APF - Advanced Policy Firewall

Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations.

The offical home page for APF is located at:

http://www.rfxnetworks.com/apf.php

If you are configuring iptables in your own custom kernel then you
should be sure that the following modules are compiled with the kernel for
modular support:

ip_tables
iptable_filter
iptable_mangle
ip_conntrack
ip_conntrack_irc
ip_conntrack_ftp
ipt_state
ipt_multiport
ipt_limit
ipt_recent
ipt_LOG
ipt_REJECT
ipt_ecn
ipt_length
ipt_mac
ipt_multiport
ipt_owner
ipt_state
ipt_ttl
ipt_TOS
ipt_TCPMSS
ipt_ULOG

If you would like to make sure you support these modules then you can take a look inside of /lib/modules/kernelver/kernel/net/ipv4/netfilter/ directory.

Installation

The installation setup of APF is very straight forward, there is an included
install.sh script that will perform all the tasks of installing APF for you.

Install

# sh install.sh

If one so desires they may customize the setup of APF by editing the variables inside the install.sh script followed by also editing the path variables in the conf.apf and internals.conf files. This is however not recommends and the default paths should meet all user needs, they are:

Install Path: /etc/apf
Bin Path: /usr/local/sbin/apf

The first is to setup APF in the init system with chkconfig (done by
default during install), as detailed below:

chkconfig –add apf
chkconfig –level 345 apf on

General Usage:

The /usr/local/sbin/apf command has a number of options that will ease the
day-to-day use of your firewall. Here is a quick snap-shot of the options:

usage /usr/local/sbin/apf [OPTION]
-s|–start ……………………. load the firewall rules
-r|–restart ………………….. stop (flush) & reload firewall rules
-f|–stop …………………….. stop (flush) all firewall rules
-l|–list …………………….. list chain rules
-t|–status …………………… firewall status
-e|–refresh ………………….. refresh & resolve dns names in trust rules
-a HOST CMT|–allow HOST COMMENT … add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST CMT|–deny HOST COMMENT …. add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall
-u|–remove HOST ………………. remove host from [glob_]deny_hosts.rules
and immediately remove rule from firewall
-o|–ovars ……………………. output all configuration options

Trust an address:
apf -a ryanm.dynip.org “my home dynamic-ip”
Deny an address:
apf -d 192.168.3.111 “keeps trying to bruteforce”
Remove an address:
apf -u ryanm.dynip.org

Tags: , ,

Trackback URI | Comments RSS

Leave a Reply

You must be logged in to post a comment.