How to configure APF Firewall on Ubuntu 15.10

Introduction

Advanced Policy Firewall (APF) is a free, iptables-based firewall system designed to meet today's essential security needs. It is meant to be informative and to give the user an easy process to follow.

Features Highlight

The filtering performed by APF can be categorised in three parts:

Static rule-based policy

Defines how the firewall handles particular traffic under specific conditions, such as opening access to a given port or treating an IP address as trusted.

Connection-based stateful policy

The firewall tracks connection state, distinguishes legitimate packets from the rest, and allows only the connections the rules permit; everything else is rejected.

Sanity-based policy

Identifies network attacks by scrutinising packets; anything judged malformed or inappropriate is discarded and logged.

Installation

It is recommended to have at least two network interfaces, 4 GB RAM, a dual-core processor and 1 GB of free disk space if you dedicate a system to act as an APF firewall.

Update Ubuntu 15.10

# apt-get update

Download package

# wget http://www.rfxn.com/downloads/apf-current.tar.gz

Extract package

# tar -xvf apf-current.tar.gz

Install package

# cd apf-9.7-2/
# ./install.sh

Sample output

Installing APF 9.7-2: Completed.

Installation Details:
  Install path:         /etc/apf/
  Config path:          /etc/apf/conf.apf
  Executable path:      /usr/local/sbin/apf

Other Details:
  Listening TCP ports: 53,631
  Listening UDP ports: 53,68,631,5353,23566,47956
  Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

Now have a look at /etc/apf/conf.apf:

# The installation path of APF; this can be changed but it is not recommended.
INSTALL_PATH="/etc/apf"

# Untrusted Network interface(s); all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interfaces. Only one interface is accepted for each value.
IFACE_IN="eth0"
IFACE_OUT="eth0"

# Trusted Network interface(s); all traffic on defined interface(s) will by-pass
# ALL firewall rules, format is white space or comma separated list.
IFACE_TRUSTED=""

# This option will allow for all status events to be displayed in real time on
# the console as you use the firewall. Typically, APF used to operate silent
# with all logging piped to $LOG_APF. The use of this option will not disable
# the standard log file displayed by apf --status but rather compliment it.
SET_VERBOSE="1"

Let us explain some of the important parameters in this configuration file.

IFACE_IN="eth0"
IFACE_OUT="eth0"

The inbound and outbound interfaces to which the firewall rules apply; set both to the interface that faces the internet.

IFACE_TRUSTED is the one setting to get right before anything else: traffic on a trusted interface bypasses every firewall rule, so it must never name the same interface as IFACE_IN. Putting eth0 in both effectively disables the firewall. Leave it empty unless the host has a separate internal interface you fully trust.

DEVEL_MODE="1"

Developer mode installs a cron job that stops the firewall every five minutes, so a mistake in the rules cannot lock you out of a remote host. Keep it at 1 while you test the configuration, and set it to 0 once the firewall behaves as intended; otherwise your rules keep disappearing.

IG_TCP_CPORTS

Comma-separated list of inbound TCP ports to allow. Only the ports listed here are reachable, so include the port you administer the host on (SSH, if you manage it remotely). The "Listening TCP ports" line printed by the installer is only a hint of what is currently listening, not a setting.

IG_UDP_CPORTS

Comma-separated list of inbound UDP ports to allow, in the same format.
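These settings interact in ways that are easy to get wrong: a trusted interface bypasses every rule, DEVEL_MODE=1 keeps flushing the firewall, and an IG_TCP_CPORTS list without your management port locks you out the moment the firewall starts. The script below is an added example written for this article, not a tool shipped with APF. It parses a conf.apf (without sourcing it) and reports those three problems before you run apf -s. The sample configuration it prints is constructed for the example, and the check for port 22 assumes SSH is how you administer the host.

```shell
#!/bin/sh
# check_apf_conf: pre-flight sanity checks on an APF conf.apf before "apf -s".
# Added example for this article, not part of APF. Exit status 0 means no
# problems were found, 1 means at least one problem was printed.

# Print the value of KEY="value" from the config file (last definition wins).
# The file is parsed, not sourced, so nothing in it gets executed.
apf_get() {
    sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

check_apf_conf() {
    conf="$1"
    problems=0
    iface_in=$(apf_get IFACE_IN "$conf")
    iface_trusted=$(apf_get IFACE_TRUSTED "$conf")
    devel=$(apf_get DEVEL_MODE "$conf")
    tcp_ports=$(apf_get IG_TCP_CPORTS "$conf")

    # 1. Traffic on a trusted interface bypasses ALL rules, so the internet
    #    facing interface (IFACE_IN) must never be listed in IFACE_TRUSTED.
    for t in $(printf '%s' "$iface_trusted" | tr ',' ' '); do
        if [ "$t" = "$iface_in" ]; then
            echo "FAIL: IFACE_TRUSTED lists IFACE_IN ($iface_in); every packet bypasses the firewall"
            problems=1
        fi
    done

    # 2. DEVEL_MODE=1 installs a cron job that stops the firewall every five
    #    minutes: right while testing, wrong once the rules are final.
    if [ "$devel" = "1" ]; then
        echo "WARN: DEVEL_MODE=1; cron will stop the firewall every 5 minutes until it is set to 0"
    fi

    # 3. Only ports in IG_TCP_CPORTS are reachable. If 22 is missing, a remote
    #    administrator is locked out as soon as the firewall starts.
    ssh_ok=0
    for p in $(printf '%s' "$tcp_ports" | tr ',' ' '); do
        if [ "$p" = "22" ]; then
            ssh_ok=1
        fi
    done
    if [ "$ssh_ok" -eq 0 ]; then
        echo "FAIL: IG_TCP_CPORTS=\"$tcp_ports\" does not include 22; SSH will be blocked"
        problems=1
    fi

    return "$problems"
}

# A minimal conf.apf fragment (constructed for this example; the real file is
# far longer) containing the settings the checks above look at, set safely.
example_conf() {
    cat <<'EOF'
IFACE_IN="eth0"
IFACE_OUT="eth0"
IFACE_TRUSTED=""
DEVEL_MODE="0"
IG_TCP_CPORTS="22,80,443"
IG_UDP_CPORTS="53"
EOF
}

# Typical use on the firewall host (assumes a root shell):
#   check_apf_conf /etc/apf/conf.apf && apf -s
```

Run it from a root shell before every apf -s; the DEVEL_MODE warning is expected during testing and should disappear once you flip the setting to 0.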

 

Command Examples

To start firewall

# apf -s

To stop firewall

# apf -f

Output

apf(7480): {glob} flushing & zeroing chain policies
apf(7480): {glob} firewall offline

To restart firewall

# apf -r

To dump current status of firewall on terminal

# apf -st


To trust a host

# apf -a 192.168.1.1

Adds the address to the trusted (allowed) hosts; the entry goes to /etc/apf/allow_hosts.rules.

To deny a host

# apf -d 192.168.1.1

Adds the address to the denied hosts; the entry goes to /etc/apf/deny_hosts.rules.

To remove a host

# apf -u 192.168.1.1

Removes the entry from either the trusted or the denied hosts rules.
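The allow and deny commands take whatever string you pass them, and nothing stops you from denying a host you have also trusted, which leaves two files in contradiction. The wrapper below is an added example written for this article, not part of APF: it validates that the argument is an IPv4 address or CIDR block, refuses a deny that contradicts allow_hosts.rules, skips addresses already in deny_hosts.rules, and only then calls apf -d. The file paths default to the ones named above; the APF variable and the helper names are assumptions of this script so it can be exercised without a live firewall.

```shell
#!/bin/sh
# apf_deny_safe: a checked wrapper around "apf -d". Added example for this
# article, not part of APF.

APF="${APF:-apf}"   # command to run; override for testing or a custom path

# Return 0 if $1 is a dotted-quad IPv4 address, optionally followed by /0-32.
is_ipv4_or_cidr() {
    addr="${1%/*}"
    case "$1" in
        */*)
            prefix="${1#*/}"
            case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
            [ "$prefix" -le 32 ] || return 1
            ;;
    esac
    old_ifs="$IFS"
    IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 appears as an entry (optionally followed by a comment) in
# file $2. Dots are escaped so 10.0.0.5 does not match 10x0x0x5.
listed_in() {
    pat=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    grep -qE "^${pat}([[:space:]]|#|$)" "$2" 2>/dev/null
}

# Usage: apf_deny_safe ADDRESS [ALLOW_FILE] [DENY_FILE]
# Exit status: 0 denied or already denied, 2 bad address, 3 host is trusted.
apf_deny_safe() {
    ip="$1"
    allow="${2:-/etc/apf/allow_hosts.rules}"
    deny="${3:-/etc/apf/deny_hosts.rules}"

    if ! is_ipv4_or_cidr "$ip"; then
        echo "refused: '$ip' is not an IPv4 address or CIDR block" >&2
        return 2
    fi
    if listed_in "$ip" "$allow"; then
        echo "refused: $ip is trusted in $allow; run 'apf -u $ip' first" >&2
        return 3
    fi
    if listed_in "$ip" "$deny"; then
        echo "already denied: $ip" >&2
        return 0
    fi
    "$APF" -d "$ip"
}
```

Because the wrapper shells out to the real apf binary for the final step, the rule is loaded live exactly as with a bare apf -d; the checks only decide whether that call is made.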


Your firewall is now configured and ready to use.

Have fun

  • cybernard

    Another firewall product in desperate need of ipset. Although the firewall will function, the functions.apf and other files reveal just how horribly inefficient the system really is. Instead of using ipset and doing a "ipset del banned $DIP" it has to do a "grep -v" on the hosts.allow and deny list which uses WAY more resources disk, memory, and CPU. There are many additional inefficiencies that would take too long and more space than allotted to document.