APF stands for Advanced Policy Firewall. It is a policy-based firewall system designed to make configuring the firewall (iptables rules) simple and user friendly, much like the firewall management tool CSF.
Configuring iptables by hand is fairly hard without the help of a tool like APF or CSF. [APF Installation steps]
Opening or denying ports (incoming and outgoing) on the server is simple with APF (Advanced Policy Firewall).
It is done by changing values in the APF configuration file, using the following APF directives: [APF Commands]
IG_TCP_CPORTS : Common inbound (ingress) TCP ports
IG_UDP_CPORTS : Common inbound (ingress) UDP ports
EG_TCP_CPORTS : Common outbound (egress) TCP ports
EG_UDP_CPORTS : Common outbound (egress) UDP ports
The configuration file for APF is /etc/apf/conf.apf
To open a specific port, open the configuration file and add the port to the relevant directive listed above.
This should look like:
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
IG_UDP_CPORTS="20,21,53,123"
EG_TCP_CPORTS="21,25,80,443,43"
EG_UDP_CPORTS="20,21,53"
Then restart the APF service:
apf -r
or
/etc/init.d/apf restart
That’s it!
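As an added example that is not part of the original post: a small POSIX shell helper that makes the directive edit above repeatable. It validates the port spec (APF accepts single ports and LOW_HIGH ranges such as 6000_7000), skips ports that are already listed, and takes the conf path as a parameter so the change can be rehearsed on a constructed copy instead of the live /etc/apf/conf.apf. The sample values are the ones shown above; the function names are my own.

```shell
#!/bin/sh
# Added example, not APF's own code: edit *_CPORTS directives safely.

# Print the current value of a directive, without the quotes.
apf_get_ports() {
  sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1"
}

# Accept a single port (22) or a LOW_HIGH range (6000_7000), nothing else.
apf_valid_spec() {
  case $1 in
    ''|*[!0-9_]*|_*|*_|*_*_*) return 1 ;;
    *) return 0 ;;
  esac
}

# Append a port spec to a directive unless it is already listed.
# Idempotent, so it is safe to run from provisioning scripts repeatedly.
apf_add_port() {
  conf=$1; directive=$2; spec=$3
  apf_valid_spec "$spec" || { echo "rejected port spec: $spec" >&2; return 2; }
  grep -q "^$directive=" "$conf" || echo "$directive=\"\"" >> "$conf"
  current=$(apf_get_ports "$conf" "$directive")
  case ",$current," in
    *",$spec,"*) return 0 ;;            # already open, nothing to change
  esac
  if [ -z "$current" ]; then new=$spec; else new="$current,$spec"; fi
  # Rewrite via a temp file so a failed sed never truncates the config.
  sed "s/^$directive=\"[^\"]*\"/$directive=\"$new\"/" "$conf" > "$conf.tmp" \
    && mv "$conf.tmp" "$conf"
}

# Write a constructed conf fragment (values taken from the post above).
make_sample_conf() {
  cat > "$1" <<'EOF'
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
IG_UDP_CPORTS="20,21,53,123"
EG_TCP_CPORTS="21,25,80,443,43"
EG_UDP_CPORTS="20,21,53"
EOF
}

# Rehearsal on a throwaway copy; on the real file you would then run: apf -r
sample=$(mktemp)
make_sample_conf "$sample"
apf_add_port "$sample" IG_TCP_CPORTS 8443
apf_get_ports "$sample" IG_TCP_CPORTS   # 21,22,25,53,80,443,110,143,6000_7000,8443
rm -f "$sample"
```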
Have you ever faced these errors?
eth0: error fetching interface information: Device not found
apf(22341): {glob} status log not found, created
eth0: error fetching interface information: Device not found
This happens because your virtual server's network interface has a different name. Edit the following lines in the APF configuration to fix it:
# Untrusted Network interface(s); all traffic on defined interface will be subject to
# all firewall rules. This should be your internet exposed interfaces. Only one
# interface is accepted for each value.
IFACE_IN="eth0"
IFACE_OUT="eth0"
Replace "eth0" with "venet0" in both values.
If you then get this error:
apf(arun): {glob} flushing & zeroing chain policies
apf(arun): {glob} firewall offline
apf(arun): {glob} activating firewall
apf(23581): {glob} unable to load iptables module (ip_tables), aborting.
apf(arun): {glob} firewall initalized
Change the value of "SET_MONOKERN" from 0 to 1:
# This allows the firewall to work around modular kernel issues by assuming that the
# system has all required firewall modules compiled directly into kernel. This mode
# of operation is not generally recommended but can be used scale APF to unique situations.
SET_MONOKERN="1"