Setting Up and Configuring Advanced Policy Firewall (APF) for Linux Servers (CentOS)
Advanced Policy Firewall (APF) is one of the advanced iptables based firewall used in Linux servers. Some of the best features of APF are:
- Detailed and easily understandable configuration file.
- Detailed error checking in startup.
- Granular network filtering
- Bruteforce protection
- Intrusion detection etc.
In this tutorial we will go through how APF can be installed and configured in the server.
Change current working directory to installation directory
Download the latest APF package archive with wget
Untar the tar archive
tar -xzvf apf-current.tar.gz
Change the directory to the APF package directory.
Run the install script to install APF.
This will install the APF package and after the installation is completed, the script will return the Install details like Install path,Config path, Executable path etc and other details like listening TCP and UDP ports. Here is a screenshot of the completion of installation.
Configuration of APF
By default the configuration file of APF is /etc/apf/conf.apf By editing the values in the configuration file, we can make APF work the way we need.
Here are some of the basic parameters in the config file.
DEVEL_MODE=”1″ // This is to keep APF in development mode. By default, development mode will be enabled and this will set a cronjob to flush the firewall rules in every 5 minutes and to change this to active mode, set the value to ‘0’ but only after making sure the settings are correct.
IG_TCP_CPORTS=”21,22,25,53,80,443,110,143,6000_7000″ // Inbound TCP ports to be opened by the firewall.
IG_UDP_CPORTS=”20,21,53,123″ // Inbound UDP ports to be opened by the firewall.
IG_ICMP_TYPES=”3,5,11,0,30,8″ // Inbound ICMP ports to be opened by the firewall.
EG_TCP_CPORTS=”21,25,80,443,43″ // Outbound TCP ports to be opened by the firewall.
EG_UDP_CPORTS=”20,21,53″ // Outbound TCP ports to be opened by the firewall.
EG_ICMP_TYPES=”all” // Outbound ICMP ports to be opened by the firewall.
TCP_STOP=”DROP” // This is to define the action taken to the TCP connections that violates the firewall rules.
UDP_STOP=”DROP” // This is to define the action taken to the UDP connections that violates the firewall rules.
ALL_STOP=”DROP” // This is to define the action taken to all the other packets that violates the firewall rules.
BLK_PRVNET=”0″ // This is to block all the private IPV4 addresses. This should be enabled by setting the value to ‘1’ unless the server resides behind a router with NAT.
BLK_MCATNET=”0″ // This is to block multicasting. If you don’t require multicasting, you can enable this option by setting the value to ‘1’.
There are lot of other option in the APF firewall and the explanation of each parameter is given in the configuration file itself. You can disable the development mode after testing and rightly entering the values.
APF command and switches
APF firewall can be managed with the command ‘apf‘. You can simply use apf if the path ‘/usr/local/sbin‘ is exported or you can use the full path (/usr/local/sbin/apf) for running apf.
Here are some of the optionx in apf command.
/usr/local/sbin/apf -s // To start APF /usr/local/sbin/apf -r // To restart APF /usr/local/sbin/apf -f // To stop APF. /usr/local/sbin/apf -l // To list all the firewall rules. /usr/local/sbin/apf -t // To view the output log status. /usr/local/sbin/apf -a <IP Address> // To allow a host in the firewall /usr/local/sbin/apf -d <IP Address> // To deny a host in the firewall /usr/local/sbin/apf -o // To view all the configuration options /usr/local/sbin/apf --help // To view all the options provided by the firewall.
This tutorial only mentions the basic and most important options by APF, you may refer the APF configuration files and play around with it for advanced settings. Make sure you put it in the development mode till you are sure that the settings are correct.
We hope you have found this technote useful on how to secure a Linux server with APF on Centos.
Thanks for reading and leave your questions below to keep the conversation going.