How To Install And Configure Advanced Policy Firewall (APF) On CentOS 5.3

Want to support HowtoForge? Become a subscriber!
 
Submitted by Leszek (Contact Author) (Forums) on Wed, 2009-09-16 16:29. :: CentOS | Security

How To Install And Configure Advanced Policy Firewall (APF) On CentOS 5.3

Author: Leszek Taczkowski

This tutorial explains how you can install and configure APF - an interface to IPTables which lets you easily configure a full featured firewall to secure servers and workstations connected to a network. This guide describes an example installation on a server with cPanel but it's only a matter of port numbers which must be open for everything to work. APF can be used on any system.

The makers of cPanel recommend CentOS to be the base for their software. That's why I've used this distribution for my example. Any distribution with IPTables will do.

From Advanced Policy Firewall's website:

"Advanced Policy Firewall (APF) is an IPTables(Netfilter) based firewall system designed around the essential needs of today's Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the 'apf' command, which includes detailed usage information on all the features."

 

Installation

We will begin with downloading and extracting the archive with APF:

wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -zxvf http://www.rfxn.com/downloads/apf-current.tar.gz
cd apf-9.7-1

and installing it:

sh ./install.sh

After the installation finishes APF will display locations of it's executable and configuration files as well as ports detected as being used on our system. You have to verify that the numbers are correct to avoid mistakes.

More information about ports used by cPanel can be found here: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/AllFAQ/LinuxFAQ#Which_ports_should_be_open_if_I

 

Configuration

APF's basic configuration file is /etc/apf/conf.apf so we edit it like this:

nano -w /etc/apf/conf.apf

The configuration file is pretty well commented so it's not hard to understand which options are responsible for certain functions. What You should remember is that by default everything is locked and You have to configure APF to open ports You need to use.

Let's get to work!

DEVEL_MODE="1" - be sure to set this option to 1 until You're satisfied with the settings.
Development mode sets a cron job to deactivate APF every 5 minutes. This really lets You install it on a remote machine without the risk of cutting Yourself out.

SET_MONOKERN="0" - APF supports monolithic kernels. If IPTables was not compiled as a module (APF then complains about IPTables even without setting up a firewall for example: Starting APF:Unable to load iptables module (ip_tables), aborting.)

IFACE_IN="eth0" and IFACE_OUT="eth0" - untrusted interfaces connected to the network, mostly the Internet

IG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,143,443,465,873,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,6666" - inbound TCP ports to open

IG_UDP_CPORTS="53,6277" - inbound UDP ports to open

IG_ICMP_TYPES="3,5,11,30" - inbound ICMP port numbers. I've removed ports 0 and 8 so the server won't answer any pings, what partially hides it on the network. Leave them in place if You or Your datacenter is using ping packets (ex. network monitoring).

EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703" - outbound TCP ports to open. At this point by blocking certain services like SSH we gain the possibility of stopping hackers that would break into our system and want to connect to other servers

EG_UDP_CPORTS="20,21,53,873,953,6277" - outbound UDP port numbers

TCP_STOP="DROP" - defines a reaction in case of TCP connections that violate the rules

UDP_STOP="DROP" - defines a reaction in case of UDP connections that violate the rules

ALL_STOP="DROP" - defines a reaction to any other connections

We can send a TCP/IP reset (RESET), drop the packet without answering (DROP), reject it (REJECT) or send icmp-host-prohibited answer (PROHIBIT) in case of UDP.

BLK_PRVNET="1" - blocks all private ipv4 addresses. If Your machine is behind NAT then set this to 0

It's worth spending some more time to get familiar with more configuration options as APF is very feature rich.

 

Testing

Keeping in mind the DEVEL_MODE option we start APF like that:

/usr/local/sbin/apf -s

We can use the following parameters:

-s - start APF

-r - restart APF

-f - stop APF

-l - list statistics

-st - status of APF

-a host - allow connections from "host"

-d host - deny connections from "host"

Now we can test our firewall with a port scanner like nmap or any other tool. If we run into any problems we will be able to fix it remotly because Cron will flush the rules every 5 minutes.

 

Final Preparation

Now that we are sure that the firewall is working and isn't blocking ports that we need, we can change DEVEL_MODE="1" option in the configuration file to 0 and restart APF.

Next we make sure APF is started at boot time, so using setup command we go to System Services, tick APF and save the settings. After restarting the system APF should start automatically.

 

Links


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by yalnark (not registered) on Tue, 2010-01-19 15:05.

Also, you can do these changes at your APF settings:

To remove "ping: sendmsg: Operation not permitted" & "Connection timed out" issues on your server, you have to do following:

Change BLK_RESNET="1" to BLK_RESNET="0"

Restart APF.

apf -r OR service apf restart

 

Submitted by yalnark (not registered) on Tue, 2010-01-19 14:57.

It will be really nice to see if somebody can post some nice learning resources [books, pdf's,etc] for the APF apart from the links mentioned below:

http://www.rfxn.com/projects/advanced-policy-firewall/

http://www.rfxn.com/appdocs/README.apf


Submitted by Leszek (registered user) on Thu, 2009-09-17 10:35.
Looks ok to me. Maybe it was temporary.
Submitted by Anonymous (not registered) on Wed, 2009-09-16 21:59.
Seems that the http://www.rfxn.com is down. Also, the tar extraction line should probably omit the website.