This article describes how to install and configure the Advanced Policy Firewall (APF). You can use APF on an unmanaged VPS, Cloud VPS, or unmanaged Flex Dedicated Server to help secure your system. APF enables you to explicitly grant and deny access to selected IP addresses, as well as to selected services running on the server.
To install Advanced Policy Firewall on your system, follow these steps:
To extract the application files, type the following command:
tar xvzf apf-current.tar.gz
Type the following command:
Type the following command:
When you run install.sh, you may receive the following error message:
eth0: error fetching interface information: Device not found
This is expected behavior. You can safely disregard this message.
After Advanced Policy Firewall is installed, you must configure it for your system.
The following procedure describes the minimum steps to get APF working correctly:
IFACE_IN="eth0" IFACE_OUT="eth0" SET_MONOKERN="0" HELPER_SSH_PORT="22" IG_TCP_CPORTS="22"
Modify the settings listed in step 2 as follows:
IFACE_IN="venet0" IFACE_OUT="venet0" SET_MONOKERN="1" HELPER_SSH_PORT="7822" IG_TCP_CPORTS="80,7822,8000"
Type the following command to start APF in development mode:
After you verify that the connections are working correctly, modify the /etc/apf/conf.apf file to disable development mode. To do this, edit the following line as shown:
APF regulates traffic to and from the server by using a “whitelist” and a “blacklist”. The whitelist contains IP addresses and networks that are specifically granted access. The blacklist contains IP addresses and networks that are specifically denied access. These lists are stored in the /etc/apf/allow_hosts.rules and /etc/apf/deny_hosts.rules files.
APF automatically bans any IP address that has too many failed login attempts within a certain time period. To make sure you do not lock yourself out, you can add your IP address to the whitelist. To do this, add the following lines to the /etc/apf/allow_hosts.rules file:
# Use this comment to describe why you're adding the rule, as well as the date and time, etc. tcp:in:d=7822:s=xxx.xxx.xxx.xxx
Replace xxx.xxx.xxx.xxx with the IP address from where you connect to the server. The comment on the first line is a good standard practice so you can keep track of when you added a rule and why.
To add multiple IP addresses to the whitelist, make a separate rule entry on each line. When you are done adding rules, save the /etc/apf/allow_hosts.rules file, and then restart the firewall by typing the following command:
You may want to deny access to specific IP addresses, particularly if you notice suspicious behavior in log files or a large amount of traffic from a particular IP address. To quickly block an IP address, type the following command:
apf --deny xxx.xxx.xxx.xxx comment
Replace xxx.xxx.xxx.xxx with the IP address that you want to block. You can also optionally add a comment for the new rule (make sure there are no spaces in the comment). The -d option automatically adds a rule to the /etc/apf/deny_hosts.rules file and restarts APF, so the change takes effect immediately.
To unblock an IP address, simply delete (or comment out) the relevant line in the /etc/apf/deny_hosts.rules file, and then restart APF:
For more information about Advanced Policy Firewall, please visit http://www.rfxn.com/projects/advanced-policy-firewall.