This tutorial explains how you can install and configure APF - an
interface to IPTables which lets you easily configure a full featured
firewall to secure servers and workstations connected to a network. This
guide describes an example installation on a server with cPanel but
it's only a matter of port numbers which must be open for everything to
work. APF can be used on any system.
The makers of cPanel recommend CentOS to be the base for their software. That's why I've used this distribution for my example. Any distribution with IPTables will do.
From Advanced Policy Firewall's website:
"Advanced Policy Firewall (APF) is an IPTables(Netfilter) based firewall system designed around the essential needs of today's Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the 'apf' command, which includes detailed usage information on all the features."
Installation
We will begin with downloading and extracting the archive with APF:
wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -zxvf http://www.rfxn.com/downloads/apf-current.tar.gz
cd apf-9.7-1
and installing it:
sh ./install.sh
After the installation finishes APF will display locations of it's executable and configuration files as well as ports detected as being used on our system. You have to verify that the numbers are correct to avoid mistakes.
More information about ports used by cPanel can be found here: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/AllFAQ/LinuxFAQ#Which_ports_should_be_open_if_I
Configuration
APF's basic configuration file is /etc/apf/conf.apf so we edit it like this:
nano -w /etc/apf/conf.apf
The configuration file is pretty well commented so it's not hard to understand which options are responsible for certain functions. What You should remember is that by default everything is locked and You have to configure APF to open ports You need to use.
Let's get to work!
DEVEL_MODE="1" - be sure to set this option to 1 until You're satisfied with the settings.
Development mode sets a cron job to deactivate APF every 5 minutes. This really lets You install it on a remote machine without the risk of cutting Yourself out.
SET_MONOKERN="0" - APF supports monolithic kernels. If IPTables was not compiled as a module (APF then complains about IPTables even without setting up a firewall for example: Starting APF:Unable to load iptables module (ip_tables), aborting.)
IFACE_IN="eth0" and IFACE_OUT="eth0" - untrusted interfaces connected to the network, mostly the Internet
IG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,143,443,465,873,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,6666" - inbound TCP ports to open
IG_UDP_CPORTS="53,6277" - inbound UDP ports to open
IG_ICMP_TYPES="3,5,11,30" - inbound ICMP port numbers. I've removed ports 0 and 8 so the server won't answer any pings, what partially hides it on the network. Leave them in place if You or Your datacenter is using ping packets (ex. network monitoring).
EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703" - outbound TCP ports to open. At this point by blocking certain services like SSH we gain the possibility of stopping hackers that would break into our system and want to connect to other servers
EG_UDP_CPORTS="20,21,53,873,953,6277" - outbound UDP port numbers
TCP_STOP="DROP" - defines a reaction in case of TCP connections that violate the rules
UDP_STOP="DROP" - defines a reaction in case of UDP connections that violate the rules
ALL_STOP="DROP" - defines a reaction to any other connections
We can send a TCP/IP reset (RESET), drop the packet without answering (DROP), reject it (REJECT) or send icmp-host-prohibited answer (PROHIBIT) in case of UDP.
BLK_PRVNET="1" - blocks all private ipv4 addresses. If Your machine is behind NAT then set this to 0
It's worth spending some more time to get familiar with more configuration options as APF is very feature rich.
Testing
Keeping in mind the DEVEL_MODE option we start APF like that:
/usr/local/sbin/apf -s
We can use the following parameters:
-s - start APF
-r - restart APF
-f - stop APF
-l - list statistics
-st - status of APF
-a host - allow connections from "host"
-d host - deny connections from "host"
Now we can test our firewall with a port scanner like nmap or any other tool. If we run into any problems we will be able to fix it remotly because Cron will flush the rules every 5 minutes.
Final Preparation
Now that we are sure that the firewall is working and isn't blocking ports that we need, we can change DEVEL_MODE="1" option in the configuration file to 0 and restart APF.
Next we make sure APF is started at boot time, so using setup command we go to System Services, tick APF and save the settings. After restarting the system APF should start automatically.
