Advanced Policy Firewall (APF)
Advanced Policy Firewall is a popular iptables-based firewall for Linux servers, and installing it is straightforward.
The following commands install APF on your server:
cd /usr/local/src
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxvf apf-current.tar.gz
cd apf-*
./install.sh
On installation, APF copies its files to the following locations:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/
Before you start APF, you need to configure it. By default only the SSH port is allowed inbound; all other ports are blocked, so you must open every port your server needs.
APF is configured by editing the configuration file /etc/apf/conf.apf:
# vi /etc/apf/conf.apf
Inbound Ports
Inbound ports are opened by adding them to IG_TCP_CPORTS (TCP) or IG_UDP_CPORTS (UDP). Port ranges are written as LOW_HIGH. The following are the recommended values for cPanel servers:
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3333,30000_35000"
IG_UDP_CPORTS="53,123"
Outbound Ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
EG_UDP_CPORTS="20,21,53,123"
Ports
21 - FTP Server
22 - SSH
25 - SMTP server
53 - TCP and UDP DNS Server
110 - POP3 server
123 - NTP (time server)
2089 - cPanel licence server
3306 - used by MySQL
30000_35000 - Passive Mode FTP
Testing APF
By default APF runs in DEVEL_MODE: when you start the firewall, the rules are flushed automatically after 5 minutes. That way, if a firewall rule locks you out of the server, you regain access after 5 minutes.
After you have tested the firewall, make it permanent by disabling DEVEL_MODE. This is done by editing /etc/apf/conf.apf:
FIND:
DEVEL_MODE="1"
REPLACE WITH:
DEVEL_MODE="0"
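Before flipping DEVEL_MODE to 0, it is worth confirming that the port lists parse and that SSH is still in IG_TCP_CPORTS, because once the rules stop auto-flushing a typo can lock you out. The following POSIX shell script is an added example, not part of APF: it checks a constructed conf.apf fragment (the sample values, the temp-file path, and SSH being on port 22 are assumptions).

```shell
#!/bin/sh
# Added example (not APF's own code): sanity-check an APF conf.apf before
# disabling DEVEL_MODE, so a port-list typo or a missing SSH port cannot
# lock you out once the rules stop auto-flushing.

# Constructed sample fragment of /etc/apf/conf.apf (assumed values).
SAMPLE_CONF='DEVEL_MODE="0"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3333,30000_35000"
IG_UDP_CPORTS="53,123"'
SAMPLE_FILE=${TMPDIR:-/tmp}/conf.apf.sample

# conf_get FILE KEY: print the double-quoted value of KEY in an APF conf file.
conf_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_ok ENTRY: succeed if ENTRY is a port (1-65535) or a LOW_HIGH range.
port_ok() {
    case "$1" in
        *_*) lo=${1%%_*}; hi=${1#*_}
             port_ok "$lo" && port_ok "$hi" && [ "$lo" -lt "$hi" ] ;;
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;;
    esac
}

# cports_ok LIST: succeed if every comma-separated entry in LIST is valid.
cports_ok() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        port_ok "$p" || return 1
    done
}

# has_port LIST PORT: succeed if PORT is listed as a single entry.
has_port() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_conf FILE: succeed only when both port lists parse and SSH (assumed
# on port 22) stays open; print the DEVEL_MODE setting for the operator.
check_conf() {
    tcp=$(conf_get "$1" IG_TCP_CPORTS)
    udp=$(conf_get "$1" IG_UDP_CPORTS)
    cports_ok "$tcp" && cports_ok "$udp" && has_port "$tcp" 22 || return 1
    echo "DEVEL_MODE=$(conf_get "$1" DEVEL_MODE)"
}

printf '%s\n' "$SAMPLE_CONF" > "$SAMPLE_FILE"
check_conf "$SAMPLE_FILE"
```

Run it against the real /etc/apf/conf.apf by replacing the sample path; a non-zero exit means fix the file before setting DEVEL_MODE="0".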
Using APF Firewall
apf -s start firewall
apf -f stop firewall
apf -d IPADDR block an IP
Unable to load iptables module (ipt_state), aborting.