How to:- Install and Configure APF on CentOS/Redhat/Fedora or Ubuntu

What is APF Firewall?

Advanced Policy Firewall (APF) is an netfilter (Iptalbes) based firewall tools. We can configure APF easily with full featured firewall to secure and protect server and desktop connected to a internet and network. It is designed around the essential needs of today’s Linux and UNIX servers.

In this tutorial I am going to explain how we can install and configure Advanced Policy Firewall (APF) to secure Linux/UNINX Systems.

Install Advanced Policy Firewall (APF)

Follow the below steps to download and install Advanced Policy Firewall.

# wget http://www.rfxn.com/downloads/apf-current.tar.gz
# tar -zxvf http://www.rfxn.com/downloads/apf-current.tar.gz

Now install it

# cd apf-9.7-2
# sh ./install.sh

Installing APF 0.9.7-2: Completed.
Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/
Other Details:
Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
Listening UDP ports: 53,55880

You will get some output like above. Above ports are not auto-configured.These are simply presented for information purpose. you will need to configure all port manually. APF is only accessible by ssh and there is no other way to make changes in APF if your are using through cPanel or WHM.

You can see all of the APF configuration files in the /etc/apf directory on the server. In this directory the allow_hosts.rules file contains all white-listed IP address for the server, deny_hosts.rules file contains all blocked IP address on the server, in deny_hosts.rules file each IP that is being blocked should also include a reason behind the block. Most of them blocked by bfd, which blocks IPs attempting to brute force the server.

Block IP in Firewall

Simply run the below command to bock an IP in the firewall.

# apf -d 192.168.0.10

You will get error if the IP has previously been white-listed.

192.168.0.10 already exists in /etc/apf/allow_hosts.rules

Remove the IP before you can block it in the firewall, you will need to edit /etc/apf/allow_hosts.rules in your preferred editor. You can also use below command to get the IP out of allow_hosts.rules.

# apf -u 192.168.0.10

Start APF

Follow the below command to start the APF if it is not running.

# apf -s

Stop APF

Follow the below command to stop and and flush all rules from the Firewall.

# apf -f

Rstart APF

Follow the below command to restart APF.

# apf -r

List APF Statistics

Follow the below command to list APF statistics

# apf -l

Status of APF

Follow the below command to show APF status.

# apf -st

White List IP

If you want to white listing IP permanently and you would like never to be added to firewall. Simply run below command

# apf -a 192.168.0.10

If you get below output like below it means the IP address is currently being blocked by firewall.

192.168.0.10 already exists in /etc/apf/deny_hosts.rules

In this situation you will need to edit /etc/apf/deny_hosts.rules and remove the IP address before it can be added to the white-list. Follow the below command to remove the IP address from deny_hosts.rules.

# apf -u 192.168.0.10

Open Port in the Firewall

By default apf block all ports besides the ones specifically allowed to be open to the world. You will need to edit main apf configuration file to allow additional ports.

# vim /etc/apf/conf.apf

DEVEL_MODE="1" - Set this option to 1 until you're satisfied with settings. 1 means apf is on development
mode and there is a cron set to deactivate APF every 5 minutes.

SET_MONOKERN="0" - APF support monolithic kernels. If IPtables was not complied as a module. You will get below error.

apf: Unable to load iptables module (ip_tables)

If you are getting this error in your firewall logs at apf -t on your server, means your kernel is compiled with iptables statically instead of as a module,
and you will need to change this in the /etc/apf/conf.apf

MONOKERN=”0? Set it to “1”

IFACE_IN="eth0" OR IFACE_OUT="eth0" - Untrusted interfaces which is connected to the network.

IG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,143,443,465,873,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,6666" - inbound TCP ports which is open in APF

IG_UDP_CPORTS="53,6277" - inbound UDP ports which is open in firewall.

IG_ICMP_TYPES="3,5,11,30" - Inbound ICMP ports.You can remove 0 and 8 port so that server can't answer any pings. Leave them in place if you want to check the ping request in your data-centre.

EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703" - Outbound TCP posts to open in firewall.

EG_UDP_CPORTS="20,21,53,873,953,6277" - Outbound UDP ports numbers.

TCP_STOP="DROP" - Set a reaction in case of TCP connections that violate the rules.

UDP_STOP="DROP" - Set a reaction in case of UDP connections that violate the rules.

ALL_STOP="DROP" - Set a reaction to any other connections.

BLK_PRVNET="1" - To blocks all private ipv4 addresses. If Your machine is behind Network Address Translation (NAT).

Test APF

You can test your firewall with the a port scanner like NMAP and any other tool. If you faces any issue with firewall you will be able to fix it remotely because cron will flush your all configured rules every 5 minutes.

Final Step to Make APF Live

If you are sure that the firewall is working fine and it is working as you expect, now you can change DEVEL_MODE=”1″ option in the configuration file to DEVEL_MODE=”0″ and restart APF.

I hope this article will be helpful to Install and Configure APF ( Advanced Policy Firewall ) to Secure Linux/UNIX or Ubuntu/Debian system.