Advanced Policy Firewall
- Log in to your server via shell as the root user.
- Download APF version 0.9.7-1 (the most current version to date) to your system
- Now you have to extract the tar file
- Go to the APF directory
- Run the code for installation
- Modify the APF config file according to your user defined requirements.
- Add the ports you want to open for inbound (INGRESS) traffic.
- You must explicitly instruct APF to filter outgoing (EGRESS) ports as well; it does not do so by default.
- Specify the outbound ports to monitor.
- Specify the ports you want to block, if any.
The allow and deny trust files are located at:
/etc/apf/allow_hosts.rules
/etc/apf/deny_hosts.rules
You just have to list the IPs that you specifically wish to allow or deny in the respective files.
The format of these files is one address per line; IP masking (CIDR notation) is supported.
Example:
24.202.16.11
24.202.11.0/24
- Save and exit - hit 'esc' :wq 'enter'
- Start APF
- If all goes well, edit the config file and change the developer mode to 0
- Restart APF
bash# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
bash# tar -zxf apf-current.tar.gz
bash# cd apf-0.9.7-1
bash# ./install.sh
You will be alerted when the installation is complete.
Install path : /etc/apf
Config path : /etc/apf/conf.apf
Executable path : /usr/local/sbin/apf
bash# vi /etc/apf/conf.apf
(Hit i to enter the INSERT mode)
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"
# Common ICMP (inbound) types
IG_ICMP_TYPES="3,5,11,0,30,8"
The variables mentioned above are already present in the configuration file. You can customize the ports.
Change the line: EGF="0" to EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"
# Common ICMP (outbound) types
EG_ICMP_TYPES="all"
bash# /usr/local/sbin/apf -s
bash# vi /etc/apf/conf.apf
(Hit i to enter insert mode)
Change DEVM="1" to DEVM="0"
Save and quit - Hit 'esc' :wq 'enter'
bash# /usr/local/sbin/apf -r
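Before restarting with DEVM="0", it is worth sanity-checking what you just edited, since a bad port list or trust file is exactly what development mode is there to protect you from. The script below is an added example (not part of APF or of this guide) that checks the three things the walkthrough touches: that DEVM is off, that every port in the IG_/EG_ lists is a valid port number, and that allow_hosts.rules and deny_hosts.rules parse and do not contradict each other. The file contents are constructed inline; in practice read them from /etc/apf/conf.apf and the two rules files.

```python
import ipaddress
import re

# Constructed sample contents mirroring the settings edited in this walkthrough.
CONF_APF = """
DEVM="1"
EGF="1"
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
IG_UDP_CPORTS="21,53,465,873"
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"
"""
ALLOW_HOSTS = "24.202.16.11\n24.202.11.0/24\n"
DENY_HOSTS = "# constructed: one host inside an allowed /24 and one bad mask\n24.202.11.7\n10.0.0.0/33\n"
PORT_LISTS = ("IG_TCP_CPORTS", "IG_UDP_CPORTS", "EG_TCP_CPORTS", "EG_UDP_CPORTS")

def parse_conf(text):
    """Return {NAME: value} for NAME="value" lines in conf.apf, skipping comments."""
    return dict(re.findall(r'^([A-Z_]+)="([^"]*)"', text, re.M))

def parse_hosts(text):
    """Trust file: one address or CIDR block per line; blank lines and # comments skipped."""
    nets, bad = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append(line)
    return nets, bad

def check(conf_text, allow_text, deny_text):
    """Return a list of findings; an empty list means the configuration looks sane."""
    conf = parse_conf(conf_text)
    findings = []
    if conf.get("DEVM") != "0":
        findings.append("DEVM is not 0: development mode flushes the rules every 5 minutes")
    for key in PORT_LISTS:
        for p in filter(None, conf.get(key, "").split(",")):
            if not (p.isdigit() and 1 <= int(p) <= 65535):
                findings.append(f"{key}: invalid port {p!r}")
    if conf.get("EGF") == "1" and "EG_TCP_CPORTS" not in conf:
        findings.append("EGF=1 but no EG_TCP_CPORTS list is defined")
    allow, bad_allow = parse_hosts(allow_text)
    deny, bad_deny = parse_hosts(deny_text)
    findings += [f"allow_hosts.rules: unparsable entry {b!r}" for b in bad_allow]
    findings += [f"deny_hosts.rules: unparsable entry {b!r}" for b in bad_deny]
    # A host that is both allowed and denied is a rule-order surprise waiting to happen.
    findings += [f"deny {d} overlaps allow {a}" for d in deny for a in allow if a.overlaps(d)]
    return findings

if __name__ == "__main__":
    for f in check(CONF_APF, ALLOW_HOSTS, DENY_HOSTS):
        print("FINDING:", f)
```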
This is a list of ports you may want to leave open (exclude from blocking), as they are required for the use of cPanel:
- 1 & 111 Portscanner (to detect scans)
- 20 ftp tcp inbound/outbound
- 21 ftp tcp,udp inbound/outbound
- 22 ssh tcp inbound
- 25 smtp tcp inbound/outbound
- 26 smtp tcp inbound/outbound (only needed if the cPanel option to run exim on port 26 is used)
- 37 rdate tcp outbound
- 43 whois tcp outbound
- 53 DNS tcp/udp inbound/outbound (inbound is only needed if you run your own public DNS server)
- 80 http tcp inbound/outbound
- 110 pop3 tcp inbound
- 113 ident tcp outbound
- 143 imap4 tcp inbound
- 443 https tcp inbound
- 465 smtp tls/ssl tcp/udp inbound/outbound
- 873 rsync tcp/udp outbound
- 993 imap4 ssl tcp inbound
- 995 pop3 ssl tcp inbound
- 2082 cpanel tcp inbound
- 2083 cpanel ssl tcp inbound
- 2086 whm tcp inbound/(outbound for DNS cluster)
- 2087 whm ssl tcp inbound/(outbound for DNS cluster)
- 2089 cp licence tcp outbound (see below*)
- 2095 Webmail tcp inbound
- 2096 Webmail SSL tcp inbound
- 3306 mysql tcp (only if you need to connect remotely)
- 6666 chat tcp inbound
- 9898 AIM tcp outbound