
How-to setup an APF Firewall

Author: Wojjie     Posted: 2004-06-13     Viewed: 71,429

Introduction:

This is a thorough how-to that covers the basics (and some more advanced topics) of installing and configuring an APF Firewall.


Downloading / Installation:
1. Download the software from: http://www.rfxnetworks.com/apf.php
(the newest version at the time of writing this article was: 0.9.3_3)

2. Extract the download on the server.

Ex.
tar -xzvf apf-current.tar.gz

3. Run the install script.

Ex.
./install.sh

You should get something like this after executing:
.: APF installed
Install path:    /etc/apf
Config path:     /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf

This tells you that it was successfully installed into '/etc/apf', the config file is located at '/etc/apf/conf.apf', and the executable is at '/usr/local/sbin/apf' (you do not have to worry about where the executable is for now).

Configuration:
4. Open the '/etc/apf/conf.apf' configuration file in your favorite editor.

Ex.
vi /etc/apf/conf.apf
5. For initial testing purposes, make sure DEVM="1". When we are sure the firewall is set up correctly, we will set this to "0".

6. I will list all the available options here with a brief description; it is your duty to put the appropriate value in.

Each option is listed with its name, how likely you are to need to change the default (Yes / Sometimes / Rarely), and a description.

DEVM [change: Yes] - When set to "1", a 5 minute cronjob is set that will flush the firewall.
When first configuring your firewall, leave this enabled ("1"); when you are sure everything is set up properly, set it to disabled ("0").

FWPATH [change: Rarely] - Path of the firewall installation.
Rarely do you have to change this value.

IF [change: Sometimes] - Network interface to firewall.
If the network interface you wish to firewall is not 'eth0', then you will have to change this to the correct interface.

MONOKERN [change: Rarely] - Support monolithic kernel builds [no LKMs].
You should change this value if iptables is not compiled as a module (i.e. you have iptables installed, but APF complains about iptables and does not set up the firewall).

TCP_STOP [change: Rarely] - How to handle TCP packet filtering.
You should leave this value as "DROP".

UDP_STOP [change: Rarely] - How to handle UDP packet filtering.
You should leave this value as "DROP".

DSTOP [change: Rarely] - How to handle all other packet filtering.
You should leave this value as "DROP".

ICMP_LIM [change: Rarely] - Packet/time ratio for ICMP packets before dropping packets.
If there is a chance that a host may legitimately ping you more frequently than this limit allows, you may need to change this value. This option reduces the amount of traffic being sent out if someone attacks you through ICMP.

BLK_MCATNET [change: Yes] - Block multicasting.
Unless you need multicasting, you should set this to enabled ("1"), just in case.

BLK_PRVNET [change: Yes] - Block all private IPv4 addresses.
Unless the server resides behind a firewall with NAT, you should enable ("1") this. Enabling this option reduces the chance of spoofing attacks.

BLK_RESNET [change: Sometimes] - Block all IPv4 address space marked reserved for future use.
There is a chance that some of the address space listed may become live IPs, so either enable ("1") this and make sure your '/etc/apf/internals/reserved.networks' file is up to date, or just leave it disabled ("0").

USE_DS [change: Sometimes] - Use DShield.org's "block" list of top networks that have exhibited suspicious activity.
This is a list of the top 20 attacking class C subnets over a 3 day period. It is safe to enable ("1") this option. If you are interested in seeing this list, you can find it here: http://feeds.dshield.org/block.txt

USE_AD [change: Sometimes] - Import our ad.rules ban list generated by antidos.
This essentially enables the antidos section of the APF firewall, and requires you to modify the '/etc/apf/ad/conf.antidos' file.

CDPORTS [change: Sometimes] - Common drop ports; these ports do not get logged.

Ingress (inbound)

IG_TCP_CPORTS [change: Yes] - Common ingress (inbound) TCP ports.
The default value for this is 22 (SSH port). You may want to add (separated by a comma ','):
- FTP port (21)
- DNS (53)
- HTTP port (80)
- HTTP SSL port (443)
- SMTP (25) SSL (465)
- POP (110) SSL (995)
- IMAP (143) SSL (993)
- CPANEL (2082) SSL (2083)
- WHM (2086) SSL (2087)
- CPANEL WebMail (2095) SSL (2096)
- a port range for FTP connections (6000_7000)
(a range is written with a '_' character, e.g. 6000_7000)

For a more complete list of ports and the services located on them, check your '/etc/services' file.

IG_UDP_CPORTS [change: Yes] - Common ingress (inbound) UDP ports.
The default value for this is empty. You may want to add (separated by a comma ','):
- FTP data port (20)
- FTP (21)
- DNS (53)
(a range is written with a '_' character, e.g. 6000_7000)

For a more complete list of ports and the services located on them, check your '/etc/services' file.

IG_ICMP_CPORTS [change: Sometimes] - Common ICMP (inbound) types.
The default value should be enough, but if you want to block certain ICMP types, look at the '/etc/apf/internals/icmp.types' file to find out what each code means.

Egress (outbound)

EGF [change: Sometimes] - Egress filtering [0 = Disabled / 1 = Enabled].
If you wish to enable egress filtering, set this to enabled (1). If you set this to disabled, skip the whole Egress section. Egress filtering will block all outgoing ports, so the server will only be able to connect outwards on the ports provided in the next variables.

EG_TCP_CPORTS [change: Sometimes] - Common egress (outbound) TCP ports.
The FAQ section on the cPanel website suggests the following ports:
21, 25, 26, 37, 43, 53, 80, 113, 465, 873, 2089, 3306

(873 and 2089 are supposedly used for the cPanel update script)

For a more complete list of ports and the services located on them, check your '/etc/services' file.

EG_UDP_CPORTS [change: Sometimes] - Common egress (outbound) UDP ports.
The FAQ section on the cPanel website suggests the following ports:
20, 21, 53, 465, 873

(873 is supposedly used for the cPanel update script)

For a more complete list of ports and the services located on them, check your '/etc/services' file.

EG_ICMP_CPORTS [change: Sometimes] - Common ICMP (outbound) types.
The default value should be enough, but if you want to block certain ICMP types, look at the '/etc/apf/internals/icmp.types' file to find out what each code means.

Log paths and control settings

IPTLOG [change: Rarely] - Status log path.
The location and file name of the log file to be used.

DROP_LOG [change: Rarely] - Log TCP/UDP DROP chains [required for antidos]. Data is logged to the kernel log.
The default value of enabled ("1") should be good for most situations, unless you do not want your kernel log file to get clogged with this type of data. Remember, this is required to be enabled if you enable antidos.

LRATE [change: Rarely] - Max firewall events to log per minute. Log events exceeding this limit will be lost!
The default value should be sufficient. Altering this value may alter the efficiency of antidos.


Testing:
7. Make sure you have DEVM set to enabled ("1"), just in case you made a mistake during configuration and end up getting locked out of the server.

Now run:
/etc/init.d/apf start
Immediately check if you can SSH into the server when the firewall has finished loading. If for some reason you are unable to, make sure that port 22 is added to the Common ingress TCP ports section (IG_TCP_CPORTS).

If the firewall does not load, and complains of iptables not being loaded, then set MONOKERN to "1".

For example, if APF gives this message, set MONOKERN to "1":
Starting APF:Unable to load iptables module (ip_tables), aborting.
8. Once you made sure you can still SSH into the server, set DEVM to disabled("0"), and restart the firewall by executing:
/etc/init.d/apf restart

Just to make certain, try to SSH into the server again while keeping your current SSH connection open. If for some reason you are unable to, quickly execute:
/etc/init.d/apf stop
Then make sure that port 22 is added to the Common ingress TCP ports section (IG_TCP_CPORTS).
9. Now test the usual services that should not be blocked, and have been listed in the Common ingress TCP ports section (IG_TCP_CPORTS).

If you enabled Egress filtering, make sure to test the Cpanel update script (if you are running CPanel):
/scripts/upcp
Also test 'up2date' (if you are running some flavor of RedHat):
up2date -update


The rest of the testing is up to you; just make sure you do not firewall yourself out.
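Before flipping DEVM to "0" in step 8, it helps to confirm mechanically that the SSH port really is in IG_TCP_CPORTS (single ports or LOW_HIGH ranges, as described in the configuration section). The script below is an added example, not part of APF or of the original article; the function names and the sample conf.apf it writes are my own assumptions:

```shell
#!/bin/sh
# Pre-flight check before setting DEVM="0": is the SSH port actually in IG_TCP_CPORTS?
# Added example, not part of APF. It reads the KEY="value" lines of conf.apf and
# understands the comma-separated port list with LOW_HIGH ranges described above.

# Print the value of KEY from an APF-style config file (last definition wins).
apf_get() { # apf_get CONF KEY
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Return 0 if PORT is covered by LIST, e.g. "22,80,6000_7000" covers 6500.
apf_port_listed() { # apf_port_listed LIST PORT
    list=$1; port=$2
    for item in $(printf '%s' "$list" | tr ',' ' '); do
        case $item in
            *_*) low=${item%_*}; high=${item#*_}
                 [ "$port" -ge "$low" ] && [ "$port" -le "$high" ] && return 0 ;;
            *)   [ "$item" -eq "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# Return 0 only when DEVM is still "1" (so a mistake is flushed by the 5 minute cron)
# and the SSH port is listed; only then is it safe to set DEVM="0" and restart.
apf_safe_to_lock() { # apf_safe_to_lock CONF [SSHPORT]
    conf=$1; sshport=${2:-22}
    devm=$(apf_get "$conf" DEVM)
    [ "$devm" = "1" ] || { echo "DEVM is '$devm'; test with DEVM=\"1\" first" >&2; return 1; }
    apf_port_listed "$(apf_get "$conf" IG_TCP_CPORTS)" "$sshport" ||
        { echo "port $sshport missing from IG_TCP_CPORTS" >&2; return 1; }
    echo "IG_TCP_CPORTS covers port $sshport; safe to set DEVM=\"0\" and restart APF"
}

# Constructed sample conf.apf (not the article's file) so this runs stand-alone.
apf_write_sample() { # apf_write_sample PATH
    printf '%s\n' '# constructed sample' 'DEVM="1"' 'IF="eth0"' \
        'IG_TCP_CPORTS="22,80,443,6000_7000"' > "$1"
}

sample=${TMPDIR:-/tmp}/apf_conf_sample.$$
apf_write_sample "$sample"
apf_safe_to_lock "$sample" 22 || true      # listed: reports safe
apf_safe_to_lock "$sample" 2222 || true    # not listed: warns on stderr
rm -f "$sample"
```

Point it at the real file with `apf_safe_to_lock /etc/apf/conf.apf` (and your SSH port, if it is not 22) before running the restart in step 8.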

More advanced: /etc/apf/allow_hosts.rules
10. As a safety precaution, you might want to add your IP to the '/etc/apf/allow_hosts.rules' file.

Open the file in your favorite editor.
11. Add the IP of your computer to the end of the file. This will cause all traffic to and from that IP not to be filtered. You can also add the IPs of other servers.

If you want to specify what kind of traffic to allow from those IPs that is not covered by the current firewall rules (i.e. you blocked all traffic to SSH and only want a few IPs to be able to access the SSH port), then this is the format you would use:
Protocol : direction/flow : source/destination port : s/d ip
[tcp/udp] : [in/out] : [s=/d=]PORT : [s=/d=]IP
Ex. (allow the IP 192.168.0.100 to access port 22):
tcp:in:d=22:s=192.168.0.100
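A syntax check for allow_hosts.rules entries in the two forms just described (a bare IP, or proto:direction:port:ip), useful before restarting APF with a hand-edited file. This is an added example, not part of the APF package; the function names are my own, and it validates syntax only, it does not load anything into the firewall:

```shell
#!/bin/sh
# Validator for /etc/apf/allow_hosts.rules lines, in the two forms the article gives:
#   IP                          (all traffic to/from the IP bypasses filtering)
#   proto:dir:[sd]=PORT:[sd]=IP (e.g. tcp:in:d=22:s=192.168.0.100)
# Added example, not part of APF. It checks syntax only.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
apf_is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Return 0 if $1 is a port number 1-65535.
apf_is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if LINE is a syntactically valid allow_hosts.rules entry.
apf_rule_valid() { # apf_rule_valid LINE
    line=$1
    case $line in
        ''|'#'*) return 0 ;;              # blank lines and comments are fine
        *:*:*:*)                          # proto:dir:port:ip form
            proto=${line%%:*}; rest=${line#*:}
            dir=${rest%%:*};   rest=${rest#*:}
            portf=${rest%%:*}; ipf=${rest#*:}
            case $proto in tcp|udp) ;; *) return 1 ;; esac
            case $dir in in|out) ;; *) return 1 ;; esac
            case $portf in s=*|d=*) apf_is_port "${portf#??}" || return 1 ;; *) return 1 ;; esac
            case $ipf in s=*|d=*) apf_is_ipv4 "${ipf#??}" ;; *) return 1 ;; esac
            ;;
        *) apf_is_ipv4 "$line" ;;         # bare IP form
    esac
}

# Constructed sample lines (not from the article) for a stand-alone run.
for r in '192.168.0.100' 'tcp:in:d=22:s=192.168.0.100' 'tcp:in:22:192.168.0.100'; do
    if apf_rule_valid "$r"; then echo "ok:  $r"; else echo "bad: $r"; fi
done
```

To check a whole file: `while IFS= read -r l; do apf_rule_valid "$l" || echo "bad: $l"; done < /etc/apf/allow_hosts.rules`.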

Copyright © 2004-2015: TheServerPages.com