Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file. The management of APF on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information and all the features one would expect from a current and forward thinking firewall solution.
For more details and readme plus changelogs or download see: http://www.rfxn.com/projects/advanced-policy-firewall/
Installation with Debian Squeeze:
– install chkconfig for debian as the APF install script expects chkconfig.
sudo aptitude install chkconfig
Now get the latest package with wget from rfxn.com website (current release as of writing is 0.9.7-1)
Extract the tar with
tar -zxvf apf-current.tar.gz
Change to the extracted directory
cd apf-9.7.1 apf-9.7.1$
Run the install script (install.sh)
sudo apf-9.7.1$ sudo ./install.sh Installing APF 9.7-1: Completed. Installation Details: Install path: /etc/apf/ Config path: /etc/apf/conf.apf Executable path: /usr/local/sbin/apf Other Details: Listening TCP ports: 22,25,111,44482 Listening UDP ports: 111,973,57678 Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.
* Note: In some cases on Debian I’ve noticed that the installer doesn’t correctly configure APF to start when he system is started or rebooted, in this case create a script named apf.sh in /etc directory and make it executable and add this code to the scirpt file:
#!/bin/sh sh -c "/etc/apf/apf -s" &
Now edit the interfaces file in /etc/network/interfaces and add a pre-up command under iface “pre-up /etc/apf.sh” as shown here:
# The primary network interface allow-hotplug eth0 iface eth0 inet static pre-up /etc/apf.sh address 10.1.0.38 netmask 255.255.255.0 network 10.1.o.0 broadcast 10.1.0.255 gateway 10.1.0.254 # dns-* options are implemented by the resolvconf package, if installed dns-nameservers 10.1.0.30 10.1.0.29 dns-search mydomain.local
Edit the configuation file conf.apf located in /etc/apf/conf.apf
To start with, change a few things and test first, so lets enable RAB [Reactive Address Blocking] by changing
Now lets add some more ports open for our server under Configure inbound (ingress) – SSH port 22 is already open, let’s open port 80 and port 443 for our web server.
Change IG_TCP_CPORTS=”22″ to:
We can configure the egress filtering after we have tested these changes first.
Save the configuration file and exit
Now start the firewall:
sudo /usr/local/sbin/apf -s
Once verified that those settings worked, edit the configuration file conf.apf again located in /etc/apf/conf.apf and go over all options available, they are very well documented within the configuration file and enable or disable the options that you want. In this example below we will enable Dshield and add some known IP blocks that you want to block always with the deny_hosts.rules file.
The components that will be changed are listed here, everything else is left as is:
DEVEL_MODE="1" SET_FASTLOAD="1" # Note you may want to set this to minutes if using global trust rules 0=never 10=10 mins SET_REFRESH="0" SET_TRIM="0" RAB="1" # Egress outbound filtering EGF="1" RG_TCP_CPORTS="21,25,53,80,443,43" #Enable DShield in the Remote Rule Imports section - from the configuration file description: #DShield collects data about malicious activity from across the Internet. This data is cataloged, summarized and can #be used to discover trends in activity, confirm #widespread attacks, or assist in preparing better firewall rules. #This is a list of top networks that have exhibited suspicious activity. #So change DLIST_DSHIELD="0" to: DLIST_DSHIELD="1" # logging LOG_DROP="1"
**Note Make sure when everything is set and tested to change the DEVEL_MODE=”1″ to DEVEL_MODE=”0″. Otherwise all the configuration file changes will be lost after 5 minutes of running, this is a safety net via a cron job and this option is located at the top if the file under [Main].
Edit the deny_hosts.rules file and add some known malicious IP addresses or address blocks, or as a test add a workstation or device on your network and test it out. The deny_hosts.rules file will accept both FQDN (fully qualified domain names) and IP addresses with optional bit masking. Examples of these formats are:
- yourhost.you.com (FQDN)
- 192.168.2.102 (IP Address)
- 192.168.1.0/24 (IP Address with 24 bit mask)
Restart the firewall and test the rules.
sudo /usr/local/sbin/apf -r
The /usr/local/sbin/apf command has a number of options that will ease the day-to-day use of your firewall. Here is a quick snap-shot of the options:
usage /usr/local/sbin/apf [OPTION]
-s|–start ……………………. load the firewall rules
-r|–restart ………………….. stop (flush) & reload firewall rules
-f|–stop …………………….. stop (flush) all firewall rules
-l|–list …………………….. list chain rules
-t|–status …………………… firewall status
-e|–refresh ………………….. refresh & resolve dns names in trust rules
-a HOST CMT|–allow HOST COMMENT … add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
-d HOST CMT|–deny HOST COMMENT …. add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall
-u|–remove HOST ………………. remove host from [glob_]deny_hosts.rules and immediately remove rule from firewall
-o|–ovars ……………………. output all configuration options