Web Hosting Talk

APF FireWall Installation [Easy]


Cirtex
01-17-2004, 11:49 PM
Hi,

This is a pretty simple How-to for installing APF Firewall.

1) Install:
wget http://www.rfxnetworks.com/downloads/apf-current.rpm
rpm -Uvh apf-current.rpm

2) Edit:
/etc/apf/conf.apf

DEVM="0" - set to 0 only if you are sure that the firewall works well

(Common Cpanel Ports, please re-configure for your use)
TCP_CPORTS="21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,7786" (in one line!)

UDP_CPORTS="37,53,873"

There are many other options you can enable inside the config. Please take time to configure.

3) Restart APF


To Enable Pings:

pico -w /etc/apf/icmp.rules
Uncomment:

# Uncomment to enable pings
# $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit $ICMP_LIM/s -j ACCEPT
Then restart APF

------------------------------
commands:
/etc/rc.d/init.d/apf stop
/etc/rc.d/init.d/apf start
/etc/rc.d/init.d/apf restart

Thanks to EV1 Forum for much info on this.
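
A small helper for the config step above, added here as an example and not part of the original post or of APF itself: it rewrites a KEY="value" line in a scratch copy of conf.apf, validates the port list (the TCP_CPORTS line above has a stray leading space, which this rejects), and refuses to report "ok" for switching DEVM off until the SSH port is present in TCP_CPORTS, since development mode's periodic flush is the only thing that undoes a rule set that locks you out. The mktemp scratch copy, the sample values and the real config path are assumptions; the keys are the ones named in this thread.

```shell
#!/bin/sh
# Added example (not APF's own code): edit a copy of conf.apf safely and
# sanity-check the port lists before turning DEVM off. Keys used here are the
# ones discussed in the thread; the file path is an assumption.

# apf_set_key FILE KEY VALUE: rewrite KEY="..." in place, or append it when the
# key is missing (older builds lack keys such as MONOKERN). A .bak copy is kept.
apf_set_key() {
    file=$1; key=$2; value=$3
    cp "$file" "$file.bak"
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file.bak" > "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# apf_get_key FILE KEY: print the value of KEY with surrounding quotes removed
apf_get_key() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# apf_check_ports LIST: succeed only for a comma-separated list of port numbers
# in 1..65535 with no spaces (a stray space is rejected, not passed on).
apf_check_ports() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(,[0-9]+)*$' || return 1
    old_ifs=$IFS; IFS=','
    for p in $1; do
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
}

# apf_port_listed LIST PORT: succeed if PORT is one of the entries in LIST
apf_port_listed() {
    printf ',%s,' "$1" | grep -q ",$2,"
}

# apf_devm_off_check FILE SSHPORT: print "ok" only when TCP_CPORTS parses and
# contains the SSH port. Until then leave DEVM="1": its periodic flush is the
# safety net that lets you back in after a bad rule set.
apf_devm_off_check() {
    ports=$(apf_get_key "$1" TCP_CPORTS)
    apf_check_ports "$ports" || { echo "bad TCP_CPORTS: '$ports'"; return 1; }
    apf_port_listed "$ports" "$2" || { echo "ssh port $2 not in TCP_CPORTS"; return 1; }
    echo ok
}

# Constructed sample standing in for /etc/apf/conf.apf (a scratch copy, so
# nothing here touches a real firewall config).
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
DEVM="1"
TCP_CPORTS=" 21,22,25,80"
UDP_CPORTS="37,53,873"
EOF

apf_devm_off_check "$CONF" 22 || echo "leaving DEVM=1 for now"   # leading space rejected
apf_set_key "$CONF" TCP_CPORTS "21,22,25,80,443"
apf_set_key "$CONF" MONOKERN 1                                   # appended: key was absent
apf_devm_off_check "$CONF" 22 && apf_set_key "$CONF" DEVM 0
cat "$CONF"
```

Point CONF at a copy of the real file, run the check, and only copy the result back (and restart APF) once it prints "ok"; the same apf_set_key call handles any other key in the file, such as the MONOKERN and VF_UTIME settings mentioned later in this thread.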

Akash
01-18-2004, 02:02 PM
Thanks for the How-To!

Hopefully someone can follow this up with a detailed tutorial on how to configure APF

Haze
01-19-2004, 01:54 AM
3 things:

1. I believe Ryan (the APF author) has recommended against the RPM, and it may be outdated.

2. Why reboot?

3. This how-to seems to be fairly outdated compared to the most recent APF versions.

Edit: I should also note for future readers that the above seems to be targeted towards cPanel/WHM systems.

Cirtex
01-19-2004, 10:16 AM
Originally posted by Haze
3 things:

1. I believe Ryan (the APF author) has recommended against the RPM, and it may be outdated.

2. Why reboot?

3. This how-to seems to be fairly outdated compared to the most recent APF versions.

Edit: I should also note for future readers that the above seems to be targeted towards cPanel/WHM systems.

Sorry, I meant restart APF, not reboot.
It would be great if you could contribute a How-To for APF (no RPM).
Also, these aren't targeted only towards cPanel systems.

Cheers.

kris1351
01-19-2004, 11:46 AM
The documentation for APF is very clear and it is a very simple install. Basically untar it and run ./install.sh. The version outlined above is an old one as the port defining sections have changed in 0.9.3. In Ryan's forums there are sections of what he leaves open for different panels.

Cirtex
01-19-2004, 06:50 PM
Hi,

OK, anyway, here's how to install without using the RPM; this is a newer version of APF.

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

tar -xzf apf-current.tar.gz

cd apf-0.9.3_3
./install.sh

You're set :cool:
Remember to edit the config etc. and read the README.

rfxn
01-22-2004, 03:45 PM
http://www.webhostgear.com/61.html

Cirtex
01-22-2004, 05:06 PM
Originally posted by rfxn
http://www.webhostgear.com/61.html

Yeah, just saw that one posted on Burst's forum; pretty good how-to as well :)

mikeym
02-04-2004, 01:39 AM
lsmod: QM_MODULES: Function not implemented

Unable to load iptables module (ip_tables), aborting.

Any ideas?

mikeym
02-05-2004, 08:10 PM
Nevermind, I got it running. :)

blackmoont
02-07-2004, 04:13 AM
And how do I remove APF? I've installed an RPM (an old one); how do I remove it to install a new one?

Cirtex
02-07-2004, 11:22 PM
Try rpm -e apf

SynHost
02-27-2004, 07:08 PM
Originally posted by 93.3
lsmod: QM_MODULES: Function not implemented

Unable to load iptables module (ip_tables), aborting.

Any ideas?

If your kernel is compiled with iptables statically instead of as a module, you need to edit this in conf.apf: MONOKERN="0". Set it to "1" and then try to start APF again.

Cirtex
02-27-2004, 07:47 PM
Originally posted by SynHost
If your kernel is compiled with iptables statically instead of as a module, you need to edit this in conf.apf: MONOKERN="0". Set it to "1" and then try to start APF again.

Yep, that should take care of it. Older versions, though, don't have this option.

lexis2004
03-09-2004, 01:19 AM
I am only getting the following error: lsmod: QM_MODULES: Function not implemented. Will making the same change to the config file work as well?

Thanks, Kevin

tsook
03-14-2004, 07:34 AM
@ 93.3

How did you solve that problem?

lsmod: QM_MODULES: Function not implemented

Unable to load iptables module (ip_tables), aborting.

wheimeng
03-16-2004, 04:51 AM
root@paragon [/etc/apf]# ./apf -s
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

Any idea what that means?

grace5
03-16-2004, 08:25 AM
Could you please post how to block IPs using this firewall?
I have tried, and it is flushed in a few minutes. I am using these commands and have tried stopping and restarting APF:

iptables -A INPUT -s 3x.144.19x.32 -j DROP

iptables -A INPUT -s 3x.144.19x.32 -j REJECT

Apocalypse
03-25-2004, 10:54 AM
Also, please add outbound port 2089 for cPanel license checking if you enable outbound filtering, or you will get a License Expired error in 2 weeks.

stftk
03-27-2004, 04:55 AM
grace5 - add the IPs to the deny_hosts.rules file.

NightMan
08-10-2004, 08:32 AM
To Enable Pings:

pico -w /etc/apf/icmp.rules
Uncomment:

# Uncomment to enable pings
# $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit $ICMP_LIM/s -j ACCEPT
Then restart APF

The latest version has no icmp.rules file. So where can I enable pings?

AcuNett
08-10-2004, 06:52 PM
I believe Ping should be enabled by default.

BitOMagic
08-12-2004, 12:31 AM
Pings are disabled by default.

sprintserve
08-12-2004, 07:56 AM
Anyone got it to work on a VPS? Tested on both UML and Virtuozzo without success.

NightMan
08-12-2004, 08:52 PM
Yes. Pings are enabled by default.

Tapan
07-25-2005, 02:15 PM
Hi,

I installed it and then came to know that I can't have this on a VPS. Please tell me how to uninstall it? I tried rpm -e apf but it did not work.

Thanks.

KenThomp
07-29-2005, 03:19 PM
Originally posted by Tapan
Hi,

I installed it and then came to know that I can't have this on a VPS. Please tell me how to uninstall it? I tried rpm -e apf but it did not work.

Thanks.

rpm -qa | grep -i apf (look for the RPM)

Once you find the RPM:

rpm -e <name>

Done. If you can't find it, PM me and I'll help you.

ownagesbot
07-30-2005, 04:18 PM
IG_TCP_CPORTS: is that the one I should change ports in?

jmansoor
09-07-2005, 09:14 AM
Hi!

I have installed APF on cPanel. The current settings open all the known ports and allow connections from all IPs.

What I want:

I want port 80 to be open to the whole world,

and all the other ports available only to the local 192.168.0.* range and certain other IPs.

What changes should I make?

rfxn
09-27-2005, 06:43 PM
Originally posted by tsook
@ 93.3

How did you solve that problem?

lsmod: QM_MODULES: Function not implemented

Unable to load iptables module (ip_tables), aborting.

Enable the MONOKERN option in conf.apf.

OneBinary
03-30-2006, 01:39 PM
Does anybody have a tutorial on installing APF under Debian?

When I ran the installer, it gave an error message about /etc/rc.d not existing.

Also when I run /usr/local/sbin/apf -s I do not see a process running that would correlate, which seems to indicate to me that it's not running?

And I do not see an init script in /etc/init.d/ as the documentation says there should be.

Any ideas?

Necroist
05-02-2006, 07:05 AM
Does anyone know what's the deal with the ./firewall executable in /etc/apf ?

linux-tech
05-03-2006, 01:26 AM
Does anyone know what's the deal with the ./firewall executable in /etc/apf ?
It's not an exe, it's a standard shell script, which is made +x.
The file is the handler for most of the firewall rules out there. It defines what ports are open, what are closed, and it's called on startup. Don't play in here unless you know what you're doing :)

Energizer Bunny
05-03-2006, 08:52 PM
Does anybody have a tutorial on installing APF under Debian?

When I ran the installer, it gave an error message about /etc/rc.d not existing.

Also when I run /usr/local/sbin/apf -s I do not see a process running that would correlate, which seems to indicate to me that it's not running?

And I do not see an init script in /etc/init.d/ as the documentation says there should be.

Any ideas?


Type iptables -L and look at the list of rules; if it's blank then it's not running.

Just to make sure you understand what "blank" means, type /usr/local/sbin/apf -f and then type iptables -L.

And then type /usr/local/sbin/apf -s and again type iptables -L.

If both outputs are the same, it's not running; if the outputs are different, it's running.

And do not use the rules as defined by Hoob, as you will end up blocking yourself out of SSH.

If you want to be able to access SSH, in the UDP port list use 22 instead of 37, because it seems like he is using 37 for the SSH port.

cheers


Hi,


UDP_CPORTS="37,53,873"

Many other options in which you can enable inside the config. Please take time to configure.
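
Putting the "compare the two listings" check above into a script, as an added example that is not from the post or from APF: it summarises an `iptables -L -n` dump per chain with its policy and rule count, so "blank" versus "loaded" becomes a number a monitoring job can alert on instead of something to eyeball. The two dumps are constructed samples in iptables' listing format, not output captured from a real APF host.

```shell
#!/bin/sh
# Added example (not from the thread): reduce an `iptables -L -n` dump to one
# "CHAIN POLICY RULECOUNT" line per chain. Feed the real thing with:
#   iptables -L -n | iptables_summary

iptables_summary() {
    awk '
        /^Chain / {
            if (chain != "") print chain, policy, n
            chain = $2; policy = "-"; n = 0
            if (match($0, /policy [A-Z]+/)) policy = substr($0, RSTART + 7, RLENGTH - 7)
            next
        }
        /^target +prot/ { next }          # column header printed under each chain
        /^[ \t]*$/ { next }               # blank separator line between chains
        { n++ }                           # anything else is a rule
        END { if (chain != "") print chain, policy, n }
    '
}

# rules_loaded: succeed if any chain in the dump on stdin holds at least one rule
rules_loaded() {
    iptables_summary | awk '$3 > 0 { found = 1 } END { exit !found }'
}

# Constructed sample of what `apf -f` leaves behind: empty built-in chains with
# policy ACCEPT, i.e. no firewall at all.
FLUSHED='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# Constructed sample of a loaded rule set (shape only; the chains APF actually
# builds, their policies and counts differ).
LOADED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       all  --  198.51.100.7         0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
'

printf '%s' "$FLUSHED" | iptables_summary
printf '%s' "$LOADED"  | iptables_summary
printf '%s' "$LOADED"  | rules_loaded && echo "firewall rules are loaded"
```

Run it once after `apf -f` and once after `apf -s`: if the counts are all zero both times, nothing was loaded, which is exactly the "both outputs are the same" case described in the post.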

gspai
05-15-2006, 06:29 PM
I recently installed APF/BFD on our Linux boxes. The installation went through very well without any issues. The website and other services on the servers were also functioning very well.

However, at 2:00 AM the following day, I got an alert that the website was down and I tried to SSH to the server. Unfortunately the server did not allow me to. I realised that I was completely locked out and I had the datacenter personnel log on at the console and uninstall BFD and reboot the server. After the server reboot I was able to SSH to the server. I removed apf from chkconfig and rebooted the server again. Everything looked good until 2:00 AM the next day. Again the website was down and the server became inaccessible. Again I had the datacenter personnel restart the server and everything was back to normal.

Later I realised that there was a cron job, fw (I guess it was running at 2:00 AM). After removing the cron job everything is working normally, but I am still getting SSH brute force attacks.

Could anyone help me to implement APF/BFD on my Linux boxes? I am not sure where I am going wrong in configuring the firewall.

I appreciate your help

thanks

gspai

albano
07-27-2006, 08:44 PM
I am getting this when trying to run APF:

[root@ip- apf]# ./apf -s
eth0: error fetching interface information: Device not found
eth0: error fetching interface information: Device not found
eth0: error fetching interface information: Device not found
Development mode enabled!; firewall will flush every 5 minutes.
Opening /proc/modules: No such file or directory
Unable to load iptables module (ip_tables), aborting.

How to fix it?

WindyT
08-03-2006, 01:35 PM
I've been running APF 0.92 after installing it normally. My server is located in a server farm about 40 miles from me.

All went well for months, but then I rebooted the machine. Mistake.
It wouldn't come up.

I had to visit my machine in person and boot it up interactively, saying "NO" to have APF activated on the boot up.

That was the trick, and the machine then booted normally.

So, how do I change the config so as to either not include APF on the bootup or otherwise whitelist my own server farm port/ip/whatever issues so the machine boots up remotely???

(I think I can remember enough of the config to make sure it's not in the bootup sequence, but I'll have to read on that.)

But the issue of not being able to boot up cold with APF in the sequence bugs me, because at the moment that means I can't reboot with APF installed.

Any help?

Chris_M
08-04-2006, 08:00 PM
Look for the line VF_UTIME="0" and change that to, say, 60 seconds or so, and it should be fine. This option tells APF not to start until the server has been up for a set amount of time. If you still have problems after changing it, increase the time and try again. Hope this helps.

WindyT
08-05-2006, 05:47 PM
Look for the line VF_UTIME="0" and change that to, say, 60 seconds or so, and it should be fine. This option tells APF not to start until the server has been up for a set amount of time. If you still have problems after changing it, increase the time and try again. Hope this helps.
Aha! Thank you! I'll try that... although it may be a while before I'm close enough to the server to make sure it'll boot if things go wrong!

Appreciate that tip!