
30th September 2005, 19:50
Senior Member
Join Date: Aug 2005
Posts: 364
Thanks: 0
Thanked 3 Times in 2 Posts
How to install APF (Advanced Policy Firewall)
What is APF (Advanced Policy Firewall)?
APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz and RPM formats, APF is ideal for deployment in many server environments based on Linux. APF is developed and maintained by R-fx Networks: http://www.rfxnetworks.com/apf.php
How-To: http://www.webhostgear.com/61_print.html

22nd October 2005, 12:43
Senior Member
Join Date: Sep 2005
Posts: 839
Thanks: 15
Thanked 2 Times in 2 Posts
Please allow a silly little question: why would I block outgoing traffic/ports? I do understand that I want to restrict incoming ports due to security issues, but outgoing? I mean, this is not a Windows home PC where I might have spyware or whatever installed. And how do I know what outgoing ports are used/needed?

27th October 2005, 04:40
Senior Member
Join Date: Aug 2005
Posts: 364
Thanks: 0
Thanked 3 Times in 2 Posts
Sorry for the late reply. I got hung up on VMware Player the past week or so.
I can think of one of many good reasons why you would also deny outbound traffic. You can pretty much relate it to a Windows OS or apps that run in Windows. They also call home for one strange reason or another. So on your server, if you or someone on your account installed a script that routes outbound traffic on an abnormal port, you would know.
__________________
Shuttle XPC | Intel 865g | P4 3.2Ghz | ATI 9800 Pro
Hosts: Ubuntu 6.10 ~ XGL-Beryl SVN-Gnome | OS X 10.4.8 | WindowsXP
Virtual Appliances: Ubuntu Server 6.10 | WindowsXP | CentOS 4.4

12th November 2005, 22:52
Junior Member
Join Date: Nov 2005
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
The first thing in a good firewall configuration is to drop everything (in, out, forward) and then open only the needed ports for in, out and forward.
For example, if you want to open HTTP requests to your server you have to open port 80 for input and also the output for port 80.

7th March 2006, 21:22
Senior Member
Join Date: Sep 2005
Posts: 839
Thanks: 15
Thanked 2 Times in 2 Posts
OK, I finally set up the APF firewall with the AD plugin. I realized I can use it for inbound traffic without bothering with the outbound module...
Nevertheless, maybe someone can help me a little bit with outgoing traffic rules. Basically all ports opened for incoming which send back data like 21, 25, 80, 81, 443 need to be opened, but what about FTP? I thought that was flowing out through different ports?
Can someone explain this auto resetting of rules after 5 mins? What exactly happens after 5 min? If I make changes I have 5 mins to try them out, afterwards they are reset? If I did not manage to try it out in 5 mins I just have to restart APF to get 5 more mins?

8th March 2006, 04:57
Junior Member
Join Date: Mar 2006
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Hello Tenaka, when you apply rules to outbound traffic, it looks at the ports you're trying to connect *to*, not the ports you're connecting *from*. So for example you may need to open outbound port 80 (HTTP) if you use wget to download files. You'll need to open all the FTP ports if you want to use an FTP client or wget to connect to FTP sites from your box.
The 5-minute test period is in case you are connected remotely, and you really screw up your firewall so that you can't even connect via SSH. Ordinarily you would be screwed in that scenario, but with the 5-minute "trial" period, if you find your SSH is blocked, just wait 5 minutes and try again.
After the 5 minutes, *ALL* rules are dropped and your machine is wide open again just like you had no firewall. So if this is on a machine you have physical access to, you don't need the test mode and you can turn it off, because you can still connect through the console.
Of course once everything is working correctly, you'll need to take it out of test mode!
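The two points made in this thread (drop everything first and open only needed ports in all three directions, and outbound rules matching the port you connect *to* plus the 5-minute test mode) are easier to see in a concrete ruleset. The script below is an added example written for this page; it is not APF's own code and not anything a poster supplied. APF takes its port lists from conf.apf, whereas here the port lists, the variable names IN_TCP/OUT_TCP/DEVEL_MODE and the log prefixes are constructed for the example. It only prints the iptables commands unless you pass --apply as root.

```shell
#!/bin/sh
# Added example, not APF's own code: build a default-deny iptables ruleset
# of the kind the thread describes. APF reads its port lists from conf.apf;
# the variable names and port numbers below are constructed for this example.
# Usage:  sh apf-style-rules.sh --print   (show the commands)
#         sh apf-style-rules.sh --apply   (as root: pipe them into sh)

IN_TCP="22,80,443"       # services this host listens on (constructed sample)
OUT_TCP="21,25,80,443"   # destination ports this host may open connections to
DEVEL_MODE=1             # 1 = flush all rules after 5 minutes, like APF's test mode

# Emit one ACCEPT rule per port for a chain. Only NEW connections need these
# rules; the replies ride on the ESTABLISHED,RELATED rule in build_rules.
emit_port_rules() {
    chain=$1
    ports=$2
    old_ifs=$IFS
    IFS=','
    for p in $ports; do
        echo "iptables -A $chain -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    IFS=$old_ifs
}

# Test mode: schedule a full flush in 300 seconds so a rule that locks you out
# of SSH clears itself. The box is then wide open, exactly as the post warns,
# so DEVEL_MODE goes back to 0 once the rules are known to work.
emit_devel_flush() {
    echo '( sleep 300 && iptables -F && iptables -t raw -F && iptables -P INPUT ACCEPT && iptables -P OUTPUT ACCEPT && iptables -P FORWARD ACCEPT ) &'
}

build_rules() {
    # Step 1: drop everything by default, in all three directions.
    echo 'iptables -F'
    echo 'iptables -t raw -F'
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P OUTPUT DROP'
    echo 'iptables -P FORWARD DROP'
    # Loopback, plus replies to connections that were already accepted. This is
    # why a web server needs no separate "outbound 80" rule to answer clients,
    # and why wget needs only the outbound port-80 rule to receive a download.
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # FTP: attach the ftp conntrack helper to outbound control connections so the
    # data channels (active or passive) are tracked as RELATED and need no extra
    # port rules. Recent kernels do not assign helpers automatically, hence -j CT.
    echo 'modprobe nf_conntrack_ftp'
    echo 'iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp'
    # Step 2: inbound rules match the port we listen on; outbound rules match the
    # destination port we connect to.
    emit_port_rules INPUT "$IN_TCP"
    emit_port_rules OUTPUT "$OUT_TCP"
    # Step 3: log what is dropped (rate limited) so a script phoning home on an
    # unexpected port shows up in syslog instead of failing silently.
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "'
    echo 'iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "'
    [ "$DEVEL_MODE" = 1 ] && emit_devel_flush
    return 0
}

case "${1:-}" in
    --print) build_rules ;;
    --apply) build_rules | sh ;;
esac
```

Run it with --print first and read the output: inbound 25 (SMTP) is absent because this sample host does not run a mail server, while outbound 25 is present so the host can still deliver mail. The OUT-DROP log lines are the practical answer to "how do I know what outgoing ports are needed": anything legitimate that is missing from OUT_TCP will show up there before you take DEVEL_MODE off.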
All times are GMT +2. The time now is 13:38.