How to install APF (Advanced Policy Firewall)

Iptables is a great Linux firewall but it might be difficult to configure if you are new to it. APF (Advanced Policy Firewall) is based on iptables and is easy to configure using a simple configuration file. It offers the latest features of iptables and performs the following filtering techniques:

  • Static rules
  • Connection based
  • “Sanity” based

Static rules are the simplest: they are the plain “permit” or “deny” entries, such as a specific port number that you want to open or close. Connection-based means that the firewall permits or denies traffic dynamically. For example, when a client connects to an FTP server, the firewall keeps track of the connection and temporarily allows the related traffic.

The sanity-based policies let the firewall match traffic patterns/signatures to recognize known attack methods. Examples are an incoming IP packet whose source address is the server’s own address, or a router that sends malformed packets to you. APF can either drop the packets or kill the TCP connection by sending a TCP reset.

APF can also be configured to use lists from projects like Project Honeypot, Spamhaus, and Dshield to block all “dodgy” IP addresses. Having said that, let me show you how to install APF on your server. Make sure iptables is already installed on your machine before continuing…

First, we will download the latest version:

[root@VPS1 ~]#  wget http://rfxnetworks.com/downloads/apf-current.tar.gz

Let’s extract it:

[root@VPS1 ~]#  tar -xzvf apf-current.tar.gz
[root@VPS1 ~]#  cd apf-9.7-2

Now we can install it using a simple script:

[root@VPS1 apf-9.7-2]# ./install

Now before we start APF, we should configure it:

[root@VPS1 apf-9.7-2]# cd /etc/apf
[root@VPS1 apf]# vim conf.apf

I would recommend reading everything in the config file, as there are quite a few options. If you make any changes, make sure that the following option is enabled:

DEVEL_MODE="1"

This setting flushes your firewall rules every 5 minutes, so if you lock yourself out you know you can get back in after 5 minutes. Don’t forget to disable it once you are done with your configuration.

Make sure APF is configured for the correct interface:

IFACE_IN
IFACE_OUT

With the following options, you can open the inbound ports:

IG_TCP_CPORTS
IG_UDP_CPORTS

These options configure the inbound TCP and UDP ports. Separate the port numbers with a “,”. If you want to allow HTTP (TCP 80) and HTTPS (TCP 443), set IG_TCP_CPORTS="80,443".

By default, all outbound ports are allowed. If you are running a web server with shared hosting, I highly recommend blocking all unnecessary outgoing traffic. To do this, you first have to set the following option:

EGF="1"

Now you can configure the outbound ports that you want to allow:

EG_TCP_CPORTS
EG_UDP_CPORTS

So if you want to allow access to an external SSH server (TCP 22) and an external web server (TCP 80), set EG_TCP_CPORTS="22,80".

Some other options that I like are:

DLIST_SPAMHAUS="1"
DLIST_DSHIELD="1"

This will configure APF to download the blacklists from Spamhaus and Dshield and block those IP addresses.
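Before starting APF it is worth checking conf.apf for the mistakes that bite most often: DEVEL_MODE left on, an empty interface, a port list with a typo, or EGF="1" with no outbound ports allowed. The script below is an added example, not part of the post or of APF itself; it reads only the options discussed above and runs against a constructed sample config, not the real /etc/apf/conf.apf.

```shell
#!/bin/sh
# Added pre-flight check for conf.apf (not from the post or the APF project).
# It reads the options discussed above and flags the usual mistakes before
# "apf -s" is run.

# apf_get FILE KEY: print the value of KEY (quotes stripped); last one wins.
apf_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# valid_ports LIST: true if LIST is empty or comma-separated port numbers.
valid_ports() {
    if [ -z "$1" ]; then return 0; fi
    echo "$1" | grep -Eq '^[0-9]+(,[0-9]+)*$'
}

# apf_check FILE: print one line per finding; return the number of findings.
apf_check() {
    f=$1; n=0
    if [ "$(apf_get "$f" DEVEL_MODE)" = "1" ]; then
        echo "DEVEL_MODE=1: rules are flushed every 5 minutes; set to 0 when done"; n=$((n+1))
    fi
    for k in IFACE_IN IFACE_OUT; do
        if [ -z "$(apf_get "$f" "$k")" ]; then echo "$k is not set"; n=$((n+1)); fi
    done
    for k in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        v=$(apf_get "$f" "$k")
        if ! valid_ports "$v"; then echo "$k is malformed: '$v'"; n=$((n+1)); fi
    done
    if [ "$(apf_get "$f" EGF)" = "1" ] && [ -z "$(apf_get "$f" EG_TCP_CPORTS)" ]; then
        echo "EGF=1 with empty EG_TCP_CPORTS: all outbound TCP will be blocked"; n=$((n+1))
    fi
    return $n
}

# Constructed sample config (not a real conf.apf) with three deliberate mistakes.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# comment lines are ignored by apf_get
DEVEL_MODE="1"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IG_TCP_CPORTS="22,80 443"
IG_UDP_CPORTS=""
EGF="1"
EG_TCP_CPORTS=""
EG_UDP_CPORTS="53"
EOF
apf_check "$SAMPLE" || echo "$? issue(s) found in $SAMPLE"
rm -f "$SAMPLE"
```

To check the live file, call `apf_check /etc/apf/conf.apf`; a non-zero exit status means at least one finding was printed.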

Once you are done with the configuration, you should start it:

[root@VPS1 apf]# apf -s

Don’t forget to enable it on startup. If you are using CentOS, you can use chkconfig for this:

[root@VPS1 apf]# chkconfig apf on

That’s all for now. I hope this helps you to secure your Linux server(s) further. If you have any questions or suggestions, please let me know!