Install APF (Advanced Policy Firewall)

APF Site Description of the software: APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz format and RPM formats, make APF ideal for deployment in many server environments based on Linux. Summary of features: - global ports configurtion via simple config file - configurable policies for each ip on the system [global config overrides] - powerfull postrouting rules for FWMARK and TOS - plug-in friendly for QoS [CBQ/HTB] - antidos subsystem to stop attacks before they become a significant threat - dshield.org block list support to ban networks exhibiting suspicious activity - advanced set of sysctl parameters for TCP stack hardening - advanced set of filter rules to remove undesired traffic - easy to use firewall managment script - trust based rule files (allow/deny); with advanced syntax support 1. Login to your server via SSH as root. 2. Make /usr/src the current working directory. Type: cd /usr/src 3. Obtain the most curent verison of APF. Type: wget http://rfxnetworks.com/downloads/apf-current.tar.gz 4. Expand the APF tar.gz file. Type: tar -xvzf apf-current.tar.gz 5. Remove the tar.gz file. Type: rm -f apf-current.tar.gz 6. Locate the APF directory. Type: ls -la Look for a directory named apf-#.#/ where #.# represents the version of APF being installed (APF version 0.8.7 would be in a directory apf-0.8.7/ and version 0.9 would be in a directory named apf-0.9). 7. Make the APF directory the current working directory. Use the directory name you located in step 5. Note that the numbers will change as new versions are released. Type: cd apf-0.9 8. Run the APF install. Type: sh ./install.sh 9. Make /etc/apf the current working directory. Type: cd /etc/apf 10. Edit the conf.apf file as desired. Type: pico -w conf.apf In order for this firewall to work properly you have to edit/add/delete ports. These ports will allow services such as mail, ftp, and ssh to come in and out of the server. If you have changed any ports, please modify them below and add/remove as needed. # Common ingress (inbound) TCP ports IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465, 993,995,2082,2083,2086,2087,2095,2096,3306, 10000,35000_35999" Please note that ports 2082 to port 2095 is mostly used by cpanel, and port 19638 is only use in ensim. # Common ingress (inbound) UDP ports IG_UDP_CPORTS="20,21,53,1040" 10. After you have finished editing the ports save the file and test APF. CTRL-X, Y to save enter to confirm 11. Start APF. Type: ./apf --start or Type: service apf start 12. If APF is functioning properly and you are not locked out edit the conf.apf again Type: pico -w conf.apf 13. Set the DEVM parameter to 0 DEVM="0" 14. Once done Exit and save the file. CTRL-X, Y to save enter to confirm 15. Restart APF Type: service apf restart Enabling connections for server monitoring. Some service providers that offer monitoring need access to your server, and access without setting off alarms, firewalls etc. is a good thing. Just becareful which IP(s) you put in here. 1. To allow connections from xx.xx.xx.xx/24 Type: pico -w /etc/apf/allow_hosts.rules 2. At the very end of the file add this line xx.xx.xx.xx/24 Of course replace the xx.xx.xx.xx with the IP address provided to you. Original: http://www.ukwebmasterforums.com/t4910-install-apf-advanced-polic y-firewall.html Web Hosting UK (http://www.session9.co.uk/ ) Webmaster Forums ( http://www.ukwebmasterforums.com/ ) Web Hosting Affiliate ( http://www.session9.co.uk/web-hosting-affiliate/ )

Domain Reseller ( http://www.domainvendor.co.uk/ )