Thu 2 Nov 2006
How to install and configure APF Firewall for cPanel?
Posted by James under Firewall, Server Security, cPanel Issues, technical support
13 easy steps to install APF firewall
1) Login as root to your system
2) Download the APF version 0.9.3.3 (current) to your system
bash# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
3) Now you have to extract the tar file
bash# tar -zxf apf-current.tar.gz
4) Go to the APF directory
bash# cd apf-0.9.3_3
5) Run the installation script
bash# ./install.sh
You will be alerted when the installation is complete.
Install path : /etc/apf
Config path : /etc/apf/conf.apf
Executable path : /usr/local/sbin/apf
6) Modify the APF config file according to your user defined requirements.
bash# vi /etc/apf/conf.apf
(Hit i to enter the INSERT mode)
7) Add the ports you want to open for inbound (INGRESS) traffic.
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
The variables mentioned above are already present in the config file. You can customize the ports.
8) You have to explicitly instruct APF to monitor outgoing (EGRESS) ports as well.
Change the line: EGF="0" to EGF="1"
9) Specify the outbound ports to monitor.
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"
# Common ICMP (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
10) Specify the ports you want to block, if any.
- The allow and deny trust files are located at:
/etc/apf/allow_hosts.rules
/etc/apf/deny_hosts.rules
You just have to list the IPs that you specifically wish to allow or deny in the respective files.
- The format of these files is line-separated addresses; IP masking is supported.
Example:
24.202.16.11
24.202.11.0/24
Save and exit - hit ‘esc’ :wq ‘enter’
11) Start APF
bash# /usr/local/sbin/apf -s
If everything goes as planned, you’ll go back to the command line.
12) If all goes well, edit the config file and change the developer mode to 0
bash# vi /etc/apf/conf.apf
(Hit i to enter insert mode)
Change DEVM="1" to DEVM="0"
Save and quit - Hit ‘esc’ :wq ‘enter’
13) Restart APF
bash# /usr/local/sbin/apf -r
APF is now installed and monitoring your system.
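A pre-flight check for the values edited in steps 7 to 12, as an added example that is not part of the original post or of APF itself: it reads a conf.apf-style file, confirms the port you administer the server over is still listed in IG_TCP_CPORTS, and reports whether EGF and DEVM hold the values the steps call for. The function names, the default admin port (TCP 22) and the sample config are assumptions made for illustration.

```bash
# Added example: audit conf.apf before `apf -s` / `apf -r`.
# IG_TCP_CPORTS, EGF and DEVM are the variables shown in the post; the function
# names, the default admin port (22) and the sample config are assumptions.

# Print the quoted value assigned to KEY in FILE (last assignment wins).
apf_get() {  # usage: apf_get FILE KEY
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Succeed if PORT is an exact entry in the comma-separated LIST.
port_listed() {  # usage: port_listed PORT LIST
    case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# Print findings for FILE; the return status is the number of findings.
apf_audit() {  # usage: apf_audit FILE [ADMIN_PORT]
    conf=$1 admin_port=${2:-22} problems=0
    if ! port_listed "$admin_port" "$(apf_get "$conf" IG_TCP_CPORTS)"; then
        echo "FAIL: TCP $admin_port not in IG_TCP_CPORTS, starting APF may cut off remote admin access"
        problems=$((problems + 1))
    fi
    if [ "$(apf_get "$conf" EGF)" != "1" ]; then
        echo "WARN: EGF is not 1, the EG_* outbound lists are not enforced"
        problems=$((problems + 1))
    fi
    if [ "$(apf_get "$conf" DEVM)" != "0" ]; then
        echo "WARN: DEVM is not 0, APF is still in developer mode (step 12)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: abridged values from steps 7-9, DEVM not yet changed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
DEVM="1"
IG_TCP_CPORTS="20,21,22,25,53,80,443,2082,2083,2086,2087"
EGF="1"
EG_TCP_CPORTS="21,22,25,53,80,443"
EOF
apf_audit "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it as `apf_audit /etc/apf/conf.apf` before step 11 and again before step 13; pass a second argument if SSH listens on a port other than 22.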