Security - Install And Configure Advanced Policy Firewall (APF) On CentOS
From Advanced Policy Firewall’s website:
“Advanced Policy Firewall (APF) is an IPTables(Netfilter) based firewall system designed around the essential needs of today’s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information on all the features.”
Installation
Downloading and extracting.
wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -zxvf apf-current.tar.gz
cd apf-9.7-1
Then run the installer:
The installer prints the locations of APF's executable and configuration files, as well as the ports it detected as being in use.
Configuration
APF's main configuration file is /etc/apf/conf.apf.
By default everything is locked down, and you have to configure APF to open the ports you need.
DEVEL_MODE="1" - keep this option set to 1 until you are satisfied with the settings.
SET_MONOKERN="0" - APF supports monolithic kernels (iptables built into the kernel rather than loaded as modules); this option enables that support.
IFACE_IN="eth0" and IFACE_OUT="eth0" - the untrusted interfaces connected to the network, usually the Internet.
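As an added illustration (not from the original post and not part of APF itself), a small POSIX shell audit of the settings above, run against a constructed conf.apf excerpt; apf_get and apf_audit are helper names chosen here:

```shell
#!/bin/sh
# Read one KEY="value" line from a conf.apf-style file and print the bare value.
# Usage: apf_get FILE KEY
apf_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Print one WARN line per setting that is not production-ready; return 1 if any.
# Usage: apf_audit FILE
apf_audit() {
    rc=0
    if [ "$(apf_get "$1" DEVEL_MODE)" = "1" ]; then
        echo "WARN: DEVEL_MODE=1 (development mode; set to 0 once the settings are final)"
        rc=1
    fi
    for key in IFACE_IN IFACE_OUT; do
        if [ -z "$(apf_get "$1" "$key")" ]; then
            echo "WARN: $key is empty (untrusted interface not set)"
            rc=1
        fi
    done
    return $rc
}

# Constructed excerpt standing in for /etc/apf/conf.apf (not a real config).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# sample conf.apf excerpt
DEVEL_MODE="1"
SET_MONOKERN="0"
IFACE_IN="eth0"
IFACE_OUT=""
EOF

if apf_audit "$SAMPLE_CONF"; then
    echo "conf.apf looks ready for production"
else
    echo "review the warnings above before relying on this firewall"
fi
```

Point it at the real file with apf_audit /etc/apf/conf.apf once APF is installed.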
Testing
Start APF with apf -s.
The apf command accepts the following parameters:
-s - start APF
-r - restart APF
-f - stop APF
-l - list statistics
-st - status of APF
-a host - allow connections from “host”
-d host - deny connections from “host”
Advanced Policy Firewall - http://www.rfxn.com/projects/advanced-policy-firewall
How to disable IPv6 on RHEL 5, Fedora and CentOS
In Red Hat Enterprise Linux 5 the Internet Protocol version 6 (IPv6) module is loaded by default; if your network is not ready to run IPv6, you should turn it off on your Linux server.
Steps to disable IPv6 on RHEL 5:
1. In Fedora, CentOS and RHEL 5, kernel modules are configured through the /etc/modprobe.conf file.
Add these lines to /etc/modprobe.conf to disable autoloading of the IPv6 module:
alias net-pf-10 off
alias ipv6 off
2. Next edit /etc/sysconfig/network
# vi /etc/sysconfig/network
Change to the following.
3. Also stop the IPv6 firewall service.
4. Disable it permanently:
# chkconfig ip6tables off
Chkconfig
The chkconfig command can also be used to activate and deactivate services. If you use the chkconfig --list command, you will see a list of system services and whether they are started (on) or stopped (off) in runlevels 0-6 (at the end of the list you will see a section for the services managed by xinetd).
If you use chkconfig --list to query a service managed by xinetd, you will see whether that xinetd service is enabled (on) or disabled (off). For example, the following command shows that finger is enabled as an xinetd service:
$ chkconfig --list finger
finger on
More importantly, chkconfig can be used to set whether a service is started in a specific runlevel. For example, to turn nscd off in runlevels 3, 4 and 5, use the command:
chkconfig --level 345 nscd off