  1. #1
    Join Date
    Mar 2003
    Location
    New York City
    Posts
    7,391

    Lightbulb APF FireWall Installation [Easy]

    Hi,

    This is a pretty simple How-to for installing APF Firewall.

    1) Install:
    wget http://www.rfxnetworks.com/downloads/apf-current.rpm
    rpm -Uvh apf-current.rpm

    2) Edit:
    /etc/apf/conf.apf

    DEVM="0" - set to 0 only if you are sure that the firewall works well

    (Common Cpanel Ports, please re-configure for your use)
    TCP_CPORTS=" 21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,7786" (in one line!)

    UDP_CPORTS="37,53,873"

    There are many other options you can enable inside the config. Please take time to configure.

    3) Restart APF


    To Enable Pings:

    pico -w /etc/apf/icmp.rules
    Uncomment:

    # Uncomment to enable pings
    # $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit $ICMP_LIM/s -j ACCEPT
    Then restart APF

    ------------------------------
    commands:
    /etc/rc.d/init.d/apf stop
    /etc/rc.d/init.d/apf start
    /etc/rc.d/init.d/apf restart

    Thanks to EV1 Forum for much info on this.
    Last edited by eBoundary; 01-19-2004 at 10:18 AM.
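
    A pre-flight check for the conf.apf edits above, added here as an example; it is not part of the original post or of APF, and its function names are its own. It parses a conf.apf, confirms the SSH port is in TCP_CPORTS so the restart in step 3 cannot lock you out, warns while DEVM is still "1" (APF flushes its rules every 5 minutes in that mode), and rejects malformed port entries. The config it runs against is constructed inline.

```shell
#!/bin/sh
# Added example (not part of the original post or of APF): pre-flight check for
# /etc/apf/conf.apf before running "apf restart". Function names are this
# example's own; the config it checks is constructed inline.

# conf_get FILE KEY -> prints the value of KEY="value" (last definition wins)
conf_get() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# squeeze PORTLIST -> the list with all whitespace removed
# (conf.apf wants the list on one line, with no spaces)
squeeze() {
    printf '%s' "$1" | tr -d '[:space:]'
}

# port_listed PORTLIST PORT -> success if PORT appears as its own entry
port_listed() {
    printf ',%s,' "$(squeeze "$1")" | grep -q ",$2,"
}

# ports_valid PORTLIST -> success if every entry is a port 1-65535 or an
# APF-style range LOW_HIGH (e.g. 30000_35000); an empty list is valid
ports_valid() {
    list=$(squeeze "$1")
    case $list in *[!0-9,_]*) return 1 ;; esac
    old_ifs=$IFS; IFS=,; set -- $list; IFS=$old_ifs
    for p in "$@"; do
        case $p in
            *_*) lo=${p%_*}; hi=${p#*_} ;;
            *)   lo=$p; hi=$p ;;
        esac
        case $lo in ''|*[!0-9]*) return 1 ;; esac
        case $hi in ''|*[!0-9]*) return 1 ;; esac
        [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
    done
    return 0
}

# apf_audit CONF [SSH_PORT] -> prints findings; succeeds only when it is safe
# to restart APF from a remote SSH session
apf_audit() {
    conf=$1; ssh_port=${2:-22}; rc=0
    devm=$(conf_get "$conf" DEVM)
    tcp=$(conf_get "$conf" TCP_CPORTS)
    udp=$(conf_get "$conf" UDP_CPORTS)
    if [ "$devm" != "0" ]; then
        echo "WARN: DEVM=\"$devm\": APF flushes its rules every 5 minutes; set DEVM=\"0\" once the rules are confirmed"
        rc=1
    fi
    ports_valid "$tcp" || { echo "FAIL: malformed entry in TCP_CPORTS: $tcp"; rc=1; }
    ports_valid "$udp" || { echo "FAIL: malformed entry in UDP_CPORTS: $udp"; rc=1; }
    if ! port_listed "$tcp" "$ssh_port"; then
        echo "FAIL: SSH port $ssh_port is not in TCP_CPORTS; restarting would lock you out"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: SSH port $ssh_port open and DEVM off; safe to restart APF"
    return "$rc"
}

# make_conf DEVM TCP_CPORTS UDP_CPORTS -> writes a constructed conf.apf
# fragment to a temp file and prints its path
make_conf() {
    f=$(mktemp) || return 1
    printf 'DEVM="%s"\nIFACE_IN="eth0"\nTCP_CPORTS="%s"\nUDP_CPORTS="%s"\n' "$1" "$2" "$3" > "$f"
    echo "$f"
}

# Demo: the port lists from the post, with DEVM still at its install-time "1"
demo=$(make_conf 1 " 21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,7786" "37,53,873")
if apf_audit "$demo" 22; then echo "ready"; else echo "fix conf.apf before restarting"; fi
rm -f "$demo"
```

    Point apf_audit at /etc/apf/conf.apf with your SSH port as the second argument and gate the restart on its exit status; on the demo config it warns about DEVM and refuses.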

  2. #2
    Join Date
    Jan 2001
    Location
    Illinois, USA
    Posts
    7,147
    Thanks for the How-To!

    Hopefully someone can follow this up with a detailed tutorial on how to configure APF

    Last edited by choon; 02-17-2004 at 03:29 PM.

  3. #3
    Join Date
    Apr 2001
    Posts
    2,588
    3 things,

    1. I believe Ryan ( APF Author ) has recommended against the rpm.. and it may be outdated.

    2. Why reboot?

    3. This how-to seems to be fairly outdated, compared to the most recent APF versions.

    Edit: I should also note for future readers that the above seems to be targeted towards cpanel / whm systems.

    Last edited by choon; 02-09-2004 at 09:16 PM.

  4. #4
    Join Date
    Mar 2003
    Location
    New York City
    Posts
    7,391
    Originally posted by Haze
    3 things,

    1. I believe Ryan ( APF Author ) has recommended against the rpm.. and it may be outdated.

    2. Why reboot?

    3. This how-to seems to be fairly outdated, compared to the most recent APF versions.

    Edit: I should also note for future readers that the above seems to be targeted towards cpanel / whm systems.
    Sorry, I meant by restart apf, not reboot..
    It be great if you can contribute a How-To for APF. (No RPM)
    Also, these arent targeted towards only cpanel systems.

    Cheers.

    Last edited by choon; 02-09-2004 at 09:16 PM.

  5. #5
    Join Date
    May 2003
    Posts
    1,664
    The documentation for APF is very clear and it is a very simple install. Basically untar it and run ./install.sh. The version outlined above is an old one as the port defining sections have changed in 0.9.3. In Ryan's forums there are sections of what he leaves open for different panels.

    Last edited by choon; 02-09-2004 at 09:17 PM.

  6. #6
    Join Date
    Mar 2003
    Location
    New York City
    Posts
    7,391
    Hi,

    Ok anyways, here's installing without using RPM, this is a newer version of APF.


    wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

    tar -xzf apf-current.tar.gz

    cd apf-0.9.3_3
    ./install.sh

    You're set.
    Remember to edit config etc..and read the README.

    Last edited by choon; 02-09-2004 at 09:17 PM.

  7. #7
    Join Date
    Apr 2002
    Location
    Troy, MI
    Posts
    309
    http://www.webhostgear.com/61.html

    Last edited by choon; 02-09-2004 at 09:18 PM.

  8. #8
    Join Date
    Mar 2003
    Location
    New York City
    Posts
    7,391
    Originally posted by rfxn
    http://www.webhostgear.com/61.html
    Yea just saw that one posted on burst's forum, pretty good how-to as well

    Last edited by choon; 02-09-2004 at 09:18 PM.

  9. #9
    Join Date
    Dec 2003
    Location
    Canada
    Posts
    791
    lsmod: QM_MODULES: Function not implemented

    Unable to load iptables module (ip_tables), aborting.

    Any ideas?

    Last edited by choon; 02-09-2004 at 09:18 PM.

  10. #10
    Join Date
    Dec 2003
    Location
    Canada
    Posts
    791
    Nevermind, I got it running.

    Last edited by choon; 02-09-2004 at 09:19 PM.

  11. #11
    And how do I remove APF? I've installed an RPM (an old one); how do I remove it to install a new one?

  12. #12
    Join Date
    Mar 2003
    Location
    New York City
    Posts
    7,391
    Try rpm -e apf

    Last edited by choon; 02-09-2004 at 09:19 PM.

  13. #13
    Join Date
    Jun 2002
    Posts
    233
    Originally posted by 93.3
    lsmod: QM_MODULES: Function not implemented

    Unable to load iptables module (ip_tables), aborting.

    Any ideas?

    If your kernel is compiled with iptables statically instead of as a module, you need to change MONOKERN="0" in conf.apf: set it to "1" and then try starting APF again.

  14. #14
    Join Date
    Mar 2003
    Location
    New York City
    Posts
    7,391
    Originally posted by SynHost
    If your kernel is compiled with iptables statically instead of as a module you need to do this in the conf.apf MONOKERN="0" Set it to "1" and then try start APF again.
    Yep, that should take care of it. Older version though don't have this option.

  15. #15

    lsmod: QM_MODULES: Function not implemented

    I am only getting the following error: lsmod: QM_MODULES: Function not implemented. Will making the same change to the config file work as well?

    Thanks, Kevin

  16. #16
    @ 93.3

    How did you solve that problem?

    *
    lsmod: QM_MODULES: Function not implemented

    Unable to load iptables module (ip_tables), aborting.
    *

  17. #17
    Join Date
    Feb 2003
    Location
    Kuala Lumpur, Malaysia
    Posts
    4,974
    [email protected] [/etc/apf]# ./apf -s
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name

    Any idea what does that mean?

    Last edited by choon; 03-29-2004 at 07:37 PM.

  18. #18
    could you please post how to block Ips using this firewall.
    I have tried, but it is flushed within a few minutes. I am using these commands and have tried stopping and restarting APF:

    iptables -A INPUT -s 3x.144.19x.32 -j DROP

    iptables -A INPUT -s 3x.144.19x.32 -j REJECT

    Last edited by choon; 03-29-2004 at 07:37 PM.

  19. #19
    Join Date
    Nov 2001
    Posts
    79
    Also please add outbound port 2089 for cPanel license checking if you enable outbound filtering, or you will get a License Expired error in 2 weeks.

    Last edited by choon; 03-29-2004 at 07:37 PM.

  20. #20
    Join Date
    May 2003
    Posts
    472
    grace5 - add the IP's to the deny_hosts.rules file.

    Last edited by choon; 03-29-2004 at 07:37 PM.

  21. #21
    Join Date
    Mar 2002
    Posts
    189

    Re: APF FireWall Installation [Easy]

    To Enable Pings:

    pico -w /etc/apf/icmp.rules
    Uncomment:

    # Uncomment to enable pings
    # $IPT -t filter -A INPUT -p icmp --icmp-type 8 -m limit --limit $ICMP_LIM/s -j ACCEPT
    Then restart APF

    The latest version has no icmp.rules file. So where can I enable pings?

  22. #22
    Join Date
    Dec 2001
    Location
    Franklin, TN, USA
    Posts
    1,322
    I believe Ping should be enabled by default.

  23. #23
    Pings are disabled by default.

  24. #24
    Anyone got it to work on a VPS? Tested on both UML and Virtuozzo without success.

  25. #25
    Join Date
    Mar 2002
    Posts
    189
    yes. Pings are enabled by default.

  26. #26
    Join Date
    Dec 2004
    Location
    India, USA
    Posts
    363
    Hi,

    I installed it and then came to know that I can't have this on a VPS. Please tell me how to uninstall it? I tried rpm -e apf but it did not work.

    Thanks.

  27. #27
    Join Date
    Jul 2005
    Location
    Beverly Hills, CA.
    Posts
    242
    Originally posted by Tapan
    Hi,

    I installed it and then came to know that I can't have this on a VPS. Please tell me how to uninstall it? I tried rpm -e apf but it did not work.

    Thanks.
    rpm -qa | grep -i apf (look for the RPM)

    once you find the rpm

    rpm -e <name>

    Done. If you cant find it, PM me and ill help you.

  28. #28
    IG_TCP_CPORTS is that the one i should change ports in?

  29. #29
    Join Date
    Aug 2004
    Posts
    54
    Hi!

    I have installed APF on cPanel. The current settings open all the known ports and allow connections from all IPs.


    what i want,

    i want to allow port 80 to be open for whole world


    and all the other ports available for only local 192.168.0.* and certain other ips.

    what changes should i do ?

  30. #30
    Join Date
    Apr 2002
    Location
    Troy, MI
    Posts
    309
    Originally posted by tsook
    @ 93.3

    How did you solve that problem?

    *
    lsmod: QM_MODULES: Function not implemented

    Unable to load iptables module (ip_tables), aborting.
    *
    enable mono kern option in conf.apf

  31. #31
    Does anybody have a tutorial on installing APF under Debian?

    When I ran the installer, it gave an error message about /etc/rc.d not existing.

    Also when I run /usr/local/sbin/apf -s I do not see a process running that would correlate, which seems to indicate to me that it's not running?

    And I do not see an init script in /etc/init.d/ as the documentation says there should be.

    Any ideas?

  32. #32
    Does anyone know what's the deal with the ./firewall executable in /etc/apf ?

  33. #33
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,526
    Quote Originally Posted by Necroist
    Does anyone know what's the deal with the ./firewall executable in /etc/apf ?
    It's not an exe, it's a standard shell script, which is made +x
    The file is the handler for most of the firewall rules out there. It defines what ports are open, what are closed, and it's called on startup. Don't play in here unless you know what you're doing

  34. #34
    Join Date
    Sep 2005
    Location
    In canada
    Posts
    3,213
    Quote Originally Posted by OneBinary
    Does anybody have a tutorial on installing APF under Debian?

    When I ran the installer, it gave an error message about /etc/rc.d not existing.

    Also when I run /usr/local/sbin/apf -s I do not see a process running that would correlate, which seems to indicate to me that it's not running?

    And I do not see an init script in /etc/init.d/ as the documentation says their should be.

    Any ideas?

    Type iptables -L and look at the list of rules; if it's blank, then it's not running.

    Just to make sure you understand what I mean by blank: type /usr/local/sbin/apf -f and then type iptables -L.

    And then type /usr/local/sbin/apf -s and again type iptables -L.

    If both outputs are the same, that means it's not running, but if the outputs are different, it's running.

    And do not use the rules as defined by Hoob, as you will end up blocking yourself out of SSH.

    If you want to be able to access SSH, in the UDP port list use 22 instead of 37, because it seems like he is using 37 for the SSH port.

    cheers


    Quote Originally Posted by Hoobastank68
    Hi,


    UDP_CPORTS="37,53,873"

    Many other options in which you can enable inside the config. Please take time to configure.
    Last edited by Energizer Bunny; 05-03-2006 at 08:55 PM.
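
    Energizer Bunny's before-and-after comparison is the right instinct. The script below turns it into a repeatable check; it is an added example, not from the thread and not APF code, and its function names are its own. It reads `iptables -L -n` output, counts the live rules, and confirms that INPUT has an ACCEPT for your SSH port that is not shadowed by an earlier catch-all DROP, which is the check to run before you close the session that started APF. It runs here against constructed captures embedded in the script; on a live host pipe iptables -L -n into the same functions.

```shell
#!/bin/sh
# Added example (not from the thread, not APF code): read "iptables -L -n"
# output, count the live rules, and confirm INPUT will still accept your SSH
# port before you trust a fresh ruleset from a remote session.
# Only the top-level INPUT chain is inspected; jumps into user-defined chains
# are not followed. Function names are this example's own.

# chain_rules CHAIN  (stdin: iptables -L -n)  -> the rule lines of CHAIN only
chain_rules() {
    awk -v want="$1" '
        /^Chain /        { cur = $2; next }   # "Chain INPUT (policy DROP)"
        /^target +prot/  { next }             # column header
        NF == 0          { next }             # blank separator
        cur == want      { print }
    '
}

# rule_count  (stdin: iptables -L -n)  -> number of rules across all chains
rule_count() {
    awk '/^Chain /{next} /^target +prot/{next} NF == 0{next} {n++} END{print n+0}'
}

# ssh_reachable PORT [FROM]  (stdin: iptables -L -n)
# success if INPUT has an ACCEPT for tcp dpt:PORT from anywhere (or from FROM)
# that is not shadowed by an earlier catch-all DROP/REJECT (first match wins)
ssh_reachable() {
    chain_rules INPUT | awk -v port="$1" -v from="${2:-}" '
        $1 == "ACCEPT" && $2 == "tcp" && ($4 == "0.0.0.0/0" || $4 == from) && $0 ~ ("dpt:" port "( |$)") { found = 1; exit }
        ($1 == "DROP" || $1 == "REJECT") && ($2 == "all" || $2 == "tcp") && ($4 == "0.0.0.0/0" || $4 == from) && ($0 !~ /dpt:/ || $0 ~ ("dpt:" port "( |$)")) { shadow = 1; exit }
        END { if (found && !shadow) exit 0; exit 1 }
    '
}

# Constructed captures standing in for "iptables -L -n" after apf -s / apf -f
sample_live() {
cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
DROP       all  --  203.0.113.45         0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

sample_flushed() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# A misordered ruleset: the catch-all DROP sits above the SSH ACCEPT
sample_shadowed() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
EOF
}

echo "rules after apf -f: $(sample_flushed | rule_count)"
echo "rules after apf -s: $(sample_live | rule_count)"
if sample_live | ssh_reachable 22; then
    echo "INPUT accepts tcp/22: safe to close this session"
else
    echo "no usable ACCEPT for tcp/22 in INPUT: keep this session open"
fi
```

    The check reads only the top-level INPUT chain and does not follow jumps into user-defined chains, so treat a pass as necessary rather than sufficient, and keep a second session open the first time you restart.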

  35. #35

    * Problems with APF / BFD

    I recently installed APF/BFD on our Linux boxes. The installation went through very well without any issues. The website and other services on the servers were also functioning very well.

    However, at 2:00 AM the following day, I got an alert that the website was down and I tried to SSH to the server. Unfortunately the server did not allow me that. I realised that I was completely locked out and I had the datacenter personnel log on at the console, uninstall BFD and reboot the server. After the server reboot I was able to SSH to the server. I removed apf from chkconfig and rebooted the server again. Everything looked good until 2:00 AM the next day. Again the website was down and the server became inaccessible. Again I had the datacenter personnel restart the server and everything came back up normally.

    Later I realised that there was a cron job, fw (I guess it was running at 2:00 AM). After removing the cron job everything is working normally, but I am still having SSH brute force attacks.

    Could anyone help me to implement APF/BFD on my linux boxes? I am not sure where I am going wrong in configuring the firewall.

    I appreciate your help

    thanks

    gspai

  36. #36
    Join Date
    Nov 2005
    Posts
    76
    I am getting this when trying to run APF:

    [root@ip- apf]# ./apf -s
    eth0: error fetching interface information: Device not found
    eth0: error fetching interface information: Device not found
    eth0: error fetching interface information: Device not found
    Development mode enabled!; firewall will flush every 5 minutes.
    Opening /proc/modules: No such file or directory
    Unable to load iptables module (ip_tables), aborting.

    How to fix it?

  37. #37
    I've been running APF 0.92 after installing it normally. My server is located in a server farm about 40 miles from me.

    All went well for months, but then I rebooted the machine. Mistake.
    It wouldn't come up.

    I had to visit my machine in person and boot it up interactively, saying "NO" to have APF activated on the boot up.

    That was the trick, and the machine then booted normally.

    So, how do I change the config so as to either not include APF on the bootup or otherwise whitelist my own server farm port/ip/whatever issues so the machine boots up remotely???

    (I think I can remember enough of the config to make sure it's not in the bootup sequence, but I'll have to read on that.)

    But the issue of not being able to boot up cold with APF in the sequence bugs me, because at the moment that means I can't reboot with APF installed.

    Any help?

  38. #38
    Join Date
    Oct 2004
    Location
    Ohio
    Posts
    1,640
    Look for the line VF_UTIME="0" and change that to, say, 60 seconds or so, and it should be fine. This option tells APF not to start until the server has been up for a set amount of time. If you still have problems after changing it, increase the time and try again. Hope this helps.

  39. #39
    Quote Originally Posted by Chris_M
    Look for the line VF_UTIME="0" and change that to, say, 60 seconds or so, and it should be fine. This option tells APF not to start until the server has been up for a set amount of time. If you still have problems after changing it, increase the time and try again. Hope this helps.
    Aha! Thank you! I'll try that... although it may be a while before I'm close enough to the server to make sure it'll boot if things go wrong!

    Appreciate that tip!
