Mehic.info

Advanced Policy Firewall

Advanced Policy Firewall (APF) is an iptables (netfilter)-based firewall system designed around the essential needs of today's Linux servers. The configuration file is written to be informative and easy to follow. Day-to-day management is done from the command line with the 'apf' command, which prints detailed usage information for all of its features.

On the technical side, APF uses the latest stable features of the iptables (netfilter) project to provide a robust and powerful firewall. The filtering performed by APF is threefold:
1) Static rule based policies (not to be confused with a “static firewall”)
2) Connection based stateful policies
3) Sanity based policies

How to Install APF

cd /usr/src
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xzf apf-current.tar.gz
rm -f apf-current.tar.gz
cd apf-*
sh ./install.sh

Open the APF configuration file in your favorite text editor.

vi /etc/apf/conf.apf

A few lines need to be edited. Search your conf.apf file for each of the following settings and modify it to match the value shown below:

DEVEL_MODE="0"
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,587,993,995,1167,2082,2083,2086,2087,2095,2096,2719,3306,35000_36000,49152_49161"
IG_UDP_CPORTS="21,53,465"
EGF="1"
EG_TCP_CPORTS="20,21,22,25,37,43,53,80,113,443,465,87,2087,2089,2719,3306,20001"
EG_UDP_CPORTS="21,53,465,873"
DLIST_PHP="1"
DLIST_DSHIELD="1"
DLIST_RESERVED="0"

We now need to make sure that the passive FTP data ports are open in the firewall and that the FTP server is configured to use that same range: the 35000_36000 entry in IG_TCP_CPORTS above only helps if pure-ftpd hands out passive ports from within it. In a text editor, open the pure-ftpd configuration file.

vi /etc/pure-ftpd.conf

Change the following line:

# PassivePortRange 30000 50000

to

PassivePortRange 35000 36000

Finally, restart FTP and APF:

service pure-ftpd restart
service apf restart
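A mismatch between the pure-ftpd passive range and the ports opened in APF is the usual reason passive FTP breaks after the firewall goes up. The POSIX shell script below is an added example, not part of the original post or the APF project, and checks that the active PassivePortRange lies inside one of the ranges listed in IG_TCP_CPORTS. The two configuration snippets embedded in it are constructed samples; the function and variable names (apf_tcp_ports, ftp_passive_range, passive_range_covered, check_passive_ports) are my own.

```shell
#!/bin/sh
# Added example: verify that pure-ftpd's passive port range is covered by
# APF's inbound TCP port list. Not part of the original post or of APF.

# Constructed sample of the relevant lines from /etc/apf/conf.apf
APF_CONF_SAMPLE='DEVEL_MODE="0"
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,587,993,995,1167,2082,2083,2086,2087,2095,2096,2719,3306,35000_36000,49152_49161"
IG_UDP_CPORTS="21,53,465"'

# Constructed sample of the relevant lines from /etc/pure-ftpd.conf
PUREFTPD_CONF_SAMPLE='# PassivePortRange 30000 50000
PassivePortRange 35000 36000'

# Print the value of IG_TCP_CPORTS from conf.apf text read on stdin.
apf_tcp_ports() {
    sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p'
}

# Print "low high" from the active (uncommented) PassivePortRange line
# of pure-ftpd.conf text read on stdin; commented lines are ignored.
ftp_passive_range() {
    sed -n 's/^[[:space:]]*PassivePortRange[[:space:]][[:space:]]*\([0-9][0-9]*\)[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 if some entry of the APF port list ($1, comma separated, with
# APF's "a_b" range syntax) covers the whole interval [$2, $3], else 1.
passive_range_covered() {
    ports=$(printf '%s' "$1" | tr -d ' ')   # tolerate spaces after commas
    low=$2
    high=$3
    old_ifs=$IFS
    IFS=,
    for entry in $ports; do
        case "$entry" in
            *_*) start=${entry%_*}; end=${entry#*_} ;;
            *)   start=$entry;      end=$entry ;;
        esac
        if [ "$start" -le "$low" ] && [ "$end" -ge "$high" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# $1: conf.apf contents, $2: pure-ftpd.conf contents.
# Returns 0 when the passive range is fully open, 1 when it is not,
# 2 when either setting could not be found.
check_passive_ports() {
    tcp=$(printf '%s\n' "$1" | apf_tcp_ports)
    range=$(printf '%s\n' "$2" | ftp_passive_range)
    [ -n "$tcp" ] && [ -n "$range" ] || return 2
    set -- $range
    passive_range_covered "$tcp" "$1" "$2"
}

# Run the check on the constructed samples.
if check_passive_ports "$APF_CONF_SAMPLE" "$PUREFTPD_CONF_SAMPLE"; then
    echo "OK: pure-ftpd passive range is open in IG_TCP_CPORTS"
else
    echo "WARNING: pure-ftpd passive range is not covered by IG_TCP_CPORTS"
fi
```

On a live server, feed the real files instead of the samples, e.g. `check_passive_ports "$(cat /etc/apf/conf.apf)" "$(cat /etc/pure-ftpd.conf)"`, and run it again whenever either file changes. The check only looks at IG_TCP_CPORTS, which is the relevant list for inbound passive data connections; it does not validate the egress settings.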