dedicated server help
web hosting guides
dedicated server home dedicated server forums dedicated server reviews dedicated resources partners dedicated server resources contact dedicated servers

dedicated server guides
Getting Started
General Tutorials
cPanel Tutorials
Security Center
Name Servers
Server Monitoring
Server Backups
Hosting Interviews
Web Hosting News
Reviews
For Fun
Linux Tutorials
Hosting Articles
Web Hosting Tutorials
 
 
 
web hosting tutorials
About Us
RSS Feed
Disclaimer
Site Map

 

Install APF (Advanced Policy Firewall)

Last Updated: November 30, 1999

APF Site Description of the software:
APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz format and RPM formats, make APF ideal for deployment in many server environments based on Linux.

Summary of features:
- global ports configurtion via simple config file
- configurable policies for each ip on the system [global config overrides]
- powerfull postrouting rules for FWMARK and TOS
- plug-in friendly for QoS [CBQ/HTB]
- antidos subsystem to stop attacks before they become a significant threat
- dshield.org block list support to ban networks exhibiting suspicious activity
- advanced set of sysctl parameters for TCP stack hardening
- advanced set of filter rules to remove undesired traffic
- easy to use firewall managment script
- trust based rule files (allow/deny); with advanced syntax support



1. Login to your server via SSH as root.

2. Make /usr/src the current working directory.
Type: cd /usr/src

3. Obtain the most curent verison of APF.
Type: wget http://rfxnetworks.com/downloads/apf-current.tar.gz

4. Expand the APF tar.gz file.
Type: tar -xvzf apf-current.tar.gz

5. Remove the tar.gz file.
Type: rm -f apf-current.tar.gz

6. Locate the APF directory.
Type: ls -la
Look for a directory named apf-#.#/ where #.# represents the version of APF being installed (APF version 0.8.7 would be in a directory apf-0.8.7/ and version 0.9 would be in a directory named apf-0.9).

7. Make the APF directory the current working directory.
Use the directory name you located in step 5.
Note that the numbers will change as new versions are released.
Type: cd apf-0.9

8. Run the APF install.
Type: sh ./install.sh

9. Make /etc/apf the current working directory.
Type: cd /etc/apf

10. Edit the conf.apf file as desired.
Type: pico -w conf.apf

In order for this firewall to work properly you have to edit/add/delete ports.
These ports will allow services such as mail, ftp, and ssh to come in and out of the server.
If you have changed any ports, please modify them below and add/remove as needed.

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,
993,995,2082,2083,2086,2087,2095,2096,3306,
10000,35000_35999"
Please note that ports 2082 to port 2095 is mostly used by cpanel, and port 19638 is only use in ensim.

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,1040"

10. After you have finished editing the ports save the file and test APF.
CTRL-X, Y to save enter to confirm

11. Start APF.
Type: ./apf --start
or
Type: service apf start

12. If APF is functioning properly and you are not locked out edit the conf.apf again
Type: pico -w conf.apf

13. Set the DEVM parameter to 0
DEVM="0"

14. Once done Exit and save the file.
CTRL-X, Y to save enter to confirm

15. Restart APF
Type: service apf restart


Enabling connections for server monitoring.
Some service providers that offer monitoring need access to your server, and access without setting off alarms, firewalls etc. is a good thing. Just becareful which IP(s) you put in here.

1. To allow connections from xx.xx.xx.xx/24
Type: pico -w /etc/apf/allow_hosts.rules

2. At the very end of the file add this line
xx.xx.xx.xx/24 Of course replace the xx.xx.xx.xx with the IP address provided to you.

cpanel tutorials
cPanel Resources
Dedicated Servers