Security

Use APF to manage your firewall

Vincent Danen shares one option for managing your Linux firewall, the Advanced Policy Firewall (APF). Here are some tips on installation and configuration.

When it comes to managing a firewall on Linux, there are a number of options. You can use GUI tools that come with your distribution (such as system-config-firewall on Fedora); you can use third-party packages such as Shorewall; or you can write iptables rules yourself, usually in a place like /etc/sysconfig/iptables. For those familiar with iptables and its syntax, the latter is indeed an option, but for those without knowledge of iptables, the former two are the more likely choices.

If you run a server, you can use the text-mode equivalent to system-config-firewall (system-config-firewall-tui, again on Fedora) or you can opt for a third-party package that attempts to make management of the firewall easier. For years, I looked to Shorewall as that third party tool and while it makes understanding the firewall rules easier, it doesn't really make the configuration of the firewall any simpler.

Lately I have been enjoying the Advanced Policy Firewall (APF), which is similar to Shorewall in many respects, but is easier to configure.

On Debian you can install APF via apt; the package is named apf-firewall. For most other distributions you may need to install it manually, which isn't difficult. It can be done using:

$ curl -OL http://www.rfxn.com/downloads/apf-current.tar.gz
$ tar xvzf apf-current.tar.gz
$ cd apf-9.7-1
$ sudo ./install.sh

You must run the installation as root because configuration files are placed in /etc/. Once this is done, you will have an initscript to start APF in /etc/init.d/ and the configuration files located in /etc/apf/. The primary configuration file is /etc/apf/conf.apf.

To configure the firewall, edit /etc/apf/conf.apf. A few important variables to set include:

EGF="1"  # enable outbound packet filtering
IFACE_IN="eth0" # inbound interface to filter
IFACE_OUT="eth0" # outbound interface to filter
DEVEL_MODE="1"

The DEVEL_MODE option should only be used during testing. It sets up a cron job that runs every five minutes to disable the firewall, which is useful if you lock yourself out. Once the firewall is working, set DEVEL_MODE="0". Change the IFACE_IN and IFACE_OUT interfaces to suit your system; on a VPS it might be "venet0", for instance.

Next, you will need to define which ports are allowed. You can do this for both TCP and UDP:

IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2077,2078,2082,2083,2086,2087,2095,2096,5666,30000_30100"
IG_UDP_CPORTS="21,53,465,873"

The above might be typical for a cPanel/WHM setup. It allows a number of inbound ports: those necessary for cPanel and WHM, as well as FTP, SSH, SMTP, DNS, HTTP, IMAP(S), POP3(S), and others. Specify port ranges using an underscore delimiter (e.g., "30000_30100" opens ports 30000 through 30100 inclusive). To define permitted outbound ports, use EG_TCP_CPORTS and EG_UDP_CPORTS, which follow the same syntax as the ingress (IG) definitions.
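As an added example (not part of the article or of APF itself), here is a small POSIX shell function that checks an IG_TCP_CPORTS-style list before it goes into /etc/apf/conf.apf. It enforces the syntax the article describes: comma-separated entries, single ports in 1-65535, and ranges written as LOW_HIGH with both ends valid and LOW not above HIGH, so a stray extra zero in a range's upper end is caught before the firewall is started. The function names and the diagnostics are my own.

```shell
#!/bin/sh
# Added example (not APF code): validate an APF-style port list such as
# IG_TCP_CPORTS before committing it to /etc/apf/conf.apf.
# Rules checked: entries are comma-separated; a single port is 1-65535;
# a range uses an underscore (LOW_HIGH) with LOW <= HIGH and both in 1-65535.
# Prints one diagnostic per bad entry and returns 0 only if every entry is valid.

# port_ok N: true if N is a decimal integer in 1..65535
port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

validate_ports() {
    spec=$1
    rc=0
    # Replace commas with spaces so the shell can iterate over the entries.
    for entry in $(printf '%s' "$spec" | tr ',' ' '); do
        case "$entry" in
            *_*)
                low=${entry%%_*}
                high=${entry#*_}
                if ! port_ok "$low" || ! port_ok "$high"; then
                    echo "bad range '$entry': both ends must be 1-65535" >&2
                    rc=1
                elif [ "$low" -gt "$high" ]; then
                    echo "bad range '$entry': low end exceeds high end" >&2
                    rc=1
                fi
                ;;
            *)
                if ! port_ok "$entry"; then
                    echo "bad port '$entry': must be a number 1-65535" >&2
                    rc=1
                fi
                ;;
        esac
    done
    return $rc
}

# Demo: the article's cPanel/WHM list passes; a range with an extra zero
# (301000 is not a valid port) is rejected.
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2077,2078,2082,2083,2086,2087,2095,2096,5666,30000_30100"
validate_ports "$IG_TCP_CPORTS" && echo "IG_TCP_CPORTS ok"
validate_ports "30000_301000" || echo "rejected as expected"
```

Run it against each of IG_TCP_CPORTS, IG_UDP_CPORTS, EG_TCP_CPORTS and EG_UDP_CPORTS before taking DEVEL_MODE off; a malformed entry is far cheaper to find here than by waiting for the five-minute cron job to restore access.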

There are many other entries in the configuration file, and it's worth reading them over and tweaking as necessary. For the most part, the defaults are fine. The one exception is a kernel with iptables compiled in rather than available as a loadable module, which is often the case on a VPS. In that case you will also need to set SET_MONOKERN="1" in the configuration file.

Once this is done, you can use the initscript to start apf, or the apf command itself (typically located in /usr/local/sbin/):

# /etc/init.d/apf start

Use the output of "iptables -L" to judge if the rules are suitable and of course test from a remote computer to ensure that what you want opened is open, and that the rest are closed (nmap is a good way to check for open ports). Also check /var/log/apf_log while you have DEVEL_MODE enabled so you can see what APF is doing.
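As an added example (not from the article and not APF's own tooling), the following shell functions turn the "judge if the rules are suitable" step into a repeatable check: they pull the destination ports out of ACCEPT rules in iptables -L -n output, convert them to APF's port syntax, and report any entry of an IG_*_CPORTS list that no rule opens. The sample rule listing is constructed for the demo; it uses the standard dpt:/dpts: fields that iptables prints, but APF's real chain layout will differ, so in practice feed the functions the live output as shown in the comment at the end.

```shell
#!/bin/sh
# Added example (not APF code): compare the ports APF was told to open
# against what iptables actually lists as accepted.

# Constructed sample of `iptables -L INPUT -n` output for the demo.
# Only the dpt:/dpts: fields matter; a real APF listing has more chains.
SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:30000:30100
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# open_ports PROTO < rules: print the destination ports of ACCEPT rules for
# PROTO (tcp or udp), one per line, in APF syntax: "22" or "30000_30100".
open_ports() {
    awk -v proto="$1" '
        $1 == "ACCEPT" && $2 == proto {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dpt:/)  { sub(/^dpt:/, "", $i); print $i }
                if ($i ~ /^dpts:/) { sub(/^dpts:/, "", $i); sub(/:/, "_", $i); print $i }
            }
        }'
}

# missing_ports PROTO EXPECTED_LIST < rules: print each entry of the
# comma-separated EXPECTED_LIST (IG_TCP_CPORTS style) that no ACCEPT rule
# for PROTO opens. Prints nothing when every entry is covered.
missing_ports() {
    actual=$(open_ports "$1")
    for want in $(printf '%s' "$2" | tr ',' ' '); do
        printf '%s\n' "$actual" | grep -qx "$want" || echo "$want"
    done
}

# Demo: 443 is in the wanted list but absent from the sample rules.
WANT_TCP="22,80,443,30000_30100"
echo "tcp ports not opened by the sample rules:"
printf '%s\n' "$SAMPLE_RULES" | missing_ports tcp "$WANT_TCP"

# On the real machine, run as root while DEVEL_MODE is still on:
#   iptables -L INPUT -n | missing_ports tcp "$IG_TCP_CPORTS"
#   iptables -L INPUT -n | missing_ports udp "$IG_UDP_CPORTS"
```

The comparison is one-directional on purpose: it tells you which intended ports are not open. Ports that are open but not in your list still need the remote nmap check the article recommends, since APF adds rules of its own beyond the IG_*_CPORTS entries.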

APF is straightforward and makes defining a basic firewall easy. There is also a lot of power under the hood: APF can respond dynamically to potential threats, and other scripts can drive it to block IPs that open too many connections or rack up failed logins, as when it is paired with something like fail2ban or a similar tool.

If you're looking for a simple yet powerful firewall management system, consider APF. I've found it to work extremely well, and definitely find it easier to use than Shorewall.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

2 comments
m.immer

Port range "30000_301000" is not it too high? I guess a 0 extra ;o)

Photogenic Memory

For the most part system-config-firewall on CentOS 5.5 has been what I rely on and is simple enough for my needs. I'm a home PC Linux user. Sometimes I'll look at /sbin/iptables --list and try to understand how the chain of rules processes the connections. Since I don't configure firewalls on a regular basis in that manner, it makes me cringe to think of how much time it would take for me to configure something on the fly. It probably wouldn't take me long, but I like to get things done like yesterday. I've never configured Shorewall, but your article on APF really makes firewall configuration appear more straightforward, if not kinda fun to do! I think I'll give it a go. Thank you, Vincent.