This is a thorough how-to that covers the basics (and some more advanced topics) of installing and configuring an APF Firewall.
Downloading / Installation:
1. Download the software from: http://www.rfxnetworks.com/apf.php
   (the newest version at the time of writing this article was 0.9.3_3)
2. Extract the download on the server and change into the directory it creates:
   tar -xzvf apf-current.tar.gz
3. Run the install script from the extracted directory:
   ./install.sh
   You should see something like this once it has finished:
   .: APF installed
   Install path: /etc/apf
   Config path: /etc/apf/conf.apf
   Executable path: /usr/local/sbin/apf
   This tells you that APF was installed into '/etc/apf', that the config file is '/etc/apf/conf.apf', and that the executable is '/usr/local/sbin/apf' (you do not need to worry about the executable for now).
4. Open the '/etc/apf/conf.apf' configuration file in your favorite editor.
5. For initial testing, make sure DEVM="1". DEVM is APF's development mode: while it is "1", a cron entry installed by APF flushes the firewall every 5 minutes, so a mistake that locks you out undoes itself. Once we are sure the firewall is set up correctly, we will set it to "0".
6. I will list all the available options here with a brief description; it is your job to put the appropriate value in.
7. Make sure DEVM is still enabled ("1"), in case you made a mistake during configuration and end up locked out of the server, then start the firewall:
   /etc/init.d/apf start
   Immediately check that you can still SSH into the server once the firewall has finished loading. If you cannot, make sure that port 22 (or whichever port sshd listens on) is listed in the Common ingress TCP ports section (IG_TCP_CPORTS).
   If the firewall does not load and complains that iptables is not loaded, set MONOKERN to "1". MONOKERN tells APF that the kernel is monolithic (netfilter is compiled in rather than built as loadable modules), so APF stops trying to load the ip_tables module. The message that calls for MONOKERN="1" looks like this:
   Starting APF:Unable to load iptables module (ip_tables), aborting.
8. Once you have confirmed that you can still SSH into the server, set DEVM to disabled ("0") and restart the firewall by executing:
   Just to make certain, open a second SSH session to the server while keeping your current SSH connection open (with DEVM="0" the rules no longer flush themselves, so the session you already have is your only way back in if the new one fails). If for some reason you cannot connect, quickly execute from the open session:
   /etc/init.d/apf stop
   Then make sure that port 22 is added to the Common ingress TCP ports section (IG_TCP_CPORTS).
9. Now test the usual services that should not be blocked and that you listed in the Common ingress TCP ports section (IG_TCP_CPORTS).
   If you enabled egress filtering, make sure to test the cPanel update script (if you are running cPanel):
   /scripts/upcp
   Also test 'up2date' (if you are running some flavor of Red Hat):
   The rest of the testing is up to you; just make sure you do not firewall yourself out.
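Steps 5, 7 and 8 above ask you to eyeball conf.apf for the two settings that decide whether you lock yourself out: DEVM and the SSH port in IG_TCP_CPORTS. The script below is an added example, not part of APF or of this how-to, that performs that check before each stage: stage "test" (first start, DEVM must be "1") and stage "prod" (the final restart, DEVM must be "0"). The variable names DEVM, IG_TCP_CPORTS and EGF are APF's own; the function names, the stage argument and the sample config it writes are constructed for this example, and port ranges are read in APF's LOW_HIGH form.

```shell
#!/bin/sh
# Added example (not part of APF): preflight check of a conf.apf before
# "apf start" (stage "test", DEVM must be "1") and before the DEVM="0"
# restart (stage "prod"). Function names and the stage argument are assumed
# for this example; DEVM, IG_TCP_CPORTS and EGF are APF's variable names.

# Print the value of NAME="value" from a conf.apf-style file (last match wins,
# commented-out lines are ignored).
apf_conf_get() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Return 0 if PORT is covered by the comma-separated list LIST. APF writes
# ranges as LOW_HIGH (e.g. 30000_35000), so those are expanded too.
apf_list_has_port() {
    list="$1"; port="$2"
    for item in $(printf '%s' "$list" | tr ',' ' '); do
        case "$item" in
            *_*)
                lo=${item%_*}; hi=${item#*_}
                if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi
                ;;
            *)
                if [ "$item" = "$port" ]; then return 0; fi
                ;;
        esac
    done
    return 1
}

# apf_preflight CONF [SSH_PORT] [test|prod]
# Returns 0 when CONF is safe to load for that stage, 1 otherwise; prints findings.
apf_preflight() {
    conf="$1"; ssh_port="${2:-22}"; stage="${3:-test}"; rc=0
    case "$stage" in
        test) want_devm=1 ;;   # first start: a lockout must clear itself
        prod) want_devm=0 ;;   # final restart: development mode must be off
        *) echo "stage must be test or prod" >&2; return 2 ;;
    esac
    devm=$(apf_conf_get "$conf" DEVM)
    cports=$(apf_conf_get "$conf" IG_TCP_CPORTS)
    egf=$(apf_conf_get "$conf" EGF)
    if [ "$devm" != "$want_devm" ]; then
        echo "FAIL: DEVM=\"$devm\" but stage '$stage' expects DEVM=\"$want_devm\""
        rc=1
    fi
    if ! apf_list_has_port "$cports" "$ssh_port"; then
        echo "FAIL: SSH port $ssh_port is not in IG_TCP_CPORTS=\"$cports\" (you would lock yourself out)"
        rc=1
    fi
    if [ "$egf" = "1" ]; then
        echo "INFO: EGF=\"1\" - egress filtering is on; test outbound tools (e.g. /scripts/upcp, up2date) after starting"
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $conf passes the $stage preflight for SSH port $ssh_port"
    fi
    return "$rc"
}

# Demonstration on a constructed config (not a real /etc/apf/conf.apf):
# SSH is missing from IG_TCP_CPORTS, so the test-stage check fails.
demo_conf=$(mktemp)
printf '%s\n' 'DEVM="1"' 'EGF="1"' 'IG_TCP_CPORTS="80,443,30000_35000"' > "$demo_conf"
if apf_preflight "$demo_conf" 22 test; then
    echo "safe to run: /etc/init.d/apf start"
else
    echo "fix /etc/apf/conf.apf before starting APF"
fi
rm -f "$demo_conf"
```

Run it as `apf_preflight /etc/apf/conf.apf 22 test` before the first start and `apf_preflight /etc/apf/conf.apf 22 prod` before the restart in step 8; pass your real sshd port instead of 22 if you have moved it.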
More advanced: /etc/apf/allow_hosts.rules
10. As a safety precaution, you might want to add your IP to the '/etc/apf/allow_hosts.rules' file. Open the file in your favorite editor.
11. Add the IP of your computer to the end of the file. A bare IP on its own line exempts all traffic to and from that address from filtering, so only add addresses you control; you can also add the IPs of other servers.
If you only want to allow particular traffic from those IPs that the current firewall rules do not already permit (e.g. you blocked all traffic to SSH and only want a few IPs to reach the SSH port), use this format instead of a bare IP:
Protocol : direction/flow : source/destination port : s/d ip
[tcp/udp] : [in/out] : [s=/d=]PORT : [s=/d=]IP
Ex (let the ip 192.168.0.100 access to port 22):
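Writing these entries by hand is where typos creep in, and a bare IP that was meant to be a port-limited rule silently trusts that host for everything. The script below is an added example, not APF code or part of this how-to: it builds rule lines in the `[tcp/udp]:[in/out]:[s=/d=]PORT:[s=/d=]IP` form given above, appends them idempotently, and audits a rules file, flagging malformed lines and listing the bare IPs so you can confirm each one is intended. Function names are my own; the file path is passed in so the demonstration runs against a constructed temporary file rather than the live /etc/apf/allow_hosts.rules, and only plain IPv4 addresses are validated.

```shell
#!/bin/sh
# Added example (not part of APF): build, append and audit allow_hosts.rules
# entries in the "[tcp/udp]:[in/out]:[s=/d=]PORT:[s=/d=]IP" form given above.
# Function names are assumed for this example; the rules file path is passed
# in so the demonstration at the bottom can use a temporary file instead of
# /etc/apf/allow_hosts.rules. Only plain IPv4 addresses are handled.

# Dotted-quad IPv4 check: four octets, each 0-255. Returns 0 if valid.
apf_valid_ip() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    n=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        n=$((n + 1))
        if [ "$octet" -gt 255 ]; then return 1; fi
    done
    [ "$n" -eq 4 ]
}

# apf_rule PROTO FLOW PORT_SIDE PORT IP_SIDE IP
# Prints one rule line in the template form, or returns 1 on bad input.
apf_rule() {
    case "$1" in tcp|udp) ;; *) echo "bad protocol: $1" >&2; return 1 ;; esac
    case "$2" in in|out) ;; *) echo "bad flow: $2" >&2; return 1 ;; esac
    case "$3$5" in ss|sd|ds|dd) ;; *) echo "port/ip side must be s or d" >&2; return 1 ;; esac
    case "$4" in *[!0-9]*|'') echo "bad port: $4" >&2; return 1 ;; esac
    if [ "$4" -lt 1 ] || [ "$4" -gt 65535 ]; then echo "port out of range: $4" >&2; return 1; fi
    if ! apf_valid_ip "$6"; then echo "bad ip: $6" >&2; return 1; fi
    printf '%s:%s:%s=%s:%s=%s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# The how-to's case ("let 192.168.0.100 access port 22"): inbound traffic whose
# destination port is PORT on this server and whose source address is IP.
apf_allow_inbound() {
    apf_rule tcp in d "$1" s "$2"
}

# apf_add_rule FILE RULE: append RULE unless an identical line is already
# there, so re-running a provisioning script does not pile up duplicates.
apf_add_rule() {
    if grep -qxF -- "$2" "$1" 2>/dev/null; then return 0; fi
    printf '%s\n' "$2" >> "$1"
}

# apf_audit_rules FILE: report bare IPs (those hosts bypass the firewall
# entirely) and malformed lines. Returns 1 if any line is malformed.
apf_audit_rules() {
    file="$1"; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if apf_valid_ip "$line"; then
            echo "BARE      $line  (all traffic to/from this host is unfiltered)"
            continue
        fi
        # Split on ':' into the four template fields and re-validate each.
        set -- $(printf '%s' "$line" | tr ':' ' ')
        if [ $# -eq 4 ] && apf_rule "$1" "$2" "${3%%=*}" "${3#*=}" "${4%%=*}" "${4#*=}" >/dev/null 2>&1; then
            echo "RULE      $line"
        else
            echo "MALFORMED $line"; bad=1
        fi
    done < "$file"
    return "$bad"
}

# Demonstration on a constructed temporary rules file (not the live one).
demo=$(mktemp)
apf_add_rule "$demo" "$(apf_allow_inbound 22 192.168.0.100)"
apf_add_rule "$demo" "$(apf_allow_inbound 22 192.168.0.100)"   # duplicate: no-op
apf_add_rule "$demo" "10.0.0.5"                                 # bare ip: fully trusted
apf_add_rule "$demo" "tcp:in:d=ssh:s=192.168.0.200"             # malformed: port is not numeric
apf_audit_rules "$demo" || echo "review $demo before copying it to /etc/apf/allow_hosts.rules"
rm -f "$demo"
```

Run `apf_audit_rules /etc/apf/allow_hosts.rules` after editing the file; every line reported as BARE is a host that is exempt from all filtering, which is exactly what step 11 describes and should be a short, deliberate list.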