Originally Posted by http://www.rfxnetworks.com/apf.php
APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz and RPM formats, APF is ideal for deployment in many server environments based on Linux.
This How-To explains the installation and configuration of Advanced Policy Firewall (APF) on your Linux system. A sample conf.apf will also be provided for each control panel, cPanel and Plesk; the first task at hand, however, is installation.
Installation of APF
Please note that you will need to log in via SSH as 'root' (or a user with equivalent privileges) to accomplish the installation.
Step 1: Preparing for Installation
cd /usr/local/src/
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxvf apf-current.tar.gz; cd apf-*
Exception: on Ubuntu, install the packaged version instead: sudo apt-get install apf-firewall
Step 2: Installation
Run the installer from inside the unpacked apf-* directory:
./install.sh
Installing APF 0.9.6-1: Completed.
For installation troubleshooting, scroll down to the bottom of this post.
Configuration of APF
Step 1: Opening up the configuration file, conf.apf
We will be using vi in this How-To; please see the Basic Guide to Vim. You will need to log in to the forums to view it. To change your forum password, log in to the portal, go to https://control.softlayer.com/account/users, select your user and update your 'forum password' there.
cd /etc/apf; vi conf.apf
i    (press 'i' to enter Insert Mode)
IMPORTANT Configuration Variables
DEVEL_MODE - When set to 1, APF installs a cron job that flushes the firewall rules every 5 minutes. This is a safety net while you test a new configuration: if you lock yourself out of the server, the rules are cleared within 5 minutes and you can log back in. Remember to set it to 0 once a working configuration has been created, otherwise the firewall will keep disabling itself.
IFACE_IN and IFACE_OUT - By default these are set to eth0; however, on SoftLayer servers eth0 is the private network and eth1 is the public network. Misconfiguring these variables can leave the server with no network connectivity, so confirm which interface holds your public IP (ip addr or ifconfig) before editing. Set both variables to eth1.
IFACE_TRUSTED - Interfaces listed here are trusted completely: traffic on them bypasses the firewall rules. In our case the private network interface, eth0, is trusted. Set to eth0. Keep in mind that every host reachable over the private network is then unfiltered, so only trust an interface whose network you control.
IG_TCP_CPORTS, IG_UDP_CPORTS, and IG_ICMP_TYPES - List the inbound TCP ports, UDP ports and ICMP types the server will accept. List only the ports and types you actually need and remove everything else; each open port is exposed to the whole public network.
Ports and Types for cPanel
Ports and Types for Plesk
EG_TCP_CPORTS, EG_UDP_CPORTS, and EG_ICMP_TYPES - The same as the above variables, but for outbound (egress) traffic. They only take effect when egress filtering is enabled (EGF set to 1); with EGF at its default of 0 all outbound traffic is allowed.
Ports and Types for cPanel
Ports and Types for Plesk
USE_DS - Use dshield.org's block list to deny traffic from the networks it lists as top attackers. Set to 1.
Step 2: Saving the configuration (while in vim)
Press Esc to leave Insert Mode, then type :wq and press Enter to write the file and quit.
Step 3: Testing the configuration
apf -r
Development mode enabled!; firewall will flush every 5 minutes.
Keep your current SSH session open and test the server by logging in over SSH in a second session. Then visit your control panel, website, FTP, etc. and make adjustments to conf.apf as necessary, running apf -r after each change.
Step 4: Switch DEVEL_MODE to 0 and run apf -r again
Step 5: Set APF to autostart
chkconfig --level 2345 apf on
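The configuration steps above, scripted as an added example (this is not code from the original post or from the APF project). It edits an APF-style conf.apf with sed, applies the SoftLayer interface layout described above (eth1 filtered, eth0 trusted), and checks two things a practitioner wants verified before running apf -r: that the filtered interface is not also listed as trusted (which would bypass every rule), and that DEVEL_MODE has been switched back to 0. The sample conf.apf contents and the port lists are constructed for illustration and are not the cPanel/Plesk lists this post refers to; on a real server you would run configure_softlayer against /etc/apf/conf.apf, then apf -r and chkconfig yourself.

```shell
#!/bin/sh
# Added example, not part of the original post or the APF project.
# Works on a constructed sample file so it can be tried offline.

# Replace (or append) a VAR="value" line in an APF-style config file.
# Values must not contain '|' (sed delimiter) or '"'.
apf_set() {
  if grep -q "^$1=" "$3"; then
    sed "s|^$1=.*|$1=\"$2\"|" "$3" > "$3.tmp" && mv "$3.tmp" "$3"
  else
    printf '%s="%s"\n' "$1" "$2" >> "$3"
  fi
}

# Read the current value of VAR from the file (quotes stripped, first match wins).
apf_get() {
  grep "^$1=" "$2" | head -n 1 | cut -d= -f2- | tr -d '"'
}

# Pre-flight checks before `apf -r`:
#  - the filtered interface must not also be a trusted interface, or the
#    trust rule accepts everything before the port rules are consulted;
#  - DEVEL_MODE must be 0, or APF flushes its own rules every 5 minutes.
# Returns 0 when the file is production-ready, 1 otherwise.
apf_validate() {
  filtered=$(apf_get IFACE_IN "$1")
  trusted=$(apf_get IFACE_TRUSTED "$1")
  rc=0
  if [ "$filtered" = "$trusted" ]; then
    echo "IFACE_IN ($filtered) is also IFACE_TRUSTED: firewall would be bypassed" >&2
    rc=1
  fi
  if [ "$(apf_get DEVEL_MODE "$1")" != "0" ]; then
    echo "DEVEL_MODE is still enabled; rules will be flushed every 5 minutes" >&2
    rc=1
  fi
  return $rc
}

# Apply the post's settings: public interface filtered, private interface trusted.
# Arguments: conf file, public iface (default eth1), private iface (default eth0).
# The port lists below are assumptions for illustration only.
configure_softlayer() {
  pub=${2:-eth1}
  priv=${3:-eth0}
  apf_set DEVEL_MODE 1 "$1"          # start in development mode while testing
  apf_set IFACE_IN "$pub" "$1"
  apf_set IFACE_OUT "$pub" "$1"
  apf_set IFACE_TRUSTED "$priv" "$1"
  apf_set IG_TCP_CPORTS "22,80,443" "$1"
  apf_set IG_UDP_CPORTS "53" "$1"
  apf_set EG_TCP_CPORTS "21,25,53,80,443" "$1"
  apf_set EG_UDP_CPORTS "53,123" "$1"
  apf_set USE_DS 1 "$1"
}

# Constructed sample of the relevant conf.apf lines (not a full real file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
DEVEL_MODE="1"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IFACE_TRUSTED=""
IG_TCP_CPORTS="22"
IG_UDP_CPORTS=""
EG_TCP_CPORTS="21,25,80,443,43"
EG_UDP_CPORTS="20,21,53"
EOF

configure_softlayer "$SAMPLE"
apf_validate "$SAMPLE" || echo "(expected while testing: still in DEVEL_MODE)"
apf_set DEVEL_MODE 0 "$SAMPLE"       # Step 4, once everything has been verified
apf_validate "$SAMPLE" && echo "conf.apf is production-ready: $SAMPLE"
```

The validate step is the one most worth keeping: an interface that appears in both IFACE_IN and IFACE_TRUSTED is accepted wholesale, so the carefully trimmed IG_TCP_CPORTS list does nothing for it.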