admin Site Admin
Joined: 23 Jan 2003 Posts: 256 Location: India
Posted: Thu Aug 04, 2005 7:43 am Post subject: Advanced Policy Firewall APF Installation
Here we are going to install an awesome firewall onto your server: Advanced Policy Firewall (APF).
APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in both tar.gz and RPM formats, APF is ideal for deployment in many Linux based server environments.
Site: http://www.rfxnetworks.com/apf.php
Summary of features:
- simple & well commented configuration files
- layered firewall with independent ingress and egress filtering system
- uid based egress filtering via simple configuration variables
- global tcp/udp ports & icmp types configuration
- configurable policies for each ip on the system with convenience vars
- prerouting rules for optimal network response; TOS (type of service)
- icmp based rate limiting to prevent common icmp 'dos' abuses
- antidos subsystem to stop attacks before they become a significant threat
- dshield.org block list support to ban networks exhibiting suspicious activity
- advanced set of sysctl parameters for tcp/ip stack hardening
- advanced set of filter rules to remove undesired traffic
- advanced use of kernel features such as abort_on_overflow & tcp syncookies
- easy to use firewall management script
- trust based rule files (allow/deny); with advanced syntax support
- 3rd party addon projects that complement APF features
- and much more...
Installation
1. Make /usr/src the current working directory.
2. Obtain the most current version of APF.
3. Expand the APF tar.gz file.
tar -xvzf apf-current.tar.gz
4. Remove the tar.gz file.
rm -f apf-current.tar.gz
5. Change to the APF directory that was just extracted.
6. Run the APF install.
7. Make /etc/apf the current working directory.
8. Edit the conf.apf file as desired.
In order for this firewall to work properly you have to tell it which ports to open. TCP_CPORTS and UDP_CPORTS in conf.apf list the inbound ports APF accepts; anything not listed is dropped, so a port left out silently breaks the service behind it (mail, FTP, SSH and so on). If you have moved any service off its default port (SSH in particular), put the new port here, and remove the ports of services you do not run.
###############
# Common TCP Ports
TCP_CPORTS="20,21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095"
# Common UDP Ports
UDP_CPORTS="53"
################
Note that ports 2082 to 2095 are mostly used by cPanel, and port 19638 is only used by Ensim; leave them out if you do not run that control panel.
After you have finished editing the ports, save the file and exit vi with the :wq command, then test APF.
Start APF by typing
./apf -start
or
service apf start
Now check from a second terminal that you can still open a fresh SSH session to the server, and keep your existing session open while you do. A fresh install leaves DEVM="1" (development mode), which flushes the firewall rules every 5 minutes from cron so that a mistake in the port list cannot lock you out for good.
If APF is functioning properly and you are not locked out, edit conf.apf again and turn development mode off; otherwise the cron job will keep silently unloading your firewall.
vi conf.apf
Set the DEVM parameter to 0
DEVM="0"
Once done, save and exit the file.
:wq
Restart APF
service apf restart
Enabling Pings
Load the icmp rules file
pico -w /etc/apf/icmp.rules
You will see near the bottom of the page:
# Uncomment to enable pings
#$IPT -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT
Remove the # from the beginning of this line so that it looks like:
# Uncomment to enable pings
$IPT -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT
Restart APF and pings (ICMP echo-request, type 8) are enabled
service apf restart
Enabling connections for server monitoring.
Some service providers that offer monitoring need access to your server, and letting them in without setting off alarms or the firewall is a good thing. Just be careful which IP(s) you put in here: a bare address or network in allow_hosts.rules is trusted on every port, so use the narrowest range the provider actually needs. A /24 as in the example below lets in 256 addresses.
To allow connections from xx.xx.xx.xx/24
pico -w /etc/apf/allow_hosts.rules
At the very end of the file add this line
xx.xx.xx.xx/24
Of course replace the xx.xx.xx.xx with the IP address provided to you, then restart APF as above so the new rule is loaded.
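The post makes three edits by hand (the port lists and DEVM in conf.apf, the ping rule in icmp.rules, and the monitoring entry in allow_hosts.rules). The script below is an added example, not code from the original post or from the APF project: it performs the same edits through small shell functions that validate their input and verify the result, so they can be rehearsed on a scratch copy of the files and only then pointed at /etc/apf. The function names are my own; the x_y port-range form it accepts is APF's range syntax, which the post itself does not show, and 192.0.2.0/24 and 198.51.100.7 are documentation addresses used as constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the original post or from the APF project.
# Helpers for the three edits the walkthrough makes by hand. Every file path
# is an argument, so the functions can be tried on a scratch copy first
# (--demo does exactly that) and on /etc/apf afterwards.
set -u

# Rewrite KEY="old" to KEY="new" in a conf.apf-style file, keeping a .bak copy.
# Fails if the key is absent, so a typo in the key name does not go unnoticed.
set_conf_var() {
    file=$1; key=$2; val=$3
    grep -q "^${key}=\"" "$file" || return 1
    cp "$file" "$file.bak"
    # '|' as the sed delimiter: port lists contain commas, never '|'
    sed "s|^${key}=\".*\"|${key}=\"${val}\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    grep -q "^${key}=\"${val}\"\$" "$file"
}

# Check a TCP_CPORTS/UDP_CPORTS list: comma-separated ports 1-65535, with
# APF's x_y range syntax (assumed here, e.g. 30000_35000) also allowed.
# Rejects empty fields such as "22,,80" and non-numeric entries.
valid_port_list() {
    old_ifs=$IFS; IFS=,
    for p in $1; do
        case $p in
            *_*) lo=${p%_*}; hi=${p#*_} ;;
            *)   lo=$p; hi=$p ;;
        esac
        case "$lo$hi" in *[!0-9]*|'') IFS=$old_ifs; return 1 ;; esac
        if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
            IFS=$old_ifs; return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# Set a *_CPORTS variable only if the list passes validation.
set_ports() {
    valid_port_list "$3" || return 1
    set_conf_var "$1" "$2" "$3"
}

# Uncomment the echo-request ACCEPT rule in icmp.rules ("Enabling Pings").
enable_pings() {
    rule='$IPT -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT'
    sed 's|^#\(\$IPT -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT\)$|\1|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    grep -qxF "$rule" "$1"
}

# Is $1 a dotted-quad IPv4 address, optionally with a /0-32 prefix length?
valid_cidr() {
    addr=${1%%/*}
    case $1 in */*) bits=${1#*/} ;; *) bits=32 ;; esac
    case "$bits" in *[!0-9]*|'') return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in *[!0-9]*|'') return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Append an address or network to allow_hosts.rules exactly once. A bare entry
# is trusted on every port, so pass the narrowest prefix the provider needs.
allow_host() {
    file=$1; cidr=$2
    valid_cidr "$cidr" || return 1
    grep -qxF "$cidr" "$file" 2>/dev/null && return 0   # already present
    printf '%s\n' "$cidr" >> "$file"
}

# Walk through all three edits on a scratch copy of the files.
demo() {
    dir=$(mktemp -d)
    printf 'TCP_CPORTS="22,80"\nUDP_CPORTS="53"\nDEVM="1"\n' > "$dir/conf.apf"
    printf '# Uncomment to enable pings\n#$IPT -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT\n' > "$dir/icmp.rules"
    set_ports "$dir/conf.apf" TCP_CPORTS "20,21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095"
    set_conf_var "$dir/conf.apf" DEVM 0
    enable_pings "$dir/icmp.rules"
    allow_host "$dir/allow_hosts.rules" 192.0.2.0/24   # constructed sample network
    set_ports "$dir/conf.apf" TCP_CPORTS "22,99999" || echo "rejected bad port list, conf.apf unchanged"
    cat "$dir/conf.apf" "$dir/icmp.rules" "$dir/allow_hosts.rules"
    rm -rf "$dir"
}

if [ "${1:-}" = --demo ]; then demo; fi
```

Run it as `sh apf-edit.sh --demo` to see the edited files; on a real box call the functions with /etc/apf/conf.apf, /etc/apf/icmp.rules and /etc/apf/allow_hosts.rules, then restart APF. Each function returns non-zero when the edit did not land, which is the moment to stop rather than restart the firewall with a config you have not read.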