Knowledge Base

How to install and configure Advanced Policy Firewall

This article describes how to install and configure the Advanced Policy Firewall (APF). You can use APF on a semi-managed VPS, Cloud VPS, or semi-managed Flex Dedicated Server to help secure your system. APF enables you to explicitly grant and deny access to selected IP addresses, as well as to selected services running on the server.

Installing Advanced Policy Firewall

To install Advanced Policy Firewall on your system, follow these steps:

  1. Log in to your system using SSH.
  2. Type the following command to download the application files to your server:
    wget http://www.rfxn.com/downloads/apf-current.tar.gz
  3. To extract the application files, type the following command:

    tar xvzf apf-current.tar.gz
  4. Type the following command:

    cd apf-9.7-2

    The extracted directory name may vary based on the version number you download.

  5. Type the following command:

    ./install.sh

    When you run install.sh, you may receive the following error message:

    eth0: error fetching interface information: Device not found

    This is expected behavior. You can safely disregard this message.

Configuring Advanced Policy Firewall

After Advanced Policy Firewall is installed, you must configure it for your system.

Basic configuration

The following procedure describes the minimum steps to get APF working correctly:

  1. At the command prompt, open the /etc/apf/conf.apf file in your preferred text editor.
  2. Locate each of the following settings in the /etc/apf/conf.apf file:
    IFACE_IN="eth0"
    IFACE_OUT="eth0"
    SET_MONOKERN="0"
    HELPER_SSH_PORT="22"
    IG_TCP_CPORTS="22"
  3. Modify the settings listed in step 2 as follows:

    IFACE_IN="venet0"
    IFACE_OUT="venet0"
    SET_MONOKERN="1"
    HELPER_SSH_PORT="7822"
    IG_TCP_CPORTS="80,7822,8000"

    You can add to the IG_TCP_CPORTS setting any other port numbers that you want to allow. (For security reasons, A2 Hosting servers use port 7822 for SSH, not the default port of 22.) To view a list of assigned port numbers, please visit http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers.

  4. Save the changes to the /etc/apf/conf.apf file, and then exit the text editor.

  5. Type the following command to start APF in development mode:

    apf --start

    In development mode, APF drops all firewall rules five minutes after you start it. This is a safety feature—if the firewall is misconfigured, you could be blocked from accessing your own system. Development mode saves you from this unpleasant scenario. (If this happens, though, you can still log in using the console feature in the SolusVM control panel.)

  6. Test the connections that you want to allow (for example, SSH and HTTP) to make sure they work correctly. For example, make sure your web site loads in a browser, and make sure you can connect to the system using SSH.

  7. After you verify that the connections are working correctly, modify the /etc/apf/conf.apf file to disable development mode. To do this, edit the following line as shown:

    DEVEL_MODE="0"
  8. Save the changes to the /etc/apf/conf.apf file, and then restart the system. The firewall is now active.

Granting access

APF regulates traffic to and from the server by using a “whitelist” and a “blacklist”. The whitelist contains IP addresses and networks that are specifically granted access. The blacklist contains IP addresses and networks that are specifically denied access. These lists are stored in the /etc/apf/allow_hosts.rules and /etc/apf/deny_hosts.rules files.

APF automatically bans any IP address that has too many failed login attempts within a certain time period. To make sure you do not lock yourself out, you can add your IP address to the whitelist. To do this, add the following lines to the /etc/apf/allow_hosts.rules file:

# Use this comment to describe why you're adding the rule, as well as the date and time, etc.
tcp:in:d=7822:s=xxx.xxx.xxx.xxx

Replace xxx.xxx.xxx.xxx with the IP address from where you connect to the server. The comment on the first line is a good standard practice so you can keep track of when you added a rule and why.

If you do not know your IP address, you can visit http://ipfinder.us.

To add multiple IP addresses to the whitelist, make a separate rule entry on each line. When you are done adding rules, save the /etc/apf/allow_hosts.rules file, and then restart the firewall by typing the following command:

apf --restart
Denying access

You may want to deny access to specific IP addresses, particularly if you notice suspicious behavior in log files or a large amount of traffic from a particular IP address. To quickly block an IP address, type the following command:

apf --deny xxx.xxx.xxx.xxx comment

Replace xxx.xxx.xxx.xxx with the IP address that you want to block. You can also optionally add a comment for the new rule (make sure there are no spaces in the comment). The -d option automatically adds a rule to the /etc/apf/deny_hosts.rules file and restarts APF, so the change takes effect immediately.

To block an entire network, use CIDR notation. For example, to block the 192.168.100.0 network, you would use 192.168.100.0/24. For more information about CIDR notation, please visit http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation.

To unblock an IP address, simply delete (or comment out) the relevant line in the /etc/apf/deny_hosts.rules file, and then restart APF:

apf --restart

More Information

For more information about Advanced Policy Firewall, please visit http://www.rfxn.com/projects/advanced-policy-firewall.