Links
CentOS - http://www.centos.org
Advanced Policy Firewall - http://www.rfxn.com/projects/advanced-policy-firewall
cPanel - http://www.cpanel.net
The makers of cPanel recommend CentOS to be the base for their software. That's why I've used this distribution for my example. Any distribution with IPTables will do.
From Advanced Policy Firewall's website:
"Advanced Policy Firewall (APF) is an IPTables(Netfilter) based firewall system designed around the essential needs of today's Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the 'apf' command, which includes detailed usage information on all the features."
Installation
We will begin with downloading and extracting the archive with APF:
wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -zxvf http://www.rfxn.com/downloads/apf-current.tar.gz
cd apf-9.7-1
and installing it:
sh ./install.sh
After the installation finishes APF will display locations of it's executable and configuration files as well as ports detected as being used on our system. You have to verify that the numbers are correct to avoid mistakes.
More information about ports used by cPanel can be found here: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/AllFAQ/LinuxFAQ#Which_ports_should_be_open_if_I
Configuration
APF's basic configuration file is /etc/apf/conf.apf so we edit it like this:
nano -w /etc/apf/conf.apf
The configuration file is pretty well commented so it's not hard to understand which options are responsible for certain functions. What You should remember is that by default everything is locked and You have to configure APF to open ports You need to use.
Let's get to work!
DEVEL_MODE="1" - be sure to set this option to 1 until You're satisfied with the settings.
Development mode sets a cron job to deactivate APF every 5 minutes. This really lets You install it on a remote machine without the risk of cutting Yourself out.
SET_MONOKERN="0" - APF supports monolithic kernels. If IPTables was not compiled as a module (APF then complains about IPTables even without setting up a firewall for example: Starting APF:Unable to load iptables module (ip_tables), aborting.)
IFACE_IN="eth0" and IFACE_OUT="eth0" - untrusted interfaces connected to the network, mostly the Internet
IG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,143,443,465,873,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,6666" - inbound TCP ports to open
IG_UDP_CPORTS="53,6277" - inbound UDP ports to open
IG_ICMP_TYPES="3,5,11,30" - inbound ICMP port numbers. I've removed ports 0 and 8 so the server won't answer any pings, what partially hides it on the network. Leave them in place if You or Your datacenter is using ping packets (ex. network monitoring).
EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703" - outbound TCP ports to open. At this point by blocking certain services like SSH we gain the possibility of stopping hackers that would break into our system and want to connect to other servers
EG_UDP_CPORTS="20,21,53,873,953,6277" - outbound UDP port numbers
TCP_STOP="DROP" - defines a reaction in case of TCP connections that violate the rules
UDP_STOP="DROP" - defines a reaction in case of UDP connections that violate the rules
ALL_STOP="DROP" - defines a reaction to any other connections
We can send a TCP/IP reset (RESET), drop the packet without answering (DROP), reject it (REJECT) or send icmp-host-prohibited answer (PROHIBIT) in case of UDP.
BLK_PRVNET="1" - blocks all private ipv4 addresses. If Your machine is behind NAT then set this to 0
It's worth spending some more time to get familiar with more configuration options as APF is very feature rich.
Testing
Keeping in mind the DEVEL_MODE option we start APF like that:
/usr/local/sbin/apf -s
We can use the following parameters:
-s - start APF
-r - restart APF
-f - stop APF
-l - list statistics
-st - status of APF
-a host - allow connections from "host"
-d host - deny connections from "host"
Now we can test our firewall with a port scanner like nmap or any other tool. If we run into any problems we will be able to fix it remotly because Cron will flush the rules every 5 minutes.
Final Preparation
Now that we are sure that the firewall is working and isn't blocking ports that we need, we can change DEVEL_MODE="1" option in the configuration file to 0 and restart APF.
Next we make sure APF is started at boot time, so using setup command we go to System Services, tick APF and save the settings. After restarting the system APF should start automatically.
Links
CentOS - http://www.centos.org
Advanced Policy Firewall - http://www.rfxn.com/projects/advanced-policy-firewall
cPanel - http://www.cpanel.net
