Install Firewall



Guide for installing CSF Firewall will come later.
APF is used because it's the site admin's favorite, and it's stable and simple to set up. Might be better for new guys? Fuel for discussion ;)




Product Name: APF (Advanced Policy Firewall)
Product Version: 0.9.7 rev:1
Homepage: http://www.rfxn.com/projects/advanced-policy-firewall/
Description: Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today's Internet-deployed servers and the unique needs of custom-deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy-to-follow process, from top to bottom of the configuration file. The management of APF on a day-to-day basis is conducted from the command line with the apf command, which includes detailed usage information and all the features one would expect from a current and forward-thinking firewall solution.


Pre-setup: Make sure iptables is installed

yum install iptables* -y



Step 1: Download, unpack, install of APF from source.

cd /usr/local/src
wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-9*
./install.sh



Step 1.1: Clean up the source install files.

rm -Rf /usr/local/src/apf-9* && cd



Step 2: Back up the original APF config

cp /etc/apf/conf.apf /etc/apf/conf.apf.bak



Step 3: Edit the current APF config

nano -w /etc/apf/conf.apf



Change:

* RAB="0" to RAB="1"
* RAB_PSCAN_LEVEL="2" to RAB_PSCAN_LEVEL="3"
* TCR_PASS="1" to TCR_PASS="0"
* DLIST_PHP="0" to DLIST_PHP="1"
* DLIST_SPAMHAUS="0" to DLIST_SPAMHAUS="1"
* DLIST_DSHIELD="0" to DLIST_DSHIELD="1"
* DLIST_RESERVED="0" to DLIST_RESERVED="1"



Step 3.1: Find IFACE_IN= and IFACE_OUT= in /etc/apf/conf.apf and verify that they match your network interface.
Step 3.2: Locate HELPER_SSH_PORT="22" and change it to your SSH port IF you changed it in your sshd_config.
Step 3.3: Locate IG_TCP_CPORTS="22" and change it to your SSH port IF you changed it in your sshd_config.


REMEMBER: MAKE SURE YOU CHANGE YOUR SSHD PORT IN APF IF YOU CHANGED IT IN SSHD_CONFIG.
You can run the command "cat /etc/ssh/sshd_config | grep Port" to see what port your SSHD uses.


Step 4: Restart the APF

/usr/local/sbin/apf -r



Step 5: Now log in again through SSH to verify that you can still log in to your server.
Step 6: When you're happy with your firewall and everything works fine, edit /etc/apf/conf.apf, find DEVEL_MODE="1" and change it to DEVEL_MODE="0".





Step 7: Restart APF again

/usr/local/sbin/apf -r



Step 8: Make sure APF starts automatically after a reboot

chkconfig --add apf
chkconfig --level 345 apf on



You should NOW have a firewall up and running! Enjoy
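Below is an added example, not part of this tutorial and not the APF project's own tooling: a POSIX shell script that applies the Step 3 edits to conf.apf with sed and then runs the two checks you want before the apf -r of Step 4. It verifies that the port sshd actually uses (read from sshd_config) is set as HELPER_SSH_PORT and listed in IG_TCP_CPORTS, since otherwise the restart locks you out (the situation Step 5 and DEVEL_MODE exist to catch), and that the file contains no typographic quotes pasted from a web page, the 3306 problem reported in the comments. The sample conf.apf and sshd_config contents, the listening-port list and the script name are constructed for illustration; nothing under /etc/apf is touched unless you pass the real paths.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of the APF project: apply the Step 3
# edits to conf.apf with sed and, before running "apf -r", check that the port
# sshd listens on is open in APF and that the file contains no typographic quotes.
# With two arguments it checks real files; with none it runs on a constructed
# sample in a temp directory.
set -eu

# apf_set FILE KEY VALUE: rewrite the line KEY="..." to KEY="VALUE" (straight quotes).
apf_set() {
    file=$1; key=$2; val=$3
    grep -q "^${key}=" "$file" || { echo "no such key in $file: $key" >&2; return 1; }
    sed "s|^${key}=.*|${key}=\"${val}\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# apf_get FILE KEY: print the value between the quotes of KEY="...".
apf_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1"
}

# The seven changes the tutorial lists under Step 3.
apf_apply_tutorial_changes() {
    apf_set "$1" RAB 1
    apf_set "$1" RAB_PSCAN_LEVEL 3
    apf_set "$1" TCR_PASS 0
    apf_set "$1" DLIST_PHP 1
    apf_set "$1" DLIST_SPAMHAUS 1
    apf_set "$1" DLIST_DSHIELD 1
    apf_set "$1" DLIST_RESERVED 1
}

# apf_check_quotes FILE: fail if any non-ASCII byte is present. Typographic
# quotes pasted from a web page make APF read the wrong value without any error.
apf_check_quotes() {
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"; then
        echo "non-ASCII characters (typographic quotes?) in $1" >&2
        return 1
    fi
}

# apf_missing_ports CONF "P1 P2 ...": print the listed TCP ports that are not in
# IG_TCP_CPORTS. Feed it the ports from "ss -lnt" or "netstat -lnt" to see what
# APF would cut off. Port ranges in IG_TCP_CPORTS are not expanded here.
apf_missing_ports() {
    allowed=",$(apf_get "$1" IG_TCP_CPORTS),"
    missing=""
    for p in $2; do
        case "$allowed" in
            *",$p,"*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    echo "${missing# }"
}

# apf_check_ssh CONF SSHD_CONFIG: the port sshd actually uses must be both the
# HELPER_SSH_PORT value and in IG_TCP_CPORTS; otherwise "apf -r" locks you out.
apf_check_ssh() {
    port=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$2" | head -n 1)
    port=${port:-22}    # sshd's default when the Port directive is commented out
    [ "$(apf_get "$1" HELPER_SSH_PORT)" = "$port" ] || return 1
    [ -z "$(apf_missing_ports "$1" "$port")" ]
}

# Constructed sample files (not real configs) for trying the functions out:
# sshd was moved to 2222 but conf.apf still says 22, the classic lockout.
make_sample() {
    cat > "$1/conf.apf" <<'EOF'
DEVEL_MODE="1"
RAB="0"
RAB_PSCAN_LEVEL="2"
TCR_PASS="1"
DLIST_PHP="0"
DLIST_SPAMHAUS="0"
DLIST_DSHIELD="0"
DLIST_RESERVED="0"
HELPER_SSH_PORT="22"
IG_TCP_CPORTS="22,80,443"
EOF
    cat > "$1/sshd_config" <<'EOF'
#Port 22
Port 2222
EOF
}

if [ "$#" -eq 2 ]; then
    CONF=$1; SSHD=$2
else
    WORK=$(mktemp -d); make_sample "$WORK"
    CONF=$WORK/conf.apf; SSHD=$WORK/sshd_config
    apf_apply_tutorial_changes "$CONF"
fi
apf_check_quotes "$CONF" || echo "replace the quotes with plain \" before apf -r"
if apf_check_ssh "$CONF" "$SSHD"; then
    echo "sshd port is open in $CONF"
else
    echo "WARNING: sshd port is not open in $CONF; apf -r would lock you out" >&2
fi
```

Run it as sh apf-precheck.sh /etc/apf/conf.apf /etc/ssh/sshd_config after your Step 3 edits; with no arguments it runs on the sample, where the lockout warning fires because sshd is on 2222 while conf.apf still says 22. apf_missing_ports takes any port list, so feeding it the listening ports from ss -lnt shows every service the IG_TCP_CPORTS list would cut off, not only SSH.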

Port setting examples for different hosting control panels:


DirectAdmin:
IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"
IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"

EGF="1"
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
EG_UDP_CPORTS="20,21,37,53,873"

cPanel:
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
IG_UDP_CPORTS="21,53,873"

EGF="1"
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
EG_UDP_CPORTS="20,21,37,53,873"



Troubleshooting:


Problem: If you get this error: apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.
Solution: Try changing SET_MONOKERN="0" to SET_MONOKERN="1", then run apf -r


Problem: If you get this message: apf(xxxxx): {glob} !!DEVELOPMENT MODE ENABLED!! – firewall will flush every 5 minutes.
Solution: You need to change DEVEL_MODE="1" to DEVEL_MODE="0"; make sure your config is working first.

  • Dimitar Ivanov

    Hi there,

    I’m getting this error: apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.
    So I have to try changing…, but what?

    Cheers

  • admin

    Try setting SET_MONOKERN="0" to SET_MONOKERN="1"

  • tsj5j

    If you don’t want APF to block the wrong networks, do this:

    Change:
    DLIST_RESERVED="0" to DLIST_RESERVED="1"

    What’s DLIST_RESERVED?

    # The reserved networks list is addresses which ARIN has marked as reserved
    # for future assignment and have no business as valid traffic on the internet.
    # Such addresses are often used as spoofed (Fake) hosts during attacks, this
    # will update the reserved networks list in order to prevent new ip assignments
    # on the internet from getting blocked; this option is only important when
    # BLK_RESNET is set to enabled.

    The default APF package comes with outdated (or incorrect, beats me) reserved networks that have been assigned to people.
    APF will refuse connections from users using these newly allocated IP blocks.

    For example, the default reserved networks contain IPs from a major datacenter, SoftLayer.

  • Justin

    Great Tutorial! :) Thank You

  • Baris

    Good point on reserved networks.

  • Utn

    Could we get a version of this for CSF?

    Thank you

  • art

    I’ve got

    >> iptables: Unknown error 18446744073709551615

    The same error for apf and firehol. My VPS is using openvz@parallels.
    Can you help with some advice?

  • jeffatrackaid

    While APF, CSF and similar firewalls are nice and provide a lot of features, I've found a very simple strategy of block everything and open only what is needed works very well. Combining this with some rate-limiting via iptables (http://www.rackaid.com/resources/how-to-block-ssh-brute-force-attacks/) works very well. I've found some of these advanced firewall scripts to cause performance issues as the rule chains grow overly long if not checked. This is mostly an issue on high-traffic servers, but I've often replaced APF/CSF with a simple iptables script.

    Also, you have to be careful with some of these programs as they are vulnerable to log injection attacks. I've not checked APF, but BFD from the same author was (is?) vulnerable to a log injection attack. Since the processing of log data is not sanitized, you can spoof IPs and get BFD to block IPs. See: http://www.ossec.net/main/attacking-log-analysis-tools for a good discussion of this issue.
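As an added example of the "block everything, open only what is needed" approach this comment describes (not the commenter's script, and not part of APF, CSF or the linked rackaid article): a small shell script that prints a default-deny iptables INPUT policy with a rate limit on new SSH connections through the recent match, so the rules can be read before they are applied. The SSH port and the TCP port list are assumed values for illustration; the policies are switched to DROP only after the accept rules are in place, so an existing SSH session is not cut off while the script runs.

```shell
#!/bin/sh
# Added example, not the commenter's script and not part of APF or CSF: a
# default-deny INPUT chain with the "recent" match limiting new SSH connections.
# gen_rules only prints the commands so they can be reviewed; apply_rules pipes
# them to sh. The port numbers passed in are illustrative assumptions.
set -eu

# gen_rules SSH_PORT TCP_PORTS: print an INPUT policy that accepts loopback,
# replies to our own connections, rate-limited SSH and the listed TCP ports,
# then logs (rate-limited) and drops everything else.
gen_rules() {
    ssh_port=$1
    tcp_ports=$2
    cat <<EOF
# reset INPUT and FORWARD while the policy is still ACCEPT, so an open SSH session survives
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# SSH: remember each new connection per source; the 4th within 60 seconds is dropped
iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --name ssh --set
iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports $tcp_ports -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "INPUT-DROP: "
# default deny, set last so nothing is cut off while the rules above are being added
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# count_rules SSH_PORT TCP_PORTS: number of iptables commands gen_rules emits
# (comment lines excluded); this whole chain is what the commenter contrasts
# with the long chains the firewall scripts build up.
count_rules() {
    gen_rules "$1" "$2" | grep -c '^iptables '
}

# apply_rules SSH_PORT TCP_PORTS: apply for real (needs root). Keep a second
# session open until you have confirmed you can still log in.
apply_rules() {
    gen_rules "$1" "$2" | sh
}

# Default: print the rule set for SSH on 22 plus a web server.
gen_rules "${SSH_PORT:-22}" "${TCP_PORTS:-80,443}"
```

Print the set with sh minimal-fw.sh (or SSH_PORT=2222 TCP_PORTS=80,443,3306 sh minimal-fw.sh), read it, then call apply_rules as root while a second SSH session stays open; save the result with the distribution's mechanism (service iptables save on CentOS 5/6) so it survives a reboot. The ordering matters: the recent --set rule has to precede the --update check, and the DROP policies go last.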


  • WebAlfa

    Plesk
    IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,3389,8443,8880,30000,61001,65535"
    EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,3389,8443,8880,30000"

  • 1234homie

    great site, thanks for apf! working very well ;]

  • 1234homie

    how can I scan centos to find viruses?

  • geelee

    --------------
    conf.apf:
    IFACE_IN="eth0"
    IFACE_OUT="eth0"

    Then this happened after a reboot, or after unplugging the network cable:

    """
    apf -r
    apf(32093): {glob} flushing & zeroing chain policies
    apf(32093): {glob} firewall offline
    apf(32127): {glob} activating firewall
    apf(32167): {glob} could not verify that interface eth0 is routed to a network, aborting.
    apf(32127): {glob} firewall initalized

    iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    """

    Why did this happen?
    What can I do?

    --------------
    If I set these values in conf.apf:
    IFACE_IN=""
    IFACE_OUT=""

    then this happened:

    apf -r
    apf(32245): {glob} flushing & zeroing chain policies
    apf(32245): {glob} firewall offline
    apf(32278): {glob} activating firewall
    apf(32318): {glob} determined (IFACE_IN) has address 127.0.0.1
    apf(32318): {glob} determined (IFACE_OUT) has address 127.0.0.1

    iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    DROP all -- default/8 anywhere
    DROP all -- 39.0.0.0/8 anywhere
    DROP all -- 102.0.0.0/8 anywhere
    DROP all -- 103.0.0.0/8 anywhere
    DROP all -- 106.0.0.0/8 anywhere
    DROP all -- loopback/8 anywhere
    ^C

    Is this OK?

  • John

    When I start APF for the first time it freezes at the line below:
    apf(1632): {php} parsing php_list into /etc/apf/php_hosts.rules

    Then the server crashes or goes into total lock-down because ssh or apache won't respond.

    Any ideas guys?

  • minos

    For the life of me, for the last two hours I could not find or figure out why (copied from the example above)
    G_TCP_CPORTS=”21,22,25,53,80,110,111,143,443,587,953,2222,3306″

    Didn't work for opening 3306, but all the other ports worked fine. Then I finally noticed that the example I copied used the damn MS quote (″).

    Please change your examples above to rid them of this headache causing quote. I am sure I am not the only person that had this happen.

    Really enjoyed your tutorials and have recommended them to everyone else that is setting up centos boxes.