Install and Configure APF ( Advanced Policy Firewall ) to Secure Linux/UNIX System
Advanced Policy Firewall (APF) is a netfilter (iptables) based firewall tool. APF is easy to configure as a full-featured firewall that protects servers and desktops connected to the Internet or a local network, and it is designed around the essential needs of today's Linux and UNIX servers.
In this tutorial I am going to explain how to install and configure Advanced Policy Firewall (APF) to secure Linux/UNIX systems.
Install Advanced Policy Firewall (APF)
Follow the steps below to download and unpack Advanced Policy Firewall.
# wget http://www.rfxn.com/downloads/apf-current.tar.gz
# tar -zxvf apf-current.tar.gz
Now install it:
# cd apf-9.7-2
# sh ./install.sh
Installing APF 0.9.7-2: Completed.
Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/
Other Details:
Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
Listening UDP ports: 53,55880
You will get output like the above. The ports listed are not configured automatically; they are shown for information only, and you will need to open every port yourself. APF can only be managed over SSH; there is no way to change its settings through cPanel or WHM.
All of the APF configuration files live in the /etc/apf directory on the server. In this directory, allow_hosts.rules holds every white-listed IP address for the server and deny_hosts.rules holds every blocked IP address. Each IP in deny_hosts.rules should also carry a reason for the block; most entries are added by bfd, which blocks IPs that attempt to brute-force the server.
Block IP in Firewall
Simply run the command below to block an IP in the firewall.
# apf -d 192.168.0.10
You will get an error if the IP has previously been white-listed:
192.168.0.10 already exists in /etc/apf/allow_hosts.rules
Before you can block the IP you need to remove it from /etc/apf/allow_hosts.rules, either in your preferred editor or with the command below, which takes the IP out of allow_hosts.rules.
# apf -u 192.168.0.10
Run the command below to start APF if it is not running.
# apf -s
Run the command below to stop APF and flush all rules from the firewall.
# apf -f
Run the command below to restart APF.
# apf -r
List APF Statistics
Run the command below to list APF statistics.
# apf -l
Status of APF
Run the command below to show the APF status.
# apf -st
White List IP
If you want to white-list an IP permanently so that it is never blocked by the firewall, simply run the command below.
# apf -a 192.168.0.10
If you get output like the following, the IP address is currently being blocked by the firewall:
192.168.0.10 already exists in /etc/apf/deny_hosts.rules
In this case you need to remove the IP address from /etc/apf/deny_hosts.rules before it can be added to the white-list. Run the command below to remove the IP address from deny_hosts.rules.
# apf -u 192.168.0.10
Open Port in the Firewall
By default APF blocks all ports except the ones specifically allowed to be open to the world. To allow additional ports you need to edit the main APF configuration file.
# vim /etc/apf/conf.apf
DEVEL_MODE="1" - Leave this option set to 1 until you are satisfied with your settings. 1 means APF is in development mode, and a cron job deactivates APF every 5 minutes.

SET_MONOKERN="0" - APF supports monolithic kernels. If iptables was not compiled as a module you will get the error below:
apf: Unable to load iptables module (ip_tables)
If you see this error in your firewall logs or in the output of apf -t on your server, your kernel has iptables compiled in statically instead of as a module, and you need to change SET_MONOKERN="0" to SET_MONOKERN="1" in /etc/apf/conf.apf.

IFACE_IN="eth0" / IFACE_OUT="eth0" - The untrusted interface connected to the network.

IG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,143,443,465,873,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,6666" - Inbound TCP ports opened in APF.

IG_UDP_CPORTS="53,6277" - Inbound UDP ports opened in the firewall.

IG_ICMP_TYPES="3,5,11,30" - Inbound ICMP types. Remove types 0 and 8 so that the server cannot answer any pings; leave them in place if your data centre checks the server with ping requests.

EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703" - Outbound TCP ports to open in the firewall.

EG_UDP_CPORTS="20,21,53,873,953,6277" - Outbound UDP port numbers.

TCP_STOP="DROP" - Reaction to TCP connections that violate the rules.
UDP_STOP="DROP" - Reaction to UDP connections that violate the rules.
ALL_STOP="DROP" - Reaction to any other connection.

BLK_PRVNET="1" - Blocks all private IPv4 addresses; review this setting if your machine is behind Network Address Translation (NAT).
You can test your firewall with a port scanner such as Nmap or any similar tool. If you run into a problem with the firewall you will still be able to fix it remotely, because in development mode the cron job flushes all of your configured rules every 5 minutes.
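Before relying on the 5-minute cron flush and switching DEVEL_MODE off, it helps to check conf.apf for the mistakes that would lock you out once the rules stick. The script below is an added example, not part of the APF distribution: it reads the conf.apf keys explained above from a constructed sample file and assumes the administrator logs in over SSH on port 22.

```shell
#!/bin/sh
# Pre-flight check of an APF conf.apf before DEVEL_MODE is switched to 0.
# Added example, not part of APF; only the conf.apf keys explained in the
# tutorial are read. Assumption: the admin logs in over SSH on port 22.

# Constructed sample of the relevant conf.apf lines (not a real server's file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
DEVEL_MODE="1"
SET_MONOKERN="0"
IFACE_IN="eth0"
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,3306"
IG_UDP_CPORTS="53,6277"
TCP_STOP="DROP"
UDP_STOP="DROP"
ALL_STOP="DROP"
BLK_PRVNET="1"
EOF

# apf_get VAR FILE: print VAR's value from a conf.apf (one VAR="value" per line).
apf_get() {
    grep "^$1=" "$2" | head -n 1 | cut -d= -f2- | tr -d '"'
}

# port_listed PORT LIST: succeed if PORT appears in the comma-separated LIST.
# Single ports only; APF port ranges (e.g. 1000_2000) are not expanded here.
port_listed() {
    echo ",$2," | grep -q ",$1,"
}

# apf_problems FILE SSH_PORT: print one line per problem that would bite you
# once the development-mode cron job stops flushing the rules.
apf_problems() {
    conf=$1; ssh_port=$2
    if [ "$(apf_get DEVEL_MODE "$conf")" = "1" ]; then
        echo "DEVEL_MODE=1: cron flushes the rules every 5 minutes; set it to 0 to go live"
    fi
    if ! port_listed "$ssh_port" "$(apf_get IG_TCP_CPORTS "$conf")"; then
        echo "SSH port $ssh_port is not in IG_TCP_CPORTS: starting APF would lock you out"
    fi
    for var in TCP_STOP UDP_STOP ALL_STOP; do
        if [ "$(apf_get "$var" "$conf")" != "DROP" ]; then
            echo "$var is not DROP: rule violations would not be silently dropped"
        fi
    done
    return 0
}

apf_problems "$SAMPLE_CONF" 22   # for the sample, reports only the DEVEL_MODE line
```

Point it at /etc/apf/conf.apf and your real SSH port on a server; an empty report means the file is ready for DEVEL_MODE="0".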
Final Step to Make APF Live
Once you are sure the firewall is working as you expect, change DEVEL_MODE="1" in the configuration file to DEVEL_MODE="0" and restart APF.
I hope this article helps you install and configure APF (Advanced Policy Firewall) to secure your Linux/UNIX system. You may also want to read our other articles, Top 20 Crontab Examples to Schedule Tasks and Protect Apache Server From Dos (Denial-of-Service) Attack. If you have any queries or problems, please leave a comment below or ask your question.