Installing APF (Advanced Policy Firewall)
APF is a decent, free Linux firewall script that's very easy to manage. If you're running an unmanaged dedicated server, or even a server from home, a firewall is essential. This is just a quick guide to installing and setting up APF.
Installation
It's a good idea to have a directory dedicated to scripts that you want to download and install as root; it keeps everything nice and tidy. So if you don't already have one:
mkdir downloads
cd downloads
Then you can fetch and unpack the latest version of APF:
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
Then cd into the directory that was unpacked. It'll be named something like apf-0.9.3, with the version number changing depending on the current release.
Run the installer:
./install.sh
Configuration
How you configure APF will depend a lot on what type of software and services you're running, so take some time to study the README for more information.
To begin editing the config file:
pico -w /etc/apf/conf.apf
APF can make use of the DShield block list. This is a little like spam blocklists such as SPEWS: it lists the most commonly abused networks and those most often used in denial of service attacks and similar. If you want to make use of the DShield list and block traffic from these networks, find the following:
USE_DS="0"
and change to:
USE_DS="1"
Now you'll want to configure the common ingress (inbound) ports and common egress (outbound) ports. This is where your needs will vary most, depending on which control panel you have on your server (if any) and what services you're running; again, the README file has more information.
After you're done with the configuration, you can start the firewall:
/usr/local/sbin/apf -s
If everything seems OK, you'll want to go back to the config file and make one final edit. Find the following:
DEVM="1"
This option (development mode) is set to clear the firewall rules every 5 minutes, so an error in the original config can't lock you out. Once you're happy the rules work, you need to change that option to:
DEVM="0"
and then restart APF:
/usr/local/sbin/apf -r
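Before turning DEVM off and restarting, it's worth checking the config for the two mistakes that lock people out: DEVM left on, and your own admin port missing from the inbound list. The script below is an added example, not part of APF or of this guide; it assumes the conf.apf keys DEVM and USE_DS from above plus IG_TCP_CPORTS (APF's name for the common inbound TCP ports), assumes you administer the box over SSH on TCP 22, and runs against a constructed sample fragment rather than the real /etc/apf/conf.apf.

```shell
#!/bin/sh
# Added example (not part of APF): sanity-check a conf.apf before turning
# DEVM off and running apf -r, so a mistake does not lock you out.

# apf_get_value FILE KEY: print the value of KEY="value" (last match wins)
apf_get_value() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# apf_has_port PORTLIST PORT: succeed if PORT is in a comma-separated list
apf_has_port() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# apf_check FILE ADMINPORT: report problems; return 1 if any would lock you out
apf_check() {
    rc=0
    if [ "$(apf_get_value "$1" DEVM)" != "0" ]; then
        echo "WARN: DEVM is still 1, rules are flushed every 5 minutes"
        rc=1
    fi
    if [ "$(apf_get_value "$1" USE_DS)" != "1" ]; then
        echo "NOTE: USE_DS is 0, the DShield block list is not in use"
    fi
    if ! apf_has_port "$(apf_get_value "$1" IG_TCP_CPORTS)" "$2"; then
        echo "WARN: TCP port $2 is not in IG_TCP_CPORTS, remote admin would be cut off"
        rc=1
    fi
    return $rc
}

# Constructed sample fragment of a conf.apf (not a real server's config)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
DEVM="1"
USE_DS="1"
IG_TCP_CPORTS="80,443"
EG_TCP_CPORTS="21,25,80,443"
EOF

# Assumes remote administration over SSH on TCP 22
if apf_check "$SAMPLE" 22; then
    echo "config looks safe to restart with"
else
    echo "fix the warnings above before running apf -r"
fi
```

Point it at the real file with `apf_check /etc/apf/conf.apf 22` once you've edited it; a clean run is your cue to set DEVM="0" and restart.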