[How To] Install APF (Advanced Policy Firewall)

Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today’s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information on all the features.

This guide will show you how to install and configure APF firewall:

mkdir /root/setup ; cd /root/setup
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxf apf*
cd apf* && ./install.sh

Once the installation is completed you may use the following options to perform basic operations:

To start the firewall run: apf -s
To restart the firewall run: apf -r
To flush the firewall run: apf -f (this removes every rule and leaves the host unfiltered until you start APF again)

Create a backup of the configuration file and open it using the desired text editor and go over the general configuration to get your firewall running. This isn’t a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.

cd /etc/apf && cp conf.apf conf.apf.bak && nano conf.apf

Take the firewall out of development mode by changing DEVEL_MODE from 1 to 0. While it is set to 1 a cron job stops the firewall every 5 minutes, so a bad rule cannot lock you out for good; leave it at 1 only until you have confirmed from a second session that you can still reach the server, then set it to 0, because a firewall that stops itself every 5 minutes is not protecting anything.

# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.

Enable egress (outbound) filtering by setting the EGF variable to 1. With EGF enabled, outbound connections are only allowed on the ports listed in EG_TCP_CPORTS and EG_UDP_CPORTS, so fill those lists in (at least DNS, SMTP and whatever your package updates and cPanel licence checks use) before you turn it on, or outbound name resolution and mail will break:

# Egress filtering [0 = Disabled / 1 = Enabled]

Finally check IG_TCP_CPORTS, IG_UDP_CPORTS, EG_TCP_CPORTS and EG_UDP_CPORTS, and make sure that every port you are relying on is listed. Above all make sure the SSH port (22 by default) is in IG_TCP_CPORTS, since that is the one you need to fix anything else. Below you will find my configuration for a server that is running cPanel:

# Common ingress (inbound) TCP ports

# Common ingress (inbound) UDP ports

# Common egress (outbound) TCP ports

# Common egress (outbound) UDP ports
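The same conf.apf edits done from a script instead of by hand in nano, as an added example that is not part of this guide or of APF. It backs up the file, sets DEVEL_MODE, EGF and the four port lists, and refuses a result that still has DEVEL_MODE at 1 or leaves port 22 out of IG_TCP_CPORTS. The port lists are assumed placeholders for a cPanel host, the sample conf.apf it runs against offline is constructed, and apf_set, apf_get, apf_configure and apf_check are this example's own helper names.

```shell
#!/bin/sh
# Added example (not part of the guide or of APF): apply the conf.apf edits
# described above from a script, so the change is repeatable and can be
# checked before the firewall is started. The port lists are assumed
# placeholders for a cPanel host; adjust them to the services you run.

# apf_set KEY VALUE FILE: rewrite the KEY="..." line in FILE, or append it.
apf_set() {
    key=$1; value=$2; file=$3
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# apf_get KEY FILE: print the value of KEY without the surrounding quotes.
apf_get() {
    sed -n "s|^${1}=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$2" | tail -n 1
}

# apf_configure FILE: the same changes the guide makes by hand in nano.
apf_configure() {
    file=$1
    cp "$file" "$file.bak"                          # keep a copy of the original
    apf_set DEVEL_MODE 0 "$file"                    # no more 5-minute cron stop
    apf_set EGF 1 "$file"                           # enforce the EG_* lists
    # assumed cPanel port lists (placeholders, not from the original page)
    apf_set IG_TCP_CPORTS "21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096" "$file"
    apf_set IG_UDP_CPORTS "53" "$file"
    apf_set EG_TCP_CPORTS "21,25,37,43,53,80,443,873" "$file"
    apf_set EG_UDP_CPORTS "20,21,53,123" "$file"
}

# apf_check FILE: refuse a config that still has DEVEL_MODE on, or that
# leaves SSH out of the ingress list (the usual way to lock yourself out).
apf_check() {
    file=$1
    [ "$(apf_get DEVEL_MODE "$file")" = "0" ] || { echo "DEVEL_MODE is still 1"; return 1; }
    case ",$(apf_get IG_TCP_CPORTS "$file")," in
        *,22,*) return 0 ;;
        *)      echo "port 22 is not in IG_TCP_CPORTS"; return 1 ;;
    esac
}

# make_sample_conf FILE: constructed stand-in for a fresh conf.apf, with a
# few of the real variables in the file's KEY="value" format, for offline use.
make_sample_conf() {
    cat > "$1" <<'EOF'
# !!! Do not leave set to (1) !!!
DEVEL_MODE="1"
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="0"
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="22"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
EOF
}

case "${1:-}" in
    demo)  tmp=$(mktemp); make_sample_conf "$tmp"; apf_configure "$tmp"
           apf_check "$tmp" && cat "$tmp"; rm -f "$tmp" "$tmp.bak" ;;
    apply) conf=${2:-/etc/apf/conf.apf}; apf_configure "$conf" && apf_check "$conf" ;;
esac
```

Saved as, say, apf-conf.sh, `sh apf-conf.sh demo` runs it against the constructed sample and prints the resulting file; `sh apf-conf.sh apply` edits /etc/apf/conf.apf in place (keeping conf.apf.bak) and only returns success if the sanity check passes, after which you run apf -r.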

To see which ports are listening on your server, and which process owns each one, run: netstat -nap (listening sockets show the state LISTEN; compare the ports you find with the IG_* lists above, and remember that a service bound to 127.0.0.1 is not reachable from outside regardless of the firewall).
To check which APF version you are running: cat /etc/apf/VERSION
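A script that does that comparison for you, as an added example that is not part of this guide or of APF: it parses netstat -nap output, drops loopback-only listeners, and reports every listening port that the matching IG_TCP_CPORTS or IG_UDP_CPORTS list in conf.apf does not cover, including APF's LOW_HIGH port ranges. The netstat output and conf.apf fragment it runs against offline are constructed samples, and listening_ports, port_allowed, conf_value and unlisted_listeners are this example's own helper names.

```shell
#!/bin/sh
# Added example (not part of the guide or of APF): compare what is actually
# listening, as reported by netstat -nap, with the ingress lists in conf.apf.
# A listener missing from IG_TCP_CPORTS / IG_UDP_CPORTS is either meant to be
# unreachable from outside or a port you forgot to open; either way you want
# to know. The netstat output and conf.apf below are constructed samples.

# listening_ports NETSTAT_FILE: "proto port" for every externally bound
# listening socket (loopback-only listeners are skipped).
listening_ports() {
    awk '
        $4 ~ /^127\./ || $4 ~ /^::1:/ { next }
        $1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print "tcp " a[n] }
        $1 ~ /^udp/                   { n = split($4, a, ":"); print "udp " a[n] }
    ' "$1" | sort -u
}

# port_allowed PORT LIST: succeeds if PORT is covered by a comma-separated
# APF port list; APF writes ranges as LOW_HIGH (for example 30000_35000).
port_allowed() (
    port=$1
    IFS=,
    for entry in $2; do
        case $entry in
            *_*) lo=${entry%_*}; hi=${entry#*_}
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then exit 0; fi ;;
            *)   if [ "$port" = "$entry" ]; then exit 0; fi ;;
        esac
    done
    exit 1
)

# conf_value KEY CONF: the value of KEY="..." in conf.apf, quotes stripped.
conf_value() {
    sed -n "s|^${1}=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$2" | tail -n 1
}

# unlisted_listeners NETSTAT_FILE CONF: "proto port" for each listener that
# the matching IG_*_CPORTS list does not cover.
unlisted_listeners() {
    tcp_list=$(conf_value IG_TCP_CPORTS "$2")
    udp_list=$(conf_value IG_UDP_CPORTS "$2")
    listening_ports "$1" | while read -r proto port; do
        if [ "$proto" = tcp ]; then list=$tcp_list; else list=$udp_list; fi
        port_allowed "$port" "$list" || echo "$proto $port"
    done
}

# Constructed sample of netstat -nap output (sshd, httpd, a loopback-only
# mysqld, cPanel's cpsrvd on 2087, exim on IPv6, named on UDP 53).
make_sample_netstat() {
    cat > "$1" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1301/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1120/mysqld
tcp        0      0 0.0.0.0:2087            0.0.0.0:*               LISTEN      1442/cpsrvd
tcp        0      0 10.0.0.5:22             198.51.100.7:51022      ESTABLISHED 2210/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      990/exim
udp        0      0 0.0.0.0:53              0.0.0.0:*                           701/named
EOF
}

# Constructed conf.apf fragment: only the two ingress lists matter here.
make_sample_conf() {
    cat > "$1" <<'EOF'
IG_TCP_CPORTS="22,80,443,2086_2087"
IG_UDP_CPORTS="53"
EOF
}

case "${1:-}" in
    demo) n=$(mktemp); c=$(mktemp); make_sample_netstat "$n"; make_sample_conf "$c"
          unlisted_listeners "$n" "$c"; rm -f "$n" "$c" ;;
    live) n=$(mktemp); netstat -nap > "$n" 2>/dev/null
          unlisted_listeners "$n" "${2:-/etc/apf/conf.apf}"; rm -f "$n" ;;
esac
```

`sh apf-listeners.sh demo` reports `tcp 25` for the sample: exim is listening on every address but 25 is not in the sample IG_TCP_CPORTS, while 2087 is covered by the 2086_2087 range and the loopback-only MySQL socket is ignored. `sh apf-listeners.sh live` runs the same comparison against the real netstat output and /etc/apf/conf.apf; an empty result means every externally bound listener is either in your ingress list or deliberately blocked.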

If you did wish to uninstall APF, stop it and disable it at boot first, reset the default chain policies to ACCEPT before flushing (a flush on its own leaves any DROP policy in place, which on a remote box locks you out), and only then remove the files:

apf -f
/sbin/chkconfig --level 345 apf off
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
rm -Rf /etc/apf
rm -Rf /usr/local/sbin/apf
rm -Rf /etc/rc.d/init.d/apf
rm -Rf /var/log/apf_log
rm -Rf /var/log/apfados_log