Configure APF Firewall

A firewall is a very good idea for a server. Although many people think that a firewall provides instant all-encompassing protection it actually doesn't.  A firewall will help prevent some things but it is not going to stop everything. It is just one piece of the security network that is being woven. I recommend advanced protection firewall (APF) by rfxnetworks. APF will block unused outgoing and incoming ports. It can also be configured to use information from some block lists. The below port list will work for cPanel. For the other control panels you will need to add in the administration ports.


http://www.rfxnetworks.com/apf.php

-----command-----
cd /usr/local/src
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-0.*
./install.sh
-----command-----


Now edit config file
-----command-----
pico -w /etc/apf/conf.apf
-----command-----

Scroll down to the "Common ingress (inbound) TCP ports section. At this point you need to find the correct configuration for your control panel.


-----cPanel -----
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
IG_UDP_CPORTS="21,53,873"

EGF="1"
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
EG_UDP_CPORTS="20,21,37,53,873"



----Ensim -----
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
IG_UDP_CPORTS="53"

EGF="1"
EG_TCP_CPORTS="21,22,25,53,80,110,443"
EG_UDP_CPORTS="20,21,53"



----Plesk -----

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,8443"
IG_UDP_CPORTS="37,53,873"

EGF="1"
EG_TCP_CPORTS="20,21,22,25,53,37,43,80,113,443,465,873,5224"
EG_UDP_CPORTS="53,873"





Save the file and start apf via.
-----command-----
apf -s
-----command-----

If everything still works then edit the config file and turn dev mode off. Make sure you can start a new ssh session before changing dev mode off. If you are kicked out you need to go back and look at what caused the problem!
DEVEL_MODE="0"

Now restart APF
-----command-----
apf -r
-----command-----

  • Email, SSL
  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

Can I load balance servers that are behind a firewall?

Yes, in proxy mode your servers can live anywhere and as long as you can get to the real port you...

Howto Install B.F.D Brute Force Detection

wget http://oratoronline.com/how2/BFD/bfd-current.tar.gz tar -xvzf bfd-current.tar.gz cd bfd-0.7...

Ranges to allow through server firewall

Frontend (public) network:Ports to allow:ICMP – ping (for support troubleshooting)All TCP/UDP...

How to install APF (Advanced Policy Firewall)

What is APF (Advanced Policy Firewall)? APF FirewallAPF is a policy based iptables firewall...

Hardware Firewall configuration

A Hardware Firewall is a network device that is connected upstream from a server. The Firewall...