Install Advanced Policy Firewall (APF) on Ubuntu

APF (Advanced Policy Firewall) is a netfilter (iptables) based firewall tool with which you can configure a full-featured firewall to secure servers and workstations connected to a network.

Follow these steps to install and configure APF.

- Installation

Run the following commands to download and extract the archive with APF, then run the installer (as root):
# wget http://www.rfxn.com/downloads/apf-current.tar.gz
# tar -zxvf apf-current.tar.gz
# cd apf-9.7-2
# sh ./install.sh

After installing APF on the VPS/server, you have to configure it to suit your needs.

- Configuration

The APF configuration file is /etc/apf/conf.apf; edit it with a text editor:
# sudo nano /etc/apf/conf.apf

Let's work through the basic configuration of APF.


DEVEL_MODE="1" - be sure to keep this option set to 1 until you're satisfied with the settings.
Development mode installs a cron job that deactivates APF every 5 minutes. This lets you install it on a remote machine without the risk of locking yourself out.

SET_MONOKERN="0" - APF supports monolithic kernels. Set this to 1 if iptables was compiled into the kernel rather than as a module; otherwise APF complains about iptables even before a firewall is set up, for example: Starting APF:Unable to load iptables module (ip_tables), aborting.

IFACE_IN="eth0" and IFACE_OUT="eth0" - the untrusted interfaces connected to the network, usually the Internet

IG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,143,443,465,873,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,6666" - inbound TCP ports to open

IG_UDP_CPORTS="53,6277" - inbound UDP ports to open

IG_ICMP_TYPES="3,5,11,30" - inbound ICMP types to allow. I've removed types 0 and 8 so the server won't answer any pings, which partially hides it on the network. Leave them in place if you or your datacenter rely on ping packets (e.g. for network monitoring).

EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703" - outbound TCP ports to open. Leaving a service such as SSH out of this list blocks it in the outbound direction, which limits what an intruder who has broken into the system can connect to from it.

EG_UDP_CPORTS="20,21,53,873,953,6277" - outbound UDP ports to open

TCP_STOP="DROP" - defines a reaction in case of TCP connections that violate the rules

UDP_STOP="DROP" - defines a reaction in case of UDP connections that violate the rules

ALL_STOP="DROP" - defines a reaction to any other connections

The reaction can be a TCP reset (RESET), dropping the packet without answering (DROP), rejecting it (REJECT) or, for UDP, an icmp-host-prohibited answer (PROHIBIT).

BLK_PRVNET="1" - blocks all private IPv4 address ranges. If your machine is behind NAT, set this to 0.
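The options above are normally changed by hand in nano. The script below is added here as an example (it is not part of the original article or of the APF project) and sets them from a shell function, so the same change can be repeated on several servers and verified afterwards. It assumes conf.apf consists of KEY="value" lines, as the file shipped with APF does, and runs its demo on a constructed sample file rather than on /etc/apf/conf.apf; the function names apf_set_opt and apf_get_opt are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original article or of the APF project:
# set options in conf.apf from a script instead of editing it by hand.
# Assumes the file uses KEY="value" lines, as APF's shipped conf.apf does;
# the sample file built below is constructed for the demo.

# apf_set_opt FILE KEY VALUE
# Replace the value of an active (uncommented) KEY="..." line, or append the
# line if KEY is not set yet. Running it twice with the same value leaves the
# file unchanged; a copy of the previous file is kept as FILE.bak.
apf_set_opt() {
    file=$1; key=$2; value=$3
    cp -- "$file" "$file.bak"
    tmp=$(mktemp) || return 1
    if grep -q "^${key}=\"" "$file"; then
        # '|' is the sed delimiter, so port lists containing ',' are safe
        sed "s|^${key}=\".*\"|${key}=\"${value}\"|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s="%s"\n' "$key" "$value"; } > "$tmp"
    fi
    # cat into the original (rather than mv) keeps its owner and mode
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# apf_get_opt FILE KEY: print the current value of KEY (empty if unset)
apf_get_opt() {
    sed -n "s/^$2=\"\(.*\)\"/\1/p" "$1"
}

# Demo on a constructed conf.apf fragment; on a real server pass
# /etc/apf/conf.apf instead of "$conf".
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample containing only a few of the options from the article
DEVEL_MODE="0"
SET_MONOKERN="0"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IG_TCP_CPORTS="22"
EOF

apf_set_opt "$conf" DEVEL_MODE 1    # stay in the 5-minute safety mode for now
# shorter port list than the article's, for readability
apf_set_opt "$conf" IG_TCP_CPORTS "20,21,22,25,53,80,110,143,443,993,995,3306"
apf_set_opt "$conf" IG_UDP_CPORTS "53,6277"
apf_set_opt "$conf" IG_ICMP_TYPES "3,5,11,30"
apf_set_opt "$conf" TCP_STOP DROP
apf_set_opt "$conf" UDP_STOP DROP
apf_set_opt "$conf" ALL_STOP DROP
apf_set_opt "$conf" BLK_PRVNET 1

printf 'DEVEL_MODE=%s\n' "$(apf_get_opt "$conf" DEVEL_MODE)"
printf 'IG_TCP_CPORTS=%s\n' "$(apf_get_opt "$conf" IG_TCP_CPORTS)"
rm -f "$conf" "$conf.bak"
```

Because the pattern is anchored at the start of the line, commented-out sample lines such as `#IG_TCP_CPORTS="..."` in the shipped file are left alone and only the active setting is changed.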

- Testing APF

You can start the firewall by running the command below:

# /usr/local/sbin/apf -s

The apf command accepts the following parameters:

-s - start APF
-r - restart APF
-f - stop APF
-l - list statistics
-st - status of APF
-a host - allow connections from "host"
-d host - deny connections from "host"

- Final Step to make APF live

Now that we are sure the firewall is working and isn't blocking ports that we need, we can change the DEVEL_MODE="1" option in the configuration file to 0 and restart APF.

Next we make sure APF is started at boot time: using the setup command we go to System Services, tick APF and save the settings. After restarting the system, APF should start automatically.
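As an added example (not from the article or from APF), the script below turns this last step into a check: it refuses to switch DEVEL_MODE off unless the SSH port is listed in IG_TCP_CPORTS, which is exactly the lockout that the development-mode cron job guards against. It assumes the KEY="value" layout of conf.apf, defaults the SSH port to 22, and runs its demo on constructed sample files; the function name apf_go_live is the example's own.

```shell
#!/bin/sh
# Added example, not from the article or the APF project: a go-live check
# that refuses to switch DEVEL_MODE off while the SSH port is missing from
# IG_TCP_CPORTS. Assumes conf.apf uses KEY="value" lines.

# apf_go_live CONF [SSH_PORT]
# Returns 0 after switching DEVEL_MODE to 0, 1 if the SSH port is not in
# IG_TCP_CPORTS (file left untouched), 2 if DEVEL_MODE was not 1.
apf_go_live() {
    conf=$1; ssh_port=${2:-22}
    devel=$(sed -n 's/^DEVEL_MODE="\(.*\)"/\1/p' "$conf")
    tcp_in=$(sed -n 's/^IG_TCP_CPORTS="\(.*\)"/\1/p' "$conf")
    if [ "$devel" != "1" ]; then
        echo "DEVEL_MODE is '$devel', not 1: nothing to do" >&2
        return 2
    fi
    # Wrap the list in commas so that "22" does not match "2222"
    case ",$tcp_in," in
        *",$ssh_port,"*) ;;
        *)  echo "refusing: SSH port $ssh_port is not in IG_TCP_CPORTS ($tcp_in)" >&2
            return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sed 's/^DEVEL_MODE="1"/DEVEL_MODE="0"/' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
    echo "DEVEL_MODE set to 0 in $conf; apply it with: /usr/local/sbin/apf -r"
}

# Demo on constructed files; a real run would pass /etc/apf/conf.apf
good=$(mktemp); bad=$(mktemp)
printf 'DEVEL_MODE="1"\nIG_TCP_CPORTS="20,21,22,25,80,443"\n' > "$good"
printf 'DEVEL_MODE="1"\nIG_TCP_CPORTS="80,443,2222"\n' > "$bad"
apf_go_live "$good" && echo "good: switched"
apf_go_live "$bad" || echo "bad: refused with status $?"
rm -f "$good" "$bad"
```

Run it as root against /etc/apf/conf.apf from the same SSH session you used for testing; if it refuses, add the SSH port to IG_TCP_CPORTS first, restart APF with -r while DEVEL_MODE is still 1, and only then run the check again.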

