BuycPanel Blog


2/24/2015 – Install APF Firewall with cPanel

Posted by Jamison on 24 02 2015.

What is APF (Advanced Policy Firewall)?

 

APF is a policy-based iptables firewall system designed for ease of use and configuration. Its feature set is meant to suit both veteran Linux users and novices. Packaged in tar.gz and RPM formats, APF is ideal for deployment in many Linux-based server environments. APF is developed and maintained by R-fx Networks, whose website is:

 

http://www.rfxnetworks.com/apf.php

 

Here’s how to install APF Firewall for cPanel:

 

Don’t forget that you can access your server via the console inside VPS Manager should you get locked out due to an incorrect configuration.

 

1) Login to your server as root

 

2) Download the APF Source (current version 9.7-3)

 

CODE

# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

 

3) Extract the tar.gz

CODE

# tar -zxf apf-current.tar.gz

 

4) Enter the extracted APF directory (its name carries the version number, so adjust the command if yours differs)

CODE

# cd apf-9.7-2

 

5) Run the install script

CODE

# ./install.sh

 

6) Modify the APF config file

CODE

# nano /etc/apf/conf.apf

 

Note that OpenVZ uses the venet0:0 interface, while Xen uses the standard eth0 interface.

 

7) Add the ports you want to open for inbound (INGRESS) traffic. The following is for a cPanel box:

CODE

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,6666"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

 

Note that these variables already exist in the file; the values above are what they should be set to.

 

8) Tell APF to monitor outgoing (EGRESS) traffic as well

CODE

Change the line:

EGF="0"

to

EGF="1"

 

9) Tell APF which outbound ports to monitor

CODE

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,37,43,53,80,110,113,443,465,873,2089,3306"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,465,873"

# Common ICMP (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"

 

10) Save and exit. In vi, hit ‘esc’ :wq ‘enter’; in nano (used in step 6), press Ctrl+O, Enter, then Ctrl+X.

 

11) Start APF

CODE

# /usr/local/sbin/apf -s

 

You may or may not see output after this command. If you do not, leave a message at the forums to get advice. If all goes well, you are returned to the command line. Before moving on to the next steps, verify that everything is working: you can still get in over SSH, cPanel works, you can view a page, and so on.

 

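12) If everything works, edit the config file and change the developer mode to 0. While developer mode is on, a cron job flushes the firewall rules every 5 minutes, so the firewall does not stay active until this is set to 0.

CODE

# vi /etc/apf/conf.apf

Hit i to enter insert mode

CODE

Change

DEVM="1"

to

DEVM="0"

Save and quit

Hit ‘esc’ :wq ‘enter’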

 

13) Restart APF

CODE

# /usr/local/sbin/apf -r

 

APF is now installed and monitoring your server.
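
An added example (not from the original post or from R-fx Networks): a read-only check to run against /etc/apf/conf.apf before the final restart in step 13. It assumes the variable names used in this post and that SSH listens on port 22; the function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: read-only audit of an APF-style conf file before restarting APF.
# The file is parsed as text, never sourced, so nothing in it is executed.
SSH_PORT=${SSH_PORT:-22}   # assumption: sshd listens on 22, as in the port list above

# get_var FILE NAME: print the value of the last NAME=... line, outer quotes stripped
get_var() (
    v=$(grep -E "^[[:space:]]*$2=" "$1" | tail -n 1)
    v=${v#*=}; v=${v%\"}; v=${v#\"}
    printf '%s' "$v"
)

# has_port LIST PORT: succeed if PORT is an element of the comma-separated LIST
has_port() { case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# apf_audit FILE: print one line per problem; exit status 1 if any were found
apf_audit() (
    rc=0
    # Typographic quotes (pasted from a web page) are not shell quotes.
    if grep -qF -e '“' -e '”' -e '″' "$1"; then
        echo "QUOTES: typographic quotes found, retype them as plain \""; rc=1
    fi
    if ! has_port "$(get_var "$1" IG_TCP_CPORTS)" "$SSH_PORT"; then
        echo "SSH: port $SSH_PORT missing from IG_TCP_CPORTS, SSH would be blocked"; rc=1
    fi
    [ "$(get_var "$1" EGF)" = "1" ] || { echo "EGF: egress filtering is not enabled"; rc=1; }
    [ "$(get_var "$1" DEVM)" = "0" ] || { echo "DEVM: developer mode is still on"; rc=1; }
    exit "$rc"
)

# Constructed sample input (not a real server's config).
make_sample() {
    cat <<'EOF'
IG_TCP_CPORTS=”20,21,25,53,80,443,2083,2087″
IG_UDP_CPORTS="21,53,465,873"
EGF="1"
DEVM="1"
EOF
}

sample=$(mktemp)
make_sample > "$sample"
apf_audit "$sample" || echo "fix the findings above, then run: apf -r"
rm -f "$sample"
```

On a real server, call `apf_audit /etc/apf/conf.apf`; set `SSH_PORT` first if sshd listens elsewhere.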