How to install and configure Advanced Policy Firewall

The Advanced Policy Firewall (APF) installation and configuration procedures are covered in this article. On an unmanaged VPS or unmanaged dedicated server, you can use APF to strengthen system security. APF gives you the ability to specifically permit or refuse access to specific IP addresses and server services.

Installing Advanced Policy Firewall

To install Advanced Policy Firewall on your system, follow these steps:

1. Log in to your system using SSH.
2. Type the following command to download the application files to your server:Copywget http://www.rfxn.com/downloads/apf-current.tar.gz
3. To extract the application files, type the following command:
   Copytar xvzf apf-current.tar.gz
4. Type the following command:
   Copycd apf-9.7-2The extracted directory name may vary based on the version number you download.
5. Type the following command:
   Copy./install.shWhen you run install.sh, you may receive the following error message:
   eth0: error fetching interface information: Device not foundThis is expected behavior. You can safely disregard this message.

Configuring Advanced Policy Firewall

After Advanced Policy Firewall is installed, you must configure it for your system.

Basic configuration

The following procedure describes the minimum steps to get APF working correctly:

1. At the command prompt, open the /etc/apf/conf.apf file in your preferred text editor.
2. Locate each of the following settings in the /etc/apf/conf.apf file:IFACE_IN=”eth0″ IFACE_OUT=”eth0″ SET_MONOKERN=”0″ HELPER_SSH_PORT=”22″ IG_TCP_CPORTS=”22″
3. Modify the settings listed in step 2 as follows:
   IFACE_IN=”venet0″ IFACE_OUT=”venet0″ SET_MONOKERN=”1″ HELPER_SSH_PORT=”7822″ IG_TCP_CPORTS=”80,7822,8000″You can add to the IG_TCP_CPORTS setting any other port numbers that you want to allow. (For security reasons, Hostvento Hosting servers use port 7822 for SSH, not the default port of 22.) To view a list of assigned port numbers, please visit http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers.
4. Save the changes to the /etc/apf/conf.apf file, and then exit the text editor.
5. Type the following command to start APF in development mode:
   Copyapf –startIn development mode, APF drops all firewall rules five minutes after you start it. This is a safety feature—if the firewall is misconfigured, you could be blocked from accessing your own system. Development mode saves you from this unpleasant scenario. (If this happens, though, you can still log in using the console feature in the SolusVM control panel.)
6. Test the connections that you want to allow (for example, SSH and HTTP) to make sure they work correctly. For example, make sure your web site loads in a browser, and make sure you can connect to the system using SSH.
7. After you verify that the connections are working correctly, modify the /etc/apf/conf.apf file to disable development mode. To do this, edit the following line as shown:
   DEVEL_MODE=”0″
8. Save the changes to the /etc/apf/conf.apf file, and then restart the system. The firewall is now active.

Granting access

APF regulates traffic to and from the server by using a “whitelist” and a “blacklist”. The whitelist contains IP addresses and networks that are specifically granted access. The blacklist contains IP addresses and networks that are specifically denied access. These lists are stored in the /etc/apf/allow_hosts.rules and /etc/apf/deny_hosts.rules files.

APF automatically bans any IP address that has too many failed login attempts within a certain time period. To make sure you do not lock yourself out, you can add your IP address to the whitelist. To do this, add the following lines to the /etc/apf/allow_hosts.rules file:

# Use this comment to describe why you're adding the rule, as well as the date and time, etc.
tcp:in:d=7822:s=xxx.xxx.xxx.xxx

Replace xxx.xxx.xxx.xxx with the IP address from where you connect to the server. The comment on the first line is a good standard practice so you can keep track of when you added a rule and why.

If you do not know your IP address, you can visit http://ipfinder.us.

To add multiple IP addresses to the whitelist, make a separate rule entry on each line. When you are done adding rules, save the /etc/apf/allow_hosts.rules file, and then restart the firewall by typing the following command:

Copyapf --restart

Denying access

You may want to deny access to specific IP addresses, particularly if you notice suspicious behavior in log files or a large amount of traffic from a particular IP address. To quickly block an IP address, type the following command:

Copyapf --deny xxx.xxx.xxx.xxx comment

Change the IP address that you wish to ban to xxx.xxx.xxx.xxx. For the new rule, you can optionally add a comment. Just make sure the comment is space-free. The change is instantaneous because the -d option instantly adds a rule to the /etc/apf/deny_hosts.rules file and restarts APF.

Use CIDR notation to block an entire network. For instance, 192.168.100.0/24 would be used to block the 192.168.100.0 network. Please check http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation for additional details on CIDR notation.

To unblock an IP address, simply delete (or comment out) the relevant line in the /etc/apf/deny_hosts.rules file, and then restart APF:

Copyapf --restart

How to order a shared web hosting package