How to install and configure APF (Advanced Policy Firewall) on CentOS with cPanel

APF (Advanced Policy Firewall) is a policy based iptables firewall application which is pretty easy to configure and use.

The process of installation and configuration on one of our Cloud VPS accounts is quite simple and takes less than 5 minutes to complete.

Log in to your server as root, download the software from http://www.rfxnetworks.com/apf.php (the newest version at the time of writing this article was 0.9.7_2), unpack it and install it by executing the following commands:

cd /root/

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz 

tar -zxvf apf-current.tar.gz

cd apf-0.9.7-2

./install.sh

Below is the general configuration of APF on servers with CentOS and cPanel. For more detailed information on every feature the firewall has, see the README file supplied with the APF sources.

Edit the APF configuration file:

vi /etc/apf/conf.apf

press ‘i’ to enter Insert mode.

These are the inbound TCP ports that need to be open in order to run cPanel behind a firewall: 20,21,22,25,26,37,43,53,80,110,113,143,443,465,873,993,995,2077,2078,2082,2083,2086,2087,2095,2096 and 3306 (open port 3306 only if you need remote access to the MySQL database server; otherwise leave it out of the list).

Find the line starting with ‘IG_TCP_CPORTS’ and modify it to:

IG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,143,443,465,873,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306"

Find the line starting with ‘IG_UDP_CPORTS’ (inbound UDP ports that must be open) and modify it to:

IG_UDP_CPORTS="53"

Also modify the following lines:

IG_ICMP_TYPES="0,3,5,8,11,30"

EG_TCP_CPORTS="21,25,37,43,53,80,443,873,2089" 

EG_UDP_CPORTS="20,21,53,873"

where ‘IG_ICMP_TYPES’, ‘EG_TCP_CPORTS’ and ‘EG_UDP_CPORTS’ are the inbound ICMP types, outbound TCP ports and outbound UDP ports that must be allowed to run cPanel behind a firewall.

Start APF using the following command:

/usr/local/sbin/apf -s

Test the firewall from another host with a port scanner such as nmap, and confirm that you can still open a new SSH session. While DEVEL_MODE="1" is set, APF's cron job flushes the rules every few minutes, so a mistake in the port lists cannot lock you out permanently. Once everything is OK, change the DEVEL_MODE="1" option in the ‘/etc/apf/conf.apf’ configuration file to DEVEL_MODE="0".

Restart APF for the changes to take effect using:

/usr/local/sbin/apf -r

To autostart APF at boot time execute the following command:

chkconfig --level 2345 apf on
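The following is an added example, not part of the original article or of APF itself: two small shell helpers (the names apf_set, apf_get and apf_missing are hypothetical) that set a conf.apf key idempotently and list every locally listening TCP port that the IG_TCP_CPORTS line does not allow, so you can catch a missing port before switching DEVEL_MODE off. It runs against a constructed sample config and a constructed port list rather than the real /etc/apf/conf.apf.

```shell
#!/bin/sh
# Added example (not APF's own code). Helper names are hypothetical.

# apf_set FILE KEY VALUE: rewrite KEY="..." in FILE, or append it if the key is
# absent. Anchored at line start, so commented-out copies of the key are ignored.
apf_set() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# apf_get FILE KEY: print the value between the quotes of KEY="..." in FILE.
apf_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# apf_missing FILE PORTS: print each port in PORTS (space separated) that is not
# listed in IG_TCP_CPORTS of FILE, one per line. Only single ports are matched;
# APF's low_high range syntax is not expanded here.
apf_missing() {
    allowed=",$(apf_get "$1" IG_TCP_CPORTS),"
    for p in $2; do
        case "$allowed" in
            *",$p,"*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Demo on a constructed config (not the real /etc/apf/conf.apf).
CONF=$(mktemp)
printf 'DEVEL_MODE="1"\nIG_TCP_CPORTS="22,80"\n' > "$CONF"
apf_set "$CONF" IG_TCP_CPORTS \
  "20,21,22,25,26,37,43,53,80,110,113,143,443,465,873,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
apf_set "$CONF" IG_UDP_CPORTS "53"
apf_set "$CONF" DEVEL_MODE "0"
# Constructed list of listening ports; on a live server you would feed in
# the local port column of: ss -lnt
apf_missing "$CONF" "22 80 443 3306 8080"   # prints 3306 and 8080
rm -f "$CONF"
```

Any port printed by apf_missing is either a service that should be added to IG_TCP_CPORTS or one that should not be listening on a public interface at all.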
