is one of the best open source firewalls available.

Download APF firewall:

wget http://www.r-fx.ca/downloads/apf-current.tar.gz

Extract & Install:

tar –zxvf apf-current.tar.gz
cd apf-0.9.6-2
./install.sh

After the installation is complete you will receive a message saying it has been installed.  Next we will have to configure the firewall:

vi /etc/apf/conf.apf

Here is the general configuration to make your firewall run and block/open default ports. The rest is up to you to read the README file.

First we will enable the firewall to use the DShield.org block list of networks that are suspicious.  You can change in the config file the option that says: USE_DS=”0” to USE_DS=”1”

Here two configuration ways for firewall to work with: General & CPanel. CPanel configuration is the most well known web hosting package for servers nowadays.

Refer here for a list of ports.

Common ingress (inbound) ports # Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD IG_TCP_CPORTS=”21,22,25,53,80,110,143,443,995″ # # Common ingress (inbound) UDP ports IG_UDP_CPORTS=”53″
# Egress filtering [0 = Disabled / 1 = Enabled] EGF=”1″ # Common egress (outbound) TCP ports EG_TCP_CPORTS=”21,25,80,443,43″ # # Common egress (outbound) UDP ports EG_UDP_CPORTS=”20,21,53″

CPanel Configuration

Common ingress (inbound) ports # Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD IG_TCP_CPORTS=”21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500″ # # Common ingress (inbound) UDP ports IG_UDP_CPORTS=”53″ Common egress (outbound) ports # Egress filtering [0 = Disabled / 1 = Enabled] EGF=”1″ # Common egress (outbound) TCP ports EG_TCP_CPORTS=”21,25,80,443,43,2089″ # # Common egress (outbound) UDP ports EG_UDP_CPORTS=”20,21,53″

Now start the firewall:

/etc/apf/apf –s

After verifying everything is working fine and without any problem go back to the configuration file to change the DEVM=”1” to DEVM=”0”

Now its time to configure the AntiDos options of APF Firewall:

vi /etc/apf/ad/conf.antidos

You can configure lot of things there but we will just enable the send email option.

Find the following lines and replace them with your details:
# Organization name to display on outgoing alert emails
CONAME=”Your Company”
# Send out user defined attack alerts [0=off,1=on]
USR_ALERT=”0″
#
# User for alerts to be mailed to
USR=you@yourco.com

You should replace USR_ALERT from “0” to “1”

Save and restart the firewall:

/etc/apf/apf –r

To make the firewall start with the Operating System:

chkconfig –level 2345 apf on

Tips:

To deny an ip use:

/etc/apf/apf –d ip notes

You can do that also from vi /etc/apf/deny_hosts.rules to deny hosts
To allow an ip use:

/etc/apf/apf –a ip notes

You can do that also from vi /etc/apf/allow_hosts.rules to allow hosts.