Friday, May 1, 2009

How to Install APF (Advanced Policy Firewall)

APF is a policy-based iptables firewall system designed for ease of use and configuration. When you bring up a new dedicated or VPS server, a host firewall is the minimum you should install before exposing it to the Internet: it limits which services are reachable from outside and is your first line of defence against scanning and intrusion attempts. APF is one of the most popular and easiest-to-set-up iptables-based firewalls for Linux servers, and you can have it up and running within minutes. It also has additional features such as antidos, a basic protection against DoS attacks. APF is developed and maintained by R-fx Networks: http://www.rfxnetworks.com/apf.php
Be careful when deciding which ports to open and which to block. If you are not sure, you may lock yourself out of your own server, so keep your existing SSH session (or console access) open until you have confirmed that the new rules still let you in.

Installation 


1) Log in as the root user


2) Download the APF source

Download the current tarball from the R-fx Networks site, or from a command prompt type the following command:

wget http://www.r-fx.ca/downloads/apf-current.tar.gz

3) Extract the tar.gz

tar -xzvf apf-current.tar.gz

4) Enter the APF directory

cd apf-current/

5) Run the installer

./install.sh

After installation, the firewall is not yet active. You have to configure manually which ports to open and which to block by editing the configuration file at /etc/apf/conf.apf

Installed paths:

Configuration File: /etc/apf/conf.apf
Binary: /usr/local/sbin/apf
Start/Stop: /etc/init.d/apf (start|stop|restart)
Log: /var/log/apf_log
Antidos conf file: /etc/apf/ad/config.antidos

You can also control the firewall from the command line:

apf -s (start)
apf -r (restart)
apf -f (flush the rules, i.e. stop)

Once it is running, apf -a <host> and apf -d <host> add a host to the allow or deny list (stored in /etc/apf/allow_hosts.rules and /etc/apf/deny_hosts.rules).


6) Modify the APF config file

vim /etc/apf/conf.apf

First, look for the line that says

DEVEL_MODE="1"

Leaving this option as "1" will disable (flush) your firewall after 5 minutes. It exists so that a mistake while testing does not lock you out permanently, but it also means the firewall is not really protecting you. Once you are happy with your rules, change it to "0", so the line reads:

DEVEL_MODE="0"

Next, take a look at the allowed inbound TCP ports. You should see something like

IG_TCP_CPORTS="22,80,443"

Notice that port 22, the default SSH port, is open. If you have moved SSH to a non-standard port, change 22 to that port (check with netstat -ltnp or grep '^Port' /etc/ssh/sshd_config); if you forget, the firewall will cut off your own SSH access. You can leave port 80 (HTTP) and 443 (HTTPS) open if you plan on running a website.

Any other TCP port you want to open for inbound connections must be added to this list; inbound UDP ports go in IG_UDP_CPORTS on the line below it.

By default, APF does not filter outbound traffic, but if you would like to change that, look for the following line

EGF="0"

and change this value to "1". On the line directly below it you should see the allowed outbound ports

EG_TCP_CPORTS="21,25,80,443"

Adjust these if you have enabled outbound filtering: everything your server itself needs to reach (package mirrors, mail relays, and DNS on UDP port 53 via EG_UDP_CPORTS) must be listed, or updates and name resolution will silently break. Save the firewall config. Now add the firewall so that it starts when the VPS reboots, and enable it:

chkconfig --add apf
chkconfig --level 345 apf on
/etc/init.d/apf start
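The two mistakes in the steps above that lock people out are leaving DEVEL_MODE at "1" (the rules silently vanish after 5 minutes) and forgetting the real SSH port in IG_TCP_CPORTS. The following shell script is an added example, not part of APF or of this post: it reads and rewrites KEY="value" lines in a conf.apf-style file and refuses to proceed if either mistake is present, so you can run it before apf -s. Only the variable names (DEVEL_MODE, IG_TCP_CPORTS, IFACE_IN) are APF's own; the function names, the sample configuration fragment it writes to a temporary file and the /etc/ssh/sshd_config lookup in the usage comment are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of an APF conf.apf before enabling the firewall.
# Not part of APF or of the original post. Only the variable names (DEVEL_MODE,
# IG_TCP_CPORTS, IFACE_IN) are APF's; everything else is assumed for illustration.

# Print the value of KEY="value" from a conf.apf-style file ($1 = file, $2 = KEY).
apf_get() {
    sed -n 's/^'"$2"'="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Set KEY="value" in place ($1 = file, $2 = KEY, $3 = value; value must not contain '|').
# Rewrites through a temp file so it works with any POSIX sed, not only GNU sed -i,
# and copies back with cat so the file keeps its owner and mode.
apf_set() {
    tmp=$(mktemp) || return 1
    if grep -q "^$2=" "$1"; then
        sed 's|^'"$2"'=.*|'"$2"'="'"$3"'"|' "$1" > "$tmp"
    else
        { cat "$1"; printf '%s="%s"\n' "$2" "$3"; } > "$tmp"
    fi
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Return 0 if port $2 is listed in the comma-separated list $1.
# Note: APF also accepts ranges such as 1024_65535; those are not expanded here.
port_in_list() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Refuse to enable the firewall if conf.apf would lock us out or disable itself.
# $1 = conf.apf path, $2 = port sshd listens on. Returns 0 only if all checks pass.
apf_preflight() {
    conf=$1; sshport=$2; rc=0
    devel=$(apf_get "$conf" DEVEL_MODE)
    if [ "$devel" != "0" ]; then
        echo "DEVEL_MODE=\"$devel\": APF would flush its own rules after 5 minutes" >&2
        rc=1
    fi
    ports=$(apf_get "$conf" IG_TCP_CPORTS)
    if ! port_in_list "$ports" "$sshport"; then
        echo "SSH port $sshport is not in IG_TCP_CPORTS=\"$ports\": you would be locked out" >&2
        rc=1
    fi
    # Warning only (APF itself reports the hard error): on an OpenVZ VPS the
    # interface is venet0, so an IFACE_IN that does not exist on this host is suspicious.
    iface=$(apf_get "$conf" IFACE_IN)
    if [ -d /sys/class/net ] && [ -n "$iface" ] && [ ! -e "/sys/class/net/$iface" ]; then
        echo "warning: IFACE_IN=\"$iface\" does not exist on this host (VPS? try venet0)" >&2
    fi
    return $rc
}

# Constructed fragment of a freshly installed conf.apf (not a real file from APF),
# written to a temporary file; prints its path.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# fragment of /etc/apf/conf.apf as shipped (constructed for this example)
DEVEL_MODE="1"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IG_TCP_CPORTS="22,80,443"
EGF="0"
EG_TCP_CPORTS="21,25,80,443"
EOF
    echo "$f"
}

# Real use (as root), after editing /etc/apf/conf.apf:
#   sshport=$(awk '/^[Pp]ort /{print $2}' /etc/ssh/sshd_config); : "${sshport:=22}"
#   apf_preflight /etc/apf/conf.apf "$sshport" && apf -s
# Demo on the constructed fragment: run this script with --demo.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_conf)
    apf_preflight "$f" 2222 || echo "preflight failed as expected on the stock config"
    apf_set "$f" DEVEL_MODE 0
    apf_set "$f" IG_TCP_CPORTS "2222,80,443"
    apf_preflight "$f" 2222 && echo "preflight passed after fixing the config"
    rm -f "$f"
fi
```

The check is deliberately conservative: it only parses exact KEY="value" lines and exact comma-separated ports, so a port range or a commented-out duplicate line is not taken as permission. Run it from the session you would lose if the rules were wrong, and only call apf -s when it returns 0.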

APF Firewall for VPS Servers:

If you are running APF in an OpenVZ/Virtuozzo-style VPS, there is a good chance you will get "eth0: Device not found", because the container's network interface is called venet0 rather than eth0, and the container cannot load iptables kernel modules itself. Both are fixed in the configuration file.

Find the following lines and change the values as below:

IFACE_IN="venet0"
IFACE_OUT="venet0"
SET_MONOKERN="1"

SET_MONOKERN="1" is important on a VPS: it tells APF to assume a monolithic kernel and skip loading the iptables modules, otherwise you will get "unable to load iptables module". (The iptables modules must then be provided by the host node; if apf -s still fails, ask your provider to enable them for your container.) While testing these changes you can leave DEVEL_MODE="1" so that a wrong interface name does not lock you out permanently, but remember to set it back to "0" once the rules work.
