This article covers the installation and configuration of the Advanced Policy Firewall (APF). On an unmanaged VPS or unmanaged Dedicated Server, you can use APF to enhance system security: it lets you explicitly allow or deny access for particular IP addresses and for particular services on the server.

Installing Advanced Policy Firewall

To install Advanced Policy Firewall on your system, follow these steps:

  1. Log in to your system using SSH.
  2. Type the following command to download the application files to your server:

    wget http://www.rfxn.com/downloads/apf-current.tar.gz
  3. To extract the application files, type the following command:

    tar xvzf apf-current.tar.gz
  4. Change to the extracted directory (the version number in the directory name may differ):

    cd apf-9.7-2
  5. Run the installer:

    ./install.sh

Configuring Advanced Policy Firewall

After Advanced Policy Firewall is installed, you must configure it for your system.

Basic configuration

The following procedure describes the minimum steps to get APF working correctly:

  1. At the command prompt, open the /etc/apf/conf.apf file in your preferred text editor.
  2. Locate each of the following settings in the /etc/apf/conf.apf file:
    IFACE_IN="eth0"
    IFACE_OUT="eth0"
    SET_MONOKERN="0"
    HELPER_SSH_PORT="22"
    IG_TCP_CPORTS="22"
  3. Modify the settings listed in step 2 as follows:

    IFACE_IN="venet0"
    IFACE_OUT="venet0"
    SET_MONOKERN="1"
    HELPER_SSH_PORT="7822"
    IG_TCP_CPORTS="80,7822,8000"
  4. Save the changes to the /etc/apf/conf.apf file, and then exit the text editor.
  5. Type the following command to start APF in development mode:

    apf --start
  6. Test the connections that you want to allow (for example, SSH and HTTP) to make sure they work correctly: confirm that your web site loads in a browser and that you can still connect to the system using SSH.
  7. After you verify that the connections are working correctly, modify the /etc/apf/conf.apf file to disable development mode. To do this, edit the following line as shown:

    DEVEL_MODE="0"
  8. Save the changes to the /etc/apf/conf.apf file, and then restart the system. The firewall is now active.
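
The most common failure in the procedure above is leaving development mode with an SSH port that is not listed in IG_TCP_CPORTS, which locks you out. The following script is an added example, not part of APF or of this article: it reads a conf.apf-style file and succeeds only when HELPER_SSH_PORT is covered by IG_TCP_CPORTS and DEVEL_MODE is 0. The helper names (apf_get, apf_ssh_port_allowed, apf_preflight, write_sample) and the sample file it writes are this example's own.

```shell
#!/bin/sh
# Pre-flight check for a conf.apf before DEVEL_MODE is switched off. Added example, not part of APF:
# it only reads the file. Assumes the KEY="value" layout shown above and APF's lo_hi port-range syntax.

# apf_get FILE KEY: print the value of KEY="value" in FILE (empty if absent)
apf_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# apf_ssh_port_allowed FILE: succeed if HELPER_SSH_PORT is covered by IG_TCP_CPORTS
apf_ssh_port_allowed() {
    ssh_port=$(apf_get "$1" HELPER_SSH_PORT)
    cports=$(apf_get "$1" IG_TCP_CPORTS)
    [ -n "$ssh_port" ] || return 1
    found=1
    old_ifs=$IFS; IFS=,
    for entry in $cports; do
        case $entry in
            *_*)                      # port range written as lo_hi
                lo=${entry%_*}; hi=${entry#*_}
                [ "$ssh_port" -ge "$lo" ] && [ "$ssh_port" -le "$hi" ] && found=0 ;;
            "$ssh_port") found=0 ;;   # exact port match
        esac
    done
    IFS=$old_ifs
    return $found
}

# apf_preflight FILE: succeed only when the file is safe to run with DEVEL_MODE="0"
apf_preflight() {
    status=0
    if ! apf_ssh_port_allowed "$1"; then
        echo "WARNING: HELPER_SSH_PORT is not in IG_TCP_CPORTS; leaving development mode would drop SSH" >&2
        status=1
    fi
    if [ "$(apf_get "$1" DEVEL_MODE)" != "0" ]; then
        echo "WARNING: DEVEL_MODE is still not 0; the firewall is not in production mode" >&2
        status=1
    fi
    return $status
}

# write_sample FILE CPORTS DEVEL: write a constructed, minimal conf.apf for demonstration
write_sample() {
    printf 'IFACE_IN="venet0"\nIFACE_OUT="venet0"\nDEVEL_MODE="%s"\nHELPER_SSH_PORT="7822"\nIG_TCP_CPORTS="%s"\n' "$3" "$2" > "$1"
}
sample=$(mktemp); write_sample "$sample" "80,7822,8000" 0   # the values from the procedure above
apf_preflight "$sample" && echo "conf.apf is safe to take out of development mode"
rm -f "$sample"
```

Run it against /etc/apf/conf.apf before step 7; a non-zero exit status means the file still needs attention.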

Granting access

APF regulates traffic to and from the server by using a “whitelist” and a “blacklist”. The whitelist contains IP addresses and networks that are specifically granted access. The blacklist contains IP addresses and networks that are specifically denied access. These lists are stored in the /etc/apf/allow_hosts.rules and /etc/apf/deny_hosts.rules files.

APF automatically bans any IP address that has too many failed login attempts within a certain time period. To make sure you do not lock yourself out, add your own IP address to the whitelist. To do this, add the following line to the /etc/apf/allow_hosts.rules file:

    xxx.xxx.xxx.xxx

Replace xxx.xxx.xxx.xxx with the IP address from which you connect to the server.

To add multiple IP addresses to the whitelist, make a separate rule entry on each line. When you are done adding rules, save the /etc/apf/allow_hosts.rules file, and then restart the firewall by typing the following command:

    apf --restart

Denying access

You may want to deny access to specific IP addresses, particularly if you notice suspicious behavior in log files or a large amount of traffic from a particular IP address. To quickly block an IP address, type the following command:

apf --deny xxx.xxx.xxx.xxx comment

Replace xxx.xxx.xxx.xxx with the IP address that you want to block. You can also optionally add a comment for the new rule (make sure there are no spaces in the comment). The --deny option (short form -d) automatically adds a rule to the /etc/apf/deny_hosts.rules file and restarts APF, so the change takes effect immediately.

To unblock an IP address, simply delete (or comment out) the relevant line in the /etc/apf/deny_hosts.rules file, and then restart APF:

    apf --restart