Configure APF Firewall

A firewall is a very good idea for a server. Many people think a firewall is instant protection that does everything; it is not. A firewall helps prevent some things, but it will not stop everything: it is just one piece of the security net being woven. I recommend advanced protection firewall (APF) by rfxnetworks. APF blocks unused outgoing and incoming ports, and it can also be configured to use information from some block lists. The port lists below will work for cPanel; for the other control panels you will need to add in the administration ports.


http://www.rfxnetworks.com/apf.php

-----command-----
cd /usr/local/src
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-0.*
./install.sh
-----command-----


Now edit config file
-----command-----
pico -w /etc/apf/conf.apf
-----command-----

Scroll down to the "Common ingress (inbound) TCP ports" section. At this point you need to find the correct configuration for your control panel below and set the port lists accordingly.


-----cPanel -----
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
IG_UDP_CPORTS="21,53,873"

EGF="1"
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
EG_UDP_CPORTS="20,21,37,53,873"



----Ensim -----
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
IG_UDP_CPORTS="53"

EGF="1"
EG_TCP_CPORTS="21,22,25,53,80,110,443"
EG_UDP_CPORTS="20,21,53"



----Plesk -----

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,8443"
IG_UDP_CPORTS="37,53,873"

EGF="1"
EG_TCP_CPORTS="20,21,22,25,53,37,43,80,113,443,465,873,5224"
EG_UDP_CPORTS="53,873"





Save the file and start APF with:
-----command-----
apf -s
-----command-----

If everything still works, edit the config file again and turn dev mode off. Make sure you can open a new SSH session before turning dev mode off: if you are locked out, go back and look at what caused the problem!
DEVEL_MODE="0"

Now restart APF
-----command-----
apf -r
-----command-----


add urchin ports

Remember to add to your apf configuration file the port for urchin (usually 9999) or any statistic software you use in non standard ports.

regards,

JLChafardet

blocking port issue

this is my nmap output
[code]
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1583 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
26/tcp open unknown
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
143/tcp open imap2
443/tcp open https
465/tcp open smtps
631/tcp open ipp
783/tcp open hp-alarm-mgr
953/tcp open rndc
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
[/code]
ports 631 and 3306 aren't in my apf config file but these ports are open how can i block these ports

this is my apf config file

[code]# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,873"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,37,53,873"
[/code]

nmap

You need to do nmap from a remote host, not localhost. The problem is the firewall is blocking connections from remote IPs but not from localhost.

DEVEL_MODE="0"

Slight change:
DEVM="0"
Is now called
DEVEL_MODE="0"
Regards,
Craig craig@shadeaux.net

dev mode

Thanks again, guide updated.

What about DirectAdmin and

What about DirectAdmin and VHCS? :)

DA and VHCS

I have never used them, if I have time later I can go research the ports needed.

Lots of errors when entering apf -s

I installed exactly by the instructions above but am getting all kinds of errors when I run apf -s. I am running Suse 9.3.

apf is looking for iptables in /sbin but I have it installed in /usr/sbin

Is there any way to change this?

I installed apf before I installed iptables.

suse

never used it in SUSE, but you can always just symlink them

ln -s /usr/sbin/iptables /sbin/iptables
(or it may be)
ln -s /sbin/iptables /usr/sbin/iptables

I always mess that up, one will work heh

DNS Clustering

Remember to add port 2087 to # Common egress (outbound) TCP ports,
otherwise you will not be able to establish a trust relationship / join cPanel's DNS Cluster.

Problem! Server lock down

I installed APF as instructed for my server with the Plesk options.

After I restart or start APF, I get disconnected.

So how could I fix this issue?

I have RedHat ES4 installed with Plesk 7.5 reloaded.

And conf.apf:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,8443"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="37,53,873"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="20,21,22,25,53,37,43,80,113,443,465,873"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="53,873"

Thanks

make sure you configure the

Make sure you configure the correct ethernet device... (you can check which one your server uses with ifconfig)

I got them running

I got APF running after changing the ethernet device.

Thanks ;)

plesk licence key update port 5224

You need to add port 5224 to EG_TCP_CPORTS to allow Plesk to update its licence key.

plesk port 5224

updated, thank you! :)

Egress filtering

If I turn on egress filtering (EGF="1"), bind fails to start / restart correctly and shows this error:

"error sending response: host unreachable"

My apf.conf file:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,25,53,80,110,143,443,2083,2086,2087,2096,3000_5000,5432,22305"

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Talk Jesus Forums & Live Chat!
www.talkjesus.com

pureftp and NAT

Hello,

First, add ports for pureftp in /etc/apf/conf.apf

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3000_3500,30000_35000"

Edit the pureftp .conf:
pico /etc/pure-ftpd.conf

and uncomment & change:

PassivePortRange 30000 35000

This will allow you to connect using FTP PASV mode if you are using NAT.

DirectAdmin setup?

Does anyone have a port setup for DirectAdmin?

I know that I should unlock port 2222 for DirectAdmin; any other ports?

thanks
