Install APF (Advanced Policy Firewall)
APF site description of the software: APF is a policy-based
iptables firewall system designed for ease of use and
configuration. It employs a subset of features to satisfy the
veteran Linux user and the novice alike. Packaged in tar.gz
and RPM formats, APF is ideal for deployment in many
Linux-based server environments.
Summary of features:
- global ports configuration via simple config file
- configurable policies for each IP on the system [global config overrides]
- powerful postrouting rules for FWMARK and TOS
- plug-in friendly for QoS [CBQ/HTB]
- antidos subsystem to stop attacks before they become a significant threat
- dshield.org block list support to ban networks exhibiting suspicious activity
- advanced set of sysctl parameters for TCP stack hardening
- advanced set of filter rules to remove undesired traffic
- easy to use firewall management script
- trust based rule files (allow/deny) with advanced syntax support
1. Login to your server via SSH as root.
2. Make /usr/src the current working directory. Type: cd /usr/src
3. Obtain the most current version of APF. Type:
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
4. Expand the APF tar.gz file. Type: tar -xvzf apf-current.tar.gz
5. Remove the tar.gz file. Type: rm -f apf-current.tar.gz
6. Locate the APF directory. Type: ls -la and look for a directory
named apf-#.#/ where #.# represents the version of APF being
installed (APF version 0.8.7 would be in a directory apf-0.8.7/
and version 0.9 would be in a directory named apf-0.9).
7. Make the APF directory the current working directory. Use the
directory name you located in step 6. Note that the numbers will
change as new versions are released. Type: cd apf-0.9
8. Run the APF install. Type: sh ./install.sh
9. Make /etc/apf the current working directory. Type: cd /etc/apf
10. Edit the conf.apf file as desired. Type: pico -w conf.apf
In order for this firewall to work properly you have to
edit/add/delete ports. These ports will allow services such as
mail, ftp, and ssh to come in and out of the server. If you have
changed any ports, please modify them below and add/remove as
needed.
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,10000,35000_35999"
Please note that ports 2082 to 2095 are mostly used by
cPanel, and port 19638 is only used by Ensim.
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,1040"
11. After you have finished editing the ports, save the file and
test APF: CTRL-X, then Y to save, then Enter to confirm.
12. Start APF. Type: ./apf --start or type: service apf start
13. If APF is functioning properly and you are not locked out,
edit conf.apf again. Type: pico -w conf.apf
14. Set the DEVM parameter to 0: DEVM="0"
15. Once done, exit and save the file: CTRL-X, then Y to save, then
Enter to confirm.
16. Restart APF. Type: service apf restart
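As an added example (not code from the original post or from APF itself), the shell function below checks a port list in the format conf.apf expects for IG_TCP_CPORTS and IG_UDP_CPORTS before the firewall is restarted with it: comma-separated, each entry a single port or an underscore range such as 35000_35999, no whitespace. The function names and the sample lists are my own.

```shell
#!/bin/sh
# Constructed example: validate an APF port list (the value of
# IG_TCP_CPORTS / IG_UDP_CPORTS in conf.apf) before restarting APF.
# Accepted: comma-separated entries, each a single port or an
# underscore range like 35000_35999, every port within 1..65535,
# and no whitespace at all (a list that picked up a space or a line
# break while editing is rejected here instead of at restart time).

# port_ok PORT: succeeds if PORT is an integer in 1..65535
port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_apf_ports LIST: returns 0 if LIST is well formed,
# otherwise prints the first problem to stderr and returns 1
validate_apf_ports() {
    list="$1"
    case "$list" in
        '') echo "empty port list" >&2; return 1 ;;
        *[[:space:]]*) echo "whitespace inside port list" >&2; return 1 ;;
    esac
    old_ifs="$IFS"
    IFS=','
    set -- $list            # split on commas only
    IFS="$old_ifs"
    for entry; do
        case "$entry" in
            *_*_*) echo "bad range: $entry" >&2; return 1 ;;
            *_*)                # range: low_high, both valid, low < high
                lo="${entry%_*}"
                hi="${entry#*_}"
                if ! port_ok "$lo" || ! port_ok "$hi" || [ "$lo" -ge "$hi" ]; then
                    echo "bad range: $entry" >&2; return 1
                fi ;;
            *)                  # single port
                if ! port_ok "$entry"; then
                    echo "bad port: $entry" >&2; return 1
                fi ;;
        esac
    done
    return 0
}

# Usage: validate_apf_ports "$(sed -n 's/^IG_TCP_CPORTS="\(.*\)"/\1/p' /etc/apf/conf.apf)"
```

Run the usage line before service apf restart; a non-zero exit means the list would not be loaded as you intended.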
Enabling connections for server monitoring. Some service
providers that offer monitoring need access to your server, and
access without setting off alarms, firewalls etc. is a good
thing. Just be careful which IP(s) you put in here.
1. To allow connections from xx.xx.xx.xx/24, type:
pico -w /etc/apf/allow_hosts.rules
2. At the very end of the file add this line: xx.xx.xx.xx/24
Of course, replace xx.xx.xx.xx with the IP address provided to
you.
Original:
http://www.ukwebmasterforums.com/t4910-install-apf-advanced-policy-firewall.html