How to install APF Firewall on Your System

In this article we explain how to install and configure APF (Advanced Policy Firewall), an iptables front end that lets you set up a full-featured firewall on your servers with little effort. The example installation here is on a server running cPanel, but APF can be used on any Linux system.

First, download the current version of the firewall:

wget www.rfxn.com/downloads/apf-current.tar.gz

Next, extract the archive and enter the directory it creates:

tar -xzvf apf-current.tar.gz ; cd apf-*

Run the install.sh script and take note of the ports it reports as Listening TCP Ports:

sh install.sh

After the install completes you will see output like the following:

# sh install.sh
Installing APF 9.7-2: Completed.
Installation Details:
  Install path:         /etc/apf/
  Config path:          /etc/apf/conf.apf
  Executable path:      /usr/local/sbin/apf
Other Details:
  Listening TCP ports: 21,25,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,2222,3306
  Listening UDP ports:
  Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.
root@cpanel#

In this example the ports we will allow in the configuration are: 21,25,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,2222,3306

Keep in mind that the installer only reports what is currently listening; a listening service is not automatically one that should be reachable from the Internet. MySQL on 3306, for instance, usually only needs to be reached by applications on the server itself and can be left out of the inbound list (or allowed only from specific source hosts in /etc/apf/allow_hosts.rules). Review the list before pasting it in.

Open the main configuration file, /etc/apf/conf.apf, in your preferred text editor:

nano /etc/apf/conf.apf

Scroll down to the IG_TCP_CPORTS setting. This is the list of allowed inbound TCP ports, where you will paste the ports currently open on your server. The default looks like this:

# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="22"

Replace port 22 with the ports that APF reported as listening during installation. Be careful here: whatever port your SSH daemon listens on must stay in this list, otherwise restarting the firewall will lock you out of the server. In this example the reported list contains 2222 but not 22, so check which port sshd actually uses (ss -ltn, or the Port directive in /etc/ssh/sshd_config) before dropping 22.

# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="21,25,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,2222,3306"

If the install reported any UDP ports (for example 53 if the server runs DNS), add them to IG_UDP_CPORTS, which is directly below IG_TCP_CPORTS.

Next, search for monokern and set the Monolithic Kernel option to 1 if your kernel has netfilter/iptables support built in rather than as loadable modules, which is common with the kernels that VPS and cloud providers supply (such as the Cloud Kernel used in this example). With SET_MONOKERN="0" APF tries to modprobe the iptables modules and aborts if that fails; setting it to 1 skips the module loading. On a modular kernel lsmod | grep ip_tables will list the module after iptables has been used once; on a monolithic kernel it lists nothing even though iptables works.

# This allows the firewall to work around modular kernel issues by assuming
# that the system has all required firewall modules compiled directly into
# kernel. This mode of operation is not generally recommended but can be used
# scale APF to unique situations.
SET_MONOKERN="1"

Save the file, then start APF with /etc/apf/apf -r:

root@cpanel# /etc/apf/apf -r

When the firewall loads you will see a message that it is running in Development Mode. In this mode a cron job flushes the firewall every 5 minutes as a fail-safe, so a mistake in the rule set cannot lock you out of the server. Before turning Development Mode off, confirm that everything still works: open a second SSH session, and check from outside that the web, mail and cPanel ports you allowed still answer.
 
Once you have confirmed the firewall is working properly, open /etc/apf/conf.apf again and set DEVEL_MODE, near the top of the file, to 0:

# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.
DEVEL_MODE="0"

Save and close the file, then restart APF with /etc/apf/apf -r to run the firewall without Development Mode:

root@cpanel# /etc/apf/apf -r

Additionally, the apf command accepts the following parameters:

-s - start APF
-r - restart APF
-f - stop (flush) APF
-l - list statistics
-st - status of APF
-a host - allow connections from "host" (added to /etc/apf/allow_hosts.rules)
-d host - deny connections from "host" (added to /etc/apf/deny_hosts.rules)
-u host - remove "host" from the allow and deny rules

APF is now installed. To make sure it starts at boot, run the setup command, go to System Services, tick apf and save the settings; on RHEL/CentOS the same can be done from the command line with chkconfig apf on. After a reboot APF should start automatically, which you can confirm with /etc/apf/apf -st.
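The port-list step above is the one most likely to go wrong by hand (a forgotten SSH port, a loopback-only service exposed, a typo that leaves the default line in place). The following script is an added example and not part of APF or the original article: it derives the externally reachable listening ports from iproute2's ss, forces the SSH port into the list, and rewrites the IG_TCP_CPORTS line in conf.apf only if exactly one such line exists. The ss output is a constructed sample standing in for a live server, and the script works on a throwaway copy of the relevant conf.apf lines; point APF_CONF at /etc/apf/conf.apf to use it for real.

```shell
#!/bin/sh
# Added example (not from the APF project): build IG_TCP_CPORTS from the
# ports that are actually listening and write it into conf.apf safely.
# Assumes iproute2 `ss` and a conf.apf with one uncommented line per setting.

# Constructed sample of `ss -ltn` output standing in for a live server.
# On the real box use:  ss -ltn | ports_from_ss   (the header is filtered).
SAMPLE_SS_TCP='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128                *:80               *:*
LISTEN 0      128          0.0.0.0:443        0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*'

# ports_from_ss: read `ss -ltn` / `ss -lun` output on stdin and print the
# listening ports as a sorted, deduplicated, comma-separated list.
# Sockets bound only to loopback are skipped: they cannot be reached from
# the network, so there is no reason to open them in the firewall.
ports_from_ss() {
  awk '{
    addr = $4
    n = split(addr, a, ":")
    port = a[n]
    if (port !~ /^[0-9]+$/) next                              # header line
    if (addr ~ /^127\./ || index(addr, "[::1]:") == 1) next   # loopback only
    print port
  }' | sort -n | uniq | paste -s -d, -
}

# ensure_port LIST PORT: print LIST with PORT appended unless already present.
# Used to keep the SSH port in IG_TCP_CPORTS no matter what ss reported.
ensure_port() {
  list=$1 port=$2
  if [ -z "$list" ]; then
    printf '%s\n' "$port"
    return 0
  fi
  case ",$list," in
    *",$port,"*) printf '%s\n' "$list" ;;
    *)           printf '%s,%s\n' "$list" "$port" ;;
  esac
}

# get_conf_var FILE KEY: print the value of the KEY="value" line in FILE.
get_conf_var() {
  sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# set_conf_var FILE KEY VALUE: rewrite the single KEY="..." line in FILE.
# Refuses to run unless exactly one such line exists, so a typo in KEY or a
# duplicated setting cannot silently leave the old value in force. Keeps a
# .bak copy and writes via a temp file so a failure never truncates the file.
set_conf_var() {
  file=$1 key=$2 value=$3
  n=$(grep -c "^$key=" "$file" || true)
  if [ "$n" -ne 1 ]; then
    echo "set_conf_var: expected exactly one $key= line in $file, found $n" >&2
    return 1
  fi
  cp -p "$file" "$file.bak" &&
  awk -v k="$key" -v v="$value" '
    index($0, k "=") == 1 { print k "=\"" v "\""; next }
    { print }
  ' "$file" > "$file.tmp" &&
  mv "$file.tmp" "$file"
}

# --- Demo on a throwaway copy of the relevant conf.apf lines ----------------
APF_CONF=$(mktemp)                 # use /etc/apf/conf.apf on a real server
cat > "$APF_CONF" <<'EOF'
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="22"
# Common inbound (ingress) UDP ports
IG_UDP_CPORTS=""
DEVEL_MODE="1"
EOF

SSH_PORT=22                        # set to 2222 on a cPanel box that uses it
tcp=$(printf '%s\n' "$SAMPLE_SS_TCP" | ports_from_ss)   # 22,80,443 (3306 skipped)
tcp=$(ensure_port "$tcp" "$SSH_PORT")
set_conf_var "$APF_CONF" IG_TCP_CPORTS "$tcp"
echo "IG_TCP_CPORTS is now: $(get_conf_var "$APF_CONF" IG_TCP_CPORTS)"
rm -f "$APF_CONF" "$APF_CONF.bak"
```

Run it once against the sample to see the shape of the result, then replace SAMPLE_SS_TCP with real ss output and set APF_CONF to /etc/apf/conf.apf. The same set_conf_var call works for IG_UDP_CPORTS (feed it ss -lun) and for flipping DEVEL_MODE to 0 after testing; restart APF with apf -r afterwards, as the guide describes.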