Recently in Server Admin Category

I tried to install APF (Advanced Policy Firewall) on my Debian 4 server just now, and found out that most tutorials I've seen online don't work "out-of-the-box", so I'm writing this one for my own future reference.  If you're reading this entry and have no idea what APF is, you can read more about it here: http://www.rfxnetworks.com/apf.php

You should be warned before we continue: if you mess up your configuration, you can and WILL lock yourself out of your server.  Be very careful when you continue with the rest of this memo.  Make sure you have someone who is physically at the server and can help you regain access to it should you mess up.  Management services are usually expensive, and I'm not responsible for any bills incurred as a result of this.  You have been warned.

1) Log in to your server via SSH, preferably as root.

2) Go to a directory where you can download, save, and keep things organized (in my case: ~/installs/ ), and issue these commands:
SSH Command
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxvf apf-current.tar.gz

3) Now go into the directory you just extracted, in my case, with this command:
SSH Command
cd apf-0.9.6-3/

4) We need to edit a few files before we install it:
i) Because Debian does not have /etc/rc.d/init.d/ but only /etc/init.d/, we need to remove the rc.d reference from the files.  There are five instances in the version I'm working with; there may be more in future versions:
SSH Command
./apf.init:. /etc/rc.d/init.d/functions
./cron.daily:/etc/rc.d/init.d/apf restart >> /dev/null 2>&1
./install.sh:        if [ -f "/etc/rc.d/init.d/apf" ]; then
./install.sh:                cp -f apf.init /etc/rc.d/init.d/apf
./install.sh:                cp -f apf.init /etc/rc.d/init.d/apf


ii) Because there is no /etc/init.d/functions (or /etc/rc.d/init.d/functions, for that matter) in Debian, we need to comment that line out in apf.init; simply adding a # in front of it will do.
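The two step-4 edits can also be applied with sed rather than by hand, and the result checked before install.sh is run. The script below is an added example and is not part of the original post or the APF tarball; the file names and paths are the ones the grep output above lists, and make_sample_tree builds a constructed copy of just those lines so the script runs stand-alone (point debianize_apf_tree at the real apf-0.9.6-3/ directory instead to apply it for real).

```shell
#!/bin/sh
# Added example (not from the original post or the APF tarball): the step-4 edits
# applied with sed, plus a count of what is left so the result can be checked.

# rewrite_in_place FILE SED_EXPR: in-place edit without relying on GNU-only sed -i
rewrite_in_place() {
    tmp="$1.tmp.$$"
    sed -e "$2" "$1" > "$tmp" && mv "$tmp" "$1"
}

# debianize_apf_tree DIR:
#   4i)  drop the rc.d component from every init path in apf.init, cron.daily, install.sh
#   4ii) comment out the line in apf.init that sources the RedHat-only functions file
debianize_apf_tree() {
    dir=$1
    for f in apf.init cron.daily install.sh; do
        [ -f "$dir/$f" ] || continue
        rewrite_in_place "$dir/$f" 's|/etc/rc\.d/init\.d/|/etc/init.d/|g'
    done
    # after 4i the line reads ". /etc/init.d/functions"; prefix it with "# "
    rewrite_in_place "$dir/apf.init" 's|^\. /etc/init\.d/functions|# &|'
}

# remaining_rcd_refs DIR: prints how many /etc/rc.d references are still present
# (should be 0 after debianize_apf_tree; grep -c exits 1 on zero matches, hence || true)
remaining_rcd_refs() {
    cat "$1/apf.init" "$1/cron.daily" "$1/install.sh" | grep -c '/etc/rc\.d/' || true
}

# make_sample_tree DIR: constructed stand-in for the unpacked tarball, holding only
# the lines the post's grep found (not the real APF files)
make_sample_tree() {
    mkdir -p "$1"
    printf '#!/bin/sh\n. /etc/rc.d/init.d/functions\nexit 0\n' > "$1/apf.init"
    printf '#!/bin/sh\n/etc/rc.d/init.d/apf restart >> /dev/null 2>&1\n' > "$1/cron.daily"
    printf 'if [ -f "/etc/rc.d/init.d/apf" ]; then\n\tcp -f apf.init /etc/rc.d/init.d/apf\nfi\n' > "$1/install.sh"
}

# stand-alone demonstration on the constructed tree
work=$(mktemp -d)
make_sample_tree "$work"
echo "before: $(remaining_rcd_refs "$work") rc.d references"
debianize_apf_tree "$work"
echo "after:  $(remaining_rcd_refs "$work") rc.d references"
grep -n 'functions' "$work/apf.init"
rm -rf "$work"
```

The rc.d rewrite runs first so that the functions line already reads `. /etc/init.d/functions` when it is commented out; running remaining_rcd_refs afterwards is the check that none of the five instances were missed.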

5) Run the install script:
SSH Command
./install.sh

You should eventually see something like this:
SSH Command
Installing APF 0.9.5-1: Completed. Installation Details:
  Install path:         /etc/apf/
  Config path:          /etc/apf/conf.apf
  Executable path:      /usr/local/sbin/apf
  AntiDos install path: /etc/apf/ad/
  AntiDos config path:  /etc/apf/ad/conf.antidos
  DShield Client Parser:  /etc/apf/extras/dshield/

6) Configure the firewall by editing /etc/apf/conf.apf
SSH Command
nano /etc/apf/conf.apf

A few things you want to note:
  • DEVM="1" is fine for now, but you should change it to DEVM="0" when you're done with all the edits, so it doesn't clear the bans every 5 minutes.
  • I found that my server did not have iptables configured as a kernel module, so I needed to set SET_MONOKERN="1"
  • Common TCP Ingress (incoming) ports on cPanel servers are: 21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500
  • Common TCP Ingress (incoming) ports on Ensim servers are: 21,22,25,53,80,110,143,443,19638
  • Common UDP Ingress (incoming) ports are: 53
  • You can choose to filter Egress (outbound) traffic by setting EGF="1", but I prefer not to, so I don't find myself puzzled when I'm trying to wget / ftp / torrent things.
When you're done, the usual Ctrl+X, Y will save and exit.

7) Start the firewall:
SSH Command
/usr/local/sbin/apf -s

Other available parameters can be seen here:
SSH Command
usage /usr/local/sbin/apf [OPTION]
-s|--start ......................... load all firewall rules
-r|--restart ....................... stop (flush) & reload firewall rules
-f|--stop........ .................. stop (flush) all firewall rules
-l|--list .......................... list all firewall rules
-t|--status ........................ output firewall status log
-e|--refresh ....................... refresh & resolve dns names in trust rules
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
                                     immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
                                     immediately load new rule into firewall
-u|--remove HOST ................... remove host from [glob]*_hosts.rules
                                     and immediately remove rule from firewall
-o|--ovars ......................... output all configuration options

8) Check and make sure everything is working.  Test your firewall by banning a friend's IP (or the IP of another server you have access to) and verify that it is actually blocked; you can remove the ban with -u afterwards.

9) When you're ready, change DEVM="1" to DEVM="0".

10) Make it so APF launches automagically when your server starts:
SSH Command
update-rc.d apf defaults
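Given the lockout warning at the top, the check I would run between steps 9 and 10, before the firewall is enabled at boot, is the script below. It is an added example, not from the original post or the APF project: it reads a conf.apf, confirms that DEVM has been switched back to "0" and that the SSH port is covered by IG_TCP_CPORTS (the conf.apf key that holds the TCP ingress list, where a range is written in the 3000_3500 form), and refuses to give the all-clear otherwise. The sample configs it builds are constructed for a stand-alone run; on a real server you would call apf_preflight /etc/apf/conf.apf with your SSH port.

```shell
#!/bin/sh
# Added example (not from the original post or the APF project): pre-flight check
# before "update-rc.d apf defaults", so a reboot cannot bring up a rule set that
# is still in dev mode or that does not admit the SSH port.

# conf_value FILE KEY: prints the value of a KEY="value" line (last one wins, as when sourced)
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_allowed LIST PORT: true if PORT is one of the comma-separated entries or
# falls inside an a_b range entry
port_allowed() {
    list=$1; port=$2
    for entry in $(printf '%s\n' "$list" | tr ',' ' '); do
        case $entry in
            *_*)
                lo=${entry%%_*}; hi=${entry##*_}
                [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
                ;;
            *)
                [ "$entry" -eq "$port" ] && return 0
                ;;
        esac
    done
    return 1
}

# apf_preflight FILE SSHPORT: returns 0 when it is safe to enable at boot, 1 otherwise
apf_preflight() {
    conf=$1; sshport=${2:-22}; status=0
    devm=$(conf_value "$conf" DEVM)
    if [ "$devm" != "0" ]; then
        echo "DEVM=\"$devm\": still in development mode, rules are flushed every 5 minutes" >&2
        status=1
    fi
    ports=$(conf_value "$conf" IG_TCP_CPORTS)
    if ! port_allowed "$ports" "$sshport"; then
        echo "port $sshport is not in IG_TCP_CPORTS=\"$ports\": you would be locked out" >&2
        status=1
    fi
    return $status
}

# make_sample_conf FILE DEVM PORTS: constructed conf.apf fragment with the keys we check
make_sample_conf() {
    printf 'DEVM="%s"\nSET_MONOKERN="1"\nIG_TCP_CPORTS="%s"\nIG_UDP_CPORTS="53"\nEGF="0"\n' \
        "$2" "$3" > "$1"
}

# stand-alone demonstration: one config still in dev mode with no SSH port, one ready
work=$(mktemp -d)
make_sample_conf "$work/dev.apf" 1 "21,25,80,443"
make_sample_conf "$work/ready.apf" 0 "21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
for c in dev.apf ready.apf; do
    if apf_preflight "$work/$c" 22; then
        echo "$c: safe to run update-rc.d apf defaults"
    else
        echo "$c: fix conf.apf before enabling at boot"
    fi
done
rm -rf "$work"
```

The port check handles the range form as well as single ports, so an SSH daemon moved to, say, a port inside 3000_3500 is still recognised; an empty or missing IG_TCP_CPORTS is treated as "nothing allowed" rather than passed silently.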

And you should be set!

In Debian installations, syslogd is configured by default to write a --MARK-- message to /var/log/messages once every 20 minutes.  This message is used to help identify locations in the messages log, and some argue that it helps the system administrator verify that the log daemon is running.  However, if you're like me and have nothing much running on the server, you will find the messages log filling up with nothing but --MARK-- lines.  Here's a quick way to disable the --MARK-- message:

Edit the configuration file:
SSH Command
nano /etc/default/syslogd

Find:
SYSLOGD=""

Replace with:
SYSLOGD="-m 0"

Ctrl + X, Y to save and exit.

Then, issue this command:
SSH Command
/etc/init.d/syslogd restart

This will stop any future --MARK-- entries from being written.