SecureCentos.com

Guide for installing CSF Firewall will come later..
APF is used because its the site admins favorite, and its stable and simple to setup. Might be better for new guys? Fuel for discussion




Product Name: APF (Advanced Firewall Policy)
Product Version: 0.9.7 rev:1
Homepage: http://www.rfxn.com/projects/advanced-policy-firewall/
Description: Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of todays Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file. The management of APF on a day-to-day basis is conducted from the command line with the apf command, which includes detailed usage information and all the features one would expect from a current and forward thinking firewall solution.


Pre Setup: Make sure iptables are installed

yum install iptables* -y

Step 1: Download, unpack, install of APF from source.

cd /usr/local/src
wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-9*
./install.sh

Step 1.1: Cleanup source install files.

rm -Rf /usr/local/src/apf-9* && cd

Step 2: Backup orginal apf config

cp /etc/apf/conf.apf /etc/apf/conf.apf.bak

Step 3: Edit current APF Config

nano -w /etc/apf/conf.apf

Change:

* RAB="0" to RAB="1"
* RAB_PSCAN_LEVEL="2" to RAB_PSCAN_LEVEL="3"
* TCR_PASS="1" to TCR_PASS="0"
* DLIST_PHP="0" to DLIST_PHP="1"
* DLIST_SPAMHAUS="0" to DLIST_SPAMHAUS="1"
* DLIST_DSHIELD="0" to DLIST_DSHIELD="1"
* DLIST_RESERVED="0" to DLIST_RESERVED="1"

Step 3.1: Find IFACE_IN= and IFACE_OUT= in /etc/apf/conf.apf and verify that they match your network interface
Step 3.2: Locate HELPER_SSH_PORT=”22″ and change it to your SSH port IF you changed it in your sshd_config:
Step 3.3: Locate IG_TCP_CPORTS=”22″ and change it to your SSH port IF you changed it in your sshd_config:


REMEMBER MAKE SURE YOU TO CHANGE YOUR SSHD PORT IN APF, IF YOU CHANGED IT IN SSHD_CONFIG
You can run this command “cat /etc/ssh/sshd_config |grep Port” to see what port your SSHD uses


Step 4: Restart the APF

/usr/local/sbin/apf -r

Step 5: Now relogin though ssh again, to verify that you still can login into your server
Step 6: When your happy with your firewall and everything works fine, Edit /apf.conf find DEVEL_MODE=”1″ and change it to DEVEL_MODE=”0″





Step 7: Restart APF again

/usr/local/sbin/apf -r

Step 8: Make sure APF starts automatic after restart

chkconfig --add apf
chkconfig --level 345 apf on

You should NOW have a firewall up and running! Enjoy

Port setting example for different Hosting control panels:


Directadmin:
IG_TCP_CPORTS=”21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769″
IG_UDP_CPORTS=”53,111,631,724,5353,32768,32809″

EGF=”1″
EG_TCP_CPORTS=”21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089″
EG_UDP_CPORTS=”20,21,37,53,873″

Cpanel:
IG_TCP_CPORTS=”20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096″
IG_UDP_CPORTS=”21,53,873″

EGF=”1″
EG_TCP_CPORTS=”21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089″
EG_UDP_CPORTS=”20,21,37,53,873″

Troubleshooting:


Problem: If you get this error apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.
Solution: Try changing SET_MONOKERN=”0″ to SET_MONOKERN=”1″ , then apf -r


Problem: If you get this message: apf(xxxxx): {glob} !!DEVELOPMENT MODE ENABLED!! – firewall will flush every 5 minutes.
Solution: you need to change DEVEL_MODE=1 to DEVEL_MODE=0, make sure your config is working first.